Attn: lawyers, law students, and freelance ambulance chasers,

Is this a HIPAA violation? Should I pursue reporting this incident or just politely call and notify the offending (?) office?

- I received in the mail today a hand-addressed letter from a local physician's office. The letter contained an itemized bill, addressed to an individual with my same name. The bill listed a different address for this unknown eponymous individual than my current address, to which the letter was sent. I have never been seen by this office, nor have I ever been seen by the named physician. I have never undergone the procedures listed. Accordingly, I have no clue how this office obtained my address. Nonetheless, I have unwittingly been given another individual private health information.

What's the verdict?

[Edited on February 13, 2010 at 2:40 PM. Reason : ]

2/13/2010 2:37:02 PM

sure is. go get'em, maverick.

2/13/2010 2:39:10 PM

first step would be to call politely, then go from there.

2/13/2010 2:42:59 PM

Oh god. I can't imagine the shit that would hit the fan in my office if we did something like that. I would definitely call first and try to talk to the head of their billing department. I know that we have multiple patients at our practice with the same name, down to middle initial.

2/13/2010 2:49:05 PM

Pretty sure it's a crime to open somebody else's mail.

2/13/2010 3:09:53 PM

2/13/2010 3:32:29 PM

how would this be a HIPAA violation?

Do you even know what HIPAA is?

More than likely the guy with your same name has not paid his bill, and perhaps claimed that he's not the same guy. So they searched for addresses of other people with the same name and sent a bill.

This has nothing to do with HIPAA. This is all about debt collection.

[Edited on February 13, 2010 at 3:34 PM. Reason : .]

2/13/2010 3:33:43 PM

I blame this thread on lawyer shows

2/13/2010 3:36:20 PM

hell yeah, the doc is knowingly disseminating protected health information! sue that motherfucker!

2/13/2010 3:49:48 PM

god damnit i hate sue happy americans

2/13/2010 3:50:47 PM

^x6 - This piece of mail was addressed to me. Thanks for the input!

^x4 - No, I don't know all the details of HIPAA. That is why I asked. Are you claiming to have this knowledge - specifically that sending an itemized bill listing medical procedures along with personal information is NOT a HIPAA violation?

^ - I have no interest in lawsuits of any kind. I am not wronged in this scenario.

I bring this issue up because I would be pissed if my physician decided to send a bill with my personal information and a listing of medical procedures I had undergone to any one in the phone book with the same name.

[Edited on February 13, 2010 at 4:30 PM. Reason : ]

[Edited on February 13, 2010 at 4:31 PM. Reason : ]

2/13/2010 4:29:53 PM

Quote :

"I bring this issue up because I would be pissed if my physician decided to send a bill with my personal information and a listing of medical procedures I had undergone to any one in the phone book with the same address."

How about you just pay your medical bills and keep your contact info updated and you won't face that situation

2/13/2010 4:32:55 PM

Quote :

"Is this a HIPAA violation? Should I pursue reporting this incident or just politely call and notify the offending (?) office?"

.....



what in fuck's name makes you think that YOU'd get any money out of this? If it's not your info, then you don't have a fucking leg to stand on. They'd take your complaint and say "Thank you, we'll contact the person this affects."




GIVE ME MONEY BECAUSE I SAW SOMEONE ELSE'S MEDICAL INFO!!


what fucking planet do you live on?

2/13/2010 4:35:38 PM

haha i believe the OP thinks HIPAA is some magical pot of gold that can be tapped into whenever there is a violation

2/13/2010 4:40:41 PM

i think by reporting he didn't mean suing

i could be wrong though

anyways i get itemized statements whenever i've gone to urgent care. they say "THIS IS NOT A BILL" but it still has some info on there that i GUESS i wouldn't want other people to see if it was like for herpes or something. but since it has only been for cutting my own finger off with a knife i wouldn't really care if someone else saw it.

i don't really understand how getting an itemized bill is evidence of someone not paying their bills.

READING helps people:

Quote :

"^ - I have no interest in lawsuits of any kind. I am not wronged in this scenario. I bring this issue up because I would be pissed if my physician decided to send a bill with my personal information and a listing of medical procedures I had undergone to any one in the phone book with the same name."

reporting does not equal a lawsuit.

[Edited on February 13, 2010 at 4:43 PM. Reason : .]

2/13/2010 4:40:49 PM

Quote :

"^x6 - This piece of mail was addressed to me. Thanks for the input!"

Are you or are you not the intended recipient of this bill?

2/13/2010 4:47:40 PM

oh my god

it isn't that hard to understand.

say his name is JOHN SMITH at 105 PARK PLACE

a letter came to JOHN SMITH at 105 PARK PLACE

but when he opened it he noticed it was a bill for medical services he didn't receive THUS he is assuming it belongs to another JOHN SMITH.

get it?

i'll elaborate a little further

SO seeing as how the bill belongs to another JOHN SMITH and has detailed health information on it THIS JOHN SMITH (aka the OP) just wants to know if he should call the doctor's office and inform them of their careless mistake OR report it to the proper agency. NOT try to sue to get money because he saw someone else's itemized bill.

[Edited on February 13, 2010 at 4:53 PM. Reason : .]

2/13/2010 4:49:42 PM

Quote :

"reporting does not equal a lawsuit."

it's clear from his tone that he is trying to exact some kind of punishment against the physician who is responsible for this. why immediately blame the doc, when it was most likely a sloppy secretary or some outsourced billing company that made the mistake? this just exemplifies the litigious nature of people towards doctors today

2/13/2010 4:51:29 PM

thats not what i got from it. i understood it as should he report a sloppy doctor's office or should he just call them and say "yo you made a mistake and i could have reported you but instead i'm calling to let you know..."

and not that it has anything to do with this thread and i disagree with people trying to nickel and dime every health care provider they see BUT it isn't bad to be SLIGHTLY protective of your body when undergoing medical procedures and not just take the physician's word for everything. i'm not saying suit i'm just saying - being aware of what is going on and asking questions might make you seem like a douche but its YOUR body.

and furthermore, doctors are human. humans make mistakes. they're unavoidable. you better believe if a sponge or whatever got left in me and i had 5 years of unexplained ailments until they finally figured out it was caused by a sponge left over from a previous surgery that i would NOT be like "awww well doctors are humans, they make mistakes." no - i would want my bills covered and $$$ if i had to take leave from work.

it just pisses me off when people are so negative about law suits because then something happens to them that warrants a suit and they are singing a different tune. and they aren't all about money.

but i'm going to stop ranting now because we're getting really off topic!!!

whew!

[Edited on February 13, 2010 at 5:06 PM. Reason : .]

2/13/2010 4:54:16 PM

well, whatever his intent may be, there's no private cause of action under HIPAA. he's always free to submit a complaint form and/or contact the physician's office, but somehow i don't think that is all he's getting at.

http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintpackage.pdf

^ and I agree, avoidable medical mistakes are worth going to court over. but the attitude today is that you can sue even if you experience a KNOWN complication to your medical care. even when it's right on the consent form. that kind of shit makes me sick

[Edited on February 13, 2010 at 5:13 PM. Reason : ]

2/13/2010 5:07:05 PM

oh well that is what i thought he was saying

because i guess that is what i would do

but if he thinks he is going to sue someone that is a different story!

2/13/2010 5:08:28 PM

Quote :

"Are you claiming to have this knowledge - specifically that sending an itemized bill listing medical procedures along with personal information is NOT a HIPAA violation?"

Sending an itemized bill with personal information is NOT a violation, it's a protected use of the information.



However, sending it to the wrong address technically is. You should notify the office that sent it (of course), and they'll be expected to self-report themselves for a breach in addition to trying to find the correct patient.

The other option is to contact HHS, as suggested above, and they'll look into it.

[Edited on February 13, 2010 at 6:16 PM. Reason : ]

2/13/2010 6:10:46 PM

Quote :

"what in fuck's name makes you think that YOU'd get any money out of this? If it's not your info, then you don't have a fucking leg to stand on."

Quote :

"haha i believe the OP thinks HIPAA is some magical pot of gold that can be tapped into whenever there is a violation"

Where are you guys getting this money angle from? I never saw anything the OP said that made me think he was looking for money out of this. He didn't mention money. He didn't mention suing. He just asked if was a hipaa violation and whether or not he should report it to someone.

I think his whole point was that if it is a violation of some sort, he wanted to notify the appropriate people. Not say "hey, you guys did something against the rules" and leave it to them to "do the right thing." Where as if it's not any sort of violation, he can simply call and say "hey, you sent the bill to the wrong person. Same name, different person." or maybe even if it was a violation, if he should bother notifying anyone or just simply call and let them know they made a mistake.

[Edited on February 13, 2010 at 6:22 PM. Reason : .]

2/13/2010 6:18:39 PM

Holy shit, so many bare asses in this thread.



And, yeah, it's a violation, but I trick people into revealing my parents' business all the time.

It's fun.

2/13/2010 6:33:32 PM

Wow. As I previously explicitly stated, I have no interest in money or lawsuits. I was in no way harmed or wronged here. My reference in the original post about lawyers and ambulance chasers was both a poor attempt at humor and an acknowledgment that these individuals would likely be most able to succinctly answer my question.

duro982 seems to best understand my intent. Violation of law or not, the assumptions that needed to be drawn by the physician/staff/outsourced billing for me to be sent this information seemed a bit reckless for any type of debt collection, and especially reckless given the sensitive way in which health information is usually treated. My post was a solicitation of input from people who would know if someone was seriously and unknowingly wronged here. If so, I wasn't going to mind making a phone call to stand up for that person.

Thanks to DaveOT for what I'm assuming is the correct answer to my original question.

2/13/2010 6:59:52 PM

I realize this thread is about you receiving someone else's medical bill and your concerns about the HIPAA violation implications committed by the doctor against the intended receiver which is curious. Hear me out, maybe I can offer some insight.

I am in outside sales, which is currently salary+commission, but will move into straight commission starting at the beginning of July 2010. I have been in this position since July 2009. I have competition from several direct manufacturing sales reps, large distributors, and local distributors. Here are the advantages and disadvantages of each:

Direct Advantages: Immediate knowledge of new technology, no middle man mark up, one shipping bill (paid by manufacturer or buyer of goods), access to larger range of non-commodity items, control inventory, have access to many distributors that can effectively sell their goods which increases market share, and set prices of commodity they manufacture.

Direct disadvantages: Typically have 1-3 sales reps per region (i.e. southeast, mid-atlantic, northeast, etc.) limiting the number of accounts they can successfully manage/cold-call, lack physical customer service or physical technical service available to or affordable for smaller users or altogether, are sometimes not trustworthy because they will go in behind their distributors that sell their commodity to one account in large quantities (i.e. they missed a big account, and have found out about it through a distributor selling their particular product) which leads to the distributor not selling their product anymore, have too many distributors selling the product ultimately driving the set price down through deviations, possibly rely on distributors to actually sell the product, and competition from other direct sources.

Large distributor advantages: have access to other commodities that go hand in hand with other manufacturers (poor example- grocery stores sell milk as well as cereal), get direct pricing, many locations regionally or nationally easing the shipping burden of buyers with multiple locations, personal service either customer or technical, many sales reps that are able to cover a broader territory, access to multiple manufacturers of the same commodity allowing to keep prices in check, service programs that smaller companies can't offer and direct providers can't match in price or value, and experts of many many commodities as opposed to one or a few.

Large distributor disadvantages: smaller local distributors creating price wars (think Michael Scott Paper Co vs Dunder-Mifflin), direct mfg's going in behind and stealing business, limited access to all of the mfg's (you won't find Harris Teeter name brands in Food Lion and visa versa), can't truly set prices because it's based on both supply and demand, territory management, and tough growth prospects in slower economies (this is true for direct as well really)

Local distributor advantages: Typically a good ol' boy setting where the seller and the buyer know each other for years (this does happen at all levels, but mostly at the local level), local folks are right down the street and can be used in emergencies, if the local guy buys at high enough volumes then there is no shipping charge to the end user, and access to both direct mfg's and large distributors.

Local distributor disadvantages: easily beaten in price, array of commodities, array of technology, lack of trained staff, low cash flow, etc etc etc.

This is what I have noticed in my six months, I am sure there are plenty more that need mentioning. The way I am setting myself apart as a sales person is this: I go after the big accounts right now while I am new. The big accounts, if I land them, will take care of me while I am new and building a customer base. The money made off of those allows me to focus free time on smaller accounts that get me higher margins. I build up big accounts, I would like to have 5-10 of these, then get 20-30 medium accounts. If I lose 1 or 2 big accounts, the 20-30 medium accounts keep me afloat while I go after new big accounts. I don't really waste time on small accounts simply because they basically pay for breakfast or something really small.

I will say this, if you can't get a big account in the first 6-8 months (assuming you have cash flow that you can ride this long) you could be in a world of trouble. If you can get one, it will really make going after the others a lot more enjoyable and less stressful. It's simply just very exhausting wasting any time on anything other than big accounts in the very beginning. You work just as hard on the medium sized accounts and see 1/3 to 1/36 of the money in my situation.

If you have any other questions, you can PM me. I hope this helps in the slightest!

2/13/2010 7:04:24 PM

I wouldn't report it. I would call the MDO. I would also be wary of my information. Make sure no one is is assuming your identity. Obviously an MDO wouldn't happen upon this information. And finally perhaps you have been seen by this practice at some point in your life, and they moved or smthg similar.

Now I know some people are non-compliant with bills and MD's send patients to "collection" in order to obtain their money. This may result in a collections agency sending bills to presumed addresses of the patient.

I know this can happen in cases where you buy a property that had previous liens on it or the previous owner had non-payment issues of some sort.

[Edited on February 13, 2010 at 7:12 PM. Reason : ass]

2/13/2010 7:08:32 PM

Just call the doctors office and let them know. They are looking for the other guy to pay the bill.

It is not a hippa violation bc there PROBABLY isnt a diagnosis on the itemized billing, simply just a list of exam fees and tests run. If there is an actual diagnosis code, then maybe... but it wouldnt amount to anything, bc this seems like a pretty innocent mistake. However, doctors are getting sued bc they tell patients to go on diets, so you never know.

2/13/2010 8:05:36 PM

damn there are some fucktards ITT. especially those who don't understand why he would have opened mail addressed to him...

i would just call the doctor's office and let them know. i had a voicemail one day from a dr's office saying that my son michael had a severe sinus infection and his prescrip had been called in to blahblahblah. i don't have kids. i just called them up and told them they had the wrong #.

2/13/2010 10:26:05 PM

^^ something I can agree with eyedr 100% on

2/14/2010 2:16:27 AM

^^^, ^ Well said. HIPAA is obsessive about your medical records, and it may well be that showing what tests were run could be a violation; however, doctors' offices routinely mail out things like pap test results, and if they get addressed incorrectly I know I certainly wouldn't want someone else seeing that. There's got to be some kind of allowance for mailing error, on the part of the office or the USPS--although that assumes that the law makes sense, and you can never assume that.

Let the office know; they can correct the address and handle it without having to get ugly.

2/14/2010 10:06:14 AM

Quote :

" GIVE ME MONEY BECAUSE I SAW SOMEONE ELSE'S MEDICAL INFO!! what fucking planet do you live on?"

You're an idiot. READ. IT WORX.

2/14/2010 1:03:41 PM

you should really contact lewoods regarding this.

She is an expert on such things.

2/14/2010 1:12:59 PM

Little HIPAA little known fact. Clinton's original proposal called for every exam room and office to be made soundproof so others couldnt "hear" your business. Just another example of the disconnect between washington and the real world.

I once called a teacher about a student she sent for an eye exam. She didnt appear to have anything wrong with her eyes so I suspected a learning or cognitive problem. So I called to ask her what she was noticing about the child. She started talking and then was having another conversation with someone else in the room and then asked if I had a signed release for her to talk to me and then just kept repeating it to any of my questions. I kept thinking, this is exactly what this law was meant to do.

I do think there needs to be rules on protection of patient records, but some of the crap you have to go through just to get a fucking question answered concerning patient care is ridiculous. Most docs wont care, but you can tell this teacher, her boss or whoever kept talking to her, was more concerned over the BS than trying to help this girl.

2/14/2010 2:09:58 PM

Update: I called the associated office this morning, stating that I needed to speak with someone regarding a bill. The woman who answered the phone stated that she was able to do so. I informed this individual that I had received a bill which I believed was not intended for me, noting that I had never been seen by the physician she named when answering the phone. I detailed how this bill was addressed to me, listing my name and address on the outer envelope, but that the heading of the bill inside the envelope listed an unknown individual with my same name but different address. I also respectfully inquired as to how the office had acquired my address, as I, again, have no prior affiliation with this office whatsoever. The woman asked for an account number listed on the bill, which I provided. She then proceeded to unpromptedly describe, in detail, the date, location, and reason for the billed procedures, a la - "This was for an (insert procedure) on (insert date) at (insert hospital name) for (insert disease)."

(face palm)

Somewhat answering my question, she added some babbling incoherent response stating something along the lines of a returned piece of mail/invalid address and that "somehow" my address "got tacked on there". Before hanging up I informed her that I would be shredding the correspondence in question and politely reminded her that an office of her type should endeavor to follow all rules and regulations associated with the protection of private health information.

2/15/2010 9:36:39 AM

You should get her name and let the doctor know she's giving out personal information like that. I wouldn't want my medical information just spouted off like that, ESPECIALLY since you said you were not the intended recipient.

2/15/2010 9:45:56 AM

This is one of those things where you'd probably get a better response if they had let you talk directly to the physician.

2/15/2010 9:50:47 AM

Quote :

"I also respectfully inquired as to how the office had acquired my address, as I, again, have no prior affiliation with this office whatsoever."

That is super weird.

2/15/2010 9:56:07 AM

Yes its a violation. Regardless of whether or not the thing contains actual diagnosis info or anything else, the fact that it contains identifying info (in this case an account number+address) its enough that anyone can use it to get more private information (as you did). Most likely this is a lazy clerical error. HIPAA is designed to provide legal means for someone to protect themselves and their information from this type of action.

Report it to the feds. You could additionally try to talk directly to the doctor about it, but theres no guarantee they wont simply fix the one instance and not whatever led them to make the mistake. Its certainly not your job to report it or to really do anything with it (aside from maybe shred it), but I know I'd sure appreciate it if someone who got my info reported it.

2/15/2010 1:27:13 PM

Quote :

"Report it to the feds. "

geez. He already called the office. He handled it.

"The Privacy Rules allow a physician to communicate with patients, including communications to the patient's home. When making these types of communications, however, the physician should take precautions to safeguard the patient's privacy. For example, when leaving a message on the patient's answering machine, the physician should limit the amount of information left in the message to just the information necessary to confirm the appointment time or to request that the patient call the physician's office."

I think its pretty much understood they thought they were communicating with thier patient, but made a mistake.

[Edited on February 15, 2010 at 3:57 PM. Reason : .]

2/15/2010 3:52:56 PM

If they communicate that information to the patient thats one thing, communicating it to another person in an attempt to resolve a bill, is fucking terrible. They fucked up and the person he talked to didn't have any trouble handing out data to someone who wasnt the patient. I work in the healthcare industry and if we sent out account info for some of our clients' members incorrectly like that we'd be crucified, and rightly so.

If the original patient left the OP's address as his point of contact thats one thing, but it sounds like the doc went out of his way to track this guy down for a bill and didn't bother to confrim the address before sending it. Thats exactly what HIPAA is designed to prevent. Its not just to prevent people selling data, its about making sure docs are careful with the info.

If the doc takes a hit because of this, its too damned bad. Hire better people, make sure you drill privacy protection laws into their heads. I know you aren't a big government guy and neither am I for the most part, but this is something that exists to protect all people and unlike SoX its not some terrible burden. Its mostly common sense stuff put in place to protect people. If this was mailed to someone less scrupulous they could use it to get other info out of this doc's office and do some identity theft.

2/15/2010 4:44:09 PM

Quote :

" but it sounds like the doc went out of his way to track this guy down for a bill and didn't bother to confrim the address before sending it. "

I can guarantee you the doctor knows NOTHING about this.

The person he talked too should not have addressed any of the items on the bill once he established that he was not the patient.

Sending out itemized billing is required as is an EOB that the insurance company will send. They simply got the wrong address. They prob just looked in the phone book and figured their patient moved, which he has.. just didnt notify the practice.

2/15/2010 4:50:33 PM

Theres no guarantee he moved, and just picking someone out of the phone book to send it to is completely wrong. I mean why dont they just email the info to all combinations of John_Smith@gmail.com while they're at it?

2/15/2010 4:53:12 PM

call the office and tell them they sent you some mail that isn't yours and you had to open it to confirm this. it's not a violation

2/18/2010 12:00:37 PM

^ i think he did that already

Quote :

"Update: I called the associated office this morning, stating that I needed to speak with someone regarding a bill. "

2/18/2010 12:03:51 PM

What can it hurt to report them. If it is a violation, then they will get fined and retrained so that it doesn't happen again. If it isn't a violation, no harm done.

2/18/2010 1:36:15 PM

Yeah, the doctor probably won't know anything about billing/admin issues. Before you shred anything, try to get either the office manager or practice manager. At my office, the practice manager addresses any sort of privacy concerns within one day of receiving information. You probably spoke to a billing person at the bottom of the chain.

2/18/2010 10:55:48 PM

^^ what can it gain to report them?

"fined and retrained"? ha, yeah right. So, they get fined, and they pass the cost along to future patients. and "retrained"? This was most likely a simple clerical error. no "retraining" necessary - billing department just needs to pay more attention. This kind of shit happens daily at every company who has to send out bills, but most people don't get their panties in a wad when small mistakes are made.

2/18/2010 11:11:14 PM

Giving out private information is a big deal. Most companies, hospitals, doctor's office require all employees to take training classes on what they are allowed to give out when they handle patient information. If someone is giving out (even accidentally) patient information to people who are not the patient its a violation. Don't tell you wouldn't be pissed if someone was given access to your files without your permission.

2/19/2010 3:55:21 PM

^^i would have been of the same mind too if they didn't screw up again on the phone.

2/19/2010 8:22:13 PM