
How do we possibly close this loophole?

 
 
Reply Tue 19 Apr, 2022 01:02 pm
I work for a medical company providing free medication to patients who apply and qualify for it. One big HIPAA regulation we have to follow with any patient is that they can list on their application the name of a contact who they want to have access to their account or records. Typically it's a spouse, child, parent, sibling, friend, etc. Just someone they designate who can call in on their behalf. As long as their name is on the app we can release info to them. A lot of the patients work with patient advocacy groups who do a lot of stuff for them and they will list the advocacy group as their contact, but we still need a person's name. Lately I've noticed that one particular advocacy group will only use one name on the patient's applications and everyone who calls in will give the same name. In the morning I'll get a call from a guy, obviously white, saying his name is Alex Williams, and we discuss the account. Around lunch I'll get another call from another Alex Williams and this person will have a heavy Hispanic accent. Later in the day a 3rd call will come in from a woman claiming to be Alex Williams. I guess with Alex being a unisex name they were not expecting to get the same rep 3 different times. When I asked one of them about this they told me that that's the name they use for all their employees so they don't have to give their actual names and they don't have to list different people on the applications. I can't see how this is legal. I personally think this is a big violation of the HIPAA guidelines. In speaking with a few employees and our manager, one person stated that if they put their name as Felix The Cat on the app and identify themselves as Felix The Cat then we have to release whatever info they request. I just can't see how this is legal.
Type: Question • Score: 4 • Views: 268 • Replies: 5

 
engineer
 
  1  
Reply Tue 19 Apr, 2022 01:08 pm
@Barry2021,
Regardless of the name given, you don't take any steps to verify the identity, right? The real question is if the people who signed the form are ok with the person accessing their data and it sounds like they are. Think of the name like a password. If you use a common password, the chance of being hacked and having your data accessed goes up, but it sounds like a chance these people are willing to take to receive help. Essentially they are giving their password to someone who is trying to help them.
Barry2021
 
  1  
Reply Tue 19 Apr, 2022 01:17 pm
@engineer,
engineer wrote:

Regardless of the name given, you don't take any steps to verify the identity, right? The real question is if the people who signed the form are ok with the person accessing their data and it sounds like they are. Think of the name like a password. If you use a common password, the chance of being hacked and having your data accessed goes up, but it sounds like a chance these people are willing to take to receive help. Essentially they are giving their password to someone who is trying to help them.


A lot of the time, since these agencies fill out the applications for the patients, most of the time the patients never even know that name is on their application. It's typically a "sign here and we'll take care of the rest" scenario. And how do you verify a person on the phone? If they give you a name you're not supposed to question it. But in this case everyone is giving the same name. When I pressed the one guy about it he came clean and gave me his real name. At that point, when his actual name was not on the app, I refused to give him any info. I'm sure he called right back, got a different rep and they told him exactly what he wanted to know.
engineer
 
  2  
Reply Tue 19 Apr, 2022 01:21 pm
@Barry2021,
Barry2021 wrote:

And how do you verify a person on the phone? If they give you a name you're not supposed to question it.

Exactly, you are not supposed to question it. This is not the TSA. The name is nothing more than the password and anyone who knows the password is allowed the information. Your employer made that clear when they said not to question it. This loophole is there for a reason. You don't need to close it to make things harder for people who already have it hard enough.
Linkat
 
  1  
Reply Tue 19 Apr, 2022 03:20 pm
@engineer,
Agreed - you did the right thing and brought this information forward to your manager. S/he said it was ok - you then got confirmation.

The only thing I would take a step forward is if you have some sort of "report it" line at work. In other words, some companies have a report line where you can voice things that you suspect are fraud or unethical. If you do not - then you brought it to the attention of your manager.
Mame
 
  1  
Reply Wed 20 Apr, 2022 07:05 am
@Barry2021,
Barry2021 wrote:

And how do you verify a person on the phone?


I have to verify who I am whenever I call just about any agency. I have to give my password, PIN, mother's maiden name, address or SIN. This is with Telus, Apple, our energy companies... even if I just want to ask a general question. You can ask Alex Williams to provide you with the patient's home address, phone number, date of birth, or SSN if it makes you feel better. Or suggest this to your manager.

I find all this verifying a lot of nonsense sometimes. Why anyone would call my telephone company pretending to be me to report a line needing repairing is beyond me.