Friday, September 9, 2011

Hospital billing contractor shares private health information on 20,000 Stanford ER patients

This release of private health data should make you concerned, and eager to know more about your health care provider's security measures for your private health information. Those exposed were unsuspecting emergency room patients at Stanford Hospital, whose information was posted on a website called Student of Fortune (a pay-for-tutoring website). The information was publicly accessible for 11 months and included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital's emergency room during a six-month period in 2009. Here is the original article for your review.

Concerned? You should be! Nobody knows who now holds copies of this data, but the website that hosted it should at least be able to tell, from its web server access logs, who fetched the file and how many times over those 11 months, assuming it kept logs that long. That count only bounds the number of direct downloads, not the number of copies made afterwards.
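What that access-log check looks like in practice, as an added example that is not part of the original post. The log lines are constructed in Apache/nginx combined format, and the file path `/uploads/stanford_er.xls` is a made-up placeholder for whatever file actually held the spreadsheet; nothing here is taken from the real incident.

```python
"""Count who fetched a given file, and how often, from web server access logs.

Added example, not from the original post. The log lines below are
constructed in combined log format; the path /uploads/stanford_er.xls is a
placeholder, not the real file name.
"""
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: repeat visitor, a crawler, a partial (206) fetch,
# an unrelated page, and a 404 after the file was taken down.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2010:14:03:11 -0700] "GET /uploads/stanford_er.xls HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Sep/2010:14:05:40 -0700] "GET /uploads/stanford_er.xls HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2010:03:22:09 -0800] "GET /uploads/stanford_er.xls HTTP/1.1" 200 51234 "-" "Googlebot/2.1"
203.0.113.9 - - [19/Mar/2011:09:47:55 -0700] "GET /uploads/stanford_er.xls HTTP/1.1" 206 8192 "-" "curl/7.19"
203.0.113.9 - - [19/Mar/2011:09:48:01 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.19"
10.0.0.5 - - [01/Aug/2011:17:00:00 -0700] "GET /uploads/stanford_er.xls HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def downloads_of(log_text, path):
    """Return (hits_by_ip, first_seen, last_seen) for successful fetches of `path`.

    Only 2xx responses count as a disclosure (a 206 partial fetch still leaks
    bytes); requests after takedown that got a 404 do not.
    """
    hits = Counter()
    first = last = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or not 200 <= rec["status"] < 300:
            continue
        hits[rec["ip"]] += 1
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
    return hits, first, last


if __name__ == "__main__":
    hits, first, last = downloads_of(SAMPLE_LOG, "/uploads/stanford_er.xls")
    print(f"{sum(hits.values())} downloads from {len(hits)} distinct addresses")
    print(f"exposure window seen in log: {first} .. {last}")
    for ip, n in hits.most_common():
        print(f"  {ip}: {n}")
```

Two caveats a responder would add: many hosts rotate or discard access logs long before 11 months, so the window the logs show may be shorter than the real exposure, and a crawler hit (the `Googlebot` line above) means the file may also live on in search caches that no access log will reveal.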

Who's to blame? If Stanford had a written contract with Multi-Specialty Collection Services requiring it to protect the privacy of protected health information, the fault appears to rest with Multi-Specialty Collection Services, according to this HHS article.

Especially interesting, though, is this section of the Health and Human Services website:

How Is This Information Protected

  • Covered entities must put in place safeguards to protect your health information.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.

This raises the question: why does a billing contractor need a diagnosis at all? Is the diagnosis code necessary to collect payment due for services? If this were the company submitting claims to insurance carriers, it most definitely would need that data, since the payer adjudicates a claim on the diagnosis and dates of service. But this company sounds like a collection agency, engaged to contact patients after the insurance portion has been paid or to pursue remaining balances, and for that purpose an account number, a balance and contact details should suffice. So does this flip the blame toward Stanford for giving a contractor more information than the minimum necessary?
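The "minimum necessary" rule quoted above turns into a data-minimization step at the point where the record leaves the hospital. The following is an added illustration, not code from the original post or from Stanford or its contractor; the field names, the two purposes, and the sample record are assumptions chosen for the example, and the patient data is fabricated.

```python
"""Minimum-necessary disclosure: release only the fields a recipient's purpose needs.

Added example, not from the original post or from any party to the breach.
Field names, purposes and the sample record are assumptions for illustration;
the patient data is fabricated.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Allow-lists per purpose. Anything not listed is withheld, so a field added
# to the record later is withheld by default until someone argues it in.
ALLOWED: Dict[str, FrozenSet[str]] = {
    # Submitting a claim to the insurer: the payer adjudicates on diagnosis
    # and dates of service, so those fields are genuinely necessary.
    "claims_submission": frozenset({
        "account_number", "patient_name", "date_of_birth",
        "admission_date", "discharge_date", "diagnosis_codes", "charges",
    }),
    # Collecting a remaining patient balance: identify the account and state
    # what is owed. The diagnosis is not needed to collect a debt.
    "balance_collection": frozenset({
        "account_number", "patient_name", "mailing_address",
        "service_date_range", "balance_due",
    }),
}


@dataclass
class Disclosure:
    purpose: str
    released: Dict[str, object]
    withheld: List[str] = field(default_factory=list)


def minimize(record: Dict[str, object], purpose: str) -> Disclosure:
    """Return the subset of `record` permitted for `purpose`, and what was withheld."""
    try:
        allowed = ALLOWED[purpose]
    except KeyError:
        # Fail closed: an unrecognised purpose releases nothing.
        raise ValueError(f"no minimum-necessary policy defined for purpose {purpose!r}")
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return Disclosure(purpose, released, withheld)


def derive_collection_view(record: Dict[str, object]) -> Disclosure:
    """Build the collection-agency view of an ER billing record.

    Coarser derived fields (a year-month instead of exact admission and
    discharge dates, a balance instead of line-item charges) are computed
    first, so the raw fields never reach the contractor.
    """
    view = dict(record)
    view["service_date_range"] = str(record["admission_date"])[:7]  # "YYYY-MM" only
    view["balance_due"] = record["charges"] - record.get("insurance_paid", 0)
    return minimize(view, "balance_collection")


# Constructed sample record (not real patient data; the diagnosis code is a placeholder).
SAMPLE_RECORD = {
    "account_number": "ER-2009-000123",
    "patient_name": "J. Doe",
    "date_of_birth": "1970-01-01",
    "mailing_address": "1 Example St, Palo Alto, CA",
    "admission_date": "2009-03-14",
    "discharge_date": "2009-03-14",
    "diagnosis_codes": ["EXAMPLE-DX"],
    "charges": 1250.00,
    "insurance_paid": 1000.00,
}

if __name__ == "__main__":
    for purpose in ("claims_submission",):
        d = minimize(SAMPLE_RECORD, purpose)
        print(purpose, "released:", sorted(d.released), "withheld:", d.withheld)
    d = derive_collection_view(SAMPLE_RECORD)
    print("balance_collection released:", sorted(d.released), "withheld:", d.withheld)
```

The design point is the direction of the default: the contractor gets an allow-list, not the full record minus a deny-list, and the `withheld` list gives the covered entity a record of what it chose not to disclose and why, which is exactly what the contract and training requirements in the HHS list are meant to produce.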

What do you think about this latest breach?

1 comment:

  1. While I was employed with this company back in 2004-2006, they dealt solely with work comp injuries and sought payment from insurance carriers, so they would have needed the data.