McCann said he discovered that the county's insurance office had gotten access to his medication records in violation of federal medical privacy law, known as the Health Insurance Portability and Accountability Act, or HIPAA.
``They could have at least asked me to sign off on this so they could have asked my physician to provide documentation on why the medication was prescribed, but they didn't,'' he said.
The longtime public employee said his doctor prescribed three drugs -- one used as an anti-anxiety medication -- to treat restless leg syndrome and has never suggested that he see a psychiatrist.
The county ``jumped to conclusions,'' McCann said. ``They had no way of knowing what the drug was prescribed for; they just looked at the name and said, aha!''
McCann said he was told by Caremark, the Nashville-based company that manages the county's pharmacy benefits, that the county had access to his records twice, two days before he was ordered to see a psychiatrist and in mid-May, about 10 days before his unpaid administrative leave with the county ended.
He was fired for insubordination and arguing with his supervisors. That should be enough grounds without snooping in his medical files. posted by Sydney on
9/01/2006 08:54:00 AM
Between this quote:
"McCann said he was told by Caremark, the Nashville-based company that manages the county's pharmacy benefits, that the county had access to his records twice, two days before he was ordered to see a psychiatrist and in mid-May, about 10 days before his unpaid administrative leave with the county ended."
and this one:
"County Law Director Karen Doty said Thursday she had not seen McCann's complaint. ``I know that we did not violate any HIPAA regulations,'' she said, ``and if he wants to bring another action, yet another one, against us, I guess we don't have really any choice but to defend ourselves.'",
methinks Summit County had better start socking away money to pay for this guy's settlement.
..."may have access" ? I was a risk manager for a TPA that administered self funded plans, including its own. I can assure you, legal or not, PHI was routinely reviewed and sometimes used in very unethical ways. There is no "may have" about it, they do have access, and some use it.
About the same risk of improper disclosure is present in any plan, including a government sponsored plan.
To believe otherwise requires one to believe that government clerks are more aware of the law, more careful to observe it, and more protective of individuals' privacy than insurance company clerks. That's just not believable.
That's why I think the risk is about the same, regardless who sponsors of the plan - which means this is not a distinguishing characteristic of employer-sponsored plans.
If the plan is self-administered (as some private and public plans are) or if the employer happens to be an insurance company, the steps necessary to avert improper disclosure are more difficult but still manageable.
It must be recognized that no system of administrative controls can absolutely guarantee that no data will ever be disclosed improperly. This is because people are involved, and people make mistakes. As T.S. Eliot once observed, "There can be no system so perfoect that no one needs to be good."
BTW, any TPA employee who provides medical information to a client in a form that permits individual identification is breaking the law. If the correspondent above saw this happening, and failed to report it, she might also be held legally accountable.