Healthcare privacy laws are designed to protect your information. But some companies seem to ignore some aspects just to maintain red tape.
You’ve probably heard all about HIPAA many times over the years. HIPAA stands for the Health Information Portability and Accountability Act. Lawmakers passed the bill to help ensure healthcare privacy.
Companies must protect the sensitive nature of your documents. Insureon.com reports the HIPAA security rule consists of three components that healthcare organizations must comply with. Keeping patient data safe requires healthcare organizations to exercise best practices in three areas: administrative, physical security, and technical security, the site says.
Therefore, you might wager companies will react quickly when they learn they are sending someone else’s records to the wrong person.
You would lose that bet.
Sorry, wrong address.
If you’ve followed this blog for a while, you know I purchased my first home last year. Anytime you move to a new address, you occasionally receive mail addressed to previous residents.
I accept that this is a normal part of life.
But with an ever-increasing obsession with protecting people’s personal information, some companies don’t seem to get it.
Today, I received another piece of healthcare information belonging to someone I don’t know. Apparently, that person used to live at my address. I don’t know how long ago they lived here. (The person’s name is one that could be male or female, so I don’t even know the gender.) I don’t know where this person now lives.
I only know, beyond any doubt, the person no longer lives here. So I called the insurance company to notify them of the address error and ask that they stop sending me this person’s information.
Fortunately for the patient, I’m an honest person. I wouldn’t publish their data or do anything else untoward with it.
But the company, a large health coverage conglomerate, totally missed the point about healthcare privacy. I explained that they keep sending me this person’s health information by mistake.
They asked me for the patient’s name and birthdate. I gave them the name — which I knew from the front of the envelope. I reminded them that I don’t know the person — which was the point of the call — and that I therefore couldn’t possibly know their birthdate.
They told me that I shouldn’t open other people’s mail. I pointed out that since they don’t put a contact number on the outside of their envelope, the only way to reach them to report the error is to get the number that’s inside the envelope.
Both points, I figured, would be common sense.
Then they said they couldn’t stop the mail from coming to me. The patient would have to be the one to change the address.
Let’s think about that for a second.
I’ve told them they’re sending someone else’s healthcare information to a complete stranger. I explained that person does not live at my address.
To put it another way, I notified them that they’re doing what laws like HIPAA are designed to prevent them from doing.
They present themselves as caring so much about protecting privacy. Yet when told they’re violating by sending it to the wrong address, they actually refuse to do anything about it.
Until the patient asks them to correct the address, they said can’t do anything. I pointed out one more detail I considered common sense.
“The patient isn’t getting the information you’re sending me. So how would they know to correct the address? For that matter, how would they know their information is going out at all?”
Spoiler alert: They can’t know that. That’s why I called the coverage provider.
“So you’re telling me that after I notify you that you have a wrong address, you’re going to intentionally continue sending me their information?” I asked.
“We can’t change the address,” the operator answered. “That’d violate HIPAA.”
“No, ma’am, I’m not asking you to change the address,” I told her. “I’m asking you to stop sending mail. That’s not violating HIPAA; it’s protecting this person’s healthcare privacy information. That’s what HIPAA is all about, right?”
Here’s the advice they gave.
They told me to reseal the envelope and mark it as, “Return to Sender: No Longer At this Address,” and put it back in the mailbox.
Do I seriously think the post office is actually going to take the time and energy to return the letter all the way back to its source? Not for a second. If anything, I suspect the post office will toss the letter into the nearest circular file.
But you surely know I’d ask this next question.
“If you can’t trust me when you’re talking to me that I’m authorized to tell you who does and doesn’t live here, why can you trust me when I write ‘Return to Sender’ and drop it back in the mailbox?”
After all, if they want to argue that they don’t know who I am, it stands to reason they can’t know who wrote that message on the envelope — if they ever receive it.
It doesn’t make a lick of sense.
It certainly felt as though they were more committed to following their script and protecting bureaucratic nonsense than actually caring about someone’s privacy.
The moral of the story
If you’re planning a move, give yourself plenty of time to make a list of everyone who sends you important information. Make sure all of your healthcare providers and carriers get your address.
Otherwise, they’ll mindlessly send your information to the address they have and won’t give a damn when someone tells them you don’t live there. If they have a way to easily suspend mailings, they won’t use it. If they have a client’s phone number or email address on file, they won’t use that to verify the change of address, either.
To put it simpler, they just don’t care.
It sounds absurd, yes, but that’s the way it is these days. The best way to make sure your privacy is protected is to act as if you’re the only person who wants to protect it. That wouldn’t be far from the truth!