Confidentiality, Privacy and Security

HIPAA, Opiates, and married couple with 2 different Providers

  • 1.  HIPAA, Opiates, and married couple with 2 different Providers

    Posted 10-26-2020 13:48

    I have a situation. It seems simple at first, but it I've been unable to ascertain a concrete answer during analysis. We have a husband and wife (married) who see 2 different providers at our organization. They are both prescribed controlled substances. The wife has a signed medication agreement on file. The husband does not. The med agreement says, among other things: "I will not share my prescription with others".

    While the husband doesn't have a medication agreement on file, he recently submitted to a drug UA, which came back dirty. He explained to his provider that it's dirty because he's long used his wife's butalbital when he had a headache. The wife's provider became aware that she was sharing her medication with the husband. So, the wife's provider, after careful consideration, took her off of that but not her opioids (there's clinical reasoning for this; not relevant for the situation being investigated here). Further, the wife will now have more frequent monitoring, random pill counts, etc. to assure that none of her opiates are being used by her husband.

    Now, the husband says he's upset because he thinks his provider used his personal and confidential information for something other than treating him. 

    I'm trying to determine if that's true – did the husband's provider breach his privacy because his wife's provider now knows that he was taking her prescription? i.e. is this situation a HIPAA breach. It's still a question as to how the wife's provider came to realize the situation, which I am looking into and will conduct interviews (if necessary).

    Has anybody experienced a similar situation? How did you perform an analysis and what was your determination?



    ------------------------------
    Sarah Dietz, CHPC
    HIM & Privacy Manager
    GHC-SCW
    ------------------------------


  • 2.  RE: HIPAA, Opiates, and married couple with 2 different Providers

    Posted 30 days ago
    OCR has provided guidance for providers dealing with the Opioid crisis in the following publication.   Check out:

    https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf

    The short answer is yes, his provider can share this information with his wife's provider because the use of the wife's medication has the potential to cause harm to the husband.  Also, if you ran it through your organization's Breach Risk Assessment Tool (hopefully you have one?) , you should find that this is not a breach.  If you do not have one, I recommend looking at AHIMA's Breach Management Toolkit when creating one for your organization.

    ------------------------------
    Laurie Bach
    Health Information Management Administrator
    ------------------------------



  • 3.  RE: HIPAA, Opiates, and married couple with 2 different Providers

    Posted 30 days ago
    Thank you, Laurie! That publication is extremely helpful and exactly what I was looking for. Yes, we do have a  Breach Risk Assessment Tool. In fact, it was adopted in part by the AHIMA Breach Management Toolkit - I cannot say enough good things about that resource :)

    ------------------------------
    Sarah Dietz, CHPC
    HIM & Privacy Manager
    GHC-SCW
    ------------------------------



  • 4.  RE: HIPAA, Opiates, and married couple with 2 different Providers

    Posted 25 days ago
    There does need to be investigation into how wife's provider learned of incident. Check state rags on AoD records also. If wife's provider learned of incident from husband's provider then Yes a breach occurred.

    ------------------------------
    Pamela [LastNam
    Medical Records Tech/Privacy Officer
    ------------------------------