Collecting Patient Information and Patient Identifiers - HIPAA

ehoqa

We are a manufacturer of a prescription-based medical device in the US. We sell to hospitals/doctors and to patients with prescriptions. In light of HIPAA rules and obligations of covered entities and business associates, we realize we don't collect much patient information. We are wondering if our current procedure in collecting patient information meets a regulation or standard regarding patient info (if there is one?).

Here's the info we currently have from receiving prescriptions before we ship our product:
1. the prescribing doctor
2. the patient's name
3. the size & preferred color of our product.

We also have the ship-to address and credit card number associated with the order, though those are not necessarily the patient's address and credit card.


My questions are:

As a medical device manufacturer in supplying prescription-based products, is our current procedure for collecting patient information adequate? (i.e. does it meet a regulation or standard, if there is one regarding having the minimum patient information?)

If we need to change our procedure in collecting patient information, are we obligated to use a minimum number of patient identifiers? Do we need to go further to require another identifier such as patient's birthday?

As I mentioned, we just have the doctor's name/contact, patient's name, and product. Shipping address and payment information may or may not be the patient's. Internally we don't need to collect more information for our purposes of selling the products and keeping our orders straight, but I want to make sure we are not breaking any rules by not having enough patient information. I hope this makes sense!

I realize it's the holiday season so this question may not get much attention. I hope someone can answer or point me in the right direction of where to look.
 
JillianWright

Protection of health information of patients is one of the primary aims that the Health Insurance Portability and Accountability Act (HIPAA) seeks to achieve. This being the case, it is natural that whenever an entity that is tasked with protection of this data fails to achieve this, it has to face penalties and other punishments for HIPAA violations. HIPAA violations and law enforcement play a major role as a medium in ensuring that patient information is kept confidential as required by this legislation.

HIPAA violations and law enforcement are built on the national privacy standards that have been embedded into HIPAA. If any information about the patient is disclosed to any unauthorized source without authorization, this constitutes breach of patient privacy, and brings HIPAA violations and law enforcement into play.

The role of the law enforcement official

HIPAA violations and law enforcement is founded on a well-established set of fines and penalties that are prescribed for the different kinds of privacy breach. This is how HIPAA violations and law enforcement work:

HIPAA's Privacy Rule has a definition for a law enforcement official. Any officer, official or employee of any local, State, or federal agency, or a member of an Indian tribe who has the requisite qualification can be appointed as a HIPAA enforcement official.

Such an official, who has been given the power to investigate a potential violation of Protected Health Information (PHI), is empowered to prosecute an entity that is found to be violating provisions of the HIPAA. This constitutes the core of HIPAA violations and law enforcement.

Of course, such a designated person should carry the requisite legal identification documents required to establish the proof of the person's authenticity. Any Covered Entity, including hospitals, has the right to demand proof of genuineness of the person's identity. This said, a law enforcement official has to have the proper permissions and situations to carry out law enforcement activities for HIPAA violations.
 