“I have a quick question…..”

quick question.png

The conversation starts with …. I have a quick question..It’s never quick to ask or quick to answer – especially when to really answer the question, more information is required. I should never say never. If your question is “Is it okay to kidnap a stranger and keep them locked up for ten years while I bilk all their life savings?” – the answer is really quick. No.

Otherwise, most of the time when someone wants to ask a quick question of an attorney, they are generally looking for a valid legal response, even if the attorney disclaims it is not legal advice.

Don’t get me wrong, most of us love intellectual debates and/or discussing our passions. Asking me about privacy is like asking a new mom about her babe – it’s a miracle if I ever shut up. (Those who know me..quit laughing! I am limited to one cup of coffee daily)

The point is – there is rarely a “quick question.” If you really do intend it to be a quick question, do your homework first and only ask the remaining issue. Here’s a good scenario:

Quick question: 
“Should I report my doctor for a HIPAA breach if they mailed me the wrong lab results?”

Why it’s not quick:

  • Who are you thinking you should report the doctor to – the medical board, the U.S. Office for Civil Rights, a non-US regulatory authority, state attorney general, state insurance office, employer, insurer? The list can be very long.
  • Is your doctor under any requirements that address privacy, other than the physician requirement for confidentiality? (HIPAA does not apply to everyone)
  • What information did you receive and how do you know it’s not you? – are the lab results for a test you did not have, is there another name on the test, is it not your patient ID, was the address wrong and the post office delivered it to the right address or post office delivered it to the wrong address? – lots of ways this could be wrong.
  • Did you discover this yourself or were you informed?
  • Why do you want to report it? (public obligation, anger, want to sue, etc.)
  • Have you been harmed? (not necessarily critical to being a breach, but is important)
  • Has the other patient been harmed? (or would they be)
  • Do you still have the information?
  • Have you reported this to the doctor? if so, what what his/her response?

and other questions would follow based on responses.

My quick answer would be Рyou should let the doctor know and return the information to him/her without keeping a copy, but take notes on the entire interaction. This may or may not be the correct answer depending on the responses to the questions above that I would not know if I did not ask. 

And the “quick questioner” will probably still ask a follow-up question or respond with more information. Making the quick question and quick-perhaps accurate- response still not so quick.

If people really wanted to ask a quick question – they would do the homework and come to the attorney (or privacy officer) with a really quick question –

“Hey, my doctor in Indiana mailed me the lab results for another patient with that patient’s name on it and it is HIV results. I know it is a breach under HIPAA, but it appears my address is connected to that name. I told the doctor’s office and I shredded it, but should I report this to the Office for Civil Rights?”

Quick answer:
“Oh, that’s bad. Yes, you can report to the Office for Civil Rights, although you don’t have to, and they can match it to your doctor’s breach disclosure list, which is not required until the year is over for one-offs. You can also follow up and ask your doctor if they let the other patient know, but they don’t have to tell you. Make sure they correct your address linked to that patient and make sure your name is not on his/her address and no information on you has been sent there.”

This is not unique to privacy or to attorneys. This happens to pretty much everyone. If the quick question is a conversation starter, because you are looking for a way to start chatting, fine. It could be awkward and you might get a rude response or create a bad impression.

If, however, you really do think that you can ask someone who knows (perhaps an “expert”) a question related to their knowledge and expertise and the person is a friend, good acquaintance, or close work colleague – sure, do it. But be respectful, do your homework, and provide concise, clear, and critical facts. Do not turn it into a verbal essay and please explain up front that if it is not so quick from their point-of-view just to say so – you get that there may be complexities that you don’t see.

If this person does answer, you should provide them with a thank you, such as a gift card to their favorite coffee or food place, flowers, thank you item, or effusive thank you card. They won’t expect it – cause who does that? – and it will become a pleasurable experience for them and you.

 

 

Advertisements

Explaining “Privacy Attorney”

privacy wutPeople often ask me what I do as an attorney (disclaimer….I do not take clients, I work for a company). When I say I’,m a privacy attorney, the reactions range from polite confusion to complete incomprehension to vague niceties.

My typical response is “Here in the US, you hear about HIPAA HIPAA HIPAA and patients patients patients, right? In all other countries with privacy laws, you don’t have protection because you’re a patient, but because you’re a person.”

It’s a much bigger deal.

Privacy is something that we have lost in this digital world. We need to reclaim our privacy.

The most ¬†movement in personal data protection law is coming out of the European Union, but privacy (data protection) laws are prevalent in Asia-Pacific, Canada, and Latin America. And the level of protection varies greatly – from protecting only employee data, to everyone’s personal data, to online, mobile, financial, etc.

If you are an individual, pay attention to what you share online and how you maintain the security of your data (don’t write your passwords down on a post-it note and stick it to your computer and don’t email ID and credit cards without encryption…and that include efax). If you’re a business, pay attention to what data you collect, whether you need to collect it, how you use it, share it, and secure it – and for goodness sake, know how you long you retain it and DESTROY it.

That’s what a privacy attorney does. In a very small yet profound nutshell.