Archive for the ‘Medical Records – Privacy’ Category

Bar Codes, QR Codes and more: The Intersection of Technology and Life

Thursday, May 5th, 2011

Is that a UPC on your Business Card?

The business cards I ordered arrived yesterday.  I tore into the package to do the usual inspection.  Is my name spelled correctly?  Is the card stock heavy enough?  Did they use the desired typeface?  Yes. Yes. And Yes.  But I needed to ask one additional question: Does the QR code link correctly?   I know what you are thinking:  What is a QR Code and why is it on your business card?  Let’s try an experiment.

The image you see above is a QR Code.  Although it looks similar to a UPC Code, it is actually a Quick Response Code. A Quick Response Code is a pixel generated collection of information packaged into a neat square comprised of dot artwork.  Go ahead. Use your iPhone (or other smart phone) to snap this QR code.  I should tell you that you will need to download a free app to read the QR code.  (QR Reader, easily found in any App Store or Marketplace should do the trick.)  Now, where did that take you?

Much like a barcode, you can create your personal QR Code, in multiple versions, with each version containing a specific message or URL.  The information is read with an optical scanner that recognizes the universal code. The ubiquitous camera cell phone serves as the quick scan reader.

A neat party trick?  Maybe.  But it also serves as a very easy way for me to connect with my technologically savvy clients.  In one click, my clients are directed to my mobile website containing my telephone number, email address and profile.  The link can be updated to contain a map with directional information to my office also.  All from their smart phone.

A Grocery Store or a Hospital:  Technology in Healthcare

If you’ve been to a hospital lately, you have probably noticed the prevalence of technology in the hospital setting.  Specifically, barcodes.  They are everywhere.  On the charts, on the patient’s wrist.  It can make you wonder if you are shopping for groceries or checking in on Mom and the newest addition to the family.

The first attempts to introduce bar codes into the hospital setting came in the late 1970’s when National Cash Register offered a product built around bar codes.  Bar codes were placed next to computer terminals on patient units.  Staff were instructed to swipe the patient’s bar code label, then the bar codes of the tests, procedures and medications.

The idea then and now is to reduce the number of errors that occur when humans read or transcribe information.  Although certainly the error rate can be reduced with due caution, it is difficult to replicate the accuracy and reliability afforded by a computer.  Accordingly, on a nationwide basis, hospitals currently utilize bar codes to assist in patient registration and admission processes, patient safety, clinical care delivery, patient tracing, product/supply logistics and material management coordination and patient accounting and billing.  Not only are bar codes being used, but so are electronic medical records.  With both their advocates and their detractors, it certainly appears that they are here to stay, as discussed here.  All are representative of the health care industry’s attempts to reduce errors.

Technology — its symbols and its terminology — is here to stay.  If you are unwilling to accept technology and its invasion, I suggest you spend some time with a three-year-old and a computer or a smartphone.  I have, and let me tell you, she could probably teach me a thing or two.  There is no replacement for face to face contact, but if technology can help with client contact and patient safety, I’m on board.

It doesn’t say “leave a response” down below for nothing. Feel free to let us know YOUR thoughts.

Question:  What about you?  Have you seen QR codes popping up in everyday life?  Are you still fighting the tide of technology or are you fully immersed?

Week in Review: If you missed this past week’s blogs – catch up!

Sunday, April 10th, 2011

This past week was a busy one for our bloggers. It was also a very busy week in our law practice. Over the last two months, we have also had two new lawyers join us – Sarah Keogh and Jason Penn. Sarah has contributed a number of posts already. Jason, who just started this past Monday, will soon be sharing his contributions, thoughts and comments with you as well. We’re very happy to have both of them. I’m sure you join us in wishing them a very warm welcome.

Last week our writers covered a number of topics related to health, medicine, child safety, medical technology and patient safety. We started the week off with a piece by Brian Nash on some key facts women need to be aware of when having an epidural for labor, delivery and post-partum pain relief.


There can be no doubt that thousands of epidurals are administered to women every day throughout this country. This form of analgesia (pain relief) has become probably the most popular form of anesthetic management and apparently is generally believed to be essentially risk free. As this week’s piece, Having an epidural when you have your baby? 3 questions to ask the doctor, reports, some literature gives the figure of complications from epidurals as high as 23% - ranging in severity from minor inconveniences, to life-long major disabilities and even death.

This particular piece was written as a result of several cases in which we have been involved when women, who had undergone an epidural, became essentially paralyzed from the waist down. We raise some questions for women to ask the doctor and suggest they just might want to ask those questions before they find themselves in the process of labor or when they are going through the recovery phase of having given birth to their baby. We believe it’s an important piece for women – and frankly for all – to read so that they have a much better idea of what they should expect with an epidural and what the risks and benefits are of this wonderful yet potentially life-altering anesthetic technique.


On Wednesday, Jon Stefanuca again brought to the public’s attention a problem that is probably as old as childbirth. Everyone who has had the experience of taking care of a child – particularly a baby – knows that along with the joy of parenting comes the physical and emotional toll on parents and care-givers. The human condition makes us all susceptible to being less than completely tolerant, forgiving and gentle with little ones when we are under stress, frustrated or just plain exhausted. The response to the persistent crying can simply not be “a good shake.”

Medicine and science (and unfortunately the courtroom) have given a name to a syndrome of injury babies can suffer when that “just a good shake” approach is used. While a parent or care-giver may think it unimaginable to strike a child, they may not realize just how much harm they can do with “just a good shake.” Jon brings this information and some expert tips and tricks on how to deal with these difficult times parents and care-givers face in their everyday lives in his piece Shaken Baby Syndrome – What we all should know to prevent child abuse.

Makena: New Anti-Prematurity Drug

Thursday, Sarah Keogh reported on a relatively new drug called Makena, which has been found to help pregnant women, who have previously had a premature infant. I say “relatively” since according to Sarah’s piece, a compounding pharmacy could and was making this medication prior to the FDA giving K-V Pharmaceutical Company the exclusive rights to manufacture this drug for a period of 7 years.

Read Sarah’s piece, Makena: Drug to fight prematurity leads to major firestorm, and see what the controversy is all about. How could people possibly be upset with a drug that can fight premature birth? Prematurity is one of the major causes of significant childbirth injuries such as cerebral palsy. Sarah’s blog makes it all too clear why people are upset and why the March of Dimes withdrew its sponsorship for Makena.

Medical Technology and Patient Safety

The week ended with Part II of my series on medical technology and whether all the new toys, bells and whistles of our modern healthcare system are truly advancing safe, efficient and effective delivery of healthcare. The week’s piece focuses on perhaps one of the largest advances in the healthcare industry – electronic medical records (EMR).

The blog, Medical Technology and Patient Safety – Part II – EMR’s (electronic medical records), brings a lawyer’s perspective to this topic. Much has already been written – and frankly will continue to be written – about EMR’s by the medical profession. Controversy has filled the pages of journals and at times probably slowed traffic on the internet (okay – maybe that’s a bit of an exaggeration) since this new marvelous technological advance was rolled-out in our medical institutions.  Those writing and fighting about it have been the end-users themselves – the medical professionals, who have to deal with the issues and flaws that have surfaced with this wonderful new technology. I thought it was about time to tell you how this plays out by another end-user – the lawyer who now deals with EMR’s. This piece is also intended as the foundation for what we as lawyers have seen play-out in terms of patient safety and health as a result of EMR implementation.

Sneak Peek of the Week Ahead

I anticipate that next week we’ll be seeing Jason Penn with his first blog on a recent report about numerous safety violations by hospitals in our practice jurisdictions – Maryland and Washington, D.C. Mike Sanders will be bringing to our readers an old but back-in-the-news report on super infections, which still seem to be – unfortunately – thriving in our nation’s hospitals. We’ll start off this coming week with a piece by Theresa Neumann, our highly acclaimed in-house physician’s assistant expert, on spinal stroke. We all know about strokes that can damage the brain. Theresa will be sharing her insights on an equally devastating stroke of the spinal cord. I also suspect – shhh – that we’ll be reading more from Sarah Keogh this coming week. If the practice of law doesn’t get too much in the way, I am also hoping to share with you some real life examples – from a lawyer’s perspective – of just how EMR’s may not be advancing the causes of patient safety and health.

As with all our blogs, we sincerely invite you to not only read our thoughts and comments but to also share yours with us and our readers. Our latest stats show that around 10,000 pages are viewed by our readers and visitors every month! We sincerely thank all of you, who have taken the time out of your busy lives to read our offerings in The Eye Opener – Views and Opinions from the Nash Community. We invite you to share our posts with your friends and colleagues. Don’t forget to sign-up for easy delivery to your email inbox. Last – but certainly not least – come join our social media communities on Facebook and Twitter.

Medical Technology and Patient Safety – Part II – EMR’s (electronic medical records)

Saturday, April 9th, 2011

Let’s begin the discussion about whether or not medical technology is truly advancing the efficient and safe delivery of patient care with the topic of electronic medical records (EMR’s). Much has already been written on this subject; however, a recap of some of the arguments being made – pro and con – for EMR’s will set the stage for what I believe is the major problem with this technological advance.

If you have ever had to review old-fashioned hand-written records relating to a patient’s care, which I’ve been doing now for almost four decades, you were thrilled – at least initially - when you heard about the advent of this new, eye-strain-saving project. Not only was I counting on cutting down the number of times I would have to increase the strength of my prescription eyeglasses, I figured I might now be able to actually read what the healthcare provider learned by history, found on examination, thought was the more likely diagnoses causing the patient’s presenting complaint and what the doctor’s plans were to address the medical problem confronting that healthcare provider. What a bonus! No more guessing! Too good to be true?

Now with EMR’s, when you request medical records from a healthcare provider, you could expect to receive – presumably with the push of a “print” button – not papyrus-like records filled with hieroglyphics, but a formatted, easily readable comprehensive rendition of what happened in the course of patient care. Well, not so fast, I quickly learned.

With the arrival of EMR’s, I became mired in a world of radio buttons, drop down menus, cryptic narratives that didn’t really match the fill-in-the-blanks charting, and a world of metadata to find out the story-behind-the-story (like who accessed the EMR, what they were looking at and when they saw it).

Now let’s be real – I sincerely doubt that the medical profession and the computer and software vendors had lawyers in mind when they created and rolled-out this new marvel. As the medical profession is so quick to point out to us lawyers, lawyers are not the ones in the trenches trying to make people better and save lives. We’re the bottom feeders (oh yeah – that’s their description so many times), who do nothing but second guess for our personal monetary gain the medical community’s valiant efforts. That discussion is for another day!

Turns out, however, that it is not only my kind screaming about how this modern medical technology has flaw upon flaw associated with it; the medical profession has serious, second thoughts about just how wonderful EMR’s are.

The Concepts Behind EMR’s

Just do a search in your favorite search engine on the topic of EMR’s – add the word “controversy” or get really ingenious and pose the question: “What are the pro’s and con’s of EMR’s?” While you’re combing through page after page of search results, take note of who is writing about why EMR’s are not the next best thing to sliced bread. I’ll save you the task; it’s the medical profession. That’s right, the very people who hailed the advent of EMR’s and extolled the many intended virtues of this technology.

The Pro’s of EMR’s:

Here are some of the intended benefits of EMR’s:

  • improve the quality of patient healthcare through instant, universal access to patient data (at the click of a mouse or push of a button)
  • avoid, if not eradicate, the “unreadability” (interpretation: I can’t read your handwriting; what are you telling me?) of hand-written chart entries.
  • improve patient safety through better detection of adverse events. The intended goal is premised on EMR’s having a central database of patient information, decision-making, outcomes (including adverse events) and other key epidemiological data available and accessible for analysis.
  • enhanced quality of care through immediate access of all pertinent patient information (e.g. testing, radiological studies, medications, vital signs, laboratory studies, etc.) so that caregivers can make better, faster and more informed decisions about continuing plans of care.
  • making healthcare more cost efficient by reducing unnecessary redundancy of testing (due to inability to locate prior paper-based information), digital access to key points of patient data rather than the waste incurred through manual search of past records from various healthcare provider sources, copying, faxing, etc.
  • keeping records safe: with proper digital storage measures, there can be avoidance of destruction, misplacement and the like.
  • overcoming inaccurate past medical history (PMH) information since care providers would have access to a patient’s “true and accurate” medical history by accessing stored medical data. Healthcare providers would no longer be relying on ofttimes faulty patient memory of PMH.
  • improved coordination and information exchange between healthcare providers. Studies have shown that the communication and transfer of information between primary care physicians and hospital-based physicians has been less than optimal.
  • improved, accessible and faster surveillance capabilities for wide scale events such as epidemics, catastrophic natural disasters (e.g. Katrina) and even bioterrorism.

I have absolutely no doubt that there are a host of other EMR pro’s. Yet even though the concept of EMR’s has apparently been the topic of discussion for about forty years and there are so many potential benefits inherent in their use, one must wonder – why did it take so long to implement EMR’s and why are they not being fervently embraced throughout the medical profession?

Some Con’s

As with many great modern marvels, once the allure of the new toy wears-off and implementation begins, some of the flaws begin to surface. EMR’s clearly have their share of warts.

  • privacy concerns – do EMR’s have the ability to turn the sacrosanct confidential communications between physician and patient on their ear? Some scream a resounding “yes.” Some have expressed deep-seated concerns that such accessible data will be used against a patient when they apply for jobs, health insurance, or – I’ve seen said – even a college scholarship. The potential inclusion of genetic data in EMR’s and the accessibility by researchers or others who don’t fit the need-to-know category also has privacy advocates screaming “foul.”
  • loss of the benefit of provider narratives (which were the norm in hand-written charts) so as to better appreciate the subtleties and thought processes of medical care. It is often said that medicine is an art, not a science. The ability to appreciate the art of medicine, some fear, has been lost when all that you can glean is pre-formatted information from drop-down menus and radio buttons. There’s no longer an ability to appreciate the true thinking process of the caregiver. Some refer to these problems as blind and meaningless use of short-cuts, templates and pre-fills, which don’t allow subsequent caregivers relying on EMR charts to get a true and accurate picture of a prior caregiver’s true thoughts. Apparently, quicker and easier input does not always translate into better or more accurate information.

Think I’m making this one up? Here’s what one internist at Harvard Medical School had to say about EMR’s:

Harvard Medical School internist and entrepreneur Dr. Rushika Fernandopulle says that many EMRs are designed to improve coding and maximize reimbursements, often at the expense of clinician functionality. “When you’re trying to read the notes of your colleague [in an EMR], it’s almost impossible to figure out what happened to the patient,” Fernandopulle tells the Journal. “You have to read through two pages of all this junk that’s put in to increase billing.”

  • Notwithstanding the claims of EMR advocates, many in healthcare and related fields firmly believe that EMR’s are not safe and secure. They point out that despite encryption and restricted access through log-in’s via usernames and passwords, there are numerous and disturbing instances of hackers gaining access to private patient information.

• November 26, 2007, Canada. Hackers accessed medical information on HIV and hepatitis from a Canadian health agency computer.
• September 22, 2008, UK. The National Health Service (NHS) reported the loss of 4 CDs in the mail containing information on 17,990 employees.
• September 30, 2008, US. The company Blue Cross and Blue Shield of Louisiana confirmed breach of personal data, including Social Security numbers, phone numbers and addresses of about 1,700 brokers. The data was accidentally attached to a general email.

(source: The HWN Team @

  • computer-driven healthcare is potentially hazardous to one’s health. Rather than paraphrase, let me share one comment I found on a blog extolling the virtues of EMR’s:

Try telling that to a computer: I am on medication that I take every three days. So, a normal 30 day supply last[s] me 90 days. However, the computer at my pharmacy automatically renews the prescription and I get a phone call every month asking me to come pick it up. I now have a year’s worth of pills on hand and they’ll expire before I can take them (which means I should not take them as they may not be effective). So, I called on Friday to tell them that I wanted to opt out of the system. The nice person informed me that I had been removed from the system. 9:01 AM Today (Monday) I got a call, telling me that my prescription is ready to be picked up. This is what happens when people cede thinking and into the ‘computer said it so it must be true’ mindset that we’ve all experienced from time to time to maddening effect.

  • way too much information, a lot of which is purely redundant and distracting. From my perspective as a lawyer, this is a major problem with EMR’s. A click of a radio button or a selection from a drop-down menu often generates duplicate entry data in a host of other fields across the system. As you try working your way through the jungle of screens or paper generated by EMR’s, you say to yourself, “Didn’t I just read that same thing somewhere else?” Now put yourself in the shoes of a healthcare provider. You have a number of patients to see, orders to give, reports on patients to share, calls from your pager to answer – and all you want to know when checking a patient’s EMR is some key information so you can do what needs to be done and move on. What do you find? More information than you ever wanted or needed and at times conflicting information. Frustration mounts and you yearn for the days of color-coded, hand-written charts.
  • How fast can you type? Simple but real issue for apparently many in the medical profession. EMR’s are meant to save time – perhaps not!
  • How fast do the records load? Some have become frustrated when using internet portals for records with very slow loading time of EMR’s when using over-utilized internet connections during peak usage hours.
  • those developing the EMR software failed to consult with practitioners before rolling out their product leading to templates, care strategies and selection choices that have no practical use for actual caregivers.

Just as is the case with the pro’s, there are many more con’s being voiced throughout the internet by medical care providers. That being said, I am of the firm belief that one of the biggest flaws is the manner in which EMR’s were and continue to be implemented – rolled out for use – in our medical institutions and physician offices. This can range from lack of training, lack of quality control, lack of system-wide coordination – you name it. In the rush to purchase, upload and put in use EMR’s, too little thought seems to have been given too many times to such projects before implementation. After the implementation, many problems started to rear their ugly heads.

Here are but a few examples of poor implementation voiced by a nurse, Kaye, in a comment she posted to the first installment of this series. Make sure to take particular note of Kaye’s fourth point!

1. Facilities are not getting input from the potential users before purchasing. Cost and JC compliance is more important than usability. “Here is your new system. Make it work.”
2. Seasoned nurses and ancillary staff are not given the considerations deserving of the huge technological changes. It’s a whole other language. A COW (Computer On Wheels) stands in the field.
3. A culture clash has developed between nursing and the IT department who cannot appreciate the urgency of correcting problems.
4. At my facility, there are 3 different systems. They don’t ‘talk’ to each other. Whose idea was that?

I could go on; but you get the point.

In my next installment, I will share with you more real-life examples of just how misleading, inaccurate and unsafe EMR’s can be. Just to give you a tease – how about the case of a woman who was paralyzed following an epidural for labor and post-childbirth pain relief. Hours after she was diagnosed by a neurologist as having suffered injury to her spinal cord leaving her with significant, devastating motor deficits and sensory loss, she was noted by a nurse in the EMR to be “ambulating [i.e. walking] x 2”? I wonder if that would have happened if the nurse had to hand-write that entry and not just click on a drop down menu choice. There will be plenty more examples of just how effective and safe EMR’s have turned out to be. Stay tuned and tune in to Part III coming next week.

Related Posts: Medical Technology and Patient Safety: EMR’s, COW’s, iPads, etc. – are they really doing the job? Part I.


Are Your HIPAA Privacy Rights Really Being Protected? New Study Suggests They Are Not!

Monday, November 15th, 2010

Anyone who has been to a healthcare provider in the last five years has become familiar with a HIPAA Release form. As a patient, you are required to sign the form giving the provider permission to release confidential medical records to your insurance company. Along with the form you may have been given a summary of the law describing your rights. I usually get a shrug and an apology from the registration staff for having to repeatedly ask me to sign the same form. However, it has always seemed to me healthcare workers were taking the law seriously and complying with its regulations.

I was surprised to learn recently hospitals are not shoring up their responsibility under the federal law to protect the unwarranted release or loss of my data. Individual physician office practices are scoring even lower in their protection of confidential patient data. Ponemon Institute released a benchmark study this past week on hospital compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While I was not able to access the full report, their press release was compelling enough.

Federal and civil penalties for HIPAA privacy and security breaches were significantly increased as part of the HITECH Section of the American Recovery and Reinvestment Act which took effect on February 17, 2010.  Along with billions of dollars for investment into creating electronic health records (EHR), additional funding was allocated to ensure breaches in confidentiality would be investigated and violators successfully penalized. Key provisions of the HITECH regulations now include:


  • Fines will be imposed even when a violator unknowingly violates the act. The minimum penalty is $100 with an annual maximum for repeat minimal violations of $25,000.  If the violation is severe, regardless of the circumstances, a provider can be fined up to $50,000 per violation with an annual maximum fine of $1.5 million. No penalty will be imposed if the violation is corrected in 30 days.


  • This penalty is reserved for the provider, who is aware of the act and willfully, but not neglectfully, accesses medical data without patient consent. Such infractions could occur during the course of patient transfer to another facility when a provider might want to learn the clinical outcome of a prior patient. Fines in this category range from $1,000 to a maximum of $100,000 for repeated violations.


  • Willful neglect will cost a provider anywhere from a minimum of $10,000 to a maximum of $250,000 per violation. Maximum penalties for repeat offenses remain up to $50,000 to $1.5 million. Lesser penalties will be imposed if the provider corrects the violation within 30 days. Maximum penalties apply when violations are not remedied in 30 days. Examples of violations might be an unsecured server; exposed passwords; and/or data leaving secured provisions for analysis purposes.


  • Individuals who knowingly release health information and/or medical record data may be criminally prosecuted and spend 1 year in jail in addition to fines of up to $50,000. A violation using a false pretense basis is more serious. Such offenses can land individuals up to 5 years in jail in addition to fines up to $100,000. Selling or maliciously using health information for personal or financial gain comes with a 10 year prison sentence and fines up to $250,000.

With the above looming penalties, providers have been required to report all breaches involving 500 unencrypted medical records or more since September 2009. Some states have enacted even tougher laws. Earlier in 2010, Connecticut’s Attorney General, Richard Blumenthal, sued Health Net of Connecticut for misplacing security data for nearly 450,000 enrolled patients along with failing to timely notify them. The lost data included social security numbers, bank account information, and medical health information. The data was lost for 6 months before authorities and patients were notified.

California is one of the states with tough laws supporting patient confidentiality.  During 2010 the state imposed stiff penalties totaling $675,000 against 6 hospitals.

  • $250,000 for one unauthorized employee who was able to access 204 patient medical records.
  • $130,000 for unauthorized access of one patient medical record by 7 employees.
  • $100,000 for unauthorized access of 33 patient medical records by 17 employees.
  • $95,000 for unauthorized access of one patient record by 4 employees.
  • $75,000 for unauthorized access of three patient records by 1 employee.
  • $25,000 for unauthorized access of three patient records by 2 employees.

The Ponemon Institute, a research organization sponsored by ID Experts, conducted a two year study at 65 healthcare organizations and interviewed 211 senior-level managers. Data loss and theft experiences were included in the research. Ponemon reported the following:

Breaches are costing the healthcare industry nearly $6 billion annually.

The average organization had 2.4 data breach incidents over the last 2 years.

Major breaches were unintentional employee action, lost or stolen computing devices, and 3rd party error.

Ponemon went on to report that 58% of the participating organizations have little to no confidence in their ability to protect electronic health records. A staggering 71% have inadequate resources allocated to data security, and 69% would be unable to quickly identify and detect a data theft. Sadly, a majority of the organizations had less than two staff dedicated to data protection management. Reportedly, there were a significant number of undetected data breaches not reported to state and federal authorities. Most interviewed did not feel the HITECH regulations have been an impetus to do a better job.

Ponemon Institute is holding a FREE WEBINAR entitled Benchmark Study on Patient Privacy and Data Security on Tuesday, November 16, 2010 at 1:00pm ET for those interested. ID Experts is reported to be the leader in data breach solutions for government, financial, universities, corporations, and healthcare organizations. While this is clearly a marketing effort, if the research process and what was revealed is solid, which I suspect it is, then the results are staggering and healthcare executives need to tune in.

Another issue looming in the confidential healthcare data world was revealed in the November 14 Baltimore Sun newspaper. Med Chi, a physician medical society representing 22,000 Maryland physicians, is concerned electronic health records can also be altered by drug companies and insurance companies. They are the first medical society in the nation to pass a resolution calling for state legislation to ensure doctors retain the right to control the treatment plan and keep patient records neutral without imposed financial parameters. This resolution follows Maryland legislation last year encouraging physicians to adopt electronic medical records. It seems physicians are fearing daily access and interaction by 3rd party payors and drug companies into what was once a confidential treatment process conducted solely by health professionals.

It seems hackers, thieves, harassers, and paparazzi have an open market at this time. Government regulations and penalties are not making much of an impact. More legislation and regulation is coming, but will my and YOUR data be any safer in the end? What will it take to get the attention and priority agenda of healthcare executives to use the experiences and systems of other industries and get data safeguarded?

Comment from Brian Nash: We will soon be posting a White Paper providing instructions on how to report a HIPAA violation as well as important links to federal and state agencies responsible for the protection of a patient’s rights under HIPAA.