The New Medical Privacy

I did a pre-employment drug test recently for a new position — my first drug test in my multi-decade career. I was past the indignance of my previous decade and the puzzlement I might have experienced the decade before that. After all, for all my ‘interesting’ background, drug use has been anathematic to my life. Not that it was anyone’s business but my own.

The company — Concerna — had an oozy enough name that I was somewhat tense coming in the door. Inside were over a dozen people. Some waiting for pre-employment drug screening, others for OSHA-injury analysis. Behind the counter was a highly proceduralized crew of people that reminded me of all those late-night “you too can be a medical industry professional” advertisements. Lots of on-the-spot training, scrubs on people that clearly didn’t use them, and a sense of grime all about the place. I didn’t sit in any of the rows of chairs. I guy in a 3-piece suit (very out of place in this part of the country) kept walking in and out of the back office area. Smug, with a little soul patch/landing strip kind of beard.

Clearly, I went in seeing baggage. I filled out the forms, then waited as they input them (asking me for the spelling of every field, as reading didn’t seem to be the clerk’s strong suite). Then they gave me some forms to sign. One of them read (paraphrased here), in large letters “Signing this cover letter means have read and accepted the terms of our privacy agreement.” I shuffled papers — didn’t see anything like that. I asked the person behind the counter where it was.

“Um, we have one if you’d like to read it.”

“Of course I want to read it,” I said, “you’re asking me to sign that I read it.”

She fought the filing cabinet for a couple of minutes, then came up with a form. “Here it is,” she said (mechanically) brightly.

“Do you often have people ask for the form?” I asked.

“Oh, yeah,” she said, “all the time.”

If so, I’d guess she probably didn’t give it to ’em often. She didn’t know where it was.

I read the form. At no point did it mention the HIPAA acronym. Don’t get me wrong, HIPAA doesn’t mean your or my privacy is ensured. But at least there’s a nod to the processes and procedures involved.

I called the number for the privacy officer and got immediately bumped to voicemail. Pressed zero, then asked for the Concerna’s Privacy Officer. That led to a different voice mail. I left a message.

To Concerna’s credit (and this is a good thing), she did call me back within ten minutes.

“So, I had a question,” I said. “Are you HIPAA compliant?”

“What’s on the form details our privacy statement,” she said.

“Um, yeah, but are you HIPAA compliant?”

She paused. “We are reasonably compliant with HIPAA,” she said.

Knowing when to fold, as Kenny Rogers pointed it, is a good thing. The woman was upset that the lab didn’t give me the paper, or wanted me to sign without seeing it. She took down the number and location of the lab (“we have so many; I don’t know all of them,” she said) and promised a training update to get them up to speed.

There’s no point in trying to reason with ‘jack in the box’ medical labs. They sell a commodity service to employers, and location and price are the determinants. But to employers, caring about whether their employee information is private should be a priority. And “Concentra is reasonably compliant with HIPAA…and privacy regulations” (quote from their web site) is not, in my professional opinion, good enough.

HIPAA compliance either is or isn’t. It’s like 2/3 pregnant — comply with regulations, or fall short. My social security number, birth date and drivers license number are in the hands of a company that might or might not comply with Federally mandated regulations (pathetic, in light of identity theft).

Employers have a duty to ensure that their subcontractors and vendors adhere to at least the level of privacy that their customers expect from them.