Thursday, June 30, 2005

Moonlight in Vermont

From the Bennington (Vermont) Banner comes a story of a defense attorney arguing that HIPAA prohibits the disclosure of mental health records from the state prison in this case:

"Prosecutors are seeking a Burlington murder suspect's medical records from the Vermont Department of Corrections to determine if he is mentally fit to stand trial.
The Corrections Department records, which date back eight years, are critical to supporting or disproving whether Gerald Montgomery is mentally incompetent, Mary Morrissey, a deputy Chittenden County state's attorney, told Vermont District Court Judge Michael Kupersmith on Tuesday.
"This is a man charged with murder and kidnapping," Morrissey said."

An independent, court-appointed psychiatrist says that Montgomery hears voices, but could be faking, so the state wants to see his records from prison to see if there is anything that would support this.

"Brenner also argued that Montgomery's health records are private and their confidentiality protected by state and federal law -- specifically the Health Insurance Portability and Accountability Act, or HIPAA."

Well.... no. The Privacy rule specifically lists this sort of disclosure as allowed when requested by court order. State law I don't know about, but I suspect it also has this as an exception.

In the Navy

Military providers come online: from the National Naval Medical Center Journal, at
"Although he says he does not envision identifier codes replacing everything, or solving all problems, Fennewald said he envisions it limiting record losses and unauthorized access to records."

Friday, June 24, 2005

If You Have to Ask

Wow! This is really cool: a searchable HIPAA database from Ask Sam. Definitely something to add to your favorites.

Wednesday, June 22, 2005

Key to the Gate

Jeff over at HIPAA Blog gets all the best comments. Right now he is involved in a dialog with Diva of Disgruntled that points up a number of issues. From what I can tell, there is plenty of wrong to spread around, and some foolishness and poor judgment on both sides. The situation makes a good example of what can happen when an employer (in this case Kaiser) exposes themselves to an unhappy ex-employee. Some important points here:
Your biggest threat is from within. We spend tons of time building defenses against the uber hacker when most of the time he really isn't all that interested in us. These defenses are important, though, because part of why he isn't interested in us is that we are hard to crack, and there are so many other easy targets out there. Anyone who wants to understand how most hackers work should read a good history of the campaigns of Caesar Borgia, Lucretia's older brother, and the man that Machiavelli based The Prince on. Borgia conquered most of Italy in a very short time, mostly by not conquering it. If a city was a hard nut to crack, he bypassed it, knowing that there were plenty of easier targets. If he really wanted a city, and the defenses were strong, he bribed someone inside to let him in.
Think about it. Who knows your defenses and systems? The folks who work with them, or in this case someone who used to work with them. And who is most likely to want to do you harm? Some joyriding script-kiddy out to show his buddies how good his kung fu is, or someone who feels they have been done wrong, and who has little to lose?
So what do you do to minimize your exposure here? Like everything else it is way better to prevent fires than to be a fireman. Screen your employees carefully. Treat them well. Monitor their activities. And make sure that you terminate them with dignity. Fighting with someone over a few dollars of unemployment insurance may save you some pennies in the short term, but you will make an enemy of someone who has the keys to the postern gate, a map to the stronghold, and the secret password that opens the citadel.
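"Monitor their activities" and "terminate them with dignity" come down, on the technical side, to one dull but essential check: does anyone who has left still have working keys? The script below is an added example, not something from the original post or from Kaiser; it reconciles a constructed HR termination list against a constructed authentication log and a constructed directory export, and flags both post-termination activity and terminated accounts that were never disabled. Every user name, date, address and log line in it is made up for illustration.

```python
# Added example, not from the original post: reconcile an HR termination list
# against authentication logs so that an ex-employee's still-working credentials
# show up as findings. All names, dates, addresses and log lines are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed HR feed: username -> termination date; None means still employed.
TERMINATIONS = {
    "jdoe": None,
    "msmith": datetime(2005, 6, 10),
    "rlee": datetime(2005, 5, 1),
}

# Constructed directory export: accounts that can still authenticate today.
ENABLED_ACCOUNTS = {"jdoe", "msmith", "rlee"}

# Constructed internal address range; anything outside it is treated as remote.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed auth log, one event per line: "<ISO time> <user> <result> <source IP>"
AUTH_LOG = """\
2005-06-11T08:02:11 jdoe login-ok 10.0.4.22
2005-06-11T22:15:40 msmith login-ok 203.0.113.9
2005-06-12T01:03:05 msmith login-ok 203.0.113.9
2005-06-12T09:10:00 rlee login-fail 10.0.4.31
2005-06-13T09:12:44 jdoe login-ok 10.0.4.22
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # post_termination_login | post_termination_attempt | account_still_enabled
    when: datetime
    source: str
    remote: bool     # True when the source address lies outside INTERNAL_NET


def parse_auth_log(text):
    """Turn the space-separated log into (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def is_remote(source):
    return ipaddress.ip_address(source) not in INTERNAL_NET


def audit_offboarding(events, terminations, enabled_accounts):
    """Flag any authentication activity by a terminated user, and any terminated
    user whose account is still enabled, whether or not it has been used."""
    findings = []
    for ts, user, result, source in events:
        term_date = terminations.get(user)
        if term_date is None or ts < term_date:
            continue  # current employee, or activity before the termination date
        kind = "post_termination_login" if result == "login-ok" else "post_termination_attempt"
        findings.append(Finding(user, kind, ts, source, is_remote(source)))
    for user, term_date in terminations.items():
        if term_date is not None and user in enabled_accounts:
            findings.append(Finding(user, "account_still_enabled", term_date, "-", False))
    return findings


def urgent(findings):
    """Successful logins by terminated users from outside the internal network."""
    return [f for f in findings if f.kind == "post_termination_login" and f.remote]


if __name__ == "__main__":
    results = audit_offboarding(parse_auth_log(AUTH_LOG), TERMINATIONS, ENABLED_ACCOUNTS)
    for f in results:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:8} {f.kind:26} {f.source:14} remote={f.remote}")
    print(f"{len(urgent(results))} urgent finding(s)")
```

The "account still enabled" finding is the important one: it fires even when the log is quiet, which is exactly the case of the disgruntled ex-employee who has not used the key yet. In practice the HR feed and directory export would come from the real systems rather than the constructed dictionaries here, and the check should run on a schedule rather than once.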

Monday, June 20, 2005

Every State Line

From the Providence Business News comes some more stuff on how state laws can preempt HIPAA, and how it is important to understand both, and how they apply to you.

"It's a complicated, specific area of law, Zubiago said, and not all people who interact with the health care system understand it."

You no doubt noticed that some of the examples would not be violations under HIPAA, but combined with the state law, and the added awareness of privacy issues that HIPAA brings they make a pretty good cautionary tale, indeed.

Thursday, June 16, 2005

Practice Makes Perfect

Some excellent practical suggestions on wireless from ComputerWorld---

"Stehman listed several best practices executives can follow to avoid compliance problems. Among them are making sure of the following:
  • All user devices are tested and certified by the IT staff prior to being connected to the wireless network.
  • Help desk support personnel receive hands-on training for all of the wireless devices certified by IT staffers.
  • Wireless users are briefed on how to comply with enterprise security requirements.
  • All wireless-enabled applications pass security and performance requirements prior to being deployed.
  • All wireless applications have a designated owner."

More stuff like this is needed--- there is no end of articles telling us about encryption, types of attacks, wireless protocols and technical stuff that you and I love, but to the users is just more crap in the way of doing their job.
(Shamelessly crossposted from my other blog KeepItSafe.)

Protect and Survive

From Newswise comes this interesting snippet---
CHERYL CAMIN, attorney at GARDERE WYNNE SEWELL: "The Justice Department's recent ruling, which sharply limited criminal liability for violations of the HIPAA privacy rule by individuals and companies, should not be read as letting violators off the hook completely. They may still be criminally or civilly liable under other federal and state laws. If a hospital is found liable for an employee or vendor's mistake, the hospital may seek recourse against them for breach of contract. And this announcement may not be the final word on HIPAA liability, either. Additional interpretations of this and future DOJ rulings will shed more light on who really may be held accountable under HIPAA."
Once again, here in Washington State, as in several other states, we have privacy laws that are a little more fierce than HIPAA, and so preempt them. It is important that you include your state privacy laws and guidelines in any HIPAA training that you provide for your employees. It would be a shame to be perfectly in compliance with HIPAA, have a complaint, and still be in violation under state law.

Monday, June 13, 2005

No Cure for the Pure

No, no, no, no, no!
Don't do this:
"...he was not happy when a Charlotte doctor's office insisted on having his Social Security number when Locke brought his 16-year-old son in for treatment last month.
In the wrong hands, Social Security numbers are identity theft booster rockets. They're used by criminals to open credit card accounts, commit financial fraud and put a victim into a mess of debt.
Why did the doctor's office -- Mecklenburg Dermatology Associates -- need his Social Security number?
The office manager, Felicia Canty, said it's required by HIPAA, the federal medical privacy law."

This stuff is hard enough to deal with. Let's not set up adversarial relationships with the very people we are supposed to be helping. Whether this was a training issue, or just an office manager who just wasn't going to be told how things work (and as a sometime consultant, I know that the real power in the office is the office manager--- regardless of whose name is on the corner office door--- fail to sell the office manager on a new compliance measure or procedure, and you have wasted your money and time) doesn't really matter. What matters is this is thunderously rotten customer service, and a very stupid thing to get yourself in the paper over.

Thursday, June 09, 2005

Justice in a Barrel

So if you haven't heard already, the DOJ has issued an opinion that clarifies and further muddies (ain't that the way it goes?) the confusion of who is criminally liable in HIPAA violation cases. As the famous Gibson case has been held up in the past as a guideline for the rest of us in dealing with employees and their actions, this is pretty revolutionary stuff, but at the same time makes a sort of sense: Covered entities are covered entities, not their employees or associates.
Will this make it less easy for you to coerce your employees into compliance?
Well, yes and no.
As Jeff points out over at the always readable HIPAA Blog, the responsibility always was on the covered entity to ensure compliance. That hasn't changed; what has changed is the size of the cudgel you wield. Before you could have said that if they weren't good little boys and girls and didn't eat their broccoli that the big bad HIPAA cops would come and get them. But in truth, the big bad HIPAA cops were probably never going to get them anyway. It was always up to you. Your rules, your policies, your responsibility to enforce.
On the front line, this is probably less of a big deal than it seems, especially here in Washington State, where our state laws on privacy are rough enough that even the HIPAA enforcers back slowly away, careful to avoid eye contact. But boy howdy has it got the dander up on the blogosphere! For a rundown on this donnybrook check out this and this. Read through the links--- it reminds me a little of some of the flame wars on the political sites I frequent.
Bruce Schneier, the security guru, thinks the law has been gutted, Jeff at HIPAA Blog disagrees. Both have good reasons to think what they do. Schneier comes from an IT background, as do I, and one of the results of that is the certain knowledge that there is no real privacy, only ways to make it inconvenient for the black hats to get at your stuff. HIPAA is one of those inconveniences, and anything that looks to make it less effective as a deterrent is going to bug him. Jeff is a lawyer, and his take on things carries some weight based on his experience with how the law actually shakes out in the courts.
The only one of my regular sources to not yet weigh in on this is Bob Coffield at Healthcare Blog Law. You can join me in checking back with him here.
At any rate, this is more fun than a possum in a lint bag.

Monday, June 06, 2005

Everybody Loves a Happy Ending

Here is a cure for that low-down feeling you may have been suffering as you slog through the latest set of steps to compliance: Cecilia woman on the front lines in nationwide ethics battle. (Hardin County, Kentucky, News-Enterprise.)
Read the whole thing--- at first it seems like regular lawsuit boilerplate. But cases like this are why HIPAA came into being, and it has all the classic elements of an epic drama--- veteran done wrong, innocent children in the way, an unresponsive, faceless mega-company, crusading attorneys--- and it has a happy ending!

Friday, June 03, 2005

Eve of Destruction

An interesting development on the privacy front, as the FTC jumps in with new rules for every employer:

"On Wednesday, a new federal law kicked in requiring those who handle other people's personal information to dispose of the data properly. Recycling the paperwork isn't good enough -- it must be destroyed, the rule says, rendered useless to anyone who might stumble upon it.
The disposal rule, developed by the Federal Trade Commission, covers all employers, large and small -- even those with only one employee.
"You might be surprised," warned FTC attorney Catherine Armstrong. "If you hire a contractor or a nanny, you are covered by this law."
Even if you ordered a background check on your kid's coach, or nanny, or -- as is the latest trend in online dating -- on a prospective blind date, the law applies to you."

Of course, we are all handling private information as if it were our own mother's PHI, right? The same precautions that work for PHI can work for pretty much any data we don't want spread around, from embarrassing love poetry we wrote in high school to customer lists and employee SS numbers. It is all just data, and can be protected in exactly the same fashion.
Read it and learn, from MSNBC.

Wire Shock

All of this technology doesn't have to be our enemy, and some basic precautions can make our technological journey as smooth as the one described in this Microsoft whitepaper from last year:

"Prior to deploying the mobile management system at Bienville Orthopaedic, all paper charts were located in a records room and pulled for the day's appointments. A new patient might fill out four to five additional paper forms upon arrival. Medical assistants have added blood pressure, weight, and patient's condition on another sheet of paper. Finally, the doctor has added a dictated diagnosis and several procedure notes. Completing the medical records for each day's appointments required several hours of costly transcription and lengthened the billing and reimbursement cycle by days or weeks... 'The wireless messaging and mobility of the system is an excellent efficiency tool for us. A patient will call in with a medical issue and the message will be sent directly to the doctor's Tablet PC,' said Dr. Guy Spinelli, Granite Medical."

As you might expect, there is little mention in the piece of the possible risks involved, which are considerable, but manageable. In fact, I came to the HIPAA table as the result of doing a consultation in my IT capacity for a homecare organization where we ended up with a similar solution. Your integrated wireless solution can be made secure, but keep in mind these cautions--- Jeff at HIPAA Blog has his usually excellent suggestions here, and a post today on Bluetooth here. And I have given it a whirl around the floor at my other blog, here.
Be wireless, but be safe.