Monday, September 26, 2005

Straight Outta Now Rule

Here it is, the thing you have been waiting for:
HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule
Read, enjoy, there will be a quiz Friday.

Everybody's Got Something to Hide Except for Me and My Monkey.

As a former reporter, I can be sympathetic to those who feel that HIPAA blocks them from being able to do their job correctly. However, much of the time when I hear the HIPAA whine from reporters, they are just flat wrong--- the patient's right to privacy is not trumped in most cases by the public's right to know. There certainly are exceptions, but usually, though sympathetic, I know that the greater good is being served by the privacy given all of us by HIPAA and other privacy laws.
So when I started reading this article in the Missoula Independent, I was sceptical. It sounded like another HIPAA whine. Reading further, I realized that it was, in fact, another case of folks in authority using HIPAA as an excuse to cover up what seems to be, from what I can tell, some negligence somewhere along the line.
I was especially amused by the little jab from one of the interviewees:


“You can thank your buddy Bill Clinton,” Eggensperger told us, by way of explaining his secrecy. When asked what he meant by “your buddy Bill Clinton,” Eggensperger had this to say: “I’ve read your Independent. It’s about as left-wing as it gets. I’m telling you because of your buddy Bill Clinton we can’t give out that information.”
When pressed, Eggensperger said the Sanders county attorney had instructed him to not give out any information. Then he hung up.

Someone a little bitter here? As Jon Stewart asks, "What exactly is the statute of limitations on Bill Clinton?"
As an aside, I have to say this to folks who mouth off to reporters--- you may very well be correct about what you are angry about, but they nearly always get the last word, and their last word is read by the entire circulation of their paper.

Woo-Hah--- Got You All In Check

At the University of Arizona, they are taking HIPAA compliance seriously:

"During "spot checks" she observes activities in the waiting area while disguised as a typical student or patient, Poole said. "I'll put on my jeans and a T-shirt and pull my hair up on top of my head," Poole said.
Unannounced visits also serve the purpose of ensuring that the behavior Poole observes during evaluations is maintained on a daily basis, answering the question, "Did they put on a show because I was coming in, or is this really the way it's done?" Poole said."

As well as keeping very good track of what is going on, they are experimenting with computer kiosks for checking in for appointments (rather than saying your name to a receptionist) and light-up pagers for when it is that patient's turn. I like to see this level of creativity, and from the reactions of the affected students who were interviewed, patients seem to appreciate it too.

Tuesday, September 20, 2005

Rebel Without a Clue

HHS (you know, the government guys who have a clue) came up with this fast-and-dirty solution to difficult-to-obtain prescription records in the wake of the Katrina disaster. They were able, in a very short time, to provide a database for nearly 80% of those affected. The cool thing? It was entirely voluntary.

"The companies voluntarily worked together to create a site where shelter doctors could link to databases from a single source. Otherwise, doctors would have had to cobble together patient information from five sources. The databases contained prescription data for 80 percent of those affected by the storm and floodwaters, he said. The Veterans Affairs Department also contributed data. "

Gold Standard Multimedia of Tampa, Fla., the Medicaid prescription-drug contractor for the three affected states, provided the front end. Looks like they did a bang-up job.
Privacy issues will follow, of course, but the success of this project is pretty clearly the child of the big push for EPHI.

Monday, September 19, 2005

Reflect on Conflict

An interesting new study from Harvard University--- Health IT Report: Coordinating Patient Care Takes Back Seat to Processing Claims:

"Understanding exactly who benefits from electronic health records, and how much, is at the heart of a debate between health care providers and health care payers.
Clinicians say they are pressured to purchase expensive systems that primarily benefit payers.
Payers don't want to help physicians purchase systems that will help provide care to competitors' clients. "

There is money to be saved on every front here. An important reason for electronic records is that somewhere along the line there is money to be saved, in labor costs, in liability, and in other efficiencies. The sad thing for clinicians is that the payers have a bigger stick, and are farther removed from the patient. The middle ground here is probably not going to be in the middle.

Wednesday, September 14, 2005

Nothing to Say

Passed on without comment:

A database of electronic medical records could have helped emergency medical workers care for people displaced by Hurricane Katrina and would have resulted in fewer disruptions in evacuees’ medical needs, according to speakers at the 11th National Health Insurance Portability and Accountability Act (HIPAA) Summit, held Sept. 7-9 in Washington, D.C., and sponsored by the eHealth Initiative.
Many of the evacuees’ original medical records, which were housed in health care providers’ offices in areas affected by the storm, are currently inaccessible, and many likely were destroyed. As a result, emergency medical care providers are having trouble determining what medications evacuees were taking and in what dosages.

Impact is Imminent

Interesting white paper from Apani Networks on Health Insurance Portability and Accountability Act (HIPAA) and its Impact on IT Security :

"HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:
* Administrative Safeguards: Implement policies and procedures to prevent, detect, contain, and correct security violations.
* Physical Safeguards: Implement policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
* Technical Safeguards: Implement policies and procedures that protect and monitor information access, and prevent unauthorized access to data transmitted over a network."

Fight from the Inside

Okay, I have been harping on this forever, but you know, it isn't some spike-haired superhacker who is going to snatch your data. This very well-written article from Insurance Networking News makes the point:

"Circumstances surrounding the majority of insiders who committed acts of sabotage and their resultant acts of destruction followed similar paths:
* The attack was triggered by a negative work-related event.
* Insiders planned their attack in advance.
* When hired, perpetrators had been granted system administrator or privileged access (one-half did not have authorized access at time of incident).
* They used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and/or procedures.
* They compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
* They used remote access to carry out some of the attacks.
* The attacker was detected only after there was a noticeable irregularity in the information system, or when a system became unavailable."

Read the whole thing, please.
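The list above reads like a set of detections waiting to be written: activity by accounts whose access was revoked, accounts created outside the normal provisioning process, remote use of shared accounts, and off-hours remote logons to freshly created accounts. Here is an added example (not code from the article, from Insurance Networking News, or from this blog) that runs those checks over a handful of constructed audit-log lines. The log format ("timestamp EVENT key=value ..."), the rule names, the "shared_" account prefix and the 22:00 to 06:00 off-hours window are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed audit-log lines for the example (not real data). Format assumed here:
# "YYYY-MM-DD HH:MM:SS EVENT key=value key=value ..."
SAMPLE_LOG = """\
2005-09-04 09:00:00 ACCESS_REVOKED actor=hr_admin account=jdoe
2005-09-05 22:10:00 LOGON account=jdoe src=remote
2005-09-05 22:14:03 ACCOUNT_CREATED actor=jdoe account=svc_backup2 ticket=-
2005-09-05 10:30:00 ACCOUNT_CREATED actor=it_ops account=svc_etl ticket=CHG-1042
2005-09-06 01:02:11 LOGON account=svc_backup2 src=remote
2005-09-06 08:00:00 LOGON account=shared_nursing src=remote
2005-09-06 09:15:00 LOGON account=shared_nursing src=console
2005-09-06 09:20:00 LOGON account=mlee src=console
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+)(?P<kv>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "event": m.group("event"),
    }
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def is_off_hours(ts):
    """Assumed business hours for the example: 06:00 to 22:00."""
    return ts.hour >= 22 or ts.hour < 6


def detect(log_text):
    """Return a list of (timestamp, rule, account) findings, in time order."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])

    revoked = set()      # accounts whose access has been revoked so far
    unticketed = set()   # accounts created with no change ticket (possible backdoors)
    findings = []

    def flag(rec, rule, account):
        findings.append((rec["ts"].strftime("%Y-%m-%d %H:%M:%S"), rule, account))

    for rec in records:
        event = rec["event"]
        if event == "ACCESS_REVOKED":
            revoked.add(rec["account"])
        elif event == "ACCOUNT_CREATED":
            # Provisioning by a revoked account, or with no ticket behind it.
            if rec.get("actor") in revoked:
                flag(rec, "revoked-account-activity", rec["actor"])
            if rec.get("ticket", "-") == "-":
                unticketed.add(rec["account"])
                flag(rec, "no-change-ticket", rec["account"])
        elif event == "LOGON":
            account = rec["account"]
            remote = rec.get("src") == "remote"
            if account in revoked:
                flag(rec, "revoked-account-activity", account)
            if remote and account in unticketed:
                flag(rec, "backdoor-account-remote-logon", account)
            if remote and account.startswith("shared_"):
                flag(rec, "shared-account-remote-logon", account)
            if remote and is_off_hours(rec["ts"]):
                flag(rec, "off-hours-remote-logon", account)
    return findings


if __name__ == "__main__":
    for ts, rule, account in detect(SAMPLE_LOG):
        print(f"{ts}  {rule:32s}  {account}")
```

The point of the example is that none of these rules needs anything exotic: a revocation list, a list of change tickets, a naming convention for shared accounts, and timestamps are all most shops already have. What the quoted findings say is that the insider is usually caught by an outage rather than by anyone looking at exactly this kind of record.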

Monday, September 12, 2005

Good Luck Charm

Here are some folks who seem to have their act pretty much together:

"Robert Merritt was worried about the medical ID bracelet he left behind at a hospital.
The bracelet, put on his arm as part of the hospital's routine, contained personal information, including his Social Security number.
After a few days at home, Merritt went back to the hospital, where the administrator put him at ease. The bracelet, he was told, was shredded.
"They were pretty thorough from what I saw," Merritt said."


Read the whole thing, it is an example of both a pretty good article, and a hospital administration who is concerned for patient privacy, and interested in taking advantage of the technologies already available. Remember, this sort of tech is an investment, not an expense. Wisely spent, your tech dollars will return themselves quite nicely in efficiencies, as well as provide some much appreciated regulatory CYA.

La Belle Dame Sans Regrets

From the article in ComputerWorld cited below:

"HIPAA provides for civil penalties of up to $25,000 and criminal penalties of up to $250,000 per year for noncompliance. But the CMS initiates an enforcement process only if a complaint is filed against a company.
As a result, many businesses are unwilling to invest the money and resources needed to comply, said James Bragg, a former HIPAA security officer at a Tulsa, Okla.-based hospital. Bragg said he was laid off earlier this year after he had implemented "very basic levels of access and audit controls" for the hospital. "

Oh, very nice. This is akin to putting your fingers in your ears and chanting "lalala"--- I hope this hospital and others like them find their happy place, because the process is complaint driven. All it takes is one disgruntled employee--- like for instance the HIPAA guy they laid off--- to blow the whistle, and they will be paying lawyers instead of compliance officers. We may be expensive, but few of us bill by the hour.

I Wish on Every Nickle

This is just plain nuts:

"CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP's security team has just two workers who are responsible for securing more than 2,000 servers across two data centers. "

They run 29 hospitals, but only have 2 people for 2,000 servers? What exactly can they be thinking? Hats off to those two techies, 'cause I sure couldn't keep track of my share of that many servers, spread over two data centers and 29 facilities. Do they think they are somehow saving money? More than anything, they should be coming up with a good disaster recovery plan, because they are certainly setting themselves up for a good disaster.
By the way, I think I met these two uber-techs at a HIPAA training in Chicago earlier this year. They are good, alright, but if I had known the kind of responsibility they are shouldering, I would have looked closer for the supersuits hidden under their secret identity outfits.
If this is how it seems, then shame on the CHP administration. Saving a nickel, and overworking two very good, dedicated and knowledgeable people, can only come back to bite you in the end.

Thursday, September 08, 2005

Cover Your Rig

Here is an update on the earlier story about the clinic administrator who was using HIPAA as an excuse to avoid oversight: his butt got fired---

"Late in Wednesday’s meeting, the board discussed a memorandum that Donahue issued last week, restricting access to the clinic for board members and others. Donahue said Friday that he sent the memorandum to comply with the federal Health Insurance Portability and Accountability Act (HIPAA).
County Attorney James Konstanty said the memorandum does appear to comply with HIPAA. However, Dr. Ben Friedell, D-Milford, said he thought the memorandum went beyond what HIPAA mandates and should be revoked."

The County Attorney is wrong. HIPAA specifically allows, as a permitted use, any PHI that might be revealed to the clinic's board under TPO (Treatment, Payment, or Operations). Also, any PHI that could be accidentally seen by a board member walking through the halls would also be visible to other patients. This was blatantly a fanny-cover, and the administrator doing it was counting on nobody understanding HIPAA well enough to call him on it. In the case of the County Attorney, he was right--- the Attorney had an opinion, but sadly it was a wrong one.

Wednesday, September 07, 2005

I Fought the Law

I am often asked at seminars about law enforcement and HIPAA. My answer is usually to provide the attendee with a copy of the Washington State Hospital Association's Hospital and Law Enforcement Guide to Disclosure of Protected Health Information, which is 33 pages long.
The short answer is that law enforcement and healthcare workers have different priorities, and I give a warning that the cops will cheerfully lie to you about their authority if they think it will help them to catch the bad guys. I would too, if I were in their shoes.
An example of how this might play out in your state can be found here, where, predictably, law enforcement wants one thing, and healthcare folks want another. Nearly every state has already addressed this problem, but once again, it isn't the overworked cop's responsibility to ensure your compliance, it is your overworked staffer's responsibility.

Lock Down

WooHoo! Here is a report from Network World that just makes my little IT security heart sing:

"In December, people would receive an e-mail with a Christmas tree that you could click on to decorate. It looked innocent enough, but it wound up installing a keystroke logger on people's computers."

That's bad enough, but when the keystroke logger is on a PC in a pharmacy that is already struggling to keep up with Health Insurance Portability and Accountability Act (HIPAA) privacy mandates, the potential for legal exposure skyrockets. "A keystroke logger is a clear HIPAA violation," Fischer says."

These folks have locked their systems down--- the only hole? The pharmacies, of course, because they require more internet access for obvious reasons. The solution for that final bit of open vulnerability? Training, of course.
It can be done!

Ease My Pain

If you thought you would never see an affected party praise HIPAA, the good folks at the Indiana University Athletic Department are here to ease your pain:

"We are continuing to educate our media, our coaches and our student-athletes about HIPAA, and how important it is to abide by this law," Rhoda said. "I support HIPAA because I feel that it provides clear parameters for releasing injury information."

Read this--- some folks out in the real world do get it, and how it can be a good thing.

Take Up Thy Stethoscope and Walk

Wow, this is really confusing, but it looks like someone is trying to use HIPAA as an excuse to cover up misconduct:

"In a related matter, last week Donahue sent board members a memorandum, telling them, in part, that "no person other than authorized staff should simply walk into the hallway or other areas of the clinic without staff authorization. Persons without authorization will be asked to leave, and appropriate authorities, Oneonta Police or Otsego County Sheriff, will be notified if they fail to comply."
Donahue said Friday that the memorandum was necessary to make sure the clinic complies with the federal Health Insurance Portability and Accountability Act (HIPAA). "

Can anyone make sense of this for me?

Vertical Man

It may be kicking and screaming, and dragged by the hair into the 21st century, but it still is going to happen that even the most reluctant office will eventually use some sort of e-records. From the Channel Insider: "Industry Labors in Anticipation of Health Records Standards"

"If you look at every doctor's office, they have their billing online and in a format like everyone else, but their records are still done largely by hand and kept in those giant vertical cabinets we all know," he said. "HIPAA was supposed to make these things portable."