Monday, October 31, 2005

Old Time Rock N Roll

Frequently I am asked at seminars and in trainings about families and their rights to Aunt Mandy's information. One of the biggest points of resistance to HIPAA compliance, especially among hospital front line workers, is the idea that someone calling from six states away might not be able to get information about a loved one.
We all know cases where this has happened, but we tend to forget that in spite of the concern and desire to know about Aunt Mandy, it may not be any of that person's business, and in fact that person might be the last one Aunt Mandy wants poking into her medical information. This is an old issue, but like many golden oldies it keeps making back onto the playlist. Another is the clergy who can no longer minister to his flock or print prayer requests in the church bulletin. Of course, if she wanted Reverend Finefellow at Aunt Mandy's bedside, there is nothing in HIPAA preventing him from being there, and in any case, the local congregation is not a covered entity, and how much they print in the bulletin is only governed by the limits of space and good taste.
This article, by Cindy Steltz in the Rochester Democrat and Chronicle, does a good job of covering some of the still lingering public concerns, and debunking some of the persistant myths. I'd like to see more of this kind of thing.

Rikki Don't Lose That Number

Further steps toward the dreaded patient identifier here in this report from the Commission on Systemic Interoperability. We know it is going to happen, we know that it really should happen, but when it actually does happen, be prepared for an enormous backlash from patients.

The group urged building on the Health Insurance Portability and Accountability Act (HIPAA) to develop national standards for authentication, authorization and security to gain consumers' confidence for connectivity. The standard could include a unique patient identifier, and Congress should strengthen protections under HIPAA by authorizing federal criminal penalties against those who intentionally access protected data without authorization, according to the commission.

"It is clear that electronic records, appropriately secured, provide a great deal more confidentiality than paper records. But the patchwork of often contradictory state laws, rules and cases preclude the development of a national health information network," said Scott Wallace, commission chair and CEO of the National Alliance for Health IT, an industry group. The commission recommended that AHIC begin work toward an interoperable drug record for all Americans by 2010 as a breakthrough case.

Tuesday, October 25, 2005

Welcome to the Machine

From Healthcare IT News:

In a memo to its employees last week, IBM announced it would allow employees to conduct online health risk assessments and create personal health records. The service, a joint offering from WebMD and Fidelity, initially will let employees enter information such as medication and medical history into the records. There's also a health tracker that allows users to enter data such as blood pressure readings. Another tool allows employees to check for any drug interactions with medications they are currently taking.

This is the wave of the future, I think. One of the consequences of HIPAA has been a growing interest by some in having better control and access to their own PHI. As long as there is some kind of verifiable, high wallseparationn between employee access and the employer providing it, this could be a very good thing. Of course, like everything else, it will be abused, but the growing awareness of the public of individual rights under HIPAA and other privacy laws will make any transgressions ugly, at least.
At the same time, there is some understandable discomfort with allowing your employer to potentially tap into your PHI. Recent events in the corporate realm haven't been comforting--- the lowered regulatory enthusiasm and the "anything goes" attitude shown by companies like Worldcom and Enron are making it difficult for many people to maintain any level of trust in MegaCorp, Inc, and that it is IBM at the forefront of this initiative has it's own sardonic flavor.

Monday, October 17, 2005

In the Lap of the Gods Revisited

I keep harping on this, but you know, its true: the greatest danger to your confidential information, including PHI, is from within. From

A new survey of Global 2000 professionals suggests laptops are most likely to be lost or stolen at work. And 90% of those missing devices contain confidential business information, such as sensitive e-mails, network passwords and proprietary documents. Add in that 82% are never recovered, and you've got a lot of corporate secrets circulating in the open.

It does no good to secure your fixed systems with encryption, multi-layer passwords, and biometrics and leave it possible for someone to just lift the keys to the kingdom in an unsecured laptop, PDA, or even web-enable cell phone or other convergent device. The worst part?

"When looking at how the respondents commented on their stolen laptop, many mentioned the physical security of the device but no one mentioned the information security of the device. In most circumstances, the information value contained on the laptop far outweighs the hardware/software value."

School Street

Perhaps I am missing something here, but this statement seems incorrect:

A school official said due to the federal HIPAA Privacy Rule, they could not identify the student. HIPAA stands for the Health Insurance Portability and Accountability Act.

The student came from the Kilpatrick Elementary Health, Science and Wellness Magnet School, but unless there is something more going on than the school name, I doubt that they are a covered entity.
At the same time, the Arkansas Department of Health issued this less than enlightening statement:

”We investigate any reportable infectious disease in the state that is contagious,“ said Ann Wright, spokeswoman with the ADH.

See if you can figure it out. The full story is here.

King's Lead Hat

Here is an update on the lead/privacy case in Ohio. From the First Amendment Center :
COLUMBUS, Ohio — A newspaper wants to report on homes, many of them rented, where lead paint has harmed children. The city health department fears federal fines and penalties if it complies with the state's open-records law.
In what attorneys say is one of the first such tests nationwide, the Ohio Supreme Court must decide if state law trumps the federal rule.
The 2-year-old federal Health Insurance Portability and Accountability Act prohibits health insurers, medical care providers and entities that process medical information from releasing any information that identifies the patient. However, the information can be released by a public agency if a state records law mandates it.

With a Little Help From My Friends

"DOL again extends COBRA deadlines for Katrina victims"

Mister Cee's Master Plan

It is not enough to decide that you are going to do something to make your systems HIPAA compliant--- too often I see systems which would have worked just fine, if there had been some kind of overview planning before I was called in to fix them.
Here, from LocalTechWire are some steps to help you optimize the results of your planning for technology implementations. Some of the highlights:

    • Create a vision that considers both the short- and long-term implications, defines success criteria, and identifies risks.

    • Have an independent technology consultant perform a technology assessment. Evaluate several approaches and solutions.

    • Focus on total cost of ownership, not just the initial cost. Consider operational and productivity benefits as well on-going support costs in order to determine your best option.

Tuesday, October 11, 2005

Midnight at the Lost and Found

Interesting case from The Pueblo Chieftan:

Rick is emancipated from his parents but stays in touch with them. They reported him missing on Sept. 22, and didn't find him until a week later.
"It turns out that he checked himself into the mental ward at Parkview hospital, but when we checked with the hospital they flat out told us no, he was not there," Harmes said. "They finally released him (on Sept. 29) and he called us right away."...

"The hospital blamed it on the privacy laws, but I think they dropped the ball," he said. "I would think if people have to go to the law to try to find a person, that would carry some weight. But it didn't."

I'm not really certain that Colorado state law would allow disclosure, but under HIPAA a missing person's case would probably allow at least confirmation that the person was still alive. Mental health issues can be sticky, though, and it looks like the hospital in this case was being over cautious rather than obstructive.

Give Me Just a Little More Time

Some help for Katrina victims:

The U.S. Department of Labor's Employee Benefits Security Administration (EBSA), in conjunction with the Internal Revenue Service, announced a further extension of a number of deadlines so workers and employers affected by Hurricane Katrina have additional time to make critical health coverage decisions.
The relief provides additional time to comply with certain deadlines, contained in the Consolidated Omnibus Budget Reconciliation Act (COBRA), the Health Insurance Portability and Accountability Act (HIPAA) and the rules for processing of health claims, that can have a profound impact on workers' health benefits.

Auntie's Municipal Court

Pretty interesting story from the Cincinnati Enquirer:

The Cincinnati Health Department and The Enquirer will square off in the Ohio Supreme Court today over how to balance privacy rights with the public's right to know.
The fight, among the first of its kind in Ohio, involves federal privacy rules that have triggered two years of legal battles between journalists and public officials across the country.
The Cincinnati dispute arose last year when the newspaper requested records of citations that the health department has issued to property owners for failing to eliminate sources of lead poisoning, such as lead-based paint.

It will be interesting to see how this is decided in the courts. I am torn. On the one hand, this seems like another case of public officials hiding behind HIPAA to avoid public accountablity, and a case of frustrated reporters trying to do their jobs. On the other hand, the children involved certainly have a right to privacy, especially since exposure to lead can have serious, life-long effects, and a prospective employer, for example, might use the information unfairly.

Monday, October 03, 2005

Stealing People's Mail

Free online seminar coming Wednesday Oct 5, 9:30 AM PST:

Simplifying HIPAA Email Compliance

October 5, 2005
The American Hospital Association recently endorsed a standardized secure messaging solution to comply with HIPAA e-mail regulations. After researching all major players in the secure messaging space, AHA chose PostX for its ability to meet rigorous security requirements, with solutions sized for the smallest hospitals to the largest. In this informative 30-minute event, the AHA explain why they awarded PostX an exclusive endorsement for secure messaging.

Vendor driven, of course, but still may be informative.