Wednesday, November 30, 2005

William Tell Overture

Still struggling with compliance? You are not the Lone Ranger. A HIPAA compliance survey released by HIPAAdvisory.com found that only 30% of payer organizations and 18% of provider organizations were currently compliant with HIPAA security regulations. If you are a provider who falls into that unhappy 82%, it is only a matter of time before someone has a complaint. So far, the HIPAA cops have been pretty easy, preferring that you remediate rather than be penalized. How did we get to this place, even though we have been given years to compy? Security expert Joe Malec thinks there are a number of reasons:

Fearful of lawsuits and hefty civil penalties, some public and private institutions have erred on the side of caution, implementing more stringent HIPAA safeguards than were originally intended. Since the law is intentionally vague on what companies should do to comply, organizations would rather be safe than sorry. Even with the best of intentions, some standards for controls have had to be decided by the courts. One company that learned this the hard way was BJ Wholesalers, which just recently settled with the Federal Trade Commission over charges of failing to adequately safeguard sensitive customer information on their systems.
Then there's the required cultural shift. Beyond the technical safeguards, companies also need to promote security awareness and ethics training as well as education and enforcement of corporate security policies and procedures covering topics such as password standards, encryption and data classification. Such a level of cooperation has been hard to come by. Compliance laws have put more pressure on IT security and on enterprise users who ultimately make or break any approved security program. Political battles and fallout are new to some IT workers.

So what do we do?
For smaller practices, there is probably no way around it. You are just going to have to go to a hired gun. Just yesterday I was chatting with another consultant, and he passed on the story of a 4 doctor practice who decided that they would just roll the dice, not spend the few thousand bucks it would take to make their new systems compliant, and just hope that nobody complains. Because my friend is a pretty ethical guy, he turned down the gig, because he knew that particular shortcut had every possibilty of turning out bad. There are a lot of ways to save a nickle, but failing to take the required steps to protect your patients PHI is a very pound-foolish one.

Monday, November 28, 2005

Baby Got Back

A whole new category of PHI---

Fatter rear ends are causing many drug injections to miss their mark, requiring longer needles to reach buttock muscle, researchers said Monday.
Standard-sized needles failed to reach the buttock muscle in 23 out of 25 women whose rears were examined after what was supposed to be an intramuscular injection of a drug.

Next time someone asks you why they need to keep health information confidential, just remind them of how easy it would be to figure out what the king-size needles are for.

Rocket Man

Most PHI fits nicely into a traditional structured database, but some things, like x-ray images, and other graphical PHI, sometimes do not. XML is a general-purpose markup language for creating special-purpose markup languages, capable of describing many different kinds of data. One of the DB products mentioned below is Windows SQL Server 2005. I will be attending a product launch for this tomorrow--- I'll let you know what Uncle Bill's minions have to say.

"Databases have done a very good job of storing structured data -- but with unstructured data they have not," said Noel Yuhanna, an analyst at Forrester Research Inc., in Cambridge, Mass.
Reaching into that unstructured data to extract information is one pressing integration issue. The other is interoperability -- being able to get information using data from different applications, which may run on different operating systems.
With IBM's DB2 Viper, Microsoft's SQL Server 2005 and Oracle's XML DB feature in 9i and 10g, all three major database vendors are now offering XML capability, which allows a database to query the content of files that are not in relational database form. Bernie Spang, director of databases at IBM, estimated that 35% of business information is already in XML, compared with only 15% in traditional relational databases.

Tuesday, November 22, 2005

Scene Report

Here is a little more of the tension between journalists and privacy. I am a firm supporter of the first amendment--- in fact my first blog was about first amendment issues. I also was a reporter for a couple of years, and I understand the frustration many writers have when trying to gather information or confirmation. No one in the news biz wants to be simply a stenographer. But as recent developments have shown us, the press is not above blame. And even though I agree with three-fourths of this editorial from the College Heights Herald in Bowling Green, Kentucky, I am not willing to hand off privacy decisions to the fourth estate.

HIPAA isn't entirely bad. It makes an attempt to improve health care in this country, but that comes at the expense of press freedom. Some will undoubtedly disagree, but we feel precedence should go to the First Amendment issue. The right to privacy is implied, but not written.Surely there is a way to reconstruct HIPAA in a way that protects the individual with regard to health insurance while allowing journalists to obtain pertinent information for accurate stories.Journalists may not be licensed, but we take our work seriously. We are more than capable of knowing the difference between using information for the public good and abusing it. Have a little faith in our profession.

I would like to, but then I am reminded of Jayson Blair, Jeff Gannon, and others who have shown that some reporters are no more trustworthy than the people they cover, and unlike a hospital administrator or rogue physician, are already protected from the consequences of whatever they report by that very same first amendment.

Friday, November 18, 2005

Man (Opposable Thumb)

Pay attention! If it makes the front page of MSNBC, soon it will be affecting you!

It was just a tiny thumb drive, but now, it's a pretty big problem for a Hawaii hospital. And what happened there could eventually become a problem for you, too.
Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives -- and now, according to a letter sent home, the drive was missing.
The device had been misplaced in early October, and hasn't been heard from since, said hospital spokeswoman Lani Yukimura. While medical information was not on the device, it would be a treasure trove for an ID thief who found it. Once plugged into any computer’s USB port, a finder would have access to about as many identities as ChoicePoint Inc. leaked to criminals last year. So why has the Wilcox incident gotten so little attention?

Oooh! Oooh! Oooh! I know the answer to that one!
Nobody has gotten nailed by a multi-million dollar class-action suit yet.
But they will. Trust me, they will.
Please don't let it be you.

Block Lockdown

Speaking here as an IT guy, we have a love/hate relationship with USB thumb drives, or "geek sticks" as we used to call them. On the one...er...hand, they are handy, portable, fast and easy to deploy. On the other is the fact that they are generally as secure as post-it notes, and as easy to steal as the plastic flamingo on your neighbor's lawn. EnterpriseStorageForum.com has this to say about them:

Doctors or technicians, say, could be logged on to a system and be interrupted by an emergency. They may leave their desks without logging out. All it takes, then, is someone within the facility to slip a USB drive in and record confidential information. Even if such a scenario never actually happens, hospitals have to be able to prove that it didn't. The question is how?
This problem is compounded by the fact that doctors are notoriously opposed to heavy-handed security. They want nothing standing between them and rapid access to patient data. So a blanket lockdown on thumb drives and CDs could result in a backlash from physicians.

This piece is largely a commercial for a company that makes security software for storage devices, but the problem is real.

Thursday, November 17, 2005

California Uber Alles

Lisa Woodley, CMT, alerted me to this piece from the California Healthcare Foundation:

Conducted by Forrester Research, the survey reveals that—despite federal protections under HIPAA—two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.
In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52 percent) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.
Yet despite these concerns, consumers report a favorable view of new health technology, with a majority (59 percent) willing to share personal health information when it could result in better medical treatment.

There are some pretty interesting conclusions here. Seems like we should be educating our patients, as well as our staff.

Friday, November 11, 2005

Just Dropped In (To See What Condition My Condition Was In)

More yummy HIPAA goodness from Monsters and Critics:

Scott Myers, Accenture`s managing director for health and life sciences, said the pilot projects would expose the critical issues around protecting privacy so the IT consortiums could develop the answers.
'Most people don`t know they will be able to tailor their consent to view medical records so a doctor only gets the information pertinent to their current condition,' Myers told UPI. 'Perhaps you think the orthopedist who`s fixing your broken leg doesn`t need to know about the STD you contracted four years ago and you want your psychiatric records off limits to everyone. You will be able to specify that in the new system, but you will need to know how. Once we learn how to do these things properly in the pilots, we need to create good education programs for both consumers and healthcare professionals so the system will work,' he said.

Thursday, November 10, 2005

All Rights Reserved

And speaking of TPO:

Court Upholds Use of TPO in HIPAA Privacy Case
The US Court of Appeals for the Third Circuit has upheld the use of personal health information (PHI) for use in treatment, payment, and operations (TPO) without consent as permitted in the HIPAA privacy regulations. The decision in the case Citizens for Health v. Leavitt (3d Cir., No. 04-2550) was handed down on October 31 and upheld a previous decision by the US District Court for Eastern Pennsylvania. Patient advocacy groups had argued that the HIPAA rules for release of PHI for these routine uses, without consent, violated First and Fifth Amendment rights of individuals. The courts decision can be found at http://www.ca3.uscourts.gov/opinarch/042550p.pdf.

*thanks to Lisa Woodley for passing on this item from the AHIMA Advantage e-alert.

We Laugh at Danger and Break All the Rules

Stuff like this makes me want to scream:

My son had been experiencing chest pain. On Oct. 11, the facility nurse spent a large amount of her workday on the phone trying to get care for my son, but HIPAA prevented my son from getting timely care. Ultimately, he was brought to the emergency room because, even with all the releases and consents I had signed, effective communication was blocked by fear of violating HIPAA.

No! No! No! No!
HIPAA was specidically set up to not interfere with TPO-- Treatment, Payment, and Operations. And there is a reason for the T being first.
There is no excuse for this, especially in Oregon, where there has been a concentrated effort at training.
Mental Health has its own HIPAA issues, and I have nothing but sympathy for the frustrations of this poor mother who gets to do the bureaucratic tango every time she wants a tissue. But for the love of little worms in apples, if the patient is having chest pains, treat the patient!

Revealed Secrets of the Whispering Moon

Man bites dog! Lions bunk with lambs! Mariners win the pennant!
OK, maybe not the last one, dangit. But almost. Here, from Monsters and Critics, is someone who thinks HIPAA doesn't go far enough!

'Simply put, we don`t think the legal protection under HIPAA is sufficient for the technological development planned -- we`re not opposed to the technology, but we feel there should be more safeguards when (transmitting) some medical information,' Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., told United Press International.


Put that way, I have to agree. Only problem, there is huge resistance to the technology as it is. As Mr. Rotenberg points out farther down in the article, the financial world has far more stringent safeguards, and they still get hacked. The technology is there, but the healthcare world lacks the will, the vision, and let's face it, the motivation or interest. Very few people enter the healthcare field hoping to work with encryption algorythms and virtual private networking protocols.
I love Monsters and Critics. They are not always right, but they always stir things up.

It Only takes One Bar (To Make a Prison)

Looks like some folks in the Delaware Department of Correction and Correctional Medical Services are hiding behind HIPAA:

Rep. Spence decided to call for research into HIPAA after a Monday night legislative public hearing, where scores of inmates or their families lambasted the state agency and the private company for poor care."We want to find out if there is a way we can look at some of these records," Rep. Spence said."It's very frustrating for us as elected officials because we want to find out what's happening, but it's hard to do that without medical records."There might be something we can do legislatively to help the situation."
Ronald D. Smith, the House attorney who will be charged with researching HIPAA, said he is not sure what his efforts will yield."HIPAA is a vast undertaking of federal legislation," Mr. Smith said."I have some familiarity with it because my wife is involved with medical record-keeping. You either have an exemption or you do not. You are not going to get a lot of give.

HIPAA is so dang convenient! No one understands it, everyone is afraid of it, and it lets you keep secrets! Mr. Smith, who is quoted above, demonstrates the problems with osmotive knowledge. His wife works in medical records keeping, so he is an expert! My ex-wife is an engineer with Boeing, so I can design airplanes! My oldest son is a french Chef, so lemme at that coq au vin! My across the street neighbor is a heart surgeon, so hand me that scalpel!
I am a little confused, though. Which "exemptions" are Mr. Smith talking about? Certainly he must know that a court can order those records examined. Surely he is aware that, as the article points out, the inmate can designate a personal representative.
In fairness to poor Mr. Smith, he was probably put on the spot, and very likely HIPAA is pretty far outside of his field of practice. It sounds like he is not going to let the Department of Corrections bamboozle him, at least not for long. Chances are, the real barrier is not some evil-doer covering up wrong, but some over-worked records clerk in the basement of a state facility who just doesn't understand how the whole thing works. In which case there is no need for new legislation, just a better training program, and perhaps better oversight of the patient notification of inmates.
If there is anyone in that cyclone of confusion who needs a consultant to help sort things out, give me a call. In the meantime, has anyone seen my retracters? I'm needed in surgery!

Monday, November 07, 2005

When I'm President

I am a little frightened by this--- President Bush is using the same examples here that I use when explaining privacy and portability issues:

'If you live in Ohio and you have to go down to Florida and you get in an automobile accident, an electronic medical record means your data (are transmitted) to the doctor in the emergency room ... just like that, as opposed to calling somebody, getting them out of bed, asking `could you please go find so-and-so`s file` and transmitting the information -- a speedy response to an emergency saves lives,' Bush said after touring the Cleveland Clinic last January.
'I`m sure people are out there saying, `I don`t want my medical records floating around so somebody can pick them up,`' the president continued. 'I presume I`m like most Americans -- I think my medical records should be private. I don`t want people prying into them, I don`t want people looking at them, I don`t want people opening them up unless I say it`s fine ... to do so.'

I would guess that Uncle George and I are seldom in agreement. Even so, it is a good example, and the article it comes from, in Monster and Critics, is a good one to show someone who isn't getting why this HIPAA stuff is all that important.

Jail Guitar Doors

Just think: if you continue to be a compliance slacker, you could be the cautionary tale. From IT Business Edge:

Question: Why haven't we heard much about HIPAA lately?

Armstrong: There haven't been any high-profile prosecutions yet under HIPAA. With Sarbanes-Oxley, you have people fined, going to jail, bankrupted. Sarbanes-Oxley has had a much greater impact on IT people and c-level executives. Organizations covered by HIPAA should be thinking about patient privacy anyway, and HIPAA, after all, is one big privacy policy. But until there is a headline about a hospital official going to jail over selling patient information, HIPAA won't be an effective deterrent. It all boils down to how the law is enforced. When you start throwing people in jail, it becomes a deterrent.

It really is just a matter of time.

The Diving Line

More on the WZZM Dumpster Dive Olympics:

We found billing information, doctors' schedules, and some very personal information. In one dumpster we found a personal information form that a patient filled out when they went to the doctor's office. It included the person's name, address, social security number, date of birth, and more. We even found one woman's entire hospital discharge report, with all of her diagnosis.

Reporter Amy Fox is doing a great job on this series, enough so that I wish I got WZZM--- maybe I should talk to my cable provider :)

Scary Indecision

When I speak at conferences, I always ask who is in compliance. Nearly every hand comes up, but by the end there are enough of the same dozen questions to let me know that far too many of us are not. Here is a horror story from WZZN in Grand Rapids, MI:

We looked at about a dozen unlocked, ungated dumpsters and found information in about half of them. The private information came from a handful of locations, out of tens of thousands of medical providers in Michigan. But, health care privacy laws are in place to make sure no personal patient information gets out.

If I were a greedier man, I would do a combination of dumpster diving and wardriving, and sell that information to a hungry litigator. Instead, I am working on the side of the angels, trying hard to nudge the healthcare world into the 21st century. Please, don't think that you can roll the dice, and just slide by with compliance. It isn't just HIPAA that will rise up and bite you: at least 16 states have far more draconian laws on the books.

Cherry Lips

Proof once again that I roam the far corners of the blogosphere so that you don't have to:

With benefits such as enhanced employee efficiency, greater overall business productivity and improved customer service and satisfaction, one would expect organisations to rush towards mobilising their workforce. However, in a recent IDC survey, the biggest inhibitor to enterprise mobility was the fear of unauthorised access.

A few days ago I was a speaker at a healthcare conference (I do that alot!) and afterword, as so often happens, I spent more time talking to participants in the lobby than I had spent in actual presentation. Some less than kind observers might say that indicates that less information is presented than is optimal, but I prefer to think that I had stimulated so much thought that there wan't time in the allotted Q&A to answer all of them.
At any rate, more and more I am being asked about wireless devices, not just wireless laptops and PDA's, but convergent devices as well. The article cited above, from CIO Asia, has the simplest, most direct answer to maybe half of the questions:

Treat mobile devices as part of your existing network
Mobile devices accessing corporate information via the Internet must be treated as an extension of your existing network and not as a separate network. Integrate the two authentication mechanisms to provide second level authentication, and centrally administer and manage devices from within the network to ensure that devices are regularly backed up and the latest security updates are applied.

Try the following experiment: sit with your wireless laptop in the parking lot of any multi-practice complex. If there are 50 practices, you will find 12-15 unsecured wireless networks available. This is unacceptable, and it is just getting worse.