Thursday, May 25, 2006

The Merry-go-round Broke Down

You want patients to trust you with their information? Then you had better start building some credibility. And a great place to start would be with someone, sometime, somewhere taking responsibility for something.

Veterans Affairs Secretary Jim Nicholson said Thursday he is striving to find out why it took his agency two weeks to reveal the theft of personal data from 26.5 million veterans, telling Congress he is "mad as hell" that he wasn’t told right away...

Sen. Patrick Leahy, D-Vt., said Bush should call Nicholson "into the woodshed" and consider changing the department’s leadership, particularly after the agency waited until May 22 to inform the public about the May 3 theft.

"Instead of promptly notifying millions of veterans that their personal data was irresponsibly handled and then stolen, VA officials held their breath and crossed their fingers for nearly three weeks," Leahy said.

In a statement, Nicholson said he was outraged by his agency’s decision to keep the theft quiet for so long. He said he had asked the agency’s inspector general to determine who knew what and when.

Please, just secure your data. Use that energy to avoid having to point fingers and make up excuses.

Sunday, May 21, 2006

Just Leave me Alone

As I mentioned below, the privacy provisions have been weakened considerably, chiefly by the 2003 amendment. This poor decision is starting to affect nearly every aspect of compliance, and it is making public acceptance of any sort of unified EHR system problematic. From the Federal Times:

It’s not the technology that has privacy experts like Peel most concerned, however. What troubles her is the loophole in existing law that gives thousands of companies — including self-insured employers, drug companies, banks and marketing firms — legitimate access to patients’ medical records without their knowledge.
A 2003 amendment to the Health Insurance Portability and Accountability Act (HIPAA), which Congress passed in 1996 to ensure medical records could not be given out without a patient’s consent, carved out an exemption for companies who use the records for health-related business activities, such as processing claims or managing benefits.
The exemption is so broad, and enforcement of violations is so lax, that virtually anyone can access your records, Peel said.
“Across the nation, the public is just beginning to wake up to this because they haven’t been told it’s a problem,” Peel said. “Over 600,000 covered entities can see and use your medical records without your objection, and you have no recourse. I don’t know how you can call that privacy.”

Indeed.

Blowing in the Wind

One of the best things about HIPAA is that more stringent state laws trump its provisions. But now comes the proposed HR 4157, which would give HHS the authority to establish a national privacy standard that would preempt state laws. This article in Psychiatric Times by Stephen Barlas explains why that might not be such a good idea:

Pyles said his group and other psychiatric and mental health organizations that are members of the Mental Health Liaison Group oppose legislation that would allow the HHS Secretary to set a privacy standard that would override all state laws—especially a secretary in the Bush administration, which, according to Pyles, "has not been a privacy friendly administration." He added, "It is almost a sure thing that the secretary would recommend preemption of state law."

HIPAA's privacy provisions have already been weakened considerably. State laws often provide the only real protection available. And making the rules subject to the whims of whoever is in office and the political climate of the moment cannot make compliance any easier.

Thursday, May 11, 2006

Talking in my Sleep

Just ran across this:

Just as HIPAA can mean Hiding Involving Privacy As Alibi, we're beginning to hear the vague explanations for the lack of a deliverable being attributable to complying with SOX - "Yeah, your food order for that breakfast meeting didn't go through because there was a SOX issue with upper management signatures down at the deli." (I won't try to come up with something cute for which SOX could be an acronym like I did with HIPAA - the X throws me every time.)

Yep. HIPAA can be a pretty darn convenient alibi.

Bad Attitude

A poster on NetWorkWorld finds himself in this quandary:

I'm the Security Official for a covered healthcare component of a State agency which declared itself a hybrid entity.
Our covered component agency reports directly to a branch of the hybrid entity which was NOT included on the hybrid's list of covered components. We share PHI with them, and with several other non-covered components of the hybrid, and are required to do so. We have been told that these non-covered components are "Internal" Business Associates, and as such, they must obey the hybrid's privacy and security policies, but that they do not have to comply with HIPAA BA requirements, such as reporting security incidents to us. Furthermore, they decided that it was too difficult a task to determine which of their workgroups served a function which required that we share PHI with them, and they declared their entire office staff (several hundred) to be "internal" BAs. This seems to leave us unable to comply with the HIPAA BA requirements. I can find no reference in the law to "Internal" BAs. Upon complaining to the non-covered component we report to, we are told that we are wrong (but not why), but that since only the hybrid can be punished by HIPAA enforcement (not the covered components of the hybrid), we should stop worrying.

"Internal" BAs are a made-up distinction. Someone is just too lazy, confused, or defiant to sort through compliance. If there is a compliance board or officer at the state level, he should talk to them about straightening this out. While his personal exposure is limited, the exposure of his component agency is extreme. They are wrong, and from the response he is getting it looks like they know they are wrong.

Friday, May 05, 2006

That's What I'm Talking About

From Annals of Internal Medicine comes this in-depth look at informed consent. What stood out for me was this paragraph:

In a recent survey of 100 top medical centers and 11 independent institutional review boards, researchers discovered that the authorization language used to satisfy the Privacy Rule has a median length of 744 words and is written at a median 12th-grade reading level (7). This wording is well above the eighth-grade reading level mandated by many institutional review boards (8) and the literacy level of most U.S. citizens (9). This complex language also seems inconsistent with the Privacy Rule's requirement that authorizations be written in "plain language." In another survey of investigators and institutional review board personnel, researchers found that the addition of extensive language to satisfy the Privacy Rule's authorization requirements often confuses research participants, burdens the informed consent process, and undermines recruitment (10).

Why, oh why do we insist on making the process so danged opaque? The KISS rule should be tattooed on the forehead of every person who is in charge of anything that comes into contact with the public or even general front-line users. Make things difficult to understand, and folks will just opt out.

Hard Days Night

You know, just reformatting your old hard drives before you send them off to salvage is really just not enough:

According to a November 2005 Gartner Inc. survey, nearly 80% of companies said that "managing data security and privacy risks" were very important or most important when disposing of obsolete hardware. Yet 30% admitted they had no policy for ensuring the security of used equipment.
Frances O'Brien, research vice president at Stamford, Conn.-based Gartner, said that despite the increased concern, there is still a vast amount of used hardware out there with recoverable corporate data on it. She points to a 2003 study conducted by Massachusetts Institute of Technology students on 158 disk drives bought from auction sites, PC retailers and salvage companies. It found that 74% of the drives contained recoverable data -- including company financials, credit card numbers, medical records, sensitive e-mails and pornography.


One company that I have worked with has a small drill press in the IT department: a quick, inexpensive shredder program followed by six 1/4-inch holes pretty much does the trick.
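As an added illustration (not the blog's own code) of why a reformat alone is not enough: this constructed Python model treats a byte buffer as a raw disk, shows that a quick format clears only the metadata block while the record survives in the data area, and shows that an overwrite pass does remove it. The canary string, block layout and offsets are invented for the demo.

```python
# Constructed model of a raw disk: one metadata block followed by data blocks.
BLOCK = 4096
CANARY = b"PHI-CANARY-MRN-0042"   # constructed stand-in for a sensitive record


def make_disk_image(blocks=16):
    """Build a fake disk: block 0 holds 'directory' metadata, file data lives later."""
    # Deterministic filler that can never contain the canary by accident.
    img = bytearray(i % 251 for i in range(BLOCK * blocks))
    data_off = BLOCK * 5                          # where the "file" body is stored
    img[data_off:data_off + len(CANARY)] = CANARY
    entry = b"records.txt@%d" % data_off          # fake directory entry -> data offset
    img[0:len(entry)] = entry
    return img


def quick_format(img):
    """A quick format rewrites only the filesystem metadata block; data blocks stay."""
    img[0:BLOCK] = bytes(BLOCK)
    return img


def overwrite_wipe(img, passes=1):
    """Overwrite every byte of the device with a fixed pattern (a 'clear' style wipe)."""
    for _ in range(passes):
        img[:] = bytes(len(img))
    return img


def recoverable(img, pattern=CANARY):
    """Verification step: carve the raw bytes for the record, ignoring any filesystem."""
    return img.find(pattern) != -1


if __name__ == "__main__":
    print("after quick format, record recoverable:", recoverable(quick_format(make_disk_image())))
    print("after overwrite,    record recoverable:", recoverable(overwrite_wipe(make_disk_image())))
```

On real hardware the same check is a raw read of the device (not of a mounted filesystem) after the wipe. Flash media with wear-levelling may hold copies an overwrite never reaches, which is why physical destruction like the drill press above remains the conservative choice.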