Monday, June 26, 2006

Play that Funky Music

I talk a lot about the value of integrated systems. By making your fax talk to your server, and your records interface with your billing system, you can save a ton of steps and avoid stuff dropping through the cracks. The same is true of some sort of holistic medical record system:

Recently I was at a distinguished doctor’s office. This doctor – a very nice and knowledgeable person – described how there was no intersection between the records of his office and any other doctor’s office. A patient could visit a gynecologist, a cardiologist, an endocrinologist and a general practitioner, but there would be no systemic, holistic view of data. The gynecologist knows nothing about the patient from the standpoint of the cardiologist. The cardiologist knows nothing about the patient from the standpoint of the endocrinologist, and so forth. These specialists do not share data about their patients with other specialists. Period.
Some of this lack of sharing of data is because of HIPAA, but a lot of the lack of sharing of data would be occurring even if there never had been a HIPAA. The world of medicine is a world of chopped up, little systems where there is no interconnection from any point to any other point.
When asked about the fact that a patient – any patient – might want a truly holistic view of his/her health, the specialist simply said that there is no way to do that.
Perhaps the most disturbing aspect of the conversation was the fact that the specialist had no inclination whatsoever to create integrated data for the patient. There simply was no incentive – no motivation – to step outside of the silo.

It may well be that some variation of the Clinton-Frist bill will provide the driver for an integrated record system. Of course the potential for abuse is there, but the record systems we have are often abused. For all the funky goodness of distributed, fragmented and partial records like we have now, the time, effort and lives saved by an integrated system would most likely more than pay for its implementation.

Monday, June 19, 2006

Candy Man

From Dark Reading comes an account of treachery, deceit, low-down dirty deeds and usb thumb-drives. What they did to test a company's awareness of social engineering was brilliantly devious. For a brief time one morning, it rained thumb-drives:

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

As always, your most vulnerable area is employee training, morale and supervision. Let's face it, users suck. But if you can just get them on your side a little, they will suck less.

Counting Sheep

Only 20% there, and a deadline looming:

Though it's not an imminent problem, the compliance deadline for adoption of the national provider identifier -- a numbering system required under the Health Insurance Portability and Accountability Act of 1996 -- is now less than a year away, and, given the enormity of the task, industry experts are warning it should already be on the "to do" lists of healthcare executives and technology professionals.

By law, all electronic transactions should be tagged with these discrete, government-generated provider numbers by May 23, 2007.
Not that difficult, and better done now.

Never Alone

Even if the guy didn't agree with me on several salient points, I would recommend this fine article from Application Development Trends:

Locking down the network can be especially tough for health-care organizations, with their typical mix of paper and electronic records, the need for long record retention, and the move to digital imaging. With the passage of the Health Insurance Portability and Accountability Act (HIPAA) security rule last April, protection of electronic records has been shoved to the forefront. (HIPAA's privacy rule has been in effect for several years, depending on the size of the organization.)

For a health-care organization such as Kettering, HIPAA is huge, with specific security and patient privacy stipulations. Thanks to the regulation, which Burritt loves, by the way, Kettering underwent a major overhaul of its security infrastructure earlier this year, selecting and installing a variety of Symantec products and services for intrusion prevention, policy compliance, and client security.

It can be done, it can be used to drive new and better ways to do things, and you can get your front-line workers onboard.

My Kind of Town

From WBBM Chicago:

Cook County Board President John Stroger's son says a federal statute protecting the privacy of medical records prevents him from talking about his father's condition.

Chicago 8th Ward alderman Todd Stroger told the "Chicago Sun-Times" the Health Insurance Portability and Accountability Act (HIPAA) means only John Stroger can talk about his health.

The "Sun-Times" reports the HIPAA law doesn't actually prohibit Stroger from talking about his dad's health, as long as he gets permission. John Stroger has not been seen in public nor has he conducted any interviews since suffering a stroke in March. He was back in the hospital last week.

A growing number of prominent politicians have been calling on Stroger's family to release more information on his condition. Several politicians, including Todd Stroger, have said they might like to replace John Stroger if he can't continue to serve or run in this fall's election.

Listen to the Rhythm

It is good to know that someone who understands the issues concerning ePHI has the ear of the folks making the rules:

"Health IT creates the potential for breaches of health information privacy on a scale previously unimaginable," Pyles said. "Once health information is disclosed electronically, it cannot be recovered."

And, as with most other kinds of data theft, it isn't always obvious that it has been disclosed. Privacy in the electronic records age has to be thought of in entirely new ways. At least these lawmakers are considering this, though the hope of them actually getting it right is probably slim.

Monday, June 12, 2006

Give It To Me One More Time

Another piece on the consequences of failure to enforce:

Another major flaw in HIPAA was revealed in 2005 after HHS referred several hundred privacy cases to the Justice Department, which responded with the opinion that HIPAA’s criminal statute does not apply to individuals — even those responsible for reprehensible acts. By that standard, employees of covered entities who choose to sell personal medical information or even hackers who break into databases and steal health records are not in violation of the law.
Even before that opinion, HHS’ ability to punish violators of HIPAA rules was suspect. In the three years since Congress approved HHS’ final recommendations on privacy, the department has received about 18,000 complaints of HIPAA violations. To date, only two have been prosecuted. “Basically, with the way things are right now, you have the right to whine to a federal agency,” said Dr. Deborah Peel, a Texas psychiatrist and chairwoman of the Patient Privacy Rights Foundation. “It’s not exactly the most useful way to enforce problems.”
And in fact, it could have potentially destructive consequences for health information privacy. “The level of interest and attention and fear-driven compliance have gone down significantly in the last year,” Braithwaite said. “If there’s a complaint to HHS, people are now recognizing that all they have to do is respond and say, ‘Okay, we’ll fix that,’ and the problem goes away.”

This is a great roundup of arguments and issues.

Sunday, June 11, 2006

Back to Ohio

More stories on the growing awareness of the poor enforcement of HIPAA.

First this one from Ohio:

(Columbus Dispatch (Ohio) (KRT) Via Thomson Dialog NewsEdge) Jun. 11--The big board in the intensive-care unit at Mount Carmel West hospital, where Daniel Lynch spent four months last year, listed his name, room number, doctor and when he last had a bath.

Wives of other patients approached his wife, Eileen, and told her that their husbands shared the same doctor and the same pulmonary illness. "I was like, 'Who are you? Go away,' " Mrs. Lynch said. "My husband was dying." She complained to nurses and supervisors, saying that the board violated the privacy portion of the federal Health Insurance Portability and Accountability Act, HIPAA for short.

"I refer to it as the HIPAA violation board," Lynch said.

Lynch did not complain to the Feds.

And yet another story, this time an editorial from the same state:

When met with a clear violation, the HHS's Office of Civil Rights encourages "voluntary compliance." So instead of getting a fine or some other tough penalty, violators are told to right their wrongs. So what's the point of the law? Why make patients sign the forms if violators are not penalized? That makes the law meaningless. The lax approach leaves nothing to compel the health-care profession to comply. Not surprisingly, insurance companies, hospitals, and doctors like the emphasis on voluntary compliance. That means they don't have to worry about $100 fines for each civil violation of the law, or having the Justice Department seek up to $250,000 in fines and 10 years in jail for criminal violations. This cannot continue. The Department of Health and Human Services must enforce HIPAA. Once the federal agency begins to do its job and clamp down on violators, others in health care will get the message and comply. The sad truth is that HHS should have been doing so all along.

As a famous blogger often says, indeed.

Friday, June 09, 2006

I'm So Miserable Without You, It's Like Having You Here

You just knew that this was going to happen:

A coalition of consumer privacy groups in the health care industry is asking the U.S. Department of Health and Human Services (DHHS) to conduct a HIPAA compliance review of the Department of Veterans Affairs after a massive security breach was disclosed last week.
In a letter sent Wednesday to Health and Human Services Secretary Mike Leavitt, 30 privacy groups belonging to the Consumer Coalition for Health Privacy expressed their concerns about the recent theft of personal data at the VA (see "Personal data on millions of U.S. veterans stolen").
The data, which included names, Social Security numbers and addresses belonging to 26.5 million veterans, also included protected health information such as medical diagnostic codes and disability ratings. The data was included in a laptop and disks that were stolen May 3 during a burglary at the home of a VA analyst who had improperly taken the data from the office.
The incident raises serious questions about the "nature and the extent" of violations by the VA of the security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the letter said.

For the longest time I have talked about the Big Example that will drive compliance. This may be it.

The Sound of Your Voice

An interesting question posed by Joanie Wexler in Network World:

At the Interop trade show last month, I chatted with a medical facility that used wireless LANs but had chosen not to deploy Vocera’s popular voice “badges” for conducting phone calls across the WLAN.

The primary reason? The company was unsure about compliance with the Health Insurance Portability Accountability Act (HIPAA).

Use of Vocera badges for voice communications has become common in many healthcare facilities, where highly mobile medical personnel are suddenly needed to handle emergencies. The badges, which operate like little mobile speakerphones that can be handily clipped to a garment or worn on a lanyard, help reduce wasted time caused by paging delays, phone tag and voicemail. Still, the IT administrator’s concern was understandable: private patient information might be overheard by anyone within earshot of the devices.

This should be an addressable issue, and as the writer points out, primarily a training one.

Thursday, June 08, 2006

Mr. Postman

It isn't every day that the Postal Service offers something for nothing, but this series is free, and they even cover the postage.

Order one of these free, fraud-prevention DVDs from the U.S. Postal Inspection Service by following the link above to the Postal Store, or by calling toll-free 1-800-STAMP-24 (1-800-782-6724). All DVDs feature a Spanish-language option.

All the King's Men: Picking Up the Pieces
Fraud schemes victimize millions of Americans each year, leaving many financially devastated. There are laws to protect victims and services and support available to them. The U.S. Postal Inspection Service urges victims to learn more about their rights and services by ordering our free DVD. Remember, being a victim of a crime is nothing to be ashamed of. And neither is seeking help to recover from it.

Nowhere to Run: Cross-Border Fraud
The Internet and international phone calls make it easy for fraudsters to work from anywhere in the world. This film illustrates how U.S. Postal Inspectors created task forces with Canadian law enforcement partners to stop "long distance" scams.

Web of Deceit: Internet Fraud
Internet scams are like old wine in new bottles. Telemarketing and mail fraud scams are now coming to you from cyberspace. This DVD tells the story of a scammer who uses the Internet to victimize unsuspecting consumers around the world until he gets caught in his own web of deceit. The DVD also provides tips on what to watch out for when you do business on the Internet.

Long Shot: Foreign Lottery Scams
It's illegal to play foreign lotteries in the United States. But another reason not to play is that you are almost guaranteed to lose. And once you play, you can count on receiving more "chances" to play and lose. This free DVD tells the story of a foreign lottery fraud victim and the con artist behind the scam. Produced by High Noon Film and presented by the U.S. Postal Inspection Service, it also provides tips on helping you avoid becoming a victim of this scam.

Work-at-Home Scams: They Just Don't Pay
Working at home has become attractive to many stay-at-home moms, college students, and retirees. While some jobs are legitimate, others just don't deliver on their promises. This free, short film tells the story of a new type of work-at-home scam and how a young mother gets caught up in it. It also provides tips on how you can avoid being duped by criminals and what to do if you've been victimized. This High Noon Film is presented by the U.S. Postal Inspection Service.

Identity Crisis: Protect Your Identity
Identity fraud is the fastest-growing crime in America. With millions of victims and losses in the billions of dollars, it continues to be one of consumers' biggest fears. This free DVD tells the story of a couple whose credit is ruined and of the criminals who defrauded them. The DVD by High Noon Film, presented by the U.S. Postal Inspection Service, also provides tips on how to protect yourself against identity fraud -- and what to do if you become a victim.

Delivering Justice: Dialing for Dollars
Telemarketing fraud costs Americans millions of dollars each year. And when it comes to phony investment "opportunities," older Americans are prime targets. This free, 15-minute DVD tells the story of such a scam and the lives that are ruined by criminals. The film provides tips on how to protect yourself from investment fraud and tells you what to do if you've been victimized. "Dialing for Dollars" is a High Noon film presented by the U.S. Postal Inspection Service.

Monday, June 05, 2006

Nothin' from Nothin'

Here it is. The Washington Post story that everyone is talking about, and a ton of reactions from different sources. First the story:

A total of 19,420 grievances have been lodged, the most common allegations including that personal medical details were wrongly revealed. The Bush administration has not imposed a single civil fine and has prosecuted just two criminal cases, one of them in Texas.

And here are a few of the reactions:

From KaiserNetwork

Chris Apgar, president of Oregon health care industry consultant Apgar & Associates, said providers "are saying, 'HHS really isn't doing anything, so why should I worry?'" Privacy advocates say the need to enforce HIPAA will increase if or when the federal government is successful in its effort to implement a system of electronic health records.

From the comments at Slashdot

I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damage. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.

From UPI

Privacy advocates and some health industry analysts say the administration's decision not to enforce the law more aggressively has failed to safeguard sensitive medical records and made providers and insurers complacent about complying...

The Slashdotters seem to have the most to say about this. This is timely, of course, with several other privacy issues on the map right now. It is not really news, though, because the HIPAA cops have a built-in excuse--- many parts of compliance are discretionary, and while in general it is nice that the primary thrust has been to help with compliance rather than penalize providers, there are egregious offenders out there who should be fined or prosecuted. That HHS has found fewer than a handful means that they are probably not trying all that hard. Wink-wink nudge-nudge enforcement means that the clowns who don't give a damn about handling sensitive information are reinforced in their bad behavior, and the rest of us who are trying to behave in ethical ways are given nothing in return for our efforts.
I truly understand that the current political climate is not very regulatory enforcement friendly, but you would think that there are some things that everyone, regardless of where they hit on the political spectrum, would like to keep to themselves. Personal health information should be near the top of the list. But perhaps, if our PHI is kept private, the terrorists win. That certainly has been the excuse for every other recent erosion of privacy--- it has worked so well everywhere else, why not here?

Thursday, June 01, 2006

I Fought the Law

Oh come on now! Aren't we past this?

Martinez was admitted to University Hospital. Investigators learned through other sources he was there. But when detectives went to the hospital, "hospital staff refused to disclose any information about the defendant, including his presence or absence at the hospital," the affidavit stated.
Martinez was released from the hospital without authorities being notified as they had requested, the affidavit stated.
On Monday, deputies learned Martinez was staying with his mother and called her, notifying her of the arrest warrant and telling her to have her son turn himself in. Instead, Martinez checked into Uni.
Again, federal privacy laws prohibited the hospital from confirming to police whether Martinez was present, even when detectives arrived at the front door with an arrest warrant.

Warrant! Warrant warrant warrant! WARRANT!!!
How hard is it to understand that HIPAA is to protect patient healthcare information privacy, not to provide an excuse to be uncooperative to law enforcement?

Hospitals should be allowed to give basic information to police, according to Salt Lake Deputy District Attorney Kent Morgan. A couple of years ago, Morgan wrote a letter to clarify HIPAA rules and how they pertain to law enforcement.
"A health-care provider can disclose limited information in response to law enforcement's request to identify or locate a suspect," he stated.
Morgan reaffirmed his statement Thursday.
"HIPAA was never designed to hide suspects or to obstruct from police investigations. Rather it was designed to protect the privacy of individuals' records who are receiving medical care," he said.

Drive My Car

Here is a guy who is concerned with his privacy to such an extent that he completely misses the point:

Furthermore, the information is subject to the Health Insurance Portability and Accountability Act (HIPAA), meaning it carries the same level of protection as the medical information in the file and must be disposed of under federal guidelines, Scionti said.
If a patient refuses to provide a license or photo identification is not available, a note is placed in the file, but "we never deny treatment because they do not provide identification," he said.

It might be important for reasons that have not a thing to do with privacy or PHI to make sure that they are treating the right person. In IT we call this kind of person a "tree counter," as in not just unable to see the forest, but needing an exact enumeration of the trees therein.