Wednesday, December 20, 2006

Stench From The Dumpster

A follow-up on the Salt Lake dumpster dive story: it seems that it is shoot-the-messenger time:

The lawsuit filed Wednesday against KSL alleges its coverage was inaccurate.
"It wasn't a Dumpster, it was a recycling bin," said Brenda Flanders, a lawyer representing the company. "And it wasn't 20 feet from the sidewalk."
The bin was "out of the public domain" and its contents are collected by a company that shreds the documents inside, the lawsuit asserts. "At no time is the recycle bin subject to public dissemination," it claims.
Sheryl Worsley, managing editor of KSL Newsradio, said the station stands by its story. "The records were accessible to anyone," she said in a statement. "We found them in plain view, near a busy street, in an open recycling dumpster just 20 feet from the sidewalk and right next to a fast food restaurant drive-through."
The property was not marked private or fenced off, she said. The site was visited at least six times, and each time, the bin "was unlocked, sometimes with the lid wide open," she added.

Lame, lame, lame. And they would have gotten away with it too, if it weren't for those pesky kids.

Heard It Through the Grapevine

Are you a reporter who has come here by mistake, hoping to pull a quote, or learn a little something? If so, here is an excellent set of lists to help you navigate HIPAA and still do your job.
Just to let you know, I feel your pain. I used to be a reporter, and know how difficult it can be to get the info you need. There are ways to get around to what you need, and still protect the privacy of those you write about.
If you just remember that HIPAA exists to protect the patient's privacy, not to cover the hospital's gown gap, you should be just fine.

Slippin' and Slidin'

If you haven't guessed already, I just love HIPAA. One of the best things about it is that it is a force so powerful that it can only be used for good, or evil. The evil in this case being our latest installment in "HIPAA made me do it!"

It seems that a school board member has a wife who is involved in the union. Some folks feel that it would be a conflict of interest if Mr. Steel gets his health insurance through his wife and is allowed to vote on contract issues that affect coverage. It would be pretty simple, but terribly boring, if Mr. Steel just recused himself from the vote, but he is saved from obscurity by refusing and by claiming he can't disclose whether he is covered by his wife's policy because of HIPAA.

Mr. Flagg's been trying to learn if Mr. Steel gets health benefits from the school district through his wife. Mr. Steel has declined to release what he calls his "wife's personal information."

"Right now, we have been unable to get it because [Mr.] Steel has refused or ignored," Mr. Flagg said. "We disagree that it is a protected record under HIPAA."

The Health Insurance Portability and Accountability Act, known as HIPAA, enacted in 1996, is a federal law intended to protect the disclosure of personal medical information.

If Mr. Steel does receive the health insurance, he would not be permitted under Ohio law to vote on the teachers' contract.

If we had an award to give for creative HIPAA abuse, Mr. Steel would certainly get it. We could have a little award ceremony, and give out a gilded hippo.

Enforce U

Is this how we are finally going to be forced to compliance?

The requirements laid out by HIPAA are notorious for lacking teeth or oversight, and many smaller healthcare organizations take advantage of this with lackluster compliance efforts. Magrath says that from a government enforcement perspective this won't likely change soon.

"The only way I see something coming down the pike, is if there are a bunch of high profile breaches that force legislators to do something," he says. "In the absence of that, I don't see anybody forcing hospitals to pay fines."

However, Walsh says that the healthcare sector may turn to self-policing as the most influential healthcare organizations recognize the importance of HIPAA mandates. For example, he believes that this may be the year that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) ties more HIPAA compliance requirements in with its accreditation process.

"Accreditation may be held up when the hospital doesn't comply," says Walsh. "They have been threatening this for some time, but maybe 2007 is the year they get serious about this."

Volume of Neglect

Why am I not surprised by this:
The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006, according to a new report on medical privacy.

Somehow I don't think it is because most complaints are easily dismissed. I'm not alone here:

“Our experience has been that complaints are being dismissed without any real investigation and very few of them are sent to the Department of Justice for enforcement,” (Deborah) Peel said...
“Patients with legitimate complaints are simply not being helped,” Peel said.

Now or Never

I am a little late on this, but here are more final rules.

SHRMOnline has this excellent summary:

The 43 pages of final rules do not change the 2001 interim rules or the proposed rules on wellness programs. Instead, they finalize the 2001 interim rules from the DOL, HHS and Treasury and are designed to clarify some ambiguities regarding wellness programs, make some changes in terminology and organization, and add a description of wellness programs that are not required to satisfy additional standards.

Sunday, December 03, 2006

Milk Shake

Just when you think you have seen everything, comes some new and impossibly talented interpretation of HIPAA--- "Lampert Smith: UW boobs when it comes to breasts"

Unlike in 2001, when Cooper was born, Amy Olson was turned away this fall when she wanted to sit in a Camp Randall Stadium first-aid station to pump her breast milk during the game.

Frankly, UW-Madison administrators are being boobs about this.

Doug Beard, senior associate athletic director, said the difference is that the federal health information privacy rules (HIPAA) went into effect in the meantime.

If UW-Madison was to let nursing mothers into the first-aid station, Beard said they would invade the privacy of other patients.

"We feel it's totally inappropriate," Beard said. "We're tending to the ill and the sick" in the first-aid stations.

So what?

"My breast is hanging out," Olson said. "I'll see your medical emergency, and you'll see my breast."

I am in awe. This Doug Beard is like the Albert Einstein of HIPAA abusers. This might just be my favorite use of HIPAA as a stupid, unintended excuse ever.

My Way

Another thing to tattoo on your forehead, this time about security:

"It's A Strategy, Not Just A Policy"

When I'm 64

Here is a thoughtful and intriguing discussion on long term storage--- what really will we do when records need to be retained for 100+ years?

A frequently discussed issue with long-term archiving is software compatibility over long periods of time -- what happens when no one remembers what "Centera" means, but there's still terabyte upon terabyte of disk stored in Centera format? While the debate rages about those issues, the issue of long-lasting physical media is often overlooked. Current digital media formats are far more advanced in the short term, but in terms of readability over vast stretches of time, they've still got nothing on the Rosetta Stone.

One by one, according to Remsing, the different formats can be scratched off the hundred-year archive list for physical reasons. It's difficult to put RAID on tape and difficult to migrate between formats on any form of removable media, whether tape or optical. Disk is flimsy in the long run and requires power and cooling.

There are many ideas, like holographic disks proposed. Worth thinking about.

Sweet Little Lies

Another of the many wonderful ways HIPAA can be used as an excuse for something completely unreasonable from the Daily Astorian:

Too many government agencies want to keep secrets. The spirit of Oregon's public records statute is that records are deemed to be open to public inspection unless an agency head can substantiate a claim for secrecy.

Last week's absurd claim by the Oregon Health Division begs for a ray of sunshine. A public health authority declined the request of our sister newspaper, the Blue Mountain Eagle, for the name of the county in which Oregon's first mortality from West Nile Virus occurred. The health authority said secrecy was needed to protect the family of the deceased, and that the county had requested it not be named.

Take a law that many are terrified of but few know anything about, and you too can use it for an excuse for just about anything!

Lean on Me

From the Sarbanes-Oxley Compliance Journal comes this succinct and clear take on the drivers for IT security--- it's the compliance, stupid:

When strict regulations were first implemented, many IT professionals saw the legislation as an opportunity to demonstrate the important link between IT practices and standard business operations. However, the reality of the situation is that regulation is bogging down already overburdened IT resources. In today’s heightened cyber-threat environment where IT resources are already constrained, organizations face tremendous pressure to maintain compliance with the variety of complex regulations, and many IT departments are feeling the pinch.

A November 2005 survey by Ernst & Young stated that nearly two-thirds of its 1,300 respondents claimed that regulatory compliance is the primary driver of information security at their companies, ranking ahead of other critical missions such as protecting against security threats and meeting business objectives. It is not surprising that compliance ranked so important among the survey respondents. After all, even the most minuscule non-compliant decision can become the weak link to a data breach that threatens a company’s brand integrity and consumer confidence.

The data breaches that have dominated the headlines recently should make every IT manager take notice. According to Privacy Rights Clearinghouse, more than 210 publicized breaches have affected more than 55 million customers since February 2005. Those numbers are alarming, but the cost of notification is more so, with notification cost projections running from $10 to $35 per customer. Combining the hard costs of notification with the decline in shareholder and consumer confidence – where some studies show a five percent market cap decline in addition to a 10 to 12 percent decline in consumer confidence immediately following a breach – can produce devastating effects on an organization.

From one angle, it doesn't matter to me where the driving force for IT security comes from. That companies are paying attention and doing something about the potentially company-destroying vulnerabilities that until recently were given only lip service is a giant leap forward.

Get your Kicks

Tell us what you really think: (from the gripe column at the Maryland, Pennsylvania, West Virginia Herald-Mail)

"HIPAA and the HIPAA regulations are the worst thing that has ever happened in the U.S. - worse than any type of foreign war, worse than any scourge or plague or anything else. HIPAA is ridiculous, and should be abolished at all costs. I understand the reasoning behind it, but as is typical in this country, we cannot do things middle-of-the-road; things that make sense. We have to go to one extreme or another. HIPAA is an extreme measure, and needs to be abolished and repealed as soon as possible. Hopefully, with a changeover in Congress, this will be reconsidered. I urge you, if you have loved ones who are ill or disabled or anything along those lines, please call your congressmen. Ask them to repeal or roll back HIPAA now. Spoken from someone who has been adversely affected by HIPAA."