Monday, July 16, 2007

Fear the Reaper

Because, you know, if we continue with HIPAA the terrorists win. From a letter to the editor of the Asbury Park Press:

Finding terrorist cells in the British health care industry is disturbing, because it exposes those doctors as criminals intending to cause mass murder. Al-Qaida is recruiting people from nations such as India and Pakistan who work within the industry. The easy access and knowledge doctors have of dangerous biological agents, chemicals and drugs poses a new threat.

Medical terrorists also have access to private information in our medical records. In cases of our recovering soldiers, they see the wounds inflicted that make them unfit for further duty.

The medical reports of millions of Americans are routinely sent over the Internet to India and Pakistan to be typed or transcribed. Most Americans are unaware the doctor treating them here is sending their private medical history and treatment record to India to be typed. Depending on the turnaround time, your medical report already may be somewhere in India before you return home from treatment.

Once these private medical reports leave the United States via the Internet, they enter a cyber-system, where the medical information can be passed from one company to another within a business chain. Your doctor may not know where the medical dictation finally ends up downloaded to a foreign computer to be typed or transcribed.

All of this is legal under the less-than-adequate medical privacy law called HIPAA. The solution to this crisis is simple: Don't allow our personal medical information to leave the jurisdiction of the U.S. court system. Plenty of qualified medical transcribers live here, where it is easier to maintain privacy and trace the path of this sensitive information.

There are so many things wrong with this I don't have the energy to fully rebut them. Leaving aside the delusional nature of the thing and concentrating on HIPAA, the writer is mistaken on the central point. Offshoring the transcription does not put the PHI beyond the reach of US courts: HIPAA requires a Business Associate Agreement before a covered entity hands PHI to a transcription vendor, and that contract makes the US-based parties answerable for the conduct of their foreign subcontractors.

Now there are bogeymen under every hospital bed. Sheesh.

One Clear Moment

Great article on EHR from Government Health IT:

At the same time, he acknowledged that simply building security features into a system doesn’t ensure that the data will be protected if no one reviews the logs, insists that passwords be changed regularly and so on.

“Everyone in this field of privacy and security acknowledges that the weak link is humans and their training,” Leavitt said. “So you get a false sense of security. You look at the features and you’re quite impressed, but most breaches occur because of human problems.… It’s very important to recognize that the human component — the training component and the policy component — is as important or more important than the software features. You never want to focus only on these technical features.”

In the same vein, most of the people interviewed for this article mentioned the need for HHS to more strongly enforce HIPAA rules. The department enforces the rules only when someone complains. When HHS discovers violations, officials have chosen to work with the offenders to bring them into compliance rather than take them to court.

Without more rigorous enforcement, critics say, the public will have little confidence that health care providers are actually using audit trails and other EMR security features. Runyon noted approvingly that in March the HHS inspector general undertook an audit of an Atlanta hospital’s compliance with HIPAA’s security rules. It was the agency’s first such audit, but the IG is reportedly planning more.

Among other things, it discusses the Nationwide Health Information Network and health information exchanges (HIEs), also known as regional health information organizations, and their role in disclosure and auditing. My wife is on the Governor's Commission on this in our state, and I have been following it with great interest. As I know more, I'll report.

Monday, July 02, 2007

Mr. Postman

From the comments faaaaar below:

Anonymous said...
My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of coworker, tripped the PHI filter on the email and the mother had to delete the request. The daughter resends the request with the information 'hidden' within a song of silly words and asks if the stupid filters caught the last name and date of birth that time. The mother replies that it didn't. The mother fabricates a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA based on the reason that they have no need to know if real/false medical information was given because their perception of what the mother did is more than necessary for them to have fired her. Is this really how HIPAA works or is someone misreading the rule? Thank you in advance for helping.

As a professionally paranoid security guy I must say that this looks like an attempt to circumvent the safeguards in place. To an outsider it looks like a test run. The mother's best course of action (if truly innocent) was to firmly tell the daughter no, explain why it was not appropriate to ask, and explain why it was really not appropriate to try to game the PHI filters. Made-up medical information attached to a real person's name has an even worse potential for damaging that individual's privacy than real data. If they were truly innocent of planning skullduggery, then they are both extremely guilty of poor judgement and disregard for the rules.
Can't blame this one on HIPAA. The mother circumvented the protections in place, broke the insurance company's security rules, and played fast and loose with the patient's PHI, fabricated or not. And yes, HR had no reason to review the real PHI; looking it up would definitely have violated the patient's privacy.
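The comment above describes a classic weakness of pattern-based PHI filters: the filter keys on a contiguous "Surname, Given DOB mm/dd/yyyy" shape, so the same identifiers scattered among filler words walk straight past it. The following is an added example, written for this post and not code from the commenter's employer or any real DLP product, contrasting such a naive filter with a hardened one that normalizes number words and month names and then checks whether a protected surname and a plausible date of birth co-occur anywhere in the message. The three sample messages and the PROTECTED_SURNAMES roster are constructed for the demonstration.

```python
import re
from datetime import date

# Constructed sample messages (not from the original comment). HIDDEN mimics
# the evasion the commenter describes: surname and date of birth buried in a
# song of silly words, so no contiguous "Name DOB mm/dd/yyyy" ever appears.
PLAIN = "Can you pull up Smith, Jane DOB 03/14/1975 for me?"
HIDDEN = ("la la la Smith dee dah doo Jane fa la la march la la fourteen "
          "tra la nineteen seventy-five la la la")
INNOCENT = "Lunch on 3/14? The Jane Austen group meets then, bring Smith's book."

# Hypothetical roster of surnames whose records the filter must protect; a real
# deployment would derive this from the account's membership file.
PROTECTED_SURNAMES = {"smith"}

# --- Naive filter: requires the labelled, contiguous shape ----------------
NAIVE = re.compile(
    r"\b[A-Z][a-z]+,\s*[A-Z][a-z]+\b.{0,20}?\bDOB\b\D{0,5}\d{1,2}/\d{1,2}/\d{2,4}"
)

def naive_filter_flags(text: str) -> bool:
    """True when 'Surname, Given ... DOB mm/dd/yyyy' appears verbatim."""
    return NAIVE.search(text) is not None

# --- Hardened filter: normalize, then look for the identifiers anywhere ---
UNITS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
TENS = {w: 10 * (i + 2) for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split())}
MONTH_NAMES = ("january february march april may june july august september "
               "october november december").split()
MONTHS = {m: i + 1 for i, m in enumerate(MONTH_NAMES)}
MONTHS.update({m[:3]: i + 1 for i, m in enumerate(MONTH_NAMES)})

def token_values(token: str) -> list:
    """Numeric values one lowercase token carries (month names and number
    words included), or [] for filler."""
    if token in MONTHS:
        return [MONTHS[token]]
    if re.fullmatch(r"\d{1,2}/\d{1,2}/\d{2,4}", token):
        m, d, y = (int(p) for p in token.split("/"))
        if y < 100:                       # two-digit year: assume 19xx
            y += 1900
        return [m, d, y]
    if token.isdigit():
        return [int(token)]
    parts = token.split("-")              # "seventy-five" -> 75
    if len(parts) == 1 and parts[0] in UNITS:
        return [UNITS[parts[0]]]
    if len(parts) == 1 and parts[0] in TENS:
        return [TENS[parts[0]]]
    if len(parts) == 2 and parts[0] in TENS and parts[1] in UNITS and UNITS[parts[1]] < 10:
        return [TENS[parts[0]] + UNITS[parts[1]]]
    return []

def merge_years(values: list) -> list:
    """Join spoken year fragments: 19, 75 -> 1975; 20, 4 -> 2004."""
    out, i = [], 0
    while i < len(values):
        if values[i] in (19, 20) and i + 1 < len(values) and 0 <= values[i + 1] <= 99:
            out.append(values[i] * 100 + values[i + 1])
            i += 2
        else:
            out.append(values[i])
            i += 1
    return out

def contains_dob(values: list) -> bool:
    """Any consecutive (month, day, year) triple that could be a birth date."""
    this_year = date.today().year
    for m, d, y in zip(values, values[1:], values[2:]):
        if 1 <= m <= 12 and 1 <= d <= 31 and 1900 <= y <= this_year:
            return True
    return False

def hardened_filter_flags(text: str) -> bool:
    """Flag when a protected surname and a plausible DOB both occur in the
    message, regardless of order, spelling-out, or filler between them."""
    tokens = re.findall(r"[a-z0-9/-]+", text.lower())
    has_name = any(t in PROTECTED_SURNAMES for t in tokens)
    values = merge_years([v for t in tokens for v in token_values(t)])
    return has_name and contains_dob(values)

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("hidden", HIDDEN), ("innocent", INNOCENT)):
        print(f"{label:9s} naive={naive_filter_flags(msg)!s:5s} "
              f"hardened={hardened_filter_flags(msg)}")
```

The naive filter catches the first request and misses the "song"; the hardened one catches both and leaves the lunch invitation alone. It still trades false negatives for false positives (the word "may" is a month, scheduling mail is full of dates, and a determined sender can always encode differently), which is the real lesson of the comment: the filter is a tripwire that tells you someone is probing, not the control that keeps PHI in bounds. The control is the policy, and firing someone for deliberately probing the tripwire is consistent with it.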