Sunday, April 29, 2007

I Made My Excuses and Left

No more excuses:

The same swing can be seen with other laws. Twenty-five percent of large companies are not compliant with California’s security breach notification law but only 14 percent of midsize companies are not compliant. Midsize companies are less compliant when it comes to the Health Insurance Portability and Accountability Act, or HIPAA (27 percent of midsize companies are noncompliant versus 21 percent of large companies).

The reason, as usual, is money. Sarbanes-Oxley and HIPAA compliance is more complicated and expensive than, for example, GLBA compliance. But the mid-market’s excuse that it doesn’t have the money to comply may be becoming obsolete. According to Mark Lobel, a PricewaterhouseCoopers advisory partner specializing in security, the price is dropping for technologies that help companies comply with security and privacy laws. With affordable tools coming onto the market that can sniff out the data you need to protect, excuses from mid-market CIOs that it’s too expensive to comply with Sox and other laws will no longer work, Lobel asserts.

Mo Money, Mo Problems


Attorney David Hanson, a partner in Michael Best & Friedrich and chairman of its healthcare practice group, noted there are people in the health field who think the industry already is spending too much time and money on patient data security - thanks to regulations like the Health Insurance Portability and Accountability Act.

Too much time and money? Yeah, like there haven't been any data breaches lately in the health-care sector. Only if you are spending your money stupidly. Only if your time is spent trying to find ways to just barely comply, as part of a general CYA policy concerning compliance.

Show me a properly designed and fully supported patient data security system. Then bitch about too much time and money. Anybody who thinks this deserves whatever exposure to lawsuits they get.

"It's a strategy, not a policy!"

Days of Our Wives

You know, this HIPAA thing often seems to lead in completely unexpected directions. Who would have ever guessed that a boring collection of medical regulations would somehow connect with the trial for statutory rape of a notorious cult leader?

A 5th District judge has ordered a media coalition seeking to unseal a secret petition issued in the prosecution of polygamous sect leader Warren S. Jeffs to submit to the court briefs addressing issues of the leader's privacy rights under HIPAA, the Health Insurance Portability and Accountability Act of 1996.

You know, it used to be if I wanted to be left alone on a long flight, when the person in the seat next to me asked what I did, I told them I was a HIPAA consultant and offered to tell them all about it. They would immediately feign fatigue, and be fake-snoring in minutes. But if this sort of thing keeps happening, I'll be wearing wrap-around shades and travelling with an entourage.

Hat too Flat

At a recent speech in Washington DC, Google's Adam Bosworth set forth a bunch of stuff planned for Google Health, described as likely to be a “simple, sloppy solution” as befits the Google way of doing business. All of it sounded pretty good, except when he unleashed this whopper:

Google is trying to lay the groundwork to have HIPAA overturned, and short of that would like to educate providers and patients about how to get at their information even within the constraints of current laws. They’d like to see consumers have the ability to review and challenge their records as is the case with credit bureau information

Ummm.... this is already a right under HIPAA. The Privacy Rule gives patients the right to inspect and get a copy of their records, and to request amendments to them. Mr. Bosworth seems to have been talking through his hat.

Wednesday, April 04, 2007

Stupid Things

How in the world can this still happen?

Empire Blue Cross and Blue Shield, a division of WellPoint, a medical services company in the US, has begun notifying 75,000 members that a compact disc holding their personal and medical information has been lost, according to published reports.

The personal data was stored on an unencrypted CD

Not one day passes that there isn't another report of ID theft or something similar, so awareness must surely be there. Low cost encryption software is cheap, easy to use and ubiquitous. There are thousands of us out there talking ourselves blue in the face about this stuff.
Johns Hopkins had a similar issue lately, but the data was encrypted, so no problem (as long as the key didn't travel with the disc, a lost encrypted disc is a lost piece of plastic, not a disclosure).
How can this still happen?
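The first post on this page quotes Lobel on affordable tools that "sniff out the data you need to protect", and the Empire Blue Cross story above is exactly the case they exist for: a plaintext export that should never have reached a CD. Here is an added example, not code from the original post or from any vendor it mentions, of the simplest form of that check. It scans a file destined for removable media for plaintext US Social Security numbers (with the structural rules that exclude impossible area, group and serial values) and lets a file through only if it matches nothing or already looks encrypted by a byte-entropy test. The file names, sample CSV and the pseudo-random "encrypted" blob are constructed for the example.

```python
"""Pre-burn check for removable media: block files carrying plaintext
identifiers (here, US SSNs), allow files that already look encrypted."""
import hashlib
import math
import re
from collections import Counter

# Constructed sample inputs, not data from the original post.
PLAINTEXT_EXPORT = (
    b"member_id,name,ssn\n"
    b"1001,J. Doe,123-45-6789\n"
    b"1002,R. Roe,219-09-9999\n"
)

def _pseudo_random_blob(size: int) -> bytes:
    # Deterministic stand-in for ciphertext: a SHA-256 chain has the
    # near-uniform byte distribution a real encrypted file would show.
    out, block = bytearray(), b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])

ENCRYPTED_BLOB = _pseudo_random_blob(4096)

# SSN format rules: area != 000, 666 or 9xx; group != 00; serial != 0000.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Entropy heuristic: ciphertext (and compressed data) sits near 8 bits
    per byte; CSV, text and office documents sit well below. Only applied
    to inputs long enough for the statistic to mean something."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold

def find_ssns(data: bytes) -> list[str]:
    """Every plausible SSN in the file, in order of appearance."""
    return [m.group(0).decode("ascii") for m in SSN_RE.finditer(data)]

def check_for_removable_media(name: str, data: bytes) -> dict:
    """Verdict for one file: 'allow' or 'block', with the reason."""
    if looks_encrypted(data):
        return {"file": name, "verdict": "allow",
                "reason": "high entropy; looks encrypted"}
    hits = find_ssns(data)
    if hits:
        return {"file": name, "verdict": "block",
                "reason": f"{len(hits)} plaintext SSN(s) found",
                "samples": hits[:3]}
    return {"file": name, "verdict": "allow",
            "reason": "no protected identifiers matched"}

if __name__ == "__main__":
    for fname, blob in (("members.csv", PLAINTEXT_EXPORT),
                        ("members.csv.enc", ENCRYPTED_BLOB)):
        print(check_for_removable_media(fname, blob))
```

Two caveats a practitioner would add before relying on this: the entropy test cannot tell ciphertext from a ZIP or JPEG, so it is a sanity check that the disc was encrypted, not proof of it; and an SSN regex is only one of the identifier patterns (medical record numbers, dates of birth, member IDs) a real scan would carry, each with its own false-positive profile.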

Highway Rain

Shred, please.

Hundreds of confidential documents from the Cleveland Clinic littered Interstate 77 on Tuesday after blowing off the back of a garbage truck.

Clinic spokeswoman Eileen Sheil said "almost all" of the 300 to 500 documents were recovered from the area of Fleet Avenue.

The documents are employees' performance reviews and patients' results from the cardiology laboratory, Sheil said.

The federal Health Insurance Portability and Accountability Act requires patient documents to be shredded, which these were not.

"Procedures were not followed," Sheil said. Clinic officials are investigating who was responsible.

Uh huh.

The First Cut Is The Deepest

ID theft is a huge problem, and when it involves medical records, the outcome can sometimes be deadly. But see if you can see the problem with this:

HIPAA also addressed security and privacy of health data, encouraging the widespread use of electronic data interaction.

The danger, however, comes when a thief uses a fraudulent identification to seek health treatment. His history - allergies, blood type, and treatment record - then becomes part of the data stored in the system, and can affect the care of the actual person.

“That's when they start giving me the wrong blood,” Jennings said, adding grimly. “I know a surgeon in Warsaw, Ind., that's removed an appendix from the same person five times.”

Five times? At what point do you notice something wrong? And who in the world is yanking so many appendices, anyway? What sort of patient population would allow for this? And how many is too many? Do you cut them off at some point? "Sorry, this coupon has a limit of three per customer."
Somehow I think someone is exaggerating for effect, don't you?

I Write the Songs

Gotta love a guy who heads his posts with song titles! This piece, titled Paper Doll, is a quick rundown on the various technologies available at low cost to help you get a little closer to that goal of a paperless office, dental style.
Most small practices don't have anybody to ramrod changes. New technology usually happens as something breaks. There are some relatively painless steps toward friendlier processes, though, and if they are less expensive and easy to implement, then they are both more likely to find their way into use, and less likely to be bypassed by the end users as being too much trouble or getting in the way of care.

One (Hu)man, One Vote Remix

From the comments on the post below about the pharmacy worker who was using patient records for her husband's political campaign:

pharmdatamining said...
She lives near me.
I'm changing pharmacies now! Doh!

My wife is a candidate for city council of the city in which we reside. I promise not to pirate anyone's information for her fundraising activities :)

I Fought the Law

Let's see if I can make sense of this: a woman was admitted to the hospital, told the folks there that her husband had pushed her, hospital calls police. All normal stuff. But then the woman decides she doesn't want to talk to the police, and the hospital staff decides HIPAA does not allow them to let the police in to interview the woman. They come back with an obstruction of justice warrant, and arrest the case manager. Woman goes home, police never talk to her. Obstruction charges are later dropped, but the arrested case manager sues for false arrest:

Melancon threw out the lawsuit, saying the federal Health Insurance Portability and Accountability Act does not block officers from getting information about a crime, and noting that the officers had obtained a warrant for Maier's arrest, meaning that a judge had found probable cause for the charge. He said that provides protection against accusations of false arrest.

It seems like everyone got caught in the machine here. The police certainly needed to respond to the domestic violence call, and the patient's privacy was protected. In some states the domestic violence laws are strict enough that the cops would not have been allowed any discretion. But even though the charges were dropped, no one is ever edified by being escorted out of their place of employment in handcuffs.
Reading between the lines, I suspect this may have been a motivator:

Maier's attorney, Paul Marx, said Maier was far from the only person who told police that they could not give them the woman's name, but may have been the most vocal.

*Thanks for catching the typo, Jason!