Friday, June 15, 2007

Save My Grave

Wow! Another great "Golden Hippo" nominee for creative use of HIPAA. This time it is Nebraska Attorney General Jon Bruning, who has declared that numbered markers on graves from the state mental hospital from over a century ago cannot be identified by name, because of HIPAA. The McCook Daily Gazette disagrees:

We understand Nebraska Health and Human Services' reluctance to release patient information -- most of us wouldn't want such information about ourselves to be made public.

But we have seen HIPAA used as an excuse for all sorts of obstruction, from the condition of accident victims to the location of a house fire.

We have to question the need to conceal the name or date of death for someone who died nearly 120 years ago, especially to people who only want to trace their family trees.

Send in the Clowns

Security is a strategy, not a policy!

A box left in a trash bin could end up leaving some local doctors a little lighter in the wallet.

The Greenwich Post was given a box filled with medical documents from the Dearfield Medical Building that may have been improperly disposed of. The box was discovered at 4 Dearfield Drive inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues. These documents are not medical charts, but do contain patient names and contact information.

According to the United States Department of Health and Human Services, under the privacy regulations for the Health Insurance Portability and Accountability Act (HIPAA), documents such as the ones in the trash bin are supposed to be kept confidential and then shredded when disposed of, not just thrown out in a box.

While it was not confirmed from which office at the medical building all the documents originated, the names of Alfred Padilla and Judith Goldberg-Berman, who run an endocrinology practice in the building, appear frequently on the documents.

Dr. Padilla spoke to Greenwich Post on Tuesday and expressed surprise that the documents had not been shredded. He said it was the practice’s policy to make sure all medical documents were properly disposed of.

“We take HIPAA very seriously,” Dr. Padilla said. “In general we will shred everything we throw away.”

Dr. Padilla said there were some documents that were kept in a room at the practice to be shredded, but hadn’t yet been. He speculated that the cleaning crew at the building might have accidentally disposed of them.

“We have a pile of boxes to be shredded,” Dr. Padilla said. “If the cleaning people came and took the box, mistaking it for garbage, that would have been what happened... My suspicion is that one of our shredding boxes ended up in the trash bin. That’s the only theory I can come up with.”

Sheesh. Who'da ever thunk that cleaning people might mishandle patient records? A shredding policy only works if the boxes waiting to be shredded cannot be mistaken for trash in the first place.

Fight For All The Wrong Reasons

I TOLD you so!

An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.

The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place. The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

If your management has been slacking on compliance, it is time to read them this article from Computer World. Enforcement is the new black; the free ride is over. I absolutely agree with Barry Runyon:

The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. "I don't think Piedmont was an anomaly," he said. "My sense is that there is going to be more feet on the street from HHS going on unannounced audits."

Good grief, we in this industry have had plenty of time to get our acts together, and most of the provisions are nothing more than best practices anyway.

Please, please, please do not be the next hospital, clinic, or other covered entity that I write about here. Get compliant!

Wednesday, June 13, 2007

If Everyone Cared

From another forum where I am a moderator comes this question from someone worried about IT security:

I was asked this question, and I'm not quite sure how to answer it. Where does one turn when they see a complete disregard and lack of importance in the compliance for HIPAA security? The privacy rules are basically followed. But on the technology side, they have policies in place that are just not followed; upper management has stated behind closed doors that HIPAA and security really aren't that important. There really is no one who is the HIPAA security officer. HR is the HIPAA privacy officer. And no one in the healthcare facility will take the issues seriously - even when approached by their own IT about its importance.
Where do they turn, and how do they go about it while keeping their job?

The problem is, of course, that enforcement has been criminally lax. But with the recent change in power comes a new emphasis on enforcement, and there are going to be covered entities that become the big, awful example. In the past very little was done when someone was found to be out of compliance, but recent news suggests that the tide is turning.

One of the most compelling reasons to follow the HIPAA security rules is that they are generally best practices anyway. The time to protect yourself is not after you have already been exposed.

All it would take would be for there to be a big data loss, with PHI exposed, and those same scofflaws would be scrambling to save their behinds. And the goat would be the IT guy -- no matter the final outcome, the first instinct of those in charge is to blame underlings, and nobody likes IT people anyway.

The process is complaint driven, which means that someone has to rat them out first. The good news is that any affected person can complain, which in practice means just about anybody.

I would suggest the hair-on-fire approach: point out to the beancounters that the exposure is real, the dangers are extreme, and the risk to their jobs, to the economic strength of the facility, and of an irreparable PR disaster from a major data loss is not in any way worth the shortcut of skipping procedures.

Of course, it is important to make certain that the procedures and policies don't interfere with the business at hand. Healthcare frontliners are notoriously hostile to extra steps that seem to make their primary mission more difficult. Your procedures need to be as transparent to the end user as possible, or they will be disregarded, bypassed or ignored.

The person may be able to convince management of the possible financial risks involved, as money seems to motivate. They may also volunteer to be the champion on this, as sometimes the only reason things don't happen is that nobody wants to bell the cat.

Of course, without the buy-in of top management, this is all moot, because every organization is like a fish, in that it rots from the head down. Without a security officer, and absent help from on high, there is not much to be done.

Good luck on this!