Monday, October 31, 2005

Old Time Rock N Roll

Frequently I am asked at seminars and in trainings about families and their rights to Aunt Mandy's information. One of the biggest points of resistance to HIPAA compliance, especially among hospital front line workers, is the idea that someone calling from six states away might not be able to get information about a loved one.
We all know cases where this has happened, but we tend to forget that in spite of the concern and desire to know about Aunt Mandy, it may not be any of that person's business, and in fact that person might be the last one Aunt Mandy wants poking into her medical information. This is an old issue, but like many golden oldies it keeps making it back onto the playlist. Another is the clergyman who can no longer minister to his flock or print prayer requests in the church bulletin. Of course, if Aunt Mandy wanted Reverend Finefellow at her bedside, there is nothing in HIPAA preventing him from being there, and in any case, the local congregation is not a covered entity, and how much they print in the bulletin is only governed by the limits of space and good taste.
This article, by Cindy Steltz in the Rochester Democrat and Chronicle, does a good job of covering some of the still-lingering public concerns and debunking some of the persistent myths. I'd like to see more of this kind of thing.

Rikki Don't Lose That Number

Further steps toward the dreaded patient identifier here in this report from the Commission on Systemic Interoperability. We know it is going to happen, we know that it really should happen, but when it actually does happen, be prepared for an enormous backlash from patients.

The group urged building on the Health Insurance Portability and Accountability Act (HIPAA) to develop national standards for authentication, authorization and security to gain consumers' confidence for connectivity. The standard could include a unique patient identifier, and Congress should strengthen protections under HIPAA by authorizing federal criminal penalties against those who intentionally access protected data without authorization, according to the commission.

"It is clear that electronic records, appropriately secured, provide a great deal more confidentiality than paper records. But the patchwork of often contradictory state laws, rules and cases preclude the development of a national health information network," said Scott Wallace, commission chair and CEO of the National Alliance for Health IT, an industry group. The commission recommended that AHIC begin work toward an interoperable drug record for all Americans by 2010 as a breakthrough case.


Tuesday, October 25, 2005

Welcome to the Machine

From Healthcare IT News:

In a memo to its employees last week, IBM announced it would allow employees to conduct online health risk assessments and create personal health records. The service, a joint offering from WebMD and Fidelity, initially will let employees enter information such as medication and medical history into the records. There's also a health tracker that allows users to enter data such as blood pressure readings. Another tool allows employees to check for any drug interactions with medications they are currently taking.

This is the wave of the future, I think. One of the consequences of HIPAA has been a growing interest by some in having better control of and access to their own PHI. As long as there is some kind of verifiable, high wall of separation between employee access and the employer providing it, this could be a very good thing. Of course, like everything else, it will be abused, but the public's growing awareness of individual rights under HIPAA and other privacy laws will make any transgressions ugly, at least.
At the same time, there is some understandable discomfort with allowing your employer to potentially tap into your PHI. Recent events in the corporate realm haven't been comforting--- the lowered regulatory enthusiasm and the "anything goes" attitude shown by companies like Worldcom and Enron are making it difficult for many people to maintain any level of trust in MegaCorp, Inc., and that it is IBM at the forefront of this initiative has its own sardonic flavor.

Monday, October 17, 2005

In the Lap of the Gods Revisited

I keep harping on this, but you know, it's true: the greatest danger to your confidential information, including PHI, is from within. From SearchSecurity.com:

A new survey of Global 2000 professionals suggests laptops are most likely to be lost or stolen at work. And 90% of those missing devices contain confidential business information, such as sensitive e-mails, network passwords and proprietary documents. Add in that 82% are never recovered, and you've got a lot of corporate secrets circulating in the open.


It does no good to secure your fixed systems with encryption, multi-layer passwords, and biometrics and then leave it possible for someone to simply lift the keys to the kingdom in an unsecured laptop, PDA, or even a web-enabled cell phone or other convergent device. The worst part?

"When looking at how the respondents commented on their stolen laptop, many mentioned the physical security of the device but no one mentioned the information security of the device. In most circumstances, the information value contained on the laptop far outweighs the hardware/software value."

School Street

Perhaps I am missing something here, but this statement seems incorrect:

A school official said due to the federal HIPAA Privacy Rule, they could not identify the student. HIPAA stands for the Health Insurance Portability and Accountability Act.

The student came from the Kilpatrick Elementary Health, Science and Wellness Magnet School, but unless there is something more going on than the school name, I doubt that they are a covered entity.
At the same time, the Arkansas Department of Health issued this less than enlightening statement:

"We investigate any reportable infectious disease in the state that is contagious," said Ann Wright, spokeswoman with the ADH.

See if you can figure it out. The full story is here.

King's Lead Hat

Here is an update on the lead/privacy case in Ohio. From the First Amendment Center :
COLUMBUS, Ohio — A newspaper wants to report on homes, many of them rented, where lead paint has harmed children. The city health department fears federal fines and penalties if it complies with the state's open-records law.
In what attorneys say is one of the first such tests nationwide, the Ohio Supreme Court must decide if state law trumps the federal rule.
The 2-year-old federal Health Insurance Portability and Accountability Act prohibits health insurers, medical care providers and entities that process medical information from releasing any information that identifies the patient. However, the information can be released by a public agency if a state records law mandates it.

With a Little Help From My Friends

"DOL again extends COBRA deadlines for Katrina victims"

Mister Cee's Master Plan

It is not enough to decide that you are going to do something to make your systems HIPAA compliant--- too often I see systems which would have worked just fine, if there had been some kind of overview planning before I was called in to fix them.
Here, from LocalTechWire, are some steps to help you optimize the results of your planning for technology implementations. Some of the highlights:


    • Create a vision that considers both the short- and long-term implications, defines success criteria, and identifies risks.

    • Have an independent technology consultant perform a technology assessment. Evaluate several approaches and solutions.

    • Focus on total cost of ownership, not just the initial cost. Consider operational and productivity benefits as well as on-going support costs in order to determine your best option.

Tuesday, October 11, 2005

Midnight at the Lost and Found

Interesting case from The Pueblo Chieftain:

Rick is emancipated from his parents but stays in touch with them. They reported him missing on Sept. 22, and didn't find him until a week later.
"It turns out that he checked himself into the mental ward at Parkview hospital, but when we checked with the hospital they flat out told us no, he was not there," Harmes said. "They finally released him (on Sept. 29) and he called us right away."...


"The hospital blamed it on the privacy laws, but I think they dropped the ball," he said. "I would think if people have to go to the law to try to find a person, that would carry some weight. But it didn't."


I'm not really certain that Colorado state law would allow disclosure, but under HIPAA a missing-person case would probably allow at least confirmation that the person was still alive. Mental health issues can be sticky, though, and it looks like the hospital in this case was being overcautious rather than obstructive.

Give Me Just a Little More Time

Some help for Katrina victims:

The U.S. Department of Labor's Employee Benefits Security Administration (EBSA), in conjunction with the Internal Revenue Service, announced a further extension of a number of deadlines so workers and employers affected by Hurricane Katrina have additional time to make critical health coverage decisions.
The relief provides additional time to comply with certain deadlines, contained in the Consolidated Omnibus Budget Reconciliation Act (COBRA), the Health Insurance Portability and Accountability Act (HIPAA) and the rules for processing of health claims, that can have a profound impact on workers' health benefits.

Auntie's Municipal Court

Pretty interesting story from the Cincinnati Enquirer:

The Cincinnati Health Department and The Enquirer will square off in the Ohio Supreme Court today over how to balance privacy rights with the public's right to know.
The fight, among the first of its kind in Ohio, involves federal privacy rules that have triggered two years of legal battles between journalists and public officials across the country.
The Cincinnati dispute arose last year when the newspaper requested records of citations that the health department has issued to property owners for failing to eliminate sources of lead poisoning, such as lead-based paint.

It will be interesting to see how this is decided in the courts. I am torn. On the one hand, this seems like another case of public officials hiding behind HIPAA to avoid public accountability, and a case of frustrated reporters trying to do their jobs. On the other hand, the children involved certainly have a right to privacy, especially since exposure to lead can have serious, life-long effects, and a prospective employer, for example, might use the information unfairly.

Monday, October 03, 2005

Stealing People's Mail

Free online seminar coming Wednesday Oct 5, 9:30 AM PST:

Simplifying HIPAA Email Compliance

October 5, 2005
The American Hospital Association recently endorsed a standardized secure messaging solution to comply with HIPAA e-mail regulations. After researching all major players in the secure messaging space, AHA chose PostX for its ability to meet rigorous security requirements, with solutions sized for the smallest hospitals to the largest. In this informative 30-minute event, the AHA explains why they awarded PostX an exclusive endorsement for secure messaging.



Vendor driven, of course, but still may be informative.

Monday, September 26, 2005

Straight Outta Now Rule

Here it is, the thing you have been waiting for:
HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule
Read, enjoy, there will be a quiz Friday.

Everybody's Got Something to Hide Except for Me and My Monkey.

As a former reporter, I can be sympathetic to those who feel that HIPAA blocks them from being able to do their job correctly. However, much of the time when I hear the HIPAA whine from reporters, they are just flat wrong--- the patient's right to privacy is not trumped in most cases by the public's right to know. There certainly are exceptions, but usually, though sympathetic, I know that the greater good is being served by the privacy given all of us by HIPAA and other privacy laws.
So when I started reading this article in the Missoula Independent, I was skeptical. It sounded like another HIPAA whine. Reading further, I realized that it was, in fact, another case of folks in authority using HIPAA as an excuse to cover up what seems, from what I can tell, to be some negligence somewhere along the line.
I was especially amused by the little jab from one of the interviewees:


“You can thank your buddy Bill Clinton,” Eggensperger told us, by way of explaining his secrecy. When asked what he meant by “your buddy Bill Clinton,” Eggensperger had this to say: “I’ve read your Independent. It’s about as left-wing as it gets. I’m telling you because of your buddy Bill Clinton we can’t give out that information.”
When pressed, Eggensperger said the Sanders county attorney had instructed him to not give out any information. Then he hung up.

Someone a little bitter here? As Jon Stewart asks, "What exactly is the statute of limitations on Bill Clinton?"
As an aside, I have to say this to folks who mouth off to reporters--- you may very well be correct about what you are angry about, but they nearly always get the last word, and their last word is read by the entire circulation of their paper.

Woo-Hah--- Got You All In Check

At the University of Arizona, they are taking HIPAA compliance seriously:

"During "spot checks" she observes activities in the waiting area while disguised as a typical student or patient, Poole said. "I'll put on my jeans and a T-shirt and pull my hair up on top of my head," Poole said.
Unannounced visits also serve the purpose of ensuring that the behavior Poole observes during evaluations is maintained on a daily basis, answering the question, "Did they put on a show because I was coming in, or is this really the way it's done?" Poole said."

As well as keeping very good track of what is going on, they are experimenting with computer kiosks for checking in for appointments (rather than saying your name to a receptionist) and light-up pagers for when it is that patient's turn. I like to see this level of creativity, and from the reactions of the students affected who were interviewed, patients seem to appreciate it too.

Tuesday, September 20, 2005

Rebel Without a Clue

HHS (you know, the government guys who have a clue) came up with this fast-and-dirty solution to the difficult-to-obtain prescription records in the wake of the Katrina disaster. They were able in a very short time to provide a database covering nearly 80% of those affected. The cool thing? It was entirely voluntary.

"The companies voluntarily worked together to create a site where shelter doctors could link to databases from a single source. Otherwise, doctors would have had to cobble together patient information from five sources. The databases contained prescription data for 80 percent of those affected by the storm and floodwaters, he said. The Veterans Affairs Department also contributed data. "

Gold Standard Multimedia of Tampa, Fla., the Medicaid prescription-drug contractor for the three affected states, provided the front end. Looks like they did a bang-up job.
Privacy issues will follow, of course, but the success of this project is pretty clearly the child of the big push for EPHI.

Monday, September 19, 2005

Reflect on Conflict

An interesting new study from Harvard University--- Health IT Report: Coordinating Patient Care Takes Back Seat to Processing Claims:

"Understanding exactly who benefits from electronic health records, and how much, is at the heart of a debate between health care providers and health care payers.
Clinicians say they are pressured to purchase expensive systems that primarily benefit payers.
Payers don't want to help physicians purchase systems that will help provide care to competitors' clients. "

There is money to be saved on every front here. An important reason for electronic records is that somewhere along the line there is money to be saved, in labor costs, in liability, and in other efficiencies. The sad thing for clinicians is that the payers have a bigger stick, and are farther removed from the patient. The middle ground here is probably not going to be in the middle.

Wednesday, September 14, 2005

Nothing to Say

Passed on without comment:

A database of electronic medical records could have helped emergency medical workers care for people displaced by Hurricane Katrina and would have resulted in fewer disruptions in evacuees’ medical needs, according to speakers at the 11th National Health Insurance Portability and Accountability Act (HIPAA) Summit, held Sept. 7-9 in Washington, D.C., and sponsored by the eHealth Initiative.
Many of the evacuees’ original medical records, which were housed in health care providers’ offices in areas affected by the storm, are currently inaccessible, and many likely were destroyed. As a result, emergency medical care providers are having trouble determining what medications evacuees were taking and in what dosages.

Impact is Imminent

Interesting white paper from Apani Networks on the Health Insurance Portability and Accountability Act (HIPAA) and its Impact on IT Security:

"HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:
- Administrative Safeguards: Implement policies and procedures to prevent, detect, contain, and correct security violations.
- Physical Safeguards: Implement policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
- Technical Safeguards: Implement policies and procedures that protect and monitor information access, and prevent unauthorized access to data transmitted over a network."

Fight from the Inside

Okay, I have been harping on this forever, but you know, it isn't some spike-haired superhacker who is going to snatch your data. From this very well-written article from Insurance Networking News:

"Circumstances surrounding the majority of insiders who committed acts of sabotage and their resultant acts of destruction followed similar paths:
* The attack was triggered by a negative work-related event.
* Insiders planned their attack in advance.
* When hired, perpetrators had been granted system administrator or privileged access (one-half did not have authorized access at time of incident).
* They used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and/or procedures.
* They compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
* They used remote access to carry out some of the attacks.
* The attacker was detected only after there was a noticeable irregularity in the information system, or when a system became unavailable."

Read the whole thing, please.
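As an added illustration (mine, not from the article or from this blog), here is the detection side of those findings: a short Python triage over constructed audit-log lines that flags the patterns the list describes, namely account creation that matches no approved change, a freshly created account being made privileged, and shared or unapproved accounts logging on from outside the network. The log format, the 10/8 internal range, and the shared-account and approved-change lists are all assumptions made up for the example.

```python
"""Insider-threat triage over constructed audit-log lines (example code).

Flags the patterns quoted above: backdoor account creation, newly
created accounts gaining privilege, and shared/unapproved accounts
used over remote access. Log format and lists below are assumptions."""
import re

# Constructed sample log (assumed format: ts user ACTION key=value ...).
SAMPLE_LOG = """\
2005-09-14T22:05:11 jsmith ACCOUNT_CREATE target=svc_backup src=10.0.0.5
2005-09-14T22:06:40 jsmith GROUP_ADD target=svc_backup group=Administrators src=10.0.0.5
2005-09-15T09:12:03 hradmin ACCOUNT_CREATE target=newhire01 src=10.0.0.9
2005-09-16T01:44:27 svc_backup LOGON src=203.0.113.7 method=vpn
2005-09-16T02:10:00 shared_ops LOGON src=203.0.113.7 method=vpn
2005-09-16T08:30:00 shared_ops LOGON src=10.0.0.21 method=console
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<rest>.*)$")
INTERNAL_PREFIX = "10."             # assumption: 10/8 is the internal network
SHARED_ACCOUNTS = {"shared_ops"}    # assumption: known shared logins
APPROVED_CREATES = {"newhire01"}    # assumption: accounts with a change ticket


def parse(line):
    """Split one log line into fields; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec


def triage(log_text):
    """Return a list of (rule, user, ts) findings in log order."""
    findings = []
    created_here = set()  # accounts created without an approved change
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, action, kv, ts = rec["user"], rec["action"], rec["kv"], rec["ts"]
        remote = not kv.get("src", "").startswith(INTERNAL_PREFIX)
        if action == "ACCOUNT_CREATE" and kv["target"] not in APPROVED_CREATES:
            findings.append(("unapproved_account_create", user, ts))
            created_here.add(kv["target"])
        elif action == "GROUP_ADD" and kv["target"] in created_here:
            findings.append(("new_account_privileged", user, ts))
        elif action == "LOGON":
            if user in SHARED_ACCOUNTS and remote:
                findings.append(("shared_account_remote_logon", user, ts))
            if user in created_here and remote:
                findings.append(("unapproved_account_remote_logon", user, ts))
    return findings


if __name__ == "__main__":
    for rule, user, ts in triage(SAMPLE_LOG):
        print(f"{ts} {rule}: {user}")
```

The approved-creation line and the console logon to the shared account produce no findings, which is the point: the rules key on the combination of unapproved change, privilege, and remote access rather than on any one event.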