Stench From The Dumpster

A follow up on the Salt Lake dumpster dive story: it seems that it is shoot the messenger time:

The lawsuit filed Wednesday against KSL alleges its coverage was inaccurate.
"It wasn't a Dumpster, it was a recycling bin," said Brenda Flanders, a lawyer representing the company. "And it wasn't 20 feet from the sidewalk."
The bin was "out of the public domain" and its contents are collected by a company that shreds the documents inside, the lawsuit asserts. "At no time is the recycle bin subject to public dissemination," it claims.
Sheryl Worsley, managing editor of KSL Newsradio, said the station stands by its story. "The records were accessible to anyone," she said in a statement. "We found them in plain view, near a busy street, in an open recycling dumpster just 20 feet from the sidewalk and right next to a fast food restaurant drive-through."
The property was not marked private or fenced off, she said. The site was visited at least six times, and each time, the bin "was unlocked, sometimes with the lid wide open," she added.

Lame, lame, lame. And they would have gotten away with it to, if it weren't for those pesky kids.

Heard It Through the Grapevine

Are you a reporter who has come here by mistake, hoping to pull a quote, or learn a little something? If so, here is an excellent set of lists to help you navigate HIPAA and still do your job.
Just to let you know, I feel your pain. I used to be a reporter, and know how difficult it can be to get the info you need. There are ways to get around to what you need, and still protect the privacy of those you write about.
If you just remember that HIPAA is to protect the patient's privacy and not cover the Hospital's gown gap, you should be just fine.

Slippin' and Slidin'

If you haven't guessed already, I just love HIPAA. One of the best things about it is that is a force so powerful that it can only be used for good, or evil. The evil in this case being our latest installment in "HIPAA made me do it!"

It seems that a school board memeber has a wife who is involved in the union. Some folks feel that it would be a conflict of interest if Mr. Steel gets his health insurance through his wife, and is allowed to vote on contract issues that affect coverage. It would be pretty simple, but terribly boring, if Mr. Steel just recused himself from the vote, but he is saved from obscurity by refusing and by claiming he can't disclose if he is covered by his wife's policy because of HIPAA.

Mr. Flagg's been trying to learn if Mr. Steel gets health benefits from the school district through his wife. Mr. Steel has declined to release what he calls his "wife's personal information."

"Right now, we have been unable to get it because [Mr.] Steel has refused or ignored," Mr. Flagg said. "We disagree that it is a protected record under HIPAA."

The Health Insurance Portability and Accountability Act, known as HIPAA, enacted in 1996, is a federal law intended to protect the disclosure of personal medical information.

If Mr. Steel does receive the health insurance, he would not be permitted under Ohio law to vote on the teachers' contract.

If we had an award to give for creative HIPAA abuse, Mr. Steel would certainly get it. We could have a little award ceremony, and give out a gilded hippo.

Enforce U

Is this how we are finally going to be forced to compliance?

The requirements laid out by HIPAA are notorious for lacking teeth or oversight, and many smaller healthcare organizations take advantage of this with lackluster compliance efforts. Magrath says that from a government enforcement perspective this won't likely change soon.

"The only way I see something coming down the pike, is if there are a bunch of high profile breaches that force legislators to do something," he says. "In the absence of that, I don't see anybody forcing hospitals to pay fines."

However, Walsh says that the healthcare sector may turn to self-policing as the most influential healthcare organizations recognize the importance of HIPAA mandates. For example, he believes that this may be the year that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) ties more HIPAA compliance requirements in with its accreditation process.

"Accreditation may be held up when the hospital doesn't comply," says Walsh. "They have been threatening this for some time, but maybe 2007 is the year they get serious about this."

Volume of Neglect

Why am I not surprised by this:

The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006, according to a new report on medical privacy.

Somehow I don't think it is because most complaints are easily dismissed. I'm not alone here:

“Our experience has been that complaints are being dismissed without any real investigation and very few of them are sent to the Department of Justice for enforcement,” (Deborah)Peel said...
“Patients with legitimate complaints are simply not being helped," Peel said.

Now or Never

I am a little late on this, but here are more final rules.

SHRMOnline has this excellent summary:

The 43 pages of final rules do not change the 2001 interim rules or the proposed rules on wellness programs. Instead, they finalize the 2001 interim rules from the DOL, HHS and Treasury and are designed to clarify some ambiguities regarding wellness programs, make some changes in terminology and organization, and add a description of wellness programs that are not required to satisfy additional standards.

Milk Shake

Just when you think you have seen everything, comes some new and impossibly talented interpretation of HIPAA--- "Lampert Smith: UW boobs when it comes to breasts"

Unlike in 2001, when Cooper was born, Amy Olson was turned away this fall when she wanted to sit in a Camp Randall Stadium first-aid station to pump her breast milk during the game.

Frankly, UW-Madison administrators are being boobs about this.

Doug Beard, senior associate athletic director, said the difference is that the federal health information privacy rules (HIPAA) went into effect in the meantime.

If UW-Madison was to let nursing mothers into the first-aid station, Beard said they would invade the privacy of other patients.

"We feel it's totally inappropriate," Beard said. "We're tending to the ill and the sick" in the first-aid stations.

So what?

"My breast is hanging out," Olson said. "I'll see your medical emergency, and you'll see my breast."

I am in awe. This Doug Beard is like the Albert Einstien of HIPAA abusers. This might just be my favorite use of HIPAA for a stupid unintended excuse ever.

My Way

Another thing to tatoo on your forehead, this time about security:

"It's A Strategy, Not Just A Policy"

When I'm 64

Here is a thoughtful and intriguing discussion on long term storage--- what really will we do when records need to be retained for 100+ years?

A frequently discussed issue with long-term archiving is software compatibility over long periods of time -- what happens when no one remembers what "Centera" means, but there's still terabyte upon terabyte of disk stored in Centera format? While the debate rages about those issues, the issue of long-lasting physical media is often overlooked. Current digital media formats are far more advanced in the short term, but in terms of readability over vast stretches of time, they've still got nothing on the Rosetta Stone.

One by one, according to Remsing, the different formats can be scratched off the hundred-year archive list for physical reasons. It's difficult to put RAID on tape and difficult to migrate between formats on any form of removable media, whether tape or optical. Disk is flimsy in the long run and requires power and cooling.

There are many ideas, like holographic disks proposed. Worth thinking about.

Sweet Little Lies

Another of the many wonderful ways HIPAA can be used as an excuse for something completely unreasonable from the Daily Astorian:

Too many government agencies want to keep secrets. The spirit of Oregon's public records statute is that records are deemed to be open to public inspection unless an agency head can substantiate a claim for secrecy.

Last week's absurd claim by the Oregon Health Division begs for a ray of sunshine. A public health authority declined the request of our sister newspaper, the Blue Mountain Eagle, for the name of the county in which Oregon's first mortality from West Nile Virus occurred. The health authority said secrecy was needed to protect the family of the deceased, and that the county had requested it not be named.

Take a law that many are terrified of but few know anything about, and you too can use it for an excuse for just about anything!

Lean on Me

From the Sabanes-Oxley Compliance Journal comes this succinct and clear take on the drivers for IT security--- it's the compliance, stupid:

When strict regulations were first implemented, many IT professionals saw the legislation as an opportunity to demonstrate the important link between IT practices and standard business operations. However, the reality of the situation is that regulation is bogging down already overburdened IT resources. In today’s heightened cyber-threat environment where IT resources are already constrained, organizations face tremendous pressure to maintain compliance with the variety of complex regulations, and many IT departments are feeling the pinch.

A November 2005 survey by Ernst & Young stated that nearly two-thirds of its 1,300 respondents claimed that regulatory compliance is the primary driver of information security at their companies, ranking ahead of other critical missions such as protecting against security threats and meeting business objectives. It is not surprising that compliance ranked so important among the survey respondents. After all, even the most miniscule non-compliant decision can become the weak link to a data breach that threatens a company’s brand integrity and consumer confidence.

The data breaches that have dominated the headlines recently should make every IT manager take notice. According to Privacy Rights Clearinghouse, more than 210 publicized breaches have affected more than 55 million customers since February 2005. Those numbers are alarming, but the cost of notification is more so, with notification cost projections running from $10 to $35 per customer. Combining the hard costs of notification with the decline in shareholder and consumer confidence – where some studies show a five percent market cap decline in addition to a 10 to 12 percent decline in consumer confidence immediately following a breach – can produce devastating effects on an organization.

From one angle, it doesn't matter to me from where the driving force for IT security comes. That companies are paying attention and doing something about the potential company-destroying vulnerabilties that until recently were given only lip-service is a giant leap forward.

Get your Kicks

Tell us what you really think: (from the gripe column at the Maryland, Pennsylvania, West Virginia Herald-Mail)

"HIPAA and the HIPAA regulations are the worst thing that has ever happened in the U.S. - worse than any type of foreign war, worse than any scourge or plague or anything else. HIPAA is ridiculous, and should be abolished at all costs. I understand the reasoning behind it, but as is typical in this country, we cannot do things middle-of-the-road; things that make sense. We have to go to one extreme or another. HIPAA is an extreme measure, and needs to be abolished and repealed as soon as possible. Hopefully, with a changeover in Congress, this will be reconsidered. I urge you, if you have loved ones who are ill or disabled or anything along those lines, please call your congressmen. Ask them to repeal or roll back HIPAA now. Spoken from someone who has been adversely affected by HIPAA."

1999

One in four. Luddites.

The federal goal is for most Americans to have their medical information in electronic format by 2014, and for all prescriptions to be written electronically four years before that.Are physicians moving towards those goals? According to the most recent annual study done by the CDC’s National Center for Health Statistics, almost one in four doctors use partial or full electronic systems in their offices; that number is up 31 percent from the same survey done in 2001. (The study excludes radiology, anesthesiology and pathology.) These connected doctors recognize the benefits of an interoperable system of healthcare information sharing; when everyone is on the same electronic page, there is less probability of error. The Department of Health and Human Services has estimated that one of seven primary care visits is affected by missing medical information. And medical errors are caused by “M” words: miscommunication and missed communication between physicians, misinformation in the record, mishandling of information, mislabeled specimens, and misfiled or missing data.

Every form of record keeping has its pitfalls, but it seems absurd that in 2006 I would still be harping about installing digital systems.

Someday My Prince Will Come

I have been harping for years that the regulatory climate would change someday. It looks like that someday is upon us:

The new Congress is likely to include oversight of a health privacy law, known as Health Insurance Portability and Accountability Act, or HIPAA, in the House Energy and Commerce Committee, where the feisty John Dingel is expected to take over and ally himself with muckraking Democratic Reps. Ed Markey and Henry Waxman. They'll have plenty to work with, as there have been some 20,000 violations of the complicated statute, according to Swire.

HIPAA is not the only regulation that enforcement has been lax on. A new congress will probably not be so likely to look the other way. Of course, big non-compliant targets will be flashiest, but smaller non-compliant targets (like you and me!) will be easier game.

Don't be the warm-up for the main event. There are a couple of months before the new congress sits. Use that time to tune up your compliance. I really don't want to read about you in the trades as the horrifying example.

Say My Name

Every so often, I highlight another example of people using the handy HIPAA rules as an excuse or a scapegoat for some ridiculous or underhanded behavior. We have seen clinic managers cover up malfeasance, administrators use it to cover up lost records, and office managers use it to explain whatever rudeness they have perpetrated on some poor patient. This one is the biggest stretch I have seen:

With the introduction of the HIPAA rules, our government has set out to help us by protecting our privacy. Now, almost everyone is calling new customers or patients by a first name.

It seems that HIPAA is a tool of the dread conspiracy to call us all by our first names!

Happy Birthday To You

Not on the national holiday list, but still an important landmark:

Dignitaries from the computer security field took the stage at the Computer History Museum on Oct. 26 to commemorate the 30th anniversary of public key cryptography, wax historical about academic, governmental and commercial developments in security, and ponder the future. Panelists included persons such as Whitfield Diffie, a cryptography pioneer and chief security officer at Sun Microsystems; Notes creator Ray Ozzie, now Microsoft's chief software architect, and Brian Snow, retired director for the National Security Agency's Information Assurance Directorate. They touched on topics ranging from NSA obstacles and export regulations to decades-old research papers and the Clipper chip.

A Hunting We Will Go

Here is nice rundown of the various types of scams and preditors on the web, trying to steal your information, or the information you are caretaking for your patients.

The summaries are about halfway down the page.

Lookin' For Trouble

Disturbing numbers:

Fewer hospitals and healthcare facilities are fully complying with the law this year than in 2005, according to a recent survey by the American Health Information Management Association (AHIMA), a professional organization for health information executives. And more than one-quarter of U.S. security executives whose organizations need to be HIPAA-compliant admit that they are not, according to "The Global State of Information Security 2006," a study released last month by CIO and PricewaterhouseCoopers.

A Bad Case of Loving You

Here is an example of a guy with a ton of credentials in another field missing something entirely:

One particularly outrageous aspect of these cases is the way HIPAA's privacy provisions tie the hands of defense attorneys. We're only now finding out about these women's histories with other doctors because defense attorneys were prevented by HIPAA from knowing of or viewing their medical records, even when a man's freedom was at stake. The prosecution was free to make spurious claims to the jury -- claims they knew or should have known were inaccurate -- but the defense was barred from looking at the very medical records that would have rebutted many those spurious charges.

Of course, is the prosecution knew of potentially exculpatory evidence -- that is, their witnesses' dealings with other doctors -- and didn't disclose it to the defense, Ms. Buchanan's office might soon be forced to answer some difficult questions about prosecutorial misconduct.

Medical privacy is important, of course. But if the DEA is going to continue to go after these doctors with charges that hinge on the medical histories of some of their witnesses, defendant doctors ought to be able to peruse those histories for evidence that could help proove their innocence.

I read Balko occasionally, and several of my more conservative friends are big fans of his. In this case he misses the very important point that the HIPAA Privacy Rule allows for this very type of case. The problem had nothing to do with HIPAA. It was a failure of the prosecution during the discovery phase to disclose what they knew. HIPAA did not hamper the defense; a dishonest prosecution did.

Kansas City Star

From the Kansas City Star, here is another case of HIPAA as a convenient excuse. An EMT got permission to post photos of an accident from the victims as a traffic safty example. He was suspended for violating the HIPAA Privacy Rule. Except with permission, there was no violation.

In the district's letter to Drennan, obtained by the Kirksville Daily Express, district officials accuse Drennan of disclosing protected patient information, violating ethics rules regarding patient confidentiality and committing an act that brings discredit on the district and questions its safe operation.

While the letter doesn't spell out the protected information, Drennan said ambulance district Chief Jason Albert told him the suspension was linked to the photos and online comments.

Albert said the suspension was based on other factors besides the photos but wouldn't comment further, saying it is still an internal personnel matter.

Other factors. Indeed. Without the HIPAA violation, which apparently didn't occur, would they have been able to suspend him? HIPAA is just so danged convenient!

Resolve

From GCN:

“You could look at all the state laws in all jurisdictions that are involved and come up with so many potential conflicts that it would take you forever to resolve them,” Christensen said. “Are they actually getting in the way, or is it the way people interpret those laws, or are there other things that they are doing in the name of privacy and security that aren’t even based on law or regulations?”

HHS and AHIC's CCPSG (American Health Information Community’s Confidentiality, Privacy and Security Work Group) are working on a project to smooth out some of the inconsistancies in privacy and security. It will be interesting to see how this shakes out.

Save the Land

In the course of writing this blog, I read a lot of stuff from a lot of sources. Most of it is pretty dull stuff, but occasionally something pops out at me, like this from an otherwise routine piece on secondary heath information markets from CosumerAffairs.com:

Sales of medical data could also figure into new "consumer-driven health care" products such as Health Savings Accounts (HSA's), as at least one company has developed "medical credit scores" designed to parse the risk of borrowers looking for price comparisons on potential accounts.

The whole HSA thing has never seemed very practical to me, as it would only help those who were in a position to need an additional tax break. As a replacement for insurance it would simply not work for most of us. But if someone opts in to a program like that, intended so far as I can tell to reward individual responsibility, how is it right that companies are already looking for ways to "redline" customers. That they would be using a loophole to use your own PHI against you is doubly wrong.

Killing Me Softly

If you are struggling with compliance and you have users who use moblie devices, you need to read this from Computer World:

In general, however, Palma said there are three types of tangible security procedures that can bring mobile devices, and the data they carry, into compliance:

Authentication of devices and users.
Encryption of data.
The "remote kill." This enables IT personnel to remotely delete data on wireless devices such as smartphones once they are known to be missing. Such capabilities typically are provided by mobile device management software.
These broad elements are closely related to central management of mobile devices, another key aspect of mobile compliance efforts, Palma added.

"You need to centrally manage and push [changes] out to all types of devices and have a consistent approach because when it comes back to compliance, that's what you need," he said.

One of the solutions is to encrypt the entire device, not just individual files on it. "We encrypt the entire [device] one level below the operating system so if the machine is lost or the disk is stolen, it can't be read..." USB drives, PDAs, convergent devices, laptops. If you truly must have PHI on mobile devices, make it useless to unauthorized users.

If I Had a Hammer

From NaplesNews.com comes this quite good piece by Liz Freeman on a very interesting case going on right now in Florida:

The 1,100 Naples patients who were victims in the state's first federal privacy prosecution have little legal recourse, and Cleveland Clinic not likely to face fines

The indictment of a former Cleveland Clinic Florida employee for conspiracy to commit health care fraud with personal information of more than 1,100 Naples patients isn’t likely to bring a hammer of civil fines against the hospital by the federal government, which has yet to sanction a hospital or other health care entity for patient privacy breaches.

But the former hospital employee at Cleveland Clinic in Weston and her Naples cousin, who was her alleged co-conspirator, will be the first in South Florida to be prosecuted for violating the federal law protecting patients’ privacy rights and the third such case nationally, according to the U.S. Attorney’s Office in Miami.

Note the general cynicism when it comes to enforcement--- even the folks from HHS can't put enough lipstick on this pig. What started as a reasonable policy to allow providers to ease into compliance has become an excuse to not enforce. It won't last forever, and when the climate changes there will be some very unhappy folks in the docket.

As a side note, it looks to me as though Cleveland Clinic Florida, the provider in this case, did everything they should have, and seem both blameless and cooperative.

Here is a little more detail on this case from the Sun-Sentinal.

And here is the press release from the FBI.

Crank it Up

In the middle of a quite excellent and wonderfully ascerbic piece on storage solutions, Jon William Toigo, writing in Application Development Trends drops this tasty little description:

Acknowledging the risk that deleted data might be recovered using “under-data,” the U.S. Department of Defense has a project running with Georgia Tech Research Center to perfect a technique for absolutely ensuring data erasure from a hard disk in less than 5 seconds. Apparently, software based “data shredders” such as Norton WipeInfo don’t do an adequate job. Bad sectors of a hard disks that have been marked for exclusion from new data writes by disk electronics are ignored by the erasure process too. Since some valuable information might persist in these sectors, another approach, dubbed “Guard Dog” by developers, is being tried that leverages a 125-pound magnet and a hand crank to completely obliterate disk data in all sectors.

A 125-pound magnet and a hand crank? Man, I gotta get me one of those!

The rest of the article is well worth reading, too, by the way.

Poppa Don't Preach

I told you so.
With the publication of the final enforcement rule, many observers are saying that the era of lax enforcement is at an end. Among those who think so are the folks at Law.com and Jennifer Wilcox has written a fine and scary piece called "HIPAA Gets 'Teeth'"--- among her suggestions for avoiding trouble in the future are these quite excellent queries:

Training: Are new benefits employees trained on the requirements of HIPAA Privacy and Security? Do you keep records documenting the training programs run for such employees, such as having employees sign statements certifying they attended the training?
Use of PHI for Employment Purposes: Do you have an appropriate "firewall" between your health plan and other human resources functions? Particularly for companies with relatively small human resources/benefits staff, do your employees know about the prohibition on using information obtained or created by the health plan for other employment-related purposes?
E-mails: Are you careful about disclosing PHI in e-mails that travel over open networks, unencrypted? Do employees use common-sense precautions to limit the amount of PHI used in e-mails?
Information Security: Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?

There are several other questions in the full article that you should be asking yourself. It really does make sense to be ready for full enforcement, because it was inevitable that the day would come. It is so much better to be prepared, and compliant than to go through a scrambling panic remediation under the threat of federal attention. You are most of the way there now, and there is no reason for terror. Just spend a little effort and make sure that it is someone else held up as a cautionary tale on the six o'clock news.

Mr. Roboto

Interesting discussion in CXOToday.com about identity management:

Frost & Sullivan added that apart from aiding regulatory compliance and security issues, identity management would enhance operational efficiency of enterprises, reduce costs and also enable risk management. A high level service centric identity management solution will have features including automated audits, attestations, consistent access and provisioning, an ability to manage change automatically and full delegation.

As organizations open their networks for increasing numbers of employees, customers and partners, companies will face the challenge of providing accounts to multiple users with an appropriate level of access to applications and resources. Large enterprises then begin to demand comprehensive identity and access management solutions which can provide self-service to end users in a secure environment while addressing all aspects of user administration, authentication and access control, claimed the study.

As a commenter points out, identity management is just one step in protecting your information, but it is a very imortant one.

Wasting Away Again in Margaritaville

We live in the most interesting modern times--- did you know that there is an organization called The National Association for Information Destruction? I didn't until I read this excellent article in The Naples News:

Then his son introduced him to a magazine called Waste Age.
"I read an article that said Wayne Huizenga (owner of Miami Dolphins) had bought a document shredding business," Stevens said. "And I said, 'Gee if it's good enough for him, it's good enough for me.'"
So he started JM Stevens Services in Naples, which was one of the first on-site document shredding businesses in Collier and Lee counties. He did pretty good business, starting with about a dozen clients the first year and moving up to about 300 within seven years.
But it has been the last three years that Stevens' business has picked up.
"I added at least 200 or better clients in the last three years," Stevens said.
The reason for his client increase is recent federal laws designed to protect patient privacy rights, prevent identity thefts and preserve confidentiality of credit transactions. The laws increased the document handling requirements put on financial institutions that handle confidential information.

There is everything to like about this story--- small-town boy makes good, a new industry born of the need for privacy, and even a plug for keeping old data secure through destruction.

When You're a Jet

A little self-promotion here--- Comply With Me has been invited to join HITSphere.

The HITSphere is a network of premium weblogs that write content about the healthcare, medical, and clinical informatics and information technology (IT) industry. Combined, these sites reach a large readership of influential healthcare technology professionals.

Check them out here.

And I will be administrating the new HIPAA forum at CCCure.org, one of the top security websites around.

Welcome new visitors from both places!

Moment by Moment

Here is a nice little piece on web portals for patient information from ModernHealthCare.com --- you'll have to register, but it is fairly painless.

"Hospital staff says it helps avoid that `awkward HIPAA moment' when they have to stop and think about how much information they can share," says Tom Hills, vice president of market development for Chicago-based TLContact, which operates CarePages, a company offering patient-developed Web sites. Provisions of the federal Health Insurance Portability and Accountability Act of 1996 have made provider disclosure of patients' health status much more complicated.

Ann Converso, vice president of the United American Nurses union, acknowledged that these "HIPAA moments" do occur and said she welcomes anything that can help relieve this awkwardness. "I haven't heard it termed that way, but I like it," she says. "People call all the time and say `This is Joe Schmoe's first cousin. How's he doing?' But unless the person speaking is authorized to get (clinical) information, that's a HIPAA problem."

A couple of healthcare organizations in my area have implemented web portals with very good results. The usual caveats apply--- if you are ging to do this, great care must be taken with making it secure and user-friendly.

Drive my Car

From the Detroit News comes yet another example of the risks of treating PHI like the photos of your vacation, and allowing users to carry it around on portable devices:

It's ironic that while parents can't gain access to the medical records of college-age children still living under their roof, a laptop computer containing the medical histories of more than 28,000 Michigan residents was missing for days in Metro Detroit.

The laptop was assigned to a Beaumont Hospital home care nurse, and was stolen from her unlocked and running car when she stopped in Detroit for a restroom break. Fortunately, it has been recovered with the data apparently untapped.

The stupidity of the nurse is beyond belief. But even more unbelievable is that Beaumont or any other hospital would be so careless with the private medical records of its customers.

In the end, stupid stuff like this comes back to us. We must have systems in place that make it easy for the users to do their jobs, while at the same time make it difficult for them to drive around with thousands of records in the back seat of their car. The administrators failed in three places on this one. They failed to train the user correctly, they failed to put systems in place to limit the availablity of PHI, and they failed to secure the data itself.

And from the Detroit Free Press comes these additional details:

The security lapse, disclosed Tuesday by Beaumont officials in Troy, is not an isolated occurrence in these days of portable technology and information sharing, but it underscores the need for greater enforcement of laws intended to protect patients' privacy, advocates said.

Beaumont Hospital officials said the laptop, which contained Social Security numbers and medical information, was stolen earlier this month from the car of a home care nurse. They said the nurse broke hospital policy by leaving her access code and password with the computer.

There are a number of reasons why a user leaves their password written down--- poor training, too-complex passwords, simple idiocy. While the human capacity for the last seems infinite, it can many times be circumvented by proper application of the first, and avoidance of the second

Over and Over

Some great clarification to some confusion that some folks have about two-factor authentication from Michael Farnum:

In regards to the HIPAA security rule, it has been stated that §164.312(2)(i) only requires that each individual be given a unique username and password. This is not entirely true. §164.312(c)(2) states that the covered entity should "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed". Single-factor authentication, even a username and password combination, is considered to be inadequate by many security professionals to verify identity of an individual. In case of legality, the Federal Financial Institutions Examinations Counsel ("FFIEC") has recently concluded "single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions". Though this does not apply specifically to HIPAA, it does give a strong indication as to where all federal regulations are headed.

Simply said, requiring an easily remembered PIN number in addition to the RFID card adds virtually no complication or time to the login process, yet the security benefits are very high. It protects your patient data (your most valuable asset) and secures your network, and it would be a favorable layer of security in case of a HIPAA audit.

Thanks Michael!

All by Myself

My bold, below. More on that further down the page.
I am a big freedom of the press advocate. I think that the final bastion of liberty is the people's right to know what is going on with both their government and the world around them. However, this has to be balanced with the right of privacy of the individual. I am often amused by reporters framing of the awful HIPAA regs and how they prevent them from doing their job. I was a reporter, once, too. I sympathize. But there is no built-in coda to the first amendment that says that reporters should have automatic access to private information. Being a reporter is a tough job, and HIPAA makes it a little tougher. It is a trade.
Here is another episode of that ongoing saga:

Sen. Kirk Schuring, R-Jackson Township, said the public should have a right to know about criminal activity, even with the HIPAA laws.

“The HIPAA laws should apply to the mentally ill,” he said. “I think everyone understands that. But for those who are guilty of crimes against society, those records should be open to the public.”

It’s not the first time the Ohio Department of Mental Health has used the HIPAA laws to withhold information.

After the two “client” patients, Nathan Young and Damien Corley escaped in May, The Indepedent requested information on other felony “clients” being housed at Heartland to find out how dangerous they might be.

Corley was charged with aggravated murder, and Young was charged with felonious assault in two different cases.

Neither the personal at Heartland or Wentz were forthcoming with that information.

When The Independent asked for a list of clients, Heartland CEO Helen Stevens said HIPAA laws didn’t allow her to do that.

Back to the bold. I would have a little more trust in a reporter who spelled the name of his own paper correctly, an editorial staff who might catch that, and a typesetter who used the built-in spell checking that most software has. Just a thought.

In the Air Tonight

Okay, this is a quite amusing little tale from ComputerWorld:

The new HIPAA regulations have hit this small hospital with a vengeance, and it falls to the IT manager pilot fish to develop the necessary policies and protocols to stay compliant on the IT end.

"Among the many policies I had to develop in order to satisfy onerous government regulations was a computer access authorization policy," says fish. "It requires a department head to fill out an access modification form for any additions or changes in an employee's security access.

But I have a question. Why would it take "onerous government regulations" for you to realize that you needed an access authorization policy? Would you otherwise just let anybody see anything, or put the burden of authorization policies on managers with other duties to invent as they go along?

Your Money or Your Life

This is completely unacceptable:

Intracare is the publisher of a popular practice management system called Dr. Notes. When some doctors balked at a drastic increase in their annual software lease, they were cut off from accessing their own patients’ information.

This situation is completely unconscionable. There can be no truly open doctor-patient relationship when an unrelated third party is the de facto owner of and gatekeeper to all related data.

We do all we can to make users, providers and everyone in between more comfortable with technology, and then some idiot company throws it out the window by risking the lives of patients over a few bucks.

With or Without You

Great piece on basic security from Roger Grimes, at ComputerWorld:

The same thing happens in computer security. Some companies, like a law office I visited last week, don't have a clue. They are running a workgroup network full of Windows 95 computers with no log-ons, no anti-virus, no patches, and no firewall. Clearly a disaster already in progress.

But to be frank, that company and others like it aren't ready to listen to my spiel about all the current security risks and how I'm going to make their network perfect. It was all I could do to convince them that it would be nice if a law office holding lots of confidential client information required log-ons to get access to internal data and installed an Internet firewall.

And that's where Grimes' Hierarchy of Security Needs comes into play. Whenever I enter a company for the first time, I quickly try to measure its computer security maturity. Often I can do this in a few minutes. Mentally, I've classified them into five stages, much like Maslow's Hierarchy of Needs, based on their approach to security.

Grimes' Hierarchy of Security Needs. Wonder if someday college sophomores will snooze to its recitation?

There's a Kind of Hush

I just received, from a major training company, an offer for their latest product--- a computer-based training on security for end users. It seems reasonably priced, at a little less than 50 bucks per user---- which is much more than most companies are willing to spend on something like this, reasonable or not, at least until they have a major expensive data breach and then the perspective changes. But the money phrase was hidden in the littl clip below:

Business owners and IT departments beware: your users are the weakest link of your computer and information security plan. Show all your users this training, plus make it a part of new user orientation, and you'll see benefits and cost savings across the board...

...Every company with a computer needs this series. These 6 hours of training videos can be invaluable in strenghtening your security's weakest link.

Six hours? I can hardly get users to sit still for 15 minutes, once a quarter, and I am a pretty dynamic speaker. The whole point of training is to cause the trainee to, you know... learn something. Six butt-numbing hours of computer-based training for users who resent anything concerning that blinking box that interferes with their actual job is somehow a good idea?
Wow. Just wow.

Karma Police

I came to HIPAA as an IT guy, specifically in the security field. As any InfoSec guru will cheerfully tell you, all the high-tech gizmos and black-ops ultra-whiz code can do is protect you from the outside. There is no protection against yourself.
Dumpster-diving is a long honored and traditional form of gathering information. Any well-ordered penetration test will include a turn around the back and a quick peek under the plastic lid. One of the big frustrations for us all is the fact that no matter how mant times we repeat it, very few people seem to take this back-door approach very seriously.
Now, thanks to a clever news team, even the Office of Civil Rights, who has up to this point shown remarkable reluctance to actually, you know... protect any one's rights, has had their nose rubbed in the odiferous mess of idly tossed away PHI:

In Washington, D.C., officials at the Department of Health and Human Services have been "closely monitoring" the investigation, as well.
"I can tell you there are people in the highest levels of OCR who are watching these reports and are very interested in what they are seeing," said DHHS spokesman Patrick Hadley. OCR is the department's Office of Civil Rights, which investigates violations of the federal health privacy law known as HIPAA.
Last week, several local families filed HIPAA complaints with the OCR's regional office in Chicago after they learned their personal information was found in dumpsters during WTHR's pharmacy investigation. That clears the way for OCR to begin its own investigation, although the agency will not confirm whether that has happened.
"We take complaints very seriously," said Susan McAndrew, senior advisor for HIPAA privacy policy at the Department of Health and Human Services. "Just tossing out patient's personal information where anyone can access it is not taking reasonable precautions."

Though not much has been done to enforce HIPAA's requirements, if the situation is sufficiently blatant even our public servants have to take action.
Don't let this be you! Phamacists have the toughest row to hoe here, with daily exposure and need to use best professional judgement as to who gets information. Do the easy stuff. Walk over to aisle 7, office supplies and pick up that shredder. Shred everything. Get a locking can for used pill bottles, and empty it just before garbage pick-up into your locked dumpster.
See how easy it is to avoid your neighbors talking about seeing you on the six o'clock news?

Crash into Me

An update on the Ohio University data breach and what is being done--- after the horse has left the barn, of course:

The network still remains offline, pending the result of an audit to determine if the rebuilt network is compliant with the Health Insurance Portability and Accountability Act.
It is not known if the network prior to the breach adhered to HIPAA guidelines, because the U.S. Department of Health and Human Services, which enforces HIPAA compliance, has a policy against commenting on possible investigations.
When the system does come back online, Hudson will no longer store social security numbers with the student information, said Jackie Legg, Hudson business manager.
The Hudson breach, which was discovered May 4, compromised the Social Security numbers of all students enrolled since Fall Quarter 2001 and certain faculty and university employees.

A big part of the sloppiness seems to have resulted from higher-ups ignoring repeated requests from IT personel for help with an inadequate system. Now, instead of an ounce of prevention, the university will have to spend up to 5.5 million dollars on a cure.

Every Breath You Take

Here is some interesting commentary from a former insider in the insurance business who now has a private psychiatric practice:

"In practice, HIPAA has allowed the dissemination of our records of every illness, disorder, and condition for which an insurance claim has been filed," he said. Mr Schofield added that HIPAA has given managed care companies and underwriters, who receive no practical medical training, even more involvement in patients' lives.
Compounding the already complicated privacy standards are information services that can access sensitive medical and treatment records from secondary sources, which are actually disclosed and endorsed in the HIPAA statement providers are required to sign if they are participating in managed care compensation.
"If a company [human resources representative] can afford to subscribe to certain information services, they can find out almost everything that is on your insurance company's health care records," Mr Schofield said. "That's part of the reason why my wife and I both opted out of taking insurance from our patients.
"I don't want some young person to be refused a job five years down the road, because I recommended he seek psychiatric and possible medical treatment for depression or anxiety as a teenager," he said.

Along with supplying the world with a ready made pool of excuses, HIPAA has had the addded unintended consequence under the current, privacy-adverse political atmosphere of actually allowing easier access to some of the sort of things it was supposed to restrict. This will no doubt change with the regulatory climate but for many peoples' PHI the cat is already out of the bag.

Java Jive

It seems that every time I go to a coffee shop I see someone step away from their laptop. I guess I'm not the only one to notice this---- the bad guys see it too:

This month, the FBI and the Computer Security Institute (CSI) released the results of their most recent annual Computer Crime and Security Survey. And some of the findings should cause life science companies to re-examine their security procedures, software, and systems to make sure new threats are not hazardous to their organization's well being.
For instance, 47 percent of the 616 respondents said their organization had experienced laptop thefts within the last 12 months. This phenomenon is on the rise. For example, an April article in the San Francisco Chronicle noted that the number of laptops stolen in the city had nearly tripled from 2004 to last year and that thieves increasingly are staking out coffee shops to steal laptops when customers were distracted or stepped away from their table.

Boy, I am tired of reading about data theft that could be prevented with only the simplest safeguards. If you have to pee while tapping away at Starbucks, take your notebook with you. Or invest in a cheap cable lock. Or best of all, don't go tooling around with PHI or other sensitive data on your portable devices.

Slow Hand

Get on it!

Blue Cross and Blue Shield of North Carolina plans to make the required changes to its IT systems and business processes by September. However, the Durham-based company estimates that only 20% of the doctors and hospitals it works with have applied to the federal government and received their new ID numbers, according to Harry Reynolds, the insurer's vice president of information systems planning.

For many, adding the NPI number to records is pretty simple, but for others, modifing thousands of records is a very daunting task. Waiting until the last minute won't make it any smoother.

Wipe Out

Some great tips on using a data disposal service to wipe and destroy hardrives and other storage media, including this nice little summary:

The Pros & Cons Using a disposal service can keep your data safe and keep you from running afoul of local, state, and national laws meant to protect the environment. It can also provide you with audit logs if HIPAA or Sarbox regulators demand them. But, as with all things, there are cons. First are cons in the oldest sense of the word, fly-by-night outfits that don’t follow intricate laws to the letter or tell you they’ll drill holes through your hard drives when they really plan to resell them. What’s the antidote? First, of course, is careful research—never give old equipment to a firm you don’t trust. Second is a rock-solid contract. Your disposal service should spell out its process in detail.

As I have mentioned before, I have worked with a company that uses a DoD wiping software and keeps a small drillpress at the tech bench. Five quarter-inch holes makes data recovery pretty discouraging.

No News Today

Here is an interesting disclaimer at the head of a newspaper report on a clinic that does methadone treatment:

Editors note: Due to the federal Health Insurance Portability and Accountability Act, or HIPAA, medical service providers are prohibited from releasing information about a patient without the patient’s prior consent. The Southern Indiana Treatment Center and its parent company, CRC Health Group, were cooperative with The Evening News and The Tribune in identifying sources for this story, but due to the privacy rights of the clinic’s patients, the newspapers have no way to verify whether the patients quoted in this story are representative of the clinic’s patients at-large.

I am constantly amazed at how useful HIPAA has become. It truly answers all needs for obsfucation.

What a Wonderful World

I don't know much biology, but I do know that the data security problems of universities is completely out of hand. I didn't realize that 1/3 of all data loss comes from acedemia:

WAKEUP CALL. It can sometimes take an incident like this to jolt you out of the theoretical. I've been in the network security industry for nearly two decades and am familiar with the latest technology, trends, and what-have-you. But this time, it's hitting home. And certainly not just for UT alumni: Data thieves are helping themselves to personal data at schools across the nation, as the recent penetration of three Ohio University servers holding the SSNs of 137,000 people, attests.

The writer of the article calls for new regulation, but we know that regulation won't protect your data--- you have to do that.

Old and in the Way

From the Pittsburgh Tribune-Review comes this headline:

Privacy law delayed responders at home

Reading down, of course, we discover that it was some idiot's mis-reading of the law that led to the delay. TPO, people. TPO. The EMS folks needed the info--- HIPAA covers the situation quite well. There seems to be a whole class of folks determined to make something simple as much of a hassle as humanly possible.

Fame

Why is there such poor compliance? Perhaps poor enforcement is a cause:

David Kibbe, director of the American Academy of Family Physicians' Center for Health Information Technology, said the results of the survey didn't surprise him. Family physicians are doing what they can to comply with HIPAA given all the other things they have to do, he said, but the lack of government enforcement removes the urgency to comply."If you knew a security breach in your family medical practice was going to cost you $150,000, you might see more concern," Kibbe said. "But there has been so little enforcement and so little outreach on the part of the federal government that it has been difficult for family physicians and others in small and medium-size practices to take this seriously."

What are the numbers? The survey quoted in the article linked says "...74% of payer-respondents said they were in compliance (up from a January survey total of 30%) compared with 43% of provider-respondents (up from 18% in January)."

Why is this?

In fact, when asked to rank their biggest obstacles to HIPAA compliance, respondents placed "no public relations or branding problems anticipated with noncompliance" and "no anticipated legal consequences to noncompliance" at the top of the list.

Play that Funky Music

I talk a lot about the value of integrated systems. By making your fax talk to your server, and your records interface with your billing system, you can save a ton of steps and avoid stuff dropping through the cracks. The same is true of some sort of holistic medical record system:

Recently I was at a distinguished doctor’s office. This doctor – a very nice and knowledgeable person – described how there was no intersection between the records of his office and any other doctor’s office. A patient could visit a gynecologist, a cardiologist, an endocrinologist and a general practitioner, but there would be no systemic, holistic view of data. The gynecologist knows nothing about the patient from the standpoint of the cardiologist. The cardiologist knows nothing about the patient from the standpoint of the endocrinologist, and so forth. These specialists do not share data about their patients with other specialists. Period.
Some of this lack of sharing of data is because of HIPAA, but a lot of the lack of sharing of data would be occurring even if there never had been a HIPAA. The world of medicine is a world of chopped up, little systems where there is no interconnection from any point to any other point.
When asked about the fact that a patient – any patient – might want a truly holistic view of his/her health, the specialist simply said that there is no way to do that.
Perhaps the most disturbing aspect of the conversation was the fact that the specialist had no inclination whatsoever to create integrated data for the patient. There simply was no incentive – no motivation – to step outside of the silo.

It may well be that some variation of the Clinton-Frist bill will provide the driver for an integrated record system. Of course the potential for abuse is there, but the record systems we have are often abused. For all the funky goodness of distributed, fragmented and partial records like we have now, the time, effort and lives saved by an integrated system would most likely more than pay for its implimentation.

Candy Man

From Dark Reading comes an account of treachery, deceit, low-down dirty deeds and usb thumb-drives. What they did to test a company's awareness of social engineering was brilliantly devious. For a brief time one morning, it rained thumb-drives:

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

As always, your most vulnerable area is employee training, morale and supervision. Let's face it, users suck. But if you can just get them on your side a little, they will suck less.

Counting Sheep

Only 20% there, and a deadline looming:

Though it's not an imminent problem, the compliance deadline for adoption of the national provider identifier -- a numbering system required under the Health Insurance Portability and Accountability Act of 1996 -- is now less than a year away, and, given the enormity of the task, industry experts are warning it should already be on the "to do" lists of healthcare executives and technology professionals.

By law, all electronic transactions should be tagged with these discrete, government-generated provider numbers by May 23, 2007.

Not that difficult, and better done now.

Never Alone

Even if the guy didn't agree with me on several salient points, I would recommend this fine article from Application Development Trends:

Locking down the network can be especially tough for health-care organizations, with their typical mix of paper and electronic records, the need for long record retention, and the move to digital imaging. With the passage of the Health Insurance Portability and Accountability Act (HIPAA) security rule last April, protection of electronic records has been shoved to the forefront. (HIPAA's privacy rule has been in effect for several years, depending on the size of the organization.)

For a health-care organization such as Kettering, HIPAA is huge, with specific security and patient privacy stipulations. Thanks to the regulation, which Burritt loves, by the way, Kettering underwent a major overhaul of its security infrastructure earlier this year, selecting and installing a variety of Symantec products and services for intrusion prevention, policy compliance, and client security.

It can be done, it can be used to drive new and better ways to do things, and you can get your front-line workers onboard.

My Kind of Town

From WBBM Chicago:

Cook County Board President John Stroger's son says a federal statute protecting the privacy of medical records prevents him from talking about his father's condition.

Chicago 8th Ward alderman Todd Stroger told the "Chicago Sun-Times" the Health Insurance Portability and Accountability Act (HIPAA) means only John Stroger can talk about his health.

The "Sun-Times" reports the HIPAA law doesn't actually prohibit Stroger from talking about his dad's health, as long as he gets permission.John Stroger has not been seen in public nor has he conducted any interviews since suffering a stroke in March. He was back in the hospital last week.

A growing number of prominent politicians have been calling on Stroger's family to release more information on his condition. Several politicians, including Todd Stroger, have said they might like to replace John Stroger if he can't continue to serve or run in this fall's election.

Listen to the Rythym

It is good to know that someone who understands the issues concerning ePHI has the ear of the folks making the rules:

"Health IT creates the potential for breaches of health information privacy on a scale previously unimaginable,"Pyles said. "Once health information is disclosed electronically, it cannot be recovered."

And, as with most other kinds of data theft, it isn't always obvious that it has been disclosed. Privacy in the electronic records age has to be thought of in entirely new ways. At least these lawmakers are considering this, though the hope of them actually getting it right are probably slim.

Give It To Me One More Time

Another piece on the consequences of failure to enforce:

Another major flaw in HIPAA was revealed in 2005 after HHS referred several hundred privacy cases to the Justice Department, which responded with the opinion that HIPAA’s criminal statute does not apply to individuals — even those responsible for reprehensible acts. By that standard, employees of covered entities who choose to sell personal medical information or even hackers who break into databases and steal health records are not in violation of the law.
Even before that opinion, HHS’ ability to punish violators of HIPAA rules was suspect. In the three years since Congress approved HHS’ final recommendations on privacy, the department has received about 18,000 complaints of HIPAA violations. To date, only two have been prosecuted. “Basically, with the way things are right now, you have the right to whine to a federal agency,” said Dr. Deborah Peel, a Texas psychiatrist and chairwoman of the Patient Privacy Rights Foundation. “It’s not exactly the most useful way to enforce problems.”
And in fact, it could have potentially destructive consequences for health information privacy. “The level of interest and attention and fear-driven compliance have gone down significantly in the last year,” Braithwaite said. “If there’s a complaint to HHS, people are now recognizing that all they have to do is respond and say, ‘Okay, we’ll fix that,’ and the problem goes away.”

This is a great roundup of arguments and issues.

Back to Ohio

More stories the growing awareness of the poor enforcement of HIPAA.

First this one from Ohio:

(Columbus Dispatch (Ohio) (KRT) Via Thomson Dialog NewsEdge) Jun. 11--The big board in the intensive-care unit at Mount Carmel West hospital, where Daniel Lynch spent four months last year, listed his name, room number, doctor and when he last had a bath.

Wives of other patients approached his wife, Eileen, and told her that their husbands shared the same doctor and the same pulmonary illness."I was like, 'Who are you? Go away,' " Mrs. Lynch said. "My husband was dying."She complained to nurses and supervisors, saying that the board violated the privacy portion of the federal Health Insurance Portability and Accountability Act, HIPAA for short.

"I refer to it as the HIPAA violation board," Lynch said.

Lynch did not complain to the Feds.

And yet another story, this time an editorial from the same state:

When met with a clear violation, the HHS's Office of Civil Rights encourages "voluntary compliance." So instead of getting a fine or some other tough penalty, violators are told to right their wrongs. So what's the point of the law? Why make patients sign the forms if violators are not penalized? That makes the law meaningless.The lax approach leaves nothing to compel the health-care profession to comply. Not surprisingly, insurance companies, hospitals, and doctors like the emphasis on voluntary compliance. That means they don't have to worry about $100 fines for each civil violation of the law, or having the Justice Department seek up to $250,000 in fines and 10 years in jail for criminal violations.This cannot continue. The Department of Health and Human Services must enforce HIPAA. Once the federal agency begins to do its job and clamp down on violators, others in health care will get the message and comply. The sad truth is that HHS should have been doing so all along.

As a famous blogger often says, indeed.

I'm So Miserable Without You, It's Like Having You Here

You just knew that this was going to happen:

A coalition of consumer privacy groups in the health care industry is asking the U.S. Department of Health and Human Services (DHHS) to conduct a HIPAA compliance review of the Department of Veterans Affairs after a massive security breach was disclosed last week.
In a letter sent Wednesday to Health and Human Services Secretary Mike Leavitt, 30 privacy groups belonging to the Consumer Coalition for Health Privacy expressed their concerns about the recent theft of personal data at the VA (see "Personal data on millions of U.S. veterans stolen").
The data, which included names, Social Security numbers and addresses belonging to 26.5 million veterans, also included protected health information such as medical diagnostic codes and disability ratings. The data was included in a laptop and disks that were stolen May 3 during a burglary at the home of a VA analyst who had improperly taken the data from the office.
The incident raises serious questions about the "nature and the extent" of violations by the VA of the security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the letter said.

For the longest time I have talked about the Big Example that will drive compliance. This may be it.

The Sound of Your Voice

An interesting question posed by Joanie Wexler in Network World:

At the Interop trade show last month, I chatted with a medical facility that used wireless LANs but had chosen not to deploy Vocera’s popular voice “badges” for conducting phone calls across the WLAN.

The primary reason? The company was unsure about compliance with the Health Insurance Portability Accountability Act (HIPAA).

Use of Vocera badges for voice communications has become common in many healthcare facilities, where highly mobile medical personnel are suddenly needed to handle emergencies. The badges, which operate like little mobile speakerphones that can be handily clipped to a garment or worn on a lanyard, help reduce wasted time caused by paging delays, phone tag and voicemail. Still, the IT administrator’s concern was understandable: private patient information might be overheard by anyone within earshot of the devices.

This should be an addressable issue, and as the writer points out, primarily a training one.

Mr. Postman

It isn't every day that the Postal Service offers something for nothing, but this series is free, and they even cover the postage.
http://www.usps.com/postalinspectors/dvdorder.htm

Order one of these free, fraud-prevention DVDs from the U.S. Postal Inspection Service by following the link above to the Postal Store, or by calling toll-free 1-800-STAMP-24 (1-800-782-6724). All DVDs feature a Spanish-language option.

All the King's Men: Picking Up the PiecesFraud schemes victimize millions of Americans each year, leaving many financially devastated. There are laws to protect victims and services and support available to them. The U.S. Postal Inspection Service urges victims to learn more about their rights and services by ordering our free DVD. Remember, being a victim of a crime is nothing to be ashamed of. And neither is seeking help to recover from it.

Nowhere to Run: Cross-Border Fraud The Internet and international phone calls make it easy for fraudsters to work from anywhere in the world. This film illustrates how U.S. Postal Inspectors created task forces with Canadian law enforcement partners to stop "long distance" scams.

Web of Deceit: Internet FraudInternet scams are like old wine in new bottles. Telemarketing and mail fraud scams are now coming to you from cyberspace. This DVD tells the story of a scammer who uses the Internet to victimize unsuspecting consumers around the world until he gets caught in his own web of deceit. The DVD also provides tips on what to watch out for when you do business on the Internet.

Long Shot: Foreign Lottery ScamsIt's illegal to play foreign lotteries in the United States. But another reason not to play is that you are almost guaranteed to lose. And once you play, you can count on receiving more "chances" to play and lose. This free DVD tells the story of a foreign lottery fraud victim and the con artist behind the scam. Produced by High Noon Film and presented by the U.S. Postal Inspection Service, it also provides tips on helping you avoid becoming a victim of this scam.

Work-at-Home Scams: They Just Don't PayWorking at home has become attractive to many stay-at-home moms, college students, and retirees. While some jobs are legitimate, others just don't deliver on their promises. This free, short film tells the story of a new type of work-at-home scam and how a young mother gets caught up in it. It also provides tips on how you can avoid being duped by criminals and what to do if you've been victimized. This High Noon Film is presented by the U.S. Postal Inspection Service.

Identity Crisis: Protect Your IdentityIdentity fraud is the fastest-growing crime in America. With millions of victims and losses in the billions of dollars, it continues to be one of consumers' biggest fears. This free DVD tells the story of a couple whose credit is ruined and of the criminals who defrauded them. The DVD by High Noon Film, presented by the U.S. Postal Inspection Service, also provides tips on how to protect yourself against identity fraud -- and what to do if you become a victim.

Delivering Justice: Dialing for DollarsTelemarketing fraud costs Americans millions of dollars each year. And when it comes to phony investment "opportunities," older Americans are prime targets. This free, 15-minute DVD tells the story of such a scam and the lives that are ruined by criminals. The film provides tips on how to protect yourself from investment fraud and tells you what to do if you've been victimized. "Dialing for Dollars" is a High Noon film presented by the U.S. Postal Inspection Service

Nothin' from Nothin'

Here it is. The Washington Post story that everyone is talking about, and a ton of reactions from different sources. First the story:

A total of 19,420 grievances have been lodged, the most common allegations including that personal medical details were wrongly revealed. The Bush administration has not imposed a single civil fine and has prosecuted just two criminal cases, one of them in Texas.

And here are a few of the reactions:

From KaiserNetwork

Chris Apgar, president of Oregon health care industry consultant Apgar & Associates, said providers "are saying, 'HHS really isn't doing anything, so why should I worry?'" Privacy advocates say the need to enforce HIPAA will increase if or when the federal government is successful in its effort to implement a system of electronic health records.

From the comments at Slashdot

I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damaged. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.

From UPI

Privacy advocates and some health industry analysts say the administration's decision not to enforce the law more aggressively has failed to safeguard sensitive medical records and made providers and insurers complacent about complying...

The Slashdotters seem to have the most to say about this. This is timely, of course, with several other privacy issues on the map right now. It is not really news, though, because the HIPAA cops have a built-in excuse--- many parts of compliance are discretionary, and while in general it is nice that the primary thrust has been to help with compliance rather than penalize providers, there are egregious offenders out there who should be fined or prosecuted. That HHS has only found less than a handful means that they are probably not trying all that hard. Wink-wink nudge-nudge enforcement means that the clowns who don't give a damn about handling sensitive information are reinforced in their bad behavior, and the rest of us who are trying to behave in ethical ways are given nothing in return for our efforts.
I truly understand that the current political climate is not very regulatory enforcement friendly, but you would think that there are some things that everyone, regardless of where they hit on the political spectrum, would like to keep to themselves. Personal health information should be near the top of the list. But perhaps, if our PHI is kept private, the terrorists win. That certainly has been the excuse for every other recent erosion of privacy--- it has worked so well everywhere else, why not here?

I Fought the Law

Oh come on now! Aren't we past this?

Martinez was admitted to University Hospital. Investigators learned through other sources he was there. But when detectives went to the hospital, "hospital staff refused to disclose any information about the defendant, including his presence or absence at the hospital," the affidavit stated.
Martinez was released from the hospital without authorities being notified as they had requested, the affidavit stated.
On Monday, deputies learned Martinez was staying with his mother and called her, notifying her of the arrest warrant and telling her to have her son turn himself in. Instead, Martinez checked into Uni.
Again, federal privacy laws prohibited the hospital from confirming to police whether Martinez was present, even when detectives arrived at the front door with an arrest warrant.

Warrant! Warrant warrant warrant! WARRANT!!!
How hard is it to understand that HIPAA is to protect patient healthcare information privacy, not to provide an excuse to be uncooperative to law enforcement?

Hospitals should be allowed to give basic information to police, according to Salt Lake Deputy District Attorney Kent Morgan. A couple of years ago, Morgan wrote a letter to clarify HIPAA rules and how they pertain to law enforcement.
"A health-care provider can disclose limited information in response to law enforcement's request to identify or locate a suspect," he stated.
Morgan reaffirmed his statement Thursday.
"HIPAA was never designed to hide suspects or to obstruct from police investigations. Rather it was designed to protect the privacy of individuals' records who are receiving medical care," he said.

Indeed.

Drive My Car

Here is a guy who is concerned with his privacy to such an extent that he completely misses the point:

Furthermore, the information is subject to the Health Insurance Portability and Accountability Act (HIPAA), meaning it carries the same level of protection as the medical information in the file and must be disposed of under federal guidelines, Scionti said.
If a patient refuses to provide a license or photo identification is not available, a note is placed in the file, but "we never deny treatment because they do not provide identification," he said.

It might be important for reasons that have not a thing to do with privacy or PHI to make sure that they are treating the right person. In IT we call these kind of people "tree counters" as in not just unable to see the forest, but needing an exact enumeration of the trees therein.

The Merry-go-round Broke Down

You want patients to trust you with your information? Then you better start building some credibility. And a great place to start would be with someone, sometime, somewhere taking responsibility for something.

Veterans Affairs Secretary Jim Nicholson said Thursday he is striving to find out why it took his agency two weeks to reveal the theft of personal data from 26.5 million veterans, telling Congress he is "mad as hell" that he wasn’t told right away...

Sen. Patrick Leahy, D-Vt., said Bush should call Nicholson "into the woodshed" and consider changing the department’s leadership, particularly after the agency waited until May 22 to inform the public about the May 3 theft.

"Instead of promptly notifying millions of veterans that their personal data was irresponsibly handled and then stolen, VA officials held their breath and crossed their fingers for nearly three weeks," Leahy said.

In a statement, Nicholson said he was outraged by his agency’s decision to keep the theft quiet for so long. He said he had asked the agency’s inspector general to determine who knew what and when.

Please, just secure your data. Use that energy to avoid having to point fingers and make up excuses.

Just Leave me Alone

As I mentioned below, the privacy provisions have been weakened considerably, chiefly by the 2003 amendment. This poor decsion is starting to affect nearly every aspect of compliance, and making public acceptance of any sort of unified EHR system problematic. From the Federal Times:

It’s not the technology that has privacy experts like Peel most concerned, however. What troubles her is the loophole in existing law that gives thousands of companies — including self-insured employers, drug companies, banks and marketing firms — legitimate access to patients’ medical records without their knowledge.
A 2003 amendment to the Health Insurance Portability and Accountability Act (HIPAA), which Congress passed in 1996 to ensure medical records could not be given out without a patient’s consent, carved out an exemption for companies who use the records for health-related business activities, such as processing claims or managing benefits.
The exemption is so broad, and enforcement of violations is so lax, that virtually anyone can access your records, Peel said.
“Across the nation, the public is just beginning to wake up to this because they haven’t been told it’s a problem,” Peel said. “Over 600,000 covered entities can see and use your medical records without your objection, and you have no recourse. I don’t know how you can call that privacy.”

Indeed.

Blowing in the Wind

One of the best things about HIPAA is that more stringent state laws trump its provisions. But now comes the proposed HR 4157, which would give HHS the authority to establish a national privacy standard that would preempt state laws. This article in Psychiatric Times by Stephen Barlas explains why that might not be such a good idea:

Pyles said his group and other psychiatric and mental health organizations that are members of the Mental Health Liaison Group oppose legislation that would allow the HHS Secretary to set a privacy standard that would override all state laws—especially a secretary in the Bush administration, which, according to Pyles, "has not been a privacy friendly administration." He added, "It is almost a sure thing that the secretary would recommend preemption of state law."

HIPAA's privacy provisions have already been weakened considerably. State laws often provide the only real protection available. And by making the rules flexible to the whims of whoever is in office and the political climate of the moment cannot make compliance any easier.

Talking in my Sleep

Just ran across this:

Just as HIPAA can mean Hiding Involving Privacy As Alibi, we're beginning to hear the vague explanations for the lack of a deliverable being attributable to complying with SOX - "Yeah, your food order for that breakfast meeting didn't go through because there was a SOX issue with upper management signatures down at the deli." (I won't try to come up with something cute for which SOX could be an acronym like I did with HIPAA - the X throws me every time.)

Yep. HIPAA can be a pretty darn convenient alibi.

Bad Attitude

A poster on NetWorkWorld finds himself in this quandry:

I'm the Security Official for a covered healthcare component of a State agency which declared itself a hybrid entity.
Our covered component agency reports directly to a branch of the hybrid entity which was NOT included on the hybrid's list of covered components. We share PHI with them, and with several other non-covered components of the hybrid, and are required to do so. We have been told that these non-covered components are "Internal" Business Associates, and as such, they must obey the hybrid's privacy and security policies, but that they do not have to comply with HIPAA BA requirements, such as reporting security incidents to us. Furthermore, they decided that it was too difficult a task to determine which of their workgroups served a function which required that we share PHI with them, and they declared their entire office staff (several hundred) to be "internal" BAs. This seems to leave us unable to comply with the HIPAA BA requirements. I can find no reference in the law to "Internal" BAs. Upon complaining to the non-covered component we report to, we are told that we are wrong (but not why), but that since only the hybrid can be punished by HIPAA enforcement (not the covered components of the hybrid), we should stop worrying.

"Internal" BAs are a made-up distiction. Someone is just too lazy, confused, or defiant to sort through compliance. If there is a compliance board or officer at the state level, he should talk to them about straightening this out. While his personal exposure is limited, the exposure of his component agency is extreme. They are wrong, and from the response he is getting it looks like they know they are wrong.

That's What I'm Talking About

From Annals of Internal Medicine comes this in-depth look at informed consent. What stood out for me was this paragraph:

In a recent survey of 100 top medical centers and 11 independent institutional review boards, researchers discovered that the authorization language used to satisfy the Privacy Rule has a median length of 744 words and is written at a median 12th-grade reading level (7). This wording is well above the eighth-grade reading level mandated by many institutional review boards (8) and the literacy level of most U.S. citizens (9). This complex language also seems inconsistent with the Privacy Rule's requirement that authorizations be written in "plain language." In another survey of investigators and institutional review board personnel, researchers found that the addition of extensive language to satisfy the Privacy Rule's authorization requirements often confuses research participants, burdens the informed consent process, and undermines recruitment (10).

Why, oh why do we insist on making the process so danged opaque? The KISS rule should be tattooed on the forehead of every person who is in charge of anything that comes into contact with the public or even general front-line users. Make things difficult to understand, and folks will just opt out.

Hard Days Night

You know, just reformatting your old hard drives before you send them off to salvage is really just not enough:

According to a November 2005 Gartner Inc. survey, nearly 80% of companies said that "managing data security and privacy risks' were very important or most important when disposing of obsolete hardware." Yet 30% admitted they had no policy for ensuring the security of used equipment.
Frances O'Brien, research vice president at Stamford, Conn.-based Gartner, said that despite the increased concern, there is still a vast amount of used hardware out there with recoverable corporate data on it. She points to a 2003 study conducted by Massachusetts Institute of Technology students on 158 disk drives bought from auction sites, PC retailers and salvage companies. It found that 74% of the drives contained recoverable data -- including company financials, credit card numbers, medical records, sensitive e-mails and pornography.

One company that I have worked with has a small drill press in the IT department--- a quick, inexpensive shredder program followed by six 1/4 inch holes pretty much does the trick.

Trust Your Mechanic

A fascinating multi-part interview with Dr. William Yasnoff on health records and patient control:

What I'm proposing is patient-centric in the sense that the proposal, which is called an eHealthTrust, involves the establishment of a lifetime health record for each person that is paid for and controlled by the person. They decide who has access to which parts when, and no one else decides that.

How can this be implemented? Through HIPAA, of course, which on the surface seems like just another way to make layers of busy-work, but as you drill down and see what he has to say, really makes a lot of sense.

A Plan for U

Great HIPAA article by Ross Armstrong in ComputerWorld written from a record-handling and storage POV:

Securing access to stored information — as well as ensuring data availability — puts considerable pressure on health care IT to conform to HIPAA requirements. It also presents an opportunity to establish best practices that will serve the organization for years to come.

While compliance is usually a cost center, it still can be combined with practices and procedures that can save your organization money in the long run by streamlining operations and by mandating such things as a Disaster Recovery Plan.

Everybody Plays the Game

You know, you just can't make up stuff like this:

The 2006 General Accounting Office (GAO) Report has focused on the Department of Health and Human Services (HHS) and claims there are “significant” weaknesses in their information systems, making it vulnerable to hackers and identity thieves.

Requested by Sen. Charles Grassley (R-Iowa), the 46-page report found instances of anti-virus software not installed or up to date; employees hired without proper background checks; computer passwords that are not properly updated or controlled; and a lack of physical controls such as security cameras that do not work.

It isn't even a case of who will watch the watchmen--- this has a Salavador Dali painting edge to it.

*thanks for the tip, Lisa

Don't Bogart That Joint, My Friend

Sometimes I love opening my email:

A Palm Desert medical marijuana dispensary is being required to turn clients' names over to authorities, and client advocates say that violates their privacy rights.
Palm Desert city attorney David Erwin said the deal between the city and the CannaHelp dispensary on El Paseo, is merely meant to ensure that the dispensary is obeying state law.
The agreement, negotiated by Erwin and James Warner of San Diego, a lawyer for the CannaHelp dispensary, requires the dispensary to turn over clients' names and state ID card numbers to the Riverside County Sheriff's Department.

See, the sheriff's department wants all of the clinic's patient names. Because they most likely would like to find out who is smoking pot. And I imagine they want this for both the reasons they state, and becuase they would like to know who to bust next time the spinner stops on "Medical Marijauna= Illegal" --- needless to say, the users are a little shy about this.

This is one of the subjects I wish it was possible to discuss rationally. As a privacy issue, I would have to say that if it is being dispensed as medicine, and by a doctor's perscription, then it should be covered under HIPAA. If the clinic does not qualify as a provider, then the physician should extend to them a BA agreement, as PHI is used to determine if a patient qualifies and the amount to be dispensed.

Give It to Me One More Time

This is alarming:

The association surveyed 1,117 hospitals and health systems, asking officials at the facilities about compliance with Health Insurance Portability and Accountability Act (HIPAA) rules. Although 91 percent said in 2005 that they were mostly compliant, that number dropped to 85 percent this year.
“A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted,” AHIMA President Jill Callahan Dennis said in a written statement.

Clearly, as the article states, for most facilities the security rule is easier to implement, simply because so many of its initiatives don't rely on human interaction. And that security rule compliance has risen dramatically is probably the result of it being implemented by technical people, who are far less likely to see it as something that interferes with their primary function, unlike front-line caregivers who are interested in providing care and not so interested in extra rules that feel like they interfere with that.
Still, the fact that privacy rule compliance has fallen is not a good sign. Sooner or later, someone is going to get caught big-time, and it ain't gonna be pretty. Please do what you can to make sure it isn't you.

Feelin' Alright

Here is the right way to implement a new program:

"When I came to Children's in 2001, I brought the philosophy that if we do things right, then issues like [the Health Insurance Portability and Accountability Act] will take care of themselves," says Albert Oriol, IS program office director and data security officer at The Children's Hospital in Denver, an integrated health delivery system affiliated with the University of Colorado. His philosophy has paid dividends, including cost savings by enabling the hospital to combine disaster recovery and fail-over and simplify its upcoming move to a new state-of-the-art facility seven miles away.

Compliance does not need to be separate, incredibly painful process.

Doctor, Doctor, Give Me the News

Here is a stunning example of how not to implement a program:

Today, more than a year later, it's fair to say that the Maine Medicaid Claims System project has been a disaster of major proportions. Since the new system went live, it has cost the state of Maine close to $30 million. The fallout has been broad and deep. In December 2005, Jack Nicholas, the commissioner of the DHS who oversaw the project, resigned.

As of press time, Maine is the only state in the union not in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—a striking irony given that the new system was designed to facilitate that compliance. Although federal authorities have said they will work with the state in extending the deadline, the failure has been a black eye on Maine's ability to manage the health of hundreds of thousands of its residents. And it has become an issue in this year's race for governor.

As always, there are lessons to be learned from the failure of others--- we can add to the standard "...classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when death is on the line!", this new one: if you only get two bids for your new end-to-end system, and they are radically different, maybe you have conceptual issues to iron out before you proceed.