Song Sung Blue

Why is it almost always someone famous that sparks these audits? Remember a short while ago when a number of staff were fired or suspended for peeking at Bill Clinton's records? I know it it human nature to be curious about someone who is famous, but celebrities generally are considered to have given up some of their right to privacy, not earned the right to extra enforcement:

Buffalo, NY (WBEN) - In the wake of extensive publicity over Buffalo Bill Kevin Everett's on-field spinal injury, Kaleida Health has disciplined an employee after investigating possible violation of the federal health care privacy rules, known as HIPAA.

HIPAA (The Health Insurance Portability and Accountability Act of 1996) includes several privacy regulations that severely restrict who can access patient medical records.

The routine compliance audit found no violation of the federal rules that regulate access to medical records, but did uncover enough of an issue to have one employee suspended, according to sources.

Good for the hospital, but it shouldn't take a special case to remind folks about compliance.

The Boys are Back in Town

Some of you may have noticed that I haven't been updating as often as I used to. Well I've been pretty busy. My wife ran for office, and I also took a little time and wrote this:

$13.99

That's right, I wrote a novel, you can buy it, and it is getting great reviews. Check it out--- it is about a woman in bronze age Mesopotamia who takes people out into the desert and feeds them to a monster. Its got blood, sword fights, betrayal, sorcery and death. You know, a love story.

Girl in the Mirror

This looks like it could have been written by me--- a sweet little rundown of Golden Hippo contenders for worst misuse of HIPAA, by Shanna Flowers of the Roanoke Times. Her centerpiece is this:

The latest example is William Byrd High School, where officials this week told an auditorium full of hysterical parents to stand down because there isn't a problem, but golly, if there is, they can't tell you all the facts. Just trust them -- they're doing everything they can.

Kids are sick, but we can't tell you the symtoms, and it isn't serious, but we can't tell you what it is, and its not contagious, but we can't tell you who it is.
Sheesh!

Doctor My Eyes

Workplace Wellness programs are starting to look very attractive to many companies that are faced with impossible rises in the cost of benefits. Implementing a stop smoking plan, or providing incentivess for workers to live healthier can increase production, reduce sick days, and help to cut the overall healthcare costs of campany. But there are regulatory pitfalls that many don't understand, and find intimidating.
Here is a quick rundown from The Metropolitan Corporate Council on the steps employers need to take before embarking on such a program.

Nonetheless, employers contemplating a workplace wellness program are well advised to consider that conditioning a reduction in health care costs on satisfying a health-related goal, such as actual smoking cessation or meeting a certain cholesterol level, may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Nondiscrimination Rules and/or federal and state discrimination statutes. In addition, regardless of the structure contemplated, employers should consider requirements for wellness programs that may arise under the HIPAA Privacy Rule (45 C.F.R. 160,164).

Yeah, its a little on the dry side, but the information is well presented and worth knowing.

Call The Ambulance

That HIPAA thingy cuts both ways...

Jaramillo said he plans to sue the city as an entity, and the mayor and councilors individually on grounds violating the Health Insurance Portability and Accountability Act by divulging unpaid ambulance bills, infringing upon his freedom of speech and retaliation for whistleblowing...

Documentation shows Jaramillo divulged his ambulance bills himself at a council meeting, Bhasker said.

Self-immolation is one thing, but flaming out like this is amazing. I think he had better get a new lawyer, because from the looks of things, his current one is not serving him very well.

Stupid Cupid

Now here is a classic hunka hunka burnin' stupid:

NORTH BERGEN -- More than two dozen Palisades Medical Center employees have been suspended for violating Oscar winner George Clooney's patient privacy rights after a motorcycle accident in Weehawken last month, hospital officials said.


A hospital spokesman would not detail the alleged infractions that led to the monthlong suspensions of 27 workers. But a spokeswoman for the union that represents some of the suspended employees said the violations ranged from workers who accessed Clooney's health records to others who went into his room to shake his hand.

The suspended workers acted "inappropriately" in accordance with federal patient confidentiality regulations, spokesman Eurice Rojas said.

"They were suspended for a range of things," Rojas said on Tuesday. "Only direct caregivers should be accessing a patient's file or chart."

I have no sympathy for front line workers who, at this late date think that it okay to oogle someone's health info just because they are famous. I would also fire the person responsible for their training.

Open Season On My Heart

It is the HIPAA excuse season, and boy howdy are they thick on the ground:

ATLANTIC CITY - Federal health law experts said health privacy laws are confusing, but should not keep city officials from revealing where the resort's mayor is.
Mayor Bob Levy's last official duty came last Wednesday, when he signed seven ordinances into law. Since then he, and his black city-issued Dodge Durango, have apparently vanished.

His attorney and city officials have said since Thursday he was in an undisclosed hospital receiving unspecified treatment. In the meantime, Business Administrator Domenic Cappella has served as acting mayor.

With Levy's absence, the city has been beset by rumors of imminent resignations tied to an ongoing federal investigation into his military record. City Council members have said they believe Levy has abandoned his post and have sought state help replacing him.

Adding to the problem is that top city officials say they know where he is, but providing more information would run afoul of the 1996 federal Health Insurance Portability and Accountability Act, commonly called HIPAA.

Under Federal investigations? Hide, say you are sick, and claim HIPAA rules prevent anyone from finding out where you are! This one has Golden Hippo written all over it!

How We Operate

Here is an excellent run-down on setting up secure passwords from fellow CISSP and IT security blogger Joel Dubin:

At the heart of compliance is access management and authentication. And at the heart of authentication are user IDs and passwords. Despite their many weaknesses and the availability of multifactor authentication technologies, the venerable user ID and password combo remains the centerpiece of access to many corporate systems.
Rather than tearing up network plumbing for new-fangled devices, like one-time password (OTP) tokens and smart cards, many companies have opted to strengthen their existing password systems to keep compliant with audit and compliance regulations and standards, including Sarbanes-Oxley, HIPAA, FFIEC and PCI DSS.

It doesn't have to be a big deal, and you don't have to spend a ton of money. Just spend a little time in training and reminding users of how it is done.

Take That & Party

Damn skippy!

"Attorney General Van Hollen's well-researched legal opinion provides a valuable public service by clearing up confusion and explaining that federal HIPAA law does not enable local and state government officials to keep records secret if they should otherwise be open," Stanley said.

"In this case, a local fire department had refused to provide information about a public employee who crashed his truck into a sign and was arrested for drunk driving. The taxpayers who pay for his salary, for the truck he was driving and for the auto and liability insurance - as well as the people who live in the neighborhoods he was driving drunk through - deserve to know that information."

Like every other abused law, HIPAA has a special place in the heart of public officials who are less than fond of the public spotlight. HIPAA is not a shield law for cronies and incompetence, it is to protect individuals rights of privacy. Take that, public servant!

They're Red Hot

Somedays the stupid burns so hotly you can warm your attic with it:

"You can't look at your own records or any family member records unless there is a clinical need to do so," Braccino said. "If you are doing so just because they are there and you have a private interest, you are violating HIPAA regulations and patient confidentiality."

Trustee Shelbie Bershinsky said many of the employees probably looked at their own medical records with harmless intent.

"I've been in health care 19 years and I, until today, I didn't think there was anything wrong with me looking at my records," she said. "I now know that I shouldn't do that."

Hospital compliance officer Dean Jessup said HIPPA regulations, including the prohibition against viewing one's own medical records, are posted at each of the hospital's time clocks.

Your medical records are yours. There is no provision in HIPAA preventing you in any way from viewing your own PHI. None. There may very well be a regulation in that facility's HIPAA compliance policy against it, but it is nowhere to be found in the Act itself.

Insecurity Alert

Headlines like this scare me:

These Notebook PCs Aren't A Security Risk

Nope. Even though they carry no data, there is no such thing. This particular item is a wireless thin client, and though they don't carry any data, they connect through wireless networks! What part of wireless network goes with "Aren't a Security Risk?"

Whisper in Blindness

More and more I am starting to believe that email is the biggest blind spot in most systems:

One slip-up can become a whopper. For example, a Palm Beach County, Fla., health department statistician and epidemiologist mistakenly attached a list containing more than 6,000 names of HIV/AIDS patients to an e-mail in 2005. The message was sent to 800 of the department's 900 employees.

It is so easy to hit send without giving any thought, and that is just the most likely innocent breach. Most people have web-based email accounts like Hotmail, GMail, or Yahoo Mail. Because these are web-based, it is nearly impossible to control what goes out via them. One alternative, of course, is to block access to these webmail providers, but there are so many and users are so clever at circumventing blocks and safeguards that it is almost impossible to make this bulletproof. Training is a solution, of course, but not a cure, because if your users are careless or malicious they will ignore you.

Anatomy of Your Enemy

See? Its not just me:

Apgar noted that while there are technological solutions that claim to harden records against vulnerabilities, it might be a mistake to focus too much on outside threats. "Eighty percent of all security breaches come from your people," he said. "It's not the hackers."

Don't ignore the barbarians at the gates, but pay closer attention to the enemy within!

Get That Clear

Quote of the day:

On the opposite end of the spectrum are those less-enlightened companies that chose to go with "CNN is our IDS" and that only learn that their networks were compromised when the news shows up in the media. Don't be those guys.

Just say no to CNN!

No, No, No, No

Ha! This is really pushing the HIPAA envelope--- that a hospital name is protected under HIPAA! Talk about a prime Golden Hippo candidate!

Gunther Slaton, President of GSI states ... "GSI is engaged in a project with nine separate hospitals and are working on due diligence for analysis and funding for healthcare accounts receivable. This is part of the ever- increasing market share for GSI for funding of receivables in the $2-trillion+ healthcare market. The names are withheld due to confidentiality requirements and HIPAA rules. Progress reports will be made as this project moves forward. We can categorically state that this project involves the largest amount of receivables for a single project in the history of GSI."

I am guessing that there either isn't really all that many hospitals involved, that the deal isn't really done, or that there is some other factor that makes them want to hide the name of the hospitals. Any of these reasons are likely, but if I were an investor, I'd be asking why the folks in this deal have so little understanding of regulations that they deal with every single day.

Testify

Another thing to tatoo on your forehead:

If you have the job of making your company compliant, remember this: compliance is NOT a technology project. It involves so much more. It takes diligence and hard work. Don't get into the checkbox mentality. There is no quick fix. Don't believe the companies that give quick paths to becoming compliant. They don't work. And don't assume that you don't need help. This is not an easy task, even for smaller companies.

Not a goal, a process!

Walking Shoes

Sometimes no matter what you do, stupid wins:

Covered entities are responsible

The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two month later, disabled the backup systems and then systematically destroyed patient data. For this, Olsen faces an indictment (download PDF), a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.]

Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly."

How in the world can an adminsitrator leave the building after termination and still be able to access systems? This is beyond stupid, it is transcendently irresponsible.

Sing, sing, sing

Music to my ears:

"Our software is HIPAA (SOX, etc.) compliant."

No, it's not.

Many security standards, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, include requirements for the implementation and operation of a system. These detail the actual practice of protecting sensitive data, not just the type or design of security controls.

Proper security controls in a piece of software can support compliance with HIPAA, Sarbanes-Oxley or other regulatory requirements, but a direct claim of compliance-in-a-box is laughable. There's no way to box up a proven-compliant life cycle into an unimplemented piece of software without incorporating your data and experience.

This article is golden. Absolutely a must read for anyone lost in the dark forest of regulatory confusion.

Only the Lonely

It is nice to find I am not alone--- I'm not the only one who has become less than popular by insisting on having a minimum level of security:

We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients’ names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if you’re in charge of securing similar information.

The Lucky Few

Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they can’t synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.

Read the whole article, then read the comments. Setting high standards will catch you flak, even from those not affected. But you will sleep at night.

The times they are a'changing

Okay, slackers, your happy time is over:

Measured subjectively, Runyon estimates that 60% of health care providers are compliant with HIPAA's security standards. A survey last summer of 220 health care providers and insurance companies by the Healthcare Information and Management Systems Society and Phoenix Health Systems showed that only 56% are complying with the security requirements.

Runyon said ambiguity was built into the HIPAA security regulations on purpose to make them less onerous and encourage adoption. But now that organizations have had a couple years to implement best practices and security technologies, he expects enforcement to increase in the next two to five years, which will "put some teeth into this rule."

Enforcement is coming--- I know you have heard this before, but time really is running out. Don't wait for it to start to rain before you build your ark.

I Owe My Soul (to the Company Store)

I'm not very worried for the potential of privacy abuse here, (though given the history of company abuse of employee health info I probably should be) but this seems a little creepy to me, for reasons I can't quite identify:

As companies try to rein in rising health care costs, workers in many industries are dealing with on-site health clinics. Large employers including Toyota Motor Co., Pepsi Bottling Group, Credit Suisse and Sprint Nextel have set up or expanded on-site health clinics in recent years.

Workers aren't forced to use these company clinics, but companies provide financial incentives including lower co-pays, deductibles and an ability to see the on-site doctor on company time.

I think the idea of providing an on-site health clinic is actually a good idea, but it would seem less big-brotherly if they were run by independent third parties. Am I being paranoid here, or do you feel like it would be too weird to have your employer potentially have access to your health info?

Run Around Sue

Nope. HIPAA is a power so great that it can only be used for good, or evil, but it won't do this:

An Ohio federal court has ruled that the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) do not excuse Ohio's Medicaid agency from disclosing patient information in a class action to enforce Medicaid's early and periodic screening, diagnosis and treatment (EPSDT) requirements

Like everything else that is little understood and big and scary seeming, HIPAA is just too tempting to hide behind, especially if you are a public servant hoping to avoid scrutiny. From the beginning the coursts have been able to penetrate this veil of privacy, but it hasn't stopped folks from trying.

How Can I Miss You

Regulars to this site will have noticed that my posting has been light lately. I have been working on a fairly lengthy paper on compliance transparency and it has been taking far too much of my HIPAA energy. It should be done sometime next week, and then I'll be back to my usual irregular posting :)

Blinded by the Light

Here is what people say when they have been terrified by HIPAA training:

You know you can go to jail," firefighter Jim Robertson told the Potterville-Benton Township Fire Board. "You know you can go to jail if you have a HIPAA (federal privacy law) violation."

Yeah, except nobody ever has.

Too Much Love

Interesting piece by Phillip Alexander in Security Park titled "The Dangers of Too Much Data Privacy"-- while I don't entirely agree with him, he brings ups some good points.

The private sector as a whole has not always been responsible stewards of the non-public personal information that consumer entrust to them. It is axiomatic that when the private sector fails to act responsibly, the public sector will enact regulations to mandate changes in behavior. The slew of highly publicized data breaches and the accompanying public outcry are at least partially responsible for the stampede of data privacy laws passed in recent years.

By the way, just in general Security Park has some cool stuff.

Fear the Reaper

Because, you know, if we continue with HIPAA the terrorists win. From a letter to the editor of the Asbury Park Press:

Finding terrorist cells in the British health care industry is disturbing, because it exposes those doctors as criminals intending to cause mass murder. Al-Qaida is recruiting people from nations such as India and Pakistan who work within the industry. The easy access and knowledge doctors have of dangerous biological agents, chemicals and drugs poses a new threat.

Medical terrorists also have access to private information in our medical records. In cases of our recovering soldiers, they see the wounds inflicted that make them unfit for further duty.

The medical reports of millions of Americans are routinely sent over the Internet to India and Pakistan to be typed or transcribed. Most Americans are unaware the doctor treating them here is sending their private medical history and treatment record to India to be typed. Depending on the turnaround time, your medical report already may be somewhere in India before you return home from treatment.

Once these private medical reports leave the United States via the Internet, they enter a cyber-system, where the medical information can be passed from one company to another within a business chain. Your doctor may not know where the medical dictation finally ends up downloaded to a foreign computer to be typed or transcribed.

All of this is legal under the less-than-adequate medical privacy law called HIPAA. The solution to this crisis is simple: Don't allow our personal medical information to leave the jurisdiction of the U.S. court system. Plenty of qualified medical transcribers live here, where it is easier to maintain privacy and trace the path of this sensitive information.

There are so many things wrong with this I don't have the energy to fully rebut them. Leaving aside the delusional nature of the thing and concentrating on HIPAA, the writer is of course mistaken. PHI in India is still under jurisdiction of US courts via Business Associate Agreements, which make at least the US based sides responsible for the conduct of their foreign counterparts.

Now there are boogymen under every hospital bed. Sheesh.

One Clear Moment

Great article on EHR from Government Health IT:

At the same time, he acknowledged that simply building security features into a system doesn’t ensure that the data will be protected if no one reviews the logs, insists that passwords be changed regularly and so on.

“Everyone in this field of privacy and security acknowledges that the weak link is humans and their training,” Leavitt said. “So you get a false sense of security. You look at the features and you’re quite impressed, but most breaches occur because of human problems.… It’s very important to recognize that the human component — the training component and the policy component — is as important or more important than the software features. You never want to focus only on these technical features.”

In the same vein, most of the people interviewed for this article mentioned the need for HHS to more strongly enforce HIPAA rules. The department enforces the rules only when someone complains. When HHS discovers violations, officials have chosen to work with the offenders to bring them into compliance rather than take them to court.

Without more rigorous enforcement, critics say, the public will have little confidence that health care providers are actually using audit trails and other EMR security features. Runyon noted approvingly that in March the HHS inspector general undertook an audit of an Atlanta hospital’s compliance with HIPAA’s security rules. It was the agency’s first such audit, but the IG is reportedly planning more.

Among other things, it discusses the Nationwide Health Information Network and health information exchanges (HIEs), also known as regional health information organizations, and their role in disclosure and auditing. My wife is on the Governor's Commission on this in our state, and I have been following it with great interest. As I know more, I'll report.

Mr. Postman

From the comments faaaaar below:

Anonymous said...
My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of coworker, tripped the PHI filter on the email and the mother had to delete the request. The daughter resends the request with the information 'hidden' within a song of silly words and asks if the stupid filters caught the last name and date of birth that time. The mother replies that it didn't. The mother fabricates a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA based on the reason that they have no need to know if real/false medical information was given because their perception of what the mother did is more than necessary for them to have fired her. Is this really how HIPAA works or is someone misreading the rule? Thank you in advance for helping.

As a professionally paranoid security guy I must say that this looks like an attempt to circumvent the safeguards in place. To an outsider this looks like a test run. The mother's best course of action (if truly innocent) was to firmly tell the daughter no, and explain why it was not appropriate to ask, and really not appropriate to try to game the PHI filters. Made up data has an even worse potential for damaging the privacy of the individual than real data. If they were truly innocent of planning skullduggery, then they are both extremely guilty of poor judgemnt and disregard for the rules.
Can't blame this one on HIPAA--- the mother was guilty of circumventing the protections set in place, breaking the security rules of the insurance company, and playing fast and loose with the patient's PHI, fabricated or not. And yes, HR had no reason to review the real PHI, which would have definatly violated the patient's privacy.

Save My Grave

Wow! Another great "Golden Hippo" nominee for creative use of HIPAA. This time it is Nebraska Attorney General Jon Bruning, who has declared that numbered markers on graves from the state mental hospital from over a century ago cannot be indentified by name, because of HIPAA. The McCook Daily Gazette disagrees:

We understand Nebraska Health and Human Services' reluctance to release patient information -- most of us wouldn't want such information about ourselves to be made public.

But we have seen HIPAA used as an excuse for all sorts of obstruction, from the condition of accident victims to the location of a house fire.

We have to question the need to conceal the name or date of death for someone who died nearly 120 years ago, especially to people who only want to trace their family trees.

Send in the Clowns

Security is a strategy, not a policy!

A box left in a trash bin could end up leaving some local doctors a little lighter in the wallet.

The Greenwich Post was given a box filled medical documents from the Dearfield Medical Building that may have been improperly disposed of. The box was discovered at 4 Dearfield Drive inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues. These documents are not medical charts, but do contain patient names and contact information.

According the United States Department of Health and Human Services, under the privacy regulations for the Health Insurance Portability and Accountability Act (HIPAA), documents such as the ones in the trash bin are supposed to be kept confidential and then shredded when disposed of, not just thrown out in a box.

While it was not confirmed from which office at the medical building all the documents originated, the names of Alfred Padilla and Judith Goldberg-Berman, who run an endocrinology practice in the building, appear frequently on the documents.
Dr. Padilla spoke to Greenwich Post on Tuesday and expressed surprise that the documents had not been shredded. He said it was the practice’s policy to make sure all medical documents were properly disposed of.

“We take HIPAA very seriously,” Dr. Padilla said. “In general we will shred everything we throw away.”

Dr. Padilla said there were some documents that were kept in a room at the practice to be shredded, but hadn’t yet been. He speculated that the cleaning crew at the building might have accidentally disposed of them.

“We have a pile of boxes to be shredded,” Dr. Padilla said. “If the cleaning people came and took the box, mistaking it for garbage, that would have been what happened... My suspicion is that one of our shredding boxes ended up in the trash bin. That’s the only theory I can come up with.”

Sheesh. Who'da ever thunk that cleaning people might mishandle patient records?

Fight For All The Wrong Reasons

I TOLD you so!

An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.

The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place. The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

If your management has been slacking on compliance, it is time to read them this article from Computer World. Enforcement is the new black; the free ride is over. I absolutely agree with Barry Runyon:

The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. "I don't think Piedmont was an anomaly," he said. "My sense is that there is going to be more feet on the street from HHS going on unannounced audits."

Good grief, we in this industry have had plenty of time to get our acts together, and most of the provisions are nothing more than best practices anyway.

Please, please, please do not be the next hospital, clinic, or other covered entity that I write about here. Get compliant!

If Everyone Cared

From another forum where I am a moderator comes this question from someone worried about IT security:

I was asked this question, and I'm not quite sure how to answer it. Where does one turn when they see a complete disregard and lack of importance in the compliance for HIPAA security. The privacy rules are basically followed. But on the technology side, they have policies in place that are just not followed, upper management has stated behind closed doors that HIPAA and security really aren't that important. There really is no one who is the HIPAA security officer. HR is the HIPAA privacy officer. And no one in the healthcare facility will take the issues seriously - even when approached by their own IT about its importance.
Where do they turn, and how do they go about it while keeping their job

The problem is, of course, that enforcement has been criminally lax. But with the recent change in power comes a new emphasis on enforcement, and there are going to be covered entities that are going to become the big, awful example. In the past very little was done when someone was found to be out of compliance, but recent news suggests that the tide is turning.
One of the most compelling reasons to follow the HIPAA security rules is that they are generally best practices anyway. The time to protect yourself is not after you have already been exposed.
All it would take would for there to be a big data loss, with PHI exposed, and those same scofflaws would be scrambling to save their behinds. And the goat would be the IT guy--- no matter the final outcome, the first instinct of those in charge is to blame underlings, and nobody likes IT people anyway.
The process is complaint driven, which means that someone has to rat them out first. The good news is that any affected person can complain, which in practice means just about anybody.
I would suggest the hair-on-fire approach, pointing out to the beancounters that the exposure is real, the dangers are extreme, and the risk to their jobs, the economic strength of the facility, and the possible irreparable PR disaster of a major data loss is not in any way worth not following procedures.
Of course, it is important to make certain that the procedures and policies don't interfere with the business at hand. Healthcare frontliners are notoriously hostile to extra steps that seem to make their primary mission more difficult. Your procedures need to be as transparent to the end user as possible, or they will be disregarded, bypassed or ignored.
The person may be able to convince management of the possible financial risks involved, as money seems to motivate. They may also volunteer to be the champion on this, as sometimes the only reason things don't happen is nobody wants to bell the cat.
Of course, without the buy-in of top management, this is all moot, because every organization is like a fish, in that it rots from the head down. Without a security officer, and absent help from on high, there is not much to be done.
Good luck on this!

Three Of A Perfect Pair

HIPAA as a PR Shield:

Javier Espinosa, a senior at SMU, recently came within two hours of dying. Doctors at Methodist Hospital in Dallas saved his life with an emergency liver transplant.

While Espinosa initially went to SMU's Memorial Health Center to be treated and diagnosed for his cold-like symptoms, he said the health center is not equipped with proper resources to diagnose and treat severe cases.

"The health center can't recognize and [doesn't] really know how to handle hard-core cases like mine," Espinosa said.

Espinosa said he expected the health center to offer advice and guidance when they were unable to diagnose his symptoms. However, staff at the health center said very little and did not suggest going to a hospital.

"I expected the health center to be more responsible," he said. "It was obvious my test results were off the chart and they weren't like 'Go and see a doctor in this hospital,' and they should have."

The health center had no comment regarding Espinosa's case and referred questions to SMU's Assistant Director of News & Communications, Robert Bobo.

Bobo said that Espinosa's case cannot be talked about unless he signs a contract releasing the school from HIPAA or FERPA. HIPAA is the Health Insurance Portability and Accountability Act and according to the online U.S. Department of Health and Human Services it's the "national standards to protect the privacy or personal health information." FERPA is the Family Educational Rights and Privacy Act.

HIPAA as interpreted by the Three Stooges:

So, we all trooped in to the county’s selected health care provider for TB testing. I really didn’t know exactly what was supposed to be done and presumed that the Occupational Medicine Center we went to did. Wrong. I came to find out that while half of us received the appropriate testing, the other half received misinformation. And our second test was done way too soon, necessitating a third test. Further, I found out that we were treated as “new hires” in a big hospital rather than acute EMS exposures. After several weeks of attempting to deal with the situation as Jane Q. Paramedic, I was still unable to convince the hospital to give me a copy of my own medical records, despite executed HIPAA releases and dozens of phone calls. Seems you have to get your medical records from somewhere six states away. Then, they sent me all of my medical records for the last 10 years, with the exception of the one for the exposure, which was the only one I requested. They also sent me a big bill for the copies.

And finally, HIPAA as the New Sheriff in Town:

Arizona requires mandatory disclosure of medical records in medical malpractice cases and, amazingly, is currently considering a change to mandatory arbitration procedures to require the same thing. As we have often explained, these provisions violate HIPPA, the comprehensive federal scheme that provides essential privacy rights for medical records.

The voice of reason is finally kicking in: the Georgia Supreme Court recently struck down their statute requiring mandatory disclosure of medical records in medical malpractice cases citing HIPPA preemption. The decision basically holds that the Georgia statute's failure to include provisions required by HIPPA, such as "the HIPAA requirement of notice of the right to revoke" or "the failure to require a specific and meaningful identification of the information to be disclosed and the failure to provide for an expiration date or a sufficient expiration event," makes the Georgia invalid in light of the preemptive effect of HIPPA.

I Made My Excuses and Left

No more excuses:

The same swing can be seen with other laws. Twenty-five percent of large companies are not compliant with California’s security breach notification law but only 14 percent of midsize companies are not compliant. Midsize companies are less compliant when it comes to the Health Insurance Portability and Accountability Act, or HIPAA (27 percent of midsize companies are noncompliant versus 21 percent of large companies).

The reason, as usual, is money. Sarbanes-Oxley and HIPAA compliance is more complicated and expensive than, for example, GLBA compliance. But the mid-market’s excuse that it doesn’t have the money to comply may be becoming obsolete. According to Mark Lobel, a PricewaterhouseCoopers advisory partner specializing in security, the price is dropping for technologies that help companies comply with security and privacy laws. With affordable tools coming onto the market that can sniff out the data you need to protect, excuses from mid-market CIOs that it’s too expensive to comply with Sox and other laws will no longer work, Lobel asserts.

Mo Money, Mo Problems

AAAAAAAAArrrrrrgggggg!

Attorney David Hanson, a partner in Michael Best & Friedrich and chairman of its healthcare practice group, noted there are people in the health field who think the industry already is spending too much time and money on patient data security - thanks to regulations like the Health Insurance Portability and Accountability Act.

Too much time and money? Yeah, like there hasn't been any data-breeches lately in the health-care sector. Only if you are spending your money stupidly. Only if your time is spent trying to find ways to just barely comply, as a part of a general CYA policy concerning compliance.

Show me a properly designed and fully supported patient data security system. Then bitch about too much time and money. Anybody who thinks this deserves whatever exposure to lawsuit they get.

"It's a strategy, not a policy!"

Days of Our Wives

You know, this HIPAA thing often seems to lead in completely unexpected directions. Who would have ever guessed that a boring collection of medical regulations would somehow connect with the trial for statuatory rape of a notorious cult leader?

A 5th District judge has ordered a media coalition seeking to unseal a secret petition issued in the prosecution of polygamous sect leader Warren S. Jeffs to submit to the court briefs addressing issues of the leader's privacy rights under HIPAA, the Health Insurance Portability and Accountability Act of 1996.

You know, it used to be if I wanted to be left alone on a long flight, when the person in the seat next to me asked what I did, I told them I was a HIPAA consultant and offered to tell them all about it. They would immediately feign fatigue, and be fake-snoring in minutes. But if this sort of thing keeps happeneing, I'll be wearing wrap-around shades and travelling with an entourage.

Hat too Flat

At a recent speech in Washington DC, Google's Adam Bosworth set forth a bunch of stuff planned for Google Health, described as as likely to be “simple, sloppy solution” as befitting the Google way of doing business. All of it sounded pretty good, except when he unleashed this whopper:

Google is trying to lay the groundwork to have HIPAA overturned, and short of that would like to educate providers and patients about how to get at their information even within the constraints of current laws. They’d like to see consumers have the ability to review and challenge their records as is the case with credit bureau information

Ummm.... this is already a right under HIPAA--- Mr.Bosworth seems to have been talking through his hat.

Stupid Things

How in the world can this still happen?

Empire Blue Cross and Blue Shield, a division of WellPoint a medical services company in the US , has begun notifying 75,000 members that a compact disc holding their personal and medical information has been lost, according to published reports.

The personal data was stored on an unencrypted CD

Not one day passes that there isn't another report of ID theft or smething similar, so awareness must surely be there. Low cost encription software is cheap, easy to use and ubiquitous. There are thousans of us out there talking ourselves blue in the face about this stuff.
Johns Hopkins had a similar issue lately, but the data was encripted, so no problem.
How can this still happen?

Highway Rain

Shred, please.

Hundreds of confidential documents from the Cleveland Clinic littered Interstate 77 on Tuesday after blowing off the back of a garbage truck.

Clinic spokeswoman Eileen Sheil said "almost all" of the 300 to 500 documents were recovered from the area of Fleet Avenue.

The documents are employees' performance reviews and patients' results from the cardiology laboratory, Sheil said.

The federal Health Insurance Portability and Accountability Act requires patient documents to be shredded, which these were not.

"Procedures were not followed," Sheil said. Clinic officials are investigating who was responsible.

Uh huh.

The First Cut Is The Deepest

ID theft is a huge problem, and when it involves medical records, the outcome can sometimes be deadly. But see if you can see the problem with this:

HIPAA also addressed security and privacy of health data, encouraging the widespread use of electronic data interaction.

The danger, however; comes when a thief uses a fraudulent identification to seek health treatment. His history - allergies, blood type, and treatment record - then becomes part of the data stored in the system, and can affect the care of the actual person.

“That's when they start giving me the wrong blood,” Jennings said, adding grimly. “I know a surgeon in Warsaw, Ind., that's removed an appendix from the same person five times.”

Five times? At what point do you notice something wrong? And who in the world is yanking so many appendices, anyway? What sort of patient population would allow for this? And how many is too many? Do you cut them off at some point? "Sorry, this coupon has a limit of three per customer."
Somehow I think someone is exaggerating for effect, don't you?

I Write the Songs

Gotta love a guy who heads his posts with song titles! This piece, titled Paper Doll, is a quick rundown on the various technologies available at low cost to help you get a little closer to that goal of a paperless office, dental style.
Most small practices don't have anybody to ramrod changes. New technology usually happens as something breaks. There are some ways that are relatively painless steps to friendlier processes, though, and if they are less expensive and easy to impliment, then they are both more likely to find their way into use, and less likely to be bypassed by the end users as being too much trouble or getting in the way of care.

One (Hu)man, One Vote Remix

From the comments on the post below about the pharmacy worker who was using patient records for her husband's political campaign:

pharmdatamining said...
She lives near me.
I'm changing pharmacies now! Doh!

My wife is a candidate for city council of the city in which we reside. I promise not to pirate anyone's information for her fundraising activities :)

I Fought the Law

Let's see if I can make sense of this: a woman was admitted to the hospital, told the folks there that her husband had pushed her, hospital calls police. All normal stuff. But then the woman decides she doesn't want to talk to the police, and the hospital staff decides HIPAA does not allow them to let the police in to interview the woman. They come back with an obstruction of justice warrant, and arrest the case manager. Woman goes home, police never talk to her. Obstruction charges are later dropped, but the arrested case manager sues for false arrest:

Melancon threw out the lawsuit, saying the federal Health Insurance Portability and Accountability Act does not block officers from getting information about a crime, and noting that the officers had obtained a warrant for Maier's arrest, meaning that a judge had found probable cause for the charge. He said that provides protection against accusations of false arrest.

It seems like everyone got caught in the machine, here. The police certainly needed to respond to the domestic violence call, and the patient's privacy was protected. In some states the domestic violence laws are strict enough that the cops would not have been allowed any discrection. But even though the charges were dropped, no one ever is edified by being escorted out of their place of employment in handcuffs.
Reading between the lines, I suspect this may have been a motivator:

Maier's attorney, Paul Marx, said Maier was far from the only person who told police that they could not give them the woman's name, but may have been the most vocal.

*Thanks for catching the typo, Jason!

Mr. Postman

From the comment section, below:

Anyone, please point me to right direction. My niece married to a doctor who later turned out to be a jerk. My niece finally gave up and filed for divorce. While the divorce is still pending he disclosed some very sensitive health information of her wife to like half of the town. Somebody told us to file a HIPAA complaint but we are not sure if it falls under that law? where to start from and what should we expect from HIPAA's end?
Thanks in advance for your help.
Regards
Ray

HIPAA will only apply if the doctor was also her caregiver. Information gathered and shared as a spouse is not covered, and the fact of his being a doctor will not automatically make him a covered entity.
Although things are looking better, enforcement has been very lax under the current administration. You might inquire, though, and other local privacy laws may apply.
The complaint process is here:
http://www.hhs.gov/ocr/privacyhowtofile.htm
Good Luck!

Easy Does It

Here is what happens when HIPAA training happens in a calm and sensible manner:

Although people might complain about HIPAA requirements I no longer feel that they have a leg to stand on. There is nothing outrageous in these requirements (except maybe one or two really quirky things) and the only real problem will be the way that the auditors interpret the HIPAA standards and how they are applied within an organization. Of course this is true of any standard. There will always be a negotiation of the level of protections compared to the risks involved. My personal feeling is that through HIPAA we have a standard, a overall policy, that is applicable to these specific organizations. We can point to these standards to when the organization fails to adequately protect the sensitive information with which they are entrusted.

See? It wasn't that difficult, now was it?

One (hu)'man One Vote

This is wrong in so many ways! Professional breach, HIPAA violation and most likely election law violation too. (My wife is a candidate for city council here on the opposite corner of the country, and while state laws vary, the allowable sources of voter information are usually pretty narrow.)

In her zeal to drum up votes for her husband, Loretta Jason said she used the customer list at Publix's pharmacy, where she works, to get the unlisted home number of a Dania Beach family to ask for their votes in the city's Feb. 13 primary

I have a great deal of sympathy for the poor lady, who after all was just trying to help her husband make a difference. Still, some pretty poor judgement on her part, poor enough that I tend to think she wasn't entirely unaware, and perhaps just didn't think she would get caught.

Street Fighting Man

Yes, HIPAA does mandate the assault of photographers, if Mr. Moon is to be believed:

During the pandemic drill on November 30, Mr. Sharpe approached news photographer Chip Moon from behind without warning, grabbed the photographer's arm and pulled him across the room to a Hudson police officer, demanding that the officer confiscate Mr. Moon's equipment and destroy any images in his camera.
The Independent had assigned Mr. Moon to photograph the event and had received advance clearance from the county Health Department. When a Health Department official at the site confirmed that Mr. Moon was authorized to be at the event, Mr. Sharpe left the room without any explanation.
According to the stipulation, in addition to serving a 30-calendar-day suspension without pay and issuing a statement expressing regret for his actions, Mr. Sharpe waives any right to a hearing. He acknowledges that he was offered the opportunity to consult with an attorney.
In his statement, Mr. Sharpe says at the time of the incident he had received a radio message that there was a breach of security by a photographer inside the school. "Due to the fact that established protocol was altered, I was unaware that the photographer had been given access and permission to take photos," he writes. "Being mindful of HIPAA rules and regulations, my actions were two-fold: 1) to protect the privacy of the person receiving the flu inoculation and 2) to protect the County from possible Federal HIPAA Law violation." HIPPA refers to the federal Health Insurance Portability and Accountability Act, part of which protects the confidentiality of patient records.

It is gratifying to learn that, as much as I love HIPAA and all of the many things it allows, that there is someone out there even more concerned about the privacy of others, enough so that he was ready to throw his body in the path of the rogue photographer in question and manhandle him away from the exposed vaccinationees!

Start Me Up

Jury returns guilty verdict in first HIPAA trial
The owner of a Florida claims handling company has been convicted of conspiracy to commit fraud, computer fraud, identity theft related to the use patient information from a local medical clinic, and violating the Health Insurance Portability and Accountability Act (HIPAA) through wrongful disclosure of personally identifiable health information. This HIPAA prosecution was the first HIPAA violation case that has gone to trial in the U.S., according to the Department of Justice (DOJ).

Identity theft and Medicare fraud. Fernando Ferrer, Jr., the owner of Advanced Medical Claims, Inc., purchased patient information from a former Cleveland Clinic employee. According to the indictment, the clinic employee accessed the clinic's computer system to download the personal identification information of more than 1,100 of the clinic's patients and sold the information to Ferrer. Ferrer then provided the information to others who used it to file fraudulent claims for Medicare reimbursement. The theft resulted in the submission of more than $7 million in fraudulent Medicare claims, with approximately $2.5 million paid to providers and suppliers.

Possible sentence. At sentencing, Ferrer faces statutory maximum prison terms of five years on the conspiracy count, five years on the computer fraud count, ten years on the wrongful disclosure of individually identifiable health information count, and two years on each count of aggravated identity theft. In addition, he may be required to pay fines totaling $750,000.

DOJ Press Release, Jan. 24, 2007. From CCH Healthcare.

What's Goin' On

Can anybody make sense of this? Something is off, but there just isn't enough infrormation as to what exactly is going on:

In one case, Mary Dykton, a rehab patient at St. Vincent since her 2003 elective open-heart surgery in Albuquerque, came to know and respect Andermann over the course of regular visits to the hospital gym. When Andermann departed suddenly for England, Dykton asked gym staff for news about Andermann and her father’s health. In doing so, she told one hospital staffer “that I knew what was going on.” Dykton says her comment was in reference to Andermann’s father’s health. But it was interpreted to mean that Dykton, a patient, knew about the hospital’s disciplinary action against Andermann.

In a Jan. 8 letter to St. Vincent CEO Alex Valdez, Dykton refutes the allegation that Andermann ever divulged inappropriate information to her. According to Dykton, Valdez has yet to respond to the letter.

Another former cardiac rehab patient, Santa Fe attorney Jeff Brannen, became a gym regular “because you get to know the people who work there, not because the gym is a great place.”

But after Andermann approached Brannen “as a friend” for a lawyer referral, “Someone there from cardio rehab recognized me as a patient, and apparently by giving her the name of another attorney, that somehow constituted independent grounds for termination,” Brannen says, shaking his head in disbelief.

Ducks On The Wall

Claire Martin from the Denver Post was kind enough to email me with this bit of info:

"...HIPAA was invoked when an official here said we couldn't photograph some dead wild ducks, whose deaths may be connected to a wastewater treatment system, because of HIPAA.
Which seemed to me like an incredibly elastic interpretation of HIPAA..."

Elastic indeed! This official really does deserve some recognition; this is cya taken to dizzyingly artistic heights. And as our latest entry in the "HIPAA Made Me Do It" it may be the benchmark against which all others must measure themselves. This is looking to be a banner year.

More as I am able.

Dead And Bloated

A timely and timeless piece on "privilege bloat":

Large organizations have to manage high staff mobility and turnover. Access requirements of employees and contractors change rapidly as they are re-assigned from one position to another. When users try to access something that they need to do their job, and get an 'access denied' error message, they call the help desk, figure out what's missing, and get it fixed. In other words, processes for granting new privileges to users may not be friendly or timely, but they are always reliable.

The same cannot be said of privilege deactivation. When was the last time a user in your organization called the security administration desk and asked that an old ID or group membership be removed? In reality, users may forget that they have the old privilege, may not understand the security infrastructure or may simply hoard old privileges "just in case."

The net result of unreliable and/or untimely access termination processes is that users accumulate inappropriate security rights.

I often go into a small to medium organization and find an entire archaeology of former employees and changed current employees subsumed into the system. My favorite is when an employee is signing on to the "Assistant's" account, with the same password and username as the last five holders of that position. In small and medium organizations, a hired gun like me can ask a few questions and clean it up. In a large company, there may not be anyone who knows for certain about required rights and privileges, or even a current master list of users.
I know, you are asking yourself---"How can this be? Is there really any organization that is so careless that there are such gaping holes in their security?"
Well Timmy, here is the sad answer: There are a lot of them. And they have your personal information, lurking right there on their insanely insecure systems, just begging to be accessed by an unauthorized and ethically-challenged user.

The Young Offender's Mum

It has to be an election year in Allenstown New Hampshire:

Allenstown Police Chief Shaun Mulholland on Monday warned residents to beware of a "sexually dangerous" person who had moved into town. If Mulholland revealed the person's name, he would be violating federal law.

The vague warning has caused widespread fear throughout the small town of 5,000, as Mulholland has said he knew it would. But the chief has also said he felt the option of remaining silent was unacceptable.

"I had to weigh the risks of the fear that would be created with the fear that somebody would get hurt," Mulholland told the New Hampshire Union Leader earlier this week. "And I had to take that risk. If I did nothing and, God forbid, something happened to one of our residents, that would (be) intolerable."

This, of course, is fear-mongering plain and simple. Sex offender notices are regularly sent out in nearly every state. HIPAA is very clear when it comes to public safety disclosures.
In the same article, an official comments to the effect that this whole privacy thing may have gone too far. This, and a police levy are most likely the real impetus behind this ridiculous piece of drivel.

Band Aid Covers the Bullet Hole

The post below is from a response to this piece from the blogs on ComputerWorld:

When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. That’s when compliance with specific sections of PCI or HIPAA comes in handy.

We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.

CYA? Damn Skippy! What little HIPAA compliance I see is entirely the result of CYA; in fact, it is a large part of my consulting pitch. And while we have gone through a long period of lax or non-existant enforcement, the pendulum is clearly swinging back. Best we all be thinking about C'ing our A's.

Cut Hands Has The Solution

Hard to argue with this:

When I evaluate a "solution", I am thinking circles around the vendor because information security is a complicated, multi-layered beast. If a vendor came in, who was very well versed in the legislation, and in the security arena, and understood what their solution actually did as a part of the total solution, I would listen. So far, I've just not been that impressed and maybe that is why compliance vendors are wondering "how little market demand there is for HIPAA and PCI compliance solutions".

Compliance is a subset of security. And Michael's New Rule of Security is this: "It's A Strategy, Not Just A Policy." Or a piece of software.

It Wasn't Me

Oh sure. Now not only can you use HIPAA to excuse just about anything you can torture into congruence, you can torture HIPAA itself to prove that you are not actually responsible for any actual violation, and of course without enforcement, who is to say you are wrong? From the Wall Street Journal, via Kaisernetwork.com --

The Journal profiled attorney Patricia Galvin, who was denied disability benefits after her health insurer, UnumProvident, accessed notes from psychotherapy sessions at Stanford Hospital & Clinics. According to the Journal, UnumProvident said the notes indicated that Galvin was not "too injured to work" after she was involved in a car accident and applied for long-term disability leave. UnumProvident had asked Galvin to sign a broad release to access her basic medical records, which included some of the psychotherapist's notes about Galvin that Stanford had scanned into its computer records system. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other issues, under the federal Health Insurance Portability and Accountability Act. HIPAA includes added protection for mental health records, but Stanford in court papers said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy' notes under HIPAA."

Live and Let Die

A chilling and sobering report from Bankrate.com:

Financial identity theft might wound your wallet, but medical identity theft can kill you.

Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims. That means your medical history and health care records can include someone else's information. This can be life threatening: for example, causing a transfusion of the wrong blood type.

"People can die from this crime," says Pam Dixon, executive director of the World Privacy Forum, a privacy rights group. "It is a potentially huge issue. It's an incredibly intransigent problem and victims are finding that they have to sue health care providers to have their records corrected."

Pay attention--- you are not just exposing yourself to legal liability by sloppy record handling, you could cost someone their life.