Medical Privacy Laws Highly Ineffectual
Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
Considering the various privacy issues that have plagued this administration, most recently in the form of the whole NSA wiretapping debacle, what would make anyone think they'd give a damn about the privacy of anyone but themselves?
Medical Privacy Laws [in the USA] Highly Ineffectual
Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.
How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.
And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was raped, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.
How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.
Two problems. First, the ratio. It seems hard to believe that only two out of thousands were serious enough to prosecute. Secondly, more crucially, is the explanation given. It isn't that they've investigated the thousands of complaints and found that they don't warrant prosecution, it's that they want "voluntary compliance". Sorry, but that's stupid. The whole point of laws is that they're enforced. If you want people to play nice voluntarily then don't pass a law. If you pass a law then enforce it.
It's a classical example of the government taking something simple and completely fucking it up and it's why healthcare is so expensive in the US. As it is, HIPPA will never fully be implemented, there will continue to be extensions, complaints won't be addressed and health care and insurance providers will continue to pass the costs on to the customers without actually making it "more secure." It's just like another expensive line item to pork barrel.
I'm not a socialist but at the current rate we will have to socialize medicine in the US.
Doctors, especially in the US, have money. They can easily cover a fine of say, $200. It doesn't increase their costs greatly, but at least it does give the impression that the laws are to be taken somewhat seriously, and will be enforced.
If your private information is compromised, I don't think you'd really give a fuck if it was due to some staffer's inexperience or an accident. The end result is that you've got to deal with your credit card information being used improperly, or you have to deal with your identity being used by a criminal somewhere else, or a myriad of other problems.
As for increasing costs, proper enforcement of this legislation may actually decrease expenses. It likely takes far more time and money for somebody to clear up a case of their credit card information being stolen and used to make purchases, than it does for a healthcare provider to secure its patients' information.
Check this out.
http://www.consumerist.com/consumer/irs/breaking-irs-archive-control-sold-to-lowest-bidder-177771.php
Talk about your privacy in jeopardy. How long before these records end up on an insecure server, or offshored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?
Every day I wake up amazed at the sheer stupidity around me.
putting the 'B' in LGBTQ+
Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.
--Cally
Last year my health insurance company, in response to a billing dispute, sent me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.
I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.
So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.
First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA waivers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often)...you want this, trust me.
One of the areas that does continually surprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not SFTP) to exchange records with their customers. Even internally within a hospital, records are transmitted from one system to another in clear text.
If you want security, ask your caregiver how they are protecting your electronic records.
When I first read the title, I thought it said "Medical Piracy Laws ...". The weird thing is, the title still made sense to me.
Go figure.
RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.
It's not enough that we get numerous automotive analogies on Slashdot - now we get them in the articles as well. I expect the next step is the "+1, Car Analogy" mod (or -6, as the case may be).
Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
After a year-long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HIPAA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).
As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"
And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitly allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.
:)
Every time I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE giveaways of your privacy rights under Democratic administrations. Oh, and look up 'know your customer' sometime too.
Most major health care organizations use outside auditors to look at privacy compliance. It is taken very, very seriously by hospitals and the other organizations. My wife has dealt with the auditors at the ambulatory surgery center where she practices. They have made all kinds of nit-picky changes to their procedures, many of which make no sense. Example: when patients with dentures or retainers go in for surgery, they have to take the appliance out and it is placed in a plastic container of water. The container has a label from the medical records printout attached. After the patient leaves, procedure was to throw the empty plastic container in the medical waste bin for disposal by burning. The auditor demanded that they peel the label off after use and shred it.
My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.
The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.
HIPPA = Hippopotamus. With an A.
STOP SPELLING IT "HIPPA"!
I've long suspected that Wal-Mart illegally compares personal health records with productivity and satisfaction.
This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)
There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.
The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, you're screwed if the government doesn't want to do anything."
This thought process is not only unjust, but goes against 500+ years of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.
See: http://www.privacyrights.org/fs/fs8a-hipaa.htm and http://www.healthlawtoday.com/hipaa/files/righttosue.htm and http://www.abanet.org/buslaw/blt/2001-11-12/meade.html
As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly bone-headed breaches from time to time, but there are bone-headed privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".
getting your panties in a bunch
Still, the OP is right. HIPAA, as with all government attempts at regulation, is a weird, complex, inconsistent, illogical construct that underneath all of the legal mumbo jumbo, handwaving and threats, is actually trying to do something useful.
The really scary aspect of this is that it represents a significant improvement from before. From someone who has been running a small medical office with ancient, creaking paper based systems and an even more ancient, creaking electronic billing system, I for one, welcome our new (and somewhat benign appearing) medical information security overlords.
Faster! Faster! Faster would be better!
I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.
This goes to the topic of software warranties. Most medical informatics software comes with something like a "statement of HIPAA compliance," which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.
Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).
So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.
Dewey, what part of this looks like authorities should be involved?
Yes, in fact, you do want to act on them. Note that act does not mean "assume the complaint is valid and slap a huge fine on the company"; but it does mean investigate and take appropriate action per the law.
I don't care if an offense was "accidental"; this is serious stuff, and the companies entrusted with this information need to take seriously the charge of protecting it. Being careless enough to "accidentally" divulge protected information should not be accepted.
Now a variation on that: In these early years of the law, when its meaning is unclear, it is reasonable that a company acting in good faith but failing to understand the requirements might get off with a light fine or a warning for the first couple offenses. But that still requires that complaints be investigated and acted upon.
See, absent an active regulatory environment, nobody knows exactly what these laws mean. That's why some leniency makes sense early on; but if that leniency is extended to the point of turning a blind eye, then the companies have no way to learn what the law does, in fact, mean. Spend $billions to enforce what your legal department thinks HIPAA means, and that still doesn't mean you've really captured what you're supposed to be doing. Keep in mind who pays your legal department; they're going to try to tilt their interpretation as far as they can without getting you in legal trouble, and if there's no enforcement, then the net result will be there might as well be no law.
Now, let's suppose that legal somehow figures out what the law means, and in spite of seeing the lack of enforcement the company nonetheless constrains itself to setting policy according to the law. Still no good without enforcement. Corporations are big places. Even when the company as a whole spends huge sums of money on compliance, the law will not truly be effective until the entire company's structure is on board, down to the PM's at least. I can tell you absolutely that when a project gets under pressure, the sentiment comes out that it's ok to skimp on HIPAA compliance because nobody is getting in trouble for violations. Sure, every professional "should" take the stance of "it's the law, so that's that"; but if there's no enforcement, that doesn't happen.
I swear I read at first the news as 'Medieval Privacy Laws...' damn associative memory
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Want insurance?
You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.
Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA violation. The authorities did nothing as a result of the incident but we started to take security more seriously anyway.
I had previously argued that these computers should use a particular set of secure, internal, non-routed IP addresses which are available on our network (we are part of a large university). In the rush to get the new system going, the people who installed the workstations had used the regular, less secure IP addresses (which don't require proxies to access the internet). It was surprisingly difficult for me to convince people that using these internal IP addresses was necessary because antispyware software will never be able to catch everything. Not to mention the other security benefits of not being directly visible from the internet. I think many people just don't grok the concept.
These computers were eventually moved to the secure IP address range (with proxy access denied as well) and other additional measures were taken to secure them but I don't think that would have happened without the reporting requirement of HIPAA. Still, it's surprising that there wasn't any more reaction from the authorities. My guess is that they were just swamped with similar reports.
The best thing about HIPAA is that the notifications you get tell you how little privacy you have.
So the next time you are answering profile questions be sure to remember that answering yes to use of an illegal drug may result in a no knock search of your premises if you piss off anyone in the government.
When medical data is treated like Lawyer Client privilege used to be before Bush, then you will have medical privacy.
I'm getting revenue from HIPAA compliance efforts and a lot of people at conferences are there to talk about "how we survived HIPAA".
Here's what's worrisome, though. The most common approach to HIPAA is "what's the least we have to do to stay out of jail?". Unless there's enforcement through some channel, those HIPAA initiatives will turn into forgotten dust-covered binders.
In Australia, practitioners do not receive or ask your health insurance about how much cover you have. They give you the bill and it is up to you to organise paying it (between you and the health insurance company.)
In America, every medical facility that you want to claim through your health insurance appears able to access basic health insurance information such as how much you have spent "this year". What a joke.
Roll over citizen John, ACME Inc wants to make a buck and you're not allowed to have any privacy.
> Only you and your doctor should know your name
> and your medical condition; everywhere else
> your name should be coded as a number that other
> office workers cannot look up.
Because the medical assistant doesn't review labs, and the records clerk doesn't file documents in your chart, and the billing clerk doesn't handle your call about the diagnosis codes on your latest EOB...do you have any sense how health care is actually delivered, even in efficient, high-quality places that are fully HIPAA-compliant?
I work in a pharmacy, and I can vouch for this. You know how pseudoephedrine became a controlled substance? Well, we now have to log all sales of it, including purchaser's name and address, and how much of the crap he bought. Police don't have access to your prescription records without a warrant, I'm pretty sure, but they can just come right in and check the PSE records. It makes me grind my damned teeth whenever I have to fill out that log book.
is that it contains no private right of action. In other words, you can't sue your insurance company when they sell your records to a marketing company^W^W^W^W^W^W^W share some of your health information with some of our selected, carefully prescreened partners. Your only recourse is to make a complaint to the same people that routinely accept millions in bribes^W contributions from the people you're complaining about. This is true with so many "protections" passed by this administration while at the same time they've gutted others (bankruptcy, class actions).
It seems hard to believe that only two out of thousands were serious enough to prosecute.
And in one of those cases, the crime involved selling an FBI agent's medical records. Wonder why the Justice Department (in which the FBI is housed) chose to prosecute that case?
Probably any information about you that is stored in any computer in Sweden is available for the right price. What makes you believe otherwise?
Since no one has pointed it out yet, I should mention that HIPAA stands for the Health Information Portability and Accountability Act. It's the portability part that came first. The accountability part only came after privacy advocates objected. The main purpose of HIPAA was to make it easier to share data among care providers. The medical profession is much more spread out among different specialties and facilities than it ever was in the past.
One of the basic principles of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.
The principle of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principle is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.
HIPAA needs to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.
It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.
This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there is no triage any more because that's HIPPA sensitive data. My pain on their scale of 1 to 10 is about 18, I've got about a square inch of skin just flapping in the breeze, my knees are starting to buckle and the info clerk is explaining to another person how to get to the third floor! Eventually I get to be seen in the ER proper, they start an IV, push some morphine into it which takes my pain from 18 to 9, cover my burn with gauze and sterile saline and ask me when I had my last tetanus shot. My personal doctor's office has all of the admin stuff done by Mercy hospital, the records are supposed to be available 24-7, so I get a tetanus booster I don't need in the other arm and they call an ambulance to transfer me to the burn center at Detroit Receiving Hospital. I get to DRH's ER, give them all of my data which is input into their new computer system, get taken up to the burn center only to not be in the computer system, and have the burns deroofed and debrided (the definition of pain is yet again expanded for me) and sent down to a bed on a med-surg unit. I remember looking at the clock after I burned my hand and it was 6:05 PM Thursday, it's now 3:45 AM on Friday and I'm not in the new computer system, I guess they can't release personal data that can't be found!
Apocalypse Cancelled, Sorry, No Ticket Refunds
...it's so HIPP!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...at causing a pain in my A5S!
I could paper my walls with the number of stupid disclosure notices I've had to sign. One for each member of the family at each healthcare provider including eye doctors, pharmacists, allergists, etc., and another one for each school, camp, afterschool program, and employment situation.
All this, which in my case is well over 100 by this point, and they are useless?
GRRRRRRRR.
It makes me as angry as when I fill out forms for schools and camps for the kids and they have 4 or 5 forms for each kid that repeat the same questions! I'll bet I wrote my daughter's birthday 12 times just for one camp. I have three daughters, multiple camps and schools. GACK. All it does is lead to inaccuracy because when something changes all those different places will NEVER get updated.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
So put this and this together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!
Go on, mod me insightful. It's a slow news week so far.
//Information does not want to be free; it wants to breed.
From the outset, HIPAA was expected to have a period of voluntary compliance, followed by a period of enforcement aimed more toward corrective action than towards punishment. I don't recall just what the intended durations were, but the period of corrective enforcement was to be at least a few years long.
Although HIPAA was set in motion back in 1996, the Privacy rule only came into mandatory effect in October of 2002, and the Security rule not until April of 2005. We might be nearing the hard-enforcement date for Privacy, but for Security I don't think we're even close yet.
I'm no fan of this administration, but lax HIPAA enforcement is not something that one can fairly tar them with yet. They're pretty much sticking to the original plan so far.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
I agree that the implementor is at issue. Again, the laws are made without any regard for the ramifications for the implementation/interpretation of the masses. I've dealt with at least 3 institutions that couldn't deal with the ER entry of a patient (mother and father in this case) and the power of attorney situation. The hospitals get the authorization from the Medical POA but then don't know what to do if that person (POA) is not physically standing in front of them.
--Cally
HHS would have issued their $100 fines in more than 0 cases if they were taking the approach of enforcement.
They do have a reason for the policy of issuing warnings and explaining how to do things. The rules are new, people aren't used to them, some amount of adjustment time might be reasonable. But the policy isn't producing compliance. The fantastic article says "The approach has made health-care organizations complacent about protecting records, several health-care consultants said". Or this quote:
"They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, Ore., a health-care industry consultant.
Yeah? When does that kick in? My wife's a surgeon, but I'm stuck driving a used Oldsmobile and lately riding a bike to work. We're not poor but neither do we live up to the "rich doctor" bullshit myth that you're buying into.
In reality, doctors spend the first 12 years after high school incurring enormous debts (you didn't think med school was free, did you?), then another decade in jobs that put food on the table but just cover a mortgage and student loans. Maybe we'll be wealthy some day - if only we can start turning a real personal profit by the time we're in our 40s.
So kiss my ass with the "doctors can afford it!" BS. Some can, but a whole lot of them can't. You might as well say "IT staffers have money", or "salesmen have money", or "accountants have money"; any of those would be just as accurate (and grossly overgeneralized).
Dewey, what part of this looks like authorities should be involved?
I work as a medical transcriptionist for a large health care organization. As a transcriptionist, my job requires accessing medical records for patients on a daily basis. In order to do this necessary part of my job, I am given access to ALL the medical records in our local system . . . not specifically the ones I need to do my job. This means that, if I chose to do so, I could view anyone's medical records from clinics within a large chunk of the state . . . that is, friends, enemies, people I know and am curious about, etc. Obviously, being privacy-conscious and having a conscience that forbids me from invading another's privacy, I don't abuse the system in such a way. However, if I were to do this, there is VERY little in the way of monitoring the use of the system by employees such as me. If I were to look up my professor's medical records and get ALL kinds of personal information from the records, no alarms would be sounded -- not even an eye would be blinked by anyone in my organization. It would just be assumed that I was in that record as part of a transcription.
Being in this position, I know how lax the security of our electronic medical records is and how, even with HIPAA, we still don't have as much real protection as it might seem.
Yep. So when they ask you about drug use when collecting medical profile information about you, remember that any "yes" answer could result in a no knock search of your property. If you piss off the wrong government official this could be a good way to get rid of you.
HIPAA (Health Insurance Portability and Accountability Act) was created (1) to guarantee that a person, when leaving one insurance provider, could, by maintaining continuous insurance coverage, not be excluded from coverage for "pre-existing illness." It was not uncommon for people to change employers, have to change insurance providers, and then lose coverage and benefits.
As an "opportunity," the pending regulation was expanded to delve into all kinds of IT issues like privacy and security. The challenge of those potential regulations was that there was no current body of practice in the industry. Finance departments set expectations for financial systems, medical records departments handled release of information, and nursing services made patient status available. Having the IT focus caused much consternation among these other departments, which saw the effort as intrusion into their domains. Many departments simply didn't have the staffing or the time to devote to reading and interpreting the huge number of pages of material.
The most significant failure of HIPAA was to create the sense of "standards of privacy and security" as community standards, or measurements against the norm. There were, in fact, few well-defined and well-articulated standards of expectations in the regulations. Obviously, consultants and auditors and lawyers interpreted everything in the most rigorous, least risky manner, and not the community standards. This fact continues to be the most challenging of the regulations to deal with, because it is a moving target among competing healthcare organizations rather than a defined standard to which all are measured.
Ultimately, HIPAA has had little of the effect on personal information privacy in terms of secure electronic information exchange while giving a name (HIPAA - perhaps the most frequently misspelled acronym in the US) and a PERCEPTION that the law actually defined standard expectations.
Most of the complaints are due to irritation and confusion (and some posts on /. reiterate those points) because the regs are baroque, abstruse, and generally hard to understand - as most legalese is to people who have their jobs to do. An admitting clerk, a nurse, or a med tech receives training in HIPAA, but it's guidance, not a recitation of the pages and pages of language that even experts disagree on. And, staff are taught to be more conservative as a risk management approach to privacy.
There are many more important problems in healthcare than this one. More people are killed by the INABILITY to share critical information than are adversely affected by the ABILITY to err in doing so. Think of the loss of medical information for Katrina victims, and the fact that up to 100,000 adverse medical events leading to death occur EACH YEAR, and put those 17,000 complaints in perspective.
At my employer, as with many companies these days, the health insurance that's offered to employees has changed from a standard insurance provider like Blue Cross (just for example), to "Self-Insured", under the federal Employee Retirement Income Security Act, a.k.a., "ERISA".
What this means, besides the loss of virtually all state-mandated consumer protection in the area of medical reimbursement (because ERISA supersedes all that), is that now, instead of a 3rd party insurer getting my medical billing info, and keeping my employer at least an arm's length away from it, my employer gets to see it all.
So what's the point of "Medical Privacy Laws" if the information is specifically made available to the very people one would probably want to not have access to it?
I wonder if this has something to do with why the government is refraining from enforcing the patient protection provisions of HIPAA...
Just goes to show the Bush admin has plenty of time to push for an amendment to the constitution to deny some the ability to marry whom they want in a consensual manner but won't take the time to enforce a law already on the books. Seems like businesses can't do any wrong but individuals can't be allowed to do what they want when they aren't harming another.
Falcon
Should there be a Law?
You can lock down your servers, your network, etc. But as you imply, insiders are the big threat.
To avoid insider abuse at hospitals, doctors' offices, etc., you need to let insiders know you're watching everything they do. This isn't "big brother", it's common sense. You can't necessarily lock everyone out of everything, but if they know you're looking they'll more likely play by the rules.
An article about the Michigan health system (they use the P2 Sentinel product from Cerner and SenSage) was informative, a useful case study. They monitor insiders, and everybody's happier.
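An added illustration of the insider monitoring this comment and the transcriptionist's post above describe (example code written for this page, not anything from the commenters, Cerner or SenSage): it checks each chart access in an audit log against the transcription work queue and flags accesses that no assignment explains, the case that "would just be assumed" to be part of a transcription. The employee names, patient ids, log lines and 24-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: which charts each transcriptionist was assigned
# (employee, patient_id, assigned_at) ...
WORK_QUEUE = [
    ("tsmith", "P1001", "2006-06-05T08:00"),
    ("tsmith", "P1002", "2006-06-05T08:05"),
    ("tsmith", "P1003", "2006-06-05T09:30"),
]

# ... and the EHR access audit log (employee, patient_id, accessed_at).
ACCESS_LOG = [
    ("tsmith", "P1001", "2006-06-05T08:12"),
    ("tsmith", "P1002", "2006-06-05T08:40"),
    ("tsmith", "P7777", "2006-06-05T12:15"),  # never assigned: should be flagged
    ("tsmith", "P1003", "2006-06-05T09:45"),
    ("tsmith", "P1001", "2006-06-07T16:00"),  # assignment long closed: flagged
]

# Assumed policy: an access is explained only by an assignment made within
# the previous 24 hours for the same employee and patient.
ASSIGNMENT_WINDOW = timedelta(hours=24)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def unassigned_accesses(access_log, work_queue, window=ASSIGNMENT_WINDOW):
    """Return the accesses no work assignment explains, in log order."""
    assigned = defaultdict(list)
    for emp, pid, at in work_queue:
        assigned[(emp, pid)].append(parse(at))
    flagged = []
    for emp, pid, at in access_log:
        t = parse(at)
        explained = any(timedelta(0) <= t - a <= window
                        for a in assigned.get((emp, pid), []))
        if not explained:
            flagged.append((emp, pid, at))
    return flagged


def unexplained_rate(access_log, work_queue):
    """Share of each employee's accesses that no assignment explains."""
    total, bad = defaultdict(int), defaultdict(int)
    for emp, _, _ in access_log:
        total[emp] += 1
    for emp, _, _ in unassigned_accesses(access_log, work_queue):
        bad[emp] += 1
    return {emp: bad[emp] / total[emp] for emp in total}
```

Feeding these reports to supervisors, and telling staff that they exist, is the "they know you're looking" part; the window and the join key against the work queue are what keep routine transcription work from generating noise.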
A good friend of mine was suspended from her job of 18 years, allegedly due to concerns about a HIPAA violation.
The violation: A member of our church brought his kid to her hospital. The parent asked her to let others in the church know that they had come to the hospital, and to pray for them. Someone at the hospital found out, and she got suspended.
Due to personal and family medical problems, her employer had chastised her in the past for missed days of work. This seems to those of us who know her like an excuse to get rid of someone who they felt was more trouble than she was worth.
She found employment at another hospital during her suspension, and is much happier now. The new employer actually acts like they understand family medical emergencies, and encourages her to take the necessary time to care for both herself and her children. She actually feels like the valuable employee she is.
Sort of a flip side to the previous poster's experience.
R David Francis
That would be like the highway patrol handing out tickets to the state troopers, if you get my drift.