Medical Privacy Laws Highly Ineffectual
Rick Zeman writes "According to the Washington Post, since Americans gained statutory privacy for their medical records backed by the US Federal Government (via HIPAA), the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases saying that they were pursuing 'voluntary compliance.'" From the article: "'It's like when you're driving a car,' said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. 'If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply.'"
Medical Privacy Laws [in the USA] Highly Ineffectual
Slashdotters all over the world are smart enough to know that the problem with those medical records is largely a local problem. That is to say, it is a US problem and not a problem for the whole world. Here in Sweden, we have no such trouble.
Having been the HIPAA security officer for the Home Health division of the nation's largest Protestant health organization, I can tell you we spent MILLIONS trying to be HIPAA compliant. We locked down servers and databases (encrypted data on secured databases on secured servers on secured networks). We instituted dual-factor authentication and physical security. We stressed our management application to its limits doing our best to ensure patient security and privacy.
But, again, it's the individual workers who matter. Like the time I found out our billers couldn't remember their countless insurance company BBS passwords, so they had a nice spreadsheet they shared. I couldn't get rid of it, but at least I had them put it in their drawers.
Good grief? Sure, but that was HIPAA compliant.
So, please, geeks of the world, let's not bash an entire industry based on one article.
How many of these cases were privacy violations due to accidents, staff inexperience, etc.? Do you really want doctors getting in legal trouble over trivial violations their first time or a particular staffer's first time? That is a GREAT way to drive up their insurance costs which only benefits lawyers and the insurance industry. You, in turn, pay higher medical costs.
And whatever happened to innocent until proven guilty? This sounds a lot like the feminist tendency to say "she claimed she was raped, and women never lie about rape, thus she must have been raped." People get impassioned and complain all of the time for invalid reasons. People also complain out of ignorance, what they feel the law ought to be, etc. Broadcasting would be dead if every complaint sent to the FCC was taken at face value, and every slip of indecency were fined.
How about we work toward some real privacy like, I don't know, fighting to keep the DMV from selling our records, the IRS our tax records (they want to do that now), get laws passed making law enforcement DNA databases available only to the police and NEVER to insurance groups, the DoJ requiring mandatory data retention and things like that.
RE:"but at least I had them put it in their drawers."
ouch!
Politics is Treachery, Religion is Brainwashing
When scandals explode, it's too easy to think "Aha, they got caught! Now they HAVE to stop this!", but it's not always what actually happens. The fact that many Americans put so much faith in the power of free information speaks very well about the level of freedom and democracy they enjoyed until recently.
Nuffsaid
Don't know about his cat, but Schroedinger is definitely dead.
The problem is that the health care facility doesn't care either.
My wife works in a hospital processing insurance. She complies with HIPPA (because privacy of her medical records is important to her), and will report the many violations she sees (technically, she could be fired for not reporting). However, her manager and upper management never do anything but give a verbal warning.
There have been some pretty major violations too. They just don't care.
I know how awful it sounds, but think about it another way:
1. Everybody in the office was theoretically allowed to get to that patient data.
2. They NEEDED to share passwords because of how the insurance carriers set up their BBS. They only give one username/password combo out per company, but we had a dozen billers.
3. We worked in a locked office with security.
So...the information was supposed to be shared amongst the people in the office, but functionally needed to be stored somewhere because, well, "turnover". So our barrier between the patient data and the outside world was twofold:
1. Even if you had a username and password, would you know how to get my patient data off a greenscreen emulator by connecting to our AS/400 and using passthrough to get it from the government?
2. We were on an upper floor in a nondescript office building with locks.
Check this out.
http://www.consumerist.com/consumer/irs/breaking-irs-archive-control-sold-to-lowest-bidder-177771.php
Talk about your privacy in jeopardy. How long before these records end up on an insecure server, or off shored to where people don't give a crap and sell the information. Identity theft anyone? How is keeping records secure *not* a core function?
Every day I wake up amazed at the sheer stupidity around me.
putting the 'B' in LGBTQ+
Case in point: My father was hospitalized and I was called to approve treatment over the phone. The ER personnel never gave me the HIPPA security code. Later I called to check on his status. The nursing desk staff refused to give me that information citing HIPPA. Uh...they called me as medical power of attorney to give permission to treat him yet they never gave me the top-secret security code. When I pointed out how ludicrous that was they just used HIPPA as the reason to not give me my dad's health status. I managed to bypass the idiocy with the use of said Protected Healthcare information to get the information requested. It just shows that laws are made by the powers, but the analysis of the use-cases that will interact with the laws have not been given the proper review for the cases that are exceptions. So, all that said, nothing surprises me.
--Cally
Last year my health insurance company, in response to a billing dispute, sent me a full page from their billing database. The record for my family took up just one paragraph, and above and below it I could see other patient names, billing codes, account numbers, and more.
I asked them to explain this, and got no response. I sent the sheet of paper to the US Department of Health & Human Services. A few months later I got a letter back in the mail from them, stating that they had investigated the situation, the provider (Humana) admitted making a mistake which resulted in a privacy violation, and they weren't going to do a damn thing about it.
So, I'm hardly surprised by this article. Still it's sad to see I was in the 73 percent of cases.
First, there is a LOT to HIPPA to understand. People often think any discussion of their medical history is a violation. The truth is you sign a lot over when you sign HIPPA waivers. For instance, the right for your care giver to discuss anything about you with any other potential care giver (often)...you want this, trust me.
One of the areas that does continually surprise me is that medical records are stored, transmitted and displayed all in clear text. Some of the major manufacturers of the healthcare software often use FTP (not SFTP) to exchange records with their customers. Even internally within a hospital, records are transmitted from one system to another in clear text.
If you want security, ask your care giver how they are protecting your electronic records.
RTFA! This is not about "laws", it's about one law: HIPAA. And it's not that the law is "ineffectual", it's that enforcement of the law is virtually nonexistent.
After a year long bout with several parallel ailments, my GP asked me how I was, and I replied "except for the writer's cramp, just fine". Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything (maybe not explicitly required but it seems everyone's in CYA mode on every visit).
As he observed, "What do they think I'm going to do - run out into the parking lot and yell to passers-by 'You'll never guess what Pellino's got...!'"
And as I observed - you get three or more seniors in the waiting room, and no matter how the small talk starts, it always becomes a grand exposition of their ailments. "Huh! You don't know from gallstones! I should be so lucky to just have your gout!" and on and on and on...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
HIPAA marked a big transition in regulation because:
a) enforcement is complaint-driven, rather than having an inspection apparatus.
b) It "scales": for many provisions, you can provide an explanation why you should be able to take an alternate (less onerous) measure.
c) it explicitly focuses on management controls much more than data specifics.
As a practitioner, I think this was a good approach (note that part c was taken up in earnest by Sarbanes-Oxley). Data privacy is an extraordinarily complicated affair, and one that is still evolving. Frankly, it's not like other industries in charge of personal data (e.g. finance) have done all that well either. And regulation itself takes time to settle down. Neither of these issues was explored at all by this article. I'd say given how much HIPAA differed from other regulation, and how dynamic the situation is, the implementation timeline has also been reasonable.
Additionally, medicine is an extraordinarily fractured industry. There is no smooth "supply chain" type model for moving patients or data through the system; rather, nearly every transaction is negotiated. The parent touched on this, but I'll go a bit further: a large fraction of medical transactions require human intervention to move data, and a huge amount of medical data has yet to be digitized. This is in stark contrast to physical industries like airplanes or retail, all of which have systematized many or most of their transaction chains.
I'd say the right thing to do is to give the regs more teeth by prosecuting a few of the worst offenses. Basically, make it easy to show how and why disclosures caused damage. This will put people on notice that the government is serious about the regs. If that doesn't work, the regs themselves can be tightened up, hopefully in the context of broader data privacy legislation.
While it's distressing that HIPAA is essentially seeing no enforcement, I find it more distressing that while it hinders movement of my medical information among my providers (requiring forms be signed by me, etc) it explicitly allows any law enforcement agent to waltz in without a warrant and assert without evidence that I am a suspect or victim in a crime and thus obtain my medical records.
:)
Every time I hear someone throwing a fit about being able to obtain a warrant to get my library records I think of this. Funny how no one notices MASSIVE giveaways of your privacy rights under democratic administrations. Oh, and look up 'know your customer' sometime too
Most major health care organizations use outside auditors to look at privacy compliance. It is taken very, very seriously by hospitals and the other organizations. My wife has dealt with the auditors at the ambulatory surgery center where she practices. They have made all kinds of nit-picky changes to their procedures, many of which make no sense. Example: when patients with dentures or retainers go in for surgery, they have to take the appliance out and it is placed in a plastic container of water. The container has a label from the medical records printout attached. After the patient leaves, procedure was to throw the empty plastic container in the medical waste bin for disposal by burning. The auditor demanded that they peel the label off after use and shred it.
My late father had to have an outside auditor survey his office in order to remain on the list of authorized providers at several major insurance companies.
The regulations are ambiguous as can be, so violations are going to happen until the appropriate practices are worked out.
HIPPA = Hippopotamus. With an A.
STOP SPELLING IT "HIPPA"!
This is a classic case of why consumers should have a private right of action to sue in court under the civil law. HIPAA does not allow individuals to sue a hospital or doctor for violations of the statute. (However, a stricter State statute or privacy or contract law might allow a suit)
There is a growing trend in U.S. Federal Law that grants people rights, but does not allow them a remedy if there is a violation of these rights. This is a direct outgrowth of 20 years of conservative Supreme Court rulings that have gutted the power of the Judiciary to provide remedies for violations of the law.
The thought process is "well, Congress said you have a right to have your information kept private, but didn't explicitly say that anyone besides the State can enforce this remedy, so oh well, you're screwed if the government doesn't want to do anything."
This thought process is not only unjust, but goes against 500+ years of Common Law. Where you have a right, you should always have a remedy. It is an axiom, and 20+ years of Republican Judicial Activists have destroyed this notion. It is not right, and it is not fair. And it is not conservative. It is radical and undemocratic, and goes against the rule of law.
See: http://www.privacyrights.org/fs/fs8a-hipaa.htm and http://www.healthlawtoday.com/hipaa/files/righttosue.htm and http://www.abanet.org/buslaw/blt/2001-11-12/meade.html
As a practitioner, let me say that HIPAA is being fairly actively enforced. There are some fairly boneheaded breaches from time to time, but there are boneheaded privacy breaches in every industry. I can tell you that there have been incredible unintended consequences. First, millions to billions have been spent (and are continuing to be spent) on HIPAA compliance. For the most part, this is money spent nominally on health care that is completely administrative in nature. Ever wonder where all of that 13% of the GDP spent on health care goes? A bunch of it is being spent on HIPAA compliance offices, with 4-6 FTEs being spent training, and doing paperwork. Not a terribly cost effective way of improving health care. Second, everyone now is safety wired into the "don't tell anybody anything" position. If your spouse is in the hospital, and you do not have a designated HIPAA compliant health care proxy, you (by HIPAA rules) don't get to know anything, other than where she/he is. No diagnosis, no prognosis, not what happened, nothing. If he/she didn't or wasn't able to make the designation in writing on admission (i.e. was run over by a bus) you will need to jump a bunch of legal hurdles to get the information released. As a medical consultant, it is very hard for me to get information from people trying to refer patients to me. Too often I get the "I can't tell you that; HIPAA" line. Although, to be honest, this is a misinterpretation of the law, but many institutions have taken the view that "unless I have a piece of paper which explicitly states I can release information to you, I'm not telling you crap".
I think the thing with HIPAA is that it takes time for it to improve security and privacy. Basically, you can handle it however you want as long as you justify your decisions in writing as being "reasonable." Reasonable security might mean that it would cost so much to do things more securely that it would adversely affect service. There are so many small niche markets for medical information software that your reason for poor security may simply be that you only have two or three vendors who serve your specialty and they all have poor security. Many of these applications were created before security was taken as seriously as it is now and many were designed for isolated LANs but are now being connected to the internet. I hope that the bar will be raised by those people who go the extra mile. Then the standard for "reasonable" will eventually become something which really protects privacy.
This goes to the topic of software warranties. Most medical informatics software comes with something like a "statement of HIPAA compliance," which basically says that the vendor has designed the software in a way that it can satisfy HIPAA if you do your part to make it secure. This is fine in itself. The problem is that these applications don't run in isolation. You need an operating system to run them on and they quite often only run on the operating system with one of the worst security track records in the business. They may also depend on other application software. For example, one which I work with uses Microsoft Word and Word Macros to handle reports from the database. It was designed that way in order to allow the integration of third party options like speech-to-text from a variety of vendors. The thing is that Windows and Word don't come with any statement of HIPAA compliance. They follow the common practice in the software industry of disclaiming all warranty including against negligence.
Never mind that we live in a small town where Mrs. Smith and Mr. Jones went to kindergarten together and come from families that have been here for 150 years. And forget that my wife is a podiatrist and that visiting her isn't inherently compromising (unlike, say, sitting in the lobby of a clinic for sexually transmitted diseases).
So, according to HIPAA, my wife is breaking the law each and every time she treats her patients like people instead of numbers. We haven't had a complaint yet and don't expect to, but could technically be busted for violating Mrs. Jones's privacy at any moment.
Dewey, what part of this looks like authorities should be involved?
Want insurance?
You must sign a waiver of your HIPPA rights. You agree that data given to the insurance company will not be subject to HIPPA regulations.
Seriously, read the fine print. HIPPA does not exist unless your insurance company was unusually dumb. HIPPA is nothing until the law prohibits waiver of rights.
One case which I can comment on (up to a point) is one which I was involved in. There was a period, a while back, where we were just beginning to realize the extent of the spyware problem on PCs and we started to install two or three different antispyware applications on each machine. In this process, we discovered that two of our medical transcriptionists had been infected with keylogger trojans which were sending data to an internet marketing company. This, of course, had to be reported as a HIPAA violation. The authorities did nothing as a result of the incident but we started to take security more seriously anyway.
I had previously argued that these computers should use a particular set of secure, internal, non routed IP addresses which are available on our network (we are part of a large university). In the rush to get the new system going, the people who installed the workstations, had used the regular, less secure IP addresses (which don't require proxies to access the internet). It was surprisingly difficult for me to convince people that using these internal IP addresses was necessary because antispyware software will never be able to catch everything. Not to mention the other security benefits of not being directly visible from the internet. I think many people just don't grok the concept.
These computers were eventually moved to the secure IP address range (with proxy access denied as well) and other additional measures were taken to secure them but I don't think that would have happened without the reporting requirement of HIPAA. Still, it's surprising that there wasn't any more reaction from the authorities. My guess is that they were just swamped with similar reports.
Since no one has pointed it out yet, I should mention that HIPAA stands for the Health Information Portability and Accountability Act. It's the portability part that came first. The accountability part only came after privacy advocates objected. The main purpose of HIPAA was to make it easier to share data among care providers. The medical profession is much more spread out among different specialties and facilities than it ever was in the past.
One of the basic principles of HIPAA is that you can share data with anyone who is directly involved in the care of the patient and anyone who is responsible for billing for that care. I am involved with a clinical laboratory. We take samples from referring physicians, process them and give the results back. Many patients probably don't even realize that they are in our database. It seems to me that this is one of the weaknesses in HIPAA. You ought to have a right to know who has your data.
The principle of medical privacy is there to prevent anyone from avoiding treatment for fear that their information will get out. This not only applies to people with diseases which might have a social stigma but it also applies to a case like that of a criminal on the run. Such a person should not have to avoid medical treatment for fear of being tracked through medical records. This is tantamount to denying medical care. Doctors should not be part of law enforcement (of course that general principle is not absolute when you consider examples like child abuse). I wonder if the level of access by law enforcement to medical data may already be causing some people to avoid, or delay being tested for conditions.
HIPAA needs to have a number of new provisions. You should be able to find out who has medical records on you, you should be able to get copies and have the original records deleted, or more likely anonymized since many laws require bulk reporting of the occurrence of certain diseases.
It's hard to figure out what's a violation and what isn't; in a 12 mile radius of me there are 7 people with the same first and last name as me, 3 of those people have the same middle initial. Obviously the release of my name wouldn't really be personally identifying, however if my name was qvidis.... it would.
This HIPPA stuff is affecting patient care right now. 3 weeks ago I burnt my hand at work, so the boss drives me to the Port Huron Hospital ER (newly remodeled for increased HIPPA compliance); there is no triage any more because that's HIPPA sensitive data. My pain on their scale of 1 to 10 is about 18, I've got about a square inch of skin just flapping in the breeze, my knees are starting to buckle and the info clerk is explaining to another person how to get to the third floor! Eventually I get to be seen in the ER proper, they start an IV, push some morphine into it which takes my pain from 18 to 9, cover my burn with gauze and sterile saline and ask me when I had my last tetanus shot. My personal doctor's office has all of the admin stuff done by Mercy hospital, the records are supposed to be available 24-7, so I get a tetanus booster I don't need in the other arm and they call an ambulance to transfer me to the burn center at Detroit Receiving Hospital. I get to DRH's ER, give them all of my data which is entered into their new computer system, get taken up to the burn center only to not be in the computer system, and have the burns deroofed and debrided (the definition of pain is yet again expanded for me) and sent down to a bed on a med-surg unit. I remember looking at the clock after I burned my hand and it was 6:05 PM Thursday, it's now 3:45 am on Friday and I'm not in the new computer system, I guess they can't release personal data that can't be found!
Apocalypse Cancelled, Sorry, No Ticket Refunds
So put this and this together, and we read the secret headline "Midaeval Piracy Laws", thereby tying HIPAA in with the MPAA and RIAA and the basic Slashdot anti-Copyright agenda! Yes, it's a *AA conspiracy!
Go on, mod me insightful. It's a slow news week so far.
//Information does not want to be free; it wants to breed.
I work for another giant healthcare company, and I can tell you that where HIPPA is making a huge difference for us is in firings. We've let go MANY people that we'd wanted to fire for various reasons, but it's hard to fire people -- especially those who manage to be incompetent at everything except knowing how to fight to keep their job. Previously, even when we had a "zero tolerance for errors" (something you'd want at a hospital no?) we still could not fire people who made repeated mistakes without going through a HUGE long drawn out process.
Now, 2 HIPPA violations, and you can fire anyone.
Don't get me wrong, I don't want to fire people, and I'm not looking for a reason. But it's nice now to have a tool that shears past union complaints etc. And in talking to colleagues, they have expressed to me that HIPPA has been a godsend for them too in trimming off legacy employees who were not able to function in a modern environment, but were too "senior" to release just for being technically incompetent.
In re-reading before posting, the above sounds cold. I suppose it is, but I'm just talking about the difference that HIPPA has made for us. And great employees don't get dismissed for HIPPA violations, but in a time and place when no one can be fired without a preponderance of evidence of incompetence, this is a nice loophole.
Nothing great was ever achieved without enthusiasm
At my employer, as with many companies these days, the health insurance that's offered to employees has changed from a standard insurance provider like Blue Cross (just for example), to "Self-Insured", under the federal Employee Retirement Income Security Act, a.k.a., "ERISA".
What this means, besides the loss of virtually all state-mandated consumer protection in the area of medical reimbursement (because ERISA supersedes all that), is that now, instead of a 3rd party insurer getting my medical billing info, and keeping my employer at least an arm's length away from it, my employer gets to see it all.
So what's the point of "Medical Privacy Laws" if the information is specifically made available to the very people one would probably want to not have access to it?