Wednesday, April 30, 2008
I finally have a serious prediction for 2008: I predict that unauthorized access to medical records will be the new lost laptop story.
Reporting on the compromise of data through laptop loss or theft over the past few years has raised public awareness of data breaches and disk encryption. The upswing in incidents involving hospital employees accessing celebrity medical records will have a similar effect on awareness. I mention this because a former UCLA Medical Center employee was indicted yesterday on charges stemming from exactly this kind of activity. What made this a criminal case rather than just another firing is that the employee sold the records to a "media outlet" (a tabloid).
This is significant because stories like this raise public awareness of HIPAA requirements and of what medical providers can actually do: review who accessed a patient's medical record and when, and determine whether each access was appropriate. The result will likely be two-fold. First, more patients will know these capabilities exist and will start asking doctors and hospitals for this information. Second, hospitals that aren't currently reviewing the logs from their EMR systems will feel some pressure to start doing so.
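The kind of log review described above, as an added example that is not code from the original post: it runs two simple rules over a constructed EMR audit log. The first flags any chart view by a user with no documented treatment or payment relationship with that patient at the time of the view; the second flags a record that draws an unusually large number of distinct viewers inside a short window (the pattern of a celebrity admission). The log format, the roster fields, the user and patient IDs and the thresholds are all assumptions; real EMR audit exports differ by vendor, and what counts as appropriate is set by the covered entity's policy, not by this script. Break-the-glass (emergency) access is carved out of the relationship rule and queued for manual review instead, since a blanket flag there would bury the reviewer.

```python
"""Review EMR audit-log entries for chart views without a documented
relationship, and for one record drawing many distinct viewers at once.

Added example, not from the original post. Log format, roster, IDs and
thresholds are assumptions standing in for a vendor's real audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp|user|role|patient|action.
# P-77 stands in for a high-profile patient; all IDs are made up.
AUDIT_LOG = """\
2008-04-27T08:05:00|u1001|RN|P-77|VIEW
2008-04-27T08:40:00|u2002|MD|P-77|VIEW
2008-04-27T11:15:00|u4004|RN|P-12|VIEW
2008-04-28T09:12:00|u4004|RN|P-77|VIEW
2008-04-28T09:14:00|u5005|CLERK|P-77|VIEW
2008-04-28T09:20:00|u6006|RN|P-77|VIEW
2008-04-28T10:02:00|u7007|TECH|P-77|VIEW
2008-04-28T12:30:00|u8008|MD|P-77|BTG
2008-04-29T14:00:00|u3003|BILLING|P-77|VIEW
2008-05-03T16:45:00|u1001|RN|P-77|VIEW
""".splitlines()

# Constructed care-team roster: (user, patient, start, end) windows in
# which the user had a documented treatment or payment relationship
# (assigned nurse, attending, billing for an open encounter, etc.).
CARE_TEAM = [
    ("u1001", "P-77", "2008-04-27T00:00:00", "2008-04-30T23:59:59"),
    ("u2002", "P-77", "2008-04-27T00:00:00", "2008-04-30T23:59:59"),
    ("u3003", "P-77", "2008-04-29T00:00:00", "2008-05-31T23:59:59"),
    ("u4004", "P-12", "2008-04-20T00:00:00", "2008-05-05T23:59:59"),
]


def parse_log(lines):
    """Turn pipe-delimited audit lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, user, role, patient, action = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def has_relationship(user, patient, when, roster):
    """True if the roster documents user<->patient at time `when`."""
    for r_user, r_patient, start, end in roster:
        if (r_user == user and r_patient == patient
                and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)):
            return True
    return False


def review_access(lines, roster, many_viewers=5, window=timedelta(hours=24)):
    """Return (unrelated, btg, hot):
    unrelated: views with no documented relationship at the time of access;
    btg: break-the-glass events (permitted, but listed for manual review);
    hot: (patient, window_start, viewers) where >= many_viewers distinct
         users opened one record within `window`."""
    events = sorted(parse_log(lines), key=lambda e: e["ts"])
    unrelated, btg, hot = [], [], []
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e)
        if e["action"] == "BTG":
            btg.append(e)  # emergency access is not a violation by itself
        elif not has_relationship(e["user"], e["patient"], e["ts"], roster):
            unrelated.append(e)
    # Sliding window per patient: first window that crosses the threshold.
    for patient, evs in by_patient.items():
        for i, e in enumerate(evs):
            viewers = {x["user"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(viewers) >= many_viewers:
                hot.append((patient, e["ts"], sorted(viewers)))
                break
    return unrelated, btg, hot


if __name__ == "__main__":
    unrelated, btg, hot = review_access(AUDIT_LOG, CARE_TEAM)
    for e in unrelated:
        print("NO RELATIONSHIP", e["ts"].isoformat(), e["user"], e["role"], e["patient"])
    for e in btg:
        print("BREAK-THE-GLASS", e["ts"].isoformat(), e["user"], e["patient"])
    for patient, start, viewers in hot:
        print("MANY VIEWERS", patient, start.isoformat(), viewers)
```

On the constructed data this flags the four staff who opened P-77's chart with no care-team assignment, the nurse who re-opened it after her assignment ended, and P-77 as a record that five distinct users opened within a day; the one emergency access is listed separately rather than treated as a violation. The roster lookup is the part that is hard in practice: it has to be fed from scheduling, encounter and billing systems, and gaps there produce false positives that a reviewer must still be willing to chase.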
Showing posts with label hipaa.
Monday, February 4, 2008
AB1298
A colleague of mine sent me this article, which should be of interest to pretty much everyone in the health care or human resources fields. AB1298 is an assembly bill that updates SB1386, California's much-copied breach disclosure law. The bottom line is that an individual's health insurance ID number (which is hopefully not also their SSN) is now considered PII in much the same way a credit card number is. When that number is breached together with the corresponding name, you must notify the affected individual.
It makes perfect sense. That number, combined with proper billing information, is enough to receive health care services from any participating medical provider. And, while I have pretty decent credit, I don't have a platinum card with a six-figure limit. But, if it were medically necessary, my insurer could be charged that kind of bill. And I would be responsible for the deductible. And, unlike my credit card's maximum personal loss, my deductible is not $50. So as an individual I stand to suffer greater financial loss if my medical identity is stolen versus my credit card.
In an America where health coverage is a problem for 47M people and the rising cost of health care is a problem for the rest, it doesn't seem at all far-fetched that trading in stolen health insurance information could become a lucrative criminal enterprise. And that would make health care data a real target.
Wednesday, October 10, 2007
On George Clooney and HIPAA
Palisades hospital in New Jersey has suspended 27 employees for accessing actor George Clooney's medical record after he was treated there following a motorcycle crash. I don't disagree with the employees' suspension, but the hospital spokesperson told reporters, "What these individuals did was violate a HIPAA regulation. We can not say that they actually released any of this information to the media."
It's clear that someone did leak to the media information from his medical record, but the hospital doesn't know who. Additionally, these employees had access to patient EMR data as employees of a covered entity (the hospital). So I'm picking a nit here, but I do believe the hospital has admitted that it doesn't know which of the 27 employees suspended, if any, actually violated HIPAA. As far as I can tell they were, under the law, authorized to view Clooney's medical record. Of course, what they did was still inappropriate, unprofessional, unethical, and probably a violation of hospital policy.
But perhaps the best-slash-worst part of this whole situation is that a union rep defending some of the suspended employees has been quoted as saying, "There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed."
Thursday, July 19, 2007
Good HIPAA Resource
HIPAA isn't new, but - and maybe because I work in an environment where it's the primary regulatory standard - I regularly have conversations with colleagues and vendors about how we adhere to HIPAA standards and specifically the nuances of how we believe it translates into actual best practices on the ground. Like anything that is both legal and technical, HIPAA is riddled with self-referencing jargon, and defining these terms is useful to any serious conversation about HIPAA compliance. To that end, I stumbled on a really nice encyclopedia of HIPAA terms at U of Miami's med school. Too useful not to share.
Wednesday, March 21, 2007
Health & Human Services Is Teething
Lots and lots of people have declared HIPAA irrelevant and ineffective because of the lack of direct federal oversight and the perception that the penalties it could levy on an organization were weak compared with those of laws like SOX.
But, OH SNAP!! The Health and Human Services Inspector General is auditing providers. I've got in my inbox a copy of the FAX sent to _____ Hospital in Georgia about their audit. No mention of a complaint or prior incident. Just a friendly, "Hi, we're coming to audit you," letter complete with data collection document.
It has always been my stance that if what's lacking in compliance is enforcement, then it's important to comply, because enforcement is only a budget line item away. So I guess I'm saying, "I told you so!" to everyone who has greatly exaggerated the rumors of HIPAA's death.
So, uh... think warm thoughts doc, cuz that thermometer is mighty cold.