
HIPAA: Beware Doctors Who Claim They Don't Have To Follow Safeguard and Privacy Requirements

My good friend Alec recently made me aware of a very interesting blog post made by a physician (thanks Alec!) that is frankly quite troubling.

"Because I do not take health insurance, I am free from HIPAA regulations and therefore I can conveniently communicate with you in ways that simply and plainly just make sense in today’s world. People have criticized me, a solo physician who will likely have about 1,000 patients in my practice, about security and privacy (FYI…all of my patient medical records are encrypted, password protected twice on my laptop and backed up daily to a secure, encrypted remote server). Those who question me seem horribly concerned about my patients’ privacy. Meanwhile, those of you who do have health insurance with the major insurance companies, please beware. Your name, SSN, and medical information are stored along with hundreds of thousands, if not millions, of other people in enormous databases at your mega-insurance company. The people responsible for that CD they’re using to transport maybe 196,000 people’s PHI aren’t doing such a good job. I guarantee I won’t have to provide 12 months of free Equifax to you if you are my patient. Go with the big guys and kiss your privacy goodbye. I personally use Apple’s encryption technology called Filevault. According to Apple, it could take as long as 149 trillion years to crack my password using a computer that could attempt it every second."

He also notes,

"If any of you are wondering why your own doctor doesn’t communicate with you using email, IM, and other ways that simply make sense in today’s world, wonder no further. They break federal law with every email and IM since the vast majority of physicians have contracts with insurance companies or Medicare."

So basically, he's trying to justify sending sensitive patient information and other personally identifiable information (PII), and specifically protected health information (PHI), in clear text within email messages and instant messaging.

He stresses how he encrypts PHI in storage, but then boasts how he communicates "conveniently" sharing PHI via unencrypted transmissions.

Hopefully his patients understand that transmitting cleartext PHI within email and instant messages is a huge risk. I've discussed these risks and related incidents often, such as here.

And he has the nerve to say that if something bad happens to this PHI he is sending in an unsecure manner that he guarantees he "won’t have to provide 12 months of free Equifax to you if you are my patient."

Why would his statement that he will not be held responsible for the bad things that happen as a result of his lack of security practices be of any reassurance to his patients? Such a statement should make his patients want to find another doctor.

What is even more troubling is that so many of the people leaving comments in response "thank" him for the way he is practicing the transmission of PHI. I wonder how many of these were planted comments?

His interpretations of HIPAA seem to be those that are most advantageous to him. I'm sure many healthcare providers would find it easier to say they don't have to comply with the law instead of making the effort and investment in actually trying to protect the privacy of their patients and provide the legally required safeguards for their PHI. However, all the good and trustworthy healthcare providers I've seen and met are concerned and try to follow their binding regulations.

This doctor is trying to boil down his reasoning for not needing to comply with HIPAA to a very simplistic 13 words, "Because I do not take health insurance, I am free from HIPAA regulations." His patients, and all individuals, should know it is not this simple!

Determining whether or not a healthcare provider is a covered entity (CE) under HIPAA is much more complicated than this. I cover this issue in detail in my book, "The Practical Guide to HIPAA Privacy and Security Compliance."

I discuss in detail how to determine whether or not an organization is a covered entity on pages 5 through 11, and all of Chapter 16 (pages 213 - 224) for healthcare provider issues. It involves more than just whether or not health insurance is used by the provider.

Within the HIPAA regulations, 45 CFR § 160.103 has the complete definition of a covered entity.

"Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter."


"Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation."

So this doctor does not qualify under any of these terms?

Well, even if he truly isn't considered a HIPAA covered entity, it is interesting that this doctor goes to great lengths to point out that the regulatory oversight agency for HIPAA has not applied any fines to covered entities that are not in compliance with HIPAA. Is this a veiled way of saying that, even though he's not in compliance, he doesn't have to worry because he won't be caught, or penalized, anyway?

This doctor also goes to great lengths to point to healthcare insurers as having many privacy breaches. This is true, but healthcare providers have also experienced many privacy breaches. It reminds me of that saying, "When you point a finger, you have four fingers pointing back at you."

Just check the lists of privacy breaches at the Attrition site, the PogoWasRight site, and the Privacy Rights Clearinghouse site and you'll see that numerous privacy breaches have occurred within healthcare providers.

In fact, the criminal actions that have occurred and been prosecuted under HIPAA (which the doctor himself mentioned) occurred within healthcare providers (which he conveniently did not mention). See a little more about them here and here.

All doctors, whether or not they are a covered entity under HIPAA, should be protecting the privacy of PHI not only in storage but also while it is being transmitted through public networks. If they don't they are putting the PHI at unacceptable risk.

If this doctor is indeed not covered under HIPAA he certainly is still subject to civil suits when bad things happen to his unsecured patient PHI.

Often if something looks like a duck and quacks like a duck, it really is a duck. The words of this doctor sound like quacks to me!


Comments

Well, it's one thing to discuss liability for infractions between large and powerful entities having the financial muscle to take care of themselves. What about the personal rights that are commonly denied to individuals under the guise of "HIPAA Regulations"? I have reported three covered entities (private Physician groups serving the public for fees through insurers) that consistently insist that they have the right to deny my access to my own medical records if they have been forwarded from another Physician. The Office of Civil Rights has ruled against them in every instance, yet they continue the practice because there are never any fines imposed. In every case the entity simply ... complies and continues knowingly to deny access to others. No penalty, no motivation to change, and the office personnel save 4 minutes here and 6 minutes there by actions they know are illegal. It takes 6 to 9 months to process a complaint through an OCR that is grossly understaffed. They know 95% of individuals cannot or will not pursue this. And these are individuals that have been "HIPAA trained".

I applaud you for reporting covered entities who are not following the regulations! And I agree, the regulations must be enforced to be effective. The HHS must staff their enforcement offices (the OCR, CMS and OIG) appropriately. Let your lawmakers know your concerns; now's the perfect time to be a squeaky wheel and get changes made.

Regarding HIPAA training, I have seen very good training, but I have also seen a large amount of *HORRIBLE* training. When HIPAA was enacted I saw several small and large vendors jump on the HIPAA training bandwagon; a couple were offering so-called "HIPAA Certifications", which are meaningless to the regulators, that were developed by individuals with absolutely no healthcare background or experience, and with absolutely no experience in developing *effective* training content!

Patients also need to speak up to their physicians when they see HIPAA infractions. The more people that do this, the more likely changes will be made.

I threaten the hell out of someone like yourself who makes their living off HIPAA mindlessly supporting a flawed (albeit possibly well intentioned) federal regulation. I really enjoy hearing you people squirm when I talk about discussing my patient's cold symptoms over IM. There is a major fault in HIPAA. The writers failed to take into account simple common sense in the communication between doctor and patient. Instead, they simply say ALL health information is private health information. How many people in the United States would feel violated if a very bored IM snooper intercepted my discussion between jayparkinsonmd and "iluvstlouis84" about their cold symptoms? No doctor in their right mind, especially myself, would email a patient with the subject line: "Your HIV test was positive." I use common sense Rebecca. As a physician who is not a covered entity (as your expertise should tell you) because I don't engage in any of those listed practices, I am free to communicate with my patients as myself and my patients see fit.

The problems with healthcare are often communication problems. I communicate effectively both verbally and electronically to solve those problems. I am a physician who went to Washington University, Penn State, and Johns Hopkins. I've done two residencies and received my Masters in Public Health. Needless to say, I have impeccable credentials. I wouldn't think of going to Norwich University to learn from an "expert" like yourself.

To call me a quack is to make you look like an ignorant, uneducated, threatened, mindless follower promoting a poorly written law that enables you to be a monetary sinkhole and a burden on the healthcare industry. Greed before common sense and effective communication won't get you very far. Look at how far it's gotten us since 1996.

Thanks for your message, Jay.

I know nothing about what kind of doctor you are. However, the bottom line message is that sending clear text patient information through open networks is a very risky practice.

Yes, IM and email is easy, is convenient, and is quick. However, professionals who encourage their customers and patients to send personal information through the Internet must also take the time and be responsible for securing it.

Thank you for giving me the opportunity to talk about this more here http://www.realtime-itcompliance.com/privacy_and_compliance/2007/11/sending_cleartext_im_and_email.htm.

Even if you prefer to ignore the security risks, your patients should be aware of the risks that they are being exposed to by sending their information in clear text.

Rebecca,
You are missing the point. There is a spectrum of PHI. After counseling my patients about privacy and finishing with the statement, "Don't tell me something via email or IM that you aren't comfortable telling the whole world," my patients understand and simply don't give a damn about telling me about their allergies over IM or email. The vast majority of my patients don't care about the one in probably 100 million chance that someone is snooping on our IM and cares enough to trace it back to the actual person and then does something negatively (whatever that may be regarding the cold symptoms) with the information they acquired by snooping. I only have one who actually cares and we therefore communicate traditionally and face to face (not by phone because snoopers can listen to phone calls just as easily as IM communication...but you/HIPAA think communicating by phone is safe). Your understanding of privacy is absurd, unrealistic, theoretical, and impractical in today's world. But you have to make a living and go so far as calling me a quack without even meeting me or experiencing me as a physician. I'm glad you aren't my patient. You'd be more interested in privacy than your health. If you "know nothing about what kind of doctor I [am]," why publicly call me a quack? I'm perfectly fine with criticism, as long as it's educated and based on hard facts. Unfortunately, you think that emailing or IM'ing my patients about mundane cold symptoms makes me a quack. What are your standards for a physician who is not a quack? One who refuses to email unless they use your $5,000 HIPAA compliant secure email product? It's very unprofessional of you to call me a quack. But it's your public arena. You have the right to your own uneducated opinion.

Thanks for your message and sharing your thoughts, Jay.

The point is still the same: email and IM messages are not secure. There are many vulnerabilities; you can see some here
http://www.realtime-itcompliance.com/privacy_and_compliance/2007/11/sending_cleartext_im_and_email.htm

and more here
http://www.realtime-itcompliance.com/information_security/2007/11/7_more_reasons_why_sending_cle.htm.

The point is that patients and customers should be told and know all the risks that are involved with sharing all types of their personal information via cleartext email and IMs. It should be up to them to decide what pieces of their information should be protected. At the core of privacy is the ability to determine what personal information, of any kind, regardless if it falls under the definition of PHI or not, is shared, how it is shared, and knowing the risks involved when sharing that information with others.

I know nothing about what type of doctor you are and have not written about that; I have pointed out the risks of practicing medical consultation via cleartext email and IMs.

You are obviously innovative and atypical in your medical practice, and clearly passionate about your work.

I, too, am passionate about making sure people understand the risks involved with sharing their information using innovative new technologies. Too many privacy incidents continue to happen, almost every day you can read about them in the paper or online, because of lack of knowledge of security risks, vulnerabilities within technologies, mistakes, technology misuse, and malicious actions exploiting vulnerabilities.

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the world's best privacy experts and on their list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.