
Insider Threat Examples: HIPAA Violations Go Unpenalized In Iowa

When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, "Medical privacy law fails to stop snooping."

In one of the incidents described, a woman was deeply embarrassed and humiliated after intimate details of an operation on her uterus, taken from her doctor's files and accompanied by her full name, were apparently published in marketing material...

"The article [which was published in her hometown newspaper] included her full name and occupation. There were details of what was called her "embarrassing" and "odd" medical problem of heavy menstrual flow. The article described her physician's treatment and said, "Now Jill no longer experiences heavy and irregular periods." Jill says she was subjected to public ridicule, humiliation and depression. She is now suing a medical-services company and its public relations firm for the alleged unauthorized use of her name and medical condition in a promotional piece that masqueraded as a news article."

Isn't this amazing?

Doesn't it make you mad to know that we've had the Health Insurance Portability and Accountability Act (HIPAA) in effect for years, and still the Department of Health and Human Services (HHS) has only recently applied a single sanction, despite what seem to be ongoing news reports of flagrant HIPAA violations?

It seems many other Iowans have also been victims of inappropriate access to their protected health information (PHI), largely because insiders got into patient files out of curiosity or to gossip, not because of any job-related need.

"Jill isn't the only Iowan to complain of medical-privacy violations. A Des Moines Sunday Register review of state and federal records shows that dozens of Iowa health care workers have been disciplined by their employers for snooping through the medical records of HIV-positive men, pregnant teenagers, victims of domestic violence and emergency-room patients.

Not one of them has been prosecuted for violating the federal patient-privacy law known as HIPAA, an acronym for the Health Insurance Portability and Accountability Act. When enforcement of the law began in 2003, it was touted as an effective tool in the fight to improve patient privacy."

The article details many situations where workers at healthcare providers continued to access patient details and share them with people outside their organization, even after multiple warnings to stop.
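The pattern the article describes, repeated access to records by people with no treatment relationship to the patient, is exactly what an EHR audit-log review should surface. The following is an added example (not code from the original post or from any EHR vendor) showing the core of such a review: each access event is checked against a documented care-team or business-need relationship, and users who keep snooping after a prior warning are escalated rather than warned again. The log format, the care-team table, the allow-list of billing access and the prior-warning record are all constructed assumptions for illustration; real EHR audit logs and relationship data look different.

```python
"""Flag EHR record accesses with no documented treatment relationship.

Added example, not from the original post. The log format, field names,
care-team table, business-need allow-list and warning record are all
constructed assumptions; real EHR audit logs differ.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit log: timestamp,user,role,patient,action
AUDIT_LOG = """\
timestamp,user,role,patient,action
2007-03-04T08:05:00,u101,nurse,p9001,view
2007-03-04T08:10:00,u101,nurse,p9002,view
2007-03-04T09:30:00,u205,clerk,p9001,view
2007-03-04T09:31:00,u205,clerk,p9003,view
2007-03-04T09:32:00,u205,clerk,p9004,view
2007-03-04T12:00:00,u330,physician,p9004,view
2007-03-05T14:00:00,u205,clerk,p9005,print
"""

# Constructed care-team table: patient -> users with a treatment relationship.
CARE_TEAM = {
    "p9001": {"u101", "u330"},
    "p9002": {"u101"},
    "p9003": {"u330"},
    "p9004": {"u330"},
    "p9005": {"u330"},
}

# Constructed allow-list of non-clinical access with a documented business
# need (e.g. a billing clerk working an open account): (user, patient) pairs.
BUSINESS_NEED = {("u205", "p9001")}

# Constructed record of prior warnings already issued to each user.
PRIOR_WARNINGS = {"u205": 1}


def parse_log(text):
    """Parse the CSV audit log into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def has_relationship(user, patient):
    """True if the user is on the patient's care team or has a logged business need."""
    return user in CARE_TEAM.get(patient, set()) or (user, patient) in BUSINESS_NEED


def find_snooping(events):
    """Return the events for which the user had no documented need to access the record."""
    return [e for e in events if not has_relationship(e["user"], e["patient"])]


def escalate(flagged, warnings=PRIOR_WARNINGS, threshold=2):
    """Group unjustified accesses per user and decide the follow-up action.

    A user who was already warned, or who has reached the threshold of
    unjustified accesses, is referred to compliance/HR instead of warned again.
    """
    per_user = defaultdict(list)
    for e in flagged:
        per_user[e["user"]].append(e)
    report = {}
    for user, hits in per_user.items():
        prior = warnings.get(user, 0)
        report[user] = {
            "unjustified_accesses": len(hits),
            "patients": sorted({e["patient"] for e in hits}),
            "prior_warnings": prior,
            "action": "refer_to_compliance" if prior >= 1 or len(hits) >= threshold else "warn",
        }
    return report


def run(text=AUDIT_LOG):
    """Full review over one log: parse, flag, escalate."""
    return escalate(find_snooping(parse_log(text)))


if __name__ == "__main__":
    for user, finding in run().items():
        print(user, finding)
```

In this constructed data the clerk u205 legitimately views p9001 (on the allow-list) but then opens three other patients' records with no relationship, and has already been warned once, so the review returns a referral rather than another warning. The hard part in practice is not the comparison but maintaining the relationship data (admissions, consults, billing work queues) well enough that the check has few false positives; without it, the only evidence left is the kind of after-the-fact complaint the article describes.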

Do you ask your healthcare provider what they do to safeguard your protected health information (PHI)? The more people ask and make this an issue, the more compelled healthcare providers will be to follow the HIPAA requirements.

If you are responsible for information security and privacy at a healthcare provider, are you pushing employees and contracted staff to follow the required safeguards? Many of the information security and privacy practitioners I've spoken with at healthcare providers have told me tales of the huge challenges involved.

If you are a doctor, a nurse, or otherwise employed by a healthcare provider, please know and follow the requirements for keeping your patients' privacy and PHI appropriately safeguarded!

Earlier this year I went to a new doctor, and was given a stack of sheets to fill out and sign on the first visit. One of the sheets was almost bare except for a couple of sentences similar to, "I have read and understand this medical center's notice of privacy practices. I understand that I will not receive treatment or care unless I sign my name to indicate my receipt of the notice of privacy practices." It then had a line for my signature. However, within that large pile of papers, I could not find the notice of privacy practices (NPP)!!

When the doctor came, I asked her where the NPP was. She said, "Oh, it's basically the same as every other doctor provides." Then she looked at me like I was asking a ridiculous question.

"But," I replied, "You are asking me to provide my signature to indicate that I have actually received a copy, that I read it, and I understand it. I can't sign this paper without getting a copy and reading it."

The doctor...yes, the doctor...rolled her eyes and muttered something about not having had to "dig one of those out" for a long time, and that "no one else ever wants to see them," but then she did get me a copy. And after reading it, I pointed out to her how it could be improved. It was horribly written, heavy with legalese, but probably was considered to technically meet the HIPAA requirements for the components of an NPP.

If patients don't hold their healthcare providers accountable to follow information security and privacy requirements, and if the HHS does not hold them accountable, then who is going to keep *YOUR* intimate medical details from being printed in promotional materials for medical vendors who provide training or equipment to your provider? Who will keep the healthcare provider workers from spreading your intimate PHI all over town...or posting on the Internet?

You don't want to end up in a situation like Jill, do you?


Comments

Can you tell me if the state of Wisconsin has this law in effect? Where I live, in an independent living facility, they are going to hook up with the "medical" system which doctors use, the "Epic medical system". They claim they can enter this "Epic" system and see my medical records. Is this true? I do not think anyone other than my doctor should be able to read this information. Thank you.

Hi Pat,

Yes, HIPAA applies to all the U.S. states, including Wisconsin.

I've never heard of Epic Medical System before your question, but a quick search turned up this: http://www.epicsystems.com/. If this is the same system that you are asking about, I found it rather odd that their website's privacy policy was about how they participate in the EU Data Protection Directive Safe Harbor program.

You may want to ask your doctors and facility administrators for details about how they protect your PHI, and other personally identifiable information (PII). For example, some questions you could ask...

Do they ensure only those with a business need to perform their job responsibilities can access and see your PHI?

How do they protect your PHI on the network and in computers? Is it encrypted?

Are they sending your PHI outside the U.S.? Since they have a policy written around Safe Harbor (if this is, indeed, their site) it seems they might. If so, why? Who is accessing your PHI outside the U.S.? And how are they protecting it?

There are many more questions you could ask, but this should get a good conversation started.

The short answer is, yes, all healthcare providers, and other covered entities in the U.S., must follow all the many security and privacy requirements as detailed within HIPAA.

Thanks for your message,

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.