HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a law that among other things codifies patient privacy rules. It says when a doctor or hospital can release data, when they must release data, when they must not release data, what data they can give to whom, and under what circumstances. Compliance is a highly necessary very expensive legal nightmare — and your doctor probably did not attend law school. The 5 year cost of implementing it is estimated at $22.5 Billion. If you really want to know about HIPAA you might try looking here or here, but the short version is this: healthcare providers must try to keep your private data private; they can send information to your insurance company because you sign a form that says they can; they can send your information to an insurance claims clearinghouse for processing — and they have to keep your data private too — because they are a middleman between your doctor and the insurance company; some data must be reported to a state or local health department under state or local law (e.g., sexually transmitted diseases, signs of abuse); data which does not personally identify you can be used in academic medical studies (“total cases of flu reported” or “male patient presented with unusual symptoms”). There are even limits on what they can tell your immediate family without your direct permission.
Figuring out the rules and helping healthcare institutions follow them is big big business. There is physical security of keeping people who don’t belong out of the files. There is educating the staff so they don’t say things they shouldn’t in front of people who do not have a right to know. There is computer security, since most medical offices use electronic billing and some use electronic medical records. Double this concern if anyone uses the internet to obtain the most up-to-date medical data; triple it if anyone uses email to communicate with patients or other healthcare professionals. Beyond all this, theoretically medical offices must insure that other businesses they deal with are also compliant, from the insurance companies and clearing houses, to any outsourced billing, right down to the cleaning service that sweeps the file room.
These things being said, I offer three current news items with HIPAA concerns. The first happened in Denton, TX. Denton, less than an hour north of Dallas-Fort Worth is home to the University of North Texas. It is also home to a pharmacist who refused to fill a prescription for a “morning-after pill” presented by a rape victim. You may recall having seen this story last week. Today’s news is that the pharmacist in question and 2 coworkers have been fired. Yes, one of the issues was that he violated company policy: “Eckerd’s employment manual says pharmacists are not allowed to opt out of filling a prescription for religious, moral or ethical reasons.” Frankly problems could have been avoided with a proper new employee orientation meeting. The other reason he was fired is that he violated HIPAA, and admitted it on CNN: “I actually called my pastor … and asked him what he thought about it.”
Violating company policy is one thing. Violating Federal law is another.
Another news item with HIPAA compliance concerns is being whipped up by none other than Attorney General John Ashcroft. The Government wants 6 hospitals to hand over sensitive medical records for hundreds of women — to determine whether a medical procedure they may have had was medically necessary. Yes, the procedure is a type of abortion, this time. Maybe next time it will be Botox injections; after all, botulism is a dangerous germ that could be used by terrorists you know. The hospitals in question have correctly maintained that turning over the records would violate patient privacy. Legal wrangling before a series of Federal judges has ensued. From the article: “Citing federal case law, the department said in a brief that “there is no federal common law” protecting physician-patient privilege. In light of “modern medical practice” and the growth of third-party insurers, it said, “individuals no longer possess a reasonable expectation that their histories will remain completely confidential.”” Perhaps the Department of Justice should read the HIPAA rules.
Finally, I present what must at first seem tangential. This week Microsoft admitted there is a security flaw in Windows that “could allow hackers to break into personal computers and snoop on sensitive data.” Or three, including one that could “offer up complete control of the computer. From there, the sky’s the limit: a hacker could install new software (including, for instance, Trojan horses), wipe hard drives, hijack files, or any of a thousand other things.” One computer security firm claims there are 7 more to be reported. TechWeb’s Security Pipeline, in an article about the still circulating “MyDoom” virus, says “In other words, there will be vulnerable machines and those machines will become infected, no matter how heroic your efforts. It’s a reminder that even the leanest of enterprises faces security challenges of daunting complexity. Even the most rapidly responsive IT security team must deal with attacks that spread in minutes.”
Yes, they just said that no matter what you do, your Windows network will be attacked by viruses. And personal data on such a computer or network is not secure. Yes, including personal data on, say, the computers your doctor’s office uses for billing your insurance company. It is therefore my contention that Windows is inherently not HIPAA compliant.
Maybe Ashcroft would have better luck sending crackers after those medical files.
Great site, was just reading and doing some work when I found this page