Blue Cross Blue Shield accidentally releases medical data of 3,700 members

A printing error on EOBs disclosed private medical information of about 3,700 Delaware Blue Cross Blue Shield members to the incorrect subscribers.

Information on one side of the form contained a recipient member’s correct name; the other side contained the name of another member and information about their medical treatment. Letters were mailed to subscribers to notify them of the error.

Insurance Commissioner Matt Denn announced a hearing at 1 p.m. Dec. 30 at the Wilmington office of the insurance department to investigate how this happened and what should be done to correct the problem. This is the first major privacy violation in his 4 years in office.

When Complaining About Your Job Becomes a Privacy Violation

A woman in Pennsylvania likely thought she was just complaining about her job in the way that millions of people do every day. But Stephanie Sicilia, who works for an OB/GYN, has placed herself and her employer in jeopardy of hefty fines and even imprisonment after she allegedly complained about patients on her MySpace page.

The MySpace posts didn’t mention patients by name, but at least one patient said she recognized the identity of a patient who was described in a post as having an abortion. The posts could be considered violations of the Health Insurance Portability and Accountability Act (HIPAA).

Penalties for violating HIPAA vary, depending on the nature of the violation. A common penalty is a fine of up to $50,000 and/or a year in prison.

Senators consider their options for health IT overhaul

Senators Enzi and Kennedy discuss legislation linking a nationwide electronic database to economic stimulus.

An aide to Health, Education, Labor and Pensions ranking member Michael Enzi said today that the senator has not seen sufficient details of an economic proposal to know whether adding health IT to the mix would “blow the budget.” HELP Chairman Edward Kennedy and Enzi introduced legislation more than a year ago aimed at reducing health providers’ administrative costs and minimizing the sometimes fatal errors caused by a lack of patient information. Privacy issues and funding concerns prevented the measure from reaching the floor.

CIGNA Chief Medical Officer Jeffrey Kang, at a health IT conference today, cited Obama’s campaign pledge to invest $10 billion per year over five years in health IT and lawmakers’ continued interest in the issue. “We’ve gone as far as we can vis-a-vis what the private sector can do. Now it’s time for [government] to fill in the gaps that the private sector can’t do by itself,” he said.

5 Bay Area firms named 2009 Technology Pioneers

From Proteus Biomedical… Can’t remember if you took your medicine this morning? Don’t worry, the pill sent a reminder to your cell phone as it went down the hatch.

Proteus Biomedical envisions a future when drugs and medical devices do double duty. Beyond their core role as therapies, a drug capsule or pacemaker could become a scout inside the body, dispatching data back to patients and doctors. The company’s digestible microsensors, about the size of a grain of sand, are activated by the watery environment of the digestive tract. From there, the encrypted information is sent wirelessly to Proteus and compiled into an online chart that can be checked by patients and others they authorize, such as their doctors and relatives.

Aggregate information collected by the company, stripped of patient identities, could become a valuable data bank to track global drug use and to follow disease outbreaks, he said. The worldwide data points could be captured by Global Positioning System devices. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said such medical tracking systems might jeopardize patient privacy. “It’s not that they’re necessarily going to create a privacy problem, but there are real risks that have to be fully assessed,” he said.

Obama Policymakers Turn to Campaign Tools

Network of Supporters Tapped on Health-Care Issues
Barack Obama’s incoming administration has begun to draw on the high-tech organizational tools that helped get him elected to lay the groundwork for an attempt to restructure the U.S. health-care system.
Former senator Thomas A. Daschle, Obama’s point person on health care, launched an effort to create political momentum yesterday in a conference call with 1,000 invited supporters culled from 10,000 who had expressed interest in health issues, promising it would be the first of many opportunities for Americans to weigh in.

The phone that feels the flu before you do (AP)

The “Zicam Cold & Flu Companion” warns Google phone users of the number of people who are sneezing and shaking in their zip code.

Matrixx Initiatives Inc., an Arizona company that makes over-the-counter cold and flu remedies under the Zicam brand, released a program this week for the T-Mobile G1, also known as the “Google phone,” that warns the user how many people in an area are sneezing and shaking with winter viruses.

The “Companion” is available for free from the Android Marketplace, and will soon be available on the iPhone. Google Inc., which created the G1’s operating system, launched its own state-by-state Web-based flu tracker recently.

HIPAA Privacy Complaints Drop by 35% in November

OCR said it received only 421 complaints in its HIPAA privacy enforcement program in November 2008 for a total of 40,669 complaints since the program started in April 2003. OCR received 656 complaints in October.

Of the 11,355 complaints that fell within OCR’s power to act, 7,570 required corrective actions by the covered entity. The remaining 3,785 investigations did not uncover a HIPAA violation.

In other words, about one-third of the complaint investigations uncovered no violation.

About 18.6% of total complaints resulted in changes in the policies and procedures of the covered entities in November.

After five years, HHS still has not imposed a civil penalty. HHS pointedly did not impose civil monetary penalties in its agreement with Providence Health (08/08 HIP/SA, p.1). That enforcement action, according to industry observers, mimicked the FTC’s approach to data security issues.

Moreover, the facts of the case indicate that Providence was held accountable for HIPAA security violations rather than privacy violations.

OCR said that it resolved more than 80% of all complaints received. However, that percentage also includes the sizeable number of complaints that did not fall within HHS’s jurisdiction or for some technical reason, about two-thirds of total complaints.

RFID Chips: A Privacy And Security Pandora’s Box?

A research article published in the current issue of the International Journal of Intellectual Property Management suggests that Big Brother could be opening a privacy and security Pandora’s Box if human rights, particularly regarding data protection, are not addressed in the design of new RFID applications.

Radio-frequency identification (RFID) chips can be found tagging everything from groceries and clothing to the experimental swipe-free credit cards used to pay for those goods. They are found in library cards, warehouse inventories, and under-skin pet tags. They are also used for prisoner and parole tags, in hospital patient wristbands, and in smart passports.

According to Eleni Kosta and Jos Dumortier of the Katholieke Universiteit Leuven in Belgium, the benefits of RFID technology in innovation are beyond question. However, the threats posed to personal privacy should be taken into account at the design phase of the applications. Their increasingly widespread deployment means individuals do not necessarily know when, how and what kind of information about them is being transmitted at any given time from an RFID in a passport, in their shopping bags, or even when they visit the library.

No data-mining zone

1st Circuit Court of Appeals ruling upholds New Hampshire law preventing pharmacies and data-miners from using physician prescribing patterns for marketing research.

The plaintiffs in the New Hampshire case, data-miners IMS Health and SDI Health (formerly Verispan), argued that the law infringed upon their free speech rights. Industry stakeholders eHealth Initiative, the National Alliance for Health Information Technology, the National Association of Chain Drug Stores, SureScripts (now SureScripts-RxHub) and Wolters Kluwer Health filed briefs in support of the industry position. Privacy advocates are thrilled the claims were rejected. Pam Dixon, Executive Director of the San Diego-based World Privacy Forum, a not-for-profit advocacy group, said the decision in the New Hampshire case “sets a critical precedent.”

Palmer Jones, executive vice president of the New Hampshire Medical Society, was happy with the outcome. “Half of the docs in the country don’t even know that when they write a prescription, that pharmacy company sells that information to data-mining companies,” Palmer said. “Once they understand that, it’s overwhelming.”

Two other states, Maine and Vermont, have similar laws restricting data-mining of health information. The Maine law, also challenged in the 1st Circuit, was overturned. The Vermont law is currently being challenged in the Second Circuit Federal Courts.

CMS criticized for lax enforcement of HIPAA security rules

Agency officials disputed the OIG findings but agreed to enhance compliance-assurance activities.
… Patients’ privacy depends on the security of health information, said Deborah C. Peel, MD, founder and chair of the consumer advocacy organization Patient Privacy Rights. “Privacy means you have control of the data, and you can’t have privacy as long as these databases are insecure. Even if you have a totally secure system, if you give out a thousand master keys, the security is meaningless.”
Dr. Peel said such risks generally would not come to light in a largely complaint-driven process. “People can’t complain, because they don’t know what is going on in these complex systems,” she said, adding that most HIPAA security complaints start out as privacy breaches when patients realize their information was disclosed improperly.