Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still, it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft? Shouldn’t OCR help protect victims?

Proposed United States medical privacy rules deemed inadequate

In Tennessee, the theft of 57 computer hard drives at a health insurance call center exposed personal information on as many as one million people. In Virginia, the hacking of a government prescription database compromised millions of records. In California and beyond, celebrity peepers have snooped on the medical particulars of stars.

This is already a digitized world, as the health system juggles vast volumes of the most deeply private information. Add to that the acceleration in US doctors’ offices of electronic record-keeping, spurred by hefty aid from a government eager to reap efficiencies in medical care.

Trying to keep all of that information properly corralled is a tall order. And President Barack Obama’s administration has backtracked on a major attempt to sort out the thicket of privacy rules supporting that effort.

The Health and Human Services Department published a set of regulations governing how health care providers must respond when medical privacy is breached. The rules, although not final, had the force of law. But now the department is retracting them. “This is a complex issue,” the department said by way of understatement.

Privacy advocates and members of Congress had sharply criticized the controls as inadequate. After a period of reflection — and reportedly pressure from the White House — the department appeared to agree…

Watchdogs asserted that health professionals should not be the judge of whether a breach is significant enough to a patient’s livelihood or reputation. “That puts the foxes in charge of the hen coops,” says Dr. Deborah C. Peel, founder and chair of the Patient Privacy Rights Foundation, which presses for strict consumer safeguards. “It shows the incredible overbearing influence of industry in the crafting of regulations. The idea that someone else knows when you’re harmed better than you do, doesn’t make sense.”

HHS Withdraws Controversial Breach Notification Rule under HITECH

A recent HHS decision to withdraw the HIPAA final “breach notification” rule drew praise from patient privacy advocates, who cited the need for stronger privacy protections…

The Patient Privacy Rights Foundation, a privacy watchdog organization, called the move “a huge step in the right direction,” and reiterated its objections to the “harm standard.”

New privacy rules, old technology creating a lot of headaches

What’s driving people craziest about the big national push to convert to EMRs? Maybe it’s the technology that some people don’t like. Maybe it’s resistance to change. Perhaps it’s the short timeline to implement before the stimulus program starts: Oct. 1 for hospitals, Jan. 1 for physician practices. There’s a lot of uncertainty, too, since the rules for “meaningful use” of EMRs aren’t final yet and are very much subject to change.

All of those are legitimate concerns, but they pale in comparison to the privacy issue.

The American Recovery and Reinvestment Act tightens HIPAA privacy and security rules, though just like the 1996 HIPAA legislation, it leaves many of the details up to the regulators at HHS. The 2002 “treatment, payment and healthcare operations” exception to the privacy rule is disappearing, meaning that healthcare organizations will have to obtain consent before disclosing personally identifiable health data to third parties.

Health Care’s Digital Privacy Debate

As President Obama has learned over the last year, Americans tend to get angry when you try to fix the country’s dysfunctional health care system. But even as the national debate over universal coverage drags on, there’s another sticky issue ahead for health reform: digital privacy.

In a study released Monday by the privacy-focused Ponemon Institute, Americans registered a deep distrust of anyone in either the federal government or private industry who might store digital health records like those that the Obama administration has encouraged hospitals to create. Of the 868 Americans surveyed about their views on digitizing and storing health records, only 27% said they would trust a federal agency to store or access the data, the same percentage as those who would trust a technology firm like Google, Microsoft or General Electric.

Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records

Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video may be putting you at risk for medical identity theft, Dartmouth researchers find.

If President Obama has his way, the medical records of every American will be digitized by 2014. The stimulus package includes $19 billion in funding to pay for the effort and calls for the appointment of a chief privacy officer to advise the U.S. Department of Health and Human Services on how best to protect this sensitive information. If a new study of how easily your medical records can be found online by others is any indication, the new chief privacy officer (to be appointed over the next 12 months) will have his work cut out for him, because an increase in digital medical records would likely mean an increase in medical identity theft.

Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College’s Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly, because the researchers would have had to search individual computers on each of the P2P networks they visited.)

Economic Stimulus Package Likely To Cost $850 Billion, With Up to $90B for State Medicaid Programs

The economic stimulus package under development by President-elect Barack Obama and congressional Democrats likely will cost almost $850 billion, including up to $90 billion in additional federal funds for state Medicaid programs…

…In related news, privacy and civil liberties groups on Wednesday sent letters to Pelosi, Senate Majority Leader Harry Reid (D-Nev.), and Obama to encourage them to include privacy protections in any provisions in the economic stimulus package that seek to increase adoption of EHRs, CongressDaily reports. The groups — which included the American Civil Liberties Union, Consumer Action, the National Association of Social Workers and Patient Privacy Rights — said that such protections are needed to prevent unauthorized access to and sale of the medical information of patients. At a briefing on Wednesday, Ashley Katz, executive director of Patient Privacy Rights, said, “We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will.”

Sen. Olympia Snowe (R-Maine), Rep. Edward Markey (D-Mass.) and Rep. Lloyd Doggett (D-Texas) have expressed support for such protections. Markey in a statement said, “Without robust safeguards, the health IT systems we are planning for today could turn the dream of integrated, seamless electronic health networks into a nightmare for consumers.”
Bipartisan Coalition Sends Letter To Congress Urging Privacy Protections With Health IT

At today’s news conference, the Coalition for Patient Privacy is releasing a letter sent to Congress advocating for the inclusion of privacy safeguards with any funding given to implement health IT systems in the proposed economic stimulus package.

In the letter, the bipartisan coalition, representing over 30 organizations, individual experts and the Microsoft Corporation, welcomes the renewed commitment in Congress to protecting consumers over special interests, but makes clear that trust is essential to health IT adoption and participation, and only attainable with privacy protections.

The coalition is calling on Congress to “A.C.T.”, by providing: accountability for access to health records, control of personal information, and transparency to protect medical consumers from abuse. Consumer trust is essential to health IT adoption and participation, and only attainable with privacy safeguards. Through these three tenets, implementation of health IT is not only attainable, but would protect the right to privacy for consumers, employees, and providers.

Coalition wants privacy included with healthcare IT funding in stimulus package

WASHINGTON – The Coalition for Patient Privacy urged Congress Wednesday to include privacy safeguards with any funding earmarked for healthcare IT in an economic stimulus package expected to hit President-elect Barack Obama’s desk shortly after inauguration.

The bipartisan coalition, representing more than 30 organizations, individual experts and the Microsoft Corporation, said trust is essential to public adoption of healthcare IT…

…Ashley Katz, executive director of Patient Privacy Rights, said the coalition is asking for “very basic, common sense protections.”

“We all want to innovate and improve healthcare. But without privacy, our system will crash as any system with a persistent and chronic virus will,” she said. “Americans will avoid participation or, worse, avoid care altogether and undoubtedly misrepresent the truth about their medical history.”

Report: Putting Health IT in Stimulus Would Be Catalyst for Adoption

A panel of health industry experts urged Congress Monday to include health information technology measures in the economic stimulus package widely expected to become law in the weeks following President-elect Barack Obama’s inauguration.

Doing so would be “a breakthrough” for health IT adoption, Chip Kahn, president of the Federation of American Hospitals, said at a briefing to release a new report touting health IT by the consulting firm Booz Allen Hamilton. “The broad adoption of health IT requires the kick-start of federal funding and interoperability policies that first prioritize the free flow of the most essential medical data.”

In recent days, some news reports have suggested that the stimulus will include $20 billion to promote the adoption of electronic medical records, though support has not been unanimous.