What is a picture of my brain doing on a PC in the Philippines? Why Stronger HIPAA Enforcement is Needed
I've been through quite a medical adventure over the past seven months, having had a seizure in January that led to the discovery of a benign brain tumor and its subsequent removal in March.
As I've shared in a prior post, the experience has left me with a much better understanding of just how much data related to my medical history is available electronically and is accessible by a large number of different medical professionals. In my situation, I've been treated at two different hospitals and have seen my personal physician, my surgeon, a few neurologists and a couple radiologists, plus all of their receptionists, nurses and billing personnel. There is also an ambulance service and a health insurance company in the equation.
I have been asked to repeat my social security number and birthdate numerous times, as well as my name, to confirm I am who I say I am. All the while, I'm thinking "I'm not sure I'm comfortable repeating this to everyone, even if you do have a HIPAA policy statement you'd like to give me!"
But, what's that got to do with the title for this post?
Well, in trying to do a little catch up on my back reading, I came across a story in AIS's Health Business Daily on a recent HIPAA patient privacy violation by a plastic surgeon at University of Florida - Jacksonville.
Apparently, the surgeon, Dr. Francis D. Ong, saved digital images of his patients and, in some cases, copies of documents that "may have included names, dates of birth, Social Security or Medicare numbers, and other private data, including some individual patient medical information."
Dr. Ong's practice was apparently purchased by UF, including his computer equipment, but he apparently had a mindset that it was "technically still his", so he donated it. Ong is a leader in the Filipino community in Jacksonville, Florida and regularly organizes large donations to be shipped annually to the Philippines.
Ong has resigned his position with UF - Jacksonville and the Shands Jacksonville Medical Center, although he has indicated he was already planning to not renew his contract.
In the past year, we've seen some incidents surrounding the leaking of medical records of celebrities like George Clooney and Britney Spears, but what happens if it's you or me? In my case, my employer knows of my recent medical issues, but what if I needed to seek employment and someone inappropriately shared records related to my seizure or tumor? How would that impact my prospects for getting the job? What about if I wanted to purchase additional life insurance?
As more and more of our personal health information is available electronically and as more and more healthcare organizations consolidate, as in the case of Dr. Ong's practice, how vulnerable will we become to our information falling into the hands of someone looking to use it to spite you, bribe you, or limit your job opportunities?
The more I have to interact with the healthcare industry, the more certain I am that HIPAA enforcement needs to be taken seriously by the Department of Health and Human Services, the US Congress, and each of us.
Contributed by Mark Tordoff

Personal Health Records provides benefits such as storing and sharing of patients’ health records, ensuring the privacy and confidentiality of patients’ information. This wipes out all the errors associated with the conventional paper-based system. It collects and stores the patients’ health information data from all the sources like hospitals, laboratories, healthcare professionals, pharmacies and insurance companies etc.
Posted by: Personal Health Records | December 05, 2008 at 11:06 PM
Your blog only truly scratches the surface as to how very scary healthcare IT has gotten as doctors routinely demand IT staff set up VPN tunnels everywhere, sharing patient records with many entities (labs, analytics, other hospitals, and other doctor offices) -- all with varying degrees of security and all outside the originating hospital's control. How is patient data controlled? It's not.
Start talking to a doctor about patient and network security and you've put yourself out of a job. Seen it first hand.
The healthcare industry is that scary. Especially with physician-owned hospitals. People should absolutely be concerned as the issue is prolific and catastrophic.
Don't get me started with the inherent insecurities of healthcare-related applications and the complete lack of sense of urgency from healthcare application writers on fixing vulnerabilities...
JMM
Posted by: Jonathan Merrill | July 26, 2008 at 09:35 PM