Discussion on:

42 Comments
Michael, you should write horror stories; here I am in my world of bliss and almost every article you write scares me half to death. ;)

I just did your same search but on the year 2013 and we already have 5 reported breaches.

Thanks for keeping me and all the readers informed on these various security issues.
1 Vote
Contributr
I've had others make the same suggestion. It would be interesting to see what I would come up with. Or, maybe not.
1 Vote
Moderator
Just because they legislate that things are secure doesn't mean that they are.

Or perhaps you could read that as:

Just because you are paranoid doesn't mean that there isn't someone out there who wants your data for their own ends. ;)

As for protecting your own medical records, personally I don't think that it's possible unless of course you do not involve yourself in paid employment, visit any medical type person (and this doesn't just mean doctors) and generally don't use the Internet.

Even then it's not going to stop all your medical records being available, just what is available, and minimize what data can be mined.

Col
2 Votes
Contributr
It's the thought of all the records going into one huge database, like what they are trying to pull together. I would think the bad guys are beside themselves.
2 Votes
Moderator
The road to hell is paved with good intentions.

The idea of having all your medical records in one location so that in an emergency they are accessible for your treatment is a great idea and will mean things like you not being administered medications you are allergic to.

Of course the downside is that when things break down, whoever gets to look has complete access to the same records. With computer storage it's easier to get lots of different people's medical records, or any other records for that matter. In the past when everything was on paper it took lots of paper to get one person's records, and quite often involved several semis of paper to get a few thousand people's records.

Today those several semis can fit on a CD or something even smaller and be invisible when it's smuggled out of the building. ;)

But this is nothing new. Just because a government says that things should be secure in no way implies that they are, and that an individual will not circumvent the poor in-place security. It's exactly what Bradley Manning is accused of doing, and in that case it's a perfect example of stupidity taking control of the system and no safeguards at all being put in place. The people working there were told not to do something and then were trusted not to do it. :D

Only a complete idiot would believe that that was going to happen; even the bureaucrats know that people are not trustworthy and place ways to at the very least slow the naughty people down a little bit.

But as they always correctly say, any security is only as good as the weakest link, and today that weakest link is very weak to nonexistent. Way too many people will post things like that willingly on FB without a second thought till it comes back to bite them on the A$$. Of course with that belief about their own data they don't think twice about other people's data either.

But then again maybe I'm just paranoid. :D

Edited to add: Incidentally, if you think things are bad now just wait till your genetic data is included in your medical records. When that happens, and it will very soon, things are going to get a whole lot worse.

Currently we have no idea of what new medical developments will be introduced in the next 10 years, let alone any longer, so the detail involved will get a lot more detailed and much more specific to just you, well, at the very least the person whose medical records you have access to.

Col [/maniacal laughter]
1 Vote
Contributr
The PRC website mentioned this about genetic data:

"A 2008 federal law, the Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and most health insurance plans from denying you employment or health benefits based on genetic information. Further, GINA says that neither your employer nor your health insurer can request, require or purchase genetic information about you.

For tips on how to protect the privacy of your genetic information, see the website for the non-profit organization Council for Responsible Genetics (CRG): www.councilforresponsiblegenetics.org/geneticprivacy/tips.html."
4 Votes
Moderator
Do you honestly believe that most people, when asked for this data, will not simply say yes?

Currently we don't have one overriding test where a simple sample can be taken and analyzed cheaply. It's coming, so that medical professionals will be able to treat the person for things that they don't as yet have but are likely to get. It's called preventative medicine. ;)

There are also many other things as yet not perfected that are going to very quickly outstrip any current legislation, and as an example I call your attention to the genetic sample attached to all medical records in The X-Files.

While I very much doubt that we'll have that type of thing, I do believe that we will have something similar without the need to store samples in everyone's medical files.

But by the same token I don't see why it will be necessary to keep medical records and financial information separate. Some bright spark will decide that some sort of centralized database covering everything about everyone is a great idea and start the ball rolling to get it.

I'm betting that they'll even roll several organizations with their own legislation into one and give it a fancy new name with lots of lovely sounding legislation which has even less protective power than is currently available.

Col
3 Votes
Moderator
HIPAA
GSG 7th Jan
I'm the HIPAA security officer for my organization, and the number one thing I tell people is to never give your social security number. You'll be asked for it multiple times, but decline to give it. Also, if you have a PO Box, give that as your address.

All breaches are reportable, but not all incidents are breaches. In January each year, all incidents that are classified as breaches have to be reported to CMS for your state. If a breach is 500 or more records, those have to be reported immediately, and in some cases have to be reported to media outlets in your state, and surrounding states.

The majority of breaches that occur are still related to paper. For example, a recent one was a storage locker that went up for auction due to non-payment. When the buyer opened the boxes, he found that they were full of medical records for an entity that no longer existed. There is nothing in place to take records when a provider retires, dies, or is otherwise no longer practicing. The buyer contacted that state's CMS office, and they had no idea what to do. They told him to shred them, which he did.

The next highest number of breaches occur when devices are lost or stolen. This is easily prevented by encrypting the device, but more importantly, by not allowing data to be stored locally. Workstations, laptops, and mobile devices should be set up so that even if a user puts something on the desktop, it's wiped out when they log out.

After that, cases of identity theft occur when criminals deliberately work to get someone hired at an organization, usually in registration, and systematically steal people's identities.
1 Vote
Contributr
Your experience and comments are appreciated and agree with what I have been seeing when I do a PRC search.
0 Votes
Paper
dhearne@... 11th Jan
It should be noted that paper records are not part of the security rule, only electronic records. So, the example of the storage locker given above, while considered a privacy breach, has no 'required' security rules associated with it.
2 Votes
Clearly
Altotus 7th Jan
Privacy does not exist; the law is an illusion that it does, but reality is clear. So why does the law exist? To access your records that should have been private.
1 Vote
Contributr
As I see it, if those who need to see my records get to, great. I am concerned about those who aren't supposed to and the "lax care" afforded our records currently makes it easier for them to sneak a peek.
1 Vote
Medical Privacy
radar_z Updated - 7th Jan
Medical Privacy even under HIPAA is far from solid. For years insurance companies and Medicare have requested your medical records to see what the doctor did, was it a covered benefit, and especially is there documentation to support the charge code submitted for payment? Medicare and insurers look for every possible way to down-code, i.e. pay less for the service provided. Doctors and their billing departments do make errors, but insurers and Medicare are fraudulent much more than doctors in trying to pay less than is deserved. But I digress. You (and I) don't know who gets to see your records. If you are referred to a specialist or admitted to the hospital or seen in an emergency room, how many people do you think see or have access to your records? Fortunately people working in Medicare or an insurance company don't have time to read (and copy) your medical record. And lawyers sometimes will try to get records without proper authorization or signed releases. I have had lawyers threaten me if I did not give them ORIGINAL records rather than COPIES.

Privacy is not what you think it is or should be.

I'm curious to learn what kind of situation would put you in that position. If I'm being too inquisitive, just tell me to knock it off.
0 Votes
Michael, I am not sure which point you want me to expand upon. I'll start with the last comment about lawyers. Before I retired our small multispecialty clinic used film in our x-ray studies. The lawyers wanted our original films for court cases, but if those films were damaged, destroyed or lost, we would not have the films for comparison when studies like chest x-rays were repeated. Now with digital recording of x-ray studies the "copies" are the same as the "originals." As to Medicare problems, we would have a doctor order a chest x-ray on somebody scheduled for surgery. The doctor would just put "pre-op" for a history. He/she would not say that the patient had a history of bad lung disease or heart failure. Medicare will deny any chest x-ray done on a person before surgery. Many people do not need a chest x-ray prior to surgery, but Medicare does not trust the ordering physician to have the knowledge or the good sense to decide who needs a chest exam before surgery. Most of the time I would then review the medical record and find out what was wrong with the patient and why the chest x-ray was ordered. Then we would resubmit the bill to Medicare and almost always get paid. I did this even though I knew by the time I saw the record, added the additional history and then we re-billed Medicare, there was no profit. But I refused to give my services away for free. Incidentally, by now I have seen the patient's record, my clerk has and probably the person in billing has seen the record. Privacy? Not as much as you might think.
0 Votes
Contributr
I understand now and I would like to thank you for going the extra bit to help people. As I see it, I'd want you looking at my records.

At least in hospitals with computer systems and an electronic medical system, ALL accesses are tracked and logged. If you're not that person's doctor, PA, nurse, surgeon, or nutritionist, or in finance or quality, you'd better have a good reason for looking at a record, or expect to find another job and pay a very large fine.
2 Votes
Contributr
Is access being gained by those not under any regulation, or by bad guys that are well aware that what they're doing is not legal?

In a busy hospital, what's a little password sharing between busy non-IT staff?
2 Votes
+ -
Moderator
HIEs
GSG 8th Jan
Your privacy will soon be at an even higher risk. With the HITECH act that was part of ARRA, hospitals must meet different levels of meaningful use, or they will be penalized through reduced Medicare and Medicaid payments. As part of that, it was mandated that all covered entities participate in a Health Information Exchange, or HIE. This means that your information, without your permission, will have to be sent to the HIE, and participating organizations will have access to your information at will.

At this point, there's no good way to lock that information down. Luckily, you can't participate in an HIE if there's not one, and there are very few out there right now. Hopefully, they will get the kinks worked out, but don't hold your breath.
3 Votes
Contributr
I was trying to remember the acronym HIE. Those are the repositories that will decide our fate.

Before this abomination was flushed out of the goobermint commode all over our privacy I warned, and warned and warned and warned everyone who would listen that the above, and worse, would be the INTENDED result.

General rule 1: whatever government says is the goal of a "law" is actually the target. "protecting your privacy" means invading it without recourse. "stopping terrorism" means terrorizing the people with fake bogeymen. (see HL Mencken on that score)

You're not paranoid, Michael, not in the least. Keep it up and keep going, there's bound to be a critical mass someday that'll stand up and put an end to this kind of deceitful meddling.

BTW when this abomination was the topic of the day in DC I had fairly regular access to a lot of congress critters. Almost all of them pretended to understand the dangers, but it became clear after the fact that congress does not work for the people that elect them... not even close.

Government itself and to a lesser degree the insurance companies wanted this "law." Of course the goal was to get their hands on every bit of info about every last living being possible. (of course nowadays they announce they read every email, monitor every call etc and just about nobody gives a crap)

I can't wait until 'we the people' simply refuse to be mindless drones for this magical mind control mechanism we call "the state."
4 Votes
Contributr
One of my must-reread-yearly authors. The gentleman knew what he was doing and could write.

At the hospital system where I work we just started using a pharmacy database that pulls in every prescription the patient has gotten from a major pharmacy in the last six months. It is a requirement of the Joint Commission for Hospital Accreditation that hospitals reconcile all patient meds, home and in the hospital, so this is another tool that we have to use.

Many patients ask how we got the information. The information comes from an insurance database that keeps track of every prescription that your insurance or Medicare plan has paid for. The only way out is to opt out at the pharmacy when it comes to their privacy practices. How many of you have even read your pharmacy's privacy practices, much less opted out of them reporting your medication history to anyone that asks?
0 Votes
Contributr
I appreciate your input. Would that insurance database be similar to or actually the MIB?

The insurance database mentioned is called a pharmacy benefits manager, or PBM. I encourage you to do some research to really get worked up about these nefarious organizations.

These companies, such as ExpressScripts and Medco, are a kind of intermediary in the pharmaceutical transaction process. Even if a patient opts out at the pharmacy level, the PBM is still collecting the data, they just don't get to share it with the pharmacist.
0 Votes
Contributr
I appreciate your answer, I read about those during my research.
0 Votes
The vast majority of these breaches in fact are not "breaches" but loss of the device - most left on airplanes, taxis, etc. If (and that is a big if) the IT provider is doing their job, the device can be tracked, erased and disabled. Additionally, and most importantly, whole disk encryption needs to be employed making the data completely useless to anyone without the proper credentials and those credentials have to meet certain complexity criteria. Removal of the disk will not provide a workaround.

Also, you failed to mention the financial penalties involved for the companies that fail to secure their data and the incentives on the whistle-blowers to report such instances. These penalties are enormous (often multiples of yearly revenue) and motivate most well-intentioned organizations to protect their data as best they can.
0 Votes
Contributr
We can argue your use of "vast majority" but that was not my intent. My goal was to raise people's awareness of what is currently happening.

I also question your saying "penalties motivate most well-intentioned organizations." That does not sound like what a well-intentioned company would base their ethics on. And penalties are just a small part of the entire risk-assessment done by the company. There are several instances where an assessment was done and the penalty was cheaper than incorporating the fix. So guess what they did.
0 Votes
My wife and I have to file HIPAA permission forms every year in Minnesota, or if one of us is hospitalized the doctors can't inform the other. She's on my medical insurance, but if they call up about something for her I can't discuss it with them.

Yet... every yob in the county health department can get their hands on any of our medical records along with dozens (hundreds?) of others.

"I'm from the government and I'm here to help you." RUN! Run to the nearest exit!
0 Votes
Contributr
I do the same, I never thought of it, but I wonder if that is a federal or state requirement.
0 Votes
Yes.
dhearne@... 11th Jan
It would definitely be better if health care professionals were unable to get to your medical records without your explicit permission every single time, wouldn't it? What if you are unconscious?

Do you have any concept of how many people MUST touch your records for a normal office visit to take place? Would you prefer that there were NO rules to govern what or how those people handle your information?

The county health department cannot request your records without reason, this is part of the protection that HIPAA provides. Public health concerns ARE a valid reason. How do you think things like TB outbreaks are noted and contained so quickly? Records are pulled for everyone who may have had contact. Have you had your immunizations? Are they up to date? Good, you won't be bothered. If you have not, you will be asked to seek medical attention so, you know, you don't die.

What happens if you are in a car accident in another state? Should health professionals be required to seek your permission before viewing your records and providing treatment?

I have news for you. In most cases, your records simply represent a unit of work for the people involved, including the doctor. The sooner they can be shot of your lab-work and your records, the better.

Your doctor CAN, indeed, discuss your wife's medical conditions, care, and payments with you as long as she does not object. However, your doctor WILL NOT do so over the phone simply because you say you are her husband. Were he to do so, the incident would be seen as a breach and reported.
0 Votes
Contributr
You bring up valid points. It once again shows the complexity of what we are dealing with.

...for bringing this to light.

If you do a Google search for 'tweets from surgery,' you'll find another disturbing trend.

And no, you're not at all paranoid. I wish more would become aware, and aware to the point of asking a *lot* of questions.

I think we, as a society, have crossed the line with 'technology.' There is a growing, all-pervasive attitude that personal privacy and security are of no concern. A simple thing like checking permissions on an app for unknown(s) having complete control and access of your device seems to be a thing of the past.

And the marketing of 'social presence' as somehow being mandatory starting almost at birth is hard to comprehend.

I don't know the answer...
0 Votes
Contributr
I did the search, that was strange. I wonder what the benefit is?

As a long time health care administrator and CIO, the opinions and fears of those outside the industry point out my own myopic view of how we protect the privacy of our patients. Thank you for addressing this important topic.

I truly believe that the majority of medical practices -- your local physicians -- are not only well intentioned, but actually do a good job of ensuring the privacy of their patient information. When HIPAA first took effect I thought it was a colossal waste of time because we were already protective of this sensitive information. We've been force-fed HIPAA for so many years, though, that many practices are indeed driven by fear to be protective of the information, often to the chagrin of our patients and staff. Internally, we require strong passwords, lock down computers, encrypt hard drives, restrict and sandbox wireless networks, and so much more. We require photo ID of patients, and have numerous (lawyer approved) forms for information release, family members we can talk to, if we can leave a voice mail, ad nauseam. Beyond that, there are red flag rules that govern how we handle financial transactions. It is a pain for us all, but patients appreciate our being conscientious about their privacy.

I feel the real problem and danger with health data leakage is actually with the "allowed" information release pathways. By allowing an insurance company to pay medical claims on our behalf, we grant them the right to request all the medical information they want--and they do. By filling a prescription and having your insurer pay for it, you've given the pharmacy benefit manager the ability to aggregate your drug use data. Think about that for a moment.

The insurers need this information ostensibly to adjudicate claims. It is folly to think that is all they do with that data. An individual patient's health data isn't all that interesting, but when you have data on thousands and thousands of patients, well that's another story.

Having said all of this, I believe that the move to electronic health records has created a more secure environment in the physician office than the paper world provided. A fundamental difference is that we can restrict who has access, can quantify who has accessed the record, and easily see what was looked at and if it was passed along--something we could never do in the paper world. Unfortunately, this makes any data breach potentially much larger and far more catastrophic.
0 Votes
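The access-audit control that two commenters describe above (the hospital commenter's "ALL accesses are tracked and logged" and the CIO's point that an EHR can quantify who accessed a record and what they looked at), worked through as an added example. This is not code from the original thread or from any EHR product. It assumes a hypothetical pipe-delimited audit-log format, a care-team roster keyed by patient ID, a reason field used for break-the-glass access, and that finance and quality roles are exempt from the care-team check; the log lines, user names and patient IDs are constructed. The bulk-snooping check also covers the registration-insider pattern the HIPAA security officer described earlier in the thread.

```python
"""Review an EHR access-audit log against the care-team roster.

Added example, not code from the page or from any EHR product. The log
format, roster, role names and reason codes below are assumptions, and the
sample data is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Roles allowed to open any chart as part of their job. The thread names
# finance and quality; treating them as exempt from the roster check is an
# assumption of this example.
EXEMPT_ROLES = {"finance", "quality"}

# Reason codes that justify an access outside the care team (hypothetical).
BREAK_GLASS_REASONS = {"emergency", "public-health"}

# Constructed care-team roster: patient ID -> users on that patient's team.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz", "pa.kim"},
    "P1002": {"dr.lee", "rn.ortiz"},
    "P1003": {"dr.patel", "rn.chen"},
    "P1004": {"dr.patel"},
}

# Constructed audit lines: timestamp|user|role|patient|action|reason
SAMPLE_LOG = """\
2013-01-07T08:01:10|dr.lee|physician|P1001|view|
2013-01-07T08:05:42|rn.ortiz|nurse|P1002|view|
2013-01-07T08:07:00|billing.ng|finance|P1003|view|
2013-01-07T08:09:15|reg.smith|registration|P1001|view|
2013-01-07T08:09:40|reg.smith|registration|P1002|view|
2013-01-07T08:10:02|reg.smith|registration|P1003|view|
2013-01-07T08:10:30|reg.smith|registration|P1004|view|
2013-01-07T09:30:00|dr.patel|physician|P1001|view|emergency
2013-01-07T11:00:00|rn.chen|nurse|P1002|print|
"""


def parse_log(text):
    """Parse the hypothetical audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action, "reason": reason,
        })
    return events


def on_team(event, roster):
    return event["user"] in roster.get(event["patient"], set())


def is_authorized(event, roster):
    """True if the access needs no further justification."""
    if event["role"] in EXEMPT_ROLES or on_team(event, roster):
        return True
    return event["reason"] in BREAK_GLASS_REASONS


def find_unjustified(events, roster):
    """Accesses by users outside the care team with no break-glass reason."""
    return [(e["user"], e["patient"], e["action"])
            for e in events if not is_authorized(e, roster)]


def find_break_glass(events, roster):
    """Out-of-team accesses covered by a reason code: queue them for review."""
    return [(e["user"], e["patient"], e["reason"]) for e in events
            if e["role"] not in EXEMPT_ROLES and not on_team(e, roster)
            and e["reason"] in BREAK_GLASS_REASONS]


def find_bulk_snooping(events, roster, threshold=3):
    """Users who opened >= threshold distinct charts they are not on, per day."""
    per_user_day = defaultdict(set)
    for e in events:
        if e["role"] in EXEMPT_ROLES or on_team(e, roster):
            continue
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    return {k: sorted(v) for k, v in per_user_day.items() if len(v) >= threshold}


def review(text=SAMPLE_LOG, roster=CARE_TEAM):
    """Run all three checks and return the findings."""
    events = parse_log(text)
    return {
        "unjustified": find_unjustified(events, roster),
        "break_glass": find_break_glass(events, roster),
        "bulk": find_bulk_snooping(events, roster),
    }


if __name__ == "__main__":
    for name, findings in review().items():
        print(name, findings)
```

On the constructed data the review flags the registration clerk who opened four unrelated charts in a minute (both as unjustified accesses and as bulk snooping), the nurse who printed a chart she is not assigned to, and lists the physician's emergency access separately so that a reviewer can confirm the reason after the fact rather than block the access at the time, which matches the "what if you are unconscious?" point raised later in the thread.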
Contributr
Your comments mirror much of the material I gleaned from my interviews. What you are concerned about is also what concerns others. Your example is similar to mine when I tell people whether they use their credit card on the internet or not is immaterial. What matters is they used a credit card, and their information now resides in a database/s.

Also, thank you for taking the time to share your experiences, it is certainly appreciated.
-1 Votes
The HITECH Act expanded a "person" at a "covered entity" that is subject to the privacy and security rules of HIPAA to include not only providers, but all employees. In addition, the HITECH Act also expanded the definition of a "covered entity" to include any business associates. These are outside firms that work with the medical information safeguarded by a covered entity. Furthermore, should a business associate further subcontract any work, that subcontractor, too, is considered a "covered entity".

HIPAA is not perfect, but it is better protection than that which existed before, which was none. I can tell you from experience that almost every medical provider views the minimal protections that HIPAA gives the consumer as an unnecessary burden on their time and effort. The fact that HIPAA requires a breach to be reported and tracked exposes just how lightly medical professionals take your privacy. It also requires that breaches are reported to professional and state regulatory bodies. The staggering numbers show that HIPAA is working, even if it does give ammunition to alarmist conspiracy nuts who do incomplete research, like Mr. Kassner.
0 Votes
Contributr
I have never been called an alarmist conspiracy nut before. As for incomplete research, you are entitled to that opinion.
0 Votes
cripes
pgit 12th Jan
FWIW Michael, you're one of the few voices in the dark bothering to tackle the sticky wickets... I hope you stick around for a long while. :)
0 Votes
Contributr
I hope I'm just presenting the facts in such a way everyone can make an informed decision. If I was attempting FUD, I believe I would approach my writing quite a bit differently.
0 Votes
Pro
Test Post
Gdl_kinG 25th Jan
User reported issues with posting.

TechRepublic Support