Group items tagged

The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud. One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

Patients' advocates claimed victory in a battle over the privacy of health records as the U.S. Congress approved the economic stimulus bill, which contains $19 billion for health-care information. U.S. House and Senate negotiators' compromise reflects stricter standards that privacy advocates wanted for marketing, selling and disclosing health data. Both houses approved the $787 billion stimulus plan today and sent it to President Barack Obama for his signature. The legislation contains $2 billion in grants to create a national system of computerized health records and $17 billion in higher Medicare and Medicaid reimbursements for doctors and hospitals to adopt the technology. Electronic records will improve care and reduce costs, Obama said. The legislation also will boost the health-records industry, led by Allscripts-Misys Healthcare Solutions Inc., Quality Systems Inc. and Athenahealth Inc. "We've dramatically improved on the status-quo, wholly unregulated system where private patient data was bought and sold like any commodity," Caroline Fredrickson, director of the American Civil Liberties Union's Washington legislative office, said in an interview today.

A Harvard University fellow has developed a browser extension that stops advertising networks from tracking a person's surfing habits, such as search queries and content they view on the Web. The extension, called Targeted Advertising Cookie Opt-Out (TACO), enables its users to opt out of 27 advertising networks that are employing behavioral advertising systems, wrote Christopher Soghoian, who developed it, on his Web site. Soghoian, a fellow at the Berkman Center for Internet and Society at Harvard and a doctoral candidate at Indiana University, modified a browser extension Google released under an Apache 2 open-source license. Google's opt-out plugin for Internet Explorer and Firefox blocks cookies delivered by its Doubleclick advertising network. A cookie is a small data file stored in a browser that can track a variety of information, such as Web sites visited and search queries, and transmit that information back to the entity that placed the cookie in the browser. Google's opt-out plugin comes as the company announced plans last week to target advertisements based on the sites people visit. Targeted advertising is seen as a way for advertisers to more precisely find potential customers as well as for Web site publishers to charge higher advertising rates. But the behavioral advertising technologies have raised concern over how consumers get enrolled in the programs, what data is being tracked and how the data is protected.

Traditionally, we trust doctors with confidential information about our health in the knowledge that it�s in our own interests. Similarly, few patients object to the idea that such information may be used in some form for medical research. But what happens when this process is subject to scrutiny?How explicit does our consent have to be? Since the introduction of the Data Protection Act 1998 medical researchers have raised concerns over the increasing barriers they face to accessing patient data.These concerns have heightened amongst some researchers since the passing of the Human Tissue Act 2004 introduced in the wake of the Alder Hey and Bristol Royal Infirmary scandals. When scientific advances are unraveling the secrets of DNA and the decoding of the human genome has opened up substantial new research opportunities.Clinical scientists and epidemiologists argue that the requirements being placed upon them are disproportionate to the use they are making of either datasets or tissues samples and, besides, their work is in the public interest.At the heart of the debate lie key questions over trust and consent and how these can best be resolved.To complicate things, it is no longer just medical researchers, but also public health bureaucrats who are keen to have access to our data.Quasi-official bodies have been charged with persuading individuals to change their behaviour and lifestyles in connection with all manner of issues such as diet, exercise, smoking and alcohol consumption.Social Marketing � the borrowing of commercial marketing techniques in the pursuit of 'public goods' � is in vogue amongst public health officials. Empowered by advanced data collection and computing techniques, armed with the latest epidemiological research, and emboldened by a mission to change unhealthy behaviour, public health officials are keen to target their messages to specific 'market segments' in most need of advice.Are government researchers abusing patients' trust? Can an

An Orange County woman accused of using a false identity to obtain breast implants from a plastic surgeon is now facing three felony charges, including commercial burglary, grand theft and identity theft. Yvonne Jean Pampellonne, 30, nicknamed the 'Breast Implant Bandit', appeared in a Westminster court Wednesday. She did not enter a plea and asked that her arraignment be continued so she could hire a new attorney. Pampellone surrendered to police in March after detectives caught up with her using breast implant tracking numbers. Police say that in September of 2008 Pampellonne used the personal information of another woman to establish a line of credit at the Pacific Center for Plastic Surgery in Huntington Beach. Doctors performed $12,000 in liposuction and breast augmentation surgery at the center, police say, charging $12,000 to the phony line of credit and exchanging her existing implants for new ones. Medical staff at the center became suspicious after Pampellonne never returned for follow-up appointments. Because Pampellone had old breast implants replaced, they were able to track her down using the serial numbers that appear on every set of implants. Pampellone faces 3 years, 8 months in prison if convicted. She remains free on $20,000 bail and is due back in court on June 29th.

In New Jersey, and around the country, most doctors still rely on paper records for everything from writing prescriptions to keeping track of their patients' allergies. Only about 1.5 percent of U.S. hospitals have switched to an electronic records systems, and less than 8 percent have even a basic system, according to a recent study by the New England Journal of Medicine.

Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, claiming their privacy has been breached. In March the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work the morning of Monday, March 9, according to hospital security reports. Last week two patients who are HIV-positive filed a suit in Suffolk Superior Court against the hospital and the unidentified billing manager. The unnamed plaintiffs have been joined by two other HIV-positive people. The legal action was first reported in the weekly newspaper Bay Windows. Their lawyer, John Yasi of the Salem law firm Yasi and Yasi, said in an interview he has filed a motion to make the suit a class action that could cover all 66 patients, a significant number of whom are also HIV-positive. "The damages that jump out are the emotional distress surrounding the loss of obviously very sensitive medical information and secondarily the loss of personal security information," he said. "A Social Security number in reality may lead to identity theft, which we all know is a nightmare."

Google never fails to surprise. It's the scope and scale of their ambitions that impresses me ranging as they do from relatively simple applications that are just way cool such as Sky Map, through their Chrome Web browser (which is now looking pretty stable), to the subject of this newsletter: Google Health. Google Health, which was launched as a beta (of course) in spring 2008, is a free repository for your personal health information. Using the service you can create online health profiles for yourself, family members or others you care for (these profiles can include health conditions, medications, allergies and lab results), you can import medical records from hospitals and pharmacies, share your health records with "your care network" (which may include family members, friends and doctors), and browse an online health services directory to find services that are integrated with Google Health. After you sign up you can import your medical records from Allscripts, Anvita Health, The Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of Massachusetts, The Cleveland Clinic, CVS Caremark, Healthgrades, Longs Drugs, Medco Health Solutions, Quest Diagnostics, RxAmerica and Walgreens. What you'll wind up with if you update all of the sections is a pretty complete health profile, which means that privacy has to be a concern. Interestingly, because becoming a subscriber is voluntary it appears that the service is exempt from the provisions of the Health Insurance Portability and Accountability Act of 1996.

Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect that from your friends and even some colleagues - but what about your doctor? A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association. Of the 80 medical-school deans questioned, 60% reported incidents involving unprofessional postings and 13% admitted to incidents that violated patient privacy. Some offenses led to expulsion from school.

"UC San Francisco said late Tuesday it has alerted 600 patients and others that an external hacker may have obtained "temporary access to emails containing their personal information" as a result of a late September phishing scam. The breach occurred about three months ago, and was investigated in mid-October, but wasn't disclosed to the public until Dec. 15. Corinna Kaarlela, UCSF's news director, told the San Francisco Business Times late Tuesday that individuals whose data may have been compromised were notified between Oct. 21, when an in-depth investigation began, and Dec. 11, when it was completed. UCSF said Tuesday that an unnamed faculty physician in the School of Medicine was victimized in late September by the alleged scam. The physician provided a user name and password in response to an email message fabricated by a hacker, that appeared as if it came from those responsible for upgrading security on UCSF internal computer servers. UCSF's Enterprise Information Security unit subsequently identified the breach and disabled the compromised password. UCSF says it conducted an investigation and in mid-October determined that emails in the physician's account ─ including some containing demographic and clinical information and, in a few cases, Social Security numbers ─ may have been exposed."

Dr. Jay Holland of Little Rock and two former employees of St. Vincent Infirmary Medical Center pleaded guilty Monday to misdemeanor violations of the federal medical records privacy law, the U.S. Attorney's Office and the FBI in Little Rock announced. Holland, Sarah Elizabeth Miller of England and Candida Griffin of Little Rock admitted accessing "without any legitimate purpose" the medical records of Anne Pressly, the KATV-TV, Channel 7, reporter who was fatally attacked in her home in October. For the violations of the Health Insurance Portability and Accountability Act, each faces up to one year in prison, a fine of up to $50,000, or both. Sentencing has not been scheduled.