
HIPAA Applies To Those Who Don’t Know About It

Posted on May 17, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now here’s a pretty how-de-do for HIPAA lawbreakers. According to a new appellate decision in California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and, obviously, got caught). After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up in the United States District Court for the Central District of California. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data spying was illegal under HIPAA. Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA] is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words, if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee? If it were my PHI, that’s where I’d be venting my wrath.

Fitbit Privacy or Lack Thereof – Exposing Sexual Activity of Its Users

Posted on September 13, 2011 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Well, privacy rears its ugly head in healthcare again. I don’t want to treat a person’s privacy lightly, but I must admit that I kind of had to laugh at the breach I’m about to tell you about. I think you’ll see why.

I first read about this privacy breach in this Techcrunch article (they originally found it on nextWeb). Here’s a quote from the Techcrunch article:

Yikes. Users of fitness and calorie tracker Fitbit may need to be more careful when creating a profile on the site. The sexual activity of many of the users of the company’s tracker and online platform can be found in Google Search results, meaning that these users’ profiles are public and searchable.

I’ve been a big fan of Fitbit and other devices like it that are trying to track a person’s health and fitness. I think there’s a real market for these devices, but this is a pretty ugly misstep for Fitbit. That said, a search for sexual activity and Fitbit is no longer returning results. Here’s the Fitbit blog post which details the steps they’ve taken to secure their users’ profiles. It seems like a reasonable and smart response to the privacy issue.

Before I go any farther, we should be clear that this isn’t a HIPAA violation. The patient put their information online and agreed to have that information out there. We could argue how much they really agreed to have their profile public, but I’m quite sure that Fitbit would be fine in a HIPAA lawsuit. However, that doesn’t mean they’re not taking the hit for poor decisions.

What can future healthcare app and device companies learn from the privacy issues at Fitbit?

1. Default healthcare profiles to private. Allow the user to opt in to make it public. Some might want it public, but no company should assume it should be public. This isn’t Facebook.

2. Consider more granular privacy controls. I may want part of my profile public, but part private (i.e., sexual activity in a fitness application).

3. Be aware of what you allow search engines to index. There’s a whole category of hackers called Google hackers. They use Google to find sensitive information, as in the story above. The power of Google hacking is amazing.
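The three lessons above in code, as an added example that is not Fitbit’s code or any known detail of its platform: a profile model that is private by default, lets the user open individual fields, and tells crawlers not to index anything that is not deliberately public. The field names, the sensitive-field list and the viewer model are assumptions.

```python
# Added example (not Fitbit's code): private-by-default profile with per-field
# visibility and a crawler hint. Field names and SENSITIVE_FIELDS are constructed.
from dataclasses import dataclass, field
from typing import Optional

PUBLIC, PRIVATE = "public", "private"

# Fields that stay hidden even on a public profile unless the user opts them in.
SENSITIVE_FIELDS = {"sexual_activity", "weight", "sleep"}


@dataclass
class Profile:
    owner: str
    data: dict                                   # field name -> value
    profile_visibility: str = PRIVATE            # lesson 1: opt in to public, never opt out
    field_visibility: dict = field(default_factory=dict)  # lesson 2: per-field override

    def visible_fields(self, viewer: Optional[str]) -> dict:
        """What a given viewer may see; viewer=None models a search-engine crawler."""
        if viewer == self.owner:
            return dict(self.data)
        if self.profile_visibility != PUBLIC:
            return {}                            # private profile: nothing leaks
        shown = {}
        for name, value in self.data.items():
            default = PRIVATE if name in SENSITIVE_FIELDS else PUBLIC
            if self.field_visibility.get(name, default) == PUBLIC:
                shown[name] = value
        return shown

    def response_headers(self) -> dict:
        """Lesson 3: ask crawlers not to index pages that are not deliberately public."""
        if self.profile_visibility == PUBLIC:
            return {}
        return {"X-Robots-Tag": "noindex, nofollow"}
```

A weak configuration is the same class with `profile_visibility=PUBLIC` as the default and no `SENSITIVE_FIELDS`: every field of every new account becomes crawlable the moment it is saved.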

Some suggestions to e-patients that put their health data online:

1. Be careful about what information you’re putting online.

2. Check out where the information you put online will be available. Is it private? Is it public? Is it partially public? Can search engines see it?

There’s little doubt that more and more healthcare information is going to be put online by patients. We’re going to see more and more privacy issues like the one mentioned above. This incident will do little to deter this trend. However, hopefully it can serve as a learning experience for Fitbit and other healthcare companies that are entering this new world of online health information.

Guest Post: Meaningful Use and HIPAA

Posted on March 9, 2011 | Written By John Lynn

John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.

Do they go together like peanut butter and jelly?  Cookies and milk?

Nothing quite as good as these…but they do go together…now.

HIPAA has been around for some time. Many argue that HIPAA has no “teeth”. Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?

In steps Meaningful Use.

Buried in the details of the Stage 1 Core Objectives is a single block that refers to the seemingly innocuous statement of “Conduct a risk analysis per 45 CFR 164.308(a)(1)”.

A risk analysis seems simple enough…right?

Dig a little deeper and you’ll see something a bit more unpleasant. 164.308(a)(1) requires the following:

  • Risk analysis – clear enough…
  • Risk management – with reference to 164.306(a) – Uh oh…
  • Sanction policy
  • Information System Activity Review

Whew…now it is starting to get ugly. Where shall we start?

As usual, I like to go from easiest to most difficult.

The easiest thing to tackle here is the Information System Activity Review.

This is a mouthful, but your shiny new Meaningful Use certified EHR will have a report for this, which will cover most of this requirement.

In order for this report to show information that is useful, you need to ensure you have set up the users in your EHR in the correct way.

By this I mean:

  • Each user must have their own login,
  • Each user must only have access to the areas of the EHR that are appropriate for their position,
    • By this I mean, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.
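What those two rules buy you when the activity review runs, as an added example that is not any EHR product’s report: a small role-to-section map (receptionist gets the calendar, nurse gets the medical record) and a review over constructed audit-log lines that flags access outside a role and a login that appears to be shared. The log format, role names and user directory are assumptions.

```python
# Added example (not an EHR vendor's code): least-privilege section access plus an
# information-system activity review over constructed audit-log lines.

# Sections each role may open (assumed; mirrors the post's receptionist/nurse split).
ROLE_SECTIONS = {
    "receptionist": {"calendar"},
    "nurse": {"calendar", "medical_record"},
}
USERS = {"pat": "receptionist", "nina": "nurse"}      # constructed user directory


def allowed(user, section):
    """Rule 2: a user may open a section only if their role lists it."""
    return section in ROLE_SECTIONS.get(USERS.get(user, ""), set())


def parse(line):
    # Constructed format: "<timestamp> user=<login> section=<name> patient=<id> ws=<workstation>"
    ts, rest = line.split(" ", 1)
    event = dict(part.split("=", 1) for part in rest.split())
    event["ts"] = ts
    return event


def activity_review(lines):
    """Findings the activity review should surface, in log order then by user."""
    events = [parse(line) for line in lines]
    findings = []
    for e in events:
        if not allowed(e["user"], e["section"]):
            findings.append(f'{e["ts"]} {e["user"]} opened {e["section"]} outside role')
    # Rule 1 check: one login seen on several workstations in the window suggests a shared
    # account, which makes the per-user record in the review meaningless.
    workstations = {}
    for e in events:
        workstations.setdefault(e["user"], set()).add(e["ws"])
    for user, ws in workstations.items():
        if len(ws) > 1:
            findings.append(f"{user} used from {len(ws)} workstations: possible shared login")
    return findings


SAMPLE_LOG = [  # constructed audit lines
    "2011-03-09T08:01 user=pat section=calendar patient=- ws=FRONT1",
    "2011-03-09T08:05 user=nina section=medical_record patient=1234 ws=NURSE2",
    "2011-03-09T08:07 user=pat section=medical_record patient=1234 ws=FRONT1",
    "2011-03-09T08:09 user=pat section=calendar patient=- ws=NURSE2",
]
```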

Next time we’ll attack the Sanction Policy.

John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA-compliant practices in the simplest, most pain-free way.