
January 24, 2012

Patient’s Medical Record Posted to Facebook – HIPAA Violation


I’ve generally been writing more about the EMR side of EMR and HIPAA lately. For the most part, it seems readers are more interested in EMR and EHR than they are in the details of HIPAA. Although, one of my top posts ever is from back in 2006 about HIPAA Privacy Examples and HIPAA Lawsuits. It seems that people are most interested in HIPAA when it has something to do with a HIPAA violation or lawsuit.

Today’s HIPAA violation could very likely become a HIPAA lawsuit. It is also a word of caution about training your staff on HIPAA requirements and on the proper use of social media in healthcare.

Anne Steciw posted about the violation on Search Health IT. Here’s an excerpt from her post:

Details of the health data breach provided by the Los Angeles Daily News indicate that the employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission. The employee appeared to be completely ignorant of HIPAA laws.

I’m sure every hospital and healthcare administrator is cringing at this. I’m sure many could share stories of HIPAA issues related to staffing agencies as well. Although, it’s really hard for me to understand how someone even from a staffing agency could be so ignorant of the HIPAA laws. I’m not overstating how ignorant this person was in this situation. The above article explains something even more outrageous and unbelievable:

Even after being told by other posters that he was violating the patient’s privacy, the employee argued: “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor than tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”

To me this is totally mind-boggling. I’m sure many will argue that this person was exhibiting many of the characteristics of the Facebook generation of users. That’s a cop out and an excuse, but it does make a larger point that many of the next generation have these outlandish views of what’s theirs and what’s ok and reasonable. Sadly, far too many people think when it’s humor it’s ok to do anything. It’s not, and I’m sure those dealing with HIPAA violations won’t find it a reasonable excuse either.

One thing I really hate about stories like this is that they give a bad name to use of social media in healthcare. Social media is like most things which can be used for good or bad. It’s a shame if incidents like this discourage people from accessing the benefits of social media.

This is another good example of how our biggest HIPAA privacy vulnerability is people.


September 30, 2011

De-identified Healthcare Data – Is It Really Unidentifiable?


There’s always been some really interesting discussion about EHR vendors selling the data from their EHR software. Turns out that many EHR vendors and other healthcare entities are selling de-identified healthcare data now, but I haven’t heard much public outcry about them doing it. Is it because the public just doesn’t realize it’s happening, or because the public is ok with de-identified data being sold? I’ve heard many argue that they’re happy to have their de-identified data sold if it improves public health or if it gives them a better service at a cheaper cost.

However, a study coming out of Canada has some interesting results when it comes to uniquely identifying people from de-identified data. The only data they used was date of birth, gender, and full postal code data. “When the full date of birth is used together with the full postal code, then approximately 97% of the population are unique with only one year of data.”

One thing that concerns me a little about this study is that postal code is a pretty unique identifier. Take out postal code and you’ll find much different results. Why? Because a lot of people share the same birthday and gender. However, the article does offer a reasonable suggestion based on the results of the study:

“Most people tend to think twice before reporting their year of birth [to protect their privacy] but this report forces us all to think about the combination or the totality of data we share,” said Dr. El Emam. “It calls out the urgency for more precise and quantitative approaches to measure the different ways in which individuals can be re-identified in databases – and for the general population to think about all of the pieces of personal information which in combination can erode their anonymity.”

To me, this is the key point. It’s not about creating fear and uncertainty that has no foundation, but to consider more fully the effect on patient privacy of multiple pieces of personal information in de-identified patient data.
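To make the study’s point concrete, here is an added Python example (written for this page, not code from the post or from the Canadian study it cites) that measures how many records in a dataset are uniquely identifiable by a given combination of quasi-identifiers, and what the dataset’s k-anonymity is under that combination. The eight records, the field names and the coarsening rules (year of birth instead of full date, first three postal characters instead of the full code) are constructed assumptions for illustration; it generalizes the post’s “take out postal code” comparison to any set of fields.

```python
"""Measure re-identification risk of 'de-identified' records.

Added example: counts records that are unique under a chosen combination of
quasi-identifiers and reports the k-anonymity (smallest group size) of the
dataset under that combination. All records below are constructed, not real.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample records (assumed field names: dob, gender, postal).
RECORDS: List[Dict[str, str]] = [
    {"dob": "1975-03-14", "gender": "F", "postal": "K1A0B1"},
    {"dob": "1975-03-14", "gender": "F", "postal": "K1A0B2"},
    {"dob": "1975-08-21", "gender": "M", "postal": "K1A0B1"},
    {"dob": "1975-08-21", "gender": "M", "postal": "K1A0B1"},
    {"dob": "1982-11-02", "gender": "M", "postal": "M5V2T6"},
    {"dob": "1982-11-02", "gender": "F", "postal": "M5V2T6"},
    {"dob": "1982-11-02", "gender": "F", "postal": "M5V2T7"},
    {"dob": "1982-11-02", "gender": "F", "postal": "M5V2T6"},
]


def quasi_key(record: Dict[str, str], fields: Sequence[str]) -> Tuple[str, ...]:
    """Project a record onto the quasi-identifier fields.

    Two derived (coarsened) fields are supported as assumptions for this
    example: 'dob_year' keeps only the year of birth, and 'postal_fsa' keeps
    only the first three characters of the postal code.
    """
    key = []
    for field in fields:
        if field == "dob_year":
            key.append(record["dob"][:4])
        elif field == "postal_fsa":
            key.append(record["postal"][:3])
        else:
            key.append(record[field])
    return tuple(key)


def equivalence_classes(records: List[Dict[str, str]], fields: Sequence[str]) -> Counter:
    """Group records by their quasi-identifier value; counts are group sizes."""
    return Counter(quasi_key(r, fields) for r in records)


def unique_fraction(records: List[Dict[str, str]], fields: Sequence[str]) -> float:
    """Fraction of records whose quasi-identifier combination is unique.

    A unique record is one an attacker holding the same fields from another
    source (e.g. a voter list) could single out with certainty.
    """
    classes = equivalence_classes(records, fields)
    unique = sum(1 for r in records if classes[quasi_key(r, fields)] == 1)
    return unique / len(records)


def k_anonymity(records: List[Dict[str, str]], fields: Sequence[str]) -> int:
    """Smallest equivalence class: every record hides among at least k others."""
    return min(equivalence_classes(records, fields).values())


def risk_report(records: List[Dict[str, str]],
                field_sets: Sequence[Sequence[str]]) -> List[Tuple[Tuple[str, ...], float, int]]:
    """Evaluate several candidate release formats side by side."""
    return [(tuple(fs), unique_fraction(records, fs), k_anonymity(records, fs))
            for fs in field_sets]


if __name__ == "__main__":
    candidates = [
        ("dob", "gender", "postal"),        # full date, gender, full postal code
        ("dob", "gender"),                  # postal code removed
        ("dob_year", "gender", "postal_fsa"),
        ("dob_year", "postal_fsa"),         # year of birth and FSA only
    ]
    for fields, frac, k in risk_report(RECORDS, candidates):
        print(f"{'+'.join(fields):32s} unique={frac:5.1%}  k={k}")
```

On the constructed data, the full combination singles out half the records with k=1; dropping the postal code cuts uniqueness to one record in eight, and releasing only year of birth plus the three-character postal prefix leaves no unique records and k=4. The same functions run unchanged over a real extract, which is the kind of quantitative check Dr. El Emam’s quote calls for before a dataset is called de-identified.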


July 21, 2011

What Will Happen to Google Health Data After 2012?


Let’s face it, I haven’t actually been nice to Google of late when it comes to healthcare (or maybe I have, just once). While I believe the criticisms are justified, I can see why some people might think I’m beating a dead horse, namely Google Health. But there are some unresolved questions in the area of privacy that Google really should answer.

Google’s ill-fated attempt at a PHR isn’t completely dead. The company won’t “retire” the online service until January, and will allow users to download their data through Jan. 1, 2013. Naturally, others have stepped up to try to fill the (tiny) void left by Google Health’s demise. To nobody’s surprise, Microsoft is helping the remarkably small number of Google Health users transition their accounts to HealthVault, Microsoft’s own overly hyped, underutilized PHR platform.

What concerns me is what will happen to data already on Google’s servers. Will records be archived? Will sensitive patient health data stay on Google’s servers in perpetuity? Nobody has said for sure.

Are records safe from Google’s data-mining juggernaut? Google has consistently said that it would not use health records for anything other than to steer traffic to its core search engine, but let’s face it, Google’s primary source of revenue is from algorithm-driven advertising.

But, you say, HIPAA protects patients from unauthorized uses of their data, right? Well, remember back to 2009, when the American Recovery and Reinvestment Act expressly made third-party data repositories, health information networks and, yes, personal health records, into HIPAA business associates, effectively holding them to the same rules as covered entities under HIPAA.

Wouldn’t you know, both Google and Microsoft came out and said they were not subject to this provision. No less an insider than former national health IT coordinator Dr. David Brailer, who was a part of the legislative negotiations, told me then that lawmakers had Google Health and HealthVault specifically in mind when they crafted the ARRA language. As far as I know, there haven’t been any reported data breaches involving either PHR platform, so there’s been no need to test whether ARRA actually does apply to them, but if I had my data on Google’s or Microsoft’s servers, I’d be concerned. I’d particularly want to know what Google plans on doing with the data it’s been holding once Google Health does shut down.

Perhaps it’s time for me to make some phone calls.


June 1, 2011

Drug Mailings and Patient Privacy


Many of you have quickly realized that I find it a lot more interesting to write about EMR than I do about HIPAA. It seems like most people prefer to read about EMR rather than HIPAA as well (except for this popular HIPAA Lawsuits post I did eons ago). However, I’m sure that many of you will find this article I found about privacy of medical data quite interesting. Here’s a quote from the beginning of the article which prefaces the health privacy situation quite well.

A pharmaceutical company, Bristol-Myers Squibb Co., sent him an eight-page brochure pitching another medicine, Abilify, used to treat patients “when an antidepressant alone isn’t enough.”

Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996’s Health Insurance Portability and Accountability Act.

Spencer asked a simple question: How did Bristol-Myers Squibb – or the “third-party list company” that the brochure said was the source of his name – know enough to send him that mailing?

The article goes through all the places that had the information that he was on the antidepressant Lexapro: the insurance company, his doctor, the pharmacy. Each of course denied having sold his information. After some digging, Bristol-Myers Squibb gave the actual way they got Spencer’s health information to be able to do a targeted mailing:

Maybe Spencer bought an over-the-counter depression remedy at a store where he has a “frequent shopper” card? Maybe he called an 800 number for information? Maybe he answered a survey on health concerns?

I ran all these ideas by Spencer, and he rejected each.

‘Gotcha’?
On Friday afternoon, Bristol-Myers Squibb delivered a “gotcha.” Yes, Spencer was the source of his own privacy breach, according to spokeswoman Laura Hortas.

Hortas says Bristol-Myers Squibb bought the list in question from a reliable list broker. “We only work with list vendors that we know commit to observing U.S. privacy law,” she told me.

And how did the list vendor get Spencer’s name? Hortas says Spencer visited a site called www.WinningSurveys.com at 9:25 p.m. on Dec. 14 and replied to a prompt that said: “Please provide relevant information to me on the following ailments.”

“He selected depression,” Hortas says.

Of course, Spencer denies ever having visited that site. The problem is that I bet Spencer is like most Americans and doesn’t really know what sites he’s visiting anyway. I’m still surprised how many people I talk to don’t know the difference between going to www.emrandhipaa.com and typing emrandhipaa in Google to find the site. I see the stats on my blog that show how many people don’t know the difference. I wouldn’t be surprised if Spencer is one of these people.

I’m not trying to defend sites like WinningSurveys.com. There’s a lot of JUNK on the internet that is absolutely terrible, deceptive and in many cases dishonest. It’s really easy to trap someone into providing their personal information to you online (although I don’t agree or use these methods). Many times without people even realizing they’ve done it. Is that a breach of someone’s privacy if they were deceived into giving up their information to win an iPad?

I’m also not saying that companies shouldn’t be held responsible for using health information inappropriately. They should be held accountable according to the laws. I just don’t see any violation of HIPAA laws in this case.

I do love the irony that someone so concerned about privacy of his health information now has an article on Philly.com with his name and his health information. That leads me to believe that Spencer isn’t as concerned about the privacy of his information as he puts on. Maybe he’s just mad that he didn’t have a winning survey. I wonder if he’d won an iPad from the survey if he’d be as concerned about the mailings.
