Posts in the ‘Protected Health Information’ Category

The “P” in PHI Does Not Stand for Public

Posted by J. Paul Spencer, CPC, CPC-H in Protected Health Information

A quick look at my personal Facebook page prior to my commencement of this post revealed that I currently have 121 friends that I have connected with through the “popular networking site”.

My experience with Facebook is hit and miss. I am now careful to limit incoming friend requests to “friends of friends”. The reader might find this next bit of information surprising, but I can actually be quite aggressive on certain topics that I come across in my personal life (that was a demonstration of my sarcasm, of course). When I need to pop off about something with the colorful language I learned in my youth as a Philadelphia sports fan, it is best that these are kept sequestered from the majority of my professional contacts. We have LinkedIn for actual professional networking. As a footnote, in order to satisfy any of your lingering curiosity, I have only ever “unfriended” 3 people, and it has been because I discovered retroactively that some of the friends of my actual friends are political troglodytes.

With the generations coming up behind my own (quick note: please do not refer to mine as Generation X; you young punks would be cynical and disconnected too if you grew up around AMC Javelins and Disco music) feeling free to share anything and everything online, intersections with reality are sure to follow. We’ve learned that it’s not a good idea for the local elementary school teacher to post pictures of herself on vacation doing body shots off the locals in Cancun. Additionally, a few frustrated employees have learned that criticizing your employer with language not normally shared in your typical convent earns you an express ticket to the Island of Free Time.

One such intersection with reality was this recent story from Mission Hills, California. An employee at Providence Holy Cross Medical Center, who was recently hired through a staffing agency, came across a patient’s medical record with featured conditions that he found amusing. He then took it upon himself to post the page from the medical record, complete with patient name and date of admission, as a photo on his Facebook page, accompanied by comments that mocked the reasons for the patient’s encounter. When told by his more level-headed, law-abiding friends in the Comments section of the post that he was violating HIPAA laws, he said (and I must quote this verbatim so the reader can fully internalize it), “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor than tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”.

It has never been my professional goal, but how I wish I had law enforcement power for just 10 minutes when I read things like this.   

I was born in the semi-mythical Time Before Pong, but there were two lessons I learned before the age of 6. There are five distinct human senses, and everything on television is fake. With new technology, my 22 years in health care and with the story above in mind, allow me to add an extremely important caveat; while your computer can stream television shows, what you type on Facebook is not, in fact, a mythical television show, but reality. Yes, it is two-dimensional, but no, it is not fake. If you create it, it exists. Additionally, thanks to online archiving, if you create it on a popular networking website, it exists beyond your lifespan, allowing succeeding generations to see not only that you had a bad sense of humor, but that your version of belly laughs came at the expense of someone’s legally codified right to privacy.

Social networking, and the prevalence of internet usage in general, offers challenges that did not exist at the time the HIPAA laws came into being. Health care providers of all types now find themselves playing catch-up to a public social structure that is quickly migrating away from meaningful, face-to-face discourse and toward two to three sentences of unexpurgated online communication (complete with photos) to hundreds – or perhaps thousands – at a time. Many employee policies on technology usage remain woefully inadequate for this environment.  

People employed at all levels of the health care field must be made aware of what is and isn’t allowed when discussing their work in a permanent public forum. Since I have your attention, I’ll start, using myself as an example. I’m a compliance officer for a company that does high-end data analytics that allows health care entities to quickly identify their highest areas of compliance and audit risk. We also provide some medical billing services, but I’m not going to tell you for whom. I see protected health information for medical conditions as part of my daily duties, but that also is none of your business, and I keep it at work.

On a personal note, I am currently employed by bosses whom I actually like and respect and who have done wonders for my professional development. If that happened not to be the case, I would save it for happy hour, which I never document or photograph for public consumption anymore, as my multiple glasses of dark beer kept spilling on my camera phone. To round out, I live with my wife, son, dog and obnoxiously loud nocturnal cat, my main hobbies are music and being a fan of ice hockey, and my bar trivia team can usually be found on Wednesday nights trouncing the local competition at O’Lydia’s Pub in Milwaukee.

Now you have all you need to know to begin to update your employee policies for social networking, as well as my general background, demonstrating once again that there are indeed acceptable paths to spreading wisdom on the internet.

How The Economy Threatens Patient Data

Posted by J. Paul Spencer, CPC, CPC-H in In the Press, J. Paul Spencer, CPC CPC-H, Protected Health Information

The other day, I was coming home from work and witnessed a troubling sight. A couple roughly my age with their dog in tow, obviously down in the luck department, were walking down my back alley in the city of Milwaukee, going through recycling bins and taking out aluminum cans by the dozen in an obvious cash grab. Because Milwaukee has mandatory recycling, this activity is considered theft of city property and is illegal. As a compliance officer, it may strike some as disturbing that I didn’t report this activity immediately to the police. In my defense, it’s never a pleasant moment when the less desirable realities of an economic downturn arrive so starkly at your door, but it is not my duty as a member of the human race to jeopardize the survival of someone else if I face no imminent or immediate personal threat.

History teaches us that increasing levels of desperation become a threat to everything in their midst. Primary among human instincts is the instinct for survival. If established tools of survival in a civilized society are threatened – the big three being food, clothing and shelter – the instinct for survival becomes its own morality, and begins to look for opportunity.

The official unemployment rate in the United States, also known as the U3 index, stands at 9.5% based on the latest statistics available through August. Being a man ruled by facts, I tend to look not at the trumpeted U3 figure, but the U6 unemployment rate, which measures newly unemployed, under-employed and discouraged workers who have stopped looking for work, but still maintain the ability and the will to work. The U6 number stands at a staggering 16.7% currently, and has been as high as 17.1% during 2010.

Taken hand in hand with the home foreclosure crisis, the overall economic picture is beyond bleak. What the chattering class sees is a recession that officially ended in the middle of 2009. What the general public sees is the same economic system that has shifted from manufacturing to services and concentrated wealth into the hands of the few continuing unabated, with the antique promise of “trickle-down” being exposed as a myth. Thinking that jobs will magically appear with this backdrop has become a proposition that has moved from “difficult” to “unrealistic”.  

It was with this new reality in mind that I read a story out of Los Angeles this week concerning a privacy breach of roughly 33,000 medical records at Martin Luther King, Jr. Multi-Service Ambulatory Care Center (MLK-MACC).

Files stored at the facility were discovered as missing on July 29th, prompting a search and investigation by the facility, which led to two uncomfortable discoveries. First, the files in question may have been mistakenly marked for destruction. Second, and central to today’s post, the records were subsequently stolen by an employee and taken to a recycling center so he could cash in on the value of the paper contained in the files.

With this new piece of information, it’s time to review our threats to HIPAA privacy. We have identity theft, which was a motivation of the very first HIPAA violation and continues to this day. Next, we have potential unfettered access to information, leading to the more gossipy among those with access spewing forth patient medical data to anyone who is interested. Beyond these and other threats, we can now include an unnatural curiosity for the profit motive of renewable resources.

If I am in charge of compliance at any health care organization, after reading this, I expand my privacy and security focus from “How do I protect patient information?” to “What isn’t nailed down?”. The breach detailed above involves equal parts negligence and opportunism, but this leads me to do an informal exercise with the reader. If you are reading this from your job in the health care industry, I invite you to look around you for a moment and find something containing patient data that can be easily transported and either sold or stripped for cash. Chances are this exercise didn’t take long. I know the most obvious answers to this question, but being a compliance officer, it would be irresponsible of me to supply these to you. I mean, who’s reading this in the first place? If you read my writing with any sense of anticipation, there’s something devious about you that’s well-established.  

Anyone who regularly deals with securing protected health information should try to take every threat into account. We’ve long known that your typical identity thief can come into an organization with PHI and wreak absolute havoc. As economic threats to social order continue, I challenge all of those charged with protecting patient data to look outside well-known breach threats and sharpen your focus to include threats posed by the current economy. It is up to each and every organization to determine the best way to assess potential breaches caused by economic circumstances of those with access to data, but as the MLK-MACC breach illustrates, the time to do so has rudely arrived.