California Patient Privacy Law Enforcement is Inconsistent
Last week, California’s enforcement of data privacy rules was criticized after the Department of Public Health was found to be enforcing state laws inconsistently. Numerous healthcare organizations have committed serious privacy violations yet have escaped fines. Two privacy bills were passed in California in 2008 in an effort to better protect the privacy of state residents; one of their aims was to make healthcare organizations more accountable when privacy violations occurred. The laws were introduced following a number of high-profile privacy breaches involving hospital employees snooping on the medical records of celebrities (Britney Spears, Farrah Fawcett and Maria Shriver). Since the bills were passed, healthcare organizations in the state can receive heavy fines for privacy violations, although relatively few fines have been issued.
California Patient Privacy Laws Being Violated with Few Consequences
The state of California has some of the strictest data privacy laws in the country. While action is taken against healthcare organizations by the Department of Public Health when...
No Action Over Patient Privacy Violation Due to HIPAA Loophole
Recently, a New Jersey lawyer discovered that confidential information classed as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) is not necessarily kept private by healthcare providers. Under certain circumstances, the holder of those data may disclose the information publicly without penalty, as happened in his case. The lawyer had received treatment for mental health issues at Short Hills Associates in Clinical Psychology between 2012 and 2014. Some of the sessions had not been paid for, and Short Hills Associates filed a lawsuit last year for non-payment of $4,400. Short Hills Associates is within its rights to take legal action against individuals who do not pay for chargeable medical services; however, in the lawsuit the organization listed the lawyer’s diagnosis and the services he had received, and that information was detailed in publicly filed court documents. The HIPAA Privacy Rule does permit the disclosure of PHI under certain circumstances, including for payment purposes, but such disclosures should be limited to the minimum necessary...
Online Medical Record Access Not Possible for the Majority of Patients
A recent survey commissioned by HealthMine, a personal clinical engagement platform vendor, indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store that data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The survey was conducted between October and November 2015 on 502 consumers who intended to enroll in a 2016 health plan. The results show that over half of respondents (53%) do not yet have online access to their medical records, and almost a third (32%) have difficulty accessing their medical records at all. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of respondents believe that having access to all of their clinical notes and...
Child Welfare Agency Employee Emails 970 Records to Personal Email Address
Hillsides, a child welfare agency based in Pasadena, CA, has discovered that a former employee emailed highly confidential patient and employee data to a personal email address over the course of a year, in breach of Health Insurance Portability and Accountability Act Rules. The HIPAA breach was discovered on December 8, 2015, and an investigation was launched immediately. That investigation revealed confidential data had been sent to the employee’s personal email account on five separate occasions, the first on October 10, 2014. No information has been released to indicate why the information was emailed. When data are taken or emailed to personal email accounts, the individuals responsible typically do so with a view to using the information after changing employer, selling it to identity thieves, or using it themselves to commit fraud or identity theft. The latter would be possible in this case, as the files attached to the emails included patient names, addresses, dates of birth, genders, Social Security...
Potential VA PHI Breach Impacts 1,000 Oregon Veterans
This week, the Oregon Department of Veterans’ Affairs announced it suffered a major privacy breach that could impact 967 Oregon veterans. Copies of DD 214 forms are believed to be in the possession of an unauthorized individual. The DD 214 form is a Certificate of Release or Discharge from Active Duty and contains veterans’ full names, addresses, dates of birth, and Social Security numbers: data that could be used to steal the identities of veterans and commit fraud. It is not clear at this stage how the individual came to be in possession of the documents, or why the information was taken. According to a statement released by an ODVA spokesperson, there is no reason to suggest that any of the data have been used inappropriately. However, “ODVA is treating this compromise with critical importance.” To protect affected veterans from identity theft and fraud, they have been offered a year of credit monitoring services free of charge, and breach notification letters have now been mailed. In order to prevent similar privacy incidents...