1. Privacy Law Today - What’s at Stake? Part Three: Health Care

    “The government issued a final rule [recently] that laid out goals for a second stage in its initiative to promote electronic record-keeping in the health field… One patient engagement objective mandates that hospitals and doctors provide patients with online access to their own medical records, while another requires providers to forward summary-of-care records for referrals and transfers. Providers must also set up a secure online messaging system patients can use to communicate with their doctors electronically.” (Mintz Levin)

    Healthcare is going digital, that much is certain. Less certain: the safety of your medical records. 

    Like any data, digital information about your health care – medical reports, medications, and doctor visits, but also billing records, social security numbers, and credit card details – is stored and processed on laptops and servers and “in the cloud.” And that which makes it accessible – to you, your doctor, your insurance company, and others – also makes it vulnerable. 

    In fact, your protected health information may already be in the hands of a hacker, writes Judy Selby at law firm BakerHostetler:

    “On December 6, 2012, the Ponemon Institute issued its Third Annual Benchmark Study on Patient Privacy & Data Security. The key findings were that a shocking 94 percent of healthcare organizations in the study had at least one data breach in the past two years, and 45 percent report that they had more than five breaches.” 

    There’s another aspect of the healthcare privacy issue that deserves equal attention: what is done with the information by people who are in fact authorized to look at it? 

    Safeguards like the Genetic Information Nondiscrimination Act have been put into place to protect individuals against the misuse of their genetic information. But as the data gets more sophisticated (and more revealing), the risks of sharing it go up, in large part because the laws have not yet caught up with the science. From Antoinette F. Konski of Foley & Lardner:

    “[T]he Presidential Commission for the Study of Bioethical Issues (the Commission) issued guidelines to address ethical and legal issues that arise as a result of whole genome sequencing… The Commission recognized that current U.S. governance and oversight of genomic data do not fully protect individuals from the risks associated with sharing their whole genome sequence data and information, which sharing is necessary to advance the technology and realize its full potential.” 

    Hacking and misuse of genetic data may capture headlines, but they’re hardly the only ways your health information can be compromised. Here are five more:

    1. The old standby - theft:

    “Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. … agreed to pay … $1.5 million to settle alleged HIPAA violations associated with the theft of an unencrypted personal laptop containing the electronic personal health information of approximately 3,500 MEEI patients and research subjects. MEEI did not admit any liability or wrongdoing in connection with the settlement. The laptop belonged to a physician affiliated with MEEI and was stolen in February 2010 while the physician was lecturing in South Korea.” (King & Spalding)

    2. Snooping by healthcare employees:

    “Mr. Zhou, a former UCLA Health System research assistant, accessed the health records belonging to his immediate supervisor, his co-workers and various celebrities who received care at UCLA. The government alleged that Mr. Zhou improperly accessed the UCLA patient records system 300 times. Mr. Zhou was criminally charged under a HIPAA provision that imposes misdemeanor penalties on any ‘[p]erson who knowingly and in violation of this part…obtains individually identifiable health information relating to an individual…’” (Polsinelli Shughart)

    3. Over-zealous debt collection efforts:

    “Accretive Health purportedly placed debt collectors, who were indistinguishable from hospital employees, in emergency rooms to require patients to make overdue payments before they could receive treatment. Attorney General Swanson claimed that such tactics violated the … Health Insurance Portability and Accountability Act (HIPAA) by giving the company’s debt collectors access to health records…” (Mintz Levin)

    4. Misuse of “de-identified” protected health information:

    “[T]he Department of Health and Human Services Office for Civil Rights (OCR) released long-overdue guidance on how covered entities subject to the Health Insurance Portability and Accountability Act can de-identify protected health information (PHI) for research, comparative effectiveness studies, policy assessment, life sciences research, and other secondary uses… This OCR guidance … allows considerable flexibility in ways that covered entities may de-identify PHI. This puts the onus on covered entities to carefully consider the risks associated with various methods of de-identification of PHI.” (Foley & Lardner)

    5. Poor Internet security procedures:

    “[Health and Human Services Office for Civil Rights] investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information.” (Mintz Levin)

    Maybe it’s just better not to get sick. Ever.

    —- 

    This post is part of a five-part series on privacy law, in which we take a look at how lawyers and law firms are both framing the questions and identifying the solutions regarding: 

    Digital privacy and security  

    Consumer data protection  

    Health care 

    Employee privacy

    Telemarketing and “Robocalls”
