- A woman was watching television at night when she came upon footage documenting her husband’s death. She had never been contacted for permission.
- A doctor hired a private investigator to investigate a patient.
- A woman went online and found that a website had made public some 6,000 paternity cases.
These privacy breaches, Ornstein said, can be “very, very harmful” to individuals.
He also described stories of staff at various nursing homes posting explicit and abusive pictures of residents on Snapchat.
“Nobody contemplates the role of social media in HIPAA,” he said.
Joy Pritts, a health information privacy and security consultant, said she views HIPAA not so much as broken, as outmoded. She compared it to an old computer that needs to be replaced.
The original rules were written in 2000, she said – a lifetime ago in the Internet age. Even the updated rules, from 2009, are outdated. Compounding that, many rules are sector specific and difficult to change.
In the age of Facebook, she said, some policymakers now say that as a culture we don’t value privacy the way we once did.
“Is HIPAA broken?” she said. “It certainly needs change. It’s certainly out of date. We really need an overarching national privacy law.”
Neil Eggeson, an attorney in Indiana, says he is one of the only lawyers in the country willing to sue on behalf of people like those Ornstein described.
“I get these phone calls every single day,” he said.
The law does not allow people to sue privately, he said. He has found a way around this by suing for malpractice. He described a few cases he has won: including one from a young man whose HIV diagnosis was made public by a collections agency. But the vast majority of such cases never get filed, he said, “because they never find me.”
Deven McGraw, who became deputy director for health information privacy for the Office for Civil Rights earlier this year, said her office is “ground zero for health care privacy issues,” overseeing all regulations that constitute HIPAA and having primary responsibility for enforcing them.
Depending on who you ask, she said, “we are either not doing enough or are doing too much.”
Those who think they are doing too much worry that HIPAA stands in the way of allowing health care data to be shared to allow for collaboration and innovation between agencies. Those who say they are doing too little worry about privacy breaches like those described.
McGraw says she has a small staff – 120 people work with the Office for Civil Rights nationwide, and she has 12 on her privacy staff, with a budget of $45 million to $47 million. They field 17,000 complaints a year, mostly from individuals whose privacy has been violated. They also deal with health care information breaches. In the past several years, 150 million people were affected by large breaches, she said. There have also been 179,000 small breaches, affecting fewer than 500 people each.
“At some point I can’t squeeze more blood from my turnips,” she said. “I need more turnips.”
Some tips from the session:
- Use HIPAA Helper, courtesy of ProPublica, to search for HIPAA violations in your area or about a topic you might be interested in (Enter a word like “Facebook” or “widow” or “colonoscopy,” Ornstein said.)
- Look up #HIPAA (and other hashtags) on Twitter to find a wealth of human stories. “When you’re bored at night, you should be searching hashtags,” Ornstein quipped.
- The nursing home abuses were found through a search of CMS nursing home inspection reports.
- Stay ahead of policies before they become cemented into law. Right now, Pritts says, laws to watch that are in danger of being weakened include: mental health, Americans with Disabilities Act and the Genetic Information Nondiscrimination Act. “They’re hard issues but they’re going to have long-term repercussions,” said Joy Pritts.
- To preempt denial based on HIPAA, ask for interviews with a signed HIPAA waiver.
- Ask people to request their own medical records, since they are legally entitled to them, but you’re not.
- Don’t deal with front office staff. Ask for a compliance officer. If a request is denied because of HIPAA, ask to know what specific provision of HIPAA.
- Dead people do have HIPAA rights. With respect to most provisions of HIPAA, protections last 50 years after death.