Tag Archives: hipaa

Globe photographer finds medical records in landfill

Andrew Van Dam

About Andrew Van Dam

Andrew Van Dam of The Wall Street Journal previously worked at the AHCJ offices while earning his master’s degree at the Missouri School of Journalism.

The Boston Globe‘s Liz Kowalczyk tells the story of how one of the paper’s staff photographers stumbled upon a massive medical privacy breach while dumping his trash.

landfill

Photo by D’Arcy Norman via Flickr

As Tinker Ready points out on Boston Health News, it’s a reminder that stories are everywhere … and shredders are not. Kowalcyzyk traced the documents to a billing intermediary.

Kowalcyzk uses the landfill scene to demonstrate just how difficult it is for hospital officials to keep confidential information from slipping through the cracks.

The photographer said he saw health and insurance records from at least four hospitals and their pathology groups — Milford, Holyoke, Carney, and Milton — mostly dated 2009. The Globe notified the hospitals. It is unclear how many other hospitals’ records might have been discarded in the dump.

(Hat tip to Tinker Ready)

Reporter’s dumpster diving led to HIPAA deal

Andrew Van Dam

About Andrew Van Dam

Andrew Van Dam of The Wall Street Journal previously worked at the AHCJ offices while earning his master’s degree at the Missouri School of Journalism.

With a $1 million settlement, HHS and Rite Aid have closed the book on a HIPAA privacy case that began with a journalist’s investigative reporting in 2006. In a nut shell, Rite Aid employees across the country were tossing prescriptions and pill bottles out without taking measures to secure the sensitive information they held.

They were exposed by Bob Segall, Jim Hall and Bill Ditton of WTHR-Indianapolis. For the story, Segall eventually checked dumpsters in 12 cities nationwide and found unsecured information in all of them. Segall told the tale of how he broke the story, and how other reporters could do the same, in this article for AHCJ members.

For those unfamiliar with the case’s background, NPR’s April Fulton can get you up to speed. CVS settled with HHS last year, and NPR’s Fulton reports that Walgreens will be next.

HIPAA’s role in transplant story, correction

Pia Christensen

About Pia Christensen

Pia Christensen (@AHCJ_Pia) is the managing editor/online services for AHCJ. She manages the content and development of healthjournalism.org, coordinates AHCJ's social media efforts and edits and manages production of association guides, programs and newsletters.

The Village Voice says things are rather tense at the New York Post after it incorrectly reported on Monday that an alleged killer received a liver transplant at New York-Presbyterian Hospital. Frederik Joelving of Reuters Health reported on Tuesday that the hospital denied the transplant had taken place there.

Cover of Monday's New York Post.

That was followed by a correction in the Post on Wednesday morning. The original story is no longer available on the Post‘s site but is available through Google’s cache.

According to the Village Voice, which quotes unnamed sources in the Post newsroom, “Rupert Murdoch was so enthralled with the story when it ran, that he called Post editor-in-chief Col Allan to personally congratulate him on it.” It also says the tip for the story came from Allan.

Because of the Post‘s story, the hospital eventually had to deny that Johnny Concepcion, accused of killing his wife, received a transplant there after eating rat poison in a suicide attempt. Hospital comments on whether a patient has been treated are fairly unusual as hospitals try not to run afoul of the privacy rules outlines in the Health Insurance Portability and Accountability Act.

In fact, the Post‘s correction says the hospital declined to comment before it published the original story, citing HIPAA, but that “Curiously, the hospital now sees itself free to publicly discuss Concepcion’s case.”

Speaking of HIPAA, The Reporters Committee for Freedom of the Press recently released “FERPA, HIPAA & DPPA: How federal privacy laws affect newsgathering,” a guide to federal privacy protection laws.

The section on HIPAA explains the history of the privacy rules, the Standards for Privacy of Individually Identifiable Health Information, and discusses how it has been misunderstood and misused to keep information from reporters. AHCJ President Charles Ornstein, a senior reporter at ProPublica, is quoted extensively and offers examples of its misapplication. The piece also outlines what the law does allow.

Visiting some health care blogs you might not know

Andrew Van Dam

About Andrew Van Dam

Andrew Van Dam of The Wall Street Journal previously worked at the AHCJ offices while earning his master’s degree at the Missouri School of Journalism.

FierceHealthcare, a site that says it’s geared toward health executives, spotlighted nine health care bloggers and, once they realized all nine were male, five female health bloggers. We thought we’d point out some blogs that our readers might not have on their radar.

Tip: To navigate those slide shows, just click on the tiny mug shot hiding in the bottom right corner well beyond the point where you assume the post has already ended.

Worth a visit

popHealth Populi: Jane Sarasohn-Kahn’s strategy seems to be to take something interesting and current, illustrate it with a chart or graphic and then riff on that idea, bringing in other sources as needed. The upshot is that her site’s updated almost daily with something you usually haven’t already heard somewhere else.

Dr. Greiver’s EMR: While the list included a number of wonky HIT blogs, I found that I learned the most from Canadian physician Michelle Greiver’s running updates on her transition to electronic medical records. I recommend taking a few minutes to start from the beginning and scan Greiver’s journey. You’re sure to come across a heap of fascinating anecdotes, from how EMRs make flu shot clinics more efficient to how much she dislikes insurance companies.

HealthBlawg: Health attorney and consultant David Harlow’s Blawg (shorthand for Law-Blog) often touches on topics of interest to health journalists, including electronic medical records, privacy and, of course, HIPAA.

Hoban reports on uneven H1N1 death disclosure

Andrew Van Dam

About Andrew Van Dam

Andrew Van Dam of The Wall Street Journal previously worked at the AHCJ offices while earning his master’s degree at the Missouri School of Journalism.

WUNC reporter and AHCJ member Rose Hoban put together a story about uneven disclosure of H1N1 deaths by public health officials and the possible benefits and risks of providing more information. In the end, Hoban reported, it comes down to balancing individual privacy and the public interest.

On the official side, Hoban spoke to Megan Davies, M.D., North Carolina’s epidemiologist, who referred to the lack of a “compelling public health need” to provide H1N1 death data on a county-by-county level, pointing out that in many areas it would be easy for locals to take that information, match it with recent death records and come up with the name of the infected person. Davies said that, in cases like that, she fears the infected person’s family would be stigmatized.

“The fear of contagion’s a really primitive thing that comes up in people,” Davies said.

Additionally, Hoban says, officials are bound by medical ethics, state laws and federal health privacy regulations (which, she notes, generally don’t cover people who are already dead).

For another perspective, Hoban spoke with AHCJ board member Felice Freyer of The Providence Journal. Freyer discussed AHCJ’s report that disclosure had been uneven across the country, and said that officials should share information unless there’s a compelling reason not to.

“Public health officials can’t do their job if they don’t have the trust of the public and no-ones going to trust them if they hide information for no reason,” Freyer said.

Former CDC lead legal counsel Gene Matthews agreed, noting that “Too little information can be a bigger headache than too much.” According to Matthews, this problem has been exacerbated by the Internet where, “If the public health officials don’t provide enough information, the outsiders will simply make it up.”

Hackers hold Va. prescription database hostage

Scott Hensley

About Scott Hensley

Scott Hensley runs NPR's online health channel, Shots. Previously he was the founding editor of The Wall Street Journal's Health Blog and covered the drug industry and the Human Genome Project for the Journal. Hensley serves on AHCJ's board of directors. You can follow him at @ScottHensley.

Some very nasty folks disabled a Virginia state Web site containing confidential prescription information, reportedly deleting more than 8 million patient records from a database used by pharmacists to combat drug abuse.

Illustration by d70focus via Flickr.com

Illustration by d70focus via Flickr.com

The bad guys want $10 million to restore the data. Let’s hope somebody made a backup.

The hackers apparently struck the Virginia Department of Health Professions last week, trashing a secure site for the Virginia Prescription Monitoring Program. Brian Krebs of The Washington Post’s blog Security Fix has the story.

The department’s site is still having trouble. But you can find out how the monitoring program worked by reading this 2004 report, hosted on a Wisconsin server that’s still chugging along.

A report on the break-in and the $10 million ransom demand was first posted on Wikileaks.org.

State and federal official have opened criminal investigations, the Post reported. Neither the Virginia department nor the FBI would comment on details of the hackers’ claims or the status of investigations, the Post wrote.

Thomas Claburn of Information Week writes:

Extortion demands of this sort have become relatively common in data breach cases. Last October, for instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records.

According to Claburn, the technique of capturing data, encrypting it, then selling access to the former owner has become popular enough to earn its own name: cryptoviral extortion.

Computerworld reports that just last week the former information technology director for LifeGift, a nonprofit organ and tissue donation center that is the sole provider of organ procurement services for more than 200 Texas hospitals, pleaded guilty to a charge that she broke into the organization’s computer network and deleted organ donation database records, invoice files, and database and accounting software — and the backup files  — according to the U.S. Department of Justice.