Monday, December 09, 2013

But Don't Worry, Your Health Information is Secure: the Enforcers are Themselves Incompetent and Broke

Another in my "But Don't Worry, Your Health Information is Secure" series (see ... a promise blindly made by the healthcare information technology hyper-enthusiasts.

The Office of the Inspector General for HHS just issued a report finding that the Office of Civil Rights (OCR), which is charged with enforcing the HIPAA/HITECH law, had itself failed to adequately protect the security of the health information it handled. Specifically OIG found that OCR “focused on system operability to the detriment of system and data security.”

From “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule”, p. ii (Nov. 2013).


The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. In addition, OCR's Security Rule investigation files did not contain required documentation supporting key decisions made because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations. Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability [I presume they mean 'interoperability' - ed.] to the detriment of system and data security.

We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.

The enforcers are themselves negligent, incompetent and broke.  And hospitals are expected to keep electronic protected health information secure?

I comment no further.  What more could I possibly write?

-- SS

Dec. 9, 2013 Addendum:

This woman would probably agree that this is a problem

Dec. 9, 2013

Disabled woman denied entry to U.S. after agent cites supposedly private medical details

A Toronto woman is shocked after she was denied entry into the U.S. because she had been hospitalized for clinical depression.

Ellen Richardson went to Pearson airport on Monday full of joy about flying to New York City and from there going on a 10-day Caribbean cruise for which she’d paid about $6,000.

But a U.S. Customs and Border Protection agent with the Department of Homeland Security killed that dream when he denied her entry.

“I was turned away, I was told, because I had a hospitalization in the summer of 2012 for clinical depression,’’ said Richardson, who is a paraplegic and set up her cruise in collaboration with a March of Dimes group of about 12 others.

The Weston woman was told by the U.S. agent she would have to get “medical clearance’’ and be examined by one of only three doctors in Toronto whose assessments are accepted by Homeland Security. She was given their names and told a call to her psychiatrist “would not suffice.’’

At the time, Richardson said, she was so shocked and devastated by what was going on, she wasn’t thinking about how U.S. authorities could access her supposedly private medical information.

“I was so aghast. I was saying, ‘I don’t understand this. What is the problem?’ I was so looking forward to getting away . . . I’d even brought a little string of Christmas lights I was going to string up in the cabin. . . . It’s not like I can just book again right away,’’ she said, referring to the time and planning that goes into taking a trip as a disabled person.

Richardson said she’d had no discussion whatsoever with the agent at the airport about her medical history or background.

Read the whole thing.

-- SS


Anonymous said...

Obama tweets while HIT infratructure crashes and US citizens and others are abused. What me worry? HIT is the savior!

Shane Irving said...

I'm starting to wonder if HIPAA is actually a revenue raising method. Perhaps this funding will allow the OCR to recover? Yes, some of the offenses and fines have been warranted (willful negligence and so forth) but some organizations have also done everything reasonably possible and still have had issues. The complexity of systems and workflows required to comply can be staggering for some. I have also seen where others have gone overboard and have isolated (protected) themselves to the extent that patient care is at risk.... But they are HIPAA Compliant.