Health Information Compliance Alert

Published on Wed Mar 09, 2005 PDF

2ND PRIVACY THREAT ROCKS FLORIDA HIV/AIDS PATIENTS

If you think a simple e-mail gaffe won't have lasting damage, think again.

John "Jack" Nolan sent an e-mail to 800 county workers last February that contained the names and status of 6,500 residents diagnosed with HIV and AIDS. The county health department worked quickly to erase the e-mail before patients' information wound up in the wrong hands.

But anonymous letters postmarked March 8 led recipients to believe the county's efforts to clean up the mistake were not successful. The letters listed the telephone number of a medical billing firm in Indiana and made specific reference to recipients being HIV positive. An attorney for the Indiana company denies any knowledge of the mailings, the Palm Beach Post reports.

Health department officials do not believe the two incidents are related because the initial e-mailed list did not contain patients' addresses. "This is a separate incident, and I regard this as terrorism," Dr. Jean Malecki, the department's director, told the Post.

The Bottom Line: Train your staffers to be sure no PHI is contained in e-mails before they hit send - or prepare for disastrous consequences.

DON'T ASSUME EX-STALL WILL PROTECT PATIENTS' PHI

Pay special attention to how a worker's employment with your organization ends, or you could end up with a serious security breach.

Calling herself the "Diva of Disgruntled," Elisa Cooper, a former Kaiser Permanente employee, posted 140 northern California patients' PHI - including names and medical records - on her Internet Web site, according to Mercury News.
Kaiser Permanente officials asked the blog's host site, Blogger.com, to remove the PHI last Wednesday, even though the officials first learned of the breach from the federal Office for Civil Rights (OCR) back in January, Kaiser spokesman Matthew Schiffgens said.

Cooper was fired in June 2003. She claims that Kaiser posted the PHI on a technical Web site that was unsecured and later removed, but the former employee was able to repost the PHI on her Weblog. Cooper said her purpose in posting patients' PHI was to show how easily accessible the information was. She also claims to have filed a complaint with OCR about the lax security on the Kaiser Web site.

The Bottom Line: The former employee could be fined up to $250,000 and face 10 years in prison for the illegal PHI disclosure. And, Kaiser could pursue legal action against Cooper, Schiffgens says.

CONNECT YOUR PATIENTS TO THIS DIABETES PROJECT

A personal health record could help your Type 1 diabetic patients better control their disease and eliminate frequent medical visits.

That's the goal of Children's Mercy Hospitals and Clinics' online health record initiative to connect diabetic children to their caregivers. The patients would track their daily glucose levels, diet and insulin dosages in an electronic diary that doctors can access and monitor, the hospital states in a press release.

Technology giant Cerner Corp. has committed $25 million to fund and implement the program, the hospital stated.

The Bottom Line: The initiative's supporters believe this project will prove how personal health records lead to both improved health and reduced health care costs.

HEALTH IT OFFICE WANTS TO EASE YOUR EHR WORRIES

If you're intimidated by the push for electronic health records, you aren't alone.

But the Office of the National Coordinator of Health Information Technology (ONCHIT) is searching for ways to standardize the many separate network initiatives currently under way, including working with industry leaders to develop a minimum set of requirements for EHRs.

The Bottom Line: Keep your sights set on ONCHIT in the coming months as the agency lays out more precise guidelines for e-health networks.