Globe photographer finds medical records in landfill

The Boston Globe’s Liz Kowalczyk tells the story of how one of the paper’s staff photographers stumbled upon a massive medical privacy breach while dumping his trash.

Photo by D’Arcy Norman via Flickr

As Tinker Ready points out on Boston Health News, it’s a reminder that stories are everywhere … and shredders are not. Kowalczyk traced the documents to a billing intermediary.

Kowalczyk uses the landfill scene to demonstrate just how difficult it is for hospital officials to keep confidential information from slipping through the cracks.

The photographer said he saw health and insurance records from at least four hospitals and their pathology groups — Milford, Holyoke, Carney, and Milton — mostly dated 2009. The Globe notified the hospitals. It is unclear how many other hospitals’ records might have been discarded in the dump.

(Hat tip to Tinker Ready)

Reporter’s dumpster diving led to HIPAA deal

With a $1 million settlement, HHS and Rite Aid have closed the book on a HIPAA privacy case that began with a journalist’s investigative reporting in 2006. In a nutshell, Rite Aid employees across the country were tossing prescriptions and pill bottles out without taking measures to secure the sensitive information they held.

They were exposed by Bob Segall, Jim Hall and Bill Ditton of WTHR-Indianapolis. For the story, Segall eventually checked dumpsters in 12 cities nationwide and found unsecured information in all of them. Segall told the tale of how he broke the story, and how other reporters could do the same, in this article for AHCJ members.

For those unfamiliar with the case’s background, NPR’s April Fulton can get you up to speed. CVS settled with HHS last year, and NPR’s Fulton reports that Walgreens will be next.

HIPAA’s role in transplant story, correction

The Village Voice says things are rather tense at the New York Post after it incorrectly reported on Monday that an alleged killer received a liver transplant at New York-Presbyterian Hospital. Frederik Joelving of Reuters Health reported on Tuesday that the hospital denied the transplant had taken place there.

Cover of Monday's New York Post.

That was followed by a correction in the Post on Wednesday morning. The original story is no longer available on the Post’s site but is available through Google’s cache.

According to the Village Voice, which quotes unnamed sources in the Post newsroom, “Rupert Murdoch was so enthralled with the story when it ran, that he called Post editor-in-chief Col Allan to personally congratulate him on it.” It also says the tip for the story came from Allan.

Because of the Post’s story, the hospital eventually had to deny that Johnny Concepcion, accused of killing his wife, received a transplant there after eating rat poison in a suicide attempt. Hospital comments on whether a patient has been treated are fairly unusual, as hospitals try not to run afoul of the privacy rules outlined in the Health Insurance Portability and Accountability Act.

In fact, the Post’s correction says the hospital declined to comment before it published the original story, citing HIPAA, but that “Curiously, the hospital now sees itself free to publicly discuss Concepcion’s case.”

Speaking of HIPAA, The Reporters Committee for Freedom of the Press recently released “FERPA, HIPAA & DPPA: How federal privacy laws affect newsgathering,” a guide to federal privacy protection laws.

The section on HIPAA explains the history of the privacy rules, the Standards for Privacy of Individually Identifiable Health Information, and discusses how it has been misunderstood and misused to keep information from reporters. AHCJ President Charles Ornstein, a senior reporter at ProPublica, is quoted extensively and offers examples of its misapplication. The piece also outlines what the law does allow.

Visiting some health care blogs you might not know

Dec. 22nd, 2009 by Andrew Van Dam
Filed under: Health journalism 

FierceHealthcare, a site that says it’s geared toward health executives, spotlighted nine health care bloggers and, once they realized all nine were male, five female health bloggers. We thought we’d point out some blogs that our readers might not have on their radar.

Tip: To navigate those slide shows, just click on the tiny mug shot hiding in the bottom right corner well beyond the point where you assume the post has already ended.

Worth a visit

popHealth Populi: Jane Sarasohn-Kahn’s strategy seems to be to take something interesting and current, illustrate it with a chart or graphic and then riff on that idea, bringing in other sources as needed. The upshot is that her site’s updated almost daily with something you usually haven’t already heard somewhere else.

Dr. Greiver’s EMR: While the list included a number of wonky HIT blogs, I found that I learned the most from Canadian physician Michelle Greiver’s running updates on her transition to electronic medical records. I recommend taking a few minutes to start from the beginning and scan Greiver’s journey. You’re sure to come across a heap of fascinating anecdotes, from how EMRs make flu shot clinics more efficient to how much she dislikes insurance companies.

HealthBlawg: Health attorney and consultant David Harlow’s Blawg (shorthand for Law-Blog) often touches on topics of interest to health journalists, including electronic medical records, privacy and, of course, HIPAA.

Hoban reports on uneven H1N1 death disclosure

WUNC reporter and AHCJ member Rose Hoban put together a story about uneven disclosure of H1N1 deaths by public health officials and the possible benefits and risks of providing more information. In the end, Hoban reported, it comes down to balancing individual privacy and the public interest.

On the official side, Hoban spoke to Megan Davies, M.D., North Carolina’s epidemiologist, who referred to the lack of a “compelling public health need” to provide H1N1 death data on a county-by-county level, pointing out that in many areas it would be easy for locals to take that information, match it with recent death records and come up with the name of the infected person. Davies said that, in cases like that, she fears the infected person’s family would be stigmatized.

“The fear of contagion’s a really primitive thing that comes up in people,” Davies said.

Additionally, Hoban says, officials are bound by medical ethics, state laws and federal health privacy regulations (which, she notes, generally don’t cover people who are already dead).

For another perspective, Hoban spoke with AHCJ board member Felice Freyer of The Providence Journal. Freyer discussed AHCJ’s report that disclosure had been uneven across the country, and said that officials should share information unless there’s a compelling reason not to.

“Public health officials can’t do their job if they don’t have the trust of the public and no one’s going to trust them if they hide information for no reason,” Freyer said.

Former CDC lead legal counsel Gene Matthews agreed, noting that “Too little information can be a bigger headache than too much.” According to Matthews, this problem has been exacerbated by the Internet where, “If the public health officials don’t provide enough information, the outsiders will simply make it up.”

Hackers hold Va. prescription database hostage

May. 5th, 2009 by Scott Hensley
Filed under: Government, Health data 

Some very nasty folks disabled a Virginia state Web site containing confidential prescription information, reportedly deleting more than 8 million patient records from a database used by pharmacists to combat drug abuse.

Illustration by d70focus via Flickr.com

The bad guys want $10 million to restore the data. Let’s hope somebody made a backup.

The hackers apparently struck the Virginia Department of Health Professions last week, trashing a secure site for the Virginia Prescription Monitoring Program. Brian Krebs of The Washington Post’s blog Security Fix has the story.

The department’s site is still having trouble. But you can find out how the monitoring program worked by reading this 2004 report, hosted on a Wisconsin server that’s still chugging along.

A report on the break-in and the $10 million ransom demand was first posted on Wikileaks.org.

State and federal officials have opened criminal investigations, the Post reported. Neither the Virginia department nor the FBI would comment on details of the hackers’ claims or the status of investigations, the Post wrote.

Thomas Claburn of Information Week writes:

Extortion demands of this sort have become relatively common in data breach cases. Last October, for instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records.

According to Claburn, the technique of capturing data, encrypting it, then selling access to the former owner has become popular enough to earn its own name: cryptoviral extortion.

Computerworld reports that just last week the former information technology director for LifeGift, a nonprofit organ and tissue donation center that is the sole provider of organ procurement services for more than 200 Texas hospitals, pleaded guilty to a charge that she broke into the organization’s computer network and deleted organ donation database records, invoice files, and database and accounting software — and the backup files — according to the U.S. Department of Justice.

TV report leads to $2.25 million HIPAA settlement

A report by Bob Segall of WTHR-Indianapolis prompted the federal investigation that led to CVS Pharmacy’s agreement to pay $2.25 million for violating consumers’ privacy by not properly disposing of “protected health information such as labels from prescription bottles and old prescriptions.”

The acting director of HHS’ Office for Civil Rights said Segall’s award-winning investigation “formed the basis of the [federal] investigation.”

Segall won a 2006 Award for Excellence in Health Care Journalism for his investigation. He also wrote about how he reported the story in an article for AHCJ: How we did it: Diving into prescription privacy.

CVS will pay $2.25 million and initiate a plan to protect consumer privacy. (Photo by afagen via Flickr)

“I think I was as surprised as anyone when I got a call from HHS” telling him about the settlement. Segall says that for the past two-and-a-half years, he has been calling the Office of Civil Rights every 60 to 90 days to find out the status of its investigation.

“After two years, I wasn’t expecting their investigation would lead to anything,” Segall says. “It’s not every day that they impose fines for HIPAA violations.”

He says the victims in Indiana were pleasantly surprised, though some are disappointed they won’t be seeing any of the $2.25 million.

“As a journalist who deals with the repercussions of HIPAA on almost a daily basis, there are so many times brick walls are put up for journalists” in the name of HIPAA privacy rules. Segall says he is gratified to see the law “really does have some teeth and the Office of Civil Rights is really going to pursue cases like this one.” While he says we’ve all seen alleged violations in which nothing is done, this settlement will send a message to companies that deal with consumer health information.

“I think it’s nice to see that this law, that for journalists does nothing but stand in the way, does help consumers.”

Reports on health indicators, HIPAA released

Feb. 4th, 2009 by Pia Christensen
Filed under: Studies 

The Institute of Medicine has proposed 20 specific health indicators to measure the overall health and well-being of Americans. These 20 indicators will “help Americans track the nation’s progress on improving our health and the effectiveness of public health and care systems,” the report says.

The indicators include things like life expectancy, mortality, unhealthy days, chronic disease and psychological distress.

“Stakeholders and Public Should Use 20 Specific Health Indicators to Measure and Track Health and Well-Being of Americans” is available as a free download from the National Academies Press.

HIPAA privacy rule is inadequate

The National Academies Press also has published “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,” a report that concludes the HIPAA Privacy Rule does not protect privacy as well as it should, and that it impedes important health research.

From the report: “The HIPAA Privacy Rule is difficult to reconcile with other federal regulations governing research involving people and their personally identifiable information. Moreover, organizations that collect and use health data vary greatly in how they interpret and follow the rule, and the rule does not apply uniformly to all health research. The committee’s review of published reports, testimony from patient and privacy advocates and the health research community, and other sources of information led it to conclude that the way the rule is currently interpreted does not adequately protect privacy and impedes important health research.”

The report notes that security breaches are a growing problem for health information databases and that encryption should be required for all laptops, flash drives, and other portable media containing such data.

A report brief is available as a four-page PDF. Journalists can get PDF or printed copies of the full report by contacting the National Academies Office of News and Public Information at 202-334-2138 or news@nas.edu.