HIPAA – not what you think it is

HIPAA pedestal

HIPAA (the Health Insurance Portability and Accountability Act of 1996, along with its subsequent amendments) was never intended to interfere with patient care. It was about insurance. It is not the “Health Information Privacy Protection Act,” aka HIPPA, which does not and never has existed.

For one, it does not apply everywhere you have medical information. Here is where it does not typically apply (there may be a few exceptions, but in general, HIPAA does not apply here):

  • your employer for pre-employment physicals, wellness, or workers’ comp
  • your kids’ school (other privacy laws, such as FERPA, may apply)
  • your health apps and devices, like Fitbit or Loseit
  • DNA companies, like 23andme

 

Surprised? I could write papers on any one of these topics, and I probably have. But here’s another kicker: HIPAA does not automatically apply to your doctor or hospital.

Okay, so in reality, HIPAA probably does apply to most everyone’s doctor and hospital, but it is not automatic just because they provide medical treatment. They have to engage in particular electronic transactions related to health plans, claims, and care (for the actual definitions, see HIPAA, particularly sections 1172 and 1173, or in general here). So if you see a provider who does not file on insurance and does not send information about your care or status electronically, then HIPAA does not apply.

But also, HIPAA does not interfere in patient care. A medical provider can share information about a patient if it is deemed to be in the patient’s best interest to do so (barring, perhaps, the patient specifically restricting information from being given to a particular person). HIPAA also does not prevent a family member from accompanying a patient to other parts of a facility for testing. I’ve seen this often: staff take a patient to get x-rays and tell family members that they cannot accompany the patient because of HIPAA. There may be other reasons, but HIPAA is not one of them, unless the facility is in flagrant violation of any sense of confidentiality expectations.

Also, and I have done this myself, HIPAA does not stop an individual from providing information about a patient to a medical provider. If the facility is doing, or not doing, something to your loved one as a patient that concerns, worries, or bothers you, you can absolutely call them, provide information, and relay your concerns. This nonsense about providers and staff refusing to talk to someone because HIPAA forbids it is ridiculous. They cannot provide information that is confidential (unless an exception applies), but they can certainly listen. And often they need to listen, because it may be information they are missing that could be critical to the patient’s care.

Last, when you go to a new doctor and they ask you to fill out forms for your prior doctor to get your past medical records: HIPAA actually does not require that. It has become the industry practice to do so and, in general, it is a good practice to ensure that it really is you asking for your specific records to go to this new doctor. But HIPAA does not require an authorization for health care purposes (treatment or payment). If that form is interfering with obtaining necessary medical care, there is a problem.

So, HIPAA is not everything you may think it is. If you have questions, let me know. I am happy to write about privacy.

“I have a quick question…..”


The conversation starts with: “I have a quick question.” It’s never quick to ask or quick to answer, especially when, to really answer the question, more information is required. I should never say never. If your question is “Is it okay to kidnap a stranger and keep them locked up for ten years while I bilk all their life savings?” the answer really is quick. No.

Otherwise, most of the time when someone wants to ask a quick question of an attorney, they are generally looking for a valid legal response, even if the attorney disclaims that it is not legal advice.

Don’t get me wrong, most of us love intellectual debates and discussing our passions. Asking me about privacy is like asking a new mom about her babe: it’s a miracle if I ever shut up. (Those who know me, quit laughing! I am limited to one cup of coffee daily.)

The point is, there is rarely a “quick question.” If you really do intend it to be a quick question, do your homework first and only ask about the remaining issue. Here’s a good scenario:

Quick question: 
“Should I report my doctor for a HIPAA breach if they mailed me the wrong lab results?”

Why it’s not quick:

  • Who are you thinking you should report the doctor to – the medical board, the U.S. Office for Civil Rights, a non-US regulatory authority, state attorney general, state insurance office, employer, insurer? The list can be very long.
  • Is your doctor under any requirements that address privacy, other than the physician requirement for confidentiality? (HIPAA does not apply to everyone)
  • What information did you receive, and how do you know it’s not yours? Are the lab results for a test you did not have, is there another name on the test, is it not your patient ID, was the address wrong and the post office delivered it to the right address, or did the post office deliver it to the wrong address? There are lots of ways this could be wrong.
  • Did you discover this yourself or were you informed?
  • Why do you want to report it? (public obligation, anger, want to sue, etc.)
  • Have you been harmed? (not necessarily critical to being a breach, but is important)
  • Has the other patient been harmed? (or would they be)
  • Do you still have the information?
  • Have you reported this to the doctor? If so, what was his/her response?

and other questions would follow based on responses.

My quick answer would be: you should let the doctor know and return the information to him/her without keeping a copy, but take notes on the entire interaction. This may or may not be the correct answer, depending on the responses to the questions above, which I would not know if I did not ask.

And the “quick questioner” will probably still ask a follow-up question or respond with more information, making the quick question and the quick (perhaps accurate) response still not so quick.

If people really wanted to ask a quick question, they would do the homework and come to the attorney (or privacy officer) with a really quick question:

“Hey, my doctor in Indiana mailed me the lab results for another patient with that patient’s name on it and it is HIV results. I know it is a breach under HIPAA, but it appears my address is connected to that name. I told the doctor’s office and I shredded it, but should I report this to the Office for Civil Rights?”

Quick answer:
“Oh, that’s bad. Yes, you can report to the Office for Civil Rights, although you don’t have to, and they can match it to your doctor’s breach disclosure list, which is not required until the year is over for one-offs. You can also follow up and ask your doctor if they let the other patient know, but they don’t have to tell you. Make sure they correct your address linked to that patient and make sure your name is not on his/her address and no information on you has been sent there.”

This is not unique to privacy or to attorneys; it happens to pretty much everyone. If the quick question is a conversation starter, because you are looking for a way to start chatting, fine. But it could be awkward, and you might get a rude response or create a bad impression.

If, however, you really do think that you can ask someone who knows (perhaps an “expert”) a question related to their knowledge and expertise, and the person is a friend, good acquaintance, or close work colleague, sure, do it. But be respectful, do your homework, and provide concise, clear, and critical facts. Do not turn it into a verbal essay, and please explain up front that if it is not so quick from their point of view, they should just say so; you get that there may be complexities you don’t see.

If this person does answer, you should provide them with a thank you, such as a gift card to their favorite coffee or food place, flowers, a thank-you item, or an effusive thank-you card. They won’t expect it (because who does that?), and it will become a pleasurable experience for them and for you.

Explaining “Privacy Attorney”

People often ask me what I do as an attorney (disclaimer: I do not take clients; I work for a company). When I say I’m a privacy attorney, the reactions range from polite confusion to complete incomprehension to vague niceties.

My typical response is “Here in the US, you hear about HIPAA HIPAA HIPAA and patients patients patients, right? In all other countries with privacy laws, you don’t have protection because you’re a patient, but because you’re a person.”

It’s a much bigger deal.

Privacy is something that we have lost in this digital world. We need to reclaim our privacy.

Much of the movement in personal data protection law is coming out of the European Union, but privacy (data protection) laws are prevalent in Asia-Pacific, Canada, and Latin America. And the level of protection varies greatly, from protecting only employee data, to everyone’s personal data, to online, mobile, financial, etc.

If you are an individual, pay attention to what you share online and how you maintain the security of your data (don’t write your passwords on a post-it note and stick it to your computer, and don’t email IDs and credit card numbers without encryption, and that includes efax). If you’re a business, pay attention to what data you collect, whether you need to collect it, how you use it, share it, and secure it, and, for goodness’ sake, know how long you retain it and DESTROY it.

That’s what a privacy attorney does. In a very small yet profound nutshell.

Microwaves, wiretapping, and genetics

Thanks to a friend and colleague, Prof. Gary Marchant at the Sandra Day O’Connor College of Law at ASU, I was invited to join Gary and Caroline Lynch to speak with 3TV’s Politics Unplugged’s Dennis Welch on March 19, 2017.

The questions were on three main topics: wiretapping, genetics, and microwave spying.

It was quite lucky that each of us had recently researched or worked with one of these topics.

Caroline took the first issue, on wiretapping, and discussed the relevant laws and historical context. It is possible, but unlikely, that Trump was targeted directly.

On genetics, there is a bill working its way through Congress that would permit employers to collect genetic information, in this case related to wellness programs. Unfortunately, under the Genetic Information Nondiscrimination Act of 2008, genetic information includes information about relatives, which is standard information doctors ask for during physicals: do you have a family history of heart attacks, high blood pressure, cancer, etc.?

On microwave spying, well, that one came to me. Microwaves are not typically equipped with cameras and microphones, but they could be, and the average consumer, or heck, even the sophisticated consumer, would not know it. In fact, in 2016 a botnet of hijacked consumer devices (mostly internet-connected cameras and DVRs rather than toasters) was used to take down multiple major websites. It’s possible, but unlike Samsung TVs, not likely.

My favorite quote in the entire video is when Dennis asked for our last words of wisdom. Yours truly announced that we’re not paranoid if it’s really happening…

For the full video, watch here. https://www.youtube.com/watch?v=cX5UYk19Uhc&t=36s 

(and no, no one warned me that there was no table. they were in process of moving studios…so knees together, ladies!)

User or Loser: two factor authentication


This week I have received five “Congratulations, your email blanketyblank.royal@gmail.com has been created” messages. But for two factor authentication, I would be hacked.

Let’s discuss what this is and why you need it.

Two factor authentication means you use two “things” to verify your account. You might use a password plus a security question, which is standard for banks. Strictly speaking, though, a security question is another thing you know, the same kind of factor as the password, so that pairing is weaker than combining the password with something you have (a phone or token) or something you are (a biometric). Security questions are not the best type for two more reasons: 1) the answers are the games you play on social media: where were you born, what was your high school mascot, who was your favorite teacher, what was your first car? And 2) if the questions are obscure enough, you forget the answers. My first pet could be the first one I know of (my parents’ dog), the first one they got me, or the first one I got myself. For kicks and giggles: who out there doesn’t use his/her mother’s maiden name?

So, other second factors include recognizing a token upon log-in, biometrics, and sending a verification code to your phone or email. The latter is my favorite. (It is also the easiest of the three to subvert: a code sent by SMS or email can be intercepted through SIM swapping or a compromised mailbox and can be phished in real time, so an authenticator app or hardware token is stronger where the service offers one.)

Why is two factor (or multi-factor) authentication important? To prevent theft and fraud. Is there anyone who uses a computing device who has not been affected by a data breach, such as the Yahoo breaches that exposed well over a billion accounts? If you think not, you just aren’t aware of it yet.

When passwords are breached, thieves have fun. They have automated scripts that try your email address (and any usernames in your email, such as account set-up notifications) and password against all known bank and credit card sites; this is called credential stuffing. Often people use the same password, and simple iterations of that password like password11, password22, etc., on everything. Stop doing that!!

With two factor authentication,  you’ll know if someone is trying to hack you and you’ll put a virtual foot up a hacker’s virtual butt… and his/her real fraudulent plans.

Use it or lose.

 

Privacy Officers are like Washing Machines

Privacy Officers (whether attorneys or non-attorneys) are a lot like washing machines. Aside from the obvious resemblance, that we handle dirty laundry, let’s consider some of the other similarities.

If there is no agitation going on, nothing’s really getting done: Like other compliance roles, privacy may not always sit well with colleagues, who may see us as roadblocks to their great ideas. This is one reason why, in Europe, privacy officers are afforded a huge measure of protection: they must be able to act independently without fear of reprisal or role reduction. On the other hand, we are here to help get the job done right, so sometimes we just need time to churn and roll it around a few times!

Front Load vs. Top Load: Privacy programs function in a variety of different ways, and there are benefits in all of them. Personally, I prefer a front load (seeing privacy as an equal partner, horizontal) rather than a top load (pushing duties and mandates down, vertical), but they all get the job done.

Newer Models: Are the fresh new models really better? Or do they simply have more bells and whistles even though the core job is still a high quality result?

Added Technology: However, maybe those newer models do come with some extra technology, such as sensing the load, adding steam cleaning, and using less detergent. There are significant considerations when employers look for years of experience: maybe they need years, but maybe they need technical enhancements.

Washing Only, Please: Regardless of any bells and whistles, we really just want a machine that washes clothes. We don’t want a machine that does clothes, dishes, cooking, and floor cleaning (which sounds cool as a concept, but in reality would simply be overloaded and do nothing at a high standard).

Quiet vs. Clunkers: There are some who shake, rattle, and roll and others that are extra quiet. Neither really speaks to quality; it’s just a different way of working.

We need the Right Settings to Deliver the Right Results: ‘nough said.

Capacity Limits (Overflows are Bad): Stuff too much in and expect too much done – and you get poor results. Sure, the laundry will be a little cleaner, but only marginally. Similarly, putting in too much detergent, bleach, softener – not good. Right amounts at the right times result in optimum work.

Wash first, then Dry: There’s an order to the process. Washing comes first. Cleaning by Design. If you just throw your clothes in the dryer without washing them first, you accomplish nothing meaningful other than getting warm sheets that feel good, but eventually the dirt on them causes real problems.

Don’t Leave the Laundry In: Ever had a load of laundry that was clean, but no one did anything with it after that?  Similarly, once we provide recommendations, if the business doesn’t act on it, the final product will smell a little musty.

Don’t Remove Laundry Before It’s Done: No one wants to manage soaking, sudsy laundry. Let the machine do its work. Now, if I could manage to be like the front load machines and simply not permit anyone to open the door without putting some controls in place…

We All Need Washing Machines: Seriously, who doesn’t use a washing machine? Whether you have one at home or use a laundromat (lots of machines, pay per load, able to handle huge loads – great business model), washing machines are simply a staple of modern life.

Consistent Work Product: Load after load. Great results. Doing the job right.

Complaints of Doing Laundry: So everyone complains about doing laundry, but the machine really does the massive, core job. Sure, you have to give us the laundry to do along with the right tools, and yes, you have to do something with the clean clothes. And yet, complaints complaints complaints about “Ugh. Laundry Day.” Would you prefer not to have a washing machine, or just have loads of dirty laundry lying around, getting in the way, stinking? Eventually, you could not actually walk around your house with all the piles of laundry, or you’d just have to resign yourself to wearing dirty clothes. Oh wait, just go buy new clothes? Eventually, you’d run into the same problem or run out of money. Just let the washing machine do its job and we’re all happier.

Do-Si-Do – dancing with privacy: Trump and Cybersecurity

During the current U.S. president’s administration, we have seen a tremendous effort in protecting digital assets and cybersecurity. Industry experts tend to feel that although the initiatives do not take us as far as we need to go, they have covered immense mileage. Will this change under the new administration? Experts disagree on the answer.

President-elect Trump’s website provides an overview of his initiative, namely launching cyber-offense. We must keep in mind that this website is pre-office and like many presidents, subject to change once reality hits. But let’s look closer at some hints we have at what might be coming or disappearing.

On his campaign website, Trump declares four points as his vision:

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.
    • The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats, and will be followed up regularly at various Federal agencies and departments.
    • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber-attack.
  • Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  • Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

These are ambitious goals and he further elaborated on them in several speeches, such as the one he highlights on that page to the Retired American Warriors.

Cabinet choices: some of the individuals selected for cabinet positions (Attorney General and Director of the CIA) are causing a few concerns in the privacy world, according to CNBC:

The president-elect’s selections for attorney general — Sen. Jeff Sessions, R-Ala. — and CIA director — Rep. Mike Pompeo R-Kan. — have argued publicly that the government needs greater surveillance powers.

McSherry said Pompeo poses a particularly worrying risk to American citizens’ privacy, as he has advocated for things like the routine mass collection and use of “social data” from third parties, like Facebook and Alphabet‘s Google. Pompeo has also called for Edward Snowden to be put to death, said Chris Calabrese, vice president for policy at the Center for Democracy and Technology.

In addition, Trump reportedly disagreed stringently with Apple’s refusal to help the FBI hack into a terrorist’s cell phone (you remember that story, right?). Supposedly, Trump called for a boycott of Apple products. Now we all have opinions on what was the right thing to do there, but I personally know few people who supported assisting the FBI (I opposed it, and I am a diehard FBI fangirl). The issue is that no matter how much we love the law enforcement of the USA, we also love the people of the USA, and that includes all of their rights and responsibilities guaranteed under the Constitution. We can argue all day long about what exactly that means, but if the arm of the government kept its fingers only in the pies it should, there would be no problem with privacy. Unfortunately, the zeal for ferreting out bad guys seems to carry no counterweight with some law enforcement. And the history there is undeniable.

But let’s get back to the Trump administration and cybersecurity.

He is openly supportive of the US launching offensive cyberattacks (as evidenced by his own statement provided above). Now, I am not a politician or policy-maker, but I see both good and bad there. I’d love to hear from true cyber-experts whether that is the way to go. In most competitions, being strong defensively as well as offensively is highly advised. But will there be a system of checks and balances that draws a clear, uncrossable line, BEFORE there is real harm?

I, for one, truly hope that the new administration continues to build on the advancements made by the current administration. As a nation, we must protect ourselves; but as individuals, we must also protect ourselves and each other. We must avoid a mob-mentality and not give in to mass hysteria…unless a situation becomes so untenable that it takes a national uprising to protect our rights and wellbeing.

I am just not sure what direction that takes or what music it’s dancing to…

What I am sure of is that Trump thinks more in terms of business than politics. Given his recent meeting with Silicon Valley icons, my hope is that he will play ball, or, as the title suggests, dance like a businessman (sorry, not sorry) and look for the greater partnerships, which just might be a good thing for us, our privacy rights, and our national cybersecurity efforts. We will have to watch carefully and quickstep if we see it going the other direction. I am afraid this is not an issue that can be stopped easily once it gains tremendous momentum, and that can apply in either direction. So here’s to dancing in the right direction!