[ Wednesday, March 26, 2008 ]
Here's a stupid editorial
by the NY Times (wait, is that redundant?) on how the NIH breach points out the need for a new medical privacy law. As you probably know (I didn't even blog about it, it was so heavily covered), a researcher at the National Institutes of Health had stolen from the trunk of his/her car a laptop with information about cardiac imaging patients. The medical data contained patient names, imaging test results, diagnoses, etc. (apparently there were no social security numbers or other ID theft type data on the computer), but the data was not encrypted.
Let's Fisk the Times piece: "The National Institutes of Health, which was responsible for safeguarding the data, made things worse by delaying in notifying the patients
." Really? How were things made worse? Was there an improper use that earlier notification could've prevented? As far as I can tell, there has been no improper use at all. In fact, I'm fairly certain (under my "crackhead" theory of data loss) that there has been and will be no data loss; in fact, I can pretty much guarantee that the data was scrubbed off the system entirely and the hard-drive cleaned and re-written so that the stolen laptop could be resold and the thief (and his trading partners) could make some money off of it. In fact, earlier notification might've clued the thieves off that the laptop had valuable information on it, and encouraged them to use it rather than scrub it. There's a perfectly logical argument that the delay in notification would help, rather than hinder, in assuring the information did not fall into the wrong hands (whatever the hell that means -- who is going to improperly use this information? C'mon, be realistic.)
"The data was not encrypted as it should have been, which made it possible for an outsider to read.
" Right. Since it should've been encrypted (under HIPAA's Security Rule covered entities like NIH must take reasonable steps to protect this type of data, and I'd say that it's probably reasonable that encryption -- or at least password-protection, zip-filing, or some sort of hinderance on retrievability -- would be a minimum requirement), the current law covers the situation already. This is the same sort of stupid, knee-jerk response that emcourages new gun laws when a criminal uses a gun in another crime. Sure, the death penalty for murder won't deter the mall shooter, but if only there was an assault weapon ban, these senseless deaths would've been prevented. Right. The researcher broke HIPAA's requirements (in my opinion), and I suspect broke NIH's own policies and procedures. But if only there was a super-HIPAA law, this would've somehow been prevented? Sure.
"The release of this information is serious. Heart patients probably do not want their employers or insurance companies, among others, to know the details of their conditions.
" Probably? I guess so. But what are the odds their employer is going to get the info? Is the Times implicating the employers of these individuals in the theft? Was the crackhead who broke into the car to steal anything of value working for the unknown employers? Did he sell the information to the employers? As for the insurance companies: Gee, don't you think the patient's health insurers, who probably paid for the scans anyway, would already know that information? If not, they certainly could get that information, just by asking for it. Also, the patients probably signed authorizations allowing the insurers to get the information (certainly the case if the Times is talking about life insurance). If my insurer is going to pay for my bypass surgery, I suspect they're going to want to see my cardiac imaging studies so they'll know I really need the surgery. Dontcha think?
"We’ve been down this road before. In 2006, a laptop was stolen from the home of a Department of Veterans Affairs employee. It contained Social Security numbers and birth dates for millions of veterans and military personnel. The Veterans Affairs inspector general later strongly criticized the department’s procedures and its nearly three-week delay in notifying the victims
." Uh, that data included social security numbers, which are ID-theft gold. So it's a different deal. Plus, the argument for delay is the same -- allowing some delay might prevent the thief from knowing the value of what he got, thereby making it all the more likely he'll scrub the hard drive and resell the computer.
"These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data.
" OK, again, there is a law already (in addition to NIH policies) that was breached. Having a second law would help how? How about a law outlawing laptops? Outlawing computer data entirely? That would prevent this from happening again. So would a law outlawing cardiac imaging, now that I think of it. . . .
Jeff [10:26 AM]
Blogger: HIPAA Blog - Edit your Template