FYI about HIPAA.

Des Moines Register, August 17, 2008

Medical privacy law fails to stop snooping

By CLARK KAUFFMAN

When Jill went to her doctor two years ago for an operation on her uterus, she didn't expect that details of her problem would later appear in the hometown newspaper.

The article included her full name and occupation. There were details of what was called her "embarrassing" and "odd" medical problem of heavy menstrual flow. The article described her physician's treatment and said, "Now Jill no longer experiences heavy and irregular periods."

Jill says she was subjected to public ridicule, humiliation and depression. She is now suing a medical-services company and its public relations firm for the alleged unauthorized use of her name and medical condition in a promotional piece that masqueraded as a news article.

Jill isn't the only Iowan to complain of medical-privacy violations. A Des Moines Sunday Register review of state and federal records shows that dozens of Iowa health care workers have been disciplined by their employers for snooping through the medical records of HIV-positive men, pregnant teenagers, victims of domestic violence and emergency-room patients.

Not one of them has been prosecuted for violating the federal patient-privacy law known as HIPAA, an acronym for the Health Insurance Portability and Accountability Act.

When enforcement of the law began in 2003, it was touted as an effective tool in the fight to improve patient privacy. In the five years since then, 38,000 Americans, including 267 in Iowa, have complained of HIPAA violations to the federal Office for Civil Rights. More than half of those complaints nationally have been disposed of with no investigation.

Only a handful of people nationally have ever been prosecuted for violating HIPAA. No prosecutions have occurred in Iowa, federal officials said.
"There are no HIPAA cops out there looking for violations," said Abner Weintraub of the HIPAA Group, a company that advises health care providers on the privacy law.

"Enforcement at the Office for Civil Rights is virtually nonexistent," Weintraub said. "Technically, they've still not issued a single fine - not even down to the $100 level, and they could toss those around like candy, if only to wake people up about the seriousness of compliance."

Susan McAndrew, deputy director of health information privacy at the Office for Civil Rights, said the office has investigated and resolved 6,800 cases by requiring care providers to make changes in their privacy practices or to take other corrective measures.

"OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains and small-provider offices," she said.

As for Jill, the defendants in her lawsuit are Cytyc Corp., the company that trains doctors on the "NovaSure procedure" that was part of her treatment, and Schwartz Communications, which does public relations work for Cytyc.

According to the lawsuit, representatives of Cytyc were with her physician while she was being treated in the doctor's office, and they collected information on her background and her condition. Months later, she alleges, a woman named Allison called her at home to inquire about her recovery and to collect more information, presumably as part of medical follow-up by NovaSure representatives.

Jill alleges that although she specifically refused Allison's request for permission to use her information in any promotional campaigns, the material made its way into a press release that was sent to two Iowa newspapers and then published, verbatim, in her hometown paper.
She alleges the press release was authored by Schwartz Communications - a company that has dozens of clients in the health care field and promotes its ability to provide them with favorable news articles.

Officials at both Cytyc and Schwartz Communications declined to comment on the case.

Although Jill's full name and hometown are specified in the lawsuit, the Register is not identifying her or any of the other patients whose medical conditions are described in detail as part of this article.

Ex-hospital employee accessed patient data

The Register's review of state unemployment records shows that some Iowa hospitals and clinics have gaping holes in their systems to safeguard patient information.

Last year, a former employee of St. Anthony Regional Hospital in Carroll kept her access to the hospital's patient database long after she had left, because her account was never disabled. According to the records, phlebotomist Stephanie Hills worked at the hospital for about four months on an as-needed basis. She then left for a position at the McFarland Clinic in Carroll.

While at the clinic, Hills used her computer to repeatedly look up information on patients at St. Anthony. Access to the St. Anthony database required a hospital-issued user name and password, but Hills' account was not disabled when she left her part-time job there.

According to officials at the clinic, Hills used her old credentials to log on to the hospital's database several times per day over a 90-day period. She was accused of accessing the patient information to satisfy her own curiosity.

After she was fired, Hills complained that one of her former co-workers at the McFarland Clinic had only received a suspension for publicly gossiping about a 16-year-old patient's positive pregnancy test. "She told this information to a lot of people in town, and the news got around," Hills testified at a state unemployment hearing.

Hills was not prosecuted, and there's no indication that the U.S. Office for Civil Rights sanctioned the Carroll hospital for the security breach.

Hospital administrator Ed Smith said that while he is not familiar with the case, he is sure any problems with data security have been corrected. "We have policies in place to protect patients' privacy," he said.

Why enforcement of privacy law is lacking

Critics say one of the main problems with enforcement of the HIPAA law is that health care providers need not report internal violations of patient privacy.

"This is a tremendous loophole," said Weintraub, whose company advises health care providers on the privacy law. "Enforcement is left to the health care community to sort of self-police itself, and to the Office of Civil Rights, which has done virtually nothing."

McAndrew, the Office for Civil Rights official, said her agency prefers to use corrective-action orders and seek voluntary compliance with the law. "We have found that this is the most effective way to obtain industry compliance with the privacy rule," she said.

Dr. Deborah Peel, a practicing physician who heads the advocacy group Patient Privacy Rights, says the problem is not with enforcement but with the law itself. She testified before Congress this summer and complained that a 2002 revision of the HIPAA privacy rule eliminated crucial provisions requiring a patient's consent for disclosure of information about that person. In place of that requirement, the revised rule gave health care providers broad latitude to disseminate information about a patient without the person's consent, she said.

"That took away your ability as a patient to control access to your information," Peel said. "So now there is no real privacy right to be violated. That's why we're not seeing any prosecutions. ... That's why I say it is really 'the anti-privacy law.' "

About 56 percent of the 38,000 HIPAA complaints filed in the past five years have never been investigated.
The Office for Civil Rights says that is largely because officials determined those complaints did not allege an illegal act or were not filed on time. A total of 437 complaints - less than 2 percent of the total - have resulted in criminal referrals to federal prosecutors. Experts agree that there have been fewer than a half-dozen cases actually prosecuted nationally.

So far, prosecutors have focused almost exclusively on the few people who have gained access to patient information with the intent of selling it or using it as part of some other crime, such as identity theft. Health care workers who have obtained medical information improperly and then shared it, free of charge, with friends and neighbors have not been prosecuted.

The one exception involves an Arkansas nurse who pleaded guilty this year to violating HIPAA by passing confidential information to her husband, who then threatened to use the information against the patient in court.

In the wake of that conviction, U.S. Attorney Jane Duke of Arkansas said the case showed that health care providers need to take HIPAA seriously. "The privacy provisions of HIPAA are serious and have significant consequences if they are violated," Duke said. "Long gone are the days when medical employees were able to snoop around office files for 'juicy' information to share outside the office."

Hospitals tolerate repeat violations

If Iowa public records related to job misconduct are any indication, however, the days of snooping are still here - and even the repeat offenders needn't fear prosecution.

Molly Daly was fired this year from Great River Medical Center in West Burlington, where she worked as a registration clerk. She was accused of sharing information about a female patient who had been treated for injuries stemming from domestic violence. Daly had been disciplined twice before for sharing patient information.
In February 2006, Jo Pollman was working as a patient registrar at Shenandoah Memorial Hospital when she allegedly told two people that someone they knew had an appointment in the ob-gyn clinic. The two people showed up at the clinic at the appointed time, resulting in a confrontation with the patient.

The hospital's human resources director, Linda Braden, said later that the patient's mother was "just appalled" at the breach of security, but Pollman was not fired. "The CEO made the decision to give her a very stiff warning that said never again would this be tolerated," Braden said.

Nine months later, Pollman was fired for more alleged privacy violations. In all, she had received five separate warnings for privacy violations, productivity issues and poor relations with co-workers.

That same year, Jodie Vardaman of Clarinda was fired from the Clarinda Municipal Hospital, where she was a nurse. She was accused of passing confidential patient information to her mother. She had previously been warned three times about breaching patient confidentiality.

Federal officials acknowledge problems with the enforcement of HIPAA and recently hired a consulting firm to conduct record-security inspections of hospitals, pharmacies, doctors' offices and clinics. However, plans call for those inspections to focus only on those entities that have already been the subject of complaints.

Most hospitals have the ability to routinely audit which workers are accessing which patient files, since their record systems log every chart lookup. Even so, some privacy violations go undetected for months, because those logs are typically examined only after a complaint or in a random spot check. For example, Christine Ingram was fired in May 2006 from her job as a clerk at Davenport's Genesis Medical Center. She was accused of looking at the medical records of a co-worker.
State records indicate that when Ingram's superiors realized what happened, they ran an audit of her past computer use and discovered that she had improperly accessed patient files twice before - once in November 2005 and again in April 2006.

A Genesis spokesman said the hospital has systems in place to prevent unauthorized disclosure of information. The system includes random computer surveys of employee access, he said.

Former UCLA Medical Center employee Lawanda Jackson, who has been charged with selling the records of celebrity patients such as Britney Spears, is alleged to have spent years improperly reviewing the files of hundreds of patients before she was caught.

"We have no excuses," said Dr. David Feinberg, chief executive of UCLA Health System. "UCLA should have detected the violations by Ms. Jackson years ago and should have immediately initiated the process to dismiss her."

Snooping on co-workers a common problem

Weintraub, whose company consults with health care providers on the privacy law, says one survey indicates that as many as 30 percent of the privacy violations nationally involve patients who also were employees of the company where the security breach occurred. That may be because their medical information can be easily accessed by co-workers acting out of either curiosity or concern.

When Sandra Beaver asked her supervisor at the Knoxville Hospital Clinic for time off for surgery her physician ordered, her supervisor examined her medical file to determine whether the surgery was really necessary. Although the supervisor was not a doctor, she decided the surgery was not needed then and denied Beaver's request for time off.

"I was not happy," Beaver said. "Just because I'm an employee doesn't mean that you, as my supervisor, can look at that information."
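Every case in this article was visible in an access log somewhere: a departed phlebotomist's account still working for 90 days, a clerk opening a co-worker's chart, a supervisor reading a subordinate's file, one employee touching hundreds of patients over years. As an added illustration (this is not code from the article or from any hospital named in it), the Python script below reconciles an EHR access log against an HR roster and builds a review queue for exactly those patterns: use of an account after its holder's separation date, logins from accounts HR has no record of, staff opening a chart that belongs to another employee, and one account opening far more distinct charts than its peers. The log format, usernames, patient IDs, dates, roster and thresholds are all constructed for the example; a real deployment would read the system's own audit export and HR feed.

```python
"""Added example: reconcile an EHR access log against an HR roster.

Not from the article or any hospital it names.  All usernames, patient IDs,
dates, log lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster: account -> role, separation date (None if still
# employed) and the holder's own patient ID if they are also a patient here.
ROSTER = {
    "phleb01": {"role": "phlebotomist", "separated": date(2007, 3, 31), "patient_id": None},
    "clerk02": {"role": "clerk",        "separated": None,              "patient_id": None},
    "nurse03": {"role": "nurse",        "separated": None,              "patient_id": "P-1001"},
    "reg04":   {"role": "registrar",    "separated": None,              "patient_id": None},
    "sup05":   {"role": "supervisor",   "separated": None,              "patient_id": None},
}

# Constructed access log: one "timestamp account action patient" record per line.
ACCESS_LOG = """\
2007-05-02T08:15:00 phleb01 VIEW P-2001
2007-05-02T08:16:00 phleb01 VIEW P-2002
2007-05-02T09:00:00 clerk02 VIEW P-1001
2007-05-02T09:05:00 clerk02 VIEW P-2004
2007-05-02T09:30:00 reg04 VIEW P-2005
2007-05-02T10:00:00 nurse03 VIEW P-1001
2007-05-02T10:10:00 nurse03 VIEW P-2006
2007-05-02T12:40:00 phleb01 VIEW P-2003
2007-05-02T13:00:00 tmp99 VIEW P-2008
""" + "".join(
    # One account opening 40 distinct charts in a day while peers open one to three.
    f"2007-05-02T11:{i:02d}:00 sup05 VIEW P-{3000 + i}\n" for i in range(40)
)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def post_separation_access(events, roster):
    """Accounts used after HR's separation date: credentials never revoked."""
    hits = []
    for e in events:
        rec = roster.get(e["user"])
        if rec and rec["separated"] and e["ts"].date() > rec["separated"]:
            hits.append((e["user"], e["ts"].isoformat(), e["patient"]))
    return hits


def unknown_account_access(events, roster):
    """Entries from accounts HR has no record of (shared, test or orphaned logins)."""
    return [(e["user"], e["ts"].isoformat(), e["patient"])
            for e in events if e["user"] not in roster]


def coworker_chart_access(events, roster):
    """Staff opening a chart that belongs to another employee.

    Some of these are legitimate care, so this is a review queue, not a verdict.
    A patient looking at their own chart is deliberately not flagged here.
    """
    owner_of = {rec["patient_id"]: user
                for user, rec in roster.items() if rec["patient_id"]}
    hits = []
    for e in events:
        owner = owner_of.get(e["patient"])
        if owner and owner != e["user"]:
            hits.append((e["user"], e["ts"].isoformat(), e["patient"], owner))
    return hits


def high_volume_users(events, multiplier=5, floor=10):
    """Accounts that opened many more distinct charts than the median peer."""
    charts = defaultdict(set)
    for e in events:
        charts[e["user"]].add(e["patient"])
    counts = {u: len(s) for u, s in charts.items()}
    threshold = max(floor, multiplier * median(counts.values()))
    return sorted(u for u, n in counts.items() if n > threshold)


def review_queue(log_text, roster):
    """Run all four checks and return the findings by category."""
    events = parse_log(log_text)
    return {
        "post_separation": post_separation_access(events, roster),
        "unknown_account": unknown_account_access(events, roster),
        "coworker_chart": coworker_chart_access(events, roster),
        "high_volume": high_volume_users(events),
    }


if __name__ == "__main__":
    for category, hits in review_queue(ACCESS_LOG, ROSTER).items():
        print(f"{category}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", *(h if isinstance(h, tuple) else (h,)))
```

On the constructed log this flags all three logins by the separated phleb01 account, the orphan tmp99 account, clerk02 opening nurse03's chart, and sup05 for opening 40 charts against a peer median of two. The post-separation check is the cheapest and most decisive of the four: it needs only an HR separation date and catches the St. Anthony failure the day it happens, instead of 90 days later. The co-worker and volume checks produce candidates for a human reviewer, since a nurse on the care team legitimately opens a colleague's chart and a coder legitimately opens hundreds.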
Peel, who heads the Patient Privacy Rights advocacy group, said individual caregivers who violate the privacy of friends, neighbors and co-workers are not likely to ever be prosecuted under the current HIPAA law. "I don't think that's prosecutable because of the way HIPAA was gutted after it was approved," she said.

Weintraub says he is convinced that without prosecution and meaningful penalties, that sort of snooping will continue. "Until serious fines and penalties are levied, people are not going to take this law seriously," he said.