My good friend Alec recently made me aware of a very interesting blog post made by a physician (thanks Alec!) that is frankly quite troubling.
“Because I do not take health insurance, I am free from HIPAA regulations and therefore I can conveniently communicate with you in ways that simply and plainly just make sense in today’s world. People have criticized me, a solo physician who will likely have about 1,000 patients in my practice, about security and privacy (FYI…all of my patient medical records are encrypted, password protected twice on my laptop and backed up daily to a secure, encrypted remote server). Those who question me seem horribly concerned about my patients’ privacy. Meanwhile, those of you who do have health insurance with the major insurance companies, please beware. Your name, SSN, and medical information are stored along with hundreds of thousands, if not millions, of other people in enormous databases at your mega-insurance company. The people responsible for that CD they’re using to transport maybe 196,000 people’s PHI aren’t doing such a good job. I guarantee I won’t have to provide 12 months of free Equifax to you if you are my patient. Go with the big guys and kiss your privacy goodbye. I personally use Apple’s encryption technology called Filevault. According to Apple, it could take as long as 149 trillion years to crack my password using a computer that could attempt it every second.”
He also notes,
“If any of you are wondering why your own doctor doesn’t communicate with you using email, IM, and other ways that simply make sense in today’s world, wonder no further. They break federal law with every email and IM since the vast majority of physicians have contracts with insurance companies or Medicare.”
So basically, he is trying to justify sending sensitive patient information, personally identifiable information (PII) and, specifically, protected health information (PHI), in clear text within email messages and instant messages.
He stresses that he encrypts PHI in storage, but then boasts that he “conveniently” shares PHI over unencrypted transmissions.
Hopefully his patients understand that transmitting cleartext PHI within email and instant messages is a huge risk. I’ve discussed these risks and related incidents often, such as here.
And he has the nerve to say that if something bad happens to the PHI he is sending in an unsecure manner, he guarantees he “won’t have to provide 12 months of free Equifax to you if you are my patient.”
Why would his statement that he will not be held responsible for the bad things that happen as a result of his lack of security practices be of any reassurance to his patients? Such a statement should make his patients want to find another doctor.
What is even more troubling is that so many of the people leaving comments in response “thank” him for the way he is practicing the transmission of PHI. I wonder how many of these were planted comments?
His interpretations of HIPAA seem to be those that are most advantageous to him. I’m sure many healthcare providers would find it easier to say they don’t have to comply with the law instead of making the effort and investment in actually trying to protect the privacy of their patients and provide the legally required safeguards for their PHI. However, all the good and trustworthy healthcare providers I’ve seen and met are concerned and try to follow their binding regulations.
This doctor is trying to boil down his reasoning for not needing to comply with HIPAA to a very simplistic 13 words, “Because I do not take health insurance, I am free from HIPAA regulations.” His patients, and all individuals, should know it is not this simple!
Determining whether or not a healthcare provider is a covered entity (CE) under HIPAA is much more complicated than this. I cover this issue in detail in my book, “The Practical Guide to HIPAA Privacy and Security Compliance.”
I discuss in detail how to determine whether or not an organization is a covered entity on pages 5 through 11, and all of Chapter 16 (pages 213 – 224) for healthcare provider issues. It involves more than just whether or not health insurance is used by the provider.
Within the HIPAA regulations, 45 CFR § 160.103 has the complete definition of a covered entity.
“Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”
“Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.”
So does this doctor really fall outside every one of these terms? Note that the test in the definition is whether a provider transmits any health information electronically in connection with one of the listed transactions, not simply whether the provider accepts health insurance.
Well, even if he truly isn’t considered a HIPAA covered entity, it is interesting that this doctor goes to great lengths to point out that the regulatory oversight agency for HIPAA has not applied any fines to covered entities that are not in compliance with HIPAA. Is this a veiled way of saying that, even though he’s not in compliance he doesn’t have to worry because he won’t be caught, or penalized, anyway?
This doctor also goes to great lengths to point to healthcare insurers as having many privacy breaches. This is true, but healthcare providers have also experienced many privacy breaches. It reminds me of that saying, “When you point a finger, you have four fingers pointing back at you.”
Just check the lists of privacy breaches at the Attrition site, the PogoWasRight site, and the Privacy Rights Clearinghouse site and you’ll see that numerous privacy breaches have occurred within healthcare providers.
In fact, the criminal actions that have occurred and been prosecuted under HIPAA (which the doctor himself mentioned) occurred within healthcare providers (which he conveniently did not mention). See a little more about them here and here.
All doctors, whether or not they are a covered entity under HIPAA, should be protecting the privacy of PHI not only in storage but also while it is being transmitted through public networks. If they don’t they are putting the PHI at unacceptable risk.
If this doctor is indeed not covered under HIPAA, he is certainly still subject to civil suits when bad things happen to his unsecured patient PHI.
Often if something looks like a duck and quacks like a duck, it really is a duck. The words of this doctor sound like quacks to me!
Tags: awareness and training, encryption, Health Insurance Portability and Accountability Act, HIPAA, Information Security, IT compliance, patient privacy, policies and procedures, privacy, risk management, security risk, security training