Monday, June 11, 2012
I do not usually tell personal stories in scholarship, but this is a blog, and I’m experimenting! I hope my story will be of more general interest, especially to those of you who are following the tsunami of enthusiasm for health information technology and exchange. I am deeply concerned about the security and privacy issues raised by many of the types of data flows that are occurring (often of identifiable information), especially under the rubric of “treatment, payment, and health care operations” (TPO). TPO uses and disclosures are permitted without patient authorization under HIPAA—and, at least until final rules are issued under the HITECH Act, do not need to be included in any required accounting to patients of uses and disclosures of their protected health information.
So here’s the story. Some of my protected health information was recently included in what is right now listed as the largest data breach (of many very large data breaches) so far in 2012. In March 2012, records of some 780,000 persons, including Social Security numbers of over 250,000, were downloaded from a server at the Utah Department of Health to somewhere in Eastern Europe. An employee had failed to set a password with sufficient strength, leaving the server vulnerable to outside attack. These were records of patients on Medicaid, children on the state’s CHIP program, and persons about whom a provider had made an inquiry about Medicaid eligibility. All that the public knows about where the data went—the investigation may of course have revealed more—is that it was downloaded somewhere in Eastern Europe and the assumption is that it was done by cyber-criminals. I learned that my information—my name and Social Security number, and I don’t actually know what else—was included in the breach because I was sent a letter from the Health Department. As “compensation,” I have been offered (and accepted) one year of free credit monitoring—hardly likely to be effective if a sophisticated criminal knows to wait a year before using the downloaded information.
So how, I asked, was my protected health information on a server at Utah’s health department? Other than having chaired the state’s Health Data Committee until July 2011, I had no connection with the Health Department. I am not on Medicaid, nor is there any reason for any provider to believe I might be likely to be eligible for Medicaid. If I hadn’t received the letter from the Health Department (and it was not sent certified mail, or with any indication that any special information was included in it), I never would have guessed that I was at risk in the breach.
Here’s how—at least as far as I can tell. As HIPAA permits, I have asked for accountings of disclosures of my health information from any provider I have seen during the time frame in question—from dentist to primary care physician. Only one so far has refused to give me the requested information, including information about disclosures for TPO: a hospital owned by the for-profit IASIS chain, at which I received a routine mammogram some 6 months before the breach. Any inquiries about Medicaid eligibility, they said, were TPO—so at least for now did not need to be included in a request for an accounting. So I cannot confirm that it was that facility. But by process of elimination (and there wasn’t much to eliminate; I’m pretty boring, health-wise), it looks like the only candidate. And it’s the candidate responsible for supplying the Health Department with the largest number of records involved in the breach.
There’s more. Apparently this hospital routinely inquires about the possibility that patients in the facility might be Medicaid-eligible. They do this, their representative told me helpfully, because they want to protect the patients from bills that they cannot pay. And they do this about patients for whom they have full payment information on file—in my case, insurance numbers indicating that I was double covered by the University of Utah, and would thus have no co-pays. Here’s what their letter to me said: “[Hospital]’s processes and procedures for querying the state for Medicaid coverage on patients who have presented with a primary insurance is comparable to other hospitals and health systems across the country. It is the Hospital’s practice to verify if certain patients, who may have private insurance, would also be eligible for supplemental coverage through the state Medicaid program. There are a significant number of Utah residents who are covered by Medicaid who are not aware they have this coverage.” Given that they knew I had both my own and my husband’s coverage, I remain mystified by why they thought I might also be Medicaid-eligible. Perhaps their practice is to routinely make this inquiry about every patient, which is why they were such a large source of the health information involved in the breach. If this is national practice, it might come as a surprise to many.
And there’s more. As they are required to do, the hospital has a Notice of Privacy Practices (NPP). Under 45 CFR 164.520(b)(1)(ii), the NPP must provide at least one example of uses and disclosures for TPO, and must “include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.” Here’s what the NPP actually says: “Treatment includes sharing information among health care providers involved with your care. For example, your physician may share information about your condition with the pharmacist to discuss appropriate medications, or with radiologists or other consultants in order to make a diagnosis. The Hospital may use your medical information as required by your insurer or HMO to obtain payment for your treatment and hospital visit. We also may use and disclose your medical information to improve the quality of care (e.g., for review and training purposes).” An inquiry about Medicaid eligibility was hardly “required by my insurer or HMO to obtain payment.” I think this is arguably a HIPAA violation as it does not provide anyone with sufficient detail to place them on notice that inquiries about Medicaid or for that matter any other insurance eligibility just might be hospital practice. I’m also mulling the argument that it might be sufficiently misleading—and it certainly put many at risk of harm, although of course it was the Health Department that kept the information for too long and failed to set a password with adequate strength—to constitute an unfair trade practice under the FTC Act.
I am of course reasonably sophisticated about such matters and hopefully also sensible enough to be able to protect myself from identity theft. But I am very concerned about the many others in Utah who may not have a clue that they were included in this data breach. Anyone who has moved and didn’t get the Health Department letter, for example, might easily assume the breach doesn’t apply to them. It has been publicized as a breach about Medicaid and S-CHIP patients, and about patients for whom eligibility inquiries were made. But I don’t think most people would assume that these inquiries are routine, even when they are known to have coverage. The breach is especially worrying because many of the patients involved were children, without credit histories to monitor and without perhaps even the knowledge that they might need to take protective steps at some future time. I’m complaining from a position of privilege, insurance-wise—but part of what is so offensive to me about the breach, the state’s response, and the hospital’s actions is that many of the people involved are not as privileged or as knowledgeable as I am.
For those interested in some first-rate reporting about the breach, Kirsten Stewart’s stories in the Salt Lake Tribune are well worth reading—they are on LexisNexis.