Category Archives: privacy breach

$100,000 HIPAA Fine – Way Too Little, and Way Too Late

After more than five – FIVE – years of the HIPAA rules, and bazillions of small private practices of doctors, dentists, chiropractors, optometrists, shrinks, etc., NOT being compliant with the rules, and bazillions more patients who have no clue what their HIPAA healthcare privacy rights are, HHS finally got off their heinie and fined a hospital system in Washington State because it kept leaving those pesky laptops lying around, getting stolen, and not doing anything about it.  More than 386,000 patients’ healthcare information was lost on those laptops.  (Note to self — hasn’t almost every recent loss of patient information been due to the loss of a laptop?  Must investigate why hospitals let members of their workforce walk out the door with laptops full of patient data. . .)

But wait – what’s that you say?!  It’s not a fine??  Why, by gosh and by golly, you’re right.  HHS has declined to call this a “fine” – they’re calling it a Resolution Amount.  Oh.  Yeah, that makes it all better.

Here’s how HHS describes it: “In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. . .

“On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

“As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.”

After pulling up the handy calculator that Microsoft ® XP ® so nicely provides, I’ve calculated that each patient’s healthcare info was worth, let’s see, 100,000 divided by 386,000 = about 0.259, which is 25.9¢.  Is that right?  Let’s check: (0.259)(386,000) = 99,974.  Okay, close enough.

What this means is, if you were one of those folks whose healthcare information was stolen because Seattle-based Providence Health & Services couldn’t get its act together over a more than two-year period and ENCRYPT the data contained on the laptops, tapes, etc., or even PREVENT them from being stolen in the first place (GPS locator, anyone?  Sheesh, even my cell phone has one.), your healthcare info was worth a measly 25.9¢. 

All I can say is: wow.

Whether you’re a Democrat or a Republican or a Libertarian, or a Green, or an Independent, etc., a radical change in leadership at the level of the Cabinet position of Secretary of Health & Human Services (HHS) is called for.  Your and your family’s health information has got to be worth more than a little over a quarter.  Really.

So, think carefully and VOTE.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’ve got a question about the privacy of your healthcare records, email me at  I would be happy to help you if I can.



PHRs? No, No, NO

They’re not quite here yet, but they’re coming.  PHRs.  Personal Health Records.  And they sound like the greatest thing since the proverbial sliced bread. 

You’ll love them, until you don’t.

You probably think your medical record is yours.  You probably believe that all the information contained in all the records maintained by all the docs, dentists, shrinks, chiropractors, etc., that you’ve ever been treated by, belong to you.  All those other people are just keeping your records for “safekeeping.”  But really, if you wanted them, you could have them.  After all, they’re about you, right?

So along comes a nice web-based company, a big one, one you’ve heard of and boy, are they legit.  You trust them.  They wouldn’t be that big and have such a huge Internet presence if they weren’t on the up and up, right?

And this nice big company has a new service: a Personal Health Record, a PHR.  For a modest fee, you can arrange to have your docs, and dentists, and shrinks, and all the rest of them, download your health records into the PHR.  Now all your information is yours, all yours, right?

Or, maybe your employer has arranged for all its employees to store their health records, and those of their families, in a PHR.  Free!  You won’t pay a dime!  

Not so fast.

Let’s take a look at all the pros (very short list) and all the cons (very long list) of the fabulous new internet-based PHR. 

Oh, wait, actually there are no pros, only a lot of cons.

1.  Physical and electronic safety and security

First, it’s possible that something could happen to the computer where your PHR is stored.  Fires, hurricanes, tornados, and other disasters really do happen; so do mistakes in server rooms (the secure places where the computers live) when the fire alarm system malfunctions and sprays all the servers with water or halon or whatever they use in server rooms.  Oh, well.  Stuff happens. 

But the company that is storing your PHR probably has a disaster recovery plan.  Well, you hope they do, anyway.  You also hope that they perform daily backups (make copies of the data), and store the backups of your information on a server at a separate location.  And, even more, you hope that they test their backup and recovery routines – and make sure that if there is a disaster and they have to download a copy of your PHR from that other location, the new downloaded copy really works.  Because if it doesn’t, well, too bad about your PHR, it’s gone.

And, of course, you hope that your PHR company, because they’re such a giant, well-known organization, has a terrific Internet Security Policy, and a practically impenetrable firewall around their servers so that no hackers can electronically access your PHR without authorization.  Well, you hope the firewall is strong, but really, even the federal government’s computers are sometimes hacked, and they have the best security of all.  And there have been hundreds of breaches of servers that hold consumer information; just use Google to look up “privacy breaches” and see what you get.  My personal favorite for this kind of information is

But what if the worst happens, and your kid’s personal health information is breached and stolen from the family PHR?  Does the PHR company owe you anything beyond a notification and an apology?  What’s in the fine print in that contract you signed with them?  Your kid may suffer legitimate damages – her credit may be scarred even though she’s only eight years old, but you’re going to have to clean it up so that it doesn’t affect her ability to get student loans in about ten years.  Can you sue the PHR on behalf of your child and recover damages?  Just what did that pesky fine print say about all that?

Let’s make it even worse – what if the PHR is being paid for by your employer?  What if you never even saw the fine print, because the contract is between the PHR and your company?  Who is going to make your daughter’s credit whole again?  If you get a “too bad, so sad” comment from the PHR company or your employer, who do you sue?  Both of them, neither of them?

Or, how about this scenario: what happens if your kids get hold of the password to your PHR?  Let’s say your tweener tries to log on to your PHR, but can’t get past the password.  He clicks “Forgot Your Password?”  And then he goes to your email account and gets the instructions to set a new password.  He sets the new password, and then trolls through the PHR.  The next time you log onto the PHR, you enter your password but it doesn’t work, so you think nothing about it other than you just don’t remember the password.

Oh, yeah, and then there’s the PHR’s Privacy Policy.   

There is no federal requirement that a PHR tell you when they change their privacy policies.  Do you read the privacy policies that your bank and your credit card companies send every year?  Thought not.  Do you think you’ll read your PHR’s privacy notice each year?  Probably not.

Believe it or not (and I know how hard this is for some of you to believe), your health records are a lot more secure in your various providers’ offices than they are in an online storage scheme like a Personal Health Record.  Your providers are required to protect your records, and they have a lot of incentives to do so.  A for-profit company doesn’t have those same requirements.

2.  What if some information in your PHR is wrong?

Let’s say that recently you were treated for a minor condition at one of your health providers, and you’ve downloaded a copy of your health record from your PHR to review the information about your latest problem.  But there’s a mistake.  Instead of a note about your case of hives, you see a note about your ongoing recovery from your recent hip replacement. 


Nope, nothing about your recent issues with urticaria (those pesky hives), but lots of info about the hip replacement, your upcoming physical therapy, blah blah blah.

Did your provider accidentally upload another patient’s health information?  Or did the PHR system have a bug and upload the correct information to the wrong internal file?  Who made the mistake?  Who do you call?  If you call your provider, will his office manager insist that they did not make the mistake?  If you call the PHR, will they insist that your provider did indeed make the mistake?  They said, they said.  Where will that leave you?  How many hours will you have to spend on hold, waiting for a representative to talk with you about this problem?

And what about the other patient?  Who is going to inform them of the very clear privacy breach that occurred?

The HIPAA Privacy Rules have a process that the provider must follow whenever you obtain a copy of your health records and find an error.  But the PHR doesn’t have to follow the HIPAA Privacy Rules.  You’ll probably have to follow your PHR’s rules, whatever they are.  Whether they will help you or not is just unknown at this point.

I know of a patient who thought that he’d be able to get greater benefits from his employer if he was diagnosed with a serious mental health condition.  He filed a request to have his medical record amended to include a diagnosis of schizophrenia.  He claimed that during a visit to an ER at some point in the past, someone in the ER asked him if he’d ever been diagnosed with schizophrenia.  A review of his records for that ER visit revealed that no such question had ever been raised, nor was there any evidence in his records that he’d ever been evaluated for or diagnosed with that disease.  His request for the amendment to the record was, of course, denied.

But what if that same patient had a PHR, and had the ability to amend his health records himself?  What if his record suddenly showed a diagnosis of schizophrenia?  What if he were now able to obtain federal or state benefits?  Probably wouldn’t happen, because in this extreme case he would be examined by other providers to determine whether or not he did suffer from schizophrenia prior to treatment.  But what about someone else, who puts a far less serious diagnosis in their PHR?  These things can all be checked and verified, but how much extra time and effort will have to be taken?  And when these kinds of things become more common than not, will health providers even trust PHRs? 

3.  Who will be able to get a copy of your PHR?  And, will they tell you when they do?

Right now, there are a number of instances in which your health provider may give a copy of your records to a third party without your prior authorization.  But in all of those instances the provider is required to keep a record of those disclosures, and you can see the record of those disclosures any time you want – requesting an “accounting of disclosures” from your providers is one of the specific rights that the HIPAA Privacy Rules give you.

But PHRs are not required to follow the HIPAA Privacy Rules, and they don’t necessarily have to tell you when they share or disclose your health records with a third party. 

Let’s say your PHR company accepts advertising.  You’re looking at your records online, and up comes an ad for a cholesterol lowering drug.  Makes sense, right?  After all, you’re in your 40s, and your cholesterol is a little high. 

What?!  How is it possible that an ad for a statin drug just happened to pop up when you’re online? 

It happened because your PHR shared your health information with their advertisers.  No one told you that your health information would be shared, if not outright sold, for marketing purposes.  Must have been something about it in the fine print of that contract you forgot to read (or your employer forgot to give you a copy of). 

The HIPAA Privacy Rules prohibit the disclosure or sale of your health information for marketing purposes without your written authorization.  But PHRs are not required to follow the HIPAA Privacy Rules.  You think all those ads on TV for Viagra® and other medications are annoying?  Just wait till they follow you online and become personalized.  As far as the advertising partners of your PHR are concerned, you’re not a patient, you’re a consumer.   

And then there are the cases where you believe that a health provider made a mistake with your care or treatment, and you believe you are entitled to damages.  Can opposing counsel get a copy of your records without your even knowing about it?  Maybe.  Depends on your PHR, of course, and their policies. 

Or, maybe you were accused of, say, a DUI.  In most cases the courts require that a subpoena be utilized in order to obtain your records.  Okay.  Under the HIPAA Privacy Rules you have a right to know when your records are being obtained by the use of a subpoena.  But your PHR doesn’t come under the HIPAA Privacy Rules, hence you may never know that your records have been subpoenaed and your attorney will not have the opportunity to contest the subpoena.  Not so great.

There are other questions to consider, too.  If the PHR is owned by your employer, will they snoop?  If the PHR is owned by your insurance company, will they snoop?  What happens if your PHR is privately owned (you pay them a fee to store your records), and is subsequently sold to an overseas company?  Will they care about American privacy laws?  I could come up with lots of other what ifs.  You probably can, too.

Mr. Robert Gellman is very helpful in his white paper for the World Privacy Forum, Personal Health Records: Why Many PHRs Threaten Privacy (1), with the following tidbit:


“A 2007 study of PHR privacy policies conducted for the Department of Health and Human Services found that only 3 percent, or one in 30, of PHR privacy policies state that explicit consumer consent (is) necessary prior to the vendor sharing any of the data in the PHR.”(2)

Three percent, huh?  Not so great.

4.  Who really owns the health information in your PHR?

What if your employer owns your PHR?  Does this mean that Human Resources can learn whether you’re a diabetic, morbidly obese, or a smoker, and subsequently raise your health insurance rates, or make weight loss a condition of your continued employment? 

What happens to your health data when you move on to another job?  What if your new employer doesn’t have a PHR?  Will you have to pay for a private PHR?  Or will your data just be erased – and what proof will you have that your health information was really “erased”?

What if your insurance company owns the company that stores your PHR?  No authorizations needed here – the insurance company will have instant access to everything about you.  And so will every other insurance company.  What happens when your new employer offers you health insurance from the company that owned your PHR at your last company?  And what happens if they refuse to insure you based on information they’ve gathered, without your consent or knowledge? 

Not so great.

5.  Provider-Patient Confidentiality

Questions about provider-patient confidentiality are not rhetorical.  Will that confidentiality exist, in a legal sense, when you or your provider upload your health information to a commercial PHR? 

Mr. Gellman makes a great point about this in Personal Health Records: Why Many PHRs Threaten Privacy: “. . . it seems certain that a prosecutor or another person who wants a consumer’s health record will argue that the consumer” – that’s YOU – “waived any privilege by sharing the record with a third party.  A court is likely to agree that the patient waived the privilege by consenting to the disclosure (to the third party).”


Once again, you’re just another consumer, no longer a patient.  And your provider-patient confidentiality rights may fly right out the window the first time you utilize a PHR.

*  *  *

Look, HIPAA may not be the most robust protection for health information, but it’s better than nothing.  Trusting your health information to a PHR means that you’ve got nothing – no federal, and probably no state, health privacy protection laws.  Sure, maybe the FTC might get involved in a dispute, but what do they know about health privacy?

At some point you’re going to be approached about utilizing a PHR.  It may be free, or it may be one that you pay for.  It may be sponsored by your employer, or by some other third party.  When that time comes, here’s my advice: Just say NO.  Once you open your most private information, and that of your children, to a commercial enterprise, that genie will be out of the bottle, and you and your family may suffer greatly as a result.

1. Original publication February 20, 2008 at Document URL:  Also, see:

2. See R. Lecker et al., Review of Personal Health Record (PHR) Service Provider Market, Jan 5 2007.

Should You Bother Getting a Copy of Your Medical Records?

Why yes, you should.

I manage the HIPAA program at a large medical center in the South. About 70-75% of the complaints I receive are about the accuracy of the patient’s medical record. That’s a lot of complaints.

Sometimes the patients want changes made to their records that are just outright fraud. For example, there was the patient last year who wanted me to make his provider add a diagnosis of bipolar disorder, so that he, the patient, could get more government benefits. Never mind that the patient didn’t have bipolar disorder, or any other diagnosed mental disorder; he just wanted the extra money from the benefits.

More often, though, the patients who contact me have legitimate concerns about the information that has been recorded in their medical records. Right now I’ve got a patient whose provider erroneously copied and pasted another patient’s post-surgical notes into his online medical record. The patient is post-op hip replacement. The other patient is post-op removal of a possibly cancerous mole. Aside from the obvious problems associated with this kind of mix-up, there are significant potential patient safety issues, as well.

I could give you many more examples of mistakes that have been made in medical records. The point is that you really should request a copy of your medical records from each of your providers. You need to read the records and see what’s in them.

Here are a few things to keep in mind. First, you have a statutory (legal) right to a copy of your medical records, as long as they have not been sequestered as part of a medical-legal action, and you cannot obtain a copy of handwritten notes that are maintained by a mental health provider. Other than that — you have an absolute right to a copy of your records.

Second, keep in mind that your medical records are about you, but they do not belong to you. So the idea that you should be able to get your medical records because “they’re yours” is not true. You are entitled only to a copy of them.

Third, you may get a copy of the medical records of a family member if you have written authorization from the family member to obtain a copy. Parents, you generally don’t need an authorization from your (minor, unemancipated) children in order to get a copy of their records; obtaining copies of medical records for teens, in which there are questions regarding birth control and certain procedures, is dependent on the laws of the state in which you reside.

Most important, your request must be in writing. Your provider has up to 60 days to provide you with the copy of your records, and your provider may charge you a reasonable copying fee.

Had trouble getting a copy of your medical records? Contact me privately at I would be happy to help. And yes, I expect to launch a website within the next 30-60 days. In the meantime, I’m glad to help you with any questions you may have about your medical privacy.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.