But Don’t Worry, Your Health Information is Secure: the Enforcers are Themselves Incompetent and Broke

Another in my “But Don’t Worry, Your Health Information is Secure” series (see http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy) … a promise blindly made by the healthcare information technology hyper-enthusiasts.

The Office of the Inspector General (OIG) for HHS just issued a report finding that the Office for Civil Rights (OCR), which is charged with enforcing the HIPAA/HITECH law, had itself failed to adequately protect the security of the health information it handled. Specifically, OIG found that OCR “focused on system operability to the detriment of system and data security.”

From “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule”, p. ii (Nov. 2013). http://oig.hhs.gov/oas/reports/region4/41105025.asp

Summary:

The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements.

In addition, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions made because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations.

Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability [I presume they mean ‘interoperability’ – ed.] to the detriment of system and data security.

We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.

The enforcers are themselves negligent, incompetent and broke. And hospitals are expected to keep electronic protected health information secure?

I comment no further. What more could I possibly write?

— SS

Dec. 9, 2013 Addendum:

This woman would probably agree that this is a problem:

Dec. 9, 2013
http://www.thestar.com/news/gta/2013/11/28/disabled_woman_denied_entry_to_us_after_agent_cites_supposedly_private_medical_details.html

Disabled woman denied entry to U.S. after agent cites supposedly private medical details

A Toronto woman is shocked after she was denied entry into the U.S. because she had been hospitalized for clinical depression.

Ellen Richardson went to Pearson airport on Monday full of joy about flying to New York City and from there going on a 10-day Caribbean cruise for which she’d paid about $6,000.

But a U.S. Customs and Border Protection agent with the Department of Homeland Security killed that dream when he denied her entry.

“I was turned away, I was told, because I had a hospitalization in the summer of 2012 for clinical depression,’’ said Richardson, who is a paraplegic and set up her cruise in collaboration with a March of Dimes group of about 12 others.

The Weston woman was told by the U.S. agent she would have to get “medical clearance’’ and be examined by one of only three doctors in Toronto whose assessments are accepted by Homeland Security. She was given their names and told a call to her psychiatrist “would not suffice.’’

At the time, Richardson said, she was so shocked and devastated by what was going on, she wasn’t thinking about how U.S. authorities could access her supposedly private medical information.

“I was so aghast. I was saying, ‘I don’t understand this. What is the problem?’ I was so looking forward to getting away . . . I’d even brought a little string of Christmas lights I was going to string up in the cabin. . . . It’s not like I can just book again right away,’’ she said, referring to the time and planning that goes into taking a trip as a disabled person.

Richardson said she’d had no discussion whatsoever with the agent at the airport about her medical history or background.

Read the whole thing.

— SS