Joseph Goldstein reports:
Slowly, and largely under the radar, a growing number of local law enforcement agencies across the country have moved into what had previously been the domain of the F.B.I. and state crime labs — amassing their own DNA databases of potential suspects, some collected with the donors’ knowledge, and some without it.
Read more on NYTimes. Note that it is not just suspects whose DNA is being amassed, but crime victims, too. And SCOTUS’s decision in King will only encourage more of this.
And speaking of outrageous breaches, Elise Viebeck reports:
A top House committee launched another probe of the Internal Revenue Service (IRS) Tuesday after a lawsuit alleged that the agency improperly seized millions of personal medical records in California.
In a letter, Republican leaders on the Energy and Commerce panel asked the IRS to explain how it handles confidential medical information.
“While [federal] privacy rules restrict the ability of a covered entity to release protected health information, those rules appear to impose no restrictions on the IRS’s ability to use such information after it is obtained,” the lawmakers wrote.
Read more on The Hill.
The letter requests a response from the IRS by June 21.
I don’t know if you can hear me, but I generally groan when I read a settlement that permits the party to make no admission of guilt. The FTC permits it, and HHS also permits it. I understand why they may choose to do that, but seriously, there are some breaches that are just so egregious that they demand a finding or acknowledgement of guilt.
Since January of last year, I’ve been covering the privacy debacle that is the Prime Healthcare/Shasta Regional Medical Center case (previous coverage here, here, here, here, and here, here). To say that I consider their conduct to be one of the most obvious cases of a knowing HIPAA breach would be to put it mildly, despite the entities’ denials of any wrongdoing and repeated assertions that their conduct is permissible. Today, Chad Terhune of the Los Angeles Times reports that while they continue to appeal the state’s $95,000 penalty for the breach, they have reached a settlement with HHS over the breach:
Hospital chain Prime Healthcare Services Inc. has agreed to pay $275,000 to settle a federal investigation into alleged violations of patient privacy.
The case stemmed from allegations that Prime Healthcare and its Shasta Regional Medical Center violated patient confidentiality by sharing a woman’s medical files with journalists and sending an email about her treatment to nearly 800 hospital employees.
Last year, California regulators fined the Ontario hospital chain $95,000 for the unauthorized disclosure of medical information in this matter. The company said it’s appealing that state fine.
In the federal settlement announced Tuesday, Prime Healthcare did not admit to any wrongdoing. The company and hospital said they “firmly believe that they would have prevailed in this matter based upon the merits.” (emphasis added by me)
That statement is from their press release, where they wrote:
In reaching the agreement, SRMC admitted to no wrongdoing pertaining to the alleged violation of patient privacy. Prime Healthcare and SRMC firmly believe that they would have prevailed in this matter based upon the merits. However, in view of the unnecessary expense to both SRMC and to the taxpayers of the United States, they reached an agreement to settle the matter and pay $275,000 as a “Resolution Amount.”
Oh, they’re worried about expense to taxpayers? How considerate of them.
In light of their repeated public statements, I really really wish HHS had not settled this case. I realize that $275,000 may seem like a large fine given that it was “only” one patient whose data were intentionally disclosed, but to allow them to insist that they did nothing wrong is offensive.
Read more on the L. A. Times. As of the time of this posting, HHS has not posted any press release on its site with the settlement agreement, so I’ll have more on this later.
There was some great reporting by Jordan Robertson of Bloomberg while I was away:
Hospitals in the U.S. pledge to keep a patient’s health background confidential. Yet states from Washington to New York are putting privacy at risk by selling records that can be used to link a person’s identity to medical conditions using public information.
Consider Ray Boylston, who went into diabetic shock while riding his motorcycle in rural Washington in 2011. He careened off the road and was thrown into the woods, an accident that was covered only briefly, in the local newspaper. Boylston disclosed his medical condition and history to a handful of loved ones and the hospital that treated him.
After Boylston’s discharge, Washington collected the paperwork of his week-long stay from Providence Sacred Heart Medical Center in Spokane and added it to a database of 650,000 hospitalizations for 2011 available for sale to researchers, companies and other members of the public. The data was supposed to remain anonymous. Yet because of state exemption from federal regulations governing discharge information, Boylston could be identified and his medical background exposed using only publicly available information.
Read more on Bloomberg News. As part of his investigative reporting, Jordan worked with Latanya Sweeney, who’s well-known for her research on re-identifying supposedly de-identified information. Hopefully his reporting will start some serious discussions in states that do sell data to researchers and others.
All About Information writes:
Yesterday, the Court of Appeal for British Columbia vacated an order that required non-party physicians to provide a class action plaintiff with the contact information of patients who were potential class members. It rendered a principled judgement on physician-patient confidentiality
Read more about the decision in Logan v. Hong on All About Information.
h/t, Dan Michaluk
Comments (0) 
Themocracy