Apr 18 2014
 

Here we go again.

Alden Bourne reports that Matt Warshauer, a history professor at Central Connecticut State University, has encountered privacy obstacles to researching Post-Traumatic Stress Disorder or associated conditions like Soldier’s Heart in past wars. 

[...]

Warshauer discovered Perkins in a patient casebook he was able to look at back in 2011. Soon after, the state passed a law making all such records off-limits to researchers.

There are many more books — now under lock and key — that Warshauer is eager to see. They’re about the size of a photo album and their covers, made of burlap and leather, have started to fall apart. Each contains the records of 325 or so patients and perhaps, of some Civil War veterans who walked across the lawns of the Connecticut Hospital for the Insane in the late 1800’s.

“They mean the motherlode,” Warshauer says. “Those are the books that we need.”

This past February, Warshauer thought he might soon have access to what he needed. Connecticut legislators drafted a bill, allowing the release of medical records 50 years after a patient’s death. But then, with backing from mental health advocates as well as the state Department of Mental Health and Addiction Services, lawmakers inserted an amendment: all names would be redacted, or blacked out, making patient files of little use to historians.

“We feel like we have an obligation to protect the names of individuals who have mental health and substance abuse disorders,” says Pat Rehmer, commissioner of the agency. “With the amount of discrimination that people experience, there are families that are not going to want to have the fact that their loved one was here at Connecticut Valley Hospital public and I think we have to respect that.”

On that argument, Warshauer accuses Rehmer of talking out of both sides of her mouth, since her agency is currently involved in a campaign to destigmatize mental illness.

“How is saying that, ‘Oh, descendants today will be traumatized by the fact that their great, great, great, great grandfather was impacted by a horrific war, the most horrific war in this country’s history…’ Wouldn’t you be traumatized by that experience?”

Commissioner Rehmer counters that she would not be embarrassed by an ancestor who’d suffered mentally because of his war service. But she points out that not all the medical records relate to combat trauma.

“Some of the diagnoses are genetically linked,” Rehmer says. “So, if your great, great, grandfather is diagnosed as bipolar and that becomes public, will there be people who are looking and saying, ‘Oh, you know, the genetics is there, so do we need to think differently about you and your family?’”

Warshauer’s research is now at a standstill. He says one reason he’s not giving up is that he wants to help returning vets from Iraq and Afghanistan with PTSD understand they’re part of a long line of soldiers who have suffered.

“They’re the ones who told me you have no idea how important this work is, how important it is for us to be able to tell this story,” he adds.

He’s hoping the Connecticut legislature comes up with a solution this year or next that would give him access to the additional records. But there’s a chance he won’t have to wait. During our interview, Commissioner Rehmer said she’s willing to meet with the professor to see if there’s a way to get him what he needs, while protecting the privacy rights of long-ago patients and their families.

Note:  I first reported this conflict on this blog back in 2009. There needs to be a way to work this type of concern out because I agree with the researchers, that looking at psychological impact/trauma of past wars is important on so many levels. 
Apr 17 2014
 

Berea College in Kentucky is notifying current and former patients of the Berea College Health Service of a self-discovered HIPAA violation that has not been associated with any harm to patients. In a notice posted on their website today, they explain:

Berea College Health Service (BCHS), a department of Berea College and medical care provider for the Berea College campus community, recently recognized during a review that it did not have a written agreement to protect patients’ medical privacy with a contractor who handled insurance billing for BCHS from January 2012 through October 2013. The provisions of the Health Insurance Portability and Accountability Act (HIPAA) required BCHS to have such an agreement in place when the contractor began providing services in January 2012.

Although this contractor had access to medical records, including names, addresses, dates of births, insurance numbers, social security numbers, and diagnosis and treatment information, BCHS has no reason to believe that any patient information has been misused or disclosed inappropriately. We did not have a written agreement in place because BCHS failed to request it. The contractor has advised us that patient health information was used and disclosed only for BCHS billing and for no other purpose, and we have been assured that the contractor has returned to BCHS or destroyed any patient information that she might have accessed. Nevertheless, we are obligated to notify you of this issue.

Read the full notice here (pdf).

Apr 14 2014
 

Nathan Freed Wessler of the ACLU writes:

Today, the ACLU and ACLU of Utah filed an amicus brief in support of a Utah paramedic whose Fourth Amendment rights were violated when police swept up his confidential prescription records in a dragnet search. Law enforcement’s disregard for basic legal protections in the case is shocking.

The United Fire Authority (UFA) is Utah’s largest fire agency, with 26 fire stations in communities surrounding Salt Lake City. Last year, some UFA employees discovered that several vials of morphine in ambulances based at three fire stations had been emptied of medication. Suspecting theft, they called the police. At this point, one would expect police to interview firefighters and paramedics with access to ambulances at those three stations and try to draw up a reasonable list of suspects. But one detective had a different idea.

Within a day or two of receiving the theft report, a detective with the Cottonwood Heights Police Department logged into the Utah Controlled Substances Database and downloaded the prescription histories of all 480 UFA employees. The database tracks patients’ prescriptions for medications used to treat a long list of common medical conditions, and the records can reveal extremely sensitive health information. But unlike some other states, Utah doesn’t require police to get a warrant before accessing this private data. The detective took advantage of this loophole and obtained a great deal of confidential information without going to a judge or demonstrating any individualized suspicion.

Read more on ACLU.

Apr 14 2014
 

Carl Smith reports on concerns about a new app called Figure 1:

A new picture-sharing phone and tablet application for doctors and medical students is raising concerns about patient privacy.

Figure 1 allows the sharing of medical and clinical pictures between health practitioners to assist colleagues with patient diagnoses and to aid studying students.

It is one of three new clinical picture-sharing apps to hit the Australian market this year.

But Assistant Professor Bruce Arnold from the University of Canberra says Figure 1’s privacy policies rely too much on individual users to keep distinguishing features of patients confidential.

Read more on ABC.

Apr 11 2014
 

Another update to a breach, previously covered on this blog, that involved information on patients of Apex Laboratory in Florida:

Michael Ali Bryant Sr., 41, and his wife, Latina Rashawn Bryant, 43, both of Lauderdale Lakes, were sentenced for their participation in a stolen identity tax refund scheme. Michael Bryant was sentenced to 144 months in prison, to be followed by three years of supervised release. Latina Bryant was sentenced to 48 months in prison, to be followed by three years of supervised release.

Both defendants previously pled guilty to one count of aggravated identity theft, in violation of Title 18, United States Code, Section 1028A. Michael Bryant also previously pled guilty to one count of possession of fifteen or more unauthorized access devices, in violation of Title 18, United States Code, Section 1029(a)(3); and Latina Bryant previously pled guilty to one count of using an unauthorized access device, in violation of Title 18, United States Code, Section 1029(a)(2).

Co-defendant Marquis Onigirin Moye, 24, of Pompano Beach, was sentenced on March 28, 2014 to 54 months in prison, to be followed by three years of supervised release. Moye previously pled guilty to one count of possession of fifteen or more unauthorized access devices, in violation of Title 18, United States Code, Section 1029(a)(3), and one count of aggravated identity theft, in violation of Title 18, United States Code, Section 1028A.

Co-defendants Tiffany Shenae Cooper, 33, of Deerfield Beach, and Angela Dione Rosier, 41, of Coral Springs, were sentenced on February 28, 2014. Cooper was sentenced to 57 months in prison, to be followed by three years of supervised release. Rosier was sentenced to 49 months in prison, to be followed by three years of supervised release. The court also ordered both defendants to pay $129,390.06 in restitution to the IRS and the medical services provider whose database had been breached. Cooper previously pled guilty to one count of possession of fifteen or more unauthorized access devices, in violation of Title 18, United States Code, Section 1029(a)(3), and one count of aggravated identity theft, in violation of Title 18, United States Code, Section 1028A. Rosier previously pled guilty to one count of conspiracy to commit access device fraud, in violation of Title 18, United States Code, Section 1029(b)(2).

According to court documents, a confidential source (CS) initially approached Michael Bryant and inquired about purchasing narcotics. Bryant told the CS that he did not have any narcotics but that he did have personal identity information (PII) that he was willing to sell to the CS. The CS made a controlled purchase of ten pages (each page containing approximately 20 to 25 names) of PII. Bryant instructed the CS on how to commit tax fraud using the PII, and provided the CS with specific instructions on what information to enter into the web pages of the internet-based tax services to obtain a tax refund. An examination of the PII revealed that it was from a medical services provider.

Rosier was an employee of the medical services provider. Cooper spoke to Rosier to obtain user names and passwords for current employees of the medical services provider. Cooper admitted to illegally logging on to the medical services provider’s computer network and downloading PII for the purpose of committing various types of fraud. She was assisted in her activities by Rosier and co-defendant Moye.

SOURCE: U.S. Attorney’s Office, Southern District of Florida

Note that the USAO says this affected “thousands of patients” in their headline. It is not clear to me whether they were all patients of Apex Laboratory or whether another facility was also involved. The Apex Laboratory breach is still not showing up on HHS’s breach tool, and it’s not clear whether they ever reported this breach or not (they hadn’t reported it by January 28, 2014, more than one and a half years after they learned of it).