Thursday, January 30, 2014

Practical HIPAA basics for Patients and their Families

My daughter was rushed to the ER one evening and I joined her. She was 18, maybe 19. They took her to do an ultrasound and I started walking with the bed. The employees stopped me and said I could not accompany her, she was an adult. She looked at them and said "I want her with me." And they replied that HIPAA would not permit me to accompany her. I explained that I could take the time to educate them as to why that statement was not true and would be happy to educate their supervisors if they also held the same mistaken beliefs, but given my daughter's emergency - if she was okay with going alone, I would not object at this time. My daughter agreed and off they went. I complained the next day.

I have another daughter who was having x-rays done as an outpatient and was also told I could not accompany her due to HIPAA. She was actually a minor. I was prepared in a non-emergent situation with a minor to object, but this daughter was actually quite happy for me not to accompany her - she was 15. Very independent. 

In one case, my mother was in the hospital following surgery and the nurses were giving her a hard time about her lack of following their instructions....and my mom is a nurse. She wasn't following the instructions, because the nurses were only taking into account the immediate situation and not the full history - which was clearly in the record. I called to inform them. Upon the nurse haughtily telling me she could not speak to me about my mother due to HIPAA, my response was that first, HIPAA would not stop her and second, I am not asking her for information, merely providing information to her. She need only listen - not speak. (Yeah, I can be a bit of a prat, but while firm, I was also very polite in all situations described above). 

I have heard HIPAA used as an excuse for so many things - doctors cannot talk to a family, nurses cannot listen to information from families, companies cannot respond to patients directly, etc. ad nauseam.

So in this post, let me share a few things about HIPAA with you. (HIPAA is the Health Insurance Portability and Accountability Act of 1996, including all its subsequent amendments under the Affordable Care Act and the implementing regulations that became effective in 2013 with the HIPAA Omnibus Rule.) HIPAA has never been intended to interfere with medical care; in fact, sharing patient information between health care providers for treatment does not require a patient authorization at all.

But to help address the situations above: 1) when a person verbally states that they want someone with them, that is patient authorization. And patient authorization is all that HIPAA requires for a health care provider to share information - it does not need to be in writing, especially when the patient, the person, and the provider are standing there together. So when my daughter said she wanted me with her - that was sufficient. And yes, the hospital privacy officer agreed with me and sent us written apologies stating he would ensure that all staff were appropriately educated on that point. It did not matter that we were related or that she was an adult and I her mother - what mattered was that she gave permission.

This leads into the situation with my other daughter. As a minor, she is not legally capable of providing consent; therefore, the parent was the appropriate person to grant it. Perhaps at 15 her assent is desired or even required under certain state laws for medical treatment, but if an authorization to share medical information were required in writing, the parent or guardian would have to sign for it to be legal (forgoing any discussion here of emancipation and exceptions). Thus, as her parent, it was my right to give myself access to her information and accompany her to testing.

Let's take that one step further. Perhaps the medical technician in either situation intended to protect the privacy of other patients. So? HIPAA provides for incidental disclosures, which covers situations in which patients are in close proximity and it is nearly impossible to maintain strict confidentiality. One should take reasonable precautions, but there is nothing illegal about an emergency room that has curtains instead of walls or that stages all patients waiting for surgery in the same waiting area. That is not a valid enough reason to override a scared person's need to have their support person with them.

Last, my mother. Believe it or not, providers can share patient information with people the provider feels/knows are involved in the patient's care and wellbeing. Thus, knowing I was the daughter, the choice could legally have been made to provide me with information about my mother. True, this scenario can get complicated and ugly quickly - how could they verify who I am, or whether my mother and I were close, or any number of other variables. And so, it is logical that an entity would not permit employees to make this decision - but there are other ways to handle it. One could check with the patient, ask the doctor, or have an escalation process to find a potential solution rather than shutting out what may have been the only person in the patient's life (not the case here, but the nurse might not have known that).

I hope this helps you with some basic misunderstandings about HIPAA. Please do not assume that your providers, health care employees, or even all privacy officers understand this - and by no means do I claim to know everything about HIPAA. Few take the time to fully understand all of HIPAA and sometimes a simple straightforward policy by the entity is much easier to train and enforce than are policies that enable HIPAA to be followed in full. And sometimes state law is more strict (I do not know of any, but they could exist). 

One final point: please note that HIPAA is spelled with two As and NOT two Ps (e.g., "HIPPA"). If you are a consultant or vendor trying to get my business, you at least need to spell it right.

Wednesday, January 29, 2014

Why are we not Outraged?

Edward Snowden (of the now infamous and controversial revelations about the U.S. National Security Agency's rampant surveillance) has spoken out in his first television interview. He speaks frankly about the threats to his life due to his revelations, but more importantly about why he did what he did. A friend of mine posted the link on Facebook and I asked this same question there - why are we not more outraged? Why do TV or music celebrities get more comments from both fans and haters than does someone who opened the U.S. Pandora's privacy box? It is scandalous!

It is scandalous what the NSA has done. 

It is scandalous that we as a nation do not seem to care. 

In fact, it appears and I allege that the only reason we are starting to hear from our political leaders about fixing the problem is because nations which actually provide privacy rights to their citizens are outraged. They are outraged. We are not.

The White House has spoken now. President Obama finally laid out a plan: consider reforming the PATRIOT Act; improve the public's confidence in governmental oversight; have the Intelligence Community make public information about their surveillance programs - including hiring a privacy officer (more on this later as one has now been appointed); and last, having a high-level group of experts review intelligence and communication technologies. Yours truly was not invited. durn.

What will it take for the people of this nation to actually pay attention to their own privacy and to the entities violating that privacy? I am honestly perplexed, outraged on your behalf, and frankly, wishing there were a privacy cattle prod that someone with integrity could wield as rampantly as the government wields surveillance.

Tuesday, January 28, 2014

Global Data Privacy Day and a 21 year old

I would be remiss if I did not post something about today being Global Data Privacy Day - so woot woot - everyone may now celebrate their privacy!!

right.

Perhaps Snowden is celebrating, but the rest of us, in the U.S. at least, are dealing with data breaches and privacy violations with little to no government intervention and lots of outrage towards the government from large megadata corporations. I try to be positive and not ascribe deflection motivations to these large technology companies, but it does require some effort. Yet I remain optimistic that those companies who collect, share, analyze, combine, and use our data in every way imaginable, and some ways never imagined by the common person, actually are becoming privacy conscious. If not, fake it till you make it.

But more importantly in my own family - today is my youngest child's 21st birthday. WOW. Happy birthday to her and I am sure everyone reading this (anyone reading this) wishes her the best. 

So what does a 21 year old think about privacy? She grew up in the information age, where every thought, emotion, intention, and action is immediately shared, judged, and forgotten. Except nothing on the internet is ever forgotten. (California just passed a law that minors can request their information on social media to be erased. No one really knows what this means yet, but it's a start.)

It has been proposed that millennials, GenY'ers, have no comprehension of privacy and have missed learning the basic etiquette of society - there is no period of reflection when something happens - it is immediate reaction, instantly shared, no sense of privacy. I disagree to some extent. I think the new group of young professionals completely understands what being on the job/on call for the job 24/7 due to smartphones means. I think they treasure quality of life more, knowing they have to fit life in around work and school. That leaving work at 6 pm does not mean being off work - and they compensate by enjoying life more.

So I asked my newest adult daughter what privacy means to her. Her first response was "What? What about?" - but perhaps I was a bit blunt and unexpected in my question. So I explained more and am anxiously awaiting her answer as I type this. 8 minutes later, I am still waiting. Perhaps it is not only the newest generation who expect immediate gratification...

We are seeing changes every day in privacy - some for the good, some not so much. Young and old, U.S. or not, corporate or individual - we are all impacted and some will care more than others. Some will do more than others. It's a brand new world every time the sun rises. Take the opportunity to make a change in the way you share/use data whether your own or someone else's - take the opportunity to think about what privacy means to you.

Happy Global Data Privacy Day and Happy Birthday, my child. 


Friday, January 24, 2014

Open Letter Calling for U.S. Government Surveillance Reform

Check out this website:

http://reformgovernmentsurveillance.com/


The website is an open letter from certain U.S. corporations calling for global government surveillance reform, and it states: "The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information." Do you see which companies are there? Facebook, Google, LinkedIn, AOL, Apple, Microsoft, Twitter, and Yahoo. We have seen a few of these companies in the news highlighting someone's concerns about the companies' lack of data protection or respect for individual privacy.

I am not here to knock their privacy practices. In fact, judging by the jobs either filled or recently opened for these companies to hire privacy professionals, it looks like they are trying to improve any alleged deficiencies (we won't discuss any enforcement action that may have been against any of these companies - we are looking forward, not back).

However, keep reading the page. The companies support five principles:
1. Limiting Governments’ Authority to Collect Users’ Information;
2. Oversight and Accountability;
3. Transparency About Government Demands;
4. Respecting the Free Flow of Information; and
5. Avoiding Conflicts Among Governments.

So this is all about former National Security Agency contractor Edward Snowden's surveillance revelations and the European Union's reaction. These are global companies and they do not want to suffer any potential repercussions due to the actions of the government. It is admirable for them to publicly call for reform of government surveillance. Consider this quote from Marissa Mayer, CEO of Yahoo, which sums up the concerns nicely:

“Protecting the privacy of our users is incredibly important to Yahoo. Recent revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world. Today we join our colleagues in the tech industry calling on the United States Congress to change surveillance laws in order to ensure transparency and accountability for government actions.”

I am particularly intrigued by the goal of enabling the free flow of information. Under this principle, the letter states that

"[t]he ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally."


Is this a denunciation of the data protection laws of other nations that prohibit data on individuals from being exported out of the nation unless the data exporter has proper controls in place...or the exporter's governing nation has proper laws in place? The U.S. clearly does not have national data protection controls in place. The EU clearly prohibits data transfers without said proper controls in place (and there are more options for such controls than relying on the governing law of the importing nation). This point segues nicely into the last principle of avoiding conflicts among governments.

Skeptics might say that the endeavor is merely to protect these companies.

So what? If the end result is that the U.S. Congress passes legislation to protect information on individuals, are we not all better off?

Thursday, January 23, 2014

FTC enforcement actions against 12 companies for deceptive practices re: EU/US safe harbor certifications

On January 21, the FTC issued proposed settlement agreements against 12 US companies for deceptive claims that the companies were in compliance with the EU/US safe harbor data protection self-certification program. The public has 30 days to comment on these proposed settlements. (see far below for instructions and links, or just read through the release by the FTC linked above).

What does this mean? In simple terms, the European Union has constitutional data protection rights that the U.S. does not. Some states in the U.S. include the right to privacy in their constitutions, but as a nation - we do not. Please do not get sidetracked on the belief that the U.S. does have a right to privacy in its constitution (which is a common misconception) - I can cover that in more detail in another post, but for now, just accept that the U.S. does not have an explicit constitutional right to privacy even though the U.S. Supreme Court held that the constitution has penumbras, one of which is the right to privacy. Back to topic.

The U.S. also does not have general federal data protection laws. We have sectoral laws - financial, health, education, etc. and states have laws - notably, Massachusetts, California, and Texas. Because of this, the U.S. does not meet the EU standards for data protection, yet many U.S. companies are global and collect data on EU individuals. Unless there is some mechanism recognized by the EU to protect the data on these individuals, the U.S. companies are not permitted to export that data from the EU (and in fact, some EU countries have very strict standards). Let's stick to just the EU in general and not delve into the spiderweb of regulations and laws generated by the various member states.

Did you catch the point above about exporting data on EU individuals? Exporting data does not mean merely putting data in a box and mailing it. It also means electronic access to data from outside the EU borders. Thus, the issue at hand with the FTC.

Approximately 3000 U.S. companies have self-certified to the EU/US safe harbor - a set of principles put in place and overseen by the U.S. Department of Commerce to enable these companies to legally export data from the EU to the U.S. The FTC enters the fray when companies state on their websites that they adhere to the safe harbor and yet do not do so. Then those statements become deceptive or false claims.

Between 2009 and 2012, only 10 companies faced enforcement by the FTC. 4 years. Now, in one fell swoop, 12 actions. It may be in response to the current scandals about U.S. data leaks or the currently proposed EU data protection laws...or a combination of many things. The point is - the FTC is taking affirmative action in this regard. The proposed settlements may not seem incredibly meaningful, but they are one step in the right direction and may be a guidepost for the future. Perhaps U.S. companies will be held accountable. Perhaps the U.S. will pay more attention to protecting the information of its citizens. Perhaps. Perhaps. Perhaps.

Perhaps you will read the proposed settlements and let the FTC know what you think about them. Links below.

Comments in electronic form should be submitted using the following web links:
Apperian, Inc.: Company specializing in mobile applications for business enterprises and security;
Atlanta Falcons Football Club, LLC: National Football League team;
Baker Tilly Virchow Krause, LLP: Accounting firm;
BitTorrent, Inc.: Provider of peer-to-peer (P2P) file sharing protocol;
Charles River Laboratories International, Inc.: Global developer of early-stage drug discovery processes;
DataMotion, Inc.: Provider of platform for encrypted email and secure file transport;
DDC Laboratories, Inc.: DNA testing lab and the world’s largest paternity testing company;
Level 3 Communications, LLC: One of the six largest ISPs in the world;
PDB Sports, Ltd., d/b/a Denver Broncos Football Club: National Football League team;
Reynolds Consumer Products Inc.: Maker of foil and other consumer products;
Receivable Management Services Corporation: Global provider of accounts receivable, third-party recovery, bankruptcy and other services; and
Tennessee Football, Inc.: National Football League team.

Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.



Wednesday, January 22, 2014

Goals - SMART ones

Goals. Many people write goals every time they start a new year. They are called resolutions. And it is a running joke that people break resolutions frequently (and pardon the pun for "running joke" as many resolutions are around exercise and weight loss).

Let's examine goals and resolutions. No, let's just examine goals.

Goals are easier to achieve when they are smart goals - Specific, Measurable, Attainable, Relevant, and Time-bound. SMART. Even large goals can be broken down into smaller goals based on the SMART formula.

Specific: a goal should be specific, not general. Be clear and decisive about what needs to be achieved.
Measurable: make sure it can clearly be determined when your goal is achieved. Don't say "better" - say "10% better than last year." Don't say "get fit" - say "able to run one mile in under 9 minutes three times a week." (Specific and measurable often work together.)
Attainable: don't set yourself up for failure. If you are a couch potato and eighty pounds overweight, the right goal for you may not be losing fifty pounds in six months. Make your goal to lose five pounds in three months. If you lose five pounds in one month, YEA! Then set the next attainable goal. Meanwhile, you are achieving goals and succeeding wildly, making for a much better mindset.
Relevant: your goals should be relevant for you. Do not set goals for yourself to please someone else, unless that directly relates to what you need to be successful in the endeavor. Choose goals that matter. Sure, you can set a goal to knit thirteen socks in one month...but do you know how to knit, do you wear hand-knit socks, does this satisfy something in you or achieve something that matters?
Time-bound: this one is pretty self-explanatory and included in the examples above. Set a time limit. Call a goal achieved, partially achieved, or failed. Then reset.

My goals are to finish my PhD. This might not even be smart, much less SMART. I am one of the few who wants a doctoral degree in order to earn less money....I am an attorney now and I want to teach, or be involved in education in some forum and felt I needed a PhD to do so. I have completed all my coursework and been approved in most part for my dissertation topic. But I am changing methodology for the study. Thus, I am breaking down the dissertation process into SMART chunks. First, I need to complete the methodology proposal by this May. Then I need to get permissions and arrange for the study. Then I need to write. write. write. revise. revise. revise. It's a long process. My long-term goal is to complete the dissertation in 2015. By breaking it into SMART goals, I just might be able to do it.

This blog is another goal. I have committed to posting one entry per week for three months. I have heard that it takes three months to form a habit, so I am trying to form a habit.

Another goal - as with so many others - is to lose weight. My goal is specific to a size, as opposed to a weight, but the process is the same. This is another large goal that I have to break down into smaller goals, including activity, food, and some other things.

I have personal goals, professional goals, goals at work and at home, goals purely for me and goals involving others. But in every case, I am working on SMART goals. Periodically, I will come back and report on the goals - part of my blog goals - and you can keep me honest here.

Put this into practice for your own goals. Hold yourself accountable and see how it works. Any goal fits into this systematic process.

Tuesday, January 21, 2014

Lost 2013

2013 was an interesting year. It was no more interesting than 2012, and hopefully less interesting than 2014. I took the year off to do some deep introspection and change some things in my life. I needed to see where I want a blog to go and what I want it to accomplish. Over this time, my friends, fans, and family helped me solidify these plans, which fall into several categories: 1) privacy knowledge and awareness, 2) life views and experiences (including getting a PhD and becoming an empty nester), 3) social elements: diversity, leadership, civic education, and career stuff, and 4) culture through the eyes of a redneck. So I make a promise to each of you that I will force myself to blog once a week and provide the information you need. It will be a growth and dedication experience for me - a patient one for you, perhaps.

So today, we'll talk merely about what it takes to make a habit. A habit, by definition, is something one does repetitively over time. You cannot form a habit by doing something once, and in some cases, having a behavior that is a habit can be proof of the behavior occurring - like fastening a seatbelt or locking a car door. Habits are often performed without active thought - and some are bad and some habits are good. I started fastening my seatbelt consistently in 1990 when I discovered I was pregnant with my oldest child. It is now a habit. I cannot conceive of sitting in a car without wearing a seatbelt.

Thus, the plan is to make this blog a habit. I cannot focus enough to make it about one thing - just one thing - and I truly admire the people who do. I have a friend who blogs on being an in-house counsel and another who has two blogs - one on being a single male parent and another on movie reviews. All of these are successful and I do not have what they have. Discipline. I recognize this and will try to embrace this to make this blog what you and I need it to be.

We are embarking on a journey to become structurally undisciplined - and to turn this awareness into art. Hold me accountable.