When Will Costs Outweigh the Benefits of Health Information Technology?
At what point will security data breaches become so costly that dentists will abandon computerization and return to pegboards and ledger cards?
Senate Judiciary Committee
A week ago, the Senate Judiciary Committee approved two separate bills which would mandate that dentists who store digital PHI notify patients if their data is breached. Of course, that would be the ethical thing to do anyway, wouldn’t it?
Senate Bill 139, also known as the Data Breach Notification Act, was introduced by Senator Dianne Feinstein of California and is similar to existing state notification laws, including California's own landmark SB 1386, which set the standard seven years ago.
Two Hundred Ten Dollars Cost – Per Record – for Notification
Considering that in October the Ponemon Institute reported that a breach costs an estimated $210 per record, a lot of angry lawmakers are missing the point. Mandated fines for a breach are meaningless. Simply notifying thousands of patients of a breach will bankrupt any dental practice, even when it is an insurance company employee who loses a laptop containing a dentist's patients' personal data, as a BCBS employee recently did with the personal information of over 800,000 physicians.
Personal Data Privacy and Security Act
Even now, a dentist whose practice is the victim of a breach, whether from a stolen computer, a hacker or a dishonest employee, might look at the notification path to near-certain bankruptcy, gamble that the patients' data will not be misused, and hide the incident. That is why Senator Patrick Leahy of Vermont has sponsored the other breach bill, which reflects the prevailing attitude of frustrated constituents throughout the nation. It is known as the Personal Data Privacy and Security Act.
Leahy is more concerned with punishment than with breaches themselves. In addition to a fine, he would establish a jail term of up to five years for failing to disclose a breach when required.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:s1490is.txt.pdf
§ 1041. Concealment of security breaches involving sensitive personally identifiable information
"Whoever, having knowledge of a security breach and of the obligation to provide notice of such breach to individuals under title III of the Personal Data Privacy and Security Act of 2009, and having not otherwise qualified for an exemption from providing notice under section 312 of such Act, intentionally and willfully conceals the fact of such security breach and which breach causes economic damage to 1 or more persons, shall be fined under this title or imprisoned not more than 5 years, or both."
If dentists want to continue to use computers in their practices, Leahy would have them put serious skin into the game. The bill was read twice and referred to the Committee on the Judiciary.
On the ADA Advocacy page, dental leaders still maintain that electronic dental records will lower the cost of dentistry. As recently as last month, the ADA House of Delegates again publicly endorsed the adoption of eDRs, yet the ADA still neglects to adequately warn its members of their dangers, which now include possible imprisonment.
Assessment
ADA President Dr. Ron Tankersley is already irrelevant.
Conclusion
Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.
Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko, MBA, Publisher-in-Chief of the Medical Executive-Post, is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
Filed under: Health Law & Policy, Information Technology, Practice Management, Pruitt's Platform | Tagged: ADA, Darrell Pruitt, Data Breach Notification Act, dentists, Dianne Feinstein, EHRs, EMRs, HIPAA, Patrick Leahy, Personal Data Privacy and Security Act, PHI, Ponemon Institute, Ron Tankersley, Senate Bill 139 |
Food for Thought
According to David C. Kibbe MD, and Brian Klepper PhD, it’s become PC to ask tough questions about eHRs, quality, security and health care costs.
But, isn't that what Alberto Borges MD, and Darrell Pruitt DDS, have been doing here on the Medical Executive-Post for some time now?
http://www.thehealthcareblog.com/the_health_care_blog/2009/12/2009-a-year-of-surprises-and-change-for-the-ehr-technology-market.html#comments
The folks who were mocking these thought-leaders, as mere Luddites, seem strangely silent now.
Hope Hetico; RN, MHA
[Managing Editor]
Are you telling me I was being mocked? I had no idea.
Darrell Pruitt; DDS
Questions for the Belo debate – Medina, Hutchison and Perry
I submitted the following questions for the Belo Texas Gubernatorial Debate on Friday between Republicans Debra Medina, Senator Kay Bailey Hutchison and Governor Rick Perry. Wish me luck.
Question 1.
Over 90% of healthcare providers keep thousands of patients’ records on computers. If a computer is stolen in a burglary, or hacked, providers are lawfully obligated to notify each patient whose identity is at risk. Regardless of the law, warning those who could be hurt is the only ethical thing to do.
Unfortunately, because self-reporting a data breach can bankrupt a practice, under-reporting will continue unabated in Texas, and everyone will suffer. Any ideas how to solve this dilemma?
Question 2.
It is well known that the state of Texas struggles to entice dentists to serve those on Medicaid and CHIPS programs for fees that sometimes don’t even cover the cost to deliver dental care – regardless of the state’s requirement that dentists have arbitrary NPI (National Provider Identifier) numbers to participate.
Thousands of Texas dentists must feel the same way I do, because one third of us never “volunteered” for the number that nobody will discuss. Any ideas how to solve this dilemma?
D. Kellus Pruitt; DDS
Short discussion about medical data breaches
“Dr. Larry Emmott is one of the most entertaining speakers in dentistry and he is considered the leading dental high tech authority in the country. He has over thirty years of experience as a practicing general dentist in Phoenix, AZ.” – bio on Emmott on Technology, LLC Facebook
It’s been a busy news day. Here’s a short thread about data breaches in dental offices with a dental technology expert. Watch our conversation grind to a merciful halt:
Darrell Pruitt – Dr. Emmott, recently HHS released details of 36 privacy breaches that put healthcare customers at risk of identity theft. Among those listed is a dental practice in Missouri that lost 9,300 individuals’ PHI. According to the Ponemon Institute, just to notify their dental patients will cost the practice almost half a million dollars. Later, there will be HIPAA fines on top of a crushed reputation around town – all because a computer was stolen in a burglary.
I ask you, how can the benefits of digital possibly be worth such a risk – not only to the dentist, but the dentist’s patients?
Yesterday at 7:11pm · Emmott on Technology, LLC
– Darrell, This is interesting. However I don’t see how notification will cost half a million?? That seems waaaay out of line.
9 hours ago · Darrell Pruitt
– If you think $50 per patient for notification is waaaay out of line, let me tell you more about the results of a Ponemon Institute investigation completed in October.
They estimate that the cost of notifying patients is not only $50 per person, but the loss of future sales is another $150. That’s right – $200 per digital PHI.
7 hours ago · Darrell Pruitt
– Here is what will kill the practice. As part of the HITECH/HIPAA, if a dentist fumbles 500 or more individuals’ PHI, then the local media must be informed of the breach.
I was a victim of identity theft. Victims get very angry. If my physician failed to adequately protect my information, I’d never return. Nor would I go to a physician who is on a list for data breaches. Would you?
6 hours ago · Darrell Pruitt
– That makes it a little difficult to get enthusiastic about paperless practices, doesn’t it?
4 hours ago · Emmott on Technology, LLC
– Darrell Darrell. I am very interested in learning more … but am frankly sceptical [sic]. Do you have links to your claims?
I do not see why making a notification should involve anything more than an e-mail at almost zero cost. I have never heard of a HIPAA fine for a stolen computer. That is urban myth territory.
Now if you have links to credible sources I am very interested in learning about it.
3 hours ago · Darrell Pruitt
– Never mind.
———————————————————-
Do you know what I liked most about my conversation with Dr. Emmott? His salutation, “Darrell Darrell … “ That put me in my place as a newbie on technology matters. He’s indeed entertaining. Larry Larry is a comedian.
D. Kellus Pruitt; DDS
For those of you who might be wondering about an inside joke, today Dr. Larry Emmott learned about the Ponemon Institute. I learned about the research institution 3 years ago, but I’m not that entertaining.
D. Kellus Pruitt; DDS
“I do not see why making a notification should involve anything more than an e-mail at almost zero cost. I have never heard of a HIPAA fine for a stolen computer. That is urban myth territory.” – Dr. Larry Emmott, March 2, 2010.
http://www.facebook.com/pages/Phoenix-AZ/Emmott-on-Technology-LLC/167616526582?ref=mf
Darrell K. Pruitt; DDS
Dr. Larry Emmott, meet Mr. Jim Pyles
Dr. Larry Emmott, who often represents dental software giant Dentrix Dental Systems, told me yesterday, “I do not see why making a notification should involve anything more than an e-mail at almost zero cost. I have never heard of a HIPAA fine for a stolen computer. That is urban myth territory.”
Instead of searching "Ponemon Institute" his own damn self, he told me: "Now if you have links to credible sources I am very interested in learning about it."
James C. Pyles is a well-known attorney in the HIT world. He has built a fine reputation fighting for patients’ privacy rights while dangerous people sell software packages as fast as they can. Mr. Pyles responded this morning to “Short discussion about data breaches.”
http://community.pennwelldentalgroup.com/forum/topics/short-discussion-about-data
I’ll let Mr. Pyles fill in the details for Dr. Emmott:
Darrell,
This is most entertaining. Perhaps you could refer Dr. Emmott to the breach notice requirements in section 13402 of the HITECH Act, the enhanced civil and criminal penalties for failure to comply in section 13410, the new required investigation requirements at section 13410(c), the new authority for state Attorneys General to bring enforcement actions in federal court in section 13410(e), the first case filed by Attorney General Blumenthal (brother of the HHS National Coordinator) in Connecticut against Health Net seeking damages for not notifying individuals fast enough, and the lawsuits for breach of privacy under state law that are settling generally in the $20 million range.
Many of the enhanced privacy protections in the HITECH Act were motivated by precisely the attitude exhibited by Dr. Emmott. Within 3 years of the February 17, 2009 effective date of the HITECH Act, individuals who are harmed by violations will be entitled to receive a percentage of any civil monetary penalty or settlement for a violation.
Dr. Emmott is likely to be a fertile source of revenue for patients whose privacy is breached. What may have been a myth in the past is quickly becoming a reality.
Jim
James C. Pyles, Principal
POWERS PYLES SUTTER & VERVILLE PC
1501 M Street NW, Seventh Floor
Washington, DC 20005-1700
———————————————————
Thanks, Jim
Dr. Larry Emmott will get the news one way or another.
D. Kellus Pruitt; DDS
Big Brother is too Nosy!
I was recently surveyed by an insurance company for my demographic info. They actually had a space for “ethnicity” that they were requesting. When I called to object to this level of info, they at first stated that it was to determine what other languages were spoken at my office. When I told them that their question was not worded correctly, they then told me that the state Department of Welfare was requiring them to obtain this info. I objected to this and refused to answer.
Like most Americans, I am of multiple “ethnicities.” If they want to know my race, they can ask me that more directly. If they want what languages I speak, they can ask that too.
Why does the state Dept of Welfare care about medical practitioners’ “ethnicity” and not qualifications? Nowhere did they ask about my certifications or continuing education! Who are these geniuses, and why are they asking these intrusive questions?
Dr. Teresa N. Tobin; DPM
Huntingdon Valley, PA
tntdpm@comcast.net
Source: PMNews #3876
Felony?
Several years ago, I cannot now recall the insurance company, but right under the question of “Have you been charged with any felony” was the following question; “Are you, or have you been, investigated or charged for child molestation?”
DUH! comes to mind here. It makes you wonder about the intelligence of the people who come up with these questions, doesn't it? And for the record, although sorely tempted to do otherwise, I did answer "NO."
Dr. David E. Gurvis, DPM
Avon, IN
deg1@comcast.net
Source: PMNews #3877
Data breaches – HHS now posts dentists’ names
Just like I warned ADA and TDA leaders years ago, the Department of Health and Human Services has begun posting the names of dentists who suffer breaches of their patients’ identities. If dentists do the right thing and self-report a data breach of over 500 records, once their names are listed on the HHS Website, their careers will be irreversibly damaged. So where is leadership on this critically urgent issue? They’ve been in deep hiding for at least four years.
Unless one counts a clueless TDA Delegate I met recently, all state and national leaders in dentistry close the door on all discussion of the dangers of paperless practices – as policy. I contend that leadership continues to irresponsibly shield HIPAA and eDRs from scrutiny simply because of selfish interests. It’s clear to me that a few influential leaders in my professional organization successfully manipulated the investment of members’ money as well as their own careers into the promotion of paperless dental practices, and now the bureaucratic fantasy is falling apart fast.
I also confidently report that many of those same eDR Champions continue to deceive membership through their self-serving bastardization of “Evidence-Based Dentistry.” Thanks to the ADA’s Entrenched, EBD is now just another meaningless buzzword: A huge loss to science for the benefit of a few.
Link: http://www.healthleadersmedia.com/page-1/TEC-253685/Private-Practices-Revealed-On-Patient-Breach-Website
Link: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Darrell K. Pruitt; DDS
Lexington Clinic Breach
Can you imagine what it must be like to have to notify your patients that their identities have been fumbled? “Stolen Lexington Clinic laptop contained patient information” by Mary Meehan was posted yesterday.
http://www.kentucky.com/2012/01/30/2049109/stolen-lexington-clinic-laptop.html
According to Ponemon Institute estimates, the breach will cost the clinic over $200 per patient record even if the breach wasn’t their fault. For example, if a dentist’s HIPAA Business Associate, such as a cloud computing provider, happens to hire a dishonest employee who steals medical identities to sell for $50 each, the notification of the dentist’s patients will ruin his or her reputation in the community forever. Yet the W. K. Kellogg Foundation, with help from the ADA and a dental school instructor, intends to hijack the EDRs paid for by dentists for real-time cost control using “new payment and incentive mechanisms” – regardless of how much the ambitious stakeholders endanger the welfare of clueless, vulnerable Americans.
http://www.drbicuspid.com/index.aspx?d=1&sec=sup&sub=pmt&pag=dis&ItemID=309643&wf=1099
Doesn’t it piss you off at least a little to learn that the nation’s dental leaders refuse to discuss possible solutions such as simply de-identifying electronic dental records? Or are you satisfied that the direction the W. K. Kellogg Foundation and hangers-on are taking our dental practices is for the common good?
D. Kellus Pruitt DDS
The ADA shows interest in de-ID
Can you keep a secret?
Today the ADA contacted me to ask for information concerning de-identification of EDRs through tokenization. Evidently, I’m considered by some to be a national expert. Imagine that! A determined small town boy makes good in a hidden, esoteric niche.
In response, I happily provided several pages of leads I’ve openly shared with readers for over 5 years. My pleasure.
Although traditional news outlets are unlikely to report on the quiet, desperate consideration of de-identifying dental records anytime soon, I say there is a better than even chance that de-ID and/or tokenization could be described in major dental industry publications before the ADA Annual Session convenes on October 31. That would be swell, except that I have been banned from commenting on virtually all those publications for years.
Remember. Not a word about the ADA’s interest in de-ID to anyone. After this many years of shopping dentistry’s only common sense solution to identity theft, I sure don’t want to jinx its chances of high level consideration now.
Darrell
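An added illustration of the de-identification-by-tokenization idea the comment above mentions. This is example code written for this page; it is not Dr. Pruitt's material, not anything the ADA circulated, and not a description of any dental software product. The record layout, the field names treated as direct identifiers, and the assumption that the token vault is held by a custodian separate from the clinical database are all hypothetical. The point it makes: a stolen copy of the clinical store resolves to nobody without the vault, and a deterministic unkeyed hash of the identity is not a substitute for a random token, because a thief with a list of plausible names and birth dates can reverse it.

```python
"""Example (not from the original post): tokenizing direct identifiers so a
stolen clinical database carries no names, birth dates or SSNs.

Hypothetical assumptions: records are flat dicts; DIRECT_IDENTIFIERS is a
short illustrative subset, not HIPAA's full Safe Harbor list; the vault is
stored and administered apart from the clinical data.
"""
import hashlib
import secrets

# Illustrative subset of direct identifiers (the real Safe Harbor list is longer).
DIRECT_IDENTIFIERS = frozenset({"name", "dob", "ssn", "phone"})

# Constructed sample records; these are not real patients.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "dob": "1970-01-01", "ssn": "000-00-0001",
     "phone": "555-0100", "tooth": "19", "procedure": "D2740", "date": "2012-01-30"},
    {"name": "Pat Example", "dob": "1970-01-01", "ssn": "000-00-0001",
     "phone": "555-0100", "tooth": "30", "procedure": "D2150", "date": "2012-03-14"},
    {"name": "Sam Sample", "dob": "1985-06-15", "ssn": "000-00-0002",
     "phone": "555-0101", "tooth": "3", "procedure": "D7140", "date": "2012-02-02"},
]


class TokenVault:
    """Token <-> identity map. Keep it apart from the clinical store so that a
    burglar who takes the clinical database alone learns no identities."""

    def __init__(self):
        self._by_identity = {}
        self._by_token = {}

    def tokenize(self, identity):
        key = tuple(sorted(identity.items()))
        token = self._by_identity.get(key)
        if token is None:
            # Random token: carries no information about the patient, so it
            # cannot be reversed without the vault. Same patient -> same token.
            token = secrets.token_hex(16)
            self._by_identity[key] = token
            self._by_token[token] = dict(identity)
        return token

    def resolve(self, token):
        return dict(self._by_token[token])


def deidentify(record, vault):
    """Strip direct identifiers from one record and replace them with a vault token."""
    identity = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
    clinical = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    clinical["patient_token"] = vault.tokenize(identity)
    return clinical


def reidentify(clinical, vault):
    """Inverse of deidentify; only possible with access to the vault."""
    record = dict(clinical)
    record.update(vault.resolve(record.pop("patient_token")))
    return record


def has_direct_identifiers(records):
    """True if any record still carries a direct identifier field."""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


# The mistake to avoid: an unkeyed hash of the identity is not a token.
def naive_hash_token(identity):
    return hashlib.sha256(repr(sorted(identity.items())).encode()).hexdigest()


def dictionary_attack(hashed_token, candidate_identities):
    """Recover the identity behind an unkeyed hash by hashing plausible candidates."""
    for cand in candidate_identities:
        if naive_hash_token(cand) == hashed_token:
            return cand
    return None


def demo():
    """Tokenize the sample records; return (clinical db, stolen copy, restored records)."""
    vault = TokenVault()
    clinical_db = [deidentify(r, vault) for r in SAMPLE_RECORDS]
    stolen_copy = [dict(r) for r in clinical_db]  # what a burglar gets without the vault
    restored = [reidentify(r, vault) for r in clinical_db]
    return clinical_db, stolen_copy, restored


if __name__ == "__main__":
    clinical_db, stolen, restored = demo()
    print("direct identifiers in stolen copy:", has_direct_identifiers(stolen))
    print("round trip restores originals:", restored == SAMPLE_RECORDS)
```

Two caveats a practitioner would add. Tokenization removes direct identifiers only; dates, procedure codes and small-town geography are quasi-identifiers that can still single out a patient, so the clinical store is not automatically "de-identified" in the HIPAA sense. And whether a tokenized store falls outside the breach rule's definition of unsecured PHI is a legal determination that this page does not settle; the code shows the engineering separation, not the regulatory conclusion.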
Community Health Systems breach fallout
“Six hospitals sued for patient data breach – Six plaintiffs are suing six Mississippi hospitals and their parent company, alleging the facilities did not properly secure sensitive patient information. The complaint, filed Sept. 11 in federal court in the Southern District of Mississippi, says the plaintiffs were patients at the hospitals, and are at increased risk of identity theft because identifying information was made available to ‘thieves and hackers.’”
[By Clay Chandler for The Clarion-Ledger]
September 15, 2014.
http://www.clarionledger.com/story/business/2014/09/15/hospitals-sued-data-breach/15666399/
“The complaint demands a jury trial. It claims that, between April and June, a group of hackers in China acquired the information from a database operated by Community Health Systems. Tennessee-based CHS owns the six hospitals listed as defendants.”
And … even more
McKesson data breach
“McKesson subsidiary exposed over 10,000 patients’ information via Google search; data exposed for more than 4 months – PST Services, a McKesson subsidiary providing medical billing services, reportedly had a breach that impacted multiple clients and left more than 10,000 patients’ information exposed via Google search for over four months. The full scope of the breach has yet to be determined.”
By Dissent Doe for PHIprivacy.net
[September 15, 2014]
http://www.phiprivacy.net/mckesson-subsidiary-exposed-over-10000-patients-information-via-google-search-data-exposed-for-more-than-4-months/
Darrell K. Pruitt DDS