Encryption and HHS are Taking Hits
[By D. Kellus Pruitt DDS]
It is bad politics for the President’s Department of Health and Human Services to get caught deceiving voters.
Word gets around much faster than it did before transparency sucked the power from the entrenched.
The NoPP
You know those Notice of Privacy Practices (NoPP) forms we are asked to sign in doctors’ offices? Signing one does nothing more than acknowledge that you received it, so since it makes no difference to anyone whether patients sign them or not, why needlessly waste everyone’s time? The NoPP is not an agreement, and just because virtually everyone is tricked into signing it does not mean anyone reads it. HIPAA has become a source of danger to patients, with no redeeming value.
HHS Estimates
According to the US Department of Health and Human Services’ own recent estimate:
“… many centuries of time—nearly 35 centuries, in fact, or just short of 30.7 million hours—will be devoted each year by healthcare providers and patients for the dissemination to patients and their acknowledgement of HIPAA notices of privacy practices [NoPP] for protected healthcare information, HHS estimates. Even at just 3 minutes apiece, with 613 million of these routine privacy notices to be delivered, signed and stored, the time adds up…”
-Joseph Conn
… “HHS estimates 32.8 million hours of interaction required to comply with privacy, security rules” …
-ModernHealthcare.com [September 5, 2013]
Censorship Concerns?
I tried to bring attention to this absurdity over a year ago – back when HHS was still keeping unfavorable news about EHRs hidden from voters using censorship:
… “Put another way, the ONLY reason for a doctor to ask patients if they feel like signing the NoPP is to protect already busy doctors from a HIPAA fine. How is that not senseless, yet admittedly humorous bureaucratic waste?” …
On July 3, 2012, my opinion about the waste that HHS has since confirmed was censored by an HHS employee from the taxpayer-supported LinkedIn site, Health IT and Electronic Health Records. If that is not against federal law, it damn sure should be.
Among the items that HHS requires providers to include in a Notice of Privacy Practices is a one-sentence statement addressing data breaches:
…“We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information [unless it is encrypted]”…
http://www.hhs.gov/ocr/privacy/hipaa/npp_booklet_hc_provider.pdf
Now that it is widely reported that some standardized encryption has been deliberately weakened, protection from accountability is fast becoming encryption vendors’ strongest selling point. HIPAA stipulates that if breached patient information was encrypted according to guidance from the National Institute of Standards and Technology (NIST) – Special Publication 800-111 for data at rest, FIPS 140-2 validated processes for data in transit – and the decryption key was not exposed along with it, the information is not “unsecured” and doctors are freed from the tremendous cost of notifying (former) patients, even though the patients’ records have nevertheless left the building.
For example, two weeks ago NIST told users to stop relying on one of its own standards: the Dual_EC_DRBG random-number generator in Special Publication 800-90A, which the Snowden documents suggest was weakened by the NSA. That is not the same NIST guidance the HIPAA safe harbor cites, but it shows how a safe harbor that rests on “encrypted according to the standard” can be undercut after the fact, with no way for patients to find out. (See: “Government Standards Agency ‘Strongly’ Suggests Dropping its Own Encryption Standard,” by Jeff Larson and Justin Elliott, ProPublica, September 13, 2013).
NSA Secrets
The NSA’s secret program to defeat widely used encryption – revealed by former NSA contractor Edward Snowden – reportedly relied on weakened standards, obtained keys and vendor cooperation as much as on code-breaking, and either way it shows that today’s best-protected data can be tomorrow’s crossword puzzle. What’s more, once an individual’s medical identity is lost in the cloud, it can never be reeled back in.
And, when DNA records are included, a breach today could put the welfare of generations of Americans at risk.
A Gut-Check
The ultimate gut-check: If your encrypted identity were fumbled, wouldn’t you want to be notified? Of course you would.
Assessment
In my opinion, the HIPAA Rule should be immediately amended to demand notification of all individuals involved in all data breaches unless they have opted out. Who knows? Some might prefer not to be bothered.
What is your opinion; doctor, patient and/or consultant?