two thumbs up, by Aidan Jones

Frequent readers may remember that I sent a letter to a healthcare provider (who is anonymously referred to as Dr. Leo Spaceman) because he used a four-digit, numeric PIN to access all of my medical records (assuming that he would also be using that same one for ANY patient). Well, Dr. Spaceman responded.

OK, I’m sure his admin responded, not personally him.

But the response is a classic example of someone who has been asked a question like this before and had a pre-canned answer prepped. I don’t think I’m the only person to observe Dr. Spaceman doing this.

Dear Resident ((No, he didn’t say resident, but I think it would be funny and fitting if he did)):

I have received the letter you sent to our office in regards to our privacy practices with our patient medical records. I appreciate your concerns and assure you our office continues to strive for improvements. We have adopted several different measures over the past several years to ensure proper security of our patients’ health information. To meet additional security measures we implemented our fourth medical records program in 2007 and we are in the process of evaluating new software at this time. The Spaceman Clinic will continue to maintain the highest standards feasible for our patients. We have had security specialists review our procedures and policies previously to make sure we are meeting requirements and we continue to attempt to maintain higher standards than merely the required. One of the main sections in the HIPAA regulations is §164.306(b)(2) which addresses “flexibility of approach” and discusses that

“a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity’s technical infrastructure, hardware, and software capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.”

We have and continue to invest in software and hardware to maintain high security standards. I will address these issues with my Administrator and Security Officer to ensure we continue to meet the HIPAA requirements and strive for the highest standard feasible for our office.

Thank you again for the input and information. We look forward to continuing to provide you and your family with the best healthcare in Spaceland.


Dr. Leo Spaceman

So firstly, I’d like to point out that anyone with search capabilities can find something in HIPAA that proves a point. In this case, Dr. Spaceman rightly pointed out that there is a flexibility in approach, or, as many of us would call it, a risk-based approach may be taken to secure the environment. I agree this is correct, but it totally misses the point.

This particular office stores social security numbers for many of its patients, and is in an area that has affluent residents nearby, the very same residents who don’t want to have their identity taken and lines of credit opened. In no world does a password like ‘1990’ ((That is not his password, but similar construction)) meet the spirit of HIPAA’s security components for covered entities.
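To put a number on why a year-like four-digit PIN fails the spirit of a risk-based approach, here is a small credential policy check. It is an added example written for this post, not code from the clinic, its vendor, or HIPAA; the minimum length and bit thresholds are assumed policy values, and the sample secrets (including ‘1990’, the post’s own illustrative PIN) are constructed.

```python
import math
import re

# Assumed policy thresholds for an interactive login secret (not from HIPAA).
MIN_LENGTH = 8
MIN_BITS = 40.0


def charset_size(secret: str) -> int:
    """Size of the alphabet a guesser must search, from the classes actually used."""
    size = 0
    if re.search(r"[0-9]", secret):
        size += 10
    if re.search(r"[a-z]", secret):
        size += 26
    if re.search(r"[A-Z]", secret):
        size += 26
    if re.search(r"[^0-9a-zA-Z]", secret):
        size += 33  # printable ASCII punctuation and space
    return size


def strength_bits(secret: str) -> float:
    """Upper bound on brute-force effort: log2(alphabet ** length)."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def looks_like_year(secret: str) -> bool:
    """Four digits in 1900-2099: a guesser tries these before the other 9,800 PINs."""
    return bool(re.fullmatch(r"(19|20)\d{2}", secret))


def evaluate_secret(secret: str) -> dict:
    """Return the policy verdict and every reason the secret was rejected."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if secret.isdigit():
        reasons.append(f"numeric only: at most {10 ** len(secret):,} guesses")
    if looks_like_year(secret):
        reasons.append("looks like a year: fewer than 200 guesses in practice")
    bits = strength_bits(secret)
    if bits < MIN_BITS:
        reasons.append(f"{bits:.1f} bits is below the {MIN_BITS:.0f} bit minimum")
    return {
        "length": len(secret),
        "bits": round(bits, 1),
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed samples: the post's illustrative PIN and a mixed-class passphrase.
    for candidate in ("1990", "Tr0ub4dor&3"):
        verdict = evaluate_secret(candidate)
        print(candidate, "->", "OK" if verdict["acceptable"] else verdict["reasons"])
```

Run as a script it reports ‘1990’ at about 13 bits with four separate policy failures, while an eleven-character mixed-class secret clears 70 bits. The year check matters more than the raw arithmetic: the 10,000-value keyspace already fails any sensible threshold, but a birth or graduation year narrows the realistic search to a couple of hundred guesses, which is the gap between what the software allows and what a risk assessment would accept.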

The second part of this letter that frustrates me (other than the absolute insistence on using the passive voice) is that Dr. Spaceman basically blames the software for this problem. Another classic example of people looking to technology to solve a people (education) problem. Rest assured, Dr. Spaceman, it’s YOU, NOT the software, that is the problem.

Doctors only have so much longer to hide education and people problems behind the “I need this system to work in a crisis” get out of jail free card. I do want to make sure that doctors working on me have all of my information, but it seems to me that if we’re going to put sensitive information into an electronic medium, it only makes sense to protect it. We certainly don’t just let anyone grab paper records, so why would we allow anyone to grab electronic ones?

This post originally appeared on