ARTICLES
Privacy Protection
- Openness and Transparency
- A description of an emergency department pilot that does not appear to have a clear articulation of purpose
- Ex-Kaiser worker put links to data on patients on Web. A fired Kaiser Permanente Web technician who dubs herself the "Diva of Disgruntled" was ordered Wednesday to stop posting links to confidential patient information on her Internet blog. Kaiser delayed in acknowledging the breach.
- Organization fined for leaving personal health data on a web site. This article cites a prominent organization for "allowing a site to languish" when it contained personal health information.
- Patients Express Growing Concern About their Privacy. Sacramento Business Journal
- Data Issues
- NY Health Official critical of BIOSENSE (collection limitation, purpose specification)
- Lawsuit alleges pharmacy information used for drug company marketing (purpose specification)
- Security Safeguards and Controls
- Medical center pulls unsecure drug information form
- Pakistani transcriber threatens UCSF over back pay. San Francisco Chronicle, October 22, 2003.
Architectures and Technology
- Internet 2 Middleware site
- Source ID Federated Identity Management Home Page
- What is Federated Identity Management (eWeek, 11/10/2003)
- Wikipedia SAML Page
- New Zealand e-Government Home Page
- Liberty Alliance Home Page
- Liberty Alliance ONC Response
- Security, ID Systems and Locks: The Book on Electronic Access Control (Amazon.com)
Patient Notification, Consent and Access
- Individual Participation and Control
- The Quest for Privacy Can Make Us Thieves, R. Klitzman, NY Times, May 9, 2006
- Private medical information isn't so private. Your private medical information may not be so private. While the Health Insurance Portability and Accountability Act, or HIPAA, was supposed to ensure a national standard for medical-record privacy, significant loopholes, as well as a lack of federal enforcement....
- Markle Foundation Model Privacy Policies.
- Unauthorized release of medical history leads to suit. Deandre Commons filed suit against Southern Illinois Health Care Foundation (SIHCF) and two employees in St. Clair County Circuit Court Sept. 30, alleging private medical information was wrongfully disclosed to his employer.
- University hospital sued over release of patient records. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that patient records were turned over by University Hospital's internal medicine chairman to Pharmacy I.V. Assoc....
- Connecting for Health Notification and Consent white paper
- Patients Access to Their Own Health Information
- Connecting for Health. Patient Access to their Own Information.
- MedlinePlus on Personal Health Records. The National Library Of Medicine's list of personal health record resources.
- Kohane and Altman, Health Information Altruists. New England Journal of Medicine, Nov. 10, 2000
Privacy Breaches
- System Vulnerabilities
- Hackers pull off biggest ever credit card heist - vnunet.com. The online security breach is almost certainly the largest ever case of identity theft, and is just another occurrence in a series of exposures of confidential information.
- Former students' private records mysteriously appear on Web. Dozens of case files detailing children's medical, family and behavioral histories were posted on the Willamette Education Service District's Web site, violating state and federal privacy laws.
- OSU info on patients appeared on Internet. About 2,800 patients who scheduled appointments at Ohio State University Medical Center one day in 2004 had their personal information posted on the Internet, hospital officials said yesterday. The information included names, addresses, phone numbers,
- Ex-Kaiser worker put links to data on patients on Web. A fired Kaiser Permanente Web technician who dubs herself the "Diva of Disgruntled" was ordered Wednesday to stop posting links to confidential patient information on her Internet blog.
- Kaiser apologizes by mail for privacy breach. Kaiser Permanente members who still have copies of their Rocky Mountain Health summer issue should destroy that mailing label.
- Hospital hack points to need for standards - December 20, 2000. The recent hacking of 5,000 administrative patient files from one of the country's top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records. Although officials are crafting regulations governing....
- Hacker Steals Air Force Officers' Personal Information. Social Security numbers, birth dates and other private data on roughly 33,000 Air Force officers — about half the branch's officer corps — were stolen from a military computer database, the service informed its personnel late last week.
- Hospital Records Hacked. Hacker easily penetrates hospital net, pilfers thousands of patient records.
- Data Theft
- Burned By ChoicePoint Breach, Potential ID Theft Victims Face a Lifetime of Vigilance - February 24, 2005. More than 9.9 million Americans were victims of identity theft last year. Many victims are dumbfounded by the dearth of federal and state laws aimed at protecting their credit histories and other information about them.
- ChoicePoint data theft widens to 145,000 people CNET News.com. The Atlanta-based company said that it plans to inform approximately 110,000 consumers outside the state of California whose information may have been accessed in the criminal scheme, originally reported on Tuesday. The company has already told some 35,00
- UCLA laptop theft exposes ID info. Representatives of the University of California, Los Angeles, are warning 145,000 blood donors they could be at risk for identity theft due to a stolen university laptop.
- Medical group: Data on 185,000 people was stolen. A California medical group is telling nearly 185,000 current and former patients that their financial and medical records may have been exposed following the theft of computers containing personal data.
- Private medical information isn't so private. Your private medical information may not be so private. While the Health Insurance Portability and Accountability Act, or HIPAA, was supposed to ensure a national standard for medical-record privacy, significant loopholes, as well as a lack of federal enforcement....
- Look out for ID theft. In the Northern Virginia incident, a hospital employee was arrested for allegedly stealing personal information from 35 patients and seven nurses and using that information to open fraudulent credit card accounts. The employee has been charged with conspiracy...
- StarBulletin.com - News - 2005/10/21. Wilcox Memorial tells 130,000 people it lost a computer drive of personal information
Model Legislation, Policies, Agreements, and Procedures
- HIPAA - Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. A covered entity may use or disclose protected health information without the written consent or authorization of the individual as described in §§ 164.506 and 164.508, respectively, or the opportunity for the individual to agree or object as described..
- An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Confidentiality of Individually-Identifiable Health Information. Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996...
- Louisiana HIPAA Preemption Decision: In this case, a Louisiana appeals court looks at HIPAA and the state statute regarding the disclosure of medical records pursuant to a subpoena.
- Public Records - Are City Health Department Lead Citation Records Open to Public? ISSUE: Does Ohio's Public Records Act require a city health department to provide a requesting party with copies of lead citations that the department has issued to owners of residential properties when the citations reveal that a child residing in the su...
- Feds Bar Ride-Alongs from D.C. Ambulances - Emergency Medical Services (EMSResponder.com). According to the letter, "disclosures of protected health information to persons other than health care providers, as would occur in the context of a ride-along program, would require an authorization of the individual or their personal representative."

