"Why?", you are obviously asking yourself at this point. "Why would the CHEESE be issuing such a warning on a sleepy and rainy Saturday morn?" "Well, just sit right back and you'll hear a tale...a tale of a faithful trip. That started from this tropic port...aboard this tiny ship."
WAIT!?! I seem to be stuck now in 70's TV shows!!! Back to the point...being afraid. Or, at the very least, CAUTIOUS. On the Internet and with your personal health care information. Now, let me weave my tale of intrigue and espionage. All right. Hopefully INTRIGUE. Because EVERYTHING I'm about to tell you was LEGALLY obtained without any clandestine act. And the manner in which I obtained it lies right beneath your fingertips.
Y'all recall my recent "upset" (hehe...that's putting it mildly!) with Club Med & the Tysabri Issue? Well, I haven't posted much more information about this because I have been allowing Club Med ample time to make necessary "adjustments" I tasked them with in a follow up email letter shortly after my meeting with the *heads of state*...or, enough time to hang themselves with ample rope. Either way, here is an excerpt of my follow up email/letter I sent after the meeting:
**Specific issues raised concerning confidentiality/HIPAA as well as providing direct patient care and accuracy of information to patients will be discussed with departments/employees involved in these concerns.
This was listed in a recap of what we had discussed and what Club Med PROMISED to follow up on. I have not shared THIS part of my Tysabri debacle because it didn't really relate as much to the Tysabri issue itself, but more to the Health Care Delivery System failure that has/is occurring. But, hey...gloves are coming off as I prepare my next and perhaps FINAL letter to Club Med about the Tysabri issue(s)! (So, Club Med...if you are reading this, and YOU know who YOU are!...a follow up letter is a comin' 'round the bend.) Here is the condensed version of just one of MANY issues that happened at Club Med while getting my 7/29/08 infusion:
I was asked to register at the main registration area for my Tysabri infusion. I approached the desk and was greeted by a pleasant enough woman, who asked for my name. Because I already know the Club Med system has more than ONE of me with my exact name (different date of birth, however), I quickly rattled off my date of birth and the last four digits of my social security number...because I KNEW she was going to ask for this anyway. And this is where my interaction got "funky".
The registration lady looks in her computer and asks me, "Are you any relation to HD?" (This person has the same last name as I do in their computer system and is a male)
"Ah, no", I say rather dumbfoundedly, wondering why I am even being asked this question by a total stranger.
"Oh. I thought maybe you were twins with HD because you have the exact same birth date and he is also having a procedure done at Club Med at 1:00PM today", the registration lady says without a care in the world.
One could have heard a pin drop during the deafening silence as I stood perplexed and STARING at this complete imbecile. Did she REALLY say what I just think she said??? Did she REALLY just release this man's private health care information (HIPAA) to me without so much as a THOUGHT that this violates a federal law as well as potentially gets her a$$ fired?!? Yep, she did.
"No", I say with a look of absolute horror and complete awe. "No. We are not twins and I am NOT related to ANYONE in your computer data base."
And thus begins the continued tale of "fear" I am about to tell. I advised the *heads of state* of Club Med of this issue (among others), more to lord it over their heads in hopes the "fear" of serious federal fines might "encourage" them to listen more closely to what I had to say. They assured me of the above red paragraph: "a re-education of employees regarding HIPAA would occur". Somehow, I doubt that. Seeing as how they have YET to send ME the letter they also promised from the Neuro Clinic where I see Dr. SWWNBN...something ELSE they promised:
**"CLUB MED" will be notifying their Tysabri patients in writing with exact costs or clear estimates of what the patient/their insurance agencies can expect to be billed by "CLUB MED" for the delivery of Tysabri medication at the Hospital's ambulatory infusion center. I can also personally expect this information be provided to me as soon as possible so I may have informed consent in my medical treatment choices without further unreasonable delay.
Yeah right...I can see they got "right on that"! LOL
Soooooo...my NEXT and possibly FINAL letter to Club Med (before I take action on contacting all of the regulatory boards, insurance company, my employer, the newspaper, AND the federal agency that regulates HIPAA) that I have been composing will include exactly WHAT can happen when a health care organization releases private HIPAA-protected information on their patients. And, I'm going to demonstrate to YOU, dear CHEESE reader, just how vulnerable YOU can be on the Internet with just your last name and date of birth!
I obviously HAVE the first and last name of "HD", the other Club Med patient, as well as his date of birth. This is WHY I only sign my name as "Linda D." on all correspondence (unless family or someone who already knows me HAS this information) and you only know my birth date falls in July "sometime". This is also why I maintain a Post Office Mail Box address as my primary mailing contact, my phone is unlisted and unpublished, and unless you know me REALLY well, you've never been to my house!
The above paranoia actually comes from being stalked by a former client while leaving Houston and moving to Seattle. At one point, I even had my driver's license address listed as my post office mail box (on the suggestion of a consulting attorney) until the DMV "caught" this and MADE me put my livable address on it! I have had sheriff's deputies try to deliver criminal trial subpoenas to my PMB because they got it off my driver's license...even THEY couldn't find me...this worked. For about three years until I had to renew the license per State protocol.
Anyway, to make a long story LONGER, please take no offense if I NEVER provide you with my last name or date of birth or address...I have reason to potentially DISTRUST YOU!
So, back to the Club Med story. I decided to LEGALLY obtain some information about HD (not to use against HIM) to present to Club Med, just so they could SEE how much information I can get all off the Internet with just this guy's name and date of birth that they without-a-care released to me. **Please let me stress here (because some of you know the work I do lends me access to certain individuals' private HIPAA also), everything I obtained about HD was obtained FROM the Internet, and not from any personal files or illegally.** And here's how I did it:
I now know HD's home address, his phone number, the address of the property he sold in 2003, how much his mortgage was, who he sold the property to, that he has not been in the local jail(s) this past year, he has never been sued, his date of marriage, his wife's full name AND her date of birth. **THUD**
How? By using data bases that are available to ANYONE!!! And, if I continued digging (which I am NOT), I'm sure I could find out MUCH, MUCH more about this individual...all legally obtained with just his first and last name and date of birth. BE AFRAID...BE VERY AFRAID.
I'm going to quickly link the data base searches I used on the Internet to find this information. Several are local or regional data bases (but your county or state PROBABLY has these available on the Internet, too).
First is ZabaSearch.com. You can look up anyone in the United States and, if you know their approximate or actual age, this is helpful, too.
Next is the Sound Politics Washington State Voter Registration. If you are a registered voter in the State of Washington, I'm sorry to tell you that, not only is your current ADDRESS given out here (minus the last digit of the street address, which is listed as "o" or "e" for odd or even number...real tricky...sigh), but also the last time you voted AND your date of birth.
The Washington Courts website as well as my specific County Records website provide marriage records, property transaction records, bankruptcy, lawsuit, and other information...all with just a LAST name and a date of birth.
The King County Jail Inmate Search lets me know if "HD" has been housed in this facility in the past 365 days (or other area local jails).
And, of course, there is always the infamous Reverse Directory that allows one to get the phone number of a specific address without knowing the name of the resident.
And...sigh...there are MANY MORE PUBLIC DATA BASES out there to find you in, ALL WITH LEGALLY OBTAINABLE INFORMATION. I stopped here because I only needed enough information about "HD" to prove my point to Club Med. AND, I have no criminal intent to USE this information, except to "encourage" Club Med to follow through on what they have already PROMISED to do.
But YOU, my friend, should be afraid...BE VERY AFRAID! Because, if someone as knuckle-headed computer illiterate as myself can find this information online, ANYONE can. And just because a website or Blogger or anyone else asks you for your date of birth to "proceed" through an online registration or forms process online, it does NOT mean you must provide your ACTUAL DOB...make something up...make up a last name...just don't put this information out there for 6 BILLION people to access (in your profile on Blogger/Facebook/AOL/Yahoo, etc.)! Because chances are, there is at least ONE criminal lying in wait among that 6 Billion population ready to use your personal information.
I'm just sayin'...(reviving my old, infamous, signature line)...
Yup. It came in handy for me when trying to locate a certain person. *ahem*.
Well, great. Now I can't stop looking at who is in our jails right now... :P
I get paid to find people for a living and have all sorts of access to databases that are law enforcement only access... but some of the best info I can find on people is on public databases - go figure! And, if you're willing to spend around $4, you can get a helluva lot more info.... had officers/law enforcement stalked from people they've arrested, causing all sorts of problems! The Cheese speaks truth - be very afraid!
amazing, isn't it?
Now, the question is - how do you remove information from some of these databases? especially the ones based on phone listings?
Another place I've discovered that is full of information is Ancestry.com. Amazing the type of details which can be found there.
Hey, did you manage to do anything constructive with the wide range of Tysabri/infusion prices folks shared?
I'm the "go-to" girl in my family because I can find just about anything on the internet. When someone needs info it is I they call first. It's shocking how much info is out there.
Crazy, and now I'm going to change the birthdate on my profiles. Good info!!
When HIPAA was first enacted I was pretty jazzed, as I'm a private sort of person.
I should have known better. Sigh. I've seen HIPAA rules ignored and bypassed on such a regular basis - and I'm not even a frequent flier of the medical industrial complex!
But boy, it sure does come in handy when someone does not want to do something. HIPAA and 911 have both become shorthand for "nope, not gonna help you and you can't do anything about it!"
I've read that it is almost impossible to scrub yourself out of enough databases to guard any real amount of privacy - that the solution is to flood the db's with conflicting info.
One person advised getting a new driver's license whenever you visit somewhere for more than a few days. Especially since the states don't talk to each other - as long as you always turn in your old one when you get a new one it's not illegal.
This isn't as effective as it was before the DMVs and the SSA got into bed together - which is a whole nother story.
Brain (if that's her real name) is right - be afraid. But also be bold! Fight back.
Thanks for being our ever helpful informant!
I think one way around the PO Box/address problem is to get a box from one of the UPS centers or such. That way you can put the store's address, with adding suite 655 or sumthing.
Tell me if I'm wrong....
Have you filed a complaint with Health & Human Services? You can do so at hhs.gov/ocr/hipaa. Recommend that you do so -- while threatening "HIPAA!" may get some docs' offices to change their attitude, filing a complaint and showing that you have done so can get even more attention.
Be aware that the provider will not be fined. HHS has fined only one HIPAA covered entity since 2003, and they don't even call it a "fine", they call it a resolution agreement.
Also be aware that HHS will take 6-9 months to get to your complaint. HIPAA was mandated but not fully funded. That may change with the new administration.
And, more than likely the provider you mentioned will receive a letter when HHS investigates, and they will respond that they have provided additional training. HHS will be satisfied, and you will receive a letter from them stating the resolution.
I always recommend that everyone (1) get a copy of your medical records from all your providers, including dentists, chiropractors, optometrists, etc., and (2) make sure your records are correct. (3) Get an updated copy every year and keep them in a safe place. DO NOT use an online patient record storage system (PHR)! (4) Ensure that you receive a hard copy of each provider's Notice of Privacy Practices -- they are REQUIRED to give you one. These notices are required to tell you -- in plain English -- how the provider will use and disclose your health information. Pharmacies are notorious for not giving out the NOPP. (5) Check with your doc after you obtain your next prescription -- especially if the script is for a narcotic -- and find out whether they have received a notice from either the pharmacy company or the pharmacy's Pharmacy Benefit Manager, regarding your script. If they have, then file a complaint with HHS as this is a clear violation of your HIPAA rights.
HIPAA has put patients in the driver's seat when it comes to the privacy and confidentiality of their health records, but patients have either not understood their rights, or haven't been using them.
Lane Hatcher
www.hipaadiva.com