RSS
Twitter
Doctors In Tennessee Have Been Faxing Patient Info To The Wrong Place For Years
from the that-seems-bad dept
Live in Tennessee? Thought the records at your doctor's office were private? You might want to check again. Michael Scott alerts us to the news that a bunch of doctors offices in Tennessee have been accidentally faxing patient records, including confidential info, to a small solar company in Indiana... for three years. Luckily, the guy on the receiving end says he's been shredding the records as they come in, but he's getting pretty damn frustrated. He's contacted tons of people, including the Governor of Tennessee, but no luck. The faxes keep coming. Apparently, the problem is that the phone number of the business is close to the one that doctors are supposed to use. Given the number of faxes, my guess is that it's not so much people mistyping it into their fax machines each time, but at some point there must have been a typo in a mailing or on a website or something. Of course, we won't even get started on why these record transfers are still handled by fax. That's another post for another day...
Reader Comments (rss)
(Flattened / Threaded)
"Luckily, the guy on the receiving end says he's been shredding the records as they come in, but he's getting pretty damn frustrated. He's contacted tons of people, including the Governor of Tennessee, but no luck. The faxes keep coming."
Well, duh. Until he *stops* shredding them and solving the problem for them, no one was going to bother to fix anything.
(reply to this comment) (link to this comment)
Re:
++
For pointing the absurdly humorous "catalyst" behind the absurdly humorous story.
(reply to this comment) (link to this comment)
In a related story, the doctor's offices are now filing a lawsuit requiring a judge to shut down the phone number for the solar company because it is receiving confidential information that it didn't ask for.
Wait ... oh that's right. It's only the Internet where people can get away with that sort of thing. People's e-mail accounts mean nothing compared to the all powerful fax machine.
(reply to this comment) (link to this comment)
Shut down the phone number? In the version of the lawsuit that I read, they wanted the entire business burned to the ground and the owner to attend a "memory erasure" session at the local Men In Black office.
(reply to this comment) (link to this comment)
"He's contacted tons of people, including the Governor of Tennessee, but no luck."
The second he contacts newspapers with the names of the doctors' offices/hospitals, I can almost guarantee the problem will be solved.
(reply to this comment) (link to this comment)
Re:
I work in the healthcare industry and, trust me, it's much worse then you could ever imagine.
(reply to this comment) (link to this comment)
It happened in Canada a few years back...
http://pqasb.pqarchiver.com/thestar/access/750124971.html?dids=750124971:750124971&FMT= ABS&FMTS=ABS:FT&type=current&date=Dec+01%2C+2004&author=Ellen+Roseman&pub=Toront o+Star&desc=Trust+misdirected+at+CIBC&pqatl=google
(reply to this comment) (link to this comment)
I work in Medical Billing, and I have to tell you that faxing patient information would never fly with our compliance department. There are lots of forms we have to fax to insurers from time to time (claim appeals and the like), but these do NOT have any PHI on them.
(reply to this comment) (link to this comment)
The doctor in my town a Doctor was caught TWICE discarding PC from his office when he got the new ones... no wiping of data just placed them outside his medical office with a small sign that said take for free.
Once is a mistake but twice!!!!! And these are the times the guy that collected the PC spoke up... Had it happened before or since and the collector was silent?
Not all doctors are smart.. They are just really specialized and can be really smart in the are they focused on, but just plain dumb in some very common areas of knowledge.
(reply to this comment) (link to this comment)
Re: Re:
I don't get why its gone on for three years. Presumably the records were faxed for a reason, and no one on the other *intentioned* end questioned why they were never receiving the faxes they were expecting? Or maybe it was a data warehouse and they were getting the data by other means as well as the (fail) fax method?
(reply to this comment) (link to this comment)
Re:
Friend of mine worked for a liability lawyer, he was constantly swearing at doctors for being as stupid was they were. Apparently malpractice accidents are VERY common. I hate to say.
(reply to this comment) (link to this comment)
Re: Re: Re:
he should have contacted Techdirt sooner.
(reply to this comment) (link to this comment)
Re: Happened Before
It happened to me once several years ago. My fax started throwing out pages and pages of very personal medical information. It was a private doctor so it was solved with one call and I burned the pages. Sensitive information should require the receiving fax machine to identify itself as a valid recipient.
(reply to this comment) (link to this comment)
I Wonder...
I wonder when Bill Keith, owner of SunRise Solar Inc. in Indiana who received the faxes, will be charged by Governor (Phil) Bredesen's office under HIPAA legislation for receiving private medical information?
(reply to this comment) (link to this comment)
HIPAA ??
Wow! Anyone familiar with HIPAA knows what a HUGE fine the medical organization could face if this problem was reported to the feds. I believe the penalty is $10,000 per event.
Contrary to the comments above, I do NOT believe that events of this magnitude are very common. Yes they occur, but to have it happen over and over without correction... that's not common. Most healthcare providers and organizations are very aware of HIPAA, and do not want to run afoul of it.
(reply to this comment) (link to this comment)
Re: HIPAA ??
Fines for individuals start at $100 per incident, max $25,000 total. Fines for institutions- $25,000 per incident, 1.5 million total. I think that's what it is currently. Those are fines for being an idiot and not complying. Fines for doing something intentionally and criminal (ie identity theft/fraud) can get you a $250,000 fine and 10 years in the pokey.
(reply to this comment) (link to this comment)
how's that saying go?
"Once is an incident.
Twice is a trend.
Three times is enemy fire."
(reply to this comment) (link to this comment)
Re: Re:
Most docs become docs for the perks and prestige, not for practicing medicine. I routinely talk to doctors who have no clue at all what the hell they are doing, but they've got the attitude problem despite it all.
(reply to this comment) (link to this comment)
Re: Re: Re:
Aye. I wonder if they even still recite the Hippocratic Oath at medical school anymore?
(reply to this comment) (link to this comment)
Re: I Wonder...
Sorry but you have the wrong party non-health institutions are not bound by HIPAA. The doctors' office is though and violated HIPAA by disclosing confidential information.
(reply to this comment) (link to this comment)
Re:
I noticed the obvious parallels to the Bank vs. Gmail vs. Doe story as well. I wasn't going to repeat myself, but Mike's last line about confidential information going over fax lines got me riled up again. The problem isn't just that the fax went to the wrong place. The bigger problem is that every phone line and exchange involved in those faxes had access to the same confidential information. Anyone with the right phone tap or phone equipment access at the right time has full access to that same confidential information, without anyone else necessarily knowing about it, even when it does go to the correct receiver.
To all you technophobe bureaucrat idiots who want the convenience of modern communications without any of the responsibility: no communications medium can EVER be considered truly confidential unless it is encrypted, and only then when the receiver has exclusive access to the primary key. If you don't understand simple terms like PGP and SSL, you should assume all your communications can be tapped and recorded, by anyone at all who has a reason to care. If you are responsible for any confidentiality in any exchange, and you don't use end-to-end encryption in that exchange, you have failed and deserve to be sued. Criminal negligence should be the least of the charges brought against you, especially if you operate in a bank or hospital.
Phones can be tapped and recorded by anyone with determination and half a brain. Email is like a postcard -- everyone with any equipment involved in the message hand-offs can read it clear as day. Anyone with access to the lines in between can tap and record the email, just as easily as a phone conversation. In real space, envelopes can be seen through, opened and closed, without anyone on either end knowing about it. Fingerprint dust can even pick up traces of the ink writing that touched the sides of the envelope, well after the letter has been taken out. Anyone with any physical or visual access to writing can copy it with impunity, until the medium containing the writing is thoroughly destroyed. Trash belongs to no one, and can be read by anyone. Faxes are no more secure than phone conversations -- they can be tapped, recorded, and replayed with impunity. Very little sophistication is required in the process. Your cell phone is even easier to tap -- it can be tapped by anyone in radio receiver range of the same cell tower as you, with the right equipment (which just requires money, not intelligence).
The most sophisticated aspect of comms taps, like the ones the NSA has on the entire world, is automated message post-processing. The only thing that separates the NSA from anyone with any electronics knowledge is the ability to filter through billions of communications, based on keywords (via email, OCR, or automated transcription/translation), and voice print recognition, all without any human involvement. That is the feature that allows them to tap a single trunk at a single AT&T office, and still get nearly every trans-national communication ever made, without needing to tap or control every individual ISP. They can break weak encryption, and good encryption just slows them down. In essence, their only real advantage is the sheer magnitude of their processing resources. Otherwise spying is easy, and anyone can do it.
(reply to this comment) (link to this comment)
Re: Re: Re:
Most docs become docs for the perks and prestige...
And the money.
(reply to this comment) (link to this comment)
@zenasprime
Hmmm. Attitude much Mr. Z.B.?
Its amazing with the lousy attitudes on both sides of the fence that any usable medical software exists. How can there be any productive collaboration when two professions that need work together treat each other in rude, condescending and arrogant ways, or are disparaging of the other's motives. In case you didn't know, zenasprime, IT people sometimes have exactly that reputation among the "endusers" who actually provide healthcare.
(reply to this comment) (link to this comment)
When is the medical world going to join the future and get rid of the fax machine? There are so many more efficient ways of doing things...
Here's a great and relevant article on the subject:
http://case-connect.com/blog/2009/07/28/20th-century-fax/
(reply to this comment) (link to this comment)
RERE
Its fun using a fax machine! its cool as you can recort the sounds onto tape and play it back later on!
It is good fun.
But yes there are some good reasons to move to the 21st century.
(reply to this comment) (link to this comment)
Add Your Comment