The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient [electronic protected health information] ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.
In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
The three other tidbits for today are rather counter intuitive:
1. CMS has indefinitely postponed the end to end ICD-10 testing program that it planned to conduct in July 2014 shortly before the then October 1, 2014 compliance date. Of course that date is now extended to October 1, 2015 The FEHBlog guesses that CMS does not want to do testing unless it’s the eleventh hour. The linked Gov Health IT article makes useful observations.
2. Health Affairs published a study on a value based insurance plan design that successfully increase medication adherence. The design did not include a disease management program and only provided mail order drug coverage. Go figure.
3. The Wall Street Journal reported that
Removing the word “cancer” from the terminology used for many slow-growing lesions in the breast, prostate, lung, skin and other body areas could ease patients’ fears and reduce the inclination of doctors to treat them aggressively, says a panel of experts advising the National Cancer Institute.
That makes sense to the FEHBlog. Here’s the suprising part —
“People have to get over the concept that early detection saves lives,” said Laura Esserman, the lead author and director of the Carol Franc Buck Breast Care Center at the University of California, San Francisco. That idea, which took hold in the 1980s, presumed that treating cancers early would reduce those found later and cut cancer deaths as a result, Dr. Esserman said. But while there have been large increases in cancers diagnosed early, the drop in cancer deaths has been smaller than expected. That is leading some experts to conclude that many early cancers aren’t life-threatening and others that are deadly are slipping through the cracks.
“Cancer isn’t just one disease, so we shouldn’t treat it as if it is,” Dr. Esserman said.
Here is a San Francisco Chronicle background article on Dr. Esserman:
Dr. Laura Esserman – the breast cancer researcher, surgeon and visionary who runs the breast cancer center at UCSF – recently received the Journal of Women’s Health Award for outstanding achievement. Esserman is three years into a large-scale research program called Athena, focused on expediting and improving treatment by better understanding risk factors and outcomes. Esserman is 56 and has been at UCSF since 1993. She is known for being passionate about her patients and the science around breast cancer, and for her practice of singing to patients before they go under a general anesthetic.
Impressive woman.