EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.
Issue link: https://digital.eyeworld.org/i/137624
EW NEWS & OPINION, June 2013, page 20

Insights

Privacy and paranoia

by J.C. Noreika, MD, MBA

Christopher Hitchens' Why Orwell Matters is required reading for anyone trying to embrace healthcare's acronymic excesses. Part one of this series (EyeWorld, May 2013) reported the circumstances of a practice's credit card breach. This article includes measures to minimize the risk of such malfeasance.

As covered entities (CE), medical practices must adhere to mandates ensuring the privacy and security of a patient's personal health information (PHI). HIPAA, the progenitorial law, was passed in 1996. The American Recovery and Reinvestment Act of 2009 (ARRA) required the Office of Civil Rights (OCR) to develop an audit program to monitor HIPAA compliance of CEs. The Health Information and Technology for Economic and Clinical Health (HITECH) Act established four categories of violations with fines ranging from $100 to $50,000 per violation with a cap of $1.5 million per year for repeat violations.

Besides trafficking in PHI, ophthalmologists also sell optical goods, contact lenses, and services by credit card. These financial transactions can be the source of identity theft. Identity theft and theft of PHI are maliciously interwoven.

Compliance with HIPAA's standards begins with familiarization of the 18 identifiers defining PHI (see sidebar). Wonderfully Orwellian, consider numbers 2, 3, and especially, 18. Misuse of any triggers a HIPAA violation. For breaches affecting more than 500 individuals, the HHS posts an internet "Wall of Shame" publicizing the unfortunate miscreants. Infractions can require the notification of patients and local media outlets. Thirty-five significant breaches are reported each month.

Theft or loss of a device such as a laptop is the most common source of a breach. Any portable device or digital media, e.g., jump drives, external hard drives, or backup tapes, must be considered high risk. Paper records are not immune, accounting for 30% of violations. Most of these occur due to improper storage, careless disposal, or unauthorized access especially during conversion from paper to digital format.

The black market price for PHI is estimated to be $50 per file; files are commonly sold in lots of 10,000. In comparison, a stolen credit card number can be had for $1.

Breaches affecting credit card sales are commonly due to malware embedded in drive-by email or attachments. American Express card numbers are prized because they ordinarily don't stipulate a spending limit. Firewalls and antivirus applications are ineffective once the infected email is opened; the predatory code can be very difficult to detect. Social media and search engines are high-risk sites. It is estimated that 30% of home and small office PCs contain malware. Business associates are a problematic source of malware. All third parties should have access to minimal amounts of transactional data. Devices called skimmers can be physically attached to a PC and record information from a credit card swipe. These are sold on the internet for $25. Inspect all hardware for anomalies.

What to do? First, educate yourself; start at www.hhs.gov/ocr/hipaa. Appoint a chief information officer (CIO) responsible for education, oversight, and compliance. Create a policy document addressing all areas of potential liability and include contingencies in the event of an attack. Inventory the office's hardware, especially portable end-user devices. Secure them against theft. Set clear guidelines for the use of BYOD (bring your own device) such as tablets and smartphones. Upgrade antivirus programs and software patches when available. If credit

2013 continued from page 18

patients, a significant reduction in pupil diameters was noted. The second group (50 patients treated with alpha-blockers and 30 controls) was analyzed with AS OCT Visante (Carl Zeiss Meditec, Jena, Germany) before cataract surgery. The surgeon reported IFIS occurrence in 35% of the treated cohort and 0% in the control cohort. A significant reduction of iris dilator muscle and of the dilator/sphincter ratio (DSR) was registered in alpha-blockers users. A cutoff value of 0.76 in the DSR to predict with good sensibility/specificity a risk of IFIS manifestation was highlighted. The authors agree with the hypothesis that the first functional pupillary anomalies are followed by anatomical changes that may cause IFIS.

Ultrasound biomicroscopic analysis following Cionni ring and in-the-bag IOL implantation for subluxated lenses

Lajja R. Shastri, MS, Viraj Vasavada, MS, Aditya Sudhalkar, MS, Vaishali Vasavada, MS, Abhay R. Vasavada, MS, FRCS

UBM evaluation of 30 pediatric eyes at a mean follow-up of 18 months showed that the Cionni modified CTR, its eyelet, transscleral suture, and IOL were safely placed away from the posterior surface of the iris in all eyes except two, where an IOL haptic was found to be out of the bag. None of the IOLs appeared tilted on slit lamp examination, but UBM measurement of the distance between the IOL optic edge and posterior surface of the iris in the long axis of the IOL showed a difference of 0.20±0.14 mm when measured on both sides of each eye. This indicated a mild IOL optic tilt.

Although the Cionni ring fixation technique has a steeper learning curve, it might be safer in pediatric eyes since it compartmentalizes the anterior/posterior segment and allows in-the-bag IOL implantation. EW