Faxes, Security Theater, and Blaming HIPAA

Last post I wrote about seeing a new doctor and how her office made, um, creative use of PDF forms.

The other so-unfunny-it’s-almost-funny part of the story is how sheer incompetence at both my old and new doctors’ offices led to me hand-delivering my medical records.

Five weeks before the appointment I delivered a copy of the transfer request for my medical records to Hostile Medicine Ltd in person. I did this to avoid any ambiguity regarding whether or not they received the request, and also because one of their redeeming characteristics is they are open Saturdays.

Which is kinda revolutionary for a doctor. Being available for customers when they need you isn’t really the medical industry’s thing.

As recounted before, I was emailing with the new doctor’s office right up until the day before the appointment. I asked if they had my records during that email thread.

they still haven’t faxed us anything yet.

Faxed.

whatyear

I snicker when I see fax numbers. I tend to see them in correspondence and ads for doctors, lawyers, and accountants. People who, for the most part, think the jury is still out on this whole technology thing, while at the same time managing simple information with a distorted view of its complexity and security requirements. We can send emails from devices in our pockets. My freaking landscaper sends email invoices. But doctors still fax things to each other.

I can imagine what some of you are saying right now. “But faxes are more secure! HIPAA! HIPAA! ”

When you say that, is it because you think the phone network is secure and can’t be tapped?

Or because every fax machine in the world speaks the same well-documented protocol (ITU-T T.30, sent as an unencrypted modem signal over an ordinary phone line) that anyone with access to that line can decode?

Or because you have no idea who is standing at the fax machine on the other end when your doctor sends that oh-so-private bill to your insurance company but misdials the number?

The idea that faxes are any more secure than plain text email is unvarnished bullshit. Both travel in the clear, both can be read by whoever operates the network in between, and both land in front of whoever happens to be at the receiving end.

And the excuse that “HIPAA doesn’t allow that in email” is also bullshit. HHS’s own guidance says the Privacy Rule permits providers to communicate with patients by email as long as reasonable safeguards are used. Here is the explanation of the rules from HHS itself.

And beyond that, let’s try some critical thinking: why is it that you can release your records to be sent to another doctor or the insurance company, but you can’t get information emailed to you? Why are emails from your insurance company or doctor (if you’re lucky enough to have one that will use email) devoid of any useful information at all?

Probably because many of the people administering your medical information can’t handle critical thought. Or they are controlled by lawyers. (Is that redundant?)

Refusing to email records and redacting any emails you do send to the point of being little more than links is security theater. It’s making you take off your shoes and leaving your water bottle in the trash.

And lest we forget, email isn’t the only option doctors have to send information between each other and to you. Try a quick search for “secure file transfer”.

So I called Hostile Med and, after one disconnect and 30 minutes on hold, was told they had mailed a disk three weeks earlier.

I called the new doctor’s office. I was told they don’t accept disks. Because they have “a very strict firewall.”

Firewalls don’t keep you from copying files from disks. A firewall filters network traffic, and reading an optical disk never touches the network. What actually blocks removable media is a device-control policy (the Windows “Removable Storage Access” group policy, or an endpoint-protection product), and what catches malware on a disk is an antivirus scan. There are security tools that do those things, but they are not firewalls.

Am I being tough? I don’t think so. It’s 2015. You work in an office and your primary job is to communicate with the outside world. Learn how it works. This stuff is not new anymore.

Yes, it’s sad and lame that, in 2015, Hostile Med is mailing CDs with medical records. But a policy that won’t allow someone to insert a disk and read from it is the computing equivalent of making everyone take their shoes off at the airport. Enable Windows Defender, scan the disk, and copy the damn files.

I asked why, when they had apparently received the disks weeks earlier, they didn’t tell me there was a problem. That email went unanswered. Maybe the firewall stopped it.

So I went to Hostile Med, got copies of the relevant records, and brought them with me.

After my appointment the receptionist gave me the CDs they had been sent.

Yes. Disks. There were two.

She told me they were unusable. I couldn’t resist: “You mean because of your firewall?”

No, they couldn’t figure out what was on them. So either the story changed, or my question about why they waited weeks before raising a flag (and only after being asked) made them actually take a look at the disks.

I brought the disks home and inserted them in a drive to take a look.

First, they were identical: identical envelopes, same postmark date. So emailing, say, a password-protected PDF is not secure, but mailing two identical unencrypted disks to someone who was only expecting one is?

After a few minutes of playing around (and Googling) I figured out that the files on the disks were compressed with WinAce. (No, I had never heard of it either, and as used here it added no security at all: no password, no encryption, just an obscure container.) The disks had no instructions whatsoever on how to extract the files. They were effectively what we called “coasters” back in the days when we actually used disks.

The funny bit, though, is that the compressed data took up about 3.4 megabytes. A CD holds around 670 megabytes. Why bother compressing the files at all?

And the decompressed data? You guessed it: 3.4 megabytes. When an archiver saves nothing, the content was already compressed (scanned images and PDFs usually are), so the only thing the archive added was an obscure format the recipient had to go and identify.
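The two things I had to do by hand here, figure out what format a mystery file is and notice that it was already compressed, are both easy to automate. The following is an added example, not anything from the post or from either office. It identifies a file by its magic bytes (signatures taken from the published format headers; the ACE main header carries the literal `**ACE**` at byte 7, and a DICOM file has `DICM` after a 128-byte preamble) and measures how much deflate can shrink the data; a ratio near 1.0 means the bytes were already compressed or are encrypted. All sample inputs are constructed in the block and are not real records.

```python
import hashlib
import zlib

# File signatures: (offset, magic bytes, label). From the published format
# headers; ACE puts **ACE** at byte 7 of its main header, DICOM Part 10 puts
# "DICM" after a 128-byte preamble.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07\x00", "rar (v1.5-4.x)"),
    (0, b"Rar!\x1a\x07\x01\x00", "rar (v5)"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (7, b"**ACE**", "ace (WinAce)"),
    (128, b"DICM", "dicom"),
]


def identify(data: bytes) -> str:
    """Return the label of the first matching signature, or 'unknown'."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def compressibility(data: bytes) -> float:
    """Deflate-compressed size divided by original size (1.0 = no gain)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def is_already_compressed(data: bytes, threshold: float = 0.9) -> bool:
    """True when deflate cannot shrink the data meaningfully, which is what
    already-compressed (or encrypted) content looks like."""
    return compressibility(data) >= threshold


def triage(files: dict) -> dict:
    """Map each filename to (format label, deflate ratio rounded to 3 places)."""
    return {name: (identify(blob), round(compressibility(blob), 3))
            for name, blob in files.items()}


# --- constructed samples (not real records) ---------------------------------
# Minimal ACE main header: CRC(2) size(2) type(1) flags(2), then the signature.
ACE_SAMPLE = b"\x00\x00\x31\x00\x00\x00\x00**ACE**" + b"\x00" * 40
DICOM_SAMPLE = b"\x00" * 128 + b"DICM" + b"\x02\x00\x00\x00UL\x04\x00"
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 26

# Highly redundant text compresses well.
TEXT_SAMPLE = b"Patient: Jane Doe, DOB 1965-01-01, A1C 7.2\n" * 200


def _pseudo_random(n_blocks: int = 256) -> bytes:
    """Deterministic SHA-256 chain: as incompressible as random data, but
    reproducible, standing in for already-compressed content."""
    out, h = bytearray(), b"seed"
    for _ in range(n_blocks):
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out)


RANDOMISH = _pseudo_random()

if __name__ == "__main__":
    report = triage({
        "records.ace": ACE_SAMPLE, "scan.dcm": DICOM_SAMPLE,
        "notes.txt": TEXT_SAMPLE, "blob.bin": RANDOMISH,
    })
    for name, (label, ratio) in report.items():
        print(f"{name:12} {label:16} deflate ratio {ratio}")
```

Run it against a directory of unknown files and the two columns tell you, before you install anything, what you are looking at and whether the archiver step was pointless.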

A failure on all fronts. And as long as throwing up security! and HIPAA! and computers are hard! are acceptable excuses, the failures will continue.

It’s The Circle of Stupid

I really like my doctor. But I hate dealing with his office and staff.

He works at an office with 6 or 7 other doctors. It’s always crowded, and calling to book an appointment involves 10 minutes or more on the phone and a moderate likelihood of being disconnected.

I think the automated phone system at Hostile Medicine Ltd. reflects their attitude toward patients: making an appointment is option #7.

Let me illustrate what it’s like another way: I recently took the car in to have the tires replaced. The guy at the counter there showed me more care and compassion than the staff at Hostile Med.

When I went in for my regular physical in August I was diagnosed with diabetes. I kinda knew this was coming. My shoulder surgery a few years ago put me on a very sedentary trajectory, and just about everyone on my father’s side of the family ended up with it in their 50s. But that’s another few blog posts for the future.

He quickly wrote a prescription, told me to lose weight, told me that there was a nutritionist on staff there at Hostile Medicine Ltd. (I had already asked if he could recommend one before he had told me the news) and then sent me on my way.

After dealing with a scheduling issue and two frustrating phone calls with Hostile Med’s nutritionist I decided it was time to move on. It may even be time to move on to a new primary care physician.

I have what some would call a “Cadillac” medical plan, although it’s not half as ugly or ostentatious in my opinion. (And I wish the premiums were as low as those lease prices they quote during baseball games.) I can “refer” myself to a specialist. I found one that takes my coverage and was pleased to find a reasonably well-designed website with great information about the doctors and what they do. I called and made an appointment. It was a few weeks away, but that was fine.

Nothing about this is urgent and I know what to do: get back to exercising, lose weight, and stop whining about my shoulder. But I had read conflicting information about what to eat, what the prescription I was given really does, and when to check my blood sugar. Even though my doctor had told me I didn’t need to check my blood sugar, I got a device. (I like devices.)

I was directed back to the website to download intake forms in advance. Wow! Less wasted time at the first appointment! There was also a form to have my records transferred to them by my regular doctor.

The intake forms were PDF forms! Even better! Five pages of history and HIPAA bullshit was filled out and emailed very quickly.

This is where the fun starts. I received an email a few days later.

Good Afternoon,

When I printed out the new patient forms you filled out, it printed out “BLANK.” Would you be able to fill out the new patient forms and email them back to us?

My first thought was “Why the hell would you print it out?” (Oh boy. I had no idea.)

My second was “Why is this my problem?” I had downloaded their form and even filled it out using Acrobat Reader instead of one of the myriad other PDF readers, to avoid exactly this kind of issue. (I was once burned by Apple’s Preview.) I even saved and reopened it to make sure the data was there before I sent it.

I opened the files again and did a print preview. The fields were empty! Something was wrong with those forms.

I replied:

When I open the file I still see all of my entries, but they will not print here either. I don’t even see them in a “print preview.”
I filled the form using Adobe Reader as instructed. Is there another app I should use?

The answer:

I would just say print out the new patient forms and just fill them out.

You can always bring them the day of your appointment.

So the solution was more work for me! I double checked their website but nope, they’re not affiliated with Hostile Med.

Curiosity finally got the best of me and I opened the form in Acrobat Pro to examine the fields.


PDF form fields can be set to not print, on purpose: every field is a widget annotation carrying a flags integer (/F), and the field only prints when the Print bit (value 4) of that integer is set. Acrobat exposes this as “Visible but doesn’t print,” and that is what this form, which they apparently want to print, had set on every field on every page. Could Adobe be any worse? (Don’t answer that.) I set them all back to Visible and emailed it in with a note on how I got it to work.
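Finding that flag by clicking through every field in Acrobat Pro is tedious; it is quicker to read the /F values straight out of the file. The block below is an added example, not the clinic’s form or anything from the post: it scans the uncompressed `N G obj … endobj` objects of a PDF, lists every widget annotation with its decoded flag bits and whether it will print, and produces a copy with the Print bit set on each one. It assumes the objects are not packed into object streams (PDF 1.5+ can do that, and then you need a real PDF library), and the intake form it operates on is a constructed, xref-less fragment, so the rewrite does not need to fix offsets; on a real file you would rebuild the xref afterwards with qpdf or a PDF library.

```python
import re

# Annotation flag bits (PDF 32000-1:2008, table 165). A widget (form field)
# only prints when the Print bit is set; Acrobat's "Visible but doesn't
# print" setting clears it, leaving /F 0 or no /F at all.
ANNOT_FLAGS = {
    "Invisible": 1 << 0,
    "Hidden": 1 << 1,
    "Print": 1 << 2,
    "NoZoom": 1 << 3,
    "NoRotate": 1 << 4,
    "NoView": 1 << 5,
    "ReadOnly": 1 << 6,
    "Locked": 1 << 7,
    "ToggleNoView": 1 << 8,
    "LockedContents": 1 << 9,
}

# Uncompressed "N G obj ... endobj" bodies only. Objects packed into object
# streams (PDF 1.5+) are invisible to this scanner; use a PDF library there.
OBJ_RE = re.compile(rb"(\d+\s+\d+\s+obj\b)(.*?)(\bendobj)", re.DOTALL)
WIDGET_RE = re.compile(rb"/Subtype\s*/Widget")
F_RE = re.compile(rb"/F\s+(\d+)")        # /F only; /FT and /Ff do not match
T_RE = re.compile(rb"/T\s*\(([^)]*)\)")  # partial field name


def decode_annot_flags(f: int) -> dict:
    """Expand an /F integer into named booleans."""
    return {name: bool(f & bit) for name, bit in ANNOT_FLAGS.items()}


def audit_widgets(pdf: bytes) -> list:
    """List every widget with its flags and whether it will print."""
    out = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        if not WIDGET_RE.search(body):
            continue
        fm = F_RE.search(body)
        flags = int(fm.group(1)) if fm else 0   # absent /F means all bits clear
        tm = T_RE.search(body)
        bits = decode_annot_flags(flags)
        out.append({
            "obj": int(m.group(1).split()[0]),
            "name": tm.group(1).decode("latin-1") if tm else None,
            "flags": flags,
            "prints": bits["Print"],
            "on_screen": not (bits["Hidden"] or bits["NoView"]),
        })
    return out


def force_printable(pdf: bytes) -> bytes:
    """Return a copy with the Print bit set on every widget. Rewriting /F can
    change object lengths, so a real file needs its xref rebuilt afterwards."""
    def fix(m):
        head, body, tail = m.group(1), m.group(2), m.group(3)
        if not WIDGET_RE.search(body):
            return m.group(0)
        fm = F_RE.search(body)
        if fm:
            new = int(fm.group(1)) | ANNOT_FLAGS["Print"]
            body = body[:fm.start(1)] + str(new).encode() + body[fm.end(1):]
        else:  # no /F at all: add one right after the widget subtype
            body = WIDGET_RE.sub(lambda w: w.group(0) + b" /F 4", body, count=1)
        return head + body + tail
    return OBJ_RE.sub(fix, pdf)


# Constructed, xref-less intake form (not the clinic's real form): two fields
# that will not print ("/F 0" and no /F) and one that will ("/F 4").
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R 5 0 R 6 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (name) /F 0 /Rect [50 700 300 720] /V (Jane Doe) >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (dob) /Rect [50 660 300 680] /V (1965-01-01) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (phone) /F 4 /Rect [50 620 300 640] /V (555-0100) >> endobj
"""

if __name__ == "__main__":
    for w in audit_widgets(SAMPLE_PDF):
        print(w)
    fixed = force_printable(SAMPLE_PDF)
    print("all print now:", all(w["prints"] for w in audit_widgets(fixed)))
```

The audit is the useful half: it tells you in one pass which fields are on screen but will vanish on paper, which is exactly the symptom the receptionist reported as a blank printout.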

No acknowledgement that the problem was on their end. But I was off the hook with regards to filling out five pages again, by hand.

Finally my appointment came around and I found myself sitting in the doctor’s office answering the kind of questions and learning the kinds of things that my doctor at Hostile Med apparently didn’t have time for.

She asked me if I had filled in an intake form and I explained that I had and had emailed it in.

“Oh.” The doctor said while looking at her computer. “I guess it wasn’t printed and scanned in yet.”

The mind reels.
