The Salt Lake Tribune reports on a case concerning the privacy and security of personal data in Utah:
When University of Utah health law professor Leslie Francis learned her name and Social Security number had been exposed in the state’s Medicaid breach, she decided to do what any scholar might do — investigate.
She deduced that, like the majority of breach victims, her information was sent to the Utah Department of Health by a provider inquiring whether she was covered by Medicaid.
That was a surprise, because she is insured through her employer and none of her providers had declared in privacy notices that they may bill Medicaid. What’s more, when she asked the hospital she believes is at fault to fess up — citing the Health Insurance Portability and Accountability Act (HIPAA) — the hospital refused, citing the same law.
“I can’t confirm that it was [Salt Lake Regional Medical Center]. But by process of elimination, it looks like the only candidate,” she said, explaining she went to the hospital six months before the breach for a routine mammogram.
The hospital is owned by IASIS Healthcare, which has been tied to a disproportionate share of breached records. […]
She is filing complaints with the Health and Human Services’ Office of Civil Rights and the Federal Trade Commission, which could subject IASIS to federal fines.
No matter what the feds decide, the Utah Hospital Association is crafting a “clearer, bolder” uniform privacy notice for use by the state’s hospitals and clinics, said the association’s CEO and President Rod Betit. Lawmakers, too, are exploring legislative remedies.