Wednesday, March 07, 2007

Question: Do you know where your credit card info is? Answer: Literally, everywhere.

Those of us in health care IT are obsessed with security, and rightly so -- we're dealing with some of the most personal information imaginable, and none of this works if it doesn't engender the trust of patients and physicians alike. So, I guess I'm more attuned to security policies and technologies than any normal person ought to be.

With that in mind, I was intrigued by the story that the restaurant chain Ruby Tuesday is moving to an "ultra-secure credit card processing system". (Maybe it's just me, but their adding the word "ultra" here doesn't make me feel better -- reminds me of Animal House, when Dean Wormer puts Delta House on "double secret probation"). As described by the company's hometown newspaper, The Daily News Journal, the system "leaves no credit card information at the restaurant and is instead sent to the bank in encrypted form."

I'll bet that most people would be surprised to learn that they weren't already doing this. You kept my credit card information? But you already got your money -- who gave you permission to keep it beyond that? You're going to start using encrypted communication? You mean, you don't do that now???

A USA Today story on the same topic reports that some restaurants like Hooters and Legal Seafoods are now looking at using mobile credit card systems that allow the credit card transactions to happen at your table. (Many possible jokes here -- I'm not going there.) I was in Europe last summer with my family and I noticed that every restaurant we went to in Spain and France had such devices. I don't know why the US is so far behind.

The story also reports that Massachusetts (my home state) is considering a law that would penalize companies for credit card data breaches. That's interesting, because Massachusetts is one of a minority of states that doesn't have a breach notification law today (please see: Massachusetts among 16 states that don't have breach notification laws).

I've written before about my personal experiences at Marshall's and Home Depot where I learned how much info they keep (please see: Identity theft and digital records). Think of all of the loosely protected mini-repositories of credit card info out there -- basically every store you go to -- and how much of that information is flying through the ether without basic encryption protections. Patients and physicians should take comfort knowing that modern health IT systems and processes aim higher than that.


The Critical patient said...


This is, as always, an interesting point, and even though you highlight the efforts to make sure that data is securely held, I worry about an area that seems to be overlooked.

I did a study on HIPAA compliance amongst New Hampshire hospitals - plus a couple in Mass. - in July last year, and concluded that NONE of them were HIPAA compliant where electronic notices were concerned.

They either had no published electronic privacy notices (a HIPAA requirement if you have a website), or they were not at a readability standard for the general public ("plain language" being another requirement).

The OCR at HHS has a great selection of simple to read and understand notices, but I have yet to see one in circulation. For once, we can't blame Government!

One hospital actually makes patient data available to anyone who works in the hospital (including volunteers), so that nice lady who lives next door and volunteers on Tuesdays can apparently check your latest blood results! I found that shocking.

So cheers for those hospitals who are concerned about privacy and are taking real action to preserve my records so that only those who need to see them can.

However, no credit to those hospitals who have vague and indecipherable notices which allow them latitude to give a wide range of people access to our personal information.

It would be interesting to check on those HIPAA notices in hospitals that you are assisting, and see how they stack up. The point being, plug every leak you can.


The Critical Patient (

Micky Tripathi said...

I completely agree with you. What's more, hospitals are much better than physician practices, where there is extremely high variability in security and privacy practices. I tried in the blog to be careful in saying "modern" IT and processes, and that they "aim" higher, in order to suggest that current practice isn't great but new technology and practices are better. Sounds like I was too obtuse.

So let me be more direct: I believe that one of the greatest benefits of EHRs and health information exchange is that they will dramatically improve privacy protection and security by bringing greater standardization and best practices to physician office (and hospital) policies and technologies. For example, in the MAeHC projects we are requiring hardware/software security audits in each practice, privacy and security training and certification, explicit role-based access assignments, etc etc. Patients will also be able to get an audit log of who has accessed their record, at the practice-level or at the network-level. These types of protections and safeguards are a pipe-dream in a paper-based world.

Thanks for your comments.

Mike said...

I would like to introduce one website for your website visitors if they are interested to know more about HIPAA Compliance and this website acts as a resource to find more information on many different regulatory authorities also.

R. Williams said...

It's sad that people have to get nervous now to even use their credit cards at restaurants and doctor's offices. With merchant accounts and secure credit card processing, these problems should become a non-issue.

I'm also wondering if the hospitals in New Hampshire are the only ones that are having these problems. As a former hospital employee and someone knowledgeable about HIPAA, the oversights stated in this article are highly problematic. Why haven't these hospitals been properly investigated??