I swear I don't mean for Lockdown to turn into the "What The Hell Are They Thinking?" weekly security rant, but as that legendary site used to say, a fish, a barrel, and a smoking gun. This week, we travel to Yakima, Washington, which on further reflection may turn out to have been our first mistake.

Yakima isn't Seattle, or even Tacoma -- it's about two hours away from either of those cities, and in either case its 81,214 residents live on the other side of a rather large mountain range that separates lovely Western Washington from the flatlands of the central area. The point is that while they're not entirely in the sticks out there, the local options for medical care in Yakima are a bit more limited than those to which you might be accustomed. Keep that in mind, if you would. There will be a quiz.

Aram Langhans, a retired science teacher from Yakima, hasn't been feeling well lately. When his primary-care physician at Group Health (an HMO) detected an irregular heartbeat, the doctor sent Mr Langhans over to the Yakima Heart Center to get it checked out. Doctors there were to attach an external heart monitor to Mr. Langhans' chest; he'd wear the device for 24 hours and return it to the clinic so the data could be analyzed.

Like many Americans, Mr. Langhans' family has been hit by identity thieves, and they're a little touchy about having their Social Security numbers visible just anywhere. So when Mr. Langhans' wife noticed his SSN clearly visible at the top of his new Yakima Heart Center file, the couple asked the clinic administrators to get that out of sight. The office manager refused, saying it was "office policy."

After some back-and-forth, the office relented, Mr. Langhans went in for the usual chest-hair shaving and monitor attachment, and the day seemed to be progressing... until someone in the front office stopped Mr. Langhans as he was leaving the clinic. Mr. Langhans was sent to a restroom to remove the device himself (!) and told he wouldn't be treated -- because he'd asked to have the number obscured, which the front office apparently considered suspiciously deadbeat behavior.

And now your quiz. The action taken by the Yakima Heart Center was...

a) Neither immoral nor illegal; the business office needs what it needs, and HIPAA (the Health Insurance Portability and Accountability Act) says Social Security numbers can be collected as part of medical records.

b) Immoral in refusing needed medical care, but legal under HIPAA.

c) Illegal; the clinic isn't allowed to require the Social Security number per HIPAA.

The answer is b) -- not illegal, but certainly not required by Group Health, a spokesman for which deplored the clinic's decision: "No one should be denied care over a paperwork issue like that."

We'll leave the ethics of the Yakima Health Center's business managers out of this. In fact, administrator Shawnie Hass issued a quote to the Yakima Herald-Republic that makes her office sound downright virtuous about it:

The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system.

Nonsense. Yakima Heart Center may have a flawed system, one that inappropriately indexes patient files based on Social Security numbers, but that's not Mr. Langhans' problem. And there's no context in which that number should be easily visible on his records. What I hear Hass actually saying is this: We're in business to make money, not follow the Hippocratic Oath, and our office manager's convenience trumps patients' privacy concerns. [A not uncommon attitude at health-care facilities in rural or remote communities, in your writer's sad personal experience; the biddies running the office start confusing themselves with actual medical personnel.] Have a nice day. Sorry about the chest hair.

The Social Security number has nothing to do with monitoring a man's heartbeat, but it makes debt collections easier. A number of commenters on the Herald-Republic site advanced that argument that an influx of undocumented and uninsured workers in the area was good and sufficient reason for the center to require the Social Security number from Mr. Langhans.

Again, nonsense. Yakima Heart Center isn't Mr. Langhans' primary care provider; that's Group Health -- which is also, by virtue of being an HMO, Mr. Langhans' insurer. Group Health assumed responsibility for his bill when they referred Mr. Langhans to the clinic. The issue here was simply that Mr. Langhans asked the front office to abide by a higher privacy standard, and that didn't sit well with someone pushing paperwork at Yakima Heart Center.

Even if the number was merely being acquired as backup (and there's no evidence the SSN is used at Yakima Heart Center for patient-ID purposes beyond communication with Group Health), once it hits the center's files, it's protected health information (PHI) and subject to all the protections incumbent on healthcare providers under HIPAA... and, soon, the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HITECH raises the stakes for smaller providers such as Yakima Heart Center, both increasing civil penalties in case there's a breach but mandating that any breach, no matter how few patients it affects, requires public disclosure.

HIPAA and HITECH were developed to improve the quality of healthcare records-keeping and patient privacy. Patients like Mr. Langhans -- clearly paying attention to all those warnings about protecting one's personal data -- are acting as smart consumers when they request that institutions take reasonable precautions with their info. We wish Mr. Langhans all the best of health.

In the meantime, one wonders if a facility that would demand a patient remove sensitive medical equipment from his body by himself in a restroom is really on top of what it takes to handle and protect sensitive personal information.