[ Tuesday, January 27, 2015 ]
Reporting Breaches of Less Than 500 Individuals
Jeff [12:50 PM]
: Don't forget that for "small" breaches (those involving less than 500 people), even though you need not report to OCR at the same time you report to the patient, you must still report to OCR during the first 2 months of the next calendar year. We are about halfway through that reporting period, so don't forget to log those minor breaches.
In other words, if you sent a breach notification to anyone in 2014, and did not at the same time notify OCR, then you need to do so now. You may have sighed with relief that you did not need to notify OCR (and the media) at the time, and your notification now will not lead to a "wall of shame" posting, but you must still notify OCR.
You can do so by going here
and following the link to "Breaches Affecting Fewer Than 500 Individuals."
[ Monday, January 26, 2015 ]
Jeff [11:44 AM]
Jeff [11:36 AM]
How does HIPAA apply to health apps? It seems pretty easy to me (follow the trail from the covered entity -- plan, provider, or clearinghouse -- to see if the app provider is a BA, subcontractor BA, etc.), but apparently there's some confusion
in the industry, since OCR has indicated they will give guidance soon.
[ Sunday, January 25, 2015 ]
New Jersey Requires Encryption:
Jeff [4:38 PM]
Beginning August 1, Garden State insurers
and healthcare providers must now encrypt all PHI
they collect or possess. It's more restrictive than HIPAA (where encryption is not required but is an addressable standard) so it's not preempted. This will raise issues for multi-state providers and insurers.
UPDATE: the new New Jersey bill only applies to "health insurance carriers," not to providers. The blog post I linked to implied that healthcare providers were also covered. Not so.
Hat tip: Theresa Defino
[ Tuesday, January 20, 2015 ]
Healthcare.gov: Who Has Access to What Data?
Jeff [1:56 PM]
It seems a lot of vendors can access information
of people who log onto healthcare.gov to look for Obamacare insurance or information. I wonder if these vendors are subject to BAAs or other privacy and confidentiality restrictions. I don't believe the website is a HIPAA covered entity. . . .
Is HIPAA Enforcement Increasing?
Jeff [1:54 PM]
Or is the delay in the roll-out of the 2nd phase of audits indicative of lackluster enforcement by OCR? That's what some are saying
[ Monday, January 12, 2015 ]
Bleg: I'm looking for recommendations for HIPAA auditors, to review a covered entity for HIPAA compliance. Let me know if you have any recommendations.
Jeff [3:16 PM]
Jeff [2:06 PM]
Jeff [1:06 PM]
[ Friday, January 09, 2015 ]
Bad Employee Does Not Always Equal Employer Liability
Jeff [4:30 PM]
: Kettering Health Network was sued
by a woman whose estranged husband, while an employee of Kettering, wrongfully accessed her and family members' medical records. She sued on a qui tam action, alleging the hospital wrongfully took Meaningful Use funds. The court ruled against her, saying Kettering in fact did what they were supposed to under Meaningful Use: they installed controls and did the risk analysis. The controls obviously weren't fool-proof, cause that fool husband got around them. But it was actually the hospital that caught him, proving that the controls were at least of some use.
This is not exactly opposite of the Indiana Walgreens case (there are tons of differentiating factors), but indicates that just because an employee goes rogue, it doesn't necessarily mean the employer has to be liable.
[ Monday, January 05, 2015 ]
Medical Reality TV Shows and Potential HIPAA Violations:
Jeff [11:54 AM]
Interesting (but obviously one-sided -- it is the New York Times) article on a family's lawsuit
against a hospital for allowing seemingly de-identified PHI to be used in a reality TV show. The patient's face was blurred, but the family was able to tell it was him.
[ Tuesday, December 30, 2014 ]
Jeff [1:44 PM]
[ Tuesday, December 23, 2014 ]
Jeff [1:13 PM]
2014 OCR Enforcement Actions:
Jeff [1:01 PM]
Ed Zacharias runs down OCR's year of settlements
. I tend to agree that enforcement will continue to increase, and that having good, regularly updated policies and procedures (based on a valid and thorough risk assessment), and following them, might not completely insulate you, but will go a long way to keeping fines down.
Boston Children's Hospital:
Jeff [10:49 AM]
a laptop stolen from a physician traveling in South America results in a $40,000 fine for the hospital
. (via BNA, subscription required). This just settles the state law issues (Massachusetts' AG being one of the more aggressive ones), so HIPAA fines may loom on the horizon. Guess what? Encryption would've fixed the problem. To be fair, the hospital did have an encryption policy, but the doctor didn't follow it.
Jeff [9:56 AM]
[ Thursday, December 18, 2014 ]
Jeff [1:33 PM]
[ Wednesday, December 10, 2014 ]
Jeff [7:35 AM]
[ Tuesday, December 09, 2014 ]
Some Folks are Catching Up at Lexology:
Jeff [1:30 PM]
(i) on the Connecticut decision
allowing a state cause of action to proceed using HIPAA as a guide (but acknowledging the lack of a private cause of action under HIPAA itself); and (ii) on the Indiana case
holding Walgreens liable for an employed pharmacist's apparent improper access to PHI. Of course, you read about them here first. . . .
[ Monday, December 08, 2014 ]
$150,000 fine for Alaska Mental Health Agency's Failure to Protect ePHI: Malware on the computer system
Jeff [7:28 PM]
compromised data of 2,743 patients, but the bigger issue is the failure of the organization to keep its information systems up to date. The malware apparently took advantage of security issues in the software for which patches had been issued, but the agency didn't keep track of patch management. Basically, it's proof that adopting decent policies isn't nearly enough if you don't regularly make sure you've got reasonable risks covered. The bulletin also pushes the HIT Security Rule Risk Assessment Tool
: hint, hint, if you haven't reviewed this and compared your current security to what's in here, you're likely gonna get fined if there's a breach.
[ Friday, December 05, 2014 ]
Jeff [11:20 AM]
[ Wednesday, December 03, 2014 ]
Employee Snooping at Cleveland's University Hospitals.
Jeff [2:41 PM]
It's being blamed on lax oversight
; policies were good enough, but access auditing and other gatekeeper activities might have exposed the problem much earlier. Trust but verify, a wise man once said. . . .
Jeff [12:00 PM]
[ Tuesday, November 25, 2014 ]
Beth Israel Deaconness, BYOD angle:
Jeff [10:46 AM]
As previously noted here
, someone stole a laptop from a physician at Beth Israel Deaconness hospital in Boston. The laptop didn't belong to the hospital, but the hospital knew the doctor was using it for patient data, and (of course) it wasn't encrypted. The hospital has settled the state-law breach issues
(and the state AG HIPAA enforcement issue) with the Massachusetts state officials, for a $100,000 fine. I asssume there will be no OCR fine in this case, since HIPAA was specifically included in settlement with the state AG.
[ Wednesday, November 19, 2014 ]
Jeff [2:16 PM]
Prime Healthcare Services' Shasta Regional Medical Center in California was fined by the State of California
in a case involving an advocacy group trying to make the hospital look bad. A patient disclosed her own medical information related to her stay at Shasta Regional Medical Center; when the press asked the hospital executives about the matter, they disclosed the patient's information in defending the hospital, which served as the basis for the state and federal fines. Apparently the patient also sued, but lost;
the court determined that the patient had implicitly waived her privacy rights by making the initial disclosure to the hospital, and that therefore there was no improper disclosure of private information or any harm suffered by the patient.
Hat tip: Theresa Defino
Jeff [7:33 AM]
Hospital employees steal patient identities
, file false tax returns. HIPAA breach, but really just plain old identity theft.
[ Tuesday, November 18, 2014 ]
Brigham & Women's Hospital Laptop and Phone Theft: approximately 1000 patients affected
Jeff [1:19 PM]
. Can't really tell if the devices were encrypted, but don't know if that would matter if the robbers made the victim give up the codes. As the commenter notes, I wonder why it took 2 months to report this -- hopefully that was at the request of the police.
[ Monday, November 17, 2014 ]
Walgreens' $1.4 Million Verdict:
Jeff [1:13 PM]
an Indiana court has upheld
a $1.4 Million judgment against Walgreens. A Walgreens employed pharmacist accessed prescription records of her boyfriend's ex-girlfriend, and apparently disclosed the details to the boyfriend. Presumably, the employee violated all sorts of rules, procedures, policies, and training, and I would assume Walgreens argued that she was acting outside the scope of her employment when she accessed the records. But the court has held Walgreens liable, and the appellate court affirmed it, based on negligent supervision and retention, and invasion of privacy.
[ Sunday, November 16, 2014 ]
Jeff [2:08 PM]
[ Friday, November 14, 2014 ]
$19,000 per victim?
Jeff [4:20 PM]
That's the alleged cost per person
of a HIPAA breach, although it's the cost if the breach victim is actually a victim of medical identity theft.
Jeff [4:13 PM]
Are you a lawyer with covered entity clients? Are you worried about HIPAA? Want to know what your obligations are as a business associate? You might want to check out this webinar
[ Thursday, November 13, 2014 ]
Ebola and HIPAA:
Jeff [3:04 PM]
I've heard lots of folks questioning how healthcare providers such as Texas Health Presbyterian Hospital here in Dallas were able to issue press releases and discuss the health condition and treatment of the Ebola patients they treated. It's an interesting question: the providers can't talk about it unless the patients authorize them to do so, but they must also disclose data to governmental agencies when required by law to do so (whether those government agencies may then disclose the data depends on whether they are covered by HIPAA [usually not] or some other privacy law [usually are]).
However, what normally happens in high-profile medical cases, whether they be "epidemic-disease-fo-the-day" or some high-profile incident like a terrorist attack, is that the provider coordinates with the patients, asks them how much information they want disclosed (if any), and respects their wishes.
Here's a pretty good article on what Emory Healthcare did
with their Ebola patients where the press was concerned.
Jeff [2:45 PM]
[ Wednesday, November 12, 2014 ]
Jeff [12:05 PM]
[ Tuesday, November 11, 2014 ]
HIPAA-compliant website issues:
Jeff [7:27 AM]
here's an interesting blog post
on HIPAA issues encountered relative to a specialty pharmacy website hosting arrangement.
[ Monday, November 10, 2014 ]
Jeff [3:18 PM]
Wondering how those hospitals are able to discuss the status and prognosis of their Ebola patients? OCR has just recently published a Bulletin on "HIPAA Privacy in Emergency Situations"
as a reminder to covered entities about the who/what/how/when of making these sorts of disclosures.
[ Wednesday, November 05, 2014 ]
HIPAA Private Cause of Action:
Jeff [3:30 PM]
Long-time HIPAAcrats know that there's no private cause of action for a HIPAA violation. In other words, if your doctor violates HIPAA and discloses your PHI to the National Enquirer, you can't sue him for violating HIPAA
. Depending on where you live, you may be able to sue him for violating a similar state law, a state data breach law, a law requiring physicians to maintain confidentiality, or on common-law grounds such as invasion of privacy. In such a suit, the doctor's failure to follow HIPAA would probably be pretty good evidence that he did not act reasonably, and would help your case. But unless you had some statutory or common-law claim, you can't sue just for a violation of HIPAA.
A recent Connecticut case implies
that you can sue for a HIPAA breach in that state. Actually, a better description would be that "a violation of HIPAA regulations may constitute a violation of generally accepted standards of care." In other words, you can sue for negligence based on a violation of HIPAA; you just can't sue based on the HIPAA violation alone.
[ Wednesday, October 29, 2014 ]
It May Be a Dirty Little Secret, But It's Not Necessarily a HIPAA Violation: Venture Beat has figured out
Jeff [3:35 PM]
that a lot of healthcare providers text using unencrypted devices operating over regular cellular networks. Yes, they do. And yes, many of us strongly urge against them doing so. But it's not necessarily a HIPAA violation to do so. As I would've commented on the post itself if it didn't mean letting Venture Beat "manage my Google contacts":
To say "This is a clear violation of HIPAA" is fatuous and false. It's not very secure and not very smart; it could be a violation of an entity's policies and procedures; it could in some instances be a violation if it is absolutely and legally unreasonable to use such a communications device in such a fashion. But HIPAA is scalable and technologically neutral; encryption IS NOT A REQUIRED ELEMENT under HIPAA.
HIPAA covered entities should conduct risk analyses and do their best to secure their data as much as possible, including eliminating unsecure texting wherever possible. But just because it's a bad idea doesn't mean it's against the law (or, in this case, against the regulations).
California AG's Data Breach Report:
Jeff [12:29 PM]
California healthcare providers (and other covered entities) (and other folks outside California) should be sure to read this
. She specifically calls on healthcare providers to "Consistently use strong encryption to protect medical information on laptops and on other portable devices and should consider it for desktop computers." If this is what's happening in California, it's either happening in your state too, or will be soon.
[ Thursday, October 23, 2014 ]
Sutter Health, Eisenhower Updates (California) :
Jeff [2:38 PM]
I've previously mentioned the Sutter Health desktop computer theft case, and the ensuing potential $4 billion class action case, that was dismissed because there was no proof that the data on the computer was ever actually accessed or used. The state supreme court has upheld the appellate court's dismissal
of the case.
Eisenhower ws facing a $500 million class action suit for the loss of a laptop containing names and personal information of 500,000 folks, but apparently no medical histories, conditions, or treatment. Because of that, the case has been tossed.
[ Tuesday, October 21, 2014 ]
Medical Identity Theft:
Jeff [3:30 PM]
It's becoming even more common. Here's why.
Rigorously following HIPAA is the best preventive.
[ Friday, October 17, 2014 ]
Ebola, Public Health, Emergency, and Related Disclosure Questions:
Jeff [3:26 PM]
Some of the AHLA ListServs are buzzing today with questions about how and why Texas Health Presbyterian Hospital (which is just over a mile from my house) has disclosed the names of the two nurses who have caught Ebola. Normally, a hospital can't disclose the names of patients, except for treatment, payment, healthcare operations, with patient consent, or as required by law or otherwise allowed by HIPAA. HIPAA allows covered entities to disclose PHI in emergency situations, and generally health care providers are required to disclose infectious disease information to state and federal epidemiology agencies. Some have also speculated that Presby might have patient consent to make the disclosures, in which case they clearly would be allowed.
HHS has helpfully provided an FAQ
relating to disclosures in the case of a bioterrorism threat of public health emergency, and has also provided a decision tool
for healthcare providers faced with determining whether there is a public health emergency or emergency preparedness reason for a disclosure.
Hat tip: Alan Goldberg.
[ Monday, October 13, 2014 ]
Community Health Systems update:
Jeff [10:12 AM]
As previously reported
, CHS was hacked. The sequelae has started: one of the community hospitals in New Mexico has been sued
, and the attorneys are seeking class certification.
The lesson here is that the severity of the breach and the actual harm caused by loss of confidentiality may be miniscule compared to the legal costs of just fighting a thousand different plantiff's lawyers.
[ Friday, October 10, 2014 ]
Accounting for Disclosures: Have you been worrying about how to comply with the accounting for disclosures rule that HHS published way back in 2011? No? Hell, even I'd forgotten about it, even though I gave quite a few speeches and webinars about it. It's a mess, and raised all kinds of issues based on who "touched" the file, not just to whom it was disclosed. It was to have become effective January 1, 2015. However, HHS has just announced that they will delay the effectiveness and reopen the rule for comment. That's the right thing for them to do.
Jeff [11:39 AM]
People rarely ask for accountings of disclosures, and often do so for (illegitimate) aggressive or litigious purposes. So making the industry jump through hoops for such a rare reason is sensible.
[ Thursday, October 09, 2014 ]
Jeff [1:50 PM]
[ Tuesday, September 16, 2014 ]
Get In Line: App developers are frustrated
Jeff [11:40 AM]
with the imprecision of HIPAA. Actually, I'm not sure exactly what relief they are looking for. HHS is not going to write regs that say, "you can't use PHI except for treatment, payment, or healthcare operations, unless you do it with a mobile app, then it's all OK, do whatever you want."
HIPAA is conceptual in nature; you've just got to understand that and deal with it.
Mississippi CHS Data Breach Lawsuits:
Jeff [11:29 AM]
Suits are beginning to be filed
in the CHS hacking case. Class status is being sought.
[ Monday, September 15, 2014 ]
Temple University Data Breach:
Jeff [9:45 AM]
This time it was a desktop computer
that was stolen, with 3780 patients affected. Not encrypted, of course. This shows that, while it's an excellent idea to encrypt all mobile devices, don't forget about encrypting non-mobile devices as well (in this case, the non-mobile desktop went mobile when it was stolen).
[ Friday, September 12, 2014 ]
Huntsville, AL Lab Data Breach:
Jeff [9:57 AM]
A clinical lab in my old hometown of Huntsville, Alabama is notifying patients, since their billing contractor put some of their data on a server that was accessible to Google
searches. They've notified 7,000 patients. Presumably the lab had a business associate agreement with the billing company, and presumably that BAA will require the billing company to pay for the notification.
Is this "willful neglect"? If so, expect a sizeable fine.
[ Thursday, September 11, 2014 ]
Jeff [8:06 PM]
Blogger: HIPAA Blog - Edit your Template