[ Tuesday, January 31, 2012 ]
University of Miami Data Breach: flash drive
with patient data stolen from doctor's car. How unusual! No SSN or similar financial data (good), but apparently not encrypted (bad).
Jeff [12:06 PM]
Guest Post: How HIPAA Can Affect College Students
Normally the media publishes stories about HIPAA in relation to medical data breaches by negligent clinicians out of compliance or in the context of the law creating a significant burden for practices now trusted to maintain their patients’ records with the utmost vigilance. Though HIPAA was intended for the salutary purpose of making health care safer and more feasible for the average American, some of its key components made unintentional victims out of certain demographics. Though it may not be self-evident, college students represent a sizeable proportion of people beleaguered by the red tape that HIPAA constructs around the American health care system. In fact, most college students don’t even understand the ramifications of HIPAA legislation until they inadvertently come up against one of its many key components.
Coming of age
Once a child turns 18, they are in command of their medical records and relevant history. Under HIPAA, the parents of a young adult 18 or older cannot request information concerning their medical history unless they receive their written consent. So by the time most students enter college for their first year, they are expected (in legal terms) to manage their health care on their own. This fact usually comes as a shock to students who normally rely on their parents to schedule doctor’s visits, transfer records to schools or employers, and generally keep an eye on their health care coverage. Students can combat their ignorance of their obligations as young adults with medical records by requesting and reviewing previous records from their family doctors for the most up-to-date material on their general health. Though the prospect of reviewing one’s own health records might seem strange, a great deal of college students never consider their medical history unless they suffer from a serious condition that requires constant attention.
Students of age can also review their privacy rights at the U.S. Department of Health and Human Services’ website, which offers a comprehensive (if a little dense) explanation for most issues related to the privacy rights of American citizens with health care. It’s an important resource for anyone to read, but it’s more critical for college students who are mostly in the dark about their newfound medical privacy rights.
Under the family health insurance plan
Somewhat paradoxically, college students cannot have their parents access their medical history after they hit the 18-year mark, but they can continue to be covered on their parents’ insurance plans. Now normally this wouldn’t seem like that big of a deal: students go to doctors’ appointments as they deem necessary and the parents pay the insurance without ever needing to consult their children’s medical records.
But say for instance that a college student is going to school out of state and they have a condition that must be treated regularly, preferably in the state where they go to school. Continuing treatment out of state will likely require collaboration between the doctor’s office in the student’s home state and the office in the state where they go to school. If the case is particularly complicated, the parents may try to help to ease the burden by collaborating with the doctors on behalf of their children. Not so fast. Remember that under HIPAA, those over 18 are the only ones allowed access to medical records and related histories. Even if a parent provides the insurance that covers their child’s care in another state, they cannot access the information necessary to facilitate a transfer of medical information between two offices without the written consent of the patient. In many cases, the patient may have to write their consent in front of an official witness to testify to the legitimacy of their signature! Though this is an extreme circumstance, it’s best for college students to know where they stand when it comes to the privacy of their medical records.
Byline:
This is a guest post by Kimberly Wilson. Kimberly is from accredited online colleges; she writes on topics including career, education, student life, college life, home improvement, time management, etc.
Jeff [11:39 AM]
Beaten down by contracts of adhesion. I just totally clicked through the new Google privacy policy, accepting it without even reading it. Now, my life really is an open book.
Jeff [11:37 AM]
[ Wednesday, January 25, 2012 ]
Going to HIMSS? #HIMSShero I've gotten a couple of emails about this new player in the health IT business: DrFirst (@DrFirst). The stated focus is to help physicians migrate to EHRs, with an apparent big focus on ePrescribing (including a controlled substance e-prescribing solution). If you're going to HIMSS, check them out at Booth 5456. In the interim,
check out their introductory video; if you comment on it, you might win a night out on the town in Vegas (presumably during HIMSS). And if there really is a guy in that suit, take a picture and email it to me.
Jeff [5:36 PM]
HIPAA White Paper from ProofPoint: I was reviewing an InfoWeek health tech email and saw a link to a Dark Reading article on the latest HIPAA email security rules. It led me to
this white paper. I don't know who they are or what they're pushing, and in full disclosure I just sort of scanned over this, but it looks pretty interesting. They go back and talk about the original EDI focus of HIPAA, which, if you go back to the beginning of this blog (almost 10 years ago), you'll see that's something I regularly referenced.
Jeff [12:43 PM]
[ Monday, January 23, 2012 ]
HIPAA-compliant authorizations in electronic format: I received the following from one of the outreach folks at HHS:
Greetings,
In April 2012 individuals applying for Social Security disability benefits online will be able to sign the “Authorization to Disclose Information to the Social Security Administration” (Form SSA-827) electronically. As a result, your readers may begin receiving some of these electronically signed authorizations from Social Security on behalf of their patients or clients.
Help us give your readers a valuable heads up about eAuthorization.
Your readers look to you for guidance on issues important to them. In my last email to you, I inquired about including an article in your eNewsletter or posting information on your website, as an effective way to communicate eAuthorization. By receiving information in advance of the April 2012 launch, your readers will be well informed and will have the opportunity to prepare.
We have included an article with information about eAuthorization to include in your various publications. Please let us know if you thought this information was helpful and how you shared this information with your readers. We welcome all ideas and will work with you to get information formatted to meet your organization's needs.
Thank you again for your assistance with this.
So starting in April, keep your eyes out for electronically-signed HIPAA-compliant (allegedly) authorizations from the Social Security Administration for folks seeking SS benefits. More information
here.
Jeff [5:42 PM]
Breach Notification: a couple of articles to clip and hold onto, just, ya know, in case:
- Richard Mackey (first of a series)
- Greg Freeman
Jeff [9:08 AM]
[ Friday, January 20, 2012 ]
2011 Year in Review, 2012 Year in Preview: While I hate to promote another law firm, McDermott Will & Emery is a good health law shop, and they've
posted a White Paper on 2011 events and 2012 predictions for Data Protection and Privacy. I haven't had a chance to review it yet, but will try to get to it this weekend, and will update this post if I see anything exceptional. Also, I don't know if this link will work for everyone (the tip came to me via LinkedIn). Leave me a comment on this post if you can't reach the link or want to comment on the paper itself.
Jeff [9:47 AM]
Accretive Health (Minnesota) Data Breach: The
Minnesota AG has sued a healthcare service group. Fairview Health and North Memorial in Minnesota hired Accretive as their debt collection company, and Accretive lost a laptop with unencrypted patient data. The data included stuff you'd expect a debt collector to need (names, SSNs, amounts owed, even procedures performed), but the data also included information on chronic conditions and how the patient is responding to treatment. The AG believes that the medical information should not have been shared with Accretive.
This makes for an interesting case, because it has 2 distinct components. To the extent Accretive should have encrypted or otherwise protected the data, it's probably a HIPAA violation by them for failure to implement reasonable physical and technical security safeguards; but that's a question of fact, since encryption is not a required element. Accretive is also directly liable under HITECH, although under the original HIPAA rules, it would have only been Fairview and North Memorial that would have been impacted.
The second element is the question of whether Fairview and North Memorial violated the "minimum necessary" rule by giving Accretive the medical condition and progress information. One could argue (I probably would if I were them) that the information is relevant to debt collection -- to make a claim you might need to say what the debt was for, and to argue the value of the services, it might be necessary to know how the patient fared with the treatment.
It will be an interesting case. The AG has gone after the "villain" debt collector, and so far left the hospital entities alone. Let's see if she keeps that strategy. She is obviously grandstanding, pitting "Wall Street investors" against poor, suffering patients. This is
exactly the sort of thing I have been warning about in connection with the HITECH changes that give enforcement power to state attorneys general.
Jeff [9:15 AM]
[ Wednesday, January 18, 2012 ]
Go to Jail: 13 months in jail for a computer specialist with an Atlanta physician practice who left the practice, joined a new practice, and hacked into the old practice to steal patient data and use it for direct-mail solicitations for his new employer. He also deleted the information off of his old employer's computers.
This shows the need for good employee exit policies and access termination protocols, especially if it's possible to access your system from the outside.
Jeff [12:39 PM]
[ Monday, January 16, 2012 ]
OT: 1% of Americans eat up 22% of all healthcare spending; half of all healthcare spending is spent on only 5% of the citizenry.
Jeff [4:45 PM]
Social Media in Healthcare: Who is using social media, what are they using, and how are they using it? Here's a pretty
neat infographic from Ray Lau at
Innovative Data Solutions.
Jeff [4:33 PM]
[ Monday, January 09, 2012 ]
Seven Health IT Trends to Watch in 2012: From
Government Health IT. Of course, most are data breach or other HIPAA issues.
Jeff [8:12 AM]
[ Thursday, January 05, 2012 ]
A List Inspired by Spinal Tap: According to Dark Reading, the
number 1 trend of the top 11 trends for healthcare data in 2012 will be data breaches involving portable devices. Class action litigation is #2 (hey Sutter, you're a trendsetter!).
Why a top 11?
Only 1 reason.
Jeff [5:46 PM]
[ Tuesday, January 03, 2012 ]
Forbes Notes the
surge in HIPAA complaints and problems in 2011.
Jeff [5:03 PM]
DWI: Doctoring While iPhoning. Texting or using a cell phone while performing heart bypass surgery is
much more common than I would have ever thought.
Jeff [1:39 PM]
[ Monday, January 02, 2012 ]
5010 Standards: By the way, here's
information on the new 5010 standards. They became effective yesterday, although they won't be enforced for a few more months. They will be eventually, to be sure, so if you haven't already gone there, you need to get moving.
Jeff [9:50 AM]
[ Friday, December 30, 2011 ]
Loma Linda Breach: An employee at Loma Linda University Medical Center
took home medical records. I'm guessing that, as a nurse, she didn't need to work on her dictation or anything of the sort. She has been fired.
Jeff [8:34 AM]
[ Wednesday, December 28, 2011 ]
5010 News: MGMA is asking for more time for the transition to 5010. The deadline is January 1, 2012, and has been there for a couple of years. HHS has already allowed a 3-month grace period, and now MGMA wants 6. I'm not technical enough to know why this is such a problem, but can't folks just get this switched over? Then again, how important can it be to make the switch? What advantages does 5010 have over 4010?
Hmm, what if HHS published an interim final rule, effective in 90 days, to include practice management software vendors who have a billing component into the definition of "clearinghouse"? The article states that vendors and clearinghouses are not covered by HIPAA. Au contraire; clearinghouses are (and should be, for just this reason), but vendors aren't. If vendors are the problem getting to 5010, put the onus on them and make them liable to the Feds for any failure to get to 5010, and I bet that would cure the delay.
Jeff [10:32 AM]
Nothing to See Here: Here's a story about nothing: customers of small pharmacies complain of privacy violations when the pharmacies are sold to Walgreens and their records are sent there. Isn't that a HIPAA violation? No, it's not. It is definitely part of "healthcare operations" to transfer records to a successor provider, which is the case here. If you don't want Walgreens to have your records, ask them to transfer your records to a new pharmacy.
Jeff [10:28 AM]
[ Tuesday, December 20, 2011 ]
UCLA Update: You may remember that
a UCLA physician took home a portable hard drive which was stolen from his house (along with the slip of paper with the password to access the data). UCLA
has now been sued for $16 million ($1,000 per patient, the California statutory damages amount).
Jeff [9:50 AM]
Georgia Hospital Feels the Security Rule Blues: One of the required elements of the security rule standards is the adoption of appropriate software protection, such as virus scanning and other malware prevention and protection. Why is this important?
A computer virus can close your hospital.
Jeff [9:17 AM]
[ Monday, December 19, 2011 ]
Why There's a HIPAA Privacy Rule: HIPAA's transaction and code set rules drove the move to electronic records (and eventually EMRs and EHRs). Data in electronic form poses a much greater risk of improper access than paper records, for a number of obvious reasons. It was due to that increased risk that the HIPAA Privacy and Security Rules came into play.
The New York Times has
discovered the same thing.
Jeff [10:47 PM]
[ Tuesday, December 13, 2011 ]
Encryption and Data Loss Prevention: There are a couple of interesting links in today's Dark Reading email: a report on
email and data loss, and a white paper on
encrypting data in transit and at rest. Both are free, but you must register to access the papers.
Jeff [2:47 PM]
[ Monday, December 12, 2011 ]
Florida Law HIPAA preemption: A Florida federal district court has ruled that a Florida statute that requires nursing homes to provide copies of a former resident's medical records to spouses, guardians, proxies and attorneys upon request is preempted by HIPAA. In
Opis Management v. Dudek, the court ruled that the Florida statute requires the disclosure, but HIPAA prevents it (unless the spouse, guardian, etc. is a "personal representative" of the former resident).
Via BNA (subscription required).
Jeff [6:29 PM]
[ Friday, December 09, 2011 ]
Q&A with Larry Ponemon: Wherein
the IT expert talks about how a big healthcare data breach could be worse than an oil spill. Interesting, and a little scary.
UPDATE: More on Ponemon's recent report (should that be Pwnemon?)
here; of course, I already covered it
here.
Jeff [2:49 PM]
[ Friday, December 02, 2011 ]
Three Steps to Minimize the Data Breach Epidemic: from
Government Health IT:
- Inventory your PHI/PII
- Develop an Incident Response Plan
- Review your Business Associate Agreements
Not a bad starting point. I'd also say you should re-do your HIPAA Security risk analysis. Part of that will be inventorying your PHI, and part of the result should include your incident response plan. The best thing you can do is find out what your troubles are. When you're sick and you go to the doctor, or even if you're feeling fine and you go for an annual physical, the first thing the doctor does is get your vitals and lab work. That's what your risk analysis should be -- a regular checkup to spot trouble (or at least trouble spots to watch) before it happens.
Jeff [11:06 AM]
HCPro Survey: Dom notes a recent
survey by HCPro (apparently it's not just Ponemon out there asking questions) which indicates that only 17% or healthcare organizations are prepared for an audit. OCR is starting its audit process with a total of 150 "covered entities" over the next 14 months, with 20 or so getting started in November (so far, I haven't heard any names mentioned). I have no idea how many "covered entities" there may be in the US, but 150 is a tiny, tiny fraction. So the odds of being a targeted entity at this point are slim. BUT, this is a good time to think about getting your organization into a position that you could at least manage an audit, even if you don't think you could completely pass it.
At the very least, don't make yourself "low hanging fruit."
Jeff [10:57 AM]
Ponemon Report on Healthcare Data Breaches: There's a
new report from the Ponemon Institute that indicates a growing number of data breaches in the healthcare sector. The truth of the trend may be questionable -- it could be that breaches are noticed more now than they were in the past due to the high profile of HIPAA after HITECH. But regardless, there are some interesting nuggets in the data:
- Almost all entities surveyed reported some sort of data breach.
- Half of data breaches are due to lost or stolen devices.
- Half of the organizations surveyed said they don't spend enough on data security.
- More than half say their organization has made changes due to the audit threat.
- 4 of 5 entities use mobile devices for data, but half do nothing to protect those devices.
- Almost 1/3 of the breaches involved or resulted in medical identity theft.
- Employee negligence was involved in 2 out of 5 breaches.
More
here.
Jeff [10:31 AM]
[ Wednesday, November 30, 2011 ]
The Year in Data Theft: InfoWeek's Dark Reading site gives a breakdown of the
big data breaches over the last year; click on the Comodo logo for the slide show. TriCare is the healthcare industry's entrant; they must've put this together before Sutter.
Jeff [5:16 PM]
"We Can't Wait." HHS has
issued a press release on steps it is taking to encourage providers to adopt health information technology. Yawn. Another day, another press release, right?
Not exactly. This press release doesn't start with the bland, dry bureaucrat-speak you usually see; it's got a punchy tag line. HHS can't wait for doctors and hospitals to get on the bandwagon and get with this whole computer thingy, so the press release starts out, "We can't wait."
Hmm, that sounds familiar. Where have I heard "we can't wait" before, and recently? Oh yeah, it's
Obama's 2012 reelection campaign slogan.
If you thought the US Department of Health and Human Services was an organ of the Democratic Party, . . . you're apparently right.
Sheesh.
UPDATE: a reader named Ben writes in the comments:
I've read your blog for many years, and always found it very helpful. But I
don't read it for political commentary.
And I generally try to keep this blog free from political commentary, more or less. It's no secret I'm a conservative (although I have no allegiance to the Republican party, a/k/a the "stupid party"), and that naturally flavors my way of viewing things. But if I wanted to write political rants here, I'm free to do so, since it's my blog. And Ben (and all the rest of you) are free to not read my rants. I'll give you a full refund of your subscription fees, too.
But the HHS is not, and shouldn't be, the President's
political mouthpiece. He's President, so he gets to appoint the top folks and run it as he likes, with policies pointed in the direction he likes, subject to the specific boundaries set by Congress. Just like he gets to fly around the country on Air Force 1 (at a large cost of taxpayer dollars) and tie up traffic in Manhattan for political fundraisers; as long as there's some non-political purpose as a fig leaf for part of the trip, then he's allowed to do so. Regardless of which party he leads.
But he doesn't get to use HHS for political purposes. He doesn't get to use HHS to provide care only to Democrats, or to grant waivers only to states that voted for him. HHS belongs to all of us, not to the President. Just as the President's political operatives can meet with him in the White House but can't use White House resources for campaigning, he can guide the HHS in a way that suits him politically but can't use it as a campaign tool. It's not right, it violates a public trust, and it creates an appearance that HHS is a partisan organization.
I would call out a Republican president who did the same thing. Of course, if it were a Republican, I wouldn't be the only one.
Jeff [3:23 PM]
[ Wednesday, November 23, 2011 ]
"Strong" Passwords: We recently had information security training here at JW, and one thing that was stressed was strong passwords. Frankly, that's the weakest link for non-crackhead malicious breaches. It's hard to keep a strong password regime up, particularly since you should also not use the same password for multiple accounts or uses (but if you use multiple ones, you have so many more to remember -- and you shouldn't write them down anywhere either, at least not anywhere near where they might be used, i.e. where they might be useful).
Regardless of your level of concern regarding strong passwords, at the very least don't use
weak passwords.
Here's a list of 25 to avoid, along with some recommendations for strong passwords.
Jeff [10:19 AM]
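The password post above says to avoid weak and commonly used passwords and to keep a strong password regime. The following is an added example, not code from the blog or from the training it mentions: a small screening routine that rejects a candidate password when it (or a trivially disguised variant such as "P@ssw0rd1") matches a blocklist of common passwords, is too short, or has too little estimated entropy. The blocklist is a constructed sample standing in for a published "passwords to avoid" list, and the length and entropy thresholds are assumptions; a real deployment would load a much larger list and tune the thresholds to its own policy.

```python
"""Screen candidate passwords against a common-password blocklist plus
length and entropy floors (added example; thresholds are assumptions)."""
import math
import string

# Constructed sample blocklist of frequently chosen passwords. This stands in
# for a published "passwords to avoid" list and is NOT the list the article cites.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "welcome", "admin", "football",
}

# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" -> "password".
_LEET = str.maketrans("@$!0134", "asioiea")


def normalize(password: str) -> str:
    """Canonicalise a password so trivial disguises still hit the blocklist.

    Lowercases, strips trailing digits/punctuation ("monkey2012!"), then maps
    common symbol substitutions back to letters.
    """
    lowered = password.lower().rstrip(string.digits + string.punctuation)
    return lowered.translate(_LEET)


def pool_size(password: str) -> int:
    """Size of the character set implied by the classes actually used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation marks
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def entropy_bits(password: str) -> float:
    """Naive entropy estimate: length * log2(pool). Overstates real strength
    for dictionary words, which is why the blocklist check comes first."""
    pool = pool_size(password)
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def evaluate(password: str, min_length: int = 12, min_bits: float = 50.0) -> dict:
    """Return {'ok': bool, 'bits': float, 'problems': [...]} for a candidate.

    min_length and min_bits are assumed policy values, not values from the post.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    if password and len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return {"ok": not problems, "bits": bits, "problems": problems}


if __name__ == "__main__":
    # Constructed candidates: two disguised blocklist hits, one repeat, one passphrase.
    for candidate in ("P@ssw0rd1", "123456", "aaaaaaaaaaaaaaaa", "correct horse battery staple"):
        result = evaluate(candidate)
        verdict = "OK  " if result["ok"] else "WEAK"
        print(f"{verdict} {candidate!r:34} {result['bits']:6.1f} bits  {result['problems']}")
```

The normalisation step matters more than the entropy number: "P@ssw0rd1" scores about 59 bits by the naive formula, comfortably over the floor, yet it is a disguised form of the single most common password, so only the blocklist check rejects it. Conversely the long lowercase passphrase has no special characters at all and still passes on length alone.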
[ Sunday, November 20, 2011 ]
Why Recycling is Bad: A paralegal at a
Minneapolis law firm decided to donate the firm's paper trash to her child's school for use as scrap paper for after-school art projects; you know, the paper only has printing on one side, and the other side could be used for artwork. Unfortunately, some of the scrap paper contained medical records of the firm's clients. Oops.
Jeff [12:05 PM]
[ Friday, November 18, 2011 ]
The Other HIPAA: CMS is
backing off the requirement that everyone switch to the newest transaction standards by January 1; actually, the requirement is still there, but CMS has said they won't enforce it until April 1, 2012. The HIPAA 5010 standards for electronic transactions, which replace the 4010 standards, were supposed to be tested during 2011, with all electronic transactions in the healthcare industry being conducted under the new standards by 1/1/12.
California Medicaid (Medi-Cal) stated recently that they just won't be ready to make the switch, and just won't do it (despite it being legally required). What will CMS do if Medi-Cal still isn't ready by April Fool's Day? I bet we'll see another extension. It seems that if you're big enough and say you won't abide by the law, the Feds will just change the law for you. Maybe it's not an issue of being big enough, but blue enough; I wonder how CMS would have responded if it was Texas' Medicaid program that refused to make the switch. . . .
UPDATE: here's
another link to the story. The Modern Healthcare link may be subscription only.
Jeff [10:41 AM]
UPDATE: Sutter Health. More on the Sutter Health data loss, noting it's part of a "trend." Also note the "crackhead" connection.
UPDATE 2: It was actually a desktop computer, rather than a laptop. Which goes to show, if you are a covered entity under HIPAA, you should really seriously consider encrypting it all.
Jeff [7:35 AM]
[ Thursday, November 17, 2011 ]
Speaking of Laptop Thefts: Smartphones are probably even more likely to be lost or stolen. How secure are yours? InfoWeek has some
thoughts, ideas and advice.
Jeff [11:03 AM]
Sutter Health: We may have a
new winner in the "most records lost at one time" category. Sutter Health has announced a HIPAA data loss involving over
4 million people. That's 4,000,000, or roughly 1 out of every 75 Americans. The loss was the result of a stolen computer (naturally), which was not encrypted (of course). Fortunately, there was no financial information or social security numbers, so it is highly unlikely that there will be any actual harm done because of this (and even if sensitive information had been on the computer, there probably would not have been any actual harm, due to the "crackhead" rule). But Sutter gets a pretty bad black eye.
Have we reached the point where encryption is now a practical requirement? I think maybe so. Computers will be stolen. Flash drives will be lost. It sucks to lose a $2,000 computer, but if it's encrypted, that's the extent of your loss.
Jeff [10:36 AM]
[ Wednesday, November 09, 2011 ]
HHS Officers Grilled on Capitol Hill: As
reported by BNA (subscription required), the Senate Judiciary Subcommittee on Privacy, Technology and the Law called up a group of HHS officers to question them on medical privacy breaches and the number of prosecutions. The Senators felt that HHS isn't doing enough, because there aren't enough prosecutions going on. The risk raised by increasing the footprint of electronic records was noted.
Jeff [8:07 PM]
[ Tuesday, November 08, 2011 ]
HIPAA Audits are coming: HHS
announces the audit program, and states that the audits will start in November 2011 and be finished by December 2012. It will be interesting to see who is selected for auditing. . . .
UPDATE:
Dom has more details (i.e., he's not as lazy as me).
Jeff [7:53 PM]
[ Monday, November 07, 2011 ]
Crackheads again, UCLA version: As I was saying, now it's a UCLA Health System
hard drive stolen from a doctor's house. 16,000 patients affected. Encryption, anyone? Password protected, but with the password written on a piece of paper that was also stolen. No social security numbers, which is good.
Jeff [9:30 AM]
Baltimore X-Ray Theft: As a further data point on my "unified crackhead" theory of healthcare data breaches, someone
stole thousands of x-ray films from a Baltimore hospital. Were they preying on the sensitive nature of the data as health-related? No. They weren't even after the identifying information that could be used for identity theft, much less medical identity theft. As with 99% of all hardware or "property" data losses due to the malfeasance of a third party (thefts of hard drives, computers, etc.), the goal was pure theft of a resellable asset. In this case, it's not the silvery images on the film, it's the silver in the film. Of course, that would destroy the PHI (and "secure" it for HIPAA/HITECH purposes), once the extraction procedure is done.
If you're looking for an explanation of a hardware/property data loss, the answer is almost always that the data is on its way to destruction, because the incident is purely a theft of the property, and if anything, the data is a hindrance to the crackhead thief.
Jeff [9:22 AM]
[ Friday, November 04, 2011 ]
TRICARE update: As
mentioned below, a bunch of TRICARE backup data tapes were stolen. Almost certainly they haven't been accessed, and there's no known harm done to anyone. But TRICARE and the contractor (SAIC) are offering
a free year of credit monitoring to anyone who might be affected and is worried.
Jeff [3:18 PM]
[ Friday, October 21, 2011 ]
HIPAA 5010 News: While most of this blog is focused on HIPAA's privacy and security requirements, there are other parts of HIPAA as well. One of the "other" components of HIPAA is the transactions and code sets business, which basically sets forms (format and content) for specific electronic healthcare transactions, such as submission of bills. The theory is that by reducing the number of different electronic forms/formats, and requiring everyone to use the same form/format, duplicative "translation" efforts can be eliminated and cost savings will occur. The American National Standards Institute (ANSI), the same group that sets standard sizes for light bulb screw-in threads and electrical plugs, sets these standards, and they are occasionally revised.
The original (I believe) HIPAA transaction and code set forms were called the 4010 formats; however, new standards, called 5010, have been proposed. All healthcare entities engaging in standard transactions via electronic formats were supposed to start testing the 5010 formats by January 1 of 2011, and everyone is required by law to switch to 5010 by January 1, 2012.
Unfortunately, not everyone is ready. If you're not ready, you could hire a "clearinghouse" to translate your current forms into 5010 format, so by the time your transactions hit the electronic marketplace, they are up to snuff. It seems that
California's Medicaid program is not ready, and will not be translating. Rather, they are requiring all Medi-Cal participants to translate their 5010 formats back into 4010 format. Can they do that? Not without violating HIPAA.
It will be interesting to see how the HIPAA enforcement agencies treat the largest Medicaid program in the country when it boldly decides not to comply with HIPAA.
(Big) Hat tip to Stanley Nachimson for flagging this.
Jeff [11:27 AM]
[ Monday, October 17, 2011 ]
Medical Identity Theft: It's
growing, says American Medical News. As with other data losses, as usual, if you want to look for the highest risk areas, look to where someone can profit from the data theft. With a regular data breach, it's not the medical information that's valuable, it's the social security numbers and other information that enables identity theft. And if it's not ID Theft the miscreants are after, it's medical identity theft.
Jeff [7:29 AM]
Spectrum Health System (Worcester, Mass), a mental health and substance abuse provider, has reported the
theft of a hard drive, one containing patient identifying data (including SSNs). Of course, the nature of the services make the information particularly sensitive. The data wasn't encrypted, but was double-password protected.
Jeff [7:24 AM]
[ Friday, October 14, 2011 ]
Nemours Data Loss: The Nemours Foundation, which operates health facilities in Delaware, Pennsylvania, New Jersey and Florida, has
lost 3 backup tapes containing patient data. The data, which includes names, DOBs, SSNs, and bank account information, is coded, but apparently not encrypted.
The good news is that the data is old (pre-2005) and there's no indication the tapes were stolen: they were in a storage cabinet that got removed when the building was remodeled. My guess is that they are in a commercial landfill somewhere (a few layers above Jimmy Hoffa). It's actually kinda amazing that they even knew the tapes were gone.
Jeff [10:37 AM]
[ Thursday, October 13, 2011 ]
Totally Off-Topic, but Awesome Nevertheless. The Most Interesting Baseball Player in the World:

Sorry, Detroit fans.
Jeff [11:28 AM]
[ Wednesday, October 12, 2011 ]
Today's data breach news: As seems so often to be the case, portable data storage is the Achilles heel of PHI security. In
New Hampshire, a flash drive with data of 2000 patients was stolen from a clinic employee's car. The flash drive was in a computer bag in a locked car; presumably the thief thought he was getting a computer, not a flash drive. The data apparently wasn't encrypted, but fortunately it didn't have social security numbers or credit card numbers either.
Meanwhile,
in Baltimore, the lawyer representing Dr. Mark Midei (the alleged stent over-user) in multiple malpractice claims lost a portable hard drive containing medical records of 161 of the plaintiffs. This one makes for some interesting reading. The law firm claims that the data was taken home nightly as a security precaution (basically, a data backup). But the data wasn't encrypted. And the firm waited two months before sending notice letters. The firm isn't a covered entity, but it's certainly a business associate, which would make it subject to the HIPAA Security Rule and the privacy provisions of HITECH. The plaintiff lawyer is pretty sanguine about it, calling it an honest mistake. I suspect the data has long been erased and this breach won't ever result in harm to the individuals whose data was on there (like the New Hampshire case, the value of the hard drive to a likely thief would be the hardware, not the data), but it's a pretty bad story.
Jeff [9:21 AM]
[ Thursday, October 06, 2011 ]
This seems about right: Doctors are
big users of social media, but do not use it to connect with patients, and even avoid patient forum sites.
Jeff [2:41 PM]
Stanford Update: The
New York Times has picked up the Stanford data breach story I
noted below; that definitely explains a lot about how the data ended up where it did. As a further twist on the story, a plaintiff has already appeared and filed suit (what damages she can show, I can't begin to imagine), but Stanford has vowed to
defend itself vigorously. Good on 'em.
Jeff [8:50 AM]