HIPAA Blog

[ Wednesday, July 23, 2014 ]

 

Sutter Health Data Breach Update: No proof of harm, no statutory damages.

As you know, someone threw a brick through a plate glass door and stole a desktop (!) computer from a Sutter Health location.  The desktop had protected health information on 4 million Sutter beneficiaries.  The California Confidentiality of Medical Information Act contains a statutory damages amount of $1,000 per person, which implies a potential $4 BILLION in damages for Sutter.

Not so fast.  A California appellate court has determined that, since there's no evidence the thief actually looked at the data (as opposed to merely acquiring and possessing it), there's no proof that the statute was violated.  As the court said, it's called the "Confidentiality of Medical Information Act," not the "Possession of Medical Information Act."  Loss of peace of mind apparently isn't a damage.

While this is the second time the court threw out a claim of breach where loss was certain but actual viewing or use wasn't, I suspect nothing will be settled here until the California Supreme Court (and possibly the US Supreme Court) rules.

Jeff [10:25 PM]

[ Saturday, July 19, 2014 ]

 

Vendini Settlement: I got a stray email on this, so thought someone might find it interesting.  Vendini, a ticketseller like Ticketmaster, apparently allowed a third party to view non-PHI personal information such as credit card data, and a class action suit was filed.  A settlement has been proposed.  About all you'll get is the actual cost of your credit monitoring or placing holds on your accounts, and the results of any actual identity theft such as overdraft charges.  I'm sure the lawyers will do well, though.

Jeff [8:34 AM]

[ Thursday, July 17, 2014 ]

 

Big Data in Healthcare: here's an interesting article.  This is all possible, but it's easy to see how this information could be used to the detriment of patients.  Privacy concerns obviously abound.

Hat tip: Alan Goldberg

Jeff [9:41 AM]

[ Monday, July 14, 2014 ]

 

Big Health Data Breaches Are Inevitable, and Are Coming: This article has popped up several places in my morning reading.  They are probably right; in fact, some big health data hacks have probably already occurred, but we just don't know about them yet because we don't yet know how the data is being used and aren't able to see it.  There are probably millions of individual instances of medical identity theft occurring every day, from the voluntary "sharing" of insurance by cooperative parties (your brother has insurance through his job but you don't so you go to a doctor and pretend to be him so that his insurance will pay for your care) to identity theft facilitated by insiders (a nurse or receptionist issues multiple Oxycontin prescriptions to a legitimate pain patient, but sends the extras to a friend who fills them and resells the pills) to pure identity theft (a hacker gains medical identities and sells them to people who use the unwitting victim's insurance to pay for their care). 

Medical identity theft can be much more lucrative than stealing credit card info, since the medical information is more persistent and the credit card info is more transitory (you can get a new credit card number, not a new medical history).  That said, you need a purchaser who needs healthcare to complete a medical identity theft, whereas credit card info can always be used immediately.

Jeff [12:45 PM]

[ Wednesday, July 09, 2014 ]

 

Malvern Group's weekly breach email is out.

Jeff [5:38 PM]

 

32,000,000 Victims: According to this report, 32 million Americans have been victims of EMR data breaches.  Some say this is an indictment of the EMR concept, but I think it's more of an acknowledgement that privacy/security is hard, and digitization of information has some risks.  Considering this many breaches as proof that EMRs are a bad idea ignores the benefits EMRs also bring.  It's important to consider this as an additional cost of digitization of records, and EMR evangelists do tend to ignore the costs.  But EMR haters can't ignore the benefits, either.

Balance. . . .

Jeff [4:57 PM]

 

InfoWeek Notices: yes, there are a lot of HIPAA complaints.

Jeff [4:19 PM]

[ Thursday, July 03, 2014 ]

 

Off Topic Slightly: A Goldman Sachs contractor meant to send some confidential data to someone at Goldman using their gs.com address but accidentally sent it to the same name at a gmail.com account. They've been unable to contact the account holder, and Google won't delete the email or divulge info about the account owner without a court order. More here: http://mobile.reuters.com/article/idUSKBN0F729I20140702?irpc=932


Jeff [9:02 AM]

[ Sunday, June 29, 2014 ]

 

University of Cincinnati Medical Center: Apparently a non-clinical employee of the hospital accessed a patient's medical record and learned that the pregnant patient had a sexually-transmitted disease.  The employee gave the information to the man who impregnated her; that man took to Facebook to taunt and ridicule her. The patient complained and the employee was fired; the patient has now sued.

Fun stuff: there's a possibility that disclosing to the baby-daddy would be fine, if the hospital knew that he was "involved in the care" of the pregnant woman.  But that's probably not going to be persuasive since the employee was not a clinical employee and had no business being in those medical records (perhaps she should not even have been able to access those records, depending on the scope of her job responsibilities). And I suspect the baby-daddy and the financial services employee had some personal connection, such that she should have known not to dig into medical records for improper reasons (assuming the hospital did good training, had good policies, etc.).

What's interesting is that OCR is taking an interest because the hospital did not notify OCR about the breach; however, the hospital says they did provide notice, and they have proof of it.  This could be a hole in OCR's reporting website.  Or it could be a confusion about names.

Hat tip: Jennifer Clemons

Jeff [10:37 AM]

[ Thursday, June 26, 2014 ]

 

Deep Security: Is your data network leaking data that makes itself more vulnerable to a targeted hack?  It seems to be the case with lots of hospital networks.  You're still more likely to suffer a HIPAA breach from a lost laptop, but this type of hack could cause you a whole lot more damage.

Jeff [9:12 AM]

[ Wednesday, June 25, 2014 ]

 

NRAD: a Long Island (NY) radiology practice has sent notices to almost 100,000 patients that a radiologist employee improperly accessed their personal information.  This is particularly interesting because HIPAA allows a covered entity to not send notice when the improper access is by an employee who might otherwise be allowed access to the data.  If the access was unintentional or done innocently, the radiology group might not have had to send the notice.  That implies that the practice thinks there's something wrong here.  Stay tuned. . . .

Jeff [9:22 AM]

 

Montana Hack: the computer system of the Montana State Department of Health was hacked, resulting in exposure of ID-theft type information. 

Jeff [9:16 AM]

[ Monday, June 23, 2014 ]

 

Parkview Health Fined $800,000: OK, this wasn't smart, but the fine seems awfully steep, especially since it doesn't appear that the records were accessed.  What happened?  Parkview had records from a retiring physician, apparently intending to give them to other physicians taking over those patients.  I guess some were left over -- 71 cardboard boxes full of them.  The hospital stacked the boxes up in the doctor's driveway, even though they knew she wasn't home.  Not a good idea.

Jeff [2:03 PM]

[ Monday, June 16, 2014 ]

 

Domino's data breach/data hostage issue: As this story illustrates, one of the current scary trends in data breaches is hackers who capture a business-critical database, encrypt it, and hold it for ransom; if you don't pay, you lose all your data.

What's really scary about this story is that Domino's has operations in France.  My respect for French cuisine may never recover.

Jeff [12:49 PM]

[ Wednesday, June 11, 2014 ]

 

SAMHSA is Listening: I mentioned earlier that the Substance Abuse and Mental Health Services Administration is trying to figure out whether the "Part 2" rules are hindering the exchange of information necessary for coordination of care in the new interconnected world of HIEs and ACOs.  My favorite health privacy reporter, Theresa Defino, has an article (free registration required) on today's "listening session," where SAMHSA is trying to get constituents to give input. 

Jeff [4:43 PM]

 

Malvern Group's weekly HIPAA breach report is out.  I picked up a few of these specifically already, but there's always more.

Jeff [11:19 AM]

[ Tuesday, June 10, 2014 ]

 

Guest Blogger:  As you know, I occasionally allow a guest blogger or two to provide different perspectives.  Here's one:

Health IT Lag

by Michael Sculley, VP of Marketing, PracticeSuite


BitSight Technology, a security rating firm, reports that the healthcare industry needs to take a lesson from the recent data breaches experienced by Target and eBay. The BitSight report, “Will Healthcare Be the Next Retail?” warrants close attention. It analyzed security breaches and response times of four different industries: Pharmaceuticals and healthcare (healthcare), utilities, retail and finance.

The study was conducted for the year between April 1, 2013, and March 31, 2014. All sectors experienced security incidents. Finance had the fewest incidents and the fastest response time, about three-and-a-half days. Retail and utilities both responded in about four days. Healthcare had more security incidents, yet came in last in response time. It took five full days to respond to security breaches.

The fewest breaches and best response time was in the financial industry. That industry takes cybersecurity very seriously and goes beyond doing what is legally required. It takes extra steps to ensure the security of data. It also readily provides warnings to other industries whenever it becomes aware of potential security threats.

Unfortunately, neither healthcare nor pharmaceuticals view cybersecurity as seriously as they need to. It apparently has not received the appropriate attention from executives at the higher levels. Both industries need to spend more money and provide greater compensation for their data security professionals.

The two industries are in compliance with HIPAA regulations, but spend barely enough money to meet the requirements. Unfortunately, just because they are compliant does not mean they are secure.

The BitSight report is similar to a recent SANS Institute report. That report emphasized that the healthcare industry has lagged far behind in its cybersecurity and warns that measures need to be taken to reduce risks. Breaches have become so frequent that the U.S. Department of Health & Human Services (HHS) is imposing heavy fines on health care organizations that have a compromised Internet-connected device.

The failure to take proper cybersecurity precautions can be expensive as the New York-Presbyterian Hospital recently discovered. HHS imposed a $3.3 million fine on the hospital. This is the largest penalty ever imposed for use of a compromised server in the health care industry.

____________________________

You can reach Michael at msculley@practicesuite.com.  PracticeSuite offers billing, practice management, and other medical software products.

Jeff [3:36 PM]

 

Access Health CT (Conn. Obamacare exchange) Data Breach: This, on the other hand, is a reportable breach: a backpack was found abandoned on a Hartford street.  It contained paperwork from the Connecticut Obamacare insurance exchange relating to 400 exchange customers, including names, social security numbers, birthdates, and other printed and handwritten information.  Apparently it was a call center employee's backpack.  They aren't supposed to take that information outside of the premises of the call center. 

It will be interesting to see if there is a fine levied here.

Jeff [10:58 AM]

 

Penn State-Hershey Hospital Breach: Should this have been reported?  A lab tech accessed PHI of 1800 patients via his home computer using a flash drive, and sent some PHI to two doctors via his personal email.  The flash drive wasn't encrypted, nor were the emails.

I'm pretty surprised this did not meet the "low probability of compromise" standard for non-reporting.  The staff member was authorized to access the PHI, just not outside the security of the hospital's computing environment.  The flash drive wasn't encrypted, but wasn't lost or apparently outside the control of the tech.  The data was definitely PHI, but did not include social security numbers, so it's a low ID theft risk.  The emails were to physicians, presumably proper parties to receive the PHI (just not via unsecured email).  If the data is scrubbed from the tech's personal email account, and the doctors have secure accounts (or also scrub the data), where's the risk of compromise?  That someone snatched the PHI out of the ether while it was being emailed?  Possible, but a very low risk.

The more I think about it, the more I think this should not have been reported.  This is much more likely to (i) unnecessarily worry patients who receive notices, and (ii) increase the likelihood of "alarm fatigue" by providing a false positive.  Fix the problem, fix your policies if you need to (prevent the use of flash drives or only allow encrypted ones), retrain the staff, sanction this employee, make this a teachable moment . . . but don't ring the alarm bell when it's not necessary.

Jeff [10:47 AM]

[ Monday, June 09, 2014 ]

 

University of Cincinnati Medical Center "Team No Hoes" Facebook Page: If true, I'm hoping this is just a "bad employee" problem.  But the UC Medical Center is being sued because a patient with a sexually-transmitted disease had her medical records posted on the hospital's "Team No Hoes" facebook page by a couple of hospital employees, allegedly at the urging of the patient's former boyfriend. 

I can't cast any judgment without more facts, but it sure sounds like a good time for UC to (i) review their employee training, sanctioning, and other policies, and (ii) review their social media policies.

Jeff [1:32 PM]

 

HIPAA and Mental Health: HIPAA causes a lot of issues as it tries to balance the right to privacy with the effective working of the healthcare system.  One area of acute issues is mental health, particularly involving adults.  Here's an article outlining the issues raised when a child with mental health issues reaches the age of 18, and his parents no longer are automatically treated as his "personal representatives."  Before a child reaches the age of majority (usually 18), his parents usually will have the right to access his records, communicate with his caregivers, and make medical decisions for him; but once he reaches 18, unless he gives his consent, the caregiver is limited in the information he can give to the parents, and the child gets to decide on his treatment.  The caregiver can still provide information to the parents as people "involved in the care of" the patient, but if the patient demands the caregiver keep the information secret, they must do so in most instances.  Plus, even if the caregiver could pass the information to the parents under the "involved in the care" exception, they are sometimes afraid to do so, since that decision could be challenged by the patient.

It's a difficult area where HIPAA's balancing act is going to leave some frustrated.  But I don't think the Murphy bill will help.

Jeff [1:26 PM]

[ Wednesday, June 04, 2014 ]

 

Securing Mobile Devices: InfoWeek has a great article on the importance of and ways to secure mobile medical devices, including not just phones and tablets, but other medical equipment that stores or transmit data.  One takeaway:

Enterprise mobile management best practices include:

Jeff [12:38 PM]

 

Malvern Group's weekly breach update is out.

Jeff [8:04 AM]

[ Tuesday, June 03, 2014 ]

 

The OIG's take on Big Data: A couple of interview clips with Daniel Levinson, the HHS Inspector General, on the risks and compliance issues posed by Big Data.  Brought to you by @HHCA.

Jeff [5:14 PM]

[ Monday, June 02, 2014 ]

 

Montana HHS Hack: apparently the Montana state Department of Health and Human Services got hacked, when they found malware on a server.  No determination of whether anything was improperly accessed or not. 

Jeff [10:44 AM]

[ Tuesday, May 27, 2014 ]

 

"Be Khat Bell."  OK, this is completely off-topic, but a pretty cool thing happened to me this weekend. 

A little back story first.  Last December, I drove to Omaha to bring my oldest daughter home from Creighton University.  She spent the spring semester at Loyola-Chicago's campus in Rome, so needed to move out of her apartment completely over Christmas break.  Gina played volleyball through high school and has played club volleyball in college, and we're a volleyball family: I coached Gina in 7th and 8th grades, and have coached my youngest daughter, Mary, since 3rd grade (she's about to enter 8th).  As luck would have it, the night I would be in Omaha picking Gina up was the first night of the regional round of the NCAA volleyball tournament (wherein the Sweet 16 would become the Final Four), with the University of Nebraska hosting one of the 4 sites.  Again, as luck would have it, that Friday night would see the University of Texas play American University, and Nebraska play University of San Diego.  I attended law school at UT, and Gina attended several overnight volleyball camps at UT, so we're definitely fans of Jerritt Elliott's UT volleyball program.  And since Lincoln is about an hour's drive from Omaha, we decided to go watch some volleyball in the middle of packing up.  StubHub delivered great tickets (the view from our seats is below), and we got to see UT beat American and Nebraska beat USD.  (We were driving home the next day when the UT-Nebraska game started, but got home in time to see UT beat Nebraska; unfortunately, they lost to Wisconsin in the semifinals.)




The games were a blast.  One of Gina's good friends, Creighton club volleyball teammates, and honorary Drummond daughter, Reana Lee, is from Hawaii, as is Sarah Palmer on the UT team.  Of course everyone in Hawaii knows each other, so we talked to Sarah's parents after UT's win (actually, Sarah and Reana played volleyball together in Hawaii and the families know each other).

But back to the story.  During the UT match, I was intrigued by one of the UT players, Khat Bell.  I noticed that whenever Khat was on the sidelines and not on the court (she's a front-row player, but is replaced with a defensive specialist when she rotates off the front row), instead of standing with her teammates watching and cheering on the girls on the court, she was crouched down, like a wide receiver, ready to sprint out onto the court.  Sometimes she'd even put one hand down, like a sprinter.  The other girls on the sidelines laughed, cheered, high-fived, but Khat was poised, like a lion or a jaguar, (or some other "big cat"), her face stressed and serious.  Forget the cheering, forget the celebrating, she only wanted one thing: to get back on the court, pound some volleyballs, and kill some sets.  I found myself watching her rather than the points, to see if she would lighten up, but she never did.  She didn't care what happened on the last point, good or bad: she wanted to be out there, on the court, winning the next point.

This spring, my youngest, Mary, played club volleyball for the first time.  Mary's very hard on herself, frets over past mistakes, and tries to find fault or blame on every bad play (and most good ones too).  After a bad play, she loses energy, and it's obvious that she's fretting, worrying about, and focusing on the last play, not concentrating on the next.  You can read it in her face.  Between matches at one early tournament, I pointed out to her that she was spending too much time focusing on the last point, and it was costing her.  I told her the story of watching Khat Bell on the sidelines.  Khat didn't care whether her last play on the court was a good one or a bad one.  She didn't care if her teammates were playing well or poorly without her.  She didn't care about fault or blame.  She just wanted to get back into the game and play the next point.  And that's what I encouraged Mary to do: forget the last point, and focus on the next. 

I told her, "You've got to find your inner Khat Bell.  You've got to be that person who only looks forward.  You've got to be Khat Bell."

During the rest of the season, one of the things I constantly yelled at her from the sidelines was, "Be Khat" or "Be Khat Bell."  I'd crouch down like a wide receiver about to sprint off at the snap of the ball, so if she didn't hear me, she'd see what I was encouraging her to do.  I'm her dad, so of course she didn't pay any attention to me, or at least pretended she didn't.

Fast forward to last weekend.  Club season is over, and now Mary is trying beach volleyball.  She normally trains on Tuesday afternoons at The Sandbar in the Deep Ellum part of Dallas, but she's going to miss a few Tuesdays for summer vacation and is making up those training sessions with some Thursday and Sunday practices.  Gina and I took Mary there this past Sunday, and we stayed to watch them train.  Shortly after they started, a tall, sleek athlete sauntered in, with a burnt orange top and black spandex with the UT longhorn on the sides.  Guess who?


If the next best thing to being Khat Bell is being next to Khat Bell, then Mary got there this Memorial Day weekend.  Maybe she'll listen to me now. . . .

Jeff [2:48 PM]

[ Thursday, May 22, 2014 ]

 

KC Hospital Data Breach: Research Medical Center and Midwest Women's Healthcare Specialists made the mistake of dumping patient records without shredding them.  The harm was compounded when they were put in an open dumpster, and the wind blew them down the street and (eventually) into the hands of a TV news reporter. Uh oh.

Jeff [1:41 PM]

[ Wednesday, May 21, 2014 ]

 

Psychotherapy Notes: Under HIPAA, individuals have a right to access almost all of their PHI.  One big exception is psychotherapy notes, which are pretty narrowly defined to exclude diagnosis information, treatment start and stop times, medications, and any other information kept in the regular medical record.  These notes are treated differently because they are often intended for the benefit of the therapist, rather than the patient, and may contain information that, if exposed to the patient, might hinder the therapy.  Thus, the exception allows the therapist to keep her own notes and not have to worry about censoring them, in case the patient asked for a copy.

Boston's Beth Israel Deaconess hospital is now allowing patients to review their therapist's notes, and it's causing a bit of an uproar in the psychotherapist community.  It will be interesting to see how this plays out.

Jeff [5:33 PM]

 

Malvern Group's recent breach report is up.

Jeff [11:41 AM]

 

Social Media Tips: Any casual observer of HIPAA issues knows that social media poses a special risk to healthcare providers.  As a business, you want to have a good social media presence (Facebook page, maybe a Twitter feed) that promotes your business; the fact that you happen to be a healthcare provider doesn't change the business need, but does require special precautions to ensure that you don't inadvertently disclose PHI or violate HIPAA. 

Here's a good, generalized list of social media tips for any business.  In addition, HIPAA covered entities should also, at a minimum, have social media rules built into their policies and procedures, have regular and intensive training on the risks and do's/don't's of social media use, actively manage any social media projects and programs, and quickly respond to any complaints or concerns.

Jeff [11:40 AM]

[ Wednesday, May 14, 2014 ]

 

Malvern Group's weekly HIPAA data breach report is up.

Jeff [2:57 PM]

 

Walgreens Dismissed: Here's a good example of OCR dismissing a HIPAA privacy complaint, because the covered entity had good, if not perfect, protections in place.

Jeff [7:34 AM]

[ Tuesday, May 13, 2014 ]

 

State Data Breach Laws: Kentucky adopts one, Florida revises its.  Don't forget: whenever you analyze a possible breach situation to see if you have a HIPAA reporting obligation, check applicable state law as well; you may have a different or additional reporting requirement.

Jeff [1:04 PM]

[ Monday, May 12, 2014 ]

 

SAMHSA Seeking Input: The Substance Abuse and Mental Health Services Administration is looking for public input regarding the protection of alcohol and substance abuse treatment records.  Affectionately known as the "Part 2 Rules," part 2 of 42 CFR (as opposed to parts 160 and 164 of 45 CFR, where the HIPAA Privacy and Security Rules are) imposes brutally strict nondisclosure rules on federally-supported substance abuse treatment facilities.

42 CFR disclosures are much more limited than 45 CFR disclosures.  However, with more integrated care (including HIEs and ACOs), it's becoming harder and harder for substance abuse facilities to comply with the strict Part 2 requirements, while also providing coordinated, quality care.  SAMHSA is looking for public comment on how to keep appropriate protections while allowing appropriate data sharing.

More information here.

Jeff [4:27 PM]

[ Wednesday, May 07, 2014 ]

 

Malvern Group's weekly data breach report is up.

Jeff [11:05 AM]

[ Tuesday, May 06, 2014 ]

 

World's Smallest Data Breach: UMass Memorial may win the prize here.  It's still reportable, though. 

Jeff [8:57 AM]

[ Wednesday, April 30, 2014 ]

 

Boston Medical Center: the hospital fired its transcription vendor, because it found that the vendor made PHI available on its physician-access website without password protection.  Obviously the physicians need to be able to access the transcriptions to review and sign off, but appropriate protections must be in place.  Firing the vendor probably gives the covered entity hospital a possible defense against an OCR fine (assuming they didn't/shouldn't have known about the problem earlier).

Jeff [6:42 PM]

 

Malvern Associates' weekly data breach report is out.

Jeff [7:26 AM]

[ Tuesday, April 22, 2014 ]

 

Recent Enforcement News: OCR announces two new substantial fines: $1.7 million in one case and $250,000 in another, both involving unencrypted computers.

Jeff [3:04 PM]

[ Thursday, April 17, 2014 ]

 

OT: Club Schmitz is Closing.  Since sometime in the mid 1990's, most summers I host a group of summer clerks at my law firm at something we like to call "Dallas Dives."  While other lawyers take the clerks to lunch at different "dive" locations around the city, my Friday midday trek is always to the same place, Club Schmitz.  Opened in 1948 (and they've never changed the grease in the fryers since), it is the prototypical dive: burgers, cheap beer, and all things fried, served in broken-down cracked-vinyl booths and wobbly tables arrayed across a broken linoleum floor.  Golden Tee has replaced the pinball machines, but the pool table and shuffleboard are still there.  The building is a squat one-story cinder-block fortress, with bars on the windows and one door out each side.  A good place for a gangster's hideout, since the cinderblocks could stop bullets and there's always a way to escape.  It's the closest thing to a McSorley's that Dallas could hope for.  And it is no more, or will be May 31.

I have no idea how many times I've been to Club Schmitz, and couldn't even guess.  I don't know the exact date of my first visit, either, but I can say with some certainty that it was probably in September of 1980, early in my first semester at the University of Dallas (when the drinking age in Texas was 18).  Club Schmitz, along with Diamond H and Luke's Outhouse, was a UD hangout, for cheap beer and cheap burgers and chili.  There were plenty of old folks hanging around, but they weren't bothered by the boisterous college kids; I figure now that they saw themselves in us to some degree, perhaps even envying us.

Schmitz was usually a nighttime place for us back then.  When I moved back to Dallas in 1994, at some point I went there for lunch.  And went again.  And again and again.  It wasn't a daily thing or anything; I probably got in the habit of going once a month or so.  Often with friends, clients, co-workers, other lawyers, but as often alone.  I found that I could take work there, spread out at one of the booths near a window (to get some sunlight in an otherwise dark bar), and get more done over lunch -- with no disruptions -- than I could in the entire morning in my office.  Every third or fourth trip, I'd run into someone I knew from work, church, school, the real world, managing partners of law firms and executives of energy companies, all taking advantage of the guilty pleasure of a greasy lunch.  More than once I saw the Chairman of Southwest Airlines, Herb Kelleher, there with a handful of Southwest execs.  Everyone goes to Schmitz's.

My one somewhat constant Schmitz companion was my associate Karen Pyatt.  If we were out seeing a client, or just needed to get out for lunch, Schmitz was always on the list of choices.  Sometimes it was her, sometimes me, but occasionally one of us just needed the grease, and off we went.  Karen still refers to Carol, one of the two usual waitresses (not the one who waves at the trains), as the "Hotel California waitress": sort of a you-can-check-out-but-you-can-never-leave type who is always there at lunch.  We came in one noontime and Carol immediately came to our table with a pair of sunglasses.  "Are these yours?  I think you left them last time."  They were, and I had.  It had probably been a month before that I left them, but she knew I'd be back.  And I was.  When was the last time that happened to you at a restaurant?

I don't know the last time I actually had to place an order -- I always get the same thing: "double double pops, all the way."  Double meat, double cheese, all the trimmings, and tater pops; not tater tots, these are chopped potato bits with jalapeno peppers and cheese, deep fried into hush-puppy-sized balls of heaven.  And a huge glass of iced tea (it would've always been beer at UD, but if I did that now, I'd never go back to work).  When I walk in, I always know that Carol or the other waitress has spotted me when I hear them call back to the bar for my iced tea.  She'll deliver my iced tea, and ask, "the usual?"  I'll say, "of course," and she'll say, "good, because I already put in the order."

Most summers, during the Dallas Dive visit, at least one of the summer clerks (law students between their second and third year of law school, interning with the law firm to try to show off their skills and earn an offer back for a post-law school job) will ask how long I've been going there.  I'll tell them that I started Schmitzing sometime in September 1980.  Once, upon hearing that, before she could stop herself, a young woman blurted out, "Wow, that's before I was. . . . "  Have you ever seen someone try to suck the words they've just spoken back into their mouth?  She was mortified that she had just insulted a partner and the firm she wanted to work for.  I just smiled and said, yes, I've been coming here longer than you've been alive.  Hopefully you'll appreciate the charm and understand why.

I'll drag one more class of summer clerks, the last one, out there next month; we had originally planned on May 30 for the Dallas Dive visit, but decided to move it up a week -- the penultimate day will probably be too crowded for the size of the group we're likely to bring. 

My youngest Mary loves the place; my wife Anne Marie, despite her UD credentials, doesn't.
It's not for everyone, but it really has been my place for a while.  And I'm really sad to see it go.

UPDATE: I went back to Schmitz's today for lunch (only a month left), and asked Carol the name of the other waitress: Andi.  All these years, now I know.

Jeff [4:16 PM]

[ Wednesday, April 16, 2014 ]

 

Malvern Group's weekly breach report is up.

Jeff [7:29 AM]

[ Monday, April 14, 2014 ]

 

When your employees steal patients' data.

Jeff [3:32 PM]

[ Thursday, April 10, 2014 ]

 

Right Now: I'm listening to Kristen Rosati talk on "Anatomy of a Health Care Data Breach" at the UT's Health Law CLE seminar.  A couple of key points on hands-on dealing with a breach:

Look at your BAAs and make sure notice responsibility from BAs is clear, including who to report to (the regular "notice" provision probably isn't right; you want them notifying the Privacy Officer).  Also, BA reporting time is subsumed into the CE's reporting time, so it should definitely be shorter than 60 days (hopefully within time for the CE to meet the 30-day response for an affirmative defense).  BAs might want to keep a matrix of their reporting obligations under all of their different BAAs.

OCR reviews the 500+ breach reports daily and regional offices confirm that entity actually submitted the report.  If you get that call from OCR, you should already be working with your response team.  Even though OCR folks are nice, it is a formal investigation, so keep a record of your communications with OCR.

State AG penalties are capped at the old $25,000 level, not the new $1.5 million level.  Each individual and each day of violation count as separate violations (you get to $1.5 million quickly), and one act can violate more than one requirement.

On the flight down, I read HCCA's monthly magazine, and saw a Privacy Officer refer to "LoProCo" as shorthand for "low probability of compromise;" I will use that handle.

#LoProCo

Jeff [12:16 PM]

[ Wednesday, April 09, 2014 ]

 

Malvern Group's weekly HIPAA alert is up.

Jeff [11:44 AM]

[ Friday, March 28, 2014 ]

 

Windows XP: Good (if mildly profane) blog post outlining some of the hysteria on the impending XP apocalypse (xpocalypse?). 

Here's the article the blog blasts.  And here's a better explanation of what's happening with XP and what HIPAA really requires.

Jeff [1:55 PM]

 

HIPAA Security Risk Analysis: Regular readers will know that I consistently advise HIPAA covered entities to undertake, and periodically repeat, "risk analysis" reviews.  It's been required under HIPAA since April 2005, and you simply can't have decent, appropriate policies and procedures without doing a risk analysis first: how do you show that you've taken appropriate security steps if you don't even know where your security risks are?

Additionally, as I've noted before, if you're taking "Meaningful Use" moneys (in connection with adopting EMR technology), then you must certify that you've done such a risk analysis.

There's already been one indictment for a False Claims Act violation against a hospital CFO who certified that the hospital did a security audit and was a "meaningful user," when they weren't. I'm hearing now that CMS is auditing MU stipend recipients and asking for proof of their risk analysis, and the policies and procedures generated by the analysis.

Whether you've done your risk analysis or not (you have to regularly re-do it, too), you should look at this Security Risk Assessment toolbox provided by HHS under HealthIT.gov.  There is no standard template for what a Risk Assessment should look like, since it's entirely dependent on the specific facts of the specific entity.

You have a HIPAA obligation to do it.  You may have a MU obligation to do it.  And frankly, you have an obligation to your patients/customers to do it.  So, . . .

Jeff [12:27 PM]

[ Wednesday, March 26, 2014 ]

 

Malvern Group's weekly data breach email is up.

Jeff [5:51 PM]

[ Monday, March 24, 2014 ]

 

Five Steps to Preventing Help Prevent Security Breaches: Had to fix the headline.  These definitely will help, but aren't guarantees.  There are no guarantees.

Jeff [2:45 PM]

[ Thursday, March 20, 2014 ]

 

Interesting Post-Omnibus Rule Trend: Covered Entities exercising greater oversight of their Business Associates' security measures.  I've seen this a lot in post-Omnibus BAAs, as well as in some of the HIPAA press and seminar circuits; here's a good example of the type of advice consultants are giving.  What's particularly interesting about this development is that the HITECH Act and the Omnibus Rule directly place greater HIPAA privacy and security requirements onto Business Associates.  Why, now that the law directly requires it, are Covered Entities taking a more hands-on approach to this?  If anything, changes in the law should make it less necessary to be contractually specific.  Interesting.

Jeff [4:58 PM]

[ Wednesday, March 19, 2014 ]

 

Using Cloud Service BAs to Police Your Other BAs?  Covered entities are rightfully suspicious of the privacy and security offered by their vendors and other BAs.  Some cloud-based service providers are offering to help providers manage their BAs and ensure they're doing what they need to do.

Jeff [3:58 PM]
