[ Wednesday, March 05, 2014 ]
Jeff [4:55 PM]
weekly breach roundup is here
[ Tuesday, February 25, 2014 ]
Mental Health and HIPAA:
Jeff [10:01 AM]
The mental health arena has always been a tricky playing field for HIPAA and privacy, for obvious reasons. Mental health information is particularly sensitive, but it is often imperative that the information be shared since the patient might not be able to make appropriate decisions. This becomes painfully acute when mental health issues contribute to tragedy such as the Sandy Hook and Virginia Tech shootings. Information not shared due to privacy concerns might have prevented the incident or lessened its impact.
HHS is trying to assist providers and others on how to bridge this gap. They have issued guidance here, and FAQs here. If you practice in the mental health field, this is worthwhile information.
[ Wednesday, February 19, 2014 ]
Model NoPPs in English and Spanish:
Jeff [8:51 PM]
OCR has issued 16 different formats for Notices of Privacy Practices, 8 in English and 8 in Spanish. Each language set is further divided into 4 formats for providers and 4 formats for health plans. The four formats are booklet, layered, full page, and text-only.
Jeff [7:38 AM]
As noted, this insurance plan was fined $6.8 million. But the fine was levied by the Puerto Rican authorities, not OCR. Keep in mind, HIPAA penalties may be capped at $1.5 million, but you are facing state penalties as well.
Jeff [7:35 AM]
Weekly breach report is out, featuring a $6.8 Million fine for Triple-S Salud.
[ Monday, February 17, 2014 ]
Happy 5th birthday, HITECH Act.
Jeff [3:35 PM]
[ Wednesday, February 12, 2014 ]
Google Cloud Accepts HIPAA Responsibilities:
Jeff [10:41 AM]
Google, which has consented to signing BAAs since the Omnibus Rule became effective, is making Google Cloud even more HIPAA friendly for developers and others using the cloud. Not sure just how big this news is, but it does illustrate a nice trend, as vendors and other business associates (and subcontractors) who are more removed from direct healthcare services begin to recognize the reach of the law.
[ Tuesday, February 11, 2014 ]
Did AOL's CEO violate HIPAA?
Jeff [4:41 PM]
In explaining why the company was making its 401(k) a little less generous, Tim Armstrong said increased costs for health benefits meant that retirement benefits would have to come down a little. He specifically mentioned a couple of "distressed babies" that cost the company health plan a million bucks each. Is that a HIPAA breach?
I don't think so. If he got the information from the health plan and wasn't supposed to, that could be a HIPAA violation. HIPAA requires companies to erect a firewall between the company's health plan (and the health data it holds on employees) and the rest of the company, particularly HR. Presumably, the CEO isn't on the health plan side, so he shouldn't have access to individual health information that the health plan holds, analyzes, and transmits. However, the health plan CAN share "summary health information" with the business side, and this could certainly be that.
There's also the question of whether this is PHI at all. To be PHI, it must be individually identifiable. Obviously, he didn't name the babies. But if it would be possible to identify the babies or their mothers/fathers who are the AOL beneficiaries, it could be PHI. I don't know how many employees work at AOL, but some employees would presumably know if a coworker had a baby with lots of medical issues. One of the AOL employees (actually, the wife of the employee, Deanna Fei) went public that she and her baby were one of the ones mentioned by Armstrong, because her husband's co-workers began asking him if his baby was one of them.
Which illustrates a little quandary that occasionally pops up when the policy behind HIPAA is examined: HIPAA requires that health information be treated as if it is entirely private, when often it is much more public than a lot of other personal information. I probably don't know how much my co-worker gets paid, but I almost certainly will know my coworker is pregnant; I'll probably know if she has problems with the pregnancy, if the baby is born prematurely, if he/she is in a neonatal ICU for an extended period of time, etc. While my co-worker could keep all that information private, the fact is that people tend to be friends with co-workers, and people tell (some of) their health information to their co-workers.
In the AOL case, Mr. Fei apparently told his co-workers about his baby and his/her medical issues; otherwise, how would they know it might be him that Anderson was talking about? The only thing Anderson spilled that wasn't already known was the total cost.
One final note: when I first heard that the AOL CEO was in trouble for cutting the 401(k) and blaming it on "distressed babies," I thought he was referring to AOL workers. Particularly those at the Huffington Post.
HIPAA CLIA change:
Jeff [6:53 AM]
Not everyone agrees that it's a good idea for patients to get their PHI directly from the lab. There's a risk, for sure, when patients get information unfiltered and unexplained; that's probably why CLIA labs were excluded from the "access" requirement in the first place.
[ Monday, February 10, 2014 ]
Medical Records Update for Paralegals:
Jeff [4:56 PM]
If you missed my Lorman presentation last month (uh, Bob, I'm looking at you), it's available in recorded format here.
How does the Target data breach affect healthcare entities?
Jeff [10:38 AM]
You can read my take on it here
[ Saturday, February 08, 2014 ]
Got a good digital NoPP? ONCHIT is looking for the best one.
If your on-line Notice of Privacy Practices is the best there is, the Office of the National Coordinator for Healthcare Information Technology has a prize for you.
Jeff [7:00 AM]
[ Thursday, February 06, 2014 ]
Ruh-Roh:
Jeff [1:37 PM]
St. Joseph in Bryan, Texas has apparently been hit with a "huge" data breach involving a server attack, with over 400,000 patients and employees affected. Social security numbers and medical data are both involved.
For Your Viewing Pleasure:
Jeff [11:10 AM]
It's the HHS HIPAA YouTube Channel. I don't know if viewing these will help you become HIPAA-compliant, but I'm pretty sure they won't count as "training" of your staff. Still, interesting to see.
[ Monday, February 03, 2014 ]
CLIA Lab exception to HIPAA going away:
Jeff [1:46 PM]
Under HIPAA, individuals have a right to access all of their PHI held by covered entities, with a few limited exceptions. One exception was that CLIA-covered labs did not have to provide such access: CLIA limits those labs to only providing test results to an "authorized person." This generally means the ordering physician or the physician who will use the test results or communicate them to the patient, not the patient him/herself. Because of the CLIA limit, HIPAA contained an exception for CLIA labs, so that they were not required to provide access to their patients, the way other covered entities must.
That will now change, to be effective late September/early October. HIPAA will now require CLIA labs to also provide patients with copies of their PHI, if the patient requests.
Unity Health (Wisconsin) Breach:
Jeff [8:10 AM]
Encryption would've alleviated the need to report this lost hard drive. Probably nothing happened to the data, but if you can't tell, you probably can't get below the "low risk of compromise" threshold. 42,000 people affected.
[ Thursday, January 30, 2014 ]
Jeff [6:44 AM]
on Obamacare taxes (they do call them "fines" and "penalties;" how unconstitutional of them).
Data Breaches at Texas Psych Facilities:
Jeff [6:40 AM]
It's happening a lot recently. None of these seem particularly big, but they are indicative of a problem that some policies and training ought to help cure.
[ Wednesday, January 29, 2014 ]
Jeff [7:22 PM]
If you're a HIPAA/privacy geek in Houston (or want to be in Houston), check out this position opening. It would involve working with some top notch folks.
Malvern Group's weekly breach/incident report:
Jeff [9:17 AM]
Malvern Group's weekly breach/incident report is out. Thanks so much to them, now I don't feel guilty that I don't catalogue and re-blog every breach report I hear.
[ Wednesday, January 22, 2014 ]
Current Breach Activity
Jeff [10:23 AM]
Malvern Group's weekly list of HIPAA and other data breaches
Jeff [10:21 AM]
If you're looking for HIPAA training and the like, I've got a handful of webinars and in-person educational presentations coming up (all times Central):
- Today (1/22/14), noon - 1:00: Texas Medical Association webinar: HIPAA Training for the Medical Office Staff; info here.
- January 29, 2014, noon - 1:30: Lorman Education Services webinar: Medical Records Update for Paralegals: Releases, Retention, and Confidentiality Requirements; info here.
- February 13, 2014, Dallas, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law in Texas; info here.
- February 19, 2014, noon - 1:00: Texas Medical Association webinar: Complying with HIPAA Security; info here.
- February 25, 2014, Ft. Worth, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law; info here.
- April 1, 2014, Houston, Tx, 8:30 am - 4 pm (HIPAA presentation 2:00 - 4:00): PESI Continuing Education Seminars live seminar: Texas Mental Health and the Law 2014; info here.
Feel free to email me, comment on the blog, or message me on Twitter (@JeffDrummond) with questions.
[ Friday, January 17, 2014 ]
New Mexico Forced Colonoscopy case:
Jeff [12:29 PM]
I was quoted in Theresa Defino's AIS story on this case, where a man in New Mexico was arrested on drug charges because a drug dog sniffed his car seat. The cops figured the man had secretly hidden drugs in his, er, butt. The cops got a search warrant (but for a different county), and took the man to a hospital in the next county (the local hospital refused to cooperate), where they got the hospital and a couple of doctors to help take X-rays, give the man an enema, and finally a colonoscopy. Turns out he had no drugs, and he sued the cops for civil rights violations, as well as the hospital and the doctors for medical battery and HIPAA violations.
The city and county have settled for $1.6 million. Good. The case against the hospital and the doctors goes on.
UPDATE: more quotage here
[ Monday, January 13, 2014 ]
Transactions and Code Sets News: Health Plans must certify to compliance with HIPAA transaction and code set rules.
Jeff [1:31 PM]
I saw this news last week but thought it was simply HHS saying health plans are covered by HIPAA; which they are, naturally. Health plans are covered entities, and must comply with the Privacy Rule and Security Rule.
But the point is that they must all use standard transactions. This goes back to the earliest part of HIPAA, based on trying to standardize electronic data interchange transactions in the healthcare industry, and the drafting of specific forms, data sets, and formats to be used in every payment transaction, for example. Get rid of the legacy systems and individual payor formats and use standard documentation. It's interesting to see this come up again. Frankly, everyone in the health industry ought to be using standard formats, and to the extent a lot of smaller players (small health plans specifically) aren't doing so, then either we don't need the standards or we aren't enforcing the requirements like we should be.
Small Data Breach Reporting: Welcome to 2014! Covered entities must report all (small) breaches occurring in 2013 to the Secretary of HHS by the end of February. If you had a big breach, one involving 500 or more individuals, you should have reported to the affected individuals and HHS (and local media) within 60 days of becoming aware of the breach, but if you had a small breach, you needed to notify the individuals within 60 days, but need not notify HHS until year-end.
Jeff [12:17 PM]
Sometimes you'll have a handful of small technical breaches (records faxed to the wrong number, for example), which involve a quick and easy note to the patient. Those are often put out of mind once they're done. But the annual reporting requirement is still there, even though you might've forgotten about that little incident. . . .
The year-end reporting requirement is easier but still a little tech-intensive. It involves filling out a form on the HHS website for each breach incident, which involves actual input by the covered entity, so it takes a little time. But it's painless, and it's the law.
Phoebe Putney loses a desktop computer:
Jeff [8:40 AM]
A Georgia hospital employee was rearranging her office and boxed up her password protected, but not encrypted, desktop computer and left the box in the hall. Presumably she did not put a "no basura" sign on it, because it disappeared, never to be found again. 6700 - 6800 patients' PHI, plus a handful of social security numbers. Two employees were fired for not following policies (makes me wonder who the second one was, assuming the redecorating employee was one).
If the computer had been encrypted, we wouldn't even know about it.
[ Thursday, January 02, 2014 ]
Interesting NJ Case:
Jeff [6:35 PM]
An employee of Omnicell, a vendor of pharmacy management computing services (and a business associate) of a slew of hospitals, had a laptop stolen. The laptop contained names and PHI of a bunch of patients of the hospitals. The laptop was password protected, but not encrypted. I blogged about the breach about a year ago.
One of the patients filed a class action lawsuit against Omnicell and the slew of hospitals. But the federal court threw them out, because they could not prove damages. I did not hear of a settlement with OCR, so that's still potentially out there. To some extent, this case proves that the administrative fines are likely to be worse than the potential legal claims of victims, since it's so hard to show damages for a HIPAA breach.
[ Tuesday, December 31, 2013 ]
A Little Slow on Posting Notice?
Jeff [4:37 PM]
Colorado Medicaid suffered a data breach in November but is just now notifying affected individuals. A little under 2000 affected. The breach was the use of a personal email account, so there probably was no harm, no foul. But why did it take so long?
[ Saturday, December 28, 2013 ]
What's a good set of Policies and Procedures worth?
Jeff [8:01 PM]
I've drafted dozens of them, including the form set currently available from the Texas Medical Association. On average, I've probably charged around $5,000 to $10,000 for a worked-over set of policies (including adaption to the client's specific needs, assisting with risk analysis, adding in forms for BAAs and NoPPs, etc.). That's a lot of money for some clients, and many balk at a price tag that high.
But what is the set worth? If you're Adult & Pediatric Dermatology in Massachusetts, the number is $150,000. APDerm lost a flash drive with PHI on it: as far as anyone knows, nothing happened to the PHI. But, the loss triggered an OCR investigation, which uncovered that APDerm hadn't adopted policies and procedures. That failure triggered a $150,000 fine.
$5,000 sounds pretty cheap.
Of course, if APDerm had policies and procedures, they might've decided to encrypt all flash drives, or not allow them at all, and the breach might not have occurred at all. That, really, is the value of a good set of policies and procedures.
[ Thursday, November 21, 2013 ]
De-Identification Certification Experts: If you know of any, please email me.
Jeff [11:28 AM]
HIPAA states that PHI is no longer PHI if it is de-identified according to HIPAA. There are 2 ways to de-identify: strip out 18 specific identifiers (the "safe harbor"), or get an Expert Opinion (the "expert certification"). It's hard to get usable information if you strip out all of the 18 items, since you have to strip out any dates other than years, and a lot of times you need to know the time between treatments, for example, or the time from diagnosis to treatment. So, often you need to go the other route and get an expert certification. I've gotten a few and know the names of some folks who are acknowledged experts, but my list is really short, and I'd like to expand it. Let me know if you have someone you'd recommend.
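As an added illustration (not from the blog, and not a complete implementation of the rule), here is a Python sketch of the safe-harbor route applied to a constructed record. It implements only a subset of the 18 identifiers (direct identifiers dropped, dates reduced to year, ages over 89 bucketed, zip codes truncated), skips the 3-digit-zip population check, and shows why the diagnosis-to-treatment interval the post mentions is lost once only years survive. The field names and the sample record are assumptions.

```python
from datetime import date

# Constructed sample record (not real patient data); field names are assumptions.
RECORD = {
    "name": "Jane Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "zip": "02139",
    "birth_date": date(1920, 6, 15),
    "diagnosis_date": date(2013, 3, 10),
    "treatment_date": date(2013, 4, 2),
    "diagnosis": "I10",  # a diagnosis code is not one of the 18 identifiers
}

# Direct identifiers removed outright (a subset of the 18 safe-harbor items).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email"}


def safe_harbor(record, as_of=date(2014, 1, 1)):
    """Return a de-identified copy of `record` (simplified safe harbor).

    Direct identifiers are dropped, every date is reduced to its year, zip codes
    keep only the first 3 digits (the >20,000-population check is omitted here),
    and ages over 89 are collapsed into a single "90+" bucket with the birth year
    removed, since a year of birth for that group would itself indicate the age.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if isinstance(value, date):
            out[key + "_year"] = value.year  # all date elements except year go
            continue
        if key == "zip":
            out["zip3"] = value[:3]
            continue
        out[key] = value

    birth = record.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    return out


def treatment_interval_days(record):
    """Days from diagnosis to treatment; None when only years survive."""
    d, t = record.get("diagnosis_date"), record.get("treatment_date")
    if d is None or t is None:
        return None
    return (t - d).days


if __name__ == "__main__":
    deid = safe_harbor(RECORD)
    print(deid)
    print("interval before:", treatment_interval_days(RECORD))  # 23 days
    print("interval after:", treatment_interval_days(deid))     # None, lost
```

The lost interval is exactly the usability gap that pushes researchers toward the expert-determination route.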
[ Monday, November 18, 2013 ]
A Covered Entity can be a Business Associate of another Covered Entity.
Jeff [11:19 AM]
This is well-settled ("A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity") from the beginning of HIPAA, but some people continue to think that since their client is a covered entity, it need not sign a business associate agreement when it provides services for another covered entity and creates, receives, maintains or transmits PHI in connection with the services.
[ Tuesday, November 05, 2013 ]
California Update (Happy News for Kaiser):
Jeff [2:05 PM]
California's Confidentiality of Medical Information Act requires California entities to protect medical information, and prohibits them from disclosing the information except in proper purposes. In a case I noted earlier, UCLA had an issue when a physician took home a portable hard drive, which was stolen from his house. The hard drive was encrypted, but the encryption key was on a sticky note stuck to the hard drive, so UCLA couldn't rely on the encryption. However, a California appeals court has ruled that the plaintiff must prove that the information was actually disclosed, not just lost.
This is good news for Sutter, which had a theft at one of its offices involving a desktop computer (believe it or not) with PHI on 4,000,000 people. Since CMIA allows for $1,000 statutory/nominal damages per person, that's a $4 Billion potential loss. However, unless the plaintiffs can prove that the PHI was disclosed, not just lost, then the damages might not be there.
[ Friday, November 01, 2013 ]
Jeff [11:12 AM]
The "Hide Rule" gets some attention:
Jeff [11:07 AM]
Modern Healthcare (subscription required) has an article on presentations made at AHIMA relating to the "hide rule," which allows a patient to prohibit a provider from giving information to an insurer or other payor if the patient pays in full "out of pocket." It's easy to just not send the data at the time of service since the patient paid, but many EMRs don't allow a provider to appropriately tag the data so it doesn't get out to a payor at some later date. That makes things hard to comply with, a situation that HHS knows about but can't do anything about (since the "hide rule" is hardwired into the statute [HITECH], HHS can't just waive it away in the regulations -- hey, wait a minute, this administration does that all the time . . . .).
[ Monday, October 28, 2013 ]
Jeff [10:30 AM]
[ Tuesday, October 22, 2013 ]
Another Social Media Question:
Jeff [1:27 PM]
Most of the time, we discuss doctors, hospitals and others using social media, and concerns regarding when those uses might involve the use or disclosure of PHI. Here's an interesting article on doctors using social media to check up on patients for medical compliance issues. Definitely a tricky issue.
AHMC (California) Data Breach:
Jeff [1:17 PM]
2 laptops stolen. Data on 729,000 patients from 6 hospitals. Good physical security, password protection, but no encryption. Reportable, of course.
[ Wednesday, October 09, 2013 ]
SLU Phishing Attack:
Jeff [11:01 AM]
Here's an interesting HIPAA breach that didn't start out that way. St. Louis University was hit by a sophisticated (and apparently realistic) phishing attack that allowed a hacker to get access to email accounts and direct deposit information of a handful of SLU employees. It seems the initial phishing attack was to redirect direct deposits into the hackers' accounts. Not a HIPAA issue, right?
Upon further review, conducted I'm sure by the inestimable HIPAAcrat Karen Pyatt, it was discovered that the hack also allowed access to a handful of email accounts that contained PHI of about 3000 SLU patients. Mostly the PHI was diagnosis-related, but some social security numbers were there too. The 3000 have been notified.
Hat tip: Malvern Group.
Physician Rating Websites:
Jeff [10:53 AM]
An interesting article in Family Practice Management (the publication of the American Academy of Family Physicians) on how doctors should handle website reviews, particularly bad ones. Not a whole lot of new info, but confirms that it's tough to deal with bad reviews. Whatever you do, don't use or disclose PHI in responding to a bad review: just because the patient posts his/her own PHI (even if they lie in doing so), that doesn't give the provider the right to use or disclose the PHI further.
[ Monday, October 07, 2013 ]
Jeff [12:43 PM]
[ Friday, October 04, 2013 ]
Harris Methodist Ft. Worth:
Jeff [7:26 AM]
This was news several months ago; microfiche files were found in some public places, when the information was supposed to have been destroyed. Why are they just now notifying patients?
[ Wednesday, October 02, 2013 ]
Santa Clara Valley Hospital breach:
Jeff [1:44 PM]
Stolen laptop. Encrypted? Of course not.
Another Holy Cross Breach:
Jeff [1:32 PM]
The Ft. Lauderdale hospital is struck by another employee stealing patient identities, this time apparently for tax return fraud. Hat tip: Malvern Group.
[ Thursday, September 26, 2013 ]
Skype is not an approved telemedicine technology:
Jeff [1:07 PM]
At least not in Oklahoma
[ Wednesday, September 25, 2013 ]
Holy Cross Data Breach:
Jeff [10:09 PM]
A former hospital employee apparently accessed the data for identity theft purposes.
That Didn't Take Long:
Jeff [4:58 PM]
We already have our first data breach by a Health Insurance Exchange (HIX). Broker information rather than patient/beneficiary information, but still. . . .
[ Friday, September 20, 2013 ]
Refill Reminder Guidance:
Jeff [12:25 PM]
As I noted last week, HHS agreed, in connection with a suit filed against it, to offer some guidance on how the refill reminder exception to the marketing prohibition is supposed to work. If you've spent any time trying to figure out what you can and can't do under HIPAA relating to marketing, you know it's frustratingly confusing. So troubling that Adheris sued HHS to try to get a federal court to determine what it could and couldn't do.
Now, HHS has provided some guidance, along with some FAQs. The jury's still out on whether this will be enough.
NoPP Revisions Delayed:
Jeff [12:19 PM]
No need to worry about Monday's D-Day for revising your HIPAA Notice of Privacy Practices -- if you're a CLIA or CLIA-exempt Lab, that is. The rest of you, keep drafting.
[ Tuesday, September 17, 2013 ]
HHS Publishes Model Notice of Privacy Practices:
Jeff [5:17 PM]
I haven't looked at it yet, but if you want to see it, it's here. Hopefully this isn't the first one you've looked at. . . .
Is HHS the Real Grinch?
Jeff [7:36 AM]
This article thinks HHS is too harsh, but I think the last sentence gives it away: the covered entity is a victim, to be sure, but the patients are much more innocent as victims. The covered entity could've avoided the whole problem by encrypting, but chose not to. Who's in the wrong, then?