[ Wednesday, April 28, 2004 ]
How are you doing on HIPAA security? April 21, 2005 is less than a year away, after all. If you're like most everyone else, you're not doing very well. According to a new survey by URAC (which was the Utilization Review Accreditation Commission or something like that), few providers have done much to make progress toward HIPAA security compliance.
Remember, just as with HIPAA privacy, the only way you'll get close to compliance is if you start figuring out where you are, where you need to go, and how you get there. So get working on your organization's risk analysis. Check with your IT or IS folks, your hardware and software vendors, and your consultants and lawyers. No time like the present.
Jeff [4:48 PM]
HIT a priority. Yesterday, President Bush set out his vision for the establishment of standard electronic medical records within the next 10 years. At a speech to the American Association of Community Colleges, he said he would create a sub-cabinet level post for a national leader in health information technology. More on the story here and here. (Here's the actual speech; look about 3/4 down for the EMR discussion.)
It will be interesting to see who gets appointed to this post, and how the process goes. It makes a lot of sense to move toward standardization of electronic medical records, but it will be interesting to see if the migration is smooth and semi-linear or if it's more like the staggering, halting progress toward standardization we're seeing with TCS under HIPAA.
UPDATE:
Here's the AMA's take on it: the primary concerns are cost and standardization. Doctors are concerned that they'll spend a lot of money and end up with a "Betamax" rather than a VHS. And here's an op-ed co-written by Newt Gingrich and Patrick Kennedy urging the implementation of electronic medical records.
Jeff [11:28 AM]
News on the TCS front: Not really a story, but sort of a recurring theme: I've been hearing more and more complaints from providers about WebMD and its portal/clearinghouse function, specifically regarding the fact that WebMD isn't fully compliant with the Transaction and Code Set rules. The specific things I hear are that in some data sets, the TCS rules require spaces for 3 digits, but the WebMD format only contains spaces for 2 digits. If physicians enter 3 digits, one digit gets dropped when the claim is translated to the X12 format.
Again, I don't know if this is true, and I have absolutely no experience in actually coding claims so I'm not certain whether this charge even makes sense. But as we start staring down the delayed-payment deadline for non-HIPAA-compliant claims to CMS this summer, it will be interesting to watch how this plays out. It seems like a whole lot of physicians and physician groups use WebMD's portal and clearinghouse functions, and if they all go to slow-pay on their Medicare and Medicaid claims, there should be some howling.
Jeff [11:23 AM]
Medical record privacy and the banking industry. While I try to keep the focus here on HIPAA, I'm also doing a fair amount of work on other "personal privacy" issues, such as those under Gramm-Leach-Bliley. GLB primarily impacts the way "financial institutions" can use personal information, including personal financial information. With the deconstruction of the depression-era Glass-Steagall law, which prevented the combination of banks and insurance companies, there was some concern that a combined entity like Citigroup (Citibank plus Solomon Smith Barney plus Travelers) would use information gleaned from the banking relationship to refuse insurance coverage. GLB was designed to prevent this cross-over of information.
Additionally, last year the President signed legislation preventing banks from using medical information to make decisions about whether to lend funds to an otherwise qualified borrower. According to the NY Times, federal regulations are about to be issued in this regard. While an unreconstructed capitalist might think that banks should be able to use any information they want to make lending decisions, the concerns about the misuse of personal medical and health information make this an attractive piece of legislation. And like the early emphasis on HIPAA itself, it's hard to argue against this regulatory protection. Even the bankers know that opposing this would make them look bad.
Jeff [11:09 AM]
Remembering San Francisco: Allina Hospitals and Clinics, a large Minnesota integrated healthcare delivery system, is outsourcing all of its transcription services. Interesting, given the recent news on outsourcing generally and outsourcing of transcription services specifically.
Jeff [10:59 AM]
[ Tuesday, April 27, 2004 ]
EMS dispatchers and HIPAA: There's been some interesting back-and-forth on the AHLA health information technology listserv over the last few days about the impact of HIPAA on EMS dispatchers, particularly where they are combined with police dispatchers. Often, the EMS department and 911 dispatchers will be city or county employees. Certainly the EMS part of the business is a "covered entity" under HIPAA, but you usually don't want all of the city employees to be considered to be working for the same covered entity. In other words, if you are the human resources coordinator for a city or county government, you don't want your street repair crew to have to take HIPAA training, but you need your EMS guys to be trained. So, the smart thing to do is to consider the governmental entity a "hybrid entity": part covered entity, part not. The covered entity part gets HIPAA training, and the rest doesn't.
What about your dispatchers? Should they be considered in the covered entity part, or the non-covered entity part? Some of what they do involves PHI, but some doesn't (like fire and police calls where there's no ambulance service).
John Cody, a great contributor to the listserv, has looked into this some and noted the following internet articles and resources:
"HIPAA: The Intersection of Patient Privacy with Emergency Dispatch"
"HIPAA Compliance Strategies: Six Ways Paramedics Are Dealing With New HIPAA Challenges"
"HIPAA Overkill Should Not Delay EMS Response"
"Confidentiality Concerns and Communications"
"Use and Disclosure of PHI for Service Evaluation"
"EMT Held Liable for Damages and Attorneys Fees for Violating Patient's Privacy: Lessons to Be Learned"
Thanks, John.
UPDATE: had some bad links and have fixed all but one. I'm working on that one, too. Hat tip to Donna Higgins at Andrews Publications for pointing that out.
Jeff [6:18 PM]
[ Thursday, April 22, 2004 ]
Geek alert. I can not only set the clock on my VCR (do VCR's still have clocks that need setting? Do people actually still have VCRs?), I can set a program to record. But I've never taken a computer course, wouldn't be able to write code, and basically can follow the instructions when installing software on my home PC.
So I'm not going to be your best resource if you want nuts and bolts advice on security; you ought to talk to someone with more computer skills, and there's a ton of folks out there who really know the stuff. But, whenever I come across something that might be of interest to the security crowd, I'll link to it.
Like this. Top 10 security trouble spots relating to Windows operating systems, and top 10 security trouble spots relating to UNIX. It's interesting reading if you're interested by this type of stuff and/or have that required underlying paranoia that drives some folks (you know, the type that check their computer after reading about some scary technology in a Tom Clancy novel). Not that there's anything wrong with being a little (or even a lot) paranoid about security. You know what they say: just because you're paranoid doesn't mean that they're not out to get you.
[Hat tip: Alan Goldberg]
Jeff [9:41 AM]
[ Tuesday, April 20, 2004 ]
How many errors can you fit into one newspaper article? Wow. This is something. You've got your myths, you've got your outright errors, all in one article. No providers got an extra year to comply; only small health plans got the extra year, and it's up (as of last Wednesday). And unless they've changed them, providers don't need to redistribute NoPPs; plans do, but not yearly.
Jeff [2:45 PM]
HIPAA compliance costs for non-covered entities: Here's an article (free registration required) on the impact of HIPAA on medical device and technology companies that aren't exactly in the "covered entity" category but are required to protect PHI due to their relationships with covered entities. I don't think these costs to the industry were accounted for by HHS when they determined what HIPAA compliance would cost. Not that I necessarily blame them, but I think there are many collateral costs and impacts of HIPAA that weren't acknowledged or considered by HHS when these regulations were drafted.
Jeff [9:45 AM]
[ Monday, April 19, 2004 ]
Some good news on industry HIPAA compliance. AHIMA's survey was originally excerpted in Modern Healthcare fairly exclusively, and I couldn't figure out how to link to it. They (AHIMA, that is) have published the survey results in a linkable format, here. Things are about where you'd expect them to be: fairly good progress, with realistic expectations and reporting.
HIPAA compliance must be an ongoing, evolutionary thing. You can't immediately switch to a new regime, without going through the cultural and organizational battles. But neither the Jeremiahs nor the Pollyannas are right about how good or bad the current situation or prospects are. Which is a good thing. People are doing what they can and taking reasonable steps to get their organizations and operations into HIPAA compliance, and to protect information while still allowing healthcare to be delivered. There will be bad days, and there will be bad stories, cases of overprotection preventing care or family notification, and cases of underprotection allowing the wrong family members access to information. But on balance, things look fairly good.
Jeff [10:54 AM]
[ Thursday, April 15, 2004 ]
Yesterday was the day; today's something different. Here's another article on how few small plans are HIPAA-compliant, despite yesterday's deadline. Of course, as the article points out, many of them have other things on their minds.
It's not that hard to become compliant. And as long as you do the things you ought to do (protect the info) and don't do the things you oughtn't (use the info for employment decisions), you'll probably be OK. You should, of course, have taken steps, drafted policies and procedures, and otherwise documented your efforts, simply to prevent some disgruntled employee from attempting to leverage the threat of reporting a HIPAA violation into a lifetime employment agreement. Keep in mind that, even if you never get a visit from OCR, your biggest problems could be a lot closer to home.
Jeff [10:30 AM]
[ Wednesday, April 14, 2004 ]
Today's the day for small plans. As this article points out, today's the deadline for small (less than $5,000,000) health plans to be compliant with the HIPAA privacy rule. And "plan" includes any employee health benefit plan, even if it's fully insured.
A "health plan" is any plan that pays for or arranges for the payment for or provision of health care services, and includes any plan defined under ERISA. Most of the HIPAA privacy rules for health plans are found at 45 CFR 164.504(f), but the specifics of what the plan must do depend on (i) whether the plan is fully insured and (ii) just how much PHI the plan receives.
One very important distinction in figuring out how your plan complies with HIPAA: the rules apply to your plan, not to your company. This seems like an artificial distinction, but it is very real. Many years ago, if a company provided insurance to its employees, it simply bought insurance from an insurance company like Blue Cross. If an employee or an employee's family member had a health problem, the employer would not know about it other than through the workplace grapevine; if the employee was discreet, the employer would never know that the employee was at high risk to have a heart attack, for example. Since ERISA, companies now self-insure or establish health plans where the "plan" receives health information that might be peeked at by the company; the company never would have received this information in the past, but now could look and, for example, decide to fire the employee who was at risk of a heart attack. There are reasons the plan needs to have and use the information, but the company shouldn't have access to it; that's what HIPAA tries to ensure by making a distinction between the plan and the employer.
General rules for such plans are:
-- Except for "summary plan information" (information stripped of identifiers that is used to shop for coverage and premiums) and information on whether someone is enrolled or not, the plan can't disclose PHI it receives to the company, and the company can't use the information it receives for employment-related decisions.
-- If the plan gets PHI, the plan documents should be amended to make sure the PHI is protected and the plan participants have their rights protected.
-- The plan must restrict uses and disclosures of PHI it holds to HIPAA-allowed uses and disclosures.
-- The "minimum necessary" rule applies to disclosures by the plan.
-- The plan must have a Notice of Privacy Practices (NoPP) and deliver it to the beneficiaries, although the insurer (if the plan is not self-insured) can be the one to provide it.
-- The plan must comply with the administrative requirements of HIPAA (have a privacy officer, train the staff, have a complaint procedure, etc.), but if the plan is not self-insured and doesn't receive PHI other than summary health information and enrollment data, the only administrative requirements it's required to meet are that it can't retaliate against complainers, can't make beneficiaries waive their HIPAA rights, and must document what it's done to comply with HIPAA, including documenting the amendments to the plan if those are done.
Basically, the plan must protect the PHI, and can't let the employer use it for bad purposes. Now, don't be fooled into thinking the employer can't ever have information that might otherwise be considered PHI. Some folks think HIPAA means that you can't announce when someone has had a baby or is sick. If the information only comes from the health plan, then the health plan must keep it secret. But if the employee tells co-workers, or if the information comes to the company from a source other than the health plan (for example, an on-the-job injury or a company physical required as a condition of employment), it isn't entitled to the same level of HIPAA protection.
Now, go and amend those plan documents!
Jeff [8:59 AM]
[ Tuesday, April 13, 2004 ]
Deadlines Impending. You should know that tomorrow is the deadline for HIPAA privacy compliance for small health plans (less than $5,000,000 in premiums or payouts). You should also know that there's just a little over a year left before the Security Rule deadline arrives. What are you doing for Security Rule compliance? Here's a good article on the types of things you should already be doing. The earlier you start with your security compliance, the easier it will be to feel comfortable that you're in compliance next April.
Jeff [11:31 AM]
Another alleged HIPAA horror story. This one from Chicago. Of course, the caretaker could've asked the patient why he was in the hospital to begin with, and if the patient didn't want to tell him, the hospital really couldn't override the patient's wishes. That was the case before HIPAA, too. And mental health information is clearly the type of information that deserves extra privacy considerations.
The dichotomy is still the root of the problem: if you want the best possible health care for everyone, all medical information about everyone should be available to everyone. If you want the best possible medical record privacy, no medical information about anyone should be available to anyone. The trouble is finding the right balance between those two poles, and while it's never going to be a perfect fit in every situation, HIPAA actually does a fair job of balancing the countervailing interests. You want privacy, and you want individuals to be empowered to make those decisions. But where it's appropriate and necessary for the information to be shared so the patient can be treated, that information should be shared. In the examples in the article where providers couldn't get information, the problem isn't HIPAA; HIPAA would've allowed those information transfers. The problem is the compliance and enforcement environment, the spectre of the Federal Government investigating an improper breach, or the threat of a lawsuit for a HIPAA violation. That's a result of the overzealous "selling" of HIPAA and the "need" for privacy in the face of anecdotal evidence from the likes of the Health Privacy Project.
Jeff [11:28 AM]
[ Thursday, April 08, 2004 ]
Early onset Alzheimers. I can't remember if I posted this before, but if you've ever wondered when you need to account for a disclosure, here's a good chart to look at.
You know that HIPAA gives individuals certain specific rights with regard to their own medical information, including the right to know where their PHI has been disclosed. Of course, given how many places PHI is disclosed in day-to-day medical care (from doctor to hospitals, from doctors to specialist and consulting doctors, to pharmacies, to payors, etc.), tracking all of those disclosures would cause the entire health care industry to grind to a halt. So, exceptions were granted for those types of disclosures that the individual ought to know about. You ought to know your doctor is going to give your information to the hospital when you're admitted, and that the hospital will tell your doctor your latest vital signs. So, disclosures for treatment, payment and healthcare operations are not required to be tracked for purposes of accounting for disclosures. Those are the disclosures you "ought to know about." Additionally, if you give your physician written permission (in the form of a HIPAA-compliant authorization), that's a disclosure you "ought to know about" too. So what's left? Well, check out the chart, and you'll see!
Jeff [4:01 PM]
[ Wednesday, April 07, 2004 ]
Not exactly on point, but close enough: HealthLeaders has an excellent article on steps to make any IT project easier and more successful. The article outlines 12 rules that aren't quite common sense but sure seem like good ideas if you're doing a major or minor overhaul of your IT assets.
Some of the points are specific to healthcare IT: "Involve as many clinicians in the selection as possible." And, "Walk away from historic clinical data only as a last resort. Porting historical data into the new system builds confidence and support for the new system and adds to clinical relevance." Also, "Beware of computer geeks wearing stethoscopes." Calling Dr. Toppins?
Some of the points are applicable to any project: "A group or committee does not always make intelligent decisions. Consider 'Group IQ' when constructing a committee. 'Group IQ' can be best calculated as the IQ of the group leader divided by the number of people in the group with double-digit IQs." And, "Establish reasonable, but aggressive dates, and then cast them in concrete. If you don't make a target date sacred, you do not have a goal, and you therefore will never hit it. Be prepared to move the date, but do not telegraph that intent. A little death march never hurt anyone."
Jeff [11:32 AM]
[ Monday, April 05, 2004 ]
A Decision in the Philadelphia HIPAA case: I mentioned below that a new lawsuit had been filed a few months ago in Federal court in Philadelphia, challenging the revisions to HIPAA that removed the consent requirement. As originally drafted, providers had to obtain written patient consent before using PHI for even routine uses, and had to obtain an authorization for non-routine uses. That requirement was revised (rightly, I think) in amendments to the HIPAA Privacy Rule which stated that as long as your Notice of Privacy Protections described the routine uses you would be implementing, you did not need explicit authorization. This also freed up second-tier providers (such as specialists) to use the information prior to first seeing the patient. Under the original rule, if a primary care physician wanted to refer a patient to a specialist and sent over the chart, the specialist could not even review the chart until the patient showed up and signed a consent. Likewise, the PCP couldn't phone in a prescription to a pharmacy, unless the patient had already used the pharmacy and signed a consent.
The revised rules do allow the patient to request that the provider not use information in any particular way, such as not disclosing to other providers without the patient's specific authorization. Providers don't have to agree with the request, but if they do agree, they have to comply with it. However, in practice, providers simply refuse to agree with any such restrictions.
The challenge in Philly was made by some consumer groups and one particular plaintiff, who had been turned down by three providers when she requested restrictions on the use of her PHI. The judge ruled that she had standing, but ruled in favor of the government on all factual matters. The court basically stated that the rule itself did not exceed the agency's mandate (which I feel, if anything, is the strongest argument against HIPAA's enforceability), the amendment removing the consent requirement was properly promulgated and approved, and the provisions don't violate the 1st and 5th amendment rights of individuals because nobody is compelled to disclose information under HIPAA.
In fact, under the original provisions of HIPAA, a provider needed a patient's consent to use or disclose his or her PHI for treatment, payment, or healthcare operations. A provider could refuse to provide care to a patient if the patient refused to sign the consent. Under the revised rule, the provider can go forward with treatment, payment, and operations (routine uses) without consent, as long as the provider has put the patient on notice (through the NoPP) that the provider will use the PHI in that way. The patient can ask for restrictions, but the provider can refuse.
I do not see how the situation for the plaintiff in the Philly case would have changed based on the amendment to the Privacy Rule. Under the old method, the provider would have asked the patient to sign a consent allowing the provider to use and disclose PHI for routine uses (basically, what the provider can do now). The patient would have refused, just as she refused to allow the provider what it could do under the revised rule. The provider would then have refused to treat the patient.
I agree with the court's decision. I haven't read it all yet, but I think that the basic balancing act between an individual's right to protection and a provider's need to use the information is fairly well struck in HIPAA. If you don't want a provider disclosing your PHI, ask them to restrict their uses and disclosures. Most won't agree, since they don't want to set themselves up to be sued by you if they inadvertently disclose the information or otherwise have to treat your file differently than they treat everyone else's file. It's just too inefficient for them to do that. But that just means that you'll have to shop around for someone who is willing to inefficiently and expensively change their system for you. You will have to look long and hard to find that person, and you'll probably have to pay more, but if that means a more streamlined, cheaper system for the rest of us, that's the price you'll have to pay for your paranoia. Sorry.
Jeff [9:08 AM]
[ Friday, April 02, 2004 ]
More San Francisco Treats: David Lazarus of the San Fran Chronicle is all over the "Transcriptionists in India extorting cash in return for not exposing patient records" stories. As noted below, the earlier event has quite a few twists and turns, particularly regarding the failure of the middleman to pay the Pakistani transcriptionist (who only wanted to get paid for the work she did). Now, it comes to light in this story that an Ohio transcription company was also extorted by employees in Bangalore who threatened to expose patient records. An executive from that company actually testified before California legislators, but didn't tell them about the extortion. He had a good excuse, though: the Indian employees didn't actually have any medical records, the information they had was limited to internal company documents that they had stolen from a manager's office they had broken into, the employees were caught and arrested (and they confessed), and they're now in jail in India awaiting trial.
I suspect there are more stories out there; but I also suspect that there are just as many stories about that type of extortion or misuse of PHI by American transcriptionists as by foreign transcriptionists.
Jeff [8:36 AM]
Courts wade into the HIPAAsphere: I'll post more on this later (and get back to my epistemological discussion of how privacy and healthcare delivery are basically incompatible), but you should know that a handful of federal courts are addressing HIPAA in the context of the partial birth abortion lawsuits. Congress recently outlawed partial birth abortions, and several abortion-rights organizations have challenged the law as unconstitutional. In connection with those lawsuits, the US Department of Justice (defending the ban) has sought deidentified information from certain hospitals relating to partial birth abortions performed there. The hospitals sought court orders that they did not have to disclose the information. The resulting court decisions have rapidly reached the Circuit Court levels, and likely will end up in the Supreme Court.
Generally, deidentified PHI isn't PHI anymore. However, this is abortion we're talking about, so you can guess how the judicial activism is spinning.
Like I said, more in-depth discussion later. I gotta get some sleep. But I'll actually be in the office all day tomorrow (the first full day since Spring Break), so hopefully I'll get to blog some more.
Jeff [12:20 AM]
Security Compliance: controlling access to all systems with ePHI: You probably know that the Security Rule, which comes into force in about a year, requires that access to all systems with electronic PHI (ePHI) be controlled through technical means. This obviously means that you must restrict access to electronic medical record systems, and be able to track who is accessing what (if that's relevant to your systems, of course). But you must also restrict access to other systems that contain ePHI. These would include PACS systems, scheduling systems, and other non-IS systems. How should you go about doing this?
First, determine all the places where you have ePHI, keeping an eye on removable media (floppies and CDs), hard drives, and network connections. Second, see what types of protections are on those systems already, and make sure you know how to use them. Third, explicitly address these systems and devices in your policies, and make sure your policies include an exception for these systems if they don't have the capacity for access controls (you need some non-technical protection then, like keeping the systems in locked rooms or keeping the info on disks in encrypted format). Finally, when you're acquiring new hardware or software for these systems, acquiring new systems, or entering into maintenance or management contracts relating to these systems, make sure you include your security requirements in the acquisition or maintenance contracts.
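The four steps above can be turned into a repeatable check against an ePHI inventory. The following is an added example (not from the original post or from HIPAAlert): a small Python script that reviews each inventoried system for the gaps the steps describe, including the case of a device that cannot enforce access controls at all and therefore needs a documented policy exception plus a locked room or encrypted media. All field names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Non-technical safeguards the post names for systems that cannot enforce
# access controls themselves: a locked room or encrypted storage.
COMPENSATING_CONTROLS = {"locked_room", "encrypted_media"}


@dataclass
class EphiSystem:
    """One place ePHI lives (constructed inventory record, not a real system)."""
    name: str
    storage: List[str]                      # "hard_drive", "removable_media", "network"
    supports_access_control: bool           # can the system restrict who gets in at all?
    access_control_enabled: bool = False
    audit_logging: bool = False             # can you tell who accessed what?
    compensating_controls: List[str] = field(default_factory=list)
    policy_exception_documented: bool = False
    contract_has_security_terms: Optional[bool] = None  # None: no vendor contract


def review_system(s: EphiSystem) -> List[str]:
    """Return the gaps found for one system; an empty list means no findings."""
    findings = []
    if s.supports_access_control:
        # Step 2: the protection exists, so make sure it is actually in use.
        if not s.access_control_enabled:
            findings.append("access control available but not enabled")
        if not s.audit_logging:
            findings.append("no record of who accessed what")
    else:
        # Step 3: no technical control is possible, so the policy must carve out
        # an exception and a non-technical safeguard must cover the gap.
        if not s.policy_exception_documented:
            findings.append("no documented policy exception for a system without access controls")
        if not COMPENSATING_CONTROLS & set(s.compensating_controls):
            findings.append("no compensating control (locked room or encrypted media)")
    # Step 1: removable media leaves the building easily; flag it if unencrypted.
    if "removable_media" in s.storage and "encrypted_media" not in s.compensating_controls:
        findings.append("ePHI on unencrypted removable media")
    # Step 4: a maintenance or management contract must carry the security requirements.
    if s.contract_has_security_terms is False:
        findings.append("vendor contract lacks security requirements")
    return findings


def review_inventory(systems: List[EphiSystem]) -> Dict[str, List[str]]:
    """Map each system name to its list of findings."""
    return {s.name: review_system(s) for s in systems}


# Constructed sample inventory covering the system types the post mentions.
SAMPLE_INVENTORY = [
    EphiSystem("EMR", ["hard_drive", "network"], True, access_control_enabled=True,
               audit_logging=True, contract_has_security_terms=True),
    EphiSystem("PACS", ["hard_drive", "network"], True, access_control_enabled=True,
               audit_logging=False, contract_has_security_terms=False),
    EphiSystem("scheduling-pc", ["hard_drive", "removable_media"], True,
               access_control_enabled=False, audit_logging=True),
    EphiSystem("lab-analyzer", ["hard_drive"], False, compensating_controls=["locked_room"],
               policy_exception_documented=True, contract_has_security_terms=True),
    EphiSystem("dictation-recorder", ["removable_media"], False),
]

if __name__ == "__main__":
    for name, gaps in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```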
Hat tip to HIPAAlert and Clyde Hewitt of Phoenix Health Systems for the points.
Jeff [12:08 AM]
[ Thursday, April 01, 2004 ]
Taking HIPAA to the extreme: What's the worst thing that can happen under HIPAA? The law gets misconstrued by an overzealous hospital administrator and family members can't get information on loved ones, leaving panic, worry, and anxiety in their wake. That's what happened here. It will be interesting to see if this guy's crusade leads anywhere. It was kind of funny when it happened to the head of the Georgetown group who pushed so hard for HIPAA and was so vitriolic about the "abuses" of medical information in the medical community, but it's not when it happens to those who deserve to be treated better.
Ultimately, a hospital has the right to disclose PHI to family members if it reasonably determines that they are involved in the care of the individual. Of course, if you make that determination and give PHI to an abusive family member, or if the patient really doesn't want the family members to know, you can find yourself on the receiving end of an OCR call. Hospitals could do a better job with sign-in and registration to make sure they find out if they can talk to family members (or, better yet, if there are some family members that need to be left out of the loop). But most of the problems come from the fact that the threat for violations is too damn harsh and it scares folks away from just doing the reasonable thing.
Jeff [11:40 PM]