HIPAA Blog

[ Saturday, February 28, 2009 ]

 

Time to Get Serious About HIPAA? InformationWeek has a policy paper out (free registration required) advising businesses to get serious about HIPAA compliance. They note the Providence $100K settlement, followed by the CVS $2.25M settlement. It's hard to call 2 data points a trend, but add in the hiring of PricewaterhouseCoopers by the Department of Health and Human Services, and it sure looks like storm clouds are gathering. The paper also gives a common-sense 10-step program for getting your ducks in a row.

Of course, some of us have been "serious about HIPAA" for some time. There is an interesting article included with the paper about one CEO's decision to ignore HIPAA until the feds started moving, and save the implementation money; this is the same advice one of my partners gave back in 2000: the penalties aren't that high, there's no private cause of action, so the probability of getting caught and punished was slim. The CEO (and Dan) turned out to be right. BUT, as the post below notes, it's more than just the HIPAA cost that you have to figure in. Outside of HIPAA, most healthcare providers have at least an ethical duty to protect PHI, and in many states a legal one; and if you're doing HIPAA well, you're much less likely to suffer one of these costly data breaches.


Jeff [9:29 AM]

 

Cost of Data Breaches: The cost to business of a data breach rose again last year, to over $200 per affected customer, according to a new Ponemon study. A big component is the cost to the business of customer "churning": it's not the cost of fines and penalties, or even lawsuits from injured customers, it's the costs to your business reputation if you can't keep your customers' data safe.

Jeff [9:19 AM]

[ Thursday, February 26, 2009 ]

 

State Data Breach Notification Laws: I've been trying to get my arms around the new PHI data breach notification requirements of the ARRA (the Stimulus Bill), and have been talking to a lot of folks about it. One constant question is how this data breach notification statute will interact with the various state statutes. Of course, it's handy to know what the state laws are. Here's a handy website that provides just that.

Hat Tip: Theresa Defino at AIS.

Jeff [5:16 PM]

 

The Pre-Existing Conditions Debate Heats Up: As you know if you've read this blog before, HIPAA originated because of the insurance concept of the pre-existing condition. Your insurance isn't "portable" (the "P" in HIPAA) if you can be denied because of a pre-existing condition. But you can't blame insurers for running their business that way, and as a responsible health insurance customer, I don't want to pay for free-riders.

Based on Obama's not-State-of-the-Union address the other night, universal access (which already exists -- no hospital or doctor will refuse you care, they may just refuse to provide you free care) got big play. It is still unknown how it will all play out.

Here's an interesting article on pre-existing conditions. What's particularly funny is how the subjects don't want pre-existing exclusions to impact them, but also complain about the rising cost of insurance (which rises because insurers have to pay more for the healthcare that's being provided to beneficiaries, which will skyrocket if those beneficiaries include free-riders).

Jeff [10:08 AM]

[ Wednesday, February 25, 2009 ]

 

Slightly Off-Topic: what happens if you pass a bill to put 4 million uninsured children on a governmental child insurance program, but they don't sign up? One thing never, never, never mentioned in the uninsured/underinsured debate is how many are that way by choice. Can't afford it? Hey, I know people making $200,000 a year who "can't afford" to pay their taxes; "can't afford it" can be as low a bar as you want it to be. Here's an example of what I'm talking about. There was a story (LA Times, I think) a few years ago about how much of the CHIP money in California was spent not on providing care, but on sending social workers into the community to try to sign people up (for basically free insurance). They had a hard time getting takers.

Jeff [3:58 PM]

[ Wednesday, February 18, 2009 ]

 

This just in, via Modern Healthcare:

CVS to pay $2 million over alleged HIPAA violations
Capping a first-of-its-kind joint investigation by the Federal Trade Commission and the HHS Civil Rights Office, drugstore and pharmacy benefits management giant CVS Caremark has agreed to pay $2.25 million in a settlement agreement over alleged deceptive and unfair trade practices and alleged violations of the privacy protections under the Health Insurance Portability and Accountability Act of 1996, the two federal agencies said in news releases.


The investigation of CVS began after news media in several states reported finding prescription drug and other personal information had been dumped into unsecured trash containers at its pharmacies, according to an FTC statement. CVS Caremark had run afoul of FTC deceptive business practices guidelines by claiming "CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information,” the FTC statement said. The FTC also alleged the drug seller’s security practices were unfair. Under the FTC settlement, the company has agreed to undergo an independent audit of its security program every two years for the next 20 years.


Under the HHS agreement, CVS agreed to pay what the government describes as “a $2.25 million resolution amount,” to implement a corrective action plan that requires employee training and employee sanctions for noncompliance, and to “engage an outside independent assessor to evaluate compliance for three years.”


UPDATE: Here's the FTC press release, and here's a copy of the "Resolution Agreement."

UPDATE II: Here's the HHS press release, and here's a press release from CVS.


Jeff [4:01 PM]

 

I'm in denial. Yes, I'm still dumbfounded by the utter stupidity of the so-called Stimulus Bill, on so many levels, that I haven't focused on the HIPAA provisions buried therein. I promise I will post on them. But for now, know that Business Associates will be treated like Covered Entities for breach and enforcement purposes. There's lots and lots of other stuff in there, and I will get to it. For now, check out this. But jeez, if the lawmakers who drafted and voted on it, and the President who signed it, haven't read it yet, why do you think I would have?

Jeff [11:53 AM]

[ Tuesday, February 17, 2009 ]

 

Off-Topic: Stark and the Unabomber: I wrote an eAlert a few weeks ago about a case out of Pennsylvania called US ex rel. Kosenske v. Carlisle, in which a hospital failed to update a contract with its anesthesia group and, therefore, was determined to have violated Stark (resulting in a lot of false claims). Ultimately, I got interviewed; here's a write-up on the case.

Jeff [9:56 AM]

 

What's being said about you online? I got an email from Kelly Sonora noting this article with some tools to help you find out what's being said about you online. Not HIPAA-specific, but something worth looking into.

Jeff [9:35 AM]

[ Wednesday, February 11, 2009 ]

 

On the Stimulus Bill: As we've discussed here before, more discussion of attempts to balance patient privacy with the usefulness of the use and disclosure of otherwise protected health information.

Jeff [11:04 AM]

[ Tuesday, February 10, 2009 ]

 

New OCR Website: just hours after I sent a link to the old site to a partner of mine, the US HHS Office of Civil Rights (the enforcement agency for HIPAA privacy) has a new website up with information on the HIPAA privacy rule and the Patient Safety Rule.

Jeff [8:19 PM]

 

Privacy issues in the Stimulus Bills: the House and Senate versions each contain privacy provisions, but apparently the House bill has been influenced by the privacy watchdog groups, while the Senate bill has been influenced by industry groups. I'm sure it'll suck one way or the other.

Jeff [11:55 AM]

 

New Data Breach: This time, Kaiser employees are the victims of a true (alleged) identity thief. Not PHI, apparently, though.

Jeff [11:00 AM]

[ Thursday, February 05, 2009 ]

 

EMRs not to everyone's liking: Here's an interesting policy-driven push-back piece on EMRs. Not all they're cracked up to be, and possibly a camel's nose issue.

Jeff [3:28 PM]

 

IOM: HIPAA is flawed. The Institute of Medicine has determined that the current privacy regime in HIPAA hinders medical research, and they're proposing a new privacy regime, at least where medical research is involved. They do put their finger on the issue -- best privacy and best healthcare are diametrically opposed, and the problem is finding a good balance.

Jeff [11:44 AM]

[ Wednesday, February 04, 2009 ]

 

Off-Topic: Just so you won't think all I do is HIPAA: I've got a couple other things I do, professionally-speaking. Not to mention fishing.

Jeff [1:46 PM]

[ Tuesday, February 03, 2009 ]

 

Read the Stimulus Bill? OK, I haven't either. But BNA tells me (subscription required) that section 4410(e) grants authority to the 50 states' Attorneys General to enforce the provisions of HIPAA. I don't know if this monster Bill will pass (as I did with the physician-owned hospital provisions in the House version of the SCHIP bill, I suspect it will not pass as written), but if it does, this could be interesting. We will end up with behavior in one state being aggressively prosecuted, while the same behavior in another state will go unmolested.
Stay tuned.

UPDATE: By the way, here's another take on some of the other privacy provisions in the Stimulus Bill: privacy nuts like 'em, interoperability fans not so much.


Another UPDATE: the Institute for Legal Reform, a tort-reform group affiliated with the US Chamber of Commerce, has weighed in, even sending a letter to the Senate, pointing out that state AGs sometimes team up with plaintiffs' lawyers to take on cases like this, so that including this provision will result in abusive lawsuits. Personally, I'm a little more concerned about having 50 different interpretations of what's acceptable under HIPAA, but after what happened when state AGs teamed up with tobacco lawyers, they may have a point.


Jeff [11:03 AM]

 

Another Good Reason to Avoid Data Breaches: the cost. On average, companies pay about $200 per customer record in responding to a data breach. And that's even if nothing bad happens.
And if that's not enough: if you're in the healthcare business, you'll lose 6.5% of your patients.
All that is before HIPAA kicks in. Even if you are never cited by OCR, even if you negotiate a $100,000 settlement with them, that cost is a drop in the bucket compared to the other costs to your business. More reasons to really comply with HIPAA.

Jeff [10:57 AM]
