Red Flags Rule: FTC announces delay in enforcement date from May 1 (i.e., tomorrow) to August 1. In the interim, they'll provide a template for "creditors" who are at low risk for identity theft. I don't think this is the relief the AMA was looking for. Jeff [5:04 PM]
Swine Flu: Don't panic. Wash your hands regularly, and use hand sanitizers if you're not near a good clean rest room. Stay home (work from home) if you're sick. That's it. I predict that American H1N1 flu deaths will be less than 1% of the average annual US flu death toll. Jeff [11:26 AM]
Doctor shortage, and what it portends for healthcare reform.
I saw this in James Taranto's column in the WSJ today:
Does President Obama understand economics? This passage, from a Friday speech on higher education, suggests not: "And yet, in a paradox of American life, at the very moment it's never been more important to have a quality higher education, the cost of that kind of education has never been higher." Something that is more valuable than ever is also more costly than ever? That isn't a paradox, it's a tautology!
This is further discussed by Glen Reynolds here [go read it -- we don't "produce" doctors, people have to choose to become doctors]. I've said more often than anyone wants to hear that we, as a country, want our doctors to make lots and lots of money. Right now (or at least up until the market crashed), going to med school is stupid unless you're charitably altruistic or not that smart. When I went to law school, the really smart kids coming out of college went to medical school. Law school was a step behind, and business school somewhat behind that. And doctors made more than lawyers ,who made more than B-school grads. Now, if you're really smart, you become an investment banker first, a lawyer second, and a doctor third. You can become an investment banker right out of college; if you add in B-school, it's two more years. To be a lawyer, you gotta put in 3 more unpaid years of law school before you start earning the big bucks. To be a doctor, it's 4 more years of tough graduate school, followed by 2 - 10 years of residencies, fellowships, and other low-pay, long-hours, high-stress drudgery. And all to make less than a lawyer, and a lot less than a banker?
Yes, I'm looking forward to the administration's healthcare reform proposals.
1. If scaring the crap out of a terrorist is torture, what's scaring the crap out of thousands of New Yorkers? A photo op.
2. What's the carbon footprint of this little photo shoot? More or less than every Hummer in America idling for an hour? Just curious.
3. For some reason, I'm now really curious to see the administration's health care reform proposals. Jeff [11:33 PM]
[ Monday, April 20, 2009 ]
Offshore Transcription:This shouldn't surprise anyone, but much medical transcription is done overseas. Obviously, there are HIPAA issues. And there is some "scare language" in the article ("Asian transcriptionists often strain to understand what American doctors have dictated. . . "), but even the exemplar in the article is a medical school graduate; what kind of talent are you going to find here in the US of A who will work for that wage? Surely not a medical school graduate, probably not a college graduate, hopefully a high school graduate, but maybe not even that. Think they'd strain to understand what an American doctor dictated (especially if the American doctor is, like many are, foreign-born)?
I just don't have a big problem with this. I couldn't care less if Dinah Barrete knows my deepest, darkest medical secret. I may not want other people in my office to know, but I don't really care if somebody who doesn't know me and never will, who I've never met and never will, knows that stuff.
Obviously, there needs to be tight security for ID theft; if I were a cyberhacker trying to steal identities, that might look like a rich vein. BUT, if little identifying data is going over the overseas cables, and it's mainly medical info (I assume there's no account or financial information going over the lines), the risk is pretty small. Jeff [9:34 AM]
[ Friday, April 17, 2009 ]
HHS issues guidance on what makes PHI "unsecured" for new data breach rules:This is hot off the presses, and I haven't had time to read it yet, but a quick scan leads me to believe that my original impression was correct: you've got to encrypt for ePHI to be "secured."
UPDATE: well, actually, there's another technology/methodology that will make the PHI "secured": destruction. So, you've got to encrypt or destroy. That's all there is. If you have paper data and it isn't destroyed, you can't be sure it's not "unsecured," regardless of how tightly you have it locked down. If you have electronic PHI that isn't encrypted because you're using it, it is "unsecured" and any data loss, regardless of how unforseeable, requires public disclosure on your part. This is not helpful.
HHS is seeking comments on this guidance. I'd encourage you to send in comments. Particularly with regard to usual operations, such as data "in use" that isn't encrypted but is protected by access controls and physical protections like locked doors. Locked file cabinets should be a sufficient "methodology" for securing paper records. Password-protected or zipped files, coupled with good physical security, should be a sufficient technology/methodology combo.
This isn't a good start. We obviously need a secretary at HHS.
UPDATE II: I started to say, "I'm not the only one with this analysis." But I realized that Dom's article was written Friday, obviously before the HHS "guidance" came out. Still, I don't think much of this guidance, I've got to say. . . .
UPDATE III: If you subscribe to BNA, here is their post.
Do Privacy Rules Hinder EMR Adoption? Apparently they do. This all goes back to my underlying issue of privacy versus healthcare delivery. Markets work better with free-flowing information, and most systems do too. Perfect privacy (nobody knows your PHI, not even your doctor) is bad for your healthcare.
Moses Cone Data Breach:Another stolen laptop, another hospital scrambling to offer credit reporting to patients whose information was stolen. The data was password-protected, and in a software program that requires some training to use, but it wasn't encrypted; does that count as "unsecured PHI" under the new HIPAA rules post-ARRA? We won't know for sure until the regs come out.
Sounds like a crackhead laptop theft, not an ID theft attempt, so my suspicion is that the data was scrubbed off the laptop as soon as the thief could do so.
What's your reaction been to ARRA and HITECH? The so-called Stimulus Bill (ARRA) contained the acronymiously adventurous HITECH provisions (that's the Health Information Technology for Econimic and Clinical Health Act), which strengthened HIPAA penalties, added more potential HIPAA regulators and enforcers, and made more people subject to HIPAA. But I haven't seen that many people with panic in their eyes like when HIPAA first came out. I'm not alone.
Actually, that article is spot-on. To the extent anyone is doing anything with this tranch of HIPAA regulation, it's that they're revisiting their existing policies. I'm recommending to clients that they do the same.
I'm also recommending that, while they're at it, they use that impetus, and the structure of their HIPAA Security policies, to develop Red Flags Rule compliance programs. As I n0te in the eBrief, it's not exactly clear that most healthcare providers are subject to the Red Flags Rule. But the FTC thinks you are, and while you might win that fight, it could be expensive. It's a lot cheaper, and can be a value-added component of your HIPAA Security policies, to put an Identity Theft Prevention Program in place. I've done it with a couple of clients now, and it can be pretty cheap and easy if you've got a good HIPAA Security program in place. Use the team that put your HIPAA Security policies together, follow the FTC guidance, draft a policy, and you're done. [Well, you've got to follow it too, but that's something you really should do anyway.] Jeff [10:23 AM]
[ Wednesday, April 08, 2009 ]
OT: Health Reform: here's a pretty good article on healthcare reform. I still doubt we'll see healthcare reform, any more than we'll see cap-and-trade in energy or the US adopting the new version of Kyoto (Copenhagen this time), mainly because there's too much anectode, too much hyperbole, to many wish lists, and not enough serious thought. But this article is pretty good. Not great, but pretty good.
(So-called) Stimulus Bill Text: As I noted below, the American Recovery and Reinvestment Act was actually passed with a bunch of handwritten notes on it changing some of the language, some if it substantively (the country's in the very best of hands). Well, the Government Printing Office has finally gotten the bill printed in the language that was actually passed, pencil marks and all. You can read all 407 pages here. Jeff [11:32 AM]
[ Friday, April 03, 2009 ]
What happens to the records when a doctor closes shop? It depends on how it happens, but it can be a messy, troubling situation. A doctor in Acton, Mass. abruptly shut his practice because the state was chasing him for practicing without a license. He just abandoned the records, and they were about to be shredded when a local hospital stepped in to take possession of them.
State law normally requires physicians to protect the records, and Texas' State Medical Board requires physicians to let the patients know when the practice is closing shop. But if the physician dies, leaves the area, or otherwise isn't subject to the jurisdiction of the licensing board, then what? Jeff [10:56 AM]
Red Flags Rule: You may or may not know about this (or may or may not care), but you better have made a decision as to whether you're going to take care of this by May 1. I'd suggest you do so. And while you're at it, think about rethinking your Security Rule policies and procedures, too.
Internet Security Generally: As you work your way through the Red Flags Rule, now is a good time to rethink your Security Rule policies and procedures, or at least give a quick think about whether your original security risk analysis is still applicable, accurate, and effective. As you do so, keep these sober thoughts, from a guy whose business is in this space, in mind.
It's a scary world out there. Keep an eye on the barn door before the horse gets out. Jeff [9:55 AM]
[ Thursday, April 02, 2009 ]
Upcoming Gigs: I keep meaning to post on here my upcoming speaking gigs; I don't just blog HIPAA, I talk it too. Anyway, here's my current agenda:
April 21: I'll be in NYC at the 4th Annual CIT Healthcare Conference, hearing new market entrants pitch their businesses and asking HIPAA-related questions. Not a speaking gig, but if you're gonna be there, find me and say hi.
June 11: tele-seminar on "Medical Records: Releases, Retention and Confidentiality." Put on by Lorman. Doesn't have a direct link yet. CORRECTION/UPDATE: now there's a direct link, here.
June 14: I'll be speaking at the Texas Osteopathic Medicine Association Annual Convention in Arlington, Texas. Don't have a time and exact topic picked out yet, but it'll be between 8 am and noon and will probably involve Stark/Anti-Kickback and physician business ventures.
June 15: I'll be in Phoenix speaking on legal risks of online and electronic communications for healthcare providers at the Health Care New Media Marketing Conference. Will be getting all Web 2.0-ey on ya. As you might expect, this type of conference has its own Facebook.
September 19: I'll be speaking on medical record release issues to the Texas Medical Association Committee on Physician Health and Rehabilitation at the Westin LaCantera Resort in San Antonio. No website info on this yet.
If you're at one of these events, please let me know that you are a blog reader. I'm so needy for validation, apparently. Especially the Phoenix gig on June 15 -- that's got such a neat connection to what I do with blogging. Hope to see you there (or somewhere).
From the World Privacy Forum: an patient's guide to HIPAA. With some useful information for the non-HIPAAcrat. Jeff [1:41 PM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template
A discussion of medical privacy issues buried in political arcana
