HIPAA Blog

[ Friday, May 29, 2009 ]

 

Testy, testy: CCHIT is accused of whoring for HIMSS, which is accused of whoring for tech vendors. Personally, I think that's an unfair indictment of both organizations. HIMSS is made up of tech pros; it's obviously influenced by tech vendors, since many of the tech pros work there and the rest deal with those vendors and their products. Including the vendors in the conversation makes perfect sense, and doesn't make HIMSS a tool of the vendors. Nor does the reliance of CCHIT on HIMSS taint what CCHIT does.

Jeff [10:28 AM]

[ Thursday, May 28, 2009 ]

 

AEtna Web Site Hacked: 65,000 people offered credit monitoring: It's a job application website, not medical records, so not exactly a HIPAA issue.

Jeff [10:20 AM]

 

UNC + IBM = Improved Quality? That's what they're hoping for.

Jeff [9:59 AM]

[ Wednesday, May 27, 2009 ]

 

Tenet Employee Caught Stealing Medical Records: Your basic identity theft/credit card fraud case. But since it involves medical records, HIPAA is implicated, and the story indicates that the duo will be charged with criminal HIPAA violations. Under the original DOJ guidelines that say employees can't violate HIPAA (the thief was a records tech, not a nurse or other specialty that might be bootstrapped into the definition of "provider"), there would be grounds to fight the HIPAA part of the charge. But since ARRA expanded the coverage of criminal violations to business associates, there might be more legitimate claims for a criminal HIPAA violation.

Or would there? It seems to me that the thief wouldn't be a "business associate" of the hospital, but rather a member of the hospital's workforce.

I doubt it will matter. There are sufficient other charges that will easily stick, and I doubt the defendant here will care that she's being charged with a HIPAA violation rather than some other criminal violation; she'll plead down to whatever they give her.

Jeff [9:17 AM]

[ Tuesday, May 26, 2009 ]

 

HIPAA enforcement under the HITECH Act: The HITECH provisions in the so-called stimulus bill revise HIPAA and add additional enforcement powers, but how will they really be enforced? We'll have to wait for regulations, but in the interim, the Office of the National Coordinator for Health Information Technology has issued a white paper indicating how it will carry out the new enforcement powers. Unfortunately, there's not much there other than a reiteration of the HITECH provisions. More specifics, please.

Jeff [10:08 AM]

[ Friday, May 22, 2009 ]

 

Tips for Catching Snoopers: This is a pretty useful little article. Bottom line: use honeypots to catch those who are inclined to snoop before they actually snoop on something important. You don't know if your next patient is going to be the Octomom, so you don't know which files to guard more closely. So maybe you should find out who the potential snoopers are, rather than trying to guess which files to guard more closely.

Sort of like the difference between Israeli airport security and American airport security: the Israelis look for bombers; the Americans look for bombs. Our way is much more egalitarian, but theirs is more efficient.

Jeff [9:38 AM]

[ Thursday, May 21, 2009 ]

 

Data Breach, But No Proof of Damages: I just saw an interesting case out of Iowa (via BNA, subscription required), Doe v. Central Iowa Health System, Iowa, No. 07-1017, 5/15/09, where an employee/patient who had attempted suicide sued several hospitals and other providers over improper access to his medical records by coworkers. The jury determined that improper access occurred, but the plaintiff didn't show that the disclosures caused his mental anguish.

I noted early on that the big issue in improper disclosure cases will be the measure of damages (if you violated HIPAA, you've lost the case and are left simply to argue damages). Interestingly, in most cases, there aren't going to be any damages: except for sexual issues, mental health, or drug information, most medical information is pretty damned dull, when you think about it. Wanna see an MRI of my ruptured Achilles tendon from a few years ago? I didn't think so. Here, the case DID involve one of those areas, so you'd think damages would be easy to prove. And I think they would've been, except that the plaintiff did not put on any expert testimony of his mental anguish and the physical effects it had; all he had was his own personal testimony that he lost sleep, became less social, etc. If he had hired an expert psychologist to say how screwed up he was (in other words, if he'd focused on damages), he'd have come out with some judgment cash.


Jeff [12:09 PM]

[ Monday, May 18, 2009 ]

 

Red Flags Rule: I've noted below and in eBriefs that healthcare providers are expected by the FTC to comply with the Red Flags Rule and adopt identity theft prevention programs. You have until August 1 to do so.

Jeff [9:11 AM]

[ Friday, May 15, 2009 ]

 

Octomom Snooping Case: Kaiser hospital fined $250,000 for failing to prevent employees from snooping. Frankly, that seems unfair; the hospital acted pretty quickly to punish the snoopers. . . .

Jeff [8:09 AM]

[ Wednesday, May 13, 2009 ]

 

Totally off topic: Here is the antithesis of the "Scare Force One" fiasco.

Jeff [10:29 AM]

 

More Insider Data Theft: this time, it's Johns Hopkins. Again, the HIPAA issue here is not the medical aspect of the information, but the demographic part that's useful for identity theft.

Jeff [9:35 AM]

[ Monday, May 11, 2009 ]

 

Securing Against the Inside Job: Most of the security focus baked into HIPAA, relating to protecting the PHI you send, use and maintain, is on outside threats. The Virginia prescription drug hacking case is a good recent example. But where is your biggest threat? It's not so much an outsider; most cases of data loss due to outside actors are laptop and PDA thefts, or office break-ins. These are "crackhead" cases, where some criminal is trying to steal saleable assets like computers, not the information that's on those computers. Most likely, the data is scrubbed off at the earliest possible time.

Rather, your biggest threat might be from the insider, who doesn't need to get through your firewall; he/she just needs to log on. You do need task-based rules to prevent your workforce members from accessing what they don't need to access; but if an employee needs access for work purposes, it would be all too easy for them to use that access for illegal or improper purposes.

Jeff [9:33 AM]
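As an added illustration of the two points above (honeypot charts from the "Tips for Catching Snoopers" post and task-based access rules from this one), here is a small detection script that is not from the blog or the linked articles. It assumes a whitespace-delimited EHR access log and uses constructed decoy chart IDs, care-team assignments and log lines.

```python
from collections import defaultdict

# Constructed sample EHR access-log lines: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
2009-05-22T09:01:10 nurse_ak RN P1001 view
2009-05-22T09:03:42 nurse_ak RN P9999 view
2009-05-22T09:04:00 nurse_ak RN P1003 view
2009-05-22T09:05:00 clerk_jm RECORDS P1002 view
2009-05-22T09:07:15 clerk_jm RECORDS P9998 view
2009-05-22T09:07:30 clerk_jm RECORDS P9999 view
2009-05-22T09:10:05 dr_lee MD P1003 view
2009-05-22T09:12:20 dr_lee MD P1004 view
"""

# Decoy ("honeypot") chart IDs (assumed values). No real patient is ever filed
# under these, so any access at all is a snooping signal.
HONEYPOT_PATIENTS = {"P9998", "P9999"}

# Treatment relationships: which charts each user has a work reason to open
# (the "task-based rules" from the post). Assumed data, not from the article.
CARE_TEAM = {
    "nurse_ak": {"P1001"},
    "clerk_jm": {"P1002"},
    "dr_lee": {"P1003", "P1004"},
}

def parse_line(line):
    ts, user, role, patient, action = line.split()
    return {"ts": ts, "user": user, "role": role, "patient": patient, "action": action}

def detect_snooping(log_text, honeypots=HONEYPOT_PATIENTS, care_team=CARE_TEAM):
    """Return alerts as (user, patient, reason) tuples, one per suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["patient"] in honeypots:
            alerts.append((ev["user"], ev["patient"], "honeypot_access"))
        elif ev["patient"] not in care_team.get(ev["user"], set()):
            alerts.append((ev["user"], ev["patient"], "outside_care_team"))
    return alerts

def rank_snoopers(alerts):
    """Count alerts per user so repeat offenders surface first; ties sort by name."""
    counts = defaultdict(int)
    for user, _, _ in alerts:
        counts[user] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    found = detect_snooping(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(rank_snoopers(found))
```

In practice the decoy IDs would be seeded into the live system so the charts look ordinary to a browser, and the alerts would feed the privacy officer's review queue rather than a console.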

[ Tuesday, May 05, 2009 ]

 

Virginia Rx Data Breach, Hackers, and Ransom: It seems some hackers got into the Virginia state program that tracks prescription drug use to try to locate prescription drug abusers and drug-seekers. They took down all the data and left up a ransom note, asking for $10,000,000. Nice.

Jeff [12:23 PM]

[ Monday, May 04, 2009 ]

 

Off Topic: Perhaps the most disturbing thing I've ever seen. Last week I was in New York for the CIT Healthcare Finance Conference, a gathering of small healthcare businesses and potential financing sources, where company executives give short presentations on their companies and then meet with possible investors or lenders. Lunch involved a group of healthcare investment bankers talking about the current state of lending in their particular lending spaces, followed by a question-and-answer session. The first question, or more importantly the response to the question, left me with my mouth gaping, staring around at my dining companions to see if I was the only one so aghast. I even sent myself an email via blackberry as I sat there, stunned, since I needed to digest what had just happened.

The reason I'm reminded to comment is this piece in the Detroit Free Press (via my blogfather).

I've been attending events like this CIT conference for 20 years, going back to the very end of the Reagan administration, and often the lunch presentation will have industry experts giving their take on current events in the industry, followed by question and answer sessions. That's what happened in New York. But at every other such event I've ever been at, the industry experts would say what they thought was good and bad about what the then-current administration was doing. They would state their opinions, and why they thought the administration's moves were right or wrong. They would acknowledge if there was a difference of opinion, and would give the other side its due (but state why, in their opinion, that position was wrong, unworkable, misguided, etc.). Sometimes I'd disagree with the speaker, but at least I'd have learned what they thought and why.

Well, in New York, the very first question after the lunch was basically this: "Is the current administration doing the right thing to revive the economy?" The answer:

First, the moderator just stared at the guy who asked the question. Then he replied to the questioner, "Do you?" The questioner persisted: really, I want to know. The moderator turned to the panel of investment bankers and asked if any of them wanted to tackle the question. They all refused. Nobody would say anything.

I was stunned. Why are these guys afraid to speak their minds? Can they not give an honest opinion, if that opinion is critical of the current administration? Are they afraid of the regulators? Are they afraid that, since they're in the finance business, the government will punish them if they say anything controversial? Were they afraid of the repercussions if someone in the room was an Obama fan? I've never seen anything like it. I still, to some extent, can't believe it.

UPDATE: click the permalink below to see the comments, which are worthwhile. Also, see this, as further to my comment.


Jeff [11:29 PM]
