[ Tuesday, June 30, 2009 ]
Arkansas Snoopin': Two hospital employees and a staff doctor
have been charged with illegally accessing patient records in the case of a Little Rock news anchor who was brutally murdered. The case is in Federal court, but the article does not indicate whether the charges are being brought under HIPAA or some other statute. I'll keep you posted.
Jeff [3:29 PM]
NIH comment site: The National Institutes of Health have responded, in a way, to the
report by the Health Privacy Project of the Center for Democracy and Technology on the need for better de-identification of PHI when it's used in research or for public health by setting up a
comment site where interested participants can discuss the matter.
Jeff [9:24 AM]
Physician email: as more and more payors agree to pay for it, doctors are conducting
more online communications with their patients. But you had better have a secure connection and use encryption technologies.
Jeff [9:19 AM]
[ Monday, June 29, 2009 ]
HIPAA Sanctions Policy: As
noted here, HITECH reiterated and refined the tiered penalty structure of HIPAA itself, and it's probably a good idea for every covered entity to have a tiered sanction policy for employees, staff and others who violate HIPAA. You do have a sanctions policy, don't you?
Jeff [9:42 AM]
[ Tuesday, June 23, 2009 ]
Wired Patient Rights: I absolutely agree with this: ". . . informed, motivated patients must play a much greater role in managing their own health if the policy goals of improving the quality of care and curbing costs are to be achieved."
More individual responsibility will be the greatest, if not the only, driver of improvements to the healthcare system. If there is no expectation that individuals will be responsible (financially, personally, emotionally) for the state of their health and the financing of their care, there will be no governor on the cost or care or its financing.
Jeff [8:46 AM]
Business Associates: Interesting
article on the issues HITECH has raised regarding business associates. Two interesting points: "many" experts think business associates won't be ready to comply directly with HIPAA, and some covered entities don't even know who all their BAs are. Huh? Most BAs know they must provide privacy and confidentiality if they deal with medical records as part of their normal business; virtually all have signed business associate agreements specifically requiring them to do so. And frankly, there's not that big a difference between being contractually obligated to comply (at risk of losing your business revenue) and being directly obligated (at risk of an enforcement action). In fact, I'm willing to bet there have been a lot more contract terminations due to HIPAA breaches than enforcement actions. Also, covered entities tend to be compliance-aware; they know their businesses are highly regulated, and they know to keep up with that. I'd suspect most CEs have done a pretty good job making sure their BAs all are under BAA contracts.
Jeff [8:26 AM]
[ Thursday, June 18, 2009 ]
Healthcare Reform: This is a little off-topic, but not too far. I'm often asked what I think about the various health reform proposals. I haven't had a chance to draft out my ideas and issues on health reform, despite promising several folks I would do so. I will, though, soon. In the meantime, I think
this is a worthwhile outlining of the issues raised, at least by the Kennedy plan. More to come.
Jeff [10:09 AM]
[ Wednesday, June 17, 2009 ]
Physician Data Breaches: According to the AMA, physicians have an ethical duty to report electronic medical record breaches to affected patients.
Jeff [1:12 PM]
[ Tuesday, June 16, 2009 ]
Cedars Sinai employee steals data, goes to jail. Jessica Hardwick didn't tell me about
this.
Jeff [9:53 PM]
[ Monday, June 15, 2009 ]
4 HITECH areas to act on now: It's hard to say what you should be doing specifically without regs being issued, but
these are all good points.
Jeff [9:26 AM]
Social Media and Healthcare: I'll be speaking in a few hours on the legal implications of using social media and Web 2.0 platforms for marketing healthcare services, but noticed this
timely report from the Pew Research Center. 61% of adults do internet research for healthcare purposes. They're also using social media tools to find information and disseminate what they've found. The related research links are also very interesting.
Jeff [5:25 AM]
[ Friday, June 12, 2009 ]
Red Flags FAQ: The group of federal regulatory agencies (the FTC and a bunch of financial regulators like the FDIC) that put out the Red Flags Rule have
issued FAQs. I've skimmed but haven't read them yet; however, I wanted to pass this along anyway. There's nothing specific about physicians or other medical providers.
Jeff [8:25 AM]
[ Thursday, June 11, 2009 ]
One Year in Jail: a woman who works at a
medical clinic accesses her friend's sister-in-law's medical records (because the friend and sister-in-law are fighting) and finds out the sister-in-law has HIV/AIDS. The woman posts that info on her MySpace page. She's caught, fired, . . . and sentenced to 1 year in jail for "unauthorized computer access."
I feel sorry for the woman, but I do like the deterrent effect.
Jeff [2:49 PM]
Online enrollment required: Under the health reform packages being considered, all health plans will have to have online enrollment. At least that's the part of healthcare reform you'd expect
InformationWeek to find newsworthy.
Jeff [7:48 AM]
[ Monday, June 08, 2009 ]
Ross Martin, M.D.: Holy. Freakin. Cow.
This is amazing. And all you need to know about HITECH.
Jeff [5:44 PM]
[ Thursday, June 04, 2009 ]
Creepy story from
Sears.
Jeff [6:14 PM]
[ Tuesday, June 02, 2009 ]
CVS: You may remember that CVS got tagged with a $2+ million fine for failing to protect patient data (mainly, they dumped records). Now, they've
announced some of their plans to improve their operations and better protect the information. Of course, shredding is a big part.
The HITECH provisions of the so-called Stimulus Bill require covered entities to publicly report data breaches of "unsecured" PHI, which HHS has defined as all data that isn't encrypted or destroyed. As I noted below, hard copies of data can't be encrypted, and unless you're done with them entirely, they can't be destroyed. But if you ARE done with them, then destruction is basically required; that means shredding of paper documents. And it seems like CVS got the message.
Jeff [9:54 AM]
[ Monday, June 01, 2009 ]
New Advertiser: please welcome my new advertiser,
AIG Direct Health Insurance. If you're looking for an individual insurance policy, this is a good place to go.
Jeff [6:10 PM]