[ Saturday, October 31, 2009 ]
Red Flags Update: I didn't see this until this morning, but knew it was coming. Sunday is November 1, the date the much-delayed Red Flags Rule would become enforceable against "creditors" (financial institutions, which obviously ought to implement identity theft prevention programs, have been under the Red Flags Rule for about a year). And when the eve of enforcement rolls around, the FTC punts. Which they did yesterday, delaying enforcement all the way to June 1, 2010. This time the delay was requested by members of Congress: the House has already passed, 400-0, legislation removing professional practices with fewer than 20 employees and certain other businesses that meet characteristics indicative of a low risk of ID theft, but the Senate has not moved a bill yet.
Coincidentally, this happened the same day that a Federal Judge ruled that the FTC cannot enforce the Red Flags Rule against attorneys.
Jeff [9:44 AM]
[ Friday, October 30, 2009 ]
Cost-efficient technology: HIPAA issues abound, obviously, but there sure are some good iPhone and smartphone apps that doctors and patients can use that deliver a big bang for the buck.
Jeff [9:48 AM]
[ Thursday, October 29, 2009 ]
Red Flags and Small Businesses: To stop ID theft, businesses need to follow the Red Flags Rule. TJMaxx and other high-profile breaches show that. But is it even more important for small businesses to follow the Red Flags Rule?
Some say so.
Pro: small businesses have less technology, so lower technological defenses against ID theft. They also tend to be more likely to fall victim to social engineering activities. They also can't bear the potential cost of a data breach/ID theft claim, since they have fewer customers to spread that cost/risk over.
Con: they tend to know their customers better and are more likely to ask questions. With fewer customers, they are more likely to notice an aberration, since their customers will fall into a tighter pattern of behavior and account activity. They have less staff to bear the bureaucratic burden of compliance with regulations like the Red Flags Rule.
Arguments both ways.
Jeff [8:54 AM]
[ Wednesday, October 28, 2009 ]
Arkansas Snoopin' update: Sentences have been handed down in the Little Rock, Arkansas snoopin' case, which involved the brutal murder of Ann Pressly, a Little Rock news anchor. A doctor and two hospital employees were caught accessing the medical records of the victim, and have each been sentenced to a year's probation, plus fines and community service.
Jeff [1:38 PM]
EHR Adoption Due to Stimulus Bill Provisions: Have the EHR provisions in the so-called Stimulus Bill impacted your decision and/or timing about adopting electronic medical records? The folks at SoftwareAdvice are surveying folks to see if the statutory changes caused healthcare providers to take action, or just go looking. Go take the survey if you have any insights.
Jeff [11:14 AM]
5 Vulnerabilities that Lead to Identity Theft: Interesting article in InfoWeek's Dark Reading on areas to watch for ID theft. I thought it would be about specific items and behaviors that could pose risks, but it's more global than that. Interestingly, #5 is "Healthcare."
Jeff [8:41 AM]
[ Monday, October 26, 2009 ]
Curb Your Enthusiasm: The digitization of medical records is not the cure-all some claim it will be. As with just about every other component of the health reform debate, nothing will be as good (the public option will end the uninsured problem), bad (death panels will kill grandma), or efficient (cutting fraud and abuse will save $500 billion) as the most vocal proponents/critics say. Here, the Washington Post points out that not everyone thinks electronic medical records are a panacea.
Jeff [10:20 AM]
[ Thursday, October 22, 2009 ]
Cost of a (non-HIPAA) Data Breach: FTC fines ChoicePoint $275,000 for 2008 breach.
Jeff [9:54 AM]
[ Wednesday, October 21, 2009 ]
Hospital bans Facebook: New England Baptist Hospital has banned its employees from using Facebook at work over privacy and time-wasting concerns. The second concern is definitely apt; as for the first, that's probably punishing the medium when the message is the potential problem. It's an interesting dilemma for all businesses, but the privacy/patient information issue is particularly relevant for healthcare concerns. Ultimately, every organization needs a social media policy.
Jeff [7:34 AM]
[ Tuesday, October 20, 2009 ]
Red Flag Reduction Reax: Some disagree with the new legislation to exempt small providers from the Red Flags Rule.
Jeff [8:57 AM]
[ Monday, October 19, 2009 ]
Second Life: Interesting article on Children's Memorial Hospital in Chicago's use of Second Life for training and peer support for disabled patients. I'm still not very sure how to purposefully navigate through Second Life: I have an identity there and an avatar that looks nothing like me, thankfully, but have never had any successful interactions there. Is there a "Second Life for Dummies" site somewhere?
Jeff [8:03 AM]
[ Thursday, October 15, 2009 ]
RED FLAGS UPDATE: In case you're following the Red Flags issue (the latest FTC compliance date was shifted to November 1), here's some big, big news: The House Financial Services Committee has quickly (and without Republican objection) moved forward a bill that would fully exempt healthcare, legal, and accounting firms with fewer than 20 employees from the definition of "creditor" under the Red Flags Rule. It will also allow any company to seek an exemption directly from the FTC.
You can read below (and here, here and here) some of my other posts, but the gist is this: The FTC passed rules required by Congress under FACTA that require financial services companies and "creditors" to adopt identity theft prevention programs designed to spot "red flags" indicating that a customer may be a victim of identity theft. "Creditors" is broadly defined, so the AMA wrote a letter to the FTC asking for clarification that doctors aren't "creditors" generally. The FTC wrote back and said almost all doctors are, which started a war of words between the FTC and the AMA (and a bunch of other physician organizations), but which also led the FTC to serially delay the effective date of the Red Flags Rule. Further, the ABA took a more direct route, suing the FTC to remove lawyers from the definition of "creditors." As far as I know, the AICPA has sat on the sidelines, figuring they'll get the benefit of the efforts of the doctors and lawyers.
This Congressional action will settle the matter for small practices of lawyers, doctors and accountants, but won't impact the issue for larger organizations. It will be interesting to see if conceding the fight for the majority of AMA members will cool the AMA's lather; I don't suspect this will have any impact on the ABA lawsuit.
UPDATE: the bill to limit the applicability of the Red Flags Rule to companies with 20 or more employees has passed the House. However, there's no companion legislation in the Senate at this time, so it might just die where it is.
UPDATE 2: should've mentioned that it passed the House 400-0. Can't they get someone in the Senate to pick it up?
Jeff [9:48 AM]
[ Tuesday, October 06, 2009 ]
Express Scripts: a successful 2008 hack into the pharmacy benefits management company's database might have exposed the personal information of 700,000 people.
Jeff [11:57 AM]
FTC Endorsement Rule: In light of the (unconstitutional) FTC guidance published yesterday requiring bloggers to disclose any compensation for endorsement, let me state that anyone listed under the "Advertisers" to the left has paid for that spot. Most of the "Links" are unpaid, but some might've plied me with liquor. Rest assured, the grand total of what I've been paid in cash for posts or links during the entire 7.5-year run of this blog is less than what I charge for an hour of my time.
UPDATE: Like I was sayin': read Jarvis.
Jeff [9:29 AM]
[ Monday, October 05, 2009 ]
70,000,000 Records; Is That a Lot? The National Archives hosts a database that allows veterans to request copies of their medical records and discharge data. One of the hard drives went out, so the Archives sent it to the contractor to fix. The contractor couldn't fix it, so it sent it to another contractor to recycle. Unfortunately, nobody scrubbed the data off of the drive, which may hold medical information and social security numbers for up to 70 million people. After all of the Stimulus Bill and Healthcare Reform talk of billions and trillions of dollars, I'm a little dazed, but it still seems like 70 million is a lot of folks. Of course, so far there's no indication that the information actually fell into the wrong hands, nor is there proof of just how much information was out there (tags like "up to" or "as many as" are pretty much red herrings), and the last time the VA had a big data breach, nothing came of it. But still, not something you want to see.
Jeff [1:50 PM]
Not what we intended: Congressmen react to Secretary Sebelius' "no harm" standard for notifying of data breach. Apparently, that's too loose a standard for the Congressmen, who did not intend for HHS to give away such a big escape hatch for data breachers.
Jeff [1:45 PM]
Data breach for physicians: Here's a twist. Yeah, it's the same old story of the stolen laptop, but this time the information was physician info (including some social security numbers), lost by an insurance company.
Jeff [7:38 AM]
[ Thursday, October 01, 2009 ]
Bookmark this Permalink: HHS has published its instructions for submitting a notice of a data breach involving PHI here. Count the number of affected individuals and follow the instructions.
Jeff [4:55 PM]