HIPAA Blog

[ Monday, November 30, 2009 ]

 

Medical Identity Theft is on the Rise: According to the Wall Street Journal. It seems likely. But remember, medical identity theft is somewhat a crime of opportunity -- if you don't need medical care, you don't need to steal someone's medical identity. Regular identity theft is profitable regardless of your health situation.

Jeff [8:57 AM]

 

Latest HIPAA Data Breach: Apparently, BCBS of Tennessee is preparing a monster notification effort after a hard drive was stolen at a remote training facility. Based on the story, I'd put it pretty low on the risk scale: the data wasn't encrypted, but it was encoded and scrambled, and the facts make it look like hardware theft, not data theft.

Jeff [8:53 AM]

[ Thursday, November 26, 2009 ]

 

Totally and Ridiculously off-topic, but funny: Frank J's list of things to be thankful for.

Jeff [9:43 AM]

[ Wednesday, November 25, 2009 ]

 

Encryption: More sage advice from Dom Nicastro. Then again, what would you expect, given who he's taking advice from?

Actually, early on in the life of the HIPAA Security Rule, many IT guru types jumped onto the encryption bandwagon with both feet, saying things like "encryption is industry standard and failure to encrypt is per se an unreasonable violation of the Security Rule," or "sending email over the internet in clear text (i.e., unencrypted) is a violation of the Security Rule." Well, the Security Rule has always listed encryption as an addressable implementation specification, not a required one; that means any covered entity must review its operations, practices, capabilities and finances and determine whether it should encrypt, but that it may reasonably determine that encryption is not necessary for structural, organizational, operational, or financial reasons. What it may not do is skip the analysis: the decision, the reasons for it, and any equivalent alternative measure adopted in place of encryption have to be documented. I have consistently advised people that you have to take an honest look, but if you determine that encryption isn't necessary, you don't have to do it.

That reasoning holds true today: you are still Security Rule compliant if you've made this determination. HOWEVER, under the new Data Breach Rules, your obligations upon a data breach are dramatically higher if you do not encrypt. Encryption done properly (meaning encryption that meets the HHS guidance on rendering PHI unusable, unreadable or indecipherable, which points to NIST-approved methods; merely "encoding" or "scrambling" the data doesn't count) will be a "get out of jail free" card if you have a data breach.
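To make the "encoded and scrambled" versus "encrypted" distinction concrete, here is an added example (not code from the blog, and not anything BCBS of Tennessee actually used; the XOR-plus-base64 scheme below is an assumed stand-in for an unspecified encoding). It shows why a reversible encoding gives no safe harbor: anyone holding the drive can undo it with no secret, whereas AES-256-GCM ciphertext is unreadable without the key and any tampering is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// scrambleByte is the fixed "secret" of the stand-in scrambling scheme.
// Assumption: a real "encoded and scrambled" format is unknown; this one is
// illustrative. The point is that it needs no key that the thief lacks.
const scrambleByte = 0x5A

// Scramble XORs every byte with a constant and base64-encodes the result.
// This is encoding, not encryption: it is fully reversible from the data alone.
func Scramble(plain []byte) string {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b ^ scrambleByte
	}
	return base64.StdEncoding.EncodeToString(out)
}

// Unscramble reverses Scramble using nothing but the stored bytes.
func Unscramble(enc string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	for i := range raw {
		raw[i] ^= scrambleByte
	}
	return raw, nil
}

// Encrypt seals plain with AES-256-GCM and returns nonce || ciphertext || tag.
// key must be 32 bytes; a fresh random nonce is generated per record.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt opens a blob produced by Encrypt. A wrong key or a single flipped
// bit in the blob fails the GCM authentication check and returns an error.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real PHI.
	record := []byte("MRN 0001|DOE, JANE|DOB 1970-01-01|DX Z00.00")

	// The "scrambled" drive: recoverable by the thief with no key at all.
	back, _ := Unscramble(Scramble(record))
	fmt.Printf("unscrambled without a key: %s\n", back)

	// The encrypted drive: key lives elsewhere (e.g. TPM, KMS, passphrase).
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key)
	blob, _ := Encrypt(key, record)
	_, err := Decrypt(make([]byte, 32), blob)
	fmt.Printf("decrypt with wrong key: %v\n", err)
	blob[len(blob)-1] ^= 1
	_, err = Decrypt(key, blob)
	fmt.Printf("decrypt after tampering: %v\n", err)
}
```

The practitioner's check before claiming the safe harbor is simple: if the data on the lost device can be recovered from the device alone, as Unscramble does, it was encoded, not encrypted, and the breach notification obligations apply in full.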

I'd call that a game changer.

So, am I guilty of changing my opinions? To quote the only thing Keynes said that was right: "When the facts change, I change my mind. What do you do sir?"

Jeff [12:35 PM]

[ Friday, November 20, 2009 ]

 

Healthcare Reform: Here's a great article. The key point is #3 (which is the point I've made over and over again): the problems with the American healthcare system are the result of OPM ("other people's money").

Jeff [12:30 PM]

 

Speaking of Medical Records: Check out Bob Coffield's blog for a paper medical record, circa 1030. Pretty cool.

Jeff [9:27 AM]

 

EMRs: A study says they don't save money, either. Of course, if you're a physician practice that takes Medicare, you'll lose money if you don't adopt one. D'ya ever notice whenever the government puts unnatural incentives on some economic action, it results in uneconomic activity (viz. "cash for clunkers")? If EMRs add efficiencies and save medical practices money, medical practices will adopt them. When the government tries to skew the natural economic incentives, you get . . . clunkers (for which you have to spend a lot of taxpayer cash).

Jeff [8:42 AM]

[ Thursday, November 19, 2009 ]

 

EMRs: the privacy concerns connected with electronic medical records seem to be getting greater and more visible play these days. There is, no doubt, a trade-off in privacy whenever medical information is in electronic format.

Jeff [5:21 PM]

 

What to do in case of a breach: I've done a lousy job of keeping up with this, but this is the last part of a really nice series by Dom Nicastro on how to avoid breaches, what to do when one happens, and how to follow up.

Jeff [5:09 PM]

[ Monday, November 16, 2009 ]

 

EMRs: So far, the benefits of switching to electronic medical records aren't exactly overwhelming. Something to keep in mind when the debate over healthcare reform starts to overheat.

Jeff [11:09 AM]

 

Ready for HITECH? You are not alone, according to this survey. 94% of healthcare entities aren't ready for the February 2010 effective date of the HITECH revisions to HIPAA. Caution, it's a small sample size, but I suspect most of us have a lot of work to do.

Jeff [11:04 AM]

[ Wednesday, November 11, 2009 ]

 

What if Quizno's Were Run Like Healthcare? This is pretty funny, and goes a long way to explain what's wrong with the healthcare system.

Jeff [11:34 AM]

[ Tuesday, November 10, 2009 ]

 

Anthem BCBS (Connecticut) Data Breach: I noted below that Anthem Blue Cross Blue Shield had a laptop stolen that had data on about 18,000 doctors, including some social security numbers (not PHI, though, so it's [probably] not a HIPAA violation). The information was unencrypted, which was against company policy. Well, the Connecticut AG is on the case, alleging that Anthem acted too slowly in notifying the victims and did not provide enough credit protection to the doctors.

This will be interesting to watch, since it might be a little taste of what we'll be in for when state AGs get to enforce HIPAA.

Jeff [10:31 AM]

[ Thursday, November 05, 2009 ]

 

Interesting Georgia personal representative decision: Well, interesting if you're a HIPAA geek. The Georgia Supreme Court has ruled that a spouse of a deceased person is that person's "personal representative" for HIPAA purposes. It seems the complicating factor in Alvista Healthcare Center v. Miller was the fact that the information was being sought by the surviving wife who was pursuing a wrongful death action on her own behalf against the nursing home, and no executor of the estate of the deceased husband had been appointed yet. The court found no problem with the wife obtaining the records in her capacity as personal representative of her deceased husband and then using the information in connection with her personal cause of action for wrongful death; since she's not a covered entity, the nature of her intended use is irrelevant if she has authority to obtain the information in one capacity or another.

Via BNA. Story here, opinion here (may need a subscription).

Jeff [10:19 AM]

[ Tuesday, November 03, 2009 ]

 

Data Breach experience: Here's an interesting first-person perspective of a data breach victim. Understandable (if not really balanced) concerns about the ability of research organizations to use data without consent.

Jeff [10:57 AM]

[ Monday, November 02, 2009 ]

 

Survey: As I mentioned below, SoftwareAdvice is taking a survey on EMR adoption. They've decided to hold the survey open until Thursday, November 5th to see if they can compile more data. You can take the survey here.

Jeff [11:40 AM]

 

Miami HIPAA/ID Theft sentencing: As noted below, the Miami ID theft ring at Palmetto General Hospital resulted in two convictions of a medical records employee and an outside accomplice. The hospital employee got 2 years and 5 days (?) and the accomplice got 11 months in jail.

Via BNA (subscription required).

Jeff [10:44 AM]
