HIPAA Blog

[ Monday, December 28, 2009 ]

 

User Authentication: With HITECH adding new emphasis on HIPAA, particularly security issues that can prevent a data breach (or at least the reporting requirements), many covered entities are re-thinking their need to encrypt PHI. That's now a very good idea, even if it's costly or a hassle. But you should also revisit your authentication protocols. You've obviously got usernames and passwords, but is that enough? Perhaps not. Here's an interesting article on different types of secondary authentication methods, some of which sound very easy and pretty cool.

Jeff [10:20 AM]

[ Wednesday, December 23, 2009 ]

 

Pretty Interesting: Or scary. The 9 Coolest Hacks of 2009.

Jeff [11:29 AM]

[ Thursday, December 17, 2009 ]

 

Off Topic (purchasing health insurance): I got a tip to this survey from a reader. Are you purchasing insurance in the individual market, or on behalf of a small employer? You might want to look at this survey; I suspect the sellers of health insurance are aware of how this information changes hands and is used by purchasers of insurance.

Jeff [11:40 AM]

 

New Hampshire: Wentworth-Douglass Hospital in Dover, NH is hip-deep in an apparent data breach problem. As noted here, someone was improperly accessing data in the hospital's pathology records and changing the information. The hospital investigated the breach and notified doctors whose patients' records were accessed, but did not notify the patients. Now, according to BNA (subscription required), CMS is investigating. There seem to be two issues at play here that are instructive for HIPAA covered entities: first, it seems that the investigation has ramped up not because the breach was particularly bad (although changing pathology data can sure be disastrous), but because the hospital didn't respond correctly. Secondly, the catalyst for the investigation seems to be the claim by a couple of pathologists that they were retaliated against by the hospital for reporting the breach and demanding action. This proves two points: first, accidents (and hackers) happen, and nobody expects perfection. Your efforts to prevent it up front must be good, but failure isn't proof that they weren't. But HIPAA compliance doesn't end when you adopt reasonable precautions through good policies and procedures. You must react to those breaches that do occur, and your reaction must be reasonable too. Secondly, always remember that it's those within the castle walls that can cause you the most trouble. External hackers do exist, but in most cases there's an "inside man" that either initiates the problem (see the Gibson case) or perhaps unwittingly leverages it (see the UCSF story from yesterday). Always cover your flank -- if there's a constituency or individual pushing for a particular response to a HIPAA problem, make sure their issues are addressed. That doesn't mean you have to do what they say, but be aware that if you don't (or if they feel their concerns were neglected or improperly dealt with), they might be your ultimate problem.

Jeff [9:16 AM]

[ Wednesday, December 16, 2009 ]

 

Red Flags Update: In case you haven't looked lately, check out the FTC's Red Flags Rule page, where there are several click-through programs, including a video program and the template for low-risk businesses. I'm on a conference call right now with an FTC person, and her unofficial feel is that the reason for the latest delay is to allow the FTC to decide how to respond to the ABA case and whether/how to appeal. I think they're still trying to figure out if Congress will act further as well. The Red Flags program won't go away; it's just a question of whether you are a "creditor" according to the definition. From a HIPAA standpoint, much of what the Red Flags Rule does nicely dovetails with what all covered entities should be doing from a privacy and security standpoint; so, I'm not telling you what to do, but you might consider whether an Identity Theft Protection Program is a good idea, regardless of whether the Red Flags Rule does (or should) apply to you.

Jeff [11:29 AM]

 

UCSF Data Breach: Apparently, there was a successful "phishing" incursion into the records of about 600 University of California - San Francisco patients. The data was accessed because a UCSF Medical School physician inadvertently disclosed his user name and password in response to a phony email asking for the information (the typical "phishing" attack). This goes to show that sometimes, "social engineering" makes your humans your weakest link.

Jeff [11:20 AM]

 

More slightly-off-topic: Those of us who deal with HIPAA privacy issues often have to overflow into other privacy laws, particularly Gramm-Leach-Bliley, which protects personal information in the financial context. The various federal agencies with GLB responsibilities recently issued a joint model privacy notice form.

Jeff [11:12 AM]

 

Slightly Off-Topic: Here's a list of the Top 9 data breaches for the last year involving banks and other financial institutions. The geographic and stylistic breadth of the breaches is interesting. Remember, privacy and security systems are only as strong as their weakest link.

Hat tip: Chris Volkmer, John Podvin.

Jeff [11:08 AM]

[ Tuesday, December 15, 2009 ]

 

Keeping Up with HIPAA: How do you know that you're current with your HIPAA risk assessments? We've got new law that will be enforceable in a couple of months, with very few regulations. Neither the law nor the regulations will say what specific steps, processes, programs or hardware you might need. How do you know that you've done enough to be compliant?

There's no good answer to that question, other than Justice Stevens' "know it when you see it" standard. HIPAA isn't specific with regard to technology or process; rather, it's "scalable." That's both a feature and a bug: it allows the market and industry to adapt and develop best solutions, but it also prevents individual participants from knowing with certainty that they've met the minimum requirement.

Ultimately, you've got to work hard enough and make good enough decisions. Consult with the right people within and outside your organization, know where you are/what you've got/where you need to go, and go there. Security is a process, not a place.

Jeff [10:38 AM]

[ Monday, December 14, 2009 ]

 

Got paper? Paper-based data breaches are on the rise, which raises two issues. First, the new HITECH data breach reporting rules only apply to "unsecured" data, so a breach of "secured" data need not be reported. Unfortunately, with paper records, the only way to "secure" is to "destroy," making the records useless to both intended and unintended users. So if there's a paper record data breach, it's reportable. Second, most states followed the lead of California and adopted state data breach notification laws (focusing on personal or financial information, which usually includes health information but not exclusively), but in many of those states (Texas, for example), the data breach law specifically addresses computerized records. There are often other state laws that require careful handling of records that contain personal information (i.e., shredding before dumpstering), but many breach notification laws only address electronic or computerized information.

Jeff [8:56 AM]

[ Friday, December 11, 2009 ]

 

Federal Data Breach Law? As you know, California started the trend of general-business data breach notification laws, with most other states following. Now, a bill has passed the US House that would impose a federal data-breach law. Don't know if it's really needed, given state efforts already, and don't know if it would be harsher than the HITECH data breach rules, but something to keep an eye on. (Of course, the Senate's doing nothing but healthcare these days -- won't even pick up the small-company Red Flags relief bill that passed the House unanimously).

Jeff [8:19 AM]

[ Wednesday, December 09, 2009 ]

 

Houston Snoopin': The Harris County Hospital District, which runs Ben Taub Hospital, the Level 1 trauma center and huge public hospital, has fired 16 employees for snoopin'. A medical school resident who was assigned to Ben Taub was shot in a grocery store parking lot and rushed to Ben Taub. Lots of folks who probably knew the young doc but weren't involved in her care checked out her chart, and got fired for it.

Pretty severe sanction, but probably intended to send a message -- don't snoop, dawg.

Well, I didn't intend this to be my 1500th post, but this is it. 7.75 years writing this blog . . . .

Jeff [7:31 AM]
