HIPAA Blog

[ Friday, January 29, 2010 ]

 

Red Flags Update: the AMA is still trying to get physicians exempted from the Red Flags Rule. This week, they sent a letter, co-signed by the American Veterinary Medical Association, the American Osteopathic Association, and the American Dental Association, trying to get tag-along rights on the ABA litigation. As you might know, the ABA sued and won (at the district court) to exempt lawyers from the Red Flags Rule. They all want to be treated the same as the lawyers.

More here.

Jeff [2:37 PM]

 

Port St. Lucie, Florida: medical records found in a dumpster. Apparently thrown out by University Medical Clinics.

Jeff [7:29 AM]

[ Thursday, January 28, 2010 ]

 

Twitter-squatting: You knew it was going to happen. Just as some sneaky (er, entrepreneurial?) folks registered domain names that they knew other businesses would want, and then tried to sell those names to those businesses ("cybersquatting"), apparently some folks are establishing Twitter accounts under brand names, celebrity names, and other names that might be worth something. There are ways to fight it, if somebody's Twitter-squatting on your Twitter name.

Jeff [5:00 PM]

 

Health IT Hacking: Apparently, attempts by hackers to attack healthcare entities increased dramatically in the last quarter of 2009.

Jeff [4:42 PM]

 

Data Breach: This one involves the National Archives, including information on White House staff and visitors.

Jeff [1:10 PM]

[ Wednesday, January 27, 2010 ]

 

Encryption: Since the new data breach rules contain a strong push toward using encryption (only breaches of "unsecured" data need be reported, and encryption is the only recognized way to "secure" data short of destroying it), the question is occasionally raised about whether one sort of encryption is "enough" to qualify. If it's on this list, then it's "encrypted" for HITECH purposes. One caveat that follows from the guidance itself: the safe harbor assumes the decryption key is kept somewhere other than on the device holding the encrypted data. A stolen laptop with the key sitting next to the data is not "secured" in any meaningful sense.

Jeff [12:10 PM]

 

Latest Data Breach involving ambulatory hardware: Methodist Hospital in Houston had a laptop get up and walk away. Apparently the laptop, which was connected to a piece of diagnostic equipment, had information on about 700 patients, including social security numbers (which, I'm pretty certain, Methodist used as patient identifier -- maybe worth thinking about a different identifier).

Jeff [12:06 PM]

 

More on Doctors, email, and the Internet: Also, consider this: most patients use the internet to get medical information, and if they leave the doctor's office unclear about the information they've received, they'll probably look it up online. Should the doctor be available by email to help? Maybe. At the very least, the doctor should be aware of what's on the internet and what their patients might be thinking.

And since a lot of what patients might become exposed to over the internet is social media related, physicians and hospitals should continue to consider their social media stance, and whether/how to use these tools.

As for what patients might be seeing online, physicians should definitely be aware that it might impact the patient input. Jim Pyles contributed the following story to the HIT listserv:

Patient presents with a large red welt on upper arm and says he has looked it up on the internet and that it appears to be a 'spider bite.' Medical student [doing patient intake] takes a history and listens carefully to the patient. Primary care physician [supervising the student] comes in and asks the medical student to give her diagnosis. She says 'spider bite.' The primary care physician says upon merely viewing the welt, 'MRSA.' Correct diagnosis -- severe and progressive MRSA infection.

Lesson for medical student: listen to the patient's symptoms, trust what you see and ignore the patient's self-diagnosis based on internet information. Conclusion -- doctors who rely on patient's self-diagnosis based on internet information do so at their peril.


Jeff [11:52 AM]

 

Physician texting and emailing: I occasionally get questions about whether physicians should use email and/or text messaging to transmit PHI (usually in the context of physicians consulting with each other over a mutual patient), and my usual response is, "if you do, don't use patient names and otherwise de-identify as best you can." It's not secure however you do it, so if it's communication between providers, it's best to just say, "that patient you saw yesterday that I sent you" rather than "Gertrude Jones."

But there's also the question of physicians emailing with patients. That's a harder decision. Every other business operates on email, why not doctors? Partly because the compensation structure works against it; partly because asynchronous communication prevents easy back-and-forth Q&A type discussions which are best between doctors and patients; partly because a doctor needs to see a patient's reaction (including body language) to a statement or question to read into the patient's understanding or veracity; and partly because doctors are afraid that written email might come back to haunt them in a risk management way. However, as you consider whether your doctors should text or email, first consider the need to obtain patient consent to that sort of communication (with full disclosure of the security risks), as well as the likely need to encrypt. Then consider what AHIMA has had to say. Here are some more good thoughts. You might also want to consider the specific hardware and software you use, as this article indicates (I'm not advocating one way or another, mind you).

Jeff [11:38 AM]

 

National Data Bank: David Brailer, the first national health IT coordinator, is apparently rethinking the idea of a single national health information exchange, switching the focus away from a single repository to anything that will get practitioners to share health information (locally, regionally, or otherwise). That's probably wise, given this news that most Americans don't really trust the government with their data anyway.

Jeff [11:33 AM]

[ Tuesday, January 26, 2010 ]

 

Social Media: Most hospitals use it. Few do it well.

Want to find out how to do it better? Attend this.

Jeff [9:54 AM]

[ Friday, January 15, 2010 ]

 

FTC Healthcare Data Breach Notification Forms and Other Information: The so-called Stimulus Bill didn't just add breach notification requirements for HIPAA covered entities, it also required the FTC to get involved. The FTC has published this information for web-based businesses that deal with health information. Good forms at the links.

Jeff [11:56 AM]

[ Thursday, January 14, 2010 ]

 

Tennessee Blue Cross Blue Shield Data Theft: It's not just in Connecticut that hard drives get stolen. It's also happened in Tennessee. 57 hard drives were stolen, containing personal information on as many as half a million people.

Encryption anyone? You've gotta start thinking about it, across the board, for data at rest. Portable drives and laptops are the obvious place to start, since those are what keep getting lost and stolen, but keep the keys off the devices they protect or the exercise buys you nothing.

Jeff [12:41 PM]

 

Free Webinar: on the state of healthcare privacy in the US. Not an endorsement, just for your information.

Jeff [12:00 PM]

[ Wednesday, January 13, 2010 ]

 

Meaningful Use: I still haven't waded fully into this swampy pond, but if you're wrestling with "meaningful use" and the new regulations (you must be a meaningful user of EHR technology to get stimulus money and/or to not be penalized later), this might be a pretty handy chart to tell how you're doing and where you need to focus.

Hat tip: Chris Thorman at Medical Software Advice.

Jeff [6:13 PM]

 

Connecticut data breach: The Connecticut Attorney General is first out of the gate in using the new delegation under HITECH to directly sue a covered entity for a HIPAA violation. HealthNet lost a computer hard drive with unencrypted patient names and social security numbers. The drive was lost in May, but HealthNet didn't start notifying potential victims until the end of November. As far as I've heard, there's no indication that anyone has been harmed, which probably indicates that the drive wasn't accessed. However, that doesn't mean a violation didn't occur. No harm doesn't necessarily mean no foul.

Jeff [6:05 PM]

 

Top 50: This blog is mentioned as a "top 50" blog for hospital administration and business.

Jeff [2:29 PM]

 

Privacy Links: A huge hat-tip to Walter Suarez at Kaiser for posting about this on the AHLA HIT list:
This is some great information if you're looking for state-by-state information.

Jeff [11:11 AM]

 

Things to add to your "to do" list before February 17: You can make this a 12-step program by repeating Step 5 six times. Actually, once you get the process started, it's not particularly legal-intensive. It's just chasing paperwork.

Jeff [11:08 AM]

[ Tuesday, January 12, 2010 ]

 

Social Media Policy: Interesting article on the increasing use of social media by businesses, and the implementation of policies related thereto. Particularly interesting are the sidebars about legal risks. Your social media policy should really be an extension of your HIPAA and other employee communication policies; social media isn't a different thing, it's a different way.

Jeff [10:51 AM]

[ Sunday, January 10, 2010 ]

 

California Snoopin': Former UCLA researcher pleads guilty to 4 criminal counts of violating HIPAA. The Chinese national was accessing patient records of famous people, apparently over 300 times.

Jeff [9:34 PM]

[ Friday, January 08, 2010 ]

 

Changing your NoPP? As you know, the original Privacy Rule required covered entities to adopt a "Notice of Privacy Practices" to tell patients (or beneficiaries, if you're a health plan) how they plan to use and disclose the individuals' PHI. You get this sheet each time you go to a doctor for the first time (it says, almost always in caps and usually bold, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." That's because that's how it was written into the Privacy Rule regs).

The question rattling around the AHLA HIT list today was whether HITECH will require covered entities to revise their NoPPs. There are only 2 areas within HITECH that I can think of that might impact what's disclosed in your NoPP: the "hide" rule and the changes to marketing.

The "hide" rule (as I call it) says that if a patient pays for a service completely out of pocket and asks the provider not to tell his/her insurance company about it, the provider must abide by that wish (and "hide" the service/procedure from the insurance company). Most NoPPs generically state that (i) the covered entity will disclose information to payors and (ii) the patient may request that the covered entity not make certain disclosures and, if the covered entity agrees, it will abide by the request; that would normally be sufficient to meet the "hide" rule requirements.

Most NoPPs either are completely silent on marketing (normally because the covered entity doesn't use the PHI for marketing) or have generic information about possibly using PHI for marketing if legally allowed to do so. In either instance, unless the covered entity has changed its mind and wants to start marketing (in which case a change to the NoPP would be required with or without HITECH), no change to the NoPP would be necessary.

All that said, if you're a covered entity, you probably ought to take a look at your NoPP and make sure it still works for you. It might be that you've changed something about your operations since 2003 and really should catch it up. HOWEVER, if you change your NoPP, just remember that you need to start giving out the new one to all patients; you don't have to actively seek out old patients, unless you're going to use their PHI in a way not allowed under the old NoPP, in which case you do need to send it to them.

Jeff [5:00 PM]

 

"Meaningful Use": HHS published regulations outlining what they mean when they say providers must be "meaningful users" of electronic health records to get stimulus money and avoid penalties. I haven't really dug into them yet, and I'm not sure I will, but I can tell you that they haven't been particularly well-received. The AHA thinks they're way too burdensome.

Jeff [3:08 PM]

[ Thursday, January 07, 2010 ]

 

Is this a HIPAA breach? Governor tweets that he's looking forward to legislature's suggestions for cutting costs. A worker at a state university hospital tweets back, "schedule regular medical exams like everyone else instead of paying [university] employees overtime to do it when clinics are usually closed." Turns out the governor had used a university clinic 3 years ago on a Saturday, resulting in the clinic being staffed when it wouldn't otherwise be staffed.

Yes, it is. The fact that the governor visited the clinic is clearly PHI. This may or may not be a disclosure of that PHI, depending on how oblique you think the reference is, but it certainly is a use of the PHI (the fact of the visit) by the worker. There's no exception for either the disclosure (if there is one) or for the use.

And that's not "slightly snarky;" that's full-blown snark.

Jeff [11:26 AM]

[ Tuesday, January 05, 2010 ]

 

Snoopers, Hackers and Lax Policies: the three biggest (or at least highest-profile) breach areas of 2009, and how to address them in 2010.

Jeff [9:04 AM]

 

Assessing HIPAA risks in a post-HITECH environment.

Jeff [9:02 AM]

[ Monday, January 04, 2010 ]

 

Short HITECH-HIPAA Checklist for the New Year:
  1. Put together a breach notification policy.
  2. Update your business associate agreement form.
  3. Find all your existing business associate agreements and update them.
  4. Educate your staff about HITECH.
  5. Encrypt if you can, or at least where you can.
  6. Have and enforce a sanction policy (could be part of #1).

This is also a good time to review all your HIPAA policies and re-educate your staff. The rules have changed, and the risks are much, much higher.

Hat tip: Dom Nicastro

Jeff [8:41 AM]

[ Friday, January 01, 2010 ]

 

Off Topic/Health Reform: Paging Lee Aase. One of Mayo's Arizona clinics will stop taking new Medicare patients. Why? It pays too little, and they lose money providing the care. Keep this in mind as health reform and the public option continue to be discussed. . . .

Jeff [2:03 PM]
