[ Wednesday, February 24, 2010 ]
How Secure Are You? As evidenced by the Galveston case I posted on yesterday, this story from the FTC should serve as a wake-up call that you need to make sure your employees aren't using your work computers to access peer-to-peer file sharing for their personal stuff. That can provide a link, intentionally or not, for someone to access your system and potentially get into your customers' data.
I've been working on lots of policies and procedures over the last few weeks (get yours updated if you haven't already), and most of mine include policies on employees not using email or internet access for non-business purposes. If your policies say this, now may be a good time to reiterate it and start enforcing it. The lesson from the FTC couldn't be more clear. . . .
Jeff [9:13 AM]
[ Monday, February 22, 2010 ]
When Rogue Employees Attack: a data/identity thief goes after UT Medical Branch (Galveston) patients, taking a job with a billing contractor to get access to patient identity data.
Jeff [11:23 PM]
Publicly-Disclosed Data Breaches: As you should know, the data breach reporting requirements have been effective since September; if you're a covered entity and suffered a data breach, you needed to report to the individual and, if it involved 500 or more people, to HHS and the local media. HHS is then obligated to annually post the data breaches reported to it.
And now they have.
Check out the data breaches. What strikes me is what I've always called the "crackhead" issue -- see how many are computer thefts. I'd bet every one of those resulted in no disclosed information, since all of those computers were probably immediately scrubbed of any information so they could be fenced.
UPDATE: not everyone is pleased with the level of detail provided by HHS in its report.
Jeff [9:25 PM]
Effectiveness vs Enforcement. I spent some time Friday discussing with a reporter the distinction between a statute becoming effective and it being enforced. Apparently, there's been some stir in the air, at the least generated by the appearance of some HHS folks at various venues explaining HHS' lack of regulations on the business associate provisions of HITECH (which became effective on Wednesday, 2/17/10). It seems that, in the face of questions such as, "how can you enforce this provision when you haven't given us regs yet," the administrators have indicated that they are delaying the enforcement of the BAA regs. Other lawyers definitively have that impression.
However, others in the administration want to be absolutely clear that there's no delay in the effectiveness of the regs, and that enforcement and effectiveness don't necessarily mean the same things. But they all also scrupulously state, at the beginning of any public appearance, that they aren't speaking on behalf of the agency and don't bind the agency by what they say.
All this means that (i) the enforcement date for the BAA provisions of HITECH was last Wednesday, and if you don't have your BAAs revised, you could be in violation of HIPAA (there is a school of thought that says HITECH automatically amended every BAA, so even if you didn't amend it yourself, consider it amended); (ii) it's probably unlikely that HHS or OCR is going to start subjecting laggard covered entities to the Spanish Inquisition, given that they couldn't get their stuff done in time either; but (iii) that's not a total get-out-of-jail-free card, just a mitigating factor. Remember, HITECH gave us new HIPAA enforcers in the 50 states' Attorneys General (and gives a financial incentive to the wronged individuals whose data is compromised), so even if HHS gives an "honor among thieves" pass to those who fail to fix their BAAs, you can't count on others to let you off the hook.
Just sayin'.
Jeff [12:23 AM]
[ Thursday, February 18, 2010 ]
HITECH due dates: You saw my post yesterday -- it was the due date for most of the HITECH revisions to HIPAA. However, I've been asked a couple of times in the last few days when certain parts of the HIPAA revisions are applicable, specifically the data breach rules. The HITECH act itself says the Secretary must post regs within 180 days, and that the rules will be applicable 30 days after the regs are posted. However, the Secretary posted the data breach interim rule September 23, but gave 180 days for compliance (I guess they were applicable October 22, but weren't actually required to be complied with for 5 more months).
At any rate, AHIMA has a chart showing the due dates for various HITECH provisions. Good stuff.
Jeff [2:05 PM]
[ Wednesday, February 17, 2010 ]
Today is the Day. One year ago, February 17, 2009, the President signed the American Recovery and Reinvestment Act of 2009 ("ARRA"), sometimes called the Stimulus Bill. Within ARRA was an act with the clever acronymic name of the Health Information Technology for Economic and Clinical Health Act (or "HITECH"), which contained a number of health-technology-wish-list items like financial incentives for the adoption of electronic health records, health technology infrastructure grants, and a dramatic expansion of HIPAA. Much of the HIPAA expansion becomes effective TODAY. If you are a covered entity, you must (i) make sure your Business Associate Agreements are in line with the HITECH requirements, (ii) make sure you are prepared to investigate and report any data breaches, and (iii) make sure your policies and procedures are sufficient.
If you are a business associate, HIPAA now applies directly to you. You must abide by the restrictions that are required to be in business associate agreements, even if you haven't actually entered into those agreements (which probably means that you are just as liable as the covered entity for the failure to enter into a business associate agreement). You are now required to comply with the HIPAA Security Rule, which means you must run a risk analysis and adopt policies and procedures to institutionalize the administrative, technical and physical safeguards necessary to protect the confidentiality, integrity, and availability of the information.
Failure to do so means you are in violation of HIPAA. There hasn't been much enforcement of HIPAA in the past, except where extreme violations or other obvious crimes have been committed. However, HITECH also (i) increased the potential fines for HIPAA violations, (ii) allows your state Attorney General to enforce HIPAA against you, and (iii) allows the injured individual to get a piece of the pie if there's a financial recovery. Because of this, you can bet there will be more HIPAA enforcement, and particularly more penalties.
So:
- Fix your Business Associate Agreements
- Set up data breach notification investigation/action plans
- Fix/adopt policies and procedures.
The costs for failing to do so will be much higher than they were in the past.
Jeff [11:08 AM]
[ Tuesday, February 16, 2010 ]
Another Top 50 Blogs Listing: This time for nursing assistants.
Jeff [2:52 PM]
[ Monday, February 15, 2010 ]
Illinois school dental records: A question from the audience:
Here in Illinois, the public schools require all students in 2nd grade (and a couple others) to furnish proof of dental checkups, along with some diagnosis information on a form to be signed by the dentist. This bugs the crap out of me -- it's none of their damn business! My question to you is, can the dentist provide this information to the school district absent my consent? If not, then it seems to me that the IL legislature is conditioning attendance at public schools with giving up your rights under federal law. Does this sound reasonable?
"Can they do it?" and "Is it reasonable?" aren't exactly the same question. HIPAA allows disclosures of PHI without consent or authorization to the extent required by state law. It's not uncommon for schools to condition enrollment on the student having current vaccinations. There's clearly a public health connection there that I don't really see with dental checkups (one kid won't catch a cavity from another, while she may catch TB). However, it seems that the state could argue some compelling interest for the dental record requirement, and the requirement would be legally (and Constitutionally) valid.
Whether the dentist can directly provide the information, rather than requiring the parents to provide it or not enroll their child in school, depends on how the law is drafted. But if the law required dentists to report, I believe it would pass HIPAA muster.
Jeff [11:25 AM]
[ Friday, February 12, 2010 ]
Winkler County, Texas Nurses Trial: The two nurses accused of improperly disclosing government information (patient records) have been acquitted. The nurses were charged in connection with their reporting of a doctor on the State Medical Board, and including patient information in their report to the Board. It's pretty surprising that such a case would be brought, and unless the reporting is really in egregiously bad faith, reporting should not be prosecuted.
Seems like the nurses didn't like the doctor and had an axe to grind. But, it also seems that common sense prevailed. The Board never comments on investigations, but the fact that it's not currently proceeding against the doctor probably means the process worked the way it should.
Jeff [12:33 PM]
[ Wednesday, February 10, 2010 ]
HIPAA's Relevance: How dare she ask this question? Actually, the concern that OCR isn't doing much/enough rests on the assumption that there are a lot of violations that aren't being pursued. What if most healthcare providers and health plans actually are good stewards of the privacy and confidentiality of their patients and beneficiaries? But the real reason why some of us care about HIPAA (and why you should), other than that privacy really is important in its own right, is because (i) individual State Attorneys General can now enforce HIPAA, and (ii) injured individuals can get a slice of the recovery pie. OCR may be slow to act, but they're no longer the only sheriff in town.
Jeff [1:41 PM]
[ Tuesday, February 09, 2010 ]
California Data Breach: Social Security numbers were printed on the outside of envelopes sent to about 50,000 Adult Day Health Care program participants.
Jeff [9:14 AM]
[ Friday, February 05, 2010 ]
New HIPAA Privacy and Security Rules On the Way? According to Sue McAndrew, OCR's Deputy Director for Health Information Privacy, who spoke at the 18th National HIPAA Summit this week, a "proposed HIPAA privacy and security rule" is forthcoming, and Ms. McAndrew was surprised it hasn't been published yet. Keep your eyes peeled; I wonder if it will impact the impending February 17 compliance date?
Via BNA (subscription required).
Jeff [10:25 AM]
[ Thursday, February 04, 2010 ]
Five HIPAA Stumbling Blocks: From Chris Apgar, via Dom Nicastro:
- No risk analysis
- No policies and procedures
- No training
- No compliance audits
- No disaster/recovery plans
Right now, I'm revising a lot of policies and procedures prior to the February 17 deadline, and many, many folks never did a risk analysis. Most covered entities have policies and procedures, but they were part of their original Privacy Rule compliance effort, and many of those don't have any of the policies required by the Security Rule.
With February 17 looming, now is a good time to dust those off and get them up to snuff.
Jeff [10:37 AM]
[ Wednesday, February 03, 2010 ]
A nice mention: Top 50 Health IT blogs.
Jeff [7:37 PM]
EMR useful info: Are you in the process of acquiring an electronic medical record system? If you don't already have one, you should at least be looking into this. Here's a useful list of tips to help you save money while you do so.
Jeff [12:32 PM]
[ Monday, February 01, 2010 ]
Non-HIPAA Breach in Alaska: PwC loses state retirement data.
Jeff [11:15 AM]