[ Wednesday, April 28, 2010 ]
Zhou goes to jail: 4 months for California Snoopin'. But he didn't just look at celebrity records; he also looked at the medical records of the boss who fired him. That's creepier.
Jeff [5:01 PM]
Like a lot of other things: Costs of data breaches are much higher in the US.
Jeff [4:38 PM]
[ Monday, April 26, 2010 ]
Social Media: This is a little off-topic, but I occasionally speak on the particular privacy issues raised by the use of social media in healthcare marketing. Gienna Shaw at Healthleaders has an interesting article on how to choose your social media coordinator and strategy.
Jeff [11:05 AM]
[ Wednesday, April 21, 2010 ]
Mass. Eye and Ear Data Breach: Interesting story. A Mass. Eye and Ear Infirmary doctor was lecturing in South Korea and his laptop was stolen. The data was password protected, the computer had LoJack on it, and an automatic hard-drive scrubber that could be activated in case of emergency (although some commentators have noted that the hard-drive eraser won't work until the computer is connected to the internet). They have notified the individuals affected, put a notice on their website, and published this press release. The data almost certainly wasn't compromised, and didn't contain really bad stuff like Social Security numbers. Sounds like Mass Eye and Ear did a bang-up job.
But...
If they had encrypted, rather than password-protected, they wouldn't have to put out the notice, do the press release, or otherwise deal with any of this. There are no data breach notification requirements if the data is "secure," and if it's encrypted, it's secure.
One tiny extra step would have really saved them time, money, frustration, damage to reputation, etc.
Jeff [11:42 AM]
[ Thursday, April 15, 2010 ]
Why no names? I recently posted that some folks are unhappy that, when HHS lists the covered entities with data breaches involving over 500 people, they don't always list the name of the entity. In some cases, they just say it's a "private practice" without saying which private practice. Dom Nicastro has ferreted out an answer why HHS does that -- they're applying the Privacy Act of 1974 (what? there was privacy before HIPAA?), which says they can only release the name if the covered entity gives its approval.
UPDATE (or, Nicastro gets results): the ferreting out has resulted in a change of heart on HHS' part -- they will now list the names. According to HHS, the Privacy Act allows them to list the entity's name without consent only for a purpose that is "compatible with the purpose(s) for which the information was collected." Is disclosing the names compatible with the purpose for which the information was collected? I guess it depends on why you think HHS is collecting information on >500 person disclosures. Is it to shame the disclosers? To warn the general public about possible disclosures, to the extent the general public dealt with those entities? Is it to give an anonymized snapshot of just how much data leakage there is? If it's the first 2, then HHS could, under the Privacy Act, name names. If the purpose of the data breach list is just to give a blind idea of how bad privacy protection is all over, then they can't name names.
Whichever the answer is (who knows? I guess only Congress knows), HHS has defaulted from naming names being contrary to the purpose(s) of the list, to being part of the purpose(s) of the list.
In other words, HHS will now name names.
Jeff [2:49 AM]
New HIPAA Regs one step closer: Earlier this week, HHS' Office of Civil Rights sent their draft of new HIPAA regulations to the Office of Management and Budget for review. These are the regs that we've all been awaiting, which should give us some specifics on what we need to do with business associate agreements, along with guidance on how to comply with all of the other provisions in the HITECH Act.
UPDATE: Dom explains it all.
Jeff [2:41 AM]
[ Tuesday, April 13, 2010 ]
Interesting NIST paper: This publication from NIST is a good, common-sense discussion of how to properly protect "personally identifiable information." It's not specifically HIPAA-oriented, but it sure makes sense when you do a risk analysis (which you should be doing regularly under the Security Rule; you know that, right?). Figure out what you've got, don't keep what you don't need, categorize based on impact value, and protect accordingly. They quote McGeorge Bundy: "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." True.
Hat tip: Alan Goldberg
Jeff [11:18 AM]
[ Monday, April 12, 2010 ]
The AMA jumps on the encryption bandwagon: When the Security Rule initially came out in the spring of 2003 (and became effective April 2005), the question of encryption was an "addressable" one -- in other words, encryption was not required. Covered entities had to consider whether it was necessary, but if the entity determined it was not, the entity did not have to adopt encryption technologies. I occasionally advised clients that they did not have to adopt encryption technology, even though some in the industry said it had become "industry standard" and therefore was really necessary. I disagreed; depending on the context, safe data transfer practices would be sufficient.
HITECH changed that (actually, the regulations defining "secured" data under HITECH). The new data breach rules give you a "get out of jail free" card, and that card is encryption: that's because, if you encrypt, you can avoid the data breach disclosure problem. Data breaches must be disclosed to the individual and HHS, but only if the data is unsecured; and HHS defines "secure" to mean encrypted. In fact, encryption is really the only way to secure PHI.
The AMA has now taken a similar stance. As you can see from this, physicians and physician practices should look again at encryption technology and adopt it if possible. You should consider it for data in transit or at rest. It's not free, but it may save you a ton of money and embarrassment in the long run if your data breaches are not reportable.
Jeff [11:19 AM]
HIPAA (but not privacy) News: there's a part of HIPAA that prevents health plans from discriminating based on health condition (to keep insurers from cherry-picking or charging more for those with worse health conditions). The regulations for the nondiscrimination provisions are co-written by HHS, the IRS, and the Dept. of Labor, since they tend to impact those administrations. And the major focus is on "wellness plans," making sure they aren't surrogates for discriminating, where "wellness" is code for "healthier."
As originally drafted, the benefit an insurer (typically an employer) could give a beneficiary (typically an employee) as a bonus for complying with a wellness plan was an amount equal to 20% of the total premium (what the employer pays plus what the employee pays). The PPACA (the health reform law) has now increased that benefit to 30%.
Jeff [8:56 AM]
[ Thursday, April 08, 2010 ]
Non-HIPAA Data Breach News: Customers of Countrywide Financial have sued the company for allowing employees to steal and sell personal information.
Jeff [11:18 AM]
[ Tuesday, April 06, 2010 ]
John Muir Data Breach: 2 stolen laptops with password-protected but apparently not encrypted data means 4,500 notifications.
Jeff [8:53 AM]
[ Friday, April 02, 2010 ]
Florida Identity Theft from Cancer Patients: There are no HIPAA claims made here, although the case looks pretty identical (other than in terms of scale) to the Gibson case. Pretty despicable; if they're guilty, I hope they get long sentences.
Jeff [5:18 PM]