HIPAA Blog

[ Tuesday, June 29, 2010 ]

 

Wellpoint Data Breach: almost half a million potential exposures. This seems to be linked to the Anthem Blue Cross data breach I reported Friday.

UPDATE: more here and here.

Jeff [9:26 PM]

[ Saturday, June 26, 2010 ]

 

Red Flags and Doctors: The FTC has agreed to hold off enforcing the Red Flags Rule, which requires financial institutions and "creditors" to adopt anti-ID theft policies, against physicians until the American Bar Association's challenge is finally ruled on. Under the original rule, doctors, lawyers, and anyone else who takes payment after services have been performed may be considered a "creditor," a rather expansive reading by the FTC. The ABA filed suit against the FTC, demanding that the Red Flags Rule not include lawyers in the definition of "creditors." The American Medical Association and other physician groups instead resorted to a letter-writing campaign to keep the FTC from applying the Red Flags Rule to physicians. The ABA suit led to a quick judicial determination that lawyers are not covered by the Rule; the FTC has appealed. The AMA finally saw the light and also filed suit; the court initially required the FTC to hold off on applying the Rule to doctors until the suit was over, and the FTC agreed to delay enforcement of the Rule to at least December 1, 2010.

However, the FTC has now agreed to exempt doctors until the ABA appeal is finalized. If the lawyers win on appeal, expect physicians to be exempted as well.

Jeff [10:19 AM]

[ Friday, June 25, 2010 ]

 

Anthem Blue Cross data breach: Insurance application information (including social security numbers) involving residents of the LA area may have been accessed by attorneys suing Anthem Blue Cross in a class action lawsuit. As many as 230,000 people may have been affected. I doubt there will be any ID theft issues coming from this, and I'm not sure if there's even a HIPAA issue (depending on the information that was out there), but it's still a black eye for Anthem.

Jeff [10:09 AM]

[ Thursday, June 24, 2010 ]

 

Playing Defense: What types of activities do you monitor in your computer systems and medical records to ensure that your HIPAA policies and procedures are being met? Gartner is putting on a free webinar next Tuesday outlining 10 database activities you should monitor to uncover and prevent data breaches. You should consider attending if this is an issue for you.

Jeff [10:37 AM]

[ Wednesday, June 23, 2010 ]

 

The New Regs are Coming!! Word is that July 8 will be the publication date. That is later than I predicted -- I thought we'd see them in time to take them to the beach to read over the July 4 weekend.

Hat tip: Jud DeLoss

UPDATE: via Dom Nicastro.

Jeff [4:00 PM]

[ Friday, June 18, 2010 ]

 

Interesting: Microsoft establishes centralized fraud alert system for reporting stolen data. Will be good for researchers to determine vulnerabilities and track impact of lost and stolen data.

Jeff [1:51 PM]

[ Thursday, June 17, 2010 ]

 

Nice mention: on a list of blogs and articles about understanding HIPAA.

Jeff [11:29 AM]

[ Wednesday, June 16, 2010 ]

 

Red Flags Update: BNA is reporting that the FTC will agree to exempt health care providers from the Red Flags Rule requirements while the AMA's lawsuit against the FTC proceeds. Doesn't mean they're giving up entirely, just that while the suit is ongoing, the Rule isn't applicable to doctors.

Jeff [3:43 PM]

[ Monday, June 14, 2010 ]

 

What a Lovely Audience!
I'm in Chicago (Evanston, actually) at the Health Care New Media Marketing Conference, put on by Q1 Productions.

Jeff [11:39 AM]

 

From Dark Reading: Tips on interfacing with law enforcement after a data breach. Not much that's concrete, and it would've been nice to be at that conference, but it's worth thinking about. If you're a big provider, you really should be prepared for the when, rather than the if, of a data breach.

Jeff [8:54 AM]

[ Friday, June 11, 2010 ]

 

Five California Hospitals fined for data breaches (via BNA; subscription required). Fines range from $25,000 to $325,000, and mainly relate to the facilities' failure to prevent unauthorized access by their own employees. Can't tell for sure if these are snooping cases or something more.

UPDATE: Here's the story for free, if you're not a BNA subscriber.

UPDATE 2: At least the UCLA hospital case involved snoopin' -- on Michael Jackson's records.

Jeff [5:33 AM]

[ Wednesday, June 09, 2010 ]

 

Big Merger in Health IT: Misys was one of the original medical information systems companies to offer electronic medical record platforms, and merged some time ago with Allscripts, which originally focused on IT in the prescription medicine business. Now, AllscriptsMisys is merging with Eclipsys, another player in the EMR realm.

One of the hurdles for EMR adoption (and healthcare IT generally) is interoperability -- whether systems can communicate with each other, so a patient with several different providers doesn't need multiple EMRs, and the EMRs of the various providers can communicate with one another so that changes to one are picked up in the others. There's a bit of a chicken-and-egg issue with this as well: we want the best system to survive in the market, not have an artificial choice foisted upon us (think VHS vs Beta, or WordPerfect vs Word), but it's hard to get a product in use over a large enough population to prevent too many varieties.

This merger may turn out to be a major turning point in the standardization of EMR systems.

Jeff [9:07 AM]

 

Social Media Risks: I'm gearing up for my speech in Chicago next week, so I'm thinking about social media issues. I just came across this whitepaper on the top five risks to businesses pursuing a social media strategy, from the IT pro group ISACA. Their basic premise: social networking is here to stay and is a necessary part of business; you can't stop your employees from Facebooking and Twittering, but you can control and manage them; it's much better to approach it from the aspect of managing, controlling and directing than trying to block or suppress. The top five: viruses/malware, records management control, content control, brand hijacking, and managing consumer expectations. The first five have obvious HIPAA implications, particularly records management. At any rate, if you've got any social media marketing presence, you need to integrate your HIPAA policies and procedures into it and make sure they all jibe.

Jeff [8:56 AM]

[ Tuesday, June 08, 2010 ]

 

Data Breach Examiner: I recently had the chance to meet with Rick Kam and Christine Arevalo of ID Experts. ID Experts assists clients in dealing with data breaches, both of the HIPAA variety and the commercial variety. They can assist with determining the extent and scope of the damage, notifying affected individuals, and coordinating the entire response in a way that complies with appropriate state and federal laws.

One thing they do is provide an email newsletter called Data Breach Examiner; volume 2 arrived in my email box this morning. It's a tremendous resource; unfortunately it's subscription only and apparently not on the website anywhere (although you can subscribe for free there). The lead story tells how good triage can improve a data breach outcome.

Highly recommended.

Jeff [6:04 PM]

[ Monday, June 07, 2010 ]

 

Learn something new every day: thanks to Jim Brashear of ZixCorp, I now know that there's a statute in Massachusetts requiring that anyone who owns or licenses personal information (first name or initial + last name + social security, driver's license, financial account, credit card, or similar number) have a comprehensive information security program and establish and maintain a security system for its computers that, at a minimum, encrypts all personal information transmitted on public networks or wirelessly, or that resides on laptops or portable devices.

Driving more toward encryption . . . .
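Before you can encrypt "all personal information" on laptops and in transit, you have to know which records contain it. As an added illustration (this is not code from the blog, from ZixCorp, or from the Massachusetts regulators), here is a small Python scanner that applies the Massachusetts definition quoted above (201 CMR 17.00): a first name or initial plus a last name, in combination with a Social Security, driver's license, or financial account/card number. The SSN and card-number checks are standard formats plus a Luhn check; the driver's-license pattern, the name heuristic, and the sample records are constructed assumptions for the example, and a real deployment would tune them for its own data.

```python
"""Heuristic scanner for "personal information" under the Massachusetts
definition quoted on the page: (first name or initial + last name) AND at
least one of SSN / driver's license / financial account or card number.

Added example, not from the original post. The regexes below are
assumptions suitable for a demo, not a certified DLP engine.
"""
from __future__ import annotations

import re

# SSN: nnn-nn-nnnn, excluding area numbers that are never issued (000, 666,
# 900-999), group 00 and serial 0000. Standard structural rules.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card / account number: 13-19 digits, optionally separated by spaces or
# hyphens. Candidates are confirmed with a Luhn check to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# ASSUMPTION: license format "S" + 8 digits (a common Massachusetts form);
# other states use other formats, so extend this for your own population.
DL_RE = re.compile(r"\bS\d{8}\b")

# Name heuristic: "Maria Gonzalez" or "J. Rivera". Deliberately loose; it
# over-matches any capitalised pair ("Blue Cross"), which is the safe
# direction for a classifier that decides what gets encrypted.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+(?:-[A-Z][a-z]+)?\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return the statutory identifiers found in `text`, keyed by kind."""
    found = {
        "ssn": SSN_RE.findall(text),
        "driver_license": DL_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_ok(m)],
    }
    return {kind: hits for kind, hits in found.items() if hits}


def is_personal_information(text: str) -> bool:
    """Statutory test: a name AND at least one identifier in the same record.

    A bare SSN with no name, or a name with no identifier, is not
    "personal information" under the definition (though you may still
    choose to protect it).
    """
    return bool(NAME_RE.search(text)) and bool(find_identifiers(text))


# Constructed sample records (not real people or real numbers).
# 4111 1111 1111 1111 is a well-known Luhn-valid test card number.
SAMPLE_RECORDS = [
    "Patient: Maria Gonzalez, SSN 123-45-6789",
    "Callback for J. Rivera re: card 4111 1111 1111 1111",
    "DL on file S12345678 for Priya Nair",
    "Refund to card 4111 1111 1111 1112, no name on file",   # fails Luhn
    "Follow-up appointment for Thomas Lee next Tuesday",     # name only
    "ssn 234-56-7890 found on a loose worksheet, no name attached",
]


def classify_records(records: list[str]) -> list[dict]:
    """Label each record; records flagged True must be encrypted when they
    sit on a laptop/portable device or cross a public or wireless network."""
    return [
        {
            "record": r,
            "personal_information": is_personal_information(r),
            "identifiers": find_identifiers(r),
        }
        for r in records
    ]


if __name__ == "__main__":
    for row in classify_records(SAMPLE_RECORDS):
        flag = "ENCRYPT" if row["personal_information"] else "ok     "
        print(f"{flag}  {row['record']}  {row['identifiers']}")
```

The important design point is the conjunction: the statute is triggered by the combination of a name and an identifier, so the scanner reports a record only when both are present, and it rejects card-shaped digit strings that fail the Luhn check so that claim numbers and phone numbers do not drive a flood of false positives. Run it over an export of a laptop's document folders or a mail spool to get a first cut at what the encryption requirement actually covers.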

Jeff [4:42 PM]

[ Friday, June 04, 2010 ]

 

HIPAA limits on ex parte contacts: Interesting Georgia case just reported by BNA (subscription required). Lawyers for a medical malpractice defendant hospital wanted to talk to the physicians who had treated plaintiff. Georgia law permits that access where the plaintiff has put his medical condition at issue in the litigation. However, HIPAA states that the disclosure should be subject to a protective order, wherein the party receiving the information agrees that it will only be used in connection with the litigation and will be returned or destroyed when the litigation is over. The Georgia Supreme Court allowed the hospital to have access to the physicians (noting that the physicians were not compelled to participate or produce information) but noted that the protective order should limit the disclosure of the PHI to that information relevant to the medical condition the plaintiff put into issue in the lawsuit.

Obviously, the plaintiff's lawyers wouldn't want those discussions to be ex parte; they'd want to be there to know what the doctors are telling the defendant. But it seems, in Georgia, if a plaintiff puts his medical condition at issue in a lawsuit, his doctors can talk to the defendant's lawyers if they want to, as long as there's a sufficiently closely drawn protective order on file in the case.

Jeff [2:03 AM]

[ Thursday, June 03, 2010 ]

 

Physicians, Hospitals sharing medical records online: It's definitely a growing trend, and there's a lot to recommend using web-based tools rather than hosting your own server. But there are obvious HIPAA issues (even though Gienna only gets to them at the end): how do you protect that information? What processes and procedures does the service provider have in place? Presumably everything is encrypted in storage and in transit. . . .

Jeff [8:59 AM]

[ Wednesday, June 02, 2010 ]

 

Maybe: Should doctors be exempt from the Red Flags Rule?

Jeff [12:37 PM]
