HIPAA Blog

[ Thursday, July 29, 2010 ]

 

Interesting: The breach notification rule came out in "Interim Final" form on 8/24 of last year, and became effective "as is" thirty days later, on 9/23/09. However, HHS accepted comments for 60 days and, in response to those comments, HHS developed a final rule (i.e., "final final") that they sent to OMB for grading on May 14. Well, today HHS withdrew the final final rule for further consideration, because the issue is "complex." Of course it is.

Jeff [2:31 PM]

[ Wednesday, July 28, 2010 ]

 

Mayo goes all twittery: Lee Aase steps up.

Jeff [10:07 AM]

[ Tuesday, July 27, 2010 ]

 

Rite Aid Data Breach Settlement: $1 Million for throwing prescriptions and labeled pill bottles into regular trash. The problem showed up as a result of some dumpster-diving by local TV news reporters.

Jeff [3:39 PM]

 

New Data Breach Tool: HITECH now requires HIPAA-covered entities and business associates to provide notice to affected parties in the event of data breaches involving unsecured PHI, but not for breaches where there's not a substantial risk of harm. How do you determine whether an incident rises to the level of a breach, or whether a breach carries a risk of harm substantial enough to require notification? IDExperts has a tool, called RADAR (Risk Assessment Documentation And Reporting) that helps covered entities and business associates track and analyze breaches to determine whether notification is required.

Jeff [12:07 PM]

 

State AGs and HIPAA Enforcement: This may be the biggest impact of HITECH -- more enforcers with more incentive to enforce will matter more than bigger penalties.

Jeff [10:53 AM]

[ Monday, July 26, 2010 ]

 

Interesting Stat: I attended a lunch presentation put on by Scott & Scott and Chartis here in Dallas today, and picked up this statistic: roughly 5.8% of American adults have been victims of medical identity theft, with $20,160 being the average cost per victim.

Jeff [11:09 PM]

[ Friday, July 23, 2010 ]

 

Open Notes: A very interesting study coming down the road on whether transparency in medical records is a good idea or not.

Jeff [10:15 AM]

[ Wednesday, July 21, 2010 ]

 

New Regs Highlights: From my soon-to-be copresenter Rebecca Herold and Dom Nicastro, some highlights of the new HIPAA regs that were published in the July 14 Federal Register. I'll have an eAlert on the new regs out probably today or tomorrow.

Jeff [10:47 AM]

 

Big Boston Data Breach: South Shore Hospital sent back-up computer files to an off-site contractor for destruction, but the shipment wasn't received. Data on 800,000 patients and employees might've been in the files. I really doubt anything untoward happened, and it might not even count as a data breach under HIPAA, but there's a Massachusetts data breach law that requires the notification.

Jeff [10:37 AM]

[ Tuesday, July 13, 2010 ]

 

Anonymous no more: The previously unnamed "private practice" data breachers on the HHS big data breach (i.e., > 500 names) web page have now been revealed.

Jeff [2:47 PM]

 

Meaningful Use Rules: the Stimulus bill added financial incentives (both carrots and sticks) to healthcare providers to encourage them to adopt electronic medical record technologies and become "meaningful users" of that technology. What does "meaningful use" mean? The latest regulations are out.

More commentary later; I've still got to finish the HITECH HIPAA rules from last week, which I'll post more on later.

UPDATE: here's HealthLeader's take on winners and losers in the Meaningful Use Rules.

Jeff [10:45 AM]

[ Friday, July 09, 2010 ]

 

Off Topic: over a nice meal of grilled pork chops (yes, it's raining, but you can grill with an umbrella just fine -- in fact, you get to revisit the meal the next couple of times you open up the umbrella), herb rolls and a Greek salad, I've been enjoying this:

It's the Sierra Nevada "Estate" beer, a nutty, malty ale produced from barley and hops grown on the Sierra Nevada brewery property in Chico, California. I highly recommend it. It's a beautiful amber-brown, relatively lightly hopped, with a nice grain sweetness that almost lends a thick granularity to the tongue. Malty like a Fat Tire, but not as cloying, it clears off the palate quickly, leaving a true grain taste behind. Nice.

Jeff [7:35 PM]

 

Regular readers of this blog know that I am occasionally asked to allow a guest blogger to post here. The following is a guest blog post from Alexis Bonari at onlinedegrees.org.

Convenience at the Cost of Privacy: Medical Records in an Electronic Age

When paper documentation was standard, privacy issues were fairly easy to legislate and resolve. With the advent of electronic records, HIPAA legislation became more complex. Still, there are several areas of record keeping that pose potential problems for those who are trying to maintain patient privacy (http://www.privacyrights.org/fs/fs8a-hipaa.htm).


E-mail:
E-mails are easy to send and hard for companies to track. Often, healthcare professionals are tempted to include case information in their e-mails. Once information is sent to an unmonitored e-mail account, it is impossible to determine who is viewing the records. Although hospitals and clinics attempt to limit the information leakage by monitoring employee e-mail, they inevitably miss most privacy breaches.


How long to keep the documents:
Electronic documents are easily erased or stored in the wrong locations. This results in patient records existing for longer than the originally intended duration or being erased. Patients often order their records only to find that those records have been lost in the shuffle of electronic documents. Worse, they find that the documents have been kept on file long after they should have been deleted.


Collections accounts:
Like any other unpaid debt, bills for medical procedures are often sent to collections agencies. After a certain period of time, the bill's late payments show up on your credit report. Until a few years ago, the name of the medical institution owed appeared on your credit report. Anyone who runs a background check can see how much money is owed in delinquent medical bills.


Given enough time, database systems and patient record keeping policies will catch up with the technology and legislation. Until then, hospitals and other healthcare institutions will have to troubleshoot breaches in patient privacy on a case-by-case basis.


Bio: Alexis Bonari is a freelance writer and blog junkie. She is currently a resident blogger at onlinedegrees.org, researching areas of online colleges. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.


Jeff [1:58 PM]

 

From the Data Breach List: Here's some excellent advice from Post & Schell's Edward Shay:

Yesterday, OCR updated its breach notification website [ http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html]
which now summarizes 107 breaches involving 500+ individuals. The numbers are instructive.
Of the 107, there were 67 thefts, of which:
34 were laptops
11 were other portable devices
15 were desktop computers (I'm guessing the newer stuff which is now the size of older laptops).
It would seem that anyone managing risk has to look at these numbers and re-evaluate their approach to securing moveable computer technology in the health care setting--and business associate. The case for encryption and/or track and trace is getting pretty compelling compared to the cost of breach notification.



Jeff [1:35 PM]

[ Thursday, July 08, 2010 ]

 

HHS Presser: Here's the statement from the HHS Press Conference this morning.

Jeff [3:46 PM]

 

HHS Presser: I wanted to ask a question about the "harm" rule, so I pressed *1 and gave my name. I was returned to the press conference, but after the second question, everything went dead. My line is still open, just dead. OK, now they announce that the press conference is over. That's pretty stupid. They didn't say, "Well, we're out of time, thanks for all your questions." They just answered 2 questions (the answers were "no" and "no") and the line went dead.

Well done, guys. I'm sure the rest of your "outreach" and your "listening tour" will be handled just as well. Sheesh.

PS: my question: When the Data Breach interim final rule was published, there was an "Easter Egg" in it for covered entities that suffered a breach of unsecured PHI. If you can reasonably conclude that there's no substantial risk of financial, reputational, or other harm from the breach, you don't have to make a notification. That gives any covered entity almost carte blanche to decide that almost any breach need not be reported. Several congressmen (I think Markey and Waxman included) wrote HHS to say that's not what we intended when we wrote the legislation. My question was whether HHS in this NPRM would follow the congressmen's wishes and walk back the "no harm" rule. The answer is "No," although the subtext of the answer might be that because that was in a different rule-making (an interim final rule rather than a NPRM), if it is addressed, it will be addressed separately. But they gave no indication at all that there would be any walk-back on the "no harm" rule. Party on, Wayne!

Jeff [10:11 AM]

 

HHS Presser: Answering a question from AIS, NPRM does not address Breach Notification Provisions (i.e., the "harm" standard), nor does it address the new accounting for disclosures rules. That will come later.

Jeff [10:05 AM]

 

HHS Presser: Deborah Peel asks a question: Concerned whether NPRM fulfills promises if HHS doesn't even define "privacy." When will a definition be provided? Want to make sure public gets to participate in listening tour.

Answer: we welcome your input. We will consider whether defining privacy is necessary; right now it's not part of the NPRM.

Followup: what are you doing about Data Mining? Answer: with BAs being directly liable, that should help us punish them if they misuse the information. Breach website will help tell when this is happening.

Jeff [9:56 AM]

 

HHS Presser: David Blumenthal (National Coordinator for Health Information Technology, otherwise known as the Office of the National Coordinator, or ONC): More discussion (context) of NPRM and new websites

Goal: interoperable, private and secure Health Information System.

Adding Joy Pritts is a big step.

Net technologies to give patients choice of how to control use of their PHI.

New infrastructure to give advice and support: regional extension centers, HIEs at State level, training HIT workforce under HITECH including education on protecting Privacy and Security.

Working with Howard Schmidt on govt-wide cybersecurity.

National dialogue -- listening tour (ed: ugh.)

Jeff [9:50 AM]

 

HHS Presser: Director of OCR Georgina Verdugo. Announces new Notice of Proposed Rule Making (NPRM) (i.e., the new HIPAA regs), which reinforces HIPAA privacy.

BAs having liability
New limits on fundraising
No sales of PHI
More ability of patients to prevent PHI from being disclosed to Plans (i.e., the "hide" rule)

Huh. So far, sounds like no news (other than what we've been talking about for the last 17 months).

Jeff [9:47 AM]

 

HHS Press conference: ONC has a Chief Privacy Officer, Joy Pritts.

www.hhs.gov/healthprivacy is new website on HHS' privacy page.

Jeff [9:44 AM]

 

HHS Presser: Sebelius: Health IT infrastructure investment is the big government effort, but docs and patients will only participate if info is secure.

New rule out today: most sweeping improvements on Privacy and Security since 2003. How does it improve? Increases penalties. But penalties only apply to plans, providers and clearinghouses. Until now. Under the new rule, BAs can be penalized.

New website logging HIPAA breaches. (Thought this was out there already.)

Jeff [9:41 AM]

 

HHS Presser: this will be my Twitter feed too, so apologies for the multiple posts. K. Sebelius currently speaking -- big obstacle to care = lack of up-to-date info on our health (our financial data is a click away, but our medical records are on paper in a hospital somewhere).

Jeff [9:40 AM]

 

HHS conference call: I'm currently holding. I got at least 6 links to the call, so I suspect they have much more phone traffic than they're used to.

Jeff [9:38 AM]

 

New HIPAA Regs are out: You can see all 234 pages here. The version printed in the Federal Register will be shorter, probably around 100 pages, unless there are charts. Obviously, I haven't had a chance to peruse them, but will in the next day or so, perhaps over the weekend.

Will be on an HHS press conference momentarily, and will post anything interesting.

Jeff [9:22 AM]

[ Wednesday, July 07, 2010 ]

 

Totally, totally off-topic: But this is way too funny. Westboro Baptist Church is a radical Kansas church led by Fred Phelps that protests at completely inappropriate places, like funerals for soldiers, with signs that say things like "God hates fags." Apparently, they think the reason American soldiers die in Iraq and Afghanistan is because America doesn't outlaw homosexual behavior. Or something.

It's an interesting law-school-exam situation of the appropriate limits of free speech. The WBC people have a right to say those things, just as others have a right to say they are nuts/bigots/whatever. But do they have the right to say what they're saying when and where they're saying it? Even if they have the legal right, should they (that's not a legal question, though).

Back during the Bush administration, there was a group called "Protest Warriors" who would counter-protest the anti-war protests with clever signs that said things like, "except for ending slavery, fascism, and communism, WAR NEVER SOLVED ANYTHING" (with the first part in small print). Basically hoisted the protesters on their own petards, mainly with funny signs. They wouldn't engage the protesters, just snidely made fun of them.

Anyway, here's a pretty funny series of photos of what happened when WBC went to Google in San Francisco and protested there. Very, very clever. I love the Rick Roll signs (third picture down, after the embedded video; if you don't know what that is, Google it).

Jeff [11:00 AM]

 

University of Florida: Here's a sort of old-fashioned data breach, printing social security or Medicare numbers on address labels when notices are sent out. I suspect that might violate a Florida state law as well; most states have statutes to prevent printing out full credit card numbers on receipts or social security numbers on other documents.

Jeff [8:22 AM]

 

HealthNet/Connecticut Update: HealthNet has settled with Connecticut AG (and Senate candidate) Richard Blumenthal in regards to its data breach issues. $250,000 plus credit monitoring. Not too bad; they probably paid more than that in legal fees.

UPDATE: More here. And Dom Nicastro reminds me that this is the first action by a state AG since the HITECH revisions to HIPAA gave that power to them.

Jeff [7:51 AM]

[ Tuesday, July 06, 2010 ]

 

Six Messy Database Breaches: the first six months of 2010 had many breaches, but these six highlight some specific issues that might lead to breaches, and should be a focus as you look for ways to secure your systems.

Jeff [11:51 AM]

 

EMRs vs Privacy: More consumer fears outlined.

Jeff [8:27 AM]

 

Lincoln Hospital, NYC: Data breach involving lost data disks.

Jeff [8:24 AM]

[ Friday, July 02, 2010 ]

 

From Dom Nicastro: the OCR list of big data breaches reaches 100 entries.

Jeff [3:51 PM]

 

California Hospital Data Breaches: I noted a few weeks ago that several California hospitals had been fined for breaches of confidential information. Jana Aagaard posted on the AHLA listserve earlier this week a good set of resources to help understand California breach rules, which apply to hospitals and nursing homes but not individual physicians. A copy of the law can be found here. A list of recent penalties imposed by the state can be found here. And some further analysis behind the recent breaches can be found here.

Lots of good info there.

Jeff [12:34 PM]

[ Thursday, July 01, 2010 ]

 

New Link: if you're a Human Resources officer, you might find this HR Daily Advisor interesting.

Jeff [4:52 PM]
