HIPAA Blog

[ Tuesday, August 31, 2010 ]

 

EHR Certification Companies: To meet the meaningful use rules, you'll need to have an EHR that is certified as being compliant. Who does the certifying? HHS has named 2 companies as qualified to do so: some fly-by-night organization out of Chicago called CCHIT, and an Austin company that you know, as soon as you hear the name, is a good group.

Jeff [2:31 PM]

[ Thursday, August 26, 2010 ]

 

More on the "harm" threshold (and its possible demise): During this past week, the AHLA "HIT list" listserv has buzzed with commentary on the "harm" threshold (in large part started by the NYT article mentioned here), whether it should even be in there (or is an unconstitutional expansion of the statute beyond the capacity of HHS to enact), and whether it's a good idea even if it can be instituted via regulation. Dom Nicastro has a nice article comparing the California breach notification statute, which is a net that catches all, to the HIPAA breach notification provisions, which allow the "no harm" breaches to be excluded from the reporting requirement. Virtually all of the California healthcare breaches reported to the state were not reported to HHS under the "harm" standard (although it's possible some were not reported because they fit into one of the other HIPAA exceptions to reporting). Which means either we need the "harm" threshold to prevent useless and unnecessary reporting, OR we must get rid of the "harm" threshold because it is abused in its use.

Jeff [9:39 AM]

[ Tuesday, August 24, 2010 ]

 

IT Contracts: If you are a healthcare provider, you will likely be buying IT products and services in the very near future (hardware, software, services, etc.). It will also probably come as no surprise to you that the contracts your vendors and sellers will propose to you will actually offer you little or no protection. You might want to consider lawyering up, particularly with someone who is used to dealing with software contracts. Also, these questions might be a useful starting point.

PS: Steve Fox, you owe me a beer.

Jeff [9:10 AM]

[ Monday, August 23, 2010 ]

 

End of the "Harm" standard? As I predicted below, the NYT implies that the reason the final Breach Notification Rule was pulled from publication is to remove the "harm" standard. Of course, it's a ridiculously editorialized "news" article. Just can't play it straight, can they? Has to be a good Democrat, evil Republican/hospital/insurance company story. . . . Most doctors like having the "harm" standard, but they don't fit the "evil" mold for the NYT.

Actually, if they pull the "harm" standard, they'll probably have to allow comment and delay final enforcement.

Jeff [9:16 AM]

[ Friday, August 20, 2010 ]

 

I am not surprised: Health Care Data Breaches Lag Other Industries. First of all, health care industry participants already have a culture of privacy that goes back to Hippocrates. They're used to maintaining confidentiality. Also, so much of medical data is useless from a data theft standpoint. Why would you want to know about my gall bladder? And if you're looking for data to steal that would be worth something to you, you'd target industries where all the data that companies have on their customers are names, addresses, and account or credit card numbers. My MasterCard number from Home Depot is worth a lot more than my cholesterol numbers from my doctor.

Jeff [8:53 AM]

[ Thursday, August 19, 2010 ]

 

Survey Says: Preventing data breaches is the greatest concern of hospital IT folks as they consider migrating to EMR systems.

Jeff [5:00 PM]

 

Tiger Team Report Out: The HIT Policy Committee's "tiger team" has published some recommended privacy and security policies in connection with the federal government's EMR push.

Jeff [4:10 PM]

 

Richard Blumenthal Strikes Again: the Connecticut AG is investigating Yale Medical School in connection with the theft of a laptop containing PHI of 1000 patients. He got $250,000 out of HealthNet, wonder what he'll take here. . . .

Jeff [4:06 PM]

[ Wednesday, August 18, 2010 ]

 

The "Other" HIPAA (transaction and code sets news): I don't usually blog about this part of HIPAA, partly because it is pretty static and boring, and partly because I don't really know or understand the technical nuts and bolts of it. But the "standardized forms" that were generated and are required for use under HIPAA are in for an update (they are going from the 4010 series of standard transactions to the 5010 series). Transactions will go live in 5010 starting January 1, 2011, and everyone will have to switch from 4010 to 5010 by January 1, 2012.

If this impacts you, check with your medical billing and coding specialist or vendors to make sure they're ready for the switch.

Jeff [3:25 PM]

 

Red Flags Update: The Council of Medical Specialty Societies has joined the AMA lawsuit to stop the application of the Red Flags Rule to physician practices.

Jeff [3:21 PM]

 

Just because I want to post the headline: Database Threat Modeling and Strip Poker

Jeff [3:18 PM]

 

Cost of Healthcare Data Breaches So Far? How about over $800,000,000 in total?

Jeff [3:13 PM]

[ Tuesday, August 17, 2010 ]

 

What to do when you get breached? Infoweek has an interesting article on the topic. Not HIPAA-specific, but interesting.

Jeff [8:18 AM]

[ Monday, August 16, 2010 ]

 

Missing, but not Breached: This is a pretty bizarre story. A veteran discovered a lot of his medical records missing from the VA. Apparently, a rogue employee at the Milwaukee VFW, which assists veterans in dealing with the VA, decided to take the office paperless by shredding a lot of records of the veterans managed by them. But the missing records are medical records the VA should have, not the limited records the VFW might have, and the VA is standing by its medical record management process; they say they never had those records.

The data wasn't disclosed, so there's not a breach; and since there's no breach, there's no obligation to report under HITECH. But there is likely an improper use under HIPAA.

Hat tip: John Moehrke

Jeff [8:18 AM]

[ Friday, August 13, 2010 ]

 

More Bad Trash Policy: Someone found medical records from four community hospitals in the Boston area dumped without shredding at a town dump. A news photographer saw the huge pile of paper, and investigated mainly because he was mad it wasn't being recycled. Looks like the billing company for the pathology service might be the problem.

Jeff [7:12 AM]

[ Thursday, August 12, 2010 ]

 

Mighty oaks from tiny acorns grow: Those small policy breaches sometimes are the genesis of some spectacular data breaches. Something for compliance folks to keep in mind.

Jeff [9:02 AM]

[ Friday, August 06, 2010 ]

 

Physician Practice Data Breaches: Joe Cantlupe talks about physicians and data breaches. The doctor is a victim (of a burglary or cyber intrusion), but is also responsible for the rest of the victims. Two big take-aways: encryption and the ability to audit access (who looked at what patient files).

Jeff [9:19 AM]

[ Thursday, August 05, 2010 ]

 

Now Walgreens: On the heels of big fines against CVS and Rite Aid, the third drugstore cowboy is also under OCR investigation. Dom Nicastro is all over this story.

UPDATE: If you want to know what these companies should've done, here's some advice.

Jeff [9:58 AM]

[ Wednesday, August 04, 2010 ]

 

Rite Aid: Infoweek's Security Blog chimes in.

Jeff [7:07 AM]
