HIPAA Blog

[ Friday, February 25, 2011 ]

 

Fasten Your Seat Belts: OCR is definitely planning on tightening up HIPAA requirements, as well as ratcheting up penalties. So said Adam Greene at the HIMSS conference.

Jeff [5:21 PM]

[ Thursday, February 24, 2011 ]

 

4.9 Million Patients suffered data breaches in the first year of HITECH, according to this report. Encryption would've solved a lot of those breaches; under the HITECH breach notification rules, PHI that is encrypted in line with the HHS guidance isn't "unsecured" PHI, so a lost laptop or thumb drive holding only encrypted data isn't a reportable breach in the first place.

Jeff [5:56 PM]

 

OCR is OAR (on a roll): Mass General and its physician organization have just agreed to a $1 million settlement with OCR over HIPAA violations stemming from an incident where a Mass General employee left a scheduling chart on a subway train. The records, which were never recovered, included names and medical record numbers of HIV/AIDS patients.

Hat tip: Theresa Defino

Jeff [12:08 PM]

[ Wednesday, February 23, 2011 ]

 

Fine and Dandy: More on the Cignet fine, from Dom Nicastro. He's also got an article up on business associate agreements and HITECH.

Jeff [11:46 AM]

[ Tuesday, February 22, 2011 ]

 

Can You Hear Me Now? $4,300,000!!

OCR has issued a civil penalty for a series of HIPAA violations by Cignet Health of Maryland. Cignet apparently refused to turn over protected health information to individuals when they requested it; 41 separate complaints came from 41 different individuals. More importantly, Cignet apparently completely failed to cooperate with OCR, and obstructed the investigations. OCR had to go to federal court to get Cignet to respond to its subpoena for information. After OCR took a default judgment, Cignet surrendered the requested records, but did nothing to actually address the complaints.

This is the first ever civil penalty imposed by OCR under HIPAA, and it's obviously a monster. A few other entities have agreed to settlements, and some have been tagged by state Attorneys General for HIPAA violations (under HITECH's dispersal of power to enforce). And there have been some criminal prosecutions. But OCR hadn't handed out a true fine until now. It's also useful to note that this fine takes advantage of the increased penalties under HITECH, particularly the multiplier for "willful neglect."

I don't know what the heck was going on at Cignet, but failing to cooperate with an OCR investigation (much less failing to address customer complaints that raise HIPAA issues) is staggeringly stupid. For years, I've been waiting and hoping that OCR would find the right case and spank somebody, so that it would shake some other healthcare industry participants out of their HIPAA stupor and encourage all to take a closer look at compliance. This may just do the trick.

In the immortal words of Keanu Reeves: "Whoa."

UPDATE: More here. And here.

UPDATE II: still more reaction here.

Jeff [2:17 PM]

[ Monday, February 21, 2011 ]

 

Guest Post: Occasionally other bloggers ask if they can cross-post on the HIPAA Blog. The following guest contribution was submitted by Jamie Davis, who specializes in writing about masters degrees. Questions and comments can be sent to: davis.jamie17@gmail.com.


Odd HIPAA News: Privacy for Pets?

Those well-versed in HIPAA should find the following story pretty amusing (don't worry it turns out okay). The Washington Post recently reported on an incident involving a woman and a dog and the dog's vet refusing to release the dog's health records.

The Post tells the story of a woman, Lynn Westrope, who was out delivering papers when a dog on a leash nipped her on the thigh despite the dog-walker's efforts to prevent it. Westrope was okay, just a minor wound, but she did want to check on the dog's rabies history, so the dog-walker gave her the vet's phone number.

Here is where it gets interesting. Upon calling the vet, Westrope was informed that the vet could not release the dog's medical information without the consent of the owner, who was, unfortunately, away on vacation and couldn't be reached.

She was stunned. Westrope told The Post, "He said, 'I'm sorry. I legally cannot give you the information without the express permission of the owner.'"

Ashley Hughes, a vet from the animal hospital, was also quoted, saying, "It's somewhat like a person's medical records, in that they have to be released by the owner of the dog. So if the dog's owner had called us or called to say it was okay to give this woman the information, it wouldn't have been a problem."

But when asked if it was a legal requirement, Hughes said it wasn't. It was just "common practice."

So, for those of you who must deal with HIPAA on a daily basis, imagine the further complications you would have to wade through if suddenly this became a constant issue! Or, try this: imagine if the entire privacy issue regarding everyone's health records was just managed via 'common sense'!

Of course, Westrope's comment might say it best. When asked what she thought about the whole situation, she told The Post, "It’s pretty absurd."

But everything worked out in the end for Westrope: the dog was rabies free.

Jeff [9:07 AM]

 

The Doctor will Tweet You Now: Not really; hopefully no doctors actually tweet with or regarding patients, at least not regarding patient-physician issues. Most doctors who tweet do discuss medicine, but not specific patients.

Jeff [9:00 AM]

[ Wednesday, February 16, 2011 ]

 

Cloud Computing and Security: I attended a presentation yesterday on cloud computing for businesses, and came away feeling a little less panicked about the issue of security with cloud computing, mainly because the cloud computing folks know it's an issue even though cloud infrastructure itself doesn't address it. Rather, participants using cloud computing retain responsibility for "compliance" (which would include HIPAA for covered entities, Sarbanes-Oxley for publicly traded companies, PATRIOT Act issues for companies trading overseas, etc.), and address it the same way they would with any vulnerable data -- mainly encryption. One caveat worth keeping in mind: encryption only helps if you, not the cloud provider, control the keys; if the provider holds both the data and the keys, you've just moved the PHI (and the risk) onto someone else's server. Here's a pretty good 2-part analysis of cloud computing and security, looking at the 3 main cloud configurations (IaaS, PaaS, and SaaS). Don't forget to click on part 2, though.

Jeff [2:19 PM]

 

Healthcare Social Media Sites: A recent report analyzed a handful of social media sites designed for diabetes sufferers, and found that they lacked quality control of the information provided, as well as privacy and security protections for personal information. So be careful out there; those bloggers and twitterers aren't covered by HIPAA (well, most of them aren't).

Jeff [2:14 PM]

[ Tuesday, February 15, 2011 ]

 

Half of all Americans Concerned about Medical Record Security: Or as this article says, "only" half are. More are concerned about security relating to their social security number, banking data, and general contact information. Of course, medical records often contain the first and third areas of concern. . . .

Jeff [1:40 PM]

[ Monday, February 14, 2011 ]

 

The Bronx: A big data breach in the Bronx. The story doesn't make clear what medium the data was in when it was stolen, but it seems to be a vendor's fault. Who leaves a van full of data unlocked and unattended in New York City?

Jeff [10:48 AM]

[ Sunday, February 13, 2011 ]

 

Homeland Security: This is interesting, from the standpoint of understanding how your favorite government handles sensitive personally identifiable information. Obviously, HHS is going to deal with a lot of sensitive information, so their guidelines are useful. It's PII, not PHI, but the policies on how you identify and protect the information are relevant to HIPAA-covered entities too.

Jeff [9:56 AM]

 

OT: Connecticut Facebook Case. Slightly off topic, but I occasionally speak on social media issues. Healthcare entities should have policies and procedures for dealing with social media, both from the standpoint of how the entity uses or allows the use of social media in the active operations of the entity (having a Facebook page) and how employees use social media while on the clock (whether to block or allow Facebook access). This is particularly important for healthcare entities, due to potential HIPAA issues. But as this case indicates, you should also consider one for after-hours use of Facebook. And obviously, know what you can and can't do with that policy.

Jeff [9:40 AM]

[ Friday, February 11, 2011 ]

 

Current state of Data Breaches: there have been a lot reported to HHS.

Jeff [11:03 AM]

 

Accounting Rule is Coming: There was a lot of buzz in the HIPAAsphere yesterday about the announcement by OMB that HHS was about to publish a rule relating to the obligation of Covered Entities (CEs) to account for disclosures of PHI, as changed by HITECH. I wasn't going to write on it until the rule is actually published, but it's getting some press so I thought I should say something.

The original HIPAA Privacy Rule contained a provision requiring CEs to account for all disclosures of PHI; however, there are exceptions to the accounting requirement for disclosures for treatment, payment, or healthcare operations, disclosures directly to the individual, and disclosures pursuant to an authorization (this, in fact, effectively excludes from the accounting requirement nearly all of the disclosures in most patient files). If you don't know, HITECH has a provision that removes the exception to the accounting requirement for disclosures relating to treatment, payment, and healthcare operations if the CE uses an Electronic Health Record (EHR). In other words, HITECH requires CEs that use EHRs to account for all disclosures for treatment, payment, and healthcare operations.

It seems obvious to me that the reason this was inserted into HITECH was based on the understanding by the statute-writers that any EHR will automatically tally the disclosures for treatment, payment, and healthcare operations, so accounting for them won't be a problem. Unfortunately, as we've come to find out, this just isn't true for most EHRs -- most do not have this functionality.

So, it will be very interesting to see how HHS deals with this in the regulations. The good news is that almost nobody ever requests an accounting of disclosures. The bad news is that HIPAA doesn't care if nobody asks, it still requires that you be able to do it if they do.

This is an old problem with HIPAA: an apparent lack of understanding of the industry by the people writing the statutes and regulations (to the great credit of the regulation writers at HHS, the problems really are with the statutes, not the regulations, and the reg writers are just stuck trying to put lipstick on pigs). In the original HIPAA statute, "health plans" were included as "covered entities;" this is interesting, since most corporate health plans and ERISA plans aren't "entities" at all in the common meaning of that term. Most ERISA plans are just that: plans. A flight plan, a floor plan, an evacuation plan; those are plans, not entities. They can't provide notices or adopt policies and procedures. Same with ERISA plans -- they are really a set of documents, not an entity. But HIPAA treats them like they are a thing, not an idea. I believe that the statute drafters in 1996 didn't know what they were talking about; they thought any health plan was an insurance plan, and therefore was an insurance company. The reg writers crafted the regulations to fix this problem, with references to "plan sponsors" and the like, but the underlying disconnect is still there.

Same with the EHR accounting rules. It's based on a faulty understanding of what EHRs can do. And while much of HITECH and healthcare reform is supposed to promote and encourage use of EHRs, things like this add heavy, stupid and useless burdens to those folks who are trying to comply. I dunno, but maybe if somebody had taken the time to READ THE BILL before passing it, this might've come up. Maybe not, but it would've been worth a try.

If it's true that we get the government we deserve, we must've done something really bad.

Jeff [10:23 AM]

[ Thursday, February 10, 2011 ]

 

I'm number 1: At least according to this survey. What's that phrase about "faint praise"?

UPDATE: actually, I shouldn't be so flippant, there are some pretty good folks on that list. Just none doing it as long as me.

UPDATE II: I made another list -- Healthsprocket's 46 Healthcare Blogs for Professionals. Today's just my day.

Jeff [11:35 AM]

[ Wednesday, February 09, 2011 ]

 

Medical Identity Theft (non-Red Flags): the FTC has issued an FAQ page relating to medical identity theft, directed primarily at providers and insurers. It's a pretty worthwhile effort, and I'd recommend you review it.

This gives some good examples of what can go wrong with medical identity theft. It's not overstating it to say that people can die because of medical identity theft (a thief's blood type or allergies end up in the victim's chart). It's not all that common, but it is common enough that I still encourage providers to implement a "Red Flags" ID theft prevention program, even though you may not be a "creditor" who is required to have such a program.

Jeff [2:23 PM]

 

San Fran Medi-Cal Data Breach: a disgruntled employee sent beneficiary records to her home computer, 2 lawyers and 2 union representatives. The data wasn't really medical in nature, but did have SSNs. And since it came from Medi-Cal records, it's still PHI, so it's still a HIPAA breach.

Jeff [12:45 PM]

[ Tuesday, February 08, 2011 ]

 

Good advice from Dom Nicastro: snooping is the most likely cause of your next data breach, and your own employees are the most likely culprits.

Jeff [10:34 AM]

[ Friday, February 04, 2011 ]

 

Keep up the good work: Iowa hospital fires 3 for snooping. The three were looking at the medical records of a group of Iowa football players who are suffering from a mysterious muscle disease.

The best way to prevent snooping is to swiftly and vigorously punish those who fall to that temptation.

Jeff [8:52 AM]
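Punishment only works if you catch the snooping first, and the Iowa case and Dom Nicastro's point above both come down to the same two signals in the EHR audit trail: a user opening a chart for a patient they have no treatment relationship with, and a user paging through a whole group of charts in a short window. The following is an added example (my own code, not from the Iowa hospital, any EHR vendor, or the linked article) that runs both rules over a constructed audit log. It assumes the EHR can tell you who is on each patient's care team; the user names, patient IDs, and timestamps below are made up.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Access is one chart-open event from the EHR audit trail (constructed sample
// shape; real logs carry at least user, patient, action and timestamp).
type Access struct {
	When    time.Time
	User    string
	Patient string
}

// Alert names the user and why the activity looked like snooping.
type Alert struct {
	User    string
	Patient string // empty for per-user (bulk) alerts
	Reason  string
}

// Detect applies two rules to an audit trail:
//  1. every access by a user not in careTeam[patient] is flagged
//     ("no treatment relationship");
//  2. any user who opens more than maxDistinct different charts inside
//     window is flagged once ("bulk chart browsing").
// Rule 1 is the classic snooping signal; rule 2 catches the curious employee
// working through a list of newsworthy patients.
func Detect(log []Access, careTeam map[string]map[string]bool, window time.Duration, maxDistinct int) []Alert {
	var alerts []Alert
	events := append([]Access(nil), log...)
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })

	// Rule 1: relationship check per event. Indexing a missing patient
	// entry yields a nil map, which reads as false, so unknown patients
	// are treated as "no relationship" rather than silently allowed.
	for _, a := range events {
		if !careTeam[a.Patient][a.User] {
			alerts = append(alerts, Alert{a.User, a.Patient, "no treatment relationship"})
		}
	}

	// Rule 2: sliding window of distinct charts per user.
	byUser := map[string][]Access{}
	for _, a := range events {
		byUser[a.User] = append(byUser[a.User], a)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic alert order
	for _, u := range users {
		evs := byUser[u]
		start := 0
		for end := range evs {
			for evs[end].When.Sub(evs[start].When) > window {
				start++
			}
			distinct := map[string]bool{}
			for _, e := range evs[start : end+1] {
				distinct[e.Patient] = true
			}
			if len(distinct) > maxDistinct {
				alerts = append(alerts, Alert{u, "", fmt.Sprintf("bulk chart browsing: %d charts within %s", len(distinct), window)})
				break
			}
		}
	}
	return alerts
}

// SampleLog is a constructed audit trail: one clerk with no relationship to
// P1, and one technician walking through four charts in a few minutes.
func SampleLog() ([]Access, map[string]map[string]bool) {
	t0 := time.Date(2011, 2, 4, 8, 0, 0, 0, time.UTC)
	careTeam := map[string]map[string]bool{
		"P1": {"dr.ames": true, "rn.baker": true},
		"P2": {"dr.ames": true},
		"P3": {"dr.ames": true},
	}
	log := []Access{
		{t0, "dr.ames", "P1"},
		{t0.Add(5 * time.Minute), "rn.baker", "P1"},
		{t0.Add(6 * time.Minute), "clerk.cole", "P1"},
		{t0.Add(10 * time.Minute), "tech.dunn", "P1"},
		{t0.Add(11 * time.Minute), "tech.dunn", "P2"},
		{t0.Add(12 * time.Minute), "tech.dunn", "P3"},
		{t0.Add(13 * time.Minute), "tech.dunn", "P4"},
	}
	return log, careTeam
}

func main() {
	log, careTeam := SampleLog()
	for _, a := range Detect(log, careTeam, 15*time.Minute, 3) {
		fmt.Printf("%-11s %-3s %s\n", a.User, a.Patient, a.Reason)
	}
}
```

Rule 1 is where most of the tuning effort goes in a real shop (on-call coverage, consults and emergency "break the glass" access all create legitimate reads outside the recorded care team), which is why the second, relationship-free rule is worth keeping as a backstop.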
