[ Thursday, March 31, 2011 ]
More Upcoming Speaking Engagements: While I'm at it, I'll also be speaking on "Data Security Analysis for Healthcare Providers" for Global Compliance Panel on April 14. I'll be talking about how you analyze your operations for data security, to meet not only the HIPAA requirements but to meet the "meaningful use" rules of HITECH. I should have some good questionnaires, checklists, and the like. Still putting the materials together, but I haven't seen a lot of folks specifically addressing this stuff.
Jeff [9:44 PM]
Upcoming Seminar: Just a heads up, but I will be presenting a web conference next week through Lorman on mental health record compliance. It's a big dollop of HIPAA, with some FERPA, "Part 2" (substance abuse treatment center privacy) rules, psychotherapy note exceptions, and patient release rules included. It's not too costly, and if you've ever wanted to hear what I sound like, this is your chance.
Jeff [10:57 AM]
Another Hollywood Data Breach: This one with a bit of a twist. It's health data about movie stars, but movie stars of a particular, shall we say, genre.
Jeff [9:08 AM]
[ Wednesday, March 30, 2011 ]
New Provider Toolkit: HIMSS and MGMA have teamed up to produce a new product to help small clinics and providers meet their privacy obligations. It's called the "HIMSS Privacy and Security Toolkit." Small providers often find themselves stuck without good solutions for privacy and security obligations; most products can be pretty expensive for a small business, so this might be a good solution. If I get an opportunity to test-drive it, I'll let you know what I think.
Jeff [1:08 PM]
[ Tuesday, March 29, 2011 ]
Often-Overlooked Breach Prevention Steps: Some pretty good thoughts here. Hat tip: James Brashear of ZixCorp.
Jeff [1:48 PM]
Slightly Off-Topic: HIPAA isn't the only privacy law that can result in fines if you violate it. Other businesses are required to protect credit card information (under the "PCI" or "payment card industry" rules). A group of restaurants in Massachusetts have agreed to pay a big fine to the Massachusetts AG (what is it about those New England AGs?) for failing to protect credit card information. Mass. has one of the most stringent data encryption and breach laws. More info here and here. And for other Mass. data security issues, here. Hat tip: John Kelley and Alan Goldberg.
Jeff [1:33 PM]
[ Monday, March 28, 2011 ]
Interesting: A group of consumers in California (actually, I'm betting a group of clever lawyers, really) have sued Walgreens for data-mining the patients' prescription information. Apparently, there's a similar suit against CVS in Pennsylvania. Walgreens isn't selling the PHI; they de-identify the information first. But they have such large amounts of consumer information that, even de-identified, the information could yield useful data on trends, co-medication issues, and other information that would be useful to drug companies and others. So, the consumers aren't suing Walgreens for HIPAA violations; rather, they are saying that the value of the information Walgreens has (and is getting paid for) is really value that belongs to the customers, since it's their data that's beneath it all. I don't know; the value of the data in any particular patient's file is minuscule, if it exists at all, and the real value is having the information of a whole lot of patients in one place. The value, then, comes from what Walgreens does with the information (by amalgamating it), not in the individual files. We'll see how this turns out. Hat tip: Alan Goldberg
Jeff [9:31 AM]
[ Sunday, March 27, 2011 ]
Slightly Off Topic, But Kinda Scary: Are you aware of how closely your cell phone is tracking your whereabouts?
Jeff [9:10 AM]
[ Thursday, March 17, 2011 ]
Not Yet: For those who asked me when I thought the HIPAA regs would come out, I was wrong. I had predicted yesterday; no real reason for the prediction, just that it was the middle of spring break, which would have been a good time for HHS to screw us over with a big regulatory dump. They're still "imminent," though, so keep your eyes out for them.
Jeff [11:31 AM]
OCR Asks for a Bigger Budget. They're gonna need it, it seems.
Jeff [10:09 AM]
HealthNet Update: Here is HealthNet's press release. There may be less there than first meets the eye. It seems that several server drives have gone missing. IBM is HealthNet's business associate, and could end up being the responsible party. And it's not clear if the drives are lost, stolen, misplaced, or something else. If they're misplaced or lost, they could show up later. If they were stolen, the data was probably scrubbed off of them. It doesn't necessarily look like the data has been taken, disclosed*, or used.
Of course, and especially given its own history, HealthNet should have vigorous "encryption in place" protocols for its data, but apparently doesn't. They surely had a chance to prevent at least the notification requirement. That's not good.
*As for "disclosed," in my opinion there must be a recipient for the data to have been "disclosed." It may have been "exposed," but if nobody sees it, I think it isn't "disclosed." If a tree falls in the forest and nobody is around to hear it, . . .
Jeff [9:58 AM]
[ Wednesday, March 16, 2011 ]
Data Breach Stats: There's a lot of discussion on the AHLA HIT list this morning about data breach statistics, some of which I'd like to share.
Michael Silhol of HayBoo here in Dallas reports: "At the National HIPAA Summit last week, the OCR reported that there had been more than 14,000 reports of breaches involving fewer than 500 individuals from September 2009 through December 2010. There were also 221 reports of breaches involving more than 500 individuals in the same time period. The large breaches (500+) were broken down by type of breach (i.e., theft 51%, loss 16%, hacking 6%, improper disposal 5% and unauthorized access 21%). They were also broken down by location of breach (laptop 24%, paper records 21%, desktop computer 16%, portable electronic device 14%, network server 10%, email 3%, EMR 2% and other 10%). The OCR presenter did not break the breaches down by size of institution involved."
Alan Goldberg sends these three links from the same conference.
And Dennis Melamed notes that his publication provides current stats monthly, if you are willing to give up your email address to get them.
Jeff [1:21 PM]
Medical Identity Theft: I've been preaching about the risks of medical identity theft, as opposed to regular (financial) identity theft, for as long as I've been talking about the Red Flags Rule. If you're a physician, you may not be covered by the rule, but it's still a good idea to have an identity theft prevention program, just to protect yourself from having to correct records or refund a payor when they've paid you for the wrong patient. But there's an even greater reason -- medical identity theft can kill. Literally.
How common is it? More common than even I thought.
According to a study by the Ponemon Institute, 1.5 million Americans were victims last year. That's about .5% of the population, or one out of 200 of your patients. A large portion of the theft is among family members, which probably means that it's facilitated by the "victim" (who loans his/her insurance card to an uninsured relative). All the more reason for providers to be gatekeepers to prevent this from happening.
Jeff [10:09 AM]
Interesting Article from Health Management Technology: Phil Neray points out how healthcare information is vulnerable, and how most healthcare privacy and security folks are concerned about firewalls and improper access, rather than focusing on the damage that "trusted insiders" can do. It's a good point, but misses a bigger one: all the big HIPAA breaches, and everything that's brought a fine to a covered entity so far, have been improper access issues like lost laptops. There haven't been any "trusted insider" data thefts, or at least not too many, and when those occur, the thieves, rather than the covered entity, pay the price.
Ultimately, Phil may be right: covered entities need to keep an eye on insiders to make sure they aren't "in the till" from an information technology standpoint. But the bigger risk is still data loss. Any covered entity MUST do occasional random audits of access; you've got to review your audit trails. Even if the staff isn't stealing from the data, you still must make sure they aren't snooping or otherwise violating your access policies.
So, if a covered entity is doing HIPAA right, they may not be focusing like a bank on insiders doing bad stuff, but they're still going to notice it with random audits, and they should be focused more on the data loss/data theft issues like stolen laptops and server drives. If you've got a rogue employee doing bad, OCR probably won't punish you, but if you allow your staff to take unencrypted data on the subway, they will.
Jeff [12:06 AM]
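The "random audits of access" and "review your audit trails" advice above is the one place on this page that describes a concrete control, so here is an added example of what that review can look like in code. This is not the blog's or any vendor's code: it assumes a hypothetical pipe-delimited EHR access-log format, a constructed care-team assignment table, and a few constructed log lines. It flags the classic snooping patterns (a user touching a record of a patient they are not assigned to, a user whose last name matches the patient's, and access outside business hours) and draws a reproducible random sample of events for a manual spot check.

```python
"""Added example (not the blog's code): a small access-audit / snooping check
over a constructed EHR audit trail.

Assumed (hypothetical) line format:
    timestamp|user|user_last_name|role|patient_id|patient_last_name|action
"""
import random
from collections import namedtuple
from datetime import datetime

AccessEvent = namedtuple(
    "AccessEvent", "ts user user_last role patient_id patient_last action"
)

# Constructed sample audit trail; the names and ids are made up for this example.
SAMPLE_LOG = """\
2011-03-16T08:05:00|jdoe|Doe|nurse|P1001|Smith|view
2011-03-16T08:07:00|jdoe|Doe|nurse|P1002|Jones|view
2011-03-16T12:30:00|rlee|Lee|physician|P1003|Lee|view
2011-03-16T23:45:00|mkhan|Khan|clerk|P1004|Brown|view
2011-03-16T09:10:00|jdoe|Doe|nurse|P1003|Lee|view
2011-03-16T09:12:00|jdoe|Doe|nurse|P1005|Doe|print
"""

# Constructed care-team table: which users are expected to touch which patient.
CARE_TEAM = {
    "P1001": {"jdoe", "rlee"},
    "P1002": {"jdoe"},
    "P1003": {"rlee"},
    "P1004": {"mkhan"},
    "P1005": {"rlee"},
}

# Hours (local) during which routine access is expected; outside this is worth a look.
BUSINESS_HOURS = range(6, 22)


def parse_log(text):
    """Parse the hypothetical log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError("malformed audit line: %r" % line)
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        events.append(AccessEvent(ts, *fields[1:]))
    return events


def flag_event(ev, care_team):
    """Return the reasons this access deserves review (empty list if none)."""
    reasons = []
    if ev.user not in care_team.get(ev.patient_id, set()):
        reasons.append("not on care team")
    if ev.user_last.lower() == ev.patient_last.lower():
        reasons.append("shares patient's last name")
    if ev.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def audit(text, care_team=CARE_TEAM):
    """Run every event through the rules; return (event, reasons) for flagged ones."""
    return [
        (ev, reasons)
        for ev in parse_log(text)
        if (reasons := flag_event(ev, care_team))
    ]


def random_sample(text, k, seed=0):
    """Pick k events uniformly at random for manual review; the seed makes the
    pick reproducible so the audit file can say which events were reviewed."""
    events = parse_log(text)
    rng = random.Random(seed)
    return rng.sample(events, min(k, len(events)))


if __name__ == "__main__":
    for ev, reasons in audit(SAMPLE_LOG):
        print(ev.ts, ev.user, ev.patient_id, ev.action, "->", "; ".join(reasons))
    print("random spot check:", [e.patient_id for e in random_sample(SAMPLE_LOG, 3, seed=1)])
```

The rule-based pass catches the obvious cases; the random sample is what the post is really asking for, since a reviewer who only looks at what the rules flag never learns what "normal" access looks like and never finds the pattern the rules do not encode.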
[ Monday, March 14, 2011 ]
So What? This blog turned 9 back on March 8th.
Jeff [9:12 PM]
HealthNet: has stepped into it again. Hat tip: Dom again.
Jeff [8:18 PM]
State AG's HIPAA School: Of all the HITECH amendments and enhancements to HIPAA, the ones that I think may have the most indelible impact on healthcare providers and health plans are the ones that are likely to increase enforcement activities. There are two in particular that stand to have huge impacts: one allows individuals who are injured by a HIPAA breach to obtain a portion of any fines and penalties, and the other allows state Attorneys General to enforce HIPAA directly, rather than requiring them to seek enforcement actions from OCR. This second enhancement is also the most troubling, since it could result in uneven enforcement across the states and differing interpretations by different enforcement agencies. Regardless, this provision in HITECH is going to be big. And OCR is committed to bringing in the additional enforcers: OCR is holding training sessions for State AGs to teach them the ropes of HIPAA prosecution.
Hat tip: Dom Nicastro
Jeff [4:46 PM]
[ Friday, March 11, 2011 ]
Biggest Concern About EMRs: among technology leaders in the healthcare industry, security and privacy is the number one concern when considering EMRs.
Jeff [9:24 AM]
[ Wednesday, March 09, 2011 ]
Sudden Thought: Does Cignet even really exist? Two weeks ago, the first ever real HIPAA civil penalty was handed down, and it was HUGE. $4.3 Million. That ain't no party, that ain't no disco, that ain't no foolin' around. Cignet, which I thought was a health insurer, which I've heard described as a hospital system, and which Modern Healthcare says is a company with a health plan and 4 physician practice offices, never responded to patient requests for records. They never responded or cooperated with HHS. They eventually delivered the records, but never gave an explanation to the patients regarding the delay. They haven't been quoted in any of the press releases relating to the various stories. They did not respond to requests for comments from Modern Healthcare.
Sorry, but that's all crazy. It makes no sense. Why aren't they out there with PR people, or even their own officers and employees, trying to explain themselves? What company acts this way? What "physician office" acts this way?
I can understand them screwing up in the first place. I can even understand them not cooperating with OCR (really stupid, but it happens sometimes, and I can understand it even if I -- and anyone who knows anything about HIPAA -- would advise strongly against it). But at this point, they're the talk of the HIPAA universe. And they haven't made a peep.
So I'm wondering if it's some Orwellian false front to get people serious about HIPAA compliance. Maybe I've been reading too much Descartes, or watching too much Charlie Sheen; or maybe I need to go back on my meds. But seriously, I'd have expected a full-blown PR effort on Cignet's part to explain how the uncooperative fools have been sacked and replaced with people who really, really care about HIPAA and privacy. Maybe try to blame it on BP. I dunno, something.
You gotta admit, this whole Cignet silent treatment is just odd.
Jeff [11:24 PM]
Average Cost of a Data Breach: The average cost of a data breach for a US company continues to rise. For 2010, US companies that suffered a data breach spent on average $7.2 MILLION due to the breach. Interestingly, companies that reported quickly actually spent more. But don't let that confuse you -- if the breach is a HIPAA breach, you've got an obligation to act quickly. This report deals with all kinds of data breaches, not just HIPAA breaches.
Jeff [11:44 AM]
[ Tuesday, March 08, 2011 ]
Doing HIPAA Compliance Right: Dom Nicastro has a nice interview with a California hospital's information security officer on how to do HIPAA the right way.
Jeff [11:44 AM]
[ Monday, March 07, 2011 ]
Red Flags Update: The US Court of Appeals for the DC Circuit has dismissed the ABA's case against the FTC. As you may recall, the ABA sued the FTC for implying that the Red Flags Rule applies to lawyers as "creditors" because they bill after they provide services. The AMA, on the other hand, wrote a bunch of letters. The ABA won their suit at the District Court level, while the AMA got extensions from the FTC; their last extension was until the ABA suit was settled. In December, Congress passed a law restricting the definition of "creditor" to money lenders and those who use credit reporting agencies in dealing with their clients, and the President signed it.
The appeals court looked at the new law, and figured it made the ABA argument moot. Which is correct. So, all's well that ends well.
UPDATE: I could've been more clear. The ABA lawsuit was made moot, but the AHA lawsuit, which was pending the ABA result, has now been withdrawn.
Jeff [3:42 PM]
[ Friday, March 04, 2011 ]
Stolen Laptops with Unencrypted PHI: that's probably the biggest HIPAA threat most organizations face. Be particularly cautious if you see this Italian dude lurking around your facility. Of course, that goes without saying.
Jeff [4:17 PM]
[ Thursday, March 03, 2011 ]
Delaware Hospital Data Theft: This time it's Beebe Medical Center in Lewes, Delaware. An employee took a financial report home to work on it. The report was on paper and in the employee's briefcase, and contained patient names, Medicare numbers and social security numbers for a little over 100 people. The briefcase was in the car when they took a family trip to Florida, where the briefcase was stolen out of the car. So far, there's been no known effect such as ID theft (several of the individuals are dead already), but the hospital is offering credit monitoring for the rest. Personally, I suspect the data has already been destroyed, since it's not what the thieves were looking for. No punishment for the employee, since the data was stolen and not voluntarily disclosed, and taking the data home did not violate hospital policies. Of course, you see the problem here: the hospital should have had policies about protecting data that include policies about how and when employees can take data out of the hospital. They are developing one now, I'm sure.
Hat tip: Healthleaders.
Jeff [8:43 AM]
[ Wednesday, March 02, 2011 ]
Is it a Crackdown? Or just coincidence? Some folks are starting to notice the seeming increase in HIPAA activity.
Jeff [4:49 PM]