[ Tuesday, May 31, 2011 ]
What does a Data Breach Cost? For some organizations, it's $100,000 per day.
Jeff [4:59 PM]
Speaking of going to jail for HIPAA violations, Dom has a story about a guy in Alabama going up the river for 6 years. It's really a healthcare fraud case, but there's a HIPAA component because he accessed PHI of various individuals to use their identity and insurance to purchase drugs he could then resell.
Jeff [4:55 PM]
Liability for Corporate Officers: A couple of my partners and I spoke to one of our hospital clients recently, addressing about 250 staff members for a compliance primer and overview. One part of the presentation, about current enforcement activity by the OIG and Department of Justice, caught the attention of pretty much everyone in the room: the government's latest tactic of going after the corporate officers directly. The theory is sometimes called the Responsible Corporate Officer doctrine. A corporate officer can be personally held liable for criminal activity of his company, even if he didn't know about the wrongdoing, if he could have or should have known and failed to find out and stop it. There are several high-profile cases going on right now; even though the corporate officers may settle for a small fine, the OIG will follow up and exclude them from participating in the Medicare or Medicaid programs. This can leave people who build a multi-year career in healthcare virtually unemployable in their profession, simply because someone in their company broke the law and they failed to detect and stop it.
Obviously, there's a HIPAA connection here. We haven't seen this theory yet in any HIPAA enforcement activities, but there are criminal liabilities for HIPAA violations. That means a corporate officer could face criminal charges if his company violates HIPAA, and any guilty plea, even as part of a plea bargain, might be the end of that executive's career.
Just a little something to keep in mind.
Jeff [4:44 PM]
From the NY Times: Newsworthy data breaches are causing federal regulators (and legislators) to look more closely at healthcare data security. It doesn't take a psychic to see where this leads: more robust enforcement and bigger fines and penalties. Get ready for it (and take your HIPAA obligations seriously).
Jeff [4:38 PM]
Somewhat off topic: Looking for a nursing job?
Jeff [4:36 PM]
[ Friday, May 27, 2011 ]
OCR letter: An interesting blog post about OCR's investigative response to a small medical practice that suffered a laptop theft. I'm not particularly surprised by what they're asking for. But what it should highlight is that if you haven't done a Security Risk Analysis (you were required to do it in 2003 and "periodically" update it), you're going to have a hard time explaining that failure if you suffer a breach.
Jeff [11:52 AM]
Accounting Rule Released Today: In addition to laying out the rules providers and plans must abide by in using and disclosing PHI, the original privacy rule sought to outline the specific rights every individual has in their own PHI. One of those rights is a right to know where your information has gone, in the form of a right to request an accounting of disclosures from a covered entity. Obviously, there are a lot of disclosures that are usual and customary, and a requirement to provide a full accounting to any patient who asked would be unwieldy and expensive. So while the accounting requirement is broadly drafted, many (almost all, actually) disclosures are exempted from the accounting requirement. A covered entity does not have to account for disclosures that are made for treatment, payment, or healthcare operations purposes (which accounts for virtually all disclosures in the ordinary course of business), disclosures to the individual, or disclosures pursuant to an authorization by the individual. There's a rational basis for these exclusions: individuals should know or expect that these types of disclosures will be made.
The HITECH Act changed the accounting requirement somewhat for covered entities that use electronic health records. Specifically, the exception for treatment, payment, and healthcare operations (TPO) is removed. The thought is that covered entities that use EHRs should be able to easily and automatically track TPO disclosures, simply by setting the EHR to do so. I'm not so sure that's actually as easily done as said.
Today, HHS has pre-published its regulations regarding the new "accounting for disclosures" rule. I haven't reviewed them yet, but will do so and will let you know what I think.
UPDATE (already, yeah): Kirk Nahra says they look ugly and obtrusive, and even go beyond what HITECH calls for. The industry concern was that HITECH implied that it would be easy to set an EHR to do the accounting, which isn't the case in some (if not many, if not most) EHRs. Apparently HHS' response to those concerns is, "Drop dead."
Jeff [9:57 AM]
[ Thursday, May 19, 2011 ]
Press Release: I'm not sure how useful this is, but small providers certainly are particularly vulnerable to information security problems. nCircle and HITRUST announce security service for small healthcare providers.
Jeff [1:52 PM]
[ Tuesday, May 17, 2011 ]
How do ONC and OCR deal with security? Apparently not very well, according to the OIG.
Jeff [4:15 PM]
[ Monday, May 16, 2011 ]
Charging for copies: The LA Times notes, correctly, that covered entities must provide access to, and copies of, medical records, but they can charge a reasonable fee for them. Texas state law sets the fee that can be charged. HIPAA does not allow the covered entity to charge for the time its staff spends, though.
Jeff [9:21 AM]
[ Thursday, May 12, 2011 ]
Is Social Media an Effective Marketing Tool for Healthcare? So asks HealthLeaders. I think the answer to that specific question is, "probably not," but I don't think that's really the right question. I'd ask if social media is an essential marketing tool for healthcare. I think it is, since I think social media is a required element of any healthcare entity's marketing strategy, and perhaps any business entity's marketing strategy. Even if it's just a defensive position of watching what's being said about you on social media sites, or tracking your own staff and employees, you can't ignore social media. Whatever you include in your marketing bag of tricks, you've got to address social media. That makes it essential, if not actually effective for marketing purposes.
Jeff [3:05 PM]
[ Monday, May 09, 2011 ]
Mass Firing for Mass HIPAA Breach: A high school party in Blaine, Minn. got out of hand and resulted in the hospitalization of 11 teenagers (and one death). Apparently, a lot of employees at the hospitals where they were sent couldn't resist snooping into their medical records. The hospital responded (appropriately, in my opinion) by firing 32 employees. Absolutely appropriate, and a nice "object lesson" not only for the ex-employees, but for all the employees who remain.
Hat tip: Phil Zarone of Horty Springer
Jeff [11:28 AM]
[ Thursday, May 05, 2011 ]
Social Media usage: Interesting new survey by SCCE and HCCA on entities' use of social media, adoption of policies, and monitoring of employee use. Still evolving, but it is definitely evolving.
Jeff [10:55 AM]
Off-Topic: If 26 out of 50 agree to something, would you say "more than 2 dozen" or "more than half"? Seems like subtle bias to me. . . .
Jeff [7:06 AM]
[ Monday, May 02, 2011 ]
A top fifty listing: Healthcare law and legislation blogs.
Jeff [4:41 PM]