[ Friday, July 29, 2011 ]
What do you do when you suffer a data breach? ID Experts has a handy little 10-step guide that's got some good ideas in it.
Jeff [11:35 AM]
[ Thursday, July 28, 2011 ]
Reaction to the New HIPAA Accounting of Disclosures Rule: AHIMA has come out against it. Yesterday, MGMA noted the problems with the proposed rule.
Jeff [9:42 AM]
[ Tuesday, July 26, 2011 ]
Thinking of Buying a New EHR? If you've got a large old home-grown or legacy electronic medical record system and have been avoiding the multi-million dollar cost of replacing it with something certified by CCHIT, you might want to hold off on pulling the trigger. Many such players think they have to replace their old systems for "meaningful use" purposes, since their old systems aren't certified. However, CCHIT (the Certification Commission for Health Information Technology) has a special program that allows healthcare entities to seek certification for their in-place system. Apparently, it's not too hard to do. Something to consider.
Jeff [8:48 AM]
[ Friday, July 22, 2011 ]
CHIME Notes Problems with New Accounting Rule: The healthcare CIO organization has weighed in on the new accounting for disclosures rule, and notes what Chris Apgar and I noted in our HCPro seminar on Tuesday: that the new rule goes too far, the access report requirement is too much, and it assumes technological capabilities that just aren't there.
Jeff [9:58 AM]
[ Tuesday, July 19, 2011 ]
Boston's Beth Israel: Seems like a contractor caused the problem, but a lack of proper virus protection resulted in a virus that sniffed out patient data on 2,000 patients.
Jeff [8:27 AM]
[ Friday, July 15, 2011 ]
More Boston Problems: Harvard also seems to have a problem involving a research project.
Jeff [9:34 AM]
Possible Tufts HIPAA violation? Apparently involves medical info sent to a fax machine. Apparently only a disability form was supposed to be sent, but part of the medical record was sent instead. The hospital denies wrongdoing. I guess we'll see.
Jeff [9:28 AM]
[ Thursday, July 14, 2011 ]
EHRs for Physician Practices: Are you in the market for an EHR? Family Practice Management magazine has a great survey of family practice doctors, broken out by size of practice and dozens of other metrics. I'd highly recommend a review of this article before you buy.
Jeff [8:51 AM]
Doctors and Facebook: keeping separation between your personal and professional life.
Jeff [8:45 AM]
[ Saturday, July 09, 2011 ]
Cyber Insurance: Interesting article on insuring against data breaches and other potential cyber liabilities.
Jeff [11:47 AM]
Mayo Clinic, Social Media Leader: Thanks to Lee Aase, Mayo stays way out in front in the use of social media by healthcare players. If you're considering integrating social media strategies into your marketing plan (and you should be, at least considering it), you need to keep a close eye on the legal hurdles, but should also look to the market leaders to figure out what works, what doesn't, and what raises real risk. Mayo's a good example to follow.
Jeff [8:45 AM]
[ Friday, July 08, 2011 ]
Guest Blogger: As regular readers will be aware, I occasionally allow guest bloggers to post on HIPAABlog. Today, Pat Walling of Medical Coding Career Guide has a guest commentary on physical safeguards, and what might be necessary. Certainly reasonable precautions must be taken; however, in some instances, it may be necessary for patients to let providers know of problems, and for providers to seek solutions.
Pat's post follows:
Is Soundproofing Hospital/Clinical Rooms Required for HIPAA Compliance?
One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is that there are “physical barriers that protect against uses and disclosures not permitted by the privacy rule.” This is generally enacted by pulling curtains and making sure that confidential information is disclosed to a patient when roommates are not present, but the mere image of a physical barrier without the sound muffling qualities to accompany it may not be enough. Health care professionals more often than not are aware of this issue, and take “bedside” reports and the like out of earshot or make sure to whisper. Reports made during changes of shift or in the process of medical coding are made on paper or in rooms away from patient ears. However, this ambiguity in the language of HIPAA can leave a loophole large enough to drive a medical equipment truck through, and may have the effect of leaving patients feeling as though they have no legal recourse when they feel their privacy has been violated.
Clinics often compensate by making sure to have patient consent to talk about their maladies in a certain place, and then chalk up any mishaps to incidental disclosure, because this inclusion does not require every risk be eliminated so long as they have implemented reasonable safeguards. However, patients may not always be aware of who else may be listening. For example, I myself went to my own family doctor recently, who was in a new building where the ventilation system was very open between rooms. After my vitals were taken and I was left waiting for my doctor to examine me, I heard the entire conversation in the next room over, even with my bad hearing, with an elderly female patient concerning the plan of care for her hemorrhoids. I knew her name, and even learned the name of her dog and her shopping habits. While clinics and hospitals may be aware of the issues, even beyond a pulled curtain patients do not expect private rooms to pose privacy issues. In a small community such as the one my clinic is in, the patient's name may be easily recognized, and if I were a lesser person her information may quickly have become town gossip. If that woman were potentially so embarrassed, there would be little recourse for her to gain compensation under incidental disclosure, and more patients in the future may face similar problems if the sound continued to carry so clearly through the ventilation.
Perhaps soundproofing is not entirely the answer though. In many cases the burden of implementing effective privacy for everyone is impossible, such as in hallway beds, but in cases where soundproofing is difficult patients should be made aware of the issues at hand in revealing patient information. If private rooms are known to carry sound and cannot be renovated, then that should be explained as well, and a room should be made available that is sound-proof for such conversations if necessary. One way or another, the “physical barrier” may not really be enough to prevent violation of patient privacy.
Jeff [5:33 PM]
[ Thursday, July 07, 2011 ]
UCLA Snooping fine. UCLA has agreed to a $865,500 HIPAA fine associated with two celebrity snooping violations (who are the celebs? they're not saying).
Jeff [4:11 PM]
Health Data Recovery After a Disaster: the HIPAA Security Rule requires covered entities (and via HITECH, business associates as well) to have emergency operations and disaster recovery policies and procedures in place. We saw how those can work, and should work, in the Joplin, Missouri tornado. If you haven't given this any serious consideration, I'd suggest you do so promptly. Gienna Shaw at HealthLeaders has a trifecta today on data recovery in a disaster:
Jeff [9:56 AM]
HHS' Wall of Shame: some highlights of the HHS website for large data breaches:
- 11,404,950 fellow citizens’ PHI breached (that's about equal to the population of the entire state of Ohio)
- 292 reported breaches to HHS by Covered Entities
- 58 Business Associate accomplices involved/culpable
- "Harm" STILL self-determined by CEs versus California law!
- Top 5 Data Breachers and their "havoc" on us:
  - Health Net, Inc. of CA and IBM, their Business Associate - 1,900,000
  - NYC Health & Hospitals Corp North Bronx Healthcare Network - 1,700,000
  - AvMed, Inc. - 1,220,000
  - BCBS TN - 1,023,209
  - South Shore Hospital - 800,000
Hat tip: Bob Chaput of Clearwater Compliance
Jeff [9:48 AM]
Miami's Holy Cross Hospital: another hospital employee stealing data for ID theft purposes.
Jeff [9:40 AM]
[ Wednesday, July 06, 2011 ]
More HIPAA 5010 Grumblings: Does this mean that the required conversion to 5010 will be put off? I wouldn't bet on it. If you (or your clearinghouse, crosswalk, billing company, billing software vendor, etc.) haven't tested 5010 form transactions yet, I'd suggest doing it before the end of the summer. Take the time and effort to get into 5010 formats; you're going to have to eventually (unlike some of the "proposed" regs, this isn't going to go away).
Jeff [9:01 AM]
Indiana Wellpoint Data Breach Fine: Wellpoint's Indiana operations (which run Anthem BCBS in Indiana) has agreed to a $100,000 fine, plus agreed to provide credit watch services and reimbursement for ID theft problems, for violating an Indiana law that requires companies that suffer a data breach to promptly notify affected individuals and the state AG. The company had inadvertently exposed member data, including social security numbers, on a publicly available website; when it was brought to their attention they shut down the website pronto, but didn't notify potentially affected individuals for several months. This is not a HIPAA fine, but one that covered entities (and others) should be aware of: most states have some sort of data breach notification statute, and if you suffer a breach, you must review not only your HIPAA obligations, but your state law obligations as well.
Jeff [8:55 AM]
[ Tuesday, July 05, 2011 ]
OCR Auditing Activities: It appears that OCR is moving forward with its obligation to conduct audits of CEs and BAs to gauge HIPAA compliance. Some time ago they hired Booz Allen to identify audit candidates, and I figured Booz would also conduct the audits. But OCR has hired KPMG to actually do the audits.
Like Adam Greene, I'm not sure this paints a definitive picture of how these audits will move forward (much less when), whether they'll be punitive or collaborative, or any other specific information. Cynical folks might see this as a good reason to hire KPMG if you're concerned about your HIPAA vulnerabilities.
Jeff [12:43 PM]
[ Saturday, July 02, 2011 ]
HIPAA Transactions and Code Sets News: I'm always surprised to see news about the "transactions and code sets" provisions of HIPAA; it always seems like they are just settled, and it's only big categorical changes, like the switch to the 5010 standards, that make the news. But apparently there are still permutations and customizations required by certain payors, which is too bad since HIPAA was supposed to end that. Anyway, HHS has issued two new rules to further standardize two of the covered transactions: eligibility for coverage, and status of a claim.
Jeff [11:06 AM]