HIPAA Blog

[ Thursday, August 25, 2011 ]

 

At the risk of confusing myself, here's another place where I've been known to occasionally blog.

Jeff [4:17 PM]

 

OCR's Standard Response: In the event of a breach that involves noncompliance and some serious impact, you might still get a "resolution agreement" from OCR rather than a fine/penalty (assuming you cooperate, of course). However, according to Theresa Defino at AIS, you should still expect to be required to re-write your policies, retrain your employees, institute some serious monitoring, and pay out some cash.

Jeff [9:03 AM]

[ Wednesday, August 24, 2011 ]

 

Off Topic: It's nice to know, but it doesn't really matter, as long as the lager yeast actually works. I've got a 5-gallon carboy in my garage fridge, full of this fall's Marzen, lagering away at 45 degrees (a little on the chilly side, but I'll warm it up later).

Jeff [10:54 PM]

[ Tuesday, August 23, 2011 ]

 

When Medical Privacy and Law Enforcement Collide: One headachey area for HIPAAcrats occurs when the demands of the law, and particularly law enforcement, require disclosure of information that is protected under HIPAA. HIPAA specifically addresses a lot of ways police officers can get information from HIPAA covered entities, as well as some limitations. For example, a covered entity can give the police information, including PHI, for purposes of identifying a suspect or victim, but they can't give them DNA without a court order.

Some HIPAA Privacy Officers take their privacy obligations to extremes that exceed what HIPAA requires. That appears to be what's happening in Rhode Island.

Jeff [4:25 PM]

[ Monday, August 22, 2011 ]

 

Digitized data + internet access + PHI = potential trouble. For "data leaks," at least. But then again, you already knew that.

Jeff [10:18 PM]

 

Lost Thumb Drive Results in 500 Breach Notifications: St. Francis Hospital in Delaware misplaced a flash drive that had names of mothers who participated in a prenatal program 10 years ago. No social security numbers were involved, and it doesn't sound like particularly revealing information; also, the flash drive was recovered, apparently with the data intact. I don't know all the information, but I suspect many providers would've concluded after their risk analysis that there was no substantial risk of harm, and therefore no breach. But St. Francis sent out notifications.

Jeff [10:06 PM]

 

The Risks of PHI on the Internet.

Jeff [8:01 AM]

[ Tuesday, August 16, 2011 ]

 

HIPAA Hot Spots: Dom Nicastro and Adam Greene discuss the issues that OCR has identified as "hot spots" that deserve special focus by covered entities:


  1. Incident detection and response

  2. Review of access logs

  3. Wireless network security

  4. Password and user access management

  5. Loss or theft of mobile devices

  6. Up-to-date software

  7. Role-based access and other access management

All of these are things that every covered entity should have addressed in their policies and procedures. And now that you know OCR is concerned about these, they should get special attention.
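Two of the hot spots above, review of access logs and role-based access, are the kind of thing a covered entity can actually automate rather than leave to a policy binder. The script below is an added example written for this page; it is not from the blog, from OCR, or from HealthLeaders. The log format, the role policy, the patient-to-department mapping and the thresholds are all assumptions chosen for illustration, and the log lines are constructed. It reads a small EHR access log and flags four things a privacy officer would want a human to look at: an action the role is not permitted to perform, an access by a non-clinical role outside business hours, a clinician viewing a patient outside their own department, and one user pulling many distinct patient records in a short window.

```python
"""Review of EHR access logs against a role-based access policy.

Added example (not from the blog, OCR or HealthLeaders). The CSV layout,
ROLE_POLICY, PATIENT_DEPT and the bulk-access thresholds are assumptions
made for illustration, not any product's real schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, role, department, patient MRN, action
SAMPLE_LOG = """\
2011-08-16T09:12:04,drlee,physician,cardiology,MRN1001,view
2011-08-16T09:15:40,drlee,physician,cardiology,MRN1002,view
2011-08-16T09:20:11,nurse_kim,nurse,cardiology,MRN1001,view
2011-08-16T10:02:33,billing_ann,billing,finance,MRN1001,view
2011-08-16T10:03:01,billing_ann,billing,finance,MRN2001,view
2011-08-16T10:03:15,billing_ann,billing,finance,MRN2002,view
2011-08-16T10:03:29,billing_ann,billing,finance,MRN2003,view
2011-08-16T10:03:44,billing_ann,billing,finance,MRN2004,view
2011-08-16T10:04:02,billing_ann,billing,finance,MRN2005,view
2011-08-16T10:05:00,billing_ann,billing,finance,MRN2001,update
2011-08-16T23:41:50,clerk_bob,registration,admitting,MRN1002,view
2011-08-16T11:30:00,nurse_kim,nurse,cardiology,MRN3001,view
"""

# Assumed role policy: permitted actions, whether the role is expected to
# work outside 07:00-19:00, and whether it is a clinical (care-team) role.
ROLE_POLICY = {
    "physician":    {"actions": {"view", "update"}, "after_hours_ok": True,  "clinical": True},
    "nurse":        {"actions": {"view", "update"}, "after_hours_ok": True,  "clinical": True},
    "billing":      {"actions": {"view"},           "after_hours_ok": False, "clinical": False},
    "registration": {"actions": {"view", "create"}, "after_hours_ok": False, "clinical": False},
}

# Assumed admitting department for each patient (a stand-in for a real
# treatment-relationship lookup).
PATIENT_DEPT = {
    "MRN1001": "cardiology", "MRN1002": "cardiology", "MRN3001": "oncology",
    "MRN2001": "oncology", "MRN2002": "oncology", "MRN2003": "oncology",
    "MRN2004": "oncology", "MRN2005": "oncology",
}

BULK_THRESHOLD = 5         # distinct patients touched by one user ...
BULK_WINDOW_SECONDS = 120  # ... within this many seconds triggers a finding


def parse_log(text):
    """Turn the CSV lines into dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, dept, mrn, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "dept": dept, "mrn": mrn, "action": action})
    return records


def review_access_log(text, policy=ROLE_POLICY, patient_dept=PATIENT_DEPT):
    """Return a list of (finding_type, user, detail) tuples."""
    records = sorted(parse_log(text), key=lambda r: r["ts"])
    findings = []
    by_user = defaultdict(list)
    for r in records:
        rule = policy.get(r["role"])
        if rule is None:
            findings.append(("unknown_role", r["user"], r["mrn"]))
            continue
        if r["action"] not in rule["actions"]:
            findings.append(("action_not_permitted", r["user"], r["mrn"]))
        if not rule["after_hours_ok"] and not (7 <= r["ts"].hour < 19):
            findings.append(("after_hours", r["user"], r["mrn"]))
        if rule["clinical"] and patient_dept.get(r["mrn"]) != r["dept"]:
            findings.append(("outside_department", r["user"], r["mrn"]))
        by_user[r["user"]].append(r)

    # Bulk access: sliding window over each user's (time-ordered) accesses.
    for user, recs in by_user.items():
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > BULK_WINDOW_SECONDS:
                start += 1
            distinct = {x["mrn"] for x in recs[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} patients in {BULK_WINDOW_SECONDS}s"))
                break  # one finding per user is enough for a reviewer
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{kind:22} {user:12} {detail}")
```

On the constructed log this reports billing_ann's disallowed `update`, clerk_bob's 23:41 access, nurse_kim's view of an oncology patient, and billing_ann's bulk pull; drlee's accesses produce nothing. In a real deployment the department lookup would be replaced by a treatment-relationship check and the thresholds tuned to the organization, but the shape (parse, apply policy per record, then look for volume patterns per user) is the same.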



Jeff [10:33 AM]

[ Monday, August 08, 2011 ]

 

Brigham and Women's Breach: apparently a physician working for the hospital lost a hard drive with medical information on over 600 patients.

Jeff [9:16 AM]

 

KPMG - HIPAA Auditor and HIPAA Breacher: OK, KPMG is a huge company and with a substantial healthcare business. And any big player is going to suffer an occasional problem. But Dom Nicastro points out that the company now charged with conducting OCR's first rounds of HITECH-required audits once was the subject of a HIPAA breach due to the loss of a flash drive containing PHI. I'm sure KPMG will factor that "s**t happens" defense in when it conducts its audits. . . .

Jeff [9:12 AM]

[ Friday, August 05, 2011 ]

 

CMS' HIPAA Audit Authority: Will CMS audit business associates as well as covered entities when KPMG gets started? According to Dom, they don't know.

Jeff [8:13 AM]

[ Wednesday, August 03, 2011 ]

 

More Access Report Pushback: the American Hospital Association submitted its comments to the proposed accounting-of-disclosures rule, and like most of the other provider commenters, has pushed back hard against the new requirement to log all instances when any person or entity accesses PHI in a designated record set.

Jeff [9:27 AM]

[ Monday, August 01, 2011 ]

 

HIPAA goodies from HealthLeaders: First, Dom Nicastro has some good analysis on how the new accounting-of-disclosures rule, particularly the access report, can put healthcare providers in a bind if they get sued for malpractice. Of course, when you have access to the experts like Dom, . . . .

And Margaret Tocknell notes how the comments coming in on the proposed rule are heavily in the "me-no-likey" camp. Providers in particular are opposed to the rule. Of course, you can still get your comments in, but better hurry; you've got probably another half-hour or so.

Jeff [3:15 PM]
