HIPAA Blog

[ Friday, October 21, 2011 ]


HIPAA 5010 News: While most of this blog is focused on HIPAA's privacy and security requirements, there are other parts of HIPAA as well. One of the "other" components of HIPAA is the transactions and code sets business, which basically sets forms (format and content) for specific electronic healthcare transactions, such as submission of bills. The theory is that by reducing the number of different electronic forms/formats, and requiring everyone to use the same form/format, duplicative "translation" efforts can be eliminated and cost savings will occur. The American National Standards Institute (ANSI), the same group that sets standard sizes for light bulb screw-in threads and electrical plugs, sets these standards, and they are occasionally revised.

The original (I believe) HIPAA transaction and code set forms were called the 4010 formats; however, new standards, called 5010, have been proposed. All healthcare entities engaging in standard transactions via electronic formats were supposed to start testing the 5010 formats by January 1 of 2011, and everyone is required by law to switch to 5010 by January 1, 2012.

Unfortunately, not everyone is ready. If you're not ready, you could hire a "clearinghouse" to translate your current forms into 5010 format, so by the time your transactions hit the electronic marketplace, they are up to snuff. It seems that California's Medicaid program is not ready, and will not be translating. Rather, they are requiring all Medi-Cal participants to translate their 5010 formats back into 4010 format. Can they do that? Not without violating HIPAA.

It will be interesting to see how the HIPAA enforcement agencies treat the largest Medicaid program in the country when it boldly decides not to comply with HIPAA.

(Big) Hat tip to Stanley Nachimson for flagging this.

Jeff [11:27 AM]

[ Monday, October 17, 2011 ]


Medical Identity Theft: It's growing, says American Medical News. As with other data losses, if you want to look for the highest-risk areas, look to where someone can profit from the data theft. With a regular data breach, it's not the medical information that's valuable; it's the social security numbers and other information that enable identity theft. And if it's not ID theft the miscreants are after, it's medical identity theft.

Jeff [7:29 AM]


Spectrum Health System (Worcester, Mass.), a mental health and substance abuse provider, has reported the theft of a hard drive containing patient identifying data (including SSNs). Of course, the nature of the services makes the information particularly sensitive. The data wasn't encrypted, but was double-password protected.

Jeff [7:24 AM]

[ Friday, October 14, 2011 ]


Nemours Data Loss: The Nemours Foundation, which operates health facilities in Delaware, Pennsylvania, New Jersey and Florida, has lost 3 backup tapes containing patient data. The data, which includes names, DOBs, SSNs, and bank account information, is coded, but apparently not encrypted.

The good news is that the data is old (pre-2005) and there's no indication the tapes were stolen: they were in a storage cabinet that got removed when the building was remodeled. My guess is that they are in a commercial landfill somewhere (a few layers above Jimmy Hoffa). It's actually kinda amazing that they even knew the tapes were gone.

Jeff [10:37 AM]

[ Thursday, October 13, 2011 ]


Totally Off-Topic, but Awesome Nevertheless.

The Most Interesting Baseball Player in the World:



Sorry, Detroit fans.

Jeff [11:28 AM]

[ Wednesday, October 12, 2011 ]


Today's data breach news: As seems so often to be the case, portable data storage is the Achilles' heel of PHI security. In New Hampshire, a flash drive with data on 2000 patients was stolen from a clinic employee's car. The flash drive was in a computer bag in a locked car; presumably the thief thought he was getting a computer, not a flash drive. The data apparently wasn't encrypted, but fortunately it didn't have social security numbers or credit card numbers either.

Meanwhile, in Baltimore, the lawyer representing Dr. Mark Midei (the alleged stent over-user) in multiple malpractice claims lost a portable hard drive containing medical records of 161 of the plaintiffs. This one makes for some interesting reading. The law firm claims that the data was taken home nightly as a security precaution (basically, a data backup). But the data wasn't encrypted. And the firm waited two months before sending notice letters. The firm isn't a covered entity, but it's certainly a business associate, which would make it subject to the HIPAA Security Rule and the privacy provisions of HITECH. The plaintiff lawyer is pretty sanguine about it, calling it an honest mistake. I suspect the data has long been erased and this breach won't ever result in harm to the individuals whose data was on there (like the New Hampshire case, the value of the hard drive to a likely thief would be the hardware, not the data), but it's a pretty bad story.

Jeff [9:21 AM]

[ Thursday, October 06, 2011 ]


This seems about right: Doctors are big users of social media, but do not use it to connect with patients, and even avoid patient forum sites.

Jeff [2:41 PM]


Stanford Update: The New York Times has picked up the Stanford data breach story I noted below; that definitely explains a lot about how the data ended up where it did. As a further twist on the story, a plaintiff has already appeared and filed suit (what damages she can show, I can't begin to imagine), but Stanford has vowed to defend itself vigorously. Good on 'em.

Jeff [8:50 AM]

[ Wednesday, October 05, 2011 ]


Kermit (Winkler County), Texas Update: If you followed the Winkler County case at all, this is a pretty interesting denouement: Two nurses in this small west Texas town filed a complaint against the local doctor. It was obvious that there was a clash of personalities and a personal feud going on. But the doctor got his pal the local prosecutor to file charges against the nurses for improperly disclosing PHI in filing the complaints with the Medical Board. That backfired -- the nurses were acquitted, and the doctor and prosecutor both wound up being charged with misconduct. The prosecutor was found guilty of Misuse of Official Information, Official Oppression, and Retaliation. Apparently his predilection for prostitutes became part of the case.

Jeff [8:44 AM]
