[ Wednesday, November 30, 2011 ]
The Year in Data Theft: InfoWeek's Dark Reading site gives a breakdown of the big data breaches over the last year; click on the Comodo logo for the slide show. TriCare is the healthcare industry's entrant; they must've put this together before Sutter.
Jeff [5:16 PM]
"We Can't Wait." HHS has issued a press release on steps it is taking to encourage providers to adopt health information technology. Yawn. Another day, another press release, right?
Not exactly. This press release doesn't start with the bland, dry bureaucrat-speak you usually see, it's got a punchy tag line. HHS can't wait for doctors and hospitals to get on the bandwagon and get with this whole computer thingy, so the press release starts out, "We can't wait."
Hmm, that sounds familiar. Where have I heard "we can't wait" before, and recently? Oh yeah, it's Obama's 2012 reelection campaign slogan.
If you thought the US Department of Health and Human Services was an organ of the Democratic Party, . . . you're apparently right.
Sheesh.
UPDATE: a reader named Ben writes in the comments:
I've read your blog for many years, and always found it very helpful. But I don't read it for political commentary.
And I generally try to keep this blog free from political commentary, more or less. It's no secret I'm a conservative (although I have no allegiance to the Republican party, a/k/a the "stupid party"), and that naturally flavors my way of viewing things. But if I wanted to write political rants here, I'm free to do so, since it's my blog. And Ben (and all the rest of you) are free to not read my rants. I'll give you a full refund of your subscription fees, too.
But the HHS is not, and shouldn't be, the President's political mouthpiece. He's President, so he gets to appoint the top folks and run it as he likes, with policies pointed in the direction he likes, subject to the specific boundaries set by Congress. Just like he gets to fly around the country on Air Force 1 (at a large cost of taxpayer dollars) and tie up traffic in Manhattan for political fundraisers; as long as there's some non-political purpose as a fig leaf for part of the trip, then he's allowed to do so. Regardless of which party he leads.
But he doesn't get to use HHS for political purposes. He doesn't get to use HHS to provide care only to Democrats, or to grant waivers only to states that voted for him. HHS belongs to all of us, not to the President. Just as the President's political operatives can meet with him in the White House but can't use White House resources for campaigning, he can guide the HHS in a way that suits him politically but can't use it as a campaign tool. It's not right, it violates a public trust, and it creates an appearance that HHS is a partisan organization.
I would call out a Republican president who did the same thing. Of course, if it were a Republican, I wouldn't be the only one.
Jeff [3:23 PM]
[ Wednesday, November 23, 2011 ]
"Strong" Passwords: We recently had information security training here at JW, and one thing that was stressed was strong passwords. Frankly, that's the weakest link for non-crackhead malicious breaches. It's hard to keep a strong password regime up, particularly since you should also not use the same password for multiple accounts or uses (but if you use multiple ones, you have so many more to remember -- and you shouldn't write them down anywhere either, at least not anywhere near where they might be used, i.e. where they might be useful).
Regardless of your level of concern regarding strong passwords, at the very least don't use weak passwords. Here's a list of 25 to avoid, along with some recommendations for strong passwords.
Jeff [10:19 AM]
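The post's two pieces of advice (don't use a known-weak password, and don't reuse one across accounts) are easy to enforce mechanically. The following is an added example, not code from the HIPAA Blog or from the linked article; its denylist is a small constructed sample rather than the article's list of 25, and a real deployment would load a published list of commonly breached passwords in its place. It also catches the usual dodges (capitalizing a letter, tacking digits on the end, leet substitutions) that make a weak password look different to a naive check, and it detects reuse by comparing keyed fingerprints so that the history table never holds plaintext.

```python
"""Password policy check: known-weak passwords, character variety, and reuse.

Added example for the HIPAA Blog "strong passwords" post; not the blog's own code.
"""
import hashlib
import hmac
import re

# Constructed sample denylist (assumption: production code would load a
# published breached-password list instead of this ten-entry stand-in).
WEAK_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "welcome", "monkey", "iloveyou", "admin",
}

MIN_LENGTH = 12

# Common "leet" substitutions that people use to dress up a weak password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

# Constructed demo key for the reuse fingerprint. In a real system this key
# lives outside the password-history table so the table is useless offline.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"


def candidate_forms(pw):
    """Return the forms of pw that should be compared against the denylist:
    the lowercase password, the same with trailing digits/punctuation
    removed, and that again with leet substitutions undone."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stripped, stripped.translate(LEET)}


def is_known_weak(pw):
    """True if any normalized form of pw is on the denylist."""
    return any(form in WEAK_PASSWORDS for form in candidate_forms(pw))


def fingerprint(pw):
    """Keyed fingerprint used only to detect reuse of an earlier password."""
    return hmac.new(FINGERPRINT_KEY, pw.encode("utf-8"), hashlib.sha256).hexdigest()


def character_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def evaluate_password(pw, previous_fingerprints=()):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_known_weak(pw):
        problems.append("matches a known-weak password (possibly with leet/digit tweaks)")
    if character_classes(pw) < 3:
        problems.append("uses fewer than 3 character classes")
    if fingerprint(pw) in previous_fingerprints:
        problems.append("reused from an earlier password")
    return problems


if __name__ == "__main__":
    history = {fingerprint("Tr0ub4dor&3-Minneapolis")}
    for sample in ("monkey", "P@ssw0rd123!", "Tr0ub4dor&3-Minneapolis"):
        print(sample, "->", evaluate_password(sample, history) or "OK")
```

The point of `candidate_forms` is that "P@ssw0rd123!" passes a length-and-character-class rule yet is still "password" to anyone with a wordlist; normalizing before the denylist lookup closes that gap. The reuse check compares HMAC fingerprints rather than plaintext, so the history store cannot be turned into a password list if it leaks.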
[ Sunday, November 20, 2011 ]
Why Recycling is Bad: A paralegal at a Minneapolis law firm decided to donate the firm's paper trash to her child's school for use as scrap paper for after-school art projects; you know, the paper only has printing on one side, and the other side could be used for artwork. Unfortunately, some of the scrap paper contained medical records of the firm's clients. Oops.
Jeff [12:05 PM]
[ Friday, November 18, 2011 ]
The Other HIPAA: CMS is backing off the requirement that everyone switch to the newest transaction standards by January 1; actually, the requirement is still there, but CMS has said they won't enforce it until April 1, 2012. The HIPAA 5010 standards for electronic transactions, which replace the 4010 standards, were supposed to be tested during 2011, with all electronic transactions in the healthcare industry being conducted under the new standards by 1/1/12.
California Medicaid (Medi-Cal) stated recently that they just won't be ready to make the switch, and just won't do it (despite it being legally required). What will CMS do if Medi-Cal still isn't ready by April Fool's Day? I bet we'll see another extension. It seems that if you're big enough and say you won't abide by the law, the Feds will just change the law for you. Maybe it's not an issue of being big enough, but blue enough; I wonder how CMS would have responded if it was Texas' Medicaid program that refused to make the switch. . . .
UPDATE: here's another link to the story. The Modern Healthcare link may be subscription only.
Jeff [10:41 AM]
UPDATE: Sutter Health. More on the Sutter Health data loss, noting it's part of a "trend." Also note the "crackhead" connection.
UPDATE 2: It was actually a desktop computer, rather than a laptop. Which goes to show, if you are a covered entity under HIPAA, you should really seriously consider encrypting it all.
Jeff [7:35 AM]
[ Thursday, November 17, 2011 ]
Speaking of Laptop Thefts: Smartphones are probably even more likely to be lost or stolen. How secure are yours? InfoWeek has some thoughts, ideas and advice.
Jeff [11:03 AM]
Sutter Health: We may have a new winner in the "most records lost at one time" category. Sutter Health has announced a HIPAA data loss involving over 4 million people. That's 4,000,000, or roughly 1 out of every 75 Americans. The loss was the result of a stolen computer (naturally), which was not encrypted (of course). Fortunately, there was no financial information or social security numbers, so it is highly unlikely that there will be any actual harm done because of this (and even if sensitive information had been on the computer, there probably would not have been any actual harm, due to the "crackhead" rule). But Sutter gets a pretty bad black eye.
Have we reached the point where encryption is now a practical requirement? I think maybe so. Computers will be stolen. Flash drives will be lost. It sucks to lose a $2,000 computer, but if it's encrypted, that's the extent of your loss.
Jeff [10:36 AM]
[ Wednesday, November 09, 2011 ]
HHS Officers Grilled on Capitol Hill: As reported by BNA (subscription required), the Senate Judiciary Subcommittee on Privacy, Technology and the Law called up a group of HHS officers to question them on medical privacy breaches and the number of prosecutions. The Senators felt that HHS isn't doing enough, because there aren't enough prosecutions going on. The risk raised by increasing the footprint of electronic records was noted.
Jeff [8:07 PM]
[ Tuesday, November 08, 2011 ]
HIPAA Audits are coming: HHS announces the audit program, and states that the audits will start in November 2011 and be finished by December 2012. It will be interesting to see who is selected for auditing. . . .
UPDATE: Dom has more details (i.e., he's not as lazy as me).
Jeff [7:53 PM]
[ Monday, November 07, 2011 ]
Crackheads again, UCLA version: As I was saying, now it's a UCLA Health System hard drive stolen from a doctor's house. 16,000 patients affected. Encryption, anyone? Password protected, but with the password written on a piece of paper that was also stolen. No social security numbers, which is good.
Jeff [9:30 AM]
Baltimore X-Ray Theft: As a further data point on my "unified crackhead" theory of healthcare data breaches, someone stole thousands of x-ray films from a Baltimore hospital. Were they preying on the sensitive nature of the data as health-related? No. They weren't even after the identifying information that could be used for identity theft, much less medical identity theft. As with 99% of all hardware or "property" data losses due to the malfeasance of a third party (thefts of hard drives, computers, etc.), the goal was pure theft of a resellable asset. In this case, it's not the silvery images on the film, it's the silver in the film. Of course, that would destroy the PHI (and "secure" it for HIPAA/HITECH purposes), once the extraction procedure is done.
If you're looking for an explanation of a hardware/property data loss, the answer is almost always that the data is on its way to destruction, because the incident is purely a theft of the property, and if anything, the data is a hindrance to the crackhead thief.
Jeff [9:22 AM]
[ Friday, November 04, 2011 ]
TRICARE update: As mentioned below, a bunch of TRICARE backup data tapes were stolen. Almost certainly they haven't been accessed, and there's no known harm done to anyone. But TRICARE and the contractor (SAIC) are offering a free year of credit monitoring to anyone who might be affected and is worried.
Jeff [3:18 PM]