tag:blogger.com,1999:blog-33806362012-01-31T12:09:25.572-06:00HIPAA BlogA discussion of medical privacy issues buried in political arcanaJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.comBlogger19181100tag:blogger.com,1999:blog-3380636.post-62041453930067362232012-01-31T12:06:00.002-06:002012-01-31T12:09:25.592-06:00University of Miami Data Breach: flash drive with patient data stolen from doctor's car. How unusual! No SSN or similar financial data (good), but apparently not encrypted (bad).Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-6618754649854592772012-01-31T11:39:00.002-06:002012-01-31T11:43:19.252-06:00Guest Post:How HIPAA Can Affect College StudentsNormally the media publishes stories about HIPAA in relation to medical data breaches by negligent clinicians out of compliance or in the context of the law creating a significant burden for practices now trusted to maintain their patients’ records with the utmost vigilance. Though HIPAA was intended for the salutatory purpose of making health care Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-50548969433108307752012-01-31T11:37:00.002-06:002012-01-31T11:39:13.488-06:00Beaten down by contracts of adhesion. I just totally clicked through the new Google privacy policy, accepting it without even reading it. Now, my life really is an open book.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-55399981741466183162012-01-25T17:36:00.002-06:002012-01-25T17:43:15.644-06:00Going to HIMSS? #HIMSShero I've gotten a couple of emails about this new player in the health IT business: DrFirst (@DrFirst). The stated focus is to help physicians migrate to EHRs, with an apparent big focus on ePrescribing (including a controlled substance e-prescribing solution). If you're going to HIMSS, check them out at Booth 5456. In the interim, check out their introductory video; if youJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-89003885000635073232012-01-25T12:43:00.002-06:002012-01-25T12:46:55.561-06:00HIPAA White Paper from ProofPoint: I was reviewing an InfoWeek health tech email and saw a link to a Dark Reading article on the latest HIPAA email security rules. It led me to this white paper. I don't know who they are or what they're pushing, and in full disclosure I just sort of scanned over this, but it looks pretty interesting. They go back and talk about the original EDI focus of HIPAA, Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-59391471585641386692012-01-23T17:42:00.002-06:002012-01-23T17:47:51.591-06:00HIPAA-compliant authorizations in electronic format: I received the following from one of the outreach folks as HHS:Greetings,In April 2012 individuals applying for Social Securitydisability benefits online will be able to sign the “Authorization to DiscloseInformation to the Social Security Administration” (Form SSA-827)electronically. As a result, your readers may begin receiving some of Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-21049964105349315002012-01-23T09:08:00.003-06:002012-01-23T09:11:37.964-06:00Breach Notification: a couple of articles to clip and hold onto, just, ya know, in case:Richard Mackey (first of a series)Greg FreemanJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-15561139022166680442012-01-20T09:47:00.003-06:002012-01-20T09:50:40.597-06:002011 Year in Review, 2012 Year in Preview: While I hate to promote another law firm, McDermott Will & Emory is a good health law shop, and they've posted a White Paper on 2011 events and 2012 predictions for Data Protection and Privacy. I haven't had a chance to review it yet. but will try to get to it this weekend, and will update this post if I see anything exceptional. Also, don't know if thisJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-54654911607209732982012-01-20T09:15:00.005-06:002012-01-20T09:33:22.418-06:00Accretive Health (Minnesota) Data Breach: The Minnesota AG has sued a healthcare service group for Fairview Health and North Memorial in Minnesota hired Accretive as their debt collection company, and Accretive lost a laptop with unencrypted patient data. The data included stuff you'd expect a debt collector to need (names, SSNs, amounts owed, even procedures performed), but the data also Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-26105993557673492872012-01-18T12:39:00.002-06:002012-01-18T12:43:38.539-06:00Go to Jail: 13 months in jail for a computer specialist with an Atlanta physician practice who left the practice, joined a new practice, and hacked into the old practice to steal patient data and use it for direct-mail soliciations for his new employer. He also deleted the information off of his old employer's computers.This shows the need for good employee exit policies and access termination Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-77054850968934316642012-01-16T16:45:00.002-06:002012-01-16T16:50:12.526-06:00OT: 1% of Americans eat up 22% of all healthcare spending; half of all healthcare spending is spent on only 5% of the citizenry.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-29460258698300630582012-01-16T16:33:00.002-06:002012-01-16T16:36:15.271-06:00Social Media in Healthcare: Who is using social media, what are they using, and how are they using it? Here'a a pretty neat infographic from Ray Lau at Innovative Data Solutions.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-22927189642873072312012-01-09T08:12:00.003-06:002012-01-09T08:14:46.483-06:00Seven Health IT Trends to Watch in 2012: From Government Health IT. Of course, most are data breach or other HIPAA issues.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-58394390094364891522012-01-05T17:46:00.002-06:002012-01-05T17:56:32.522-06:00A List Inspired by Spinal Tap: According to Dark Reading, the number 1 trend of the top 11 trends for healthcare data in 2012 will be data breaches involving portable devices. Class action litigation is #2 (hey Sutter, you're a trendsetter!). Why a top 11? Only 1 reason.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-18012295425742411902012-01-03T17:03:00.001-06:002012-01-03T17:03:47.721-06:00Forbes Notes the surge in HIPAA complaints and problems in 2011.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-28705473217396203522012-01-03T13:39:00.002-06:002012-01-03T13:41:49.177-06:00DWI: Doctoring While iPhoning. Texting or using a cell phone while performing heart bypass surgery is much more common than I would have ever thought.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-34802128409803906692012-01-02T09:50:00.002-06:002012-01-02T09:52:52.385-06:005010 Standards: By the way, here's information on the new 5010 standards. They became effective yesterday, although they won't be enforced for a few more months. They will be eventually, to be sure, so if you haven't already gone there, you need to get moving.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-42200172341546776262011-12-30T08:34:00.002-06:002011-12-30T08:36:56.195-06:00Loma Linda Breach: An employee at Loma Linda University Medical Center took home medical records. I'm guessing that, as a nurse, she didn't need to work on her dictation or anything of the sort. She has been fired.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-28901686725976216092011-12-28T10:32:00.003-06:002011-12-28T10:40:31.080-06:005010 News: MGMA is asking for more time for transition to 5010. The deadline in January 1, 2012, and was there for a couple of years. HHS has already pushed back a 3-month grace period, and now MGMA wants 6. I'm not technical enough to know why this is such a problem, but can't folks just get this switched over? Then again, how important can it be to make the switch? What advantages does 5010 Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-19455418527937090322011-12-28T10:28:00.002-06:002011-12-28T10:30:47.879-06:00Nothing to See Here: Here's a story about nothing: customers of small pharmacies complain of privacy violations when the pharmacies are sold to Walgreens and their records are sent there. Isn't that a HIPAA violation? No, it's not. It is definitely part of "healthcare operations" to transfer records to a successor provider, which is the case here. If you don't want Walgreens to have your records,Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-23140725658678144212011-12-20T09:50:00.003-06:002011-12-20T09:57:03.097-06:00UCLA Update: You may remember that a UCLA physician took home a portable hard drive which was stolen from his house (along with the slip of paper with the password to access the data). UCLA has now been sued for $16 million ($1,000 per patient, the California statutory damages amount).Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-19056173181828385042011-12-20T09:17:00.002-06:002011-12-20T09:19:41.231-06:00Georgia Hospital Feels the Security Rule Blues: One of the required elements of the security rule standards is the adoption of appropriate software protection, such as virus scanning and other malware prevention and protection. Why is this important? A computer virus can close your hospital.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-91377740188185086762011-12-19T22:47:00.002-06:002011-12-19T22:54:12.059-06:00Why There's a HIPAA Privacy Rule: HIPAA's transaction and code set rules drove the move to electronic records (and eventually EMRs and EHRs). Data in electronic form poses a much greater risk of improper access than paper records, for a number of obvious reasons. It was due to that increased risk that the HIPAA Privacy and Security Rules came into play.The New York Times has discovered the same Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-38556977920418016412011-12-13T14:47:00.002-06:002011-12-13T14:50:23.413-06:00Encryption and Data Loss Prevention: There are a couple of interesting links in today's Dark Reading email: a report on email and data loss, and a white paper on encrypting data in transit and at rest. Both are free, but you must register to access the papers.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-27255397180737416312011-12-12T18:29:00.002-06:002011-12-12T18:35:47.057-06:00Florida Law HIPAA preemption: A Florida federal district court has ruled that a Florida statute that requires nursing homes to provide copies of a former resident's medical records to spouses, guardians, proxies and attorneys upon request is preempted by HIPAA. In Opis Management v. Dudek, the court ruled that the Florida statute requires the disclosure, but HIPAA prevents it (inless the spouse, Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-82487985309339155362011-12-09T14:49:00.002-06:002011-12-09T14:54:30.611-06:00Q&A with Larry Ponemon: Wherein the IT expert talks about how a big healthcare data breach could be worse than an oil spill. Interesting, and a little scary.UPDATE: More on Ponemon's recent report (should that be Pwnemon?) here; of course, I already covered it here.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-76950720043655236062011-12-02T11:06:00.002-06:002011-12-02T11:11:11.813-06:00Three Steps to Minimize the Data Breach Epidemic: from Government Health IT:Inventory your PHI/PIIDevelop an Incident Response PlanReview your Business Associate AgreementsNot a bad starting point. I'd also say you should re-do your HIPAA Security risk analysis. Part of that will be inventorying your PHI, and part of the result should include your incident response plan. The best thing you can toJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-84103960468391767412011-12-02T10:57:00.002-06:002011-12-02T11:03:19.333-06:00HCPro Survey: Dom notes a recent survey by HCPro (apparently it's not just Ponemon out there asking questions) which indicates that only 17% or healthcare organizations are prepared for an audit. OCR is starting its audit process with a total of 150 "covered entities" over the next 14 months, with 20 or so getting started in November (so far, I haven't heard any names mentioned). I have no idea Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-85737191979065814262011-12-02T10:31:00.003-06:002011-12-02T10:42:44.147-06:00Ponemon Report on Healthcare Data Breaches: There's a new report from the Ponemon Institute that indicates a growing number of data breaches in the healthcare sector. The truth of the trend may be questionable -- it could be that breaches are noticed more now than they were in the past due to the high profile of HIPAA after HITECH. But regardless, there are some interesting nuggets in the data:Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-80859444862090666252011-11-30T17:16:00.003-06:002011-11-30T17:18:15.777-06:00The Year in Data Theft: InfoWeek's Dark Reading site gives a breakdown of the big data breaches over the last year; click on the Comodo logo for the slide show. TriCare is the healthcare industry's entrant; they must've put this together before Sutter.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-73754005786800064342011-11-30T15:23:00.003-06:002011-12-01T17:35:43.016-06:00"We Can't Wait." HHS has issued a press release on steps it is taking to encourage providers to adopt health information technology. Yawn. Another day, another press release, right?Not exactly. This press release doesn't start with the bland, dry bureaucrat-speak you usually see, it's got a punchy tag line. HHS can't wait for doctors and hospitals to get on the bandwagon and get with this whole Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com1tag:blogger.com,1999:blog-3380636.post-65168164073087146922011-11-23T10:19:00.002-06:002011-11-23T10:25:19.019-06:00"Strong" Passwords: We recently had information security training here at JW, and one thing that was stressed was strong passwords. Frankly, that's the weakest link for non-crackhead malicious breaches. It's hard to keep a strong password regime up, particularly since you should also not use the same password for multiple accounts or uses (but if you use multiple ones, you have so many more to Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-72564913303001220502011-11-20T12:05:00.002-06:002011-11-20T12:09:58.312-06:00Why Recycling is Bad: A paralegal at a Minneapolis law firm decided to donate the firm's paper trash to her child's school for use as scrap paper for after-school art projects; you know, the paper only has printing on one side, and the other side could be used for artwork. Unfortunately, some of the scrap paper contained medical records of the firm's clients. Oops.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-77863718293784809202011-11-18T10:41:00.003-06:002011-11-18T11:08:34.844-06:00The Other HIPAA: CMS is backing off the requirement that everyone switch to the newest transaction standards by January 1; actually, the requirement is still there, but CMS has said they won't enforce it until April 1, 2012. The HIPAA 5010 standards for electronic transactions, which replace the 4010 standards, were supposed to be tested during 2011, with all electronic transactions in the Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-88418924497931842622011-11-18T07:35:00.002-06:002011-11-18T09:15:49.226-06:00UPDATE: Sutter Health. More on the Sutter Health data loss, noting it's part of a "trend." Also note the "crackhead" connection.UPDATE 2: It was actually a desktop computer, rather than a laptop. Which goes to show, if you are a covered entity under HIPAA, you should really seriously consider encrypting it all.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-75145202452203596742011-11-17T11:03:00.002-06:002011-11-17T11:05:06.438-06:00Speaking of Laptop Thefts: Smartphones are probably even more likely to be lost or stolen. How secure are yours? InfoWeek has some thoughts, ideas and advice.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-65711844570400872972011-11-17T10:36:00.004-06:002011-11-17T11:05:50.851-06:00Sutter Health: We may have a new winner in the "most records lost at one time" category. Sutter Health has announced a HIPAA data loss involving over 4 million people. That's 4,000,000, or roughly 1 out of every 75 Americans. The loss was the result of a stolen computer (naturally), which was not encrypted (of course). Fortunately, there was no financial information or social security numbers, soJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-46023523870641129192011-11-09T20:07:00.002-06:002011-11-09T20:23:39.120-06:00HHS Officers Grilled on Capitol Hill: As reported by BNA (subscription required), the Senate Judiciary Subcommittee on Privacy, Technology and the Law called up a group of HHS officers to question them on medical privacy breaches and the number of prosecutions. The Senators felt that HHS isn't doing enough, because there aren't enough prosecutions going on. The risk raised by increasing the Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-16780503085287533022011-11-08T19:53:00.004-06:002011-11-08T19:57:23.496-06:00HIPAA Audits are coming: HHS announces the audit program, and states that the audits will start in November 2011 and be finished by December 2012. It will be interesting to see who is selected for auditing. . . .UPDATE: Dom has more details (i.e., he's not as lazy as me).Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-90786493533126532782011-11-07T09:30:00.002-06:002011-11-07T09:34:06.713-06:00Crackheads again, UCLA version: As I was saying, now it's a UCLA Health System hard drive stolen from a doctor's house. 16,000 patients affected. Encryption, anyone? Password protected, but with the password written on a piece of paper that was also stolen. No social security numbers, which is good.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-37985921491265219912011-11-07T09:22:00.002-06:002011-11-07T09:29:04.055-06:00Baltimore X-Ray Theft: As a further data point on my "unified crackhead" theory of healthcare data breaches, someone stole thousands of x-ray films from a Baltimore hospital. Were they preying on the sensitive nature of the data as health-related? No. They weren't even after the identifying information that could be used for identity theft, much less medical identity theft. As with 99% of all Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-72375475762347532542011-11-04T15:18:00.002-05:002011-11-04T15:21:03.415-05:00TRICARE update: As mentioned below, a bunch of TRICARE backup data tapes were stolen. Almost certainly they haven't been accessed, and there's no known harm done to anyone. But TRICARE and the contractor (SAIC) are offering a free year of credit monitoring to anyone who might be affected and is worried.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-22113498968213626962011-10-21T11:27:00.003-05:002011-10-21T11:36:12.076-05:00HIPAA 5010 News: While most of this blog is focused on HIPAA's privacy and security requirements, there are other parts of HIPAA as well. One of the "other" components of HIPAA is the transactions and code sets business, which basically sets forms (format and content) for specific electronic healthcare transactions, such as submission of bills. The theory is that by reducing the number of Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-5985889333565460992011-10-17T07:29:00.003-05:002011-10-17T07:32:39.030-05:00Medical Identity Theft: It's growing, says American Medical News. As with other data losses, as usual, if you want to look for the highest risk areas, look to where someone can profit from the data theft. With a regular data breach, it's not the medical information that's valuable, it's the social security numbers and other information that enables identity theft. And if it's not ID Theft the Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-26596250740462705972011-10-17T07:24:00.002-05:002011-10-17T07:28:40.317-05:00Spectrum Health System (Worcester, Mass), a mental health and substance abuse provider, has reported the theft of a hard drive, one containing patient identifying data (including SSNs). Of course, the nature of the services make the information particularly sensitive. The data wasn't encrypted, but was double-password protected.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-80740294628227509692011-10-14T10:37:00.003-05:002011-10-14T10:44:30.831-05:00Nemours Data Loss: The Nemours Foundation, which operates health facilities in Delaware, Pennsylvania, New Jersey and Florida, has lost 3 backup tapes containing patient data. The data, which includes names, DOBs, SSNs, and bank account information, is coded, but apparently not encrypted. The good news is that the data is old (pre-2005) and there's no indication the tapes were stolen: they were Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-22581874378112951412011-10-13T11:28:00.002-05:002011-10-13T11:31:37.655-05:00Totally Off-Topic, but Awesome Nevertheless.The Most Interesting Baseball Player in the World:Sorry, Detroit fans.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-33245166598933178332011-10-12T09:21:00.002-05:002011-10-12T09:36:24.188-05:00Today's data breach news: As seems so often to be the case, portable data storage is the Achilles heel of PHI security. In New Hampshire, a flash drive with data of 2000 patients was stolen from a clinic employee's car. The flash drive was in a computer bag in a locked car; presumably the thief thought he was getting a computer, not a flash drive. The data apparently wasn't encrypted, but Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-26767106410275471012011-10-06T14:41:00.002-05:002011-10-06T14:42:11.396-05:00This seems about right: Doctors are big users of social media, but do not use it to connect with patients, and even avoid patient forum sites.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-73703567115147518892011-10-06T08:50:00.003-05:002011-10-06T08:55:46.905-05:00Stanford Update: The New York Times has picked up the Stanford data breach story I noted below; that definitely explains a lot about how the data ended up where it did. As a further twist on the story, a plaintiff has already appeared and filed suit (what damages she can show, I can't begin to imagine), but Stanford has vowed to defend itself vigorously. Good on 'em.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-2565807210282130442011-10-05T08:44:00.003-05:002011-10-05T08:51:42.199-05:00Kermit (Winkler County), Texas Update: If you followed the Winkler County case at all, this is a pretty interesting denouement: Two nurses in this small west Texas town filed a complaint against the local doctor. It was obvious that there was a clash of personalities and a personal feud going on. But the doctor got his pal the local prosecutor to file charges against the nurses for improperly Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-63924660588359088692011-09-29T21:50:00.003-05:002011-09-30T09:47:19.518-05:00TRICARE breach: A contractor, Science Applications International Corp (SAIC) lost a bunch of backup tapes when they were stolen from an employees car while in transit, says BNA (subscription required). Apparently the data is hard to access, but not encrypted. 4.9 million patients involved. My bet: crackhead. Some crackhead broke into the car and stole something that looked good. Once he saw what Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-60906779619415785102011-09-29T11:33:00.002-05:002011-09-29T11:37:14.929-05:00I'm no expert, but this may be a HIPAA violation. Oh, wait, I am an expert. . . .Actually, it's possible that it's not a HIPAA violation, if the steps the physician took were reasonable and sufficient, and the breach occurred despite taking those reasonable steps. That's a subjective standard, and perhaps could be met. HIPAA doesn't require perfection, just reasonable steps for protection. But atJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-21669990164558435022011-09-27T10:09:00.002-05:002011-09-27T10:15:37.459-05:00Proactively Protecting PHI: Here's an interesting article by M. Eric Johnson of Dartmouth on the greater risks to data in healthcare. Keep in mind that a lot of it is more scare story than tragedy -- very few of the millions of breaches have resulted in any damage to any patient, financial or otherwise. Also keep in mind that while medical information may be incredibly sensitive, much isn't (Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-84523256237583306842011-09-23T09:22:00.002-05:002011-09-23T09:29:58.834-05:00HHS Privacy Policy Form: As promised, HHS had published a Privacy Policy form for entities that offer or use web-based personal health records. It's interesting, but is also sort of a hodge-podge. It appears to be targeted to PHR-offering companies, rather than providers who may access a PHR when a patient arrives at the provider and says, "you can get my health history at this website." It also Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-57513699735430028542011-09-22T17:32:00.002-05:002011-09-22T17:39:19.316-05:00Non-Privacy HIPAA: There seems to be a problem with the HIPAA transaction code for "eligibility." One of the initial components of HIPAA administrative simplification (where privacy and security reside) relates to what we sometimes call "transaction and code sets," where the industry was supposed to settle on specific forms for data and content in specific regularly-occurring "transactions" in Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-19191876352773132702011-09-22T17:21:00.003-05:002011-09-22T17:29:36.713-05:00PWC Report on Healthcare Data Breaches: According to a new report out by PricewaterhouseCoopers' Health Research Institute, a majority of healthcare providers aren't taking necessary steps to ensure security of new technologies like mobile devices. They are taking advantage of those technologies and adapting their operations to use increasing amounts of electronic data, but just aren't taking theJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-15683165462666816702011-09-21T08:38:00.004-05:002011-09-22T17:32:12.080-05:00Massachusetts Data Breach Totals: 2,000,000. Massachusetts has its own data breach reporting law, which so far has resulted in reports of 2 million individuals being involved in data loss incidents of some sort. Most interesting quote: "About 2.1 million residents were affected by the various incidents, though it's unknown whether any of them were actually defrauded as a result of the data leaks.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-85744806542540241582011-09-20T15:14:00.003-05:002011-09-20T15:17:30.605-05:00There is a Plan. You can relax; if you thought the Office of the National Coordinator for Health Information Technology (was called ONCHIT, now just ONC) was just going willy-nilly worward without a strategic plan in place, you can rest assured that they do have a Strategic Plan. At least for the next year or so.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-21407067625654731572011-09-20T13:35:00.002-05:002011-09-20T13:37:04.204-05:00HIPAA Pain: How to Cope. InfoWeek weighs in on how concerned covered entities are regarding breaches, how most breaches aren't structural or organizational but rather are human error, and why things are going to get harder and worse.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-78777294892961313062011-09-20T13:32:00.003-05:002011-09-20T13:34:56.964-05:00State AGs and HIPAA: As you probably know, the HITECH Act allows state attorneys general to prosecute covered entities for HIPAA violations. With a handful of notable exceptions, not too many state AGs are pursuing those, but more may in the future (OCR has held training sessions to bring AGs up to speed on how to do it). Here's an article on the state of the playing field (with some pretty sharpJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-68824906766904318742011-09-19T12:39:00.001-05:002011-09-19T12:41:00.162-05:002012 HIPAA Audits: Here's an interesting White Paper from Clearwater Compliance on the impending HIPAA audits coming next year. I haven't had a chance to read it yet, but it should be interesting to see what types of predictions are being made.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-87228102481469183872011-09-19T09:29:00.002-05:002011-09-19T09:47:53.724-05:00Medical Home Arrangements and HIPAA: A North Dakota clinic has opted out of a medical home plan established by Blue Cross Blue Shield of North Dakota because they believe the arrangement violates HIPAA. BCBS provides patient information to a consultant who mines the data for quality of care purposes. The consultant looks for best practices or areas where physicians or physician groups could Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-87076596908814217172011-09-19T09:19:00.002-05:002011-09-19T09:26:29.795-05:00Interesting Hospital Privacy Case: A cop in Hawaii posts a picture on his facebook page with the caption, "See when you like steal copper." The picture is of a suspected copper thief, in a hospital bed, with burns all over his body. The Honolulu Police Department and the District Attorney are trying to figure out a way to charge the cop with a crime. HPD has no social media policy, so the cop Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-57375656536173086562011-09-16T10:17:00.002-05:002011-09-16T10:21:47.309-05:00Indiana University Laptop Theft Breach: The PHI of about 3,000 patients of IU Medical School (including about 200 social security numbers) have potentially been exposed due to the theft of a laptop from one of its physicians. The laptop was password protected, but the data was not encrypted. According to the school, they are using the incident as a learning opportunity, which is a good idea. TheyJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-52114480919318909142011-09-15T12:19:00.002-05:002011-09-15T12:25:34.163-05:00HIPAA Criminal Guilty Plea: This is an interesting one. A guy pretends to be a doctor. He approaches a bunch of other doctors, and gets the other doctors to hire him to be an allergist for them, giving patients allergy shots at the doctor's office and at health fairs. Fake doc turns over all his receipts to the employing doc, except he keeps between half and 85% as his compensation. For the Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-30329266948144887682011-09-13T15:38:00.002-05:002011-09-13T15:41:30.998-05:00Peyton Manning on HIPAA: When asked to explain what specific issues were causing doctors to not clear him to practice, the Indianapolis Colts QB said, "I don't know what HIPAA stands for, but I believe in it and I practice it. So, uh, I'll leave it at that."Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-38317284980773307242011-09-13T10:45:00.002-05:002011-09-13T11:17:53.044-05:00HIPAA Rumblings from HHS: HHS just held its Consumer Health IT Summit, with a handful of major players in HIT and assorted government flacks. Three relatively big announcements:CLIA: HHS has proposed a new rule to allow individuals to access PHI that is held by a clinical lab. Under original HIPAA, individuals did not have the right to access their lab results or other PHI that was held by a Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-89840551361653000262011-09-12T08:58:00.002-05:002011-09-12T09:04:35.329-05:00Stanford Data Breach: Data left online unintentionally leads to a data breach involving 20,000 ER patients at Stanford Hospital. The data included no SSNs or birth dates, which is good, but did include name and diagnosis, which isn't. What is odd is that the data made it from a Stanford vendor to the "Student of Fortune" website as an example of how to convert data into a graph. But the biggest Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-38738093283226159912011-09-09T09:40:00.001-05:002011-09-09T09:41:58.275-05:00Telemedicine: very interesting article on how new technology and a patient's own privacy concerns/efforts will drive new developments in telemedicine.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com1tag:blogger.com,1999:blog-3380636.post-46191225258429127622011-09-08T10:07:00.002-05:002011-09-08T10:16:48.917-05:00HHS Reports: Almost 8 million records. Over 30,000 separate breaches. That's the current status of the breaches that have been reported to HHS, according to HHS' report to Congress required by HITECH. Two things to remember about these breaches. First, almost all of them were breaches of fewer than 500 records; only about 250 out of over 30,000 breaches were "big" breaches. Second, almost all of Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-55612440636991486982011-08-25T16:17:00.002-05:002011-08-25T16:18:25.204-05:00At the risk of confusing myself, here's another place where I've been known to occasionally blog.
Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-82606926093942575982011-08-25T09:03:00.003-05:002011-08-25T09:17:54.353-05:00OCR's Standard Response: In the event of a breach that involves noncompliance and some serious impact, you might still get a "resolution agreement" from OCR rather than a fine/penalty (assuming you cooperate, of course). However, according to Theresa Defino at AIS, you should still expect to be requried to re-write your policies, retrain your employees, institute some serious monitoring, and pay Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-88901416437139179032011-08-24T22:54:00.002-05:002011-08-24T22:57:41.128-05:00Off Topic: It's nice to know, but it doesn't really matter, as long as the lager yeast actually works. I've got a 5-gallon carboy in my garage fridge, full of this fall's Marzen, lagering away at 45 degrees (a little on the chilly side, but I'll warm it up later).
Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-86139252488630679682011-08-23T16:25:00.002-05:002011-08-23T16:31:58.172-05:00When Medical Privacy and Law Enforcement Collide: One headachey area for HIPAAcrats occurs when the demands of the law, and particularly law enforcement, require disclosure of information that is protected under HIPAA. HIPAA specifically addresses a lot of ways police officers can get information from HIPAA covered entities, as well as some limitations. For example, a covered entity can give the Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-46149158216175866092011-08-22T22:18:00.001-05:002011-08-22T22:20:14.085-05:00Digitized data + internet access + PHI = potential trouble. For "data leaks," at least. But then again, you already knew that.
Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-73354360676085773472011-08-22T22:06:00.002-05:002011-08-22T22:11:07.156-05:00Lost Thumb Drive Results in 500 Breach Notifications: St. Francis Hospital in Delaware misplaced a flash drive that had names of mothers who participated in a prenatal program 10 years ago. No social security numbers were involved, and it doesn't sound like particularly revealing information; also, the flash drive was recovered, apparently with the data intact. I don't know all the information, Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-62172370067395075402011-08-22T08:01:00.001-05:002011-08-22T08:03:39.073-05:00The Risks of PHI on the Internet.
Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-69544100694825829512011-08-16T10:33:00.002-05:002011-08-16T10:45:32.093-05:00HIPAA Hot Spots: Dom Nicastro and Adam Greene discuss the issues that OCR has identified as "hot spots" that deserve special focus by covered entities:
Incident detection and response
Review of access logs
Wireless network security
Password and user access management
Loss or theft of mobile devices
Up-to-date software
Role-based access and other access management
All of these are things that Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-75113906356757037392011-08-08T09:16:00.002-05:002011-08-08T09:17:47.243-05:00Brigham and Women's Breach: apparently a physician working for the hospital lost a hard drive with medical information on over 600 patients.
Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-24588802413066843822011-08-08T09:12:00.002-05:002011-08-08T09:15:47.614-05:00KPMG - HIPAA Auditor and HIPAA Breacher: OK, KPMG is a huge company and with a substantial healthcare business. And any big player is going to suffer an occasional problem. But Dom Nicastro points out that the company now charged with conductinig OCR's first rounds of HITECH-required audits once was the subject of a HIPAA breach due to the loss of a flash drive containing PHI. I'm sure KMPG will Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-40878161951319433872011-08-05T08:13:00.002-05:002011-08-05T08:15:12.148-05:00CMS' HIPAA Audit Authority: Will CMS audit business associates as well as covered entities when KPMG gets started? According to Dom, they don' t know.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-46247713506459577542011-08-03T09:27:00.002-05:002011-08-03T09:29:41.327-05:00More Access Report Pushback: the American Hospital Association submitted its comments to the proposed accounting-of-disclosures rule, and like most of the other provider commenters, has pushed back hard against the new requirement to log all instances when any person or entity accesses PHI in a designated record set.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-2186012271282857862011-08-01T15:15:00.002-05:002011-08-01T15:23:01.163-05:00HIPAA goodies from HealthLeaders: First, Dom Nicastro has some good analysis on how the new accounting-of-disclosures rule, particularly the access report, can put healthcare providers in a bind if they get sued for malpractice. Of course, when you have access to the experts like Dom, . . . .And Margaret Tocknell notes how the comments coming in on the proposed rule are heavily in the "Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-50882299620639741312011-07-29T11:35:00.001-05:002011-07-29T11:37:11.788-05:00What do you do when you suffer a data breach? ID Experts has a handy little 10-step guide that's got some good ideas in it.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-63015250684485844182011-07-28T09:42:00.003-05:002011-07-28T09:47:02.168-05:00Reaction to the New HIPAA Accounting of Discosures Rule: AHIMA has come out against it. Yesterday, MGMA noted the problems with the proposed rule.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-70633603817818902302011-07-26T08:48:00.002-05:002011-07-26T08:54:26.068-05:00Thinking of Buying a New EHR? If you've got a large old home-grown or legacy electronic medical record system and have been avoiding the multi-million dollar cost of replacing it with something certified by CCHIT, you might want to hold off on pulling the trigger. Many such players think they have to replace their old systems for "meaningful use" purposes, since their old systems aren't certifiedJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-57075453834536139942011-07-22T09:58:00.002-05:002011-07-22T10:01:15.794-05:00CHIME Notes Problems with New Accounting Rule: The healthcare CIO organization has weighed in on the new accounting for disclosures rule, and notes what Chris Apgar and I noted in our HCPro seminar on Tuesday: that the new rule goes too far, the access report requirement is too much, and it assumes technological capabilities that just aren't there.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-64506788179913266102011-07-19T08:27:00.001-05:002011-07-19T08:29:17.457-05:00Boson's Beth Israel: Seems like a contractor caused the problem, but a lack of proper virus protection resulted in a virus that sniffed out patient data on 2,000 patients.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-42534347065259810642011-07-15T09:34:00.001-05:002011-07-15T09:38:25.491-05:00More Boston Problems: Harvard also seems to have a problem involving a research project.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-22146519657074087542011-07-15T09:28:00.001-05:002011-07-15T09:30:33.586-05:00Possible Tufts HIPAA violation? Apparently involves medical info sent to a fax machine. Apparently only a disability form was supposed to be sent, but part of the medical record was sent instead. The hospital denies wrongdoing. I guess we'll see.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-83902917821725569392011-07-14T08:51:00.002-05:002011-07-14T08:54:02.277-05:00EHRs for Physican Practices: Are you in the market for an EHR? Family Practice Management magazine has a great survey of family practice doctors, broken out by size of practice and dozens of other metrics. I'd highly recommend a review of this article before you buy.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-8472140860699025982011-07-14T08:45:00.001-05:002011-07-14T08:46:31.447-05:00Doctors and Facebook: keeping separation between your personal and professional life.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-1728773451690116322011-07-09T11:47:00.002-05:002011-07-09T11:48:26.474-05:00Cyber Insurance: Interesting article on insuring against data breaches and other potential cyber liabilities.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-75826691857234836992011-07-09T08:45:00.002-05:002011-07-09T08:48:41.878-05:00Mayo Clinic, Social Media Leader: Thanks to Lee Aase, Mayo stays way out in front in the use of social media by healthcare players. If you're considering integrating social media strategies into your marketing plan (and you should be, at least considering it), you need to keep a close eye on the legal hurdles, but should also look to the market leaders to figure out what works, what doesn't, and Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-47368513211820528162011-07-08T17:33:00.001-05:002011-07-08T17:40:02.254-05:00Guest Blogger: As regular readers will be aware, I occasionally allow guest bloggers to post on HIPAABlog. Today, Pat Walling of Medical Coding Career Guide has a guest commentary on physical safeguards, and what might be necessary. Certainly reasonable precautions must be taken; however, in some instances, it may be necessary for patients to let providers know of problems, and for providers to Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-90964647227444216442011-07-07T16:11:00.001-05:002011-07-07T16:13:08.085-05:00UCLA Snooping fine. UCLA has agreed to a $865,500 HIPAA fine associated with two celebrity snooping violations (who are the celebs? they're not saying).Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-73829546216823329922011-07-07T09:56:00.002-05:002011-07-07T10:02:22.127-05:00Health Data Recovery After a Disaster: the HIPAA Security Rule requires covered entities (and via HITECH, business associates as well) to have emergency operations and disaster recovery policies and procedures in place. We saw how those can work, and should work, in the Joplin, Missouri tornado. If you haven't given this any serious consideration, I'd suggest you do so promptly. Gienna Shaw at Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-32435181054573599612011-07-07T09:48:00.001-05:002011-07-07T09:51:10.846-05:00HHS' Wall of Shame: some highlights of the HHS website for large data breaches:11,404,950 fellow citizens’ PHI breached (thats about equal to the population of the entire state of Ohio) 292 reported breaches to HHS by Covered Entities 58 Business Associates accomplices involved/culpable "Harm" STILL self-determined by CEs versus California law! Top 5 Data Breachers and their "havoc" on us: HealthJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-24587623698769749812011-07-07T09:40:00.002-05:002011-07-07T09:45:38.334-05:00Miami's Holy Cross Hospital: another hospital employee stealing data for ID theft purposes.Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0