HIPAA Blog

[ Thursday, November 18, 2004 ]

 

WiFi for the benefit of patients: There are a growing number of commercial locations where wireless internet access, or wifi, is popping up. Restaurants, car repair and tune-up shops, and generally any place where customers cool their heels for more than a few minutes are good locations for offering wifi as a customer service. The bank lobby in the tunnel concourse of my office building here in Dallas offers it, so if you're eating from one of the food court restaurants, you can surf the net at the same time. Now, according to this article, it's happening in physicians' offices. "'Instead of reading the old People magazine, you can go to People.com or whatever and get your latest gossip,' Alcantar said."

Don't confuse wifi for your waiting room with wifi for your back office, though. Many physician practices are moving to wireless technology for their office networks; if you do so, regardless of whether you offer wifi to your waiting room patients, you must make sure that the network is secure. At a minimum, that means the network patients use should be kept separate from any network that carries PHI, and the office network itself should be encrypted and limited to authorized devices. But you knew that, right?

Jeff [11:33 AM]

[ Wednesday, November 17, 2004 ]

 

Limbaugh Case update: The Florida appeals court has sent the issue to the Florida Supreme Court to make a state-wide determination on whether the prosecutors had an obligation to notify Rush Limbaugh prior to seizing his medical records pursuant to a search warrant, and give him an opportunity to have a judge rule whether prosecutors ought to see his records and, perhaps, redact portions not relevant to the case. I'm no expert on the Florida state law issues involved here, but it seems like there's a conflict between the state statutory requirements that require prosecutors to give notice prior to seizing medical records and case law that allows police and prosecutors to use search warrants to seize records (including medical records) in connection with a police investigation. The trial court allowed the records to be used in connection with the initial charge and refused to exclude them as improperly-obtained evidence, and the appeals court originally agreed that the trial court did not exceed its discretion. However, Limbaugh and his attorney challenged the decision of the appeals court, asking the court to review its decision and/or send it to the Florida Supreme Court. The appeals court apparently declined to reverse itself, but did send it on to the Supremes.

Of course, this is the same Supreme Court that botched Gore v. Bush so badly that the US Supreme Court had to step in and fix it.

There's no real HIPAA issue here; Rush's doctor can hand over the records when requested pursuant to a search warrant that the doctor reasonably determines is a good, legal search warrant. And Limbaugh and his lawyer are not charging that the doctor did anything wrong. But they are complaining that the prosecutors should have used the state statutory scheme and given Rush notice (and the opportunity to have a judge decide) prior to the prosecutors even seeing what was in those files.

Jeff [4:00 PM]

 

Another RFID story in the New York Times.

Jeff [9:38 AM]

[ Tuesday, November 16, 2004 ]

 

Just got a nice note from Bob Coffield, a health lawyer with Flaherty, Sensabaugh & Bonasso in West Virginia (a state I fondly remember from my trips to visit Monongahela General Hospital in Morgantown) and fellow health law blogger. He's also a lecturer for Lorman on HIPAA issues. Check out his blog at www.healthcarebloglaw.blogspot.com.

Jeff [5:26 PM]

 

More on the RFID story: from USA Today.

Jeff [11:13 AM]

 

Here's an interesting snippet I just received in an email from Medical Newswire's Hospital Compliance Wire, discussing emergency and disaster planning (this is copyrighted material, and I'm assuming this is fair use since I got it in an email for free):


DURHAM, NC (Hospital Compliance Wire) Are you having a hard time helping your staff get their heads around your disaster recovery procedure? With a little guided practice, your team will be sniffing out disasters in no time.

Plan of action: Make a list of the emergency and disaster situations your organization might face, suggests Stephen Priest, a consultant with Professor Steve & Associates in Bedford, VT. Decide how your facility will handle each scenario and then see how your employees respond, he says.

Remember: In an emergency, you must continue to operate. With a disaster, operation is impossible and you've got to find a way to recover, Priest says. Here are some sample scenarios:

INSTRUCTIONS: For each scenario below, note whether the situation is an emergency, a disaster or both. On a separate sheet of paper, write how you'd respond.

1. A patient in one of your waiting rooms goes into cardiac arrest. The only doctor in the department is a visiting physician who does not have authorization to see the patient's medical record.
2. A doctor shows up for work Saturday morning, but cannot find her badge. Without that token, she cannot access any e-PHI.
3. You are entering patient information in your electronic records management system when a three-block power outage occurs. Your entire facility is without power.
4. A patient presents for a hernia removal. You see that he is scheduled for today, but you cannot find his medical record.
5. An e-mail virus hits your network. Your computers are down indefinitely and all data from the last 24 hours is destroyed.
6. A glitch in your system wipes out a month's worth of the financial information your facility needs to send out bills.
7. A pipe bursts in your medical records room.
8. A physician who often refers his patients to your facility calls for backup support after a hurricane destroys his office.
9. A patient presents for surgery on her brain tumor, but can remember neither the time of her appointment nor her doctor's name.
10. You get a call in the middle of the night that a fire just destroyed an entire lab, including its equipment and supplies.


It's a pretty neat little exercise for Privacy and Security officers to see how well your staff might respond to disasters and emergencies. I'm sure you can think of some other scenarios, too. This might be a useful exercise to go through several times a year, as part of your regular HIPAA training, to make sure your people are thinking of what might happen and how to anticipate, plan, and respond when the unexpected occurs.

Jeff [10:57 AM]

 

Looking for EHR background information? Here's a free white paper by PhysiciansEHR on the uncomfortable interface between electronic health records and privacy and security. You've got to register, but it's free.

Jeff [10:46 AM]

[ Monday, November 15, 2004 ]

 

From the HIT list: There was a very lively, interesting discussion this Monday on the American Health Lawyers' Association Health Information Technology listserv. The initial query: can a covered entity get an individual to authorize the covered entity to treat the individual's information in a way that violates the Security Rule? We all know that a covered entity can make uses and disclosures that would be violations of the Privacy Rule if the individual who is the subject of the PHI signs a proper HIPAA authorization. The authority to do so is written right there in the Privacy Rule: 45 CFR Sec. 164.502(a)(1)(iv), referencing Sec. 164.508. But there's nothing written in the Security Rule that would allow an individual to authorize a covered entity to waive a requirement of the Security Rule for the individual.

The discussion quickly devolved into two camps: of course you can, and of course you can't. On the Can side, the point is made that the information is the patient's, and the Privacy Rule requires the covered entity to make concessions to the individual if the individual wants the information provided in a particular way. If the individual told his doctor to send his PHI to the New York Times, the doctor would probably have to do so. If the individual told the doctor to email his records to the Times in unencrypted format, or to send the information over shortwave radio to a receiver in remote Alaska, even if the doctor had determined that unencrypted email or radio transmission was unacceptable under his Security Rule risk analysis, the prerogative belongs to the patient and the doctor should comply.

In the Can't camp, the analysis is that the Security Rule is drafted by and enforced by regulators, and they didn't give anyone the right to work around it. They'll be the ones enforcing it, even if the patient isn't bothered by the breach (or even ordered it). Additionally, the legal authorities are making determinations of the benchmark [however amorphous that is] for security for everyone, and it's not up to an individual to remake that determination (sort of a nanny-state approach). A further example would be a patient who presented to a surgeon asking for a right leg amputation, but signed a waiver allowing any limb to be amputated: it would still be malpractice for the surgeon to cut off the wrong limb, even if the patient waived any claims for it; there might not be a malpractice case, but the licensing authorities should get involved. And perhaps patients shouldn't be able to waive or authorize such bad behavior, since the waiver or authorization could be coerced or gotten through deceit. If a practice has done a Security Rule risk analysis and determined that it is unreasonable under any circumstances to send out unencrypted email, then it should stick to that and protect the patient from himself.

Of course, there are ways around these hypotheticals. The covered entity can provide the PHI to the patient, who could then email it to the NY Times or short-wave it. And encrypting isn't that hard to do anyway. Also, keep in mind that the Security Rule doesn't have too many required acts or duties, but rather requires the covered entity to review its processes and situation and make determinations of what is reasonable and appropriate for it to do to comply. The covered entity could have some trap doors or escape hatches built into its policies and procedures that allow it to take the requested action: for example, the covered entity's email policy could say, "We will require encryption of all outgoing email, unless specific circumstances warrant otherwise; a determination will be made by the Security Officer whether such circumstances exist." If you build in an escape hatch like that, document each time it is used and why, so the exception is a recorded decision rather than a silent gap in the policy.

Anyway, an interesting discussion.

Jeff [5:29 PM]

 

Lots of stuff in the news today: In the New York Times, an article on "tiny antennas" (actually, RFID, or radio frequency ID, devices) placed on bottles of certain drugs, which would allow the movement of the bottles to be tracked. RFIDs are basically "bar codes that bark;" they answer a reader with a very weak radio signal so, for example, a shopping cart full of products, each with an RFID antenna, could pass through or by a reader and the reader would be able to tell what products were in the cart, the exact number, make, model, brand, etc. There are obvious uses of RFIDs in the retail industry; you could eliminate grocery checkout lines entirely. There are a couple of advantages that RFID would also bring to the drug distribution chain: prevention of counterfeiting (the theory being that fake drug bottles won't carry a legitimate RFID tag) and tracking of dangerous drugs. That's why Viagra (in the former case) and Oxycontin (in the latter) are the initial targets of RFID. Of course, that's also why it's scary from a privacy point of view: these are the exact types of things one might want to keep private, and a tag that answers any reader in range doesn't care who is asking.

In the Denver Business Journal, we hear talk of how Denver physicians are a driving force behind the development and implementation of electronic medical records. And in the Boston Business Journal, an article encouraging health industry participants to get moving on HIPAA security compliance. In the Chicago Tribune, an article on the increasing use of email by physicians for direct patient contact. Bear in mind the encryption issue, though; email is very easy and a great tool, but hazardous to your privacy in any number of ways. Finally, in the (Harrisburg, PA) Patriot-News, an article about a woman who is suing her physicians' practice because the group used her medical file in an advertisement (it seems that one of the practice's doctors is pictured holding a medical file which is this woman's real file -- it has her name, social security number, and indicates that she had a mammogram).

(hat tip to Alan Goldberg and HealthLeaders for some of these.)

Jeff [10:50 AM]

[ Monday, November 08, 2004 ]

 

New Link: Just added a new link on the left for HIPAAnswers, a large full-purpose, web-enabled provider of HIPAA compliance tools. If you're looking here for general guidance, there are quite a few links on the left that you just may find helpful. If you're wanting to get linked, just email me.

As an editorial note, I don't endorse any of the pages I link to, but I also won't link to anyone I feel I can't or shouldn't endorse. If you know what I mean, and I think you do.

Jeff [5:27 PM]

 

Pre-emption in Texas: Here's a little light reading. The Texas Attorney General's office has published its preemption analysis, as required by the Texas legislature. I guess I'm going to have to read it. It's almost 500 pages long, though.

Jeff [2:36 PM]

 

Update on the first HIPAA criminal conviction: the defendant gets sentenced. The prosecution recommended 12 months, the judge throws on an extra 4. The defendant said he committed the identity theft and ran up the credit card charges to provide for his family -- yeah, to provide video games and porcelain figurines for them.

Jeff [10:17 AM]

 

Paperwork reduction: The American Hospital Association has sent a letter to Tommy Thompson requesting that HHS take action and implement standards to streamline the cumbersome process of providing an accounting of disclosures. As you know, patients have a right to know what their medical information is and how it has been used and disclosed. Patients should expect providers and others to use their medical information for treatment, payment, and healthcare operations, and should know that their information may be disclosed in manners that the patient has specifically authorized. But if their information is disclosed for other purposes, HIPAA requires that covered entities account for those disclosures. The trouble is that accounting for these disclosures can be awfully troublesome.

Fortunately, there are few requests for accountings of disclosures, and it is a very small fraction of total disclosures that are even subject to the accounting requirement. However, when a patient asks for an accounting, it can tie up a medical records department. Personally, I think HHS did a pretty good job balancing this. The accounting rule starts like the general HIPAA rule: a universal proclamation, followed by allowed exceptions. The general HIPAA rule is "Thou shalt not disclose PHI," followed by exceptions: with permission; for treatment, payment and healthcare operations; as required by law. The universal proclamation of the accounting rule is "Thou shalt tell patients when and where you've disclosed their PHI," followed by exceptions: when disclosed for treatment, payment, and operations; when disclosed pursuant to an authorization; and certain other instances where informing the patient of the disclosure might cause more harm than good. The practical upshot is that the accounting is only painful if you don't record the purpose of each disclosure at the time you make it; if you do, the accounting is a filter over a log you already keep.
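To make the "filter over a log" point concrete, here is an added example (not from the post, the AHA letter, or any HHS material) of how a disclosure log with a purpose code recorded per disclosure turns an accounting request into a query. The log format, the purpose codes and the sample entries are all constructed for illustration. It models only the exemptions the post names (treatment, payment, operations, and disclosures pursuant to an authorization); the regulation's list at 45 CFR 164.528(a)(1) has further exempt categories, and a real implementation would extend the exempt set accordingly. The six-year look-back and the content of each entry (date, recipient, description, purpose) follow 164.528.

```python
"""Accounting of disclosures as a query over a disclosure log.

Added example, not code from the HIPAA Blog post or any cited source.
Assumes the covered entity records every disclosure of PHI, with a purpose
code, at the moment it is made (hypothetical log format constructed below).
"""
from dataclasses import dataclass
from datetime import date

# Purposes the post names as exempt from the accounting requirement.
# The regulation's list (45 CFR 164.528(a)(1)) is longer (e.g. disclosures to
# the individual, facility-directory disclosures); add those here in practice.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "authorization"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # name or address of who received the PHI
    description: str    # brief description of the PHI disclosed
    purpose: str        # purpose code assigned when the disclosure was made


def six_years_before(d: date) -> date:
    """Start of the look-back window: six years prior to the request date."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # 29 February in a leap year has no counterpart
        return d.replace(year=d.year - 6, day=28)


def is_accountable(d: Disclosure, requested_on: date) -> bool:
    """True if this disclosure must appear in an accounting requested on requested_on."""
    if d.purpose in EXEMPT_PURPOSES:
        return False
    return six_years_before(requested_on) <= d.disclosed_on <= requested_on


def accounting_for(log, patient_id: str, requested_on: date):
    """Accounting entries for one patient, oldest first: (date, recipient, description, purpose)."""
    hits = [d for d in log if d.patient_id == patient_id and is_accountable(d, requested_on)]
    hits.sort(key=lambda d: d.disclosed_on)
    return [(d.disclosed_on.isoformat(), d.recipient, d.description, d.purpose) for d in hits]


# Constructed sample log; none of these are real patients or recipients.
SAMPLE_LOG = [
    Disclosure("P-100", date(2004, 3, 2), "Dr. A. Smith, referring physician", "lab results", "treatment"),
    Disclosure("P-100", date(2004, 4, 11), "County Health Department", "positive TB test", "public_health"),
    Disclosure("P-100", date(2004, 6, 20), "Blue Sky Insurance", "claim for office visit", "payment"),
    Disclosure("P-100", date(2004, 9, 5), "Law firm X, per patient authorization", "full chart", "authorization"),
    Disclosure("P-100", date(1997, 8, 1), "State registry", "immunization record", "public_health"),
    Disclosure("P-200", date(2004, 10, 1), "Police dept., per subpoena", "ER visit note", "law_enforcement"),
]

if __name__ == "__main__":
    # Only the public-health disclosure inside the six-year window is reported for P-100.
    for entry in accounting_for(SAMPLE_LOG, "P-100", date(2004, 11, 8)):
        print(entry)
```

The design point is that the purpose code has to be captured when the disclosure happens; reconstructing it afterwards is exactly the chore the AHA is complaining about.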

I understand the AHA's position, though. It sure wouldn't hurt if HHS provided some guidance, such as a baseline or minimal acceptable accounting program (sort of like HHS did with the model BAA).

Jeff [9:01 AM]

[ Friday, November 05, 2004 ]

 

Brailer: There's an "indelible linkage" between healthcare IT and healthcare safety and quality. David Brailer, the National Coordinator for Health Information Technology at HHS, spoke to a Commonwealth Fund gathering yesterday and noted the seemingly obvious: healthcare safety and quality will rise when technology is used for good purposes.

Right now, the only link I've got to the story is through BNA, which is pay-only. I'll update if I get a free media link. And, Blogger is acting up, so posting may be light over the next few days.


Jeff [11:45 AM]

[ Wednesday, November 03, 2004 ]

 

HIPAA in Action: Here's an article on Johns Hopkins' troubles implementing HIPAA (and figuring out what they're really supposed to be doing -- if they just took the approach that "we should do what's best for the patient unless we know HIPAA prevents it," they wouldn't have these types of near-death experiences). And here's an older article on HIPAA's unintended consequences.

Hat tips: Kirk Nahra and John Cody.

PS: Sorry for the bad links; Blogger problems today, perhaps election related.

Jeff [5:05 PM]

[ Monday, November 01, 2004 ]

 

Electronic Medical Records as an election issue? Of course not, but what if. . . .

Jeff [9:58 AM]
