HIPAA Blog

[ Thursday, October 27, 2005 ]

 

Deter potential wrongful access: If your operations are large and geographically dispersed, you probably have the ability for offsite users to link in, usually via password protection. But you also will have calls from offsite users who don't have or forgot their password (especially if they're only occasionally accessing the home network). That's a good way for unauthorized users to seek to get improper access, by pretending to be an offsite worker who forgot a password. This is more of a problem for financial institutions than healthcare institutions (as I've said before, most healthcare information isn't that valuable, but personal and financial information -- social security numbers, account numbers, and the like -- is), but to the extent you have that type of valuable information, the risk is still there.

Medical NewsWire's recent email blast had a good post on this, which I've cut and pasted below. Check it out, and think about those issues. There are other instances where you want to "authenticate" the identity of a seeker of information, whether they are posing as a remote staff member or a referring physician's office. These are some good tips.



Shoddy authentication procedures could allow data thieves to make off with your patients' data -- especially when providing password support to offsite employees. Provide your tech team with these pointers to ensure they properly verify all users before handing out sensitive information.

Authenticate All Remote Users

Your technology staff member may recognize a remote user's name or voice and be tempted to skip over your authentication procedures. But you must impress upon all staffers the importance of verifying each and every caller before giving them any password information, says Frank Ruelas, compliance officer with Gila River Health System in Sacaton, AZ.

Experts offer these field-tested examples as possible security questions for your staff members:

* Question #1: Can you provide two types of identification?

"We used to ask for the last four digits of users' Social Security numbers," says Michael Gagnon, director of infrastructure and security officer for Fletcher Allen Health Care in Burlington, VT.

With the increased focus on security, Gagnon says he now assigns his users a Personal Identification Number to use instead of the Social Security number. You should ask for at least two forms of identification to make it more difficult for data thieves to hack into your system.

Try these other methods of identification: Hire date, home telephone number, number of years employed or badge number. Good idea: Note in your policy what type of ID you'll require so that remote users can be prepared with answers.

Watch out: Crooks can easily obtain employee information through social engineering, Gagnon warns. If your user produced two pieces of commonly hijacked information -- such as a Social Security number and a department telephone number -- you should request a further method of authentication.

* Question #2: How many clinicians are on schedule today?

If you have any doubts about a caller's authenticity, ask them a site-specific question, Gagnon suggests. The best question? "A tricky one, such as 'How is Dr. O'Brien doing?' when there is no Dr. O'Brien at that site," he offers. You can also ask about a personnel type if you know there is no need for those staffers at the site -- such as asking someone claiming to be a home user about lab techs or asking a home health worker about visiting physicians.

* Question #3: What is the name of two documents you worked on yesterday?

You can also ask the caller to pinpoint a file they modified or an e-mail they sent in the past 24 hours, Ruelas advises. "It's rare that a hacker would notice these types of small details," he explains.

Call Users Back With Answers

If the remote user correctly answers your authentication questions, your tech staffer can reset their passwords and share the new information with her. But don't do it all in one phone call. "Contact the user through a telephone number you can verify, such as her cell phone or pager number," Ruelas recommends.

Important: Configure your system to accept the temporary password only once. Then set up a continuous loop that forces the users to create a unique, strong password that no one else knows.

The Bottom Line: Your offsite employees will inevitably forget their passwords or enter them incorrectly enough times to cause your system to lock down their accounts. By coaching your staffers on how to handle legitimate callers, you'll stand a better chance of weeding out any criminals trying to steal your patients' PHI.
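The reset procedure above (two identifiers, neither drawn only from commonly hijacked data; call back on a number already on file; a temporary password that works once and forces a strong replacement) written out as a small help-desk workflow. This is an added example and not code from the Medical NewsWire article; the directory entry, factor names and phone numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TEMP_TTL_SECONDS = 15 * 60                  # temporary password dies after this window
FACTORS = {"pin", "hire_date", "badge", "ssn_last4", "dept_phone"}
WEAK_FACTORS = {"ssn_last4", "dept_phone"}  # easily social-engineered; two of these are not enough
MIN_LENGTH = 12


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Employee:
    user: str
    pin: str                 # assigned PIN, used instead of the SSN
    hire_date: str
    badge: str
    ssn_last4: str
    dept_phone: str
    callback_numbers: tuple  # verified cell/pager numbers already on file
    password_hash: str = ""
    temp_hash: str = ""
    temp_issued: float = 0.0
    must_change: bool = False


# Constructed sample directory entry; no real person or number.
DIRECTORY = {
    "jdoe": Employee("jdoe", "4831", "2003-05-12", "B-1172", "6789",
                     "555-0100", ("555-0142",)),
}


def verify_caller(emp: Employee, answers: dict) -> bool:
    """Need at least two correct identifiers, and not both from the weak set."""
    correct = {k for k, v in answers.items() if k in FACTORS and getattr(emp, k) == v}
    return len(correct) >= 2 and not correct <= WEAK_FACTORS


def callback_number(emp: Employee, caller_gave: str) -> str:
    """Only call back a number on file; a number the caller supplies is used only if it matches."""
    return caller_gave if caller_gave in emp.callback_numbers else emp.callback_numbers[0]


def issue_temp_password(emp: Employee, now: float) -> str:
    temp = secrets.token_urlsafe(12)
    emp.temp_hash, emp.temp_issued, emp.must_change = _h(temp), now, False
    return temp


def login_with_temp(emp: Employee, supplied: str, now: float) -> bool:
    """Accept the temporary password once, inside its window; then lock into change mode."""
    if not emp.temp_hash or now - emp.temp_issued > TEMP_TTL_SECONDS:
        return False
    if not hmac.compare_digest(emp.temp_hash, _h(supplied)):
        return False
    emp.temp_hash = ""       # one-time use: a replay of the same value fails from here on
    emp.must_change = True
    return True


def is_strong(pw: str) -> bool:
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def set_new_password(emp: Employee, new_pw: str) -> bool:
    """The forced-change loop: keep returning False until a strong, new password is chosen."""
    if not emp.must_change or not is_strong(new_pw) or _h(new_pw) == emp.password_hash:
        return False
    emp.password_hash, emp.must_change = _h(new_pw), False
    return True
```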

Jeff [10:37 AM]

 

Landscape Artists: The National Institute of Standards and Technology is developing a web-based repository of information on healthcare technology standards. The idea is to foster some cooperation and communication between the various public and private industry participants who are effectively establishing standards for technology and electronic data interchange, in order to speed the development of good standards. They're looking for input, too.

Jeff [10:06 AM]

[ Wednesday, October 26, 2005 ]

 

Another Hospital loses data: This time it's a Hawaiian hospital that lost a "thumb drive" mini-hard drive that contained non-medical patient data. Even though it's not medical information, it's probably PHI because it identifies the individuals and (presumably) the hospital, and just the fact that a person may have been in the hospital is probably enough to meet the definition of PHI. Worse, this is the type of data that has value, since it had names, addresses, and social security numbers.

Hat tip: HIPAAdvisory's HIPAA News.

Jeff [2:36 PM]

[ Wednesday, October 19, 2005 ]

 

Massachusetts EMR Initiative: You may have heard that BCBS of Mass. has agreed to fund the soup-to-nuts installation of EMR systems in all the physician offices in three Massachusetts medical communities -- Brockton, North Adams, and Newburyport (where I went whale-watching last summer) -- through the Massachusetts eHealth Collaborative. There's a good story here on the effort and its progress.

Jeff [11:48 AM]

[ Wednesday, October 12, 2005 ]

 

HIPAA Case: Here's an interesting HIPAA case in New Jersey.

Jeff [10:59 AM]

[ Tuesday, October 11, 2005 ]

 

Ohio Preemption Case: Oral arguments occur today at the Ohio Supreme Court in Columbus, Ohio. The Cincinnati Enquirer sought records from the Cincinnati Health Department relating to citations issued to property owners to clean up lead paint on their residential properties. All of the citations came about because a child living at the property in question was found to have lead poisoning, so disclosing the citations would be a big clue that a child at that address at the time of the citation had lead poisoning; all you would have to do is find out who lived at the address at the time, and you'd have a pretty good idea of who the child was with lead poisoning. Full description here. The Health Department refused the information, the Enquirer appealed, and the Supreme Court has the case.

Better yet, you can watch live oral arguments or see video of archived oral arguments by going here. That's pretty cool.

Hat tip: Michael Mullen, Asst. A.G. of North Dakota
(North Dakota? That'll make Ellen happy)


UPDATE: See 3/21/06 entry. The court applied the "required by law" exception, so the Health Department must disclose to the newspapers, even though PHI is included.

Jeff [11:41 AM]

 

Grand Rounds is up, hosted this week by Doulicia, a non-practicing (guess she finally got it right) lawyer. What's a lawyer doing hosting Grand Rounds? A pretty good job, that's what. Actually, I found it pretty interesting, given the law-health world I live in.

On a related law-health matter, there's an article in the Austin American-Statesman that I just saw on the HealthLeaders indicating that medical malpractice insurance premium rates have gone down after passage of the state's tort reform efforts (basically limiting non-economic damages -- pain and suffering, as opposed to lost earning capacity and cost of care -- to $250,000). I'll link the article as soon as I can get to a computer that'll let me.

UPDATE: here's the link; it's the Austin Business Journal, not the A-S.

Jeff [10:07 AM]

 

More on VISTA: Here are some helpful hints from Hospital News Wire:

Unless you've been living under a rock, you've heard the news -- the Centers for Medicare & Medicaid Services (CMS) is taking matters into its own hands by offering a low-cost electronic health records (EHRs) system for private physician offices.

VistA-Office EHR will offer providers key functions, including order entry, documentation, results reporting and improved ability for non-technology experts to download, install and configure the system with little to no support -- all at an affordable price.

While many health care specialists agree that this is a move in the right direction, an equal number are not so sure. "It's sort of like when you get a new puppy," says Frank Ruelas, compliance officer for Gila River Health Care Corporation in Sacaton, AZ. "You're so happy to have the puppy that you don't think about how much work it requires," he adds.

Here are some of the questions you'll need to answer before you or any of your affiliates decide to adopt the new system:

Who Will Be In Charge Of The System?

"Smaller providers usually have one person doing what a large facility may dedicate a whole department to," Ruelas points out. That means one or two people may have to carry out the entire implementation of VistA-Office EHR -- a job best handled by multiple staffers.

The people tasked with technology projects in smaller offices do not generally have the same resources or access to training as those working in complex offices. Best bet: Before you give a project of this scale to an office staff member, make sure that person is certified to work with networks and other high-complexity technologies, Ruelas advises.

Smart idea: Do not rest the responsibility for implementing and maintaining VistA-Office EHR on one employee's shoulders. "If that person leaves or becomes unavailable due to an illness and there is no one else to step into her shoes, then you've hit a major speed bump," Ruelas says.

Who Will Provide Your Technology Support?

This is an important question with any new system, but it is especially crucial with VistA-Office EHR because support for the system is limited. Therefore, your staffers may have to figure out many elements on their own. "You don't want people practicing on your system -- they could accidentally corrupt your data and leave you worse off than before," Ruelas counsels.

Important: If your staff members are not aware of the many features VistA-Office EHR offers -- and what the default settings are -- they could fail to close off your patients' PHI to data thieves.

How Will We Communicate With Other Providers?

VistA-Office EHR is an open source product, meaning it was developed and distributed free-of-charge with the understanding that others would improve upon it, explains David Patino, clinic manager and compliance expert for Physical Therapy Services Of Morristown, NJ.

Because users can tinker with the product, it's feasible that your customized VistA-Office EHR system could be entirely different from your affiliate's system. Therefore, you'll have to coordinate with other providers about how you'll store and share information -- or run the risk of using a system other providers cannot communicate with.

Note: "This product is not being put out as a standard, but that may change over the next five to 10 years," Patino stresses. If it becomes the standard for the health care industry, you can expect to lose the ability to customize it as freely as other open source products.

How Will You Recover From Disasters?

Many private physicians are housed in buildings owned by a separate party, which shifts most of the disaster recovery responsibilities out of the office. However, with VistA-Office EHR, as with any digital file system, physicians have to be able to recover their systems without any data loss and without sacrificing their patients' care.

Good idea: "You need to run a parallel system that you can fall back on after a disaster," Ruelas advises. "Many people think of this as double work and double headache, but the alternative is much scarier," he says.

The Bottom Line

VistA-Office EHR contains the same vulnerabilities as other electronic records systems, Patino says. "The second you take patients' PHI off paper and turn it into digital files to put on a network, you risk it being accessed inappropriately," he notes.

Best practice: Stick to the basics. "If your network is secure, anything you have on the network is secure -- regardless of the system you're running," Patino claims. Tight policies and procedures will help you use VistA-Office EHR without ruining your compliance efforts.


I'd second a few of those notions. You need to consider responsibilities and capabilities before jumping into VISTA with both feet; who on your staff will take charge of it? Can they do it? Do you need to outsource it? Should you go ahead and pay for a fully-supported EMR provided by another vendor?

Start with the premise that the system is going to crash; how will your office handle it? First, make sure you can live without the system (and can live with the system going out on you) before you immerse yourself in it. Think like a lawyer, and consider, "what's the worst thing that can happen?" Because it just might, and even if it doesn't, something definitely will go wrong, and you just need to be prepared.

Jeff [9:53 AM]

[ Friday, October 07, 2005 ]

 

American Health Information Community meetings: Alan Goldberg, intrepid moderator of the Health Information Technology listserv (the "HIT List") run by the American Health Lawyers' Association and all-around HIPAAcrat good-guy, has been attending the meetings of the American Health Information Community, the group put together by the Bush administration to push for adoption of information technology solutions in the healthcare industry. He's reported to the listserv a list of potential breakthroughs being discussed by the Community.

I tell you what, you read through that list and can't help but think, "Of course." Why hasn't the industry embraced all of these things?

There are two answers. First, the devil's in the details. How exactly you do what they want done, in a fashion that is interoperable, isn't always that easy. People have different needs, expectations, desires, and opinions about what should be most important or first. Second, there are unanticipated consequences to all of these great, good ideas. Electronic health records easily available over the internet would be great to help sickly folks fleeing a hurricane or other natural (or unnatural -- i.e., terrorist) disaster, but could also be an easy route to identity theft or discrimination in employment or lending.

That said, the only way to get over those two road bumps is to have some momentum pushing forward. There are answers, and there are decisions to be made, and perhaps the Community will turn out to be instrumental in pushing this forward.

Jeff [12:14 PM]

 

Blawgers: The NY Times has an article on lawyers who blog and, as I've come to expect from the Gray Lady, they really have a knack for sounding like they don't quite understand how this whole computer thing works. Sort of like talking to my mother-in-law. There's a scene in "Monty Python and the Holy Grail" where the lord is telling the guards to stand watch and keep his son locked up in the tower, but it's clear the guards don't understand what they're supposed to do when they try to leave with the lord when he walks out. Reading internet stuff on the NYT is sorta like that. Don't get me wrong, they do have technology reporters and stuff and they know the computer business and technology generally. I just don't think they understand blogs. They certainly don't understand blawgs.

I view the blogging lawyer community as having 4 primary components: bloggers who happen to be lawyers (Powerline's Hinderaker, Daily Kos' Zuniga), law professors who blog (Glen Reynolds, the Volokh crowd), law students who blog (W&V among many many others), and lawyers who blog on the law itself (yours truly, Ernest Svenson). There are some subdivisions (lawyers who blog include those that blog on the law generally, like Ernie, or those who blog on a particular subject in the law, like me on HIPAA, Howard Bashman on appellate stuff, and Gary O'Connor on statutory construction) and there are some that are amalgamations of the first and last categories above (like Denise Howell and Bill Dyer), but who are lawyers first and bloggers second -- and it shows in what they write about, more than how they write.

An article about "blawgers" that starts off with a mention of Daily Kos isn't about blawgers. It's about bloggers; they might be lawyers, but that's not a lawblog.

Jeff [11:34 AM]

[ Thursday, October 06, 2005 ]

 

From Madison, Illinois: A man has sued Southern Illinois Health Care Foundation and two of its employees for wrongfully disclosing his private medical information to his employer. No further information yet, but I suspect this case, like the other recent Illinois case (Tomczak), will be styled around the Illinois physician-patient privilege rather than HIPAA. I'll keep you posted.

(Hat tip: Michele Miller)

Jeff [5:20 PM]

 

Did You Know: If you're reading this blog because you're involved in the healthcare industry, you've almost certainly heard of Modern Healthcare, the healthcare industry magazine. What you may not know is that you can subscribe to a service Modern Healthcare offers called "Modern Healthcare's Daily Dose," which is a daily (weekdays, that is) newsbrief email on the 4-6 top stories of the day in healthcare.

In addition to the Daily Doses, occasionally they'll send out "breaking news" emails during the day to alert subscribers to individual stories of interest. I just got one of those today, which I thought would be particularly interesting to readers of this blog:



Breaking News


HHS announces winners of key IT contracts

HHS named a trio of contract winners charged with advancing the department's aggressive information technology platform, including widespread implementation of electronic medical records. The organizations are the American National Standards Institute (ansi.org), for IT standards and harmonization; the Certification Commission for Healthcare Information Technology (cchit.org), an alliance of well-known healthcare IT associations, for compliance certification; and the Health Information Security and Privacy Collaboration, formed by the Research Triangle Institute (rti.org), for privacy and security issues. The contracts are worth a total of $17.5 million. HHS Secretary Mike Leavitt disclosed the contract winners in a speech this morning to the National Quality Forum, and at deadline, HHS was holding a conference call for the news media to provide more details. The department delayed announcing the winners from a Sept. 30 deadline. It requested proposals in June.

In his speech at the NQF, Leavitt discussed accelerating the widespread adoption of EMRs, in advance of President Bush's 10-year deadline, and described the contracts as "a very important part of moving forward with the vision and mission we share." The contracts come a day before the first scheduled meeting of the 16-member American Health Information Community, which is expected to steer development of a national health IT network.

UPDATE: In addition to these contracts, there's more (from BNA, registration required):

Meanwhile, HHS's Agency for Healthcare Research and Quality announced the award of more than $22.3 million to 16 grantees to implement health IT systems to improve safety and quality of care. AHRQ said these projects will help the agency "use the results from these real-world laboratories that are crucial to moving forward with broader implementation of health IT in American health care."


Jeff [11:10 AM]

 

What they're talking about in Washington: Last week the US House Committee of Government Reform (insert your own joke here) held hearings on efforts to bring information technology to the healthcare industry. You can find the opening statement of the chairman of the committee here, along with links to the testimony of witnesses such as Dr. Brailer. It's really a tea-leaves-reading exercise, but if you're into it, you can probably pick out some themes that are bound to recur.

Jeff [10:49 AM]

[ Wednesday, October 05, 2005 ]

 

EMRs Get Another Government Push: HHS is going to propose regulations that will allow hospitals to provide free or reduced-cost electronic medical record (EMR) hardware and software to physicians in an effort to speed up the process of physician adoption of EMR technology and standards. OIG is going to draft a "safe harbor" under the antikickback statute to do the same thing where electronic prescriptions are concerned. The press release is here, but the regs aren't out yet.

UPDATE: Here's the e-prescribing safe harbor. (Hat tip: Christina Solis)

Jeff [3:36 PM]

[ Monday, October 03, 2005 ]

 

Louisiana HIPAA Preemption Decision: In this case, a Louisiana appeals court looks at HIPAA and the state statute regarding the disclosure of medical records pursuant to a subpoena, and finds them compatible. Therefore, HIPAA does not preempt the state statute, since it is fairly easy to meet both statutes with the same set of facts. The court did find that the state prosecutor didn't do the necessary things to meet either statute, though, so the state's case was thrown out. Nice work by the defense lawyer.

Of course, the best part of the decision is this: "HIPAA is a massive federal statute that consists of extensive regulations." This court gets it, for sure.

Hat tip: Alan Goldberg.

Jeff [10:54 AM]

[ Saturday, October 01, 2005 ]

 

Spam-O-Rama: Don't know why, but some spam bot found this blog today and started spamming the comments. Fortunately, Blogger allows for "word verification" (where to take an action to send information, such as posting a comment or setting up the blog to begin with, you have to type in the word that appears on the screen). This prevents automated spamming things like SpamBots from using the blog comments to send out spam. So, if you want to post a comment, you have to type in the word verification. Sorry for the extra step, and always feel free to comment.

Jeff [9:40 PM]
