HIPAA Blog

[ Friday, September 28, 2007 ]

 

Off topic: been stuck at the doctor's office too long? It could be worse.

Jeff [3:44 PM]

 

Wyoming Hospital HIPAA violations: Several Wyoming hospital workers have been fired for improperly accessing medical records. The punished employees looked at other people's PHI, but some of the employees are in trouble still for looking at their own PHI. That's a little over the top; every patient has a right to access his/her medical records under HIPAA. In fact, that's a part of the law itself. When the employee is the patient, he/she has the right to access the information. Of course, as an employee, he/she should only access what he/she is working on, which probably isn't himself/herself. So, they have a right to the information, but the hospital probably has a right to say, when you're also an employee, you have to follow the right channels and not self-help.

Jeff [8:22 AM]

[ Tuesday, September 25, 2007 ]

 

Free EHR: Mercy Health Partners, which operates a 5-hospital system in Cincinnati, Ohio, is offering a free EHR system to its affiliated physicians.

Jeff [2:20 PM]

 

TJ Maxx data breach update: the company offers a settlement.

Jeff [2:18 PM]

[ Monday, September 24, 2007 ]

 

Good news, bad news: There apparently are fewer data breaches occurring. But they're more damaging when they happen.

Jeff [12:54 PM]

[ Saturday, September 22, 2007 ]

 

Off Topic, but Healthcare Related: I love John Stossel. The erstwhile ABC reporter is such a no-nonsense guy, and nobody's better at speaking up when the emperor has no clothes. I'm a believer that health insurance ought to be like car insurance -- it doesn't cover oil changes or new tires, and you've got to pay a big chunk before the insurance kicks in. The coverage comes when something big/catastrophic happens. If health insurance were like that, premiums would sure be a lot cheaper.

A return of the health insurance market to an "assurance" market (covering catastrophic or high-dollar events, but not daily wear and tear), plus a return of "mutual" insurance companies (where the company tries to match premiums and payouts, and actually manage risk, rather than trying to make money for stockholders), and our "uninsured" crisis would be over.

Jeff [12:47 AM]

[ Friday, September 21, 2007 ]

 

Indiana wants you (to protect PHI): Like his counterpart in Texas, the Indiana Attorney General is going after businesses who are not tidy with their trash. Specifically, he's going after pharmacies, and the pharmacists who man them, for throwing away papers containing social security numbers and other patient information without shredding them. News crews did the original dumpster-diving. The complaints against the individual pharmacists (one is here) indicate that trashing the PHI without destroying it violates HIPAA, and that state law requires the pharmacist to ensure the operation of the pharmacy within the requirements of all laws; so, he's not charging them with violating HIPAA (he can't really; only HHS can do that), but he is charging them with violating state law because they violated HIPAA. Nice bootstrapping.

Jeff [9:41 AM]

 

Texas Health Resources: a local Dallas nonprofit hospital group has sent out letters to about 8,000 patients noting that a temp worker in its billing office stole credit card information of a patient and misused it. The system acted fast, fired the worker, and brought in the police, who have arrested her. Innocent until proven guilty is the legal standard for how the law will treat that worker, but THR definitely did the right thing with a quick firing, followed by throwing the book at her. As you all know, I'm a big fan of the "object lesson" in dealing with employees who breach HIPAA intentionally.

Jeff [9:33 AM]

 

Physician emailing: It's becoming more common. Not as common as in other businesses, for good reason.

Jeff [9:30 AM]

[ Thursday, September 20, 2007 ]

 

Slightly off topic: a former employee at MedCo Health Solutions, the online prescription and pharmacy management company, has pled guilty to setting up a malware "logic bomb" to disrupt the MedCo computer system when he feared he would be fired in a downsizing. The logic bomb was discovered before it went off, but if it had, it would've prevented pharmacists from seeing potential adverse drug interactions.

Dude, I know you're scared of getting laid off and want to punish the company that's stupid enough to lay you off, but you coulda killed someone.

He's almost certainly going to jail. Which is appropriate.

Jeff [10:48 AM]

[ Tuesday, September 18, 2007 ]

 

More EMR Pushback: Health care chief info officers talk about other hurdles to EMR adoption here.

Jeff [12:49 PM]

 

Ameritrade perhaps not so proactive: someone thinks Ameritrade knew of its breach a year ago and still put info into the database.

Jeff [12:47 PM]

 

Go. Click. Watch. John Payne used to be my across-the-street neighbor. The first time I met him, I noticed that he sort of swung his arm at me to shake my hand, and his grip was pretty weak. I found out shortly thereafter that he was selling his house: even though the house had an elevator in it, it was too small for a wheelchair, which he would need shortly. Because he has amyotrophic lateral sclerosis, ALS, Lou Gehrig's Disease.

John Ondrasik is the singer, songwriter, and piano player for the band Five for Fighting. He's a great songwriter, and he produced a video for his song "100 Years" that you can see here. Watch it a couple of times. For each viewing, Glenn Tullman/Allscripts and Bert and Cyndie Silva are each donating $1 to ALS research.

So take a look. Take several looks.

While you're at it, there are lots of interesting videos there. Here's one on autism (another personal issue for my family). There are many more, on a lot of different topics, here.

Jeff [10:41 AM]

[ Monday, September 17, 2007 ]

 

EHRs are vulnerable. Information in EHRs can be accessed improperly. So says this study. Uh, just in case you didn't know.

Jeff [4:13 PM]

 

Bleg: A client asked me the other day if I knew of any consultants who were not tied to a particular EMR company but could look at a medical practice's current EMR and determine whether they would be better off with a different one or should keep the one they've got. Basically, they're looking to determine if the EMR they are using is the best for their practice, considering the number of doctors, patient mix, range of procedures, way the practice works, existing/legacy information systems, etc.

Their current EMR supplier says they've got the best match product. There's another EMR provider that's willing to send a consultant to look at their practice and advise whether they should stay or switch (but the client thinks that's probably a foregone conclusion).

So, do you know of a consultant they could hire to see if they're doing the right thing? If so, email me. My email is on the left.

Jeff [4:08 PM]

 

Another Data Breach: this time it's traders at Ameritrade. They're reacting proactively -- and fast.

Jeff [12:34 PM]

 

Hurdles to Physician Adoption of EMRs: I noted on Friday how integrating voice recognition software into EMRs could make them more adoptable, and also noted an article on some physician pushback issues. That article is backed up by a podcast with Bruce Landis (from here in Dallas), which you can access here. I listened, and it's interesting (it's in 2 parts).

Jeff [12:20 PM]

 

Maryland Court Notes Federal Right to Privacy: in this case, a state physician licensing board was reviewing the care provided by a particular doctor, and subpoenaed the records of the doctor's patients. The doctor refused to provide them, claiming for the patient a federal constitutional right to privacy. (Hey, today's Constitution Day, so I'll reprint in full the text of the constitution dealing with privacy: _____________________. There ya go!)

The state board has a statutory right to the records without patient consent; the court did not overrule the statute as unconstitutional, but ruled that in this case the patient's constitutional rights outweighed the state's interest. Should every physician in Maryland now refuse to hand over records to the state board until a court determines whether, in that case, the patient's constitutional rights outweigh the state's need to conduct oversight over physicians?

Case via Jim Pyles.


UPDATE: OK, that's a goofy-arsed case. The psychiatrist's records were subpoenaed by the State Board in a complaint brought by the husband and father of 3 of the doctor's patients (guess what -- there was an "acrimonious" divorce going on), who claimed the doctor over-medicated them. He notified the patients and they said don't disclose, so he and the patients' counsel all responded that the patients were asserting their federal constitutional privacy rights and he wouldn't give up the records. The state did not try to enforce the subpoena, and the psychiatrist and patients' counsel did not move to quash it: it just sat there. 11 months later, the board brought a case against the doctor for failing to cooperate in an investigation, since he hadn't produced the subpoenaed info. Upon that threat, he re-asked the patients and their counsel if they were still standing behind their constitutional right to privacy; if he didn't hear from them, he'd assume they were willing to let the info go. They either said OK or didn't respond (the divorce was probably settled by then), so he sent the info on and the State Board said he did not over-medicate them, and dismissed the complaint. BUT, the State Board still wanted to harangue the doctor over his failure to cooperate in the first place (which failure should've been mooted by the later cooperation).

That's not all. An administrative law judge ruled on summary motion that the doctor didn't fail to cooperate, since he had good reason not to. But the board didn't buy it, and still found him guilty. An appellate court from that case overruled the board's guilty determination and sent it back to the ALJ for a full case. The ALJ again decided there was no crime, but again the Board rejected that finding and found him guilty. Again it went to an appellate court, which again overruled the Board and said he shouldn't be found guilty.

SO, the records were produced, but the Board wanted to beat up on the doctor anyway. So the Maryland Supreme Court had to step in, and we get an excellent example of the way bad facts make for bad law.

Ugh.

Jeff [10:57 AM]

[ Friday, September 14, 2007 ]

 

Another video: The first one is working now -- I think it just takes awhile. Here's another.

Totally, completely off topic, of course.

Jeff [12:31 PM]

 

More OT: the video doesn't seem to be working, but here's a timewaster that worked for me. Weird.

Jeff [11:00 AM]

 

Totally, completely, outrageously off topic: actually, just testing a new button I see on Blogger that indicates I can post video. Let's see . . . .

Jeff [9:47 AM]

 

Electronic Medical Records efficiency: Financial cost is a big component of switching to an EMR, but there are other "costs," such as the cultural change required when any change in normal operations occurs, and the additional time that may be needed when entering information on a keyboard rather than in scribbled doctor notes and dictation. One way to reduce the keyboarding time is to integrate voice recognition software into the EMR, so that the dictation is an automatic part of the EMR. Pretty good idea.

Of course, there are other reasons for physician pushback.

Jeff [9:41 AM]

[ Thursday, September 13, 2007 ]

 

Off topic: the Angry Pharmacist blog (probably oughtta be "mad" rather than "angry"). Kinda reminds me of this guy, at least in writing style (and at least way back when he used to be funny). (Via the professor).

Jeff [5:33 PM]

 

Off Topic: The Illinois Imaging Center Leasing Cases. I represent a lot of radiologists, and this is a big item in the radiology field right now. Here's the set-up: due to concerns about over-utilization and ensuring that physicians choose where to refer their patients based on the best and most appropriate care for the patient, it is generally illegal for a physician to seek or receive a payment or kickback in exchange for referring a patient to another provider, if the patient is a government-pay patient (in some states, the same restriction applies regardless of who's paying for the patient's care). A physician sees a patient and determines that the patient needs a CT scan or an MRI. The physician can send the patient to any number of independent imaging centers to have that done, but the imaging centers can't give the physician a financial incentive to use them. Conversely, the physician could own (or lease) his own CT scanner in his own office and send the patients there as an ancillary service, and that would be OK too. It would be illegal for one of the imaging centers to tell the physician, if you send a patient here, we'll give you 10% of what we get when we bill for that patient. What if one of the imaging centers told the physician, we will rent you our imaging center for that one scan, and charge you 90% of our normal charge, and you can then bill the patient's payor 100%? That would effectively be the same thing as the 10% kickback, but it would look a little more like the physician having his own CT scanner.

Well, not surprisingly, there are a lot of physicians and imaging centers who have arrangements that look like that. The problem is determining if the arrangement is more like the kickback or more like the ancillary service. The Illinois Attorney General has come after a couple dozen imaging centers, accusing them of setting up similar deals as a blatant attempt to pay a kickback while disguising it as an equipment lease. The case is naturally drawing lots of attention, and there's a recent development: the AG will have to refile the case with specific allegations about each of the imaging centers and how they have set up their arrangements. It's not a big setback for the AG, but she'll have to put in a little more work on the front end.

Jeff [11:03 AM]

 

Mobile Security 101: If your business has employees who connect from remote locations, here are some good, basic tips. Can't argue with any of these.

Jeff [9:10 AM]

[ Wednesday, September 12, 2007 ]

 

Hospital IT Issues: This is slightly off-topic, but a few readers are intimately involved in hospital technology issues, either as CIOs, IT department heads, or the like, and I thought they might be interested in this free White Paper available from DataLoom via InformationWeek. The primary thrust is that performance and quality measures will become a very big issue for hospitals, and they'll need to make sure their information systems allow them to capture and track that information. Requires registration, but it looks like it's free.

Jeff [11:52 AM]

[ Friday, September 07, 2007 ]

 

Responding to Data Loss Incidents: I was recently interviewed by Theresa Defino, a reporter for Atlantic Information Service's Report on Patient Privacy, regarding appropriate corporate steps to take in the event you suffer a data breach. The Report is a subscription service, but they've put this issue online as a teaser. (Drummond, a teaser? yeah, right)

Anyway, check it out. I've always found the AIS publications to be very worthwhile and full of good tips and timely information.

Jeff [4:49 PM]

 

Encrypting the Hard Drive: This may be a potential fix for the problem of data loss from stolen laptops: an automatically encrypted hard drive. A thief would have to enter at least a password and perhaps more levels of identity authentication to access the data on the hard drive.

I've long said that for HIPAA purposes, if you're requiring encryption of internet emails and other data in transit, but not encrypting data at rest, you're essentially locking the doors to your car while you're driving on the interstate and not while it's parked in the driveway at night. Seagate's product is protecting data at rest, and if it's on a laptop, it's data at rest that's also sort of in transit (in a physical, not electronic, sense). They're also coming out with an automatically encrypting hard drive for desktop computers (wow, does anybody really use those anymore?), which is also smart, since office thefts occur too. Good idea; me likey.

Jeff [9:45 AM]

[ Thursday, September 06, 2007 ]

 

Free Webinar: I just received an email from Compliance 360 regarding a free web seminar they are holding on HIPAA compliance issues. The webinar title: "Health & Human Services HIPAA Audit – Are You Prepared?" It takes place Tuesday, September 18 at 2-3 pm EST (or do they mean EDT?). To register, go here.

Jeff [10:45 AM]

 

Interesting Kansas case: Here's an interesting Kansas case. If you have strong opinions about abortion, this will probably interest you. Plus, it looks like the District Attorney and State Attorney General, who obviously have divergent opinions, switched roles. But underlying it is a relatively simple HIPAA case. I think there will be more to this.

Jeff [10:07 AM]

[ Wednesday, September 05, 2007 ]

 

Court Protects Records of Medical Marijuana Users in Oregon: A federal grand jury in Washington state is investigating marijuana growers in Washington and Oregon, and has subpoenaed the medical records of some Oregon residents who use medical marijuana under Oregon's law allowing it. The patients and the State of Oregon objected to the subpoenas, and the US District Court in Washington agreed.

There's more to this story; in the Supreme Court's decision in the Raich case, federal restrictions on sale and use of marijuana overrode California's state law allowing personal growing and consumption of marijuana pursuant to a doctor's prescription. It would seem that the Raich decision would come into play here, since the federal restriction on marijuana would seem to override the state law allowing it for medical purposes. If the federal grand jury presses the issue (I've sat on a grand jury before -- not federal, though -- and if they want to push it, they will, but this might be something they don't think they really need to decide on probable cause), I think this District Court might be overruled.

Jeff [9:47 AM]

 

Free PHRs in South Carolina: Blue Cross Blue Shield of South Carolina is going to make available a free personal health record platform to allow beneficiaries and their providers to access, maintain, and share medical records. The program will use a secure website for access.

Jeff [9:43 AM]

[ Tuesday, September 04, 2007 ]

 

NPI news: The NPI registry went live online today. Marty Jensen reports.

Jeff [5:26 PM]
