HIPAA Blog

[ Tuesday, January 31, 2012 ]

 

University of Miami Data Breach: flash drive with patient data stolen from doctor's car. How unusual! No SSN or similar financial data (good), but apparently not encrypted (bad).

Jeff [12:06 PM]

 

Guest Post:

How HIPAA Can Affect College Students
Normally the media publishes stories about HIPAA in relation to medical data breaches by negligent clinicians out of compliance or in the context of the law creating a significant burden for practices now trusted to maintain their patients’ records with the utmost vigilance. Though HIPAA was intended for the salutatory purpose of making health care safer and more feasible for the average American, some of its key components made unintentional victims out of certain demographics. Though it may not be self-evident, college students represent a sizeable proportion of people beleaguered by the red tape that HIPAA constructs around the American health care system. In fact, most college students don’t even understand the ramifications of HIPAA legislation until they inadvertently come up against one of its many key components.

Becoming of age
Once a child turns 18, they are in command of their medical records and relevant history. Under HIPAA, the parents of a young adult 18 or older cannot request for information concerning their medical history unless they receive their written consent. So by the time most students enter college for their first year, they are expected (in legal terms) to manage their health care on their own. This fact usually comes as a shock to students who normally rely on their parents to schedule doctor’s visits, transfer records to schools or employers, and generally keep an eye on their health care coverage. Students can combat their ignorance of their obligations as young adults with medical records by requesting and reviewing previous records from their family doctors for the most up-to-date material on their general health. Though the prospect of reviewing one’s own health records might seem strange, a great deal of college students never consider their medical history unless they suffer from a serious condition that requires constant attention.

Students of age can also review their privacy rights at the U.S. Depart of Health and Human Services’ website, which offers a comprehensive (if a little dense) explanation for most issues related with the privacy rights of American citizens with health care. It’s an important resource for anyone to read, but it’s more critical for college students who are mostly in the dark about their newfound medical privacy rights.

Under the family health insurance plan
Somewhat paradoxically, college students cannot have their parents access their medical history after they hit the 18 year mark, but they can continue to be covered on their parents’ insurance plans. Now normally this wouldn’t seem like that big of a deal: students go to doctors’ appointments as they deem necessary and the parents pay the insurance without ever needing to consult their children’s medical records.

But say for instance that a college student is going to school out of state and they have a condition that must be treated regularly, preferably in the state where they go to school. The continuing of treatment out of state will likely require collaboration between the doctor’s office in the student’s home state and the office in the state where they go to school. If the case is particularly complicated, the parents may try to help to ease the burden by collaborating with the doctors on behalf of their children. Not so fast. Remember that under HIPAA, those over 18 are the only ones allowed access to medical records and related histories. Even if a parent provides the insurance that covers their child’s care in another state, they cannot access the information necessary to facilitate a transfer of medical information between two offices without the written consent of the patient. In many case, the patient may have to write their consent in front of an official witness to testify the legitimacy of their signature! Though this is an extreme circumstance, it’s best for college students to know where they stand when it comes to the privacy of their medical records.

Byline:
This is a guest post by Kimberly Wilson. Kimberly is from accredited online colleges, she writes on topics including career, education, student life, college life, home improvement, time management, etc.

Jeff [11:39 AM]

 

Beaten down by contracts of adhesion. I just totally clicked through the new Google privacy policy, accepting it without even reading it. Now, my life really is an open book.

Jeff [11:37 AM]

[ Wednesday, January 25, 2012 ]

 

Going to HIMSS? #HIMSShero I've gotten a couple of emails about this new player in the health IT business: DrFirst (@DrFirst). The stated focus is to help physicians migrate to EHRs, with an apparent big focus on ePrescribing (including a controlled substance e-prescribing solution). If you're going to HIMSS, check them out at Booth 5456. In the interim, check out their introductory video; if you comment on it, you might win a night out on the town in Vegas (presumably during HIMSS). And if there really is a guy in that suit, take a picture and email it to me.

UPDATE: new link to the video here.

Jeff [5:36 PM]

 

HIPAA White Paper from ProofPoint: I was reviewing an InfoWeek health tech email and saw a link to a Dark Reading article on the latest HIPAA email security rules. It led me to this white paper. I don't know who they are or what they're pushing, and in full disclosure I just sort of scanned over this, but it looks pretty interesting. They go back and talk about the original EDI focus of HIPAA, which, if you go back to the beginning of this blog (almost 10 years ago), you'll see that's something I regularly referenced.

Jeff [12:43 PM]

[ Monday, January 23, 2012 ]

 

HIPAA-compliant authorizations in electronic format: I received the following from one of the outreach folks as HHS:




Greetings,

In April 2012 individuals applying for Social Security
disability benefits online will be able to sign the “Authorization to Disclose
Information to the Social Security Administration” (Form SSA-827)
electronically. As a result, your readers may begin receiving some of these
electronically signed authorizations from Social Security on behalf of their
patients or clients.

Help us give your readers a valuable heads up about eAuthorization.
Your readers look to you for guidance on issues important to them. In my last
email to you, I inquired about including an article in your eNewsletter or
posting information on your website, as an effective way to communicate
eAuthorization. By receiving information in advance of the April 2012 launch,
your readers will be well informed and will have the opportunity to prepare.

We have included an article with information about eAuthorization to
include in your various publications. Please let us know if you thought this
information was helpful and how you shared this information with your readers.
We welcome all ideas and will work with you to get information formatted to meet
you organizations needs.

Thank you again for your assistance with this.


So starting in April, keep your eyes out for electronically-signed HIPAA-compliant (allegedly) authorizations from the Social Security Administration for folks seeking SS benefits. More information here.

Jeff [5:42 PM]

 

Breach Notification: a couple of articles to clip and hold onto, just, ya know, in case:

Richard Mackey (first of a series)
Greg Freeman

Jeff [9:08 AM]

[ Friday, January 20, 2012 ]

 

2011 Year in Review, 2012 Year in Preview: While I hate to promote another law firm, McDermott Will & Emory is a good health law shop, and they've posted a White Paper on 2011 events and 2012 predictions for Data Protection and Privacy. I haven't had a chance to review it yet. but will try to get to it this weekend, and will update this post if I see anything exceptional. Also, don't know if this link will work for everyone (the tip came to me via LinkedIn). Leave me a comment on this post if you can't reach the link or want to comment on the paper itself.

Jeff [9:47 AM]

 

Accretive Health (Minnesota) Data Breach: The Minnesota AG has sued a healthcare service group for Fairview Health and North Memorial in Minnesota hired Accretive as their debt collection company, and Accretive lost a laptop with unencrypted patient data. The data included stuff you'd expect a debt collector to need (names, SSNs, amounts owed, even procedures performed), but the data also included information on chronic conditions and how the patient is responding to treatment. The AG believes that the medical information should not have been shared with Accretive.

This makes for an interesting case, because it has 2 distinct components. To the extent Accretive should have encrypted or otherwise protected the data, it's probably a HIPAA violation by them for failure to implement reasonable physical and technical security safeguards; but that's a question of fact, since encryption is not a required element. Accretive is also directly liable under HITECH, although under the original HIPAA rules, it would have only been Fairview and North Memorial that would have been impacted.

The second element is the question of whether Fairview and North Memorial violated the "minimum necessary" rule by giving Accretive the medical condition and progress information. One could argue (I probably would if I were them) that the information is relevant to debt collection -- to make a claim you might need to say what the debt was for, and to argue the value of the services, it might be necessary to know how the patient fared with the treatment.

It will be an interesting case. The AG has gone after the "villain" debt collector, and so far left the hospital entities alone. Let's see if she keeps that strategy. She is obviously grandstanding, pitting "Wall Street investors" against poor, suffering patients. This is exactly the sort of thing I have been warning about in connection with the HITECH changes that give enforcement power to state attorneys general.

Jeff [9:15 AM]

[ Wednesday, January 18, 2012 ]

 

Go to Jail: 13 months in jail for a computer specialist with an Atlanta physician practice who left the practice, joined a new practice, and hacked into the old practice to steal patient data and use it for direct-mail soliciations for his new employer. He also deleted the information off of his old employer's computers.

This shows the need for good employee exit policies and access termination protocols, especially if it's possible to access your system from the outside.

Jeff [12:39 PM]

[ Monday, January 16, 2012 ]

 

OT: 1% of Americans eat up 22% of all healthcare spending; half of all healthcare spending is spent on only 5% of the citizenry.

Jeff [4:45 PM]

 

Social Media in Healthcare: Who is using social media, what are they using, and how are they using it? Here'a a pretty neat infographic from Ray Lau at Innovative Data Solutions.

Jeff [4:33 PM]

[ Monday, January 09, 2012 ]

 

Seven Health IT Trends to Watch in 2012: From Government Health IT. Of course, most are data breach or other HIPAA issues.

Jeff [8:12 AM]

[ Thursday, January 05, 2012 ]

 

A List Inspired by Spinal Tap: According to Dark Reading, the number 1 trend of the top 11 trends for healthcare data in 2012 will be data breaches involving portable devices. Class action litigation is #2 (hey Sutter, you're a trendsetter!).

Why a top 11? Only 1 reason.

Jeff [5:46 PM]

[ Tuesday, January 03, 2012 ]

 

Forbes Notes the surge in HIPAA complaints and problems in 2011.

Jeff [5:03 PM]

 

DWI: Doctoring While iPhoning. Texting or using a cell phone while performing heart bypass surgery is much more common than I would have ever thought.

Jeff [1:39 PM]

[ Monday, January 02, 2012 ]

 

5010 Standards: By the way, here's information on the new 5010 standards. They became effective yesterday, although they won't be enforced for a few more months. They will be eventually, to be sure, so if you haven't already gone there, you need to get moving.

Jeff [9:50 AM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template