HIPAA Blog

[ Wednesday, May 29, 2013 ]

Jackson Health System breach: The Miami health system lost boxes of paper records while they were being sent out for digitization or being returned.  The records don't contain SSNs or account information, so this is probably not an ID theft problem.

Jeff [8:05 PM]

[ Tuesday, May 21, 2013 ]

Idaho State University Settles for $400,000: A server firewall was left disabled, exposing 17,500 patients' PHI.  Seems pretty steep. . . .

Jeff [7:34 PM]

[ Monday, May 13, 2013 ]

Prescription Reminders: CVS' move to stop providing manufacturer-funded prescription reminder services has triggered calls from pharmacy trade groups to HHS, asking it to loosen the "marketing" rules so that these programs can continue.  I tend to agree -- the tight marketing rules are too convoluted and too easy to violate, and activities that are far more beneficial than harmful get caught in the regulatory net.

Jeff [5:50 PM]

[ Friday, May 10, 2013 ]

University of Rochester Medical Center data breach: a resident lost a flash drive, probably in the laundry.  The flash drive held PHI on a little more than 500 patients, but it was . . . drum roll please . . . unencrypted, so a breach report was required.  AND, since more than 500 patients were affected, the breach must be reported to the media as well.

Jeff [5:16 PM]

Social Media: Tweeting and webcasting births, surgeries, and the like.

Jeff [4:46 PM]

[ Tuesday, May 07, 2013 ]

"Storage" Creates a BA Relationship: Where do you store your old medical records?  Lots of small practices rent a self-storage unit somewhere to keep boxes of old paper medical records.  Those storage facilities don't consider themselves to be in the "medical record storage" business, don't intend to access the records, don't "maintain" them in the traditional sense of the word, don't have policies and procedures or other safeguards in place (other than locks on the doors), and probably won't be willing to sign a business associate agreement (or if they sign one, probably wouldn't do a good job of complying with it).  In common-law terms, there is no "bailment," and they don't consider themselves to be bailees.  Under the original HIPAA rules, they had a very strong argument that they were not business associates.

However, under the Omnibus Rule, they almost certainly are business associates.  Even if they protest and deny any intent to become one, they probably still are.  "Conduits" such as the post office, FedEx and UPS get a special exception, but storage companies don't.  Here's what the commentary in the Omnibus Rule says:

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.
Document storage companies like Iron Mountain are clearly covered; what about ordinary storage companies that don't specialize in storing documents but are simply self-storage warehouses?  Given that the risk of improper access (by an inside or outside actor) is basically the same, I would think you must treat them the same.

Jeff [11:37 AM]

[ Monday, May 06, 2013 ]

The HIPAA Omnibus Rule Blows Up Refill Reminders: Some of the hardest components of the Omnibus Rule to figure out are the changes to marketing and the restrictions on sale of PHI.  Any communication urging the recipient to purchase a good or service is marketing.  When a physician gives you a prescription, he's urging you to buy that drug; is that marketing?  There is an exemption that allows the prescription to be delivered, since it's for treatment of the individual.

However, the exemption doesn't apply if the provider is paid for making the communication.  Because of that limit on the exemption, CVS has decided to stop sending refill reminders, since they were being paid to do so by the manufacturers of the drugs that were being refilled.

Jeff [5:01 PM]

[ Wednesday, May 01, 2013 ]

Meaningful Use and HIPAA: If you are a healthcare provider receiving federal incentive payments under the HITECH Act for "meaningful use" (i.e., you are a meaningful user of an Electronic Medical Record, have attested to it, and receive incentive payments from CMS), you stand a 5% chance of being audited, either before or after payment is made.  One of the certifications you must attest to is that you have conducted a HIPAA Security Rule risk assessment.  Apparently, lots of EMR meaningful users have attested to this even though they haven't done it.

IDExperts asks the question, "Do you really need security to attest to meaningful use?"  The answer is an absolute and unequivocal yes.

Frankly, if you are a covered entity and haven't done a HIPAA risk analysis, you are currently in breach of HIPAA.  And have been since April 2005.

That's eight years this month.  If you get audited for HIPAA, or audited for MU, or suffer a breach, how are you going to explain that?

Jeff [2:15 PM]
