HIPAA Blog

[ Thursday, January 30, 2014 ]

 

Interesting Infographic on Obamacare taxes (they do call them "fines" and "penalties;" how unconstitutional of them).

Jeff [6:44 AM]

 

Data Breaches at Texas Psych Facilities: It's happening a lot recently.  None of these seem particularly big, but they are indicative of a problem that some policies and training ought to help cure.

Jeff [6:40 AM]

[ Wednesday, January 29, 2014 ]

 

Help Wanted: if you're a HIPAA/privacy geek in Houston (or want to be in Houston), check out this position opening.  It would involve working with some top notch folks.

Jeff [7:22 PM]

 

Malvern Group's weekly breach/incident report is out.  Thanks so much to them, now I don't feel guilty that I don't catalogue and re-blog every breach report I hear. 

Jeff [9:17 AM]

[ Wednesday, January 22, 2014 ]

 

Current Breach Activity: Malvern Group's weekly list of HIPAA and other data breaches is up.

Jeff [10:23 AM]

 

Upcoming Presentations: If you're looking for HIPAA training and the like, I've got a handful of webinars and in-person educational presentations coming up (all times Central):

  1. Today (1/22/14), noon - 1:00: Texas Medical Association webinar: HIPAA Training for the Medical Office Staff; info here.
  2. January 29, 2014, noon - 1:30: Lorman Education Services webinar: Medical Records Update for Paralegals: Releases, Retention, and Confidentiality Requirements; info here.
  3. February 13, 2014, Dallas, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law in Texas; info here.
  4. February 19, 2014, noon - 1:00: Texas Medical Association webinar: Complying with HIPAA Security; info here.
  5. February 25, 2014, Ft. Worth, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law; info here.
  6. April 1, 2014, Houston, Tx, 8:30 am - 4 pm (HIPAA presentation 2:00 - 4:00): PESI Continuing Education Seminars live seminar: Texas Mental Health and the Law 2014; info here.
Feel free to email me, comment on the blog, or message me on Twitter (@JeffDrummond) with questions.

Jeff [10:21 AM]

[ Friday, January 17, 2014 ]

 

New Mexico Forced Colonoscopy case: I was quoted in Theresa Defino's AIS story on this case, where a man in New Mexico was arrested on drug charges because a drug dog sniffed his car seat.  The cops figured the man had secretly hidden drugs in his, er, butt.  The cops got a search warrant (but for a different county), and took the man to a hospital in the next county (the local hospital refused to cooperate), where they got the hospital and a couple of doctors to help take X-rays, give the man an enema, and finally a colonoscopy.  Turns out he had no drugs, and he sued the cops for civil rights violations, as well as the hospital and the doctors for medical battery and HIPAA violations. 

The city and county have settled for $1.6 million.  Good.  The case against the hospital and the doctors goes on. 

UPDATE: more quotage here.

Jeff [12:29 PM]

[ Monday, January 13, 2014 ]

 

Transactions and Code Sets News: Health Plans must certify to compliance with HIPAA transaction and code set rules.

I saw this news last week but thought it was simply HHS saying health plans are covered by HIPAA, which they are, naturally.  Health plans are covered entities, and must comply with the Privacy Rule and Security Rule.

But the point is that they must all use standard transactions.  This goes back to the earliest part of HIPAA, based on trying to standardize electronic data interchange transactions in the healthcare industry, and the drafting of specific forms, data sets, and formats to be used in every payment transaction, for example.  Get rid of the legacy systems and individual payor formats and use standard documentation.  It's interesting to see this come up again.  Frankly, everyone in the health industry ought to be using standard formats, and to the extent a lot of smaller players (small health plans specifically) aren't doing so, then either we don't need the standards or we aren't enforcing the requirements like we should be.

Jeff [1:31 PM]

 

Small Data Breach Reporting: Welcome to 2014! Covered entities must report all (small) breaches occurring in 2013 to the Secretary of HHS by the end of February.  If you had a big breach, one involving 500 or more individuals, you should have reported to the affected individuals and HHS (and local media) within 60 days of becoming aware of the breach; but if you had a small breach, you needed to notify the individuals within 60 days and need not notify HHS until year-end.

Sometimes you'll have a handful of small technical breaches (records faxed to the wrong number, for example), which involve a quick and easy note to the patient.  Those are often put out of mind once they're done.  But the annual reporting requirement is still there, even though you might've forgotten about that little incident. . . .

The year-end reporting requirement is easier but still a little tech-intensive.  It involves filling out a form on the HHS website for each breach incident, which involves actual input by the covered entity, so it takes a little time.  But it's painless, and it's the law. 

Jeff [12:17 PM]

 

Phoebe Putney loses a desktop computer: A Georgia hospital employee was rearranging her office and boxed up her password protected, but not encrypted, desktop computer and left the box in the hall.  Presumably she did not put a "no basura" sign on it, because it disappeared, never to be found again.  6700 - 6800 patients' PHI, plus a handful of social security numbers.  Two employees were fired for not following policies (makes me wonder who the second one was, assuming the redecorating employee was one).

If the computer had been encrypted, we wouldn't even know about it. 

Jeff [8:40 AM]

[ Thursday, January 02, 2014 ]

 

Interesting NJ Case: An employee of Omnicell, a vendor of pharmacy management computing services (and a business associate) of a slew of hospitals, had a laptop stolen.  The laptop contained names and PHI of a bunch of patients of the hospitals.  The laptop was password protected, but not encrypted.  I blogged about the breach about a year ago. 

One of the patients filed a class action lawsuit against Omnicell and the slew of hospitals.  But the federal court threw them out, because they could not prove damages.  I did not hear of a settlement with OCR, so that's still potentially out there.  To some extent, this case proves that the administrative fines are likely to be worse than the potential legal claims of victims, since it's so hard to show damages for a HIPAA breach. 

Jeff [6:35 PM]
