HIPAA Blog

[ Thursday, July 31, 2014 ]

 

Phase 2 of OCR's Audit Program is Coming Up: Good article by McDermott.

Jeff [10:40 PM]

[ Tuesday, July 29, 2014 ]

 

Medical Identity Theft: Just a quick example of how it can go wrong.  If you're a provider, seriously consider using the FTC "Red Flags Rule" materials to prevent medical identity theft: not only will your patients be safer, so will your pocketbook.  Don't forget that if you treat patient A and patient A has stolen B's identity, you'll end up billing B, and when B's insurance finds out, you'll have to reimburse the money; and A will likely be long gone at that point, and you'll be left holding the bag.

You may not be required to implement the FTC policies, but you certainly should consider them.

Jeff [11:09 AM]

 

Don't Text and Heal:  Texting and HIPAA don't go well together; as I've said many times, texting is insecure, impermanent, and ill-suited for record-keeping purposes.  Texting PHI by providers could result in improper medical record-keeping, because information that would be recorded in the medical record if it were emailed or telephoned does not get charted, and many texting platforms do not retain information for indefinite periods of time.  Texting also may turn the provider's communication into "telemedicine" under state law.  Texts are much less secure because they rarely are encrypted (as emails often are), and even when they are (encryption isn't an actual requirement), they are much more easily accessible: anyone picking up your password-locked iPhone can see the first few words of recent texts without even unlocking the phone.  Unless you've carefully chosen a secure texting service, the risks are definitely not worth the convenience.

So far, there have been no HIPAA enforcement actions by OCR based on texting, but that's probably only because OCR has enough complaint-originated work to keep itself busy.  But other areas of HHS are closely looking at texting, and trying hard to get the industry to shape up.  In fact, CMS recently assigned an "e-level deficiency" to a nursing home that was texting lab results between doctors and nurses.  Both sender and recipient were authorized to receive the PHI, but the method of sending it, via unsecure texts, was sufficient to cause the deficiency.  The net result was a 10-part "Directed Plan of Correction" which included hiring an outside expert to train staff, revising policies and procedures, and notifying all residents of the issue.

This should be fair warning.  It is only a matter of time before OCR lays someone low for bad texting activities.  This nursing home had to incur some substantial costs (both financial and reputational) to fix this problem, but it's nothing to the 6- or 7-figure hammer OCR will likely lay down. 

Don't text.  Unless you've thoroughly analyzed the options and are prepared to defend yourself in case of a texting-related breach, it's hard to see how the benefits of convenience outweigh the risks.

Jeff [11:03 AM]

[ Monday, July 28, 2014 ]

 

Self Regional (Greenwood, SC) laptop theft: Two knuckleheads broke into a building and stole a laptop.  They've been caught, but said that when they realized what they had stolen, they threw it into a lake.  Divers were not able to find the laptop on the lake bottom.  Even though no harm has come to anyone, and even though (if the crooks are telling the truth, a big "if") the data would likely be unrecoverable, it still must be reported.

Obviously, the data was not encrypted.  If it had been, we wouldn't even know about this.  Go figure.

Jeff [12:33 PM]

[ Friday, July 25, 2014 ]

 

HIPAA on Offense: Yes, it happens

Jeff [12:31 PM]

[ Wednesday, July 23, 2014 ]

 

Sutter Health Data Breach Update: No proof of harm, no statutory damages.

As you know, someone threw a brick through a plate glass door and stole a desktop (!) computer from a Sutter Health location.  The desktop had protected health information on 4 million Sutter beneficiaries.  The California Confidentiality of Medical Information Act contains a statutory damages amount of $1,000 per person, which implies a potential $4 BILLION fine for Sutter.

Not so fast.  A circuit court in California has determined that, since there's no evidence the thief actually looked at the data (as opposed to acquiring and possessing it), there's no proof that the statute was violated.  As the court said, it's called "the 'Confidentiality of Medical Information Act,' not the 'Possession of Medical Information Act.'"  Loss of peace of mind apparently isn't a damage.

While this is the second time the court threw out a claim of breach where loss was certain but actual viewing or use wasn't, I suspect nothing will be settled here until the California Supreme Court (and possibly the US Supreme Court) rules.

Jeff [10:25 PM]

[ Saturday, July 19, 2014 ]

 

Vendini Settlement: I got a stray email on this, so thought someone might find it interesting.  Vendini, a ticket seller like Ticketmaster, apparently allowed a third party to view non-PHI personal information such as credit card data, and a class action suit was filed.  A settlement has been proposed.  About all you'll get is the actual cost of your credit monitoring or placing holds on your accounts, and the results of any actual identity theft such as overdraft charges.  I'm sure the lawyers will do well, though.

Jeff [8:34 AM]

[ Thursday, July 17, 2014 ]

 

Big Data in Healthcare: here's an interesting article.  This is all possible, but it's easy to see how this information could be used to the detriment of patients.  Privacy concerns obviously abound.

Hat tip: Alan Goldberg

Jeff [9:41 AM]

[ Monday, July 14, 2014 ]

 

Big Health Data Breaches Are Inevitable, and Are Coming: This article has popped up several places in my morning reading.  They are probably right; in fact, some big health data hacks have probably already occurred, but we just don't know about them yet because we don't yet know how the data is being used and aren't able to see it.  There are probably millions of individual instances of medical identity theft occurring every day, from the voluntary "sharing" of insurance by cooperative parties (your brother has insurance through his job but you don't so you go to a doctor and pretend to be him so that his insurance will pay for your care) to identity theft facilitated by insiders (a nurse or receptionist issues multiple Oxycontin prescriptions to a legitimate pain patient, but sends the extras to a friend who fills them and resells the pills) to pure identity theft (a hacker gains medical identities and sells them to people who use the unwitting victim's insurance to pay for their care). 

Medical identity theft can be much more lucrative than stealing credit card info, since the medical information is more persistent and the credit card info is more transitory (you can get a new credit card number, not a new medical history).  That said, you need a purchaser who needs healthcare to complete a medical identity theft, whereas credit card info can always be used immediately.

Jeff [12:45 PM]

[ Wednesday, July 09, 2014 ]

 

Malvern Group's weekly breach email is out.

Jeff [5:38 PM]

 

32,000,000 Victims: According to this report, 32 million Americans have been victims of EMR data breaches.  Some say this is an indictment of the EMR concept, but I think it's more of an acknowledgement that privacy/security is hard, and digitization of information has some risks.  Considering this many breaches as proof that EMRs are a bad idea ignores the benefits EMRs also bring.  It's important to consider this as an additional cost of digitization of records, and EMR evangelists do tend to ignore the costs.  But EMR haters can't ignore the benefits, either.

Balance. . . .

Jeff [4:57 PM]

 

InfoWeek Notices: yes, there are a lot of HIPAA complaints.

Jeff [4:19 PM]

[ Thursday, July 03, 2014 ]

 

Off Topic Slightly: A Goldman Sachs contractor meant to send some confidential data to someone at Goldman using their gs.com address but accidentally sent it to the same name at a gmail.com account. They've been unable to contact the account holder, and Google won't delete the email or divulge info about the account owner without a court order. More here: http://mobile.reuters.com/article/idUSKBN0F729I20140702?irpc=932


Jeff [9:02 AM]
