
Health Law
HIPAA Blog

Discussion of medical privacy issues buried in political arcana.
Post Frequency: 1/day Last Entry: November 20, 2009 at 14:30:00 Recent Entries: 375
By Jeffery P. Drummond
Posts
Healthcare Reform: Here's a great
Posted on November 20, 2009
Healthcare Reform: Here's a great article. The key point is #3 (which is the point I've made over and over again): the problems with the American healthcare system are the result of OPM ("other people's money").
EMRs: the privacy concerns connected
Posted on November 19, 2009
EMRs: the privacy concerns connected with electronic medical records seem to be getting greater and more visible play these days. There is, no doubt, a trade-off in privacy whenever medical information is in electronic format.
EMRs: So far, the benefits of switching
Posted on November 16, 2009
EMRs: So far, the benefits of switching to electronic medical records aren't exactly overwhelming. Something to keep in mind when the debate over healthcare reform starts to overheat.
What if Quizno's Were Run Like
Posted on November 11, 2009
What if Quizno's Were Run Like Healthcare? This is pretty funny, and goes a long way to explain what's wrong with the healthcare system.
Anthem BCBS (Connecticut) Data
Posted on November 10, 2009
Anthem BCBS (Connecticut) Data Breach: I noted below that Anthem Blue Cross Blue Shield had a laptop stolen that had data on about 18,000 doctors, including some social security numbers (not PHI, though, so it's [probably] not a HIPAA violation). The information was unencrypted, which was against company policy...
Interesting Georgia personal representative
Posted on November 05, 2009
Interesting Georgia personal representative decision: Well, interesting if you're a HIPAA geek. The Georgia Supreme Court has ruled that a spouse of a deceased person is that person's "personal representative" for HIPAA purposes. It seems the complicating factor in Alvista Healthcare Center v...
Data Breach experience: Here's
Posted on November 03, 2009
Data Breach experience: Here's an interesting first-person perspective of a data breach victim. Understandable (if not really balanced) concerns about the ability of research organizations to use data without consent.
Survey: As I mentioned below,
Posted on November 02, 2009
Survey: As I mentioned below, SoftwareAdvice is taking a survey on EMR adoption. They've decided to hold the survey open until Thursday, November 5th to see if they can compile more data. You can take the survey here.
Red Flags Update: I didn't see
Posted on October 31, 2009
Red Flags Update: I didn't see this until this morning, but knew it was coming. Sunday is November 1, the date the much-delayed Red Flags Rule would become enforceable against "creditors" (financial institutions, which obviously ought to implement identity theft prevention programs, have been under the Red Flags Rule for about a year)...
Cost-efficient technology: HIPAA
Posted on October 30, 2009
Cost-efficient technology: HIPAA issues abound, obviously, but there sure are some good iPhone and smartphone apps that doctors and patients can use that deliver a big bang for the buck.
Red Flags and Small Businesses:
Posted on October 29, 2009
Red Flags and Small Businesses: To stop ID theft, businesses need to follow the Red Flags Rule. TJMaxx and other high-profile breaches show that. But is it even more important for small businesses to follow the Red Flags Rule? Some say so. Pro: small businesses have less technology, so lower technological defenses against ID theft...
5 Vulnerabilities that Lead to
Posted on October 28, 2009
5 Vulnerabilities that Lead to Identity Theft: Interesting article in InfoWeek's Dark Reading on areas to watch for ID theft. I thought it would be about specific items and behaviors that could pose risks, but it's more global than that. Interestingly, #5 is "Healthcare...
New Advertiser: You may or may
Posted on October 27, 2009
New Advertiser: You may or may not be aware that HHS now requires all providers of durable medical equipment, prosthetics, orthotics and supplies to obtain a $50,000 surety bond. If you're looking for DMEPOS bonds, you might want to check out JW Surety Bond Consultants (no relation to my own JW, Jackson Walker)...
Curb Your Enthusiasm: The digitization
Posted on October 26, 2009
Curb Your Enthusiasm: The digitization of medical records is not the cure-all some claim it will be. As with just about every other component of the health reform debate, nothing will be as good (the public option will end the uninsured problem), bad (death panels will kill grandma), or efficient (cutting fraud and abuse will save $500 billion) as the most vocal proponents/critics say...
Cost of a (non-HIPAA) Data Breach:
Posted on October 22, 2009
Cost of a (non-HIPAA) Data Breach: FTC fines ChoicePoint $275,000 for 2008 breach.
Hospital bans Facebook: New England
Posted on October 21, 2009
Hospital bans Facebook: New England Baptist Hospital has banned its employees from using Facebook at work over privacy and time-wasting concerns. The second concern is definitely apt; as for the first, that's probably punishing the medium when the message is the potential problem...
Red Flag Reduction Reax: Some disagree
Posted on October 20, 2009
Red Flag Reduction Reax: Some disagree with the new legislation to exempt small providers from the Red Flags Rule.
Second Life: Interesting article
Posted on October 19, 2009
Second Life: Interesting article on Children's Memorial Hospital in Chicago's use of Second Life for training and peer support for disabled patients. I'm still not very sure how to purposefully navigate through Second Life: I have an identity there and an avatar that looks nothing like me, thankfully, but have never had any successful interactions there...
RED FLAGS UPDATE: In case you're
Posted on October 15, 2009
RED FLAGS UPDATE: In case you're following the Red Flags issue (the latest FTC compliance date was shifted to November 1), here's some big, big news: The House Financial Services Committee has quickly (and without Republican objection) moved forward a bill that would fully exempt healthcare, legal, and accounting firms with fewer than 20 employees from the definition of "creditor" under the Red
Express Scripts: a 2008 successful
Posted on October 06, 2009
Express Scripts: a 2008 successful hacker into the pharmacy benefits management company's database might have exposed personal information of 700,000 people.
70,000,000 Records; Is That a Lot?
Posted on October 05, 2009
70,000,000 Records; Is That a Lot? The National Archives hosts a database that allows veterans to request copies of their medical records and discharge data. One of the hard drives went out, so the Archives sent it to the contractor to fix. The contractor couldn't fix it, so it sent it to another contractor to recycle...
Bookmark this Permalink: HHS has
Posted on October 01, 2009
Bookmark this Permalink: HHS has published its instructions for submitting a notice of a data breach involving PHI here. Count the number of affected individuals and follow the instructions.
Business Associate Agreements:
Posted on September 26, 2009
Business Associate Agreements: The HITECH provisions of HIPAA contain some big changes for business associates, as well as some changes to business associate agreements. But the specifics aren't that well defined. What should you do? Should you amend your existing BAAs? Should you adopt a new form of BAA for new relationships, but keep the existing form to see what happens? Well, according
New York: Here's a story (subscription
Posted on September 24, 2009
New York: Here's a story (subscription required) about a NY scam similar to the Miami scam mentioned Tuesday. A lawyer and seven employees of a public hospital were arrested for running a scam where medical information of auto accident victims was taken by the hospital employees and sold to the lawyer, who used the information to file personal injury suits and get the patients unnecessary care
More Miami Misappropriation: I
Posted on September 22, 2009
More Miami Misappropriation: I think this is a spill-over and an addition of new parties to a previous story, but a Miami cosmetician has pled guilty to buying medical records for resale to a plaintiff's lawyer, who would solicit the patients to become his clients...
Off Topic: Health Reform: Interesting
Posted on September 17, 2009
Off Topic: Health Reform: Interesting article.
Cool: I'm a top 25 blog for nursing
Posted on September 14, 2009
Cool: I'm a top 25 blog for nursing assistants and CNAs.
Business Associate compliance:
Posted on September 09, 2009
Business Associate compliance: As you know, HITECH added a layer of responsibility onto business associates, so they are effectively treated as covered entities for many purposes. This means covered entities and business associates need to beef up their compliance efforts...
Physician trends and information:
Posted on September 04, 2009
Physician trends and information: This is a pretty fascinating study from the Center for Studying Health System Change on current statistics relative to US physicians. 3/4 of practicing doctors are white; 3/4 are male; about half of doctor revenue comes from Medicare and Medicaid; most doctors provide some charity care to financially strapped patients, with the charity care rates going up with
Paging the AMA: Here's how you
Posted on August 28, 2009
Paging the AMA: Here's how you do it. The AMA (American Medical Association) has been fighting the FTC over whether doctors should be subject to the Red Flags Rule, and the FTC just won't agree to the AMA's perfectly good reasons. The ABA (American Bar Association) has had the same complaint with the FTC, although the ABA has been much more aggressive, not waiting for the FTC to specifically
Self-diagnosing your network: Here's
Posted on August 25, 2009
Self-diagnosing your network: Here's a pretty good paper, from Tripwire and InformationWeek, on your network and your HIPAA responsibilities. It requires free registration, but it's worth it.
Interim Final Rule on Breach Notification:
Posted on August 21, 2009
Interim Final Rule on Breach Notification: The reviews are in. Some point out the new burdens (particularly due to the extreme limitation on what counts as "secured" PHI), some the improved features (like the harm threshold, allowing providers to not report breaches if there's little likelihood of harm).
Health Reform: Another excellent
Posted on August 19, 2009
Health Reform: Another excellent article outlining the problems with the current proposals and some principles, if not outright proposals, for reforms that might be effective.
FTC issues by the deadline, HHS
Posted on August 17, 2009
FTC issues by the deadline, HHS not so much: The Federal Trade Commission made the HITECH deadline to issue guidelines for PHR vendors and application providers to track and report data breaches. The deadline for doing so as mandated by HITECH was today...
Healthcare Reform: "Death panels."
Posted on August 14, 2009
Healthcare Reform: "Death panels." Much has been made of this. Sarah Palin referred to them in calling Obamacare "evil": "The Democrats promise that a government health care system will reduce the cost of health care, but as the economist Thomas Sowell has pointed out, government health care will not reduce the cost; it will simply refuse to pay the cost...
OT: Beer. Forget about the watermelon
Posted on August 13, 2009
OT: Beer. Forget about the watermelon wheat beer I bottled last Sunday, this is sick (and I mean that in the good way [I think]).
Health Reform: The Whole Foods
Posted on August 12, 2009
Health Reform: The Whole Foods alternative to ObamaCare.
Healthcare Reform: This may be
Posted on August 07, 2009
Healthcare Reform: This may be the best article I've read so far. And he's right: our healthcare system isn't broken, it's amazing. It's not perfect, but it's amazing. If we changed the way we pay for it, and managed our expectations regarding what we can have and how much it really costs, we might be able to continue it.
Off topic: This is sad. He was
Posted on August 06, 2009
Off topic: This is sad. He was an unbelievable surgeon, but more so a great man. I was fortunate to call him a friend.
Health Reform: Interesting op-ed
Posted on August 05, 2009
Health Reform: Interesting op-ed on the Wyden-Bennett Healthy Americans Act. I don't know what other baggage comes with the Act, and I don't know if it's really appropriate for the federal government to mandate that free people buy health insurance, but that may be the only alternative to allowing providers to refuse to provide care without payment...
Social Media: Somewhat off-topic
Posted on August 03, 2009
Social Media: Somewhat off-topic (since most of my social media posts relate to social media and medical record privacy, or the use of social media in healthcare advertising), but this story is a good reason to be careful when you're using any sort of social media...
Social Media: I've presented a
Posted on July 30, 2009
Social Media: I've presented a couple of speaking engagements on social media in healthcare marketing in the last couple of months. For those of you still wondering what social media is, how it works, and how it could be helpful, this is a great (if somewhat profane) slide deck.
Guest Post: Kat Sanders
Posted on July 30, 2009
Guest Post: I got a request to allow a guest post, and since I'm lazy enough to let anyone write for me, I decided to allow it. See below: HIPAA Enforcement - When It Matters and When it Doesn't. The HIPAA rule that protects patient privacy has been around for some time now, and it has always been in the midst of some controversy or the other...
Red Flags Update: The FTC has again
Posted on July 29, 2009
Red Flags Update: The FTC has again delayed enforcement of the Red Flags Rule, which requires financial institutions and other "creditors" to establish identity theft protection programs to (i) identify "red flags" that would indicate that a customer or client might be the victim of identity theft, (ii) detect when a "red flag" has been raised, and (iii) take steps to address any identity theft
HIPAA confusion: Doctors' offices
Posted on July 27, 2009
HIPAA confusion: Doctors' offices sometimes get confused. One of the basic patient rights enumerated in HIPAA is the right of the patient to have access to his/her medical records.
Preemption: In Minnesota, HIPAA
Posted on July 24, 2009
Preemption: In Minnesota, HIPAA doesn't preempt state law that allows an individual to pursue a state-law cause of action against a provider for improperly disclosing medical information. Well, of course not: HIPAA's preemption is only of weaker state laws...
Arkansas Snoopin': This is the
Posted on July 23, 2009
Arkansas Snoopin': This is the follow-up to the Little Rock news reporter case. Three hospital people have pleaded guilty to HIPAA violations for snooping in medical records. The doctor involved got 2 weeks probation, the two non-doctors got fired. This is at least the second HIPAA case for Jane Duke, the Arkansas prosecutor.
OCR is Hiring: does that mean more
Posted on July 20, 2009
OCR is Hiring: does that mean more enforcement, or more policy-making?
Healthcare reform: A nice synopsis
Posted on July 17, 2009
Healthcare reform: A nice synopsis of the house bill.
Health Reform = Health Rationing:
Posted on July 16, 2009
Health Reform = Health Rationing: Peter Singer has finally said it. I'm glad someone has, because this part of the conversation must be had. So far, it's all Santa Claus and the Easter Bunny: people ought to have healthcare for free (hey, apparently it's a "right"!), but instead of talking about how we're going to pay for it, let's talk about how we're paying too much right now! Singer's
Do state privacy laws deter EMR
Posted on July 15, 2009
Do state privacy laws deter EMR adoption? Are physicians and hospitals less likely to adopt electronic medical record technology due to the existence in their state of stricter privacy laws? Apparently, says this study.
OT: More Healthcare Reform news.
Posted on July 14, 2009
OT: More Healthcare Reform news. If the problem is that we pay too much for healthcare, why do all the proposed health reform bills cost money, rather than save money? This is why there will be no health reform this year. See this, too. Especially see the last page: primary care physicians can't afford to live in NYC...
Dr. Dappen Leaves Medicare: The
Posted on July 13, 2009
Dr. Dappen Leaves Medicare: The story of one doctor's decision to leave Medicare. I'm sure Steve Pearlstein thinks he's a greedy bastard. This happens when the hassles of the system aren't worth the cost. If the doctor is good enough, he doesn't need Medicare, so he'll abandon it...
OT: Social Media Marketing. I
Posted on July 10, 2009
OT: Social Media Marketing. I have been and will be speaking on this (sign up and listen, it's free!), but there is a huge push to market using Twitter and other social media marketing milieu. One thing to be aware of: even if you stay away from these marketing tools out of fear or extreme caution, you need to be following what OTHERS are saying about you in these media...
OT: what I did on the 4th of July.
Posted on July 09, 2009
OT: what I did on the 4th of July. Quite a performance. You've got to look a long way down to find my name, but it's the first time I've run competitively since high school (which was the last time I was a runner at all).
Fighting ARRA's National Health
Posted on July 08, 2009
Fighting ARRA's National Health Information System: Also from BNA: "Provisions of the American Recovery and Reinvestment Act of 2009 that call for a national health information system for managing patient health records violate privacy and due process rights of those patients under the U...
6 Rules: From Dom Nicastro (and
Posted on July 07, 2009
6 Rules: From Dom Nicastro (and for Paul Moore), some sage advice on the right way to approach HIPAA.
Tweets on a Plane: I'm currently
Posted on July 01, 2009
Tweets on a Plane: I'm currently on American Airlines flight 446, DFW-PHL, somewhere over the Appalachian Mountains, and blogging. On-board wi-fi. Don't know if it's a blessing or a curse. It's like I haven't left my office, except I can't take phone calls.
NIH comment site
Posted on June 30, 2009
NIH comment site: The National Institutes of Health have responded, in a way, to the report by the Health Privacy Project of the Center for Democracy and Technology on the need for better de-identification of PHI when it's used in research or for public health by setting up a comment site where interested participants can discuss the matter.
Physician email: as more and more
Posted on June 30, 2009
Physician email: as more and more payors agree to pay for it, doctors are conducting more online communications with their patients. But you better have a secure connection and use encryption technologies.
HIPAA Sanctions Policy: As noted
Posted on June 29, 2009
HIPAA Sanctions Policy: As noted here, HITECH reiterated and refined the tiered penalty structure of HIPAA itself, and it's probably a good idea for every covered entity to have a tiered sanction policy for employees, staff and others who violate HIPAA...
Wired Patient Rights: I absolutely
Posted on June 23, 2009
Wired Patient Rights: I absolutely agree with this: ". . . informed, motivated patients must play a much greater role in managing their own health if the policy goals of improving the quality of care and curbing costs are to be achieved." More individual responsibility will be the greatest, if not the only, driver of improvements to the healthcare system...
Healthcare Reform
Posted on June 18, 2009
Healthcare Reform: This is a little off-topic, but not too far. I'm often asked what I think about the various health reform proposals. I haven't had a chance to draft out my ideas and issues on health reform, despite promising several folks I would do so...
Physician Data Breaches: According
Posted on June 17, 2009
Physician Data Breaches: According to the AMA, physicians have an ethical duty to report electronic medical record breaches to affected patients.
Cedars Sinai
Posted on June 16, 2009
Cedars Sinai employee steals data, goes to jail. Jessica Hardwick didn't tell me about this.
social media
Posted on June 15, 2009
Social Media and Healthcare: I'll be speaking in a few hours on the legal implications of using social media and Web 2.0 platforms for marketing healthcare services, but noticed this timely report from the Pew Research Center. 61% of adults do internet research for healthcare purposes...
4 HITECH areas to act on now: It's
Posted on June 15, 2009
4 HITECH areas to act on now: It's hard to say what you should be doing specifically without regs being issued, but these are all good points.
Red Flags FAQ
Posted on June 12, 2009
Red Flags FAQ: The group of federal regulatory agencies (the FTC and a bunch of financial regulators like FDIC) who put out the Red Flags Rule have issued FAQs. I've skimmed but haven't read them yet; however, I wanted to pass this along anyway. There's nothing specific about physicians or other medical providers.
Hawaii case
Posted on June 11, 2009
One Year in Jail: a woman who works at a medical clinic accesses her friend's sister-in-law's medical records (because the friend and sister-in-law are fighting) and finds out the sister-in-law has HIV/AIDS. The woman posts that info on her MySpace page...
Online enrollment required: Under
Posted on June 11, 2009
Online enrollment required: Under the health reform packages being considered, all health plans will have to have online enrollment. At least that's the part of healthcare reform you'd expect InformationWeek to find newsworthy.
Ross Martin
Posted on June 08, 2009
Ross Martin, M.D.: Holy. Freakin. Cow. This is amazing. And all you need to know about HITECH.
CVS
Posted on June 02, 2009
CVS: You may remember that CVS got tagged with a $2+ million fine for failing to protect patient data (mainly, they dumped records). Now, they've announced some of their plans to improve their operations and better protect the information. Of course, shredding is a big part...
New Advertiser
Posted on June 01, 2009
New Advertiser: please welcome my new advertiser, AIG Direct Health Insurance. If you're looking for an individual insurance policy, this is a good place to go.
Testy, testy: CCHIT is accused
Posted on May 29, 2009
Testy, testy: CCHIT is accused of whoring for HIMSS, which is accused of whoring for tech vendors. Personally, I think that's an unfair indictment of both organizations. HIMSS is made up of tech pros; it's obviously influenced by tech vendors, since many of the tech pros work there and the rest deal with those vendors and their products...
AEtna Web Site Hacked: 65,000 people
Posted on May 28, 2009
AEtna Web Site Hacked: 65,000 people offered credit monitoring: It's a job application website, not medical records, so not exactly a HIPAA issue.
UNC + IBM = improved quality?
Posted on May 28, 2009
UNC + IBM = Improved Quality? That's what they're hoping for.
Tenet Florida employee medical record theft
Posted on May 27, 2009
Tenet Employee Caught Stealing Medical Records: Your basic identity theft/credit card fraud case. But since it involves medical records, HIPAA is implicated, and the story indicates that the duo will be charged with criminal HIPAA violations. Under the original DOJ guidelines that say employees can't violate HIPAA (the thief was a records tech, not a nurse or other specialty that might be
HIPAA enforcement under the HITECH
Posted on May 26, 2009
HIPAA enforcement under the HITECH Act: The HITECH provisions in the so-called stimulus bill revise HIPAA and add additional enforcement powers, but how will they really be enforced? We'll have to wait for regulations, but in the interim, the Office of the National Coordinator for Health Information Technology has issued a white paper indicating how it will carry out the new enforcement powers.
Tips for catching snoopers
Posted on May 22, 2009
Tips for Catching Snoopers: This is a pretty useful little article. Bottom line: use honeypots to catch those who are inclined to snoop before they actually snoop on something important. You don't know if your next patient is going to be the Octomom, so you don't know which files to more closely guard...
Data Breach, But No Proof of Damages:
Posted on May 21, 2009
Data Breach, But No Proof of Damages: I just saw an interesting case out of Iowa (via BNA, subscription required), Doe v. Central Iowa Health System, Iowa, No. 07-1017, 5/15/09, where an employee/patient who had attempted suicide sued several hospitals and other providers over improper access to his medical records by coworkers...
Red Flags Rule
Posted on May 18, 2009
Red Flags Rule: I've noted below and in eBriefs that healthcare providers are expected by the FTC to comply with the Red Flags Rule and adopt identity theft prevention programs. You have until August 1 to do so.
Octomom Snooping Case
Posted on May 15, 2009
Octomom Snooping Case: Kaiser hospital fined $250,000 for failing to prevent employees from snooping. Frankly, that seems unfair; the hospital acted pretty quickly to punish the snoopers. . . .
Scare Force One -- NOT
Posted on May 13, 2009
Totally off topic: Here is the antithesis of the "Scare Force One" fiasco.
Johns Hopkins insider data theft
Posted on May 13, 2009
More Insider Data Theft: this time, it's Johns Hopkins. Again, the HIPAA issue here is not the medical aspect of the information, but the demographic part that's useful for identity theft.
Securing against the Inside Job
Posted on May 11, 2009
Securing Against the Inside Job: Most of the security focus baked into HIPAA, relating to protecting the PHI you send, use and maintain, is on outside threats. The Virginia prescription drug hacking case is a good recent example. But, where is your biggest threat? It's not so much an outsider; most cases of data loss due to outside actors are laptop and PDA thefts, or office break-ins.
most disturbing thing
Posted on May 05, 2009
Off Topic: Perhaps the most disturbing thing I've ever seen. Last week I was in New York for the CIT Healthcare Finance Conference, a gathering of small healthcare businesses and potential financing sources, where company executives give short presentations on their companies and then meet with possible investors or lenders...
Virginia Rx data breach, hackers, ransom
Posted on May 05, 2009
Virginia Rx Data Breach, Hackers, and Ransom: It seems some hackers got into the Virginia state program that tracks prescription drug use to try to locate prescription drug abusers and drug-seekers. They took down all the data and left up a ransom note, asking for $10,000,000...
Swine Flu
Posted on April 30, 2009
Swine Flu: Don't panic. Wash your hands regularly, and use hand sanitizers if you're not near a good clean rest room. Stay home (work from home) if you're sick. That's it. I predict that American H1N1 flu deaths will be less than 1% of the average annual US flu death toll.
Red Flags Rule
Posted on April 30, 2009
Red Flags Rule: FTC announces delay in enforcement date from May 1 (i.e., tomorrow) to August 1. In the interim, they'll provide a template for "creditors" who are at low risk for identity theft. I don't think this is the relief the AMA was looking for.
doctor shortage
Posted on April 28, 2009
Doctor shortage, and what it portends for healthcare reform. I saw this in James Taranto's column in the WSJ today: Does President Obama understand economics? This passage, from a Friday speech on higher education, suggests not: "And yet, in a paradox of American life, at the very moment it's never been more important to have a quality higher education, the cost of that kind of education has never
Air Force One Fly-by
Posted on April 28, 2009
Totally Off-Topic, but . . . well, stunning. Which raises a couple of thoughts:
1. If scaring the crap out of a terrorist is torture, what's scaring the crap out of thousands of New Yorkers? A photo op.
2. What's the carbon footprint of this little photo shoot? More or less than every Hummer in America idling for an hour? Just curious...
offshore transcription
Posted on April 20, 2009
Offshore Transcription: This shouldn't surprise anyone, but much medical transcription is done overseas. Obviously, there are HIPAA issues. And there is some "scare language" in the article ("Asian transcriptionists often strain to understand what American doctors have dictated...
HHS issues guidance on what makes
Posted on April 17, 2009
HHS issues guidance on what makes PHI "unsecured" for new data breach rules: This is hot off the presses, and I haven't had time to read it yet, but a quick scan leads me to believe that my original impression was correct: you've got to encrypt for ePHI to be "secured...
Moses Cone Data Breach: Another
Posted on April 15, 2009
Moses Cone Data Breach: Another stolen laptop, another hospital scrambling to offer credit reporting to patients whose information was stolen. The data was password-protected, and in a software program that requires some training to use, but it wasn't encrypted; does that count as "unsecured PHI" under the new HIPAA rules post-ARRA? We won't know for sure until the regs come out...
Privacy Rules hinder EMR adoption
Posted on April 15, 2009
Do Privacy Rules Hinder EMR Adoption? Apparently they do. This all goes back to my underlying issue of privacy versus healthcare delivery. Markets work better with free-flowing information, and most systems do too. Perfect privacy (nobody knows your PHI, not even your doctor) is bad for your healthcare...
Reaction to HITECH and ARRA
Posted on April 13, 2009
What's your reaction been to ARRA and HITECH? The so-called Stimulus Bill (ARRA) contained the acronymiously adventurous HITECH provisions (that's the Health Information Technology for Economic and Clinical Health Act), which strengthened HIPAA penalties, added more potential HIPAA regulators and enforcers, and made more people subject to HIPAA...
OT: Health Reform: here's a pretty
Posted on April 08, 2009
OT: Health Reform: here's a pretty good article on healthcare reform. I still doubt we'll see healthcare reform, any more than we'll see cap-and-trade in energy or the US adopting the new version of Kyoto (Copenhagen this time), mainly because there's too much anecdote, too much hyperbole, too many wish lists, and not enough serious thought...
ARRA text
Posted on April 07, 2009
(So-called) Stimulus Bill Text: As I noted below, the American Recovery and Reinvestment Act was actually passed with a bunch of handwritten notes on it changing some of the language, some of it substantively (the country's in the very best of hands)...
Medical records at closed physician practice
Posted on April 03, 2009
What happens to the records when a doctor closes shop? It depends on how it happens, but it can be a messy, troubling situation. A doctor in Acton, Mass. abruptly shut his practice because the state was chasing him for practicing without a license. He just abandoned the records, and they were about to be shredded when a local hospital stepped in to take possession of them...
Internet security generally
Posted on April 03, 2009
Internet Security Generally: As you work your way through the Red Flags Rule, now is a good time to rethink your Security Rule policies and procedures, or at least give a quick think about whether your original security risk analysis is still applicable, accurate, and effective...
Red Flags Rule
Posted on April 03, 2009
Red Flags Rule: You may or may not know about this (or may or may not care), but you better have made a decision as to whether you're going to take care of this by May 1. I'd suggest you do so. And while you're at it, think about rethinking your Security Rule policies and procedures, too...
Upcoming Gigs: I keep meaning to
Posted on April 02, 2009
Upcoming Gigs: I keep meaning to post on here my upcoming speaking gigs; I don't just blog HIPAA, I talk it too. Anyway, here's my current agenda: April 21: I'll be in NYC at the 4th Annual CIT Healthcare Conference, hearing new market entrants pitch their businesses and asking HIPAA-related questions...
From the World Privacy Forum: an
Posted on April 01, 2009
From the World Privacy Forum: a patient's guide to HIPAA. With some useful information for the non-HIPAAcrat.
NEJM report on EMR adoption in hospital
Posted on March 26, 2009
How complete is hospital adoption of EMR technology? According to this report by the New England Journal of Medicine, not very. 1.5% for complete EMR adoption, with Computerized Physician Order Entry (the easiest and most cost-effective sliver of the EMR universe) adopted by only 17% of hospitals...
Mass. General Data Breach: Another
Posted on March 24, 2009
Mass. General Data Breach: Another day, another data breach. This time, it's limited to 66 Massachusetts General Hospital patients. Their paper records were left on a subway train. Unlike most data breaches, where the concern is social security numbers or other information that could be used for identity theft, the data here was billing records, which do contain name and date of birth, but
Slightly OT: The (so-called) Stimulus
Posted on March 23, 2009
Slightly OT: The (so-called) Stimulus Bill. You can read below my somewhat extensive posts on the HIPAA provisions in the American Recovery and Reinvestment Act (sometimes called the Stimulus Bill, the Porkulus Bill, and various other names, but in the spirit of neutrality we call it ARRA)...
Miami Data Breach
Posted on March 23, 2009
Miami Data Breach: Somebody stole a hard drive from Jackson Memorial Hospital with drivers' license data on hospital visitors. No social security numbers, which is good. And it's hard to tell if the information was PHI, based just on what I read in the story...
cellphone texting by physician office
Posted on March 23, 2009Physician office texting: Here's an interesting story of a physician's office using cell phone text-messaging for patient notifications. Certainly do-able, and probably a cost-saver, but you must make sure you're cellphone numbers are good, you get buy-in from the patients (with easy opt-out), minimize the information flow over the text process (don't discuss test results, just notify of the
NoPP on cd = written?
Posted on March 20, 2009
NoPP on CD: Just received a fairly interesting question on the requirement to deliver a notice of privacy practices (NoPP). HIPAA requires covered entities to provide them to the people whose health information the covered entity will be handling (patients of providers, beneficiaries of health plans)...
David Blumenthal named NC
Posted on March 20, 2009
NC Named: David Blumenthal, M.D., has been named to be the National Coordinator for Health Information Technology (i.e., the NC in ONCHIT). John Halamka is happy. He's certainly a solid Massachusetts Democrat.
Federal healthcare data breach re nuclear employees
Posted on March 18, 2009
Here's a Healthcare Data Breach With a Twist: It seems medical data on a bunch of federal Department of Energy nuclear power employees might have been lost. OK, I can think of several ways this could be worse. . . .
New Data Breach rules and preemption
Posted on March 18, 2009
Do the New Data Breach Rules Pre-Empt State Data Breach Laws? (And if so, partially or completely?) Excellent question and answer from Edward Shay of Post & Schell: In an exchange on the AHLA's HIT listserv this morning, hipaacrat Shay had the following to say (HITECH is the HIPAA portion of ARRA): "Yesterday on the HITECH Part I conference call, Dan Orenstein asked me if I thought that HITECH
PHRs get patients involved
Posted on March 18, 2009
PHRs Get Patients Involved in Their Own Care: This makes sense, and is one of the good reasons why increased use and access of personal health records (as opposed to electronic medical records or electronic health records*, which are the records in doctors' offices and hospitals) is a good thing...
Physicians using technology
Posted on March 18, 2009
Physician Adoption of Technology: According to this article, it's growing, but is hindered by frustration doctors feel in dealing with the technology. It's hard to change over to an EMR, resulting in wasted time; EMR systems too often aren't interoperable; the software designers don't understand what doctors want and need...
Data Breaches at Binghamton
Posted on March 18, 2009
Data Breach at SUNY-Binghamton: (Actually, it now appears to call itself Binghamton University, but still looks like a member of the State University of New York system) Here's a story about some data breaches at Binghamton, which may result in the recently-hired CISO getting fired...
Cloud computing and security
Posted on March 18, 2009
Into the Cloud: Very interesting article on "cloud computing" and the security and privacy issues raised thereby. This is a very live issue, and draws several articles a day on the InfoWeek website.
ARRA
Posted on March 17, 2009
Epilogue on the Stimulus Bill: So what does it all mean? I don't think we can say for sure, but covered entities and business associates should start looking over their policies and procedures, and their forms, and start making some changes. These provisions have varying start times, and most are subject to further rulemaking by the Secretary of Health and Human Services...
ARRA stuff
Posted on March 17, 2009
Stimulus Bill Potpourri for $500, Alex: There's also a passel of additional HIPAA junk in the trunk of this bill: Other Specific Disclosure Rules. There are several additional rules included in the HIPAA provisions of ARRA intended to address specific situations...
ARRA provisions
Posted on March 17, 2009
More from the Stimulus Bill: There are also changes in HIPAA enforcement. Depending on how you look at it, this could be good; or bad. Improved Enforcement. There was some confusion whether an employee of a covered entity could be subject to HIPAA criminal penalties...
Sam's Club EMR
Posted on March 12, 2009
Would you buy an EMR system from Sam's Club? Actually, with the partners involved (Dell and eClinicalWorks), it sounds like a pretty good deal. Part of the chicken-and-egg issue of EMR is not buying the tech stuff until everyone uses it, but nobody uses it until everyone buys it...
"Free" is a problem
Posted on March 12, 2009
"Free" May Be A Problem: according to this article, there's the additional concern that "free" software EMR solutions, if they come about, won't be the cure either, in no small part because of the "moral hazard" argument. Physicians may not be as likely to embrace a new EMR project, support it, or work with it simply because it's free; the perceived value won't be there...
Why WalMart matters
Posted on March 12, 2009
Why WalMart (or more accurately, Sam's Club) Matters: I noted immediately below the story on Sam's Club (partnering with Dell and eClinicalWorks) to provide low-cost EMRs to small physician practices. It's important to note that physicians don't get as much Stimulus money as hospitals do for EMR, it's paid out over time, and the punishment for not going electronic (in the future) will be
Milestone
Posted on March 09, 2009
Milestone: Yesterday was the 7th anniversary of this blog's first post. You'd think there would be more answers than questions by now. . . .
Preexisting conditions debate
Posted on February 26, 2009
The Pre-Existing Conditions Debate Heats Up: As you know if you've read this blog before, HIPAA originated because of the insurance concept of the pre-existing condition. Your insurance isn't "portable" (the "P" in HIPAA) if you can be denied because of a pre-existing condition...
State Data Breach Notification Laws
Posted on February 26, 2009
State Data Breach Notification Laws: I've been trying to get my hands around the new PHI data breach notification requirements of the ARRA (the Stimulus Bill), and been talking to a lot of folks about it. One constant question is how this data breach notification statute will interact with the various state statutes...
No takers for free govt insurance
Posted on February 25, 2009
Slightly Off Topic: what happens if you pass a bill to put 4 million uninsured children on a governmental child insurance program, but they don't sign up? One thing never, never, never mentioned in the uninsured/underinsured debate is how many are that way by choice...
Stimulus Bill HIPAA provisions
Posted on February 18, 2009
I'm in denial. Yes, I'm still dumbfounded by the utter stupidity of the so-called Stimulus Bill, on so many levels, that I haven't focused on the HIPAA provisions buried therein. I promise I will post on them. But for now, know that Business Associates will be treated like Covered Entities for breach and enforcement purposes...
CVS settlement
Posted on February 18, 2009
This just in, via Modern Healthcare: CVS to pay $2 million over alleged HIPAA violations. Capping a first-of-its-kind joint investigation by the Federal Trade Commission and the HHS Civil Rights Office, drugstore and pharmacy benefits management giant CVS Caremark has agreed to pay $2...
OT: Kosenske case
Posted on February 17, 2009
Off-Topic: Stark and the Unabomber: I wrote an eAlert a few weeks ago about a case out of Pennsylvania called US ex rel. Kosenske v. Carlisle, in which a hospital failed to update a contract with its anesthesia group and, therefore, was determined to have violated Stark (resulting in a lot of false claims)...
25 tools for self-googling
Posted on February 17, 2009
What's being said about you online? I got an email from Kelly Sonora noting this article with some tools to help you find out what's being said about you online. Not HIPAA-specific, but something worth looking into.
Stimulus bill and balancing privacy with usefulness
Posted on February 11, 2009
On the Stimulus Bill: As we've discussed here before, more discussion of attempts to balance patient privacy with the usefulness of the use and disclosure of otherwise protected health information.
competing stimulus bills
Posted on February 10, 2009
Privacy issues in the Stimulus Bills: the House and Senate versions each contain privacy provisions, but apparently the House bill has been influenced by the privacy watchdog groups, while the Senate bill has been influenced by industry groups. I'm sure it'll suck one way or the other.
New Data Breach: This time, Kaiser
Posted on February 10, 2009
New Data Breach: This time, Kaiser employees are the victim of a true (alleged) identity thief. Not PHI, apparently, though.
New OCR website
Posted on February 10, 2009
New OCR Website: just hours after I sent a link to the old site to a partner of mine, the US HHS Office of Civil Rights (the enforcement agency for HIPAA privacy) has a new website up with information on the HIPAA privacy rule and the Patient Safety Rule.
IOM proposes new privacy structure
Posted on February 05, 2009
IOM: HIPAA is flawed. The Institute of Medicine has determined that the current privacy regime in HIPAA hinders medical research, and they're proposing a new privacy regime, at least where medical research is involved. They do put their finger on the issue -- best privacy and best healthcare are diametrically opposed, and the problem is finding a good balance.
EMR pushback
Posted on February 05, 2009
EMRs not to everyone's liking: Here's an interesting policy-driven push-back piece on EMRs. Not all they're cracked up to be, and possibly a camel's nose issue.
Off Topic - Kosenske
Posted on February 04, 2009
Off-Topic: Just so you won't think all I do is HIPAA: I've got a couple other things I do, professionally-speaking. Not to mention fishing.
Stimulus bill HIPAA provision
Posted on February 03, 2009
Read the Stimulus Bill? OK, I haven't either. But BNA tells me (subscription required) that section 4410(e) grants authority to the 50 states' Attorneys General to enforce the provisions of HIPAA. I don't know if this monster Bill will pass (like I did with the physician-owned hospital provisions in the House version of the SCHIP bill, I suspect it will not pass as written), but if it does, this
Data Breach costs
Posted on February 03, 2009
Another Good Reason to Avoid Data Breaches: the cost. On average, companies pay about $200 per customer record in responding to a data breach. And that's even if nothing bad happens. And if that's not enough: if you're in the healthcare business, you'll lose 6...
Detroit
Posted on January 30, 2009
Detroit Receiving Hospital: An interesting medical record access case is brewing in Detroit. A patient in a psych unit died, and a federally-funded state-appointed advocacy group has sued for access to peer review and other records. The hospital refused, citing privacy restrictions...
Making BAs into CEs
Posted on January 30, 2009
Making BAs into CEs: The sausage is still being made in Washington, DC, but it's looking like the so-called stimulus bill will increase at least some of the existing health information privacy requirements. According to this article, the House version of the bill contains provisions that will impose the same HIPAA privacy requirements that are already applicable to health plans, providers and
Finally, A Reasonable Approach:
Posted on January 27, 2009
Finally, A Reasonable Approach: Or at least that's what it seems at first blush. The Center for Democracy and Technology has issued a paper that proposes a new framework for thinking about patient consent and medical record privacy. I've only glanced over it, but they seem to have hit the nail on the head: the system should assume consent for normal/usual/proper uses, so the delivery,
Surgeon General's family PHR site
Posted on January 14, 2009
HIPAA FAQs for SG's FPHR site (huh?): I mentioned a couple of weeks ago that the Surgeon General is promoting a government-sponsored site for individuals to compile their personal family health histories, sort of a family personal health record (FPHR)...
influential blogs
Posted on January 08, 2009
Am I influential? Someone thinks this blog is one of the top 100 health care policy blogs. Who am I to disagree?
Healthcare IT and Privacy at war:
Posted on December 29, 2008
Healthcare IT and Privacy at war: BNA has a report (subscription required) on some current conflicting letters urging action by the new Congress on healthcare IT and patient privacy. It seems the Confidentiality Coalition is urging Congress to encourage and stimulate spending on healthcare IT, but wants to make sure they don't overdo it with privacy protections that hinder HIT adoption...
FTC report on use of social security
Posted on December 24, 2008
FTC report on use of social security numbers: I've stated over and over, the biggest problem with medical data theft/loss is the fact that the information can be used for fraud, ID theft, or related evils, not that the medical part of the information could be used for any value (other than the California snoopin'/celebrity issues)...
Politics and EMRs
Posted on December 24, 2008
New push for EMRs? Some folks (not surprisingly those with an economic interest in such a strategy) are strongly advocating to the new Obama administration that greater use of electronic medical records is a necessary part of any healthcare reform. Of course, that's half the story; what about privacy (of course, the author says stringent privacy protections must be baked in; of course; he even
Slightly OT: The impending/current
Posted on December 15, 2008
Slightly OT: The impending/current doctor shortage: I have a particular pet peeve that occasionally bubbles to the surface. I think the last time I brought it up was in response to a medical school resident. He was in the age category that HR folks would call a "millennial" -- these are the post-generation-X (and post-gen Y) young adults who are just entering the job market and as a group have a
State health IT efforts
Posted on December 11, 2008
State Health IT Efforts: States are starting to push for health IT, according to the Government Health IT website. Here's a report from the National Conference of State Legislatures tracking the bills passed state by state. What's in store, at the state or federal level? Will subsidies continue (carrots), or will states and the feds (particularly CMS) require adoption of IT, particularly as a
HIPAA Insurance: There was plenty
Posted on December 04, 2008
HIPAA Insurance: There was plenty of talk early on about whether "HIPAA Insurance" would evolve as a form of D&O or malpractice insurance, either to insure against losses and damages for a HIPAA breach by a covered entity or an indemnification or other loss suffered by a business associate who breaches a BA Agreement...
NIST HIPAA security guide
Posted on December 04, 2008
NIST weighs in: This is cool (OK, geeky and long, but still potentially very useful): the National Institute of Standards and Technology has a very important job: they standardize everything, so things work together in industry, commerce, society, etc...
HIPAA and FERPA
Posted on December 03, 2008
HIPAA and FERPA: One of the interesting boundaries of HIPAA is FERPA, the Family Educational Rights and Privacy Act. HIPAA obviously restricts the use and disclosure of Protected Health Information or PHI, which is broadly described as any information about past, present or future health or medical conditions or the payment therefor...
California snoopin guilty plea
Posted on December 02, 2008
California Snoopin' Update: The admin employee at Ronald Reagan UCLA Medical Center has pleaded guilty to a state felony count of accessing confidential information for commercial gain. Apparently, she snooped and sold the information she found to tabloid reporters...
Iowa snoopers
Posted on November 19, 2008
It's not just California: In Iowa, hospital employees snoop, too. One fired, 7 disciplined = a good start. Teach 'em a lesson.
Lawyer survey
Posted on November 18, 2008
Lawyer Survey: Are you a lawyer? Are you being affected by the recession? Well, the ABA Journal wants your input. They are conducting a survey, which you can access here, and they're asking blawgers to spread the word. So, if you fit the criteria, please go fill out the survey.
Six Steps to Insuring Data Privacy:
Posted on November 12, 2008
Six Steps to Insuring Data Privacy: The CIO Blog at InformationWeek has an interesting post outlining six steps for making sure you keep your electronic data private. What's interesting is that the first two are specifically required by the HIPAA Security Rule: you must do a security assessment and risk analysis, and you must appoint a Security Officer...
Health Information Trust Alliance
Posted on November 12, 2008
Health Information Trust Alliance: From the AHLA daily briefings: The Wall Street Journal (11/12) [subscription needed] reports that "a group of large healthcare companies is trying to create a common set of security practices, but it remains to be seen whether they can persuade businesses in the fragmented industry to join their effort...
HIPAA Exam Question: Scenario: Susie,
Posted on November 11, 2008
HIPAA Exam Question: Scenario: Susie, RN, gets a phone call and the caller ID shows it is coming from Jane (a co-worker). Jane asks how an employee can get a pregnancy test done. Susie tells her to go to the lab and the results will be sent to the clinic and then she can come in to see a provider...
Baylor laptop theft
Posted on November 06, 2008
Baylor Health System suffers data loss: A laptop was stolen from the car of a manager of HealthTexas Provider Network, the physician organization within the Baylor Health Care System. The laptop had names and some medical procedure information (CPT codes) for about 7,500 patients, but the data wasn't comprehensive, and apparently contained social security numbers, so Baylor's offering free
Georgia Preemption case
Posted on November 05, 2008
Georgia Courts Rule on Preemption: From BNA: "Defense attorneys wishing to engage in ex parte communications with a plaintiff's treating physicians must comply with the privacy rule under the Health Insurance Portability and Accountability Act, the Georgia Supreme Court ruled Nov...
Portland VA
Posted on November 03, 2008
Oregon VA error posts personal info online: In a case of open government/open records versus personal privacy, the VA in Portland, Oregon posted some spending information to an online website that allows the public to keep track of government spending...
HHS lax HIPAA enforcement
Posted on October 31, 2008
OIG slaps down HHS for lax HIPAA enforcement: The OIG has sent HHS a letter grading its HIPAA enforcement activities. Apparently the OIG wants HHS to be more like it, at least in terms of aggressiveness. HHS' mechanism for complaints is good, but they need to investigate more, says the OIG...
California Snoopin'
Posted on October 31, 2008
California Snoopin' update: 1000 patients had their medical records improperly accessed at UCLA Medical Center. Heads should roll.
ACT/AIC Leadership Conference
Posted on October 30, 2008
ACT/AIC Leadership Conference: Below is an email I got from Alan Goldberg, who got it from Tom Evans of KMK Consulting: Earlier this week, I was privileged to join over 250 government and more than 600 IT professionals for the American Council for Technology (ACT)/Industry Advisory Council (IAC) 2008 Executive Leadership Conference in Williamsburg, Virginia...
UPI
Posted on October 30, 2008
UPI Costs and Benefits: The Rand Corporation has a monograph out discussing the benefits to efficiency and quality, and the risks to privacy, of finally migrating to the HIPAA-required Unique Patient Identifier. We've moved to one number for each payor and one number for each provider, but can't get to the one number for each patient to complete the third leg of the stool...
Kentucky: No HIPAA private cause of action
Posted on October 28, 2008
Kentucky: No HIPAA Private Cause of Action: In Young v. Carran, Ms. Young sued her baby-daddy's law firm for letting him have her psychiatric records. Apparently Young and the daddy Martin were in a child custody fight. Martin got the right for his lawyers to access Young's medical records, but he wasn't allowed to see them...
Aetna and Microsoft's HealthVault
Posted on October 22, 2008
Aetna and Microsoft's HealthVault: Aetna is rolling out HealthVault to its subscribers to use to make their Aetna-internal PHR portable. We'll see how it works. Personally, I tried tinkering around in HealthVault and found it relatively user-unfriendly and non-intuitive (jeez, who'da thunk Microsoft would make a user-unfriendly, non-intuitive product? Vista, anyone [and I don't mean the VA's
Medical Identity Theft and the unique patient identifier
Posted on October 21, 2008
Medical Identity Theft and the Unique Patient Identifier: One of the goals of HIPAA was to increase the digitization and electronification of information. If we standardize the information and computerize it, we'll drive a lot of the inherent inefficiency out of the healthcare industry...
Watch your Excel
Posted on October 17, 2008
Watch your Excel: Some first-year associate at Cleary Gottlieb is probably out of a job because of a formatting error in dealing with Excel. I suspect a software program was used to make the conversion; if they'd just printed out the Excel spreadsheet, reviewed it in hard copy, and used a multi-function device to scan it into pdf format, they wouldn't be facing this problem.
Medical ID Theft
Posted on October 17, 2008
Medical Identity Theft: This is becoming a hot topic; expect some federal legislation, some experts say.
Nevada encryption law
Posted on October 14, 2008
Nevada encryption law: This is the first I've heard of it, but apparently there's a new law in Nevada that requires the encryption of any "personal information" (name + either SSN, driver's license number, or [account number + password]) if it's sent by electronic means other than fax outside the business...
California
Posted on October 08, 2008
More California: more news stories on the new California hospital medical record privacy bureaucracy here and here.
HHS FAQ
Posted on October 07, 2008
Is the Privacy Rule suspended during emergencies? That's a frequently asked question that HHS has decided to answer on its website FAQs. The answer is no, but the Secretary can suspend parts, particularly the paperwork-type rules, special-circumstance rules, and rules related to notifying relatives and friends...
California snoopin'
Posted on October 02, 2008
More California: Here's Modern Healthcare's take on it.
WalMart-Dossia
Posted on October 02, 2008
Wal-Mart: It seems Wal-Mart has included electronic personal health records for all its employees as part of its open enrollment process for next year's beneficiaries. Wal-Mart is part of the Dossia consortium of large employers that's trying to make PHRs available to employees and encourage employees to use a PHR to maintain medical information and manage their healthcare.
California Snoopin: Ahnuld signed
Posted on October 01, 2008
California Snoopin: Ahnuld signed the law creating the new state agency to enforce the new hospital medical record privacy law.
employee cell phone cameras MySpace
Posted on September 22, 2008
Cell Phone Cameras: In Albuquerque, 2 UNM Hospital workers took pictures of patients receiving treatment, and posted them on their MySpace pages. Once discovered, they got fired. Good. Seriously, just how dumb is that? The hospital should have a policy prohibiting it, but do you really need an explicit policy not to take pictures of patients and post them on the internet? Isn't that common
OIG guidance re friends and family
Posted on September 16, 2008
Friends and Family: the OIG has issued new guidance for providers to follow when trying to determine when they can provide PHI to friends and family of patients.
media disposal
Posted on September 15, 2008
How do you dispose of old backup tapes? Obviously, you follow your document retention policy. But what should that policy look like? Duration is definitely an issue; there are legal requirements for certain records, business uses, and other reasons to keep them a long time, as well as good reasons for deleting them as soon as possible (legal risks [including simply the cost of responding to
Medical ID theft
Posted on September 10, 2008
Medical Identity theft accounts for 3% of all identity theft cases, according to this article.
Piedmont and Providence: Feds finally
Posted on September 08, 2008
Piedmont and Providence: Feds finally put teeth into HIPAA, according to ComputerWeek. I'm not so sure. So far, nothing's come from Piedmont, except other audits and an attractive government contract for PwC. And Providence was a settlement of a bad (in the sense of being high-profile) data breach, and the penalty amount isn't really enough to scare too many people...
new California healthcare data breach law
Posted on September 02, 2008
New California legislation: From a post to the AHLA Health Information Technology listserv: Here's a summary of the two companion legislative bills; they are all but signed, and will take effect January 1, 2009. The scuttlebutt in Sacramento is that the bills are directly driven by Governor Schwarzenegger's personal interest in their passage, following unauthorized access by UCLA Medical Center
Snoopin
Posted on August 28, 2008
Celebrity Snoopin': USA Today is on the case. The lawyers quoted are right: celebrities have as much right as anyone to the privacy protections of HIPAA, but tabloids aren't responsible or liable for republishing medical information about celebrities...
Britney/UCLA/California snoopin'
Posted on August 27, 2008
Britney Update: More news from California on the "California Snoopin'" problem exposed by the LA Times regarding UCLA Medical Center and celebrity patient medical records. The California legislature has proposed legislation to require hospitals to have plans in place to safeguard medical records from inappropriate viewing, and to set up a state agency to review the plans and fine hospitals up to
Data Breaches in 2008 so far
Posted on August 26, 2008
Data Breach Problem: It keeps getting worse. We've already had as many personal data breaches this year so far as we had in all of 2007, and it's only August.
Health ID Theft
Posted on August 22, 2008
Health Identity Theft: another article. Again, insiders are the most likely culprit.
Snooping, selling records
Posted on August 19, 2008
More medical record snooping issues: This time from Iowa. Part of the problem is healthcare employees snooping in medical records. This is understandable and should be expected. It's not acceptable, and those who do it should be severely punished...
Self-care tools
Posted on August 19, 2008
Self-Care Tools: Interesting article in the Wall Street Journal on technological devices that help patients (and their physicians, if they so wish) control and manage their care. This is just the type of thing to drive technology into the healthcare delivery system: get techno benefits to patients that are easy to see, and the system will incorporate the technology...
Providence CSO speaks
Posted on August 18, 2008
Providence CSO Speaks: Eric Cowperthwaite, chief security officer at Providence Health and Services, gave an interview with CSOOnline discussing Providence's problems with HIPAA. He's understandably cautious, but it's nice that he's willing to talk about it...
health social networking issues
Posted on August 18, 2008
Facebook for your Health: I don't know if you saw this over the weekend, but the Washington Post ran a story on Saturday about a personal healthcare social networking program set up by WellNet, a health management company. I'm not clear on how WellNet is set up; it doesn't look like an HMO, but rather an information management company that helps employers understand and manage employee health
More Providence post-mortem
Posted on August 15, 2008
More on Providence: AIS has a pretty good wrap-up of the Providence "resolution agreement," including some interesting "follow the money" answers.
Medicare EHR Pilot Program
Posted on August 12, 2008
EHRs for Medicare Patients: Medicare is going to start up a pilot program in Arizona and Utah to provide electronic health record options to Medicare patients. Old folks + technology = funny results sometimes, but it's certainly true that the elderly, as the biggest consumers of healthcare, stand to gain the most from the efficiencies and safety that EHRs can bring...
Michigan Governor
Posted on August 08, 2008
Michigan Governor's PHI Hacked: It's not only the UCLA Medical Center (or NY Presby for Clinton) that has a problem. It seems Sparrow Hospital in Michigan also has a problem with employees peeking into the medical records of the rich and famous (or at least powerful).
HHCC provides EMRs
Posted on August 06, 2008
Electronic Medical Records: Hartford Healthcare Corporation, parent of Hartford Hospital and Midstate Medical Center in Connecticut, is taking advantage of the Stark exception to subsidize the purchase and installation of an Allscripts electronic medical record system with several big physician groups affiliated with the hospital system.
UCLA celeb med record snoopers
Posted on August 05, 2008
UCLA: It turns out there were a whole lot more prying eyes at UCLA Medical Center than originally thought.
EHR praise for Dossia
Posted on August 01, 2008
Dossia gets props: In EHR news, a federal panel pushing for healthcare IT has given high praise to Google, Microsoft, and others participating in the Dossia patient-controlled electronic health records initiative.
Georgia BC/BS data breach
Posted on July 29, 2008
Data Breach in Georgia: Apparently, Blue Cross and Blue Shield of Georgia didn't test out a change in their computer system, and somehow addresses on EOBs got mismatched. The result was about 200,000 Explanation Of Benefit letters were sent to the wrong addresses...
Congress pushes EMRs: Sorry for
Posted on July 25, 2008
Congress pushes EMRs: Sorry for the lack of postings, but I've been vacationing in the face of a hurricane. Anyway, I saw this in some email headline clippings this morning: The House has moved forward the acronymally abominous "Protecting Records, Optimizing Treatment, and Easing Communications through Healthcare Technology Act", to be known as the "PRO(TECH)T Act...
Providence Settlement
Posted on July 18, 2008
Providence Settlement: Way back in 2006, I reported (and kept you all well updated) on an attempted laptop theft involving medical records on home health patients at Providence Health System in Oregon. An employee took home disks with patient records on them for "safekeeping," but locked them up, in one of those laptop travel cases, in his car in the driveway...
Medical ID theft survey
Posted on July 16, 2008Medical Identity Theft: There's been plenty of news on medical identity theft, and it seems that the general public is getting the idea that this could be a big problem. As I've said along, it's not the medical information in the PHI that's worth stealing, it's the financial info.
P2P filesharing data breach
Posted on July 09, 2008Latest Data Breach, with an interesting twist: Peer-to-peer or filesharing arrangements allow people to share music, movies, and other items downloaded to their computers. But they can also be used to by a hacker to sniff around in other parts of the participant's computer, which is exactly what lead to the latest data breach to hit the news...
Why docs don't use EHRs
Posted on July 07, 2008Why doctors don't use EHRs: Why are doctors hesitant to use EHRs? On the whole, doctors generally embrace technology. Certainly medical technology, like imaging modalities. And they seem to be generally ahead of the curve with techno toys like iPhones and the like...
security breaches
Posted on July 03, 2008Security Breaches: having a tough perimeter is great, but you must watch for inside (or near-inside) jobs. According to this story, most breaches come from your business associates, not from outside hackers.
EHRs
Posted on June 26, 2008This looks promising: The trouble with electronic medical records is getting people within the healthcare business, particularly providers, to use them. There are a couple of legitimate fears -- the "betamax" fear, where a provider doesn't want to invest in the "wrong" EMR; the "culture" fear, which is just inertia in dealing with paper records, and the "privacy" fear, which derives from the
Medical ID Theft
Posted on June 25, 2008Medical Identity Theft: great article from the Wall Street Journal. Hat tip: Kirk Nahra.
Booz Allen Hamilton contract
Posted on June 13, 2008Healthcare Identity Theft: the Office of the National Coordinator for healthcare IT has contracted with consulting firm Booz Allen Hamilton to find ways to fight medical ID theft. The goal is to find ways to detect and prevent people from stealing the medical identity of others so as to get insurance when they don't have it.
Hacker punished
Posted on June 13, 2008An Object Lesson in Managing Employee Termination: A federal jury in San Diego has sentenced a computer engineer to 5 years in jail, and ordered him to pay $400,000 in restitution, for hacking into his ex-employer's computer system and deleting records...
PHRs
Posted on June 12, 2008Latest Personal Health Record News: USA Today reports on the plethora of companies offering electronic personal health records, either to their employees or to the public (and duly notes the medical record privacy concerns). Microsoft's HealthVault has gotten a lot of press lately, but just between you and me, I find HealthVault hard to use...
Medical ID theft
Posted on June 02, 2008Medical ID Theft: Interesting article in this morning's Dallas Morning News on medical identity theft. I'm constantly harping that the biggest damage from medical record privacy is not the loss of actual medical information, but the risk that other information (especially social security numbers or other account or financial information) will be used for ID theft...
UCSF task force
Posted on May 29, 2008UCSF Update: the University of California-San Francisco Medical Center suffered a couple of high-profile PHI breaches recently. The Chancellor of the university has appointed a task force to review what similar systems are doing elsewhere in the nation, and adopt appropriate procedures.
EMR penetration in Texas
Posted on May 28, 2008EMR Penetration in Texas: the Dallas Morning News has an article on the rates of physician adoption of EMR technology in Texas. Pretty basic stuff -- high cost and fear of non-interoperability drive the decision not to go electronic -- and little discussion of the privacy angle...
anti-fundraising article
Posted on May 27, 2008This is pretty ridiculous: Nonprofit hospitals survive on fundraising, volunteer efforts, etc. Some would close without that type of support. HIPAA allows covered entities to use the demographic information they have on patients to solicit donations from those patients...
Google's online PHR launches
Posted on May 20, 2008Google this: If you haven't seen the news yet, Google has launched its much-touted new online personal health record, Google Health. It will be interesting to see how it all works out. Is there a market for this? Will privacy concerns ruin the soup? We'll see.
OCR Brochures
Posted on May 19, 2008OCR HIPAA Privacy Brochures: The Office of Civil Rights, assigned to enforce HIPAA privacy, has published HIPAA privacy brochures for consumers, in several languages. You can access them here.
Doctor email
Posted on May 16, 2008Doctor Email: Most people want to be able to communicate with their doctor by email. Many would even be willing to pay extra for it. But still, most doctor's don't do it. Why? Mainly because of concerns about privacy and security. The privacy Nazis have them scared...
PHR by cellphone
Posted on May 15, 2008iPHR?: AccessMyRecords.com, an online personal medical record vendor, has added functionality that will allow smartphone users to access their medical records via their cell phones. Very interesting idea, from the "patient empowerment" standpoint. But I'm sure the privacy nazis think it's a terrible development...
Privacy Needed for E-Prescribing
Posted on May 14, 2008Privacy Needed for E-Prescribing Efforts: The Coalition for Patient Privacy has asked Congress to implement 11 specific measures to make sure that the drive toward electronic prescribing of medications does not lead to the disclosure of patient medical information...
Oklahoma criminal HIPAA violation
Posted on May 14, 2008Now from Oklahoma: from today's Modern Healthcare Daily Dose news email: Okla. woman faces prison, fine for HIPAA violation A 30-year-old Oklahoma City woman pleaded guilty to one count of a criminal violation of the privacy protection provisions of the Health Insurance Portability and Accountability Act of 1996, according to a news release by U...
UCLA snoopers
Posted on May 13, 2008It's now up to 68: That's how many UCLA Medical Center staff members have been implicated in the celebrity-PHI-snooping scandal that came about after Britney went wacko.
New OCR Data website
Posted on May 12, 2008New from OCR: The Office of Civil Rights of HHS, which is tasked with enforcing the HIPAA privacy rule, has a new website where they've put a whole ton of information on HIPAA violations, enforcement actions, complaint receipts, and lots of other information, on a state-by-state basis...
Sevocity EMR
Posted on May 09, 2008Sevocity is OK: The Certification Commission for Health Information Technology has certified the EMR system offered by Conceptual Mindworks. Sevocity passed the CCHIT's requirements for security, interoperability, and functionality. And the folks at Conceptual Mindworks are good folks, too -- I've worked with them for years on ensuring that Sevocity meets and exceeds all HIPAA requirements.
video
Posted on May 07, 2008National HIPAA Summit video: this week's installment: Organizing a Privacy Program.
Identity thiefs use PHI
Posted on May 07, 2008PHI is a Data Thief's Gold Mine: As this article in USA Today points out, data thieves know that medical information is a good place to find the information they need to steal your identity. There are two branches of this to be aware of: the thieves who get your social security number and other information to set up bogus credit cards and otherwise access your credit and/or accounts for their
New HIPAA Summit video - GLB and HIPAA
Posted on April 30, 2008New Video Posted: this is a pretty cool feature. The National HIPAA Summit folks have loaded some of their presentations onto streaming video, so you can watch them from the comfort of your computer screen. Here's the latest, featuring hot topics in HIPAA, Gramm-Leach-Bliley and state privacy laws.
UCLA Staffer Lawanda Jackson
Posted on April 29, 2008UCLA Staffer Charged: Lawanda Jackson, an administrative staffer at UCLA Medical Center, has been charged with selling celebrity medical information to tabloids. More to come.
Access to medical records
Posted on April 29, 2008Access to Medical Records: For some people, there's not enough access. For certain others (sorry, subscription needed for the WSJ piece), too much. That's the problem with fetishizing "privacy" or "interoperability." There's got to be at least a recognition that there needs to be balance.
Doctor email
Posted on April 23, 2008Doctor email: Guess what? Most doctors don't communicate with patients via email. I'm not surprised.
UMiami data theft
Posted on April 22, 2008University of Miami Data Theft: Seems some computer files were stolen from a van belonging to the University of Miami's storage company. However, the data was stored using a proprietary program that basically serves to encrypt the information, so the University feels comfortable that nobody's information is at risk...
Your relatives' DNA
Posted on April 21, 2008You have the right to remain silent (but your relatives' DNA might testify against you): Interesting case pointed out to me by Theresa Defino at AIS Report On Patient Privacy shows how police are using DNA of relatives of suspects to pin the suspects for crimes...
PHRs for Spimes
Posted on April 21, 2008PHRs for Spimes: Seattle-based tech lawyer John Christiansen, a solid contributor to the AHLA's Health Information Technology listserv, posted an interesting observation about personal health records last night on the HIT list: I Seem to Be a Spime: Why Nobody Wants EHRs and PHRs How's that for an obscure subject line? Please bear with me; I will explain...
Andrea Smith
Posted on April 17, 2008Arkansas felony HIPAA conviction: The DOJ took a plea from a 25-year-old LPN for the highest degree HIPAA criminal charge -- disclosing PHI for personal gain. I've corresponded with the husband in the case, and it's not as bad as it seems. Elementally, though, the government's case is solid, if the result is draconian...
Google, Microsoft PHR efforts
Posted on April 17, 2008A different twist: I've noted here the efforts by some big tech companies, like Microsoft and Google, to get into the personal health record business. They hold and transfer lots of data, so it would make sense this would be a service they'd be in. Obviously, there are privacy issues -- particularly with Microsoft, there's a sense of distrust that they'd do the right thing and resist efforts to
video
Posted on April 16, 2008This week's HIPAA video: it's on coordinating your privacy and security operations.
Wellpoint Data Breach
Posted on April 16, 2008Wellpoint Data Breach: Seems health insurer Wellpoint inadvertently exposed some subscriber data to access via internet. There was some health information such as subscription records, but the worst is probably information that could be used for identity theft...
NY Pres Data Theft
Posted on April 14, 2008New York Presbyterian: Yet another story of a staff member improperly accessing records, but in this case, it's theft rather than idle (idol?) curiosity. He didn't steal medical information, but rather demographic information that could potentially be used for ID theft, and he sold it for 75 cents a name.
UCLA breaches
Posted on April 14, 2008UCLA Privacy Breaches: someone commented earlier on the post about Britney, and how the doctors weren't punished as harshly as the staff. My suspicion was that the doctors aren't employees, so the hospital doesn't have the ability to punish them as much (for example, the hospital can't revoke their medical staff privileges without giving them a fair hearing)...
HIPAA effectiveness questioned
Posted on April 09, 2008Is HIPAA Enough? In the wake of the UCLA celebrity-watching debacle, it seems a lot of folks are looking at it and determining that the law isn't strong enough. I say, this looks a lot like the response of knee-jerks who say more gun control would prevent gun tragedies like Virginia Tech...
Kroll study
Posted on April 09, 2008A New Study: According to a study by Kroll Fraud Solutions, health care industry participants pay so much attention to medical record privacy and compliance that they miss the boat when it comes to patient identity theft. Now, Kroll is in that business, so it's understandable that that's what they'd see; but I tend to agree...
Schwarzenegger
Posted on April 08, 2008From Modern Healthcare's "Daily Dose" newsletter: Schwarzenegger vows to tackle privacy woes SchwarzeneggerCalifornia Gov. Arnold Schwarzenegger said his administration will work with hospitals to stop patient data security breaches, adding that he is among the celebrities whose confidential records have been breached...
More celebrity sightings (UCLA)
Posted on April 07, 2008More Celebrity Sightings: Seems Britney wasn't the first UCLA Medical Center patient to suffer a little medical record peek-a-boo. According to this story, at least one "rogue" employee went sniffing into medical records of quite a few celebrities. As Kirk Nahra points out, this is a pretty good opportunity to look at your own access logging practices to see if you have employees peeking where
NPI by May 23
Posted on April 04, 2008National Provider Identifier: If you're not using an NPI by now, you can't do a HIPAA electronic transaction without it, starting May 23.
New HIPAA video
Posted on April 02, 2008New HIPAA video: on CHP, CHSS, CHA and other certifications.
Wellness Plans
Posted on April 02, 2008Wellness Plans: According to this article, they might not be as useful as some people think. Why is this on-topic? Well, one of the potential weak spots for wellness plans (where a company or insurer offers some benefit to employees or beneficiaries who live healthy lifestyles -- since those healthy lifestyles reduce health insurance costs) is the HIPAA non-discriminition rule...
California PHR
Posted on April 02, 2008California Physician Clinic offers Free PHR to Patients: Bright Health Physicians, apparently in connection with installing an electronic medical record system, will offer an on-line internet-accessable personal health record for its patients. This seems like a good model to push out PHRs to patients -- start with the primary care doctors who will have most if not all of the records for most of
Wal-Mart abandons subrogation claim
Posted on April 02, 2008Wal-Mart Abandons Subrogation Claim: This story is off-topic, but interesting for healthcare players. A Wal-Mart employee was hurt in a traffic accident. Her insurance through Wal-Mart (that's right, contrary to what you've been told, apparently Wal-Mart DOES provide insurance to its employees) paid her medical bills, which amounted, apparently, to $400,000...
HHS announces enforcement stats
Posted on March 31, 2008Enforcement so far: From BNA: The Department of Health and Human Services has not imposed any fines for violations of the Health Insurance Portability and Accountability Act's privacy rule, but stricter penalties may be necessary in the future if violators do not voluntarily come into compliance, an HHS official said March 27...
who really pays?
Posted on March 28, 2008Who really pays for healthcare? Please read this article. I get so bugged when people say, reflexively, that "the government ought to pay for" this or that. I also get bugged when people say corporations or businesses ought to pay. The government doesn't have money, at least not its own...
CareFirst BCBS (baltimore) data release
Posted on March 27, 2008Maryland HMO accidently releases data: Dates of birth and social security numbers were inadvertently accessible through a website of CareFirst BlueCross BlueShield's dental HMO. No known ID theft from it yet, but free credit checking has been offered.
Dr. Woodcock
Posted on March 27, 2008[Off topic] OK, I'll admit it: I'm totally juvenile. But still, read this article, and see if you can see what made me snort coffee out my nose. This type of post is why Jackson Walker won't let me put this blog on jw.com.
Texas AG - CVS
Posted on March 27, 2008CVS Settles with the Texas AG: I've reported before on the complaint filed by the Texas Attorney General, Greg Abbott, against CVS, after some dumpster-diving showed that CVS was throwing out, in the regular trash, paper records that contained PHI. The case has been settled, with CVS agreeing to institute new policies and procedures to protect information, and paying a $315,000 fine...
video - information security
Posted on March 26, 2008New Video: on information security in a healthcare environment.
NYT editorial on NIH data loss
Posted on March 26, 2008Editorializing: Here's a stupid editorial by the NY Times (wait, is that redundant?) on how the NIH breach points out the need for a new medical privacy law. As you probably know (I didn't even blog about it, it was so heavily covered), a researcher at the National Institutes of Health had stolen from the trunk of his/her car a laptop with information about cardiac imaging patients...
Heparin, Chinese contamination
Posted on March 21, 2008Slightly Off-Topic: Heparin with MSG: You've doubtless heard about the tainted Heparin causing deaths in America. Turns out the blood thinner in question was manufactured in China, and instead of the proper ingredients had over-sulfated chondroitin sulfate in it...
HIPAA video
Posted on March 19, 2008This week's HIPAA video: More video; this week, it's on a recent study of the implications of HIPAA on medical research and electronic medical records. Ain't the internet cool? Thanks, Al Gore!
provider's privacy
Posted on March 17, 2008Who gets medical privacy? That's an interesting question discussed in this article in the Miami Herald. Do medical practitioners, who are expected to protect the medical record privacy of their patients, deserve the same privacy rights when they are being investigated for substance abuse or similar impairments, where their medical records are part ofthe investigation and proof?
Britney
Posted on March 15, 2008Clinton, Clooney, . . . and now Britney: 13 UCLA Medical Center employees have been fired, and 6 doctors face disciplinary action, after they all wrongfully snooped into Britney Spears' medical records. The hospital warned them, but they didn't listen.
Health Privacy Project
Posted on March 12, 2008Meet the new boss: The Health Privacy Project has been adopted by the Center for Democracy and Technology.
video
Posted on March 12, 2008This week's HIPAA summit video: Privacy and Security lessons from outside the health sector.
EHR features
Posted on March 11, 2008What can your EHR do for you? A lot; if it's set up and connected right, an electronic health record can not only store your information, it can capture new information and push your medical information out to your hospital and physicians. Obviously, all that sharing raises privacy issues...
Compliance resources: Just added
Posted on March 06, 2008Compliance resources: Just added a couple of links to the left: Compliance Home Regulatory Compliance Portal, which contains lots of HIPAA compliance resources, and the Supremus Group's on-line HIPAA training site.
Web Video on HIPAA Privacy Enforcement:
Posted on March 04, 2008Web Video on HIPAA Privacy Enforcement: Saw this recently, and it's really worth watching. It's from the 16th National HIPAA Summit, and it's Linda Sanches' presentation on privacy rule enforcement. Linda's the Senior Advisor to OCR's privacy training and outreach efforts.
Another reader question
Posted on March 04, 2008Another reader question: I recently brought my daughter to the emergency room. They gave me several forms to sign. One form stated "Please sign below to acknowledge that you HAVE RECIEVED...." and basically listed the Hipaa statement and the Patient Bill of Rights...