[ Friday, September 04, 2015 ]
Jeff [11:29 AM]
UCLA hasn't been in the news like this since Wooden was coaching basketball there. This time, though, it's good news.
A temp worker at a UCLA-affiliated medical practice looked up the patient's STD data and sent it to the temp's current boyfriend, who was the patient's former boyfriend. The patient sued UCLA for not keeping a tighter grip on her PHI; UCLA defended itself, saying the temp violated law and policy, and it's not UCLA's fault when an employee goes rogue. The court agreed with UCLA and dismissed the case.
Interesting Ashley Madison tie-in, though.
[ Wednesday, September 02, 2015 ]
Laptop Theft Reveals Other HIPAA Problems; Net Result? $750,000 Fine.
Jeff [2:29 PM]
Cancer Care Group, a radiation oncology practice in Indiana, had a laptop stolen with data relating to 55,000 patients. It was not encrypted. But more importantly, OCR's investigation showed no initial risk analysis and no policies on removing data on devices. CCG was not required to forbid taking data out on a laptop, nor was it required to do so only with encryption in place. But it was required to do a risk analysis, and if it had done one, it probably would've decided to take those steps. Whether it needed to take those steps no longer matters, because there was no risk analysis in the first place.
If you are a covered entity and have a breach, OCR WILL ASK FOR YOUR ORIGINAL RISK ANALYSIS, as well as any updates. If you never did one, if the one you did was a little sloppy, if it was a long time ago, if you're a lot smarter now, if your business has changed . . . you need to do one. If you don't, and if you have a breach, even if you might be innocent of major mistakes causing the breach, you're likely to be fined.
You have been warned.
[ Tuesday, September 01, 2015 ]
Go here and vote for my blog!
Jeff [4:40 PM]
It's nominated in the Niche and Specialty category. I'd appreciate it. Thanks.
"Hip apologies and procedures": That's what my voice-recognition software does with "HIPAA policies and procedures."
Jeff [10:28 AM]
[ Wednesday, August 26, 2015 ]
Texting in the Healthcare Environment:
Jeff [9:48 AM]
Here's a pretty good article highlighting the benefits and risks of texting in healthcare, with some pretty good tips as well on how to text safely and correctly if you're going to do it. Key point: "while text messaging has significant benefits, many healthcare providers do not recognize the privacy, security, and malpractice risks posed by text messaging. These risks can be mitigated through the application of technology and proper policies and procedures."
[ Monday, August 24, 2015 ]
UCLA and Medical ID Theft:
Jeff [10:44 AM]
An interesting article from the LA Times. If the intro paragraphs are indicative of how UCLA has handled this breach, I'd be awfully concerned if I ever got care at a UCLA facility. Hate to say that, but one victim gets letters intended for 9 different people? That's an additional breach. When your breach response causes more breaches, you're not doing something right (actually, you might not be doing anything right). What's the phrase, "First, do no harm"?
[ Thursday, August 20, 2015 ]
Jeff [2:48 PM]
of 4 recent breaches shows how the data breach scene is a big worry in the healthcare space these days.
[ Tuesday, August 18, 2015 ]
Advocate (Chicago) Data Breach Lawsuit Dismissal Upheld:
Jeff [10:05 AM]
The court's basic ruling is that a hypothetical future increased risk of identity theft is not "harm" for which one may sue for damages. Data on 4 million individuals was potentially disclosed, but only 2 people suffered actual identity theft (which could have been caused by some other information loss).
This will be the big issue that will impact the potential cost of data breaches (due to the ability of plaintiffs' lawyers to bring class-action lawsuits): whether the mere likelihood that you are at a greater risk of something bad happening is actual damage/harm for which a lawsuit may be brought and monetary compensation awarded.
Colorado DHS Breach:
Jeff [9:47 AM]
The Colorado Benefit Management System, which coordinates Medicaid, food and welfare assistance for the state, suffered a second data breach when letters were sent to the wrong addresses. It's not entirely clear if this is a HIPAA breach, but it probably is. Of the 3,000 or so affected individuals, some PHI was involved in about half of the disclosures. And since CBMS apparently provides services to Colorado's Medicaid program, it probably is an improper disclosure by a business associate of a covered entity. Ultimately, minimal information was disclosed, and to a limited loop of recipients, so it's probably a no harm, no foul situation. But it's another example of the need to be careful out there.
[ Thursday, August 13, 2015 ]
Breaches Without Damages:
Jeff [11:04 AM]
With hackers going after medical information, and with the availability and flow of PHI necessary for proper provision of healthcare, data breaches may be inevitable. But damages from breaches might be avoidable, or at least might be minimized. This seems like it's obvious advice, but good planning, solid policies, sufficient employee and staff training, and cyber-liability insurance can all reduce the likelihood of a breach, and prevent the potential for lose-the-company types of damages.
[ Wednesday, August 12, 2015 ]
Should the DEA be able to get medical records via subpoena, or is a warrant necessary?
Jeff [2:29 PM]
That's the question the 5th Circuit is going to have to answer. And while the issue is definitely of interest to the telemedicine crowd, it certainly raises privacy concerns, especially if those medical records are yours or mine.
Do you trust the federal government not to abuse this sort of power? Once upon a time I did, but not so much anymore.
Jeff [11:06 AM]
I'm sorry, but I can't help but think of Orwell:
Jeff [11:03 AM]
Or maybe Jacques Derrida. We are now living in a truly Post-Modern world.
A patient with an XY chromosome pair was admitted to a Brooklyn hospital and placed in a semi-private room with another patient with an XY chromosome. Of course, OCR investigated. While no fine was levied, the hospital had to adopt a slew of new policies and train its staff.
Consider the possibilities. . . .
[ Wednesday, August 05, 2015 ]
MIE (Indiana) Breach:
Jeff [3:39 PM]
While I was away on vacation, Indiana EHR vendor Medical Information Exchange apparently was hacked. Now, the breadth of the hack is becoming known, and it looks pretty bad. As many as 3.9 million people are potentially affected. Fortunately, financial data wasn't included, but SSNs were, as well as lots of medical information. Whoever is putting together this big data project on the Dark Web is going to have a lot of info to work from. The Indiana AG is investigating, which means big fines are likely.
[ Tuesday, August 04, 2015 ]
Jeff [2:18 PM]
[ Friday, July 31, 2015 ]
Social Media and HIPAA:
Jeff [11:15 AM]
I haven't given a speech on medical use of social media in a couple of years so I haven't been thinking about it, but it seems to keep coming up. Here's a decent article highlighting the risk that what you think is "de-identified" isn't.
[ Tuesday, July 28, 2015 ]
Bleg (blog-based beg):
Jeff [11:43 AM]
If you like the blog, go here and nominate it for the niche/specialty category.
[ Monday, July 27, 2015 ]
Georgia CCSP Breach:
Jeff [11:10 AM]
A state senior services organization suffered a data breach, apparently when an email was sent that included diagnosis data for about 3,000 people. Apparently no Social Security numbers or other ID-theft type of data was included in the breach.
[ Tuesday, July 21, 2015 ]
Cell Phones in the OR:
Jeff [1:12 PM]
I saw the headline for this article in the Atlantic, but when I read it I saw it wasn't focused on what I perceive to be the bigger problem. The Atlantic is looking at the "don't text and drive" aspects, while my usual concern with texting has to do with security and medical record issues, so I didn't link to it. But then I got my afternoon email from FierceHealthIT, and sure enough they highlighted the data privacy and security issues OR texting raises.
In my experience, if you call a surgeon's cell phone during normal "operating" hours, you're as likely as not to get someone (a scrub nurse or tech, usually) answering the phone with the phrase, "Dr. _______'s phone." And if everyone's dropped their phones in the same location and a phone goes off with a text, someone's going to pick up each phone to see who got the text. AND, unless you're using secure texting software, the nurse or tech is likely to read PHI that he or she shouldn't have access to. You can see the problem there -- So think before you text, especially in the OR.
So Many Breaches, But So Few Lawsuits:
Jeff [10:42 AM]
Wonder why? It's mainly because a plaintiff in a lawsuit generally must show how he/she has been damaged, and to be honest, most data breaches don't cause calculable damages. And courts tend to throw out cases where the damages are purely speculative, as in these Illinois cases. Sometimes identity theft occurs and you can prove it. Sometimes, as in the Walgreens case, actual pain and suffering can be proven. But if the breach merely causes the plaintiff to be at greater risk of identity theft and nothing more, that's going to be a hard case for a plaintiff to win.
[ Monday, July 20, 2015 ]
More on the UCLA data breach here.
Jeff [4:06 PM]
Using HIPAA as an Excuse:
Jeff [4:03 PM]
Interesting article in the NYTimes on misunderstanding HIPAA. Just wish they wouldn't spell it "Hipaa." It's an acronym; use all caps.
[ Friday, July 17, 2015 ]
Jeff [1:53 PM]
[ Thursday, July 16, 2015 ]
Good News, HIPAA's designed to do just that:
Jeff [2:47 PM]
John Halamka (Beth Israel Deaconess CIO) and Deven McGraw (current OCR Deputy Director for Health Information Privacy) have jointly penned a commentary at AHRQ warning against overly-zealous PHI protection that prevents proper data transfers (to other providers and caregivers) or jeopardizes care (when data protection efforts prevent legitimate patient identification or cause mis-identification).
Covered Entities sometimes hide behind HIPAA and refuse to share data when it can be and should be shared. Sometimes there's an underlying commercial reason to resist data sharing; the current issue of EHR non-interoperability is a good example of that. Sometimes it's well-intentioned overzealousness. Most of those incidents involve someone misconstruing HIPAA's restrictions, and it's led some critics to say that HIPAA needs to "keep up with the times."
As John and Deven point out, though, "HIPAA's framework may need to flex and bend to meet the needs of a new health data ecosystem." The good news is that HIPAA's original and current framework do just that. What's reasonable and appropriate, what's the minimum necessary amount of PHI, what technology is safe and appropriate, and what safeguards are reasonable all change with the circumstances, including changing technological capabilities, risks, protections, and options.
HIPAA's technological neutrality, scalability, and reasonableness standards ensure that it's always up to date. Be safe, keep your data secure, and err on the side of protecting data, but don't harm your patients or hinder the delivery of healthcare to them. If you think you can't share data, double check that impulse, particularly if there might be an ulterior motive for refusing to share the data.
UPDATE: I brainfarted and conflated John Halamka with John Parmagiani. Fixed above; in the words of my former governor, Oops.
[ Monday, July 13, 2015 ]
St. Elizabeth (Brighton, MA) breach:
Jeff [1:59 PM]
Not having policies and procedures, not vetting internet-based document storage apps (e.g., Dropbox), and losing laptops and flash drives can cost you a quarter million dollars. At least that's what it cost St. Elizabeth Medical Center.
What's interesting to note in the settlement agreement is that it was not simply using Dropbox (or whatever app they were using) that resulted in the violation; it was that they didn't do a risk analysis on whether they should use it. I suspect that if they had done a risk analysis and reasonably determined that using Dropbox was safe (maybe the data was mostly de-identified, maybe the Dropbox access was tightly controlled and audited, maybe some other safeguards made it palatable), OCR wouldn't have fined them, or at least not this much.
Failing to have done a risk analysis on using Dropbox might also indicate that SEMC didn't do other risk analyses; at any rate, not doing one on the Dropbox use eliminates their ability to claim that it was safe regardless.
I can't urge more strongly that you do a risk analysis, and redo it regularly (probably every year, unless you've got a really good reason to wait longer).
[ Thursday, July 09, 2015 ]
Jeff [3:32 PM]
If you follow sports you probably know that a couple of NFL players lost fingers due to fireworks accidents over the 4th of July weekend. But Adam Schefter, an ESPN reporter, just tweeted a screen shot of Jason Pierre-Paul's medical record showing that his right index finger was amputated. How did the ESPN reporter get the medical records?
NFL players have less medical record privacy than other folks due to their collective bargaining agreement and their individual contracts. In fact, part of the NFL's rules require teams to post "injury reports" every week during the season, which obviously contain medical information. The teams aren't HIPAA covered entities (nor, obviously, is ESPN), but team trainers may be (especially if they are doctors), and facilities where players are treated are. So while they might have to give up some privacy, that's limited. When Peyton Manning injured his neck and missed time playing for the Indianapolis Colts (which led to his release and move to Denver), he said, "I don't know what HIPAA stands for, but I believe in it and I practice it."
So, how did Adam Schefter get the records?
Breach Notification:
Jeff [12:36 PM]
Great article on when to report a data breach, and why over-reporting can be as bad as under-reporting. Be honest and legit in your breach risk analysis, but be fair to yourself as well. And be prepared: if you report something, you're likely to have to "open the kimono" to OCR. If your HIPAA activities have not been up to par, be ready for some harsh scrutiny.
Big takeaway: Do your risk analysis. Maybe it wouldn't have stopped the breach, but you can't prove that, so the excuse won't fly. When was the last time you did a formal risk analysis? Idaho State paid $400,000 because it hadn't done one in several years.
[ Wednesday, July 01, 2015 ]
Cybersecurity: The New Front Line in the HIPAA Security War?
Jeff [2:33 PM]
Some recent headlines have indicated that a majority of HIPAA breaches are now the result of "intentional" or "criminal" actions; that may be true, but the implication that the theft of the data is intentional isn't. In most cases involving theft, a phone, laptop, or other valuable asset is the true target of the "intentional" or "criminal" act, not the data on the device.
However, it is true that intentional attempts to steal data have dramatically increased, through cybersecurity incidents. Two-thirds of respondents to this HIMSS survey said their organizations were victims of some form of cybersecurity issue recently. Obviously, the respondent pool is primarily made up of large healthcare businesses and not small practices, so this could be over-represented; but it's also true that HIMSS members are much more likely to be focusing on, and defending against, cyber intrusions. Smaller operators, like smaller physician practices, aren't as attractive a target in terms of the amount of data that could be stolen, and are also less likely to be as interconnected as a large business. On the other hand, their defenses will be much lower.
A la Willie Sutton, cyber thieves will always target the big players because "that's where the data is." But small providers have just as much to worry about: cyber thieves would like a more "target-rich environment," but might also be attracted to the lack of safeguards and protections in the small provider community.
As always, now is a good time to take a look at what you're doing to find your vulnerabilities, fix your weaknesses, cover your risks, and prepare for bad incidents. When did you last do a risk analysis, and did you address cybersecurity specifically?
[ Wednesday, June 24, 2015 ]
Jeff [5:06 PM]
was just a bored employee snooping on about 5 random patients a day. Seems like no harm/no foul; but it would be really interesting to hear what the employee thought he/she was doing.
[ Saturday, June 20, 2015 ]
Medical Identity Theft:
Jeff [5:01 AM]
There's certainly been a lot of talk about medical identity theft (here and elsewhere) lately, but now we know that it's on the rise: according to the Ponemon Institute, these types of thefts are up 22% over the preceding year. Although medical ID thefts still make up only a small portion of overall data breach incidents, the trend is still extremely troubling, given the potential for life-or-death consequences.
[ Wednesday, May 27, 2015 ]
Beacon Health (South Bend, Indiana):
Jeff [10:09 AM]
Another day, another hack. Today's unlucky victim is Beacon Health.
It looks like only emails were compromised, and so far there's no actual evidence of misuse. No indication of how it happened, but I'd suspect phishing.
[ Friday, May 22, 2015 ]
Next Phase of OCR Audits:
Jeff [2:11 PM]
Have you received a survey notice from OCR in the last few days? It appears that the long-awaited second phase of audits is finally rolling out. Nobody outside OCR knows for sure if these are all that are coming, or if everyone who gets a survey will get audited. So, if you got a survey, it doesn't necessarily mean you'll be audited (but it's more likely than if you didn't). And if you didn't get a survey it doesn't necessarily mean you're in the clear (but again it's more likely than if you got a survey).
[ Wednesday, May 20, 2015 ]
Latest Hack Victim: CareFirst BCBS.
Jeff [5:10 PM]
Doesn't sound so bad, but I've learned to wait for the rest of the shoes to drop.
[ Wednesday, May 13, 2015 ]
Indiana State Medical Association Breach:
Jeff [3:00 PM]
The IT chief of the ISMA, of all people, lost a laptop and two hard drives containing Social Security Numbers and medical information of about 40,000 beneficiaries of the Association's health insurance plan. Apparently they were (i) unencrypted and (ii) left in plain sight in his unlocked car. In addition, he failed to report the theft for 24 hours.
Possible upside: ISMA's insurance is through Anthem, so maybe all of the data had already been stolen when Anthem got hacked.
[ Tuesday, May 05, 2015 ]
Is this a HIPAA breach?
Jeff [5:20 PM]
A guy had a leg amputated, and the hospital threw the leg in the trash, with the patient's name written on it. The cops found it in the landfill and, as you might expect, checked up on the guy, thinking foul play might've been involved.
One could argue that, while the name written on the leg is definitely an identifier, the leg itself is not "information" and therefore this could not be protected health information. However, the presence of the leg (with the identifier) implies some information, even if it's not "information" itself.
I would suspect OCR would consider this to be PHI, based on past experience, but if you wanted to say it wasn't, I'd say you at least would have a leg to stand on.
Hat tip: Ron Holtsford
Baltimore Riots:
Jeff [4:42 PM]
Anyone know whether CVS suffered a data breach when their store was looted? An inquiring reader of the blog (from Birmingham Montgomery, AL) raised the issue, and it's definitely interesting.
My assumption would be that the store operates on some sort of dumb terminal pharmacy information system for the drug records, so that there's no real data stored in any of their drugstores; it appears on the in-store computers while they are being used, but isn't stored there, so that when the computers are powered down and disconnected from the central network, they don't have PHI. Of course, there would be some PHI in the form of paperwork, particularly in the bags of filled-but-not-purchased prescriptions. There might be some other paper records as well. And CVS should have disaster recovery systems to determine whose filled prescriptions were potentially taken, but I'm not sure how well they'd be able to tell if any other paper records were compromised.
Could be an interesting exercise at CVS right about now. . . .
Jeff [4:28 PM]
this time it's Partners Healthcare in Boston, and 3300 patients are affected. The good news is that the EHR itself wasn't compromised, just some PHI in some email accounts (presumably internal emails only . . . ).
[ Tuesday, April 28, 2015 ]
Jeff [9:20 AM]
[ Monday, April 27, 2015 ]
Another Pharmacy Trashing Patient Information:
Jeff [10:24 PM]
This time it's a small compounding pharmacy (Cornell Prescription Pharmacy in Denver) rather than a national chain, but unshredded paper records in the trash are the culprit. Importantly, the pharmacy did not have HIPAA policies and procedures in place. No known harm was done, but the fine was $125,000.
"Failure to implement any written policies and procedures" equals $125,000. Key word: any.
[ Monday, April 20, 2015 ]
Workplace Wellness Programs:
Jeff [12:57 PM]
Do you have one? Is it covered by HIPAA? Maybe, maybe not.
Big HIPAA fines are coming
Jeff [11:11 AM]
. . . . I keep hearing this, and I'm sure there will be some doozies.
[ Wednesday, April 15, 2015 ]
More on Medical Identity Theft:
Jeff [11:55 PM]
Certainly getting a lot of attention.
UPDATE: I've got to say that's a little misleading. "Nearly 60% were the result of theft" makes it sound like there were 600 breaches affecting about 20 million people, where the data was stolen for nefarious purposes. But that ain't true in the least. Yes, that many people had their data impacted by a theft, but the theft was not a theft of the data -- it was a theft of a laptop or flash drive or cell phone or some other piece of technology that could be sold (the equipment, not the data) for a profit. In virtually all of those cases, the thief had zero interest in the data. Those are "crackhead" cases, and in virtually all of those, the thief deleted or destroyed the data at the first opportunity. Theft, yes; theft of the data, not really.
[ Friday, April 10, 2015 ]
Another Individual HIPAA Criminal prosecution:
Jeff [1:49 PM]
this time a hospital respiratory therapist who accessed patient data. No indication in the article what she was attempting to do with the data, but since it's a criminal complaint, I suspect either identity theft or personally-motivated snooping.
[ Tuesday, March 31, 2015 ]
Jeff [2:18 PM]
[ Monday, March 30, 2015 ]
Jeff [4:10 PM]
[ Thursday, March 26, 2015 ]
Medical Identity Theft:
Jeff [9:25 AM]
yet another story on how it's the fastest growing type of identity theft. Some good points about your strategy for preventing it; it should include:
- Encryption: at least consider it, but realize that it doesn't always help. In the Anthem hack, for example, the hackers got access to system administrator accounts, so they had the encryption key anyway.
- Data Loss Prevention: DLP encompasses several concepts, such as software to analyze data access and use, and systems to see when data is moved into or out of the system. It is always a good idea.
- Cyber insurance: check out prices and see if it's worthwhile to you. But make sure you know what you are buying: what is covered, what isn't, who pays first dollar, who picks the breach response and rehabilitation vendors, and where does the coverage end.
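As an added illustration of the "analyze data access and use" half of DLP (example code written for this page, not from the article or from any vendor's product), the Python below reviews constructed EHR audit-log lines for two patterns worth a second look: record views by a user with no documented treatment relationship to the patient, and a user opening more distinct patient records in a day than a chosen threshold. The log format, the user and patient ids, the CARE_TEAM table and the threshold of four patients a day are all assumptions made up for the example.

```python
"""Access-audit review over EHR audit-log lines (constructed sample data).

Two checks a DLP / access-analysis review would surface:
  1. a user opening records of patients they have no treatment relationship with;
  2. a user touching unusually many distinct patients in one day.
Everything below (log format, ids, care teams, threshold) is made up for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed audit log: "YYYY-MM-DD HH:MM user=<id> patient=<id> action=<verb>".
SAMPLE_LOG = """
2015-06-01 08:02 user=rn_alice patient=P100 action=view
2015-06-01 08:10 user=rn_alice patient=P101 action=view
2015-06-01 09:30 user=dr_bob patient=P100 action=view
2015-06-01 11:15 user=clerk_dan patient=P100 action=view
2015-06-01 11:16 user=clerk_dan patient=P102 action=view
2015-06-01 11:18 user=clerk_dan patient=P103 action=view
2015-06-01 11:20 user=clerk_dan patient=P104 action=view
2015-06-01 11:25 user=clerk_dan patient=P105 action=view
2015-06-02 10:00 user=rn_alice patient=P101 action=print
2015-06-02 10:05 user=dr_bob patient=P104 action=view
"""

# Constructed treatment relationships: patient id -> users on that patient's care team.
CARE_TEAM: Dict[str, Set[str]] = {
    "P100": {"rn_alice", "dr_bob"},
    "P101": {"rn_alice"},
    "P102": {"dr_bob"},
    "P103": {"rn_alice"},
    "P104": {"dr_bob"},
    "P105": set(),
}


@dataclass(frozen=True)
class AccessEvent:
    day: str      # YYYY-MM-DD, taken from the log timestamp
    user: str     # workforce member who opened the record
    patient: str  # patient record id
    action: str   # view / print / export


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one audit line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {}
    for token in parts[2:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return AccessEvent(parts[0], fields["user"], fields["patient"], fields["action"])
    except KeyError:
        return None


def parse_log(lines: Iterable[str]) -> List[AccessEvent]:
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def unrelated_accesses(events: Iterable[AccessEvent],
                       care_team: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Accesses by users with no documented treatment relationship to the patient."""
    return [ev for ev in events if ev.user not in care_team.get(ev.patient, set())]


def high_volume_users(events: Iterable[AccessEvent],
                      max_patients_per_day: int) -> Dict[Tuple[str, str], int]:
    """(user, day) pairs whose distinct-patient count exceeds the threshold."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in events:
        seen[(ev.user, ev.day)].add(ev.patient)
    return {key: len(patients) for key, patients in seen.items()
            if len(patients) > max_patients_per_day}


def review(lines: Iterable[str], care_team: Dict[str, Set[str]],
           max_patients_per_day: int = 4) -> dict:
    """Run both checks and return a review queue for a privacy officer."""
    events = parse_log(lines)
    return {
        "unrelated": unrelated_accesses(events, care_team),
        "high_volume": high_volume_users(events, max_patients_per_day),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines(), CARE_TEAM)
    for ev in result["unrelated"]:
        print(f"no treatment relationship: {ev.day} {ev.user} -> {ev.patient} ({ev.action})")
    for (user, day), count in result["high_volume"].items():
        print(f"high volume: {user} opened {count} distinct patients on {day}")
```

The output is a review queue, not a verdict: an emergency department clinician legitimately opens far more than four charts a day, so the threshold has to be set per role, and a "no relationship" hit may simply mean the care-team table is stale. The value of the exercise is that it turns the "bored employee snooping on five random patients a day" pattern into something a privacy officer sees the next morning rather than months later.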
[ Tuesday, March 24, 2015 ]
A "Security Culture":
Jeff [4:25 PM]
does your hospital have one? Here are four traits
common to hospitals with a security culture, at least according to Sue Schade of FierceHealth IT. Although I think the middle two have a whiff of rent-seeking, I can't argue with 1 and 4.
[ Monday, March 23, 2015 ]
2015: Year of the Healthcare Data Breach.
Jeff [10:32 AM]
It's sure in the news a lot right now.
[ Thursday, March 19, 2015 ]
What To Do If You're Hacked:
Jeff [2:21 PM]
These should be self-evident, but might not be. They are all elements in a decent "Breach Incident Response Plan." Do you have a BIRT? You should get one; email me and I'll give you some help.
Target: I hear (h/t Lynn Block) that Target has settled the class action for $10,000,000, offering up to $10,000 to any individual who can prove damages caused by the breach. That's certainly a lot cheaper than I would have expected, and I suspect it's well below the "brand damage" losses Target suffered already.
Jeff [1:44 PM]