[ Wednesday, November 25, 2015 ]
This seems like a stretch: doctors' offices entered a wrong fax number, so the data went somewhere other than the lab company (Quest Diagnostics), and the lab company gets sued.
Jeff [12:08 PM]
Yet Another Reason to Boost Your CyberSecurity: it can now impact your credit rating, at least if you're a non-profit hospital.
Jeff [11:59 AM]
[ Tuesday, November 24, 2015 ]
Jeff [10:38 AM]
Connecticut AG Takes HIPAA Action: As you know, the HITECH Act gave state attorneys general the ability to pursue legal actions for HIPAA violations in their states. I was just having a conversation yesterday with one of my favorite reporters about the fact that so few state AGs have jumped into this role. One that has is the Connecticut AG's office, which recently fined Hartford Hospital and its business associate EMC $90,000 because an unencrypted laptop containing the PHI of almost 9,000 patients was stolen from an EMC employee's house.
Jeff [8:42 AM]
[ Friday, November 20, 2015 ]
Looking for a good cybersecurity seminar and training session? You might want to check this out.
Jeff [10:07 AM]
Surprise: Only "HIPAA Covered Entities" are covered by HIPAA. I think that's why they call them "covered entities."
A couple of points that should be cleared up. First, HIPAA doesn't apply, but other privacy laws might: if the data is financial, Gramm-Leach-Bliley would apply; state data laws might also apply, depending on what is in the data and the specific state laws. And the FTC is certainly likely to be interested; just ask LabMD or Wyndham Hotels. Also, as the story indicates, in each case, when the data insecurity was brought to the company's attention, they fixed it. Second, if you think genetic information is essentially the same thing as what's in your medical record, you don't know much about the practice of medicine (I guess lots of law professors don't know much about medicine).
PS: yes, I know HIPAA also covers business associates in certain matters. But not in all matters, so I stand by my locution.
Jeff [9:52 AM]
[ Monday, November 16, 2015 ]
HIPAA Insurance: Do you have it? Do you like your carrier? Let me know (at jdrummond - at - jw - dot - com). People occasionally ask me for recommendations, and my knowledge can be somewhat limited.
Jeff [11:13 AM]
[ Friday, November 13, 2015 ]
FTC Loses Big Data Breach Case: Of course, LabMD is dead from the weight of having to fight the FTC, but you gotta break some eggs to make an omelet, amirite?
Jeff [10:04 PM]
LabMD had policies and procedures that were likely sufficient for HIPAA compliance, but an employee violated the policies and put some P2P software on his company computer that allowed some data to be downloaded by others. As far as can be proven, only one incident of downloading occurred, by a cybersecurity firm working in the P2P space. Possibility of harm? Yes. Probability of harm? Er, no way.
Big H/T: Dissent Doe
UPDATE: I didn't notice until today that the decision was by an Administrative Law Judge, employed by the FTC itself. That makes this even bigger news.
Top 10 Health Tech Hazards in Hospitals: Actually, most of these aren't hardware or software problems, but really human error (what we used to call "meatware"): failure to train, failure to have appropriate policies, failure to operate things correctly. But it does indicate how technology can exacerbate problems or multiply the damage they can cause.
Jeff [11:12 AM]
Jeff [9:51 AM]
Jeff [9:16 AM]
State Agencies' Ability to Access Patient Records Without a Warrant: Interesting (if "inside baseball-y") case in California asking whether it violates the California constitution for the California Medical Board to access controlled substance records relating to specific individuals while investigating the individuals' physician. A patient complained to the CMB about his physician; the CMB obtained that patient's records, as well as records of other patients of the same physician, from the California Controlled Substance Utilization Review and Evaluation System (CURES), which is used to track down pill mills. The CMB put the doctor on probation for failing to maintain sufficient records for the patient who complained, but also put him on probation for 2 other patients whose CURES records indicated they had been overprescribed. The doctor sued the CMB, saying they have the right to access the records of the complaining patient, but accessing the records of the other patients violates those patients' right to privacy. The AMA has joined the suit on behalf of the doctor.
Off the top of my head, I would say that the underlying answer is a state law question: does California law allow the CMB to access individual patient records without authorization from the specific patient while conducting a proper investigation of the physician? If so, HIPAA would allow it. HIPAA allows HHS to look at an individual patient's medical records while investigating a hospital or physician for Medicare or Medicaid fraud, and I would suspect most state medical practice acts would allow the state medical board to have the same level of access while conducting legitimate board purposes, such as investigating a physician. I suspect the California legislative and regulatory language must be more mushy.
The general rule, of course, is that PHI may be used or disclosed where legally required. A similar case is playing out in Oregon, where the DEA attempted to access records of the Prescription Drug Monitoring Program using administrative subpoenas, and the PDMP refused, demanding that either a search warrant or court order be presented for them to clear the HIPAA hurdle. There's a federalism slant to that one, and it's police power (the DEA is like the cops) versus administrative power (CMB or CMS have power over California licensed doctors and Medicare/Medicaid providers, respectively), but the underlying question is the same: whether and how the information in those types of databases can be accessed. It certainly makes sense that they could be accessed when looking to take action against the physicians, but not the patients; however, is the patient's right to privacy big enough to prevent that different use? Interesting question (although it really is inside baseball for the casual HIPAA observer).
[ Wednesday, November 11, 2015 ]
Employer Not Liable for Employee's Bad Act: An Ohio court is dismissing a hospital from a lawsuit by a patient whose medical records (including an STD diagnosis) were posted on Facebook by a hospital employee. The hospital, University of Cincinnati Medical Center, argued that the employee's acts were outside of her employment, so the hospital is not liable.
This case stands in contrast to the Hinchy v. Walgreens case, where a Walgreens pharmacist looked at the medical records of her boyfriend's ex-girlfriend (looking for STDs, of course). In that case, Walgreens was held liable. Different states, different laws, different courts. And it goes without saying that these cases are only arguably about HIPAA; they really are about the state law requirements in the two states, and about whether the deep-pocket employer has to pay the cost for the damage caused by the rogue employee.
Jeff [1:20 PM]
[ Tuesday, November 10, 2015 ]
The Cyber Risks of "Networked Medical Devices": Most medical devices now capture, manipulate, and store data, but many also transmit it to other devices, EMRs, or directly to physicians, labs, clinics, or other providers. These are great advances in science and medicine, but they also bring sometimes unanticipated risks. One of these risks is the vulnerability of the data to hacking, which could include not only theft of the data, but revisions to it as well.
The OIG has included cybersecurity of networked medical devices on its 2016 Work Plan, which shows how important this issue is.
Jeff [2:13 PM]
Are Attorneys Entitled to the "HIPAA Rate"? Interesting question. I would say no (and at least Region III of OCR agrees), unless they are "smart shoppers" and have their clients request the record. If the attorney is representing a party other than the patient, though, they'll just have to pay the higher rate.
Jeff [1:59 PM]
[ Monday, November 02, 2015 ]
Medical Privacy Rights of Minors: Interested in learning more about how HIPAA impacts patients who are minors? What can you tell the parents, and what can you keep from them? I've got a seminar coming up on the topic if you're interested. Click on the link for a discount.
Jeff [9:50 AM]
[ Tuesday, October 27, 2015 ]
Jeff [11:44 PM]
Off Topic: This made me cry, @NaomiMartin.
I run. I'm not a nut, but I run a lot, or at least I think most people would think it's a lot. I ran the Dallas Marathon last year, this summer I ran a half marathon on the Isle of Skye with my daughter, another half marathon in the spring, and I'll run the Dallas marathon half this year.
But I hate running. I'm not just saying that, I really hate running. It's boring, and most of the year here in Dallas it's ridiculously hot. But I like not being a fat blob (I'm just a little chunky instead), and running helps with that. But it also helps when I'm depressed, which happens a lot more than I'd like to admit. I've got a good life, but depression just happens sometime. When I'm down, I'll sometimes note it on my running app after a run, and I can go back later and look at how running gets me out of depression.
When I'm not training for something (in other words, when it's just my daily run), I like to knock out a 5K every morning. 3.1 miles. And I've got a great route: out my front door, west out of my neighborhood to the running trail (about .75 miles), south down the White Rock Trail running/biking trail for about 1.25 miles, then about 1.1 miles northeast to get back home. Takes me about 30 minutes to make the run, another 10 or so to cool down, depending on how hot it is. I can schedule around it. In fact, here's a picture of my regular 5K run:
Maybe you can see where the trail goes under Walnut Hill.
I would've run that run on Monday, October 12. I would've left my house a little before 8 am, passed under Walnut Hill between 8:10 and 8:15, been back home about 8:30. But it was hot (73 degrees, 73 % humidity), and I knew I'd need at least 10 minutes to cool off. I didn't have to get to the office until 10, and that timing would have been perfect: I'd have just enough time to get ready and would roll into the office right in time for my 10:00 am call. But on October 12, Columbus Day, my youngest daughter Mary had the day off school, and wanted to go to the State Fair with friends. The State Fair opens at 10 am, but I couldn't drop her off then since I needed to be at the office then. So I told her I could take her, but would have to drop off her and her friend at Fair Park 9:45. That did not leave me enough time for the whole 5K. I only had 20 minutes, realistically, or about 2 miles. So, this is what I ran:
At about 8:10 or 8:15 am on October 12, 2015, former Texas A&M wide receiver Thomas Johnson attacked David Stevens on the White Rock Trail, below the Walnut Hill bridge, with a machete, hacking him to death. David Stevens, like me, was 53 years old that day. On Sunday, Stevens' wife, Patti, unable to cope with the grief of losing the most important thing in her life, committed suicide.
Was Thomas' machete meant for me? Was I supposed to be the 53-year-old victim? Was I supposed to be on the scene not to be a victim, but to save Stevens? Was it Mary's unreasonable demand to go to the State Fair, was it Big Tex that saved me? Was it Ursuline Academy scheduling a day off for Columbus Day, was it Christopher Columbus himself that saved me?
I don't know, but hearing the heartbreak in Patti Stevens' voice in the SoundCloud clip at the bottom of the Naomi Martin piece . . . makes me cry.
Data De-Identification Carries Risk Under HIPAA: Interesting article on the risks of re-identification of de-identified data. Two key points: as Deven McGraw points out, de-identification isn't intended to be a zero-risk proposition. In fact, nothing in HIPAA is zero-risk. Even permitted disclosures for treatment purposes can over-expose data. The question is how low is the risk, what are the benefits, and do the benefits outweigh the risks.
Jeff [9:28 AM]
Second point: spot the red herring. 87% of all Americans are uniquely identified if you know their date of birth, sex, and zip code. Guess what? If you add one more data point (social security number), 100% of all Americans are uniquely identified. However, THAT AIN'T DE-IDENTIFIED DATA! Under the HIPAA safe harbor for de-identification, you must remove date of birth and replace it with year (and, if the person is 90 or older, you can't even use year, just "90 or older"). And you must remove the last 3 digits of zip code (and if the remaining zip code contains fewer than 20,000 people, you have to remove the entire zip code and only use the state name). How many Americans are uniquely identified by YEAR of birth, sex and FIRST 2 DIGITS of zip code (or state), Professor Sweeney?
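As an added illustration of the safe-harbor transform discussed above (example code, not from the post), this follows the regulation text at 45 CFR 164.514(b)(2): dates are reduced to the year, ages over 89 collapse to "90 or older", and ZIP codes keep only their initial three digits, replaced by "000" when that 3-digit area has 20,000 or fewer people. The `unique_fraction` helper then measures how many records remain uniquely identified by the quasi-identifiers before and after the transform; the 3-digit ZIP population table and the patient records are constructed placeholders, not census or real data.

```python
"""HIPAA safe-harbor de-identification of the demographic fields the post discusses.

Added example, not from the blog post. Follows 45 CFR 164.514(b)(2) for dates,
ages over 89 and ZIP codes. Population figures and records are constructed.
"""
from collections import Counter
from datetime import date

# Constructed placeholder: population per 3-digit ZIP prefix (not census figures).
ZIP3_POPULATION = {"752": 1_900_000, "036": 15_000, "100": 2_400_000}

# Direct identifiers that safe harbor requires removing outright (a subset of the
# 18 identifiers listed in the rule, enough for the constructed records below).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "address", "mrn"}


def safe_harbor_zip(zip_code, zip3_population=ZIP3_POPULATION, threshold=20_000):
    """Keep the first three ZIP digits only when that area exceeds the threshold."""
    zip3 = str(zip_code).strip()[:3]
    if zip3_population.get(zip3, 0) > threshold:
        return zip3
    return "000"  # area with 20,000 or fewer people: 3-digit prefix is zeroed


def safe_harbor_birth(dob, as_of):
    """Reduce a date of birth to its year, or to '90 or older' for ages over 89."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return "90 or older"  # no year at all for this age band
    return str(dob.year)


def deidentify(record, as_of, zip3_population=ZIP3_POPULATION):
    """Return a safe-harbor copy of one record: drop direct identifiers, generalize the rest."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "dob":
            out["birth_year"] = safe_harbor_birth(value, as_of)
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value, zip3_population)
        else:
            out[field] = value  # e.g. sex or diagnosis code may remain
    return out


def unique_fraction(records, keys):
    """Fraction of records whose combination of `keys` appears exactly once."""
    combos = [tuple(r.get(k) for k in keys) for r in records]
    counts = Counter(combos)
    return sum(1 for c in combos if counts[c] == 1) / len(records)


# Constructed sample records (fictional people, placeholder SSNs).
AS_OF = date(2015, 10, 27)
PATIENTS = [
    {"name": "A", "ssn": "000-00-0001", "dob": date(1962, 3, 4), "sex": "M", "zip": "75201", "dx": "E11"},
    {"name": "B", "ssn": "000-00-0002", "dob": date(1962, 9, 9), "sex": "M", "zip": "75230", "dx": "I10"},
    {"name": "C", "ssn": "000-00-0003", "dob": date(1925, 10, 1), "sex": "F", "zip": "03601", "dx": "J45"},
    {"name": "D", "ssn": "000-00-0004", "dob": date(1926, 1, 1), "sex": "F", "zip": "03602", "dx": "J45"},
]


def demo():
    """Uniqueness by (DOB, sex, ZIP) before and by (year, sex, ZIP3) after safe harbor."""
    before = unique_fraction(PATIENTS, ["dob", "sex", "zip"])
    deid = [deidentify(p, AS_OF) for p in PATIENTS]
    after = unique_fraction(deid, ["birth_year", "sex", "zip3"])
    return before, after


if __name__ == "__main__":
    print(demo())
```

On the constructed records every patient is unique by full date of birth, sex and 5-digit ZIP, while only half remain unique after the transform; real populations give different numbers, which is exactly the measurement the post is asking for.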
[ Thursday, October 22, 2015 ]
Must a BAA require the Business Associate to report unsuccessful Security Incidents? Yes.
I bring this up because it's a recurring issue for me. When negotiating BAAs, the BA often says, "We don't need to report unsuccessful Security Incidents; 'pings' happen all the time and never cause any problem because they never get anywhere. Asking us to report every ping is a burden we can't possibly take on." You know what? I agree. HOWEVER, the rules don't. Look at 45 CFR § 164.314(a)(2)(i)(C):
"The [business associate agreement] must provide that the business associate will . . . report to the covered entity any security incident of which it becomes aware, including breaches . . . ."
(Emphasis mine.) Security incident is defined in 45 CFR § 164.304 as follows: "Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." (Emphasis mine.) A "ping" is clearly an attempted unauthorized access, which means it is a "security incident," and the BAA provisions say that the BAA must provide that the BA will report "any" incident. The language clearly states that the BAA (or subcontractor BAA, which must meet the same requirements) must require the business associate (or subcontractor) to report "pings." In fact, stating that you need NOT report pings is directly contrary to the clear language of the regulations.
Jeff [11:26 AM]
This is, obviously, a ridiculous requirement: pings are way too numerous and innocuous to make their reporting anything but a nuisance. However, reporting them is explicitly called for in the HIPAA regulations. Since reporting pings is required, I now include it in my BAAs, but minimize the reporting to the barest minimum to still comply with the regulations: a minimal number of reports (no more often than quarterly), with minimal information (a summary statement that "our network system regularly experiences 'pings,' port scans, and similar exploratory contacts, none of which result in a successful access to our system" would be sufficient), and only when requested (which likely will be never). This complies with the requirements of the regulations but does not unnecessarily burden anyone.
You can also look at the OCR Frequently Asked Questions page. Go here and search "Security Incident Procedures," and you'll get the answer to this question:
What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?
The answer mainly deals with what a covered entity must do to respond or react to pings, but the final sentence is telling: "However, § 164.314(a)(2)(i)(C) and (b)(2)(iv) require contracts between a covered entity and a business associate, and plan documents of a group health plan, respectively, to include provisions that require business associates and plan sponsors to report to the covered entity any security incidents of which they become aware." There's that word "any" again. . . .
[ Tuesday, October 20, 2015 ]
You Have No Privacy: A few years ago, I would've said this was fever swamp stuff, but after the actions of the current administration, particularly the weaponization of the IRS, I wouldn't put it past the government to dredge through your medical records for political purposes. Sadly.
Jeff [8:54 PM]
[ Tuesday, October 13, 2015 ]
Nine Cybersecurity Tips: This isn't a bad list, and it's easy to see how there's a lot of overlap between cybersecurity concerns/activities/foci and those needed for HIPAA risk analysis and safeguards. Know where stuff is, control access and train users, add in protections, prepare for breaches, and cover the entire data lifecycle. Hard to argue with those concepts.
Jeff [10:10 AM]
[ Friday, September 18, 2015 ]
HIPAA and Lawyers: Listen to me tell you what you need to know at this seminar.
Jeff [4:25 PM]
The Battle of the Business Associate Agreements: My take is here.
Jeff [4:16 PM]
[ Wednesday, September 16, 2015 ]
Jackson Health/Jason Pierre-Paul Update: Wondering how Jason Pierre-Paul's x-ray and medical information got leaked to ESPN? Apparently, the investigation is still ongoing.
Jeff [11:17 AM]
[ Friday, September 11, 2015 ]
Jeff [11:38 AM]
A Million Gigabytes of Healthcare Data: That's what an average person will generate in his or her lifetime. Makes the idea of Big Data seem insurmountable, but as the article indicates, IBM's Watson is offering some possible structures and solutions.
Jeff [11:14 AM]
[ Thursday, September 10, 2015 ]
Jeff [9:21 AM]
[ Wednesday, September 09, 2015 ]
From the FTC: 10 tips for keeping patient data (or any data, for that matter) safe.
Jeff [2:13 PM]
[ Friday, September 04, 2015 ]
Jeff [11:29 AM]
UCLA hasn't been in the news like this since Wooden was coaching basketball there. This time, though, it's good news.
A temp worker at a UCLA-affiliated medical practice looked up the patient's STD data and sent it to the temp's current boyfriend, who was the patient's former boyfriend. The patient sued UCLA for not keeping a tighter grip on her PHI; UCLA defended itself, saying the temp violated law and policy, and it's not UCLA's fault when an employee goes rogue. The court agreed with UCLA, and dismissed the case.
Interesting Ashley Madison tie-in, though.
[ Wednesday, September 02, 2015 ]
Laptop Theft Reveals Other HIPAA Problems; Net Result? $750,000 Fine. Cancer Care Group, a radiation oncology practice in Indiana, had a laptop stolen with data relating to 55,000 patients. It was not encrypted. But more importantly, OCR's investigation showed no initial risk analysis and no policies on removing data on devices. CCG was not required to forbid the taking of data out on a laptop, nor was it required to only do so with encryption in place. But it was required to do a risk analysis, and if it had done so, probably would've decided to take those steps. But the fact that it didn't need to do so no longer matters because there's no risk analysis in the first place.
Jeff [2:29 PM]
If you are a covered entity and have a breach, OCR WILL ASK FOR YOUR ORIGINAL RISK ANALYSIS,
as well as any updates. If you never did one, if the one you did was a little sloppy, if it was a long time ago, if you're a lot smarter now, if your business has changed . . . you need to do one. If you don't, and if you have a breach, even if you might be innocent of major mistakes causing the breach, you're likely to be fined.
You have been warned.
[ Tuesday, September 01, 2015 ]
Go here and vote for my blog!
Jeff [4:40 PM]
It's nominated in the Niche and Specialty category. I'd appreciate it. Thanks.
"Hip apologies and procedures": That's what my voice-recognition software does with "HIPAA policies and procedures."
Jeff [10:28 AM]
[ Wednesday, August 26, 2015 ]
Texting in the Healthcare Environment: Here's a pretty good article highlighting the benefits and risks of texting in healthcare, with some pretty good tips as well on how to text safely and correctly if you're going to do it. Key point: "while text messaging has significant benefits, many healthcare providers do not recognize the privacy, security, and malpractice risks posed by text messaging. These risks can be mitigated through the application of technology and proper policies and procedures."
Jeff [9:48 AM]
[ Monday, August 24, 2015 ]
UCLA and Medical ID Theft: An interesting article from the LA Times. If the intro paragraphs are indicative of how UCLA has handled this breach, I'd be awfully concerned if I ever got care at a UCLA facility. Hate to say that, but one victim gets letters intended for 9 different people? That's an additional breach. When your breach response causes more breaches, you're not doing something right (actually, you might not be doing anything right). What's the phrase, "First, do no harm"?
Jeff [10:44 AM]
[ Thursday, August 20, 2015 ]
Jeff [2:48 PM]
of 4 recent breaches
shows how the data breach scene is a big worry in the healthcare space these days.
[ Tuesday, August 18, 2015 ]
Advocate (Chicago) Data Breach Lawsuit Dismissal Upheld: The court's basic ruling is that hypothetical future increased risk of identity theft is not "harm" for which one may sue for damages. Data on 4 million individuals was potentially disclosed, but only 2 people suffered actual identity theft (which could have been caused by some other information loss).
Jeff [10:05 AM]
This will be the big issue that will impact the potential cost of data breaches (due to the ability of plaintiff's lawyers to bring class-action lawsuits): whether the mere likelihood that you are at a greater risk of something bad happening is actual damage/harm for which a lawsuit may be brought and monetary compensation awarded.
Colorado DHS Breach: The Colorado Benefit Management System, which coordinates Medicaid, food and welfare assistance for the state, suffered a second data breach when letters were sent to the wrong addresses. It's not entirely clear if this is a HIPAA breach, but it probably is. Of the 3,000 or so affected individuals, some PHI was involved in about half of the disclosures. And since CBMS apparently provides services to Colorado's Medicaid program, it probably is an improper disclosure by a business associate of a covered entity. Ultimately, minimal information was disclosed, and to a limited loop of recipients, so it's probably a no harm, no foul situation. But it's another example of the need to be careful out there.
Jeff [9:47 AM]
[ Thursday, August 13, 2015 ]
Breaches Without Damages: With hackers going after medical information, and with the availability and flow of PHI necessary for proper provision of healthcare, data breaches may be inevitable. But damages from breaches might be avoidable, or at least might be minimized. This seems like it's obvious advice, but good planning, solid policies, sufficient employee and staff training, and cyber-liability insurance can all reduce the likelihood of a breach, and prevent the potential for lose-the-company types of damages.
Jeff [11:04 AM]
[ Wednesday, August 12, 2015 ]
Should the DEA be able to get medical records via subpoena, or is a warrant necessary? That's the question the 5th Circuit is going to have to answer. And while the issue is definitely of interest to the telemedicine crowd, it certainly raises privacy concerns, especially if those medical records are yours or mine.
Jeff [2:29 PM]
Do you trust the federal government not to abuse this sort of power? Once upon a time I did, but not so much anymore.
Jeff [11:06 AM]
I'm sorry, but I can't help but think of Orwell. Or maybe Jacques Derrida. We are now living in a truly Post-Modern world.
A patient with an XY chromosome pair was admitted to a Brooklyn hospital and placed in a semi-private room with another patient with an XY chromosome pair. Of course, OCR investigated. While no fine was levied, the hospital had to adopt a slew of new policies and train its staff.
Consider the possibilities. . . .
Jeff [11:03 AM]
[ Wednesday, August 05, 2015 ]
MIE (Indiana) Breach: While I was away on vacation, Indiana EHR vendor Medical Information Exchange apparently was hacked. Now, the breadth of the hack is becoming known, and it looks pretty bad. As many as 3.9 million people are potentially affected. Fortunately, financial data wasn't included, but SSNs were, as well as lots of medical information. Whoever is putting together this big data project on the Dark Web is going to have a lot of info to work from. The Indiana AG is investigating, which means big fines are likely.
Jeff [3:39 PM]
[ Tuesday, August 04, 2015 ]
Jeff [2:18 PM]
[ Friday, July 31, 2015 ]
Social Media and HIPAA: I haven't given a speech on medical use of social media in a couple of years so I haven't been thinking about it, but it seems to keep coming up. Here's a decent article highlighting the risk that what you think is "de-identified" isn't.
Jeff [11:15 AM]
[ Tuesday, July 28, 2015 ]
Bleg (blog-based beg): If you like the blog, go here and nominate it for the niche/specialty category.
Jeff [11:43 AM]
[ Monday, July 27, 2015 ]
Georgia CCSP Breach: A state senior services organization suffered a data breach, apparently when an email was sent that included diagnosis data for about 3,000 people. Apparently no social security numbers or other ID-theft type of data was included in the breach.
Jeff [11:10 AM]
[ Tuesday, July 21, 2015 ]
Cell Phones in the OR: I saw the headline for this article in the Atlantic, but when I read it I saw it wasn't focused on what I perceive to be the bigger problem. The Atlantic is looking at the "don't text and drive" aspects, while my usual concern with texting has to do with security and medical record issues, so I didn't link to it. But then I got my afternoon email from FierceHealthIT, and sure enough they highlighted the data privacy and security issues OR texting raises.
Jeff [1:12 PM]
In my experience, if you call a surgeon's cell phone during normal "operating" hours, you're as likely as not to get someone (a scrub nurse or tech, usually) answering the phone with the phrase, "Dr. _______'s phone." And if everyone's dropped their phones in the same location and a phone goes off with a text, someone's going to pick up each phone to see who got the text. AND, unless you're using secure texting software, the nurse or tech is likely to read PHI that he or she shouldn't have access to. You can see the problem there -- So think before you text, especially in the OR.
So Many Breaches, But So Few Lawsuits: Wonder why? It's mainly because a plaintiff in a lawsuit generally must show how he/she has been damaged, and to be honest, most data breaches don't cause calculable damages. And courts tend to throw out cases where the damages are purely speculative, as in these Illinois cases. Sometimes identity theft occurs and you can prove it. Sometimes, as in the Walgreens case, actual pain and suffering can be proven. But if the breach merely causes the plaintiff to be at greater risk of identity theft and nothing more, that's going to be a hard case for a plaintiff to win.
Jeff [10:42 AM]
[ Monday, July 20, 2015 ]
More on the UCLA data breach here.
Jeff [4:06 PM]
Using HIPAA as an Excuse: Interesting article in the NYTimes on misunderstanding HIPAA. Just wish they wouldn't spell it "Hipaa." It's an acronym; use all caps.
Jeff [4:03 PM]
[ Friday, July 17, 2015 ]
Jeff [1:53 PM]