[ Tuesday, April 22, 2014 ]
Recent Enforcement News:
Jeff [3:04 PM]
OCR announces two new substantial fines: $1.7 million in one case and $250 in another, both involving unencrypted computers.
[ Thursday, April 17, 2014 ]
OT: Club Schmitz is Closing.
Jeff [4:16 PM]
Since sometime in the mid 1990's, most summers I host a group of summer clerks at my law firm at something we like to call "Dallas Dives." While other lawyers take the clerks to lunch at different "dive" locations around the city, my Friday midday trek is always to the same place, Club Schmitz. Opened in 1948 (and they've never changed the grease in the fryers since), it is the prototypical dive: burgers, cheap beer, and all things fried, served in broken-down cracked-vinyl booths and wobbly tables arrayed across a broken linoleum floor. Golden Tee has replaced the pinball machines, but the pool table and shuffleboard are still there. The building is a squat one-story cinder-block fortress, with bars on the windows and one door out each side. A good place for a gangster's hideout, since the cinderblocks could stop bullets and there's always a way to escape. It's the closest thing to a McSorley's that Dallas could hope for. And it is no more, or will be May 31.
I have no idea how many times I've been to Club Schmitz, and couldn't even guess. I don't know the exact date of my first visit, either, but I can say with some certainty that it was probably in September of 1980, early in my first semester at the University of Dallas (when the drinking age in Texas was 18). Club Schmitz, along with Diamond H and Luke's Outhouse, was a UD hangout, for cheap beer and cheap burgers and chili. There were plenty of old folks hanging around, but they weren't bothered by the boisterous college kids; I figure now that they saw themselves in us to some degree, perhaps even envying us.
Schmitz was usually a nighttime place for us back then. When I moved back to Dallas in 1994, at some point I went there for lunch. And went again. And again and again. It wasn't a daily thing or anything; I probably got in the habit of going once a month or so. Often with friends, clients, co-workers, other lawyers, but as often alone. I found that I could take work there, spread out at one of the booths near a window (to get some sunlight in an otherwise dark bar), and get more done over lunch -- with no disruptions -- than I could in the entire morning in my office. Every third or fourth trip, I'd run into someone I knew from work, church, school, the real world, managing partners of law firms and executives of energy companies, all taking advantage of the guilty pleasure of a greasy lunch. More than once I saw the Chairman of Southwest Airlines, Herb Kelleher, there with a handful of Southwest execs. Everyone goes to Schmitz's.
My one somewhat constant Schmitz companion was my associate Karen Pyatt. If we were out seeing a client, or just needed to get out for lunch, Schmitz was always on the list of choices. Sometimes it was her, sometimes me, but occasionally one of us just needed the grease, and off we went. Karen still refers to Carol, one of the two usual waitresses (not the one who waves at the trains), as the "Hotel California waitress": sort of a you-can-check-out-but-you-can-never-leave type who is always there at lunch. We came in one noontime and Carol immediately came to our table with a pair of sunglasses. "Are these yours? I think you left them last time." They were, and I had. It had probably been a month before that I left them, but she knew I'd be back. And I was. When was the last time that happened to you at a restaurant?
I don't know the last time I actually had to place an order -- I always get the same thing: "double double pops, all the way." Double meat, double cheese, all the trimmings, and tater pops; not tater tots, these are chopped potato bits with jalapeno peppers and cheese, deep fried into hush-puppy-sized balls of heaven. And a huge glass of iced tea (it would've always been beer at UD, but if I did that now, I'd never go back to work). When I walk in, I always know that Carol or the other waitress has spotted me when I hear them call back to the bar for my iced tea. She'll deliver my iced tea, and ask, "the usual?" I'll say, "of course," and she'll say, "good, because I already put in the order."
Most summers, during the Dallas Dive visit, at least one of the summer clerks (law students between their second and third year of law school, interning with the law firm to try to show off their skills and earn an offer back for a post-law school job) will ask how long I've been going there. I'll tell them that I started Schmitzing sometime in September 1980. Once, upon hearing that, before she could stop herself, a young woman blurted out, "Wow, that's before I was. . . . " Have you ever seen someone try to suck the words they've just spoken back into their mouth? She was mortified that she had just insulted a partner and the firm she wanted to work for. I just smiled and said, yes, I've been coming here longer than you've been alive. Hopefully you'll appreciate the charm and understand why.
I'll drag one more class of summer clerks, the last one, out there next month; we had originally planned on May 30 for the Dallas Dive visit, but decided to move it up a week -- the penultimate day will probably be too crowded for the size of the group we're likely to bring.
My youngest Mary loves the place; my wife Anne Marie, despite her UD credentials, doesn't.
It's not for everyone, but it really has been my place for a while. And I'm really sad to see it go.
[ Wednesday, April 16, 2014 ]
Jeff [7:29 AM]
[ Monday, April 14, 2014 ]
Jeff [3:32 PM]
[ Thursday, April 10, 2014 ]
Jeff [12:16 PM]
I'm listening to Kristen Rosati talk on "Anatomy of a Health Care Data Breach" at the UT's Health Law CLE seminar. A couple of key points on hands-on dealing with a breach:
- No definition of "compromise"
- If misdirected email, recipient agrees to delete, and you can "document the heck out of it," probably don't need to report it.
- Risk analysis should document analysis of each factor if determining that reporting isn't required.
- Prepare in advance for a breach: who needs to be involved, including a committee of stakeholders; maybe lawyer (especially outside counsel) to protect attorney-client privilege;
- Move quickly to interview appropriate folks, including law enforcement if applicable;
- Implement corrective action, even before the corrective action plan is finalized (map the steps out and follow up on them)
- Mitigate, fix, retrain, and document every step
- Fix within 30 days -- if no "willful neglect," it gives you an affirmative defense
- Make sure your notice has all of the specific regulatory requirements, especially once Marketing changes it
- Notification to media also has to be within reasonable time, but not necessarily at same time as notice to individuals (can give individuals a little advance notice to manage relationships)
Look at your BAAs and make sure notice responsibility from BAs is clear, including who to report to (the regular "notice" provision probably isn't right; you want them notifying the Privacy Officer). Also, BA reporting time is subsumed into the CE's reporting, so it should definitely be shorter than 60 days (hopefully within time for the CE to meet the 30-day response for an affirmative defense). BAs might want to keep a matrix of their reporting obligations under all of their different BAAs.
OCR reviews the 500+ breach reports daily and regional offices confirm that entity actually submitted the report. If you get that call from OCR, you should already be working with your response team. Even though OCR folks are nice, it is a formal investigation, so keep a record of your communications with OCR.
State AG penalties are capped at the old $25,000 level, not the new $1.5 million level. Each individual and each day of violation count as separate violations (you get to $1.5 million quickly), and one act can violate more than one requirement.
On the flight down, I read HCCA's monthly magazine, and saw a Privacy Officer refer to "LoProCo" as shorthand for "low probability of compromise;" I will use that handle.
[ Wednesday, April 09, 2014 ]
Jeff [11:44 AM]
[ Friday, March 28, 2014 ]
Jeff [1:55 PM]
HIPAA Security Risk Analysis:
Jeff [12:27 PM]
Regular readers will know that I regularly advise HIPAA covered entities to undertake and repeat regular "risk analysis" reviews. It's been required under HIPAA since April 2005, and you simply can't have decent, appropriate policies and procedures without doing a risk analysis first: how do you show that you've taken appropriate security steps if you don't even know where your security risks are?
Additionally, as I've noted before, if you're taking "Meaningful Use" moneys (in connection with adopting EMR technology), then you must certify that you've done such a risk analysis.
There's already been one indictment for a False Claims Act violation against a hospital CFO who certified that the hospital did a security audit and was a "meaningful user," when they weren't. I'm hearing now that CMS is auditing MU stipend recipients and asking for proof of their risk analysis, and the policies and procedures generated by the analysis.
Whether you've done your risk analysis or not (you have to regularly re-do it, too), you should look at this Security Risk Assessment toolbox provided by HHS under HealthIT.gov. There is not a standard template for what a Risk Assessment should look like, since it's entirely dependent on the specific facts of the specific entity.
You have a HIPAA obligation to do it. You may have a MU obligation to do it. And frankly, you have an obligation to your patients/customers to do it. So, . . .
[ Wednesday, March 26, 2014 ]
Jeff [5:51 PM]
[ Monday, March 24, 2014 ]
Five Steps to Help Prevent Security Breaches:
Jeff [2:45 PM]
Had to fix the headline. These definitely will help, but aren't guarantees. There are no guarantees.
[ Thursday, March 20, 2014 ]
Interesting Post-Omnibus Rule Trend:
Jeff [4:58 PM]
Covered Entities exercising greater oversight of their Business Associates' security measures. I've seen this a lot in post-Omnibus BAAs, as well as in some of the HIPAA press and seminar circuits; here's a good example of the type of advice consultants are giving. What's particularly interesting about this development is that the HITECH Act and the Omnibus Rule directly place greater HIPAA privacy and security requirements onto Business Associates. Why, now that the law directly requires it, are Covered Entities taking a more hands-on approach to this? If anything, changes in the law should make it less necessary to be contractually specific. Interesting.
[ Wednesday, March 19, 2014 ]
Using Cloud Service BAs to Police Your Other BAs?
Jeff [3:58 PM]
Covered entities are rightfully suspicious of the privacy and security offered by their vendors and other BAs. Some cloud-based service providers are offering to help providers manage their BAs and ensure they're doing what they need to do.
[ Tuesday, March 18, 2014 ]
Colorado Hospital Gets Hacked:
Jeff [2:18 PM]
Glenwood Springs' Valley View Hospital discovered a virus on its computers that appears to have been placed there by hackers. The virus captures screen shots of patient data and stores it in a hidden, encrypted file, apparently for later retrieval. This, along with the Bryan, Texas case, indicates that even small or rural hospitals need to be aware that they may be targeted by hackers.
[ Monday, March 17, 2014 ]
HIPAA Compliance for Law Firms:
Jeff [12:14 PM]
Law firms that create, receive, maintain or transmit PHI on behalf of clients that are HIPAA covered entities are, by definition, business associates, but with attorney-client privilege and other ethical restrictions, are very, very different from most vendor BAs. While BAAs are still needed, take careful consideration that you don't waive the attorney-client privilege or negate the value of your malpractice insurance by an overreaching indemnification provision.
Recent news on possible NSA spying on law firms and their clients has raised an additional concern. As BAs, law firms must have Security Rule safeguards in place to protect PHI. Law firms that deal with financial institutions have additional information security requirements. These might not necessarily foil the intrepid spooks at the NSA, but they should help counter what Scott Vernick says might be a greater threat: law firm insiders. Additionally, if you're a BA, you have HIPAA employee training requirements (which may be specific under state law). So, do the right thing.
Jeff [8:42 AM]
[ Thursday, March 13, 2014 ]
New Ponemon Study Out:
Jeff [8:33 AM]
There's a new study out on the costs of PHI data breaches. I haven't really had a chance to dive into it, but here's some discussion of it. Breaches may be down overall, but criminal data theft for medical identity theft purposes is way up.
[ Wednesday, March 12, 2014 ]
Upcoming Mental Health and HIPAA presentations:
Jeff [6:21 PM]
I've actually got 2 coming up. The first is live in Houston on April 3; I'll be presenting the last 2 hours of an all-day seminar for PESI on "Texas Mental Health and the Law," giving the HIPAA/medical records portion of the presentation. The seminar is at the Sheraton North Hotel near Bush Intercontinental Airport in Houston.
The second is a live webinar for Lorman on Mental Health Medical Record Compliance (lots of HIPAA stuff, plus information specific to minors and "Part 2" entities) on May 14. It'll also be recorded, and will be available after that, but you really want to hear it live so you can ask me questions.
If you attend either, email me and let me know what you think.
Jeff [4:54 PM]
[ Monday, March 10, 2014 ]
Happy Anniversary to this blog, which turned 12 last Saturday. That's right, my first post was March 8, 2002.
Jeff [3:03 PM]
LA County HHS breach
Jeff [7:52 AM]
hit the offices of a Business Associate and stole computers. The computers had unencrypted PHI. Have I mentioned how encryption is a good and valuable tool?
[ Friday, March 07, 2014 ]
First Fine Against a County Government Unit:
Jeff [4:30 PM]
Skagit County, Washington gets the honors. To the tune of $215,000. Ouch! Notifications were not provided, and policies weren't sufficient. Of course, in some ways this is a head-scratcher: the Skagit County Public Health Department provides healthcare services to county residents who can't otherwise afford healthcare, so that's $215,000 that the Department won't have to help those folks. Sure, those folks need protection, perhaps more than others, but still, this seems awfully punitive.
[ Wednesday, March 05, 2014 ]
Jeff [4:55 PM]
weekly breach roundup is here
[ Tuesday, February 25, 2014 ]
Mental Health and HIPAA:
Jeff [10:01 AM]
The mental health arena has always been a tricky playing field for HIPAA and privacy, for obvious reasons. Mental health information is particularly sensitive, but it is often imperative that the information be shared since the patient might not be able to make appropriate decisions. This becomes painfully acute when mental health issues contribute to tragedy such as the Sandy Hook and Virginia Tech shootings. Information not shared due to privacy concerns might have prevented the incident or lessened its impact.
HHS is trying to assist providers and others on how to bridge this gap. They have issued guidance here, and FAQs here. If you practice in the mental health field, this is worthwhile information.
[ Wednesday, February 19, 2014 ]
Model NoPPs in English and Spanish:
Jeff [8:51 PM]
OCR has issued 16 different formats for Notices of Privacy Practices, 8 in English and 8 in Spanish. Each language set is further divided into 4 formats for providers and 4 formats for health plans. The four formats are booklet, layered, full page, and text-only.
Jeff [7:38 AM]
As noted, this insurance plan was fined $6.8 million. But the fine was levied by the Puerto Rican authorities, not OCR. Keep in mind, HIPAA penalties may be capped at $1.5 million, but you are facing state penalties as well.
Jeff [7:35 AM]
The weekly breach report is out, featuring a $6.8 Million fine for Triple-S Salud.
[ Monday, February 17, 2014 ]
Happy 5th birthday, HITECH Act.
Jeff [3:35 PM]
[ Wednesday, February 12, 2014 ]
Google Cloud Accepts HIPAA Responsibilities:
Jeff [10:41 AM]
Google, which has consented to signing BAAs since the Omnibus Rule became effective, is making Google Cloud even more HIPAA friendly for developers and others using the cloud. Not sure just how big this news is, but it does illustrate a nice trend, as vendors and other business associates (and subcontractors) who are more removed from direct healthcare services begin to recognize the reach of the law.
[ Tuesday, February 11, 2014 ]
Did AOL's CEO violate HIPAA?
Jeff [4:41 PM]
In explaining why the company was making its 401(k) a little less generous, Tim Armstrong said increased costs for health benefits meant that retirement benefits would have to come down a little. He specifically mentioned a couple of "distressed babies" that cost the company health plan a million bucks each. Is that a HIPAA breach?
I don't think so. If he got the information from the health plan and wasn't supposed to, that could be a HIPAA violation. HIPAA requires companies to erect a firewall between the company's health plan (and the health data it holds on employees) and the rest of the company, particularly HR. Presumably, the CEO isn't on the health plan side, so he shouldn't have access to individual health information that the health plan holds, analyzes, and transmits. However, the health plan CAN share "summary health information" with the business side, and this could certainly be that.
There's also the question of whether this is PHI at all. To be PHI, it must be individually identifiable. Obviously, he didn't name the babies. But if it would be possible to identify the babies or their mothers/fathers who are the AOL beneficiaries, it could be PHI. I don't know how many employees work at AOL, but some employees would presumably know if a coworker had a baby with lots of medical issues. One of the AOL employees (actually, the wife of the employee, Deanna Fei) went public that she and her baby were one of the ones mentioned by Armstrong, because her husband's co-workers began asking him if his baby was one of them.
Which illustrates a little quandary that occasionally pops up when the policy behind HIPAA is examined: HIPAA requires that health information be treated as if it is entirely private, when often it is much more public than a lot of other personal information. I probably don't know how much my co-worker gets paid, but I almost certainly will know my coworker is pregnant; I'll probably know if she has problems with the pregnancy, if the baby is born prematurely, if he/she is in a neonatal ICU for an extended period of time, etc. While my co-worker could keep all that information private, the fact is that people tend to be friends with co-workers, and people tell (some of) their health information to their co-workers.
In the AOL case, Mr. Fei apparently told his co-workers about his baby and his/her medical issues; otherwise, how would they know it might be him that Armstrong was talking about? The only thing Armstrong spilled that wasn't already known was the total cost.
One final note: when I first heard that the AOL CEO was in trouble for cutting the 401(k) and blaming it on "distressed babies," I thought he was referring to AOL workers. Particularly those at the Huffington Post.
HIPAA CLIA change:
Jeff [6:53 AM]
Not everyone agrees that it's a good idea for patients to get their PHI directly from the lab. There's a risk, for sure, when patients get information unfiltered and unexplained; that's probably why CLIA labs were excluded from the "access" requirement in the first place.
[ Monday, February 10, 2014 ]
Medical Records Update for Paralegals
Jeff [4:56 PM]
: If you missed my Lorman presentation last month (uh, Bob, I'm looking at you), it's available in recorded format here.
How does the Target data breach affect healthcare entities?
Jeff [10:38 AM]
You can read my take on it here.
[ Saturday, February 08, 2014 ]
Got a good digital NoPP? ONCHIT is looking for the best one.
If your on-line Notice of Privacy Practices is the best there is, the Office of the National Coordinator for Healthcare Information Technology has a prize for you.
Jeff [7:00 AM]
[ Thursday, February 06, 2014 ]
Ruh-Roh:
Jeff [1:37 PM]
St. Joseph in Bryan, Texas has apparently been hit with a "huge" data breach involving a server attack, with over 400,000 patients and employees affected. Social security numbers and medical data are both involved.
For Your Viewing Pleasure:
Jeff [11:10 AM]
It's the HHS HIPAA YouTube Channel. I don't know if viewing these will help you become HIPAA-compliant, but I'm pretty sure they won't count as "training" of your staff. Still, interesting to see.
[ Monday, February 03, 2014 ]
CLIA Lab exception to HIPAA going away:
Jeff [1:46 PM]
Under HIPAA, individuals have a right to access all of their PHI held by covered entities, with a few limited exceptions. One exception was that CLIA-covered labs did not have to provide such access: CLIA limits those labs to only providing test results to an "authorized person." This generally means the ordering physician or the physician who will use the test results or communicate them to the patient, not the patient him/herself. Because of the CLIA limit, HIPAA contained an exception for CLIA labs, so that they were not required to provide access to their patients, the way other covered entities must.
That will now change, to be effective late September/early October. HIPAA will now require CLIA labs to also provide patients with copies of their PHI, if the patient requests.
Unity Health (Wisconsin) Breach:
Jeff [8:10 AM]
Encryption would've alleviated the need to report this lost hard drive. Probably nothing happened to the data, but if you can't tell, you probably can't get below the "low risk of compromise" threshold. 42,000 people affected.
[ Thursday, January 30, 2014 ]
Jeff [6:44 AM]
on Obamacare taxes
(they do call them "fines" and "penalties;" how unconstitutional of them).
Data Breaches at Texas Psych Facilities:
Jeff [6:40 AM]
It's happening a lot recently. None of these seem particularly big, but they are indicative of a problem that some policies and training ought to help cure.
[ Wednesday, January 29, 2014 ]
Jeff [7:22 PM]
If you're a HIPAA/privacy geek in Houston (or want to be in Houston), check out this position opening. It would involve working with some top notch folks.
Jeff [9:17 AM]
Malvern Group's weekly breach/incident report is out. Thanks so much to them, now I don't feel guilty that I don't catalogue and re-blog every breach report I hear.
[ Wednesday, January 22, 2014 ]
Current Breach Activity
Jeff [10:23 AM]
: Malvern Group's weekly list of HIPAA and other data breaches
Jeff [10:21 AM]
: If you're looking for HIPAA training and the like, I've got a handful of webinars and in-person educational presentations coming up (all times Central):
- Today (1/22/14), noon - 1:00: Texas Medical Association webinar: HIPAA Training for the Medical Office Staff; info here.
- January 29, 2014, noon - 1:30: Lorman Education Services webinar: Medical Records Update for Paralegals: Releases, Retention, and Confidentiality Requirements; info here.
- February 13, 2014, Dallas, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law in Texas; info here.
- February 19, 2014, noon - 1:00: Texas Medical Association webinar: Complying with HIPAA Security; info here
- February 25, 2014, Ft. Worth, Tx, 9:00 am - 4:30 pm (HIPAA presentation 2:55 - 4:30): Lorman Education Services live seminar: Medical Records Law; info here.
- April 1, 2014, Houston, Tx, 8:30 am - 4 pm (HIPAA presentation 2:00 - 4:00): PESI Continuing Education Seminars live seminar: Texas Mental Health and the Law 2014; info here.
Feel free to email me, comment on the blog, or message me on Twitter (@JeffDrummond) with questions.
[ Friday, January 17, 2014 ]
New Mexico Forced Colonoscopy case:
Jeff [12:29 PM]
I was quoted in Theresa Defino's AIS story on this case, where a man in New Mexico was arrested on drug charges because a drug dog sniffed his car seat. The cops figured the man had secretly hidden drugs in his, er, butt. The cops got a search warrant (but for a different county), and took the man to a hospital in the next county (the local hospital refused to cooperate), where they got the hospital and a couple of doctors to help take X-rays, give the man an enema, and finally a colonoscopy. Turns out he had no drugs, and he sued the cops for civil rights violations, as well as the hospital and the doctors for medical battery and HIPAA violations.
The city and county have settled for $1.6 million. Good. The case against the hospital and the doctors goes on.
UPDATE: more quotage here
[ Monday, January 13, 2014 ]
Transactions and Code Sets News: Health Plans must certify to compliance with HIPAA transaction and code set rules.
Jeff [1:31 PM]
I saw this news last week but thought it was simply HHS saying health plans are covered by HIPAA; which they are, naturally. Health plans are covered entities, and must comply with the Privacy Rule and Security Rule.
But the point is that they must all use standard transactions. This goes back to the earliest part of HIPAA, based on trying to standardize electronic data interchange transactions in the healthcare industry, and the drafting of specific forms, data sets, and formats to be used in every payment transaction, for example. Get rid of the legacy systems and individual payor formats and use standard documentation. It's interesting to see this come up again. Frankly, everyone in the health industry ought to be using standard formats, and to the extent a lot of smaller players (small health plans specifically) aren't doing so, then either we don't need the standards or we aren't enforcing the requirements like we should be.
Small Data Breach Reporting: Welcome to 2014! Covered entities must report all (small) breaches occurring in 2013 to the Secretary of HHS by the end of February. If you had a big breach, one involving 500 or more individuals, you should have reported to the affected individuals and HHS (and local media) within 60 days of becoming aware of the breach, but if you had a small breach, you needed to notify the individuals within 60 days, but need not notify HHS until year-end.
Jeff [12:17 PM]
Sometimes you'll have a handful of small technical breaches (records faxed to the wrong number, for example), which involve a quick and easy note to the patient. Those are often put out of mind once they're done. But the annual reporting requirement is still there, even though you might've forgotten about that little incident. . . .
The year-end reporting requirement is easier but still a little tech-intensive. It involves filling out a form on the HHS website for each breach incident, which involves actual input by the covered entity, so it takes a little time. But it's painless, and it's the law.
Phoebe Putney loses a desktop computer:
Jeff [8:40 AM]
A Georgia hospital employee was rearranging her office and boxed up her password protected, but not encrypted, desktop computer and left the box in the hall. Presumably she did not put a "no basura" sign on it, because it disappeared, never to be found again. 6700 - 6800 patients' PHI, plus a handful of social security numbers. Two employees were fired for not following policies (makes me wonder who the second one was, assuming the redecorating employee was one).
If the computer had been encrypted, we wouldn't even know about it.
[ Thursday, January 02, 2014 ]
Interesting NJ Case:
Jeff [6:35 PM]
An employee of Omnicell, a vendor of pharmacy management computing services (and a business associate) of a slew of hospitals, had a laptop stolen. The laptop contained names and PHI of a bunch of patients of the hospitals. The laptop was password protected, but not encrypted. I blogged about the breach about a year ago.
One of the patients filed a class action lawsuit against Omnicell and the slew of hospitals. But the federal court threw them out, because they could not prove damages. I did not hear of a settlement with OCR, so that's still potentially out there. To some extent, this case proves that the administrative fines are likely to be worse than the potential legal claims of victims, since it's so hard to show damages for a HIPAA breach.
[ Tuesday, December 31, 2013 ]
A Little Slow on Posting Notice?
Jeff [4:37 PM]
Colorado Medicaid suffered a data breach in November but is just now notifying affected individuals. A little under 2000 affected. The breach was the use of a personal email account, so there probably was no harm, no foul. But why did it take so long?
[ Saturday, December 28, 2013 ]
What's a good set of Policies and Procedures worth?
Jeff [8:01 PM]
I've drafted dozens of them, including the form set currently available from the Texas Medical Association. On average, I've probably charged around $5,000 to $10,000 for a worked-over set of policies (including adaption to the client's specific needs, assisting with risk analysis, adding in forms for BAAs and NoPPs, etc.). That's a lot of money for some clients, and many balk at a price tag that high.
But what is the set worth? If you're Adult & Pediatric Dermatology in Massachusetts, the number is $150,000. APDerm lost a flash drive with PHI on it: as far as anyone knows, nothing happened to the PHI. But, the loss triggered an OCR investigation, which uncovered that APDerm hadn't adopted policies and procedures. That failure triggered a $150,000 fine.
$5,000 sounds pretty cheap.
Of course, if APDerm had policies and procedures, they might've decided to encrypt all flash drives, or not allow them at all, and the breach might not have occurred at all. That, really, is the value of a good set of policies and procedures.