[ Thursday, December 17, 2009 ]
Off Topic (purchasing health insurance): A reader tipped me to this survey. Are you purchasing insurance in the individual market, or on behalf of a small employer? You might want to look at this survey; I suspect the sellers of health insurance are well aware of how this information changes hands and how purchasers of insurance use it.
Jeff [11:40 AM]
New Hampshire: Wentworth-Douglass Hospital in Dover, NH is hip-deep in an apparent data breach problem. As noted here, someone was improperly accessing data in the hospital's pathology records and changing the information. The hospital investigated the breach and notified the doctors whose patients' records were accessed, but did not notify the patients. Now, according to BNA (subscription required), CMS is investigating.
There seem to be two issues at play here that are instructive for HIPAA covered entities. First, the investigation seems to have ramped up not because the breach was particularly bad (although changing pathology data can sure be disastrous), but because the hospital didn't respond correctly. Second, the catalyst for the investigation seems to be the claim by a couple of pathologists that they were retaliated against by the hospital for reporting the breach and demanding action.
This illustrates two points. First, accidents (and hackers) happen, and nobody expects perfection. Your efforts to prevent a breach up front must be good, but a breach isn't proof that they weren't. HIPAA compliance doesn't end, though, when you adopt reasonable precautions through good policies and procedures. You must react to those breaches that do occur, and your reaction must be reasonable too. Second, always remember that it's those within the castle walls that can cause you the most trouble. External hackers do exist, but in most cases there's an "inside man" who either initiates the problem (see the Gibson case) or unwittingly enables it (see the UCSF story from yesterday). Always cover your flank: if there's a constituency or individual pushing for a particular response to a HIPAA problem, make sure their issues are addressed. That doesn't mean you have to do what they say, but be aware that if you don't (or if they feel their concerns were neglected or improperly dealt with), they might be your ultimate problem.
Jeff [9:16 AM]
[ Wednesday, December 16, 2009 ]
Red Flags Update: In case you haven't looked lately, check out the FTC's Red Flags Rule page, where there are several click-through programs, including a video program and the template for low-risk businesses. I'm on a conference call right now with an FTC person, and her unofficial feel is that the reason for the latest delay is to allow the FTC to decide how to respond to the ABA case and whether/how to appeal. I think they're still trying to figure out whether Congress will act further as well. The Red Flags program won't go away; it's just a question of whether you are a "creditor" according to the definition. From a HIPAA standpoint, much of what the Red Flags Rule does nicely dovetails with what all covered entities should be doing from a privacy and security standpoint; so, I'm not telling you what to do, but you might consider whether an Identity Theft Prevention Program is a good idea, regardless of whether the Red Flags Rule does (or should) apply to you.
Jeff [11:29 AM]
UCSF Data Breach: Apparently, there was a successful "phishing" incursion into the records of about 600 University of California - San Francisco patients. The data was accessed because a UCSF Medical School physician inadvertently disclosed his user name and password in response to a phony email asking for the information (the typical "phishing" attack). This goes to show that sometimes "social engineering" makes your humans your weakest link: once the attacker has a valid credential, every technical control that trusts that credential is bypassed.
Jeff [11:20 AM]
More slightly-off-topic: Those of us who deal with HIPAA privacy issues often have to overflow into other privacy laws, particularly Gramm-Leach-Bliley, which protects personal information in the financial context. The various federal agencies with GLB responsibilities recently issued a joint model privacy notice form.
Jeff [11:12 AM]
Slightly Off-Topic: Here's a list of the Top 9 data breaches for the last year involving banks and other financial institutions. Note the geographic and stylistic breadth of the breaches. Remember, privacy and security systems are only as strong as their weakest link.
Hat tip: Chris Volkmer, John Podvin.
Jeff [11:08 AM]
[ Tuesday, December 15, 2009 ]
Keeping Up with HIPAA: How do you know that you're current with your HIPAA risk assessments? We've got new law that will be enforceable in a couple of months, with very few regulations. Neither the law nor the regulations will say what specific steps, processes, programs or hardware you might need.
How do you know that you've done enough to be compliant?
There's no good answer to that question, other than Justice Stewart's "know it when you see it" standard. HIPAA isn't specific with regard to technology or process; rather, it's "scalable." That's both a feature and a bug: it allows the market and industry to adapt and develop best solutions, but it also prevents individual participants from knowing with certainty that they've met the minimum requirement.
Ultimately, you've got to work hard enough and make good enough decisions. Consult with the right people within and outside your organization, know where you are/what you've got/where you need to go, and go there. Security is a process, not a place.
Jeff [10:38 AM]
[ Monday, December 14, 2009 ]
Got paper? Paper-based data breaches are on the rise. Which raises two issues. First, the new HITECH data breach reporting rules only apply to "unsecured" data, so a breach of "secured" data need not be reported. Unfortunately, with paper records, the only way to "secure" is to "destroy," making the records useless to both intended and unintended users. So if there's a paper record data breach, it's reportable. Second, most states followed the lead of California and adopted state data breach notification laws (focusing on personal or financial information, which usually includes health information but not exclusively), but in many of those states (Texas, for example), the data breach law specifically addresses computerized records. There are often other state laws that require careful handling of records that contain personal information (i.e., shredding before dumpstering), but many breach notification laws only address electronic or computerized information.
Jeff [8:56 AM]
[ Friday, December 11, 2009 ]
Federal Data Breach Law? As you know, California started the trend of general-business data breach notification laws, with most other states following. Now, a bill has passed the US House that would impose a federal data-breach law. I don't know whether it's really needed, given state efforts already, and I don't know whether it would be harsher than the HITECH data breach rules, but it's something to keep an eye on. (Of course, the Senate's doing nothing but healthcare these days; it won't even pick up the small-company Red Flags relief bill that passed the House unanimously.)
Jeff [8:19 AM]
[ Wednesday, December 09, 2009 ]
Houston Snoopin': The Harris County Hospital District, which runs Ben Taub Hospital, the Level 1 trauma center and huge public hospital, has fired 16 employees for snoopin'. A medical school resident who was assigned to Ben Taub was shot in a grocery store parking lot and rushed to Ben Taub. Lots of folks who probably knew the young doc but weren't involved in her care checked out her chart, and got fired for it.
Pretty severe sanction, but probably intended to send a message: don't snoop, dawg. It also shows that the hospital's audit logs were good enough to tell who opened the chart without a treatment reason, which is the control that makes the sanction possible in the first place.
Well, I didn't intend this to be my 1500th post, but this is it. 7.75 years writing this blog . . . .
Jeff [7:31 AM]
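Both the Wentworth-Douglass story above (a pathology record altered by someone who should not have been editing it) and the Ben Taub firings come down to the same check: compare each audit-log row against who actually has a treatment relationship with the patient and who is allowed to change a given record type. The Go program below is an added example, not the blog's code and not any hospital's or EHR vendor's system; the pipe-separated log format, the user names, the patient IDs and the care-team roster are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one row of an EHR audit log. The pipe-separated format is
// constructed for this example, not any vendor's real format.
type AccessEvent struct {
	Time, User, Patient string
	Action              string // "READ" or "WRITE"
	Record              string // record type touched, e.g. "chart" or "pathology"
}

// Finding is one audit row the access policy does not permit.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// Policy answers the two questions these cases turn on: who has a treatment
// relationship with the patient, and who may modify which record types.
type Policy struct {
	CareTeam map[string]map[string]bool // patient -> users on the care team
	Writers  map[string]map[string]bool // record type -> users allowed to write it
}

// ParseAuditLog reads lines of the form time|user|patient|action|record.
// Blank lines and "#" comments are ignored; malformed rows are skipped so a
// single bad line cannot abort the whole check.
func ParseAuditLog(raw string) []AccessEvent {
	var events []AccessEvent
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, "|")
		if len(f) != 5 {
			continue
		}
		events = append(events, AccessEvent{f[0], f[1], f[2], strings.ToUpper(f[3]), f[4]})
	}
	return events
}

// FindViolations flags every access by someone outside the care team (the
// snooping pattern) and every write by a care-team member not allowed to alter
// that record type (the pathology-edit pattern). Indexing a missing inner map
// yields nil, which reads as false, so unknown users are unauthorized, not ignored.
func (p Policy) FindViolations(events []AccessEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if !p.CareTeam[e.Patient][e.User] {
			out = append(out, Finding{e, "access by a user not on the patient's care team"})
			continue
		}
		if e.Action == "WRITE" && !p.Writers[e.Record][e.User] {
			out = append(out, Finding{e, "modification of " + e.Record + " by a user not authorized to write it"})
		}
	}
	return out
}

// SampleLog and SamplePolicy are constructed data; every name and ID is invented.
const SampleLog = `
# time|user|patient|action|record
2009-12-01T08:02|dr.reyes|P1001|READ|chart
2009-12-01T08:10|nurse.kim|P1001|WRITE|chart
2009-12-01T08:15|resident.pham|P1001|READ|chart
2009-12-01T08:20|clerk.ortiz|P1001|READ|chart
2009-12-01T09:00|dr.reyes|P1001|WRITE|pathology
2009-12-01T09:30|path.lee|P1001|WRITE|pathology
2009-12-01T09:45|dr.reyes|P2002|READ|chart
`

var SamplePolicy = Policy{
	CareTeam: map[string]map[string]bool{
		"P1001": {"dr.reyes": true, "nurse.kim": true, "path.lee": true},
		"P2002": {"dr.reyes": true},
	},
	Writers: map[string]map[string]bool{
		"chart":     {"dr.reyes": true, "nurse.kim": true},
		"pathology": {"path.lee": true},
	},
}

// Demo runs the check over the sample log and returns the findings in log order.
func Demo() []Finding { return SamplePolicy.FindViolations(ParseAuditLog(SampleLog)) }

func main() {
	for _, f := range Demo() {
		fmt.Printf("%s %s %s %s/%s: %s\n",
			f.Event.Time, f.Event.User, f.Event.Action, f.Event.Patient, f.Event.Record, f.Reason)
	}
}
```

On the sample log this flags the two outside readers of P1001's chart and the attending's write to a pathology result, while the pathologist's own write and the attending's read of another patient on his own list pass. The check is only as good as two inputs: the EHR has to log reads as well as writes, and the care-team roster has to be current, since a stale roster produces both false alarms and misses. Counting distinct flagged users per patient over a short window is the natural next step; a newsworthy admission shows up as a sudden cluster of outside readers on one chart.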
[ Monday, November 30, 2009 ]
Medical Identity Theft is on the Rise: According to the Wall Street Journal. It seems likely. But remember, medical identity theft is somewhat a crime of opportunity: if you don't need medical care, you don't need to steal someone's medical identity. Regular identity theft is profitable regardless of your health situation.
Jeff [8:57 AM]
Latest HIPAA Data Breach: Apparently, BCBS of Tennessee is preparing a monster notification effort after a hard drive was stolen at a remote training facility. Based on the story, I'd put it pretty low on the risk scale: the data wasn't encrypted, but it was encoded and scrambled, and the facts make it look like hardware theft, not data theft. Note, though, that encoding and scrambling are not encryption for purposes of the breach notification safe harbor, which is presumably why the notifications are going out at all.
Jeff [8:53 AM]
[ Thursday, November 26, 2009 ]
Totally and Ridiculously off-topic, but funny: Frank J's
list of things to be thankful for.
Jeff [9:43 AM]
[ Wednesday, November 25, 2009 ]
Encryption: More sage advice from Dom Nicastro. Then again, what would you expect, given who he's taking advice from?
Actually, early on in the life of the HIPAA Security Rule, many IT guru types jumped onto the encryption bandwagon with both feet, saying things like "encryption is industry standard and failure to encrypt is per se an unreasonable violation of the Security Rule," or "sending email over the internet in clear text (i.e., unencrypted) is a violation of the Security Rule." Well, the Security Rule has always listed encryption as an addressable implementation specification, not a required one; that means any covered entity must review its operations, practices, capabilities and finances and determine whether it should encrypt, but it may reasonably determine that encryption is not necessary for structural, organizational, operational, or financial reasons (and, if so, document that decision and any alternative measure it adopts instead). I have consistently advised people that you have to take an honest look, but if you determine that encryption isn't necessary, you don't have to do it.
That reasoning holds true today: you are still Security Rule compliant if you've made this determination.
HOWEVER, under the new Data Breach Rules, your obligations upon a data breach are dramatically higher if you do not encrypt. Encryption, done properly, will be a "get out of jail free" card if you have a data breach.
I'd call that a game changer.
So, am I guilty of changing my opinions? To quote the only thing Keynes said that was right: "When the facts change, I change my mind. What do you do, sir?"
Jeff [12:35 PM]
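The BCBS of Tennessee post above describes the stolen drive's data as "encoded and scrambled" rather than encrypted, and this post turns on encryption "done properly." The difference is not academic: encoding needs no secret to reverse, while the breach rules' safe harbor is for data rendered unreadable by an actual encryption process. The Go program below is an added example, not the blog's code and not anything BCBS uses; the obfuscation scheme, the sample record and the key handling are constructed to show the contrast, and it uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Obfuscate stands in for "encoded and scrambled" storage: base64 over a fixed
// byte rotation. There is no key, so the scheme itself is the only secret.
func Obfuscate(plain []byte) string {
	rot := make([]byte, len(plain))
	for i, b := range plain {
		rot[i] = b + 13 // byte arithmetic wraps mod 256
	}
	return base64.StdEncoding.EncodeToString(rot)
}

// Deobfuscate is what anyone holding the drive can do once they have seen the
// scheme: no secret is needed to recover every record.
func Deobfuscate(s string) ([]byte, error) {
	rot, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	for i := range rot {
		rot[i] -= 13
	}
	return rot, nil
}

// NewKey returns a random 256-bit AES key. The key must live somewhere other
// than the drive it protects (a TPM, an HSM, a key server, or a passphrase in
// the operator's head); a key stored beside the data protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt seals a record with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM gives confidentiality and integrity: without the key the bytes are
// indistinguishable from random, and any modification is detected on decrypt.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt; it fails on the wrong key or on a tampered blob.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	record := []byte("MRN 1001|Doe, J|dx: example") // constructed sample record
	enc := Obfuscate(record)
	back, _ := Deobfuscate(enc)
	fmt.Printf("obfuscated: %s\nrecovered without any key: %s\n", enc, back)

	key, _ := NewKey()
	blob, _ := Encrypt(key, record)
	wrong, _ := NewKey()
	_, err := Decrypt(wrong, blob)
	fmt.Printf("encrypted: %x\ndecrypt with wrong key: %v\n", blob, err)
}
```

Three things follow. The obfuscated form round-trips with no key at all, so whoever has the drive has the records. The AES-GCM form fails closed on the wrong key and on any modified byte, so a thief who alters a record cannot pass it off as genuine. And none of this helps if the key sits on the same drive, which is why the key management around the encryption, not just the algorithm, decides whether a lost device is a reportable breach.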
[ Friday, November 20, 2009 ]
Healthcare Reform: Here's a
great article. The key point is #3 (which is the point I've made over and over again): the problems with the American healthcare system are the result of OPM ("other people's money").
Jeff [12:30 PM]
Speaking of Medical Records: Check out Bob Coffield's blog for a paper medical record, circa 1030. Pretty cool.
Jeff [9:27 AM]
EMRs: A study says they don't save money, either. Of course, if you're a physician practice that takes Medicare, you'll lose money if you don't adopt one. D'ya ever notice that whenever the government puts unnatural incentives on some economic action, it results in uneconomic activity (viz. "cash for clunkers")? If EMRs add efficiencies and save medical practices money, medical practices will adopt them. When the government tries to skew the natural economic incentives, you get . . . clunkers (for which you have to spend a lot of taxpayer cash).
Jeff [8:42 AM]
[ Thursday, November 19, 2009 ]
EMRs: the privacy concerns connected with electronic medical records seem to be getting greater and more visible play these days. There is, no doubt, a trade-off in privacy whenever medical information is in electronic format.
Jeff [5:21 PM]
What to do in case of a breach: I've done a lousy job of keeping up with this, but this is the last part of a really nice series by Dom Nicastro on how to avoid breaches, what to do when one happens, and how to follow up.
Jeff [5:09 PM]
[ Monday, November 16, 2009 ]
EMRs: So far, the benefits of switching to electronic medical records aren't exactly overwhelming. Something to keep in mind when the debate over healthcare reform starts to overheat.
Jeff [11:09 AM]
Ready for HITECH? You are alone, according to this survey: 94% of healthcare entities aren't ready for the February 2010 effective date of the HITECH revisions to HIPAA. Caution, it's a small sample size, but I suspect most of us have a lot of work to do.
Jeff [11:04 AM]
[ Wednesday, November 11, 2009 ]
What if Quizno's Were Run Like Healthcare?
This is pretty funny, and goes a long way to explain what's wrong with the healthcare system.
Jeff [11:34 AM]
[ Tuesday, November 10, 2009 ]
Anthem BCBS (Connecticut) Data Breach: I noted below that Anthem Blue Cross Blue Shield had a laptop stolen that had data on about 18,000 doctors, including some social security numbers (not PHI, though, so it's [probably] not a HIPAA violation). The information was unencrypted, which was against company policy. Well, the Connecticut AG is on the case, accusing Anthem of acting too slowly in notifying the victims and of not providing enough credit protection to the doctors.
This will be interesting to watch, since it might be a little taste of what we'll be in for when state AGs get to enforce HIPAA.
Jeff [10:31 AM]
[ Thursday, November 05, 2009 ]
Interesting Georgia personal representative decision: Well, interesting if you're a HIPAA geek. The Georgia Supreme Court has ruled that the spouse of a deceased person is that person's "personal representative" for HIPAA purposes. It seems the complicating factor in Alvista Healthcare Center v. Miller was that the information was being sought by the surviving wife, who was pursuing a wrongful death action on her own behalf against the nursing home, and no executor of the estate of the deceased husband had been appointed yet. The court found no problem with the wife obtaining the records in her capacity as personal representative of her deceased husband and then using the information in connection with her personal cause of action for wrongful death; since she's not a covered entity, the nature of her intended use is irrelevant if she has authority to obtain the information in one capacity or another.
Via BNA. Story here, opinion here (may need a subscription).
Jeff [10:19 AM]
[ Tuesday, November 03, 2009 ]
Data Breach experience: Here's an interesting first-person perspective of a data breach victim. Understandable (if not really balanced) concerns about the ability of research organizations to use data without consent.
Jeff [10:57 AM]
[ Monday, November 02, 2009 ]
Survey: As I mentioned below, SoftwareAdvice is taking a survey on EMR adoption. They've decided to hold the survey open until Thursday, November 5th to see if they can compile more data. You can take the survey here.
Jeff [11:40 AM]
Miami HIPAA/ID Theft sentencing: As noted below, the Miami ID theft ring at Palmetto General Hospital resulted in two convictions: a medical records employee and an outside accomplice. The hospital employee got 2 years and 5 days (?) and the accomplice got 11 months in jail.
Via BNA (subscription required).
Jeff [10:44 AM]
[ Saturday, October 31, 2009 ]
Red Flags Update: I didn't see this until this morning, but knew it was coming. Sunday is November 1, the date the much-delayed Red Flags Rule would become enforceable against "creditors" (financial institutions, which obviously ought to implement identity theft prevention programs, have been under the Red Flags Rule for about a year). And when the eve of enforcement rolls around, the FTC punts. Which they did yesterday, delaying enforcement all the way to June 1, 2010. This time the delay was requested by members of Congress: the House has already passed, 400-0, legislation removing professional practices with fewer than 20 employees, and certain other businesses with characteristics indicative of a low risk of ID theft, from the rule's reach, but the Senate has not moved a bill yet.
Coincidentally, this happened the same day that a Federal Judge ruled that the FTC cannot enforce the Red Flags Rule against attorneys.
Jeff [9:44 AM]
[ Friday, October 30, 2009 ]
Cost-efficient technology: HIPAA issues abound, obviously, but there sure are some good iPhone and smartphone apps that doctors and patients can use that deliver a big bang for the buck.
Jeff [9:48 AM]
[ Thursday, October 29, 2009 ]
Red Flags and Small Businesses: To stop ID theft, businesses need to follow the Red Flags Rule. TJ Maxx and other high-profile breaches show that. But is it even more important for small businesses to follow the Red Flags Rule? Some say so.
Pro: small businesses have less technology, so lower technological defenses against ID theft. They also tend to be more likely to fall victim to social engineering. And they can't bear the potential cost of a data breach/ID theft claim, since they have fewer customers to spread that cost/risk over.
Con: they tend to know their customers better and are more likely to ask questions. With fewer customers, they are more likely to notice an aberration, since their customers will fall into a tighter pattern of behavior and account activity. They have less staff to bear the bureaucratic burden of compliance with regulations like the Red Flags Rule.
Arguments both ways.
Jeff [8:54 AM]
[ Wednesday, October 28, 2009 ]
Arkansas Snoopin' update: Sentences have been handed down in the Little Rock, Arkansas snoopin' case, which involved the brutal murder of Anne Pressly, a Little Rock news anchor. A doctor and two hospital employees were caught accessing the medical records of the victim, and have each been sentenced to a year's probation, plus fines and community service.
Jeff [1:38 PM]
EHR Adoption Due to Stimulus Bill Provisions: Have the EHR provisions in the so-called Stimulus Bill impacted your decision and/or timing about adopting electronic medical records? The folks at SoftwareAdvice are surveying folks to see if the statutory changes caused healthcare providers to take action, or just go looking. Go take the survey if you have any insights.
Jeff [11:14 AM]
5 Vulnerabilities that Lead to Identity Theft: Interesting article in InfoWeek's Dark Reading on areas to watch for ID theft. I thought it would be about specific items and behaviors that could pose risks, but it's more global than that. Interestingly, #5 is "Healthcare."
Jeff [8:41 AM]
[ Monday, October 26, 2009 ]
Curb Your Enthusiasm: The digitization of medical records is not the cure-all some claim it will be. As with just about every other component of the health reform debate, nothing will be as good (the public option will end the uninsured problem), bad (death panels will kill grandma), or efficient (cutting fraud and abuse will save $500 billion) as the most vocal proponents/critics say. Here, the Washington Post points out that not everyone thinks electronic medical records are a panacea.
Jeff [10:20 AM]
[ Thursday, October 22, 2009 ]
Cost of a (non-HIPAA) Data Breach: FTC fines ChoicePoint $275,000 for 2008 breach.
Jeff [9:54 AM]
[ Wednesday, October 21, 2009 ]
Hospital bans Facebook: New England Baptist Hospital has banned its employees from using Facebook at work over privacy and time-wasting concerns. The second concern is definitely apt; as for the first, that's probably punishing the medium when the message is the potential problem: a staffer who will post patient details on Facebook will post them from a phone or from home just as readily. It's an interesting dilemma for all businesses, but the privacy/patient information issue is particularly relevant for healthcare concerns. Ultimately, every organization needs a social media policy.
Jeff [7:34 AM]
[ Tuesday, October 20, 2009 ]
Red Flag Reduction Reax: Some disagree with the new legislation to exempt small providers from the Red Flags Rule.
Jeff [8:57 AM]
[ Monday, October 19, 2009 ]
Second Life: Interesting article on Children's Memorial Hospital in Chicago's use of Second Life for training and peer support for disabled patients. I'm still not very sure how to purposefully navigate through Second Life: I have an identity there and an avatar that looks nothing like me, thankfully, but have never had any successful interactions there. Is there a "Second Life for Dummies" site somewhere?
Jeff [8:03 AM]
[ Thursday, October 15, 2009 ]
RED FLAGS UPDATE: In case you're following the Red Flags issue (the latest FTC compliance date was shifted to November 1), here's some big, big news: The House Financial Services Committee has quickly (and without Republican objection) moved forward a bill that would fully exempt healthcare, legal, and accounting firms with fewer than 20 employees from the definition of "creditor" under the Red Flags Rule. It will also allow any company to seek an exemption directly from the FTC.
You can read below (and here, here and here) some of my other posts, but the gist is this: The FTC passed rules required by Congress under FACTA that require financial services companies and "creditors" to adopt identity theft prevention programs designed to spot "red flags" indicating that a customer may be a victim of identity theft. "Creditors" is broadly defined, so the AMA wrote a letter to the FTC asking for clarification that doctors aren't "creditors" generally. The FTC wrote back and said almost all doctors are, which started a war of words between the FTC and the AMA (and a bunch of other physician organizations), but which also led the FTC to serially delay the effective date of the Red Flags Rule. Further, the ABA took a more direct route, suing the FTC to remove lawyers from the definition of "creditors." As far as I know, the AICPA has sat on the sidelines, figuring they'll get the benefit of the efforts of the doctors and lawyers.
This Congressional action will settle the matter for small practices of lawyers, doctors and accountants, but won't impact the issue for larger organizations. It will be interesting to see if conceding the fight for the majority of AMA members will cool the AMA's lather; I don't suspect this will have any impact on the ABA lawsuit.
UPDATE: the bill to limit the applicability of the Red Flags Rule to companies with 20 or more employees has passed the House. However, there's no companion legislation in the Senate at this time, so it might just die where it is.
UPDATE 2: I should've mentioned that it passed the House 400-0. Can't they get someone in the Senate to pick it up?
Jeff [9:48 AM]
[ Tuesday, October 06, 2009 ]
Express Scripts: a successful 2008 intrusion into the pharmacy benefits management company's database might have exposed the personal information of 700,000 people.
Jeff [11:57 AM]
FTC Endorsement Rule: In light of the (unconstitutional) FTC guidance published yesterday requiring bloggers to disclose any compensation for endorsement, let me state that anyone listed under the "Advertisers" to the left has paid for that spot. Most of the "Links" are unpaid, but some might've plied me with liquor. Rest assured, the grand total of what I've been paid in cash for posts or links during the entire 7.5-year run of this blog is less than what I charge for an hour of my time.
UPDATE: Like I was sayin': read Jarvis.
Jeff [9:29 AM]
[ Monday, October 05, 2009 ]
70,000,000 Records; Is That a Lot? The National Archives hosts a database that allows veterans to request copies of their medical records and discharge data. One of the hard drives went out, so the Archives sent it to the contractor to fix. The contractor couldn't fix it, so it sent it to another contractor to recycle. Unfortunately, nobody scrubbed the data off the drive, which may hold medical information and social security numbers for up to 70 million people. After all of the Stimulus Bill and Healthcare Reform talk of billions and trillions of dollars, I'm a little dazed, but it still seems like 70 million is a lot of folks. Of course, so far there's no indication that the information actually fell into the wrong hands, nor is there proof of just how much information was out there (tags like "up to" or "as many as" are pretty much red herrings), and the last time the VA had a big data breach, nothing came of it. But still, not something you want to see. The lesson for everyone else: a drive that leaves your custody for repair or disposal should be wiped or physically destroyed first, or, better, should have been encrypted all along so that a failed drive is just a failed drive.
Jeff [1:50 PM]
Not what we intended: Congressmen react to Secretary Sebelius' "no harm" standard for notifying of data breach. Apparently, that's too loose a standard for the Congressmen, who did not intend for HHS to give breached entities such a big escape hatch.
Jeff [1:45 PM]
Data breach for physicians: Here's a twist. Yeah, it's the same old story of the stolen laptop, but this time the information was physician info (including some social security numbers), lost by an insurance company.
Jeff [7:38 AM]
[ Thursday, October 01, 2009 ]
Bookmark this Permalink: HHS has published its instructions for submitting a notice of a data breach involving PHI here. Count the number of affected individuals and follow the instructions.
Jeff [4:55 PM]
[ Friday, September 25, 2009 ]
Business Associate Agreements: The HITECH provisions of HIPAA contain some big changes for business associates, as well as some changes to business associate agreements. But the specifics aren't that well defined. What should you do? Should you amend your existing BAAs? Should you adopt a new form of BAA for new relationships, but keep the existing form to see what happens?
Well, according to Susan McAndrew, OCR's deputy director for health information privacy, HHS is drafting rules that specify what needs to go into your BAAs. My advice so far has been to wait; maybe you should adopt some new, relatively generic references to the new HITECH provisions and put them into your standard form BAA, but don't worry about amending your existing BAAs. I'm sticking with that advice.
Jeff [10:18 PM]
[ Thursday, September 24, 2009 ]
New York: Here's a story (subscription required) about a NY scam similar to the Miami scam mentioned Tuesday. A lawyer and seven employees of a public hospital were arrested for running a scam in which medical information of auto accident victims was taken by the hospital employees and sold to the lawyer, who used the information to file personal injury suits and get the patients unnecessary care at clinics that were part of the scam. The scam works particularly well in "no-fault" auto insurance states like NY.
Jeff [9:26 AM]
Social Media in Healthcare: I'll be speaking again next year at Q1 Production's 2nd Annual Healthcare New Media Marketing Conference, this time in Chicago, June 14-15, 2010. I'll be discussing the legal implications of using social media in healthcare, particularly in healthcare marketing.
On that note, here's a story about a hospital system and a physician recruiting agency using Facebook and Twitter to pursue their physician recruiting efforts. To paraphrase Willie Sutton, you gotta market where the customers are.
Jeff [9:16 AM]
[ Tuesday, September 22, 2009 ]
Twitter: Here's a Good Question. Answer: not if there's no PHI. Tweets are very short; most wouldn't be identifiable.
Jeff [6:11 PM]
More Miami Misappropriation: I think this is a spill-over and an addition of new parties to a previous story, but a Miami cosmetician has pled guilty to buying medical records for resale to a plaintiff's lawyer, who would solicit the patients to become his clients.
Like one of the commentators says, it's 99% of the lawyers that give the rest a bad name.
Jeff [11:17 AM]