[ Thursday, November 21, 2013 ]
De-Identification Certification Experts: If you know of any, please email me.
Jeff [11:28 AM]
HIPAA states that PHI is no longer PHI if it is de-identified according to HIPAA. There are 2 ways to de-identify: strip out 18 specific identifiers (the "safe harbor"), or get an Expert Opinion (the "expert certification"). It's hard to get usable information if you strip out all of the 18 items, since you have to strip out any dates other than years, and a lot of times you need to know the time between treatments, for example, or the time from diagnosis to treatment. So, often you need to go the other route and get an expert certification. I've gotten a few and know the names of some folks who are acknowledged experts, but my list is really short, and I'd like to expand it. Let me know if you have someone you'd recommend.
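As an added example (not from this post), the safe-harbor date rule applied to a constructed patient record: every date is cut down to its year, so the interval between diagnosis and treatment survives only as a difference of calendar years. Field names, the identifier list and all sample values are assumptions.

```python
# Added example (not from the HIPAA Blog post): a safe-harbor style
# de-identification pass over a constructed patient record, showing why the
# "dates other than years" rule destroys time-between-event measurements.
from datetime import date

# Direct identifiers removed outright. Field names are assumptions for this
# constructed record, not the full list of 18 safe-harbor identifiers.
REMOVE_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street"}

def generalize_date(d: date) -> str:
    """Safe harbor keeps only the year of any date tied to an individual."""
    return str(d.year)

def generalize_age(age: int) -> str:
    """Ages over 89 are collapsed into a single '90 or older' bucket."""
    return "90+" if age > 89 else str(age)

def generalize_zip(zip5: str, sparse_zip3: frozenset = frozenset()) -> str:
    """Keep the first three ZIP digits; a prefix covering 20,000 or fewer people
    must become '000'. The census-based prefix set is passed in by the caller
    (an assumption here) rather than hard-coded."""
    zip3 = zip5[:3]
    return "000" if zip3 in sparse_zip3 else zip3

def safe_harbor(record: dict) -> dict:
    """Return a de-identified copy of record under the rules above."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                        # strip direct identifiers
        if isinstance(value, date):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value                # diagnosis codes etc. stay
    return out

def interval_days(record: dict, start: str, end: str) -> int:
    """Exact interval, available only in the identified record."""
    return (record[end] - record[start]).days

def interval_years(deid: dict, start: str, end: str) -> int:
    """All that survives safe harbor: a difference of calendar years."""
    return int(deid[end]) - int(deid[start])

# Constructed sample record (every value is fictional).
RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "age": 92, "zip": "75201", "diagnosis_code": "C50.9",
    "diagnosis_date": date(2012, 11, 20),
    "treatment_date": date(2013, 1, 15),
    "followup_date": date(2013, 12, 30),
}

if __name__ == "__main__":
    deid = safe_harbor(RECORD)
    # 56 days apart in the source, but a "1 year" gap after safe harbor
    print(interval_days(RECORD, "diagnosis_date", "treatment_date"),
          interval_years(deid, "diagnosis_date", "treatment_date"))
    # 349 days apart in the source, but a "0 year" gap after safe harbor
    print(interval_days(RECORD, "treatment_date", "followup_date"),
          interval_years(deid, "treatment_date", "followup_date"))
```

The two pairs of events show the loss in both directions: 56 days becomes "one year" and 349 days becomes "zero years", which is why an expert determination is usually needed when intervals matter.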
[ Monday, November 18, 2013 ]
A Covered Entity can be a Business Associate of another Covered Entity.
Jeff [11:19 AM]
This is well-settled ("A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity") from the beginning of HIPAA, but some people continue to think that since their client is a covered entity, it need not sign a business associate agreement when it provides services for another covered entity and creates, receives, maintains or transmits PHI in connection with the services.
[ Tuesday, November 05, 2013 ]
California Update (Happy News for Kaiser):
Jeff [2:05 PM]
California's Confidentiality of Medical Information Act requires California entities to protect medical information, and prohibits them from disclosing the information except for proper purposes. In a case I noted earlier, UCLA had an issue when a physician took home a portable hard drive, which was stolen from his house. The hard drive was encrypted, but the encryption key was on a sticky note stuck to the hard drive, so UCLA couldn't rely on the encryption. However, a California appeals court has ruled that the plaintiff must prove that the information was actually disclosed, not just lost.
This is good news for Sutter, which had a theft at one of its offices involving a desktop computer (believe it or not) with PHI on 4,000,000 people. Since CMIA allows for $1,000 statutory/nominal damages per person, that's a $4 Billion potential loss. However, unless the plaintiffs can prove that the PHI was disclosed, not just lost, then the damages might not be there.
[ Friday, November 01, 2013 ]
The "Hide Rule" gets some attention:
Jeff [11:07 AM]
Modern Healthcare (subscription required) has an article on presentations made at AHIMA relating to the "hide rule," which allows a patient to prohibit a provider from giving information to an insurer or other payor if the patient pays in full "out of pocket." It's easy to just not send the data at the time of service since the patient paid, but many EMRs don't allow a provider to appropriately tag the data so it doesn't get out to a payor at some later date. That makes things hard to comply with, a situation that HHS knows about but can't do anything about (since the "hide rule" is hardwired into the statute [HITECH], HHS can't just waive it away in the regulations -- hey, wait a minute, this administration does that all the time . . . .).
[ Tuesday, October 22, 2013 ]
Another Social Media Question:
Jeff [1:27 PM]
Most of the time, we discuss doctors, hospitals and others using social media, and concerns regarding when those uses might involve the use or disclosure of PHI. Here's an interesting article on doctors using social media to check up on patients for medical compliance issues. Definitely a tricky issue.
AHMC (California) Data Breach:
Jeff [1:17 PM]
2 laptops stolen. Data on 729,000 patients from 6 hospitals. Good physical security, password protection, but no encryption. Reportable, of course.
[ Wednesday, October 09, 2013 ]
SLU Phishing Attack:
Jeff [11:01 AM]
Here's an interesting HIPAA breach that didn't start out that way. St. Louis University was hit by a sophisticated (and apparently realistic) phishing attack that allowed a hacker to get access to email accounts and direct deposit information of a handful of SLU employees. It seems the initial phishing attack was to redirect direct deposits into the hackers' accounts. Not a HIPAA issue, right?
Upon further review, conducted I'm sure by the inestimable HIPAAcrat Karen Pyatt, it was discovered that the hack also allowed access to a handful of email accounts that contained PHI of about 3000 SLU patients. Mostly the PHI was diagnosis-related, but some social security numbers were there too. The 3000 have been notified.
Hat tip: Malvern Group.
Physician Rating Websites:
Jeff [10:53 AM]
An interesting article in Family Practice Management (the publication of the American Academy of Family Physicians) on how doctors should handle website reviews, particularly bad ones. Not a whole lot of new info, but confirms that it's tough to deal with bad reviews. Whatever you do, don't use or disclose PHI in responding to a bad review: just because the patient posts his/her own PHI (even if they lie in doing so), that doesn't give the provider the right to use or disclose the PHI further.
[ Friday, October 04, 2013 ]
Harris Methodist Ft. Worth:
Jeff [7:26 AM]
This was news several months ago; microfiche files were found in some public places, when the information was supposed to have been destroyed. Why are they just now notifying patients?
[ Wednesday, October 02, 2013 ]
Santa Clara Valley Hospital breach:
Jeff [1:44 PM]
Stolen laptop. Encrypted? Of course not.
Another Holy Cross Breach:
Jeff [1:32 PM]
The Ft. Lauderdale hospital is struck by another employee stealing patient identities, this time apparently for tax return fraud.
Hat tip: Malvern Group
[ Thursday, September 26, 2013 ]
Skype is not an approved telemedicine technology:
Jeff [1:07 PM]
At least not in Oklahoma
[ Wednesday, September 25, 2013 ]
Holy Cross Data Breach:
Jeff [10:09 PM]
A former hospital employee apparently accessed the data for identity theft purposes.
That Didn't Take Long:
Jeff [4:58 PM]
We already have our first data breach by a Health Insurance Exchange (HIX). Broker information rather than patient/beneficiary information, but still. . . .
[ Friday, September 20, 2013 ]
Refill Reminder Guidance:
Jeff [12:25 PM]
As I noted last week, HHS agreed, in connection with a suit filed against it, to offer some guidance on how the refill reminder exception to the marketing prohibition is supposed to work. If you've spent any time trying to figure out what you can and can't do under HIPAA relating to marketing, you know it's frustratingly confusing. So troubling that Adheris sued HHS to try to get a federal court to determine what it could and couldn't do.
Now, HHS has provided some guidance, along with some FAQs. The jury's still out on whether this will be enough.
NoPP Revisions Delayed:
Jeff [12:19 PM]
No need to worry about Monday's D-Day for revising your HIPAA Notice of Privacy Practices -- if you're a CLIA or CLIA-exempt lab, that is. The rest of you, keep drafting.
[ Tuesday, September 17, 2013 ]
HHS Publishes Model Notice of Privacy Practices:
Jeff [5:17 PM]
I haven't looked at it yet, but if you want to see it, it's here. Hopefully this isn't the first one you've looked at. . . .
Is HHS the Real Grinch?
Jeff [7:36 AM]
This article thinks HHS is too harsh, but I think the last sentence gives it away: the covered entity is a victim, to be sure, but the patients are much more innocent as victims. The covered entity could've avoided the whole problem by encrypting, but chose not to. Who's in the wrong, then?
[ Thursday, September 12, 2013 ]
32,800,000 hours per year for HIPAA compliance.
Jeff [4:37 PM]
That's the toll on the industry. 3,500 years. 35 centuries. The good news is that Omnibus only accounts for 619,000 hours. Most of the rest comes with things like getting NoPPs signed. More here
[ Wednesday, September 11, 2013 ]
RX Refill Reminders Guidance Coming:
Jeff [1:01 PM]
HHS is going to issue guidance by September 23, 2013 outlining and explaining HIPAA's requirements relative to prescription drug refill reminders. Many big pharmacy companies have stopped providing the reminders due to confusion caused by unclear language in the "marketing" provisions of the Omnibus Rule, and one group actually sued HHS. That group, Adheris, and HHS have agreed, in a joint order in their court case, to put the case on hold while HHS puts together guidance.
The marketing provisions of the Omnibus Rule are poorly thought-out and poorly drafted, and the prescription reminder part is actually one of the more clear provisions, in my opinion. Hopefully, HHS will take on the entire marketing provision and fix it.
[ Friday, September 06, 2013 ]
Jeff [5:52 PM]
Medicare is a "health plan" under the HIPAA definition, thereby making it a "covered entity" under HIPAA. As such, it needs a Notice of Privacy Practices. Here is their new one.
[ Wednesday, September 04, 2013 ]
UT Physicians breach:
Jeff [8:12 AM]
Last but not least, an unencrypted laptop was stolen from the physician group associated with The University of Texas Medical School at Houston. Company policy is to encrypt all laptops, but this one missed somehow. The computer was connected to an electromyograph machine, so that's the type of data it held. Apparently no social security numbers.
St. Louis Area Orthodontist Practice Suffers Break-In:
Jeff [8:08 AM]
Computers were stolen, containing PHI including social security numbers. The computers were password-protected, but not encrypted. Reporting of the breach came 5 weeks after the incident. About 10,000 patients' data was exposed.
Alaska Email Disaster:
Jeff [8:00 AM]
Hope Community Resources, an Alaska network of social workers and disability volunteers, sent an email to stakeholders (state workers and others involved in providing services to the disabled) seeking input as part of a re-accreditation process. Unfortunately, they included an attachment that had personal information about Hope's 3700 clients. Doesn't look like social security information, but the mere identity of the patients and their connection to Hope is definitely sensitive information (not to mention PHI).
[ Friday, August 30, 2013 ]
FTC goes after LabMD:
Jeff [11:01 AM]
The Federal Trade Commission is pursuing an action against LabMD for failing to protect patient data. It's not structured as a HIPAA violation, but rather as a violation of the FTC obligations to protect computerized data. It's not clear from the article if this is a "Red Flags Rule" violation or some other cybersecurity violation, but it sure looks like it could be a HIPAA breach as well.
[ Wednesday, August 28, 2013 ]
Audit Documentation:
Jeff [10:40 AM]
Interesting article on the types of documentation you should consider keeping (as well as drafting and developing, of course) that will help you respond to a HIPAA Audit. Interestingly, if you prepare for the audit (or, more semantically, ensure that you will be prepared for an audit), you will also be in much greater compliance than if you don't.
Hat tip: Malvern Group
[ Monday, August 26, 2013 ]
Advocate (Chicago) Data Breach:
Jeff [10:21 AM]
Thieves stole computers with name, SSN, and other demographic data. The computers were password-protected, but not encrypted. Even though it's not health information, it's PHI. Thus, it's a reportable breach. Wouldn't be if they used encryption. Get it?
[ Thursday, August 15, 2013 ]
13 State AGs Query CMS on Privacy Concerns Related to Navigator Program:
Jeff [4:42 PM]
A group of Republican (most if not all) state attorneys general have written a letter to HHS Secretary Sebelius pointing out the potential privacy problems posed by the Affordable Care Act's "Navigator" program. These are supposed to help people navigate their way through the ACA insurance mandates and the insurance exchanges, which naturally means the navigators will have access to the health information of the individuals they are helping. A "disaster waiting to happen," according to Texas AG Greg Abbott. Of course he's right, but you could say that about a lot of the ACA.
Jeff [4:33 PM]
A NY health plan failed to clear the hard drives on the copiers it leased prior to returning them. The office equipment lessor then resold the machines, including one to CBS News, which found health information on the hard drive. Almost 350,000 patients were impacted. The health plan, Affinity, settled with OCR for $1.2 million. Lesson to be learned?
[ Wednesday, August 14, 2013 ]
IRS Sued for HIPAA Breach:
Jeff [3:49 PM]
I have a hard time telling if this is real or a politically-inspired fairy tale, but apparently an unnamed California medical provider is suing the IRS for allegedly stealing patient records on 10 million patients. It looks like the provider might have been the subject of an IRS investigation involving 15 IRS agents who seized records of the business, including medical records. Given the NSA and other spying scandals, not to mention the apparent use of the IRS against tea party and other groups opposed to the current administration, at the very least this will feed the imaginations of those who think the worst about how the government uses data and deals with privacy issues.
Hat tip: Joanna Napp
[ Thursday, August 01, 2013 ]
Doctors and Email:
Jeff [10:58 AM]
A favorite topic of mine. Unless you are absolutely certain you have dotted all of the i's and crossed all the t's, and seriously considered the HIPAA ramifications if you get it wrong, DO NOT EMAIL WITH PATIENTS. Here's a pretty good example of what can go wrong: the patient you are trying to contact isn't at the email address you are using, but a newspaper reporter is. See how problematic that can be? Each one of these is a HIPAA breach; under the Omnibus Rule standards for breach reporting, many of these are probably reportable. At the very least, the covered entity is obligated to do a risk analysis and try to mitigate (in the last example given, the covered entity clinic did not even try to recover the breached data or ask the improper recipient to destroy the email).
[ Tuesday, July 30, 2013 ]
Oregon Health & Sciences University Reports Cloud-Based Breach:
Jeff [11:34 AM]
An OHSU resident put medical information about 3000 patients on a spreadsheet and stored it on Google Drive, Google's cloud-based storage platform. I have to say it's not clear that this is a data breach -- it depends on the safeguards to prevent access by unauthorized users. According to OHSU's press release, Google Drive is password-protected; but OHSU doesn't have a BAA with them, and Google states that it may access information on Google Drive for Google's own purposes, such as improving services. That was apparently sufficient for OHSU to report the use as a breach. OHSU's other 3 big breaches involved stolen laptops or flash drives.
[ Monday, July 29, 2013 ]
$1.44 Million Verdict:
Jeff [9:55 AM]
A pharmacist looked up prescription information on her husband's ex-girlfriend (and baby mama) and shared it with the husband. The ex-girlfriend sued Walgreens and the pharmacist and won $1,440,000. Yes, there is no private cause of action under HIPAA, so this wasn't actually damages for violating HIPAA, but it was a case of damages for another tort (failure to protect the privacy owed under a legal obligation) which was basically proven by virtue of the fact that HIPAA was breached.
[ Tuesday, July 23, 2013 ]
HIPAA Breaches via Stolen X-Rays:
Jeff [11:26 AM]
Old x-ray films are valuable because they contain silver, and thieves have figured that out. This is just the latest in a series of x-ray thefts. Sort of like laptop theft, the value to the thief is definitely NOT the PHI included in the x-ray; however, it's still a reportable HIPAA breach in most cases.
[ Monday, July 22, 2013 ]
State Big Data Programs Run Into Privacy Problems:
Jeff [3:22 PM]
Interesting article on how several states, in efforts to either integrate care or profit from compiled databases of PHI, are running into privacy issues. If you ever wondered why you must take so much data out to "de-identify" PHI under the "safe harbor" provisions of 42 CFR 164.514(b)(2), this is why.
[ Tuesday, July 16, 2013 ]
In Florida, HIPAA and Malpractice Law Collide:
Jeff [10:42 AM]
Plaintiff's lawyers are suing to prevent this from becoming effective, but Florida law now allows a malpractice defendant to interview and obtain PHI from other physicians who treated the plaintiff, ex parte (without the plaintiff or plaintiff's lawyer being there). The idea is that the plaintiff has brought his/her medical condition into question in bringing the lawsuit, and the defendant has the right to talk to other doctors to see if (i) the other doctors might have contributed to any potential bad outcome or (ii) the other doctors support the accused doctor. The opposition to this idea is that the plaintiff shouldn't have to waive all privacy rights to potentially unrelated medical issues just to get a day in court when he/she's been injured.
But it's not really a HIPAA issue. If the state allows discovery in the course of a judicial proceeding, then that type of disclosure is specifically allowed under HIPAA. There's no conflict with the workings of the regulations, just the underlying question of how to balance these competing concepts of privacy.
[ Sunday, July 14, 2013 ]
Cedars-Sinai Hospital Fires Workers Suspected in Privacy Breaches:
Jeff [10:32 AM]
Seriously, I was not trolling for Kardashian news, just a happy coincidence of HIPAA and TMZ. LA hospitals obviously have more issues with "snooping," since there's more to snoop. It's a good idea for any health provider who has patients with public personae (not only celebrities, but politicians or sports stars) to keep an open eye for snooping, but keep in mind that most snooping involves friends and family members, and much is good-intentioned. Still, good intent is not a defense for a HIPAA violation.
UPDATE: a little more info from the LA Times. Not sure how the hospital fired employees that weren't its own, but whatever.
[ Friday, July 12, 2013 ]
And Right Here at Home:
Jeff [9:06 AM]
Ft. Worth's Texas Health Harris Methodist Hospital is notifying some folks who were patients 20 - 35 years ago that their PHI might have been breached, after a box of microfiche records that was sent off to be destroyed instead turned up in a Dallas park. Names, (presumably old) addresses, birth dates and some social security numbers were in the data. Because it was microfiche, it was not shredded on site by Shred-It, the contractor/business associate.
This is not the first time I've seen something like this. Be very careful choosing your shredding contractors.
[ Thursday, July 11, 2013 ]
Jeff [10:41 PM]
600,000 individuals affected, but no known misuse of data or identity theft, no known harm done, and credit monitoring offered to all who wanted it. Still, HHS has fined WellPoint $1,700,000 for failing to provide sufficient HIPAA security protection to applicants for its insurance products.
Hat tip: David Maizenberg (first past the post).
[ Tuesday, July 09, 2013 ]
Update on Adventist/Sunbelt HIPAA breach class action lawsuit:
Jeff [11:38 AM]
I previously posted on the filing of a class action lawsuit against Florida Hospital-Celebration due to a HIPAA breach caused by rogue employees stealing patient data. Now, a Federal judge has dismissed the lawsuit. The article doesn't indicate it, but the Federal judge indicated that, while Federal HIPAA rules determine the standard of conduct, it really is only a state law claim being made, so it doesn't belong in Federal court. The plaintiff's counsel's comment is interesting, because he doesn't mention re-filing the case in state court. That's where I'd expect this case to end up.
UPDATE: According to Dissent Doe, the case HAS been re-filed in State court. The lawyer's quote sounded like a surrender line.
[ Tuesday, July 02, 2013 ]
Wedgewood Legacy Medical in Nebraska suffers data loss:
Jeff [8:25 AM]
A lost thumb drive? Not exactly; it sounds like the chip in the thumb drive is what's gone missing. Regardless, it wasn't encrypted, and about 2000 patients got the notification letter.
[ Friday, June 21, 2013 ]
Data Theft and Meth Labs:
Jeff [4:46 PM]
I pretty regularly refer to the stolen laptop epidemic as a "crackhead" problem -- they aren't stolen by data thieves because they have PHI on them, they're stolen because some crackhead wants to fence it and get drug money.
Well, it turns out that in California, there might be a more direct link between stolen PHI and meth labs -- the records were found in a drug bust (I previously noted the case here). It's starting to look like this is not just a coincidence.
[ Wednesday, June 19, 2013 ]
Five Myths About Privacy:
Jeff [9:31 AM]
This is a Washington Post piece really focused on the NSA data gathering concerns, but Professor Solove points out some healthcare impacts as well.