[ Wednesday, December 10, 2014 ]
Jeff [7:35 AM]
[ Tuesday, December 09, 2014 ]
Some Folks are Catching Up at Lexology:
Jeff [1:30 PM]
(i) on the Connecticut decision
allowing a state cause of action to proceed using HIPAA as a guide (but acknowledging the lack of a private cause of action under HIPAA itself); and (ii) on the Indiana case
holding Walgreens liable for an employed pharmacist's apparent improper access to PHI. Of course, you read about them here first. . . .
[ Monday, December 08, 2014 ]
$150,000 fine for Alaska Mental Health Agency's Failure to Protect ePHI: Malware on the computer system
Jeff [7:28 PM]
compromised data of 2,743 patients, but the bigger issue is the failure of the organization to keep its information systems up to date. The malware apparently took advantage of security issues in the software for which patches had been issued, but the agency didn't keep track of patch management. Basically, it's proof that adopting decent policies isn't nearly enough if you don't regularly make sure you've got reasonable risks covered. The bulletin also pushes the HIT Security Rule Risk Assessment Tool
: hint, hint, if you haven't reviewed this and compared your current security to what's in here, you're likely gonna get fined if there's a breach.
[ Friday, December 05, 2014 ]
Jeff [11:20 AM]
[ Wednesday, December 03, 2014 ]
Employee Snooping at Cleveland's University Hospitals.
Jeff [2:41 PM]
It's being blamed on lax oversight
; policies were good enough, but access auditing and other gatekeeper activities might have exposed the problem much earlier. Trust but verify, a wise man once said. . . .
Jeff [12:00 PM]
[ Tuesday, November 25, 2014 ]
Beth Israel Deaconness, BYOD angle:
Jeff [10:46 AM]
As previously noted here
, someone stole a laptop from a physician at Beth Israel Deaconness hospital in Boston. The laptop didn't belong to the hospital, but the hospital knew the doctor was using it for patient data, and (of course) it wasn't encrypted. The hospital has settled the state-law breach issues
(and the state AG HIPAA enforcement issue) with the Massachusetts state officials, for a $100,000 fine. I asssume there will be no OCR fine in this case, since HIPAA was specifically included in settlement with the state AG.
[ Wednesday, November 19, 2014 ]
Jeff [2:16 PM]
Prime Healthcare Services' Shasta Regional Medical Center in California was fined by the State of California
in a case involving an advocacy group trying to make the hospital look bad. A patient disclosed her own medical information related to her stay at Shasta Regional Medical Center; when the press asked the hospital executives about the matter, they disclosed the patient's information in defending the hospital, which served as the basis for the state and federal fines. Apparently the patient also sued, but lost;
the court determined that the patient had implicitly waived her privacy rights by making the initial disclosure to the hospital, and that therefore there was no improper disclosure of private information or any harm suffered by the patient.
Hat tip: Theresa Defino
Jeff [7:33 AM]
Hospital employees steal patient identities
, file false tax returns. HIPAA breach, but really just plain old identity theft.
[ Tuesday, November 18, 2014 ]
Brigham & Women's Hospital Laptop and Phone Theft: approximately 1000 patients affected
Jeff [1:19 PM]
. Can't really tell if the devices were encrypted, but don't know if that would matter if the robbers made the victim give up the codes. As the commenter notes, I wonder why it took 2 months to report this -- hopefully that was at the request of the police.
[ Monday, November 17, 2014 ]
Walgreens' $1.4 Million Verdict:
Jeff [1:13 PM]
an Indiana court has upheld
a $1.4 Million judgment against Walgreens. A Walgreens employed pharmacist accessed prescription records of her boyfriend's ex-girlfriend, and apparently disclosed the details to the boyfriend. Presumably, the employee violated all sorts of rules, procedures, policies, and training, and I would assume Walgreens argued that she was acting outside the scope of her employment when she accessed the records. But the court has held Walgreens liable, and the appellate court affirmed it, based on negligent supervision and retention, and invasion of privacy.
[ Sunday, November 16, 2014 ]
Jeff [2:08 PM]
[ Friday, November 14, 2014 ]
$19,000 per victim?
Jeff [4:20 PM]
That's the alleged cost per person
of a HIPAA breach, although it's the cost if the breach victim is actually a victim of medical identity theft.
Jeff [4:13 PM]
Are you a lawyer with covered entity clients? Are you worried about HIPAA? Want to know what your obligations are as a business associate? You might want to check out this webinar
[ Thursday, November 13, 2014 ]
Ebola and HIPAA:
Jeff [3:04 PM]
I've heard lots of folks questioning how healthcare providers such as Texas Health Presbyterian Hospital here in Dallas were able to issue press releases and discuss the health condition and treatment of the Ebola patients they treated. It's an interesting question: the providers can't talk about it unless the patients authorize them to do so, but they must also disclose data to governmental agencies when required by law to do so (whether those government agencies may then disclose the data depends on whether they are covered by HIPAA [usually not] or some other privacy law [usually are]).
However, what normally happens in high-profile medical cases, whether they be "epidemic-disease-fo-the-day" or some high-profile incident like a terrorist attack, is that the provider coordinates with the patients, asks them how much information they want disclosed (if any), and respects their wishes.
Here's a pretty good article on what Emory Healthcare did
with their Ebola patients where the press was concerned.
Jeff [2:45 PM]
[ Wednesday, November 12, 2014 ]
Jeff [12:05 PM]
[ Tuesday, November 11, 2014 ]
HIPAA-compliant website issues:
Jeff [7:27 AM]
here's an interesting blog post
on HIPAA issues encountered relative to a specialty pharmacy website hosting arrangement.
[ Monday, November 10, 2014 ]
Jeff [3:18 PM]
Wondering how those hospitals are able to discuss the status and prognosis of their Ebola patients? OCR has just recently published a Bulletin on "HIPAA Privacy in Emergency Situations"
as a reminder to covered entities about the who/what/how/when of making these sorts of disclosures.
[ Wednesday, November 05, 2014 ]
HIPAA Private Cause of Action:
Jeff [3:30 PM]
Long-time HIPAAcrats know that there's no private cause of action for a HIPAA violation. In other words, if your doctor violates HIPAA and discloses your PHI to the National Enquirer, you can't sue him for violating HIPAA
. Depending on where you live, you may be able to sue him for violating a similar state law, a state data breach law, a law requiring physicians to maintain confidentiality, or on common-law grounds such as invasion of privacy. In such a suit, the doctor's failure to follow HIPAA would probably be pretty good evidence that he did not act reasonably, and would help your case. But unless you had some statutory or common-law claim, you can't sue just for a violation of HIPAA.
A recent Connecticut case implies
that you can sue for a HIPAA breach in that state. Actually, a better description would be that "a violation of HIPAA regulations may constitute a violation of generally accepted standards of care." In other words, you can sue for negligence based on a violation of HIPAA; you just can't sue based on the HIPAA violation alone.
[ Wednesday, October 29, 2014 ]
It May Be a Dirty Little Secret, But It's Not Necessarily a HIPAA Violation: Venture Beat has figured out
Jeff [3:35 PM]
that a lot of healthcare providers text using unencrypted devices operating over regular cellular networks. Yes, they do. And yes, many of us strongly urge against them doing so. But it's not necessarily a HIPAA violation to do so. As I would've commented on the post itself if it didn't mean letting Venture Beat "manage my Google contacts":
To say "This is a clear violation of HIPAA" is fatuous and false. It's not very secure and not very smart; it could be a violation of an entity's policies and procedures; it could in some instances be a violation if it is absolutely and legally unreasonable to use such a communications device in such a fashion. But HIPAA is scalable and technologically neutral; encryption IS NOT A REQUIRED ELEMENT under HIPAA.
HIPAA covered entities should conduct risk analyses and do their best to secure their data as much as possible, including eliminating unsecure texting wherever possible. But just because it's a bad idea doesn't mean it's against the law (or, in this case, against the regulations).
California AG's Data Breach Report:
Jeff [12:29 PM]
California healthcare providers (and other covered entities) (and other folks outside California) should be sure to read this
. She specifically calls on healthcare providers to "Consistently use strong encryption to protect medical information on laptops and on other portable devices and should consider it for desktop computers." If this is what's happening in California, it's either happening in your state too, or will be soon.
[ Thursday, October 23, 2014 ]
Sutter Health, Eisenhower Updates (California) :
Jeff [2:38 PM]
I've previously mentioned the Sutter Health desktop computer theft case, and the ensuing potential $4 billion class action case, that was dismissed because there was no proof that the data on the computer was ever actually accessed or used. The state supreme court has upheld the appellate court's dismissal
of the case.
Eisenhower ws facing a $500 million class action suit for the loss of a laptop containing names and personal information of 500,000 folks, but apparently no medical histories, conditions, or treatment. Because of that, the case has been tossed.
[ Tuesday, October 21, 2014 ]
Medical Identity Theft:
Jeff [3:30 PM]
It's becoming even more common. Here's why.
Rigorously following HIPAA is the best preventive.
[ Friday, October 17, 2014 ]
Ebola, Public Health, Emergency, and Related Disclosure Questions:
Jeff [3:26 PM]
Some of the AHLA ListServs are buzzing today with questions about how and why Texas Health Presbyterian Hospital (which is just over a mile from my house) has disclosed the names of the two nurses who have caught Ebola. Normally, a hospital can't disclose the names of patients, except for treatment, payment, healthcare operations, with patient consent, or as required by law or otherwise allowed by HIPAA. HIPAA allows covered entities to disclose PHI in emergency situations, and generally health care providers are required to disclose infectious disease information to state and federal epidemiology agencies. Some have also speculated that Presby might have patient consent to make the disclosures, in which case they clearly would be allowed.
HHS has helpfully provided an FAQ
relating to disclosures in the case of a bioterrorism threat of public health emergency, and has also provided a decision tool
for healthcare providers faced with determining whether there is a public health emergency or emergency preparedness reason for a disclosure.
Hat tip: Alan Goldberg.
[ Monday, October 13, 2014 ]
Community Health Systems update:
Jeff [10:12 AM]
As previously reported
, CHS was hacked. The sequelae has started: one of the community hospitals in New Mexico has been sued
, and the attorneys are seeking class certification.
The lesson here is that the severity of the breach and the actual harm caused by loss of confidentiality may be miniscule compared to the legal costs of just fighting a thousand different plantiff's lawyers.
[ Friday, October 10, 2014 ]
Accounting for Disclosures: Have you been worrying about how to comply with the accounting for disclosures rule that HHS published way back in 2011? No? Hell, even I'd forgotten about it, even though I gave quite a few speeches and webinars about it. It's a mess, and raised all kinds of issues based on who "touched" the file, not just to whom it was disclosed. It was to have become effective January 1, 2015. However, HHS has just announced that they will delay the effectiveness and reopen the rule for comment. That's the right thing for them to do.
Jeff [11:39 AM]
People rarely ask for accountings of disclosures, and often do so for (illegitimate) aggressive or litigious purposes. So making the industry jump through hoops for such a rare reason is sensible.
[ Thursday, October 09, 2014 ]
Jeff [1:50 PM]
[ Tuesday, September 16, 2014 ]
Get In Line: App developers are frustrated
Jeff [11:40 AM]
with the imprecision of HIPAA. Actually, I'm not sure exactly what relief they are looking for. HHS is not going to write regs that say, "you can't use PHI except for treatment, payment, or healthcare operations, unless you do it with a mobile app, then it's all OK, do whatever you want."
HIPAA is conceptual in nature; you've just got to understand that and deal with it.
Mississippi CHS Data Breach Lawsuits:
Jeff [11:29 AM]
Suits are beginning to be filed
in the CHS hacking case. Class status is being sought.
[ Monday, September 15, 2014 ]
Temple University Data Breach:
Jeff [9:45 AM]
This time it was a desktop computer
that was stolen, with 3780 patients affected. Not encrypted, of course. This shows that, while it's an excellent idea to encrypt all mobile devices, don't forget about encrypting non-mobile devices as well (in this case, the non-mobile desktop went mobile when it was stolen).
[ Friday, September 12, 2014 ]
Huntsville, AL Lab Data Breach:
Jeff [9:57 AM]
A clinical lab in my old hometown of Huntsville, Alabama is notifying patients, since their billing contractor put some of their data on a server that was accessible to Google
searches. They've notified 7,000 patients. Presumably the lab had a business associate agreement with the billing company, and presumably that BAA will require the billing company to pay for the notification.
Is this "willful neglect"? If so, expect a sizeable fine.
[ Thursday, September 11, 2014 ]
Jeff [8:06 PM]
Jeff [1:47 PM]
Big Data is a big deal, and despite the protections of HIPAA, given enough data from non-HIPAA-covered sources, the right person (or computer) can figure out a lot about a person, potentially including medical data. I discussed this in a radio interview this summer, when the press was buzzing about this, but here's another article
[ Wednesday, September 10, 2014 ]
OCR Audits are Coming: This isn't news, or at least it shouldn't be.
Jeff [1:31 PM]
And when OCR comes, the first thing they're going to ask for is documentation of (i) your initial risk analysis and any updates or further assessments and (ii) your current policies and procedures. IF YOU DO NOT HAVE THIS DOCUMENTATION, . . . . well, it's not going to be pretty.
You can't say you weren't warned.
Can De-Identification Ruin Data for Research?
Jeff [1:06 PM]
My boy Daniel Barth-Jones
has an article
in FierceBigData discussing MOOCs, MUACs, and how concerns that de-identification might skew research results shouldn't be the death of deidentification or anonymization.
[ Tuesday, September 09, 2014 ]
Jeff [9:27 AM]
[ Wednesday, September 03, 2014 ]
Business Associate Agreement Deadline Approaching: the Omnibus Rule made a few relatively minor changes to the business associate agreement requirements, and imposed an initial deadline of September 23, 2013 for compliance. However, it did allow a certain "grandfathering" of BAAs that met the then-existing requirements and were already in place; that grandfathering was not limitless, and only allowed covered entities and business associates to keep their existing BAAs in place for an additional year. That year is about to end (NB: there's some confusion about whether September 22 or 23, 2014 is the appropriate date, but I don't think OCR will make that fine a distinction).
Jeff [5:19 PM]
If you are still operating on BAAs from 2003, you definitely need to update them to include what was required under the Security Rule in 2005, as well as what's required by HITECH and Omnibus (2009 and 2013, respectively). Now would be a good time to review your BAAs, particularly if you did not do so in 2013 or 2014.
One word of caution, though. A lot of covered entities are in the last month of pushing through "updated" BAAs, demanding their business associate vendors sign their new forms because they are absolutely required. All well and good, so far. However, many of these covered entites (hospital systems, I'm looking at you) are adding new, non-required provisions such as indemnification, encryption, and off-shoring requirements. In effect, they are trying to renegotiate their underlying agreements, and using the BAA requirement as a Trojan Horse.
My advice to covered entities: don't do that. If you need to update the BAA to meet Omnibus, do what is necessary, and nothing more. If you want to renegotiate the deal, or even if you want to require your BAs to jump through stricter hoops than you required before, that's OK, but be up front about it and don't try to hide behind the Omnibus Rule "required" changes.
My advice to business associates: read closely the new BAA, compare it with the old one, and call out your customers if they try to slide something by you.
Let's all be open and honest out there, OK?
[ Tuesday, September 02, 2014 ]
Texas Hospital Employee Indicted for HIPAA violation
Jeff [8:17 PM]
: Joshua Hippler worked at some hospital in East Texas (the DOJ isn't saying which one) and apparently took PHI for personal gain
. I'm sure there's more to the story, and will let you know when I find out more.
Health Care and Identity Theft: Interesting article
Jeff [9:06 AM]
. But the premise that data breaches in healthcare equal ID Theft isn't true. Much of reportable healthcare data breaches do not include any of the data useful for identity thieves. When lab test results are sent to the wrong office, or a hospital can't locate a piece of computer hardware, or someone steals a laptop that is subsequently scrubbed clean so it can be resold, and in each case there is a name but no social security number, date or birth, mother's maiden name, etc., the chances of identity theft are very low. But it's still a HIPAA breach, and reportable.
That doesn't lessen the fact that medical identity theft is a big problem, and carries huge, life-threatening risks. The industry should follow the FTC Red Flags Rule and implement triggers to detect medical identity theft, and work efficiently to correct bad medical records that are left behind.
[ Tuesday, August 26, 2014 ]
Jeff [6:44 PM]
[ Friday, August 22, 2014 ]
Jeff [8:28 AM]
[ Tuesday, August 19, 2014 ]
ICYMI: Rhode Island Hospital Pays Mass. AG for HIPAA Breach:
Jeff [1:42 PM]
In a rare cross-border reach, the Massachusetts attorney general fined a Rhode Island hospital
(and the hospital paid the fine) for breaching the security of PHI of a bunch of Massachusetts residents. The breach violated HIPAA, but also violated MA's stringent data encryption and breach law. The MA statute purports to have a "long arm" reach (it applies to anyone who deals with the PHI of MA residents, regardless where the record-keeper is located), but it would be hard to the MA AG to achieve jurisdiction over actors in other states. However, I suspect in this case the RI hospital gets MA Medicaid funds and otherwise may do business in MA, so they probably felt they had to play along.
[ Monday, August 18, 2014 ]
Community Health Systems:
Jeff [1:21 PM]
An APT hacker group
got into Community Health System's database and stole names, SSNs and DOBs of 4.5 million patients of Community's physician network. The good news: the hackers are usually looking for medical device development data, which they didn't get. More good news: no credit card data got out. But, it's still a big ole HIPAA breach.
[ Wednesday, August 13, 2014 ]
Weaponizing Your Breach Detection System:
Jeff [4:10 PM]
If you're a HIPAA covered entity, you need a breach detection system, even if it's just your normal access audit reviews plus your employees keeping their eyes and ears open for something funny. The more sophisticated your systems and operations, the more formal your breach detection system should be. For the bigger players, your breach detection system is probably not doing all it should. Here's an interesting article
on ways to change the focus, and thereby improve the product, of your breach detection system.
[ Monday, August 11, 2014 ]
Baby Pictures = HIPAA Violation.
Jeff [2:15 PM]
OK, this article
has made a big splash, and it's generated a lot of talk in the HIPAAverse. And it's generally accurate, but there's a lot unexplained around the margins. Yes, baby pictures are PHI if the baby is/was a patient of the practice. But a consent form is a pretty simple document, one that every covered entity should have as a handy and ready-to-use form, and it's simple to ask a parent/patient to sign it before you put their kid's picture up on the wall (it could even be part of the patient sign-in packet). Pretty much everyone who provides you with a picture would be willing to do so.
[ Friday, August 01, 2014 ]
Hospital Accuses Mother of Patient of Violating HIPAA By Taking Pictures of Him During Appointment.
Jeff [10:40 AM]
The hospital based its position on the fact that it has a policy that prohibits visitors from taking cell phone photos on hospital premises. Of course, the mother is not a covered entity, and even if she was, as personal representative of her son, she'd be entitled to consent to the release of his PHI via the pictures. But before condemning the hospital, keep this in mind: the hospital is also trying to prevent the mother from disclosing of the PHI of others besides the woman's son. If her pictures include other patients, that could be a problem. The hospital is reviewing its policies, and I suspect a reasonable accomodation will be reached.
[ Thursday, July 31, 2014 ]
Phase 2 of OCR's Audit Program is Coming Up
Jeff [10:40 PM]
. Good article
[ Tuesday, July 29, 2014 ]
Medical Identity Theft:
Jeff [11:09 AM]
Just a quick example of how it can go wrong
. If you're a provider, seriously consider using the FTC "Red Flags Rule" materials to prevent medical identity theft: not only will your patients be safer, so will your pocketbook. Don't forget that if you treat patient A and patient A has stolen B's identity, you'll end up billing B, and when B's insurance finds out, you'll have to reimburse the money; and A will likely be long gone at that point, and you'll be left holding the bag.
You may not be required to implement the FTC policies, but you certainly should consider them.
Don't Text and Heal:
Jeff [11:03 AM]
Texting and HIPAA don't go well together; as I've said many times, texting is insecure, impermanent, and ill-suited for record-keeping purposes. Texting PHI by providers could result in improper medical record-keeping, because information that would be recorded in the medical record if it were emailed or telephoned does not get charted, and many texting platforms do not retain information for indefinite periods of time. Texting also may turn the provider's communication into "telemedicine" under state law. Texts are much less secure because they rarely are encrypted (like emails often are), and even if not encrypted (which isn't an actual requirement), they are much more easily accessible: anyone picking up your password-locked iPhone can see the first few words of recent texts without even unlocking the phone. Unless you've carefully chosen a secure texting service, the risks are definitely not worth the convenience.
So far, there have been no HIPAA enforcement actions by OCR based on texting, but that's probably only because OCR has enough complaint-originated work to keep itself busy. But other areas of HHS are closely looking at texting, and trying hard to get the industry to shape up. In fact, CMS recently assigned an "e-level deficiency" to a nursing home
that was texting lab results between doctors and nurses. Both sender and recipient were authorized to receive the PHI, but the method of sending it, via unsecure texts, was sufficient to cause the deficiency. The net result was a 10-part "Directed Plan of Correction" which included hiring an outside expert to train staff, revising policies and procedures, and notifying all residents of the issue.
This should be fair warning. It is only a matter of time before OCR lays someone low for bad texting activities. This nursing home had to incur some substantial costs (both financial and reputational) to fix this problem, but it's nothing to the 6- or 7-figure hammer OCR will likely lay down.
Don't text. Unless you've thoroughly analyzed the options and are prepared to defend yourself in case of a texting-related breach, it's hard to see how the benefits of convenience outweigh the risks.
Blogger: HIPAA Blog - Edit your Template