HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
How employee snooping results in HIPAA trouble

One of today’s biggest data challenges involves preventing improper access to protected patient information. When your own employees sneak a peek at patient records without authorization—either out of curiosity or malicious intent—your organization can pay the price.

Mary Chaput, CFO and compliance officer at consultancy Clearwater Compliance LLC in Nashville, Tenn., says the number of cases of employee snooping is probably much larger than the cases reported to federal officials.

“Besides celebrity cases, we call the bulk of them the ‘ex factor,’ for ex-spouse, ex-friend or ex-colleague,” she says. “The organization may apply sanctions, and there may be some remuneration. But the reputational damage could be huge.”
 

Indiana case a game changer

Until recently, violations of HIPAA (Health Insurance Portability and Accountability Act) were investigated and sanctioned solely by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state regulators. But a recent Indiana case has added a new twist: A court of appeals upheld a $1.4 million verdict for a Walgreens pharmacy customer whose prescription information was provided to a third party by a snooping pharmacist.

However, the law does not allow individuals to claim HIPAA violations directly in a privacy lawsuit. Only the government can cite HIPAA violations. Neal Eggeson, the lawyer who successfully argued the case in Indiana, used HIPAA to establish the standard of care. So Walgreens was not sued for violating HIPAA but for negligence. Similarly, the pharmacist was not sued for violating HIPAA but for professional malpractice.

The healthcare industry could see more individuals filing negligence or malpractice lawsuits based on snooping cases in the future, especially if the organization has done little to train employees or investigate allegations.
 

What to do

As of 2012, a practice can be fined $1.5 million per HIPAA violation in cases of willful neglect, in addition to individual lawsuits. So what can behavioral healthcare providers do to limit the risk?
 

1/ Training

“Employee training on this topic needs to be provided initially and then annually at a minimum,” says Angela Dinh Rose, director of HIM practice excellence for the American Health Information Management Association (AHIMA). “Constantly audit your system and check for whether improper access is occurring.”

She says organizations should pay attention to patient complaints. Auditing can help identify possible trends in inappropriate access.
 

2/ Communicate the no-peeking policy to every employee

Every provider organization must communicate its policy to employees and apply appropriate sanctions consistently, Chaput says.

“The reason I say consistently is that some organizations tend to treat executives and top medical staff a little differently,” she says. “Employees have to know what the consequences will be. With snooping, we recommend if they are caught once, they lose their jobs. People have to know why it happened. Sanctions must be rigorous and consistently applied.”
 

3/ Limit access to data

In addition, make sure that employees have only the minimum access necessary to do their jobs, Chaput says. For instance, a receptionist does not need information about medical conditions, so block that employee’s access to it.
 

4/ Monitor VIP patient records

AHIMA’s Dinh Rose says VIP patient records could be specially flagged and their access monitored all day long.

“A popup box could tell employees they are entering a confidential record and all accesses are being audited,” she says. “That gives them one more chance to get out of the file.”
 

5/ Discourage log-in piggybacking

According to Chaput, it is also important to monitor for any inappropriate sharing of user IDs and passwords. For example, some clinicians don’t like logging in and out of an EHR system repeatedly and push the IT staff to make the automatic logoff as long as 30 minutes. But that could leave data available for snooping, she says.
 

6/ Focus on people issues

Much of the media attention about data breaches focuses on hackers breaking into networks, but Chaput points out that 93 percent of breach incidents published on the HHS “Wall of Shame” involve people making mistakes such as leaving an unencrypted laptop in a car or employees snooping.

“Always focus on the people issues,” she says. “Make sure there is a documented policy.”

If there is an incident, tighten up the policy and reinforce it. Completing your due diligence upfront and responding quickly to any incident should help in any type of lawsuit situation.
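As an added example (not from the article or any of the organizations it quotes), the following Python script reviews constructed EHR access-log lines for the three technical controls above: role-based minimum-necessary access (3/), flagged VIP charts (4/), and one user ID active on two workstations inside the 30-minute logoff window (5/). The log format, patient IDs, user names and role table are all assumptions.

```python
"""Audit-log review for the snooping controls discussed above (added example).

All sample data below is constructed for illustration; the log format and the
role/care-team tables are assumptions, not any real EHR's schema.
"""
from datetime import datetime, timedelta

# Article: clinicians push auto-logoff out to 30 minutes; treat a user ID as
# "still logged in" on a workstation for that long after its last access.
SESSION_WINDOW = timedelta(minutes=30)

# 4/ Flagged VIP charts and who has a legitimate treatment relationship.
VIP_CHARTS = {"P-2001"}
CARE_TEAM = {
    "P-1001": {"dr.ng", "rn.ortiz", "front.desk"},
    "P-2001": {"dr.ng", "rn.ortiz"},
}

# 3/ Minimum necessary: which record sections each role may open.
USER_ROLE = {
    "front.desk": "receptionist",
    "rn.ortiz": "nurse",
    "dr.ng": "physician",
    "rx.lee": "pharmacist",
}
ROLE_ALLOWED = {
    "receptionist": {"demographics", "appointments"},
    "nurse": {"demographics", "appointments", "medications", "problem_list"},
    "physician": {"demographics", "appointments", "medications", "problem_list", "notes"},
    "pharmacist": {"demographics", "medications"},
}

# Constructed sample access log (one access event per line).
SAMPLE_LOG = """\
2015-01-05T09:02:11 user=front.desk ws=WS-01 patient=P-1001 section=appointments
2015-01-05T09:03:40 user=front.desk ws=WS-01 patient=P-1001 section=problem_list
2015-01-05T09:10:05 user=rn.ortiz ws=WS-07 patient=P-2001 section=medications
2015-01-05T09:11:30 user=rn.ortiz ws=WS-09 patient=P-1001 section=medications
2015-01-05T09:25:00 user=rx.lee ws=WS-12 patient=P-2001 section=medications
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _finding(rule, rec, detail):
    return {
        "rule": rule,
        "ts": rec["ts"],
        "user": rec["user"],
        "patient": rec["patient"],
        "detail": detail,
    }


def review(log_text):
    """Return a list of findings, in log order, for the three controls."""
    findings = []
    last_seen = {}  # user -> (timestamp, workstation) of the most recent access
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, ws, patient, section, ts = (
            rec["user"], rec["ws"], rec["patient"], rec["section"], rec["ts"])
        role = USER_ROLE.get(user, "unknown")

        # 3/ Minimum necessary: an unknown role is allowed nothing.
        if section not in ROLE_ALLOWED.get(role, set()):
            findings.append(_finding("minimum_necessary", rec,
                                     f"{role} opened {section}"))

        # 4/ VIP chart opened by someone outside the care team.
        if patient in VIP_CHARTS and user not in CARE_TEAM.get(patient, set()):
            findings.append(_finding("vip_no_relationship", rec,
                                     f"{user} is not on the care team for {patient}"))

        # 5/ Same user ID on a second workstation while the first session is
        # still inside the logoff window: a shared or piggybacked login.
        prev = last_seen.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= SESSION_WINDOW:
            findings.append(_finding("shared_credentials", rec,
                                     f"also active on {prev[1]} at {prev[0]:%H:%M}"))
        last_seen[user] = (ts, ws)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['rule']:<20} {f['user']:<11} {f['patient']}  {f['detail']}")
```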
 

Great examples of costly violations:

In the largest snooping fine to date, the UCLA Health System agreed to pay $865,000 in 2011 to settle potential HIPAA violations involving employees improperly accessing celebrities’ electronic medical records.

In 2009 California regulators used a newly passed law to fine Kaiser Permanente's Bellflower hospital $250,000 for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who gave birth to octuplets.




State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology

When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, thus these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality; it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.




Countering HITECH Privacy Risks from Internet of Things Products

Ready or not, the Internet of Things is poised to change the world – and the way we deliver and receive medical care. Sensors and transmitters are now cheap and small enough to be placed into virtually any product, making it possible for products as diverse as electronic toothbrushes, Fitbits and Apple Watches to connect to the Internet and allow users to control and monitor activities and gather data.

The Internet of Things has profound implications for the healthcare sector. Doctors can use connected devices for tasks like monitoring patient vital signs, analyzing data on exercise activity and much more. But along with the new possibilities comes an increased risk of data breaches and non-compliance with HITECH privacy rules and HIPAA patient protections. The challenges aren’t necessarily inherent to the devices themselves; they arise from an increase in vulnerability to the network as a whole.

Internet of Things devices that connect with healthcare provider networks introduce a new point of entry to the network, which means devices and connections can be compromised and used to access sensitive data. For healthcare providers, this makes the following questions important: Who is securing the device? Who is controlling communication protocols? It’s similar to the challenges businesses of all types are confronting in the “bring-your-own-device” era, in which workers use personal smartphones and tablets to handle business activities.

The important thing to remember is that a network is only as secure as its weakest link. This was true before Internet of Things devices became a growing trend: The business operations side of healthcare organizations have to contend with employee device security challenges and vulnerabilities associated with partner organizations just like any other business. The difference is that with Internet of Things devices coming online and being used by patients and healthcare providers, there are more opportunities for the security chain to break.

What are the potential weak links? The device itself could be compromised. The device user’s tablet or smartphone could be hacked. The home network that transmits the data to the healthcare provider could be breached. The point is, the nature of the threat hasn’t really changed – the number of entry points has expanded. And that means healthcare providers should be proactive about addressing the issue.

So how can healthcare providers mitigate the risk? One good place to start would be to educate patients who will be using remote devices on security basics. Commonsense tips would include not downloading apps or files from unknown sources and being careful about whom they trust with their data: A password management system, for example, should only be used if it comes from a trustworthy, well-established source.

For healthcare providers, precautions include making sure cloud-based data handlers are compliant with HITECH privacy regulations and that the staff fully understands their obligations, including the most recent HIPAA Omnibus privacy protections. Providers should conduct a thorough analysis of their security environment – including connection points – and have a system in place to perform ongoing assessments as the network evolves.

The Internet of Things has the potential to transform the healthcare industry, giving doctors and patients new tools to monitor health status and wellness activities. But there are significant risks involved. It’s important to remember that everything is based on trust, to some extent. Generally, there’s not much financial incentive for hackers to target individual patients’ data, but metadata from a population can be incredibly valuable, so healthcare providers should use caution and partner with an InfoSec specialist who understands their unique needs.


Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.

Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention. 

First, there is a looming deadline of October 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.

The third thing that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records and the explosion of health or fitness-related wearable devices make sensitive personal health information more vulnerable than ever to being compromised or exposed.

The risk of health related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason that retail breaches have escalated is because cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”

“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Coretelligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”

The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.

Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”

The combination of a rise in actual data breach attacks, and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.




Andrew Margolies's curator insight, December 11, 2014 2:47 PM

Make sure your e-commerce site is protected with the latest advances in online e-commerce security. Find out more at creditcardprocessing.gr8.com.


Employer liability for HIPAA violations: a new day dawning? | Lexology

The Indiana Court of Appeals recently issued an opinion in the case of Walgreen Co. vs Hinchy that could permanently alter the landscape for employer liability for HIPAA violations committed by employees.  Health care providers should be aware of this case and take actions to limit their exposure to this type of liability.

Background

In 2010, a Walgreen Co. (“Walgreens”) pharmacist utilized her information access rights to review the prescription records for her current boyfriend’s ex-girlfriend.  The purpose for accessing the records was to obtain information about the ex-girlfriend’s use of prescriptions for birth control and a sexually transmitted disease.  Evidence indicated that the pharmacist also shared the information she found with her boyfriend, who shared it with at least three other individuals.  When the ex-girlfriend became aware of the potential that her information had been improperly accessed, she contacted a local Walgreens pharmacy but was informed by a person at that store that they could not track whether her records had been accessed.

When the ex-girlfriend eventually learned of her ex-boyfriend’s relationship with a Walgreens pharmacist, she again contacted Walgreens, who, after investigation, confirmed that the pharmacist had viewed the information for personal purposes in violation of HIPAA.  Walgreens disciplined the pharmacist with a written warning and by requiring her to take additional online HIPAA training.  The ex-girlfriend subsequently filed suit against both the pharmacist and Walgreens in Marion County, Indiana, alleging claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, invasion of privacy/intrusion, negligent training, negligent supervision, negligent retention and negligence/professional malpractice.  In July 2013, a jury found in favor of the ex-girlfriend and held Walgreens and the pharmacist liable for $1.4 million in damages.  Walgreens appealed that verdict to the Indiana Court of Appeals.

The Appellate Court Decision 

The Indiana Court of Appeals affirmed the trial court’s verdict, holding that the trial court did not commit reversible error in its various rulings and that the damages award was not excessive.  The underlying theory of liability for the jury verdict was not clear to the appellate court, but the court noted that sufficient evidence was presented to the jury to justify a verdict based on negligence by virtue of professional malpractice of a pharmacist.  Essentially, the court recognized that pharmacists owe their customers a duty of confidentiality and that a breach of that duty can cause damages to the customer.  Whether the pharmacist’s breach of that duty can also be attributed to Walgreens became the focus of the appellate court’s opinion.

Walgreens alleged on appeal that the trial court should not have sent the case to the jury for claims based on respondeat superior because the employee was acting outside the scope of her employment when she inappropriately accessed the records.  Respondeat superior is the doctrine regarding when an employer will be held liable for the acts of its employees.  Walgreens had argued that the trial court should have determined as a matter of law that Walgreens was not liable for the actions of the pharmacist because those actions were prohibited by Walgreens policy and inconsistent with the HIPAA training Walgreens provided the pharmacist and thus outside the scope of her employment.

The appellate court determined that whether the pharmacist’s conduct was within the scope of her employment was a proper question for the jury since her actions “were of the same general nature as those authorized, or incidental to the actions that were authorized by Walgreen.”  According to the court, since the pharmacist had legitimate access to patient prescription histories on the Walgreens computer system, her misuse of that access for personal reasons remained within the scope of her employment.  The appellate court thus affirmed the jury verdict based upon Walgreens’ respondeat superior liability for the negligence/professional malpractice of the pharmacist.

The appellate court also upheld the amount of the jury verdict, holding that there was sufficient evidence in the record to support holding Walgreens and the pharmacist liable for $1.4 million in damages.  Factors cited by the appellate court in support of the damage amount included:

  • The ex-girlfriend’s records included sensitive information about her use of birth control and treatment for a sexually transmitted disease;
  • The information became known to several people, including the ex-girlfriend’s father; and
  • The ex-girlfriend testified that she experienced emotional harm that affected her ability to care for her child and caused her to begin taking a more expensive antidepressant.

Walgreens argued that the damages were excessive and based on improper factors because the ex-girlfriend did not have any physical injuries or conditions resulting from the breach, she did not lose any wages as a result of the breach, and she did not offer any professional testimony supporting her claimed emotional harm.  The appellate court refused to reweigh the evidence and change the damage amount awarded by the jury.

Impact

In upholding the verdict against Walgreens, the appellate court established some precedent that should get the attention of health care providers.  The case is important in a few ways.  First, it recognizes that a health care provider in Indiana may be held liable for monetary damages arising from a wrongful disclosure of patient information on a professional malpractice theory.  In essence, the court is recognizing the duty of confidentiality as part of the professional standard of care for health care providers.  Second, the court is permitting such liability even in the absence of physical harm or professional testimony to support claimed emotional harm.  This could materially lower the bar for proving damages in these types of cases.

Third, the case establishes that a health care provider could still be liable for a wrongful use or disclosure by an employee even where the employee’s actions directly contravene the provider’s established and implemented confidentiality policies.  Health care providers are required by HIPAA and other authorities to have policies governing the use and disclosure of health information and to train their workforce members to follow those policies.  This case makes it clear that compliance with HIPAA and those other authorities is not sufficient to avoid liability to individuals for the wrongful actions of employees.

Recommendations

In order for health care providers to reduce the likelihood of liability to patients for the wrongful use or disclosure of health information by employees, providers should consider the following recommendations:

  • Ensure that the provider has strict policies forbidding the use or disclosure of patient information for non-work-related purposes and enforce those policies consistently when potential issues arise.  If liability is possible where policies and procedures already are in place, then the failure to have clear policies in this regard will make proving such a case that much easier.
  • Regularly monitor and track access to patient information by workforce members.  Providers should have a process in place for auditing workforce access to patient information that proactively seeks to identify and prevent the potential inappropriate use and disclosure of such information.  Audit processes can serve as an effective deterrent for employees considering such activity.
  • When an instance of potential wrongful use or disclosure is discovered, the provider’s process should require the immediate loss or suspension of the individual’s access to patient information until the issue can be investigated and resolved.
  • Have personnel policies that allow for the imposition of significant disciplinary action, including termination, when an employee uses his or her legitimate access to health information for personal purposes.  Meaningful and decisive disciplinary action might help reduce the likelihood that an individual will bring an action against the provider for the actions of that employee.   The potential for such disciplinary action also can serve as an effective deterrent to employees considering misusing health information.
  • Be sure that policies and procedures are in place governing the receipt of patient complaints and that all appropriate workforce members are trained on those procedures.  How patient complaints are handled from the beginning can be a material factor in a given individual’s decision whether to sue the provider for a wrongful use or disclosure.




Survey: With HIPAA audits looming, small practices far from compliant

NueMD, in partnership with Porter Research and The Daniel Brown Law Group, today announced the results of its recent survey on HIPAA compliance within small practices and billing companies. The survey of more than 1,100 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Understanding HIPAA can be difficult for practices and billing companies, especially if they're already scrambling to keep up with changes like ICD-10 and Meaningful Use," said Caleb Clarke, sales and marketing director at NueMD. "With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling."

The survey found:

  • 66% of respondents were unaware of HIPAA audits
  • 35% of respondents said their business has conducted a HIPAA-required risk analysis
  • 34% of owners, managers, and administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA compliant
  • 24% of managers, owners, and administrators at medical practices reported that they've evaluated all of their Business Associate Agreements
  • 56% of office staff and (non-owner) care providers at practices said they've received HIPAA training in the last year

"It's troubling to see that so many practices aren't participating in training programs for their staff," said Daniel Brown, managing shareholder at The Daniel Brown Law Group. "If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it."




Mobile Health, HIPAA And Health Technology Predictions For 2015

TrueVault’s CEO and Co-Founder, Jason Wang, recently shared his predictions on health technology, mobile health and HIPAA for 2015. Maintaining HIPAA compliance for healthcare applications is frustrating and time consuming for developers. TrueVault is known as the first company to make HIPAA compliance convenient for healthcare apps.

Concerns in areas such as cost and the administrative, technical and physical safeguards, which require custom development and software architecture, can add months to the development timeline.
 
HIPAA complaints and violations will reach all-time highs

  • HIPAA complaints in 2013 were nearly 4x the number of complaints in 2003, the year the law was enacted.
  • The change in HIPAA compliance requirements for business associates (BAs) in September 2013 means more companies are subject to HIPAA oversight.
  • The number of complaints filed by July 31, 2014 was 71% higher than the number filed during the same period in 2013.
  • The sheer number of new devices, applications and users means even more complaints for HHS.

The amount of health data collected will skyrocket

  • With the launch of Apple Health, Apple Watch, Google Fit and SAMI, more health data than ever before will be captured by mobile devices.
  • Industry estimates predict more than 500 million smartphone users will collect mobile health data.
  • This is up more than 5x from the 95 million mobile health users in 2013.

Wearable devices go mainstream

  • With the Apple Watch, Microsoft Band and other wearable entrants, wearable devices will finally become mainstream.
  • IHS estimates that nearly 90 million wearable devices will be sold in 2015, with a market value of more than $5 billion.

Data safety concerns will be top of mind for consumers

  • Mobile health data collection will be tempered by growing consumer concerns over data safety and privacy.
  • 60% of Americans recently surveyed by GfK are more concerned about online data security than they were last year.
  • In a December 2013 poll by Radius Global Market Research, more than three-quarters of internet users at least “somewhat agreed” that they would stop using a service, product or retailer if they felt their privacy was violated.

mHealth companies will need to win consumer trust to gain health data access

  • Consumers are willing to give data to the companies they trust.
  • New startups will need to prove their security bona fides before consumers turn over sensitive health information.
  • 78% of internet users said they only purchased from companies they trusted.
  • Adults ranked health data the second most sensitive data they have, behind their Social Security number, in the same Pew survey.


The health care industry is prone to privacy and security breaches, so trust and regulatory compliance are crucial. Protecting that data keeps getting harder as cost, risk and complexity vary across platforms. Health care applications hold sensitive data, and as businesses move to the cloud this information requires further protection and new security standards.



HIPAA rules on privacy taken too far

Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court.

He was a participant in the county’s Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for The Post-Crescent, working on a story for Gannett Wisconsin Media’s statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man’s name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.

This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person’s name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a “prickly” obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who is and who isn’t impacted.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn’t discuss a player’s knee injury.

“Due to these new medical laws, our hands are tied,” the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual’s name, location in the facility and general condition.

HIPAA also doesn’t bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association’s treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

“Often times, people are unsure about the law and can’t be bothered to check so it’s easier to say ‘no’ and refer to HIPAA,” said Freyer, a health care reporter for the Boston Globe.

“Frequently, hospitals say they can’t let you talk to a patient, but that’s not true.”

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.




Doug Fridsma: Why amending HIPAA makes sense for research


HIPAA poses an "artificial barrier" to certain types of research that could improve patient care, Douglas Fridsma, M.D., president and chief executive officer of the American Medical Informatics Association (AMIA), says in an interview at Healthcare Info Security.

AMIA has been urging Congress to amend HIPAA to allow use of patients' personal health information without their consent for certain types of "observational" research.

"There are still important safeguards that need to be put in place to maintain the trust that patients place in their providers. The intent was never to open up all research and all data without patients' consent," Fridsma says.

So far, patient PHI can be used without consent only for improving operations within a particular healthcare organization. For example, if a hospital determines that a surgical checklist reduces post-operative infections in its patients, that finding cannot be published as a research paper without the consent of every patient studied, he says.

"[HIPAA] has this paradoxical effect that says the hospital can use that information to improve its operations, but if it finds something that is tremendously valuable and of generalizable interest, they are not allowed to share that finding more broadly. … So in effect HIPAA is a disincentive to share this generalizable knowledge," he explained.

The changes AMIA is advocating would apply only to observational research, in which somebody notices a pattern, he adds. This type of research does not involve a treatment intervention.

"People will not be put in clinical trials without their knowledge," he says.

Despite various calls to amend HIPAA, Mac McMillan, chairman of the HIMSS Privacy & Security Policy Task Force, told FierceHealthIT he doesn't foresee any change in the next year, largely due to the political climate.

Meanwhile, the American Health Information Management Association has been on a big push to help healthcare organizations improve their information governance.




Survey: With HIPAA audits looming, small practices far from compliant


NueMD, in partnership with Porter Research and The Daniel Brown Law Group, today announced the results of its recent survey on HIPAA compliance within small practices and billing companies. The survey of more than 1,100 healthcare professionals, conducted during October 2014, found that medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Understanding HIPAA can be difficult for practices and billing companies, especially if they're already scrambling to keep up with changes like ICD-10 and Meaningful Use," said Caleb Clarke, sales and marketing director at NueMD. "With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling."

The survey found:

  • 66% of respondents were unaware of HIPAA audits
  • 35% of respondents said their business has conducted a HIPAA-required risk analysis
  • 34% of owners, managers, and administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA compliant
  • 24% of managers, owners, and administrators at medical practices reported that they've evaluated all of their Business Associate Agreements
  • 56% of office staff and (non-owner) care providers at practices said they've received HIPAA training in the last year

"It's troubling to see that so many practices aren't participating in training programs for their staff," said Daniel Brown, managing shareholder at The Daniel Brown Law Group. "If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it."




Are Medical Practices Prepared for OCR HIPAA Audits? | HealthITSecurity.com

The Office for Civil Rights of the Department of Health and Human Services will be conducting random HIPAA audits.
Although a timeline has not yet been set, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) will be conducting random HIPAA audits of physician practices, healthcare facilities and business associates (BAs).
The audits will assess each facility’s adoption and implementation of HIPAA safeguards, which include privacy and security risk assessments, security breach notifications, notice of privacy practices and training on policies and procedures. However, according to a survey conducted by NueMD, only 32 percent of medical practices and their staff polled were aware that OCR HIPAA audits would be taking place.
In order for a practice to be HIPAA compliant, a few requirements need to be met, the first of which is creating a compliance plan. Out of the medical practices polled, 58 percent indicated that they had a HIPAA compliance plan while 19 percent said that they didn’t know if they had a plan and 23 percent indicated they did not have a plan.
The compliance plan should cover all aspects of HIPAA compliance including information security, sending and storage, identifying security and privacy officer responsibilities, staff training programs, plan of response to security breaches, and keeping track of and securing electronic devices and communications. Annual HIPAA training should be included as part of a practice’s compliance plan.
Auditors may raise a red flag if a practice’s staff isn’t all on the same page. All staff members within a practice should be made aware of how to react to security breaches and should know who the appointed HIPAA security and privacy officers are.
A practice is also required to adopt a formal policy that details how it will handle a HIPAA security breach. An unauthorized disclosure of electronic protected health information (PHI) could happen through loss or theft of a laptop that contains unencrypted PHI, or through computer hacking. If data is improperly secured, breaches can even originate from within the practice. Even though security breaches are becoming more common and have legal and business impacts, only 45 percent of practices polled indicated that they had a formal policy for a security breach in place.
For a practice to be best prepared for its HIPAA audit, it should conduct risk analyses periodically. Only 33 percent of polled practices said that they had performed a risk analysis. An analysis identifies ways in which PHI could be leaked or compromised and helps practices strengthen their compliance plans. When respondents were asked how confident they were that someone was actively monitoring their practice’s HIPAA compliance, only 38 percent answered that they were confident.
The implementation of HIPAA safeguards is important in helping healthcare facilities and their staff keep PHI protected and secure. Practices should prep their HIPAA safeguards while awaiting the OCR’s timeline confirmation.


