HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Report: Unregulated data sometimes just as sensitive as HIPAA-covered data | mobihealthnews

In a new report from the California HealthCare Foundation, the report’s author, health economist and consultant Jane Sarasohn-Kahn concludes that while the increasing amount of consumer wellness and fitness data collected today has a lot of value for personalized healthcare, it also presents new risks for consumer privacy.

For one thing, as healthcare moves out of the hospital and onto the wrist, the smartphone, or the Facebook wall, healthcare data moves out of the realm of HIPAA, the law designed to protect patients’ healthcare data. HIPAA can’t protect things like your Fitbit steps, what health search terms you enter into Google, or where you check in on FourSquare.

As Deloitte’s Harry Greenspun puts it in the CHCF report, “It’s one thing to know you’re on a statin. It’s another thing to know that you eat fast food three times a week. What is more predictive?”

HIPAA also doesn’t govern “health scores”, algorithm-generated numbers used by insurers that are similar to credit scores for health. These scores are built entirely from data that rests outside the purview of HIPAA.

“Digital dust can have health implications, even if the actual ‘dust’ is devoid of health information,” Deven McGraw of Mannatt, Phelps and Phillips tells Sarasohn-Kahn in the report. “[The FICO Medication Adherence Score] and other ‘scores’ could have significant implications for consumers — arguably as significant as a score generated using health data.” 

What makes health scores, including the FICO score and the Individual Health Risk Score mandated under the Affordable Care Act, so problematic is that, unlike credit scores, consumers can’t even gain access to their own health scores.

Politico’s Arthur Allen recently raised the question of whether the use of these scores by employers to isolate at-risk employees is ethical. Allen points out that the trend seems to partly be a result of the ACA’s ban on payors denying coverage to people with pre-existing conditions. Since they can no longer choose not to cover unhealthy individuals, instead they’re turning to data mining to try to prevent as many expensive chronic conditions as possible.

“Used together, the electronic medical records and wellness promotion enable companies to find their sickest, most expensive employees, and push and cajole them into healthier lifestyles,” Allen writes. “The wider use of health care data analytics raises many questions. Does it work? Is the intrusion ethical? Where’s the line between encouragement and coercion?”

But the CHCF report suggests, as Patient Privacy Rights’ Deborah Peel has also contended, that non-HIPAA healthcare data is getting around and not just to employers and insurers. Data brokers buy and sell bundles of non-HIPAA consumer health information and the subject of all that data isn’t aware it’s being collected. They also have no recourse to access it themselves. Even data that is de-identified can often be re-identified, as a number of studies have shown.

And while many people are often unaware of the risks to their data, surveys show just as many are aware but continue to use online and mobile health services that put their data at risk. Sarasohn-Kahn points to data from an iHealthBeat study that found 72 percent of patients willing to share their data believed it could be used to deny them health insurance, and 66 percent believed it could be used to deny them jobs.

The CHCF report concludes with three recommendations for tackling some of these privacy problems. One, control needs to be returned to the consumer, in the form of laws that give people a right to access their own data or clearer and more explicit privacy policies on apps and services. Two, government regulation should be simplified.

“It has become clear that existing laws and policy frameworks have not kept pace with the technology,” Sarasohn-Kahn writes. “Furthermore, there is no over-arching national law that addresses citizens’ privacy. Instead, user-generated data and health information relate to a patchwork of laws and regulations for which responsibility falls into many federal agencies, along with individual state regulations for specific health and privacy issues.”

Finally, another possibility is personal health data lockers, cloud-based technology that would allow people to keep a tighter hold on their own data. Drchrono is currently dabbling in this space, according to the report, as is Dr. Robert Rowley, former chief medical officer at Practice Fusion, with his new startup FlowHealth.


Yes, a Person Can be Criminally Prosecuted for Violating HIPAA - Health Insurance Portability and Accountability Act | The National Law Review

As reported by HealthcareInfoSecurity.com, a former hospital employee is facing criminal charges brought by federal prosecutors in Texas for alleged violations of the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). You may remember that back on June 1, 2005, the Department of Justice issued an opinion supporting the prosecution of individuals under HIPAA’s criminal enforcement provisions.  42 U.S.C. § 1320d-6(b). In 2010, we reported on a doctor in California who was sentenced to four months in prison for snooping into medical records. So, while prosecutions for privacy violations under HIPAA are not common, under certain circumstances individuals can be criminally prosecuted for violating HIPAA.

When is a violation of HIPAA criminal?

In short, a person that knowingly and in violation of the HIPAA rules commits one or more of the following puts himself in jeopardy of criminal prosecution under HIPAA:

  • use or cause to be used a unique health identifier,

  • obtain individually identifiable health information relating to an individual, or

  • disclose individually identifiable health information to another person.

If convicted, the level of punishment depends on the seriousness of the offense:

  • a fine of up to $50,000 and/or imprisonment for up to one year for a simple violation

  • a fine of up to $100,000 and/or imprisonment for up to five years if the offense is committed under false pretenses

  • a fine of up to $250,000 and/or imprisonment for up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

Texas Prosecution

According to the DOJ, the former East Texas hospital employee has been indicted for criminal violations of HIPAA. The individual is being charged with wrongful disclosure of individually identifiable health information. The DOJ alleges that from December 1, 2012, through January 14, 2013, while an employee of the hospital (a HIPAA covered entity), the individual obtained protected health information with the intent to use the information for personal gain. If convicted, the individual faces up to ten years in prison.

Although not common, criminal prosecutions like this one can be an important reminder to workforce members of HIPAA covered entities that violating the HIPAA rules can result in more than the loss of their jobs. Some covered entities inform their employees of the potential for criminal sanctions as part of their new hire and annual trainings.




Rhode Island is No. 1 HIPAA enforcer in state rankings

Healthcare providers may feel more pressure from Health Insurance Portability and Accountability Act enforcement in states like Rhode Island and Alaska, according to data compiled by TrueVault, a HIPAA compliance company.

From 2003 to 2013, Rhode Island emerges as the top enforcer of HIPAA violations and is the only state in which more than 40% of violations result in corrective action.

Other top enforcers were listed as Alaska, Washington, Oregon, Idaho, Wyoming and New Hampshire. In those states, between 30% and 40% of HIPAA violations resulted in corrective action, the report said.

States with the lowest enforcement results were Iowa, Nebraska and Kansas, where less than 20% of violations resulted in corrective action.

A Corrective Action Plan can be part of a plan post-HIPAA violation to implement policies and procedures to safeguard privacy of patients or residents, such as increased training and monitoring.

It is believed that the federal government will be ramping up HIPAA enforcement, according to comments made by a Department of Health and Human Services official last month.




Device thefts main source of HIPAA rifts

Nearly 15 million individuals were affected by more than 450 large-scale health data breaches in 2010 and 2011, investigators said in a recent report to Congress. The theft of devices containing protected information continued to be the biggest source of Health Insurance Portability and Accountability Act violations, they added.

About half of all breaches each year have been due to stolen storage devices, investigators from the Department of Health and Human Services' Office of Civil Rights noted.

The $10 million in HIPAA fines collected since June 2013 will be “low compared to what's coming up,” said Health and Human Services Chief Regional Civil Rights Counsel Jerome Meites in a June speech at the American Bar Association conference. While Meites said his views were his own, he believes the government will be looking to make an example out of non-compliant providers.

Unauthorized access to records and improper disclosure are top reasons cited for HIPAA breaches. Long-term care operators and other providers are under increasing pressure to keep personal health information shielded from unauthorized parties. Large-scale prosecutions have not occurred in the long-term care profession, which nonetheless remains on high alert about other provider breakdowns noted in the media.

Until 2011, the vast majority of HIPAA privacy breaches were due to direct provider breakdown or accidents, OCR investigators reported. Starting in 2011, however, business associates of providers became the most common source of most large-scale breaches.

Additionally, nearly 30% of all large breaches involved paper records in 2011, researchers noted.

OCR officials said they successfully resolved more than 90% of the 77,000 allegations of HIPAA privacy and security rule violations. More than half did not qualify as “an eligible case” under HIPAA prosecution rules.




New Head Chosen For HIPAA Enforcement

The Office for Civil Rights, the Department of Health and Human Services division responsible for enforcing HIPAA, is getting a new director after the official departure of Leon Rodriguez.

HHS Secretary Sylvia Mathews Burwell sent out an internal email to staff on the appointment of Jocelyn Samuels as OCR director, replacing Leon Rodriguez, according to Gov Info Security. Rodriguez was officially confirmed by the Senate to serve as director of the U.S. Citizenship and Immigration Services at the Department of Homeland Security June 24.

Samuels will be leaving her post as acting assistant attorney with the Department of Justice in the civil rights division, responsible for enforcing federal law pertaining to discrimination based on race, sex, national origin, and disability, to come to OCR.

Prior to her appointment at DOJ, Samuels served in the role of vice president for education and employment at the National Women's Law Center. She has also served as labor counsel to Sen. Edward Kennedy and as senior policy attorney at the Equal Employment Opportunity Commission. She received her law degree from Columbia University.

"Leon is in the process of planning his departure, and we look forward to Jocelyn joining us here at OCR in the near future," an OCR spokeswoman tells Information Security Media Group. Dates for Rodriguez to leave OCR and for Samuels to join the agency were not disclosed.

In an email to HHS staff obtained by ISMG, secretary Burwell writes, "Jocelyn's wealth of experience and commitment to the mission of OCR will be great assets to her as she takes on this new role. I am looking forward to Jocelyn joining the team here at HHS in the near future."

Samuels will be in charge of HIPAA compliance and the official audit program scheduled to begin this year. These audits will include both desk audits, which officials anticipate will number between 150 and 200, and 50 on-site audits.

To date, OCR has levied $26 million in HIPAA settlements against entities found to have violated HIPAA privacy, security and breach notification rules. Just this June, the six-hospital Parkview Health System in Fort Wayne, IN agreed to settle to the tune of $800,000 over an incident that involved dumping medical records unattended in a physician's driveway.




HIPAA Complaints Vex Healthcare Organizations - InformationWeek

Since 2013, complaints to the Department of Health and Human Services have risen regarding Health Insurance Portability and Accountability Act violations.

The number of Health Insurance Portability and Accountability Act (HIPAA) violation complaints received by the Department of Health and Human Services spiraled upward in 2013. Complaints are on a similar high-speed trajectory for 2014, according to analysis by TrueVault.

"The number of complaints through May 2014 is up 45.7% over the number received through May in 2013, so we believe that we will continue to see complaints surge through 2014," Morgan Brown, vice president of growth at TrueVault, said in an interview. As of May 2014, there had been 6,701 complaints, versus 4,599 a year earlier.


Of those complaints, corrective action was required in 26% of cases HHS reviewed. Only 14% of complaints resulted in no action -- a statistic that "points to the severity of the problem of keeping patient data safe and secure," said Brown.

Increased consumer awareness might be one reason, he said. Regulatory changes are another.

"At the same time, we'll see enforcement activity rise with the enactment of the new Omnibus Final Rule regulations that went into effect last year," he said. "The new rule introduced new, higher fines and requires that all business associates meet HIPAA compliance standards. Previously, only covered entities were subject to the law."



Jerome Meites, an HHS chief regional civil rights counsel, warned late last year that the government would pursue organizations more aggressively for HIPAA violations. Audits, which began in 2013, will continue through 2015, he said.

In addition, states enacted their own data security and enforcement policies. Of the approximately 90,000 complaints received through 2013, only 32,000 fell under the jurisdiction of the HHS Office of Civil Rights. Of these, 22,026 required corrective action, while investigation of 9,899 found no violation.

Of the 521 complaints the OCR referred to the Department of Justice for potential criminal prosecution, the DoJ has agreed to pursue only 54 of them.

Executives agreed that the Omnibus Rule will generate larger penalties and more criminal enforcement. "HIPAA is all about risk management," Art Gross, president and CEO of HIPAA SecureNow, told us. "I've seen the shift in awareness since last September with the Omnibus Rule."

Patients or others affected by a HIPAA breach have another recourse, too.

"There is no private cause of action under HIPAA, but that does not prevent aggrieved parties from suing companies who have caused a breach under common law for privacy violations and negligence, among other things," TrueVault's Brown said. "Also, individuals may lodge complaints with the government, which can investigate and bring enforcement actions."

Experts said healthcare organizations and their business associates should use the threat of more audits, penalties, and criminal enforcement as another incentive to invest more resources toward protecting patient data.

"With the growing number of mobile devices, tablets, and laptops used in patient management, healthcare organizations need to ensure that they have the proper administrative, physical, and technical safeguards in place as mandated by the law to ensure compliance and to reduce breaches. This includes both proper training and regular compliance audits with the staff and the proper technical safeguards to ensure that devices that are lost or stolen have data that is password protected and encrypted, and that devices can be remotely wiped as needed," Brown said. "In addition, healthcare organizations need to ensure that their technology partners are also compliant and are using best practices when it comes to device and data security."




HIPAA Data Breaches | JD Supra

HIPAA has been on the books since 1996. With the advent of electronic health records, HHS adopted security regulations to require covered entities to protect the integrity, confidentiality, and availability of electronic personal health information (PHI).

The Security Rule was adopted in 2003 and includes data breach notification requirements. The Office of Civil Rights at HHS is responsible for enforcing the Security Rule and other HIPAA requirements.

The definition of a covered entity includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Covered entities must (1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; (2) identify and protect against reasonably anticipated threats to the security or integrity of the information; (3) protect against reasonably anticipated, impermissible uses or disclosures; and (4) ensure compliance by their workforce.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments based on the following factors: (1) size, complexity, and capabilities; (2) technical, hardware, and software infrastructure; (3) costs of security measures, and (4) the likelihood and possible impact of potential risks to e-PHI.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

Since 2008, HHS has reported that there have been over 800 breaches involving 500 or more individuals, and 92,000 breaches involving fewer than 500 individuals. Civil monetary penalties and resolution agreements total $18.6 million.

Interestingly, almost half of all the significant breaches have been the result of theft; almost 20 percent were the result of unauthorized access or disclosure, and 11 percent were caused by the loss of laptops, paper records, desktop computers or portable electronic devices.

In 2013, the five largest data breaches involved:

  People Affected   Cause
  4,029,000         4 laptops stolen
  729,000           2 laptops stolen
  277,000           Microfiche improperly disposed
  187,500           Patient information mailed to other patients
  32,100            Business Associate stored data on non-secured website

The average cost of a general US data breach is approximately $200 per record.



HIPAA Compliance and Security Top Cloud Adoption Concerns for US Healthcare Providers

Over 80 percent of healthcare organizations are currently using cloud services, mostly in SaaS form, according to a recent report by the Healthcare Information and Management Systems Society (HIMSS). Hosting of clinical applications and data, health information exchange and backups were the most used cloud services for healthcare organizations.

The 2014 HIMSS Analytics Cloud Survey documents healthcare organizations' use of cloud services and their concerns about it. It also explores the value of these services to the organization and the likelihood that they will use cloud more in the future.

CIOs and IT directors accounted for the majority of the 150 survey respondents. Although the study is based on a small sample, providers should note these concerns, as the results are similar to those of the much larger cloud adoption study by Skyhigh. Security was cited as the top issue in both studies. This concern is certainly valid, since healthcare organizations are more vulnerable to security breaches than companies in other industries.

A recent MarketsandMarkets report predicts that the healthcare cloud computing market will rise at a CAGR of 29.8 percent to $6.5 billion by 2018. Recognizing the needs and concerns of this market could provide a new source of revenue for cloud providers.

Most healthcare organizations already using cloud services plan to continue doing so in the future. Three quarters of the respondents use private or hybrid clouds. Possible areas of expansion are archival data, backup and additional hosting of operational data.

Of the groups not currently using cloud, 66 percent planned to do so in the future. Only four percent of them planned to add cloud in the next year, and under 20 percent were in negotiations with cloud providers. Cloud security was the top reason these organizations have not yet adopted cloud. This could be an area of opportunity for providers if the concerns around cloud security were fully addressed.

The top things healthcare organizations consider when looking for a cloud provider are security and the willingness to enter into a Business Associate Agreement (BAA, a requirement under HIPAA). Nearly 60 percent of respondents cited these two concerns as the most important. More than half thought years in business and customer service were important factors to consider.

Clearly there are advantages to cloud adoption. Over 60 percent of organizations experienced greater capacity and technological capability. Financial metrics, streamlining of the business process, improved security and productivity were all a result of cloud adoption.

Better regulatory compliance was only experienced by a quarter of the healthcare organizations surveyed. This may be another area in which service providers could help their customers. Companies like Logicworks are already taking advantage of this by focusing on security and regulatory compliance.


What If Your EHR Only Had 25 Doctors? | EMR and HIPAA

I recently had lunch with an EHR vendor that had an extremely small number of providers. I’ve known this EHR vendor for about 5 years, so this isn’t a new EHR vendor that’s trying to establish themselves in the industry. Instead they’ve focused on having a small, nimble team that’s focused on making the EHR work the right way for the doctors. It’s a novel approach I know, but pretty interesting that his business can survive with so few providers. Also worth noting is that the EHR is certified for meaningful use stage 2 as well.

Now think for a minute how the development process of an EHR vendor would be better if your EHR only had 25 doctors (For the record, the EHR vendor above has a few more than 25 doctors). Would it be much easier to satisfy just 25 physician users? Imagine the personalized service you could provide your users.

One of the real challenges I’ve seen with EHR vendors is that when they’re small, they are extremely responsive to their end users and the end users are very happy. As the EHR vendor grows, they lose that personal touch with the end users and many of those originally happy end users become dissatisfied with their EHR experience.

The problem with scaling an EHR user base is that you can’t make everyone happy. You have to make compromises that will be great in some people’s eyes and terrible in another person’s mind. What large EHR vendors do to try and solve this problem is they create configurable options that allow the end user to customize their system to meet their personal needs. Problem solved, right?

The problem with these configurations is twofold. First, you can’t make everything configurable. Once you go down the path of making everything configurable, it never ends. There’s always something else that could be made more configurable. So, the culture of configurability leads to unsatisfied users who can’t customize everything (even if what they want to customize shouldn’t matter).

Second, if everything is configurable, then it makes the implementation that much more complex. I’ve written before about the need for EHR vendors to have great “out of the box” user experience, but balancing that with allowing the user to configure everything that’s needed. This is a real challenge and most fail. Just look at the number of high priced EHR consulting companies out there. Many of them could better be defined as EHR configuration companies since the configuration needs are so large and complex.

Returning to where we started, when you’re an EHR vendor with 25 doctors you don’t have to build in all the flexibility and configurability. You’re small enough that as an EHR vendor you can do any needed customizations and configurations for the end user. Plus, with this kind of personalized service you can charge a little extra as well.

When you look at EHR development, there’s a spectrum of approaches starting with a fully in house, custom designed EHR through a fully outsourced EHR that can apply to any organization or specialty. In many ways a 25 doctor EHR has a lot of the same benefits of a fully custom EHR software, but spreads the costs of development across more doctors.

As a business, maybe a 25 doctor EHR company won’t dominate the world. Maybe they won’t have a huge exit to some other company or an IPO. However, that doesn’t mean it’s not a great small business if it’s doing something you love. Once you get World Domination out of your sights, it changes a lot of things about how you do business.




Risk Analysis: How to Do it Right under HIPAA and HITECH

This story first appeared in the Orange County Register and the Los Angeles Register.

Thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans, including 4.6 million Californians, since 2009.

Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records.

These records are more detailed than most consumer credit or banking files and could open the door to widespread identity theft, fraud, or worse.

Consider the case of Tustin-based GMR Transcription Services Inc. The Federal Trade Commission alleges that in 2011 a GMR subcontractor put transcribed medical audio files on a computer server that was then indexed by Google.

The files contained patients’ medical histories, including psychiatric disorders, alcohol use and drug abuse. GMR settled the FTC lawsuit in January. In a statement after the settlement, GMR said the files were no longer searchable and that it was exiting the medical transcription business.

Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider, HHS’ deputy national coordinator for information technology.

The government is trying to combat potential privacy breaches with a carrot-and-stick approach. It’s offering early adopters of electronic health records advice, an online security assessment tool, even a “cybersecure” computer game to help them learn.

But it’s also threatening, and in rare cases imposing, big fines on insurers, hospitals or doctors that lose control of records.

In May, HHS levied a record $4.8 million penalty against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010 some 6,800 patients’ records were accidentally exposed to Internet search engines.

That incident is one of 1,045 cases listed on HHS’ so-called “wall of shame,” a website mandated by the 2009 stimulus act that lists every health privacy breach affecting at least 500 individuals.

Individual cases highlight just how weakly protected many medical records are: Hundreds of thousands, even millions of records are typically kept on a single computer. Those records, usually protected by a password, are often not encrypted. That makes them readable by anyone who can crack the password.

“There are some healthcare providers who are not going to have any problem” safeguarding electronic health records, said Pam Dixon, executive director of the World Privacy Forum in San Diego. “There are other health care providers who are just like a sieve.”

The government does “provide good guidance,” said Justin Brookman, consumer privacy director at the Center for Democracy & Technology, a Washington, D.C., nonprofit that promotes online privacy. “But most of the breaches we’ve seen have been people not following” that guidance.

There is “a 1 percent chance of very bad things happening,” Brookman added. “It is foreseeable or should be foreseeable.”

Other examples:

  • Sometime between Feb. 14 and March 27, 2014, computer “malware” captured information from three computers at the UC Irvine Student Health Center and fed data involving 1,813 students – including names, addresses, insurance and bank information, as well as medical information – to unauthorized servers. UCI is upgrading its security.
  • In October 2013, someone broke into a sixth-floor office in Alhambra and stole two laptops. The laptops contained information for 729,000 patients of AHMC Healthcare, which runs Anaheim Regional Medical Center and five hospitals in Los Angeles County. The computers contained patients’ names, Medicare and insurance identification numbers, diagnosis codes and insurance payments. Spokesman Gary Hopkins said there is no evidence patient information was ever used.
  • In one of the biggest breaches in California history, an unencrypted desktop computer was stolen from the Sacramento administrative office of Sutter Medical Foundation in October 2011. The computer contained personal medical information, including diagnoses and procedures, for 943,000 patients. In response, Sutter sped up efforts to encrypt its computers.





HIPAA Violation Results in $4.8 Million Settlement | JD Supra

While most healthcare providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that this close scrutiny should also be applied to computer reconfigurations and other IT system changes. According to the Department of Health and Human Services Office for Civil Rights (“OCR”), a “reconfiguration” of a computer server involving two healthcare providers caused the health information of 6,800 patients to be disclosed to Internet search engines. The healthcare providers, New York-Presbyterian Hospital and Columbia University Medical Center, each entered into a settlement and a Corrective Action Plan with OCR requiring payment of $4.8 million to OCR.

According to OCR, the hospitals failed to conduct an accurate and thorough risk analysis that incorporates all information technology (“IT”) equipment, applications, and data systems utilizing electronic protected health information (“ePHI”). Additionally, they failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to their patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to their ePHI to a reasonable and appropriate level. The hospitals also failed to implement appropriate policies and procedures for authorizing access to their patient databases, and they failed to comply with their HIPAA security policies on information access management.

Under the HIPAA Security Rule, most healthcare providers are required to conduct a risk analysis of, among other things, their IT equipment. Healthcare providers are also required to implement HIPAA security policies and procedures to reduce their risk of a potential HIPAA violation and vulnerabilities in their IT systems. Whenever a change is made to a healthcare provider’s IT systems, a new risk analysis should be conducted to identify any potential risk of improper disclosure of ePHI as a result of the change. Any such risk must be eliminated or sufficiently reduced prior to implementing the change to avoid a violation of HIPAA and the costly penalties that go along with it.
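The reconfiguration failure described above is a regression that can be caught before a change is exposed to the Internet. The Go program below is an added example, not code from the article or from either hospital: it models a public web mux on which a records handler has been mounted without authentication, the hardened version of the same site wrapped in an authentication check that also marks responses non-indexable and non-cacheable, and an Audit function that requests each PHI path without credentials and reports anything served, indexable, or cacheable. The route list, the bearer token and the record contents are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Finding is one way a PHI path is exposed after a server change.
type Finding struct {
	Path   string
	Reason string
}

// phiRoutes are hypothetical paths that must never be reachable without credentials.
var phiRoutes = []string{"/records/", "/records/export.csv"}

// validToken is a constructed stand-in for a real session or OIDC check.
const validToken = "constructed-demo-token"

// recordsHandler serves stand-in PHI; the body is constructed, not real data.
func recordsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "mrn,name,diagnosis\nMRN-000001,Jane Sample,example\n")
}

func publicHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "public site")
}

// Misconfigured models the reconfiguration the article describes: the records
// handler ends up on the public mux with no authentication, so a crawler that
// finds the URL can fetch and index the contents.
func Misconfigured() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", publicHandler)
	mux.HandleFunc("/records/", recordsHandler)
	return mux
}

// requireAuth rejects requests without the expected bearer token and marks every
// response under the protected prefix as non-indexable and non-cacheable.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Robots-Tag", "noindex, nofollow")
		w.Header().Set("Cache-Control", "no-store")
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprintln(w, "unauthorized")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Hardened is the same site with the PHI prefix wrapped in requireAuth.
func Hardened() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", publicHandler)
	mux.Handle("/records/", requireAuth(http.HandlerFunc(recordsHandler)))
	return mux
}

// Fetch issues one request with an optional bearer token and returns the status code.
func Fetch(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Audit sends an unauthenticated request to each PHI path and reports anything that
// is served, indexable, or cacheable. It is meant to run after every configuration
// change, before that change is reachable from the Internet.
func Audit(h http.Handler) []Finding {
	var findings []Finding
	for _, p := range phiRoutes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		res := rec.Result()
		if res.StatusCode < 400 {
			findings = append(findings, Finding{p, fmt.Sprintf("served without credentials (HTTP %d)", res.StatusCode)})
		}
		if !strings.Contains(res.Header.Get("X-Robots-Tag"), "noindex") {
			findings = append(findings, Finding{p, "missing X-Robots-Tag: noindex"})
		}
		if res.Header.Get("Cache-Control") != "no-store" {
			findings = append(findings, Finding{p, "missing Cache-Control: no-store"})
		}
	}
	return findings
}

func main() {
	for _, f := range Audit(Misconfigured()) {
		fmt.Printf("FAIL %s: %s\n", f.Path, f.Reason)
	}
	fmt.Println("hardened findings:", len(Audit(Hardened())))
}
```

Running Audit after every server change, and treating any finding as a deploy blocker, is one concrete form of the re-analysis the article calls for. The X-Robots-Tag header is only a backstop: a search engine that receives a 200 response without it will index the page, so authentication on the path is the control that actually matters.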




HIPAA Compliance: What Every Developer Should Know - InformationWeek


The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.


HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.

Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.


If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:

  • Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
  • Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
  • Push notifications and other user communications can violate HIPAA laws if they contain PHI.
  • Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
  • Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
  • Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.

While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.
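The push-notification point in the list above is one a developer can enforce mechanically. The Go code below is an added example, not code from the InformationWeek article: it contrasts a naive payload that puts a patient's name, MRN and result on the lock screen with a minimal payload that carries only a generic prompt and an opaque message reference, and it includes a PHIInPush check that scans an outgoing payload for identifying values from the triggering event. The event fields and identifiers are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// ClinicalEvent is the server-side event that triggers a notification.
type ClinicalEvent struct {
	MessageID   string // opaque reference the app uses to fetch the message
	PatientName string
	MRN         string
	Result      string
}

// sampleEvent is constructed for this example; none of it is real patient data.
var sampleEvent = ClinicalEvent{
	MessageID:   "msg-7f3a",
	PatientName: "Jane Sample",
	MRN:         "MRN-000001",
	Result:      "glucose 110 mg/dL",
}

// Push is what leaves the server for the platform push service and, from there,
// the device's lock screen and notification history.
type Push struct {
	Title string
	Body  string
	Data  map[string]string
}

// NaivePush is the pattern the article warns against: the notification itself
// carries PHI, so it is readable on a lock screen, retained by the push provider,
// and visible to anyone holding a lost or stolen device.
func NaivePush(e ClinicalEvent) Push {
	return Push{
		Title: "Result ready for " + e.PatientName,
		Body:  fmt.Sprintf("MRN %s: %s", e.MRN, e.Result),
		Data:  map[string]string{"mrn": e.MRN},
	}
}

// MinimalPush carries only a content-free prompt and an opaque reference; the app
// fetches the real message over its authenticated channel after the user unlocks it.
func MinimalPush(e ClinicalEvent) Push {
	return Push{
		Title: "New secure message",
		Body:  "Open the app to view it.",
		Data:  map[string]string{"ref": e.MessageID},
	}
}

// PHIInPush returns every identifying value from the event that appears anywhere
// in the outgoing payload (case-insensitive). Wired into tests or a release gate,
// it fails a template change that starts leaking PHI.
func PHIInPush(p Push, e ClinicalEvent) []string {
	fields := []string{p.Title, p.Body}
	for _, v := range p.Data {
		fields = append(fields, v)
	}
	var leaked []string
	for _, term := range []string{e.PatientName, e.MRN, e.Result} {
		if term == "" {
			continue
		}
		for _, f := range fields {
			if strings.Contains(strings.ToLower(f), strings.ToLower(term)) {
				leaked = append(leaked, term)
				break
			}
		}
	}
	return leaked
}

func main() {
	fmt.Println("naive push leaks:", PHIInPush(NaivePush(sampleEvent), sampleEvent))
	fmt.Println("minimal push leaks:", PHIInPush(MinimalPush(sampleEvent), sampleEvent))
}
```

The same shape works for email and SMS reminders: the out-of-band message says only that something is waiting, and the content is delivered inside the authenticated app session.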

Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.

The information that does need to be compliant is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.



If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.

On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:

  • Allows users to record their weight and exercise routines
  • Gives users access to medical reference information
  • Lets average users look up illness information
  • Defines various illnesses or diseases
  • Lets users keep up with their daily diets

If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.

But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals




Secure vs. HIPAA Compliant: What’s the Difference for Text Messaging?


The need for physicians and other healthcare team members to be in constant communication with each other has never been higher. Secure texting applications seek to provide healthcare professionals a quick and convenient way to connect while complying with the Health Insurance Portability and Accountability Act (HIPAA) and other privacy regulations.

Text messages are, in principle, an excellent way to transfer information on the go. They are useful in communication between doctors, nurses, office staff and even patients. Text messaging is a viable replacement for older, less efficient technologies such as the pager. Texting is real-time communication in a way that email is not. Physicians have shown an affinity for the method. In a study published in 2014, well over half of physicians at pediatric hospitals reported sending and receiving work-related text messages, and 12 percent said they sent more than 10 messages per shift [1].

Unfortunately, despite being used frequently in healthcare, standard text messages and most “secure” applications lack the encryption and other features needed to avoid potentially costly and embarrassing HIPAA infractions. Such violations, if due to “willful neglect,” can lead to fines of $50,000 per violation, up to a maximum of $1.5 million a year [2]. The right physician messaging solution keeps PHI private while making healthcare professionals’ lives easier and improving quality of care. Choosing an app that will truly keep your patients’ data safe, however, can be a challenge, because “secure” does not always mean “HIPAA-compliant.” HIPAA compliance is a much more stringent standard, and unfortunately most applications don’t meet it.




EHR Vendors Need to Expand Their Definition of Customer Service | EMR and HIPAA


Living in Las Vegas, I likely have a skewed idea of what customer service means. In the tech world, we have Zappos’ headquarters in downtown Las Vegas. Most of you are likely familiar with Zappos’ unique approach to customer service. They really have taken customer service to the next level and created an entire company culture around the customer service they provide. The same could be said for the experience that the various casinos on the Strip offer their customers. Most casinos do a really amazing job of providing a great customer service experience.

With this background, I find it really smart of Kareo to open an office in Las Vegas. Although that’s not really the point of this post. Instead, I want to focus on the idea that most EHR vendors need to expand their idea of customer service.

As I look at the world of EHR customer service, I see so many organizations lacking. Certainly we see examples of terrible EHR customer service that include calling into a call center in another country where the person doesn’t speak English and has no power to actually solve a user’s problems (Disclaimer: I don’t have a problem with call centers in other countries if they are well trained and can actually solve problems). Of course, the same thing can apply to a call center in the US that can’t solve the users’ actual problems. Both are terrible customer service and a problem in the industry. However, there’s a far more painful problem that I don’t think most EHR vendors consider a part of their customer service plan, and 99% of EHR vendors have done terribly at it.

Adding new features and accommodating an EHR user’s feature request is just as much a part of the EHR customer service experience as the person who answers the phone. I can assure you that every EHR vendor out there would get rated an F for the past few years when it comes to this form of EHR customer service. Why do I know this? I know this because every EHR vendor has been so focused on meaningful use that they haven’t had the time to add any meaningful EHR user feature requests and features outside of meaningful use.

This isn’t EHR vendors’ fault. The end users have required it and EHR vendors have had to spend the time doing it. However, EHR customer service has suffered as a consequence. Don’t believe me? Look through all the EHR press releases that have been released over the past couple of years. Find me the plethora of press releases that talk about the innovations that EHR vendors have created for their end users that aren’t related to meaningful use. I get the press releases, and they’re MIA.

That’s not to say that EHR vendors have done nothing for end users. They’ve made some incremental progress on a few things, but meaningful use has sapped their development time. Stage 2 was even worse. I look forward to the day when EHR vendors can focus on great customer service and EHR features and not just MU.




New HIPAA Reports to Congress Shed Light on OCR Enforcement | JD Supra

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting fewer than 500 individuals.

HIGHLIGHTS

OCR’s Compliance Report for 2011-2012

OCR has received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) as of the end of 2012 and has closed 91% of these complaints. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter.

OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike complaints, OCR does not provide information regarding the number of compliance reviews it has closed. Notably, OCR’s recent enforcement action against New York Presbyterian Hospital and Columbia University resulting in a $4.8 million settlement stemmed from a breach reported in 2010. In light of the three-year time lapse between the breach and the settlement, the industry may expect to see more enforcement action from breaches reported in earlier years.

This compliance report also highlights OCR’s audit program. While not new information, OCR again emphasizes that 89% of the 115 entities audited in the pilot audits were not fully compliant with HIPAA. OCR also noted that audit findings relating to security accounted for a disproportionately high number of total findings. To date, most OCR settlement cases involve security incidents.

OCR’s Breach Report for 2011-2012

OCR’s breach report confirms that it received more than 200 large breach reports for both 2011 and 2012 – only a slight increase from 2010. There was a huge jump in the number of individuals affected by breaches in 2011, but this was mostly attributable to a couple of particularly large breach incidents (impacting approximately 4.9 million and 1.9 million individuals, respectively). As of today, OCR has not posted a summary on its website for either of these breaches, potentially indicating that these breaches are still being investigated.

While theft and loss remain the top causes of large breaches, there appears to be an uptick in the impact of breaches related to hacking or IT incidents. In 2011 these breaches accounted for only 1% of the individuals affected by large breaches; by 2012 that share had jumped to 27%. This report is also the first in which OCR referenced a “ransom” attack, in which a malicious outsider makes electronic protected health information inaccessible until a ransom is paid.

The breach report also highlights breaches by business associates. In 2011 in particular, most large breach incidents were attributable to health care providers, but more individuals were affected by large breaches attributable to business associates (because the business associate breach incidents were disproportionately large). OCR also has indicated that it will include business associates in future audits.

Much of the information on large breaches already is made publicly available through OCR’s website, and Davis Wright now maintains more up-to-date summary information on such large breaches on its Privacy & Security Law Blog. The breach report, however, sheds new light on the breaches affecting fewer than 500 individuals. The number of reports OCR received in 2011 and 2012 (25,705 and 21,194, respectively) does not deviate much from the number of reports received in 2010 (2009 only accounted for a little more than the last quarter of the calendar year); however, the number of individuals affected by small breaches spiked in 2011 and 2012. The number of individuals affected more than tripled from 2010 to 2011, and increased further in 2012. This comes just a year after OCR announced its first settlement against a covered entity for a small breach.

Additionally, there are some clear trends in the small breaches reported to OCR:

The vast majority (84% for 2011; 83% for 2012) of these small breaches are happening at the health care provider level. More small breach incidents involve paper records than electronic protected health information (62% for 2011; 61% for 2012).

The number one cause of small breaches for both years was unauthorized access or disclosure (84% for 2011; 74% for 2012), which may include misdirected communications, such as records or bills mailed to the wrong patient or an old address.

Although theft and loss did not account for a large number of the small breach reports, together they affected a disproportionate number of individuals (46% for 2011; 42% for 2012).

Key Takeaways for Covered Entities and Business Associates

OCR is ramping up enforcement. OCR indicates in the compliance report that it is “realign[ing] its enforcement efforts.” OCR has completed six settlements in the past four months with settlement amounts totaling approximately $7.79 million, doubling the total settlement amounts obtained in 2013. An OCR attorney also recently indicated that the settlements to date in 2014 “pale in comparison” to what is to come.

OCR is focused on Security Rule enforcement. OCR recommends covered entities and business associates pay particular attention to compliance regarding key aspects of the Security Rule. According to OCR, better compliance in these areas may reduce common breaches. This includes:

  • Risk analysis and risk management. Conducting a thorough security risk analysis and risk management plan, identifying and addressing the potential risks and vulnerabilities to all electronic protected health information. The risk analysis and risk management plan also should be updated from time to time.
  • Security evaluation. Conducting periodic security evaluations and ensuring that appropriate physical and technical safeguards remain in place during operational changes, including facility or office moves or renovations, and conducting appropriate technical evaluations for software, hardware, and websites upgrades that may impact protected health information.
  • Portable electronic devices. Safeguarding protected health information stored and transported on portable electronic devices, including through encryption and policies and procedures.
  • Physical Access Controls. Verifying physical safeguards limit access to facilities and workstations used to maintain or access protected health information.
  • Proper Disposal. Ensuring policies and procedures account for the proper disposal of protected health information in both paper and electronic forms. Electronic devices and media that may contain protected health information should be purged or wiped before they are recycled, discarded, or returned to a third party, such as a leasing agent.
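The stolen unencrypted desktops and laptops in the breach summaries earlier on this page, the “secure” texting apps that lack encryption, and the OCR recommendation above to encrypt PHI on portable devices all come down to the same control. The Go program below is an added example, not code from any of the articles or from OCR: it contrasts a record stored as plaintext behind an application password (readable by anyone who holds the disk) with the same record sealed under AES-256-GCM, and shows that a single flipped byte is rejected rather than decrypted into garbage. The record fields are constructed; the key is generated locally here as a stand-in for one supplied by a key management service, which is an assumption of the example rather than anything the page specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample record; the field values are invented.
type PatientRecord struct {
	MRN       string `json:"mrn"`
	Name      string `json:"name"`
	Diagnosis string `json:"diagnosis"`
}

var sample = PatientRecord{MRN: "MRN-000001", Name: "Jane Sample", Diagnosis: "example diagnosis"}

// StorePlaintext models the "password on the application, plaintext on disk"
// pattern the breach summaries describe: the bytes written are the JSON itself.
func StorePlaintext(rec PatientRecord) ([]byte, error) {
	return json.Marshal(rec)
}

// NewDataKey returns a fresh 256-bit key. In production the key comes from a
// KMS or HSM and never sits on the same disk as the data (assumption, not from the page).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM; output is nonce || ciphertext || tag.
// aad binds the blob to its context (here the record id) so blobs cannot be swapped.
func Seal(key []byte, rec PatientRecord, aad []byte) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

// Open decrypts and authenticates; a modified byte or the wrong aad is rejected.
func Open(key, blob, aad []byte) (PatientRecord, error) {
	var rec PatientRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

// Leaks reports whether identifying fields are recoverable from the raw bytes,
// which is exactly what someone reading a stolen disk would look for.
func Leaks(raw []byte, rec PatientRecord) bool {
	return bytes.Contains(raw, []byte(rec.Name)) || bytes.Contains(raw, []byte(rec.MRN))
}

func main() {
	plain, _ := StorePlaintext(sample)
	fmt.Println("plaintext store leaks PHI:", Leaks(plain, sample))

	key, _ := NewDataKey()
	aad := []byte("record:" + sample.MRN)
	blob, _ := Seal(key, sample, aad)
	fmt.Println("encrypted store leaks PHI:", Leaks(blob, sample))

	// Flip one byte: GCM's tag check fails instead of returning altered data.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Open(key, tampered, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Binding the record identifier as additional authenticated data prevents a valid ciphertext from being moved into another patient's slot. The same primitive protects a message body in transit, but a messaging app also needs key distribution and endpoint authentication, which this example does not cover; full-disk encryption on the device covers the stolen-hardware case without per-record code, and the two are complementary.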

These are important areas for covered entities and business associates to address, but a compliance program is only as good as its weakest link. With HIPAA audits in the near future, covered entities and business associates should ensure they have appropriate safeguards in place and have updated all policies and procedures, training materials and business associate agreements in light of the Omnibus Final Rule changes. The OCR audit protocol is a good place for covered entities to start: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html. OCR used this protocol to assess covered entities’ compliance in the pilot audits. We caution that OCR has not updated this protocol to reflect changes made by the Omnibus Final Rule. This protocol also does not identify provisions applicable to business associates. Additional resources on HIPAA audits are available through Davis Wright Tremaine, including our Audit Toolkits: http://www.dwt.com/hipaatoolkit/.

Business associates may represent a particularly high risk, as their breaches often affect more individuals.

  • From September 2009 to June 28, 2014, business associates accounted for approximately 26% of large breaches. However, large breaches involving business associates have affected 48% of all individuals affected by large HIPAA breaches.
  • As with covered entity breaches, theft was the number one cause of large business associate breaches from September 2009 to June 28, 2014.
  • While paper records accounted for the highest number of large business associate breach incidents (24%) for the same time period, less than 6% of individuals affected by large business associate breaches were affected by breaches of paper records.




HIPAA Violations Will Soon Be More Expensive | JD Supra

The U.S. Department of Health and Human Services (HHS) intends to use higher fines and a new round of audits to send a strong message to the healthcare industry about complying with the Health Insurance Portability and Accountability Act (HIPAA).

Jerome B. Meites, a chief regional civil rights counsel at HHS, expects "the past 12 months of enforcement to pale in comparison to the next 12 months." His recent comments signal more aggressive punishment for privacy breaches and security lapses, and a more extensive HIPAA audit strategy by HHS’ Office of Civil Rights (OCR).

Meites noted the enormous number of complaints to OCR about lost or stolen unencrypted devices or media. Despite OCR’s continuous warnings to covered entities and their business associates about their obligation to ensure the security of information on these devices, many have yet to perform a comprehensive risk assessment and remain unaware of the potential dangers. Meites emphasized the government's concern about these issues, stating that both portable-media devices and an entity's failure to perform a comprehensive risk assessment were factors in many data-breach cases that resulted in significant financial settlements.

Risk-assessment procedures are expected to be a primary focus when OCR continues its HIPAA compliance audit program later this year. OCR has identified approximately 1,200 companies — about 800 covered entities (healthcare providers, insurers and clearinghouses) and 400 business associates — for potential HIPAA audits.

Enhanced enforcement efforts and the new round of audits highlight the importance of complying with the strict standards imposed by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act for the protection and privacy of certain health information.

Entities can help avoid increased regulatory scrutiny and potential costly violations by ensuring they have both a strong HIPAA training program and a well-informed workforce.


Should You Be Able to Opt Out of HIPAA Just Like An Email Newsletter? | MDDI Medical Device and Diagnostic Industry News Products and Suppliers


America is a nation of choice.

Especially to someone who can remember only two government-controlled TV channels as a pre-teen in India in the 1980s, the choice that we as Americans have not only in terms of the idiot box, but everything else, is sometimes dizzying.

That choice has become even more widespread with advances in technology. We are forever making choices. We are constantly opting in and out. 

Except when it comes to healthcare. There, no matter what we would prefer, we are held fast to HIPAA. Imagine being only allowed to communicate using feather quills and ink while email and texting were readily available. 

Now Dr. Mark Blatt, Intel's Worldwide Medical Director, is expounding a radical though rational idea. Let patients decide whether they want to opt out of HIPAA guidelines. Blatt recently participated in the U.S. House of Representative’s Energy and Commerce Committee roundtable discussion, 21st Century Cures, to talk about balancing health IT innovation and regulation.

Following that discussion, in a blog post, Blatt writes the following:

My message to the representatives and the panel was that we should be creating a climate that favors risk, and shouldn’t pass regulations that so protect citizens that nothing happens. After all, healthcare data belongs to the patient and it should be their right to use it however they want to. What if they want to opt out of HIPAA guidelines? They should be able to. What if I want one facility to send my data to another electronically? I should be able to. We don’t live in a one-size-fits-all society anymore and we should give patients choices when it comes to their personal health data and care.

Blatt is advocating that people be given the freedom to opt out of HIPAA in the same way that we decide to opt out of marketing emails and newsletters routinely.

A recent experience with HIPAA gets me to wholeheartedly support this. I needed my almost 3-year-old's lab results from a few months ago, but a simple phone request was not enough. I needed to sign and mail or fax a medical records release form. The form was available for download, but scanning and emailing was not an option. Not sure who this extra layer of bureaucracy was protecting, but it did bring annoyance for sure.

Several high-profile people are also chafing under HIPAA restrictions. Here's a portion of what Google co-founder Larry Page told venture capitalist Vinod Khosla at the recent KV (Khosla Ventures) CEO Summit:

Imagine you had the ability to search people's medical records in the U.S. Any medical researcher can do it. Maybe they have the names removed. Maybe when the medical researcher searches your data, you get to see which researcher searched it and why. I imagine that would save 10,000 lives in the first year. Just that. That's almost impossible to do because of HIPAA. I do worry that we regulate ourselves out of some really great possibilities that are certainly on the data-mining end.

Choice perhaps can solve some of healthcare's problems. If patients understand HIPAA guidelines and decide that they want none of it, they should have a right to. After all, HIPAA is not exactly protecting people in the same way seat belts do in cars.

For that to happen, one must acknowledge that healthcare laws are perhaps a bit out of sync with how people and technology have evolved. That doesn't necessarily mean that HIPAA needs to be jettisoned altogether, only that people - especially the Gen Y that Dr. Blatt talks about - should get a choice to opt out.

Maybe it’s time to admit to ourselves that the current healthcare system needs to be unwound and undone. Medical treatment is no longer only available through human interaction. The Gen Y generation wants convenient, inexpensive care that is never wrong. They are willing to sacrifice a friendly relationship with an elderly doctor so that the care is affordable and accurate. You have to balance things. It’s about choice. Allow for face-to-face care, or another way. Young people today want to push a button on a mobile device and get immediate, cheap help. Let them.

I hope that the representatives in the room last week don’t pass laws that favor one form of care over the other. If they really want to be effective and change the healthcare system, they should create a level playing field for both types of care and let the consumer choose.

Truer words were perhaps never better spoken.


Is Healthcare IT Hiring Part of the Problem with Healthcare? | EMR and HIPAA

I’ve been thinking quite a bit lately about hiring in healthcare IT since Healthcare IT Central joined the Healthcare Scene family. Recently I started thinking about the way we hire people in healthcare IT. Here are two facets of what we hire in healthcare:

  • We hire those who know healthcare.
  • We hire those who know old technologies.

When you think about the health IT software world, it includes things like MUMPS, fax machines, and lots of client-server. Where else in technology do you find that combination of old technology? Or as I read on Twitter today, “Why do we think that client-server is going to survive in healthcare? Didn’t Microsoft show us how that was a failed long-term strategy?” Ok, that wasn’t an exact quote, but you get the gist. Plus, I don’t want to dwell on client-server vs. cloud systems here either (I’ve got a great post coming where we can do that). I just want to illustrate that healthcare is home to a lot of old technology (see the pager if you need added evidence).

Now think about the people we have to hire to work on these old technologies. Do the innovators and creators of the world want to work on old technologies? Of course, they don’t. Sure, there are some exceptions, but they are exceptions. As a rule, the really innovative, creative thinkers are going to want to work on the latest and greatest technology.

This tweet from Greg Meyer (@Greg_Meyer93 if you prefer) highlights the divide really well:

The reality of healthcare is that we have an industrial workforce and industrial products. Should we expect creative results? Maybe we need to switch up how we think about hiring and how we approach technology if we want to really disrupt healthcare. Or maybe healthcare will just get so bad and so far behind that it will create a gap that will allow someone from outside healthcare to enter and disrupt it all.

Technology lapse stalled HIPAA request

On Monday, July 7, at 4:37 p.m. my husband was riding his bicycle on Governor Printz Boulevard and was hit by a car. He was airlifted to Christiana Hospital. I was never notified. I heard the news from a friend who heard it on his scanner. I called the non-emergency police to inquire and was told nothing because of the Health Insurance Portability and Accountability Act, the health care privacy act. I understand that, but because he has no memory of how and what happened, I was hoping the police report would give us some answers, but I am unable to get that info.

I was told I must pay $25 to get said report ($60 if a fatality) and send a self-addressed envelope with payment to Dover. I have done that and have yet to receive this report. I wrote to Congressman John Carney to express my distress and simply ask where this money goes and why can't this be done electronically to expedite information for family and insurance claim purposes, with no response. This is a stressful situation for all and regardless of the monetary issue, why make us wait when this could be achieved faster with technology?


Unclear HIPAA rules permit healthcare data offshoring … for now

Over the past decade, much discussion has taken place about the implications of Health Insurance Portability and Accountability Act covered entities and their business associates leveraging cheaper offshore solutions for services such as radiology, transcription and even treatment planning. The issues surrounding the solutions' quality, data integrity and covered entities sidestepping state staff-licensing requirements are vast, but we are going to deal primarily with HIPAA Security and Privacy and the related civil and criminal implications here.

To date, the bottom line has been that the Health Insurance Portability and Accountability Act (HIPAA) rules lack statutory clarity in regard to the issue of offshoring and the myriad privacy and jurisdictional challenges offshoring creates. I do believe, however, that the enforcement of covered entities' (CEs) obligations to ensure their business associates (BAs) properly regard and defend Protected Health Information (PHI) raises regulatory questions about the future legitimacy of offshoring. Now that BAs have regulatory obligations similar to those of CEs, I believe the government will exert pressure around the issue of offshoring.

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Department of Health and Human Services' (HHS) release of the Final Omnibus Rule on January 17, 2013, the extension of statutory obligation to BAs makes for an interesting twist in offshoring. The Omnibus Rule reaffirmed and strengthened the reach of HHS's Office of Civil Rights (OCR) and Department of Justice (DOJ) with respect to BAs within the United States and its territories, but it did nothing directly to the offshoring of PHI.

Along with the obligation to comply with HIPAA rules, HITECH established the associated direct civil and criminal liability of domestic BAs beyond breach of contract. The subsequent publication of the Omnibus Final Rule reinforced these. Under the Final Rule, the OCR has the power to domestically deal out civil penalties, corrective actions and long-term monitoring, while the DOJ has the power to domestically deliver a criminal prosecution. Through enforcement under HITECH, the State attorneys general also have the power to cause pain to U.S.-based companies, because the attorneys general are empowered to bring civil actions in federal district courts for state residents who have been damaged or whose rights were violated by information breaches.

The State attorneys' general authority, however, is limited to where the federal government is already active: "If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney General may bring an action under this subsection against the person with respect to such violation during the pendency of that action."

In recent months, the Federal Trade Commission (FTC), through its own rulings, has also laid claim to the State attorneys' general ability to institute fines, monitor and otherwise harass CEs and BAs domestically.

So all of this is well and good, but, in reality, there is no legitimate way for the OCR, the DOJ or the FTC to reach into foreign countries and deal out civil penalties -- no less criminal ones.

Even domestically, the OCR finds it difficult to collect penalties from the likes of Cignet Health of Maryland. In the vast majority of cases, the primary motivation for international firms to comply is only contractual and may be reputational, and the rights given to foreign corporations within the BAs' home countries put limitations on their exposure.

According to a report by the Office of the Inspector General (OIG) released April 2014, the OIG has similar concerns. To quote the OIG: "For example, Medicaid agencies or domestic contractors who send PHI offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections to support HIPAA compliance."

I would also argue that international privacy protections may cover only the data of their own citizens. While the OIG report is about Medicaid agencies, which cover a limited -- albeit large -- population, the fact that the OIG raised these concerns means we should be concerned with this for other entities. I predict this thinking about limiting the risk by limiting offshoring will catch on in Washington.

While Medicaid, unlike Medicare, does not require permission from the federal government to transfer information offshore, some states do not allow the offshoring of PHI for Medicaid at all. This complicates the issue. Since the Affordable Care Act, insurers and provider networks began to cross state borders through exchanges that involve Medicaid subsidies to patients in states that have these limitations. The OIG report, combined with the FTC reaching into the HIPAA regulatory universe and with states deciding to prohibit Medicaid data from leaving the country, creates potential future problems for those that choose to offshore.

Let me add one more twist to all of this: outsourced offshore IT, storage and/or software-as-a-service vendors. As we have seen here, the OIG has concerns about the potential for data getting passed offshore. States have placed specific limitations on Medicaid information leaving their states. What about data intentionally or inadvertently sent -- or illegally taken -- offshore through IT support services, datacenter disaster recovery efforts and even load balancing? I know that's an entirely different article, but it's still something to consider here.

I would argue that in the event of a major offshore breach, an enterprising lawyer could use all of this to show a lack of "reasonableness" in the decision to offshore in the first place.


Millions of Electronic Medical Records Breached | Center for Health Reporting

This story first appeared in the Orange County Register and the Los Angeles Register.

Thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans, including 4.6 million Californians, since 2009.

Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records.

These records are more detailed than most consumer credit or banking files and could open the door to widespread identity theft, fraud, or worse.

Consider the case of Tustin-based GMR Transcription Services Inc. The Federal Trade Commission alleges that in 2011 a GMR subcontractor put transcribed medical audio files on a computer server that was then indexed by Google.

The files contained patients’ medical histories, including psychiatric disorders, alcohol use and drug abuse. GMR settled the FTC lawsuit in January. In a statement after the settlement, GMR said the files were no longer searchable and that it was exiting the medical transcription business.

Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider, HHS’ deputy national coordinator for information technology.

The government is trying to combat potential privacy breaches with a carrot-and-stick approach. It’s offering early adopters of electronic health records advice, an online security assessment tool, even a “cybersecure” computer game to help them learn.

But it’s also threatening, and in rare cases imposing, big fines on insurers, hospitals or doctors that lose control of records.

In May, HHS levied a record $4.8 million penalty against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010 some 6,800 patients’ records were accidentally exposed to Internet search engines.

That incident is one of 1,045 cases listed on HHS’ so-called “wall of shame,” a website mandated by the 2009 stimulus act that lists every health privacy breach affecting at least 500 individuals.

Individual cases highlight just how weakly protected many medical records are: Hundreds of thousands, even millions of records are typically kept on a single computer. Those records, usually protected by a password, are often not encrypted. That makes them readable by anyone who can crack the password.

“There are some healthcare providers who are not going to have any problem” safeguarding electronic health records, said Pam Dixon, executive director of the World Privacy Forum in San Diego. “There are other health care providers who are just like a sieve.”

The government does “provide good guidance,” said Justin Brookman, consumer privacy director at the Center for Democracy & Technology, a Washington, D.C., nonprofit that promotes online privacy. “But most of the breaches we’ve seen have been people not following” that guidance.

There is “a 1 percent chance of very bad things happening,” Brookman added. “It is foreseeable or should be foreseeable.”

Other examples:

  • Sometime between Feb. 14 and March 27, 2014, computer “malware” captured information from three computers at the UC Irvine Student Health Center and fed data involving 1,813 students – including names, addresses, insurance and bank information, as well as medical information – to unauthorized servers. UCI is upgrading its security.
  • In October 2013, someone broke into a sixth-floor office in Alhambra and stole two laptops. The laptops contained information for 729,000 patients of AHMC Healthcare, which runs Anaheim Regional Medical Center and five hospitals in Los Angeles County. The computers contained patients’ names, Medicare and insurance identification numbers, diagnosis codes and insurance payments. Spokesman Gary Hopkins said there is no evidence patient information was ever used.
  • In one of the biggest breaches in California history, an unencrypted desktop computer was stolen from the Sacramento administrative office of Sutter Medical Foundation in October 2011. The computer contained personal medical information, including diagnoses and procedures, for 943,000 patients. In response, Sutter sped up efforts to encrypt its computers.


Impact of New HIPAA Enforcement Leader

As the Department of Health and Human Services' Office for Civil Rights prepares for a change in its top leadership, information security leaders are watching to see whether the strategies of the HIPAA enforcement agency might shift as well.

On July 9, OCR Director Leon Rodriguez, who held the post of the nation's top HIPAA privacy and security rules enforcer at HHS since 2011, was sworn in as the new director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

But his successor at OCR, Jocelyn Samuels, who currently serves as the acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, won't be starting in her new post for a while.

"Transition demands at the Department of Justice have delayed Ms. Samuels' arrival for a few weeks," an OCR spokeswoman tells Information Security Media Group. "In the interim, HHS leadership are acting in her stead."

Samuels was named last week by HHS Secretary Sylvia Mathews Burwell to replace Rodriguez. He was nominated by President Obama in December and confirmed by the Senate in June 2014 as the director of U.S. Citizenship and Immigration Services, which has nearly 18,000 employees and administers the nation's immigration and naturalization system.

DOJ Work

While Samuels has served in the civil rights division at DOJ, the agency has paid particular attention to pursuing Americans With Disabilities Act cases and enforcement actions related to the Supreme Court's Olmstead ruling, which provides rights to individuals with disabilities to live outside of institutionalized care, notes the Boston Globe in a June 24 article about the 15th anniversary of the court's decision. Other healthcare-related cases pursued by the DOJ during Samuels' tenure involved rights of the hearing impaired, notes Elizabeth Hodge, a healthcare compliance attorney at the Tampa, Fla.-based office of national law firm Akerman LLP. "There were cases fining hospitals as well as smaller practices" over their lack of access to healthcare for the hearing impaired, she says.

In addition to enforcing HIPAA compliance through activities that include breach investigations and random compliance audits, OCR also enforces protection against unfair healthcare treatment or discrimination based on race, color, national origin, disability, age, gender or religion. While Samuels' arrival at OCR will not change the mission of the agency, how its limited resources are divvied up for its various enforcement activities could potentially shift.

Challenges Ahead

The greatest challenge facing Samuels is OCR's need for additional financial and human resources, says David Holtzman, a former senior adviser at OCR who's now a vice president at the security consulting firm CynergisTek.

OCR's mission and responsibility was significantly expanded through Congressional mandates in the HITECH Act and the Affordable Care Act, he notes. "For example, the HITECH Act required OCR to expand enforcement of the HIPAA rules to business associates, required investigation and imposition of penalties on HIPAA violations due to willful neglect, and established an audit program. The ACA expanded the rights of individuals to access healthcare without regard to their sexual orientation or gender identity. However, Congress did not appropriate additional funding to carry out this mission."

Holtzman calls on Samuels to "continue the efforts begun by her predecessor to use her 'bully-pulpit' to raise the visibility of OCR and work with Secretary Burwell for appropriation of additional support for OCR's mission."

Striking a Balance

Even when it comes to OCR's various HIPAA enforcement activities, which range from breach and complaint investigations to the planned resumption this fall of the HIPAA compliance audit program, Samuels will be faced with a delicate juggling act, says privacy and security attorney Adam Greene, a partner with Davis Wright Tremaine in Washington.

"One of the biggest challenges for Ms. Samuels will be to ensure that the agency continues to strike a reasonable balance with respect to enforcement," says Greene, who also formerly was a member of the OCR staff. "OCR initially focused on voluntary compliance rather than seeking financial penalties and settlements, and some within healthcare complained that the lack of enforcement led to insufficient resources allocated to HIPAA. Now, we have started to see more multi-million dollar settlements, and some question whether the penalties are disproportionate to the conduct and harm."

A challenge for Samuels, Greene says, is "to strike the balance where HIPAA is seen as having 'teeth' but covered entities and business associates can still count on OCR as being reasonable when there are areas of ambiguity or privacy or security issues occur despite good efforts at compliance."

Enforcement Actions

In OCR's latest HIPAA enforcement activity, the agency in June announced an $800,000 settlement with Indiana-based community health system Parkview Healthcare for a 2009 breach involving paper medical record dumping and affecting between 5,000 and 8,000 patients. That settlement followed a $4.8 million resolution agreement revealed in May involving two New York healthcare organizations - New York-Presbyterian Hospital and Columbia University. The OCR investigation into that incident, which involved unsecured patient data on a network and affected about 6,800 patients, uncovered other HIPAA compliance issues, including the lack of a risk analysis and failure to implement appropriate security policies.

Those OCR settlements are among 21 HIPAA resolution agreements that included financial payments since 2008, plus one case that involved a civil monetary penalty, which is considered more punitive. However, since the HIPAA Omnibus Rule took effect last year, OCR has indicated that it's ramping up HIPAA enforcement, which includes plans to resume the HIPAA compliance random audit program later this year (see HIPAA Enforcement: A Reality Check).

OCR's enforcement strategy to date of issuing HIPAA resolution agreements and sometimes hefty financial settlements to a small number of select covered entities has been an effective compliance tool, Hodge contends.

"Given OCR's limited resources, targeted resolution agreements that bring focus on a variety of compliance issues and breaches, and a range of different kinds of covered entities, grab attention," she says. "The next thing we might see are resolution agreements involving business associates."

Under HIPAA Omnibus, business associates are directly liable for HIPAA compliance.

But those cases also take up OCR resources. "I believe it is important that Director Samuels work with Secretary Burwell to put into place the resources needed to effectively respond to the large number of complaints being received by OCR," Holtzman says.

"All too often, complaint investigations and compliance reviews begun by OCR drag on for many, many months because there are not enough investigators in the regional offices to keep up with the complaints filed by consumers. Almost all complaint investigations can be resolved informally through the voluntary corrective action of covered entities," he says. "Covered entities and business associates deserve the opportunity to a prompt investigation and resolution of these agency enforcement activities."


OCR clarifies omnibus HIPAA questions | Government Health IT

Last week I had the opportunity to attend and present at this year’s American Health Lawyers Association (AHLA) annual conference in New York. It turned out to be an excellent opportunity for exchanging ideas as well as offering in-depth discussions of many of the compliance challenges in healthcare. Additionally, it was a chance to hear first-hand from the Office of Civil Rights (OCR) regarding various aspects of the rules and their interpretations. What OCR is thinking or how they interpret the rules has always been a major topic of interest.

That was indeed the case as the discussion turned to the subject of Business Associates (BAs). The rule is clear: BAs must comply with the technical, administrative and physical safeguard requirements under the security rule and those use or disclosure limitations expressed in the contract and the privacy rule. 

Right? Well, maybe that’s not so clear.

There was a fair amount of discussion around the fact that not all BA relationships are equal and that there may be cases where not all security provisions apply. In those instances where this can be determined at the point of contracting, it was opined that the contract and/or the Business Associate Agreement (BAA) can include the phrase “as applicable” to recognize that not all security rule provisions may apply. It is important though when going this route to clearly identify what does and does not apply so that expectations are set and both sides know how to perform. 

Another hot topic that was discussed (and seemingly put to bed by OCR) involved the question of whether encrypting data relieved a vendor of its BA responsibilities. You might recall that OCR let it be known shortly after the Omnibus Rule was released that they would consider the idea that encryption might be relevant as a factor when determining BA responsibilities or status. The question posed was whether, if the vendor simply hosted the data or the system containing the data, and the data was encrypted by the Covered Entity (CE), which retained the keys so that the vendor could not gain access to the information, this should not obviate BA status. The short answer was no, it does not relieve those responsibilities. The rationale was simple. Organizations that host a CE’s electronic protected health information (ePHI), or systems containing ePHI, have security responsibilities that go beyond simple access management. They have responsibilities for areas such as contingency planning, physical security, etc. that have little to do with access management and are absolutely required for anyone maintaining critical systems or ePHI. So, final answer: encryption does not relieve vendors from BA responsibilities.

There were several other topics regarding BAs discussed such as how liability flows from CE to BA to each successive layer of subcontractor and how the Federal Common Law of Agency applies, which is discussed in the Preamble of the Rule, meaning that the CE is responsible for the actions of those it elects to designate as its agents. As always, it is important to not only read the body of the rule, but the Preamble language as well because it typically explains and expands on the rule for interpretation purposes.

The last topic I’ll address is that of the Conduit Exemption. OCR’s representative provided a good explanation of how to apply this exemption and the background for the provision. When the exemption was first conceived electronic transmission of data was not the issue. The issue was the transportation of hard copy PHI through mail services. The conduit provision is very limited. It focuses on transportation or transmittal of PHI. There is no retention of the data contemplated.

Storage, if it occurs, is incidental to the transmission or transportation process and occurs only for the minimal amount of time necessary to support that process. When the question was asked ‘how does this exemption apply to electronic transmissions?’ the criteria did not change. If a vendor is simply providing transport of ePHI, then storage, if necessary, should only occur for that brief period necessary for the information to pass through the vendor’s environment. If the vendor hosts the information, or holds it for any reason beyond what is required to move it through their environment, they are a BA and the Conduit Exemption does not apply.

I leave you with one interesting “conundrum,” as the participants in the discussion described it, to ponder. It applies to the use of personal email at work, meaning allowing workforce members to use their personal email (Google, Yahoo, etc.) while on the job. The question posed was whether or not the CE’s permitted use of personal services created a BA relationship by default, should workforce members use their personal service to transmit ePHI. Think not only email, but texting, images, etc. Several were of the opinion that this did create a BA relationship.

While you are wrapping your head around the potential implications of that one let me say, this was a great conference. AHLA organized a first class agenda and an excellent faculty that generated a lot of very interesting, thought provoking and relevant discussions. I heartily recommend it for any internal counsel or law team working with healthcare.
