http://hipaablog.blogspot.com/atom.xml

HIPAA Blog



A discussion of medical privacy issues buried in political arcana



Updated: 2016-09-24T08:19:14.951-05:00

 




2016-09-23T17:29:26.598-05:00

Magical Incantations of Blockchain: I must confess: I was a liberal arts major, and I've never written a line of code in my life.  So maybe I'm just an idiot (a real possibility), but I just don't see how Blockchain works, and how it's going to be the next great thing in healthcare.  My understanding is that the benefit of Blockchain is that there's no intermediary in transactions, and no




2016-09-22T15:19:37.448-05:00

Want Some Free HIPAA Advice? Are you a North Texas healthcare provider looking for help and ideas on how to conduct a good risk analysis for your organization?  How would you like the assistance of a dozen Masters of Healthcare Management graduate students in analyzing your business operations and HIPAA risks, to help determine if your HIPAA policies and procedures are up to snuff?  If you're




2016-09-22T11:09:26.621-05:00

Providers Must Understand [and Practice] Cybersecurity: Ft. Worth's own Theresa Meadows serves on HHS' Health Care Industry Cybersecurity Task Force and has some good points to make.  Like understanding your risks.  




2016-09-20T00:44:19.490-05:00

YouTube broadcasts of plastic surgery procedures?  Yes, they can do that, as long as they have sufficient patient consent.  It's the patient's PHI, and if they agree, it's OK.  But if you're the provider, make sure their consent is sufficient.  




2016-09-22T10:29:51.221-05:00

Q from @JShafer817:  We do not encrypt SMS messages and they are absolutely not secure enough for PHI in general, whether or not we encrypted them for our part of the journey.  In other words Jeff.. SMS sucks.. and once it leaves the server it isn't encrypted anyways...  So.. should SMS be used for... appt confirmations??? A: HIPAA requires reasonable safeguards to protect the




2016-08-30T14:18:53.098-05:00

SCAN Health Plan (CA) and Appalachian Regional Healthcare (KY and WV) get breached.  The former sounds like an insider breach, the latter a ransomware or malware attack.




2016-08-30T11:31:26.452-05:00

Wanna see a pacemaker get hacked?  Not sure how legit this is, and there's still no documented evidence of an actual hacked medical device, but the possibility will keep mystery and thriller writers going for a while. . . .




2016-08-30T11:27:22.857-05:00

Cybersecurity continues to be a big concern for healthcare providers. 




2016-08-27T10:54:16.062-05:00

Beer Science: Beer IS science.  Seriously, I know more about chemistry, and specifically enzymatic reactions, because of homebrewing than I ever learned in school.  Then again, I was a liberal arts major. . . .




2016-08-27T10:36:49.280-05:00

Let's try this again, again: OCR to investigate smaller breaches. This makes sense if they want to look at entities with lots of small breaches, breaches involving the exact same fact scenario, or breaches that cause a lot of damage even though there are only a relative few victims (i.e., fewer than 500 affected individuals).  Timing of notifications matters: OCR will find out that a big




2016-08-26T13:13:54.244-05:00

Jason Pierre-Paul: this is sort of inside-baseball stuff (can you say that about a case involving a football player?), but a court is allowing the suit to go forward.  Pierre-Paul is suing ESPN for violating his privacy and Florida medical confidentiality laws.  The network certainly did not directly violate HIPAA (because the network is not a "covered entity" under HIPAA), but query whether




2016-08-11T12:25:10.812-05:00

Reminder: Just because you're a healthcare provider does not mean HIPAA is applicable to you. I was having a conversation just last night regarding this issue: HIPAA only applies to health plans, health care clearinghouses, and health care providers "who transmit any health information in electronic form in connection with a transaction covered by" HIPAA.  The 8 HIPAA-covered transactions are:




2016-08-08T17:57:42.917-05:00

Are Ransomware Attacks Per Se HIPAA breaches?  "Not Necessarily," says this National Law Review article.  Of course, I agree.  But this is just plain wrong: "If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is




2016-08-08T10:11:16.238-05:00

Newkirk, BCBS-KS breaches: Newkirk is a business associate of a lot of health plans, printing insurance cards for plan members (not too sure what happened there, since the article is behind the WSJ paywall).  Blue Cross Blue Shield of Kansas is one of Newkirk's customers, apparently, and about 800,000 of their customers are impacted.  No SSNs or financial information, but insurance information




2016-08-08T10:03:56.597-05:00

Yes, Healthcare Data is Attractive to Hackers: For a number of reasons, as reflected in the value of health information on the "Dark Web."  But is the healthcare industry reacting appropriately and increasing defenses?  There sure seem to be a lot of breaches being reported, but don't mix in the settlements of old cases with new breaches.  In fact, so far, 2016 is experiencing substantially




2016-08-08T09:58:01.527-05:00

Yes, it is a Big Year for HIPAA Fines: but is it proof of more enforcement (or more strict enforcement), or just bigger fines?  Personally, I've had several clients avoid fines where I thought OCR would levy something, but that might be my expectations changing, not the underlying enforcement environment.  (For the record, none of those clients deserved a fine, nor could they really afford one,




2016-08-05T11:32:06.494-05:00

Threat-Sharing: It's a big deal these days, whether it's the proposed federal Cybersecurity Information Sharing Act ("CISA"), Presidential policy on Cyber Incident Coordination, or private industry-specific activities like HITRUST's cyber threat exchange (CTX).  Now HHS is getting into the act.  These are all nascent, but I think some good intelligence might come from all of this.




2016-08-04T16:42:49.945-05:00

Biggest Fine Yet (IIRC): Illinois' Advocate Health has been fined $5.55 million by OCR for a series of HIPAA failings.  Looks like a lack of a good risk assessment, lack of physical access controls, and BAA failures are part of the mix.




2016-08-03T16:17:12.055-05:00

It's a Banner Day for Breaches. Banner Health suffers a huge one: 3.7 million patients.  Actually, it looks like 2 breaches in one for the huge western-US healthcare provider.  One went after payment card data from food and drink locations at Banner facilities, and the second one went after patient records.  




2016-08-03T14:21:41.216-05:00

Hacker World Problems: a Ukrainian hacker stole 100,000 documents from Central Ohio Urology Group (mostly internal documents, like surgery schedule spreadsheets) and posted them online. Was he trying to sell the data on the Dark Web?  Engaging in identity theft?  Extorting payments from the group? No, he's trying to bring public awareness to the "fact" that the Pentagon is poisoning people in




2016-07-27T10:51:07.826-05:00

Medical Device Security: I still think this is in the realm of TV shows and movies (I've been binge-watching Mr. Robot lately), but while the likelihood is slim, the possibility of hacking a medical device should certainly concern the healthcare IT crowd. Here's an interesting graphic I got from Arxan Technologies that is certainly food for thought.




2016-07-22T10:39:23.003-05:00

No, No, No.  No, @HealthPrivacy, you cannot draft regulations via guidance.  This is just plain wrong.  If a covered entity has, in the course of a reasonable risk analysis, determined that emailing of unencrypted PHI is not secure, then the covered entity is not required to email unencrypted PHI to individuals exercising their access rights.  The regulations do not say that, and you can't




2016-07-21T11:13:50.211-05:00

Ransomware: 4 steps for fighting it.  I'd add my own 4 steps, if I haven't already: Patch management and current antivirus software: whenever vulnerabilities are discovered in software, the developers usually send out patches.  Make sure your organization is signed up to get those patches and promptly applies them.  It's extremely unlikely you'll be attacked between the time the vulnerability is




2016-07-21T11:18:26.076-05:00

Breaking News: Entities not covered by HIPAA have privacy and security gaps.  Well, duh. HIPAA isn't intended to be some European-style data rights law that grants everyone specific rights in their own data and the right to demand that third parties, with which they may have no direct relationship and which otherwise owe them no specific duties, either limit their uses/disclosures of that data




2016-07-20T18:02:27.762-05:00

I think we knew this: cyber attacks increasing in the health care industry.  Interesting take on the article: the ACA pushed medical practices to adopt EMRs before they were technologically proficient enough, and now cyber attacks are the price we pay for not really being shovel-ready. I call bullshit.  Plenty of tech-savvy companies have been hacked.  It's not a "not ready for prime time"