Subscribe: HIPAA Blog
http://hipaablog.blogspot.com/atom.xml
HIPAA Blog

A discussion of medical privacy issues buried in political arcana

Updated: 2016-12-04T08:15:38.136-06:00

2016-12-01T10:45:49.075-06:00

Phishing: You might've heard of this earlier, but someone is using OCR's Phase II audits as a pretext for sending what OCR is calling "a phishing email."  I haven't seen an actual email (if someone has one, send it my way), but I'm not sure it's exactly phishing so much as spam. Apparently the email says you may be included in OCR's HIPAA Privacy, Security, and Breach Rules Audit Program, but

2016-11-29T16:28:46.475-06:00

What does the Trump Administration mean for healthcare?  Here's one perspective.

2016-11-17T15:45:22.531-06:00

California data breach notification law undergoes changes: I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law, requiring notification where encrypted data is part of the breach.  Under existing law, if the data is encrypted, no breach notification is required.  Under the new

2016-11-14T14:27:12.831-06:00

Idaho State University: Update: My apologies, this appeared in a newsfeed of mine last week, and while I was surprised I hadn't seen it otherwise, I figured out I might have missed it.  Turns out it's not current news, and I did, in fact, report on it back in 2013 when it happened. Thanks to Dissent Doe for pointing that out. Today's earlier post: A contractor failed to reactivate a firewall

2016-11-09T13:27:01.675-06:00

Off-Topic: A friend emailed from Florida asking what I thought about the election.  Here's my hot take. Surprised but not surprised.  Do you read Scott Adams?  He writes the Dilbert cartoon.  He’s been saying all along that Trump would win just because Trump is a master of persuasion.  Read his post from yesterday on confirmation bias and you’ll see what he’s up to.  If you have time, it

2016-11-08T15:12:18.912-06:00

Off Topic: This is a post for HMGT-6330.  The additional links are: Private Insurance numbers Paying the Penalty Insurers leaving Who is affected CO-OP info CO-OP troubles Overall Obamacare Troubles

2016-11-03T10:45:41.389-05:00

Hmm, I'd expect a better level of understanding from the National Coordinator for Health Information Technology.  Or maybe it's just the reporting that's bad, and something is lost in the translation.  At the Brainstorm Health conference yesterday, Dr. Vindell Washington, head of ONCHIT, said that patient data belongs to the patient (true), and that the providers who hold the data do not own it

2016-10-21T22:37:33.474-05:00

(OT) Candy Corn Beer.  I blame Steve Badger.

2016-10-19T13:50:45.456-05:00

Interesting (Yet Entirely Wrong) Article: A doctor writing for Slate shows that he doesn't know how HIPAA works (see the first comment - all the way at the bottom of the comments).  But hey, at least he spelled it right. . . .

2016-10-18T13:53:52.432-05:00

Speaking of Risk Assessments, OCR and ONC have revised their HIPAA Risk Assessment Tool.  

2016-10-18T13:49:30.376-05:00

Yelp: Doctors' hands are tied when patients complain.

2016-10-19T14:28:20.236-05:00

Another Day, Another big HIPAA settlement: $2,140,500 paid by St. Joseph Hospital of Irvine, California.  The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet.  They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review

2016-10-18T06:25:35.873-05:00

Robocalls for Flu Shots: Interesting article on the intersection of two federal privacy-related laws: HIPAA and the TCPA.  The Telephone Consumer Protection Act protects consumers against unwanted commercial phone calls, but there are exceptions for healthcare and treatment.  A Safeway customer got a flu shot at a Safeway pharmacy and gave Safeway her cell phone number.  The next year, Safeway

2016-10-13T17:04:16.384-05:00

4 Steps to Safeguard PHI: Good advice, if somewhat obvious.

2016-10-10T13:45:33.758-05:00

The Lesson of Care New England: Even if the breach isn't caused by it, the fact that you failed to manage your BAAs can cost you almost half a million dollars (OK, $400,000; I was telling some folks at a conference today it was $500,000, but I mis-remembered the amount, obviously).  That's the lesson: once OCR comes to investigate, whether as the result of a breach, a complaint, or an audit,

2016-09-29T14:27:57.572-05:00

Filing PHI in Court Documents: It's OK for providers to sue patients who don't pay their bills; providers don't have to work for free, and they aren't slaves of their patients.  However, if you do so, make sure you don't include any more PHI than is necessary for the filing, and consider seeking a qualified protective order for any PHI you really need to disclose.  The disclosure is permitted as

2016-09-28T13:09:37.486-05:00

HHS' HIPAA guidance doesn't reach NIST standards: That's the GAO's conclusion, and they're right.  However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal for any entity looking for data security, it's not really required.  HIPAA is for every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the

2016-09-27T11:03:42.268-05:00

Why did Care New England Pay $400,000 for Failing to Update Internal BAAs? The healthcare system management entity is technically a business associate of the related providers, and thus there must be business associate agreements between the provider entities and the management entity.  They apparently entered into appropriate agreements in 2005, but failed to update them in 2013 after the

2016-09-23T17:29:26.598-05:00

Magical Incantations of Blockchain: I must confess: I was a liberal arts major, and I've never written a line of code in my life.  So maybe I'm just an idiot (a real possibility), but I just don't see how Blockchain works, and how it's going to be the next great thing in healthcare.  My understanding is that the benefit of Blockchain is that there's no intermediary in transactions, and no

2016-09-22T15:19:37.448-05:00

Want Some Free HIPAA Advice? Are you a North Texas healthcare provider looking for help and ideas on how to conduct a good risk analysis for your organization?  How would you like the assistance of a dozen Masters of Healthcare Management graduate students in analyzing your business operations and HIPAA risks, to help determine if your HIPAA policies and procedures are up to snuff?  If you're

2016-09-22T11:09:26.621-05:00

Providers Must Understand [and Practice] Cybersecurity: Ft. Worth's own Theresa Meadows serves on HHS' Health Care Industry Cybersecurity Task Force and has some good points to make.  Like understanding your risks.  

2016-09-20T00:44:19.490-05:00

YouTube broadcasts of plastic surgery procedures?  Yes, they can do that, as long as they have sufficient patient consent.  It's the patient's PHI, and if they agree, it's OK.  But if you're the provider, make sure their consent is sufficient.  

2016-09-22T10:29:51.221-05:00

Q from @JShafer817:  We do not encrypt SMS messages and they are absolutely not secure enough for PHI in general, whether or not we encrypted them for our part of the journey.  In other words Jeff.. SMS sucks.. and once it leaves the server it isn't encrypted anyways...  So.. should SMS be used for... appt confirmations??? A: HIPAA requires reasonable safeguards to protect the

2016-08-30T14:18:53.098-05:00

SCAN Health Plan (CA) and Appalachian Regional Healthcare (KY and WV) get breached.  The former sounds like an insider breach, the latter a ransomware or malware attack.

2016-08-30T11:31:26.452-05:00

Wanna see a pacemaker get hacked?  Not sure how legit this is, and there's still no documented evidence of an actual hacked medical device, but the possibility will keep mystery and thriller writers going for a while. . . .