[2016-10-21T22:37:33.474-05:00] (OT) Candy Corn Beer. I blame Steve Badger.

[2016-10-19T13:50:45.456-05:00] Interesting (Yet Entirely Wrong) Article: A doctor writing for Slate shows that he doesn't know how HIPAA works (see the first comment, all the way at the bottom of the comments). But hey, at least he spelled it right. . . .

[2016-10-18T13:53:52.432-05:00] Speaking of Risk Assessments, OCR and ONC have revised their HIPAA Risk Assessment Tool.

[2016-10-18T13:49:30.376-05:00] Yelp: Doctors' hands are tied when patients complain.

[2016-10-19T14:28:20.236-05:00] Another Day, Another Big HIPAA Settlement: $2,140,500 paid by St. Joseph Hospital of Irvine, California. The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet. They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review

[2016-10-18T06:25:35.873-05:00] Robocalls for Flu Shots: Interesting article on the intersection of two federal privacy-related laws: HIPAA and the TCPA. The Telephone Consumer Protection Act protects consumers against unwanted commercial phone calls, but there are exceptions for healthcare and treatment. A Safeway customer got a flu shot at a Safeway pharmacy and gave Safeway her cell phone number. The next year, Safeway

[2016-10-13T17:04:16.384-05:00] 4 Steps to Safeguard PHI: Good advice, if somewhat obvious.

[2016-10-10T13:45:33.758-05:00] The Lesson of Care New England: Even if the breach isn't caused by it, the fact that you failed to manage your BAAs can cost you almost half a million dollars (OK, $400,000; I was telling some folks at a conference today it was $500,000, but I misremembered the amount, obviously). That's the lesson: once OCR comes to investigate, whether as the result of a breach, a complaint, or an audit,

[2016-09-29T14:27:57.572-05:00] Filing PHI in Court Documents: It's OK for providers to sue patients who don't pay their bills; providers don't have to work for free, and they aren't slaves of their patients. However, if you do so, make sure you don't include any more PHI than is necessary for the filing, and consider seeking a qualified protective order for any PHI you really need to disclose. The disclosure is permitted as

[2016-09-28T13:09:37.486-05:00] HHS' HIPAA guidance doesn't reach NIST standards: That's the GAO's conclusion, and they're right. However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal of any entity looking for data security, it's not really required. HIPAA is for every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the

[2016-09-27T11:03:42.268-05:00] Why did Care New England Pay $400,000 for Failing to Update Internal BAAs? The healthcare system management entity is technically a business associate of the related providers, and thus there must be business associate agreements between the provider entities and the management entity. They apparently entered into appropriate agreements in 2005, but failed to update them in 2013 after the

[2016-09-23T17:29:26.598-05:00] Magical Incantations of Blockchain: I must confess: I was a liberal arts major, and I've never written a line of code in my life. So maybe I'm just an idiot (a real possibility), but I just don't see how Blockchain works, and how it's going to be the next great thing in healthcare. My understanding is that the benefit of Blockchain is that there's no intermediary in transactions, and no

[2016-09-22T15:19:37.448-05:00] Want Some Free HIPAA Advice? Are you a North Texas healthcare provider looking for help and ideas on how to conduct a good risk analysis for your organization? How would you like the assistance of a dozen Masters of Healthcare Management graduate students in analyzing your business operations and HIPAA risks, to help determine if your HIPAA policies and procedures are up to snuff? If you're

[2016-09-22T11:09:26.621-05:00] Providers Must Understand [and Practice] Cybersecurity: Ft. Worth's own Theresa Meadows serves on HHS' Health Care Industry Cybersecurity Task Force and has some good points to make. Like understanding your risks.

[2016-09-20T00:44:19.490-05:00] YouTube broadcasts of plastic surgery procedures? Yes, they can do that, as long as they have sufficient patient consent. It's the patient's PHI, and if they agree, it's OK. But if you're the provider, make sure their consent is sufficient.

[2016-09-22T10:29:51.221-05:00] Q from @JShafer817: We do not encrypt SMS messages and they are absolutely not secure enough for PHI in general, whether or not we encrypted them for our part of the journey. In other words, Jeff.. SMS sucks.. and once it leaves the server it isn't encrypted anyways... So.. should SMS be used for... appt confirmations??? A: HIPAA requires reasonable safeguards to protect the

[2016-08-30T14:18:53.098-05:00] SCAN Health Plan (CA) and Appalachian Regional Healthcare (KY and WV) get breached. The former sounds like an insider breach, the latter a ransomware or malware attack.

[2016-08-30T11:31:26.452-05:00] Wanna see a pacemaker get hacked? Not sure how legit this is, and there's still no documented evidence of an actual hacked medical device, but the possibility will keep mystery and thriller writers going for a while. . . .

[2016-08-30T11:27:22.857-05:00] Cybersecurity continues to be a big concern for healthcare providers.

[2016-08-27T10:54:16.062-05:00] Beer Science: Beer IS science. Seriously, I know more about chemistry, and specifically enzymatic reactions, because of homebrewing than I ever learned in school. Then again, I was a liberal arts major. . . .

[2016-08-27T10:36:49.280-05:00] Let's try this again, again: OCR to investigate smaller breaches. This makes sense if they want to look at entities with lots of small breaches, breaches involving the exact same fact scenario, or breaches that cause a lot of damage even though there are only a relative few victims (i.e., fewer than 500 affected individuals). Timing of notifications matters: OCR will find out that a big

[2016-08-26T13:13:54.244-05:00] Jason Pierre-Paul: this is sort of inside-baseball stuff (can you say that about a case involving a football player?), but a court is allowing the suit to go forward. Pierre-Paul is suing ESPN for violating his privacy and Florida medical confidentiality laws. The network certainly did not directly violate HIPAA (because the network is not a "covered entity" under HIPAA), but query whether

[2016-08-11T12:25:10.812-05:00] Reminder: Just because you're a healthcare provider does not mean HIPAA is applicable to you. I was having a conversation just last night regarding this issue: HIPAA only applies to health plans, health care clearinghouses, and health care providers "who transmit any health information in electronic form in connection with a transaction covered by" HIPAA. The 8 HIPAA-covered transactions are:

[2016-08-08T17:57:42.917-05:00] Are Ransomware Attacks Per Se HIPAA Breaches? "Not Necessarily," says this National Law Review article. Of course, I agree. But this is just plain wrong: "If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is

[2016-08-08T10:11:16.238-05:00] Newkirk, BCBS-KS breaches: Newkirk is a business associate of a lot of health plans, printing insurance cards for plan members (not too sure what happened there, since the article is behind the WSJ paywall). Blue Cross Blue Shield of Kansas is one of Newkirk's customers, apparently, and about 800,000 of their customers are impacted. No SSNs or financial information, but insurance information