2017-04-21T13:32:46.870-05:00 - It's Hard to Violate HIPAA When You're Not Covered By It: A New York trial court has ruled that the New York Organ Donor Network can't refuse to hand over records to a whistleblower because of HIPAA. A disgruntled ex-employee, who claims he was fired for whistleblowing, is seeking records from the Donor Network, which sought to avoid discovery of the records due to HIPAA. The trial judge
2017-04-21T13:25:21.160-05:00 - A Small Fine: OCR announced one of its smallest HIPAA fines yesterday. Center for Children's Digestive Health, in suburban Chicago, agreed to pay a $31,000 fine for failing to have a BAA in place with its document management and destruction company, FileFax. The press release indicated that the investigation started with an "investigation of a business associate," which is presumably FileFax
2017-04-13T14:42:50.152-05:00 - Metro Community (Colorado): A federally-qualified health center falls victim to a phishing attack. The attack is not their fault, and they respond appropriately. All good, right? Wrong. Even though they did nothing wrong here, they had never done an initial risk analysis. They did a risk analysis after the phishing attack; apparently, even if they had done it before the attack, they still
2017-04-10T16:33:40.604-05:00 - Doctors and Bad Yelp Reviews: Well, Yelp isn't the only one. There are quite a few social media sites that allow customers to post reviews of businesses. What happens when a reviewer posts a bad review? What can the business do? In some cases, the business can sue the reviewer, particularly if the business can prove that the review is false. In fact, that just happened with respect to a
2017-04-07T12:52:52.354-05:00 - Has Health IT's Rapid Growth Rendered HIPAA Obsolete? Of course not. HIPAA is, at its root, conceptual; no new healthcare delivery systems, and certainly no change in technology, can supplant the basic concepts of HIPAA: health data is only worthwhile if it is used, but it is also private and deserves privacy and security; health data should not be used or disclosed except for proper purposes
2017-04-07T11:24:16.243-05:00 - A question from the audience: Q: At our group therapy counseling sessions, we have the clients sign in on a sign-in sheet that is passed around once group therapy starts. No one but the clients in group, the therapist, and the billing department sees the sign-in sheet. We are required by the state agency we serve to have a sign-in sheet, and since we bill insurance, we need to be able to
2017-03-20T15:04:09.402-05:00 - Well, this is embarrassing: Cybersecurity contractor hit by W-2 phishing scam.
2017-03-01T13:44:30.398-06:00 - Interesting Question: HIPAA lawyer Adam Greene was interviewed at HIMSS, and noted that HHS is close to publishing the regulations implementing the HITECH revisions that allow affected individuals to get a share of the fines levied by OCR. As you should know, there's no private cause of action for a HIPAA violation, so unless a victim of a data breach can prove damages in a regular tort claim
2017-02-22T12:20:21.658-06:00 - Healthcare Data Breaches up 40%, Affect 25% of Consumers: According to the Identity Theft Resource Center, healthcare represents one third of all data breaches, and the number of reported breaches has risen from 780 in 2015 to 1,093 last year. Hacking, physical theft of data, and employee error have been the leading causes, but expect phishing to be the next big winner. Meanwhile, an Accenture
2017-02-17T12:46:25.702-06:00 - Another Day, Another Monster Fine: This time it's Memorial Healthcare System (Florida), with a $5.5 million fine for not following access controls and allowing terminated employees to continue accessing medical records after being terminated. They had policies and procedures to terminate access, but dropped the ball with that employee, who kept accessing records for a year (I suspect the former
2017-02-14T14:47:31.587-06:00 - On the News: Some dude talking about HIPAA and misdirected faxes.
2017-02-09T16:33:16.431-06:00 - Interesting case, wrong conclusion: University of Pittsburgh Medical Center suffered a data breach in which 62,000 employees' SSNs and tax data were exposed, but a Pennsylvania court has determined that, as an employer, it has no duty to its employees to protect that data. The article compares it to the Children's Medical Center of Dallas breach, but that's a different kettle of fish: the Children's
2017-02-01T16:34:02.067-06:00 - Children's Medical Center of Dallas fined $3.2 Million: Well, this is the first I've heard of this, which is awfully close to home. Apparently, a lost unencrypted BlackBerry in 2009 and a stolen unencrypted laptop in 2013 exposed a failure to implement and follow risk management plans, including the failure to secure and encrypt mobile devices. Big entities with somewhat obvious problems will
2017-01-27T14:37:23.254-06:00 - Medical Identity Theft: An Illinois paramedic apparently altered patient records to falsely show that fentanyl and morphine were dispensed to patients during an ambulance run, so that he could steal the drugs for himself. As Kirk Nahra points out in the article, insiders are still one of the biggest threats to an organization.
2017-01-22T23:33:48.036-06:00 - What's wrong with this picture? Someone stole a USB "pen drive" from MAPFRE Life Insurance Company of Puerto Rico. The storage device had PHI on it, including names, dates of birth, and SSNs of 2,200 people. No risk analysis, no risk management plan, and no encryption plan. OCR levied a fine for these HIPAA violations of $2.2 million (which is supposedly "low" because of the tenuous financial condition of
2017-01-16T15:22:27.570-06:00 - New Year, Recurring Tasks: It's a new year, so that should get you thinking about two things: reporting any "small" breaches of unsecured PHI that occurred during 2016 (you have until the end of February to do so, using the HHS online reporting tool) and planning your next HIPAA risk assessment. You do that annually, don't you? Of course you do, maybe not at the beginning of the year, but
2017-01-11T18:11:13.512-06:00 - OCR Announces First Fine for Failing to Provide Timely Notice: As you know, HIPAA requires Covered Entities to notify affected individuals if there is a breach of their unsecured PHI. Specifically, 45 CFR 164.404(b) requires each affected individual to be notified of the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." Presence Health
2017-01-04T15:12:54.863-06:00 - Non-HIPAA Post: My students all know this, but the pre-existing condition exclusion will not work unless there is a mandate.
2016-12-26T16:28:01.596-06:00 - Section 1557 of the ACA: Notice of Non-Discrimination. I'm going through old emails, and had kept this one, knowing I should make a blog post on it. This goes on the list of things too many HIPAA covered entities fail to do (like good risk analyses, policies and procedures, etc.). This is actually old news, but part of the ACA requires all HIPAA covered entities to notify patients (
2016-12-22T10:59:42.106-06:00 - Community Health Plan of Washington Breach: Not much information here, but what appears to be a Medicaid managed care plan suffered some sort of data breach that potentially exposed information about approximately 400,000 people. UPDATE: Here's a little more information, via Justin Shafer (@JShafer817 on Twitter)*. Although you never know with Justin, I suspect he might have found an
2016-12-12T14:20:46.543-06:00 - New Guidance from OCR: Last week the Office for Civil Rights issued some additional guidance on disclosures that are permitted under HIPAA for "public health activities." Covered entities don't need patient authorization to use and disclose PHI for public health activities such as reporting communicable diseases or tracking adverse events relating to FDA-approved drugs and devices. The CDC's
2016-12-05T12:37:20.683-06:00 - Glendale (CA) Adventist snooping case: A per diem nurse apparently went snooping in 528 patient files.
2016-12-01T10:45:49.075-06:00 - Phishing: You might've heard of this earlier, but someone is using OCR's Phase II audits as a pretext for sending what OCR is calling "a phishing email." I haven't seen an actual email (if someone has one, send it my way), but I'm not sure it's exactly phishing so much as spam. Apparently the email says you may be included in OCR's HIPAA Privacy, Security, and Breach Rules Audit Program, but
2016-11-29T16:28:46.475-06:00 - What does the Trump Administration mean for healthcare? Here's one perspective.
2016-11-17T15:45:22.531-06:00 - California data breach notification law undergoes changes: I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law, requiring notification where encrypted data is part of the breach. Under existing law, if the data is encrypted, no breach notification is required. Under the new