2017-01-22T23:33:48.036-06:00 What's wrong with this picture? Someone stole a USB "pen drive" from MAPFRE Life Insurance Company of Puerto Rico. The storage device had PHI on it, including names, DOB, and SSN of 2200 people. No risk analysis, no risk management plan, and no encryption plan. OCR levied a fine for these HIPAA violations of $2.2 million (which is supposedly "low" because of the tenuous financial condition of
2017-01-16T15:22:27.570-06:00 New Year, Recurring Tasks: It's a new year, so that should get you thinking about two things: reporting any "small" breaches of unsecured PHI that occurred during 2016 (you have until the end of February to do so, using the HHS on-line reporting tool) and planning your next HIPAA risk assessment. You do that annually, don't you? Of course you do, maybe not at the beginning of the year, but
2017-01-11T18:11:13.512-06:00 OCR Announces First Fine for Failing to Provide Timely Notice: As you know, HIPAA requires Covered Entities to notify affected individuals if there is a breach of their unsecured PHI. Specifically, 45 CFR 165.404(b) requires each affected individual to be notified of the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." Presence Health
2017-01-04T15:12:54.863-06:00 Non-HIPAA Post: My students all know this, but the pre-existing condition exclusion will not work unless there is a mandate.
2016-12-26T16:28:01.596-06:00 Section 1557 of the ACA: Notice of Non-Discrimination. I'm going through old emails, and had kept this one, knowing I should make a blog post on it. This goes on the list of things too many HIPAA covered entities fail to do (like good risk analyses, policies and procedures, etc.). This is actually old news, but part of the ACA requires all HIPAA covered entities to notify patients (
2016-12-22T10:59:42.106-06:00 Community Health Plan of Washington Breach: Not much information here, but what appears to be a Medicaid managed care plan suffered some sort of data breach that potentially exposed information about approximately 400,000 people. UPDATE: Here's a little more information, via Justin Shafer (@JShafer817 on Twitter)*. Although you never know with Justin, I suspect he might have found an
2016-12-12T14:20:46.543-06:00 New Guidance from OCR: Last week the Office for Civil Rights issued some additional guidance on disclosures that are permitted under HIPAA for "public health activities." Covered entities don't need patient authorization to use and disclose PHI for public health activities such as reporting communicable diseases or tracking adverse events relating to FDA-approved drugs and devices. The CDC's
2016-12-05T12:37:20.683-06:00 Glendale (CA) Adventist snooping case: A per diem nurse apparently went snooping in 528 patient files.
2016-12-01T10:45:49.075-06:00 Phishing: You might've heard of this earlier, but someone is using OCR's Phase II audits as a pretext for sending what OCR is calling "a phishing email." I haven't seen an actual email (if someone has one, send it my way), but I'm not sure it's exactly phishing so much as spam. Apparently the email says you may be included in OCR's HIPAA Privacy, Security, and Breach Rules Audit Program, but
2016-11-29T16:28:46.475-06:00 What does the Trump Administration mean for healthcare? Here's one perspective.
2016-11-17T15:45:22.531-06:00 California data breach notification law undergoes changes: I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law, requiring notification where encrypted data is part of the breach. Under existing law, if the data is encrypted, no breach notification is required. Under the new
2016-11-14T14:27:12.831-06:00 Idaho State University: Update: My apologies, this appeared in a newsfeed of mine last week, and while I was surprised I hadn't seen it otherwise, I figured I might have missed it. Turns out it's not current news, and I did, in fact, report on it back in 2013 when it happened. Thanks to Dissent Doe for pointing that out. Today's earlier post: A contractor failed to reactivate a firewall
2016-11-09T13:27:01.675-06:00 Off-Topic: A friend emailed from Florida asking what I thought about the election. Here's my hot take. Surprised but not surprised. Do you read Scott Adams? He writes the Dilbert cartoon. He's been saying all along that Trump would win just because Trump is a master of persuasion. Read his post from yesterday on confirmation bias and you'll see what he's up to. If you have time, it
2016-11-08T15:12:18.912-06:00 Off Topic: This is a post for HMGT-6330. The additional links are: Private Insurance numbers; Paying the Penalty; Insurers leaving; Who is affected; CO-OP info; CO-OP troubles; Overall Obamacare Troubles.
2017-01-17T17:08:46.799-06:00 Hmm, I'd expect a better level of understanding from the National Coordinator for Health Information Technology. Or maybe it's just the reporting that's bad, and something is lost in the translation. At the Brainstorm Health conference yesterday, Dr. Vindell Washington, head of ONCHIT, said that patient data belongs to the patient (true), and that the providers who hold the data do not own it
2016-10-21T22:37:33.474-05:00 (OT) Candy Corn Beer. I blame Steve Badger.
2016-10-19T13:50:45.456-05:00 Interesting (Yet Entirely Wrong) Article: A doctor writing for Slate shows that he doesn't know how HIPAA works (see the first comment, all the way at the bottom of the comments). But hey, at least he spelled it right...
2016-10-18T13:53:52.432-05:00 Speaking of Risk Assessments, OCR and ONC have revised their HIPAA Risk Assessment Tool.
2016-10-18T13:49:30.376-05:00 Yelp: Doctors' hands are tied when patients complain.
2016-10-19T14:28:20.236-05:00 Another Day, Another Big HIPAA Settlement: $2,140,500 paid by St. Joseph Hospital of Irvine, California. The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet. They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review
2016-10-18T06:25:35.873-05:00 Robocalls for Flu Shots: Interesting article on the intersection of two federal privacy-related laws: HIPAA and the TCPA. The Telephone Consumer Protection Act protects consumers against unwanted commercial phone calls, but there are exceptions for healthcare and treatment. A Safeway customer got a flu shot at a Safeway pharmacy and gave Safeway her cell phone number. The next year, Safeway
2016-10-13T17:04:16.384-05:00 4 Steps to Safeguard PHI: Good advice, if somewhat obvious.
2016-10-10T13:45:33.758-05:00 The Lesson of Care New England: Even if the breach isn't caused by it, the fact that you failed to manage your BAAs can cost you almost half a million dollars (OK, $400,000; I was telling some folks at a conference today it was $500,000, but I misremembered the amount, obviously). That's the lesson: once OCR comes to investigate, whether as the result of a breach, a complaint, or an audit,
2016-09-29T14:27:57.572-05:00 Filing PHI in Court Documents: It's OK for providers to sue patients who don't pay their bills; providers don't have to work for free, and they aren't slaves of their patients. However, if you do so, make sure you don't include any more PHI than is necessary for the filing, and consider seeking a qualified protective order for any PHI you really need to disclose. The disclosure is permitted as
2016-09-28T13:09:37.486-05:00 HHS' HIPAA guidance doesn't reach NIST standards: That's the GAO's conclusion, and they're right. However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal for any entity looking for data security, it's not really required. HIPAA is for every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the