Monday, March 8, 2010

Certification Rule Changed

The Office of the National Coordinator for Health Information Technology has withdrawn the proposed rule establishing a certification program for electronic health records software and replaced it with a corrected version.


The public inspection site where the corrected version can be accessed is at www.federalregister.gov/Default.aspx

Proposed HITECH rule for business associates will come soon, says OCR lawyer

An OCR lawyer tells HIPAA Update the HIPAA privacy and security enforcer will release a proposed rule regarding business associate (BA) provisions in HITECH “shortly.”

Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to Update that OCR’s rulemaking will elaborate on the expected date of compliance surrounding the rule.

Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.

http://blogs.hcpro.com/hipaa/2010/03/proposed-hitech-rule-for-business-associates-will-come-soon-says-ocr-lawyer/
 
MIAOULIS NOTE: This article comes to us from our friends at HIPAA Update, a great resource for HIPAA/HITECH information.

Saturday, March 6, 2010

Shands notifies 12,500 patients that data at risk

Shands HealthCare has notified about 12,500 patients that a laptop containing their medical information was stolen in January. The unencrypted laptop contained information about patients referred over the past three years to the Shands at the University of Florida gastroenterology clinical services department.

The information includes names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people.

http://www.gainesville.com/article/20100302/ARTICLES/3021003/1002

UT Southwestern warns patients that hospital worker stole records

The University of Texas Southwestern Medical Center is advising 12,000 patients to guard against fraud after a former employee was found in possession of a limited amount of patient billing data.

Authorities discovered in September that a cashier in the hospital's finance department, Tracy Renay Thomas of Dallas, had billing and insurance information from 21 patients. The hospital alerted those patients by phone.

http://www.dentonrc.com/sharedcontent/dws/dn/latestnews/stories/030610dnmetutsw.17af75fc2.html

Saturday, February 27, 2010

Hawaii- Tsunami (UPDATED)

UPDATE: Official: Hawaii 'Dodged a Bullet' After Tsunami, Strong Chile Quake

http://www.foxnews.com/story/0,2933,587588,00.html

Hawaii under tsunami warning; Calif. coast, Alaskan islands under advisory

http://www.latimes.com/news/nationworld/nation/wire/sns-ap-us-quake-tsunami-alerts,0,2985213.story

MIAOULIS NOTE: Fortunately, the tsunami did not cause extensive damage in Hawaii. Still, natural disasters (hurricanes, tornados, earthquakes, etc.) are scary situations. Healthcare facilities in Hawaii have unique challenges in preparing for a disaster and in treating patients during a region-wide disaster. However, all organizations need a plan for responding to anything from a localized disaster (loss of a computer room) to a more regional disaster. Healthcare has unique challenges not found in other industries because the information is needed at the point of care. A bank, insurance company, etc. can move operations to another location. Many businesses can shut down for a period of time. Healthcare cannot, and that is what makes its challenges unique.

When conducting a Business Impact Analysis (Application Criticality Analysis), healthcare organizations should include a focus on a PATIENT Impact Analysis. If you have or are planning on using an external firm to assist you, I believe it is important that they have a strong healthcare background. All too often, firms want to know how many nurses you will need to move to a hot site location, or they focus on the financial impact to the organization. If you have questions or would like to discuss further, please contact me.

Tuesday, February 23, 2010

Enforcement for BAs Delayed

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.

http://www.huntonprivacyblog.com/2010/02/articles/hipaa-1/hhs-delays-enforcement-of-hitech-act-business-associate-provisions/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PrivacyInformationSecurityLawBlog+(Privacy+%26+Information+Security+Law+Blog)

MIAOULIS NOTE: These delays are good for folks that have started the process; however, for the organizations that are not taking HIPAA/HITECH or security seriously, it gives them another reason to rationalize non-compliance or not taking security seriously.

Monday, February 22, 2010

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. They can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

The types of items that caused a breach included laptops, paper, email, network servers, desktop computers, portable USB devices, postcards, backup tapes, and CDs. The number of organizations reporting is not surprising. This writer wonders how many other organizations had breaches that went undetected.

Thursday, February 18, 2010

HITECH One Year Anniversary - Where should you be?

MIAOULIS WRITES: Organizations are in a difficult situation. Let's look at some of the new requirements. This article and this blog are intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances.

BUSINESS ASSOCIATES: Need to take steps to become HIPAA and HITECH compliant.

PATIENT RIGHT TO EHR IN ELECTRONIC FORMAT: I believe organizations should create a plan for this now: watermark the information, secure the information, and charge a reasonable fee for providing it. If a consumer asks for it, provide it in some form.

PATIENT RIGHT TO REQUEST RESTRICTION: Individuals have the right to restrict disclosure to health plans specifically when they have paid in full.

NOTICE OF PRIVACY PRACTICES: If patients have new rights, one question left unanswered is whether organizations should change their notice of privacy practices (NPP). Based on what I know, the answer appears to be YES.

MINIMUM NECESSARY: Guidance is expected in 6 months (August 18, 2010); however, organizations should already be taking steps to ensure only the minimum necessary information is used. All access to information should be reviewed to determine whether, to the extent practical, information can be limited to a "limited data set" or to the minimum necessary to accomplish the task. Limiting diagnosis fields and identity-theft-sensitive fields (SSN, birthday) should also be considered for both internal and external information access.

FUNDRAISING: Opt-out language is required to be clear and conspicuous. Although this is not defined, it is important to make this text at least as large as the other text. It is also VERY important that organizations implement controls to ensure that individuals who have opted out are NOT sent additional requests.

MARKETING: HITECH prohibits organizations from defining marketing communications as healthcare operations when the organization received direct or indirect payment in exchange for making the communication. Basically, organizations should only do marketing in limited circumstances, such as when sending information about drugs that have been PREVIOUSLY prescribed. This may include information such as refill reminders or educational materials about a drug.

ENFORCEMENT/AUDITS: Although audits may still be a ways off, be prepared for an audit and conduct self-audits. Do you have a written policy? Have you implemented appropriate controls? Can you prove your controls are functioning? See http://www.hipaasecurityandprivacy.com/2010/02/enforcement-of-hipaa.html

BREACH NOTIFICATION (SEPTEMBER 23, 2009): Organizations need a policy, a process/procedure for evaluating breaches, and a reporting mechanism. Creating scenarios and decision trees prior to a breach is a solid practice. Remember, not all breaches require notification, but a solid analysis is required.

IT IS BETTER TO PREVENT A BREACH THAN TO REPORT A BREACH.

IT IS BETTER TO DOCUMENT YOUR HIPAA COMPLIANCE THAN TO BE SUBJECTED TO A FINDING OF WILLFUL NEGLECT.

Wednesday, February 17, 2010

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

http://www.hhdataprotection.com/2010/02/articles/health-privacyhipaa/hitech-compliance-date-is-here-but-without-associated-regulatory-guidance/

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

Monday, February 15, 2010

French Judge Issues Arrest Warrant for U.S. Cyclist Floyd Landis

A French judge has issued an international arrest warrant for disgraced U.S. cyclist Floyd Landis for allegedly hacking into a lab computer at a facility run by the country's anti-doping agency, the agency's head told Reuters...

"French judge (Thomas) Cassuto from the Tribunal de Grande Instance of Nanterre informed us that he had issued an international arrest warrant on Jan. 28 against Floyd Landis, who tested positive for banned testosterone during the 2006 Tour de France, after our laboratory computer system was hacked," Bordry said in an interview with Reuters.

French officials filed a criminal complaint in 2006 over the hacking, which they said was designed to discredit the drug tests they had conducted on Landis. No charges were filed against the 34-year-old at the time.

http://www.foxnews.com/sports/2010/02/15/french-judge-issues-arrest-warrant-cyclist-floyd-landis/

MIAOULIS NOTE: Although this is not a HIPAA/HITECH breach, it does show a risk that organizations in the USA could learn from.