October 30, 2009
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an interim final rule today to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to currently effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
In this interim final rule, published today in the Federal Register, HHS amends HIPAA’s enforcement regulations that relate to the imposition of civil money penalties to incorporate the HITECH Act’s categories of violations, tiered ranges of civil money penalty amounts, and revised limitations on the Secretary’s authority to impose civil money penalties for established violations of HIPAA’s Administrative Simplification Rules. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions. This interim final rule is effective 30 days after today.
HHS has invited public comments on the interim final rule, which will be considered if received no later than 60 days after today. This interim final rule will be available for public comment at http://www.regulations.gov/.
Saturday, May 30, 2009
Friday, May 22, 2009
HIV patients sue after records lost
Boston Globe
Elizabeth Cooney May 21, 2009
Hospital worker left files on MBTA
Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, contending their privacy was breached.
In March, the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work Monday morning, March 9, according to a hospital security report.
http://www.boston.com/news/local/massachusetts/articles/2009/05/21/hiv_patients_sue_after_records_lost/
Thursday, May 21, 2009
Regulated To The Hilt - The Impact of Government Regulations On The Data Center
From Processor Magazine - Miaoulis contributed to this Article
According to William M. Miaoulis, subject matter specialist for Phoenix Health Systems, if you consider the major government regulations, including HIPAA and Sarbox, the impact will be seen for years to come. Miaoulis notes, "Initial impacts include an increased need for processing power; as EMR (electronic medical records) implementations become widespread due to government initiatives, they become more complex, as well as more prevalent in the marketplace. Longer term, organizations will have to take a harder look at redundant facilities and data to ensure that the information to treat patients is available when necessary." He says the hybrid days when data redundancy was split between a paper chart and an EMR are rapidly approaching extinction.
www.processor.com/editorial/article.asp?article=articles/P3114/31p14/31p14/31p14.asp&guid=C2AA7E7804334867A14BD97093E3AB8C
Monday, May 18, 2009
Fawcett's Cancer Battle Highlights Need for Privacy
John Commins, for HealthLeaders Media, May 11, 2009
Fawcett, 62, the one-time Charlie's Angels star and pin-up poster goddess of 1970s America, told the newspaper that her efforts to fight anal cancer were made more difficult when her personal medical records were illegally accessed by at least one employee at UCLA Medical Center. That employee then sold the information for $4,600 to the National Enquirer.
http://www.healthleadersmedia.com/content/232799/topic/WS_HLM2_HR/Fawcetts-Cancer-Battle-Highlights-Need-for-Privacy.html
Because of the continuing unwanted publicity about her health, Fawcett had to take her attention away from fighting a deadly disease and devise—on her own—a sting operation to catch the snooping employee. In May 2007, when she learned that her cancer had returned, she told no one. Still, the news came out in the Enquirer within "maybe four days." When Fawcett asked UCLA Medical Center for the name of the snooping employee, she says a hospital official refused to provide it, saying they had a responsibility to "protect our employees." "And I said, 'More than your patients?' . . ." Fawcett told The Times.
LA Times Article: http://www.latimes.com/entertainment/news/la-et-fawcett-interview11-2009may11,0,5790379.story?page=2
Kaiser Hospital Fined $250,000 for Privacy Breach in Octuplet Case
By Charles Ornstein May 15, 2009
The Bellflower facility, where 23 unauthorized workers accessed Nadya Suleman's records, is the first to be monetarily penalized under a new state law.
California health regulators fined Kaiser Permanente's Bellflower Hospital $250,000 Thursday for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who set off a media frenzy after giving birth to octuplets in January.
http://www.latimes.com/news/local/la-me-privacy15-2009may15,0,2916906.story
State of California-Health and Human Services Agency
California Department of Public Health
ADMINISTRATIVE PENALTY NOTICE http://s3.amazonaws.com/propublica/assets/docs/kaiser_bellflower_090514.pdf
Wednesday, May 13, 2009
Johns Hopkins Hospital at center of identity theft probe
Indictment of former employee expected as part of driver's license scheme
By Liz F. Kay liz.kay@baltsun.com
2:55 PM EDT, May 12, 2009
Federal authorities are investigating the theft of patient information, possibly by a former Johns Hopkins Hospital employee, as part of a scheme to make fraudulent Virginia driver's licenses. The employee, who worked in the patient registration area, would have had access to information such as names, addresses, parents' names and Social Security numbers as part of her job duties, according to a letter the hospital sent to the identity theft unit of the state attorney general's office last month.
http://www.baltimoresun.com/news/local/baltimore_city/bal-id-theft0512,0,3470284.story
Miaoulis NOTE: Healthcare organizations need to comply with the FTC "Red Flag Rule". Information about the "Red Flag" rules can be found at http://www.ftc.gov/redflagsrule. You can also contact Phoenix Health Systems for additional information.
Fallon Business Associate Breach - Video
(NECN) - Questions surround a security breach at Worcester-based "Fallon Community Health Plan." Some are wondering why it took several weeks before the company went public with the theft of a computer that contained personal information on roughly 30,000 customers.
NECN's Jennifer Eagan reports.
The link takes you to a video report.
http://www.necn.com/Boston/Health/Security-breach-at-health-care-provider/1201301883.html
Miaoulis - NOTE: This is a reminder that Healthcare organizations should work closely with organizations with whom they share data (business associates).
Tuesday, May 12, 2009
Hackers Compromise 160,000 Student Healthcare Records
PCWORLD.COM
The University of California at Berkeley Friday disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.
The attackers may have taken information related to health-insurance coverage and certain medical information as well as the University Health Services (UHS) medical-record number, dates of visits or names of healthcare providers seen, as well as information such as Social Security Number, according to the statement released by UC Berkeley.
About 160,000 individuals are believed to be impacted, including about 3,400 Mills College students whose medical care is tied to health care at Berkeley. Social Security Numbers are used as unique identifiers for students enrolled in the campus Student Health Insurance Plans, the university says.
http://www.pcworld.com/businesscenter/article/164640/hackers_break_into_university_health_records.html
Monday, May 11, 2009
JOURNAL OF AHIMA - MAY 2009
Sequestering EHR Data in IT Systems
William M. Miaoulis, Subject Matter Specialist with Phoenix Health Systems, wrote an article on "Sequestering EHR Data in IT Systems" for the Journal of AHIMA, May 2009.
http://journal.ahima.org/2009/05/01/journal-of-ahima-may-2009/
You must be a member of AHIMA to read this article; however, the Journal also contains information on topics which are available to non-members.
This month's Practice Guide, "Sanction Guidelines for Privacy and Security Breaches", is available to the public.
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_043483.hcsp?&dDocName=bok1_043483
Friday, May 8, 2009
HHS Guidance To Render PHI Unusable
On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS). For more information, see http://www.hhs.gov/ocr/privacy/
Individuals and organizations may submit comments on or before May 21, 2009.
http://www.regulations.gov/fdmspublic/component/main?main=DocumentDetail&o=090000648096d1fb
The guidance document can be found at:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
AHIMA ARRA Analysis
In March 2009, AHIMA published an analysis of the ARRA provisions that specifically address the privacy of healthcare data. You can find this analysis at
http://www.ahima.org/dc/documents/AnalysisofARRAPrivacy-fin-3-2009a.pdf
All of the aspects of ARRA are discussed in AHIMA’s analysis which can be found at
http://www.ahima.org/dc
Thursday, May 7, 2009
Healthcare Hackers Want $10 Million in Ransom
Hackers Break Into Virginia Health Professions Database, Demand Ransom
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html?wprss=securityfix
California Hospital Shootings
Workplace violence is on the rise and this includes Healthcare. The recent shooting at a California Hospital is just one illustration of how this has escalated.
3 Dead in California Hospital Shooting
A hospital worker shot and killed two employees and then killed himself at a medical center Thursday, sending panicked people fleeing, police and witnesses said. http://www.foxnews.com/story/0,2933,516888,00.html
Shootings have been occurring within healthcare organizations, and assets including computers have walked out the door. Bomb threats and domestic disputes are also issues that all healthcare organizations need to address. How prepared is your organization to prevent and/or manage a crisis event?
Why you should be concerned as an organization
Understanding the Threats to your organization
Understanding the JCAHO Requirements
Steps you can take now to mitigate risks to your patients, visitors and employees.
For More Information, contact Bill at wmiaoulis@hipaasecurityandprivacy.com
FTC Will Grant 3 Month "Red Flags" Rule Enforcement Delay
The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. There is still time for your organization to become compliant with these requirements.
http://www.ftc.gov/opa/2009/04/redflagsrule.shtm
Have you developed an Identity Theft Prevention Program?
Is your healthcare organization prepared to prevent, detect, and report Identity Theft Incidents?
Does your staff know how to handle incidents of Medical Identity Theft?
These are issues that all healthcare organizations need to address. How prepared is your organization?