This site is dedicated to Healthcare Security and Privacy with a focus on HIPAA and Federal Legislation (HITECH)
Friday, January 29, 2010
MIAOULIS WRITES:
With the one year anniversary of HITECH fast approaching (February 17), certain requirements will take effect. One right given to consumers is the right to receive their Electronic Health Record in electronic form. I believe this creates some concerns for healthcare organizations. What form will the electronic access take? It will also be very interesting if the patient information is breached AFTER the electronic release. As with paper records, I believe that electronically released records should be marked to indicate that they were released to the patient (background watermark, etc.). Providing the information in a secure fashion is also probably a good idea (password, encryption, etc.). What is absolutely certain is that organizations must provide the information and should evaluate their process.
Wednesday, January 27, 2010
Hard Drives Pilfered from BlueCross BlueShield (Chattanooga)
Insurer BlueCross BlueShield officials this week are telling hundreds of thousands of members that somehow a thief managed to steal a total of 57 computer hard drives from a closet at a Chattanooga, Tenn. call center.
In a statement, BlueCross BlueShield spokeswoman Mary Thompson said that while the data was encoded, it was not encrypted. She said the drives contained more than 1.3 million audio files of recorded conversations between customer service representatives and customers.
The drives also included 300,000 video files from images on customer service reps' computer screens, including Social Security numbers, birth dates, addresses and medical information.
While the bulk of the estimated 220,000 to 500,000 members affected by the data breach are Tennessee residents, BlueCross BlueShield said there are at least 500 members from another 32 states who had their data exposed in the heist.
http://www.esecurityplanet.com/features/article.php/3860531/Hard-Drives-Pilfered-from-BlueCross-BlueShield.htm
Drive, Patient Data Go Missing in California Theft
January 15, 2010
More than 15,000 Kaiser Permanente patients in Northern California this week are being notified that their personal information, including birth dates, addresses, phone numbers and medical-record numbers, was exposed last month after an unencrypted external storage drive was stolen from an employee's car.
http://www.esecurityplanet.com/features/article.phpr/3858931/article.htm
MIAOULIS NOTE: These were breaches of physical security. A reminder to us all that it is not just electronic breaches that are covered. Your risk analysis should certainly include a review of physical controls. As always, when reading these stories, ask yourself "could it happen here, what controls do we have in place to prevent this?"
Friday, January 15, 2010
HIT security panel troubled by risk assessment void
A Health & Human Services Department advisory panel on privacy and security expressed concerns Monday over the inability of many healthcare providers to perform basic risk assessments of their health information assets, a tenet of the proposed “meaningful use” guidelines just released by the Centers for Medicare and Medicaid Services.
Dixie Baker, a member of the privacy and security workgroup of the Health IT Policy Committee, said she was surprised by a 2009 survey discussed at a recent HHS Health IT Standards Committee meeting that showed that 48 percent of the responding providers, mostly hospitals, performed no risk assessment...
However, panelists said, there is little in the meaningful use policy that defines the scope of the required assessment. Instead, the requirement is based loosely on privacy and security rules contained in the Health Insurance Portability and Accountability Act (HIPAA).
http://www.govhealthit.com/newsitem.aspx?nid=72926
MIAOULIS NOTE: All healthcare organizations should evaluate or begin their risk assessment program if they intend to meet meaningful use. (1) Identify your data and where it is located, (2) review the controls, threats, etc. that apply to that data, (3) implement controls to address high risk areas, (4) start over at #1. If you have questions or need help, please contact me.
Kaiser AGAIN
AP Thousands of Bay Area Kaiser members are finding out their personal information has been compromised.
Officials for Kaiser say someone stole a storage device with details of about 15,500 Northern California patients -- about 9,000 of them from the Bay Area.
The device includes patients' names, medical numbers, and medical treatment information but does not, Kaiser says, include social security numbers or financial information. Some of the information was password protected but it was not encrypted, the Chronicle reported.
http://www.nbcbayarea.com/news/local-beat/Kaiser-Patients-Medical-Secrets-Stolen-81326377.html
MIAOULIS NOTE: Encrypt, encrypt, encrypt. Passwords are NOT enough.
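The distinction in the note above, shown as an added example (not code from this blog, from Kaiser, or from any product named in the story): two constructed ways of storing a patient record on a portable drive. The first is "password protected" in the sense many consumer tools mean it, a password check in front of data that still sits on the device in the clear; the second derives a key from the passphrase with PBKDF2 and actually encrypts and authenticates the bytes (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC, standard library only). The sample record, function names and the simple container format are assumptions for illustration; a real deployment would use full-disk encryption or a vetted library cipher such as AES-GCM.

```python
"""Added example: 'password protected' versus 'encrypted' on a lost drive."""
import hashlib
import hmac
import os
import struct

# Constructed sample record; no real patient data.
RECORD = b"Name: Jane Doe; MRN: 000123; Dx: hypertension"

PBKDF2_ITERATIONS = 100_000  # assumption; tune for the hardware in use


def password_gated_store(password: str, record: bytes) -> bytes:
    """'Password protection' only: store a hash of the password followed by
    the record itself in plaintext. Anyone with the raw drive image can read
    the record without ever supplying the password."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return pw_hash + record


def password_gated_open(blob: bytes, password: str) -> bytes:
    if blob[:32] != hashlib.sha256(password.encode()).digest():
        raise PermissionError("wrong password")
    return blob[32:]


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # One PBKDF2 call yields 64 bytes: 32 for encryption, 32 for the MAC.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce||i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypted_store(passphrase: str, record: bytes) -> bytes:
    """Real encryption: salt || nonce || ciphertext || HMAC tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ks = _keystream(enc_key, nonce, len(record))
    ciphertext = bytes(a ^ b for a, b in zip(record, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def encrypted_open(blob: bytes, passphrase: str) -> bytes:
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Verify the tag before decrypting; a wrong passphrase fails here.
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong passphrase or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def plaintext_exposed(blob: bytes, marker: bytes = b"MRN:") -> bool:
    """The question a breach reviewer asks of a recovered device image:
    is identifiable content readable without any credential?"""
    return marker in blob


if __name__ == "__main__":
    gated = password_gated_store("hunter2", RECORD)
    sealed = encrypted_store("correct horse battery staple", RECORD)
    print("password-gated image leaks record:", plaintext_exposed(gated))   # True
    print("encrypted image leaks record:     ", plaintext_exposed(sealed))  # False
```

The HITECH breach safe harbor turns on whether the data was rendered unusable to an unauthorized person; the first container fails that test no matter how strong the password is, because the password only gates the viewing software, not the bytes on the drive.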
Media, FBI, HITECH, Ambulance Chasing, State Legislature
The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information, the kind that can be used for identity theft, was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon... The FBI has launched an investigation into violations of the federal Health Insurance Portability and Accountability Act, better known as HIPAA, which includes penalties of up to $250,000 in fines and 10 years in jail.
The Sun reported the leak, the latest scandal to hit the beleaguered hospital, after the newspaper obtained 21 UMC patient face sheets (cover sheets that include overviews of each case) from a source who was concerned about the leak. The sheets were from Oct. 31 and Nov. 1 and were for people involved in traffic accidents.
The Sun's source said he was several degrees removed from the leak and did not know how the records were being released from the hospital, but that they were allegedly being sold for months, or even years, to ambulance-chasing attorneys so they could mine for clients.
http://www.legalaccess.org/article/Patients%20at%20risk%20of%20identity%20theft%20may%20wait%2060%20days%20to%20find%20out/?k=j83s12y12h94s27k02
MIAOULIS NOTE: Just another in a long line of breaches. This one may have involved paper records and an authorized user. The bottom line is that this type of reporting may continue to grow. As always: Could this happen at your facility? What are you doing to prevent, identify and report this type of incident?
CNN: Give us our data
While there are no statistics on how many patients have trouble accessing their own records, there have been "repeated" complaints to the Department of Health and Human Services, according to a senior health information privacy specialist at the department's Office for Civil Rights, which enforces the federal law that gives patients access to their records.
"It's crazy ridiculous when you can't walk out of a doctor's office or hospital with a copy of your medical records if you ask for them," says Deven McGraw, director of the health privacy project at the Center for Democracy and Technology.
"Lack of information kills people," she says. "Having your medical records can save your life."
http://www.cnn.com/2010/HEALTH/01/14/medical.records/
Connecticut AG sues Health Net over security breach
HARTFORD, CT – Connecticut Attorney General Richard Blumenthal has filed a lawsuit against Health Net of Connecticut, alleging the company failed to secure patient medical records and financial information prior to a security breach.
Blumenthal filed the suit on Wednesday, calling it "historic." The lawsuit also asserts that Health Net failed to promptly notify consumers endangered by the security breach, which involved 446,000 Connecticut enrollees...
The case marks the first action by a state attorney general involving HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH), contained in the American Recovery and Reinvestment Act of 2009, authorized state attorneys general to enforce HIPAA.
"Sadly, this lawsuit is historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers."
Health Net executives were not immediately available for comment.
The lawsuit also names UnitedHealth Group Inc. and Oxford Health Plans, LLC. While those companies did not cause the data breach, they have since acquired ownership of Health Net of Connecticut.
http://www.healthcareitnews.com/news/connecticut-ag-sues-health-net-over-security-breach
According to the lawsuit, on or about May 14, 2009, Health Net officials learned that a portable computer disk drive disappeared from the company's Shelton office. The disk drive contained protected health information, Social Security numbers and bank account numbers for approximately 446,000 past and present Connecticut enrollees.
MIAOULIS NOTE: Lawsuits such as this increase the impact of breaches on all healthcare organizations. Identify your data and protect it (encrypt) whenever possible. Make sure you have a tested incident response process which includes HITECH and your State's breach notification requirements. The time to act is NOW... The timeline is very interesting in that the breach occurred prior to the HITECH compliance date; however, state law was in effect. For a copy of the lawsuit: http://www.courthousenews.com/2010/01/15/HealthNet.pdf
Tuesday, January 5, 2010
The New Katrina (NYTIMES)-LIABILITY
MIAOULIS NOTE: This brings up an interesting concept of liability with regard to contingency planning and emergency preparedness. The organization was aware of a risk and did not implement new controls.
http://www.nytimes.com/2010/01/03/weekinreview/03fink.html
Three years before Hurricane Katrina inundated New Orleans, a senior executive at Pendleton Memorial Methodist Hospital assessed its vulnerability to the sort of flooding that had been long feared there...
The LaCoste trial is set to begin on Monday. “This could be a new theory of liability against health care institutions — lack of emergency preparedness,” said Kristin McMahon, an attorney and chief claims officer for IronHealth, a company that insures hospitals. “The courts across the country will be looking at it.”
The case has already been precedent-setting in Louisiana. The state’s Supreme Court decided the allegations were based on general negligence claims, as opposed to medical malpractice in which damages would be capped at $500,000. This markedly increased hospital owners’ potential liability.
Mrs. LaCoste’s family alleges that the hospital was negligent for having inadequate emergency power systems, evacuation plans and floodwater protection. They say a fuel pump that failed after it was flooded caused the higher generator to shut down — an event they say could have been avoided if the hospital had invested less than $10,000 in a submersible pump.
The hospital’s owners argue in court filings that Hurricane Katrina was an “act of God” that could not be foreseen, that the hospital was not negligent, and that it would be unreasonable to expect a hospital to be impervious to all of the unlikely catastrophes its emergency plans contemplate, including tornadoes and a “terrorist event.”
Monday, January 4, 2010
It's 2010, Are you HIPAA Compliant? (MIAOULIS WRITES)
With all the new enforcement, penalties, and regulations, the one question everyone wants answered is "Are we HIPAA Compliant?". This can be a tricky question because no one can be 100% sure of what compliant means. In evaluating organizations I use the following criteria in determining compliance:
- Does the organization have a written policy?
- Has the organization implemented REASONABLE controls?
- Does the organization have documentation to prove they are compliant?
Also, remember to determine if reasonable controls have been implemented, organizations need a documented risk analysis process.
Providence mixes up state workers' new health plan IDs
About 4,500 state employees received an unwelcome surprise from Providence Health Plans this month: an enrollment packet containing other workers' names, their dependents, and their insurance identification numbers.
Providence Health Plans' chief executive, Jack Friedman, apologized for the error."We feel very badly," Friedman said. "The good news on this, is no proprietary medical information is going to get to anybody. This is not going to get in the way of anybody getting health care they need."
Friedman said a printer jammed during a run of 6,500 letters, and after being reset started printing the wrong information on the reverse side for about 4,500 letters. He said the company will re-issue member identification numbers and cards to all 6,500 people by next week.
http://www.oregonlive.com/business/index.ssf/2009/12/providence_mixes_up_state_work.html