Saturday, February 27, 2010

Hawaii - Tsunami (UPDATED)

UPDATE: Official: Hawaii 'Dodged a Bullet' After Tsunami, Strong Chile Quake

http://www.foxnews.com/story/0,2933,587588,00.html

Hawaii under tsunami warning; Calif. coast, Alaskan islands under advisory

http://www.latimes.com/news/nationworld/nation/wire/sns-ap-us-quake-tsunami-alerts,0,2985213.story

MIAOULIS NOTE: Fortunately, the tsunami did not cause extensive damage in Hawaii. Still, natural disasters (hurricanes, tornadoes, earthquakes, etc.) are scary situations. Healthcare facilities in Hawaii have unique challenges in preparing for a disaster and in treating patients during a region-wide disaster. However, all organizations need a plan for responding to anything from a localized disaster (loss of a computer room) to a more regional one. Healthcare has challenges not found in other industries because the information is needed at the point of care. A bank, insurance company, etc. can move operations to another location, and many businesses can shut down for a period of time. Healthcare does not have those options.

When conducting a Business Impact Analysis (Application Criticality Analysis), healthcare organizations should include a focus on a PATIENT Impact Analysis. If you have used or are planning to use an external firm to assist you, I believe it is important that they have a strong healthcare background. All too often, firms want to know how many nurses you will need to move to a hot-site location, or they focus on the financial impact to the organization. If you have questions or would like to discuss further, please contact me.

Tuesday, February 23, 2010

Enforcement for BAs Delayed

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.

http://www.huntonprivacyblog.com/2010/02/articles/hipaa-1/hhs-delays-enforcement-of-hitech-act-business-associate-provisions/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PrivacyInformationSecurityLawBlog+(Privacy+%26+Information+Security+Law+Blog)

MIAOULIS NOTE: These delays are good for folks who have started the process; however, for organizations that are not taking HIPAA/HITECH or security seriously, it gives them another reason to rationalize non-compliance.

Monday, February 22, 2010

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.  They can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

The types of media involved in the breaches included laptops, paper, email, network servers, desktop computers, portable USB devices, postcards, backup tapes, and CDs. The number of organizations reporting is not surprising. This writer wonders how many other organizations had breaches that went undetected.

Thursday, February 18, 2010

HITECH One Year Anniversary - Where should you be?

MIAOULIS WRITES: Organizations are in a difficult situation. Let's look at some of the new requirements. This article and this blog are intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances.

BUSINESS ASSOCIATES: Need to take steps to become HIPAA and HITECH compliant.

PATIENT RIGHT TO EHR IN ELECTRONIC FORMAT: I believe organizations should create a plan now for this: watermark the information, secure the information, and charge a reasonable fee for providing it. If a consumer asks for it, provide it in some form.

PATIENT RIGHT TO REQUEST RESTRICTION: Individuals have the right to restrict disclosure to a health plan when they have paid out of pocket, in full, for the item or service.

NOTICE OF PRIVACY PRACTICES: If patients have new rights, one question left unanswered is whether organizations should change their notice of privacy practices (NPP). Based on what I know, the answer appears to be YES.

MINIMUM NECESSARY: Guidance is expected in 6 months (August 18, 2010); however, organizations should already be taking steps to limit access to the minimum necessary information. All access to information should be reviewed to determine whether, to the extent practicable, it can be limited to a "limited data set" or to the minimum necessary to accomplish the task. Limiting diagnosis information and identity-theft fields (SSN, date of birth) should also be considered for both internal and external information access.
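To make the minimum-necessary and limited-data-set idea concrete, here is an added example (my own illustration, not code from this blog or from any HHS guidance) of an allow-list filter applied to a patient record before it is released to a role or to an external party. The 16 direct identifiers stripped for the limited data set are those listed in 45 CFR 164.514(e)(2); the field names, the role-to-field map, and the sample record are assumptions constructed for the example. Note that dates, including date of birth, are not on the limited-data-set removal list, which is why the post's advice to strip SSN and birth date is handled as a separate switch.

```python
"""Minimum-necessary and limited-data-set filtering of a patient record.

Added example: an allow-list approach (deny by default) so that adding a new
field to the record never silently widens what a role can see.
"""
from typing import Any, Dict, FrozenSet, List

# The 16 direct identifiers that 45 CFR 164.514(e)(2) requires to be removed
# from a limited data set. The field names are this example's own convention.
LDS_DIRECT_IDENTIFIERS: FrozenSet[str] = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})

# Role -> fields that role needs to do its job. Illustrative assumption only;
# a real organization derives this map from its own workflow review.
ROLE_VIEWS: Dict[str, FrozenSet[str]] = {
    "billing":    frozenset({"name", "account_number", "health_plan_id",
                             "procedure_codes", "dob"}),
    "scheduling": frozenset({"name", "phone", "appointment"}),
    "clinician":  frozenset({"name", "dob", "mrn", "diagnosis",
                             "procedure_codes", "appointment"}),
}

# Fields the post singles out as identity-theft enablers.
IDENTITY_THEFT_FIELDS: FrozenSet[str] = frozenset({"ssn", "dob"})

# Constructed sample record with fictitious values (not real patient data).
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Doe",
    "street_address": "1 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "account_number": "ACCT-9",
    "health_plan_id": "HP-77",
    "dob": "1980-01-01",
    "appointment": "2010-03-01T09:00",
    "diagnosis": "A53.9",
    "procedure_codes": ["99213"],
}


class AccessDenied(PermissionError):
    """Raised when no minimum-necessary view exists for the requesting role."""


def minimum_necessary(record: Dict[str, Any], role: str, *,
                      strip_identity_theft_fields: bool = False) -> Dict[str, Any]:
    """Return only the fields ROLE is permitted to see.

    Unknown roles are denied outright rather than given the whole record.
    With strip_identity_theft_fields=True, SSN and date of birth are removed
    even when the role's view lists them.
    """
    try:
        allowed = ROLE_VIEWS[role]
    except KeyError:
        raise AccessDenied(f"no minimum-necessary view defined for role {role!r}")
    if strip_identity_theft_fields:
        allowed = allowed - IDENTITY_THEFT_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def limited_data_set(record: Dict[str, Any]) -> Dict[str, Any]:
    """Remove the 16 direct identifiers; keep city/state/ZIP, dates and clinical data."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def withheld_fields(record: Dict[str, Any], view: Dict[str, Any]) -> List[str]:
    """Fields present in RECORD but absent from VIEW, for the access audit trail."""
    return sorted(set(record) - set(view))


if __name__ == "__main__":
    for role in ROLE_VIEWS:
        view = minimum_necessary(SAMPLE_RECORD, role, strip_identity_theft_fields=True)
        print(role, "sees", sorted(view), "withheld", withheld_fields(SAMPLE_RECORD, view))
    print("limited data set:", sorted(limited_data_set(SAMPLE_RECORD)))
```

The point of the allow-list is the failure mode: when a new identifier is added to the record, a deny-list filter leaks it to every role until someone updates the list, whereas an allow-list withholds it until someone decides who needs it. Logging the withheld fields alongside each access gives the evidence an auditor will ask for when checking that minimum necessary is actually enforced and not just written in a policy.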

FUNDRAISING: The opt-out language must be clear and conspicuous. Although this is not defined, it is important to make it at least as large as the other text. It is also VERY important that organizations implement controls to ensure that individuals who have opted out are NOT sent additional requests.

MARKETING: HITECH prohibits organizations from treating a communication as healthcare operations (rather than marketing) when the organization receives direct or indirect payment in exchange for making it. Basically, organizations should only do marketing in limited circumstances, such as when sending information about drugs that have already been prescribed to the patient. This may include information such as refill reminders or educational materials about a drug.

ENFORCEMENT/AUDITS: Although audits may still be a ways off, be prepared for one and conduct self-audits. Do you have a written policy, have you implemented appropriate controls, and can you prove your controls are functioning? See http://www.hipaasecurityandprivacy.com/2010/02/enforcement-of-hipaa.html

BREACH NOTIFICATION (SEPTEMBER 23, 2009): Organizations need a policy, a process/procedure for evaluating breaches, and a reporting mechanism. Creating scenarios and decision trees before a breach occurs is a solid practice. Remember that not all breaches require notification, but a solid, documented analysis is required for each one.

IT IS BETTER TO PREVENT A BREACH THAN TO REPORT A BREACH.

IT IS BETTER TO DOCUMENT YOUR HIPAA COMPLIANCE THAN TO BE SUBJECTED TO A FINDING OF WILLFUL NEGLECT.

Wednesday, February 17, 2010

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

http://www.hhdataprotection.com/2010/02/articles/health-privacyhipaa/hitech-compliance-date-is-here-but-without-associated-regulatory-guidance/

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

Monday, February 15, 2010

French Judge Issues Arrest Warrant for U.S. Cyclist Floyd Landis

A French judge has issued an international arrest warrant for disgraced U.S. cyclist Floyd Landis for allegedly hacking into a lab computer at a facility run by the country's anti-doping agency, the agency's head told Reuters.......

"French judge (Thomas) Cassuto from the Tribunal de Grande Instance of Nanterre informed us that he had issued an international arrest warrant on Jan. 28 against Floyd Landis, who tested positive for banned testosterone during the 2006 Tour de France, after our laboratory computer system was hacked," Bordry said in an interview with Reuters.
French officials filed a criminal complaint in 2006 over the hacking, which they said was designed to discredit the drug tests they had conducted on Landis. No charges were filed against the 34-year-old at the time.
http://www.foxnews.com/sports/2010/02/15/french-judge-issues-arrest-warrant-cyclist-floyd-landis/

MIAOULIS NOTE: Although this is not a HIPAA/HITECH breach, it does show a risk (unauthorized access to a laboratory's computer system) that organizations in the USA could learn from.

Friday, February 12, 2010

Another Laptop Stolen and another...

AvMed: Data of 208,000 at risk after Gainesville theft
The theft of two company laptops from AvMed Health Plans' corporate offices in Gainesville may have compromised the personal information of more than 200,000 current and former subscribers, as well as their dependents, the company announced.
The personal information includes names, addresses, phone numbers, Social Security numbers and protected health information.
http://www.gainesville.com/article/20100208/ARTICLES/100209476/1002/NEWS01?Title=AvMed-Data-of-208-000-at-risk-after-local-theft

Greensburg medical facility laptops stolen
Two laptop computers containing patient information were stolen from two Greensburg medical complexes over the weekend, city police said Tuesday.

One theft occurred at Dr. Barry Bupp's dental practice in Medical Commons One on South Street, the other in Dr. Elie Abdallah's office in the Medical Arts Building on Shearer Street, police said.

The specific types of records on the laptops couldn't be determined yesterday. One police report listed the data as "patient information," while the other described it as "confidential patient information."
http://www.pittsburghlive.com/x/pittsburghtrib/news/westmoreland/s_665328.html

MIAOULIS NOTE: We all should know the dangers of unencrypted laptops. But remember that smartphones, flash drives, CDs, etc. can all contain PHI as well.

STD: It is not just VIPs

EDWARDSVILLE, Ill. (CN) - Jane Doe claims that while her boyfriend was two-timing her with a Quest Diagnostics manager, the Quest employee looked up Doe's medical test results and told their common boyfriend that Doe has herpes. Doe adds that when the boyfriend denied having the virus, the manager cooked up a bogus test for herself and showed them to the man "in an attempt to get him to admit that the plaintiff (current girlfriend) in fact had herpes."
The words "current girlfriend" occur in parentheses in the complaint in Madison County Court.

http://www.courthousenews.com/2010/02/09/24512.htm
 
MIAOULIS NOTE: When reading this story, organizations need to ask themselves: (1) Could this happen here? (Answer: probably.) (2) What are we doing to prevent it, i.e., to limit the probability/likelihood? (3) What are our policies and practices? (4) How do we minimize the impact?

Enforcement of HIPAA

HITECH called for "periodic audits" to ensure HIPAA compliance, but as of today the Office of Civil Rights has not created a calendar of when those periodic audits will take place.
Sue McAndrew, the deputy director for Health Information Privacy for OCR, said at the 18th Annual National HIPAA Summit Thursday that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective."
OCR is considering its budgetary means as well as the most effective method. "There are 1,000 ways to do this," McAndrew said.

http://www.healthleadersmedia.com/page-1/TEC-246089/OCR-Leader-No-HIPAA-Enforcement-Schedule-Yet
MIAOULIS NOTE: This tells me that audits are still a ways off; in effect, this has minimized the perception of HITECH/HIPAA risk.