Much has been made about the web-site link http://hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
of the folks that have reported breaches. Although difficult to know, the bigger question may be how many organizations had similar breaches but did not report. The folks that reported are complying with the law by reporting. It will be interesting to see what happens when PHI from an unreported breach is traced back to an organization. My guess is that will send shock waves to those who do not have a good process for identifying, mitigating and reporting breaches.
This site is dedicated to Healthcare Security and Privacy with a focus on HIPAA and Federal Legislation (HITECH)
Monday, March 29, 2010
Sunday, March 28, 2010
BAG containing documents
The theft of a document containing the names and Social Security numbers of 554 patients at Wake Forest University Baptist Medical Center was hardly unusual.
Federal health officials say that it was the 47th time since September 2009 that patient records of some sort had been breached from hospitals and health-insurance companies nationally.
Such breaches raise questions about the security measures being used by health-care providers on sensitive financial and medical information, as well as the need for records to be removed from secure sites.
In the Wake Forest Baptist case, a bag containing documents with the patient information was stolen Feb. 15 from an employee's locked car in the parking deck of an off-campus outpatient clinic. Hospital officials publicly revealed the theft on March.
http://www2.journalnow.com/content/2010/mar/19/breaches-of-patients-data-raise-questions-on-secur/
MIAOULIS NOTES: Remember, it is not just PHI in electronic form, but paper that can also cause a breach.
PHI on PERSONAL LAPTOP
The U.S. Veterans Affairs Office of Inspector General has launched a criminal investigation into a security breach of veterans' medical information at the Atlanta Veterans Administration Medical Center, according to an internal document obtained by The Atlanta Journal-Constitution.
The inspector general is investigating a report that a physician assistant stored unauthorized clinical information on her personal laptop regarding veterans who were seen at one of the VA specialty clinics, according to the document.
http://www.ajc.com/news/dekalb/security-breach-at-atlanta-365828.html
MIAOULIS NOTE: What are you doing at your organization? How are you keeping PHI from flowing to unauthorized locations? Have you locked down email, including Gmail, Hotmail and Yahoo, from sending ePHI?
Saturday, March 27, 2010
10 health IT security breaches
The following breaches of unsecured protected health information were reported to the Health and Human Services Secretary, in accordance with the HITECH Act. http://www.healthcareitnews.com/slideshow/10-health-it-security-breaches
The complete list can be found at http://hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
Friday, March 12, 2010
Lifelock Fined 12 Million - What we can learn
The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.
The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.
But the Federal Trade Commission said Tuesday that the claims were bogus (http://www.wired.com/images_blogs/threatlevel/2010/03/lifelockcomplaint.pdf) and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.
http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operation
MIAOULIS NOTE: This again points to the need for organizations to apply minimum necessary (reduce the number of people who have access to the FULL SSN, the complete birthdate (month and year should be enough), etc.) and to implement an FTC "Red Flag Program".
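Two of the notes above ask practical questions: how do you keep ePHI from flowing out through webmail such as Gmail, Hotmail or Yahoo (the personal-laptop post), and how do you apply "minimum necessary" so that most staff never see a full SSN or a complete birthdate (the Lifelock post)? The following Python is an added example written for this page, not code from the blog author or from any of the organizations mentioned. It assumes a hypothetical message shape (a dict with `to` and `body`), a hypothetical internal domain `hospital.example`, and its own choice of SSN and date-of-birth patterns, webmail denylist and masking rules; a real deployment would tune all of these to the organization's own data.

```python
"""Outbound-email DLP check plus minimum-necessary masking for PHI fields.

Added example for this page (not the blog's or any vendor's code).
Assumptions, all hypothetical: messages are dicts {'to': [...], 'body': str};
'hospital.example' stands in for the covered entity's own mail domain; the
identifier patterns and masking rules below are this example's choices.
"""
import re

# Consumer webmail domains named in the note; extend for your environment.
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
INTERNAL_DOMAINS = {"hospital.example"}  # hypothetical covered-entity domain

# US Social Security number in the dashed form 123-45-6789.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Date of birth in the common US form M/D/YYYY or MM/DD/YYYY.
DOB_RE = re.compile(r"\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/((?:19|20)\d{2})\b")


def is_plausible_ssn(area, group, serial):
    """Drop values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from order numbers etc."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_phi(text):
    """Return a list of (kind, matched_text) for identifiers found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in DOB_RE.finditer(text):
        hits.append(("dob", m.group(0)))
    return hits


def recipient_domain(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def check_outbound(message):
    """Decide whether an outbound message may leave.

    Returns (decision, findings) where decision is:
      'allow'   - no identifiers, or all recipients are internal
      'block'   - identifiers present and any recipient is consumer webmail
      'encrypt' - identifiers present and recipients are external but not webmail
    """
    findings = find_phi(message["body"])
    if not findings:
        return "allow", findings
    external = [r for r in message["to"] if recipient_domain(r) not in INTERNAL_DOMAINS]
    if any(recipient_domain(r) in WEBMAIL_DOMAINS for r in external):
        return "block", findings
    if external:
        return "encrypt", findings
    return "allow", findings


def mask_ssn(ssn):
    """Minimum necessary: keep only the last four digits."""
    return "***-**-" + ssn[-4:]


def minimize_dob(dob_text):
    """Minimum necessary: month and year only, as the note suggests."""
    m = DOB_RE.fullmatch(dob_text)
    return f"{int(m.group(1)):02d}/{m.group(3)}"


def redact(text):
    """Apply minimum-necessary masking to every identifier in text, so the
    view handed to staff who do not need the full value never contains it."""
    text = SSN_RE.sub(
        lambda m: mask_ssn(m.group(0)) if is_plausible_ssn(*m.groups()) else m.group(0),
        text,
    )
    text = DOB_RE.sub(lambda m: minimize_dob(m.group(0)), text)
    return text


if __name__ == "__main__":
    # Constructed sample message, not real patient data.
    msg = {"to": ["someone@gmail.com"],
           "body": "Referral: SSN 123-45-6789, DOB 03/14/1962"}
    print(check_outbound(msg))   # ('block', [('ssn', ...), ('dob', ...)])
    print(redact(msg["body"]))   # Referral: SSN ***-**-6789, DOB 03/1962
```

The decision logic is deliberately simple: the point is that a message carrying an SSN or birthdate to a consumer webmail address is stopped at the gateway rather than discovered later in a breach report, and that the masked form is what most roles should see in the first place. Pattern matching alone will miss identifiers in attachments and screenshots, so treat this as one layer alongside endpoint controls on personal devices.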
Monday, March 8, 2010
Certification Rule Changed----
The Office of the National Coordinator for Health Information Technology has withdrawn the proposed rule establishing a certification program for electronic health records software and replaced it with a corrected version.
The public inspection site where the corrected version can be accessed is at www.federalregister.gov/Default.aspx
Proposed HITECH rule for business associates will come soon, says OCR lawyer
An OCR lawyer tells HIPAA Update the HIPAA privacy and security enforcer will release a proposed rule regarding business associate (BA) provisions in HITECH “shortly.”
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to Update that OCR’s rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.
http://blogs.hcpro.com/hipaa/2010/03/proposed-hitech-rule-for-business-associates-will-come-soon-says-ocr-lawyer/
MIAOULIS NOTE: This article comes to us from our friends at HIPAA Update, a great resource for HIPAA/HITECH information.
Saturday, March 6, 2010
Shands notifies 12,500 patients that data at risk
Shands HealthCare has notified about 12,500 patients that a laptop containing their medical information was stolen in January. The unencrypted laptop contained information about patients referred over the past three years to the Shands at the University of Florida gastroenterology clinical services department.
The information includes names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people. http://www.gainesville.com/article/20100302/ARTICLES/3021003/1002
UT Southwestern warns patients that hospital worker stole records
The University of Texas Southwestern Medical Center is advising 12,000 patients to guard against fraud after a former employee was found in possession of a limited amount of patient billing data.
Authorities discovered in September that a cashier in the hospital's finance department, Tracy Renay Thomas of Dallas, had billing and insurance information from 21 patients. The hospital alerted those patients by phone.
http://www.dentonrc.com/sharedcontent/dws/dn/latestnews/stories/030610dnmetutsw.17af75fc2.html