Friday, March 30, 2012

HIPAA law used against state employees???

NOTE: The following is an excerpt from Letters to the Editor that appeared in the Montgomery Advertiser on March 30, 2012, submitted by Julian McPhillips. Mr. McPhillips is a well-known attorney in Alabama. I believe this gives insight into an attorney's view of how HIPAA is being used.
The Health Insurance Portability and Accountability Act was enacted by Congress in 1996, supposedly to protect the privacy of medical records. That noble purpose has unfortunately been abused right and left by state government to persecute employees out of favor with management. This includes three different women I have represented, one from the Alabama Department of Public Health, one from the State Docks, a third from Auburn University, all fired due to false accusations of HIPAA violations...

...HIPAA was not created by the U.S. Congress to be a witch hunt tool. Yet, that is exactly what it has become. Legislators wake up, and judges take note. Your help is needed.
From the McPhillips website: Mr. McPhillips is better known as “The People’s Lawyer,” a moniker he earned for his work in landmark cases involving civil rights, racial and workplace discrimination, and police brutality. Mr. McPhillips started this firm in 1978 to focus on these cases and provide clients with aggressive representation in court. Today, McPhillips Shinbaum, LLP is a six-attorney civil litigation firm that represents clients throughout Alabama in state and federal court.

Thursday, March 29, 2012


HHS/OCR has created videos about HIPAA and individual rights on YouTube.

Here is one of the videos in Spanish:

The OCR Channel can be found at the link below, this includes 7 additional HIPAA videos (English):

Wednesday, March 28, 2012

Howard University Hospital security breach affects 34K patients

WASHINGTON (AP) - Howard University Hospital says a former contractor's personal laptop containing patient information was stolen in January.

The hospital sent letters this week to more than 34,000 patients affected by the breach.
The records held personal information, including Social Security numbers.

The hospital said in a statement that the laptop was password protected and that there is no evidence that the patients' files have been violated.

It said the former contractor downloaded the files to a personal laptop in violation of hospital policy and federal health care rules.
NOTE: Has your organization reviewed its agreements, training, etc. with contractors who have access to information? Remember that the covered entity (the hospital) must notify its patients that their information may have been breached. Notice that in this article the name of the contractor was NOT mentioned. Encryption is the key: a laptop's data can still be read even if the laptop is password protected. Non-encrypted PHI that is compromised requires reporting to the individual, the press and HHS. Research encryption today, and also review your agreements and processes with contractors/business associates. Do you know where your data is, and do you trust your business associates to protect that data?

Monday, March 19, 2012

Burglary Triggers Medical Records Firm’s Collapse

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses...

...The company also faced the threat of even more debt with customers and individuals threatening to sue it over the privacy breach.
Impairment Resources reviewed medical records taken on workers’ compensation and auto casualty claims for roughly 600 insurance companies and other customers...

Nobody Cares About HIPAA

Note: Does this describe your organization? With all the fines, penalties and costs of breaches, I had thought this would change, but that does not appear to be the case. This short article makes the point very well.

Compliance is seen mainly as a costly inconvenience in many organizations.

I mentioned how some organizations with obvious Health Insurance Portability and Accountability Act (HIPAA) compliance issues seem uninterested in putting forth the effort to resolve them. Some won't even acknowledge they have issues. Ben shrugs and matter-of-factly says, "Nobody cares about HIPAA."

That took a minute to soak in, but I got his point. Knowing Ben, I knew his comment was not literal, it was for effect. But generally speaking, he has a strong point. In the greater scheme of many businesses, HIPAA (and other regulations) are commonly seen by management and staff as annoyances and as another meaningless expense.

Some organizations make only token efforts toward compliance, and those efforts are typically the least that can be done for the least cost. There is often an incomplete, one-time effort to "get compliant," but after that, nothing much more...

A common course of action by this type of leadership is usually one of three approaches: postpone, ignore, or delegate. The full article, in which the writer explores these three approaches, can be found here:

Tuesday, March 13, 2012

BCBS-Tennessee has agreed to pay HHS $1,500,000

News Release
March 13, 2012

HHS settles HIPAA case with BCBST for $1.5 million

First enforcement action resulting from HITECH Breach Notification Rule

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.

HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the secretary on an annual basis.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:

The HHS Resolution Agreement can be found at

Additional information about OCR’s enforcement activities can be found at

Wednesday, March 7, 2012

Stage 2 - Meaningful Use

NOTE: Encryption and auditable events are two key components of Stage 2 certification with regard to the security requirements.

The Centers for Medicare and Medicaid Services (CMS), Medicare and Medicaid Programs; Electronic Health Record Incentive Program—Stage 2

The ONC proposed rule for Stage 2: Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology.

MU Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

2014 Edition EHR Certification Criteria:
§ 170.314(d)(2) (Auditable events and tamper-resistance)
§ 170.314(d)(3) (Audit report(s))
§ 170.210(e) (Record actions related to electronic health information, audit log status, and encryption of end user devices)

Encryption of data at rest:
2014 Edition EHR Certification Criterion
§ 170.314(d)(7) (Encryption of data at rest)

The Financial Impact of Breached Protected Health Information

The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security explores the reputational, financial, legal, operational, and clinical repercussions of a protected health information (PHI) breach on an organization, and provides a 5-step method, the PHI Value Estimator (PHIve), to assess specific security risks and build a business case for enhanced PHI security. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach. A detailed example of costing a PHI breach using the PHIve method is provided.

Download the ANSI whitepaper here:

The paper is free, but registration is required.

Monday, March 5, 2012

Six Ways to Improve HIPAA Compliance this Year

HIPAA Audits Coming to a Covered Entity Near You, Six Ways to Improve HIPAA Compliance this Year, AHIMA Advantage - February 2012

Will your organization be one of the chosen 150 pilot audit sites this year? Before the letter arrives, you can work to improve privacy and security at your organization, according to William Miaoulis, CISA, CISM, corporate information security officer at Phoenix Health Systems. “You want to be prepared as if you’re one of the 150 being audited,” said Miaoulis. “The best time to prepare for HIPAA compliance was six years ago. The second best time is today.” Here are 6 ways to help your organization meet HIPAA obligations.


Friday, March 2, 2012


OCR has created YouTube videos. These are short, well-done videos that are useful for both health care providers and patients.