« November 2011 | Main | January 2012 »

December 28, 2011

HIPAA Breach Notification: Houston we have a problem?

You know that data breaches (across industries) have made the big time when you are looking at Bloomberg's Businessweek Year in Review issue and this topic is highlighted. Here are some startling numbers:

  • 262,812,546 confirmed number of records exposed or stolen from more than 800 incidents.
  • 37% rise in the number of hacking incidents over last year.
  • Hacking as the most common breach: 81%
  • Stolen hardware 4.4%
  • Virus phishing 2.7%
  • Lost hardware 2.1%
  • Other 9.8%

It is unclear where Bloomberg got these numbers. Anecdotally it is surprising to see hacking as the most common breach because in healthcare this does not appear to be the case (yet). Obviously, getting hard/reliable information regarding data breaches will continue to be a challenge, but the problem is big and BIGGER. The "bad guys" are quite sophisticated and will follow the data the leads to money. Healthcare in particular is quite rich from an identity theft perspective.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

 

Posted at 08:40 AM in HIPAA Breach Notificaiton, HIPAA Compliance, HITECH Act |

December 27, 2011

HIPAA Compliance: Will 2012 be a compliance inflection point?

PORTLAND, OR – A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

via www.healthcareitnews.com

The expert predictions above where regarding 2011, you could use almost the same predictions for 2012. We are still waiting for OCR to finalize important rules, and as predicted for 2011, major breaches will continue to occur in 2012.


HSGLogoDr. Halamka has indicated that

(paraphrasing): "2012 is going to be the

year of increased compliance."

 

The question remains is 2012 the year the healthcare industry wakes up to fact that the privacy and security status quo is fraught with business (e.g. reputation) and regulatory (e.g. cost of breach notification) risk? The answer, we believe, is a "yes" for many organizations. The year 2011 was filled with EHR implementations, meaningful use, and ICD-10, among a host of other concerns. Despite all of that, heathcare organizations began to "grok" the implications of the HITECH Act and to develop plans to meet their regulatory compliance requirements. 

At least one prominent healthcare CIO has declarded that 2012 is going to be the year of increased compliance. Sure, Dr. Halamka was specifically referring to his organization, BUT it is probably a good proxy for what others are thinking as well.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

Posted at 11:34 AM in HIPAA Compliance |

December 21, 2011

Facebook is not a Covered Entity, but what if it were?

After a 3 month audit by the Office of the Irish Data Protection Commissioner (DPC), Facebook has issued a statement that “a DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.” Still, Facebook has committed to making a wide range of changes to its privacy policies and features. These include deleting or anonymizing retained user data, increasing access to and educating users about data and application privacy, and notifying users about the facial recognition feature “Tag Suggest”.

via techcrunch.com

If Facebook ("FB") were a covered entity we would expect to sees LOT OF COMPLAINTS filed with OCR! Why? Because FB has deep pockets and as Jesse James once infamously said "that is where the money is."

Remember, that HITECH Section 13410(c)(3) state as follows:

(3) ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.— Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

Which basically says that HHS must develop a methodology for giving indivduals a "piece of the action." What do you think this is going to do to the numbers of individuals filing complaints? Also, due to the number of baby boomers retiring covered entities and business associates are going to overwhelmed with legitimate patient requests for PHI, and should start preparing now to respond accordingly.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

 

Posted at 04:24 PM in HIPAA Compliance |

December 20, 2011

HIPAA Compliance: We are from NIST and we want to protect your BIOS?

A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals as they work to protect personal computers as they start up.

via www.nist.gov

It is far from clear (at the moment) whether this kind of protection would ever be considered "reasonable and appropriate" under the HIPAA Security Rule, but it is an indication of where cybersecurity is headed. Unlike global warming, there is not even a pretense of a debate surrounding the importance of cybersecurity. These kinds of threats are what keep healthcare CIOs up at night and (obviously) not just because of regulatory compliance issues. Malware poses a real threat to an organization's operations and the bad guys are getting more sophisticated all the time.

Here's the thing, given that the threats are real and the potential for harm devastating, OCR simply cannot afford to tolerate covered entities and/or business associates ignoring the security basics. The HIPAA Security Rule represents a robust implementation of security 101, continue to ignore it at your own peril.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience? 

 

 

Posted at 05:18 PM in HIPAA Compliance |

December 17, 2011

HITECH / HIPAA Newsletter: December 2011

This month's article explores the use of social media and mobile devices in the healthcare industry and the potential risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use, the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows CEs to differentiate their offerings in an increasingly more competitive marketplace.

To read the rest of the article sign up for our FREE newsletter or read it in the archives.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience? 

 

Posted at 01:11 PM in HIPAA Compliance, HITECH Act, HITECH/HIPAA | | Comments (0)

December 14, 2011

HIPAA Compliance: Are all business associates created equal?

A Baltimore law firm lost a portable hard drive containing information about its cases, including medical records for 161 stent patients suing cardiologist Dr. Mark G. Midei, a firm client, for alleged malpractice at St. Joseph Medical Center in Towson.

via www.baltimoresun.com

This article completely misses the point with respect to the applicability of HIPAA to lawyers. Lawyers are clearly business associates of covered entities. Under the HITECH Act business associates are required to comply with the HIPAA Security Rule. There is no "hole" in the law (or exemption) that excludes lawyers. In fact, lawyers are expressly named in the definition of a business associate. This law firm's covered entity is on-the-hook for providing breach notification to the patients whose records were comprised. Furthermore, the covered entity should have had  a business associate contract in place with its law firm.

So are all business associates created equal? The answer to that question is yes, in the sense that ALL must comply with the law as written. However, from a practical perspective, a law firm's compliance with the HIPAA Security Rule is not likely to be the same as a cloud-based EHR's vendor compliance and this is completely "appropriate and reasonable" under the Security Rule's Flexibility principle. Covered entities are going to have little choice other than to structure their business associate contracts specifically to the type of function performed by the business associate, and business associates will need to comply consistent with the function performed.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience? 

 

Posted at 12:55 PM in HIPAA Compliance, HITECH Act, HITECH/HIPAA | | Comments (0)

HIPAA Compliance: Robust solutions for small organizations

Watch this video from Dumatek that clearly illustrates the availability of robust solutions for small covered entities and business associates.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 09:47 AM | | Comments (0)

December 08, 2011

HIPAA Breach Notification Framework Overview Video?

Our HITECH Breach Notification Framework gets you up to speed regarding the 800 pound gorilla of the HITECH Act. We walk you through a methodology for determining when notification is triggered, and how to notify patients, HHS, and prominent media according to applicable law.

We also discuss the processes you need to have in place in order to track security incidents effectively in your organization. Finally, we provide a set of tools and templates that allows covered entities and business associates to quickly ramp up their breach notification compliance programs.

Watch the overview video. 

Posted at 06:09 PM | | Comments (0)

December 07, 2011

HIPAA Compliance: Money $$ Quote from the 2011 Ponemon Survey?

Here's the money quote from the recently released Ponemon Data Breach Research:

The research indicates that the closer the personnel are to the data—such as billing and I.T.—the higher the probability of not following policies and procedures. Forty-two percent of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data. In addition, only 22 percent of organizations say their budgets are sufficient to minimize data breaches. 83 percent of hospitals have clearly written policies and procedures to notify authorities of a data breach, but 57 percent don’t believe their policies are effective. The increased use of outside resources and business associates—associated with the downsizing of hospital staff—is having a direct impact on privacy and security. Sixty-nine percent of organizations say that they have little or no confidence in business associates ability to secure patient data.

HSGLogoIf you think education is expensive,

try ignorance of breach notification

costs on for size.

Let's analyze this precious bit(s) of information:

  1. The fact that administrative personnel do not understand the importance of safeguarding PHI points to a lack of training (42% don't get it?). That much is clear.
  2. Only 22% of organizations have budget to minimize data breaches. I wonder how many of these same organizations have budgets capable of handing a major breach? If you think education is expensive, try ignorance.
  3. 57% don't believe that their policies are effective. No kidding, really? Policies alone are never going to get the job done. Organizations need robust processes that underpin their policies and tracking mechanisms to let them know how well they are doing.
  4. 69% percent of organizations say that they have little or no confidence that BA's can secure patient data. Why expect them to be any better than you?

Here's the bottom line. It is these kinds of results that tell you that the compliance status quo simply will never hold. Major multi-million dollar breaches will continue to occur until healthcare organizations change the way they think about compliance.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 07:50 AM in HIPAA Compliance, HITECH Act | | Comments (0)

December 05, 2011

HIPAA Compliance: Anatomy of a data breach from the trenches?

This column is about a security incident that my company caused earlier this year. It’s a long and detailed description. I’m confident that those of you have never been through a security incident will find the article tedious. I invite you to read just the ending on lessons learned, or save your hard-earned free time for one of HIStalk’s other excellent columns.

via www.histalkpractice.com

The article above does an excellent job of presenting a "blow-by-blow" (literally in some case) analysis of what it is like to experience, and effectively manage, a data breach (in this case a subcontractor of a business associate). It is a process fraught with complexity and risk, requiring rapid fire decision making and analysis while at the same time collaborating with a host of stakeholders and advisers (e.g. business partners, government agencies, executive management, legal, etc.).

That is one of the reasons that our Model Business Associate Contract requires a covered entity and a business associate to develop a breach communication plan thirty days (you can obviously substitute your own number) after the execution of the contract. When (usually not if in our current environment) a breach occurs you at least want to have some basics in place with respect to a game plan.

Although MAeHC apparently did an excellent job of working their way through these challenges, they were literally inventing the plan as they went. To be clear, some of this is unavoidable, but having a breach notification framework in place before the fact would go a long ways toward providing a degree of sanity in an otherwise chaotic business decision making environment.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience?

Posted at 08:35 AM in HIPAA Breach Notificaiton, HIPAA Compliance | | Comments (0)

Next »
My Photo

About

NEWSLETTER


  • Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon
    Sign up for a FREE
    HITECH / HIPAA
    Compliance Newsletter

    Enter your email address

Categories

CC

Tools

  • Google Analytics

Become a Fan

Essays and Such

  • HIPAA Survival Guide (PDF)
    Read the HSG in PDF format.
  • HIPAA Survival Guide (online)
    Practical advice for health care practitioners.

  • Search, KM & the Practice of Law

  • Silicon Stories eBook

  • Dirty Little Secret

  • Competitive Advantage

  • Process Patterns

  • Movie Making and Software Development

  • The Missing Factory

  • Architecture: Shack, House or Skyscraper?

  • The Talent Wars

  • Knowledge Management and Infotainment

  • What comes after what comes next?

June 2013

Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Archives

More...