Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Saturday, April 26, 2014

Practitioner Pointer: Does the use of Skype raise HIPAA compliance issues?

Practitioners should be aware of the risk involved.

By Legal and Regulatory Affairs staff
American Psychological Association - Practice Central
Originally published April 24, 2014

Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists.

HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI.

The entire story is here.

Wednesday, March 19, 2014

HIPAA's Patient Access Rights

By Bruce Borkosky
Published by The Malvern Group
February 2014

This whitepaper is intended as a reference for patients, healthcare providers, and Privacy Officers. It is not legal advice and expresses the opinions of the author.

The goal of the paper is to provide a comprehensive yet understandable review of the many issues involving a patient's access to their PHI in the context of the patient’s rights, treatment considerations and interactions with other providers and the legal system.

It can be read in its entirety, or the reader may wish to use it as reference material, referring to individual sections as the need arises. Patients will be able to use this information to learn about their rights and become more assertive when providers refuse to release records.

Providers can use this information to release (or deny release of) records, thereby potentially avoiding malpractice lawsuits, disciplinary sanctions, or HIPAA complaints.

Administrators and Privacy Officers will be able to use this information to help maintain HIPAA compliance and to help resolve disputes among providers or between providers and patients.

Readers will also discover options for dealing with providers who are reluctant to release records.

The entire paper is here.

Wednesday, March 5, 2014

Senate challenger Milton Wolf apologizes for posting X-ray photos

By The Associated Press
The Kansas City Star
Originally published February 23, 2014

A tea party-backed Leawood radiologist who is trying to unseat longtime Republican U.S. Sen. Pat Roberts has apologized for posting X-ray photos of fatal gunshot wounds and medical injuries on his personal Facebook page several years ago. But he called the revelation about the images the work of a desperate incumbent.

In addition to the images, Milton Wolf also participated in online commentary layered with macabre jokes and descriptions of carnage, The Topeka Capital-Journal reported.

The report about the images, which came from hospitals in the Kansas City area on both sides of the state line, drew criticism from medical professionals who called their display on social media irresponsible.

The entire story is here.

Monday, February 24, 2014

Medical Start-up Invited Millions Of Patients To Write Reviews They May Not Realize Are Public

By Kashmir Hill
Forbes
Originally posted October 21, 2014

Here is an excerpt:

Much like a Facebook policy change, it seems that doctors and patients wound up having data exposed or used in a way they didn’t expect. But this is a much more serious case in that it involves sensitive health conditions. Medical privacy laws spell out explicitly what health providers and their “business associates,” a.k.a. vendors, are allowed to do with patient information. While Practice Fusion says contacting patients for reviews is a service done on behalf of doctors — as is required by HIPAA — the cynical take is that they used their access to patient records for business purposes — to build a review site to compete with ZocDoc and Yelp.

Deven McGraw, a medical privacy law expert at the Center for Democracy and Technology, was also troubled by the messaging. “Anything they want to do with patient data, they’re supposed to do on behalf of the doctor. It’s not a license or invitation to take the data you get and use it for your own business purposes,” she says.

The entire story is here.

Friday, February 21, 2014

HIPAA data breaches climb 138 percent

By Erin McCann
Healthcareitnews.com
Originally posted February 6, 2014

When talking HIPAA privacy and security, the numbers do most of the talking.

Take 29.3 million, for instance, the number of patient health records compromised in a HIPAA data breach since 2009, or 138 percent, the percent jump in the number of health records breached just from 2012.

These numbers, compiled in a February 2014 breach report by healthcare IT security firm Redspin, though, don't tell the whole story, as these are numbers reported to the U.S. Department of Health and Human Services by HIPAA covered entities.

The entire article is here.

Saturday, February 15, 2014

ICD-10 and DSM-5: The Reality

Are You Ready For Two Code Sets on October 1?

By Lisette Wright
Behavioral HealthCare
Originally published January 29, 2014

The ICD-10 transition is proving to be a formidable challenge in the healthcare industry for everyone involved. Provider organizations need to train their clinical staff, worry about revenue cycle disruption, and conduct internal and external testing with all parties. Third-party vendors such as Electronic Health Record companies are also struggling to keep up, with Meaningful Use Stage 2, 2014 Certification, and the ICD-10 transition. Fortunately, there are many trainings available to help you understand what the ICD-10 transition involves. Unfortunately, most of these trainings are medically-focused, not given by those in the mental health or substance use industry, and they do not really explain how the DSM-5 fits into this transition.

The entire article is here.

Wednesday, November 6, 2013

Are Forensic Evaluations “Health Care” and Are They Regulated by HIPAA?

By Bruce Borkosky,  Jon M. Pellett, and Mark S. Thomas
Psychological Injury and Law
June 2013

Abstract

Forensic mental health providers (FMHPs) typically do not release records to the examinee. The Health Insurance Portability and Accountability Act (HIPAA) federal regulations might change this position, given that they have created a basic right of access to health care records. This legislation has led to a disagreement regarding whether HIPAA regulates forensic evaluations. The primary argument (and the majority of scholarly citations) has been that such evaluations do not constitute “health care.” Specifically, in this position, the nature and purpose of forensic evaluations are not considered related to treatment (amelioration of psychopathology) of the patient. In addition, it asserts that HIPAA applies solely to treatment services; thus, forensic evaluations are inapplicable to HIPAA. We describe the evidence for and against this argument, the strengths and limitations of the evidence, and recent court decisions related to it. The weakest part of the “HIPAA does not regulate forensics” argument is that HIPAA has no exclusion criteria based on type of services. It only creates an inclusion criterion for providers; once “covered,” all services provided by that provider are thenceforward “covered.” Authoritative evidence for patient access can be found in the HIPAA regulations themselves, the US Department of Health and Human Services’ commentaries, additional statements and disciplinary cases, the research literature, other agency opinion, and legal opinion. It appears that the evidence strongly suggests that, for those forensic mental health practitioners who are covered entities, HIPAA does apply to forensic evaluations. The implication is that FMHPs potentially face various federal, state, and civil sanctions for refusing to permit patient access to records.

The article is here.

Thursday, October 17, 2013

More HIPAA enforcement coming

By Erin McCann
Healthcare IT News
Originally published September 24, 2013

When Office for Civil Rights Director Leon Rodriguez took the stage Monday to talk HIPAA at the HIMSS Media and Healthcare IT News Privacy and Security Forum, the timing was perfect.

With the HIPAA Omnibus Final Rule taking effect Sept. 23, Rodriguez talked about the increased enforcement to come, the importance of properly safeguarding patient privacy and the what-not-to-dos, or the breach blunders, that have resulted in hefty monetary penalties for some groups who failed to take patient privacy and security seriously.

"Today is a critical day for the Omnibus," said Rodriguez, who explained that the agency is working to strike a balance between effective enforcement and clearly communicating what all the rules are surrounding patient privacy and security.

Sunday, September 1, 2013

Looking at the HIPAA Final Omnibus Rule: An Attorney’s Perspective

By Mark Hagland
Healthcare Informatics
Originally published August 18, 2013

The stringent requirements embedded in what is being called the “HIPAA Final Omnibus Rule”—a set of regulations published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) on Jan. 25—are changing the ground rules for healthcare provider organizations across the U.S. when it comes to safeguarding protected health information (PHI). Those requirements extend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

With compliance with the “Omnibus Rule” required by September 23, healthcare leaders have no time to waste when it comes to understanding and addressing the new requirements.

Recently, Kathryn Coburn, who is of counsel with the Los Altos, Calif.-based law firm of Cooke, Kobrick & Wu, LLP, spoke with HCI Editor-in-Chief Mark Hagland regarding this important topic. The Santa Monica-based Coburn has spent 30 years in healthcare law. Below are excerpts from that interview.

Thanks to Ken Pope for this information.

Thursday, July 11, 2013

WellPoint to pay $1.7 million HIPAA penalty

By Rachel Landen and Joseph Conn
ModernHealthcare.com
Published July 11, 2013

WellPoint, which serves nearly 36 million people through its affiliated health plans, has agreed to pay a $1.7 million penalty to HHS for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.

Between Oct. 23, 2009, and March 7, 2010, access to personal data for 612,402 people—their names, dates of birth, addresses, Social Security numbers, telephone numbers and health information—was made available to unauthorized users as the result of online security weaknesses, HHS said Thursday.

During an investigation of WellPoint's information systems, HHS' Office for Civil Rights found that the Indianapolis-based insurer had not enacted appropriate administrative, technical and physical safeguards for data as required by HIPAA.

The entire story is here.

Tuesday, June 18, 2013

Large Hospital Breach Caused by Inside Inappropriate Access

Health Data Management
Originally published May 31, 2013

Bon Secours Mary Immaculate Hospital in Suffolk, Va., is notifying about 5,000 patients after discovering a significant amount of inappropriate access to patients’ electronic health records from two employees inside the facility.

“During an April 2013 audit of a patient’s medical record, the health system identified suspicious access that prompted an investigation,” according to a notice the hospital issued. “The investigation revealed that two members of the patient care team accessed patients’ medical records in a manner that was inconsistent with their job functions and hospital procedures, and inconsistent with the training they received regarding appropriate access of patient medical records.”

The entire story is here.

Wednesday, June 12, 2013

An Ethical Prohibition that Isn’t — And Never Really Was

By Robert E. Erard, Ph.D.
The National Psychologist
March 11, 2013

A decade after the 2002 APA Ethics Code and the HIPAA Privacy Rule should have settled the matter, many psychologists continue to believe fervently that they have some special ethical duty to resist all formal requests for their raw test data, even when these requests are accompanied by releases from the test taker and even by subpoenas or court orders.

When asked for their test data, some psychologists claim paternalistically that nobody could ever understand what these mysterious numbers mean without being a licensed psychologist. They seem to ignore the fact that we ourselves have an ethical duty (Ethical Standard 9.10; APA, 2002) to provide test feedback (i.e., explaining those numbers), not to mention that most test publishers routinely sell test forms and computerized test interpretations to psychiatrists, social workers, counselors and others.

Other psychologists contend that either test copyrights or licensing agreements with test publishers prevent them from complying with these requests. They overlook the fact that the Fair Use Doctrine under the Copyright Act of 1976 (2011), the legal rights of test takers to their health care information and discovery rules governing the bases for experts’ opinions in forensic matters have consistently trumped these arguments when they have been put to the test (e.g., see Carpenter v. Yamaha, 2006).

The entire story is here.

Thursday, May 9, 2013

Poor Prognosis for Privacy

By Melinda Beck
The Wall Street Journal
Originally published May 1, 2013

The sharing of Americans' health information is set to explode in coming years, with millions of patients' medical records converted to electronic form and analyzed by health-care providers, insurers, regulators and researchers.

That has prompted concerns over privacy—and now, new federal rules that aim to give patients more control over their information are posing technical and administrative problems for the doctors and hospitals that have to implement them.

Information-technology experts say the challenges illustrate how difficult it may be to protect sensitive patient information as digitization of the health-care industry expands.

"The reality is, our ability to exchange electronic information is already well beyond our ability to control it," says John Leipold, CEO of Valley Hope Technology in Norton, Kan., which makes electronic record systems for behavioral-health providers.

The new rules are part of a revision of the 1996 Health Insurance Portability and Accountability Act, known as HIPAA. They went into effect in March, but providers have until Sept. 23 to comply.

One key new provision requires doctors and hospitals not to disclose medical information to a patient's insurer if the patient requests it and pays for the services out-of-pocket. The information can be noted in the patient's medical file, but stopping it being revealed to insurers inadvertently may be difficult, some health-care providers say.

The entire story is here.

You will likely hit a pay-wall for this story.

Saturday, February 2, 2013

HHS Releases Final HIPAA Privacy and Security Update Final Rule

U.S. Department of Health & Human Services
FOR IMMEDIATE RELEASE
Thursday, January 17, 2013

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways.  Patients can ask for a copy of their electronic medical record in an electronic form.   When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.  The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office of Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.

The final document is here.

Friday, October 19, 2012

To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That Is Surprisingly Complex

by Elizabeth H. Johnson
Poyner Spruill LLP
Originally posted on October 5, 2012

Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.

Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.

(cut)

One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.

The entire article is here.

Thanks to Marlene Maheu for this article via LinkedIn.

Monday, October 15, 2012

Letting Patients Read the Doctor’s Notes

By PAULINE W. CHEN, M.D.
The New York Times
Originally published on October 4, 2012

Here are some excerpts:

This patient’s experience, like those of so many others who have tried to obtain their medical records, came to mind this week when I read about the long-awaited results of a study in which patients were given complete access to their doctors’ notes. The findings, published in the Annals of Internal Medicine, do more than shed light on what patients want. They make our current ideas about transparency in the patient-doctor relationship a quaint artifact of the past.

Since 1996, when Congress passed the Health Insurance Portability and Accountability Act, or HIPAA, patients have had the right to read and even amend their own records.

In fact, few patients have ever consulted their own records. Most do not fully grasp the extent of their legal rights; and the few who have attempted to exercise them have often found themselves mired in a parallel universe filled with administrative regulations, small-print permission forms, added costs and repeated delays.

(cut)

For one year, the study, aptly called OpenNotes, allowed over 13,000 patients from three medical centers — the Beth Israel Deaconess Medical Center in Boston, the Geisinger Health System in Danville, Pa., and the Harborview Medical Center in Seattle — to have complete access to one part of their medical records, the notes that doctors wrote about them. Within days of seeing their doctors, patients received an e-mail inviting them to read the doctor’s signed note on a secure patient Web site. Two weeks before their return visit, patients received a second e-mail inviting them again to review their doctor’s note from the previous encounter.

After a year, almost all the patients were enthusiastic about the OpenNotes initiative.

Surprisingly, so were the majority of doctors.

The entire article is here.

The research from the Annals of Internal Medicine is here.

Wednesday, October 10, 2012

Reducing the Risk of a Breach of PHI from Mobile Devices

Latest HHS Fine Hits The Massachusetts Eye and Ear Infirmary

by Rick Kam, ID Experts
Originally published on September 26, 2012

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. In the HHS release, they explain that it wasn’t just one issue or misstep that led to the fine, but rather a series of errors and inaction.

“…such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”

The entire story is here.

Monday, September 10, 2012

Cancer Care Group Data Breach Exposes Nearly 55,000 Patients

By Kyle Murphy
EHR Intelligence
Originally published August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced that a laptop computer containing its computer server backup media was stolen from an employee’s locked car on July 19, 2012. The breach has potentially exposed the protected health information (PHI) or personally identifiable information (PII) of close to 55,000 individuals, including the organization’s own employees. The latest incident comes less than a month after Apria Healthcare reported a similar incident in Arizona where an employee’s car was broken into and a laptop containing information for 11,000 patients stolen.

The entire story is here.

Tuesday, May 15, 2012

Ignorance no defense for celebrity health records snoop

By Amanda Bronstad
National Law Journal
Originally published May 11, 2012

The Ninth Circuit has refused to toss out charges that a former researcher illegally obtained medical records of patients such as Arnold Schwarzenegger and Tom Hanks.

The court rejected arguments that the HIPAA-related charges should have been dismissed because Huping Zhou didn't know what he was doing was illegal.

The entire article is here.

A subscription is needed for this site.

Thanks to Ken Pope for this information.

Tuesday, May 1, 2012

Health records lost, stolen or revealed online

Health privacy problems persist a decade after law went into effect to protect patients

By Deborah Shelton
Chicago Tribune Reporter
Originally published April 23, 2012

Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation's health program for military members, their families and retirees.