Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy
Showing posts with label Protected Health Information. Show all posts

Wednesday, July 1, 2020

Unusual Legal Case: Small Social Circles, Boundaries, and Harm

This legal case shows how much our social circles interrelate and how easily boundaries can be violated. If you ever believe that you are safe from boundary violations in a current, complex culture, you may want to rethink this position. There is a lesson for all in this legal case. I will excerpt a fascinating portion of this case.

Roetzel and Andres
jdsupra.com
Originally posted 10 June 20

Possible Employer Vicarious Liability For Employee’s HIPAA Violation Even When Employee Engages In Unauthorized Act

Here is the excerpt:

When the plaintiff came in for her appointment, she handed the Parkview employee a filled-out patient information sheet. The employee then spent about one minute inputting that information onto Parkview’s electronic health record. The employee recognized the plaintiff’s name as someone who had liked a photo of the employee’s husband on his Facebook account. Suspecting that the plaintiff might have had, or was then having, an affair with her husband, the employee sent some texts to her husband relating to the fact the plaintiff was a Parkview patient. Her texts included information from the patient chart that the employee had created from the patient’s information sheet, such as the patient’s name, her position as a dispatcher, and the underlying reasons for the plaintiff’s visit to the OB/Gyn. Even though such information was not included on the chart, the employee also texted that the plaintiff was HIV-positive and had had more than fifty sexual partners. The husband’s sister saw the texts while using his phone. The sister then reported the texts to Parkview. Upon receipt of the sister’s report, Parkview initiated an investigation into the employee’s conduct and ultimately terminated the employee. As part of that investigation, Parkview notified the plaintiff of the disclosure of her protected health information.

The info is here.

Tuesday, April 7, 2015

Premera Blue Cross Breach May Have Exposed 11 Million Customers' Medical And Financial Data

By Kate Vinton
Forbes
Originally published March 17, 2015

Medical and financial data belonging to as many as 11 million Premera Blue Cross customers may have been exposed in a breach discovered on the same day as the Anthem breach, the health insurance company announced Tuesday.

Premera discovered the breach on January 29, 2015. Working with both Mandiant and the FBI to investigate the attack, the company discovered that the initial attack occurred on May 5, 2014. Premera Blue Cross and Premera Blue Cross Blue Shield of Alaska were both impacted, in addition to affiliate brands Vivacity and Connexion Insurance Solutions. Additionally, other Blue Cross Blue Shield customers in Washington and Alaska may have been affected by the breach.

The entire article is here.

Saturday, April 26, 2014

Practitioner Pointer: Does the use of Skype raise HIPAA compliance issues?

Practitioners should be aware of the risk involved.

By Legal and Regulatory Affairs staff
American Psychological Association - Practice Central
Originally published April 24, 2014

Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists.

HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI.

The entire story is here.

Saturday, September 21, 2013

N.S.A. Able to Foil Basic Safeguards of Privacy on Web

By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE
The New York Times
Published: September 5, 2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

The entire article is here.

With this information, how will you contemplate and explain important clinical issues such as privacy of Protected Health Information as a part of informed consent?

Sunday, September 1, 2013

Looking at the HIPAA Final Omnibus Rule: An Attorney’s Perspective

By Mark Hagland
Healthcare Informatics
Originally published August 18, 2013

The stringent requirements embedded in what is being called the “HIPAA Final Omnibus Rule”—a set of regulations published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) on Jan. 25—are changing the ground rules for healthcare provider organizations across the U.S. when it comes to safeguarding protected health information (PHI). Those requirements extend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

With compliance with the “Omnibus Rule” required by September 23, healthcare leaders have no time to waste when it comes to understanding and addressing the new requirements.

Recently, Kathryn Coburn, who is of counsel with the Los Altos, Calif.-based law firm of Cooke, Kobrick & Wu, LLP, spoke with HCI Editor-in-Chief Mark Hagland regarding this important topic. The Santa Monica-based Coburn has spent 30 years in healthcare law. Below are excerpts from that interview.


Thanks to Ken Pope for this information.

Thursday, July 25, 2013

EHR Adoption Steady, but More Work Needed

By David Pittman
MedPage Today
Originally published July 9, 2013

Physicians are continuing to adopt electronic health records at a steady clip, but more work is needed to have those systems communicate with each other, according to two studies published Tuesday.

In 2012, 72% of physicians had adopted some type of EHR system and 38.2% had capabilities required for a basic system (P<0.05), a review by the CDC's National Center for Health Statistics in Hyattsville, Md., found.

The number of basic EHR adopters was up from just over 25% in 2010, Chun-Ju Hsiao, PhD, and colleagues reported in a study that appeared online in Health Affairs. A basic EHR was defined as having seven capabilities including recording patient history and clinical notes, viewing lab results and imaging reports, and using computerized prescription ordering.

The entire story is here.

Thursday, January 17, 2013

'Protecting' Psychiatric Medical Records Puts Patients At Risk Of Hospitalization


Medical News Today
Originally published January 6, 2013

Medical centers that elect to keep psychiatric files private and separate from the rest of a person's medical record may be doing their patients a disservice, a Johns Hopkins study concludes.

In a survey of psychiatry departments at 18 of the top American hospitals as ranked by U.S. News & World Report's Best Hospitals in 2007, a Johns Hopkins team learned that fewer than half of the hospitals had all inpatient psychiatric records in their electronic medical record systems and that fewer than 25 percent gave non-psychiatrists full access to those records.

Strikingly, the researchers say, psychiatric patients were 40 percent less likely to be readmitted to the hospital within the first month after discharge in institutions that provided full access to those medical records.

"The big elephant in the room is the stigma," says Adam I. Kaplin, M.D., Ph.D., an assistant professor of psychiatry and behavioral sciences and neurology at the Johns Hopkins University School of Medicine and leader of the study published online in the International Journal of Medical Informatics. "But there are unintended consequences of trying to protect the medical records of psychiatric patients. When you protect psychiatric patients in this way, you're protecting them from getting better care. We're not helping anyone by not treating these diseases as we would other types of maladies. In fact, we're hurting our patients by not giving their medical doctors the full picture of their health."

The entire story is here. 

Friday, October 19, 2012

To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That Is Surprisingly Complex

by Elizabeth H. Johnson
Poyner Spruill LLP
Originally posted on October 5, 2012


Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.

Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.

(cut)

One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.

The entire article is here.

Thanks to Marlene Maheu for this article via LinkedIn.

Wednesday, October 10, 2012

ONC advancing Blue Button, CDS standards efforts


Automating the Blue Button to Exchange PHI

Mary Mosquera
Senior Editor, Government Health IT
Originally published on September 26, 2012

Developers in an ONC voluntary community are beginning to drill down into what will be required to automate the Blue Button feature to exchange patient health information at the consumer’s request under different scenarios.

The Blue Button enables patients to view and download their information in simple text format and is currently available to veterans, military service members and Medicare beneficiaries. A few private sector health organizations have begun to make it available to their members.

The ONC’s Standards & Interoperability Framework community has just created three panels to identify standards and tools to push personal data to a specific location, such as using Direct secure messaging protocols and the Consolidated Clinical Document Architecture (CDA), and allowing a third-party application to access personal health data on demand, in a pull transmission, according to Doug Fridsma, MD, director of ONC’s Office of Standards and Interoperability and acting chief scientist.

The entire story is here.

Reducing the Risk of a Breach of PHI from Mobile Devices


Latest HHS Fine Hits The Massachusetts Eye and Ear Infirmary

by Rick Kam, ID Experts
Originally published on September 26, 2012

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. In the HHS release, they explain that it wasn’t just one issue or misstep that led to the fine, but rather a series of errors and inaction.

“…such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”

The entire story is here.

Monday, September 10, 2012

Cancer Care Group Data Breach Exposes Nearly 55,000 Patients

By Kyle Murphy
EHR Intelligence
Originally published August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced that a laptop computer containing its computer server backup media was stolen from an employee’s locked car on July 19, 2012. The breach has potentially exposed the protected health information (PHI) or personally identifiable information (PII) of close to 55,000 individuals, including the organization’s own employees. The latest incident comes less than a month after Apria Healthcare reported a similar incident in Arizona where an employee’s car was broken into and a laptop containing information for 11,000 patients stolen.

The entire story is here.

Monday, July 9, 2012

Data breach leads to $1.7M fine for Alaska DHSS

By Erin McCann
Healthcare Finance News
Originally published June 27, 2012

The Alaska Department of Health and Social Services (DHSS) – the state’s Medicaid agency – has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle possible violations of the HIPAA Security Rule, making it the second largest settlement for HIPAA violations to date.

As part of the settlement, the state has also agreed to take corrective action to properly safeguard the electronic personal health information (PHI) of their Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHSS employee. PHI from an estimated 2,000 individuals was stored on the device.

The entire story is here.

Editorial Note: Please do not transfer large amounts of personal data from a secure data bank to a jump drive, laptop or other portable storage device.

Thursday, April 12, 2012

Howard University Data Breach due to Stolen Laptop

NBC Channel 4 in Washington.
Originally published on March 28, 2012


A heads up if you have personal information on file with Howard University Hospital.

The facility sent letters to more than 34,000 patients about a laptop stolen in January.

The entire story is here.

Editorial note:
This story is yet another example of protected health information data loss due to a stolen laptop. 

A guiding principle can be derived from multiple stories like this: Prevent data breaches by not taking PHI home in a laptop or portable storage device.

Monday, October 10, 2011

Health industry lacks patient data safeguards: poll

by Alina Selyukh

(Reuters) - New technologies are flooding into the healthcare world, but the industry is not adequately prepared to protect patients from data breaches, according to a report published on Thursday.

A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found.

The original article is here.

Monday, September 26, 2011

HHS: More than 5.4M patients affected by data breaches in 2010


Written by the Editorial Staff of CMIO.net

In the U.S. Department of Health and Human Services’ annual report to Congress, Secretary Kathleen Sebelius reported that between Jan. 1, 2010, and Dec. 31, 2010, breaches involving 500 or more individuals were less than 1 percent of the breaches reported, but accounted for more than 99 percent of the more than 5.4 million individuals who were affected.

As part of the Health IT for Economic and Clinical Health (HITECH) Act, the HHS secretary is required to annually report to Congress on the number and nature of data breaches, and actions taken to respond to the breaches.

The number is growing because between Sept. 23, 2009, and Dec. 31, 2009, breaches involving 500 or more individuals were less than 1 percent, but accounted for more than 99 percent of the more than 2.4 million individuals affected by a breach of protected health information. The largest breaches occurred as a result of a theft, an error or failure to adequately secure protected health information. The greatest number of incidents resulted from human or technological error and involved the protected health information of just one individual, HHS’ report said.

The largest breaches in 2010, much like 2009, occurred as a result of a theft, HHS reported. However, compared with 2009, the number of individuals affected by the loss of electronic media or paper records containing protected health information in 2010 was greater than the number of individuals affected by unauthorized access or human error.

The report said the 2010 incidents involved an additional category, improper disposal of paper records by a covered entity or business associate. The greatest number of reported incidents in 2010 resulted from small breaches involving human or technological error, with the most common incidents involving protected health information of only one or two individuals.

HHS said in its report that the breach notification requirements are achieving their objectives: Increasing public transparency of breaches and increasing accountability of the covered entities.

The secretary indicated that covered entities and business associates are providing breach notifications. Millions of affected individuals are receiving notifications, local media are being notified in the regions affected, and the secretary is receiving breach reports. To provide increased public transparency, information about breaches involving 500 or more individuals is available on the Office of Civil Rights (OCR) website.

Also, the report said that more entities are taking remedial action to provide relief and mitigation to individuals and taking further action to prevent future breaches. In addition, OCR continues to exercise its oversight responsibility for reviewing and responding to and investigating breaches involving 500 or more individuals.

More than 250 breaches involving 500 or more individuals occurred in 2009 and 2010, and OCR has closed approximately 76 cases where it determined that the covered entity properly complied with the notification requirements, and corrective actions were taken. In the remaining cases, OCR continues to investigate and is working with the covered entities to ensure remedial action is taken to prevent future incidents.

For breaches involving fewer than 500 individuals, a covered entity must notify the secretary. HHS received approximately 5,521 reports of smaller breaches that occurred between Sept. 23, 2009, and Dec. 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches occurring between Jan. 1, 2010, and Dec. 31, 2010. These smaller breaches affected more than 50,000 individuals.

The majority of the smaller breaches involved misdirected communications. Often, a clinical or claims record was mistakenly mailed or faxed to the wrong individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong record, e-mails were sent to the wrong address and member ID cards were mailed to the wrong individuals. HHS said the covered entities reported fixing “glitches” in software that incorrectly compiled patient lists, revised policies and procedures, and trained or retrained employees who mishandled protected health information.

Friday, September 16, 2011

Info dump yields $40K settlement

By Bryan Cohen
Legal Newsline


North Carolina Attorney General Roy Cooper announced on Wednesday that a Charlotte doctor has paid $40,000 for allegedly dumping files that contained patients' financial and medical information. 

Dr. Ervin Batchelor owns and operates the Carolina Center for Development and Rehabilitation, which is a psychological testing and treatment facility located in Charlotte. In June 2010, the facility allegedly disposed of 1,000 patient files illegally by dumping them at the West Mecklenburg Recycling Center.

The files allegedly contained health information, insurance account numbers, drivers' license numbers, Social Security numbers, dates of birth, addresses and names for 1,600 people.

"Any business you entrust with your information has a duty to keep it safe," Cooper said. "Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft."

Under a state law Cooper pushed through the General Assembly in 2005, businesses that dispose of records containing personal identifying information must destroy or shred those records so that identity thieves can't retrieve information from discarded files that have been carelessly thrown away. Medical records also face added restrictions under federal health privacy laws.

The Carolina Center records were recovered by Mecklenburg County, N.C., officials, who contacted Cooper's office.

As part of a settlement, Batchelor paid $40,000 and agreed to abide by both federal and state laws that protect people's personal financial and health information.

The Carolina Center has already notified the patients whose information was placed at risk. State law requires businesses, as well as state and local government agencies, to notify consumers if a security breach may have put their personal information at risk. The breaches of security must also be reported to the Consumer Protection Division. Since state laws on security breaches took effect in 2005 and 2006, a total of 889 breaches involving information and more than 3.3 million state consumers have been reported.

Cooper's CPD has won settlements in multiple other document dumping cases, including against a Gastonia, N.C., movie rental store, two mortgage lenders from the Charlotte area and a Greensboro, N.C., urgent care clinic.

Monday, August 15, 2011

Computer theft impacts 400K S. Carolina patients

by Angela Moscaritolo

In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System.

How many victims? 400,000.

What type of personal information? Social Security numbers, names, addresses, dates of birth and medical billing codes.

What happened? A desktop computer containing the sensitive data was stolen from an employee's car on March 28. The employee was authorized to have the computer.

Details: The health care system posted a notification about the breach on its website in late May, though it did not reveal how many patients were affected. The U.S. Department of Health and Human Services last week revealed the number of impacted individuals.

There is no evidence that the information has been misused.

What was the response? Spartanburg reported the theft to authorities. An investigation was launched. The company also took unspecified steps to enhance its security procedures. Affected individuals have been notified and offered a free subscription for identity theft consultation and credit monitoring services.

Letter to patients can be found here.

HHS.gov site that documents breaches of unsecured protected health information affecting 500 or more individuals can be found here.