Learn these facts before you nail down your HIPAA plan with a consultant. You may be relieved to find a consultant who is willing to take over the overwhelming task of helping you protect the privacy in your medical records — but keep in mind that not all outsourced privacy protection companies are the same. Last week, the Federal Trade Commission (FTC) settled with LifeLock, Inc., a company that offered identity protection services. “According to the lawsuit, LifeLock claimed its service would protect consumers against all forms of identity theft, when, in fact, LifeLock offered only limited protection against only some forms of ID theft,” the FTC’s statement noted regarding its $11 million settlement with LifeLock. If you’d like help staying current with HIPAA privacy regulations, consider these tips before you outsource any of your privacy needs. 1. The Government Does Allow HIPAA Consultants. Practices that are gun-shy about asking for…
Thursday, March 18, 2010
Question: For demonstration purposes in a sales context, if a picture or video of a patient were used with no identifying information, would this violate Health Insurance Portability and Accountability Act (HIPAA)? Answer: A photo is an identifier, explains Kristen Rosati, a partner at Coppersmith Gordon Schermer Owens & Nelson. Why? Read on …
Thursday, March 11, 2010
Warning: Your physicians are strumming your compliance pain with their file-sharing fingers. If HIPAA compliance is your business, you’ll want to note a new study pointing toward a disturbing trend: doctors risking patients’ personal health information (PHI) through file-sharing — typically without even knowing about it. The study, which examined U.S. IP addresses that both held PHI and had file-sharing features enabled, found that “search terms used in these file-sharing networks showed that a small percentage of the terms would return PHI … files.” This “small percentage” actually translates into thousands of U.S. computers, meaning PHI is out there for the plucking if physicians aren’t careful. “There are people successfully searching for … PHI on the peer-to-peer file-sharing networks,” according to the JAMIA study, “The inadvertent disclosure of personal health information through peer-to-peer file sharing program.” Some Features Difficult to Undo JAMIA divides its study…
Wednesday, January 27, 2010
If a breach involves 500+ people, here’s what your health care organization will suffer. Picture this: A nurse hands a patient someone else’s discharge papers but promptly discovers the error and retrieves the protected health information. Would your health care organization have to report that as a breach of unsecured PHI under HIPAA notification rules? The answer: It depends. The scenario wouldn’t constitute a breach — “if the nurse can reasonably conclude that the patient couldn’t have read or otherwise retained the information,” according to the Health & Human Services’ (HHS) interim final rule implementing the new requirements. But suppose the patient turned the corner and was out of sight momentarily and the discharge orders included “a sensitive diagnosis such as HIV, and the facility was in a small community”— or the nurse had reviewed the discharge orders with the patient, says Chicago attorney Michael Roach. Those scenarios could trigger the notification requirements, he…
Wednesday, January 27, 2010
Include this information as part of your risk analysis. Knowing what doesn’t count as a breach under new HIPAA notification rules can help you weigh whether to report a disclosure of unsecured protected health information. The rules include four exceptions, as follows: Exception No. 1. An unintended acquisition, access or use of PHI by a person with authority to handle PHI who is acting in good faith. Also, “there’s no further acquisition, access or use of the PHI,” says attorney Kathryn Solley, with Atlanta law firm Seyfarth Shaw LLP.
Tuesday, January 19, 2010
Hint: Paper files can be breached just as easily as electronic files. You may be sure that you’ve dotted all of your i’s and crossed all of your t’s, but if you miss even a small piece of the privacy puzzle, you can compromise your entire system. Take a look at these three reminders to ensure that you’re starting 2010 with your privacy program on the right foot: 1. Don’t Let Paper Get Lost in the Shuffle. You may think of patient privacy exclusively in terms of protecting electronic patient data, but paper files are just as likely to be compromised. “With the advent of the HITECH changes, breaches occurring with paper records will be treated the same way as electronic data,” says Gregory Michaels, manager of security and compliance solutions at BluePrint Healthcare IT in Cranbury, N.J.
Tuesday, January 19, 2010
State prosecutors see HITECH as a big stick. If you practice medicine or run a plan in Connecticut, make sure all your practice or organization’s security breach notification policies are in order: The Attorney General is not messing around when it comes to HIPAA enforcement. Following its loss in May 2009 of a portable disk drive from a corporate office, Health Net of Connecticut, Inc. has become the first health plan to get popped by a state attorney general under the HITECH Act’s new enforcement provisions, which allow state AGs to enforce HIPAA’s penalty provisions for security violations.
Wednesday, January 13, 2010
Don’t have a policy for employees who work with PHI? We’ve got what you need to write one quickly. Your practice has tough decisions to make when allowing employees to handle patients’ private health information (PHI) while working from offsite locations. You may require encryption, you may prohibit them from working on their personal laptops when dealing with PHI, or you may even only allow remote work when it’s done for emergency reasons. But no matter what, you need to communicate your privacy expectations to your employees. Consider this sample document as a guide, contributed by Glenn Allen, information security director with Fairview Health Services in Minneapolis, Minn:
Wednesday, January 6, 2010
HIPAA & Free Speech clash at Mississippi’s University Medical Center
A simple tweet has sparked a HIPAA compliance and public relations mess at Mississippi’s University Medical Center, and an administrative assistant is out of a job as a result, reports a local TV station. The controversy began when Mississippi governor Haley Barbour posted this tweet on his Twitter page: “Glad the Legislature recognizes our dire fiscal situation. Look forward to hearing their ideas on how to trim expenses.” “Schedule regular medical exams like everyone else instead of paying UMC employees overtime to do it when clinics are usually closed,” tweeted UMC administrative assistant Jennifer Carter. She had heard that the governor had come into UMC for a physical one Saturday three years ago, and that the clinic had to be staffed up with 15-20 workers just for his visit. Next: Carter paid dearly …
Tuesday, September 8, 2009
Look at alternatives to encryption when you deem them necessary. An email that contains a patient’s protected health information (PHI) can be completely harmless — unless it falls into the wrong hands. But fortunately, there are a few ways that you can head off potential email security breaches. Although many health care providers have started encrypting their emails, you aren’t specifically required to do so yet. As the interim final rule published in the Aug. 24 Federal Register indicates, “a covered entity may be in compliance with the [HIPAA] Security Rule even if it reasonably decides not to encrypt electronic PHI and instead uses a comparable method to safeguard the information.” Several readers have inquired what might constitute a “comparable method,” and some even asked why this is required in the first place. And we’ve got your answers here …
Monday, March 22, 2010