Entries from Realtime Community | IT Compliance tagged with 'patient privacy'


HIPAA And Surveillance In Hospitals

Over the years there have been many...too many...instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients......

CEs and BAs: Be HIPAA/HITECH Compliant Or Pay A Hefty Penalty

The HHS released HITECH Act Enforcement Interim Final Rule today......

What Happens To Privacy During Pandemics?

I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the...

Is Encryption Enough to Achieve Privacy?

Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy....

HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities

The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: "Breach Notification for Unsecured Protected Health Information; Interim Final Rule" (Breach Notice Rule) has been written about a lot. But much of what is written overlooks...

HITECH Act Virtual ToC

This was another very busy week, and I didn't have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email......

HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced

The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all...

Fired Because Photo of Surgery Room Was A "HIPAA Violation"

I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I've removed the identifying information, and...

8,918 HIPAA Violation Investigations Have Required Corrective Actions

Here are some important websites to bookmark for you to reference when you need help...beyond what I have on my blog and at my website :)...if you are a US Health Insurance Portability and Accountability Act (HIPAA) Covered Entity (CE)...

HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element

After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I'm happy to resume my posting! Today I want to offer a few thoughts about the breach...

You Need These Things When You Get HIPAA Audited!

I get a bit irritated when I see a vendor touting their "compliance solution" products as making organizations "HIPAA Compliant" or "PCI DSS Compliant" or whatever your regulation of choice happens to be, and then, upon inspection of their products,...

OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities

Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...

HIPAA Enforcement Will Improve With OCR Responsible for Both Privacy Rule & Security Rule

Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule. Perhaps this is an indicator of more enforcement to come. As a...

(Lack Of) Encryption Is A Basis For Notification Under The HITECH Act

This week one of my tweeps asked me the following: "What's your interpretation of encryption obligations for PHI data-at-rest under HITECH? Many parties are sweating this now." Great question!...

HITECH Act: Breach Notification Is Necessary Based Upon Items Used In De-Identification

Continuing along the discussion of the HITECH Act this week, I want to consider a couple of questions I recently discussed with a CISO at a healthcare insurer about when breach notification is necessary......

Healthcare Worker Gets 1 Year In Prison For Posting HIV Victim's Medical Records On Internet

Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet......

HITECH Act does *NOT* make HIPAA, or HIPAA advice, "obsolete"!

A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance......

Most Laws Are Flawed, But It Is Up To Us To Make Them Better & Make Them Work

Rafal Los makes some very good points in his post "Analysis of the Stimulus Bill and Healthcare Privacy" from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work...

HIPAA & Calling Out Full Names In Waiting Rooms

Over the years I have done several interviews for articles about HIPAA compliance. I recently did an interview for an HCPro article, "Physician offices: Tackle a different set of privacy training challenges." (Sorry, this is not publicly posted to my...

Report on Healthcare Provider HIPAA Progress

Here's an interesting report from URAC about healthcare providers and HIPAA compliance progress......

HIPAA Company-Applied Sanction: Hospital Employee Fired For Snooping Through 431 Patient Files

I thought it would be a good follow-up to my post from Saturday to point out a recent instance for how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate their information security and privacy...

HIPAA Violation: Medical Clinic Leaves Box With PHI On Public Dumpster

This summer I had planned to do a dumpster-diving project with my sons, but then the Iowa floods postponed those plans. However, after reading the following I'm motivated to plan to do this in the spring after basketball and G&T...

New HHS Guidance States HIPAA Does Not Apply To PHRs

I hope you are all having a wonderful holiday season! I hadn't planned to take the past few days off from blogging, but something like the flu (probably the flu) hit me like a bag of bricks on Christmas day...

HIPAA Violation: Healthcare Worker Writes About Patients On MySpace

What was this worker for a healthcare provider thinking...didn't/doesn't the provider provide any kind of information security or privacy training or awareness communications...?...

CMS Gets Heat Over Not Actively Enforcing HIPAA

To date the Centers for Medicare and Medicaid Services (CMS) has not actively pursued HIPAA Security Rule compliance. Instead they have depended upon complaints to drive their investigations. However, as this article nicely points out, depending upon patients and healthcare...

Example Of How Many Healthcare Providers Do Not Understand HIPAA

HIPAA is misunderstood by many personnel who work for healthcare providers; probably because they do not receive effective or good training about HIPAA. Here is a good example of how healthcare providers inappropriately withhold information in the name of HIPAA......

HIPAA Compliance During Emergencies and Disasters

Yesterday the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted a new HIPAA frequently asked question (FAQ) to their site; a great question that many organizations do not even consider until after the fact......

New HHS Guides For HIPAA Privacy Rule

Did you see that the Department of Health and Human Services (HHS) released some new guidance documents for the Healthcare Portability and Accountability Act (HIPAA) Privacy Rule compliance activities on September 17? I need to go through them more thoroughly,...

Medical Identity Theft Is On The Rise

For day 2 of Global Security Week I want to highlight the growing problem of medical identity theft......

Six Ways Organizations Can Lessen Mobile Computing Risks

Geesh, every single day there is at least one news report about a stolen or lost mobile (laptop, notebook, PDA, Blackberry, etc.) computer! Today one of the reports was about a laptop computer, containing cleartext information about 11,000 hospital patients,...

Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers', Records is Generally a Bad Idea

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion! I recently got a very good and...

Yet Another Stolen Laptop With Clear Text Patient PII

Yet another in a long procession of laptop thefts, "Stolen laptop contains personal info of 2,500 patients". Here are the first few paragraphs......

3rd HIPAA Criminal Indictment; Another Insider Job

On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....

Blog Info OK'd To Use To Make Medical Insurance Coverage Decision

Hopefully most people know by now that whatever you post on the Internet is not private, and that basically anyone can read it. Hopefully most people know by now that it is a growing trend for employers to use information...

A Stolen Health Insurer's Laptop With PII Is Not Necessarily A HIPAA Violation

While scanning the news blurb summaries today, the statement, "This is a violation of HIPAA." caught my eye. Hmm...let's see what this is about... This statement was actually within the reader comments to the story, "Blue Cross reports theft of...

CMS Announces Plans To Actively Audit Hospitals For HIPAA Compliance

The U.S. Centers for Medicare and Medicaid Services (CMS) announced last week that they plan to audit 10 - 20 hospitals for HIPAA compliance in the next 9 months according to a Government Health IT article....

CMS Hires A Fox To Guard The HIPAA Henhouse

I just read a very interesting article, "CMS' HIPAA watchdog presents potential conflict" that made me go Hmmm!! The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the...

7 More Reasons Why Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is...Part 2

As a continuation of my blog posting from Monday, here are 7 additional reasons to add to the previous 4 for why sending cleartext instant messages (IMs) and email is not secure:...

Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is...Part 1

I got some interesting comments and questions, and lots of good direct feedback, about my blog post on sending cleartext patient information last week, "HIPAA: Beware Doctors Who Claim They Don't Have To Follow Safeguard and Privacy Requirements" so I...

HIPAA: Beware Doctors Who Claim They Don't Have To Follow Safeguard and Privacy Requirements

My good friend Alec recently made me aware of a very interesting blog post made by a physician (thanks Alec!) that is frankly quite troubling....

HIPAA, The Insider Threat & Prison Time

It seems there are more and more stories related to patient privacy and HIPAA popping up lately. Today another story caught my eye related to them....

Another Hospital Suspends Staff For Violating HIPAA Requirements

A couple of weeks ago I blogged about the Ivinson Memorial Hospital applying sanctions to their staff for violating HIPAA requirements. They have set a good example...another hospital has also applied sanctions...suspending 27 of their staff members for violating HIPAA...

A Hospital Actively Enforcing HIPAA Requirements!

It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements....

The First Ever HIPAA Audit: Where's The Report? Does It Have Beef?

Gosh, I just had a flashback to the "Where's the Beef" commercial from years ago... :) The U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule went into effect in April, 2001, and gave covered entities (CEs) two years...

HIPAA & 4 Lessons From an Insider Threat Example: Former Healthcare IT Manager Hacks Into System and Deletes PHI

There are so many ways in which bad things can happen with the authorized access personnel and business partners have to sensitive data, personally identifiable information (PII), and business systems. Many times the bad things that happen are a result...

HIPAA Violation in Divorce Proceeding?

During a divorce case in Illinois, K.S. Kim claimed a hospital violated HIPAA by sending her health records to her ex-husband's attorney....

HIPAA: More Changes and Initiatives by HHS

I've been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives. Two more I read about recently:...

HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations

The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who...

Admitted HIPAA Noncompliance at UPMC: Penalties Must Be Applied to Make Laws Effective

On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation...

HIPAA Security Rule and Privacy Rule Enforcement Reportedly Going To Be Pursued In 2007

Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into...

HIPAA: Privacy and the Press

An interesting editorial ran this past Sunday in the Mason City, Iowa Globe Gazette about HIPAA, "The Price of Privacy: HIPAA has far-ranging implications" The title intrigued me. Yes, indeed there will be far-ranging implications to effectively start handling protected...

HIPAA: Congressional and GAO Reports Say HHS Needs To Make Changes To Protect Patient Privacy

According to a congressional testimony report posted February 1, "Private Health Records: Privacy Implications of the Federal Government's Health Information Technology Initiative," the Department of Health and Human Services (HHS) needs to do more to address privacy and security concerns...

HIPAA Mobile and Remote Computing Security Guidance from CMS

Today I received notice that the Centers for Medicare & Medicaid Services (CMS) just issued a new publication, "Security Guidance for Remote Use" which is actually dated 12/28/2006. "This document is intended to provide HIPAA covered entities with general information...

Psychotherapy Notes Fiasco and HIPAA: Bad Legislation, Bad Enforcement, or Bad Covered Entity?

The Pittsburgh Post-Gazette ran an interesting story today, "Spread of records stirs fears of privacy erosion." Basically this describes the trials and tribulations of a woman who was denied disability benefits from her insurer following a car accident because of notes...

Medical Identity Theft and HIPAA

On Wednesday the Queens Gazette ran a report on medical identity theft. This certainly is an issue of concern. I blogged about medical identity theft earlier this year. Combining identity theft with unauthorized access to medical information certainly can lead...

HIPAA: Report Shows Most Complaints Not Investigated

Government Health IT published an interesting report today, "Most privacy complaints are not investigated." From the article: "The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights...