Mobile Data Security a Big Concern

Do you use a laptop that contains patient information? Do you have a list of your patients with their telephone numbers, email addresses and appointment schedules in your smartphone? Are those devices encrypted?

The number of mobile devices we use to conduct our business has expanded beyond belief. What can we do to make sure that our patient data is not at risk when we use these devices to access it? As providers of behavioral healthcare services, we have a special responsibility to protect the sensitive information related to the care of our clients.

The U.S. Department of Health and Human Services is very concerned about the spread of these devices and their innate insecurity. They have developed a special section of their healthit.gov web site to focus on these privacy and security needs.

The HHS video on the topic focuses on five issues:

  1. Lost mobile device
  2. Stolen mobile device
  3. Downloaded virus or malware
  4. Shared mobile device
  5. Unsecured Wi-Fi network

Take a look when you get a chance and learn more about how to protect PHI when using mobile devices. And don’t forget: encryption that meets HHS guidance gives you ‘safe harbor’ under the HIPAA breach notification rule. If a lost or stolen device held only properly encrypted PHI and the decryption key was not exposed along with it, the loss is not a reportable breach; a device that is merely password-protected but not encrypted gets no such protection.

Does your organization have policies about using mobile devices to access PHI? How do you manage your experience with mobility? Please share your comments below.


Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) mandated that protected health information (PHI), and in particular PHI stored electronically, be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) added further security and breach notification requirements for all PHI. HITECH also extended the privacy and security requirements that apply to Covered Entities to their Business Associates, who are now directly liable for violations.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for ensuring the privacy and security of that information. Not doing a security risk analysis, not having an incident response plan, not having a disaster recovery plan, not having usable off-site backups of your patient information . . . any of these could easily be considered “willful neglect” by the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR for ignoring the requirements of HIPAA and you are found guilty of “willful neglect”, OCR must penalize you. Are you prepared to pay at least $10,000 to $50,000 per violation . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.


UCLA and WellPoint Fined for Data Breaches

I am sure many of you remember the reports dating back to 2005 that celebrity patient files were being viewed by casual lookers…employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into an agreement with UCLAHS to settle potential HIPAA violations for $865,500. Additionally, UCLA has made a commitment to correct gaps in their security, to improve their policies and procedures to better safeguard patient information, and to adequately educate their employees.

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because it waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.

It will also reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.

For me, the important issues here are the following:

  • OCR is serious about data breaches and safeguarding patient protected health information (PHI).
  • State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
  • The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

HIPAA Privacy Requirements: Serious business

In the past year, the Office for Civil Rights, the federal office responsible for enforcing HIPAA privacy requirements, issued the breach notification rule under which all covered entities and their business associates are required to protect the personal and health information of the patients they serve. The rule details the actions a breach of the Privacy Rule requires, including notification of the affected patients. In the past month, OCR has begun to publish significant fines against organizations found responsible for breaches of that rule.

Lots of folks have been waiting to see what kind of fines the OCR would impose upon organizations found responsible for breaches. We are beginning to find out.

On February 14, 2011, HHS entered into an agreement with Massachusetts General Hospital in which the hospital organization agreed to pay $1 million because of the loss of data of 192 patients of one of its outpatient practices. The information lost was on paper and was lost on a subway train. The hospital also agreed to enter into a Corrective Action Plan (CAP) including the implementation of policies and procedures to protect the PHI of its patients.

For those of you who thought these requirements do not affect you if you do not keep any patient information in an electronic form, it is clear that is not how OCR views it. Paper is also vulnerable and OCR is determined to protect that PHI.

The second announced penalty was imposed on Cignet Health of Prince George’s County, Maryland: $4.3 million. Cignet denied 41 patients access to their medical records, failed to cooperate with OCR’s investigation of their complaints, and indeed failed to reply to OCR’s notices at all. OCR determined that “the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.”

For those of you who have thought that not keeping records of treatment might be the safest course of action, please think again. If you cannot provide the record when a patient requests it, they have every right to complain to OCR and to seek a judgment against you.

Of course, your organizations all have Privacy Policies. Do you know what they are? Do you follow the Procedures that your organization has developed? Does everyone? Part of the requirement is that employees be properly trained in what the policies and procedures are and that their training is regularly refreshed. Oh, and yes, part of the requirement is that the Privacy Officer makes sure the owners of the practice or the Executive Director or Board of Directors is well-informed about how the policies are implemented.

How is your organization doing with the stricter Privacy Rule requirements imposed by the HITECH Act? Please share your thoughts, fears and struggles with these requirements and how they affect your organization. Just enter your comments below.

Privacy: Where are you now?

One of our customers recently shared a NY Times column about photos you post on the web revealing where they were taken. Geotags provided by some digital cameras and many smartphones with built-in GPS features indicate where the photo was taken. If you post a photo of your child’s at-home birthday party taken with geotags turned ‘on’ in the camera/phone you used, everyone who looks at the photo can also know just where you live.

The technology, while very useful in operating your GPS or helping you keep track of where your teenager is at this moment, is also a potential privacy threat because it embeds the longitude and latitude of where the photo was taken. 

While many people are not very concerned about this, others see it as one more step in the gradual erosion of our ability to protect our privacy, in large part because most people do not even know that geotags exist, let alone that they can be turned on and off. The above-mentioned article by Kate Murphy points you toward controlling who can learn where your photos were taken.

The Web site ICanStalkU.com provides step-by-step instructions for disabling the photo geotagging function on iPhone, BlackBerry, Android and Palm devices.
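To make concrete what a geotag actually is, here is an added example (not code from the column, the ICanStalkU site, or the original post) that works on the TIFF-structured EXIF payload cameras and phones embed in a JPEG: it builds a constructed sample with a GPS sub-IFD, reads the latitude and longitude back out as decimal degrees, and then neutralizes the GPS sub-IFD in place so the coordinates are gone but every other offset in the file stays valid. It uses only the Python standard library. The sample bytes, the coordinates and the helper names are all mine; a real photo wraps this payload in an APP1 segment after the bytes "Exif\0\0", which the example does not parse.

```python
import struct

GPS_IFD_TAG = 0x8825                 # IFD0 entry pointing at the GPS sub-IFD (GPSInfo)
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x1, 0x2, 0x3, 0x4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type -> bytes per value


def build_sample_exif():
    """Construct a little-endian TIFF-structured EXIF payload (the bytes that follow
    'Exif\\0\\0' in a JPEG APP1 segment) holding a Model tag and a GPS sub-IFD.
    Constructed sample for this example, not a real photo."""
    model = b"SampleCam\x00"
    ifd0_off = 8
    model_off = ifd0_off + 2 + 2 * 12 + 4         # IFD0: count + 2 entries + next-IFD pointer
    gps_off = model_off + len(model)
    lat_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD: count + 4 entries + next-IFD pointer
    lon_off = lat_off + 3 * 8                     # three RATIONALs of 8 bytes each

    def entry(tag, typ, count, value_or_off):
        return struct.pack("<HHII", tag, typ, count, value_or_off)

    def inline_ascii(tag, s):                     # values of 4 bytes or fewer live in the entry itself
        return struct.pack("<HHI4s", tag, 2, len(s), s.ljust(4, b"\x00"))

    def rationals(dms):                           # degrees, minutes, seconds as unsigned rationals
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = (struct.pack("<H", 2) + entry(0x0110, 2, len(model), model_off)
            + entry(GPS_IFD_TAG, 4, 1, gps_off) + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4) + inline_ascii(GPS_LAT_REF, b"N\x00") + entry(GPS_LAT, 5, 3, lat_off)
           + inline_ascii(GPS_LON_REF, b"W\x00") + entry(GPS_LON, 5, 3, lon_off) + struct.pack("<I", 0))
    return (header + ifd0 + model + gps
            + rationals([(37, 1), (46, 1), (3000, 100)])      # 37 deg 46' 30.00" N (constructed)
            + rationals([(122, 1), (25, 1), (1200, 100)]))    # 122 deg 25' 12.00" W (constructed)


def _read_ifd(data, off, endian):
    """Parse one IFD into {tag: (type, count, offset_of_value)}."""
    n = struct.unpack_from(endian + "H", data, off)[0]
    entries = {}
    for i in range(n):
        ent_off = off + 2 + 12 * i
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", data, ent_off)
        if TYPE_SIZES.get(typ, 1) * count <= 4:
            val_off = ent_off + 8                              # value stored inline in the entry
        else:
            val_off = struct.unpack_from(endian + "I", raw)[0] # otherwise the 4 bytes are an offset
        entries[tag] = (typ, count, val_off)
    return entries


def _decode(data, endian, typ, count, off):
    if typ == 2:                                               # ASCII
        return data[off:off + count].rstrip(b"\x00").decode("ascii")
    if typ == 4:                                               # LONG
        return struct.unpack_from(endian + "I", data, off)[0]
    if typ == 5:                                               # RATIONAL: numerator/denominator pairs
        v = struct.unpack_from(endian + "II" * count, data, off)
        return [v[i] / v[i + 1] for i in range(0, 2 * count, 2)]
    raise ValueError("unsupported TIFF type %d" % typ)


def extract_gps(exif):
    """Return (lat, lon) in signed decimal degrees, or None when no usable GPS IFD exists."""
    endian = "<" if exif[:2] == b"II" else ">"
    ifd0 = _read_ifd(exif, struct.unpack_from(endian + "I", exif, 4)[0], endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(exif, _decode(exif, endian, *ifd0[GPS_IFD_TAG]), endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def to_degrees(val_tag, ref_tag, negative_ref):
        d, m, s = _decode(exif, endian, *gps[val_tag])
        deg = d + m / 60 + s / 3600
        return -deg if _decode(exif, endian, *gps[ref_tag]) == negative_ref else deg

    return round(to_degrees(GPS_LAT, GPS_LAT_REF, "S"), 6), round(to_degrees(GPS_LON, GPS_LON_REF, "W"), 6)


def strip_gps(exif):
    """Neutralize the GPS sub-IFD in place: wipe its out-of-line values, zero its entries and
    set its entry count to 0.  Nothing moves, so all other offsets in the payload stay valid."""
    endian = "<" if exif[:2] == b"II" else ">"
    buf = bytearray(exif)
    ifd0 = _read_ifd(exif, struct.unpack_from(endian + "I", exif, 4)[0], endian)
    if GPS_IFD_TAG not in ifd0:
        return bytes(buf)
    gps_off = _decode(exif, endian, *ifd0[GPS_IFD_TAG])
    n = struct.unpack_from(endian + "H", exif, gps_off)[0]
    for typ, count, val_off in _read_ifd(exif, gps_off, endian).values():
        size = TYPE_SIZES.get(typ, 1) * count
        if size > 4:                                           # coordinates live out of line
            buf[val_off:val_off + size] = b"\x00" * size
    buf[gps_off:gps_off + 2 + 12 * n] = b"\x00" * (2 + 12 * n) # count = 0 and zeroed entries
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_exif()
    print("before:", extract_gps(sample))        # (37.775, -122.42)
    print("after: ", extract_gps(strip_gps(sample)))   # None
```

The in-place zeroing is deliberate: it is the simplest transformation that removes the coordinates without having to relocate every other IFD entry, which is what a full rewrite by a tool such as exiftool does. For a real file, locate the APP1 segment, hand the bytes after "Exif\0\0" to these functions, and remember that the thumbnail IFD and maker notes can carry copies of the location too.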

Those of us who work in the behavioral healthcare world have long been concerned with issues of privacy for our patients and consumers of our services. We work hard to assure that only appropriate individuals have access to their treatment records, demographic and other protected health information (PHI). In fact, the law requires us to assure that only those who have a right to access this information have the ability to do so.

What are the implications for geotags on the issue of PHI? Right now, you need to post a photo on the internet or utilize an application that specifically makes use of the geotagging capability of your device to reveal your location. What happens when that capability is not revealed to you…or when it is revealed in a use statement that is so dense with legalese that you do not even read it? Here is a scenario from a not very distant future.

As a case manager for a community behavioral health organization, I want to be sure that I can always reach persons who use our services in case of an emergency. As a result, I keep a listing of the phone numbers of all my clients in my smartphone. Any time a new client comes in or a current client changes their contact information, I synchronize my phone list with my computer list. It has become so easy to do over my wireless network at home and the office that I am always up-to-date. Besides, having the list with me when I make a home visit means I can confirm my appointments before I head to see the consumer. I only include first name and phone number so confidentiality is protected, and my phone is password-protected.

I know I am not supposed to, but I also use my phone for some of my personal activities. I like to surf the web when I am waiting to see a client or while sitting in the train station. I have not disabled the features of newgoogle that customize the advertisements I get to match the web surfing I do…in fact I kind of enjoy it. I don’t use Twitter very often, but I like to check in every once in a while. And the new video feature is a great way to see where my friends are when they tweet. Last week I tweeted from the train and from the park across the street from my client’s apartment. Sometimes, I insist my kids do video calls with me so I can see where they are. I never thought I would enjoy this new technology so much!

What’s wrong with this picture? Is the client’s PHI actually protected? Do you see any concerns in this scenario? How far are we from someone who telephones us being able to know immediately exactly where we are? Is the casual attitude of many people toward privacy and technology something to be concerned about? Is our ignorance about the technology we use acceptable?

What do you think…am I just a bit paranoid? Is the customer who sent me this article concerned about something that is of no consequence? Where do you stand on the issues around privacy and technology? Please share your comments below.