Archive for May, 2012
Navigating the new world of social media is challenging for many professionals, but perhaps none more so than the medical profession—physicians and other healthcare professionals must balance a tell-all online culture with the HIPAA Privacy Rule’s mandate to protect patient privacy.
With their ever-increasing popularity, social media sites such as Facebook and Twitter™ blur the lines between private and professional identities. Physicians must carefully consider their online lives and recognize that navigating a public space can get them in trouble, say two Boston physicians.
Arash Mostaghimi, MD, MPA, and Bradley H. Crotty, MD, physicians at Beth Israel Deaconess Medical Center, offered recommendations in “Ideas and Opinions: Professionalism in the Digital Age,” published April 19, 2011, in the Annals of Internal Medicine.
This article is adapted from an article that originally appeared in the April Briefings on HIPAA published by HCPro, Inc.
For a number of reasons, folks seem hesitant to purge hard-copy records that are older than the six-year retention requirement for HIPAA (Security or Privacy).
Consequently, people are asking whether they need to keep the original training sheets on file or whether they can scan them and get rid of the paper copies.
The answer is that these hard copies can certainly be kept on file indefinitely, but no requirement prevents a covered entity from scanning and filing documents used to substantiate that it has trained its workforce, such as class attendance roster sign-in sheets.
There are a number of other common questions that are coming up, given how long folks are keeping records on file, but I wanted to share this one first because it seems to be coming up more and more.
A Massachusetts hospital will pay the state $750,000 in a settlement following a breach of PHI that included missing unencrypted computer backup tapes and affected more than 800,000 patients in 2010, the state attorney general's office reported May 24.
South Shore Hospital reported the breach to Attorney General Martha Coakley’s office in July 2010. The information breached included individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.
The breach is the eighth largest since entities began reporting breaches affecting 500 or more individuals to OCR in September 2009.
In February 2010, South Shore Hospital of Weymouth, MA, shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals’ personal information and PHI, according to the AG’s office. The hospital contracted with Archive Data Solutions to erase the backup tapes and resell them.
The hospital did not inform Archive Data, however, that personal information and PHI were on the backup computer tapes, nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.
In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.
According to the AG’s office, South Shore Hospital:
- Failed to implement appropriate safeguards, policies, and procedures to protect consumers’ information
- Failed to have a Business Associate Agreement in place with Archive Data
- Failed to properly train its workforce with respect to health data privacy
According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes.
The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General. The state has credited South Shore $275,000 to reflect security measures it has taken subsequent to the breach.
A Massachusetts Eye and Ear Infirmary employee did not want to pay her electric bill. So she turned to some of her facility’s patients for help.
And now she has criminal charges pending.
Fallon Delacruz was fired, and she and her brother, Emmanuel, have been charged with identity theft and larceny after they used patients’ Social Security numbers to open accounts with National Grid, according to a May 19 report in the Patriot Ledger in Quincy, MA.
Mass. Eye and Ear has offered one year of free credit monitoring to potentially affected patients, and sent mail notifications to about 3,600 patients whose Social Security numbers Delacruz was able to access.
“We are saddened and disappointed that this former employee appears to have chosen to violate both our trust and that of our patients,” Mass. Eye and Ear president and CEO John Fernandez said in a statement. “We sincerely apologize for any inconvenience and concern caused by this incident.”
A HIPAA conviction stands for UCLA Healthcare System researcher Huping Zhou, according to a May 16 FierceEMR article.