Archive for July, 2012
Nearly 4,000 patients’ PHI may have been compromised when a physician’s personal laptop computer was stolen from a Boston hospital, according to a July 23 report by the hospital.
Beth Israel Deaconess Medical Center (BIDMC) is in the process of notifying the approximately 3,900 patients, according to the notice on the hospital’s website.
The computer was stolen from the office of a BIDMC physician on May 22. The computer, which contained a tracking device, has not been recovered, nor has the tracking device been activated. Police officials arrested a suspect in the theft.
Meanwhile, BIDMC engaged a national forensic firm to investigate whether data was compromised.
According to BIDMC, there has been no indication that any information has been misused. The laptop contained files that included short summaries of medical information used for administrative purposes within BIDMC, but did not contain complete medical records and did not contain patient financial information such as social security numbers. Also included on the stolen laptop were approximately 230 administrative employee records.
“We take the incident extremely seriously, and have now accelerated implementation of a program to assist employees with protecting devices they purchase personally,” said John Halamka MD, BIDMC’s chief information officer. “We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families.”
BIDMC has enhanced physical security in office buildings and mounted a campaign to raise awareness about data security issues within the organization at all levels, officials said.
Yep. We’re just a month over three years old here blogging about all things HIPAA. Who knew over the past 1,000-plus days we’d see:
- Nearly 500 reports of breaches affecting more than 500 individuals
- Four more entities join the $1 million settlement-with-OCR club for HIPAA violations
- A HIPAA mega rule just about to be released, a potential game-changer
- A new OCR director
Want to join the fun? Start a conversation.
Check out this sneak peek from an August 2012 Briefings on HIPAA article. You can purchase the full story here.
Phyllis Patrick, MBA, FACHE, CHC, wasn’t surprised by the results of the initial 20 OCR HIPAA compliance audits.
“I tell people, if you’re doing the right things and have privacy and security programs in place, you should be okay,” says Patrick, founder of Phyllis A. Patrick & Associates, LLC, in Purchase, N.Y.
However, the many findings that resulted from the initial audits, conducted last winter by KPMG, indicate that many organizations are clearly not okay.
Back to basics
Patrick’s advice is to go back to the basics.
Mac McMillan, CISSP, CEO of CynergisTek in Austin, Texas, also wasn’t surprised by the audit results. He and his consultants assess organizations’ HIPAA compliance, and he knows that issues exist.
In the initial audits, most organizations performed far better with respect to privacy than security. The scattering of small numbers of findings across many different areas indicates no clear trends with respect to privacy shortcomings, McMillan says. His advice? Pay better attention to detail. “Organizations have programs and policies. They just are not disciplined in how they implement them,” he says. “I would say to them, ‘Keep doing what you are doing, but be more diligent.’”
Is one of the toughest states for privacy laws softening?
Some may say that about California’s pursuit of “harmonizing” its state privacy laws with the federal HIPAA laws.
But Golden State officials merely say it’s an effort to eliminate the problems caused by the disparity between federal and state laws in the field of health information exchange. And they say they are following the lead of other states, such as Texas and Kansas, which have already gone down this road.
The teams leading the charge – California’s Privacy and Security Steering Teams (PST and SST) – are under the direction of the California Office of Health Information Integrity (CalOHII). They want to “harmonize” the California Confidentiality of Medical Information Act with HIPAA.
“New health information technologies raise new consumer privacy and provider liability concerns that existing laws were never originally created to address,” the teams wrote in a report. “Failure to effectively address these critical concerns could lead to limited participation by patients, providers and vendors in health information exchange, costly legal conflicts, and regression back to inefficient and costly paper based information systems.”
California-based Consumer Watchdog said in a release the effort to harmonize state and federal laws must not “weaken current California privacy protections.”
“Unfortunately CalOHII has offered no way to tell whether this is the case,” wrote John M. Simpson, Consumer Watchdog’s Privacy Project director. “… To be blunt, there is nothing about the process of developing these recommendations so far that leads Consumer Watchdog to believe that the goal is to strengthen privacy protections for Californians’ medical information.”
California officials want to “clarify and augment” privacy rights of Californians and provide healthcare entities a “unified legal framework” for protection of individually identifiable health information.
“Law harmonization will minimize confusion as healthcare providers and plans seek to comply with legal requirements and provide consistency, which will enable safe and secure exchange of personal health information,” according to the CalOHII report. “Harmonizing California privacy and security laws is critical to the successful implementation of health information exchange (HIE) in California.”
California is known for its strict privacy laws. For instance, those discovering a breach of PHI in California must notify state officials within five business days. OCR’s interim final rule on breach notification gives providers up to 60 days to notify.
Would you want more fluidity between your state’s privacy laws and HIPAA?
Weigh in on this post and let us know your thoughts!
A patient gets a call from a hospital and is asked to participate in a survey. The caller says it’s a routine patient survey, but the patient is on edge because it seems the caller knows a little bit too much about her recent stay based on the questions.
That’s pretty much the case out of Clinton, CT, where patients are complaining about a too-close-for-comfort survey call from a health center there, according to the Hartford Courant.
It’s the same health center whose doctor, Tory Z. Westbrook, is accused of sexually assaulting female patients. Some of the questions addressed patients’ comfort level with his medical examinations, according to the Courant.
Two women said their privacy was violated.
According to the article, patient Josie Wright said “the survey’s caller named Westbrook specifically.” Another patient, Melissa Engle, told the surveyor she had concerns because she felt “they were probing her about Westbrook.”
“Shame on the clinic for giving out patient information,” Engle told the Courant.
How does your facility handle patient surveys? Are the questions vetted to ensure no patient feels as if their privacy was violated?
Let us know!