Archive for May, 2013
More testimony and impassioned pleas over HIPAA:
This time it comes from Gregg Wolfe, who testified before a House subcommittee after he lost his son, Justin, a Temple University student, in December 2012 to an accidental heroin overdose at the age of 21, according to ABC News.
ABC reported the father did not know about his son’s situation.
“With the HIPAA regulations, if I would have known, and would have been apprised that he was doing heroin, a whole different strategy would have been proposed and mandated as far as him getting the proper care that he deserved and needed,” said Wolfe.
Wolfe went on to say danger to a patient or others caused by health problems should supersede HIPAA protections.
“He could have taken out my son’s life — my other son — he could have taken out other people’s lives, not realizing what he was doing, not being malicious,” Wolfe said.
“We should have an exception where the parents or legal caretakers of a minor or emancipated adult with drug abuse or mental health histories who continue to cover them with health coverage or continue to support them financially, have access to their health care records until the age of 26 to prevent them from harming themselves or society,” the father added.
According to the Capitol Hill testimony, many doctors are unclear about where their safe harbor lies, according to ABC News.
The University of Rochester Medical Center has sent letters to a group of former orthopaedic patients, alerting them to the loss of PHI, it announced on its website May 3.
URMC before the website post notified 537 patients that a resident physician misplaced a USB computer flash drive that carried PHI. The flash drive was used to transport information used to study and continuously improve surgical results. The information was copied from other files and so its loss will not affect follow-up care for any patients.
The flash drive included the patients’ names, gender, age, date of birth, weight, telephone number, medical record number (a number internal to URMC), orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure, and complications, if any. No address, social security number or insurance information of any patient was included.
The flash drive is believed to have been lost at a URMC outpatient orthopaedic facility. After an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry. A search of the laundry service, which works exclusively with hospital/medical facilities, also failed to locate the drive.
Affected patients are being given phone numbers to call for further information. In addition, URMC is re-educating faculty and staff about its policy that requires the use of encrypted drives when transporting protected health information on flash drives. Over the past year, URMC also has developed new rules for the use of smart phones, iPads and other mobile devices to safeguard protected health information. In addition, URMC encourages its physicians and staff to access sensitive patient information using its secure network rather than transfer information on portable devices.
HHS has undertaken a campaign to educate HIV positive Black men who have sex with men (BMSM) about their health information privacy rights, including the right to access a copy of their medical record.
The goal of this effort is to educate consumers, in particular HIV positive BMSM, about the HIPAA and their health information privacy rights. The campaign will focus on increasing awareness of individuals’ rights to health information privacy through public service announcements and outreach, including the right to access a copy of their medical record.
An event will take place Friday, May 24, at 10 a.m. at Whitman-Walker Health in Washington, D.C. to learn how we can all protect patients’ rights.
In the business of corrective action plans for HIPAA violations, OCR means business these days. Just take a look at some of the must-dos for Idaho State University, which agreed to pay HHS $400,000 Security Rule violations involving the breach of unsecured electronic PHI of 17,500 individuals who were patients at an ISU clinic:
- Hybridization: ISU shall provide HHS with documentation designating it a hybrid entity and identifying all of its components that have been designated covered healthcare components within 30 days of the effective date.
- Risk management: ISU shall provide HHS with its most recent risk management plan that includes specific security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level for all of its covered healthcare components. ISU shall provide the risk management plan to HHS within 30 days of the effective date for review and approval
- Information System Activity Review: ISU shall provide HHS with documentation of implementation of its policies and procedures regarding information system activity review across all of its covered healthcare component clinics. ISU shall provide the documentation to HHS within 60 days of the effective date for review and approval.
- Compliance Gap Analysis: ISU shall provide documentation of its updated compliance gap analysis activity entitled Post Incident Risk Assessment, as specified by HHS, indicating changes in compliance status regarding each Security Rule provision. Such documentation shall include, but is not limited to, a copy of the contingency plan and the documents implementing the contingency plan as well as a listing of all technical safeguards implemented and the documents implementing the technical safeguards, across its covered healthcare component clinics, within 30 days of the effective date.
- Reportable Events: For a period of two years ISU shall, upon receiving information that a workforce member may have failed to comply with its Privacy and Security policies and procedures, promptly investigate the matter. If ISU, after review and investigation, determines that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, ISU shall notify HHS in writing within 30 days from the date ISU made its determination. Such violations shall be known as “Reportable Events.”
Idaho State University (ISU) has agreed to pay $400,000 to HHS for violations of the HIPAA Security Rule, HHS announced May 21. This settlement involves the breach of unsecured electronic PHI of 17,500 individuals who were patients at an ISU clinic.
OCR, which enforces HIPAA under HHS, opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have in place procedures for routine review of information system activity which could have detected the breach in the firewall much sooner.
Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.
Read the OCR resolution agreement.