Archive for June, 2013
The HIPAA omnibus rule provides greater protection for PHI by imposing more stringent requirements and limits on a covered entity’s (CE) use and disclosure of that information when it comes to functions such as marketing, sales, and fundraising.
Some of the changes in the new rule make things more difficult for CEs and their business associates (BA), while others make compliance easier, said Jeff Drummond, a partner with Jackson Walker, LLP, in Dallas. Drummond discussed those changes during HCPro’s May audio conference “HIPAA/HITECH Omnibus Rule: Stay Compliant with 2013 Changes.”
OCR reported 12 large patient information breaches in June, bumping the total number of breaches to 619, according to its breach notification website.
OCR, the HIPAA privacy and security enforcer, began posting the breaches in February 2010 to comply with HITECH. Since that time, OCR has reported an average of 15 breaches per month, or one every other day. The breaches date back to September 2009 but began appearing online in February 2010.
Personally identifiable information of more than 6 million Medicare beneficiaries was compromised because of a government contractor’s lack of adequate security controls of USB devices, according to an Office of Inspector General (OIG) report released in June.
OIG assessed the USB device controls at Quality Software Services, Inc. (QSSI), the contractor responsible for testing changes to the CMS Medicare systems and the effect of those changes on beneficiary data. OIG found QSSI had not sufficiently implemented federal requirements for information system security controls over USB ports and devices because QSSI had not:
- Listed essential system services or ports in its system security plan
- Disabled, prohibited, or restricted the use of unauthorized USB device access
“QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures,” OIG wrote in its report.
OIG recommended that QSSI update and implement sufficient policies and procedures to ensure that USB controls comply with federal requirements.
Specifically, QSSI should:
- List essential system services and ports in its system security plan
- Update its policies and procedures to prohibit the use of unauthorized USB devices on its systems that store or process Medicare information
- Limit USB port access to essential connections
- Disable, prohibit, or restrict unauthorized USB device access
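The last two recommendations are the kind of control an administrator can actually verify on a host. The script below is an added example, not something from the OIG report or from QSSI: on Linux it audits attached USB devices (the `idVendor`/`idProduct` entries under `/sys/bus/usb/devices`) against an allow-list of `vendor:product` ids and de-authorizes anything not on the list through the kernel's `authorized` sysfs attribute. The allow-list ids and the fixture tree it builds for offline testing are constructed placeholders; a real deployment would pull the list from the system security plan and run against the live sysfs tree.

```shell
#!/bin/sh
# Added example (not from the page, the OIG report or QSSI): audit USB devices
# against an allow-list and de-authorize unauthorized ones.
# ALLOWED_IDS entries are constructed placeholders (vendor:product hex ids).
ALLOWED_IDS="1d6b:0002 1d6b:0003 046d:c52b"

# Print "<device> <vendor:product>" for each USB device under a sysfs-style
# tree. The root is a parameter so the audit can run against a constructed
# fixture instead of /sys/bus/usb/devices.
list_usb_ids() {
  root="$1"
  for dev in "$root"/*; do
    [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || continue
    printf '%s %s:%s\n' "$(basename "$dev")" \
      "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")"
  done
}

# Exit status 0 if the id is on the allow-list, 1 otherwise.
is_allowed() {
  for a in $ALLOWED_IDS; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# Print the devices that are not on the allow-list, one per line.
find_unauthorized() {
  list_usb_ids "$1" | while read -r name id; do
    is_allowed "$id" || printf '%s %s\n' "$name" "$id"
  done
}

# Write 0 to each unauthorized device's "authorized" attribute. On a live
# system this is the kernel's USB authorization knob and detaches the device.
deauthorize_unauthorized() {
  root="$1"
  find_unauthorized "$root" | while read -r name id; do
    echo 0 > "$root/$name/authorized"
  done
}

# Build a constructed sysfs-like fixture for offline testing: two allow-listed
# devices and one unknown mass-storage stick (ids are made up).
make_fixture() {
  root="$1"
  for spec in "1-1 1d6b 0002" "1-1.2 0781 5567" "1-1.3 046d c52b"; do
    set -- $spec
    mkdir -p "$root/$1"
    echo "$2" > "$root/$1/idVendor"
    echo "$3" > "$root/$1/idProduct"
    echo 1 > "$root/$1/authorized"
  done
}

# Usage on a real host (as root): find_unauthorized /sys/bus/usb/devices
```

Running `find_unauthorized` on the fixture reports only `1-1.2 0781:5567`; after `deauthorize_unauthorized` that device's `authorized` file reads `0` while the allow-listed devices are untouched. Blocking at the `authorized` attribute is a host-level stopgap; the policy update the OIG asks for still has to say which devices belong on the list.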
Stanford University’s Lucile Packard Children’s Hospital is notifying patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime in May, according to a statement on the hospital’s website.
This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an investigation with security and law enforcement. To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.
Information that could have been on the laptop included patient names, ages, medical record numbers, telephone numbers, scheduled surgical procedures, and names of the physicians involved in those procedures over a three-year period beginning in 2009.
The hospital is reaching out to approximately 12,900 patients whose information may have been compromised.
Some medical groups oppose the Obama administration proposal to open new doors into mental-health records for national gun background checks, The Wall Street Journal (WSJ) reported June 12.
HHS proposed the changes to the HIPAA Privacy Rule in April. The changes would call for states to authorize mental-health authorities to transmit records of those declared mentally unfit by a court or other authority to the National Instant Criminal Background Check System (NICS), maintained by the Federal Bureau of Investigation.
The National Association of State Mental Health Program Directors said in a June 7 letter to HHS that the proposal would only serve “to exacerbate the stigma faced by people with mental illnesses and could potentially have a significant chilling effect” on their resolve to seek help, according to WSJ.
Rachel Seeger, OCR spokesperson, told WSJ, “While we do not expect that providers are reporting on their patients directly to NICS,” doctors may need an exemption from the privacy law to report involuntary commitments to state mental-health authorities, which can then pass the records to the FBI database.