Archive for December, 2013
The U.S. Department of Health and Human Services (HHS) ended 2013 with a bang, slapping Adult & Pediatric Dermatology, P.C., in Concord, Mass., (APDerm) with a $150,000 fine for potential HIPAA violations, according to a December 26 press release.
APDerm is the first covered entity to enter into a settlement with HHS for failure to implement breach notification policies and procedures as required by the HITECH Act, according to the press release.
APDerm violated the HIPAA Privacy and Security Rules for failing to conduct a risk analysis after the theft of an unencrypted thumb drive containing the PHI of approximately 2,200 patients from a staff member’s vehicle. The practice also violated the administrative requirements of the Breach Notification Rule by failing to provide written policies and procedures and to train its workforce on HIPAA compliance until February 7, 2012, according to the press release.
In addition, APDerm agreed to a corrective action plan, which requires it to develop a risk analysis and risk management program and provide an implementation report to the Office for Civil Rights, according to the press release.
Q . May organizations include inserts in their current patients’ rights brochures with updated information about their right to receive their medical files electronically, or must they reprint their entire brochures? We have a backstock of brochures and prefer to use them before we reprint them.
A. Reprinting the entire brochure is not required; an insert is permissible as long as it doesn’t contradict information in the actual notice. You should call this a notice of privacy practices (NPP) rather than a patient’s rights brochure because the latter includes rights unrelated to PHI, and there are specific things that must be included in each. Access sample NPPs at www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. Note that the HIPAA Omnibus Rule requires changes beyond the right to receive an electronic copy. Remember that the intent of the NPP is to explain to your patients what you are doing with their information and their rights pertaining to their PHI. Be sure to date your NPP and post the additional information prominently in your facility and on your website.
Editor’s note: This question was answered by Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H. This information does not constitute legal advice. Consult legal counsel for answers t j o specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at email@example.com.
Individuals at UCSF Medical Center are among the latest victims of a breach of PHI caused by laptop computer theft, according to the UCSF website. The physician could not verify whether the computer was encrypted, although it was determined that the physician was authorized to store the individuals’ data on it, according to UCSF.
UCSF sent notification letters to 8,294 affected individuals after a personal laptop computer and paper documents with patient information were stolen from the locked vehicle of a physician at the UCSF School of Medicine Division of Gastroenterology. The computer contained dates of birth, medical record numbers, and Social Security numbers. Information on paper documents included but was not limited to health insurance subscriber numbers, according to UCSF.
Business2Community.com recently published a list of seven questions to ask communications service providers that serve as your business associates (BA). The website recommends asking the following questions before entering into an agreement with a business telephone service provider, fax service provider, or call center:
- Are you a HIPAA-compliant BA?
- What has your company done to ensure compliance?
- Have independent experts assessed your HIPAA compliance?
- Can your communications provider provide my business a HIPAA BA Agreement?
- Can the services that you provide my business be configured to be HIPAA-compliant?
- Can you recommend particular configurations of our system to help us comply?
- Can your firm provide encryption for both “data in motion” and “data at rest”?
Organizations responding to eFax’s Healthcare IT Pulse Survey ranked financial liability over HIPAA noncompliance (37%) as the biggest security concern related to sensitive data. Surprisingly, respondents were less concerned about exposing sensitive medical data (18%), according to the survey.
The majority of survey respondents (54%) say HIPAA compliance is the top concern related to the influx of paperwork attributable to the Affordable Care Act (ACA). The survey identified document management, organization, and record keeping (48%) as a secondary concern related to the ACA.
Online fax was identified by 42% of respondents as the most effective technology solution for HIPAA-compliant security for transmission of sensitive documents. Respondents also ranked the following technologies as the most valuable for ensuring HIPAA compliance:
- IT disaster recovery and offsite backup (48.5%)
- Private cloud (46.5%)
- Audit reports and tracking logs (44.4%)
- Online fax service (36.4%)