Archive for HIPAA News
The PHI of approximately 90,000 UW Medicine patients was compromised in October when a health system employee opened an email attachment containing malicious software (malware), according to a statement on the UW Medicine website.
The malware accessed data on patients of the health system's Harborview Medical Center and University of Washington Medical Center. The files may have contained patient names, dates of birth, medical record numbers, addresses, telephone numbers, dates of service, amounts charged for services, Social Security numbers, and, where applicable, Medicare numbers, according to UW Medicine. The health system does not believe the breach was a targeted effort to obtain patient data, the statement says.
With most of the provisions of the HIPAA omnibus rule now in effect, separating fact from fiction is important with respect to HIPAA compliance. HealthIT.gov recently published a list of the top 10 security risk analysis myths, and proceeded to set the record straight so covered entities and business associates can continue on their paths to compliance.
The following is a breakdown of the first five myths on the list:
- Myth: Security risk analysis is optional for small providers.
Reality: All HIPAA covered entities and providers who want to receive EHR incentive payments must conduct a risk analysis.
- Myth: By installing a certified EHR, you have fulfilled the security risk analysis meaningful use requirement.
Reality: Even with a certified EHR, you must perform a full security risk analysis. Security requirements apply to all ePHI your organization maintains, not just the information stored in your EHR.
- Myth: Your EHR vendor took care of everything you need to do with regard to privacy and security.
Reality: Your organization is solely responsible for having a complete risk analysis conducted. An EHR vendor may provide information, assistance, and training on the privacy and security aspects of its product, but vendors are not responsible for making their products compliant with the HIPAA Privacy and Security Rules.
- Myth: You must outsource the security risk analysis.
Reality: Small practices can often perform their own risk analysis by relying on self-help tools. However, a thorough risk analysis that stands up to a compliance review likely necessitates the assistance of expert knowledge outside your organization.
- Myth: A checklist will suffice for the risk analysis requirement.
Reality: Checklists are useful tools, especially when starting a risk analysis, but they fall short of performing a systematic risk analysis or documenting that one has been performed.
Using a workplan template and a checklist together can minimize the risk of disclosing PHI during multi-site research, advises an article in BMC Medical Informatics and Decision Making.
The workplan template serves as a guide for programmers working across sites, communicating how a program should run, what output it produces, and whether that output may contain PHI. The checklist is then used to verify that the output meets expectations and contains no PHI the project has not explicitly allowed, according to the article.
Conducting healthcare research across multiple sites often increases the risk of a privacy or security breach, according to the article. The multi-site researchers who wrote the paper concluded that data privacy tools should do the following:
- Allow for a range of permissible PHI
- Identify types of data protected by HIPAA
- Help analysts identify allowable PHI in a project and understand how they can protect that PHI during data transfer
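The checklist step above, turned into runnable form as an added example (this is not code from the BMC article or its authors): a scanner that classifies each cell of a site's output file against a handful of HIPAA Safe Harbor identifier types, flags anything the project workplan did not explicitly allow, and can rewrite the file with the disallowed cells redacted before it leaves the site. The column names, the regexes, the age-over-89 rule's column, the sample CSV and the single `("service_date", "full_date")` allowance are all assumptions constructed for the example, not taken from the article.

```python
"""Scan a multi-site research output file for PHI the project workplan did not allow.

Added example; not code from the BMC article. Column names, regexes and the
sample CSV are constructed for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass

# A few HIPAA Safe Harbor identifier types, matched by pattern.
# Assumption: illustrative regexes, not an exhaustive identifier catalogue.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "full_date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Columns that are PHI by definition whenever they are non-empty
# (assumed column names for this example).
PHI_COLUMNS = {"patient_name": "name", "mrn": "medical_record_number", "ssn": "ssn"}

# Safe Harbor treats ages over 89 as identifying; assumed name of the age column.
AGE_COLUMN = "age_years"

# Marker written into cells that redact_output() has already cleared.
REDACTED_PREFIX = "[REDACTED:"


@dataclass(frozen=True)
class Finding:
    row: int
    column: str
    kind: str
    value: str


def classify(column, value):
    """Return the set of PHI kinds present in one cell (empty if none)."""
    kinds = set()
    if not value or not value.strip() or value.startswith(REDACTED_PREFIX):
        return kinds
    if column in PHI_COLUMNS:
        kinds.add(PHI_COLUMNS[column])
    if column == AGE_COLUMN and value.strip().isdigit() and int(value) > 89:
        kinds.add("age_over_89")
    for kind, pattern in PHI_PATTERNS.items():
        if pattern.search(value):
            kinds.add(kind)
    return kinds


def scan_output(csv_text, allowed):
    """Findings for every PHI element not in `allowed`, a set of (column, kind)
    pairs the workplan permits for this project."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for column, value in row.items():
            for kind in sorted(classify(column, value)):
                if (column, kind) not in allowed:
                    findings.append(Finding(row_no, column, kind, value))
    return findings


def redact_output(csv_text, allowed):
    """Rewrite the CSV with every disallowed PHI cell replaced by a marker."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for column, value in row.items():
            disallowed = sorted(k for k in classify(column, value) if (column, k) not in allowed)
            if disallowed:
                row[column] = REDACTED_PREFIX + ",".join(disallowed) + "]"
        writer.writerow(row)
    return out.getvalue()


# Constructed sample output from a hypothetical site programmer.
SAMPLE_OUTPUT = """study_id,mrn,service_date,age_years,note
S001,12345678,2013-03-04,54,Pt called back at 206-555-0142
S002,,2013-04-11,61,Follow-up scheduled
S003,,2013-05-02,92,No issues
"""

# The (assumed) workplan for this project permits dates of service and nothing else.
WORKPLAN_ALLOWED = {("service_date", "full_date")}

if __name__ == "__main__":
    for f in scan_output(SAMPLE_OUTPUT, WORKPLAN_ALLOWED):
        print(f"row {f.row} {f.column}: {f.kind} -> {f.value!r}")
    print(redact_output(SAMPLE_OUTPUT, WORKPLAN_ALLOWED))
```

Run against the sample, the scan reports the medical record number in row 1, the phone number buried in the free-text note of row 1, and the age of 92 in row 3, while the dates of service pass because the workplan allowed them. The allow-list is the "range of permissible PHI" the article asks tools to support; a real deployment would load it from the project's workplan rather than hard-code it, and would treat free-text columns with more suspicion than the four regexes here can justify.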
An October 24 U.S. House of Representatives hearing on HealthCare.gov sparked a debate over whether the Obamacare website violates users' privacy, International Business Times has reported. During the hearing, Rep. Joe Barton, R-Texas, said the website's source code contains a statement that users have "no reasonable expectation of privacy about communication or data stored on the system," the online newspaper reported. That statement is not displayed to users of the site. Barton alleged that the website violates HIPAA, according to the article.
Rep. Diana DeGette, D-Colo., said during the hearing that HealthCare.gov does not violate HIPAA because the only medical information users enter when using the site is whether they are smokers, International Business Times reported.
Department of Veterans Affairs (VA) employees or contractors were responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 through May 2013, according to a recent Pittsburgh Tribune-Review investigation. The violations affected at least 101,018 veterans and 551 VA employees, the newspaper reported.
Reporters analyzed the VA Risk Management and Incident Response Resolution Team reports, which revealed a history of medical record snooping and the loss of sensitive data such as Social Security numbers. Since 2010, criminal investigators found 11 instances of VA employees stealing veterans’ identities or prescriptions, according to the report.
The newspaper uncovered the following information during its investigation of records from 2010 through May 2013:
- The VA reported only one in every 365 privacy violations to its Office of Inspector General (OIG).
- Providers violated the privacy of 2,856 veterans by illegally releasing patient information or failing to obtain patient consent for studies.
- The VA compromised the PHI of 16,183 veterans by failing to encrypt data on electronic media that were lost or stolen.
- VA employees compromised the PHI of 836 veterans and two VA employees when they lost paperwork in restrooms.
- VA employees compromised the PHI of 1,118 veterans by faxing medical records to the wrong destinations.
- The VA provided prescriptions or paperwork of 5,254 veterans to the wrong person. One in five of these incidents resulted in the disclosure of veterans’ birth dates, complete or partial Social Security numbers, or diagnoses.