
Current HIPAA News

Regulated To The Hilt - The Impact of Government Regulations On The Data Center

According to William M. Miaoulis, subject matter specialist for Phoenix Health Systems, if you consider the major government regulations, including HIPAA and Sarbox, the impact will be seen for years to come. Miaoulis notes, "Initial impacts include an increased need for processing power; as EMR (electronic medical records) implementations become widespread due to government initiatives, they become more complex, as well as more prevalent in the marketplace. Longer term, organizations will have to take a harder look at redundant facilities and data to ensure that the information to treat patients is available when necessary." He says the hybrid days when data redundancy was split between a paper chart and an EMR are rapidly approaching extinction.

Fawcett's Cancer Battle Highlights Need for Privacy

John Commins, for HealthLeaders Media, May 11, 2009
Fawcett, 62, the one-time Charlie's Angels star and pin-up poster goddess of 1970s America, told the newspaper that her efforts to fight anal cancer were made more difficult when her personal medical records were illegally accessed by at least one employee at UCLA Medical Center. That employee then sold the information for $4,600 to the National Enquirer.

Because of the continuing unwanted publicity about her health, Fawcett had to take her attention away from fighting a deadly disease and devise—on her own—a sting operation to catch the snooping employee. In May 2007, when she learned that her cancer had returned, she told no one. Still, the news came out in the Enquirer within "maybe four days." When Fawcett asked UCLA Medical Center for the name of the snooping employee, she says a hospital official refused to provide it, saying they had a responsibility to "protect our employees." "And I said, 'More than your patients?' . . ." Fawcett told The Times.

Kaiser Hospital Fined $250,000 for Privacy Breach in Octuplet Case

By Charles Ornstein, May 15, 2009
The Bellflower facility, where 23 unauthorized workers accessed Nadya Suleman's records, is the first to be monetarily penalized under a new state law.

California health regulators fined Kaiser Permanente's Bellflower Hospital $250,000 Thursday for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who set off a media frenzy after giving birth to octuplets in January.

Johns Hopkins Hospital at center of identity theft probe

Indictment of former employee expected as part of driver's license scheme
By Liz F. Kay liz.kay@baltsun.com
2:55 PM EDT, May 12, 2009
Federal authorities are investigating the theft of patient information, possibly by a former Johns Hopkins Hospital employee, as part of a scheme to make fraudulent Virginia driver's licenses. The employee, who worked in the patient registration area, would have had access to information such as names, addresses, parents' names and Social Security numbers as part of her job duties, according to a letter the hospital sent to the identity theft unit of the state attorney general's office last month.

Fallon Business Associate Breach - Video

(NECN) - Questions surround a security breach at Worcester-based "Fallon Community Health Plan." Some are wondering why it took several weeks before the company went public with the theft of a computer that contained personal information on roughly 30,000 customers.
NECN's Jennifer Eagan reports.

The link takes you to a video report.

Miaoulis - NOTE: This is a reminder that healthcare organizations should work closely with the organizations with whom they share data (their business associates).

Hackers Compromise 160,000 Student Healthcare Records

PCWORLD.COM
The University of California at Berkeley Friday disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.
The attackers may have taken information related to health-insurance coverage and certain medical information as well as the University Health Services (UHS) medical-record number, dates of visits or names of healthcare providers seen, as well as information such as Social Security Number, according to the statement released by UC Berkeley.

About 160,000 individuals are believed to be impacted, including about 3,400 Mills College students whose medical care is tied to health care at Berkeley. Social Security Numbers are used as unique identifiers for students enrolled in the campus Student Health Insurance Plans, the university says.

JOURNAL OF AHIMA - MAY 2009

Sequestering EHR Data in IT Systems
William M. Miaoulis, Subject Matter Specialist with Phoenix Health Systems, wrote an article titled "Sequestering EHR Data in IT Systems" for the Journal of AHIMA, May 2009.

http://journal.ahima.org/2009/05/01/journal-of-ahima-may-2009/

You must be a member of AHIMA to read this article; however, the Journal also contains information on other topics that is available to non-members.

CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case

The U.S. Department of Health and Human Services and the Federal Trade Commission today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels.

The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act.

OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public. At the same time, the FTC opened an investigation of CVS.

OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC.

“OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR.  “Such safeguards will benefit consumers everywhere.”

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.

Among other issues, the reviews by OCR and the FTC indicated that:

  • CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and
  • CVS failed to adequately train employees on how to dispose of such information properly.

Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf.

OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information. They can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

Information about the FTC Consent Order agreement is available at www.ftc.gov.