Category: Data Privacy and Security
Posted on November 5, 2014 in Data Privacy and Security, EHRs, Health Information Technology, HIPAA, HITECH ACT, IT, Meaningful Use, Mobile Devices
Written by: Ralston, Justin C.
On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of their enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained in electronic health records (“EHRs”). The continued focus on data security contained in EHRs aligns with the goals of the OIG Strategic Plan 2014-2018, where OIG identified EHRs as one of its key focus areas until at least 2018.
Given the increased frequency and publication of health information breaches, it is no surprise the OIG for the first time indicated it plans to examine hospitals’ contingency plan policies and procedures to determine if adequate safeguards are in place in the event systems containing PHI are damaged. OIG also indicated it will continue to examine the Centers for Medicare & Medicaid Services’ (“CMS”) oversight of hospitals’ security controls over networked medical devices, such as dialysis machines, radiology systems and medication dispensing systems. OIG will also continue to conduct audits of eligible hospitals and professionals who received Medicare and Medicaid Meaningful Use Incentive payments to determine whether such payments were proper.
It is worth noting the Work Plan did not include assessing the security and vulnerabilities of portable devices containing PHI as a priority. This may be an indication OIG has completed its review of the issue.
Click here to read OIG’s Work Plan.
If you have any questions or would like additional information about these topics, please contact:
- Jeff Short at (317) 977-1413 or firstname.lastname@example.org;
- Justin Ralston at (317) 977-1477 or email@example.com; or
- Your regular Hall Render attorney.
Posted on April 15, 2014 in Data Privacy and Security, Health Information Technology, HIPAA, IT, Uncategorized
Written by: William A. Dummett
Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also decrypt traffic passing between a client and a server, known as a man-in-the-middle attack, or possibly unscramble encrypted communications they’ve collected in the past…
Posted on August 30, 2013 in Data Management, Data Privacy and Security, Health Information Technology, IT
Written by: Joshua P. Reading
Health information technology solutions that are remotely hosted or cloud-based are becoming more common. In these scenarios, a health care provider is allowing its data – often including protected health information (“PHI”) – to flow through or be stored in the vendor’s data center. If PHI is involved, the parties should determine whether a Business Associate Agreement (“BAA”) is necessary for HIPAA compliance. But knowing a vendor’s security standard – regardless of whether a BAA is in place – can give the health care provider confidence that its data will be protected, with a lower risk of damaging breaches occurring…
Posted on February 22, 2013 in Data Management, Data Privacy and Security, Health Information Technology, HIPAA, IT, Mobile apps, Mobile Devices, Mobile Medical Apps, Records Retention, Social Media
Written by: Dahlby, Mark R.
On February 1, 2013, the Federal Trade Commission (FTC) issued two publications recommending ways that key players in the mobile marketplace, such as operating system providers, application developers, advertising networks and analytics companies, can promote mobile privacy and security.
Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations
Posted on November 6, 2012 in Data Management, Data Privacy and Security, EHRs, Health Information Technology, HIPAA, HITECH ACT, IT, Mobile Devices, Mobile Medical Apps, Records Retention
Written by: admin
Attached is a link to a webinar that I recently conducted with Teramedica on Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations.
This one-hour webinar helps health care organizations gain tactical insight into the essential legal and business requirements of establishing an effective records management and data retention program. Patient data storage and data access are becoming one of the most costly and challenging areas of health care delivery…
Posted on July 9, 2012 in Data Privacy and Security
Written by: Michael T. Batt
In analyzing a claim under Article 4A (Electronic Funds Transfers) of the Uniform Commercial Code, the U.S. Court of Appeals for the First Circuit determined that a bank did not utilize commercially reasonable security procedures when it failed to monitor risk reports and decreased the dollar threshold that triggered the use of challenge questions by customers. Patco Construction Company, Inc. v. Peoples United Bank (July 3, 2012). The practical takeaway from this ruling is that “commercially reasonable security” requires active monitoring and that the effectiveness and commercial reasonableness of security procedures can be affected by treating all transactions as “high risk.”…
Posted on March 29, 2012 in Data Privacy and Security, Health Information Technology, Mobile apps, Mobile Devices, Mobile Medical Apps, Uncategorized
Written by: Alisa C. Kuehn
The public comment period regarding securing health information while using mobile devices ends on March 30, 2012. Information regarding ONC’s Mobile Device Roundtable discussion and a link to provide comments can be found here.
Should you have any questions, please contact Alisa Kuehn at 317.977.1475 or firstname.lastname@example.org.
Written by: Ammon R. Fillmore
The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on Tuesday, March 13, 2012, that Blue Cross Blue Shield of Tennessee (“BCBST”) will pay $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). BCBST had previously notified HHS that 57 unencrypted hard drives containing protected health information, social security numbers, diagnosis codes, dates of birth, and other sensitive information were stolen from a BCBST-leased facility.
This settlement represents the first enforcement action by OCR under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act Breach Notification Rule. HITECH requires that covered entities report a protected health information breach for 500 individuals or more both to the media and to HHS. BCBST reported the breach, but according to OCR, failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
For additional details regarding the enforcement action and settlement click here.
Should you have any questions, please contact Ammon Fillmore at 317.977.1492 or email@example.com.
Written by: admin
On Monday, March 5th, the American National Standards Institute (“ANSI”) issued its long-awaited report, “Financial Impact of Breached Protected Health Information” (http://webstore.ansi.org/phi/). The Report provides a good summary of the current state of health data privacy and security in the U.S., HIPAA legislative history, and some potential measures that can be taken to strengthen the protection of health data privacy and security. Most interestingly, the Report also discusses the financial impact of breached PHI, giving examples of actual costs that an organization might incur when a data breach occurs.
Let us know what you think of the Report’s findings and what steps your organization is taking to protect PHI. We’re also interested in any insights you have for other organizations to better protect PHI.
Should you have any questions, please contact Mark Garsombke at 414.721.0907 or firstname.lastname@example.org.