-
OCR Boosting Security Enforcement
Posted on July 8th, 2010
The health care industry can soon expect a greater emphasis on enforcing the HIPAA security rule than in years past.
That’s the message that Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights, delivered May 11 at the Safeguarding Health Information conference in Washington. OCR sponsored the conference with the National Institute of Standards and Technology.
Federal enforcement of the security rule transitioned in 2009 from the Centers for Medicare and Medicaid Services to the OCR. The office continues to build expertise on the security rule, but much of the transition work is done, McAndrew says. “Transitions are always longer than you expect.”
To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes. “We’re hoping that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.”
The HITECH Act links privacy and security–and enforcement of both HIPAA rules–enabling regulators to look at these issues from a more holistic viewpoint, McAndrew says. As the electronic world moves into the clinical side, the health care industry increasingly will find that privacy and security issues collide, she contends. “Without a sound security policy, privacy will just be a principle.”
Consequently, 2010 is when the industry will really start to see a realization of HITECH’s privacy and security initiatives enacted in 2009, McAndrew says. “We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement.”
-
Stacks of medical records found in dumpster outside Florissant doctor’s office
Posted on July 1st, 2010
A dumpster outside a St. John’s doctor’s office, listed as Dr. David Brown’s, was wide open and filled with patient folders and other medical records.
Attorney Nicole Knepper told News 4 that throwing records in a dumpster would be a violation of federal HIPAA regulations. A spokesperson for St. John’s said disposing of medical records in a dumpster is not the correct protocol; they should have been shredded. She said the doctor said the files are old and he ran out of space, but it was the wrong thing to do, and he knows he made a mistake. A mistake that has the potential to be costly. Attorney Knepper told News 4 that civil and criminal penalties can be applied. Depending on the facts of each case, you may have a civil case for invasion of privacy as well.
Statement from Dr. David Brown:
In an effort to dispose of some files that were many years old, I made a mistake by using improper procedures for disposal of patient records. Medical practices always have an obligation to protect patient information, regardless of the age of the record. I sincerely regret that this occurred. The files have been retrieved and the records will be disposed of properly. I will fulfill all reporting obligations required by law. I am very sorry for any concern this has caused and want to assure my patients that going forward I will follow proper disposal procedures.
-
MedClean Technologies, Green Umbrella Solutions Announce Co-Marketing Partnership
Posted on March 25th, 2010
Partnership aims to provide delivery of technology and service for medical waste disposal and HIPAA document destruction and recycling.
-
BIG DAY FOR HIPAA/HITECH PROVISIONS
Posted on February 19th, 2010
While many of the changes to HIPAA contained in the HITECH amendment, such as increased fines, Attorneys General enforcement, and Health Data Breach notification, have already come into effect, February 18th, the law’s one-year anniversary, marks a number of significant HIPAA/HITECH milestones.
Here is a sample of some that could affect the secure destruction service provider . . .
- Application of rules to, and accountability for, Business Associates. (No longer are BAs solely tied to HIPAA by the BA contract with the Covered Entity, but now, in some respects, operate essentially with all the requirements applied to Covered Entities.)
- Requirement for HHS to begin conducting mandatory audits.
- Clarification regarding which entities are required to be business associates. (Both HHS and the FTC have already identified secure destruction services as BAs in earlier guidance publications. It would be difficult to see this changing.)
- HHS and FTC study on privacy and security requirements for PHR vendors and applications. (PHR vendors are a new type of Covered Entity under FTC jurisdiction who maintain or process health-related data as a result of offering Internet-based services.)
- First annual guidance on the most effective and appropriate technical safeguards for health information. (This could go either way. When HHS issued guidance on security measures to avoid data breach, they inadvertently caused many Covered Entities to apply the wrong particle size specification. If guidance is promulgated in this new document with a similar type of reference, it will make life a bit more complicated for secure destruction services.)
- HHS to implement a health information privacy educational initiative
- Clarification regarding the ability to impose criminal penalties against individuals
-
Data security compliance costs plague firms
Posted on September 17th, 2009
Costs of compliance and number of vendors with access to sensitive information are cited by a majority of businesses as stumbling blocks to preparations for new data security regulations taking effect in Massachusetts next March.
-
Notification Rule on HIPAA Data Breach Effective Soon
Posted on September 17th, 2009
A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009.
-
Media Services Implements HIPAA Training Program
Posted on September 8th, 2009
Company works with The HIPAA Group on training program.
-
Court allows suit against bank for lax security
Posted on September 3rd, 2009
The ruling highlights an issue that security analysts have been talking about for a long time: the need by companies to show due diligence in protecting customer data against malicious and accidental compromise. Security analysts have warned that companies that can’t prove they took adequate measures to protect data could find themselves expos…
-
HIPAA Breach Notice Rules to Take Effect
Posted on September 3rd, 2009
The U.S. Department of Health and Human Services (HHS) has issued new regulations requiring health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is breached.
-
Dumped medical files expose 623 patients’ names, Social Security numbers, dates of birth and medical details
Posted on August 21st, 2009
Prompt Med data loss incident circa 2009-08-20