Archive for category Medical Privacy

HIPAA Breach Notification Requirements Effective September 23, 2009

The Department of Health and Human Services (HHS) and the FTC have issued a new interim final rule governing health information breach notification requirements. I blogged on this issue back in March 2009, just after the stimulus package, the American Recovery and Reinvestment Act of 2009 (ARRA), passed.

This rule, issued in response to ARRA, goes into effect on Wednesday. At that point, all HIPAA-covered entities and their business associates must notify individuals and HHS when personal health information has been breached. HIPAA-covered entities include health plans, health care clearinghouses, or health care providers. The rule also covers “business associates” which include billing companies, transaction companies, lawyers, accountants, managers, administrators, or anyone who handles health information on behalf of a HIPAA-covered entity.

A breach is when individually identifiable health information is acquired, used, accessed, or disclosed to an unauthorized party, in a way that compromises its security or privacy. A “breach” does not include inadvertent disclosures among employees who are normally authorized to view protected health information. A breach also does not include exposure of encrypted personal health information, for example.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (i.e., by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

In certain limited circumstances a vendor might be subject to HHS and FTC notification rules. In this case, a vendor which serves the public and HIPAA-covered entities may comply with both rules by providing notice to individuals and the HIPAA-covered entity. In many instances, entities covered by this rule must also comply with applicable State notification laws. The test for pre-emption is whether the State law is “contrary” to the federal law, or whether “a covered entity could find it impossible to comply with both the State and federal requirements.”

Compliance

Of course, the best way to comply with the law is to avoid breaches altogether. The most straightforward way to avoid having a breach is to encrypt personal health information. But if a breach does occur, complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

  • Date of the breach;
  • Date of discovery;
  • Description of the types of protected health information breached;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the investigation, efforts to minimize losses and prevent future breaches;
  • Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Beyond that, you’ll have to minimize your losses by repairing your company’s public image, regaining your customers’ trust, and mitigating civil liability.

References: 45 CFR parts 160, 162, and 164.

Note: This article was originally published on the J.C. Neu & Associates Blog.


How to Write an ARRA Breach Notification Letter

Note: This article originally appeared on the Jeffrey Neu Blog.

“We’ve had a breach.” It’s a sentence nobody wants to hear, but when it happens to you, what do you do? If you’re in the healthcare industry, new federal regulations probably require you to write a letter to the victims of the breach, or more. When and how quickly do you have to send a HIPAA/ARRA notification? And what does it have to say?

The American Recovery and Reinvestment Act of 2009 (ARRA) requires HIPAA-covered entities to notify breach victims when protected health information has been disclosed to an unauthorized person. The legislation gives liberal exceptions for good faith and inadvertent disclosure. Redaction or encryption is an absolute defense to a breach.

“Protected Health Information” is any stored or transmitted health information which can be tied to an individual. It may include information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code. The law also requires third-party contractors or “business associates” to report breaches to the covered entity.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (i.e., by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

A breach notification letter must meet differing but complementary legal and economic goals. They include:

  1. Complying with law
  2. Minimizing Losses

Compliance with Law

Complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

  • Date of the breach;
  • Date of discovery;
  • Description of the types of protected health information breached;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the investigation, efforts to minimize losses and prevent future breaches;
  • Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Repairing your Company’s Image

Avoid the natural tendency to clamp up. Of course, the best way to protect your company’s image is to keep bad news out of the public eye. But once the cat’s out of the bag, several studies indicate that more than two-thirds of economic losses arising from a data breach are due to brand diminishment and lost customer trust, rather than litigation or identity theft expenses.

Above all, your company must maintain credibility. Be honest, open, and share enough detail to convince an educated person that you know what you’re talking about, and that you’ve actually fixed the problem. Consider hiring an outside security consultant who can (1) give you genuine feedback on your security practices, and (2) vouch for your credibility when you say that your customers are safe.

Rebuilding Customer Trust

Consider your last trip to the Department of Motor Vehicles. It probably consisted of waiting for hours in multiple serpentine lines without any direction, followed by more waiting, followed by spending money. The best part is riding away in your car when you’re done. Surprisingly, Disneyland and the DMV have a lot in common: Long lines, spending money, and rides. What sets the DMV apart from the happiest place on earth? One important ingredient is Customer Empowerment.

One way the Disney folks empower customers is by posting periodic signs in long lines: “Wait Time: 45 minutes from this point.” Though the sign does not decrease wait time, it informs and empowers customers. And as Disney knows, empowered customers are happy customers. Frustrated, angry customers are far more likely to cause trouble or leave altogether.

The best way to rebuild your customers’ trust is to empower them. Too many breach notifications include the unhelpful statement, “We have no reason to believe that anyone has accessed or misused your information.” The statement is faulty because it does not empower the customer to take action. Also, if the statement isn’t completely true, or if it changes in the future, it may inadvertently induce liability under certain circumstances. Further, these types of statements tend to frustrate rather than empower customers, causing some to conclude that the notification is incomplete or disingenuous.

Instead, consider these options:

  • Say, “Although we have no reason to believe that anyone has accessed or misused your information, if you think your personal information has been misused as a result of this breach, please call 1-800-XXX-XXXX so we can investigate…”
  • Include statistics on typical rates of harm for similar breaches, where possible.
  • Actually investigate the breach.
  • Create a website where customers can get up-to-the-minute updates on the investigation directly from you.

Mitigating Civil Liability

ARRA does not expressly create a private right of action for a HIPAA breach. Other theoretical sources of liability exist, though. For example, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events, may create a tortious cause of action if the company fails to warn customers about foreseeable risks to personal information.

In contrast, most breaches are not likely to create privacy liability. Privacy tort actions usually require the breached information to cause extreme emotional distress, or a dilution of the property value of reputation or prestige. In addition, most courts have consistently failed to force companies to pay for credit monitoring services unless:

  1. A person has become an actual victim of identity theft;
  2. The person has found the thief;
  3. The person can prove that the thief’s copy of their SSN or other personal information came from the breaching entity; and
  4. The person proves that the entity had a legal obligation to keep that information private.

Instead, it’s important to remember that businesses stand to lose more money from brand diminishment and lost customer trust than from litigation.


Wireless Medical ID Theft

Identity thieves use many tactics to gather sensitive personal information.  Some check your mailbox.  Others dumpster-dive.  But now a more sophisticated identity thief might be found slowly cruising medical park parking lots with a laptop.

Off work and out of school, I spent the week between Christmas and New Year’s, December 2006, taking care of a friend at Sibley Hospital. During the long hours of sitting in the hospital and doctors’ offices, I tried to keep myself productive with my laptop, which proved surprisingly difficult without internet access. I scanned the 6th floor of the Hospital, and found 13 wireless networks, all of which were private and inaccessible. That was understandable, but bad news for my productivity.

Many businesses have begun to recognize the increasing dependence their customers have on internet connectivity. Consequently they, along with local governments and even hospitals and doctors’ offices, now offer “hot spots,” or areas of free internet access to patrons. Complimentary internet access has even become an expectation in many places.

Down in the cafeteria, I began to wonder if all medical facilities were as careful as Sibley Hospital about securing their wireless networks. After all, any time you mix open wireless networks with medical information, you run the risk of exposing confidential information protected by HIPAA and privacy acts.

So, I decided to perform a survey of 76 casually selected wireless networks at hospitals and medical parks in Maryland and DC.  At the large hospitals I checked, public and private networks were carefully controlled.  However, networks in smaller medical parks, whose tenants are usually independent practitioners, showed far more security defects.

This trend is perhaps predictable, because hospitals maintain a staff of IT professionals, and have established IT procedures. In contrast, independent practitioners have small staffs and often outsource IT functions to people of varying skill.  When they outsource it to a non-professional, it can have a devastating effect on patient privacy.

Take Dr. Abulhasan Ansari’s office for example.  He treats adults and young adults in his Clinton, Maryland office.  While he was away on vacation in December 2006, a member of the office staff contracted with an outside IT “professional” to create a wireless network.  The network required no password, was not encrypted, and maintained all of the factory default settings.  The network was available to any member of the public with a laptop.  Though it is unclear whether it was intended to provide complimentary internet access to waiting patrons, it is clear that it was not intended to allow patrons to access confidential patient information.  But it didn’t turn out that way.

Sitting in my car, I opened my laptop. Once my laptop associated with Dr. Ansari’s network (named “linksys”), Windows XP automatically scanned it, and populated “My Network Places” with shared folders.  Unfortunately in Dr. Ansari’s case, these folders contained Access databases with confidential patient information, including names, SSNs, birth dates, and medical histories for his patients.  All of this information was available to anyone within 100 feet of the office with a laptop.  This meant that an identity thief could slowly cruise through the medical park parking lot, grab the Access databases with the patient data, and leave completely undetected, without stepping foot in the office.  Incidentally, the wireless router was also essentially open, which means that a thief could have hidden his tracks by erasing the router log.
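The failure mode described above (an access point left at factory settings, no encryption, and a workstation on the same network sharing a patient database to anyone who associates) comes down to a handful of configuration checks a practice or its IT contractor can run before the network goes live. The following is an added example and not code from the original post; the access-point records, the field names, and the severity thresholds are constructed assumptions, not the output of any real tool.

```python
"""Audit small-practice wireless access points against a minimal baseline.

Constructed example (not from the original post). Each access point is a
hypothetical dict: ssid, encryption, admin_password, logging_enabled,
client_isolation, and reachable_hosts (hosts whose file shares a client
on that network can reach, each with a list of share names).
"""
from __future__ import annotations

from dataclasses import dataclass

# Vendor default SSIDs: left unchanged they signal "nothing else was changed either".
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin"}
WEAK_ENCRYPTION = {"none", "open", "wep"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium"
    check: str
    detail: str


def audit_access_point(ap: dict) -> list[Finding]:
    """Return the baseline violations for one access point record."""
    findings: list[Finding] = []
    enc = ap["encryption"].lower()

    if enc in WEAK_ENCRYPTION:
        findings.append(Finding("high", "encryption",
                                f"{enc!r}: anyone in radio range can join and read traffic"))
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append(Finding("medium", "ssid",
                                "factory default SSID; the rest of the config is probably default too"))
    if ap["admin_password"] in DEFAULT_ADMIN_PASSWORDS:
        findings.append(Finding("high", "admin_password",
                                "router admin uses a factory default; an intruder could erase the log"))
    if not ap["logging_enabled"]:
        findings.append(Finding("medium", "logging",
                                "no record of associated clients; a breach could not be investigated"))

    # The case from the post: file shares reachable from a network anyone can join.
    exposed = [h["name"] for h in ap["reachable_hosts"] if h["shares"]]
    if exposed and enc in WEAK_ENCRYPTION:
        findings.append(Finding("critical", "file_shares",
                                f"shares on {exposed} are reachable by any associated client"))
    return findings


def is_insecure(ap: dict) -> bool:
    """An access point is 'insecure' in the post's sense when data is reachable, not merely when it is open."""
    return any(f.severity == "critical" for f in audit_access_point(ap))


def survey_summary(inventory: list[dict]) -> tuple[int, int, list[str]]:
    """(insecure count, total count, insecure SSIDs) over a constructed inventory."""
    insecure = [ap["ssid"] for ap in inventory if is_insecure(ap)]
    return len(insecure), len(inventory), insecure


# Constructed inventory: a factory-default clinic AP, a hospital guest hotspot that
# reaches no internal host, and a clinic AP that was actually configured.
INVENTORY = [
    {"ssid": "linksys", "encryption": "none", "admin_password": "admin",
     "logging_enabled": False, "client_isolation": False,
     "reachable_hosts": [{"name": "FRONTDESK", "shares": ["Patients"]}]},
    {"ssid": "hospital-guest", "encryption": "none", "admin_password": "Xk9!vQ2#long",
     "logging_enabled": True, "client_isolation": True, "reachable_hosts": []},
    {"ssid": "clinic-staff-5g", "encryption": "wpa2", "admin_password": "Xk9!vQ2#long",
     "logging_enabled": True, "client_isolation": False,
     "reachable_hosts": [{"name": "FRONTDESK", "shares": ["Patients"]}]},
]

if __name__ == "__main__":
    for ap in INVENTORY:
        for f in audit_access_point(ap):
            print(f"{ap['ssid']:16} {f.severity:8} {f.check:15} {f.detail}")
    print(survey_summary(INVENTORY))
```

The distinction the checker draws is the one the post draws: a hospital's open guest hotspot that reaches no internal host is merely unencrypted, while an open network with a patient database shared behind it is the critical case that triggers notification obligations.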

After making this discovery, I entered the office and told the manager my findings. At first, she insisted that the records were not theirs. I displayed the Access files on my screen and she confirmed that they were, in fact, Dr. Ansari’s patients. She insisted, however, that since they “just recently” established the wireless network, no unauthorized person could have accessed the information in such a short time. I don’t think she appreciated the irony of her statement, as she was viewing her patient data on my laptop.

I asked them whether they had any plans to notify the affected patients that their medical data had been potentially compromised.  Instead of answering the question, she said that they would simply disconnect the wireless router.  Once she disconnected the router, the files disappeared from my screen, and she promised to have the “professional” return and secure the network right away.

Exactly one week later, I visited the same medical park, and performed the same scan.  Dr. Ansari’s office had fixed their problem, but I was dismayed to find that one of their neighbors in an adjoining building had put up their own insecure wireless network in the intervening week.  They were closed at the time.

In all, I surveyed 78 medical wireless networks. Six allowed access without a password, encryption, or other security bar. Sibley Hospital, where I spent several days over the break, had at least two public wireless networks in the cafeteria. They did not allow access to any internal network. Four others, all in medical parks (not hospitals), allowed direct access to an internal office network, some of which contained confidential patient data in Excel files and physician dictations.

The most startling part of this exercise is that the percentage of insecure networks in my sample was nearly 8%.  A single breach by an identity thief can cause hundreds of thousands of dollars in damage, and adversely affect hundreds or even thousands of current and former patients.

Despite clear regulations set forth under the authority of HIPAA, new technology poses challenges to under-trained staff. In addition, as demonstrated by this episode, there is a tendency to eliminate and hide mistakes (i.e., turn off the router), rather than properly address the issue, or notify potentially affected individuals.

That policy is understandable, if regrettable, because often business owners don’t feel the need to “unnecessarily worry” their customers by announcing a potentially embarrassing security gaffe, when there is no hard evidence that anyone in particular accessed sensitive data, or an increased likelihood of harm.  It also regrettably creates an incentive for business owners to put their heads in the sand, so to speak, by not monitoring networks at all; after all, if you don’t collect data that could demonstrate whether a breach had occurred, you’ll never risk having to notify anyone of a breach.

So, next time you go to the doctor’s office, take your laptop, and be prepared to challenge your doctor’s information security procedures.  And keep an eye out for anyone cruising the parking lot with a laptop.


The MIB: Medical Division
