Mar 31
Living with HIPAA: Enforcement of the Privacy Rule Today
Filed Under HIPAA Compliance, HIPAA Enforcement, HIPAA Law, HIPAA Regulation, HIPAA Security, HIPAA Technology
This article is a little dated but has some decent info. Robin Johnson discusses enforcement of HIPAA Laws:
It has been almost one year since the April 14, 2003 effective date of the HIPAA Privacy Rule. At this time, your organization has likely implemented HIPAA privacy policies and procedures, prepared a standard authorization form, appointed a privacy officer, and adopted a notice of privacy practices. The negotiation and execution of your business associate agreements are probably underway or complete.
Despite your best efforts to implement the Privacy Rule conscientiously, you will inevitably face, or perhaps have already faced, an allegation of a breach of privacy (a “privacy incident”). To help you understand what you’ll encounter once such an allegation has been made, this series of articles will define the term “privacy incident” and discuss: (i) how to identify a privacy incident; (ii) the potential consequences of breaching privacy; (iii) the status of government enforcement efforts to-date, and how your organization should respond to it; (iv) how to conduct an internal investigation of an alleged privacy breach; (v) how to deal with the government when a complaint has been filed with the enforcement agencies; and (vi) why civil liability under state laws may be your greatest threat.
What is a Privacy Incident?
A privacy incident involves an allegation of a breach of privacy. A breach of privacy is defined for purposes of this article as:
- a violation of your privacy policies and procedures; or
- other violations of the Privacy Rule.
A potential breach of privacy may be brought to your attention through:
- voluntary reports by your staff;
- reports/complaints brought by a consumer through your internal complaint process;
- reports of a business associate that has made an inappropriate disclosure or otherwise mishandled Protected Health Information (PHI);
- a consumer complaint (or a complaint from a family member or other interested person) that has been filed with the Office of Civil Rights (the “OCR”) of the U.S. Department of Health & Human Services (HHS) and forwarded to your organization for response; or
- a federal investigator contacting your organization from either the OCR, the HHS Office of Inspector General (the “OIG”), or the U.S. Attorneys’ Office.
Potential Consequences
The potential consequences of a privacy incident can be very serious. If a breach of privacy is substantiated, your organization could face:
- civil monetary penalties;
- criminal prosecution; or
- a civil lawsuit filed under state privacy laws.
All in all? Watch out for those HIPAA Rules. You can read more here.
Mar 31
The HIPAA Security Rule – Sorry, You’re Not Done Yet
Filed Under HIPAA (General), HIPAA Compliance, HIPAA Law, HIPAA Privacy, HIPAA Security
Paul Litwak of the National Council for Community Behavioral Healthcare says:
By now, any sensible person has had enough of HIPAA. Even those who have been helped most by the HIPAA rules — lawyers and consultants — are getting sick of it. But, for better or for worse, it isn’t over yet. There is one more rule to go — the final Security Rule.
Legal Obligation Relating to Security
Both the HIPAA statute and the final Security Rule require covered entities to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
- Ensure compliance by its workforce.
Real Stories
Here are a few publicly reported events in which the security of health information was compromised and individual privacy rights were compromised. In each case, the organization that held or created the information meant to keep it confidential.
In February 2003, a jury awarded $2.3 million to three women whose mental health treatment records were not kept private by West Virginia University Medical Corp., also called University Health Associates. A records clerk had removed their records, taken them home and to local bars and discussed them with people. The clerk was clearly acting outside the scope of his employment and was fired. Nonetheless, the jury found that the hospital had breached its duty of confidentiality. The verdicts of $766,200 to one woman, $762,000 to another and $750,000 to the third did not include punitive damages.
For eight days, beginning on October 29, 2001, detailed psychological records of at least 62 children and teenagers were accidentally posted on the University of Montana Web site.
Eli Lilly & Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a mass e-mail. The company was investigated by the Federal Trade Commission, and reached a settlement in which it agreed to bolster the security of its Internet site.
A Nevada woman bought a used computer, and discovered the prescription records of thousands of people on the machine’s hard drive. The previous owner was a pharmacy.
Read more here.
Mar 29
Press Release: ITSPA Advises Small to Medium-Size Businesses to Secure Technology that Will Meet New HIPAA Standards
Filed Under HIPAA (General), HIPAA Compliance, HIPAA News
ITSPA (Information Technology Solution Providers Alliance) cites statistics that “only 30 percent of health plans, or payers, and 18 percent of healthcare providers are currently HIPAA-compliant, and nearly 26 percent of payers and 40 percent of healthcare providers had experienced a security breach in the last six months”. Are you HIPAA-compliant?
What are your biggest obstacles to getting HIPAA compliant?
ITSPA Advises Small to Medium-Size Businesses to Secure Technology that Will Meet New HIPAA Standards
Wednesday March 23, 5:56 pm ET
DALLAS–(BUSINESS WIRE)–March 23, 2005–On April 20, thousands of small to medium-sized businesses (SMBs) will have to comply with the new regulations required by the Health Insurance Portability and Accountability Act, or HIPAA, that protect the electronic security of patient records, advised the Information Technology Solution Providers Alliance (ITSPA), a national, non-profit alliance that helps SMBs understand how technology and local technology providers can help them succeed.
The HIPAA security rule covers records that track physical conditions, medical treatments and insurance payments. HIPAA, signed into law in 1996, is designed to provide Americans with a number of health insurance benefits such as making coverage available to SMBs, allowing employees to enroll for coverage when they lose other health insurance, prohibiting discrimination in enrollment and premiums charged to employees based on various health-status factors, and limiting exclusions for preexisting medical conditions. Additionally, new HIPAA provisions require increased efficiency and standards related to medical insurance claims processing, as well as strict patient privacy rules.
“Industry surveys indicate that only 30 percent of health plans, or payers, and 18 percent of healthcare providers are currently HIPAA-compliant, and nearly 26 percent of payers and 40 percent of healthcare providers had experienced a security breach in the last six months. These statistics indicate that healthcare SMBs need to move forward aggressively to ensure compliance,” noted ITSPA President, Russell Morgan.
As a first step, healthcare SMBs are urged to fortify their computer hardware security features. PCs and other access devices that haven’t been secured make it easy for records privacy to be violated. In some instances, healthcare SMBs may need to upgrade their information technology to ensure compliance.
“The security rule requires covered SMBs to implement policies and procedures to maintain the confidentiality of patient health information. The Department of Health and Human Services (DHHS) describes the types of businesses that are covered by the various HIPAA regulations. If an SMB provides health care, health care claims processing, or is a health plan provider, it is defined as being a ‘covered entity’. Any SMB that needs help in ensuring compliance with these rules can contact a qualified local Information Technology Solution Provider for assistance in meeting these obligations,” added Morgan.
How To Comply With HIPAA
Members of ITSPA’s Healthcare Advisory Board offered tips to SMB decision makers on how to comply with HIPAA’s security regulation:
* Lock up records and files–Keep cabinets and file cabinets locked that contain healthcare information, and use computer passwords and firewalls to protect online information.
* Beef up computer hardware security features–PCs and other access devices that haven’t been secured make it easy for records privacy to be violated.
* Put safeguards in place–Assign someone the responsibility of handling HIPAA implementation.
* Train employees in HIPAA rules.
* Ask an IT solution provider for help–SMB decision makers who need more information about HIPAA can turn to their local IT solution provider or visit the DHHS Web site (www.cms.hhs.gov/hipaa/) prior to the April deadline to determine whether the security rule applies to their companies. To locate a qualified solution provider in your area, please contact Todd McGee at tmcgee@itspa.net. Additional resources are available at: http://www.himss.org/ASP/topics_hipaa.asp.
About ITSPA:
ITSPA, the Information Technology Solution Providers Alliance, is a non-profit (501.c.6) organization dedicated to helping small and medium companies adopt technology and grow by using local solution providers to solve business problems. SMB customers, solution providers, along with manufacturers, publishers and networking companies who use the solution provider channel, are expected to benefit from the demand for technology generated from its programs. ITSPA began operations with a funding grant from HP. Additional sponsors can be found at our website. ITSPA’s national headquarters are located at 2633 McKinney Avenue, Suite 130-320, Dallas, TX 75204. The general business phone number is 214-542-6594. Visit our web site at www.itspa.net. To locate a qualified solution provider in your area, please contact Todd McGee at tmcgee@itspa.net.
Visit ITSPA to learn more.
Via Yahoo! News
Mar 23
HIPAA creates new job opportunities – Paper Shredding business
Filed Under HIPAA (General), HIPAA Compliance, HIPAA Jobs, HIPAA News, HIPAA Technology
More and more people are realizing that there are new business opportunities relating to HIPAA and HIPAA compliance. In Colorado one doctor started a mobile paper shredding company to help service companies that fall under the requirements of HIPAA and FACTA.
The Pueblo Chieftain Online – Pueblo, Colorado U.S.A
With the passage of HIPAA and now the imminent implementation of the federal Fair and Accurate Credit Transaction Act, nearly every business of any size will be facing higher standards for the protection of their clients’ personal information.
FACTA requires that virtually any documents containing any personal information be destroyed before they are discarded, so businesses of all sizes will be required to be sure that the personal information of their clients is protected.
Failure to do so could result in hefty fines.
The regulation takes effect in June, so the timing could be right for Pueblo’s Mobile Record Shredders.
“I’ve been hit with a lot of patient privacy and HIPAA requirements,” Anaya said. “So I was looking for ways to get documents destroyed and found that nobody was doing it on-site, locally.”
So Anaya and his wife, Julie, joined with Joe and Kellie O’Brien to start Mobile Record Shredders.
Mar 17
California Health Insurance Information and News
Filed Under HIPAA (General)
California Health Insurance Information and News: Sunday, March 13, 2005
Pre-existing Medical Conditions and Health Insurance – what to do?
We often get calls from people with pre-existing medical conditions who are concerned that a California health insurance company will decline to offer them insurance.
This is a legitimate concern. We estimate that California medical insurance companies decline about one-out-of-four or one-out-of-five people who apply for health insurance coverage. (Note: this is our unscientific estimate – please do not accept this as anything more than an educated guess as to the number of people whom the health insurance companies decline to offer coverage.)
If you have a pre-existing medical condition and want to apply for health insurance here is some advice:
Read the rest of the article: http://www.benefitscafe.com/blog/archive/2005_03_13_index.html#111078379496708458
Mar 15
2-Factor Authentication good enough for HIPAA?
Filed Under HIPAA Compliance, HIPAA Compliant Software, HIPAA Security, HIPAA Technology
Nice article by Bruce Schneier, once again confirming that he is an excellent thinker when it comes to network security issues.
Thinking about implementing 2-factor authentication as part of your HIPAA-compliance strategy? Don’t rely too much on this technique, since attackers are beginning to actively target valuable information in ways that defeat 2-factor authentication.
Two-Factor Authentication: Too Little, Too Late
Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.
Here are two new active attacks we’re starting to see:
Man-in-the-Middle Attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank’s real website. Done right, the user will never realize that he isn’t at the bank’s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.
Trojan attack. Attacker gets Trojan installed on user’s computer. When user logs into his bank’s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.
See how two-factor authentication doesn’t solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that’s all.
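The man-in-the-middle case above, as an added simulation that is not part of Schneier's article or this post: a one-time code forwarded unchanged by a fake site is still valid at the real site, whereas a response bound to the origin the client is actually talking to is not. The TOTP parameters, the two origins, the nonce and the secret are all constructed for the demo; the origin-bound variant is an illustrative contrast that addresses only the relay case, not the Trojan case, where the attacker rides the user's own legitimate session.

```python
import hmac
import hashlib
import struct

# Constructed demo credentials; not real secrets.
PASSWORD = "correct-horse"          # the never-changing part
SECRET = b"constructed-demo-seed"   # seed of the user's OTP token

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Six-digit time-based code (RFC 6238 style, assumed parameters)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def bound_response(secret: bytes, origin: str, challenge: bytes) -> str:
    """Client-side response that mixes in the origin the client sees."""
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()

class Bank:
    """The real site: checks the static password plus a second factor."""
    def __init__(self, origin: str) -> None:
        self.origin = origin

    def login_otp(self, password: str, code: str, now: int) -> bool:
        # The OTP depends only on the shared seed and the clock, not on who relays it.
        return password == PASSWORD and hmac.compare_digest(code, totp(SECRET, now))

    def login_bound(self, password: str, challenge: bytes, response: str) -> bool:
        # Expects a response computed over *this* site's origin.
        expected = bound_response(SECRET, self.origin, challenge)
        return password == PASSWORD and hmac.compare_digest(response, expected)

def relay_otp_login(now: int = 1_700_000_000) -> bool:
    """Case 1 from the article: the fake site forwards password and OTP verbatim."""
    real = Bank("https://bank.example")
    # The user is on the fake site, but what they type is equally valid at the real one.
    typed_password, typed_code = PASSWORD, totp(SECRET, now)
    return real.login_otp(typed_password, typed_code, now)   # relay accepted

def relay_bound_login() -> bool:
    """The same relay against an origin-bound response."""
    real = Bank("https://bank.example")
    challenge = b"constructed-nonce"   # forwarded unchanged by the fake site
    # The client binds to the origin it is really talking to: the fake one.
    response = bound_response(SECRET, "https://fake.example", challenge)
    return real.login_bound(PASSWORD, challenge, response)   # relay rejected
```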
Mar 15
HIPAA Regulations Force Medical Practices to Reconsider Email and Web Communications
Filed Under HIPAA Compliant Software, HIPAA News, HIPAA Technology
HIPAA Regulations Force Medical Practices to Reconsider Email and Web Communications
Hagerstown, MD (PRWEB) March 5, 2005 — The latest updates to the Health Insurance Portability and Accountability Act (HIPAA) call for health care providers to adopt secure communication practices to protect Patient Identifiable Data. While not specific as to which technologies should be used, HIPAA does require physicians and health care providers to examine their use of email and online communication and take appropriate measures to ensure that private information is not compromised. Until recently, this meant implementing an expensive secure server or Virtual Private Network (VPN) solutions, or avoiding the use of email and online communication altogether. Recent software developments and innovations, however, have put HIPAA-compliant email and web solutions within reach of the small health-care provider and physician practice.
DatAchieve Digital is introducing ArticSoft’s FormsAssurity product to its suite of medical web development solutions. Unlike earlier security solutions, FormsAssurity encrypts both web-based email and web inquiry forms on the user’s desktop level, before any information is ever sent over the Internet or stored on a server. “We’re excited about the possibilities this offers both physicians and patients,” said David Layton, Director of Business Operations for DatAchieve. “Many small practices have their hands tied when it comes to using email to communicate with patients or staff, and it can be frustrating for a patient to be unable to request a prescription refill or schedule an appointment from their family doctor’s web site.” “FormsAssurity will enable us to offer that convenience to both patients and physicians.”
More HIPAA technology solutions on the horizon for sure…
Via PRWeb
