
July 30, 2023

HIPAA Prevents State LEOs from Grazing for PHI -- Doesn't It?

h/t to Samantha Holvey's concise and timely weekly Whealth Care newsletter for addressing a question that is probably on every HIPAA-savvy reader's mind of late: "Can State Attorneys General just randomly scan out of state health records to see whether one of their residents may have committed a health care 'crime'?" This might apply to potentially pregnant patients seeking reproductive diagnosis and treatment, or parents of transgender minors seeking gender-affirming care not available at home.

Having been engaged with HIPAA since its earliest days, I was prepared to repeat my customary, reassuring, "HIPAA is better privacy protection than we had before" speech, but I quickly realized that this time, I was not so sure. See, when we were implementing the three pillars of HIPAA (Privacy | Security | Transactions and Code Sets), back in the aughts, people were most concerned about organizations within the industry misusing the data, or letting it leak out for commercial exploitation.

Very few were worried about a malevolent government. The pre-HIPAA government guardrails that had been erected were still in place, and HIPAA itself was relatively neutral on the matter. Or at least, we implementers were relatively complacent. We thought that, occasional abuse aside, law enforcement organizations would go through existing legal channels to obtain patient records in pursuit of fraud, theft, controlled substance misappropriation, or malpractice.

Now, state after state is passing laws that not only criminalize healthcare procedures that have been common practice for decades, but extend that criminality to procedures performed in states whose own laws preserve their legality. Private citizens can earn bounties by revealing that someone has crossed a state line to pursue such treatment, or even helped fund such an excursion.

And while CMS has published regulatory guidance that explains what sorts of inquiries are already unacceptable under HIPAA, they have also released a Notice of Proposed Rulemaking (NPRM) to tighten the federal regulations against potential state governmental fishing expeditions. The comment period on the NPRM has closed. Can federal regulations be far behind? HIPAA history says not to be too confident. Some NPRMs were allowed to languish for years. Other draft regulations were never formalized into a Final Rule.

February 1, 2013

Data Security: An Online Hacking Primer

Medical records security has been rising to the top of mind among the healthcare IT community. As HIPAA now has some teeth and has been extended to contractors, it is wise to remember that three in four Americans have fallen or will fall victim to cyber crime as a result of having been hacked. Among the systems that have infamously leaked personal information are those of universities and hospitals. The following infographic offers an overview of the personal information leakage going on out there. Thanks, Allison!

Infographic courtesy OnlineCollegeCourses.com.
______
CarePrecise encourages you to attend the Big Data for Healthcare Forum, April 29 - May 1, 2013.



January 18, 2013

Surprise: You May Now Be Liable Under HIPAA


When the HIPAA privacy rule first went into effect, business associates of hospitals, physicians, etc. didn't have to worry about getting in trouble for releasing data in ways that violate patients' privacy.

No more.

In light of several years of clumsy handling of patient data by contractors and employees, it's perhaps not surprising that HHS is changing the rules to extend the strict HIPAA privacy rules -- and penalties for violations -- to external vendors and IT communities.

If you work in any way with patients' medical data -- whether as a data processor, consultant, IT contractor, EHR installer, whatever -- you'd better get familiar with the new rule that goes into effect March 26. It clarifies when breaches need to be reported to the Office for Civil Rights, scraps the old standards for the use of patient-identifiable data for marketing and fundraising purposes, and expands direct liability under the law to so-called “business associates” of HIPAA-covered entities.

Perhaps equally interesting is that patients once again will have the right to limit release of treatment records to insurance companies if they paid out-of-pocket for that treatment. Look out for problems and potential fines from goof-ups in granting the wrong business partners access to the wrong data. Greatly increased penalties for privacy and security violations under the ARRA are explained in the new ruling.

Read the HHS news release.
Read the rule in the federal register (you've still got time to comment).