HIPAA overhaul goes live today; HHS likely to ramp up enforcement

[preamble]If we remember a previous post, GOOGLE was found guilty of stealing millions of pieces of private medical information – shouldn't they be the poster child of HIPAA’s attacks?

Now, let's interject a quick thought: What is HIPAA protecting? A patient's test results? Name and address? Is this REALLY worth the hoopla? Who cares who knows I have high cholesterol – what can they do with it? My address? Hmm – every time I use my credit card someone has my address. Personal information – are we kidding? Let's discuss Facebook and Twitter – more information is on there than in any medical record and the information is more damaging – Let's not forget that all insurance companies and hospitals have been sharing our data and making decisions based upon it for years! Did and does anyone point the finger at the insurance companies? Of course not! Why? Lobbyists or MONEY! They throw a lot of money at our elected officials – you know, those spineless people we put in office to help protect us.

Conclusion: HIPAA is useless, making the proverbial “mountain out of a molehill” and misdirecting our attention from what is truly happening – rationing of our health care & out-of-control costs.

By Dan Bowman
The HIPAA omnibus rule officially goes into effect today–so what does that mean for providers and newly responsible business associates? Plenty.

Marcy Wilder, director of the global privacy and information management practice for Washington, D.C.-based law firm Hogan Lovells, told FierceHealthIT for a special report on the rule that HHS will be much more aggressive with enforcement of violations.

“[Congress] said that they expect HHS, when there is willful neglect involved in a violation, will not focus on informal resolution needs, but rather will take formal action,” she said.

According to Philip Gordon, chair of the Littler Mendelson law firm’s privacy and data protection practice group, more changes are around the corner.

“In terms of HIPAA fundamentals, a lot is going to be the same,” Gordon said. “The HIPAA Security Rule was changed very little for [covered entities].”

But Gordon pointed out that the U.S. Department of Health & Human Services has greater discretion to determine compliance penalties–and said that will have an impact on covered entities. The newly tiered penalty structure increases fines to as much as $50,000 for “willful neglect” of information without correction, and $1.5 million for multiple violations of identical provisions.

A trio of attorneys from law firm McGuireWoods recently outlined several steps providers and other covered entities can take to ensure compliance with the rule, according to Becker’s Hospital Review. Their suggestions for preparing for the Sept. 23 deadline included appointing privacy and security officers; conducting frequent risk assessments to identify problem areas; and adopting policies regarding the storage of health data on mobile devices.

Most hospital executives responding to the Healthcare Information and Management Systems Society’s recently published annual leadership survey indicated that their top concern regarding the security of computerized medical information was mobile device security.

Data breaches hit hospitals in two states
By Susan D. Hall

There’s a good reason that CIOs rank data security among their top priorities for 2013: Stories of data breaches continue to be an almost-daily occurrence–including two recent breaches in Mississippi and Utah.

Mobile devices, including laptops, are particularly vulnerable to loss or theft. One of the latest cases comes from the University of Mississippi Medical Center (UMMC), where a shared password-protected laptop has gone missing.

According to the facility, the device contains information on adult patients treated between 2008 and January 2013, including names, addresses, dates of birth, Social Security numbers, diagnoses and treatments. There’s no indication that the information has been accessed.

In Utah, however, the breach is paper-based. Granger Medical Clinic has informed patients of a potential breach after 2,600 medical appointment records slated for shredding disappeared. The records were printed out from an electronic scheduling database, according to The Salt Lake Tribune. The records included the names, dates and times of appointments and the reason for the medical visit, but no addresses, birth dates, medical claim information, Social Security numbers or financial information.

When it comes to health data breaches and hack attacks, the state of Utah can’t seem to catch a break. As FierceHealthIT reported earlier this year, an employee at an outside contractor for the Utah Department of Health lost an unencrypted USB memory stick containing personal information for 6,000 Medicaid clients.

Last fall, hackers infiltrated the Utah Health Exchange web portal, rendering it essentially useless for a week. And last March, Eastern European hackers gained access to healthcare information for nearly 780,000 Utah Medicaid patients.

U.S. Department of Health & Human Services Office of Inspector General officials, writing recently in the New England Journal of Medicine, urged healthcare organizations to adopt best practices to ensure data privacy and security, such as erasing hard drives of rented photocopiers. Sounds like good advice should someone in the office decide to print out reams of scheduling data–although a better practice would be not to print it out in the first place.