Showing posts with label Health Insurance Portability and Accountability Act (HIPAA).

Wednesday, March 20, 2013

Don't Land on the Office for Civil Rights’ “Wall of Shame”

By George F. Indest, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law
As of February 2013, there are 537 cases listed on the Office for Civil Rights’ (OCR) “Wall of Shame.” These are breaches of unsecured health information affecting 500 or more individuals. The reports of these breaches of patient confidentiality are required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The OCR continuously updates this list of breaches on its website. The list includes a brief summary of each case that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured health information to the OCR.


Most Breaches on the “Wall of Shame” Involve Laptops and Portable Devices.
Six healthcare organizations listed on the “Wall of Shame” reported security breaches that involved one million or more patient records. Among the largest breaches reported was one by the TRICARE Management Activity, which reported 4.9 million records lost when backup tapes for computer systems went missing. Another major breach involved WellPoint, the largest managed health care company in the Blue Cross and Blue Shield Association. The company reported that 31,700 of its customer records were compromised during a three-year time frame. The breach was believed to be caused by an unauthorized hack into a network server.
According to an article in Modern Healthcare, a majority of the breaches on the “Wall of Shame” involve laptops, backup disks and other portable devices that were stolen. These devices contained patient information and were not encrypted. Had the files been protected by encryption, these organizations would not have landed on the list.


New HIPAA and HITECH Rules.

The OCR under the U.S. Department of Health and Human Services (HHS) recently released stronger rules and protections governing patient privacy. On January 17, 2013, the HHS announced the omnibus rule to strengthen the privacy and security protection established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. These changes also improve the HITECH Act by making it clear when breaches must be reported to the OCR. Once reported, the breaches are then placed on the “Wall of Shame.” It’s important to review these changes so as to stay off the list. Click here to learn more on the new HIPAA rules.


It's In Your Best Interest to Get a HIPAA Risk Assessment.
Since the HIPAA laws have changed, you need to edit your privacy forms and procedures. Many health providers simply don't have the time to re-review their policies and revise documents. A HIPAA risk assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws.  Federal regulations require that covered entities have this assessment done. To learn more on HIPAA risk assessments, click here.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


Sound Off.
Have you ever heard of the “Wall of Shame”? What do you think of this list? Please leave any thoughtful comments below.


Sources:
Modern Healthcare. “Hoping for ‘Progress’ on Health Data Breaches.” Modern Healthcare. (January 8, 2013). From: http://www.modernhealthcare.com/article/20130108/BLOGS02/301089998/joe-blog-sad-sign-of-progress-in-health-data-breaches
Mearian, Lucas. “‘Wall of Shame’ Exposes 21M Medical Record Breaches.” Computerworld. (August 7, 2012). From: http://www.computerworld.com/s/article/9230028/_Wall_of_Shame_exposes_21M_medical_record_breaches


About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.



"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2012 The Health Law Firm. All rights reserved. 

Tuesday, November 13, 2012

Are Online Doctors’ Notes a Violation of HIPAA Privacy Rights?

By Danielle M. Murray, J.D.

According to the Orlando Sentinel, a study published in the Annals of Internal Medicine shows that patients like to read their doctors’ notes.  In the study, published in April of 2012, doctors put their notes online, and gave patients online access to the file.  While some patients had privacy concerns, ninety-nine percent (99%) of them requested to keep access to the file after the study was over.



Patients Believe Online Notes Help to Start Better Communication about Health.
Patients interviewed for the study felt that the notes reiterated important points that they had discussed with their doctors.  Study participants were able to be reminded of key information, and many said they felt that they were more compliant with the doctors’ recommendations.

Doctors didn't report feeling limited or overwhelmed by having to take notes in the computer system used for the study, and they continued to allow access to the notes following the study.



Other Options for Doctors' Offices.
If a doctor does not feel comfortable using an online system, or simply does not have the time or money to convert to an electronic system, the article suggests that doctors can simply add a new procedure to their current, handwritten record-keeping system.  Doctors can have staff routinely make a copy of the patient’s notes and mail the notes, or have the notes picked up by the patient, within a set time after the visit.


Review Your HIPAA Responsibilities.
As a health attorney advising physicians, medical groups and medical facilities, I have to look at the legal risks of such arrangements.

While putting records online or even creating an app for patients to access records is convenient, such an arrangement can inadvertently allow the records to fall into the hands of third parties.  I don't know of many doctors’ offices with in-house staff to manage their document server and online secure servers for such an undertaking.  Even so, streamlining the process generally requires special software, which was created by and likely monitored by a third-party software developer.

I would first suggest that any health professional looking to digitize or allow remote access to records have a contract ready for their technology associate to sign.  The contract should clearly state the obligations of each party, and it should incorporate all Health Insurance Portability and Accountability Act (HIPAA) privacy and security responsibilities.  I would not suggest piecing something like this together on your own; seek counsel, such as experienced health law attorneys, to do this for you.

If you are unsure about HIPAA privacy rights, click here for part one and click here for part two of a blog series on possible violations.


Contact Health Law Attorneys Experienced with Investigations of Health Professionals and Providers.
The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, dentists, pharmacists, psychologists, health facilities and other health providers in Department of Health (DOH) investigations, OCR HIPAA audits, breach of privacy investigations, HIPAA risk assessments, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.


Comments?
As a health professional, do you make notes available to your patients? Does putting such notes online worry you? Please leave any thoughtful comments below.

Source:

Pittman, Genevra. “Patients Like Reading Their Doctors' Notes: Study.” Orlando Sentinel. (October 1, 2012). From: http://www.orlandosentinel.com/health/sns-rt-us-patients-like-reading-their-doctors-notes-stbre-20121001,0,925182.story


About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

Thursday, October 4, 2012

Florida Man Faces Federal Charges For Accessing Patient Records

By: Lance O. Leider, J.D., and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Federal court records from August 13, 2012, show that a former Florida Hospital employee faces fraud-conspiracy charges after he illegally accessed patient records in a solicitation scheme, according to the Orlando Sentinel. The breach in patient information was first thought to involve 2,000 patients, but according to a Federal Bureau of Investigation (FBI) affidavit, more than 700,000 patient records were accessed between 2009 and 2011.
When the news broke about a privacy breach at Florida Hospital back in October of 2011, we wrote about this incident. To read that blog, click here.



Florida Hospital Clerical Worker Accessing Medical Records.
Hospital records show a clerical worker in the emergency department of Florida Hospital’s Celebration location was fired in July 2011. According to the Orlando Sentinel, he was allegedly fired when it was discovered that he had accessed the medical records of a Florida Hospital doctor who was fatally shot in a hospital parking garage.
The FBI affidavit reveals that hospital officials found inappropriate access to 763,000 patient records between 2009 and the third quarter of 2011, by the same worker.


Hospital Patients Would Receive Calls for Lawyer and Chiropractor Referrals.
Federal investigators said the worker was looking specifically for information on car accident victims. He would allegedly sell that information to unnamed co-conspirators.
In the Orlando Sentinel article, some patients said that, about a week after their hospital visit, they would receive calls offering to refer a lawyer or chiropractor.
The FBI also allegedly found payments from co-conspirators to the worker.


Worker Faces Serious Charges.
The Florida Hospital worker has been indicted on charges of conspiracy to defraud the United States and payment to a non-licensed physician.

Contact Health Attorneys Experienced in the Confidentiality of Medical Records.

Our attorneys provide advice and legal opinions on confidentiality of medical records and medical information, including the HIPAA Privacy Regulation, and are available to testify as expert witnesses on these issues.
For a list of applicable Federal and Florida legal authorities on "super-confidential" medical information pertaining to certain types of medical information such as mental health, HIV and drug or alcohol treatment records, click here.
To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Sources:
United States of America v. Dale Munroe, No. 6:12-mj-1378, United States District Court, Middle District of Florida, Orlando Division. (August 13, 2012). Available at http://www.thehealthlawfirm.com/uploads/USA_v_Munroe.pdf.
Weiner, Jeff. “Ex-Florida Employee Faces Federal Charges in Patient-Records Scheme.” Orlando Sentinel. (August 31, 2012). From: http://articles.orlandosentinel.com/2012-08-31/news/os-florida-hospital-privacy-theft-arrest-20120831_1_patient-records-medical-records-access
Kealing, Bob. “Florida Hospital Breach Affects 700,000 People.” WESH Orlando. (August 30, 2012). From: http://www.wesh.com/news/central-florida/Florida-Hospital-breach-affects-700-000-people/-/11788162/16438736/-/12x54xdz/-/index.html

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone:  (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.