Tag Archives: HHS

HIPAA Isn’t Brain Surgery

The other day I noticed that one of my (very competent) colleagues out on the WWW advised that you have a “deep understanding of HIPAA” when advertising his HIPAA training.  I have no doubt that his training is probably stellar.


But, trust me, as a Privacy Officer for the past six years I can tell you that you do not need a deep understanding of HIPAA.    


What you need is to find and rely on those who DO have a solid, boots-on-the-ground understanding of all the major and minor pieces, as well as all of the nuances of the HIPAA privacy rules, and can assist you on an as-needed basis. 


Let’s say that you’re a practice manager, and you’ve been served with a subpoena for copies of the records of one of your patients.  Did you know that you are required by the HIPAA Privacy Rules to ensure that whoever signed the subpoena has made all other parties aware of the subpoena and provided them with an opportunity to object?  That’s one of the nuances of HIPAA.  And I’ll bet it wasn’t included in that 30-minute training some consultant, with little or no healthcare or compliance experience, sold you.


Did you pay $100s for HIPAA training?  Bought some of those “official HIPAA forms” (no such thing, by the way)?  Did you buy a copier from some company who claimed that their copier (and faxes, and scanners, etc.) were “HIPAA compliant”?  Oops, sorry, there’s no such thing as a “HIPAA-compliant” copier.  (Believe me, you’re not alone — lots of money has been made using the “HIPAA compliant!” label. . .)


If paying all that money for HIPAA training had been enough to keep practices from complaints, then there wouldn’t be 41,000+ complaints filed with HHS in five-plus years. 


That your practice may not have had any complaints doesn’t tell me whether your staff understands their roles regarding HIPAA; it just tells me that your patients don’t know their rights.  Yet.  But that’s changing.  HHS is now getting hundreds more complaints every month.


I’ve been the Privacy Officer responsible for implementation and compliance with the HIPAA Privacy & Security Rules for a large healthcare system for the past six years: 300 beds, 1.5M clinic visits per year, and 6,000+ employees.  THAT’S what gives me a very solid understanding of all the major and minor pieces, not to mention the nuances, of HIPAA Privacy & Security.  The proof is in the pudding — in the past 12 months we’ve had 17 privacy complaints; ten of them were without merit.  Not too shabby.


I’m setting up a HIPAA Privacy & Security practice.  I’ll be offering information based on real experience, with real complaints, and real solutions.  And I’ll be steering you away from almost anything claiming that it’s “HIPAA compliant.”  When it comes to Privacy & Security compliance, most of it relies on the behavior of your staff, and the rest just isn’t that hard.


Keep me in mind.


I blog regularly about HIPAA issues.  If you have a question about either the privacy or security rules, or if you’re having a problem with one of your providers (or one of your patients), email me directly at hipaadiva@yahoo.com.  It would be my pleasure to help you.


Why – You Look Like You Need an Authorization!

Nothing personal, but you really do need an authorization. An authorization signed by you, that can be used by your family members, significant others, and close friends in the event that something happens to you and you are either unconscious, or a physician has declared you to be not competent to make decisions about your care, can be a very handy little item to have.

And not just any old authorization, either. You need one that has all the elements required by the HIPAA Privacy Rules.

Just like me, you probably are relatively healthy, maybe a little high cholesterol and a little too much padding, but really, you’re okay. So you’re thinking no, you really don’t need to carry around an authorization. Umm, yes, you do. And here’s why.

What if you get hit by a bus on the way home tonight? Highly unlikely, and certainly we don’t want this to happen, but stay with me on this. You get hit by a bus, you’re taken to the best Emergency Department in the area, and your husband is called. He comes to the ED, and starts to ask questions about you: how are you, can he see you, what is happening or going to happen to you, etc.

Now, let’s say at this hospital the staff have been trained with respect to the HIPAA Privacy Rules. But, they’ve been badly trained. They think that they can’t talk to your husband about you, because that would be “against HIPAA.”

Or, worse, the staff have been well-trained in the HIPAA Privacy Rules but they just don’t feel like dealing with your husband, so they tell him that they can’t talk to him about you, once again because that would be “against HIPAA” and a violation of your privacy.

Think it can’t happen to you? I sincerely hope it doesn’t. But, it’s in your best interest, and that of your family, too, for you and all adult members of your family to have an authorization on hand that can be used in the event that you are unable to make a decision about your healthcare.

The HIPAA Privacy Rules have some very specific requirements regarding what needs to be included in a valid authorization – one that will be honored by that hospital or any of your healthcare providers, insurance companies, etc. Let’s go through them.

Per the HIPAA Privacy Rules (see 45 CFR 164.508[c][1]-[3]), the authorization must include all of the following items:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion: what stuff can your healthcare provider disclose to whoever you’ve named in the authorization?

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure: that would be you.

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure: that would be your family members, next of kin, significant other(s), close friends, etc. – who can the hospital or healthcare provider disclose your healthcare information to? (Be sure to include your name here. Trust me.)

4. A description of each purpose of the requested use or disclosure. The statement “at my request” is a sufficient description of the purpose when you initiate the authorization and do not, or elect not to, provide an additional statement of the purpose. So either state “at my request” (or similar verbiage), or spell out in plain language the reason why you are authorizing healthcare information about you to be disclosed.

5. An expiration date or an expiration event that relates to the individual (you) or to the purpose of the use or disclosure: statements such as “end of the research study,” “none,” “December 31, 2010,” or similar language are all okay.

6. Your signature and the date. (Note: If the authorization is signed by a personal representative of the individual [for example, by a parent or guardian of a minor], include a description of the representative’s authority to act for the individual.)

7. A statement regarding your right to revoke the authorization in writing.

8. The exceptions to the right to revoke and a description of how you may revoke the authorization.

9. A statement that the covered entity (healthcare provider, hospital, etc.) may not condition treatment, payment, enrollment or eligibility for benefits on whether you sign the authorization: this means they cannot refuse to treat you just because you didn’t sign an authorization (not useful for you in most situations, but nonetheless a requirement).

10. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart: this means that you agree that if the hospital, for example, discloses information about you to your significant other – then the hospital is not responsible if your significant other subsequently discloses your information (gossips) to someone else.

11. The authorization must be written in plain language. Yeah.

Here are my recommendations: all adult members of your family, your significant others, and/or close friends, attorney, etc., should have a copy of your authorization for them to obtain healthcare information about you in the event that you are incapacitated, or incompetent, or even just to pick up your latest prescription. And, just as important, you should encourage them to have authorizations, too, with the names of all the individuals they would like to be able to obtain healthcare information about them in the event that they become incapacitated or incompetent, etc.

An authorization DOES NOT replace a medical power of attorney – you should ensure that all adult members of your family have a signed medical power of attorney prepared by a competent attorney in your state.

But, for situations in which a person may be unconscious or otherwise temporarily unable to authorize a disclosure of their current health situation to another family member or friend, having an authorization in your pocket or purse can save everyone a lot of stress and upset.

If you would like a copy of a HIPAA-proof blank authorization that you can use, email me at hipaadiva@yahoo.com, and I’ll send you one, for free. This offer is only valid until I get my website online; when it’s ready to go then I’ll be offering these authorizations for a fee.

I blog here fairly regularly on all subjects related to patient privacy, the HIPAA Privacy & Security Rules, patient advocacy, etc. I invite you to send me any questions you may have about your medical records, healthcare privacy rights, etc., to hipaadiva@yahoo.com.

If you happen to be a nurse or nursing student, check out cathylwhite.wordpress.com for information about legal issues affecting nurses.

$100,000 HIPAA Fine – Way Too Little, and Way Too Late

After more than five – FIVE – years of the HIPAA rules, and bazillions of small private practices of doctors, dentists, chiropractors, optometrists, shrinks, etc., NOT being compliant with the rules, and bazillions more patients who have no clue what their HIPAA healthcare privacy rights are, HHS finally got off their heinie and fined a hospital system in Washington State because it kept leaving those pesky laptops lying around, getting stolen, and not doing anything about it.  More than 386,000 patients’ healthcare information was lost on those laptops.  (Note to self — hasn’t almost every loss of patient information lately been due to the loss of a laptop?  Must investigate why hospitals let members of their workforce walk out the door with laptops full of patient data. . .)

But wait – what’s that you say?!  It’s not a fine??  Why, by gosh and by golly, you’re right.  HHS has declined to call this a “fine” – they’re calling it a Resolution Amount.  Oh.  Yeah, that makes it all better.

Here’s how HHS describes it: “In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006. . .

“On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, alerted patients to the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

“As a result, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.”

After pulling up the handy calculator that Microsoft® XP® so nicely provides, I’ve calculated that each patient’s healthcare info was worth, let’s see, 100,000 divided by 386,000 = about .259; which is 25.9¢.  Is that right?  Let’s check: (.259)(386,000) = 99,974.  Okay, close enough.

What this means is, if you were one of those folks whose healthcare information was stolen because Seattle-based Providence Health & Services couldn’t get its act together over a more than two-year period and ENCRYPT the data contained on the laptops, tapes, etc., or even PREVENT them from being stolen in the first place (GPS locator, anyone?  Sheesh, even my cell phone has one.), your healthcare info was worth a measly 25.9¢. 

All I can say is: wow.

Whether you’re a Democrat or a Republican or a Libertarian, or a Green, or an Independent, etc., a radical change in leadership at the level of the Cabinet position of Secretary of Health & Human Services (HHS) is called for.  Your and your family’s health information has got to be worth more than a little over a quarter.  Really.

So, think carefully and VOTE.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’ve got a question about the privacy of your healthcare records, email me at hipaadiva@yahoo.com.  I would be happy to help you if I can.


HIPAA Complaints — Yes, We Have Some Statistics, and You’re Not Alone

HIPAA privacy and security complaint statistics have been made available for June.  You may not realize it, but the federal HIPAA Privacy program is administered by Health & Human Services (HHS) Office of Civil Rights (OCR). 

Let’s see how things are going.

June 2008 — OCR received 849 HIPAA privacy complaints.  Ouch.

OCR pegged 256 cases that required some kind of action by the HIPAA covered entity (that would be a provider, a hospital, an insurance plan, folks like that who work with your protected health information).  If all 256 of those cases were filed in June, it means that a quick look-see at the complaints, just for June, reveals at least 30% of them will require that the provider or hospital or health plan DO SOMETHING to protect your health information.

OCR made one referral to the Department of Justice for potential prosecution.  Not bad, especially considering that OCR has referred 436 cases to DOJ since April 2003.  We can interpret this one of two ways: either the bad guys are getting better at getting away with stealing your protected health information, or providers, hospitals, and health plans are getting better at protecting it.  (I wouldn’t put any money on the second possibility.)

The most common HIPAA privacy complaints were:

—  Unauthorized disclosures of protected health information

—  Safeguard issues — the doctors, or practices, or health plans, etc., were not taking as good care of your protected health information as they probably should

—  Denial of patient requests for copies of their medical records

—  Disclosing too much protected health information 

—  Utilizing invalid authorizations for disclosing protected health information (I’ll explain more about valid authorizations in a future post)

In order, here are the offenders:

—  Private practices

—  Hospitals

—  Outpatient (day surgery) facilities

—  Health Plans (group health plans and health insurance companies)

—  Pharmacies (a small surprise, right?)

The HIPAA Security Rules are administered by CMS — the folks who bring you Medicare.  They received 10 complaints in May — a very big jump for them.

Got a question about your or your family’s protected health information, your medical records, or your HIPAA Privacy & Security rights?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  I’m here to help.  BTW, all posts on my blog, written by me, are (c) 2008 Lane R Hatcher.  If you’d like to reprint, contact me!  And yes, I’m working on a web site.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.