Thursday, September 15, 2011

90,000 Healthcare Providers Signed Up for Incentive Payments for Migrating to Electronic Medical Records Systems

90,000 hospitals and other healthcare providers are taking part in the Medicare and Medicaid electronic health records (EHR) incentive programs with 13,000 joining in August alone.
"When we launched in April, we had a trickle, and that trickle is turning into a faucet opening up a little more. If this trend holds, we’ll have the faucet fully going." - Robert Anthony, CMS’ Office of e-Health Standards and Services.
CMS issued a total of $264 million in payments in August, twice as much as paid out in July, and $652 million for the year to date.
Sources:
(a) EHR incentive program ramps up to 90,000 providers - Government Health IT, September 15, 2011


Friday, September 9, 2011

Top HIPAA Privacy and Security Rule Violation Investigations

The U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR) has just released its "Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance".

A highlight of the report is the summary of complaints received by HHS/OCR of alleged violations of the HIPAA privacy and security rules.

Privacy Rule
The most frequently investigated Privacy Rule compliance issues are:
  • impermissible uses and disclosures of PHI
  • lack of safeguards of PHI
  • denial of individuals’ access to their PHI
  • uses or disclosures of more than the minimum necessary PHI
  • inability of individuals to file complaints with covered entities
Security Rule
The most frequently investigated Security Rule compliance issues are failure to demonstrate adequate policies and procedures or safeguards to address:
  • response and reporting of security incidents
  • security awareness and training
  • access controls
  • information access management
  • workstation security
Covered Entities Required to Take Corrective Action
The most common types of covered entities that have been required to take corrective action are:
  • private practices
  • general hospitals
  • outpatient facilities
  • health plans
  • pharmacies
NOTE: for most HIPAA covered entities, compliance with the Privacy Rule was required by April 14, 2003, and compliance with the Security Rule by April 20, 2005.

Sources:
(a) Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 - U.S. Department of Health and Human Services' Office for Civil Rights, September, 2011


Thursday, September 8, 2011

Nurse Violates Privacy of 5,800 Patients Over 6 Years

What is the right frequency for patient data privacy audits?

A nurse was fired for 5,800 violations of patient data privacy dating as far back as 2004. The nurse's snooping was discovered in 2011 by a privacy audit at the hospital where she worked in North Bay, Ontario.

The nurse looked at visit histories, prescribed drugs, lab results, and other information a nurse typically uses to perform her job. But the nurse was not part of the "circle of care" for these patients, and therefore had no legitimate reason to access the medical records.
"This person was looking at information out of curiosity." - Marc Bouchard, hospital CIO and Chief Privacy Officer
Once the massive privacy breach was discovered, the nurse was interviewed. She is said to have admitted she had no legitimate reason to be looking at the records. Afterwards she was dismissed.

Further investigation led the hospital to believe that the information inappropriately accessed by this employee was not released to other staff or beyond the hospital and that patient care was never negatively affected.
"It is the health centre’s goal to ensure that necessary health information is readily available to appropriate caregivers to ensure patient safety and quality of care, but that it is not disclosed beyond the circle of care‐givers." - Pat Stephens, hospital spokesperson
As required by the Personal Health Information Protection Act, the hospital has contacted each affected patient to inform them of the breach of their personal health information and has reported the incident to the Information and Privacy Commission of Ontario. In addition, the hospital plans to implement more rigorous audits to detect attempts to inappropriately access health care information.

While that situation is, hopefully, an extreme example, it raises the question of how frequently patient data privacy audits should be performed. The question is not how often your current resources allow you to perform audits: if you could magically receive an audit of suspicious access to patient data across all patients, what would be your preferred frequency?

Your thoughts? Feel free to post your comments anonymously.
Sources:
(a) Breach of Privacy Occurs at North Bay Regional Health Centre Affecting 5,800 Patients - North Bay Regional Health Centre, September 6, 2011
(b) Nurse fired after breach of privacy at hospital, 5,800 patients affected - The Nugget, September 6, 2011


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.