Health IT Privacy and Security Guide Released by ONC
The government, via the Office of the National Coordinator for Health IT (ONC), has issued a new set of guidelines on Privacy and Security of Protected Health Information. The update to the guidance was made in the most part to facilitate the interoperable exchange of healthcare data but also to improve cybersecurity defenses and the understanding of HIPAA Rules, in addition to outlining the core objectives of Stage 2 of the Meaningful Use program. The guidelines set out to explain why PHI must be protected and convey that HIPAA compliance is a responsibility that is shared between everyone employed in the healthcare industry. Advice is provided on how compliance can be achieved under the Health Insurance Portability and Accountability Act and best practices are outlined that should be adopted by Medicare Eligible Professionals (EPs) and HIPAA –covered entities (CEs). The guidelines were last updated in 2011 so an update has been long overdue, especially in light of the 2014 EHR Certification Rule which, like the HIPAA Privacy Rule, allows patients the opportunity to access their...
Denton County Health Dept Reports HIPAA Data Breach
On February 13, 2015, an employee of the Denton County Health Department inadvertently violated the Health Insurance Portability and Accountability Act (HIPAA) when a USB drive was left at a printers shop. The drive contained a personal document that the employee wanted the shop staff to print. The drive also contained the unencrypted Personal Health Information (PHI) of 874 patients who had received medical services through Health Department’s tuberculosis (TB) clinic. The data included the names of patients along with their TB test results; addresses; dates of birth and other PHI. No Social Security numbers were stored on the drive, nor any financial information. Since Personal Identifiers and Health Information have potentially been exposed and the incident involved more than 500 patient records, Denton County Health Department is obliged to report the data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The HIPAA Breach Notification Rule also requires Notification Letters to be sent to all affected individuals within 60 days of the...
Criticism of ONC’s EHR Interoperability Plan Builds
The Office of the National Coordinator for Health IT proposed an Interoperability Roadmap in January this year, to help the healthcare industry achieve the benefits that should come from moving over to electronic health record (EHR) systems. The ultimate aim of the plan is to create an environment where medical professionals can share data on patients and access medical information quickly and easily, which in turn should have an important impact on patient outcomes. After the issuing of the first draft, the ONC invited healthcare providers and other holders of healthcare data to read the roadmap and send in comments. That comment period ended on April 3, and many healthcare organizations took the opportunity to help the ONC achieve its goal. Criticism has been constructive and a number of concerns have been raised. Timescale for Critical Actions The Interoperability Roadmap calls for a number of actions to be taken by both stakeholders of healthcare organizations as well as industry regulators. These measures are critical to the overall success of the Interoperability Plan and are...
HIPAA Violation Charge for ProMedica Bay Park Hospital Employee
Criminal prosecutions for HIPAA violations hospital employees are a relatively uncommon occurrence, although another case has recently resulted in legal action with a former employee of ProMedica Bay Park Hospital charged with HIPAA violations for inappropriately accessing 596 patient records. Jamie Knapp was indicted by a federal grand jury in Ohio for unlawfully viewing and obtaining protected identifiable healthcare data and for accessing of a protected computer without authorization. The penalty for these charges is a fine of up to $500,000 and a prison term up to 10 years if prosecutors determine that PHI was taken for personal gain. The inappropriate accessing of PHI is alleged to have occurred between April 1, 2013 and April 1, 2014. A police investigation was conducted last summer after the breach was discovered and Knapp was determined to be the employee responsible for the breach. The data compromised in the incident included patient names and dates of birth as well as Protected Health Information including hospital visit numbers, physician names, medications prescribed,...
American Hospital Association Advises ONC HIPAA is Sufficient
Critics of level of data security required under HIPAA legislation are calling for even greater demands to be placed on holders of Protected Health Information (PHI). Improved security and privacy controls would make it harder for cybercriminals – and other data thieves – from obtaining healthcare data. The Interoperability Roadmap of the Office of the National Coordinator is intended to help achieve nationwide secure health data exchange involving the EHR systems that have now been implemented by many healthcare organizations. The roadmap calls for changes to be made to the existing framework of rules and regulations to improve cybersecurity controls to help achieve interoperability. The American Hospital Association (AHA) disagrees. AHA Voices Opinion on the ONC Interoperability Roadmap The ONC published a draft of the Roadmap back in January and invited healthcare organizations to submit comments. It will assess the feedback it receives before releasing the final version of the Interoperability Roadmap. The ONC has received criticism from many quarters over the first draft, with...



