LogBlog

Surgeon Sentenced to Federal Prison for Violation of HIPAA

By Barbara Rogan, LogLogic General Counsel

Quick, what are the first five things you think of when I say “cardiothoracic surgeon”? I bet convicted criminal wouldn’t even be in the top 100…

On Tuesday, Huping Zhou, a cardiothoracic surgeon formerly with the UCLA Healthcare system, was convicted of 4 misdemeanor counts of violating HIPAA (here’s a link to the USAO press release: http://www.justice.gov/usao/cac/pressroom/pr2010/079.html). Apparently, after Dr. Zhou was told that his services were no longer needed for unrelated reasons, he couldn’t resist peeking into the medical records of his supervisor, many of his colleagues, and several celebrities, including Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger (http://www.cbsnews.com/8301-504083_162-20003669-504083.html), without any legal or medical reason. For his misdeeds, Dr. Zhou will serve four months in Federal Prison.

Just for fun, let’s change the facts a bit… What if Dr. Zhou, instead of working for UCLA, had worked for a third party service provider that had a contract with UCLA? Prior to 2009, Dr. Zhou would likely not have faced prosecution, as he would have been the employee of a Business Associate (i.e. an entity that provides services to health care providers) of a Covered Entity. Lots of lawyerly gobbledy-gook in that, but essentially it means that Dr. Zhou would not be heading for prison.

Seems a bit silly to change the outcome based on who Dr. Zhou worked for. Congress agreed.

In 2009 the HITECH Act extended the criminal liability portions of the HIPAA act to such business associates. Now, even under the scenario where Dr. Zhou worked for a Business Associate, he would be subject to criminal liability the same as if he worked for a Covered Entity.

We here at LogLogic have put together a summary of the key provisions of the HITECH Act (http://www.loglogic.com/solutions/compliance/hitech.php) as well as a white paper (http://www.loglogic.com/resources/white-papers/hitech-act/) on how our Log Management solutions can help. The information we have gathered and summarized is of value to any company that is a Business Associate or may be asked to be a Business Associate in the future.

Posted by Bill Roth on April 29, 2010 in Healthcare, Legal Nerd, Security

Healthcare moves out of the news cycle, but your work is just starting!

By Barbara Rogan
LogLogic General Counsel

On Tuesday, Obama signed the final piece of the health care legislation into law. At the Tuesday signing ceremony, the media focused its attention on the student loan reforms rather than the new health care provisions. Clearly, healthcare has moved out of the news cycle. Today the media and much of the news-reading public are on to other things.

However, for companies, health care reform is just starting to be implemented and there’s work to be done. Key provisions of laws passed just last year are now in effect and your business may very well be affected.

If you recall, last year, as part of the stimulus package, Congress passed and President Obama signed into law the Health Information Technology for Economic and Clinical Health Act, or HITECH Act for short. The news media at the time focused on the reforms to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as it relates to electronic health records (EHR) and the notification requirements for breaches of health records. What was not well covered were the new obligations facing Business Associates that would go into effect in February 2010.

Well, February 2010 has come and gone and the provisions affecting Business Associates are now the law of the land. Business Associates, vendors whose customers are hospitals and other health care providers and who must interact with protected health information to provide their services, must now comply with HIPAA regulations or face direct enforcement of the HIPAA obligations by the government.

Under the original HIPAA act, health care providers were required to contractually obligate Business Associates to comply with the HIPAA data privacy and protection provisions. If you were a Business Associate, you had contractual obligations and you paid contract penalties if you breached them, but you could not be sued under HIPAA directly. The HITECH act changes that. Now Business Associates face contractual obligations/penalties as well as the possibility of government enforcement of the provisions, either through civil or criminal penalties.

Because this is such a sea change in the law, we at LogLogic have put together a summary of the key provisions of the HITECH Act as well as a white paper on the topic. The information we have gathered and summarized is of value to any company that is a Business Associate or may be asked to be a Business Associate in the future.

Don’t let the news cycle fool you – health care reform and the HITECH Act are not yesterday’s news. If you are a Business Associate, it’s today’s urgent to-do.

Posted by Lex Van den Berghe on March 31, 2010 in Healthcare, Legal Nerd

Health Care Providers to Self-Police Themselves on Privacy Harm

In an article that hit the web this week, a new DHHS rule is purported to allow health care providers to determine for themselves whether their privacy breaches have caused any harm. While I understand the nature of assigning the reporting burden to healthcare companies, I don’t think this new rule is in the public’s (or patient’s) best interest. We already know that most complaints related to HIPAA are not investigated. This new provision all but ensures that most breaches will not even be reported.

Let’s not kid ourselves…although we’d all like to think that our health care organizations are worthy of our trust and good faith (and many are), when all is said and done, they are businesses and they need to keep the bottom line in mind at all times. These new “self-service” breach notification rules could put some of us on the unpleasant receiving end of what happens when the fox holds sentry over the chicken coop.

With that said, it’s worth pointing out that in a recent independent survey of several hundred IT practitioners in the healthcare industry, a whopping 80 percent of the respondents reported that their organization had experienced one or more data breaches involving the loss or theft of electronic health information in the past year!

The real solution is stringent monitoring, along with input from an external party, like a privacy ombudsman. This is a model followed today by many press organizations, as well as police departments with regard to misconduct complaints.

Read the full article here: http://bit.ly/4CaTPG

Posted by Lex Van den Berghe on November 19, 2009 in Healthcare

Are IT Security Professionals the Last Line of Defense for Patient Privacy?

By Dominique Levin, EVP Marketing and Strategy

As the national debate about overhauling the $2.5 trillion United States healthcare system rages, the federal government is already investing tens of billions of dollars as part of the stimulus program to push our medical care industry to shift from paper to computer records.

In our rush to computerize patient records to reap the benefits of higher quality of care and safety, and to better control fraud, who is making sure that our private medical records are being protected?

To better understand the issues, we at LogLogic spoke with some of our largest healthcare customers about their steps to bolster patient privacy protection. We also partnered with the independent research firm the Ponemon Institute to survey 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.

According to the October 2009 Ponemon report, “Electronic Health Information at Risk: A Study of IT Practitioners,” 80 percent of healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year – four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.

The most surprising finding was that almost three-quarters of respondents said their organization had failed to make patient record protection a priority.

At LogLogic, we think this presents a unique opportunity for IT security professionals to take a leadership role in this critical national issue. There are new rules mandated by the Health Insurance Portability and Accountability Act (HIPAA) that became effective in September that are important steps towards bridging the traditional gap between “Cover Your Ass” compliance and real IT security.

To find out more highlights and read a complete copy of the Ponemon Institute study and the LogLogic healthcare customer survey, please take a moment to register at our site at www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/

In LogLogic’s interviews with senior security professionals responsible for overseeing the protection of hospital patient records, a consensus emerged that best practices in securing patient privacy go beyond HIPAA compliance. New technologies allow hospitals to more closely monitor and protect patient privacy than ever before. The recent changes in HIPAA also put more stringent requirements on medical organizations to secure patient privacy. Hospital security professionals today have a unique opportunity to be patient privacy heroes.

If you’re in the healthcare industry, do you feel you have a role to play as a privacy hero? Let us know. We want to hear from you.

Posted by Dominique Levin on October 20, 2009 in Healthcare