IHealth Beat e-newsletter today is reporting an incident involving a stolen computer involving a Houston, TX area hospital in which 16,000 patient records might be compromised.
This type of incident shows the vulnurability of laptop computers, hand held devices and other mobile technology. It is not clear from the article that these were laptops -- in fact they might have been desktop systems since they were at a third party vendor's location as a part of a coversion process from paper to electronic health records.
The article citing an article in the April 26, 2005, Houston Chronicle states: Christus St. Joseph Hospital in Houston is informing 16,000 patients that their medical records and Social Security numbers may have been on a computer that was stolen in January, the Houston Chronicle reports. The computer was one of two machines stolen from Gateway File Systems, which was digitizing paper medical records for the hospital.
Hospital officials say evidence shows that the thieves were interested in the computers and not the data on them and that there is no indication that anyone's identity has been compromised, the Chronicle reports. The medical data on the computer were password-protected and encrypted. The hospital has terminated its contract with Gateway File Systems, said India Chumney Hancock, a hospital spokesperson.
According to the hospital's letter to patients, the only records that may have been affected are for patients who sought treatment in the emergency department in 2004; patients who sought outpatient services in radiology, sports medicine and rehabilitation from August through September 2003 and April through June 2004; and patient charts from 2001.
Hancock said the data on the stolen computer represents less than 1% of all the hospital's patient records, the Chronicle reports. The second stolen machine did not contain health records, said Gateway File Systems CEO Brian Harper (Crowe, Houston Chronicle, 4/26).
Tuesday, April 26, 2005
Monday, April 18, 2005
DHHS Issuing Proposed Rule On HIPAA Enforcement on April 18, 2005
The American Health Lawyers Association (AHLA) is reporting today that the Department of Health and Human Services (DHHS) has issued the final installment of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule on the imposition of civil money penalties for violations of the standards promulgated under HIPAA's Administrative Simplification provisions.
The proposed rule would make existing rules related to HIPAA enforcement applicable to all Administrative Simplification rules, not just the Privacy Standards.
The proposed rule completes the Enforcement Rule by addressing, among other things, the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeals process. Comments on the proposed rule are due sixty days after its publication in the Federal Register.
A full copy of proposed rule can be found via today's Federal Register here. You can also obtain a copy of the proposed rule at the Office for Civil Right, DHHS website here: http://www.hhs.gov/ocr/hipaa/enforNPRM.pdf.
The proposed rule would make existing rules related to HIPAA enforcement applicable to all Administrative Simplification rules, not just the Privacy Standards.
The proposed rule completes the Enforcement Rule by addressing, among other things, the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeals process. Comments on the proposed rule are due sixty days after its publication in the Federal Register.
A full copy of proposed rule can be found via today's Federal Register here. You can also obtain a copy of the proposed rule at the Office for Civil Right, DHHS website here: http://www.hhs.gov/ocr/hipaa/enforNPRM.pdf.
Tuesday, April 12, 2005
Security Breach Information for those of you who are alumni, parents or friends of Tufts University
One of my colleagues from the American Health Lawyers Association alerted me to an April 8, 2005 letter issued by the Vice President for Institutional Advancement for Tufts University.
If you are an alum or friend of the University you can get additional security information about the Tufts University security matter here.
Yet another example of the a recent security and privacy related breach involving personal data. This is about the fourth or fifth incident that I have seen at a college or university over the same number of months.
I just hope my alma mater -- Bethany College and the West Virginia University College of Law take note of these events and make sure that their respective systems are secure and confidential data maintained on alumi and friends of the institution is protected.
If you are an alum or friend of the University you can get additional security information about the Tufts University security matter here.
Yet another example of the a recent security and privacy related breach involving personal data. This is about the fourth or fifth incident that I have seen at a college or university over the same number of months.
I just hope my alma mater -- Bethany College and the West Virginia University College of Law take note of these events and make sure that their respective systems are secure and confidential data maintained on alumi and friends of the institution is protected.
Update on LexisNexis Privacy & Security Breach
Today Yahoo News is reporting that a larger pool of U.S. Citizens were impacted by the privacy and security breach reported by LexisNexis last month. For more details on the announced privacy breach you can read my post on the orginal report by Lexis Nexis in March, 2005.
Originally LexisNexis reported that the matter involved only 32,000 individuals but now is reporting that the personal information of 310,00 U.S. citizens may have been stolen.
According to the article, "An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers."
LexisNexis issued an April 12, 2005 press release on the results of its preliminary investigation. The press release is titled "LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access".
Originally LexisNexis reported that the matter involved only 32,000 individuals but now is reporting that the personal information of 310,00 U.S. citizens may have been stolen.
According to the article, "An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers."
LexisNexis issued an April 12, 2005 press release on the results of its preliminary investigation. The press release is titled "LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access".
Medical and Health Data Privacy & Security Breach Reported
Another privacy and security breach was reported last week by MSNBC News and other news sources on April 8, 2005. The article from MSNBC can be found here.
This one involved a "low tech" approach involving the theft of laptop computers which contained sensitive patient data and health information, inclduing, names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories.
According to the article, "San Jose Medical Group began sending letters to current and former patients in California earlier this week after thieves stole two office computers on March 28. The computers contained names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories. It was unclear whether any patients have become victims of identity theft, police said...."
This one involved a "low tech" approach involving the theft of laptop computers which contained sensitive patient data and health information, inclduing, names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories.
According to the article, "San Jose Medical Group began sending letters to current and former patients in California earlier this week after thieves stole two office computers on March 28. The computers contained names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories. It was unclear whether any patients have become victims of identity theft, police said...."
Thursday, April 07, 2005
Charleston Daily Mail Editorial Comment by Roane General Hospital Nurse
Today's Charleston Daily Mail contained the following editorial concerning the implementation of the privacy rule under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") written by Peggy Engelkemier, R.N. from St. Albans who works at Roane General Hospital. The editorial echos the frustrations that health care providers have faced trying to understand and practically implement the requirements under HIPAA. It also points out that many patients as health care consumers remain uninformed about what impact the regulations have on the handling of their own health information.
Following is a copy of the editorial from the April 7, 2005 Charleston Gazette:
Following is a copy of the editorial from the April 7, 2005 Charleston Gazette:
Many patients don't understand the privacy rulePrior to the April 2003 implementation of the privacy rule, all health care providers were instructed to read, comprehend and educate their employees on the rule.
The complexity of the rule and lack of governmental guidance led to confusion, frustration and wasted resources.
Still, health care providers, threatened with civil and criminal penalties for noncompliance, attempted to educate their employees on the privacy rule.
Many employees were educated through brief encounters with privacy officers or referred to volumes of policy manuals.
This added to the existing confusion and resulted in inconsistencies among employees of the same entity. Again, fear of noncompliance drove health care providers to attempt to educate their consumers on the privacy rule.
Many health care providers educate consumers through their written Privacy Practices Notice. However, many consumers do not read the notice and remain uninformed of the benefits of the rule.
The government's poor implementation of the privacy rule has resulted in confused, frustrated health care providers and uninformed, dissatisfied consumers. Most importantly, consumers have not been able to reap the benefits of the new privacy safeguards.
Consumers must believe that the health care system safeguards their protected health information. Only then will individuals seek care without the fear of health information disclosure.
Peggy Engelkemier, R.N.St. Albans
Engelkemier works at Roane
General Hospital
Patient privacy goes blowing in the wind
MSNBC and the Associated Press reports that about 3,000 highly detailed patient hospital statements and records from the Cleveland Clinic blew across busy downtown streets and sidewalks Tuesday after a box fell off a delivery truck.
The patient statements included patient names, patient numbers, home addresses, insurers and policy numbers, treating physicians, admission and discharge dates and detailed billing information.
According to the news report the Cleveland Clinic was in the process of contacting all affected patients on Wednesday. The records were from two members of the Cleveland Clinic Hospital System — Lakewood and Marymount hospitals.
This is just one more example of recent reports involving the accidental release of medical and health information. This release is more traditional in the sense that it involved the release of paper data rather than a release or failure of securing electronic health data.
The patient statements included patient names, patient numbers, home addresses, insurers and policy numbers, treating physicians, admission and discharge dates and detailed billing information.
According to the news report the Cleveland Clinic was in the process of contacting all affected patients on Wednesday. The records were from two members of the Cleveland Clinic Hospital System — Lakewood and Marymount hospitals.
This is just one more example of recent reports involving the accidental release of medical and health information. This release is more traditional in the sense that it involved the release of paper data rather than a release or failure of securing electronic health data.
Friday, April 01, 2005
AHIMA - Health Information Privacy and Security Week
The American Health Information Management Assocition (AHIMA) is sponsoring April 10–16, 2005, as National Health Information Privacy and Security Week. The national event is intended to highlight the importance of protecting the privacy and security of patient information. For more information about the event go here.
Privacy Officer may want to take a look at these suggested AHIMA ideas for Privacy and Security Week activities.
As more and more data moves from paper to electronic there is a greater need to make sure that health data is maintained securely and privately. As we have seen in some very high profile breach of privacy cases in the last few months there is an ever increasing need for those in the health care industry to scrutinize and take seriously privacy and security issues.
Privacy Officer may want to take a look at these suggested AHIMA ideas for Privacy and Security Week activities.
As more and more data moves from paper to electronic there is a greater need to make sure that health data is maintained securely and privately. As we have seen in some very high profile breach of privacy cases in the last few months there is an ever increasing need for those in the health care industry to scrutinize and take seriously privacy and security issues.
Wednesday, March 30, 2005
Medicare Proposes Updates to the Hospital Conditions of Participation
Below is a copy of the press release from The Centers for Medicare & Medicaid Services (CMS) regarding the proposed rule published in the Federal Register on March 25, 2005 modifying four of the current hospital conditions for participation (CoP).
The Federal Register version of the proposed rule can be found here. The final rule will be published after comments are received and reviewed by CMS. Comments on the proposed rule can be made either electronically or mail and must be submitted by May 24, 2005.
The proposed rule codifies earlier guidance issued by CMS's Survey & Certification Group on January 28, 2002, "Clarification of Hospital Admission and Presurgical History and Physical Examination (H&P) Requirements". The proposed rule states "[t]his proposed rule would codify the guidance provided in the January 28, 2002 memorandum . . . ."
One issue that I have already seen discussed among some of my health care lawyer colleagues is whether the proposed rule conflicts with JCAHO's H&P Update Requirements (see below) announced on December 3, 2004. I have yet to fully review this issue but it may be one worth looking at if you consider submitting comments on the proposed rule.
MEDICARE NEWS
For Immediate release
CMS Office of Media Affairs
March 24, 2005
MEDICARE PUBLISHES PROPOSED RULE UPDATING HOSPITAL CONDITIONS OF PARTICIPATION
The Centers for Medicare & Medicaid Services (CMS) today announced a proposed rule to alleviate hospitals of overly burdensome regulations and allow doctors and nurses to focus more time and energy on patient care.
The proposed rule would revise requirements in the hospital conditions of participation (CoPs) for completion of history and physical (H&P) examinations, authentication of verbal orders, securing medications, and completion of post anesthesia evaluations.
"Based on extensive input from health professionals and the health care community, we are proposing to revise some specific aspects of our regulations to provide better support of the delivery of high-quality, up-to-date care at a lower cost," said CMS Administrator Mark B. McClellan, M.D., Ph.D.
These revisions were contained in the notice of proposed rule making (NPRM) published December 19, 1997, entitled "Medicare and Medicaid Programs; Hospital Conditions of Participation; Provider Agreements and Supplier Approval," which contained extensive revisions to the entire set of hospital CoPs. Other changes in the hospital CoPs are coming, building on these steps to avoid unnecessary burdens while promoting high-quality care.
"To keep up with changes in effective medical practice, we believe it is in the interest of the health care community as a whole for us to move forward with these changes," McClellan said.
The revised requirements include:
* H&P examination. The proposed requirement would expand the number of permissible practitioners who may perform the H&P and the time frame for its completion.
* Authentication of verbal orders. This regulation would require that all orders, including verbal orders, must be dated, timed, and authenticated by a practitioner responsible for the care of the patient. During a five year transition period from publication of the final rule, it would allow all orders, including verbal orders, to be dated, timed and authenticated by the prescribing practitioner or another practitioner responsible for the care of the patient. This would respond to public comments, reduce burden, and provide flexibility for hospitals in meeting the requirements for authentication of verbal orders. CMS expects that sunsetting this flexibility after a five year period is sufficient time for the adoption of changes in health care information technology to make it easy for prescribing practitioners to authenticate all of their own orders in a timely fashion. Additionally, the proposed rule states that in the absence of a State law specifying the timeframe for authentication of verbal orders, verbal orders would need to be authenticated within 48 hours. Finally, this requirement clarifies and reinforces current regulations regarding who may accept verbal orders, authentication of all orders for drugs and biologicals, and authentication of medical record entries.
* Security of Medications. This regulation requires that all drugs and biologicals be kept in secure areas, or locked when appropriate, to prevent unauthorized persons from obtaining access. This regulation addresses community concerns, provides flexibility for hospitals in determining control of nonscheduled drugs and biologicals, and is more patient-focused and outcome-oriented than the current requirement.
* Post anesthesia evaluation. This requirement permits the post anesthesia evaluation for inpatients to be completed and documented by any individual qualified to administer anesthesia. The current CoP requires that the individual who administers the anesthesia do this evaluation.
The intent of this proposed rule is to ensure that our requirements are consistent with current standards of practice, to provide hospitals and practitioners greater flexibility in meeting the needs of patients, and to reduce unnecessary regulatory burden for hospitals.
JCAHO's H&P Update Requirements December 3, 2004 (JCAHO's FAQ section for hospitals)
December 3, 2004H & P Update Requirements
Q: What are the requirements for histories and physical examinations and any updates?
A: The H & P must be performed within 24 hours of the inpatient admission (PC.2.120 EP 2) or you can utilize one that was performed up to 30 days prior to the inpatient admission or the outpatient services for which your medical staff per MS.2.10 EP 11 has determined require an H & P. It must be performed by a practitioner who has been granted privileges to do so (MS.2.10 EP 8). In 2004 at PC.2.120 EP 7 an update (by an LIP with privileges to perform H & Ps) is required at the time of admission when using an H & P that was performed before admission. This is different than in 2003 when the update was only needed when there were significant changes or the H & P was 8 - 30 days old as required by CMS. However, since the entire H & P must be performed and documented (in the format and location defined by the organization) and in the record within 24 hours, when using an H & P that was performed prior to admission or the outpatient procedure, the update can also be within 24 hours of the inpatient admission or at the time of the outpatient services for which your medical staff has determined require an H & P.
In addition the method (s) used to evaluate the patient to identify the need for any update to their condition and the detail and location of the update documentation would be defined by the organization. The admission H & P is good for the entire length of stay. There has never been a requirement for an update to the H & P within 24 hours prior to inpatient surgery. Any changes in the patient's condition prior to surgery would be documented in the progress notes.
The Federal Register version of the proposed rule can be found here. The final rule will be published after comments are received and reviewed by CMS. Comments on the proposed rule can be made either electronically or mail and must be submitted by May 24, 2005.
The proposed rule codifies earlier guidance issued by CMS's Survey & Certification Group on January 28, 2002, "Clarification of Hospital Admission and Presurgical History and Physical Examination (H&P) Requirements". The proposed rule states "[t]his proposed rule would codify the guidance provided in the January 28, 2002 memorandum . . . ."
One issue that I have already seen discussed among some of my health care lawyer colleagues is whether the proposed rule conflicts with JCAHO's H&P Update Requirements (see below) announced on December 3, 2004. I have yet to fully review this issue but it may be one worth looking at if you consider submitting comments on the proposed rule.
MEDICARE NEWS
For Immediate release
CMS Office of Media Affairs
March 24, 2005
MEDICARE PUBLISHES PROPOSED RULE UPDATING HOSPITAL CONDITIONS OF PARTICIPATION
The Centers for Medicare & Medicaid Services (CMS) today announced a proposed rule to alleviate hospitals of overly burdensome regulations and allow doctors and nurses to focus more time and energy on patient care.
The proposed rule would revise requirements in the hospital conditions of participation (CoPs) for completion of history and physical (H&P) examinations, authentication of verbal orders, securing medications, and completion of post anesthesia evaluations.
"Based on extensive input from health professionals and the health care community, we are proposing to revise some specific aspects of our regulations to provide better support of the delivery of high-quality, up-to-date care at a lower cost," said CMS Administrator Mark B. McClellan, M.D., Ph.D.
These revisions were contained in the notice of proposed rule making (NPRM) published December 19, 1997, entitled "Medicare and Medicaid Programs; Hospital Conditions of Participation; Provider Agreements and Supplier Approval," which contained extensive revisions to the entire set of hospital CoPs. Other changes in the hospital CoPs are coming, building on these steps to avoid unnecessary burdens while promoting high-quality care.
"To keep up with changes in effective medical practice, we believe it is in the interest of the health care community as a whole for us to move forward with these changes," McClellan said.
The revised requirements include:
* H&P examination. The proposed requirement would expand the number of permissible practitioners who may perform the H&P and the time frame for its completion.
* Authentication of verbal orders. This regulation would require that all orders, including verbal orders, must be dated, timed, and authenticated by a practitioner responsible for the care of the patient. During a five year transition period from publication of the final rule, it would allow all orders, including verbal orders, to be dated, timed and authenticated by the prescribing practitioner or another practitioner responsible for the care of the patient. This would respond to public comments, reduce burden, and provide flexibility for hospitals in meeting the requirements for authentication of verbal orders. CMS expects that sunsetting this flexibility after a five year period is sufficient time for the adoption of changes in health care information technology to make it easy for prescribing practitioners to authenticate all of their own orders in a timely fashion. Additionally, the proposed rule states that in the absence of a State law specifying the timeframe for authentication of verbal orders, verbal orders would need to be authenticated within 48 hours. Finally, this requirement clarifies and reinforces current regulations regarding who may accept verbal orders, authentication of all orders for drugs and biologicals, and authentication of medical record entries.
* Security of Medications. This regulation requires that all drugs and biologicals be kept in secure areas, or locked when appropriate, to prevent unauthorized persons from obtaining access. This regulation addresses community concerns, provides flexibility for hospitals in determining control of nonscheduled drugs and biologicals, and is more patient-focused and outcome-oriented than the current requirement.
* Post anesthesia evaluation. This requirement permits the post anesthesia evaluation for inpatients to be completed and documented by any individual qualified to administer anesthesia. The current CoP requires that the individual who administers the anesthesia do this evaluation.
The intent of this proposed rule is to ensure that our requirements are consistent with current standards of practice, to provide hospitals and practitioners greater flexibility in meeting the needs of patients, and to reduce unnecessary regulatory burden for hospitals.
JCAHO's H&P Update Requirements December 3, 2004 (JCAHO's FAQ section for hospitals)
December 3, 2004H & P Update Requirements
Q: What are the requirements for histories and physical examinations and any updates?
A: The H & P must be performed within 24 hours of the inpatient admission (PC.2.120 EP 2) or you can utilize one that was performed up to 30 days prior to the inpatient admission or the outpatient services for which your medical staff per MS.2.10 EP 11 has determined require an H & P. It must be performed by a practitioner who has been granted privileges to do so (MS.2.10 EP 8). In 2004 at PC.2.120 EP 7 an update (by an LIP with privileges to perform H & Ps) is required at the time of admission when using an H & P that was performed before admission. This is different than in 2003 when the update was only needed when there were significant changes or the H & P was 8 - 30 days old as required by CMS. However, since the entire H & P must be performed and documented (in the format and location defined by the organization) and in the record within 24 hours, when using an H & P that was performed prior to admission or the outpatient procedure, the update can also be within 24 hours of the inpatient admission or at the time of the outpatient services for which your medical staff has determined require an H & P.
In addition the method (s) used to evaluate the patient to identify the need for any update to their condition and the detail and location of the update documentation would be defined by the organization. The admission H & P is good for the entire length of stay. There has never been a requirement for an update to the H & P within 24 hours prior to inpatient surgery. Any changes in the patient's condition prior to surgery would be documented in the progress notes.
Tuesday, March 29, 2005
West Virginia HCA Hospitals "For Sale"
An article in today's Charleston Gazette reports that HCA has put its West Virginia hospital up for sale, including St. Francis Hospital in Charleston, Putnam General Hospital in Teays Valley, St. Joseph's Hospital of Parkersburg and Raleigh General Hospital in Beckley.
The article states that that no buyer or buyers have currently been identified but that the HCA wants the sale to be completed by the 4th quarter of 2005. The article states that HCA is selling the West Virginia hospitals along with a group of 6 other hospitals, including two hospitals in Tennessee and one each in Virginia, Louisiana, Oklahoma and Washington. According to HCA it is selling these particular hospitals in rural markets so that it can continue its trend to focus on large urban and suburban markets.
HCA's press release on the sale of the 10 hospitals states as follows:
HCA also announced its intention to divest 10 acute care hospitals located in six states. The 10 hospitals are located primarily in rural and small urban markets, in contrast to the majority of the Company's remaining hospitals which are located in large urban or suburban markets.
"The divestitures will allow the Company to redeploy capital to support our hospitals in growing urban markets," stated Jack O. Bovender, Jr., HCA's Chairman and CEO. "These facilities are viable community assets. We believe that increased focus and attention and the ability to continue to successfully compete for capital should provide these facilities the best opportunity for success in the future. Many of the facilities to be divested have been a part of HCA for several years and, although it was a difficult decision, we believe the divestitures are in the best long-term interests of the Company, the affected hospitals and their local communities."
As a group, the 10 hospitals to be divested had 2004 net revenues of $654 million. Hospital divestiture list:
1. Clinch Valley Medical Center, Richlands, VA 200 beds
2. Grandview Medical Center, Jasper, TN 70 beds
3. River Park Hospital, McMinnville, TN 127 beds
4. St. Joseph's Hospital, Parkersburg, WV 325 beds
5. Saint Francis Hospital, Charleston, WV 155 beds
6. Raleigh General Hospital, Beckley, WV 369 beds
7. Putnam General Hospital, Hurricane, WV 68 beds
8. North Monroe Medical Center, Monroe, LA 255 beds
9. Southwestern Medical Center, Lawton, OK 212 beds
10. Capital Medical Center, Olympia, WA 119 beds
The article states that that no buyer or buyers have currently been identified but that the HCA wants the sale to be completed by the 4th quarter of 2005. The article states that HCA is selling the West Virginia hospitals along with a group of 6 other hospitals, including two hospitals in Tennessee and one each in Virginia, Louisiana, Oklahoma and Washington. According to HCA it is selling these particular hospitals in rural markets so that it can continue its trend to focus on large urban and suburban markets.
HCA's press release on the sale of the 10 hospitals states as follows:
HCA also announced its intention to divest 10 acute care hospitals located in six states. The 10 hospitals are located primarily in rural and small urban markets, in contrast to the majority of the Company's remaining hospitals which are located in large urban or suburban markets.
"The divestitures will allow the Company to redeploy capital to support our hospitals in growing urban markets," stated Jack O. Bovender, Jr., HCA's Chairman and CEO. "These facilities are viable community assets. We believe that increased focus and attention and the ability to continue to successfully compete for capital should provide these facilities the best opportunity for success in the future. Many of the facilities to be divested have been a part of HCA for several years and, although it was a difficult decision, we believe the divestitures are in the best long-term interests of the Company, the affected hospitals and their local communities."
As a group, the 10 hospitals to be divested had 2004 net revenues of $654 million. Hospital divestiture list:
1. Clinch Valley Medical Center, Richlands, VA 200 beds
2. Grandview Medical Center, Jasper, TN 70 beds
3. River Park Hospital, McMinnville, TN 127 beds
4. St. Joseph's Hospital, Parkersburg, WV 325 beds
5. Saint Francis Hospital, Charleston, WV 155 beds
6. Raleigh General Hospital, Beckley, WV 369 beds
7. Putnam General Hospital, Hurricane, WV 68 beds
8. North Monroe Medical Center, Monroe, LA 255 beds
9. Southwestern Medical Center, Lawton, OK 212 beds
10. Capital Medical Center, Olympia, WA 119 beds
Monday, March 28, 2005
Preliminary Injunction Granted - Kaiser Permanente v. Cooper
For those of you who have been following the Kaiser Permanente matter involving a former employee, Elise Cooper, you can now view a copy of the preliminary injunction granted by Judge James A. Richman of the Superior Court of California (Alameda County) on March 24, 2005, in the matter of The Permanente Medical Group, Inc. and Kaiser Foundation Health Plan, Inc. v. Elisa D. Cooper, No. RG05-203029.
The order granting the preliminary injunction states that Ms. Cooper (aka Diva of Disgruntled) is ordered, pending resolution of the case, to: (1) stop using, disclosing, disseminating, distributing or making publicly available in any way, including but not limited to distribution through the Internet, any materials containing any health information of Plaintiffs or their memnbers, and (2) remove such materials from any web site under Defendant's control.
The order granting the preliminary injunction states that Ms. Cooper (aka Diva of Disgruntled) is ordered, pending resolution of the case, to: (1) stop using, disclosing, disseminating, distributing or making publicly available in any way, including but not limited to distribution through the Internet, any materials containing any health information of Plaintiffs or their memnbers, and (2) remove such materials from any web site under Defendant's control.
CMS Issues Complaint Procedures for Investigating and Resolving Violations of the Aministrative Simplification Rules (HIPAA)
On March 25, 2005, the Centers for Medicare & Medicaid Services (CMS) issued the federal register notice setting forth the procedures for filing with the Secretary of the Department of Health and Human Services a complaint of non-compliance by a covered entity with certain provisions of the administrative simplification rules under 45 CFR parts 160, 162, and 164. The federal register notice also describes the procedures the Department employs to review the complaints.
The complaint procedures do not apply to the regulations adopted under section 264 of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104–191, as amended, known as
the Privacy Rule. The Secretary has delegated to the Office for Civil Rights the authority to receive and investigate complaints as they may relate to the Privacy Rule codified at 45 CFR parts 160 and 164. For the purpose of this notice, ‘‘administrative simplification provisions’’ means the administrative simplification regulatory requirements under HIPAA, other than privacy.
The effective date of the rule is April 25, 2005.
The complaint procedures do not apply to the regulations adopted under section 264 of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104–191, as amended, known as
the Privacy Rule. The Secretary has delegated to the Office for Civil Rights the authority to receive and investigate complaints as they may relate to the Privacy Rule codified at 45 CFR parts 160 and 164. For the purpose of this notice, ‘‘administrative simplification provisions’’ means the administrative simplification regulatory requirements under HIPAA, other than privacy.
The effective date of the rule is April 25, 2005.
Friday, March 25, 2005
Mountaineers Madness Moves On to the Elite 8
Tonight the West Virginia Mountaineers moved on to the Elite 8 by beating Bobby Knight and the Texas Tech Red Raiders 65-60 in The Pitt, Albuquerque, New Mexico. Kevin Pittsnogle scored 22 points to lead the Mountaineers.
The Mountaineers will now face the Louisville Cardinals on Saturday at 4:40 p.m. Everyone in the state of West Virginia will be tuned in to watch the Moutaineers make its bid to move on to the 2005 Final Four. This run by the Moutaineers is great for the players, the team, the University and the State of West Virginia.
One of the most exicting points of this years Moutaineer team is to watch different players step up night after night. Pittsnogle, Gansey, Beilein, Sally, Fischer and the list goes on. I think one of the reasons teams have had touble handling the Mountaineers is because they come out with a different look every night.
It is great to see Coach Beilein getting the credit that he deserves at putting together a great year end run to the Final Four.
The Mountaineers will now face the Louisville Cardinals on Saturday at 4:40 p.m. Everyone in the state of West Virginia will be tuned in to watch the Moutaineers make its bid to move on to the 2005 Final Four. This run by the Moutaineers is great for the players, the team, the University and the State of West Virginia.
One of the most exicting points of this years Moutaineer team is to watch different players step up night after night. Pittsnogle, Gansey, Beilein, Sally, Fischer and the list goes on. I think one of the reasons teams have had touble handling the Mountaineers is because they come out with a different look every night.
It is great to see Coach Beilein getting the credit that he deserves at putting together a great year end run to the Final Four.
Friday, March 18, 2005
Kaiser Permanente Files New Motions Against the Diva of Disgruntled Blogger
An article in today's San Jose Mercery News reports that Kaiser Permanente filed new motions in an existing lawsuit against a former employee, Elisa D. Cooper, aka the "Diva of Disgruntled" asserting claims based on invasion of privacy and breach of a confidentiality agreement.
This follows up the announcement by Kaiser last week that it was notifying 140 patients in California that personal information, including names, addresses, telephone numbers, medical record numbers and results of routine lab tests, had been posted on the Web. According to the article today:
For more details and some interesting commentary on this matter check out Matthew Holt's most recent post on The Health Care Blog. Also, for more information about Ms. Cooper's termination from Kaiser you can read her post titled "Details of My Termination from Kaiser." You can also see the nature of the complaint that Ms. Cooper filed with the Office of Civil Rights who are responsible for investigating potential violations under the Privacy Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Also check out the March 16, 2005 ComputerWorld article for coverage of this matter.
This follows up the announcement by Kaiser last week that it was notifying 140 patients in California that personal information, including names, addresses, telephone numbers, medical record numbers and results of routine lab tests, had been posted on the Web. According to the article today:
Kaiser has since acknowledged that it constructed the unsecured technical Web site but said it id not know if patient information was included on it. Cooper said she tried to notify Kaiser about he breach only to be rebuffed, and she subsequently filed a Federal health privacy complaint with the U.S. Department of Health and Human Services, which in turn contacted Oakland-based Kaiser.Also, the article reports that the California Department of Managed Health Care (DMHC) is investigating both Ms. Cooper and the actions of Kaiser Permanente. The DMHC has also ordered Ms. Cooper to stop posting certian information to her blog.
For more details and some interesting commentary on this matter check out Matthew Holt's most recent post on The Health Care Blog. Also, for more information about Ms. Cooper's termination from Kaiser you can read her post titled "Details of My Termination from Kaiser." You can also see the nature of the complaint that Ms. Cooper filed with the Office of Civil Rights who are responsible for investigating potential violations under the Privacy Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Also check out the March 16, 2005 ComputerWorld article for coverage of this matter.
Monday, March 14, 2005
Kaiser Permanente Gadfly
Matthew Holt's "The Health Care Blog" has an interesting followup post on Kaiser Permanente's announcement last week about the breach of privacy involving patient health information of 140 individuals. The blog post also contains some interesting followup comments by the Gadfly and others.
UPDATE:
Yesterday, March 16, 2005, Matthew Holt posted an update on the outcome of the hearing involving the injunction filed by Kaiser Permanente against the Gadfly. The Gadfly also has a recent post on her blog giving her perspective on the outcome of the injunction hearing. the post is titled "My Morning in Court".
UPDATE:
Yesterday, March 16, 2005, Matthew Holt posted an update on the outcome of the hearing involving the injunction filed by Kaiser Permanente against the Gadfly. The Gadfly also has a recent post on her blog giving her perspective on the outcome of the injunction hearing. the post is titled "My Morning in Court".
Friday, March 11, 2005
Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee
Today I read an article (see below) from the iHealthBeat newsletter reporting on an article which appeared in the March 11, 2005, San Jose Mercury News. This will be the 3rd well published breach of private data in as many weeks (see my post on ChoicePoint and Lexis-Nexis). This is also interesting because it involves blogging and employee issues which is the topic of much debate these days due to some other recent high profile cases.
Based on the comments in the article it appears that a privacy related complaint under the Privacy Rule created under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was filed either by one of the parties involved or the blogger and former employee herself since the Office of Civil Rights is now involved and investigating. The article points out that the former employee may face significant fines and penalties, however the article does not point out that the health care provider responsible for complying with the HIPAA mandates may also face such charges.
I did some quick Googling and seemed to come across the blog of "Diva of Disgruntled" which is interestingly titled "Corporate Ethics". The blog contains a recent post today in response to the news break on the matter.
It will be interesting to watch this one unwind.
Following is the iHealthBeat article:
Kaiser Permanente is alerting 140 patients in Northern California that a disgruntled former employee posted private information about them on her blog, the San Jose Mercury News reports. The information includes medical record numbers, patient names and information about some routine lab tests, but not the test results. Kaiser in January learned of the breach from the federal Office of Civil Rights and has been investigating the issue since then, said Kaiser spokesperson Matthew Schiffgens. However, Schiffgens said Kaiser on Wednesday asked the Internet service provider hosting the blog to remove the data, the Mercury News reports. The former employee, who calls herself the "Diva of Disgruntled," said that the company posted the patient information on an unsecured Web site and that Kaiser took it down only after she pointed it out, the Mercury News reports. She said she reposted the information to another site to illustrate how easy it was for someone to access the information, which she said had been on the Internet for a year. She said she also filed a complaint with the federal Office of Civil Rights. Schiffgens said Kaiser has been unable to confirm the woman's claims that it posted private patient data, but he said the woman still breached her obligation to protect member confidentiality by posting the information herself. Schiffgens said Kaiser might take legal action against the woman, the Mercury News reports. Under HIPAA rules, she could face fines of up to $250,000 and 10 years in prison for unlawfully disclosing patient data (Feder Ostrov, San Jose Mercury News, 3/11).
Based on the comments in the article it appears that a privacy related complaint under the Privacy Rule created under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was filed either by one of the parties involved or the blogger and former employee herself since the Office of Civil Rights is now involved and investigating. The article points out that the former employee may face significant fines and penalties, however the article does not point out that the health care provider responsible for complying with the HIPAA mandates may also face such charges.
I did some quick Googling and seemed to come across the blog of "Diva of Disgruntled" which is interestingly titled "Corporate Ethics". The blog contains a recent post today in response to the news break on the matter.
It will be interesting to watch this one unwind.
Following is the iHealthBeat article:
Kaiser Permanente is alerting 140 patients in Northern California that a disgruntled former employee posted private information about them on her blog, the San Jose Mercury News reports. The information includes medical record numbers, patient names and information about some routine lab tests, but not the test results. Kaiser in January learned of the breach from the federal Office of Civil Rights and has been investigating the issue since then, said Kaiser spokesperson Matthew Schiffgens. However, Schiffgens said Kaiser on Wednesday asked the Internet service provider hosting the blog to remove the data, the Mercury News reports. The former employee, who calls herself the "Diva of Disgruntled," said that the company posted the patient information on an unsecured Web site and that Kaiser took it down only after she pointed it out, the Mercury News reports. She said she reposted the information to another site to illustrate how easy it was for someone to access the information, which she said had been on the Internet for a year. She said she also filed a complaint with the federal Office of Civil Rights. Schiffgens said Kaiser has been unable to confirm the woman's claims that it posted private patient data, but he said the woman still breached her obligation to protect member confidentiality by posting the information herself. Schiffgens said Kaiser might take legal action against the woman, the Mercury News reports. Under HIPAA rules, she could face fines of up to $250,000 and 10 years in prison for unlawfully disclosing patient data (Feder Ostrov, San Jose Mercury News, 3/11).
Thursday, March 10, 2005
West Virginia Health Care Authority Issues Draft CON Standards on Cardiac Cath and Cardiac Surgery for Comment
The West Virginia Health Care Authority has published new standards for Cardiac Catheterization Standards and Cardiac Surgery Standards under the State Health Plan. The notice on the West Virginia Health Care Authority's website shows that providers in West Virginia have a 30 day public comment period that ends on April 8, 2005 to comment on the draft standards.
The current Cardiac Catheterization Standards were approved by the Governor of West Virginia on August 22, 2002. The current Cardiac Surgery Standards were approved by the Governor of West Virginia on May 5, 2004.
For those unfamiliar with the Certificate of Need (CON) process, West Virginia has a statutorily mandated CON review process which requires health care provider projects, new services, etc. to obtain CON approval prior to starting the project or new service. The CON review process typical includes the determination of need, consistency with the State Health Plan, and financial feasibility. Need for the project is determined using CON Standards, which generally include population-based quantifiable need methodologies. Financial feasibility includes the evaluation of the reasonableness of proposed charges to patients and the determination as to whether the expense and revenue projections demonstrate fiscal viability for the proposed project. Other review criteria include quality, accessibility, and continuum of care.
The current Cardiac Catheterization Standards were approved by the Governor of West Virginia on August 22, 2002. The current Cardiac Surgery Standards were approved by the Governor of West Virginia on May 5, 2004.
For those unfamiliar with the Certificate of Need (CON) process, West Virginia has a statutorily mandated CON review process which requires health care provider projects, new services, etc. to obtain CON approval prior to starting the project or new service. The CON review process typical includes the determination of need, consistency with the State Health Plan, and financial feasibility. Need for the project is determined using CON Standards, which generally include population-based quantifiable need methodologies. Financial feasibility includes the evaluation of the reasonableness of proposed charges to patients and the determination as to whether the expense and revenue projections demonstrate fiscal viability for the proposed project. Other review criteria include quality, accessibility, and continuum of care.
Wednesday, March 09, 2005
Confidential Information on 32,000 People Stolen from Lexis-Nexis Database
Today Lexis-Nexis announced that hackers stole confidential information on 32,000 people. According to an news article from PC World the following information was stolen from a Lexis-Nexis subsidiary called Seisint. PCWorld reports that:
The hackers stole passwords, names, addresses, Social Security numbers, and drivers license numbers of legitimate customers of the company's Seisint division. Seisint collects data on individuals that law enforcement agencies and private companies use for debt recovery, fraud detection, and other services.
Here is a press release issued by Lexis-Nexis regarding the investigation into the privacy breach. Lexis-Nexis acquired Seisint in September 2004 for $775 Million. Due to the privacy breach I suspect that the price of the acquisition just went up substantially.
This is the second high profile breach of confidential health data in as many weeks. In mid February there was a report of a breach of 145,000 individuals confidential information at ChoicePoint. For more information on this particular breach read the following article from PCWorld. Interesting on March 4, 2005 ChoicePoint announced its decision to exit those lines of its business which involve the sale of confidential and sensitive consumer data.
Friday, March 04, 2005
My dad has been experimenting with Hello, software that allows you to share your digital photo, and Picassa, software which allows you to find, edit and organize digital photos that reside on your hardrive. These software downloads are part of Google's positioning to take over the desktop from Microsoft.
I have played around with Picassa and have found it very user friendly and intuitive. I think they have found a niche that needed to be filled. As an example, my dad is one of the most knowlegeable computer uses in the 80+ year old category and has been using computers back to the first macintosh that my sisters and I purchased for him in the late 1980s. However, something that has always been confusing for him is the ability to navigate the Explorer features, how to (and where to) save documents, files and now digital photos. Picassa brings to him the ability to have the software find and organize the photos on his hard drive.
He has been using Picassa for a couple of months and just recently sent me an invitation to join Hello so that we can share digital photos back and forth. I have been meaning to download and try out Hello, since I was interested in the feature that allows me to now share photos up to my Blogger blog (Blogger is another product/business swept up by Google). Above is a test post of a photo of my 9 month old during a recent trip to Florida with her, my wife and my 4 year old.
Wednesday, March 02, 2005
Pizza and Privacy: ACLU Privacy Video
Today someone referred me to an online video put out by the American Civil Liberties Union (ACLU) to demonstate how technology can be used, even by your local pizza business, to access and reveal sensetive financial, medical, employment and other personal data.
Although the video is done in fun it does make one thing about being more cautious with releasing personal and private information.
v
Here is a press release issued by the ACLU discussing the online pizza delivery privacy video.
Although the video is done in fun it does make one thing about being more cautious with releasing personal and private information.
v
Here is a press release issued by the ACLU discussing the online pizza delivery privacy video.
Subscribe to:
Posts (Atom)