Spectre and Meltdown are critical security vulnerabilities rooted in the way modern processors are designed. They are distinct flaws, but both abuse a performance technique called speculative execution: the CPU runs instructions ahead of time, and the side effects of work that is later discarded leak through the cache, allowing an attacker to read data that would otherwise be private.
By Kate Willet
Earlier this year, a Utah nurse, Alex Wubbels, was arrested for refusing to allow a law enforcement officer to draw blood from an unconscious patient. State and federal laws prohibited her from allowing a law enforcement officer to draw blood without a warrant or patient consent, but the officer proceeded to handcuff her for refusing to honor his request.
Alex Wubbels was correct about the patient privacy laws she cited to protect her patient, and has since reached a $500,000 settlement with Salt Lake City and the University of Utah Hospital where she was employed. The Salt Lake City police department fired the arresting officer. [Read more…]
Margaret C. Scavotto, JD, CHC
Management Performance Associates
Compliance officers and HIPAA privacy and security officers typically worry about HIPAA violations all day long. But does your public relations department?
An arrest and a press release
In May 2017, a not-for-profit health system in Texas entered a $2.4 million settlement with the OCR to resolve allegations that it violated the HIPAA Privacy Rule.
A patient presented a fake ID at a health system OB/GYN clinic. The clinic called the police, a disclosure the Privacy Rule permits for reporting a crime on the premises. But then the health system issued a press release about the arrest, and the title of the press release included the patient’s name.
Why the press release? The patient is an immigrant from Mexico, and her arrest drew protesters to the hospital. The protesters asserted that hospitals should be immigrant “safe zones.” One can see why the hospital would feel the need to address the matter. But, the OCR found that, by identifying the patient in the press release, the health system went too far under HIPAA. [Read more…]
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are the two major federal laws that shape how compliance is conducted in the healthcare industry. HITECH strengthened enforcement of HIPAA’s somewhat dated data security provisions. HITECH has also promoted the use of electronic health records by providing funding to healthcare providers through the Office of the National Coordinator at the Dept. of Health & Human Services (HHS), and through Medicare and Medicaid incentives. It is all part of a larger push, under way since HITECH’s enactment in 2009, to allow secure data sharing with privacy protection among providers, insurers, and patients.
The shift from paper-based record keeping to digital records has been happening across all industries, but there has been a real focus and effort in US healthcare to develop a health information technology system that all medical offices can access. From the Rand Corporation in 2009: “After 15 years, the nationwide adoption of electronic medical records and of networking among health care providers could save more than $77 billion each year in terms of efficiency alone.” The savings would come from eliminating losses due to waste and the costs associated with lost or leaked patient information. [Read more…]
By Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates
This summer, Aetna made headlines when it used a contractor to send a mailing to 12,000 members. The mailing involved letters sent in windowed envelopes typical of mass business mailings. For some patients, the following language, revealing the members’ HIV status, was visible through the envelope window: “The purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…members can use a retail pharmacy or a mail order pharma….”
This breach of sensitive patient information had health care providers scratching their heads: We didn’t think about this as a risk. How can we possibly anticipate every possible HIPAA breach?
Four months later, we see another HIPAA gaffe involving – yes – a mass mailing. This time, the breach involved a not-for-profit community health plan that provides care and coverage to Medicaid patients with chronic health conditions – like HIV.
The health plan mailed flyers to HIV patients, promoting an HIV research project. The mailroom was careful to assemble the mailing so that no PHI was visible through the envelope window. But, the language “Your HIV detecta” could potentially be seen through the paper envelope. [Read more…]
Media focus on large data breaches involving laptop thefts or hacking incidents has grown significantly, but basic incidents still abound and can pose a greater threat to patients.
Recently, a conference attendee discussed an incident with our HIPAA Compliance Consultant, Kathryn Ayers Wickenhauser. The attendee’s practice had several checks disappear en route to the bank for deposit. The attendee questioned if this constituted a reportable HIPAA breach, because the checks were not necessarily written by patients, didn’t contain clinical information, nor did the practice know if the information had been seen or found by anyone.
It’s no surprise that clinic team members wanted to avoid labeling this as a breach. Labeling this as a breach would mean answering to many patients who would be justifiably angry. Further, because it was a batch of checks, it would require having to reconcile what payments were lost in the process.
Despite the instinct to turn and run, we must consider whether protected health information (PHI) is unsecured. HIPAA’s regulations (45 CFR § 160.103) define health information as any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
We can infer that because at least some of these payments are for the provision of healthcare, the checks contain PHI. In addition, although not clinical data, checks carry addresses, names, and phone numbers, all patient identifiers indicating that a patient is involved with the clinic. If we do not know where the information is, the information is unsecured, and under the Breach Notification Rule its loss is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. A batch of checks that vanished in transit will not clear that bar.
As healthcare service providers, we have a duty to protect our patients. The root of HIPAA is to protect patients and maintain integrity. Although the checks may not include clinical information, or could have been for a purpose other than treatment, a batch of checks contains bank routing numbers, account numbers, names, and addresses, enough for would-be thieves to write eChecks on the patient’s dime. If we assume that disclosing a patient’s annual check-up record to someone outside the covered entity is a potential risk to the patient, we can certainly presume that releasing access to the patient’s bank account is a potential risk as well.