Archive for the ‘News’ Category:
Former UCLA researcher sentenced to prison for violating HIPAA privacy rule
Huping Zhou, a licensed cardiothoracic surgeon in China and a former UCLA School of Medicine researcher, has become the first healthcare worker sentenced to prison for violating the HIPAA privacy rule.
While working as a researcher at the university in 2003, Mr. Zhou began accessing the medical records of his superior, his co-workers and celebrity patients in the UCLA Health System, including Tom Hanks, Drew Barrymore and Arnold Schwarzenegger. The FBI reported that he accessed confidential medical records in violation of the HIPAA privacy rule a total of 323 times over a three-week period.
Zhou has been sentenced to four months in federal prison and fined $2,000. The U.S. Attorney's Office in Los Angeles said in a press release that this is the first time a healthcare worker has received jail time for violating the HIPAA privacy rule.
Edward Robinson, attorney for Mr. Zhou, told CBS News his client had “no idea that looking at another person’s medical records was a federal criminal violation for which you could go to jail.”
A webinar on HIPAA and HITECH compliance
A webinar led by privacy expert Rebecca Herold will be held on Wednesday, April 27th. It will focus on practical solutions for the four key areas a business must address for HIPAA/HITECH compliance: assessing risks and vulnerabilities, developing policies and procedures, encrypting ePHI to protect client data, and having a breach notification plan ready in case of an incident.
The topics to be addressed by the industry experts include:
Risk Assessments - ACR 2 Solutions will discuss identifying, quantifying and assessing information security risks using automated technology developed under federal sponsorship for high-value military and civilian networks. Risk assessment is mandatory under HIPAA, GLBA, FISMA and other statutes, and is also part of the "Meaningful Use" qualification for subsidies under the HITECH Act.
Policies and Procedures - Compliance Helper (CH) provides turn-key solutions for those needing policies and procedures based on content developed by Rebecca Herold and Associates. The combination of the ACR 2 Gap report and the Compliance Helper Prepare and Care solution creates a simple and organized process for organizations to become fully HIPAA HITECH compliant.
Email Encryption - The Industry Radar, in partnership with email encryption provider ZixCorp and hosting partner Greenview Data, has developed the RadarMail 360 suite, which provides email encryption for both outbound and inbound communication, for organizations of any size.
Breach Remediation - ID Experts will discuss the need for a comprehensive data breach response plan and describe best practices for healthcare data breach notification and patient care. They will also review the HHS-mandated risk assessment requirement for breaches involving protected health information (PHI).
Features of HIPAA Online Certificate
A HIPAA Online Certificate is a self-contained image file that gives your organization control over who can see information about its certification efforts.
By requesting a certificate of conformance an organization is agreeing to the following terms:
* The file being validated is a real data file that has been generated by processes that truly exist within the organization.
* During the testing lifecycle, when an error was received, the organization modified the actual processes and procedures used to create the file, and did not simply modify the final data file in order to receive a “passed” report.
* The data file is representative of the lines of business that the organization supports for the transaction being certified.
While these rules are simple, they depend on trust and integrity between trading partners, not just on the automated validation process. A certificate indicates only that the submitter was able to generate a valid HIPAA file under the terms above; it means the partners have done their part to shorten the time between testing and production. Because the certificate is an image with a watermark rather than a cryptographically signed document, a trading partner who needs real assurance should confirm the result with the certifying organization rather than rely on the image alone.
Each certificate generally contains the following features:
* Certification Definition. Each certificate contains a clear definition of what certification does and does not mean.
* Certifying Organization. Each certificate contains a set of distinguishing information about the certifying organization.
* Implementation Guide. The HIPAA implementation guide used for certification is clearly displayed on each certificate.
* Watermark. An embossed version of the certification logo sits in the background of the certificate, with the organization and file information written on top.
* Status. The certification status is clearly indicated in bright blue text.
Webinar on HIPAA compliance under HITECH by the Institute for Health Technology Transformation
The Institute for Health Technology Transformation is an organization committed to bringing together private and public sector leaders to foster the growth and meaningful use of technology across the healthcare industry. The institute will hold a health information webinar entitled "Case Study: The Challenges of Protecting ePHI to Comply with HIPAA under HITECH" on April 13th, 2010 at 11:00am PDT.
The presenters will be Wes Wright, vice president and chief technology officer of Seattle Children's Hospital, and Ram Krishnan, senior vice president of products at GuardianEdge. They will discuss real-world healthcare environments and the associated risks of exposed patient data; new federal and state mandates for the secure collection and exchange of electronic patient health information; the changing priorities of managing patient data for an increasingly mobile workforce of medical professionals; the growing importance of secure endpoint devices in enabling quality of care; and lessons learned in choosing and deploying mobile data encryption to protect ePHI.
"As healthcare moves to a wider and deeper electronically connected model, new state and federal personal privacy laws combined with updates to HIPAA are making the regulatory environment more complex than ever," said Ram Krishnan, senior vice president of products, GuardianEdge. "Healthcare organizations need to make sure all of the systems are in place to properly protect their patients' private information."
Wes Wright will discuss the delicate balance between enjoying the benefits of a mobile computing environment and mitigating the risks associated with it.
HIPAA ensures benefits from health insurance to individuals with pre-existing conditions
Getting health coverage is a big issue for many individuals who are unable to purchase private health insurance because they have a known health condition that is expensive to treat. Insurers can refuse to cover such individuals, since they are considered liabilities whose expected medical costs may exceed the premiums they pay.
In addition, if an individual gets sick while covered by one carrier, he may be forced to leave that carrier and search for a new one if he changes jobs or the original insurer cancels the policy. New insurers will then not want to pay for subsequent treatment.
This is where HIPAA, the Health Insurance Portability and Accountability Act, which covers many aspects of health care, helps. HIPAA has already had a profound effect on the availability of health care to many individuals in America, and it makes sure that individuals with pre-existing conditions can still benefit from health insurance.
HIPAA rules limit the longest period for which a pre-existing condition exclusion can be applied under a group plan, and there are ways to minimize or eliminate the exclusion completely. Under the HIPAA guidelines, the maximum time you must wait before a pre-existing condition is covered cannot exceed 12 months, or 18 months for late enrollees.
HIPAA also provides for creditable coverage, which covers any health insurance you had in the past, provided it was not interrupted for a period of 63 or more days. That period can be longer depending on state law and the kind of plan you had before.
If you provide sufficient evidence that you had uninterrupted insurance before the current plan, that coverage is credited against any pre-existing condition exclusion. If you had at least one year of group health insurance with a single employer and then obtained health insurance at a new job without a break of more than 63 days, the new plan cannot impose an exclusion for any pre-existing condition you may have.
Hidden pre-existing condition exclusions include denying coverage for treatment of an injury from an accident that occurred before the plan was acquired, counting a previous plan's coverage toward the new plan's lifetime coverage limit, and failing to cover a congenital condition that would be covered if it were not congenital in origin.
IQMax ties up with Transolutions to deliver its mobile dictation platform
IQMax, a healthcare technology provider, has partnered with Transolutions to deliver IQMax's mobile dictation platform to 150 physicians at a leading acute care facility in the Midwest. Transolutions is a healthcare information company providing medical transcription services and document-driven technology solutions to acute care facilities, clinics and surgery centers.
Physicians use Hewlett-Packard iPAQ mobile devices running the Windows Mobile OS to dictate patient notes and view their patient schedules. IQMax lets them do this anytime, anywhere, on the same device they use to manage their e-mail, calendar and contacts.
The IQMax platform also keeps patient data secure, unlike many other dictation input methods, and supports HIPAA compliance through data encryption and authenticated user login.
IQMax thus improves physician productivity by giving them the freedom to dictate at their convenience, on the move or at the point of care, across any care setting.
“IQMax has built what we believe to be a best in class Enterprise mobile platform. It is a scalable, dependable, and easily deployable technology”, said Chris Allen, director of client relations at Transolutions, in the release.
“Today’s demanding schedules require that physicians maximize the value of every minute. With IQMax, providers have the ability to view patient information and dictate patient notes where it matters most- at the point of care”, said Paul Adkison, founder and CEO of IQMax.
RPost launches an email encryption service upgrade for better HIPAA compliance
RPost, a provider of value-added outbound messaging, offers its flagship Registered Email® delivery proof, eSignOff® electronic contracting, and secure encrypted email services. The company has now announced an email encryption service upgrade that addresses key findings from a poll of 400 small, mid-sized and large companies in the insurance, legal and financial sectors that are subject to heightened HIPAA data encryption rules.
The informal poll uncovered the most common dilemma users, compliance officers and IT departments face when deploying secure encrypted email: many secure email systems are too cumbersome, so they are used less, which in turn increases the exposure to a downstream data breach. The poll validates the need for encrypted email services that are simple to use, simple to deploy and, more importantly, able to prove that correspondence was encrypted end-to-end in case of a HIPAA compliance audit.
As a result, RPost's upgraded patented service delivers email encryption with end-user simplicity coupled with proof of encrypted delivery for HIPAA compliance, protecting users against potential fines. The service also offers optional auto-delivery of decryption passwords, the ability to reply encrypted, court-admissible records proving compliance with security requirements, and e-discovery management for decrypting litigation-related email evidence.
“The real challenge with email security is keeping the user experience as simple as standard email while also managing the system,” remarks Zafar Khan, CEO of RPost. “Regulations require that systems are managed to monitor who uses it, when, and with what decryption passwords, to maintain the capability to prove correspondence was encrypted, and to be able to decrypt records in e-discovery situations. RPost solves this with its patented secure encrypted email upgrade that users are reporting as the best that they have seen on the market.”
ZixCorp's Email Encryption Service to safeguard Christiana Care's PHI
Zix Corporation is a leading provider of email encryption services, and Christiana Care Health System is one of the country's largest health care providers, serving more than 600,000 patients yearly. The Delaware-based regional health system, with two hospitals and numerous satellite facilities, has signed a three-year contract under which ZixCorp's Email Encryption Service will safeguard Christiana Care's confidential information and facilitate its compliance with the updated Health Insurance Portability and Accountability Act (HIPAA) legislation.
The HIPAA Security Rule treats encryption of PHI in transit as an addressable safeguard, and the updates to HIPAA contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act introduce significant new consequences for breaches of unsecured (that is, unencrypted) PHI. In practice this makes encrypting PHI sent by e-mail the expected control for healthcare providers.
Karen Gifford, Director of Information Technology for Christiana Care said, “ZixCorp’s Email Encryption Service provides value with an automated and easy-to-use means to assure all our email is secured thus protecting our patient and employee confidential information. The solution takes the manual intervention out by using Lexicons or rules that accurately capture and protect the information. This is critical especially as our government proposes new regulations and reimbursements in protecting protected health information.”
“We’ve designed our Email Encryption Service with the recipient in mind; we understand the need for automatic, transparent, sending and receiving,” said Rick Spurr, Chief Executive Officer for ZixCorp. “Our ZixDirectory members like Christiana Care are able to continue their daily routine with secure email that simply looks like any other email.”
Survey reveals that healthcare organizations are keen to comply with Federal Privacy laws
FairWarning recently commissioned an independent firm to conduct a national survey of healthcare providers. The survey drew responses from 200 unique hospitals across the US; the majority of respondents were compliance, privacy or risk personnel, followed by IT management and executive management. The survey was designed to elicit opinions and insights on new healthcare privacy regulations (specifically ARRA HITECH), patient safety, privacy and auditing budgets, and information technology risk management.
Nearly half of healthcare organizations (47.3 percent) believed their organization is already compliant with federal privacy laws such as ARRA HITECH and HIPAA and is audit ready. However, nearly one-third of respondents stated they will not be compliant with ARRA HITECH requirements by the set deadlines, and just 7 percent of respondents reported having both processes and automated systems in place that incorporate the cornerstone technologies designed to eliminate security and privacy vulnerabilities.
The respondents' greatest concerns about non-compliance with any of the federal privacy laws were the reputational impact of a failed audit or major privacy breach, financial penalties for non-compliance, and media exposure.
“It is highly unlikely that an organization can fully comply with its obligations under HIPAA and the ARRA HITECH without implementing automated systems for patient and user privacy auditing, managing and aggregating accounting of disclosures and identity management,” stated John Houston, Vice President of Privacy and Information Security and Assistant Counsel at the University of Pittsburgh Medical Center. “While respondents felt that their level of compliance was high, their implementation of necessary technologies was much lower.”
The survey findings concluded that healthcare organizations are:
1. Familiar with new healthcare privacy and security regulations, specifically ARRA HITECH
2. Concerned with the reputational impact associated with a breach and breach notification requirements
3. Mobilizing to meet compliance requirements and deploying critical technologies to plug security gaps and meet compliance requirements
4. Allocating budget to meeting new privacy and security requirements
5. Beginning to believe that enforcement of these laws is a government priority and,
6. In need of further education to align spending and technology deployments to government expectations.
How can you ensure HIPAA compliance with WLAN?
As technology has progressed and the need to access, exchange, store and process information from any point in the network has grown, wireless LANs are increasingly used by doctors, nurses, paramedics and caregivers to process patient data conveniently across large healthcare settings. A WLAN gives medical personnel the mobility to exchange information while on the move, which saves time, increases productivity and raises the quality of patient care.
But every bright side has a darker one, and a WLAN can seriously compromise a healthcare facility's ability to meet HIPAA requirements for the electronic exchange of confidential patient health information. A wired network requires physical access to a port; a WLAN's radio signal reaches beyond the building, so an unencrypted or misconfigured WLAN lets an unauthorized person join the internal network, behind the firewall, without ever entering the premises. This is a serious threat to the confidentiality of the patient health information stored, exchanged or processed over the network.
To address this, the WLAN should provide the technical safeguards HIPAA expects of any system handling ePHI: unique user identification (on a WLAN this means per-user authentication, for example 802.1X with WPA2-Enterprise, rather than a single shared pre-shared key), an emergency access procedure, automatic logoff, encryption that gives a tamper-evident channel between the sender and the authenticated receiver, and the ability to authenticate electronic health information and maintain its integrity. The network should be continuously monitored and should shut out access from any rogue access point; clients associating with a rogue access point should be cut off from the network until they re-associate through an authorized access point.
Any change in the configuration of the access points that suggests unauthorized access should be reported immediately to the IT manager through a defined channel. The WLAN should maintain an audit log of the time, nature and resolution of each intrusion and the steps taken to prevent a recurrence.
In short, the WLAN in any healthcare setting should be configured securely enough that the organization can store and exchange confidential patient health information over it in line with HIPAA.
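The rogue-access-point monitoring, client cut-off and audit logging described in the two paragraphs above, as an added example that is not code from any vendor named on this page. It assumes a wireless sensor or controller can report beacon observations (BSSID, SSID, advertised security mode) and client associations; the record shapes, the authorized-AP inventory and the sample sensor data are all constructed for the example. Unknown BSSIDs are flagged as rogue, an unknown BSSID advertising one of the facility's own SSIDs is flagged as an evil twin, an authorized AP whose advertised configuration no longer matches inventory is flagged as configuration drift, and clients seen on flagged APs get their own audit entries.

```python
"""Rogue access-point and configuration-drift detection over constructed WLAN scan data.

Added example for this article, not code from any product named on the page.
The input shapes (beacon observations and client associations) are assumptions;
a real deployment would take them from a wireless controller or wireless IDS export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import json

# Authorized access-point inventory (constructed sample data), keyed by BSSID.
# Each entry records the SSID and the security mode the AP must advertise.
AUTHORIZED_APS: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"ssid": "ClinicalWLAN", "security": "WPA2-Enterprise"},
    "00:11:22:33:44:02": {"ssid": "ClinicalWLAN", "security": "WPA2-Enterprise"},
    "00:11:22:33:44:03": {"ssid": "GuestWLAN", "security": "WPA2-PSK"},
}


@dataclass
class Observation:
    """One beacon seen by a sensor: which BSSID advertises which SSID and security mode."""
    bssid: str
    ssid: str
    security: str
    observed_at: str  # ISO-8601 timestamp as reported by the sensor


@dataclass
class Association:
    """One client-to-AP association seen by a sensor."""
    client_mac: str
    bssid: str
    observed_at: str


def classify_ap(obs: Observation) -> Optional[str]:
    """Return a finding type for one beacon observation, or None if it is clean."""
    authorized = AUTHORIZED_APS.get(obs.bssid)
    if authorized is None:
        # An unknown BSSID advertising one of our own SSIDs is an evil twin
        # (clients will happily join it); any other unknown BSSID is a rogue AP.
        our_ssids = {entry["ssid"] for entry in AUTHORIZED_APS.values()}
        return "EVIL_TWIN" if obs.ssid in our_ssids else "ROGUE_AP"
    if obs.ssid != authorized["ssid"] or obs.security != authorized["security"]:
        # Authorized hardware whose advertised configuration no longer matches
        # inventory, e.g. downgraded from WPA2-Enterprise to open: escalate.
        return "CONFIG_DRIFT"
    return None


def analyze(observations: List[Observation],
            associations: List[Association]) -> List[dict]:
    """Produce audit-log entries for flagged APs and for clients attached to them."""
    findings: List[dict] = []
    flagged: Dict[str, str] = {}  # bssid -> finding type
    for obs in observations:
        kind = classify_ap(obs)
        if kind is None:
            continue
        flagged[obs.bssid] = kind
        findings.append({
            "time": obs.observed_at, "type": kind, "bssid": obs.bssid,
            "ssid": obs.ssid, "security": obs.security,
            "action": "notify_it_manager",
        })
    for assoc in associations:
        kind = flagged.get(assoc.bssid)
        if kind is None:
            continue  # associated with an authorized, correctly configured AP
        rogue = kind in ("ROGUE_AP", "EVIL_TWIN")
        findings.append({
            "time": assoc.observed_at,
            "type": "CLIENT_ON_ROGUE" if rogue else "CLIENT_ON_DRIFTED_AP",
            "client": assoc.client_mac, "bssid": assoc.bssid,
            # Cut rogue-attached clients off until they re-associate through an
            # authorized AP; clients on drifted (authorized) hardware are reviewed.
            "action": "quarantine_client" if rogue else "review",
        })
    return findings


def to_audit_log(findings: List[dict]) -> str:
    """Render findings as one JSON object per line, suitable for a SIEM or syslog."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


# Constructed sample sensor data: one clean AP, one drifted AP, one evil twin,
# one plain rogue, and three client associations.
SAMPLE_OBSERVATIONS = [
    Observation("00:11:22:33:44:01", "ClinicalWLAN", "WPA2-Enterprise", "2010-04-13T11:00:00Z"),
    Observation("00:11:22:33:44:02", "ClinicalWLAN", "Open", "2010-04-13T11:00:05Z"),
    Observation("de:ad:be:ef:00:01", "ClinicalWLAN", "WPA2-PSK", "2010-04-13T11:00:10Z"),
    Observation("de:ad:be:ef:00:02", "linksys", "Open", "2010-04-13T11:00:15Z"),
]
SAMPLE_ASSOCIATIONS = [
    Association("aa:bb:cc:00:00:01", "00:11:22:33:44:01", "2010-04-13T11:01:00Z"),
    Association("aa:bb:cc:00:00:02", "de:ad:be:ef:00:01", "2010-04-13T11:01:05Z"),
    Association("aa:bb:cc:00:00:03", "00:11:22:33:44:02", "2010-04-13T11:01:10Z"),
]

if __name__ == "__main__":
    print(to_audit_log(analyze(SAMPLE_OBSERVATIONS, SAMPLE_ASSOCIATIONS)))
```

The inventory keyed by BSSID is the control that makes this work: an SSID alone proves nothing, since an attacker can broadcast the facility's SSID from their own hardware, which is exactly the evil-twin case flagged above. The drift check catches the case the article's fourth paragraph worries about, an authorized AP whose configuration has been changed, by comparing what the AP actually advertises against what inventory says it must advertise. The JSON-lines output carries time, type and the action taken, which is the audit record the article asks the WLAN to keep.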