Tag Archives: privacy

Privacy Rule Burden: 62.3 Million Hours – WOW

A notice published July 29 in the Federal Register starkly demonstrates the administrative burdens of complying with the HIPAA privacy rule.

The Department of Health and Human Services published the notice as part of its intent to continue requiring documentation of compliance. The notice lists a dozen documentation requirements, such as authorization to use and disclose protected health information, and notices of privacy practices.

In total, HHS estimates an industry-wide annual reporting burden of nearly 62.3 million hours, 98% of which covers dissemination of a notice of privacy practices and patient acknowledgement. Accounting for use and disclosure of PHI makes up most of the remaining burden.

The notice is available at gpoaccess.gov/fr/index.html.

via Privacy Rule Burden: 62.3 Million Hours.

How will California’s tougher-than-HIPAA privacy laws impact U.S.? – FierceHealthIT

Last September, California enacted the toughest patient privacy protections in the country, even tougher than HIPAA. They include specific penalties for medical-record snooping, rules requiring providers to report breaches far more quickly than HIPAA and requirements that safeguards like passwords be put in place. The new laws even establish a new state office supervising patient privacy and imposing fines when violations occur.

via How will California’s tougher-than-HIPAA privacy laws impact U.S.? – FierceHealthIT.

Kaiser hospital hit with another fine for privacy violation – FierceHealthIT

The California Department of Public Health issued an administrative penalty of $187,500 this week against the facility after concluding that the hospital didn’t do enough to protect patient health information. Bellflower Hospital was previously slapped with a $250,000 fine in May for violations taking place in mid-March during Nadya Suleman’s inpatient stay.

via Kaiser hospital hit with another fine for privacy violation – FierceHealthIT.

PCI Council Releases Guidelines for Wireless Network Security #PCI

Nearly a year after ordering the phase-out of Wired Equivalent Privacy (WEP), a technology introduced in 1999 to protect data flowing over wireless networks, the PCI Security Standards Council this week released new guidelines for enhanced wireless security.

via News.

Michael Jackson doctor went too far #HIPAA

And HIPAA does apply to deceased individuals. “It doesn’t matter whether a patient is dead or alive — the HIPAA and state privacy law protections still apply,” Stephen K. Phillips, a healthcare attorney in San Francisco, told me. “A deceased patient’s rights accrue to his/her legal representative for enforcement and redress purposes.”

At the same time, said Phillips, it’s possible that Jackson may have given Klein permission to discuss his PHI, or private health information, in public. In that case, Phillips said, “you haven’t violated the law by doing so, unless and until that authorization is withdrawn.” I tried to contact Klein to clarify these important points several times, but never received a response. His attorney didn’t get back to me either.

via Michael Jackson doctor went too far | Salon.

PCI DSS Incident Response: The Legal Perspective #PCI

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

via InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI DSS Incident Response: The Legal Perspective.

FTC Issues Final Order In CVS Caremark Data Security Case – data privacy/Privacy #HIPAA

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers’ privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year.

via FTC Issues Final Order In CVS Caremark Data Security Case – data privacy/Privacy – DarkReading.

EU Lays Out Privacy Rules for Facebook, MySpace and other social-networking Web sites – WSJ.com

European regulators have laid out operating guidelines for Facebook, MySpace and other social-networking Web sites to ensure they comply with the region’s privacy laws, in a move to address concerns about the handling of users’ personal information.

via EU Lays Out Privacy Rules – WSJ.com.

URAC seeks feedback on HIPAA standard revisions

Independent accrediting agency URAC is seeking comments on draft revisions to its Health Insurance Portability and Accountability Act privacy and security standards.

The changes reflect requirements established in the American Recovery and Reinvestment Act of 2009, URAC said in its draft revisions. Under the law, business associates of covered entities will have to comply with security standards as well as additional privacy standards based on their access to electronic health information. URAC said updating its standards will help ensure accredited organizations meet the act’s requirements.

Comments are due by Aug. 3, and the organization expects to have a final draft ready for its board of directors to review in October. URAC last updated its HIPAA-related standards in October 2008.

via URAC seeks feedback on HIPAA standard revisions – Modern Healthcare.

PCI-DSS: Not on health care provider’s radar

Health care providers are certainly no strangers to data privacy and security standards related to protected health information (PHI). Although these providers and their respective organizations are well versed in the rules, policies and requirements of HIPAA, few are aware that the PCI-DSS rules apply to their businesses and even fewer are compliant. When HIPAA compliance mandates were looming, health care providers seriously performed “gap analyses” to understand risks and then developed policies, instituted practices and acquired technologies.

via PCI-DSS: Not on health care provider’s radar – SC Magazine US.