2 Sep 2010
Posted by haideeleclair. No Comments
The HIMSS blog recently posted some answers to frequently asked questions about Privacy & Security.
The complete post is available at their site; here are the questions they covered:
1. What new privacy and security laws were contained in ARRA?
2. What is the “HIPAA NPRM?”
3. Once and for all, is encryption required by HIPAA?
4. I heard that HHS has withdrawn its submittal for government review of the “Breach Notification Final Rule.” Does this mean that our organization can assume that we do not have to make any notifications until HHS resubmits the rule?
5. Can we really expect that HHS will step up enforcement of HIPAA and the new HITECH requirements?
Questions 1-3 are answered in the first post and 4-5 in the second.
There is a lot of good information in both posts, and you can post additional questions in the comments. Take a look!
24 Aug 2010
Posted by haideeleclair. No Comments
An article at Information Week indicates that providers should comply with fair information practices when exchanging patients’ personal health data, based on recommendations from a workgroup advising the federally chartered Health IT Policy Group. Last week the workgroup sent a letter to national health IT coordinator David Blumenthal, issuing preliminary recommendations on how to ensure privacy and security when doctors and hospitals exchange patient information to fulfill the first stage of meaningful-use requirements for electronic records.
The team noted that more work is necessary in areas such as remedies for violations. They also recommended adopting guidelines set out in the Fair Information Practices, a code established in 1973. "This overarching set of principles, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information," the team’s letter said.
According to Information Week, the principles cover individuals’ rights to obtain and correct personal information and consent to the exchange of identifiable information; openness and transparency about policies and procedures; and protections against inappropriate use and disclosure, among other elements of privacy and security.
Check out the Health Data Management article or search HHS’ Health IT site to read these and other recommendations.
What do you think of these security recommendations?
13 Aug 2010
Posted by haideeleclair. No Comments
Thousands of Boston area patients may need to worry about the location of their paper medical records. A Boston Globe photographer found piles of intact hospital and insurance records from at least four different hospitals at a public dump. These documents should have been either shredded or incinerated, and contained names and addresses of patients as well as results of cancer tests and lab work information.
"Doctors with two of the hospitals–Kevin Dole of Caritas Carney and John Blanchette of Holyoke Medical Center–both said they used the same billing company–Goldthwait Associates, which would have been responsible for getting rid of the physical records. Goldthwait also provides billing services for the two other known hospitals involved, Milton Hospital and Milford Regional Medical Center."
Hospital officials believe the dumped records date back two to three years; they are currently determining which patients underwent pathology testing. Milton Hospital expects to notify between 8,000 and 12,000 patients, while Holyoke expects to notify twice that number.
No ruling has been made yet to determine if the hospitals, the doctors, or the billing company are ultimately responsible for this incident.
Read the full story: http://www.fiercehealthcare.com/story/patient-records-found-dump/2010-08-13
What happens to your paper records and how does your billing company handle them?
9 Aug 2010
Posted by haideeleclair. 2 Comments
Can you imagine? William Wells, the patient, had been stabbed more than 12 times by a resident at his nursing home, but when he got to St. Mary Medical Center’s ER, some nurses and other staff took photos of him and posted them on Facebook.
This patient privacy breach occurred April 9 at the Long Beach, California-based hospital and led to the firing of four staff members, and discipline for three more. This incident is one of nine potential breaches of patient privacy at the hospital this year.
Read the whole story at http://www.latimes.com/news/local/la-me-facebook-20100809,0,5049805,print.story.
Does your hospital have a clear policy on how they would handle this and other types of patient privacy breaches?
9 Aug 2010
Posted by haideeleclair. 2 Comments
Hospitals are getting more concerned about patient privacy and confidentiality, especially if staff use Facebook and similar sites while working. To make sure no patient information is posted online, some hospitals are blocking employees from using the sites at work. Some hospitals have even fired employees for inappropriately discussing patient issues online.
Read the article at http://www.latimes.com/news/local/la-me-facebook-20100809,0,7484743.story
What do you think? What’s an appropriate way to respond to hospital employees posting patient information online?