Blog

January 22nd, 2014

Welcome to the Panopticon.  Or surveillance circle-jerk.

With apologies to Tom Lehrer,

Global Surveillance Week!

Chinese spy on the Japanese
Russians spy on the Chinese
Indians spy on the Pakistanis
Aussies spy on the Kiwis
North Koreans spy on Dennis Rodman

The NSA spies on everyone
And EVERYONE spies on the Americans

 

A new security report confirms that Chinese hackers spied on The New York Times in 2012, as well as attendees of the G20 Summit in St. Petersburg last fall. Iranian hackers spied on dissidents in the lead up to state elections last May. The Syrian Electronic Army is only getting better, and North Korean hackers were behind a destructive cyberattack that wiped data from South Korean banks last year.

via New Security Report Confirms Everyone Is Spying on Everyone – NYTimes.com.

Topic News
August 17th, 2013

Here’s another excellent reason to NEVER buy digital content from iTunes, Google Play or Kindle.

Cross the border, lose your content…

Jim O’Donnell was at a library conference in Singapore when his iPad’s Google Play app asked him to update it. This was the app through which he had bought 30 to 40 ebooks, and after the app had updated, it started to re-download them. However, Singapore is not one of the countries where the Google Play bookstore is active, so it stopped downloading and told him he was no longer entitled to his books.

via Cross a border, lose your ebooks – Boing Boing.

Topic News
August 17th, 2013

How much privacy are you willing to give up for security? This conversation has dominated the headlines in recent months and participants in a recent poll on the ASIS LinkedIn Group were nearly split on what has precedence – security or privacy concerns. The question below generated nearly 100 comments from practitioners worldwide.

In a Pew Research poll, 62% said it was more important to allow the gov’t to search for possible terrorist threats even if it meant giving up privacy: Security vs Privacy–Which Side Are You On? 

ASIS 2013/(ISC)2 Security Congress speaker Raj Goel, CSSP, weighed in with the following blog post:

(more…)

Topic News
August 10th, 2012

Hospital Implements New Minimum Necessary Policies for Telephone Messages

Covered Entity: General Hospital

Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. One addressed the issue of minimum necessary information in telephone message content. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding leaving messages. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training.

via All Case Examples.

Topic Articles, News
August 10th, 2012

Radiologist Revises Process for Workers Compensation Disclosures

Covered Entity: Health Care Provider

Issue: Impermissible Uses and Disclosures

A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from worker’s compensation carriers before submitting test results to them.

via All Case Examples.

Topic Articles, News
August 10th, 2012

Private Practice Provides Access to All Records, Regardless of Source

Covered Entity: Private Practice

Issue: Access

A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual’s request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

via All Case Examples.

Topic Articles, News
August 10th, 2012

State Hospital Sanctions Employees for Disclosing Patient’s PHI

Covered Entity: Health Care Provider / General Hospital

Issue: Impermissible Disclosure

A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient’s spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the state attorney general’s office entered into a monetary settlement agreement with the patient.

via All Case Examples.

Topic Articles, News
August 10th, 2012

Dentist Revises Process to Safeguard Medical Alert PHI

Covered Entity: Health Care Provider

Issue: Safeguards, Minimum Necessary

An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

via All Case Examples.

Topic Articles, News
August 10th, 2012

Physician Revises Faxing Procedures to Safeguard PHI

Covered Entity: Health Care Provider

Issue: Safeguards

A doctor’s office disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

via All Case Examples.

Topic Articles, News
August 10th, 2012

Large Health System Restricts Provider’s Use of Patient Records

Covered Entity: Multi-Hospital Healthcare Provider

Issue: Impermissible Use

A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training.

via All Case Examples.

Topic Articles, News