All posts tagged HIPAA

Is HIPAA Enforcement Too Lax?

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel Solove
Founder of TeachPrivacy

Doctor taking notes in his office, isolated

by Daniel J. Solove

Recently, I wrote about the challenges in accessing health information about family members.  In this post, I will explore patients’ access to their own medical records.

HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.

Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.

Continue Reading

HIPAA’s Friends and Family Network: Access to Health Information

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Blog Sharing PHI with Friends and Family 02

by Daniel J. Solove

Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.

The doctor thinks that you can only have the information with a signed written authorization. Is this correct?

No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.

So has the doctor violated HIPAA by refusing to disclose the PHI?

Continue Reading

New Resource Page: Text of HIPAA’s Training Requirements

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Text 01

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: Text of HIPAA’s Training Requirements.  This page provides excerpts of the training provisions in the HIPAA Privacy Rule and the HIPAA Security Rule.

This page is designed to be a useful companion page to our resource page, HIPAA Training Requirements: FAQ.  The FAQ discuss my interpretation of the HIPAA training provisions, but the full text of those provisions is located on the separate new resource page above.

Continue Reading

Health Data Security in Crisis, Phase 2 Audits, and Other HIPAA Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Co-authored with Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. We have split the health/HIPAA material from our updates on other topics. To see our updates for other topics, click here.

For a PDF version of this post, and for archived issues of previous posts, click here.

Continue Reading

Privacy Law: From a National Dish to a Global Stew

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove
This post is co-authored by Professor Neil Richards

The recent case of Google v. Vidal-Hall in the UK has generated quite a buzz, with Omer Tene calling it the “European privacy judicial decision of a decade.”

The case illustrates several fascinating aspects of the developing global law of privacy, with big implications for online marketing, Big Data, and the Internet of Things.

At first blush, it is easy to see the case as one more divergence between how privacy is protected in the EU and US, with a European Court once again showing how much eager it is to protect privacy than an American one. But the biggest takeaway from the case is not one of divergence; it is one of convergence!

Continue Reading

The Health Data Breach and ID Theft Epidemic

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

When you go to the hospital, you might worry about catching a staph infection or pneumonia, but you should also worry about contracting a nasty case of medical identity theft. Most people suffer significant harm from medical ID theft, and few are completely cured. This ailment is spreading dramatically as data spurts out of healthcare organizations these days as if from a ruptured aorta.

In January of this year, an article citing U.S. Department of Health and Human Services (HHS) statistics noted that in the past 5 years, there have been roughly 120,000 reported data breaches involving HIPAA protected health information. These breaches have involved more than 31 million individuals.

Continue Reading

Why the Anthem Data Breach Is Needlessly Harmful

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

Recently, Anthem, one of the largest health insurance providers, suffered a massive data breach involving personal data on up to 80 million people. According to Anthem, the data breached includes “names, dates of birth, member ID/ social security numbers, addresses, phone numbers, email addresses and employment information.”

Continue Reading

Lawsuits for HIPAA Violations and Beyond: A Journey Down the Rabbit Hole

Daniel Solove
Founder of TeachPrivacy

hipaa lawsuits 1

by Daniel J. Solove

At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don’t provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies.

Continue Reading

The Most Alarming Fact of the HIPAA Audits

Daniel Solove
Founder of TeachPrivacy

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading

Ebola and Privacy: Snooping, Confidentiality, and HIPAA

Daniel Solove
Founder of TeachPrivacy

Ebola Virus Confidential

by Daniel J. Solove

The recent cases of Ebola in the United States demonstrate challenges to health privacy in today’s information age — both in preventing employees from snooping into patient information as well as preventing the disclosure of patient identities.

Continue Reading

The Brave New World of HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

hipaa enforcement

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.

hhs logoThe Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.

Continue Reading

6 Lessons from the Costliest HIPAA Settlement to Date

Daniel Solove
Founder of TeachPrivacy

Costliest HIPAA Settlement blog 1

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

Waking Up the C-Suite to Privacy and Security Risks

Daniel Solove
Founder of TeachPrivacy

waking up the c suite

by Daniel J. Solove

I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.

Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.

Continue Reading

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Daniel Solove
Founder of TeachPrivacy

Blank chalkboard and stack of books

by Daniel J. Solove

This post was co-authored by Professor Paul Schwartz, Berkeley Law School.

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

Continue Reading