Updated: Slides from Webinar on HIPAA Privacy and Security Rules

Posted on October 7, 2010 by Steve Fox and Vadim Schick

Post & Schell, in collaboration with Kroll Fraud Solutions, presented a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick highlighted the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view or download the slides from this presentation by clicking here.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

Tags: , , , , , , , , , , , , , ,

Final breach notification rules delayed

Posted on July 29, 2010 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery.  However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Ed Shay believes one of the reasons could be the controversy regarding the "harm threshold" element of the rule, which we discussed earlier this year.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.  According to Ed:

Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leave room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure. I think that he guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported--with the inference being that risk of harm has proven too judgment dependent in its implementation.

If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survives the proposed rule, then reporting upstream has to be addressed in final breach notification rules.

You can find HHS's brief press release on the subject by clicking here.
Tags: , , , , , , , , , , , ,

Updated: breaches and fines on the rise

Posted on June 16, 2010 by Steve Fox and Vadim Schick

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010.  Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year.  We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.”  Information lost included not only PHI, but also Social Security numbers and even credit card data.  The records on the laptop were password protected, but they were not encrypted.  The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge.  The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information. 
  • Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees.  On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009.  Violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local.  California has a particularly strict medical privacy law, enacted in 2008.  Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California.  It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," Cincinnati.com (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).
Tags: , , , , , , , , , , , , ,

Medical associations sue FTC over Red Flags Rule

Posted on May 24, 2010 by Steve Fox and Vadim Schick

Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations.  FTC is to begin enforcement of the Rule on June 1, 2010.  Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA.  According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, medical associations argue that the additional privacy safeguards imposed by RFR are simply not necessary.  In addition, the American Bar Association succeeded in excluding lawyers from RFR requirements.  Physicians argue that the exemption of lawyers should apply to healthcare professionals.

We will keep you posted regarding any developments in this case.  However, until the court rules on the AMA's motion, healthcare organizations should remember the June 1, 2010 enforcement date for the Red Flags Rule.  Click here for more information regarding the RFR requirements, but keep in mind the new enforcement date of June 1, 2010.

"Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship," Health Data Management (May 21, 2010).
Tags: , , , , , , , , , ,

Connecticut radiologist breaches privacy of hundreds

Posted on April 1, 2010 by Steve Fox and Vadim Schick

HealthImaging.com reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn. "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From HealthImaging.com:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should serve as a reminder for healthcare providers regarding maintaining the safeguards necessary to prevent wrongful access to patient data.  For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors.  Even if you believe that everyone in your office is fully trustworthy, you never know who can get a hold of such restricted information as usernames and passwords.  The reputational and financial damage to your organization could be very substantial; and your contract with the PACS system vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," HealthImaging.com (March 31, 2010).

Tags: , , , , , , , , , , , , , , ,

In the news: medical ID theft on the rise; CHIME comments on meaningful; and more

Posted on March 24, 2010 by Steve Fox and Vadim Schick
  • Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident.  This is twice as many cases as in 2008.  Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to Computerworld.com (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.
  • In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act.  According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

  • U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting.  If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.
  • CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized certifying body of EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," HealthImaging.com (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," Bloomberg.com (March 23, 2010).

"As health data goes digital, security risks grow," Computerworld.com (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).
Tags: , , , , , , , , , , , , , , ,

In the news: Privacy breaches and de-identification

Posted on January 11, 2010 by Steve Fox and Vadim Schick
  • According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.  This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.
  • Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions:  "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs."  According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

  • According to Washington Technology, HHS is looking for a contractor to research the effectiveness of "de-identifying" PHI:

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

'The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude 'brute force' matching, demonstrate the ability or inability to re-identify the data,' the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

"Former UCLA Health Worker Pleads Guilty To Accessing Celebrities' Medical Records," LA Weekly (January 8, 2010).

"Delaware crime: Trash-picking identity theft targets pharmacy customers," Delaware Online (January 6, 2009).

"HHS wants contractor to test privacy of 'anonymous' data," Washington Technology (January 5, 2010).
Tags: , , , , , , , , , , ,

Identity thieves target victims of accidents at a medical center in Nevada

Posted on November 20, 2009 by Steve Fox and Vadim Schick

This article serves as a great reminder about the importance of safeguarding your patients' data, both from thieves outside and, unfortunately, from within the organization.  Via Las Vegas Sun:

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.

Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients.

The full article is available here.

"UMC has patient privacy leak," Las Vegas Sun (November 20, 2009).

Tags: , , , , , ,

HHS releases interim final regulations on HIPAA enforcement changes

Posted on November 2, 2009 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA.  As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule is here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

Tags: , , , , , , , ,

HIT Standards Committee endorses privacy and security standards

Posted on September 21, 2009 by Steve Fox and Vadim Schick

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

 

 

Tags: , , , , , , , , , , , , ,

New York Times reports on privacy concerns about use of de-identified health information

Posted on August 10, 2009 by Steve Fox and Vadim Schick

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.  

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHR's) and personal health records (PHR's) on privacy and security of patients' protected health information.  

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).

 

 
Tags: , , , , , , , , , , , ,

LA Times reminds providers that patients are entitled to copies of their medical records

Posted on July 27, 2009 by Steve Fox and Vadim Schick

The Los Angeles Times reported on a story of a patient trying to obtain a copy of her blood tests from her doctor's office.  The office wanted to charge the patient $25 to retrieve the test results and send them to her via first-class mail (refusing to fax such results to her for free).

Under both HIPAA and California privacy laws, however, the patient was entitled to such records with only minimum administrative charges:

Most providers are required to follow both HIPAA and the California law, deferring to whichever offers greater consumer protection in cases where the laws differ. As a result, [this patient's] doctor had no legal basis for charging the $25 administrative fee for her lab results.

Under California law, healthcare providers are allowed to charge a fee for the cost of copying a patient's medical record and for the postage to mail it. But the cost cannot exceed 25 cents per page for photocopies and 50 cents per page for microfilm.

The law in California also permits doctors to charge a "retrieval fee" for locating patient records and for making them available. But HIPAA does not allow it. Because HIPAA offers consumers greater protection than California law in this area, doctors in the state cannot charge patients fees beyond those allowed for photocopying.

 

The doctor's office was also wrong about refusing to fax the test results to the patient, claiming it would violate patient confidentiality and potentially compromise the privacy and security of her information.

But under HIPAA, sending health information by fax is not prohibited. In addition, the law states that the provider must give patients the information they ask for in the format they request.

The full article is available here.

"Those Medical Tests Are Yours," Los Angeles Times (July 27, 2009).
Tags: , , , , , ,

Steve Fox on the ARRA privacy requirements

Posted on April 22, 2009 by Vadim Schick

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009: 

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA.  Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.

 

Tags: , , , , ,

This just in: New HHS guidance about securing protected information

Posted on April 17, 2009 by Steve Fox and Vadim Schick

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Tags: , , , , , , , ,

In the news: CVS and Google; Connect Open Source Software; and more

Posted on April 8, 2009 by Steve Fox and Vadim Schick
  • CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership.  Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts.  It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement.  After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA.  ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
  • The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network.  The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect.  The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already.  ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

     

 

  • This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
  • The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYB and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)

 
Tags: , , , , , , , , , , , , ,