Data Privacy & Security/HIPAA/HITECH

The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool.  In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the attackers’ opening move was launched not against Target itself but against a Target vendor, Fazio Mechanical Services.

Although the report gives few details, it does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.”  Target’s supplier portal and facilities management pages were apparently publicly accessible on the Internet, and files from those sites “allowed the attacker to map Target’s internal network prior to the breach.”  Unfortunately, Fazio was also using a free version of an anti-malware product, which did not provide real-time protection and was intended only for individual consumer use.

Last week, our own Brian Bewley chaired the HCCA Midwest Regional Conference in Overland Park, Kansas.  The conference addressed current compliance issues such as the compliance officer’s evolving role, RAC audits and appeals, and HIPAA.  The conference had a great turnout – in fact, the most attendees in the conference’s history.

Husch Blackwell’s Julianne Story

Adoption of EHR technologies has greatly increased as the result of the EHR Incentive Program. Touted as one of the necessary building blocks for creating integrated delivery systems, EHR is considered vital to improve health quality, efficiency and patient safety.  The EHR Incentive Program has been very successful and CMS has awarded over $10

Marketing Involving PHI

The HIPAA Omnibus Rule made changes to the rules related to marketing involving PHI.  A marketing communication, as defined by HIPAA, is a communication about a product or service that encourages the recipient to purchase that product or service.  Previously, PHI could not be used or disclosed for a marketing communication without authorization unless

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules. The final rule became effective on March 26, 2013, and providers have just over a month left to comply with the new rule.  Compliance is required by September 23, 2013.

Changes to Breach Identification

Under the old standard, a reportable breach was an unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual. Under the new standard, all unauthorized uses and disclosures of PHI are presumed to be reportable breaches unless, following a risk assessment, it is determined that there is a low probability that the PHI has been compromised.

Previously, we recommended including the following factors in breach risk assessments:

  1. the type and amount of PHI disclosed;
  2. to whom the PHI was disclosed; and
  3. the risk of further disclosure.

Welcome to our new series on HIPAA!

Whether you are feeling a little rusty on HIPAA issues or trying to figure out the new Omnibus rule, we hope you will find this information helpful.  Each week, we will be discussing a new aspect of HIPAA including:

  • HIPAA basics
  • New Omnibus regulations
  • Responding to subpoenas
  • HIPAA disasters
  • Enforcement

Recent national tragedies have refocused the nation on an important question:

Can or should a physician face civil liability for failing to warn of the dangers posed by a patient who later commits violence?

Husch Blackwell attorneys Greg Minana and Justin Stephens addressed this question under Missouri law in an article published in the May/June issue of Missouri Medicine.  In

Are you still trying to understand the changes made in the HIPAA Omnibus Rule?

Do you want an opportunity to ask questions and hear how other providers are handling HIPAA issues?

Do you need a chance to brush up on your HIPAA knowledge and evaluate current strategies? 

If so, then you should consider attending one

Are healthcare providers at your facility texting patient information to each other?  This type of communication is becoming more and more common, but ordinary text messages are neither encrypted nor access-controlled, so such messages are often in violation of HIPAA.  To address this issue, Sprint announced last week that it is now offering two texting products that provide the proper security for PHI

If you have been struggling to figure out the risk assessment requirements of the Final HIPAA Omnibus Rule, then you are in luck.  Join us for a webinar!  Husch Blackwell attorneys Pete Enko and Peter Sloan along with Director of Information Management Consulting Deb Juhnke will present the Who, What, When, How and Why