Express Scripts, Some Members Face Extortion Attempt After Data Breach

Volume 8, Number 12 • December 2008
Practical News and Strategies From AIS’s HIPAA Compliance Center
Contents
If Safety Is an Issue, Privacy Officers Need Seat at the Table (p. 3)
Boston Hospital Works With Victims After Medical Identity Theft (p. 5)
CEs Dismiss Nosey Staff Members (p. 5)
Emergency Department Crowding, Fast Pace Create HIPAA Risks (p. 7)
Case Studies in Patient Privacy Problems and Their Solutions (p. 8)
Patient Privacy Court Cases (p. 11)
Privacy Briefs (p. 12)
Privacy Protections Are Called Key as
Enrollment Begins in Rhode Island HIN
Just six weeks after enrollment began with a small outreach effort, some 800 individuals have joined a fledgling health information network (HIN) in Rhode Island, which allows participants to select one of three levels of privacy protections and controls. And 80% of the members have opted to give their providers full access to their medical records through the HIN, which officials in the state say is “very encouraging.”
Rhode Island’s HIN, called “currentcare,” has had “a very good start,” says
Edward Quinlan, president of the Hospital Association of Rhode Island, which has
been involved in currentcare’s development and implementation.
The privacy and access levels “are a very important element,” adds Charles Kinney,
chief operating officer of 100-bed Westerly Hospital in Rhode Island, which will soon
begin enrolling patients in the HIN.
Rhode Island’s early success demonstrates what experts believe is true: A nationwide health information network will succeed only if Americans join, and they will do
so only if they feel their privacy concerns have been addressed and if they are able to
exert some control over who sees their records.
Currentcare is a regional HIN, also called a health information exchange, that
would be joined with other regional HIEs to form a national network, which is currently under development with federal support. Currentcare is operated by the Rhode
Island Quality Institute, which spent several years developing the program, culminating in the passage of a law, signed in September, formally establishing currentcare.
continued on p. 10
Editor: Eve Collins; Contributing Editor: Neal Learner; Executive Editor: Angela Maas
Express Scripts, Some Members Face
Extortion Attempt After Data Breach
Express Scripts, Inc. on Nov. 11 said that some of its clients had received anonymous letters threatening to expose the personal information of members following a
data breach at the pharmacy benefit manager (PBM). Express Scripts, which is offering
a $1 million reward for the arrest and conviction of the person or persons responsible
for the extortion, said it believes the letters are connected to the extortion threat that it
made public on Nov. 6.
The latest letters are similar to the one that Express Scripts received in early October that threatened to post millions of members’ private information on the Internet if
payment demands were not met, the PBM says. The original letter contained personal
information on 75 members, including their names, dates of birth, Social Security numbers and, in some cases, prescription information, according to Express Scripts.
While some observers say the PBM will likely lose business as a result of the breach,
one Wall Street analyst says that he expects the PBM will be able to weather the PR
storm. Other security experts, meanwhile, warn that all PBMs face similar data threats
from organized criminals intent on exploiting their cyber weakness.
Published by Atlantic Information Services, Inc., Washington, DC • 800-521-4323 • www.AISHealth.com
An independent publication not affiliated with hospitals, government agencies, consultants or associations
Express Scripts noted that it and the FBI have
launched investigations to determine who is behind the
threat. In addition, the company on Nov. 11 said that
it had hired Kroll, a prominent risk-consulting firm, to
offer assistance to its members if they become victims
of identity theft because of this incident. Express Scripts
also says it will offer its members free identity-restoration
services if needed.
“Express Scripts is committed to the privacy and security of our members’ personal information, so a threat
like this against our members is outrageous,” George
Paz, president and CEO, said in a written statement. The
company said it deploys “a variety of security systems”
designed to protect members’ personal information.
“However, as security experts know, no data system is
completely invulnerable,” Paz asserted.
The PBM says that it has identified where the data
that were involved in the security breach were stored in
its systems and has instituted enhanced controls. Express
Scripts also maintained that it is unaware now of any
misuse of members’ information.
Subscribers to AIS’s HIPAA Compliance Center receive Report on Patient Privacy (ISSN: 1539-6487), which is published 12 times a year by Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com. Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.
Editor, Eve Collins; Contributing Editor, Neal Learner; Executive Editor, Angela Maas; Publisher, Richard Biehl; Marketing Director, Donna Lawton; Fulfillment Manager, Gwen Arnold; Production Coordinator, Russell Roberts
The PBM so far has taken all of the right steps, says
one security expert. “Textbook-wise, it looks like they’re
doing everything possible [to address the issue],” says
Harry B. Rhodes, director of practice leadership at the
American Health Information Management Association.
Among other things, the PBM has examined the audit
trail, contacted affected customers and is working with
the FBI on the investigation, he notes.
Still, Rhodes says that now that Express Scripts has
identified where the information came from in its database, the company should be able to start zeroing in on the
people that had access to that information. He points out
that 80% of data breaches are the result of an inside job.
“They need to look at all of their employees, including their current employees,” he suggests. “The current
best practice is [that] you do a background check on
people who have access to this type of information, especially people who can download or move or copy large
portions of information.”
Robert Coffield, a health care attorney at Flaherty,
Sensabaugh & Bonasso, PLLC, says companies cannot
protect against every potential breach. “But you certainly
need to meet a minimum threshold standard,” he says.
“When you fall below that standard, that is when you are
going to be subject to litigation.” Coffield did not offer
any judgments as to the standards of Express Scripts’
security systems.
PBMs Say They Are Prepared
Other PBMs say they have multiple data security
measures in place to ward off similar attacks.
For its part, Medco Health Solutions, Inc. has institutionalized encryption technologies across the enterprise, and has conducted exhaustive reviews of all HIPAA-related data, according to spokeswoman Ann Smith. All laptop and desktop computers and business-to-business information is encrypted, and the company has authentication and access control on its data, in addition to data security protocols that are proprietary, she explains.
“We are obsessive and extreme on security with layers of backups,” Smith says.
Likewise, CVS Caremark Corp., to its knowledge,
has not received a letter similar to the one described
by Express Scripts, says CVS Caremark spokeswoman
Christine Cramer. “CVS Caremark’s security programs
are robust and have many internal controls that are designed to prevent unauthorized access to confidential
information,” she says.
Key components of CVS Caremark’s security program include the use of leading security technology, a
comprehensive and consistently applied testing and
validation program, and strict protocols related to user
access to confidential data, Cramer says.
EDITORIAL ADVISORY BOARD: Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., Wash. D.C.; JOHN BENTIVOGLIO, Esq., Arnold & Porter, Wash. D.C.;
MICHAEL DOSCHER, Senior Manager, Global Healthcare Div., Covansys Corp., Glendale, Calif.; BRIAN GRADLE, Esq., Hogan & Hartson L.L.P., Wash., D.C.; REECE HIRSCH, Esq.,
Sonnenschein Nath & Rosenthal L.L.P., San Francisco., CA; JAMES PASSEY, MPH, Director, Compliance & Risk Management, Valley Health System, Hemet, Calif.; ERIC S. TOWER,
Esq., Associate General Counsel, Advocate Health Care, Oak Brook, Ill.
Alan Paller, director of research at SANS Institute,
a computer security training organization, says extortionists target companies whose paramount interest is
keeping client information confidential. The health care
industry represents a “perfect extortion target,” he adds.
“It’s a massive crime, in the hundreds of millions of dollars,” he explains. Paller also asserts that it’s likely that
other PBMs have been hit as well. “They may have managed to keep it quiet, or they don’t know yet,” he says.
Companies Can Weather the Storm
“Express Scripts has taken the appropriate steps to
limit the damage,” says Kemp Dolliver, a PBM securities
analyst at Cowen and Company, LLC. “This situation
looks like an embarrassment only absent evidence of a
broader problem,” he says, pointing out that Medco also
had a data breach related to a lost laptop computer back
in 2006 that involved data on an Ohio agency with 4,600
members.
“I don’t see competitors loudly touting this,” he says
of the Express Scripts breach. “The company has taken
some steps to get out in front of this with the impacted
individuals and clients to mitigate the damage. They
have to stay on top of this until they know the extent of
the breach.”
Rhodes suggests that Express Scripts publicize all of
the things it has done to fix the problem. It will be especially important for the PBM to show that it has identified where its weaknesses are, has corrected them, and
will have a process in place to do risk assessments constantly and watch for new weaknesses, Rhodes explains.
“You win back the trust,” he says.
“A company this large, they cannot afford this kind
of situation. If they want to be successful, they’re going to
come back with stronger controls.”
Read more at www.esisupports.com. Contact Coffield at [email protected], Rhodes at Harry.rhodes@ahima.org and Cramer at [email protected].
This story is reprinted from AIS’s Drug Benefit News.
For more information, go to www.AISHealth.com.
If Safety Is an Issue, Privacy
Officers Need Seat at the Table
Chuck Burbank recently visited his 75-year-old father in the hospital, and was pleased to see he was wearing a yellow wristband and had a yellow star on his door,
to indicate that he was at high risk for falls. “At his age,
a fall could be devastating,” says Burbank, the HIPAA
coordinator for St. Luke’s Episcopal Health System in
Houston.
Earlier this year, Burbank helped institute a similar
program in one of the hospitals in his system, but it is
only partly in place, with just the yellow bands. The hospital has not yet decided whether it will use red bands,
which indicate allergies, nor purple, to be used for patients who do not want to be resuscitated.
While the wrist bands and a star may seem like easy
methods to improve patient safety — a professed national goal — they are not universally accepted. Despite
a push by the American Hospital Association (AHA) and
other groups, some hospitals have balked at using them,
perhaps out of concern for patient privacy.
Since the privacy rule went into effect in 2003, safety
innovations have emerged that were not in effect or contemplated by the rule. Hospitals must make judgment
calls about whether to implement those that may cause
privacy concerns — and in some cases, they may be making the wrong decision out of fear or misinformation.
As Burbank’s involvement shows, privacy officers
have a vital role to play in these discussions about balancing patient safety and privacy.
They should also build the kind of relationship with
hospital administrators to ensure they will have a seat at
the table, as Burbank has.
Wrist Bands Are Similar to Signs
St. Luke’s includes 700-bed Texas Medical Center and
two smaller community hospitals. Before the wrist band
program was implemented earlier this year, Burbank and
other officials “worked through the privacy issues.”
Burbank read the HIPAA regulation and guidance
documents issued by HHS’s Office for Civil Rights
(OCR), and concluded that the bands would be allowable as part of communications, and fall under incidental
disclosures. “While they don’t talk about wrist bands,
they do talk about signs, and I saw this as the same kind
of thing,” he says.
The bands do not contain any diagnostic information
tied to a particular patient’s identity, he notes, and the
system believes it has taken “reasonable precautions” to
safeguard protected health information associated with
patients who have the wrist bands.
When Burbank gave the OK, the nursing staff was
especially pleased with his ruling on the fall initiative.
“They really wanted to implement the program, and they
were very happy,” he says. He thinks it may just be a
matter of time before the other two hospitals also use the
wrist bands, but he is not certain whether they will adopt
the full program.
Burbank is correct in that the privacy rule does not
address colored wrist bands or falling stars, and OCR has
issued no specific guidance on the use of these programs.
So RPP asked OCR to comment on the bracelets in
particular, and on the emergence of other techniques in
general that hospitals might be using to advance patient
safety, plus whether they are legal under the privacy rule.
“The use of colored bracelets to convey information to hospital staff is essentially no different than other
techniques used by hospitals to provide patient information to physicians and staff,” Susan McAndrew, OCR’s
deputy director for health information privacy, tells RPP.
She says the bracelets are akin to “keeping clipboards
containing patient information at the bedside.”
But before implementing such a program, the hospital must “consider and properly apply” reasonable
safeguards. She notes that if this is done, “incidental disclosures that might result from the bracelets being seen
by others would be allowed.”
Speaking generally, McAndrew says that the rule is
“carefully balanced to provide strong privacy protections
for individually identifiable health information without
impeding the provision of quality health care.”
She notes that the rule “affords health care providers with the flexibility they need to decide on the uses
and disclosures of protected health information that are
necessary for treatment in a hospital setting and to carry
out other health care operations that support treatment of
the individual.” But she cautions that the hospital must
ensure that it also complies with other aspects of the rule,
such as the minimum necessary requirement.
Modifications May Be Needed
The Texas Hospital Association has been working
with its members for 18 months to adopt a wrist band
program. “A few” hospitals have decided against it out
of fears that it could violate the privacy rule, Starr West,
senior director for policy analysis, tells RPP. The purple
bracelet seems to have generated the most opposition,
she says.
“Some of our hospitals really felt strongly that using
a purple wrist band was compromising patient privacy,”
West says. “What we said was, ‘we are standardizing colors here, not necessarily asking anyone to use the bands. If you are using them, use the standard colors … and for heaven’s sake don’t use purple for anything else.’”
Out of the interest of patient privacy and other concerns, some hospitals have modified the bracelet program. For example, upon admission, all patients at the
three acute-care hospitals in the Scottsdale Healthcare
System in Arizona are fitted with a red “bracelet,” upon
which the nursing staff hand-writes their allergies or
“NKA,” for no known allergies.
In this way, no patients stick out for having a red
bracelet, and no patients have refused to wear them since
the program went into place in 2007, says Debbie Weller,
Scottsdale’s manager for patient safety and regulatory
issues, who helped implement the program.
In addition, changes were made to make the Do Not
Resuscitate (DNR) part of the effort to be more palatable to
Scottsdale physicians, who said the purple bracelets other
hospitals use were “demeaning to patients,” Weller says.
Instead, these patients have a “jewel” on their bracelet,
a small purple triangle clipped to it permanently. Some
who have a modified DNR have an orange triangle.
Patients who are at risk of falls also have a yellow
bracelet. The bracelet program was developed with representatives from various parts of the system, including
its privacy compliance officer, she adds. “Our compliance
staff were involved in the design and the rollout,” Weller
says.
Staying in Touch With Medical Staff
Scottsdale staff frequently consult with their privacy
officials to ensure they remain in compliance, especially
when they want to implement a new program, put up
new signage, or take some other action to improve patient care or treatment, Weller says.
For example, the staff wanted to ensure that special
instructions were readily accessible when patients were
transferred and when the medical file was not always
available. The compliance staff suggested using a two-sided form with preprinted information on one side, and
the individualized instructions written inside. When the
paper was hung by the bedside, the PHI was hidden,
Weller says.
Since he joined St. Luke’s just over a year ago, Burbank has taken steps to form a good relationship with
the nursing and other system staff. “I work very hard to
let them know that I am a resource and that they should
please use me,” he says. “I think it is very important for
them to know who to ask if they have a question or issue.”
Caregivers and other workers in the hospital “may
encounter unique situations, and they may have trouble
knowing what to do if it falls outside standard practices,”
he says. “Things have changed so much” since the privacy rule went into effect.
Privacy Is Not Static
The privacy rule “should not be thought of as a stagnant document,” nor should the security rule, Burbank
adds, noting that compliance officers also must keep
abreast of changing state laws, which are often more
stringent than the federal rules.
Burbank says that the staff has asked him to weigh
in on other similar issues. Medical device manufacturers, for example, had requested permission to use their
equipment in system hospitals with real patients.
So he worked with the staff to hammer out “showcase agreements” to cover these activities to ensure that
they protected patients’ privacy and did not violate the
privacy rule, he says.
Lawrence Hughes, AHA regulatory counsel, says
the organization has taken the same position as OCR. He
also notes that privacy officers should be alert to new developments in patient safety and treatment and how they
might impact privacy compliance. It would be a good
idea to have “whoever is in charge of privacy involved in
all kinds of activities like that,” Hughes says.
Privacy officers should also have “training that is
ongoing” and addresses new and emerging privacy issues, he adds.
Learn more at http://www.ahaqualitycenter.org/ahaqualitycenter/documentDetailServlet?contentId=10343&contentTypeDesc=Review. Contact Hughes at [email protected], Weller at [email protected] and Burbank at [email protected].
Boston Hospital Works With Victims
After Medical Identity Theft Occurs
When it comes to medical identity theft, one challenge covered entities (CEs) face is deciding whether or
not to let the victim see his or her medical record and
expunge any erroneous information.
Officials at Massachusetts General Hospital in
Boston have seen a recent wave of medical identity theft
cases and decided to (1) notify the medical identity theft
victims, and (2) help these victims clean up their records.
To do this, the hospital set up a team composed of staff
members representing different departments in the hospital, says Shanda Brown, assistant manager of health
information services (HIS) at Mass General. The departments represented are police and security, registration,
information systems and patient accounts, with the HIS
department coordinating the response.
CEs Dismiss Nosey Staff Members
Three hospitals made headlines last month after they fired employees for accessing patient records when the employees
were not directly involved in the patient’s care.
• Shands-Jacksonville Medical Center in Florida fired 20 hospital workers who improperly accessed a professional football player’s records during his hospital stay, reports News4Jax.com. Jacksonville Jaguar Richard Collier was admitted in September with multiple gunshot wounds. After Collier was released from the hospital, Shands officials performed an audit on who accessed his medical records. Admissions personnel, nurses and patient relations staff were dismissed for accessing the records when they had no need to, News4Jax says. A spokesman for the union representing the employees says the punishment does not fit the offense and that some of the workers had legitimate reasons to access the information. “Any allegation of a breach in patient confidentiality is taken very seriously,” Shands told News4Jax in a prepared statement. “All allegations are investigated thoroughly. If it has been determined that a violation has occurred, disciplinary action up to and including termination can be used. In order to maintain patient confidentiality we do not comment on any specific cases,” it added. A Shands spokesperson did not return RPP’s calls seeking comment.
• St. Vincent Infirmary Medical Center in Little Rock, Ark., fired six employees for improperly viewing a local news anchorwoman’s medical records, the Arkansas Democrat Gazette reported on Nov. 20. Anne Pressly was admitted to St. Vincent on Oct. 20 after being severely beaten in her own home by an intruder. She died a few days later. St. Vincent officials learned of a breach of her records via an audit in the days before her death, CEO Peter Banko told the newspaper. As many as eight people accessed the records and were put on leave pending investigation, Banko said. Officials determined that two of the staff members had valid reasons for viewing the records. Banko would not tell the newspaper what positions they held in the hospital, but said none of them were physicians. Visit www.nwanews.com.
• University of Iowa (UI) Hospitals fired one employee and suspended seven others for improperly accessing patient information, the school said on Nov. 14. The breaches were discovered during a routine review of computer access to patient records, UI explains. The investigation is ongoing, a UI prepared statement says. “Everyone working or volunteering at UI Hospitals and Clinics is required to sign a statement attesting to their understanding of the policy and the privacy rule as part of their annual training,” the statement says. “Furthermore, everyone is frequently reminded that it is also inappropriate to discuss a patient’s status, care or other circumstances with those not involved in the patient’s direct care, or to discuss a patient in a public setting,” it adds. Visit www.uihealthcare.com.
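The access audits behind these three cases, and Rhodes’ earlier point about checking who had access to the breached data and who can copy large portions of it, come down to two questions a reviewer asks of an EHR access log: who opened a patient’s record without a care relationship, and who touched an unusual number of records. The script below is an added example, not code from the newsletter or from any of the hospitals named; the log lines, the care-team roster and the bulk-access threshold are all constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample EHR access log (not real data). One event per line:
# timestamp,user,role,patient_id,action
SAMPLE_LOG = "\n".join(
    [
        "timestamp,user,role,patient_id,action",
        "2008-11-20T08:02:11,rn.alvarez,nurse,P-1001,view",
        "2008-11-20T08:05:40,dr.chen,physician,P-1001,view",
        "2008-11-20T08:09:03,clerk.dupont,admissions,P-1001,view",
        "2008-11-20T08:11:27,pr.okafor,patient_relations,P-1001,view",
        "2008-11-20T08:15:02,rn.alvarez,nurse,P-1001,view",
        "2008-11-20T09:30:00,rn.alvarez,nurse,P-1002,view",
        "2008-11-20T09:45:12,dr.chen,physician,P-1003,view",
    ]
    + [
        # one claims analyst opening 60 different records in a morning:
        # the "download or copy large portions" pattern Rhodes describes
        f"2008-11-20T10:{i:02d}:00,analyst.q,claims,P-{3000 + i},export"
        for i in range(60)
    ]
)

# Constructed care-team roster: patient_id -> users with a treatment
# relationship. In practice this comes from the admission/assignment system.
CARE_TEAM = {
    "P-1001": {"rn.alvarez", "dr.chen"},
    "P-1002": {"rn.alvarez"},
    "P-1003": {"dr.chen"},
}

# Patients under heightened monitoring (a high-profile admission, say).
FLAGGED_PATIENTS = {"P-1001"}

# Hypothetical threshold for distinct records touched by one user per window.
BULK_THRESHOLD = 50


def parse_access_log(text):
    """Parse the CSV log into a list of dicts, one per access event."""
    return list(csv.DictReader(StringIO(text)))


def non_care_team_access(events, care_team, flagged_patients):
    """Accesses to a flagged patient's record by users not on that patient's
    care team. Returns a sorted list of (user, role, patient_id, count).
    Admissions or patient-relations roles are NOT exempted: the audit
    produces leads for human review, and a role that sometimes needs a
    record is exactly the case a reviewer must examine (as the Shands
    union's objection illustrates)."""
    hits = defaultdict(int)
    for e in events:
        pid = e["patient_id"]
        if pid in flagged_patients and e["user"] not in care_team.get(pid, set()):
            hits[(e["user"], e["role"], pid)] += 1
    return sorted((u, r, p, n) for (u, r, p), n in hits.items())


def bulk_access_users(events, threshold):
    """Users who touched at least `threshold` distinct patient records,
    regardless of action type (view vs. export both count)."""
    distinct = defaultdict(set)
    for e in events:
        distinct[e["user"]].add(e["patient_id"])
    return {u: len(p) for u, p in distinct.items() if len(p) >= threshold}


def review_report(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings for review."""
    events = parse_access_log(text)
    return {
        "non_care_team": non_care_team_access(events, CARE_TEAM, FLAGGED_PATIENTS),
        "bulk": bulk_access_users(events, BULK_THRESHOLD),
    }


if __name__ == "__main__":
    rep = review_report()
    for user, role, pid, n in rep["non_care_team"]:
        print(f"REVIEW: {user} ({role}) opened {pid} {n}x with no care-team assignment")
    for user, n in rep["bulk"].items():
        print(f"REVIEW: {user} touched {n} distinct records (threshold {BULK_THRESHOLD})")
```

On the constructed log this flags the admissions clerk and the patient-relations user on the flagged patient, and the analyst who pulled 60 records; each is a lead for the privacy officer to verify against the person's actual duties, not a verdict.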
There are two different ways the team finds out
about medical identity theft: A person comes in claiming to have been a victim or, most often, a hospital staff
member begins to suspect a patient isn’t who he says he
is during the course of treatment. Either way, the team is
there to support the victim, says Brown, who also spoke
at a Medical Identity Theft Town Hall Meeting in Washington, D.C., in October (RPP 11/08, p. 4).
With about 40 confirmed cases in 2008, Mass General
has incorporated medical identity theft into its regular
training regimen and has told its staff what it is, how it
impacts the victim and the “thief,” who to contact and
when to alert the team. For example, “we had a nurse
remember treating a guy in the emergency department
two weeks earlier under a different name,” she says.
Once the team is alerted that medical identity theft is
occurring, it will try to determine whether the patient is
simply using a made-up name or has actually assumed
the name of an existing patient. “The response and actions of the staff involved are largely dependent on the
issue, so it’s difficult to specify what each member does,
but generally the five departments will be involved in
our cases,” Brown explains. “For example, depending on
the situation, police and security [staff] may be called in
to assist with ID verification. In other cases, this may be
done by the registration staff.”
The HIS or police and security team member will do
a “false patient” interview, depending on how cooperative the patient is. Sometimes he or she will “fess up”
right away because the ID they give doesn’t match what
is in the system, or hospital employees explain to them
how dangerous it is to have their records combined with
someone else’s.
“They get it,” Brown says. “We explain that they
may have a different blood type or may be allergic to certain medications, and all that is important [because] we
are going to treat them based on this record.” Some come
to the realization on their own, like women who came in
seeking prenatal care, but then see a different name listed
on the chart as the baby’s mother.
The “thieves” have a variety of reasons for using
another ID, including immigration status, or the need to
undergo confidential or sensitive tests such as HIV that
they don’t want in their record. Oftentimes the patient is
related to the victim.
If the patient is using the identity of a real person,
Mass General’s privacy officer notifies the victim that his
or her identification has been used. In the case of relatives using the information, the victim often knows about
it and will not respond to the notification, Brown says.
But those who do respond find a sympathetic team
at Mass General, she says. “We let them know without
giving them any details on the issue — that a patient presented with enough identifiers to indicate that they were
the actual patient.”
“We hold their hand through the record check process.
It’s stressful and we understand that. We’ll give them
our contact information to be a resource if they have any
questions.” The process is a bit like that for general identity theft, including a credit record check. The victim is
also told that his or her medical record was cleaned and
is given the opportunity to review it for erroneous information — “whatever they need to make sure that they
are comfortable that their record is intact,” says Brown.
Disputed Info Goes Into Separate Record
“If a victim disputes the information, we remove it
and put it in a separate record. A note is placed in the
separate record with a brief report indicating where the
information came from. We also maintain a database
with a report of the incident as well as correction steps
taken,” Brown explains.
A provider does not need to be concerned about
disclosing the medical information of an identity thief
because his or her identifying information will likely not
be given to the victim, says Marcy Wilder, former deputy
general counsel for HHS. “Under HIPAA, individuals
have a right to see their records, especially in the case
where they have been a victim of medical identity theft.
Victims need the ability to look at and correct their records,” she says.
“The purpose of disclosing the information to the
victim is so he or she can see and correct the record. Providers don’t need to identify the thief,” Wilder explains.
Also, “you don’t have the right to privacy in someone
else’s medical record, particularly if you have stolen their
identity,” she contends.
Mass General’s procedure on medical identity theft
is a good one to emulate, says Wilder, who is now a
partner in Hogan & Hartson’s Washington, D.C., office.
Providers also should be implementing the Federal Trade
Commission’s Red Flag Rules (RPP 10/08, p. 3). Even
though the deadline for compliance with the rules has
been pushed back, hospitals should be putting their programs in place now, she says.
Contact Brown at [email protected] and Wilder at [email protected].
Emergency Department Crowding,
Fast Pace Create HIPAA Risks
Fans of TV hospital dramas know the drill: Ambulance paramedics burst through the emergency department (ED) doors wheeling in a trauma victim. A team
of harried physicians and other caregivers springs into
action, soliciting details about the patient’s condition and
yelling for procedures, “stat!” Meanwhile, a crowd of patients, visitors and bystanders take in every detail — including, sometimes, confidential patient information.
While TV ratchets up the drama, even real-life
EDs are known as high-pressure, high-stress environments where patient privacy may take a back seat to
more pressing life-and-death matters. According to the
American College of Emergency Physicians (ACEP), the
responsibility for ensuring privacy and confidentiality
“may be more challenging and more important in the
emergency department than in many other clinical
settings.”
The primary privacy risk in an ED centers on the
“incidental disclosure” of PHI, says Kathleen Ojala, associate director of compliance at Ohio State Medical Center.
“That occurs because of the pace that most [emergency rooms] work at, and the proximity of individuals
and the physical layout of most emergency departments,” she tells RPP. “It is very difficult to conduct
exchanges of information with other individuals without
the chance of somebody else overhearing that.”
ACEP echoes this point, noting that an ED typically
is a public, crowded environment in which many people
are present. “Semi-open wards, congested hallways and
a fishbowl atmosphere provide little or no physical privacy and limited opportunities to communicate personal
information confidentially,” according to a January 2005
article in the ACEP journal, Annals of Emergency Medicine.
Family Members Are Listening
Compounding this problem is the fact that patients
and family members in emergency departments are apprehensive about what’s going to be happening next,
notes Ojala.
“They are very clued into what the staff are doing
and saying,” she explains. “They have ‘listening ears’
on, and they may really strain to overhear conversations
about another individual, as well as their loved ones.
Incidental disclosure is probably the greatest challenge to
emergency rooms.”
Incidental disclosure is not necessarily a violation of
HIPAA, provided the covered entity has taken reasonable safeguards. Under the privacy rule, EDs, like other covered entities, must implement policies and procedures for ensuring that uses and disclosures of PHI are limited to the “minimum necessary” to accomplish their purpose and nothing more. One caveat matters in the ED: the minimum-necessary standard does not apply to disclosures to another health care provider for treatment, so the safeguards it calls for concern who can overhear, not how much the care team may be told.
The HHS Office for Civil Rights (OCR) has posted
numerous frequently asked questions (FAQs) on EDs
and ambulances. “The HIPAA Privacy Rule permits an
ambulance service or other health care provider to disclose [PHI] about an individual, without the individual’s
authorization, to another health care provider, such as a
hospital, for that provider’s treatment of the individual,”
says the answer to one FAQ.
“The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment
settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high
quality health care,” says another FAQ that specifically
mentions EDs as places where everyday precautions may
not be practicable.
Steps EDs Can Take to Ensure Privacy
There are steps that hospitals can take to lower risks
of patient privacy breaches, according to privacy experts.
For instance, EDs should make sure that their “status
board” — where patient information is recorded and
updated — is not in plain view of passersby and other
patients. This was one of the first things that Children’s
Health System in Birmingham, Ala., considered following the release of final HIPAA regulations, according to
Jennifer Denard Brown, R.N., the hospital’s emergency
department information systems administrator. “We saw
that we needed to get rid of our grease board,” she tells
RPP.
In its place, the hospital implemented an “electronic
patient tracking board,” says Brown, who spearheaded
this effort in 2002. The new system started off containing
basic patient documentation and has since made the ED
virtually paperless, she explains. With access to multiple
computer terminals, the hospital’s ED staff can tell what’s
going on throughout the entire department, Brown says.
“That has improved the patient workflow, but has also
made it where we’re not advertising who’s in our department. We made it more private.”
The Alabama facility also took measures to address
privacy concerns raised by crowding in the emergency
room. Before HIPAA, the hospital’s triage area was open.
“We had a ‘holding area,’ which was a large room with
six patient beds behind curtains,” Brown explains. “We
decided that patients needed to have their own rooms.
We turned those curtain areas into actual rooms and also
created private triage rooms, and increased the number of
rooms we have in our department.” The hospital now is
in the process of building a new expansion facility. When
complete, the ED will have more waiting rooms and patient rooms, as well as more family conference rooms, she
says, which will serve the patient population even better.
While ED remodeling has become a national trend
— and is improving patient privacy — there will still
be situations in which ED staff are at risk of disclosing
PHI, say other experts. Case in point: when a police officer
accompanies a patient into the ED. This can create a compliance gray area, according to Kirsten Rabe Smolensky,
associate professor of law at The University of Arizona,
and an expert in patient privacy issues.
“It may be unclear whether [the patient] is under
arrest or not, and to what extent the police officer should
be allowed to stay in the room,” she tells RPP. “If someone is a danger to the staff or physicians, it is perfectly
reasonable to have the officer stay. But if it’s a situation
where that’s not the case, you might ask them to step
outside of the room.”
Ojala also notes that ambulance paramedics may be
curious about the outcome of a particular patient and
will query the ED staff. This can present a privacy risk,
she adds.
“It is appropriate for the ambulance company to get
information related to quality concerns, [such as] did they
provide the appropriate treatment for the patient,” Ojala
says. “But in terms of actual outcomes for the patient —
did they survive or not — that would not be appropriate
information to share with that ambulance,” she adds.
Overcrowding, in which patients are waiting in close
proximity, also presents privacy challenges. Ensuring
patient privacy in such an instance may be as simple as
remembering not to speak loudly, Smolensky says. “It’s
a matter of using good judgment,” she adds. “If it makes
sense to lower your voice when you’re talking to a patient in the hallway — and you can do that and still communicate with them — then lower your voice.”
Feds Are Flexible
Smolensky also notes that OCR, which oversees the
privacy rule, appears to give EDs more flexibility in the
way they handle privacy information, given the sometimes chaotic nature of the environment.
OCR recognizes that you are “dealing with emergencies, and you can’t always get patient consent, because
patients may come in and be unconscious,” she says as
an example. This flexibility also applies to situations in
which ED staff must talk with family members about
the patient. “Personal representatives” are another topic
covered by OCR in FAQs posted on the Web site. And in
September, OCR issued guidance on how CEs may share
information with persons involved in the patient’s care,
such as family members, friends or other representatives
(RPP 10/08, p. 1). OCR divided the guidance into two
documents: one for patients and one for providers. Each
contained instructions on what to do in certain situations.
For example, the guidance for providers asked: “If
the patient is not present or is incapacitated, may a health
care provider still share the patient’s health information
with family, friends, or others involved in the patient’s care
or payment for care?” The answer is yes. “[A] health care
provider may share the patient’s information…as long as
the health care provider determines, based on professional
judgment, that it is in the best interest of the patient.”
Ojala notes that HIPAA permits health care providers to disclose medical information to a family member,
as long as the information is relevant to the patient’s
current needs.
“If I’m a health care provider and I have access to
the patient’s entire medical record and maybe the patient
had a miscarriage 10 years ago, when I’m dealing with
their family member, the history of the miscarriage is not
relevant today,” she says as an example. “So I’m not going to go ahead and disclose that to the family member.
I need to focus my conversation on what’s relevant in
today’s treatment.”
Less experienced staff, however, can sometimes get a
little worried that they are disclosing too much information to the family, Ojala maintains.
“As long as they remember that they are looking for
what’s in the patient’s best interest…you’re going to be
fine,” she says. “When the patient regains consciousness,
he might be unhappy with you about an exchange that occurred, but it goes to the reasonableness that is required by
HIPAA. If the staff can articulate a rational response, then
that’s good. If the patient is still unhappy, we’ll work that
through our usual patient complaint process.”
Contact Ojala at [email protected], Smolensky at [email protected] and Brown
at [email protected].
Case Studies in Patient Privacy Problems and Their Solutions
The following is another in an ongoing series of articles that
is being written for RPP by health care privacy and security consultant Chris Apgar, CISSP, president of Apgar & Associates,
LLC. Contact Apgar at (503) 977-9432 or [email protected].
First scenario: A small rural clinic experienced a
robbery, and all of the servers used to store patient data
were stolen. Fortunately for the small clinic, appropriate
security had been implemented, and all of the data on the
servers were encrypted. Though the patient data could
not be retrieved by the thief, the clinic was located in a
small town where, as soon as the robbery was reported to
the police, the police reported the incident to the local
newspaper.
This is an instance where the clinic took measures
beyond what was required (but is now becoming appropriate practice) and encrypted the patient data “at
rest,” or stored data. Even so, the clinic still stood to come
under fire in the press since word travels quickly in a
small town. From a regulatory perspective, the clinic was
under no obligation to notify patients of the theft. On the
other hand, once the word was out, patients would be
concerned about their privacy, and it was likely that the
clinic staff would be bombarded with questions related
to the theft of the patients’ PHI. (One point to verify before reassuring anyone: encryption at rest protects stolen hardware only if the decryption keys were not stored on, or recoverable from, the stolen servers themselves.)
This is a situation where organizations need to look
at the circumstances from a practical rather than a legal
perspective. The solution was fairly simple. The clinic
elected to send a letter to all patients to let them know
that their data could not be read by the thief because it
was encrypted. This saved staff members time responding to concerned patients and avoided a potential lawsuit
that was unlikely to result in any damage awards, but
would have cost the clinic to retain its own counsel to
fight such a civil suit.
Also, this action helped bolster the clinic’s
reputation. Patients were reassured and were less likely
to seek treatment elsewhere out of a belief that the clinic
could not protect their medical records.
Billing Staff Contacts Spouse
Second scenario: The billing department of a clinic, in
an attempt to collect a past due amount, contacted the husband of one of its patients and attempted to negotiate payment arrangements. The patient found out about the call
to her husband and proceeded to file a formal complaint
with OCR. She felt her privacy rights had been violated,
especially given the past-due bill was incurred prior to her
marriage to her current husband. She was right.
A covered entity or business associate of a CE cannot
contact a third party — in this case the spouse — about
a patient’s account without specific authorization from
the patient. Even though this could be considered part of
payment activities where no authorization is required to
use and disclose PHI, that permission covers exchanges
between CEs and/or their business associates. The privacy rule does also allow a provider to share PHI with a family member who is involved in paying for the patient’s care, but nothing suggested the husband had any role in this debt, which predated the marriage.
In this case, the solution would be to establish appropriate policies and procedures and train staff, requiring
they contact only the patient when attempting to collect a
past-due amount unless the patient has specifically authorized disclosure of payment records to a third party.
Third scenario: A specialty clinic made the decision
to market a workshop for patients that was directly related to increasing business in one of its specialty areas. The
clinic developed a mailing list based on diagnosis code.
Some of the marketing flyers were sent to deceased patients. Also, the focus of the workshop revealed to some
degree the patient’s diagnosis, which was of a sensitive
nature. It was not a workshop addressing specially protected PHI
under state or federal law, but could prove to be embarrassing to the patient and the patient’s family (in the case
of the flyers sent to the deceased patient).
Marketing to Patients Is Prohibited
In this case, two provisions of the HIPAA privacy
rule were violated. HIPAA prohibits marketing to patients without their written authorization, subject to a few narrow exceptions, and this mailing did not fall
into one of those exceptions. The clinic could have marketed to the patients only if the clinic obtained written
authorization from the patient prior to sending any marketing material. The clinic could have done this during
an appointment (“I’m interested in receiving additional
information about my condition and I authorize [clinic]
to send me condition related marketing material.”),
remembering that many states require that an authorization expire, no matter the period of time noted on the
authorization.
Another option CEs can take advantage of is categorizing workshops as educational opportunities and sending out an announcement to all patients through a patient
newsletter, on the CE’s Web site or potentially through
direct mailing. Given this was a specialty clinic, direct
mailing, even to all patients, may represent a violation of
the privacy rule’s marketing provisions because such a
mailing may reveal the patient’s condition. CEs cannot
target individuals with a certain condition for marketing
purposes unless the marketing is done during an appointment and is related to the patient’s treatment needs, or if
what is being marketed is of nominal value.
The second violation was not taking the time to eliminate any deceased patients from the list of recipients.
The privacy rule gives deceased patients the same protection as living ones. The mailing was
likely opened by a family member. Unless that family
member fell in the class of individuals who could access
the deceased patient’s PHI (such as a family member
with a power of attorney to act on behalf of the deceased
patient), his or her PHI was inappropriately disclosed.
Even if the clinic had obtained authorization from
the patient before sending any marketing material, the
clinic has a responsibility to reasonably ensure that the
PHI that can be derived from the marketing material
does not wind up in the hands of someone not authorized to view the patient’s PHI. It pays to reasonably ensure that all deceased patients are deleted from a mailing
list prior to sending out any patient-specific mailing.
HIN Offers Three Access Levels
continued from p. 1
Currentcare, one of six regional HIEs that received
five-year, $5 million grants from the federal Agency for
Healthcare Research and Quality in September 2004, has
unique features, including the three levels of privacy.
For starters, while some HINs put everyone in the system automatically, Rhode Island’s is voluntary. Individuals
are not enrolled unless they choose to take that step, making currentcare an opt-in, rather than an opt-out, system.
The opt-in feature is a foundation of the HIN.
“You need to have the choice” of whether to join, says
RIQI President Laura Adams, reflecting the views of
Rhode Island stakeholders. “You are out unless you
consent to be in.”
Participants who join have three options regarding access to their PHI: (1) They can give consent for information
to be used only in an emergency; (2) they can list certain
providers — by name — who are allowed access (they are
also permitted to list providers — doctors, hospitals, etc.
— who are not allowed access, with the understanding
that all others are); and (3) they can permit full access to
anyone who is involved in their care.
The three levels of access were built in as a response to
consumer feedback RIQI gathered during many months of
public meetings. Consumers were asked “what it would
take” to win their trust and participation in the system,
Adams says.
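The three options described above amount to an access-control policy with one subtle point: in the deny-list form of option 2 everyone not named is allowed, in the allow-list form everyone not named is refused, and a patient who never enrolled (the opt-in default) has no record to release at all. The following is an added example, not currentcare’s own code, showing how an exchange could evaluate those choices and record why each decision was made. The identifiers, the sample enrollments, and two rules the article does not state (emergency access as the floor at every level, and an explicit exclusion surviving an emergency) are assumptions.

```python
"""Consent-level evaluation for an opt-in health information exchange (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Mapping, Tuple


class ConsentLevel(Enum):
    EMERGENCY_ONLY = 1      # option 1: record released only in an emergency
    NAMED_PROVIDERS = 2     # option 2: patient names who may, or may not, see it
    FULL_ACCESS = 3         # option 3: anyone involved in the patient's care


@dataclass(frozen=True)
class Consent:
    """One enrolled patient's choice. Absence from the enrollment map means not enrolled."""
    level: ConsentLevel
    # Option 2 has two forms: an allow list (only those named may see the record)
    # or a deny list (everyone except those named may). They are not combined.
    allowed: FrozenSet[str] = frozenset()
    denied: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.allowed and self.denied:
            raise ValueError("option 2 is an allow list or a deny list, not both")
        if self.level is not ConsentLevel.NAMED_PROVIDERS and (self.allowed or self.denied):
            raise ValueError("provider lists apply only to NAMED_PROVIDERS consent")


def decide(enrollments: Mapping[str, Consent], patient_id: str, provider_id: str,
           *, emergency: bool = False, involved_in_care: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason string is what an audit log would record."""
    consent = enrollments.get(patient_id)
    if consent is None:
        # Opt-in: no enrollment means no record to release, emergency or not.
        return False, "patient not enrolled (opt-in default deny)"
    # Assumption (not stated in the article): a provider the patient explicitly
    # excluded stays excluded even in an emergency.
    if provider_id in consent.denied:
        return False, "provider explicitly excluded by patient"
    # Assumption: emergency access is the floor at every level, since option 1,
    # the most restrictive, already releases the record in an emergency.
    if emergency:
        return True, "emergency access"
    if consent.level is ConsentLevel.EMERGENCY_ONLY:
        return False, "patient consented to emergency access only"
    if consent.level is ConsentLevel.NAMED_PROVIDERS:
        if consent.allowed:
            ok = provider_id in consent.allowed
            return ok, ("provider on patient's allow list" if ok else "provider not on allow list")
        return True, "provider not on patient's deny list (all others allowed)"
    if involved_in_care:
        return True, "full access: provider involved in care"
    return False, "full access applies only to providers involved in care"


def may_access(enrollments: Mapping[str, Consent], patient_id: str, provider_id: str,
               *, emergency: bool = False, involved_in_care: bool = True) -> bool:
    """Boolean wrapper around decide() for callers that do not need the reason."""
    return decide(enrollments, patient_id, provider_id,
                  emergency=emergency, involved_in_care=involved_in_care)[0]


def build_sample_enrollments() -> Dict[str, Consent]:
    """Constructed sample enrollments for the demo; not real data. Provider ids are made up."""
    return {
        "pt-emergency-only": Consent(ConsentLevel.EMERGENCY_ONLY),
        "pt-allow-list": Consent(ConsentLevel.NAMED_PROVIDERS, allowed=frozenset({"dr-jones"})),
        "pt-deny-list": Consent(ConsentLevel.NAMED_PROVIDERS, denied=frozenset({"hospital-x"})),
        "pt-full-access": Consent(ConsentLevel.FULL_ACCESS),
    }


if __name__ == "__main__":
    enrollments = build_sample_enrollments()
    for pt in ["pt-not-enrolled", *enrollments]:
        for prov in ("dr-jones", "dr-smith", "hospital-x"):
            for emerg in (False, True):
                ok, why = decide(enrollments, pt, prov, emergency=emerg)
                print(f"{pt:18} {prov:12} emergency={emerg!s:5} -> {'ALLOW' if ok else 'DENY':5} ({why})")
```

Returning the reason alongside the decision is deliberate: an exchange that can tell a patient which of their own choices produced a given access is much easier to defend than one that logs only allow/deny.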
How Much Control?
Adams believes the Rhode Island HIN provides
greater and more sophisticated access controls than exist
at other regional HIEs, but also thinks this will change
— that more stringent controls and patient choice will
become the norm.
“There has been a rising awareness at the national
level of the consumers’ right to control their information,
an awakening about the whole issue,” she says. “If this
[HIN] is really going to be consumer focused, then this is
the direction that we need to take.”
There has been a national debate over what kinds of
controls participants in HIEs should have. The National
Committee on Vital and Health Statistics (NCVHS) has
advised HHS that patients should be able to “sequester”
their information by some means, perhaps based on the
age of the information, or the type, such as mental health
or obstetrical-gynecological records.
NCVHS said, in effect, that patients should have control over what goes into the HIE and who sees it.
Currentcare does not go this far because providers
were opposed to what they thought would be an incomplete record, Adams says.
“We had a series of discussions around this,” Adams
says. “Many people felt like we already have a system
today that is missing data. The community decided it
would be all-in or all-out.”
But she adds that currentcare has the technical capacity to limit information in this way if officials should ever
decide to change the controls. The state took great pains
to ensure that all stakeholders were involved and that
privacy protections were paramount when it put the HIE
together, she adds.
The controls in place reflect “a good compromise,”
Kinney agrees, and Quinlan echoes those thoughts. “We
did research, we did focus groups, we had women’s
groups, mental health groups, the American Civil Liberties Association…. The length of time that it took [to
create currentcare] is a testament to how inclusive the
process was,” Quinlan says.
Phased Enrollment Under Way
RIQI launched its enrollment and outreach effort
two months ago. Adams describes the process thus far
as “testing various strategies.” Efforts involve hospitals,
hospital-based clinics and employers, all of which can
enroll individuals in currentcare.
“We plan to integrate this [enrollment process] into as
many clinical settings as we can,” says Adams. She adds
that focus groups said that “the place they would feel most
comfortable signing up would be in the care setting. Our
first step is to find out what is working and what is not,”
Adams says. For example, the enrollment forms have
been modified because they were initially confusing to
potential participants.
Care will be taken not to approach patients when
they are in stressful situations, such as in an emergency
room, to ensure they understand how the network
works, including the three levels of privacy and access
that they can select.
The first phase of enrollment was to mail letters
and enrollment forms to a portion of the state’s 200,000
Medicaid beneficiaries; 20,000 such letters were mailed
in early fall, with about 800 people signing up. Of those,
80% gave their providers full access, Adams says.
Enrollment is also taking place at one large outpatient clinic associated with a hospital. “A lot of people are
enrolling their children,” Kinney says. The system affords
a good way, for example, to keep up with immunizations
and other ongoing health issues that may be common to
children, he says.
Rhode Island’s experience will give hospital privacy
officers insight into what could be expected of them as
state HIEs grow and what possible concerns they should
be mindful of. Of course, they will not only be involved
in enrollment, but also have to work with information
technology officials at the HIE to ensure privacy and
security safeguards are in place.
How enrollment will work at Rhode Island hospitals
is still under discussion. Trying to enroll people when
they are inpatients or seeking care in an emergency situation “is not fair to them,” Kinney says. “We have been
talking about having enrollment days, where people
would come in for enrollment. We are working with
senior centers” to facilitate groups of people who could
be enrolled at the same time, he says.
The next step for the program is to target Warwick,
the state’s second largest city, says Quinlan. Mailings are
being sent to the local government, hospitals and provider groups. Warwick was chosen because the outreach
effort is “manageable,” Quinlan says. “We are a state of
a million people. We are test-driving. We are learning as
we go.”
So far enrollment is done through a paper form, but
RIQI hopes to have a form posted on its Web site that
could be submitted electronically. Electronic enrollment
could begin in spring 2009, Adams adds.
Contact Adams at [email protected], Kinney at
[email protected] and Quinlan at
[email protected].
PATIENT PRIVACY COURT CASES
This monthly column is written by Rebecca Fayed of the Washington, D.C., office of Sonnenschein, Nath & Rosenthal LLP.
It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing.
It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Fayed at [email protected].
• The Supreme Court of Georgia held that HIPAA
preempts Georgia’s rules on ex parte communications with physicians. Following the death of her
husband, Amanda Moreland brought a malpractice
action against Dr. Michael Austin. Moreland produced her husband’s medical records, including
documents pertaining to his treatment by several
other physicians prior to his treatment by Austin.
Thereafter, Austin’s attorney contacted each of the
physicians and asked them to assess the patient’s
“cardiovascular status and his prognosis.” Moreland objected to these “ex parte” contacts, asserting
that they violated the HIPAA privacy rule. The
Georgia Court of Appeals ruled that HIPAA did not
preclude ex parte communications between defense
counsel and a plaintiff’s prior treating physicians
because “in the context of a judicial proceeding, the
Georgia Civil Practice Act places more stringent
requirements than HIPAA does on requests for
documents from a third party health care provider.”
Based on that, the court of appeals concluded that
OCGA § 9-11-34 (c) was not preempted by HIPAA.
Georgia’s high court disagreed, and reversed the
state appeals court ruling.
The court explained that the proper focus of the
case is on the methods used to discover evidence of
plaintiff’s medical condition, not on the discoverability of that evidence. After reviewing HIPAA,
Georgia law and the case law of other jurisdictions,
the court found that HIPAA preempts Georgia law
with regard to ex parte communications between
defense counsel and plaintiff’s prior treating physicians because HIPAA affords patients more control
over the medical records when it comes to informal
contacts between litigants and physicians. The court
further noted that Georgia law “stands in sharp
contrast” to HIPAA in that Georgia law facilitates
and streamlines the litigation process by allowing
defendants’ lawyers to informally contact physicians and orally communicate with them about the
plaintiff’s medical condition once a patient files suit
and puts his medical condition in issue. According
to the court, HIPAA, on the other hand, prevents
a medical provider from disseminating a patient’s
medical information, whether orally or in writing,
without obtaining a court order or the patient’s
express consent.
It follows, therefore, that HIPAA is more stringent
and thus governs ex parte communications between
defense counsel and health care providers. Importantly, the court notes neither its ruling nor the
privacy rule prohibit informal discovery; rather, it
imposes procedural prerequisites. Thus, “in order
for defense counsel to informally interview plaintiff’s treating physicians, they must first obtain a
valid authorization, or a protective order, or ensure
that the patient has been given notice and an opportunity to object to the ex parte contact, all in compliance with the requirements of HIPAA as set forth in
45 C.F.R. § 164.512 (e).” (Moreland v. Austin)
PRIVACY BRIEFS
• The Children’s Hospital (TCH) in Denver has asked
one of its contractors to notify about 1,600 families
that one of the contractor’s employees fraudulently
used one family’s credit card number, says Andrew
Labbo, TCH’s privacy and data security officer. No
TCH employees were involved, he says. The contractor
terminated the employee after it completed a thorough
investigation, Labbo tells RPP. The company, which
handles collection of unpaid bills for TCH, now is notifying the families about the risk of identity theft. Contact Labbo through Elizabeth Whitehead at whitehead.
[email protected].
• Lawanda Jackson pleaded guilty Dec. 1 to selling information from celebrities’ medical records in
violation of HIPAA, The Associated Press reports. Jackson
was an administrative specialist at the UCLA Medical
Center. She was indicted in April by the U.S. Attorney’s
Office for the Central District of California for allegedly
accessing the PHI of celebrity patients and then disclosing it to the media for commercial advantage (RPP 6/08,
p. 1). She faces 10 years in prison and a $250,000 fine.
Her sentencing was scheduled for May, the AP says.
Read more at www.usdoj.gov/usao/cac.
• The Health Texas Provider Network, a subsidiary of
Baylor Health Care System, notified about 100,000
patients that a laptop computer containing some of
their personal information was stolen, the organization said Nov. 4. The laptop was used for administrative purposes and did not contain comprehensive
patient records, the provider says. About 7,400 patients
were notified that their Social Security numbers (SSNs)
and “a limited amount of health information” such as
a treatment code were on the computer. Other patients
were told that it contained some health information, but
no SSNs, Baylor says. Coincidentally, Baylor was in the
process of upgrading its data security, which will allow
the health system to track missing laptops and remotely
erase data if necessary, it explains. The computer was
stolen from an employee’s car. The employee was fired
for breaking protocol by leaving the laptop in her car,
though it was part of her job to visit Baylor locations
and collect patient data on the computer, reports the
Dallas Morning News. A Baylor spokesperson could not
be reached for further comment. Visit www.bhcsnews.com/securityassistance.
• The University of Florida’s (UF’s) College of Dentistry discovered during an upgrade that one of its
servers may have been inappropriately accessed,
endangering more than 300,000 patients’ information, the school said in October. The data included
names, addresses, birth dates, SSNs and some dental
procedure information for patients dating back to 1990.
There was no credit card information in the database, or
any evidence that the data were viewed or downloaded, a UF statement says. Visit www.dental.ufl.edu.
• Requiring patient consent to use electronic medical records in biomedical research would further
burden researchers and bias their work, says an
online commentary from the journal Nature by Harvard
Medical School lecturer Patrick Taylor. Legislators and
patient advocates support patient consent for any uses
of electronic medical records, especially with a national
health information network in the works. “Although
well intentioned, such arguments spell trouble,” the
article says. “Linked data are crucial for research and
improving health-care quality. People might fear that
information will be revealed or misused, but the impulse to block all access in the absence of consent is
mistaken.” Taylor points out that people can give their
consent for an organization to use their information,
but breaches happen to major retailers and government
agencies all the time. Read more at www.nature.com.
• The American Health Information Management
Assn. is calling for more education for health care
professionals and their employers regarding confidentiality and security of health records in response
to recent high-profile breaches, a Nov. 6 prepared
statement from AHIMA says. The AHIMA House of
Delegates voted to (1) ask health care organizations to
educate employees about the need for improved and
consistent patient privacy and security, (2) bring health
information management professionals to the forefront
of educating about auditing and monitoring access to
health information, and (3) endorse consistent health
care policies and standards when a breach occurs. Visit
www.ahima.org.
• An article in the November/December issue of the
Journal of AHIMA suggests eight tasks that CEs can
use in their release of information (ROI) processes in
the absence of uniform state privacy laws. To streamline the ROI process, AHIMA says, CEs should develop
a comprehensive procedure that is documented, current and easily accessible; give staff access to appropriate state and federal laws; review employees to ensure
that standards are being met; and record performance
statistics, among other things. Visit www.ahima.org.