Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy+Security Incidents

By Daniel Solove, LinkedIn, Wednesday, September 02, 2015

For so many healthcare providers, HIPAA is a source of great aggravation. It's difficult. It's boring. It seems to consist of a lot of inconvenient and costly requirements. I believe that these attitudes about HIPAA are due to a failure to educate healthcare professionals about the reasons why HIPAA matters. HIPAA is not about doing all sorts of needless things for their own sake. It is about protecting patients.

Using Student Medical Records: Department of Education Issues New Guidance

Paul Lannon, Holland & Knight, Wednesday, September 02, 2015

When is it legal and proper for higher education institutions to use student medical records other than for a student's healthcare? In answering that question, institutions have to balance students' privacy interests, including federal rights under the Family Educational Rights and Privacy Act (FERPA), against legitimate institutional needs. Finding the right balance is not always easy, as highlighted by recent well-publicized cases. Too much access may facilitate misuse or discourage students from seeking campus-based medical services, while too little access may deprive an institution of information important to satisfying a legal obligation or responding effectively to a health or safety emergency.

How to secure a private cloud for health care data

Mahesh Kalva and Andrew Underhill, GCN, Wednesday, August 05, 2015

Health care IT departments are building private cloud networks and functioning as brokers, offering a private option, but also allowing business managers to choose a range of commodity and hybrid models through the providers with which the internal IT groups already work. When initiating use of a private cloud in health care, a few key steps vital to success include performing ample research, developing a solid risk management policy and ensuring that the ends justify the means from a business perspective.

Factor Compliance into Wearable Tech Plans

Julie Anderson, AG Strategy Group, Monday, June 15, 2015

More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers’ comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers’ private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA).

Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carries embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue, and countless other metrics … all of it connected wirelessly to mobile devices and computers.

But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can’t come back to haunt them later?

Julie Anderson, a principal at AG Strategy Group in Washington, D.C., said this is a murky area, as policy always lags behind the development and use of technology. HIPAA was passed in 1996, and nine years later in 2005 HIPAA released its first privacy rule as it related to health care data. In 2013 those rules were updated. “It’s a complex set of issues, and it can take that long for policymakers to react to what’s happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect,” Anderson said.

Are wearables violating HIPAA?

Julie Anderson, AG Strategy Group, Thursday, May 14, 2015

With the development of wearable technologies such as the Nike Fuel Band, Fitbit, and Apple Watch, consumers suddenly have more options to monitor their fitness performance than ever before. And the way these devices capture data poses serious privacy and security issues for individually identifiable health information that must be addressed.

Commentary: Healthcare must embrace new ISO cloud privacy standard

Julie Anderson, AG Strategy Group, Monday, April 27, 2015

A new international privacy standard for cloud providers — ISO 27018 — brings an effective means to better protect health data. The privacy standard mirrors some of HIPAA’s tenets while providing an all-important third-party audit mechanism.

A booster shot for cloud privacy standards?

Julie Anderson, AG Strategy Group, Wednesday, April 22, 2015

A 2013 update to HIPAA’s privacy standards put greater restrictions on profit-making uses of PHI but did not go far enough. With the update, cloud providers have the option of adopting stronger voluntary privacy standards. Released in August 2014, the ISO/IEC code of practice (known formally as 27018) outlines standards for how providers of public cloud services should handle personally identifiable information. Though there is some overlap with HIPAA, the ISO/IEC code of practice draws several important distinctions:

HIPAA Regulations v. FERPA Rules In Privacy Rights

Elizabeth Snell, Health Security, Wednesday, March 11, 2015

HIPAA regulations were created to ensure that patients’ PHI remained secure, and that individuals would not have to worry about their personal information falling into the wrong hands. Similarly, the Family Educational Rights and Privacy Act (FERPA) is a federal law protecting the privacy of student education records. However, recent events have pushed the two laws to the forefront, as individuals’ privacy rights are being called into question. A University of Oregon (UO) student was reportedly going to file a sexual assault-related lawsuit against the school. However, UO allegedly accessed the student’s therapy records from its counseling center and handed them over to its general counsel’s office. The student’s medical records were then used to help defend against her lawsuit.

Healthcare Organizations Have Embraced the Cloud...Now What?

Bob Bogle, Health Data Management, Friday, January 30, 2015

Despite the initial hesitation, new data suggests that healthcare organizations have moved beyond these once widely-held concerns. One telling finding, via Imprivata’s “2014 Desktop Virtualization Trends in Healthcare” report, is that 40% of healthcare organizations surveyed report now storing protected health information in the cloud. While this is far from the majority, PHI is often considered the most sensitive segment of healthcare data, and that figure is certainly up from years past, indicating that a significant shift has taken place, with decision makers now placing more trust in cloud infrastructure. Following that shift, what continues to evolve are the benefits that healthcare organizations have realized through the adoption of cloud-based health IT services. With trust on the rise, use cases and benefits of cloud in healthcare continue to surface.

Google, Twitter, Yahoo nab HealthCare.gov data

Julian Hattem, The Hill, Friday, January 30, 2015

Companies including Google, Twitter, Yahoo and Advertising.com automatically obtain information from people visiting HealthCare.gov, according to analysis by congressional staffers. The finding builds on news last week that dozens of data-tracking companies were able to obtain information about people visiting the federal healthcare website, potentially including information about their age, location and pregnancy status.