
143 posts categorized "Privacy"

April 15, 2014

HIPAA Privacy and Security Compliance: Should You Care?

The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

Continue reading "HIPAA Privacy and Security Compliance: Should You Care?" »

April 07, 2014

FDASIA Health IT Report Issued; Comments Welcomed on Three-Agency Approach

The FDA, the FCC and ONC issued a long-awaited joint report with a proposed strategy and recommendations for a risk-based framework for regulation of Health IT.

The report identifies four key priority areas and outlines next steps to take in each area:

I. Promote the Use of Quality Management;
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement.

This report should be read together with the FDA framework for regulation of mobile medical applications, which was supposedly up in the air pending release of this report. It now seems that the two are directed at related, but different, parts of the ecosystem. Both are part of a bigger story, including pending legislation.

Continue reading "FDASIA Health IT Report Issued; Comments Welcomed on Three-Agency Approach" »

March 27, 2014

Unlocking the Power of Health Data

A Perspectives piece I wrote was published this week by iHealthBeat - Unlocking the Power of Health Data. In it I argue for patient-controlled sharing of rich data, as opposed to HIPAA-regulated stripping of identifiers in order to eliminate the risk to patient privacy as data is shared for research and other purposes. Googler Larry Page and Josh Stevens of Keas have argued recently in favor of broader uses of health data, but the issue of HIPAA keeps coming up in those conversations. Most connected patients seem comfortable with the idea of sharing health data, and as more of us get connected, this sentiment is only likely to spread.

As I wrote at iHealthBeat:

I have discussed the patient donation of data before, and the first objection I heard was from a data scientist who worried that the volume of patient records collected in this manner would be too small to yield any meaningful insights. While this may be true at first, I believe that over time patients will come to prefer to set their own limits on data sharing rather than be stuck with the one-size-fits-none approach available under HIPAA. In addition, the data made available through these repositories will be more valuable than that available as de-identified data for research precisely because there are more identifiers attached.

Are we ready for a new paradigm in data sharing and big data analysis?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

photo: flickr cc Tripp

March 12, 2014

Where are they now? Accretive Health

Regular readers of HealthBlawg will recognize the name Accretive Health from a February 2012 post, First lawsuit filed against a Business Associate under HIPAA / HITECH.

Well, the company has gone through a number of personnel changes at the top, plans to make some deep staffing cuts, and is working on restating its financials to account for earlier irregularities. The latest restated financials aren't ready to be filed -- they haven't been fully audited yet -- and as a result the company's stock is about to be delisted (but it may still be traded on the OTC market).

Continue reading "Where are they now? Accretive Health" »

January 29, 2014

HIPAA Enforcement: Who's in Charge?

The recent FTC decision in the LabMD case (pdf) (full docket here) has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security. The FTC has confirmed that it considers itself to have overlapping jurisdiction to enforce HIPAA under its general enabling legislation. 

Here's my take: For a covered entity or business associate that has all its ducks in a row – HIPAA Privacy, Security and (for Covered Entities) Breach Notification policies and procedures, a completed risk analysis, training and testing of workforce documented – FTC regulation should not be problematic. I think that the FTC would be hard-pressed to find an entity that is in compliance with HHS HIPAA rules and relevant state law to be in violation of the FTC Act’s prohibition of “unfair … acts or practices.”

Continue reading "HIPAA Enforcement: Who's in Charge?" »

January 03, 2014

Health IT Wisdom at the End of 2013 and Start of 2014

I am quoted in a couple of year-end / new year pieces on health IT, appearing this week in iHealthBeat and FierceHealthIT.

With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.

Kate Ackerman, Editor-in-Chief at iHealthBeat asked 13 experts three questions.

Here are the questions and my answers; follow the link above to read 12 other perspectives.

Continue reading "Health IT Wisdom at the End of 2013 and Start of 2014" »

December 22, 2013

HIPAA Compliance and The Harlow Group LLC

For years, I have been helping covered entities, business associates and downstream contractors understand HIPAA and other federal and state health care data privacy and security laws and regulations, and develop and maintain policies and procedures that will help them comply with the law. These businesses range from startups with consumer-facing or health care provider-facing apps and web-based services, to big data analytics shops, to health care providers of all sorts. Now that OCR -- the federal HIPAA policeman -- is enforcing the HIPAA / HITECH omnibus rule through random audits, complaint investigations and sanctions, it is more important than ever for covered entities, business associates and downstream contractors to maintain a robust HIPAA compliance program. HIPAA enforcement efforts will likely be stepped up in 2014 (see the November 2013 OIG report on OCR's enforcement efforts, and OCR's response including its plans for the future).

The Harlow Group is pleased to announce the first of a number of HIPAA-related partnerships with ... The HIPAA Survival Guide. (Keep reading for discount information.)

Continue reading "HIPAA Compliance and The Harlow Group LLC" »

December 12, 2013

Social Media Policies and "Spying" by Physicians

I recently spoke with Theresa Defino, editor of AIS Health's Report on Patient Privacy about the limits of social media "research" by or on behalf of health care providers. The impetus for this piece was a post written by Art Caplan about a patient being taken off the liver transplant list when social media posts including photos of the patient drinking alcohol came to the attention of the transplant team. (The patient was later put back on the list.)

Is this sort of "Big Brother" approach OK, or was it taken too far? (Follow the link to a discussion of the British case I mention in the article.)

Medical ethicist Art Caplan, my brother at the (HIPAA) bar Adam Greene and I were quoted in the AIS Health article. Greene noted that HIPAA does not cover the posting of information by or about a patient on a social network and its review by a provider. Caplan and I agreed that what's public is public, and what's private is private.

Continue reading "Social Media Policies and "Spying" by Physicians" »

December 11, 2013

Digital Health: Apps, Analytics & Agencies

I spoke yesterday at the Massachusetts Bar Association's "Hot Topics in Healthcare" program. (Webcast live, and available behind a paywall at the link.)

Here are my slides:

Continue reading "Digital Health: Apps, Analytics & Agencies" »

November 10, 2013

David Harlow In the Press

Here are a few recent press mentions which may be of interest:

1. Solving Healthcare's Big Data Analytics Security Conundrum covered the presentation I gave at Strata Rx on the idea of patient-controlled donation of data for purposes of data analysis. Putting control in the hands of patients avoids some potential HIPAA issues and may make for richer data sets.

2. Voice of the Patient

Healthcare IT News ran a cover story in its November issue on the use of Open Notes at Beth Israel Deaconess Medical Center. See further discussion of the piece and links to more information on Open Notes at I was interviewed on the issue of patients' rights to access their own medical records.

Continue reading "David Harlow In the Press" »