2013: Issue 1 - Focus on HIPAA/Privacy
First OCR Settlement Involving a "Small" Breach Focuses on Mobile Device Security
By: James B. Wieland and Joshua J. Freemire*
In what is best understood as a follow-up to both the recent settlement with MEEI and the release of its mobile device security guidance, HHS OCR recently released details of a settlement reached with the Hospice of Northern Idaho (HONI) that again focuses on the entity’s failure to properly secure mobile technology containing protected health information (PHI). HONI will pay a $50,000 fine and has entered into a two-year Corrective Action Plan (CAP) that notably does not include provisions for independent monitoring of HONI’s compliance activities.
Guidance on De-Identified Protected Health Information Offers In-depth Instruction on Technical Issues
By: James B. Wieland and *Joshua Freemire
The HITECH Act required the Secretary of Health and Human Services to publish a number of “Guidance” documents to inform the health care industry and its advisors about practical aspects of HIPAA compliance and HITECH implementation. At the end of November 2012, the Secretary published one such document, Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act Privacy Rule. The Guidance does not break any new ground, but it does provide practical instruction on how to take advantage of de-identification to make the essence of large databases of protected health information available for secondary use. These information caches are increasingly valued for public or other population-based analytics purposes such as epidemiology and private purposes such as business planning and, in some instances, marketing or fund-raising.