Link: Health Data Management Article: Medicaid Payer Gives Breach Notification
Thanks to HISTalk for this post.
"CalOptima reports that its claims imaging vendor, ImageNet, accidentally sent out unencrypted DVDs that contained claims from 68,000 of its members. The DVDs were sent to CalOptima via certified mail, but never reached CalOptima. CalOptima actually posted this information and identified ImageNet on its home page."
CalOptima calls it the "potential loss of past medical claims information for approximately 68,000 of its members that was stored on electronic media devices." CalOptima reported that the information potentially breached included: member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers, including some Social Security numbers. CalOptima provided a toll-free number for its members to call.
It will be interesting to see how this situation develops.
Regardless of how you analyze it, a breach of this magnitude requires implementation of the Breach Notification Rules that went into effect in September 2009. The HITECH Act, Section 13402 rules call for:
- Notification to individuals whose PHI was breached.
- Notification to media outlets serving the state or jurisdiction, if unsecured PHI of more than 500 individuals is believed to have been disclosed.
- Posting on the HHS public website.
Notification must include:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
If you need tools that will help with your compliance initiatives then check out the HSG Store.
Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January 2010 that may also be of interest. These webinars will be run as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.