The indictment charged him with “knowingly and in violation of this part . . . obtaining individually identifiable health information relating to an individual.” 42 U.S.C. § 1320d-6(a)(2).

Zhou, who had entered a conditional plea of guilty, which preserved his right to appeal on this issue, contended that “knowingly” meant that he had to have known that obtaining the information was illegal.

In USA v. Huping Zhou, No. 10-50231, the United States Court of Appeals for the Ninth Circuit rejected his interpretation of the statute, holding that one only had to knowingly obtain the information (apparently as opposed to unintentionally or accidentally obtaining it) and affirmed his conviction. Stated perhaps more clearly, ignorance of the law is no excuse.

And don’t forget that UCLA was fined $865,000 for having insufficient security, which led to this breach.

The moral of this story is to know your HIPAA statute, the Department of Health and Human Services (“DHHS”) privacy and security regulations implementing HIPAA, and the changes to HIPAA brought about by the HITECH Act, particularly regarding criminal penalties. If you don’t know the penalties or the law or where you stand in terms of liability, please do yourself (yes, and me) a favor and buy my HIPAA books, CD, and training video and workbook available elsewhere on this website. As a matter of fact, just buy the entire Health Information Compliance Library, which also includes a year’s subscription to the Premium Member section of the website so that you can stay up to date on the latest developments in HIPAA law. It’s now not just about getting meaningful use compliant to get the incentives. It’s about, among other things, avoiding that free all-expenses-paid trip to Leavenworth.

By the way, I am currently writing a new short story, the sequel to Womble, titled “Womble and the Honey Trap.” Will our less-than James Bond type agent survive the gorgeous Iranian agent’s honey trap to obtain secret information about the timing of Israel’s attack to take out Iran’s nuclear facilities? Stay tuned.

The conference will explore the current health information technology security landscape and the HIPAA Security Rule, highlight the present state of health information security, and provide practical strategies, tips, and techniques for implementing the HIPAA Security Rule. I will be attending the conference for several reasons.

First, Day 1 will include “Beyond HIPAA: The FTC Privacy Report.” The Federal Trade Commission (“FTC”) has been looking into issues associated with privacy, and Jon Tomes and I are of the opinion that some HIPAA violations could also be FTC violations. On March 26, 2012, the FTC issued a final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. I am very interested to hear what DHHS thinks of the report and its effect on health care professionals.

Second, also on Day 1, OCR will provide information about the recently launched audit program that I mentioned in my blog item posted January 22, 2012. OCR will also give its views regarding the security of mobile devices. Further, American Health Information Management Association (“AHIMA”)’s Dan Rode, friend and former Healthcare Financial Management Association (“HFMA”) colleague of our Veterans Press editor Alice McCart, will be presenting on “Integrity Protections.”

Third, on Day 2, the Director of OCR, Leon Rodriguez, starts off the day with what looks to be a very interesting and exciting list of regulatory topics, according to the agenda.

You still have time to register for the conference.

One further reason that I am looking forward to attending the conference is that I hope to make time at the end of each day to work on the short story that Jon Tomes has insisted that I write. In “Dog Dvorak,” I will fictionalize how I actually found and rescued a client’s adult son from the crack cocaine ghettos of Columbus, GA. Watch for the short story and more blog posts from me as the conference gets under way.

I am currently working on “Anita, the Art Bounty Hunter (working title),” a novel about an art dealer who is hired by the Federal Bureau of Investigation to help with sting operations against fraudulent art dealers. Our heroine, Anita, and the FBI agent, Paul, are posing as husband and wife on a cruise ship where a dealer auctions overpriced and sometimes fraudulent art to passengers. It’s great fun to write! If any of you have horror stories or even pleasant anecdotes about having been on a cruise that sells art, please let me know.

My first vampire romance, “A Unit of Blood,” is finished if I could ever get my editor to edit it. And I am halfway through with writing the sequel. I also have another short story finished and awaiting editing. My editor has this strange theory that she should first edit my nonfiction HIPAA books, which actually make a decent amount of money! The book that she is currently editing for me is “Mental and Behavioral Health and HIPAA: An Uneasy Alliance.”

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, Director of OCR, according to the press release. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

According to the press release, OCR’s investigation also revealed the following issues:

• PCS failed to implement adequate policies and procedures to appropriately safeguard patient information.
• PCS failed to train and document that it had trained any employees on its policies and procedures on the Privacy and Security Rules.
• PCS failed to identify a security official and conduct a risk analysis.
• PCS failed to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its EPHI.

Moral of the story: Get HIPAA compliant now. You will have to comply with HIPAA and the HITECH Act anyway, so why not bite the bullet and do it now? You can help yourself avoid a hefty settlement that would surely include big bucks and a corrective action plan. And you will be taking good care of your patients/clients. And you will sleep better. If you need help, first, you can buy my Health Information Compliance Library, and second, you can hire my consulting company, EMR Legal, Inc., to help you become compliant.

Second, I posted a new policy on the Premium Member section of the website, and it’s an important one. Because Blue Cross Blue Shield of Tennessee was recently fined $1.5 million for theft of computer equipment containing protected health information (“PHI”) largely because they had failed to update their risk analysis when they changed storage locations for the equipment as discussed in my post on March 16, 2012, I wrote a Risk Analysis Policy. I have been ranting about the importance of risk analysis for more than a decade, but for some reason had never written a policy requiring risk analysis. But now I have. Consider whether your covered entity or business associate should adopt it.

Third, two more chapters of HIPAA Hysteria are posted on the Premium Member section. Note that Chapter 11 fictionalizes an actual meeting of the HIPAA Risk Analysis Team of the hospital where the novel is set. Although I would love for you to get so anxious to get the rest of the story that you buy the book so that you don’t have to wait for forthcoming chapters, we do want to make the Premium Membership valuable, and if you are patient, you can eventually get all of the novel for free! Maybe by the time all 48 chapters have been posted (at the rate of 2 new chapters a month), I will have finished the sequel, “HITECH Hysteria,” about acquiring an electronic medical record and an OIG complaint investigation.

Veterans Press now has six short stories available on Kindle under the Kindle Direct Publishing program. Besides Kevin Goes to Jump School, the others are, in chronological order of publication: The 51^st Way to Leave Your Lover, Pat Summit, I’m Not—the Memoir of a Reluctant Girls’ Basketball Coach, Using Military Tactics to Survive Continuing Education, and Womble, all by me, and the short story by our new author, William K. Millar Jr., Christmas 1969. Whatever else one may say about them, they are an eclectic mix, but everyone who has commented on them has found them humorous or, in the case of Christmas 1969, quite touching. When my workout buddy, a friend of mine named Kevin, read Kevin Goes to Jump School, he emailed me, “I roared and I roared!!!!!!!!!!!!!!”

But although the HITECH Act expanded HIPAA criminal liability to include “employees and other individuals,” improper disposal would not appear to be a criminal violation. And strong doubt exists that the former doctor, who lost his license a few years ago, is or was even a covered entity. He stated that he was a cash-only business, which seems likely for an abortionist. Some of the records did have insurance numbers on them, but unless he transmitted such data in connection with a standard transaction in electronic format, he was not a covered entity before he lost his license, and even if he was such then, it would seem that he would no longer be a covered entity now that he is not practicing medicine. Thus, gross as it was, it was not a HIPAA violation.

Another commentator opined that he could not be disciplined under HIPAA because HIPAA does not proscribe any standards for the proper destruction of paper records. Although it does not do so in terms, the Privacy Rule’s requirement for “appropriate safeguards” to protect PHI from misuse would certainly require paper records to be shredded, incinerated, or the like. The lack of specific standards did not prevent the $2.25 million dollar fine against CVS pharmacy for improper disposal of pharmacy vials and prescriptions.

Any thoughts? And thanks to the woman who found them unsecured and took appropriate action. The records are now safeguarded.

Read more in this article from the Kansas City Star.

Apparently, someone stole a laptop from a former contractor that contained PHI of 34,503 patients. The PHI included names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information, and discharge dates. The laptop was not encrypted, but was password protected. The contractor had downloaded the data to his personal laptop in violation of hospital policy.

One would hope that the hospital had a business associate contract in place that would require the former contractor to continue to protect the PHI in the event that a need existed to maintain it. Otherwise, the contractor should have destroyed the data or returned it to the hospital.

The hospital sent breach notification letters to the patients as required by the HITECH Act and offered one year of paid credit monitoring and identity theft alert services to patients with SSNs on the laptop. It also reported the breach to OCR.

The hospital reported that it has now required encryption of all laptops.

Because DHHS fined Blue Cross Blue Shield of Tennessee $1.5 million for its breach as discussed in my March 16, 2012, post, one has to wonder whether Howard University may face a similar sanction. Whether the breach consists of willful neglect that OCR must investigate depends, it seems, on whether the hospital had a proper HITECH Act business associate contract in place or, if not (a covered entity may treat an independent contractor that works on site as a member of the workforce), had reasonable and appropriate security measures in place, including proper training of the independent contractor. One wonders whether or not the hospital had a written termination (of access) procedure and followed it. We will likely learn more about this breach as time goes on, but even this much information dramatizes the importance of recognizing that covered entities’ business associates can get the hospital into trouble.

After I had stumbled across his books on Amazon and had written and posted reviews of them, we started an email correspondence, and he invited me to Evansville. Fortunately, my most recent HIPAA seminar swing was Charleston, West Virginia, Lexington and Louisville, Kentucky, and Evansville. He had also asked me to write a back cover blurb for Return to Valhalla, which I viewed as an honor. Steven King, Lee Child, and the like may do that sort of thing often, but it was my first time. Mike had sent me the first two-thirds of the final novel in the trilogy, so I have been eagerly awaiting its completion, now scheduled for this summer.

Mike had to stop at Evansville’s best pizza joint, where Evansville University was having a party. I never did figure out what the party was about, but the people couldn’t have been nicer, and I could see why the place was known for its pizza. Then, off we went to the RiRa Irish Pub for some great beer, fish and chips, and fascinating conversation. We talked about his forthcoming novels and my recent works. He’s going to read one of my short stories and my completed, but not yet edited, vampire romance, A Unit of Blood.

A retired high school English teacher and football coach, Mike now, besides writing, arranges tours of Europe using the knowledge that he gained from researching the Ericka books to make the tours truly memorable. When we talked about writing, he surprised me by saying that he didn’t enjoy the writing nearly as much as the research. But he certainly does both equally well.

In short, it was a memorable evening. We have similar tastes in food, beer, and life in general, and I’m hoping to get him out to Kansas City to have some of my barbeque in the near future. I highly recommend that you read the first two books in the Ericka series so that you will be ready for the third one when it comes out. They, along with Proper Suda, are available on Amazon and also as ebooks.