Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

The Wackiest HIPAA Data Breaches of 2013

Written by:

The following is a guest post by David Vogel, blogger for Layered Tech.
David Vogel
2013 was a historic year for HIPAA violations, with more than 5.7 million patients affected and the second-largest breach ever reported in the U.S. Department of Health & Human Services online database.

The year also featured some of the strangest violations ever seen, including some incredible security whiffs, business associate failures, and criminal shenanigans. Let’s dive into the top five “funny if they weren’t true” data breaches of the past year:

News Crew Goes Dumpster Diving for Patient Records
When an Indianapolis parishioner stumbled across medical records in recycling dumpster on church property, an investigative reporter from the local NBC affiliate jumped in, literally. What the reporter found were thousands of patient records containing medical history, Social Security numbers, credit card info and other data.

Upon investigation, the dumped records were tied back to the Comfort Dental offices in Marion and Kokomo Indiana, which closed after the dentist who ran the offices lost his medical license due to fraudulent billing.

You can’t make this sort of thing up.

To add further intrigue, before calling in the Feds, the news crew loaded up the boxes of records and stored them at the studio. According to the reporter, their past experiences with finding private health information taught them the “way to best protect this info and to get action is to do exactly what we did.”

The files have since been handed over to officials, who have determined that 5,388 people were affected.

Indiana news reporter Bob Segall investigates patient records dumped in church recycling bin. Courtesy: WTHR-TV

Indiana news reporter Bob Segall investigates patient records dumped in church recycling bin. Courtesy: WTHR-TV

Miniaturized Medical Data Float Around Fort Worth
In May of 2013, Fort Worth residents found sheets of microfiche from the ’80s and ’90s in a park and other public areas in Fort Worth. The sheets, which contained miniaturized medical records from Texas Health Fort Worth, had been destined for destruction, but apparently lost by the business associate (BA) contracted to shred them.

The bad news for the 277,014 patients potentially affected? The microfiche sheets likely contained Social Security numbers among the medical records. The slight glimmer of hope? Microfiche format and readers have become very rare, lessening the chance of the records being recognized and misused.

Example microfiche sheet via Wikimedia

Example microfiche sheet via Wikimedia


X-Rays Worth Their Weight in Silver
When Raleigh Orthopaedic Clinic hired a contractor to transfer x-ray films to digital images, they ended up on the wrong side of a nefarious scam. In March, the clinic discovered that their contractor instead sold the films to a recycling company to be scrapped for their silver, leaving the clinic with no digital version of the x-rays, no validation of their destruction, and the 6th-largest HIPAA breach of 2013 (17,300 patients affected).

No Privacy for Kim Kardashian and Baby North West
When celebrities Kim Kardashian and Kanye West checked into L.A.’s Cedars-Sinai Medical Center for the birth of their child, it wasn’t just paparazzi looking for the inside scoop. Six staffers were fired from the hospital in the days following the birth of baby North West for having “inappropriately accessed” patient data. The resulting investigation found that five of the suspects snooped on the patient records using the log-ins of the physicians for whom they worked, which also violated hospital policy. The other suspect had access to the patient database for billing purposes.

Image via Wikimedia

Image via Wikimedia

Felon Gets Hospital Job, Steals Records for Tax Scam
A failed attempt to cash a fraudulent check led to the discovery of one of the most disturbing HIPAA breaches of 2013. The story starts when Oliver Gayle, a Miami man with past felony convictions for racketeering and grand theft, got a temp job at the Mount Sinai Medical Center in Miami Beach using an inaccurate background check. Gayle then began accessing and printing hundreds of patient records and transactional information from the Hospital’s account database. The stolen records went unnoticed until a bank notified police about an attempt to cash a bad check, and gave a description of the car Gayle was driving.

What happened next was like a story out of America’s Dumbest Criminals.

When Gayle was pulled over, Police found that he had more than 15 suspensions to his driver’s license, and prepped to have the car towed. However, Gayle first requested that officers bring along an open bag from the car. Inside the bag, officers found a treasure trove of patient and financial information, including more than a hundred Mount Sinai records, copies of U.S. Treasury checks, Social Security numbers, fraudulent tax returns and a counterfeit U.S. Visa.

Gayle has since been convicted for his identity theft tax refund scheme, and faces prison time for several decades’ worth of fraud and identity theft charges. In the meantime, Mount Sinai may face penalties for the HIPAA violations, which affected 628 people.

About the Author: David Vogel is a blogger for Layered Tech, a leading provider of HIPAA-compliant hosting and private cloud. Connect with David on Twitter (@DavidVogelDotCo) and Google+ (+David Vogel).

January 16, 2014 I Written By

Is Your EMR Compromising Patient Privacy?

Written by:

Two prominent physicians this week pointed out a basic but, in the era of information as a commodity, sometimes overlooked truth about EMRs: They increase the number of people with access to your medical data thousands of times over.

Dr. Mary Jane Minkin said in a Wall Street Journal video panel on EMR and privacy that she dropped out of the Yale Medical Group and Medicare because she didn’t want her patients’ information to be part of an EMR.

She gave an example of why: Minkin, a gynecologist, once treated a patient for decreased libido. When the patient later visited a dermatologist in the Yale system, that sensitive bit of history appeared on a summary printout.

“She was outraged,” she told Journal reporter Melinda Beck. “She felt horrible that this dermatologist would know about her problem. She called us enraged for 10 or 15 minutes.”

Dr. Deborah Peel, an Austin psychiatrist and founder of the nonprofit group Patient Privacy Rights, said she’s concerned about the number of employees, vendors and others who can see patient records. Peel is a well-known privacy advocate but has been accused by some health IT leaders of scaremongering.

“What patients should be worried about is that they don’t have any control over the information,” she said. “It’s very different from the paper age where you knew where your records were. They were finite records and one person could look at them at a time.”

She added: “The kind of change in the number of people who can see and use your records is almost uncountable.”

Peel said the lack of privacy causes people to delay or avoid treatment for conditions such as cancer, depression and sexually transmitted infections.

But Dr. James Salwitz, a medical oncologist in New Jersey, said on the panel that the benefits of EMR, including greater coordination of care and reduced likelihood of medical errors, outweigh any risks.

The privacy debate doesn’t have clear answers. Paper records are, of course, not immune to being lost, stolen or mishandled.

In the case of Minkin’s patient, protests aside, it’s reasonable for each physician involved in her care to have access to the complete record. While she might not think certain parts of her history are relevant to particular doctors, spotting non-obvious connections is an astute clinician’s job. At any rate, even without an EMR, the same information might just as easily have landed with the dermatologist via fax.

That said, privacy advocates have legitimate concerns. Since it’s doubtful that healthcare will go back to paper, the best approach is to improve EMR technology and the procedures that go with it.

Plenty of work is underway.

For example, at the University of Texas at Arlington, researchers are leading a National Science Foundation project to keep healthcare data secure while ensuring that the anonymous records can be used for secondary analysis. They hope to produce groundbreaking algorithms and tools for identifying privacy leaks.

“It’s a fine line we’re walking,” Heng Huang, an associate professor at UT’s Arlington Computer Science & Engineering Department, said in a press release this month “We’re trying to preserve and protect sensitive data, but at the same time we’re trying to allow pertinent information to be read.”

When it comes to balancing technology with patient privacy, healthcare professionals will be walking a fine line for some time to come.

November 20, 2013 I Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

Atlanta Hospital Sues Exec Over Allegedly Stolen Health Data

Written by:

In most cases of hospital data theft, you usually learn that a laptop was stolen or a PC hacked. But in this case, a hospital is claiming that one of its executives stole a wide array of data from the facility, according to the Atlanta Business Chronicle.

In a complaint filed last week in Atlanta federal court, Children’s Healthcare of Atlanta asserts that corporate audit advisor Sharon McCray stole a boatload of proprietary information. The list of compromised data includes PHI of children, DEA numbers, health provider license numbers for over 500 healthcare providers, financial information and more, the newspaper reports.

According to the Children’s complaint, McCray announced her resignation on October 16th, then on the 18th, began e-mailing the information to herself using a personal account. On the 21st, Children’s cut off her access to her corporate e-mail account, and the next day she was fired.

Not surprisingly, Children’s has demanded that McCray return the information, but as of the date of the filing, McCray had neither returned or destroyed the data nor permitted Children’s to inspect her personal computer, the hospital says. Children’s is asking a federal judge to force McCray to give back the information.

According to IT security firm Redspin, nearly 60 percent of the PHI breaches reported to HHS under notification rules involved a business associate, and 67 percent were the result of theft or loss. In other words, theft by an executive with the facility — if that is indeed what happened — is still an unusual occurrence.

But given the high commercial value of the PHI and medical practitioner data, I wouldn’t be surprised if hospital execs were tempted into theft. Hospitals are just going to have to monitor execs as closely they do front-line employees.

November 1, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Scanning Is a Feature of Healthcare IT and Will Be Forever

Written by:

When I first started writing about EMR and EHR, I regularly discussed the idea of a paperless office. What I didn’t realize at the time and what has become incredibly clear to me now is that paper will play a part in every office Forever (which I translate to my lifetime). While paper will still come into an office, that doesn’t mean you can’t have a paperless office when it comes to the storage and retrieval of those files. The simple answer to the paper is the scanner.

A great example of this point was discussed in this post by The Nerdy Nurse called “Network Scanning Makes Electronic Medical Records Work.” She provides an interesting discussion about the various scanning challenges from home health nurses to a network scanner used by multiple nurses in a hospital setting.

The good people at HITECH Answers also wrote about “Scanning and Your EHR Implementation.” Just yesterday I got an email from someone talking about how they should approach their old paper charts. It’s an important discussion that we’re still going to have for a while to come. I’m still intrigued by the Thinning Paper Charts approach to scanning, but if I could afford it I’d absolutely outsource the scanning to an outside company. They do amazing work really fast. They even offer services like clinical data abstraction so you can really enhance the value of your scanned charts.

However, even if you outsource your old paper charts, you’ll still need a heavy duty scanner for ongoing paper that enters your office. For example, I have the Canon DR-C125 sitting next to my desk and it’s a scanner that can handle the scanning load of healthcare. You’ll want a high speed scanner like this one for your scanning. Don’t try to lean on an All-in-One scanner-printer-copier. It seems like an inexpensive alternative, but the quality just isn’t the same and after a few months of heavy scanning you’ll have to buy a new All-in-One after you burn it out. Those are just made for one off scanning as opposed to the scanning you have to do in healthcare.

David Harlow also covers an interesting HIPAA angle when it comes to scanners. In many cases, scanners don’t store any PHI on the scanner. However, in some cases they do and so you’ll want to be aware of this so that the PHI stored on the device is cleaned before you dispose of it.

Certainly many organizations are overwhelmed by meaningful use, ICD-10, HIPAA Omnibus, and changing reimbursement. However, things like buying the right scanner make all the difference when it comes to the long term happiness of your users.

Sponsored by Canon U.S.A., Inc.  Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.

October 11, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

How to Be HIPAA Compliant in the Cloud, in Five Steps

Written by:

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The Health Insurance Portability and Accountability Act (HIPAA) is the legal framework for keeping private health information – private. HIPAA protects personal health information from being exposed, and in particular – in the IT world – HIPAA defines how Electronic Personal Health Information (EPHI) should be protected. It imposes rules and also penalties.

A central goal for cloud-based health systems should be to achieve “Safe Harbor.” This means that your data is so well protected, even if bad things happen, you can reasonably show that EPHI was not exposed. This is HIPAA nirvana.

Some could say that HIPAA compliance is complex. Spoiler: they would be right. However, as Lao Tzu, founder of Chinese Taoism once said: “The journey of a thousand miles begins with one step.” Or, in our case, five steps.

1.     Investigate
Scope out your system, people and procedures
Start by studying your system architecture and your procedures and deciding where sensitive data resides and which procedures are relevant.

Nowadays, it is very popular to use cloud infrastructure for building out systems – rightly so, given the operational advantages. Cloud systems can be made HIPAA compliant. Start by making sure that all cloud accounts, cloud servers, cloud network segments and cloud storage – that will contain or process sensitive EPHI – are on your list.

Make sure you’ve also considered procedures and even people – they need to be part of your scope. Also consider which people should not see cloud-based EPHI – for example cloud provider employees and other cloud service providers you use.

2.     Analyze Risks
Discover where your Electronic Personal Health Information could get compromised
Go over everything on your list, whether a person, organization or a technical entity, and analyze where they get in contact with EPHI and the degree of risk involved. Document these risks carefully – they are the basis of your HIPAA compliance.

At this point, also consider possible mitigations to risks. Encryption and solid management of cloud encryption keys is one of the most important tools in your toolbox – if you encrypt data properly and keep the keys safe, you may enjoy “safe harbor,” and mitigate many of the penalties and risks of HIPAA.

3.     Define Policies
Establish procedures for security and privacy
HIPAA compliance is not just about doing things well, but also all about properly documenting that you have done them well. Going over your scoping list from step 1, you should identify the policies and procedures for each item, person or organization – that would ensure EPHI never leaks. Another set of documents should define your privacy policies.

Again, this is an important place to consider mitigations. As you go over the list and construct your procedures, pay attention to things that could go wrong. In the real world, something always goes wrong. Build in mitigations so that even if bad things happen – you will still enjoy “safe harbor.”

Ask your cloud service providers for a Business Associate Agreement, which ensures that they too have gone through a similar process – and are responsible for the service they provide you and its implications for HIPAA compliance.

4.     Train your people
Educate your employees and make sure your service providers are trained!
This is an obvious point, yet one of the most important ones. Trained staff make all the difference.

And yes, as always in HIPAA, it is not enough to train the staff, but also document the training. Require these proofs also from your service providers.

5.     Prepare for a breach
Be ready in case disaster strikes
Bad stuff happens. How will you deal with it? You need to plan this ahead of time, and – as always – also document your planning.

Our entire approach is based on achieving “safe harbor” – when you go through your “bad stuff” checklist, think carefully how each point can be mitigated. Often solid encryption will help, and one of the first things you want to check in the event of a breach – was the data encrypted and the keys kept safe? Make this part of your procedures.

HIPAA compliance in the cloud is within reach
By taking the right approach, thinking carefully through safe harbor possibilities, and covering the entire scope of your project – you can achieve proper HIPAA compliance and protect patient privacy. This is also a major competitive advantage for your business.

About the Author
Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

September 10, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

The HIPAA Final Rule and Staying Compliant in the Cloud

Written by:

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The HIPAA Omnibus Final Rule went into effect on March 26, 2013.  In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” who may be allowed an extension until September 23, 2014.

As healthcare and patient data move to the cloud, HIPAA compliance issues follow.  With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often.  Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves.  Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch?  The short answer is no.  There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “Business Associates” are HIPAA compliant

-          Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”

-          Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.”  This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.

-          Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.

-          As a business associate they must meet the compliance rules for all privacy and security requirements.

What can you do?

Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.

What happens if you are in violation?

The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – 50,000 per violation.  That gets capped at $1.5 million for multiple violations.  The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

- Health care providers, business associates, and subcontractors must have a backup contingency plan.

- Requirements state that it has to include a:

Backup plan for data, disaster recovery plan, and an emergency mode operations plan

- The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key

- The end user/partner is required to encrypt the source data to meet HIPAA compliance

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

-          Physical safeguards need to be implemented to secure the facility, like access controls for the facility

-          Develop procedures to address and respond to security breaches

-          There are an additional 18 technical security standards and 36 implementation specifications as well

What can you do?

Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.

4. Technical Safeguards

Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

v  Study encryption and decryption of electronically protected health information

v  Use AES encryption for data “at rest” in the cloud

v  Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider to use split-key cloud encryption or homomorphic key management

v  Transmission of data must be secured: use SSL/TLS or IPSec

v  When any data is deleted in the cloud any mirrored version of the data must be deleted as well

v  Limit access to electronically protected health information

v  Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information

v  Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.

5. Administrative Safeguards

For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.”  Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.

v  Assign a privacy officer for developing and implementing HIPAA policies and procedures

  • Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule

v  Implement a set of privacy procedures to meet compliance for four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

v  Provide ongoing administrative employee training on Protected Health Information (PHI)

v  Implement a procedure and plan for internal HIPAA compliance audits

What can you do?

Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements.  Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy.  Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.

Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

September 3, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Don’t Let a Business Associate Compromise Your HIPAA Compliance

Written by:

The following is a guest post by Kari Woolf, Senior Global Product Marketing Manager, Novell.
Kari Woolf - Senior Global Product Marketing Manager at Novell
Traditional healthcare organizations are no longer the only enterprises expected to comply with the strict rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) recently issued the final omnibus rule of HIPAA, which creates significant liability for many technology enterprises, as it has extended the requirement of HIPAA compliance to healthcare “business associates.”

Defining an “organization” and a “business associate.”

A healthcare organization is a healthcare provider, health plan or healthcare clearing house. A business associate is defined as any company that provides its services to healthcare providers, health plans or healthcare clearing houses. These organizations have always been required to comply with HIPAA. Under the new omnibus rule of HIPAA, business associates are now required to be HIPAA-compliant as well. Even companies that may not view electronic protected health information (ePHI), but store, transfer, conduct transactions or in any way manage files for healthcare organizations must comply, and healthcare organizations have to have a business associate agreement in place with those companies.

What does this mean for healthcare organizations?

Organizations often let their employees use cloud-based solutions because they believe sharing internally is not in violation of any HIPAA ordinance. However, any time a file is shared via the cloud it is then in the hands of a company that could be considered a business associate. In most cases, these business associates are not HIPAA-compliant, creating an unnecessary risk for the organization.

The business associate might get in trouble—but the healthcare organization is almost sure to get in trouble. HIPAA regulators are cracking down on traditional healthcare organizations. HHS recently announced the first HIPAA breach settlement involving less than 500 patients at the Hospice of North Idaho (HONI). According to the HHS resolution agreement, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices. This resulted in a $50,000 fine, a two year probation period and extensive reporting requirements for up to six years.

What can healthcare organizations do?

Regardless of any regulations, organizations must enable employee access to important materials from whichever devices or locations employees need to work from. This challenges IT to maintain control of ePHI while still enabling employees to access and share files.

An on-premise solution is a viable option for these organizations to remain HIPAA compliant. Employee productivity and user experience don’t have to be abandoned, as a robust on-premise solution can enable a cloud-like, user-friendly experience with corporate data and files. Organizations can remain HIPAA compliant with certain, trusted cloud solutions, but IT needs to ensure that the cloud provider they choose has the enterprise experience to keep data safe, and with controls and restrictions that only allow the right people to access the right files. Consumer-focused cloud solutions like Dropbox won’t be sufficient for HIPAA compliance. SkyDrive from Microsoft, for example, just announced that IT can now see who has viewed and altered certain documents from the platform. While this is a step in the right direction, visibility alone does not prevent data breaches; it only serves as a notification after the fact, when it may already be too late.

Here’s a quick list of action items to help you maintain HIPAA compliance:

  1. Consider an on-premise solution: Reconsider whether the trouble of relying on a business associate is worth the benefit. On-premise solutions offer all the same capabilities that cloud solutions do, and in fact, most on-premise solutions are more mature and offer better features. Most importantly, they provide a secure foundation for accessing and working with ePHI.
  2. Conduct a full audit of third-party apps in use: Popular mobile apps like Dropbox, Evernote and even Gmail are not HIPAA-compliant. Using these apps constitutes giving ePHI to noncompliant business associates.  Employees may not realize this—they simply want to use the apps they’re familiar with. You need to police the issue. Not sure how to do this? A good mobile device management solution should have tools to help you.
  3. Use a mobile device management tool that can remotely wipe a device if it is lost or stolen: This empowers the network administrator to track and manage access to sensitive data. If a device with ePHI is compromised the network administrator can quickly and efficiently delete the data and minimize any risks. Better yet…
  4. Use your mobile devices as gateways, not destinations: Employees are going to use mobile devices, and there’s little sense in trying to stop them. Instead, make sure those devices don’t become the destination for your ePHI and instead act as a gateway. Employees can access files through their mobile devices without having the actual files on the mobile devices. On-premise solutions will keep ePHI in your data center without it being compromised through cloud storage and file-sharing services.    
  5. Audit mobile devices frequently: All organizations need to have an updated auditing schedule for mobile devices to ensure they are in compliance with any and all organization and regulatory requirements.
  6. Sign a business associate agreement with any outside organization that touches your ePHI: If a cloud vendor or other business associate won’t sign an agreement, find one that will or consider an on-premise solution.

Kari Woolf is a Senior Product Marketing Manager and Collaboration Marketing Lead for Novell. She has been with the company for more than 14 years in a variety of marketing and communications capacities. In addition to her high tech marketing experience, she served as an account manager and content director for a creative agency specializing in live events. She holds a Bachelor of Arts degree in Political Science from Brigham Young University.

August 5, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

HIPAA Fines and Penalties in a HIPAA Omnibus World

Written by:

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is going to likely come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like previous covered entities.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be created against these organizations or the brand impact to the organization of a HIPAA violation. The penalties of a HIPAA violation range between $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willfull Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

July 25, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Brand Damages More than Legal Damages in HIPAA Violation

Written by:

I was recently discussing with someone the possible legal damages of a HIPAA violation by a healthcare organizations business associate. We all know that thanks to HIPAA omnibus, the business associate will now be held liable for any HIPAA breaches or violations that occur. One question I haven’t seen addressed was whether the covered healthcare organization entity would be held responsible for the business associates breaches or violations. Before, the healthcare organization would be the only one with consequences. Are the consequences for the healthcare organization still the same if a business associate has a HIPAA breach?

I think the answer probably depends on the business associate agreement. Although, maybe you can’t shield yourself of liability from business associates negligence just with a well done business associate agreement. Hopefully some of me healthcare lawyer readers can shed light on this subject.

One thing I am sure of is that the legal damages pale in comparison to the damages to a brand when a HIPAA violation occurs even when the violation is completely the responsibility of the business associate. Healthcare organizations are still going to be held responsible for the violation. No doubt we’ll hear the phrase, “the healthcare organization should have properly vetted and checked that their business associates were following HIPAA.”

While we can all agree that many healthcare organizations aren’t as diligent as they should be with business associates, should the healthcare organization have to babysit all of their business associates?

Like most things in life, there has to be a balance. You can’t play big brother with all of your business associates. You’ll drive your business associates crazy and waste a lot of resources in the process. However, I think we can look to HIPAA for the guidelines. Every healthcare organization should have a well thought out understanding and process for how they decide who they work with as business associates.

The reality is that regardless of who takes on the legal consequences of a HIPAA violation, the healthcare organization is the one that has to worry most about the damage to their brand.

July 9, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

4500 Patient Records Found During Drug Bust

Written by:

In the healthcare world, it seems that HIPAA privacy violations & HIPAA Lawsuits are the car accidents that people can’t resist checking out. In most cases, people in healthcare are mostly interested to see what happened with the HIPAA violation and what the consequences were for that violation. In fact, these violations wake people up to the HIPAA policies better than any other means, but I digress.

Since this blog is called EMR and HIPAA, I try and cover various HIPAA related issues I hear about in the news. Today’s HIPAA breach is pretty crazy. It was discovered during a drug bust by the Alameda County Sheriff’s department. During the drug related investigation they found information for 4,500 patients from three hospitals: Alta Bates Summit, Sutter Delta, and Eden Medical Center.

Sutter Health posted a notice about the breach. The notice says that the information could have included: a patient’s name, Social Security number, date of birth, gender, address, zip code, home phone number, marital status, name of employer and work phone number. Sutter has offered free credit monitoring services for those patients who are involved. Plus, they have a hotline set up for those who have questions.

This situation is a bit unique since it seems they haven’t been able to identify exactly which hospital the patients are from. If that’s the case, then releasing all of the patient data to all 3 hospitals could be a breach as well, no? I’m good with making sure you notify everyone on the list that could be affected. They should be notified, but I’d be interested to know which parts of the 4,500 patients was shared with which hospital.

I wonder if large organizations like Sutter Health are creating a permanent department for breaches.

June 12, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.