
Why HIPAA isn’t Enough to Keep Patient Data Secure

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge of effectively monitoring and prioritizing security alerts is exacerbated by the changing threat landscape. Unlike the visible incursions of the past, new attacks employ low-and-slow strategies. Attackers are often able to systematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate other critical IT assets.

Hackers are using multiple attack vectors, including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the operating system embedded in these devices. Many medical devices running older versions of Windows and Linux have known security vulnerabilities and are at risk of malware infection.

Insider threats comprise a significant risk for healthcare organizations. Examples of insider threats include employees who inappropriately access medical records, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity, as insiders already hold more privileges than an external attacker. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is also seen saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high-priority alert.
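The correlation described above, as an added example that is not part of the original post or of any vendor's product: a few constructed audit records from an EHR, an endpoint USB monitor and an email gateway are grouped per user inside a time window, and a VIP record access is escalated only when the same user also shows a removable-media or unusual-email indicator. Field names, thresholds and the four-hour window are assumptions chosen for illustration.

```python
"""Minimal multi-event correlation for insider-threat detection (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events as JSON lines, one source per line type:
# EHR audit log, endpoint USB monitor, email gateway. Field names are assumed.
SAMPLE_LOG = """
{"ts": "2014-03-20T09:12:04", "user": "jdoe", "source": "ehr", "event": "record_access", "patient_flag": "vip"}
{"ts": "2014-03-20T09:40:51", "user": "jdoe", "source": "endpoint", "event": "usb_write", "bytes": 52428800}
{"ts": "2014-03-20T10:02:13", "user": "jdoe", "source": "email", "event": "outbound_mail", "recipients_external": 12}
{"ts": "2014-03-20T11:15:00", "user": "asmith", "source": "ehr", "event": "record_access", "patient_flag": "vip"}
{"ts": "2014-03-20T14:00:00", "user": "bwong", "source": "endpoint", "event": "usb_write", "bytes": 1024}
{"ts": "2014-03-21T08:00:00", "user": "asmith", "source": "endpoint", "event": "usb_write", "bytes": 10485760}
"""

WINDOW = timedelta(hours=4)          # correlation window per user (assumed)
EXTERNAL_RECIPIENT_THRESHOLD = 10    # "unusual" outbound mail baseline (assumed)
USB_BYTES_THRESHOLD = 1 << 20        # ignore writes below 1 MiB (assumed)


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def indicator(rec):
    """Map a raw record to a named indicator, or None if it is benign on its own."""
    if rec["event"] == "record_access" and rec.get("patient_flag") == "vip":
        return "vip_record_access"
    if rec["event"] == "usb_write" and rec.get("bytes", 0) >= USB_BYTES_THRESHOLD:
        return "usb_exfil_candidate"
    if rec["event"] == "outbound_mail" and rec.get("recipients_external", 0) >= EXTERNAL_RECIPIENT_THRESHOLD:
        return "unusual_email"
    return None


def correlate(events, window=WINDOW):
    """Return one alert per VIP access, rated 'low' alone or 'high' when corroborated.

    A VIP access by itself is worth auditing but not paging. If the same user
    also produces a USB or email indicator within `window` after the access,
    the alert becomes 'high' and lists the supporting indicators.
    """
    by_user = defaultdict(list)
    for rec in events:
        ind = indicator(rec)
        if ind:
            by_user[rec["user"]].append((rec["ts"], ind))

    alerts = []
    for user, inds in by_user.items():
        for ts, ind in inds:
            if ind != "vip_record_access":
                continue
            supporting = sorted({name for t, name in inds
                                 if name != "vip_record_access" and ts <= t <= ts + window})
            alerts.append({
                "user": user,
                "trigger_ts": ts.isoformat(),
                "severity": "high" if supporting else "low",
                "indicators": ["vip_record_access"] + supporting,
            })
    return alerts


def main():
    # jdoe: VIP access + large USB write + unusual email inside 4h -> high
    # asmith: VIP access, USB write next day (outside window) -> low
    # bwong: tiny USB write only -> no alert
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))


if __name__ == "__main__":
    main()
```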

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours, and neither should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operations Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.

March 21, 2014

This Geek Girl’s Singing: HIMSS 14 Social Media Finale

As one of the inaugural crop of HIMSS Social Media Ambassadors, a second-generation native Floridian, and a former Orlando resident, it is my sworn duty to summarize, recap, and perhaps satirize the last group of Blog Carnival posts, to metaphorically sing the HIMSS opera finale. And you folks submitted some doozies! I’m very grateful to the HIMSS (@HIMSS) and SHIFT Communications (@SHIFTComm) team for providing me with links to all entries. Y’all have been BUSY!

A man after my own heart, and a frequent #HITsm participant who weathers harsh criticism with witty aplomb: Dan Haley’s (from athenahealth, @DanHaley5) piece on 3 Takeaways From HIMSS – Policy And Otherwise caught my attention with the line, “Regulators are from Mars…” He stole my favorite blog entry prize with the line: “Orlando is magical when you are a kid. Kids don’t attend HIMSS.”

First-time attendee Jeffrey Ting (from Systems Made Simple) outlined his experiences with some of my favorite topics in his piece, HIMSS Reflections By A First-Time Attendee: HIEs and interoperability. I agree with him: the Interoperability Showcase’s “Health Story” exhibit was one of the best presentations of the whole conference.

Dr. Geeta Nayyar’s perspective as a board member of HIMSS and CMIO for PatientPoint gave her a unique vantage point for her post, HIMSS 14: A Truly Inspiring Event. Take note, HIMSS conference planners – your monumental efforts were recognized, as was the monumental spirit of the closing keynote speaker, Erik Weihenmayer.

HIMSS Twitter recaps permeated the blogosphere, with my favorite being the inimitable Chuck Webster’s (@wareflo) HIMSS14 Turned It Up To 11 On And Off-Line!. Chuck also periodically provided trend analysis results of year-over-year #HIMSS hashtag traffic for each period of the conference, complete with memes for particular shapes: Loch Ness monster humped-back, familiar faces of frequent tweeters.

Health IT guru Brian Ahier (@ahier) wrapped up the “Best In Show” of the HIMSS Blog Carnival, complete with Slideshare visuals awarding Ed Park of athenahealth “Best Presentation” and providing an excellent summation of must-read posts.

Interoperability was one of the most prevalent themes of HIMSS, and a plethora of posts discussing the healthcare industry’s progress on the path to Dr. Doug Fridsma’s (@Fridsma) High Jump Of Interoperability (Semantic-Level) were submitted to the Blog Carnival. Notable standouts included Shifting to a Culture of Interoperability by Rick Swanson from Deloitte, and Dr. Summarlan Kahlon’s (of Relay Health) Diagnosis: A Productive HIMSS 2014, which posited that “this year’s conference was the first one which convinced me that real, seamless patient-level interoperability is beginning to happen at scale.”

And who could forget about patient engagement, the belle of the HIMSS ball? Telehealth encounters, mobile health apps and implications, patient portals, and the Connected Patient Gallery dominated the social media conversation. Carolyn Fishman from DICOM Grid called it, HIMSS 2014: The Year of the Patient, and discussed trepidation patients feel about portal technologies infringing on face-time.

Quantified-self wearable-tech offered engagement opportunities, as well. Having won one such gadget herself, Jennifer Dennard (@SmyrnaGirl) gave props to organizations like Patientco and Nuance for their use (and planned use) of wearable tech in support of employee wellness programs, and posited on the applications of such tech in the monitoring and treatment of chronic disease in her piece, Watching for Wearables at HIMSS14.

Finally, if you’re able to read Lisa Reichard’s (from Billians Health Data, @billians) highlights piece, Top 10 Tales and Takeaways, without busting out into Beatles tunes, you probably wouldn’t have had nearly as much fun as she and I did at HISTalkapalooza, dancing to Ross Martin’s smooth parodies. You also probably don’t have your co-workers frantically purchasing noise-canceling headphones.

I did say I’d be singing to bring HIMSS to a virtual close.

Can’t wait to get back to the metaphorical microphone for HIMSS 2015 in Chicago!

March 14, 2014

Mandi Bishop is a healthcare IT consultant and a hardcore data geek with a Master's in English and a passion for big data analytics, who fell in love with her PCjr at 9 when she learned to program in BASIC. Individual accountability zealot, patient engagement advocate, innovation lover and ceaseless dreamer. Relentless in pursuit of answers to the question: "How do we GET there from here?" More byte-sized commentary on Twitter: @MandiBPro.

In 2014, Health IT Priorities are Changing

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Cincinnati-based Doc Halo sets the professional standard for health care communication offering secure messaging for physicians, medical practices, hospitals and healthcare organizations. The Doc Halo secure texting solution is designed to streamline HIPAA-compliant physician and medical clinician sharing of critical patient information within a secure environment.

2014 is a major year for health care, and for more reasons than one.

Of course, some of the most significant reforms of the Affordable Care Act take effect this year, affecting the lives of both patients and providers.

But it’s also a year in which health care institutions will come to grips with IT issues they might have been putting off. Now that many organizations have completed the electronic health record implementations that were consuming their attention and resources, they’re ready to tackle other priorities.

Expect to see issues related to communications, security and the flow of patient information play big in coming months. At Doc Halo, we’re already seeing high interest in these areas.

Here are my predictions for the top health IT trends of 2014:

  • Patient portal adoption. Web-based portals let patients access their health data, such as discharge summaries and lab results, and often allow for communication with the care team. Federal requirements around Meaningful Use Stage 2 are behind this trend, but the opportunity to empower patients is the exciting part. The market for portals will likely approach $900 million by 2017, up from $280 million in 2012, research firm Frost & Sullivan has predicted.
  • Secure text messaging. Doctors often tell us that they send patient information to their colleagues by text message. Unfortunately, this type of data transmission is not HIPAA-compliant, and it can bring large fines. Demand for secure texting solutions will be high in 2014 as health care providers seek communication methods that are quick, convenient and HIPAA-compliant. Doc Halo provides encrypted, HIPAA-compliant secure text messaging that works on iPhone, Android and your desktop computer.
  • Telehealth growth. The use of technology to support long-distance care will increasingly help to compensate for physician shortages in rural and remote areas. The world telehealth market, estimated at just more than $14 billion in 2012, is likely to see 18.5 percent annual growth through 2018, according to research and consultancy firm RNCOS. Technological advances, growing prevalence of chronic diseases and the need to control health care costs are the main drivers.
  • A move to the cloud. The need to share large amounts of data quickly across numerous locations will push more organizations to the cloud. Frost & Sullivan listed growth of cloud computing, used as an enabler of enterprise-wide health care informatics, as one of its top predictions for health care in 2014. The trend could result in more efficient operations and lower costs.
  • Data breaches. Health care is the industry most apt to suffer costly and embarrassing data breaches in 2014. The sector is at risk because of its size — and it’s growing even larger with the influx of patients under the Affordable Care Act — and the introduction of new federal data breach and privacy requirements, according to Experian. This is one prediction that we can all hope doesn’t come true.

To succeed in 2014, health care providers and administrators will need to skillfully evaluate changing conditions, spot opportunities and manage risks. Effective health IT frameworks will include secure communication solutions that suit the way physicians and other clinicians interact today.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

January 30, 2014

The Guide to HIPAA Compliant Text Messaging

I’ve written regularly about the need to move to HIPAA compliant text messaging, because Texting (SMS) is NOT HIPAA Secure. To add to that, I recently wrote a post on EMR and EHR about Why Secure Text Messaging is Better than SMS. I throw out the whole “fear of HIPAA” component and paint a picture for why every organization should be moving to a secure text message solution instead of using SMS.

While I think a business case can be made for secure text messaging in healthcare over SMS without invoking HIPAA, the HIPAA implications are important as well. In fact, Imprivata has put out The CIO’s Guide to HIPAA Compliant Text Messaging, where they make a good case for why HIPAA compliant text messaging is important and how to get there.

The whitepaper suggests that you have to start with Policy, then choose a Product, and then put it into Practice. Sounds like pretty much every health IT project, no? However, the guide also offers a series of really great checklists that can help you make sure you’re covering all of your bases when it comes to implementing a secure text message strategy.

Of course, the biggest challenge to all of this is that everyone is so busy with MU stage 2 and ICD-10. However, when the HIPAA auditors come knocking, I wouldn’t want to be an organization without a secure text message solution. The best way to battle non-HIPAA compliant SMS messaging in your organization is to provide staff with an alternative.

Full Disclosure: I’m an adviser to HIPAA compliant messaging company docBeat.

January 23, 2014

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

The Wackiest HIPAA Data Breaches of 2013

The following is a guest post by David Vogel, blogger for Layered Tech.
2013 was a historic year for HIPAA violations, with more than 5.7 million patients affected and the second-largest breach ever reported in the U.S. Department of Health & Human Services online database.

The year also featured some of the strangest violations ever seen, including some incredible security whiffs, business associate failures, and criminal shenanigans. Let’s dive into the top five “funny if they weren’t true” data breaches of the past year:

News Crew Goes Dumpster Diving for Patient Records
When an Indianapolis parishioner stumbled across medical records in a recycling dumpster on church property, an investigative reporter from the local NBC affiliate jumped in, literally. What the reporter found were thousands of patient records containing medical history, Social Security numbers, credit card info and other data.

Upon investigation, the dumped records were tied back to the Comfort Dental offices in Marion and Kokomo, Indiana, which closed after the dentist who ran the offices lost his license due to fraudulent billing.

You can’t make this sort of thing up.

To add further intrigue, before calling in the Feds, the news crew loaded up the boxes of records and stored them at the studio. According to the reporter, their past experiences with finding private health information taught them the “way to best protect this info and to get action is to do exactly what we did.”

The files have since been handed over to officials, who have determined that 5,388 people were affected.

Indiana news reporter Bob Segall investigates patient records dumped in church recycling bin. Courtesy: WTHR-TV

Miniaturized Medical Data Float Around Fort Worth
In May of 2013, Fort Worth residents found sheets of microfiche from the ’80s and ’90s in a park and other public areas in Fort Worth. The sheets, which contained miniaturized medical records from Texas Health Fort Worth, had been destined for destruction, but apparently lost by the business associate (BA) contracted to shred them.

The bad news for the 277,014 patients potentially affected? The microfiche sheets likely contained Social Security numbers among the medical records. The slight glimmer of hope? Microfiche format and readers have become very rare, lessening the chance of the records being recognized and misused.

Example microfiche sheet via Wikimedia

X-Rays Worth Their Weight in Silver
When Raleigh Orthopaedic Clinic hired a contractor to transfer x-ray films to digital images, they ended up on the wrong side of a nefarious scam. In March, the clinic discovered that their contractor instead sold the films to a recycling company to be scrapped for their silver, leaving the clinic with no digital version of the x-rays, no validation of their destruction, and the 6th-largest HIPAA breach of 2013 (17,300 patients affected).

No Privacy for Kim Kardashian and Baby North West
When celebrities Kim Kardashian and Kanye West checked into L.A.’s Cedars-Sinai Medical Center for the birth of their child, it wasn’t just paparazzi looking for the inside scoop. Six staffers were fired from the hospital in the days following the birth of baby North West for having “inappropriately accessed” patient data. The resulting investigation found that five of the suspects snooped on the patient records using the log-ins of the physicians for whom they worked, which also violated hospital policy. The other suspect had access to the patient database for billing purposes.

Image via Wikimedia

Felon Gets Hospital Job, Steals Records for Tax Scam
A failed attempt to cash a fraudulent check led to the discovery of one of the most disturbing HIPAA breaches of 2013. The story starts when Oliver Gayle, a Miami man with past felony convictions for racketeering and grand theft, got a temp job at the Mount Sinai Medical Center in Miami Beach on the strength of an inaccurate background check. Gayle then began accessing and printing hundreds of patient records and transactional information from the hospital’s account database. The stolen records went unnoticed until a bank notified police about an attempt to cash a bad check and gave a description of the car Gayle was driving.

What happened next was like a story out of America’s Dumbest Criminals.

When Gayle was pulled over, police found that he had more than 15 suspensions on his driver’s license, and prepared to have the car towed. However, Gayle first requested that officers bring along an open bag from the car. Inside the bag, officers found a treasure trove of patient and financial information, including more than a hundred Mount Sinai records, copies of U.S. Treasury checks, Social Security numbers, fraudulent tax returns and a counterfeit U.S. visa.

Gayle has since been convicted for his identity theft tax refund scheme, and faces prison time for several decades’ worth of fraud and identity theft charges. In the meantime, Mount Sinai may face penalties for the HIPAA violations, which affected 628 people.

About the Author: David Vogel is a blogger for Layered Tech, a leading provider of HIPAA-compliant hosting and private cloud. Connect with David on Twitter (@DavidVogelDotCo) and Google+ (+David Vogel).

January 16, 2014

IMS IPO and Health Data Privacy

The following is a guest post by Dr. Deborah Peel, Founder of Patient Privacy Rights. There is no bigger advocate of patient privacy in the world than Dr. Peel. I’ll be interested to hear people’s comments and reactions to Dr. Peel’s guest post below. I look forward to an engaging conversation on the subject.

Clearly the way to understand the massive hidden flows of health data is through SEC filings.

For years, people working in the healthcare and HIT industries and government have claimed PPR was “fear-mongering”, even while they ignored or denied the evidence I presented in hundreds of talks about dozens of companies that sell health data (see the slides on our website).

But IMS SEC filings are formal, legal documents and IMS states that it buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally”. It buys and aggregates sensitive “prescription” records, “electronic medical records”, “claims data”, and more to create “comprehensive”, “longitudinal” health records on “400 million” patients.

* All purchases and subsequent sales of personal health records are hidden from patients. Patients are not asked for informed consent or given meaningful notice.
* IMS Health Holdings sells health data to “5,000 clients”, including the US Government.

These statements show the GREAT need for a comprehensive health data map, and that such a map will include potentially a billion places to which Americans’ sensitive health data flows.

In what universe is our health data “private and secure”?

January 7, 2014

A CIO Guide to Electronic Mobile Device Policy and Secure Texting

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Doc Halo provides secure, HIPAA-compliant secure-texting and messaging solutions to the healthcare industry. He is a former chief information officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics and Meaningful Use. He has more than 20 years of information technology design, management and implementation experience. He has successfully implemented large systems and applications for companies such as Procter and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.
Reach Cliff at cmcclintick@dochalo.com.

One of the many responsibilities of a health care chief information officer is making sure that protected health information stays secure.

The task includes setting policies in areas such as access to the EMR, laptop hard drive encryption, virtual private networks, secure texting and emailing and, of course, mobile electronic devices.

Five years ago, mobile devices hadn’t caught many health care CIOs’ attention. Today, if smartphones and tablets aren’t top of mind, they should be. The Joint Commission, the Centers for Medicare and Medicaid Services and state agencies are scrutinizing how mobile fits into organizations’ security and compliance policies.

Be assured that nearly every clinician in your organization uses a smartphone, and in nearly every case the device contains PHI in the form of email or text messages. That’s not entirely a bad thing: The fact is, smartphones make clinicians more productive and lead to better patient care. Healthcare providers depend on texts to discuss admissions, emergencies, transfers, diagnoses and other patient information with colleagues and staff. But unless proper security steps are being taken, the technology poses serious risks to patient privacy.

For creating a policy on mobile electronic devices, CIOs can choose from three broad approaches:

  • Forbid the use of smartphones in the organization for work purposes. This route includes forbidding email use on the devices. Many companies have tried this approach, but in the end, it’s not a realistic way to do business. You may forbid the use of the technology and even have members of your organization sign “contracts” to that effect. But even for the people who do comply out of fear, the organization sends the message that it’s OK to violate policy as long as no one finds out.
  • Allow smartphones in the organization but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option, as the CIO is taking responsibility for the use of the devices and providing some direction. In most cases there will be guidelines regarding message life, password format, password timeout, remote erase for email and other specifics. And while the sending of PHI would not be allowed, protocol and etiquette would be in place for when the issue comes up. Ultimately, though, this approach can be hard to enforce, and the possibility remains that PHI will be sent to a vendor or out-of-IT-network affiliate.
  • Create a mobile device strategy. This option embraces the technology and acknowledges that real-time communication is paramount to the success of the organization. In healthcare, real-time communication can mean the difference between life and death. With this approach the technology is fully secured and can be used efficiently and effectively.

Recent studies have shown that more than 90 percent of physicians own a smartphone. Texting PHI is common and helps clinicians to make better decisions more quickly. But allowing PHI to be transmitted without adequate security can compromise patient trust and lead to government penalties.

Fortunately, healthcare organizations can take advantage of mobile technology’s capacity to improve care while still keeping PHI safe. In a recent survey of currently activated customers of Doc Halo, a secure texting solution provider, 70 percent of respondents using real-time secure communication reported better patient care. Seamless communication integration and a state-of-the-art user experience ensure that the percentage will only rise.


January 6, 2014

What Happened with EMR and Health IT in 2013?

As we wrap up 2013, I thought I’d take a look back at some of the major things that happened in 2013. They will be topics you’re very familiar with, but hopefully this will tie a nice bow on the top of 2013 as we look towards 2014.

ICD-10 Got Real – There are still many organizations that aren’t focusing on ICD-10 or that are underestimating it, but for the most part I’m seeing a lot of concern around ICD-10. I’ve started a whole series on ICD-10, and as I’ve been preparing posts it has become clear that the impact of ICD-10 is going to be huge. I think people are just starting to realize it, and 7-8 months from now a lot of organizations are going to go into panic mode. Some of that panic they could avoid if they started working on ICD-10 today. Some of the panic will likely come from outside vendors who end up not delivering ICD-10 the way they should.

ACO’s Are Still a Mystery – Some of the ACO work from the government is coming into some focus, but that barely feels like an ACO to me. Of course, it’s all how you define an ACO. I mostly see defensive efforts by organizations trying to group and align themselves with other organizations for whatever reimbursement changes come down the pipe. However, I don’t think any of them really know what’s coming (and I don’t claim to know either).

Meaningful Use Stage 2 Hit Us – We got a meaningful use stage 2 extension and a meaningful use stage 3 delay, but we didn’t get what many were hoping would be a meaningful use stage 2 delay. That means organizations have little choice but to proceed with meaningful use stage 2. As I’ve seen more and more organizations get into MU stage 2, I’ve seen two main actions: workarounds and complaints.

I believe the inverse relationship between incentives and requirements is starting to become an issue. It will certainly blow up when the even more challenging meaningful use stage 3 requirements hit and the EHR incentives are gone.

Consolidation (Hospital and Physician Practice) – Everyone tells me private practice acquisition is cyclical and at some point we’ll see a return to independent doctors. However, I haven’t seen that cycle happen yet. All I see is hospitals acquiring practices like crazy, not to mention hospitals joining together as well. I wonder if the prediction I heard of only 5-10 major health systems will play out.

HIPAA Omnibus Landed (and is mostly forgotten) – HIPAA Omnibus is in place whether a practice likes it or not. Most never realized it went into effect or have forgotten it already. Watch for 2014 to be the year that it starts biting organizations in the backside. Give us 4-5 stories about HIPAA Omnibus making a physician’s life miserable and then we’ll see more people getting HIPAA training, fixing their business associate agreements, and maybe even implementing encryption on their devices. Maybe I should have added this to my 2014 wish list I’ll post tomorrow.

Did I miss anything? Probably. So, let’s hear what I missed in the comments. Also, I made some similar comments with a hospital focus over on Hospital EMR and EHR.

December 31, 2013

Top 5 Tips for HIPAA Compliance

Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. The list addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips is a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer and your staff. As is noted above, more frequent audits and fines are coming.

December 17, 2013 | Written By

Windows XP Won’t Be HIPAA Compliant April 8, 2014

Written by:

As was announced by Microsoft a long time ago, support for Windows XP is ending on April 8, 2014. Most of us don’t think this is a big deal and are asking, “Do people still use Windows XP?” However, IT support people in healthcare realize the answer to that question is yes, and far more than it should be.

With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:

Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.

Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.

Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.

Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization. Those will be fine. The problem is the hundreds of other software applications a healthcare organization has to support. Some of those could be an issue for organizations.

Outside of these systems, it’s just a major undertaking to move from Windows XP to a new OS. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA Compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course, and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if they’re not HIPAA compliant, it puts them at risk of not meeting the meaningful use security requirements. The meaningful use risk assessment should have caught this, right?

I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.

December 12, 2013 | Written By