Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

10 Ways Many Dental Offices Are Breaching HIPAA

Written by:

The following is a guest blog post by Trevor James.

If you work in the health/dental/medical space, you already know that HIPAA violations are a serious matter. Fines today for not complying with HIPAA laws and regulations are a minimum of $100-$50,000 per violation or record and a maximum of $1.5 million per year for violations of the same provision. Some violations also carry criminal charges with them, resulting in jail time for the violators.

Many dental offices are breaching HIPAA laws without realizing it or have employees doing so without their knowledge.

If you’re a dentist, office manager, or someone who’s been tasked with ensuring HIPAA security within your group, here are the 10 most common ways dental offices are breaching HIPAA regulations so your practice doesn’t make the same mistakes as others.

1. Devices with patient information being stolen

This is a common HIPAA violation for dental offices. It’s important to ensure the devices your dental office uses, like USB flash drives, mobile devices and laptops, are carefully handled and securely stored to prevent them and the patient information on them from being stolen.

2. Losing a device with patient information

Along the same lines as above, it’s also easy (and common) for an employee to lose those kinds of devices. USB flash drives and mobile devices are smaller items, so it’s easy to misplace them. When that happens, it’s easy for sensitive patient information to end up in the wrong hands.

Train your employees on the importance of properly handling these devices and set up some sort of tracking device, like downloading the Find My iPhone app or Where’s My Droid, to help you locate a device if it ends up lost.

3. Improperly disposing of papers and devices with patient information

When it comes time to get rid of papers or devices containing dental records or billing information, be sure you properly dispose of them. Crumpling paper in a ball and throwing it in the trash isn’t the correct way to do things nor is shutting down a device and then tossing it in the garbage. Use a paper shredder and wipe your devices clean of all information before disposing of them.

4. Not restricting access to patient information

Unauthorized access to a patient’s dental information will get you in serious trouble with HIPAA. Patients trust your office with this personal information, so be smart when handling such information so other patients, employees and relatives who aren’t allowed access don’t come across it.

A dental practice breached HIPAA in a case relating to this when they put a red sticker reading “AIDS” on the outside cover of patient folders and those not needing to know said information were able to read it while employees handled the folders. Don’t make simple, costly mistakes like they did.

5. Hacking/IT incidences

Most patient dental information now is stored on computers, laptops, mobile devices, and in the cloud. Today’s technology allows dental practices to more easily communicate, and look up and share patient information or their status on these devices.

The downfall of this technology is the people who are just as smart or smarter than your technology and hack into your devices or systems to get their hands on patient information. Make sure every device has some type of passcode or authentication to get on, install encryptions and enable personal firewalls and security software.

6. Sending sensitive patient information over email

While it’s not a violation to send these kinds of emails, it is a violation if the email is intercepted and/or read by someone without authorized access. Use encryptions and double check that whomever you’re sending the email to is supposed to be receiving the email.

7. Leaving too much patient information over a phone message

A patient may give you the A-Okay to call them, but be sure you don’t leave a message disclosing too much of their information. A friend or family member could check your patient’s message and hear things they shouldn’t, making said patient upset, or equally as bad, you could call the wrong number and say more than you should, which would probably make your patient even more upset with you. Your safest bet when calling a patient and they don’t answer is to leave a message for them to call you back.

8. Not having a “Right to Revoke” clause

When your dental office creates its HIPAA forms, you have to give your patients the right to revoke the permissions they’ve given to disclose their private dental information to certain parties. Not providing this information means your HIPAA forms are invalid and releasing subsequent information to another party puts you in breach of HIPAA.

9. Employees sharing stories about patient cases

People talk. It’s a simple fact. Employees talk with one another and they also talk to patients every workday. Remind them, though, that discussing a patient’s information to an employee lacking authorized access or to other patients is unprofessional and puts your whole practice at risk of being fined by HIPAA.

10. Employees snooping through files

It might seem shocking — or maybe not to some — but employees have been caught snooping through patient and co-worker files before. They do this to find out information for themselves but also because relatives or friends ask them to find things out about a certain person. Snooping is wrong and unprofessional on all levels.

Make sure your employees are clear on this and that they understand how bad the consequences can be for them and your office for doing so.

HIPAA violations in dental offices are all too common. Now that you know the top 10 ways dental offices are breaching HIPAA, you can take every precaution necessary to prevent your practice from violating any HIPAA laws and regulations.

About The Author

Trevor James is the marketing manager for Dentrix Ascend, a cloud based dental practice management software and Viive, a dental practice software for Mac’s.

July 28, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

HIPAA Risk Assessment Infographic

Written by:

I’ll admit that I’m a sucker for infographics. I usually post the various EHR infographics I find on EMR Thoughts, but this one seemed more appropriate to post on EMR and HIPAA. You can find all of the various EHR and Health IT infographics I’ve posted on this Healthcare IT Infographic pinterest board as well.

Thanks to Coalfire for putting together this HIPAA Security Risk Analysis Myths infographic.

Update: David Harlow offered this interesting note that might be helpful to some “The infographic suggests that only covered entities need to undergo a security risk assessment. In the EHR context that makes sense, since them with EHRs are CEs, but of course Business Associates need to do this too.”

HIPAA Risk Assessment Infographic

July 25, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Meaningful Use Audits, RAC Audits, and HIPAA Audits

Written by:

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Barry Haitoff
Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening across every size organization and are conducted by the CMS hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the self-attestation objectives and others detailing the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, then you’ll want to take some time to go through the document to make sure you can provide the necessary documentation if needed. In many cases this simply includes dated screenshots to prove measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not totally rely on them.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization that wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold as CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. While no RAC audits are occurring right now, that doesn’t mean that once the RAC audits resume, the claims you’re filing today can’t and won’t be audited.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that they’d be surveying 800 covered entities and 400 business associations to select the next round of audit subjects. An OCR Spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike previous audits that were done by KPMG, these HIPAA audits will be done by OCR staff. One area that these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be understated and is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

Summary
No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

July 14, 2014 I Written By

NY Med Social Media Firing

Written by:

Update: Katie Duke stopped by and left the following comment that’s worth noting:

Thank you for this article and review. I did not violate any aspect of the social media policy or HIPPAA and was technically fired for what my manager calls “we just don’t want you working here anymore and you’re insensitive” (as referring to the post)

I have been in the spotlight for several years and thoroughly respect the rules and regulations of our profession and it’s presence on social media. My goal is to change the portrayal of nursing in the media. We all make mistakes and we must learn from them. Do I feel it was a terminable offense? No- I feel I should have been counseled or even given some constructive criticism. After all- I am a great nurse and was with NYP for 7 years and of their motto is to put patients first then they should advocate more for the retention and growth of the nurses they have. Nurses are NOT disposable. Thank you for this venue to get the dialogue going about this rather controversial and taboo topic.

I applaud Katie’s efforts since I’ve often commented how nurses are an afterthought during an EHR selection and implementation process and that’s a pity since they’re such an important part of the organization. I imagine this same thing applies to other hospital policies. Thanks for your added comments Katie.

Last night was the premiere of the second season of NY Med on ABC. I saw the previous season and enjoyed it and so I was interested to see the new season. I like all of the show except for Dr. Oz who is obviously there because he has a big name and not because he’s actually practicing medicine. I love the quote I read online “Dr. Oz is a fake even when he’s scrubbing in. His mask isn’t on while he’s fake scrubbing.” All of the Dr. Oz parts felt very contrived so they could get him involved in the show. When real cardiology was being practiced, he called in the leading expert, or at least someone who actually could help the patient.

Dr. Oz part aside, the 3 ER nurses are my favorite part of the show. I remembered 2 of the 3 from last season and so I was really glad to see that they were back. Those are some firecracker nurses that always face interesting situations in the ER.

While the show isn’t perfect since as soon as you turn a camera on, people change, it’s still an interesting look into the challenges that many doctors and nurses face on the front lines of healthcare. While Grey’s Anatomy is a well written, entertaining drama and sometimes taps trending topics for its story, it’s not a good depiction of reality.

With the above review, I was particularly intrigued last night when Katie Duke, one of the ER nurses, got Fired from the hospital for posting a picture on Instagram. It was pretty interesting to see both the other ER nurses and Katie’s first hand response to her being fired and escorted from the building.

Since this is EMR and HIPAA, let’s talk about the HIPAA implications of what Katie did. They didn’t show the picture she posted for very long, but there were no people in the picture. Just a room after they’d had a trauma case in the ER. Basically, at quick glance I can’t imagine there’s any HIPAA violation with the picture. She did tag the picture with a number of hashtags. The only one that seemed in question was the “#Man vs 6 train” one, but that’s not a HIPAA violation either or would be an enormous stretch to make the case that it is a violation.

I think it’s fair to say she didn’t violate HIPAA with her instagram post. However, that doesn’t mean she didn’t violate a hospital social media policy. I’d be interested to see New York Presbyterian’s (the hospital who fired her) social media policy. It’s hard to guess at what the policy might include. I’ve seen really strict social media policies, really open social media policies and organizations with no policy (that’s scary). Given their policy, it might very well have been appropriate to fire her. In fact, if it wasn’t, Katie Duke seems like someone who would fight back in court if it wasn’t appropriate.

While Katie Duke was fired from New York Presbyterian, she was hired at Roosevelt on the West Side. I wonder what they said to Katie about social media when they hired her. In the NY Med episode they show her doing well. Although, they noted that she was great with patients, but was having a challenge getting up to speed on their computer system. Makes me wonder what EHR they use in their ED. Although, I think it’s safe to say that this could be said about any ER nurse in any ER regardless of the computer system they use. It just takes some time to get up to speed on an EHR.

In case you’re wondering, Katie Duke has launched a website and on July 1st she’s launching a YouTube show, she has an endorsement deal with Dickies and Cherokee scrubs, has speaking engagements around the country, and a line of merchandise around the phrase “Deal With It.” I guess that’s how she’s chosen to deal with the firing. If you look at her Twitter account, you can see a lot of nurses who really look up to her and appreciate her.

The discussion of social media in the workplace is an important one and it’s really important that you understand your employer’s views on the subject if you’re going to take part in it. Although, I think we all have to appreciate the irony of a hospital firing someone for posting a picture to instagram while that same hospital has a bunch of cameras video recording in their hospital for a TV show on ABC. Feels pretty hypocritical, do as I say, not as I do.

What do you think? Did you see the show? Where will social media sharing take us in healthcare and what will be the good and bad consequences of it?

June 27, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Criminals Have Their Eyes on Your Patients’ Records

Written by:

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!
Art Gross Headshot
It’s one thing to have a laptop stolen with 8,000 patient records or for a disgruntled doctor to grab his patients’ records and start his own practice.  It’s another when the Cosa Nostra steals that information, siphons money from the patient’s bank account and turns it into a patient trafficking crime ring.  Welcome to organized crime in the age of big data.

Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.

It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender who uses it to file false tax returns. In fact gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!

Florida is hotbed for this activity and it’s spreading across the country.  In California, narcotics investigators took down a methamphetamine ring and confiscated patient information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs to make the illicit drug.

Value of patient records

Stolen patient information comes with a high price tag if the medical practice is fined by HIPAA. One lost or stolen patient record is estimated at $50, compared to the price of a credit card record which fetches a dollar.  Patient records are highly lucrative. The below charts shows the value of patient information that might be sitting in an EHR system:

Amount of Patient Records Value of Patient Records
1,000 $50,000
5,000 $250,000
10,000 $500,000
100,000 $5,000,000

 
Protect your practice

Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security.  Here are seven steps that organizations can take to protect electronic patient information:

  1. Perform a security risk assessment – a security risk assessment is not only required for HIPAA Compliance and EHR Meaningful Use but it can identify security risks that may allow criminals to steal patient information.
  2. Screen job applicants – all job applicants should be properly screened prior to hiring and providing access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
  3. Limit access to patient information – employees should have minimal access necessary to perform their jobs rather than full access to electronic health records.
  4. Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. And access to patient information should be recorded, including who accessed, when, and which records they accessed.
  5. Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day. Reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average 10 patient records per day and on one particular day they retrieve 50 to 100 records.  Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
  6. Security training – all employees should receive security training on how to protect patient information, and make sure they know any patient information activity is being logged and reviewed.  Knowing that employee actions are being observed should dissuade them from using patient information illegally.
  7. Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a  doctor’s lab coat.  Organizations should limit the use of USB drives to prevent illegal activity.

The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals.  Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.

June 26, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Another View of Privacy by Dr. Deborah C. Peel, MD

Written by:

I thought the following TEDx video from Deborah C. Peel, MD, Founder and Chair of Patient Privacy Rights, would be an interesting contrast with some of the things that Andy Oram wrote in yesterday’s post titled “Not So Open: Redefining Goals for Sharing Health Data in Research“. Dr. Peel is incredibly passionate about protecting patient’s privacy and is working hard on that goal.

Dr. Peel is also trying to kick off a hashtag called #MyHealthDataIsMine. What do you think of the “hidden privacy and data breaches” that Dr. Peel talks about in the video? I look forward to hearing your thoughts on it.

June 25, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

7 Mobile Apps Every Doctor Should Have

Written by:

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Cincinnati-based Doc Halo sets the professional standard for health care communication offering secure messaging for physicians, medical practices, hospitals and healthcare organizations. The Doc Halo secure messaging solution is designed to streamline HIPAA-compliant physician and medical clinician sharing of critical patient information within a secure environment.

For many physicians, the days of manila folders and paper charts are a distant memory.

For many others, they never existed.

But patient records are only one area where technology is redefining how doctors work. Newer tools, especially mobile apps, are taking the place of 3,000-page reference books, phone-tag inducing pagers and even plastic anatomical models.

About 78 percent of physicians in a Kantar Media survey released in January said they used smartphones for both professional and personal tasks. They had downloaded an average of seven apps in the last six months.

Here are a few app categories that can make any doctor’s life easier:

  • Drug database. The old way to find out about a drug — what it does, proper dosing, potential interactions — was to flip through a rather large tome. Web-based drug databases eliminated much of the page-turning, and now mobile apps are making the process even handier.
  • Journal reference. Doctors are increasingly relying on mobile devices to help them keep up with research in their field. About 21 percent of physicians use smartphones to read medical journals, according to Kantar Media, and 28 percent use tablets to read them. The New England Journal of Medicine makes recent articles, along with images, audio and video, available through its free NEJM This Week app for iPhone and iPod Touch. Many other medical publishers have similar offerings.
  • Secure texting. Physicians text as much as anybody. Regular SMS text messages, however, are not HIPAA-compliant. Physician messaging platforms developed by companies such as Doc Halo allow doctors to text about work while keeping their patients’ health information safe. Features to look for include encryption with federally validated standards, limited data life for messages and a remote mobile wipe option in case the phone is lost. Secure texting eliminates the games of phone tag caused by the pagers that are still in use at many hospitals.
  • EMR. Records are going mobile, too, with large and small EMR vendors alike releasing mobile apps. In a survey last year, Black Book Rankings found that only 8 percent of doctors used a mobile device for accessing patients records, ordering tests, viewing results or ordering medications. But 83 percent said they would do so if their current EMR had the capability.
  • Image viewer. Several apps now let doctors view X-ray, CT, MRI and other diagnostic images on their mobile devices. Physicians get an initial impression based on the app and then take a closer look when they get to a full imaging workstation with higher resolution. The U.S. Food and Drug Administration regulates these apps as medical devices.
  • Billing. These apps help physicians capture diagnoses and billing codes on the go, such as when seeing patients in the hospital. Doctors can instantly transmit the data to their front desk or a billing company, speeding up payment and reducing the chance of lost charges.
  • Patient education. These apps, which are often specialty-specific, allow doctors to call up images and even videos of body parts and their functions — and malfunctions. For example, a cardiologist might use a video showing what mitral valve prolapse looks like. Plastic models look nice, and they’re a great way for patients to get a hands-on sense of certain conditions and treatments. But they’ll never match the number of structures and processes these apps can illustrate.

No app can replace the knowledge and skill that a physician develops through years of training and experience. These mobile tools provide convenience and remove barriers to efficient practice, allowing doctors to spend more time on patient care.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

June 16, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

HIPAA Security and Audits with Mac McMillan

Written by:

In case you missed the recent HIPAA Privacy and Security hangout I did with Mac McMillan, CEO of Cynergistek, you’re missing out. I think this HIPAA interview is an extension of what we started in our post “6 Reality Checks of HIPAA Compliance.” There’s a real awakening that’s needed when it comes to HIPAA. I love in this hangout when Mac says that the patience in Washington for those that aren’t HIPAA compliant is running low. An example of that is another topic we discus: HIPAA audits. The first round of HIPAA audits were more of a barometer of what was happening. The next round we’ll likely be much more damaging.

Watch the entire HIPAA interview with Mac McMillan to learn even more:

May 20, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Where Are the Big Business Associate HIPAA Breaches?

Written by:

It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the later post, there’s been a really rich discussion around the ability of an enterprise organization to be able to secure their systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (ie. a healthcare cloud provider) was ever posted on the wall or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.

April 29, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Do Security and Privacy Concerns Drive Cloud Adoption?

Written by:

In one of my recent conversations with Dr. Andy Litt, Chief Medical Officer at Dell, he made a really interesting but possibly counter intuitive observation. While maybe not a direct quote from him, I took away this observation from Dr. Litt:

Security and privacy drives people to the cloud.

Talk about an ironic statement. I imagine if I were to talk to a dozen CIOs, they would be more concerned about the security and privacy implications of the cloud. I don’t imagine most would look at the cloud as the solution to some of their security and privacy problems.

However, Dr. Litt is right. Many times a cloud based EHR or other software is much more secure than a server hosted in a doctors office. The reality is that many healthcare organizations large or small just can’t invest the same money in securing their data as compared with a cloud provider.

It’s not for lack of desire to make sure the data is secure and private. However, if you’re a small doctor’s office, you can only apply so many resources to the problem. Even a small EHR vendor with a few hundred doctors can invest more money in the security and privacy of their data than a solo practice. Although, this is true for even very large practices and even many hospitals.

One reason why I think many will disagree with this notion is because there’s a difference between a cloud provider who can be more secure and private and one who actually executes on that possibility. It’s a fair question that everyone should ask. Although, this can be verified. You can audit your cloud provider and see that they’re indeed putting in security and privacy capabilities that are beyond what you’d be able to do on your own.

What do you think? Is hosting in the cloud a way to address security and privacy concerns?

April 24, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.