October 19, 2011
Securing PHI Feels A Lot Like Y2K
Written by: John
Seems like the comments being made on posts and being emailed to me have been really interesting lately. As I often like to do, I want to highlight those that provide interesting stuff in the comments since many people don’t read all the comments. Here’s one such comment from ip-doctor on my post about de-identified healthcare data.
I am interested in knowing how readers answer John’s question re position on use of de-identified data. My guess is that people don’t know it’s going on and will object to it happening in principle.
Securing PHI feels a lot like Y2K. No doubt breaches occur, and, when they do, they are certainly costly for the offending HCO, but how many examples are there of leaked information being used to harm someone? Seems like the same proscriptions vs. extortion, blackmail, and libel would prevent individuals from using illegally obtained PHI to harm patients.
In fact, the odds that there is a Person A who wishes to harm Person B AND who somehow comes up with Person B’s sensitive PHI AND is able to use it to harm Person B without Person B having ample legal recourse against Person A are hopelessly LONG. Breaches of thousands/hundreds of thousands/millions of records are too large and unspecific to be “used” for nefarious purposes.
We need to secure PHI, but we are hoisting ourselves on our own petards if we let legitimate concerns about the use of patient data block or slow our adoption of EMRs and HCIT for ACOs and PCMHs. Just as there are real benefits associated with use of de-id’ed patient data, there are (significant, hidden) costs with not sharing health data.
The irony here is that the most common, undeniably harmful use of sensitive PHI has been to deny coverage to patients with pre-existing conditions. Kind of makes sense. It is, after all, health information.
Nothing like sharing a post about the fears and challenges associated with sharing data and privacy and following up with a post that talks about how it might not be as big of a risk as many like to make it. Of course, the happy place is somewhere in the middle where we do a good job securing the data while as HIPAA outlines, we avoid placing an undue burden on patient care.
Tags: ACOs • HCIT • HIPAA • HIPAA Lawsuits • PCMH • PHI • Y2K
October 13, 2011
Guest Post: Over-Notifying Also Carries Risk – Current State of Breach Notification
Written by: John
Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.
The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.
Some hospitals feel that, since the risk analysis only produces subjective results, why bother? They believe that the effort and expense incurred derives no real benefit for CE or patient, and they just notify the potentially affected patient in every instance.
In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.
For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks – the risk of someone finding and misusing the information, for example. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo which transposed two digits), chances are good that the post office will either return the records to the sender or else the package will go undelivered.
If the records are not accounted for, it is generally accepted that it should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT have a “substantial risk of reputational or financial harm” to the patient. This was apparently HHS’s thinking when it required the risk analysis to be conducted.
In next week’s post, we’ll cover the possible changes to the breach notification rules.
Tags: CE • Covered Entity • HealthPort • HHS • HIPAA Breach • HIPAA Breach Notification • HIPAA Risk Analysis • Jan McDavid • Over Notification • PHI • Privacy Officer • Protected Health Information
Guest Post: Current State of HIPAA Breach Notification – Notify Patients…or Not?
Written by: John
Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.
The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.
Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities: hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?
First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.
The issue with the second requirement is the term “substantial”. It is very subjective and not fully defined within the rules. Conducting a risk analysis and determining the extent would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps under-notify, as the cost of a breach can be very high — both direct costs and the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.
In next week’s post, we’ll cover the risks of over-notifying after a breach.
Tags: CE • Covered Entity • HealthPort • HIPAA Breach • HIPAA Breach Notification • HIPAA Risk Analysis • Jan McDavid • PHI • Privacy Officer • Protected Health Information
September 21, 2011
EMR Security Monitoring Systems
Written by: John
There’s been an interesting situation going on between a couple of EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data. (Note: See this comment from the IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)
Lawsuits aside, meridianEMR is trying to capitalize on the situation by pointing out that its EMR security monitoring system was what notified them of the attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breach attempt and protects patient records.
I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?
Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendors’ strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?
One problem with breaches is that skilled attackers know how to evade the detection part as well. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.
Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.
I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.
One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.
If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.
It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these type of protections and monitoring of EMR systems?
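The post argues that EMR vendors keep audit trails but rarely act on them, and that most published breaches were lost devices or inappropriate use by someone already on the system. The following is an added example (not meridianEMR’s AMS or any vendor’s code) of the kind of detection pass an EMR operator could run over its own audit trail; the log format, roles, thresholds and every log line are constructed for illustration.

```python
"""Toy detection pass over EMR audit-trail records.

Added example, not code from the original post or from any EMR vendor.
The log format, user roles, thresholds and sample lines are constructed.
Two rules are shown: exports outside business hours, and one user touching
more distinct patient records in a short window than their role normally needs
(the "inappropriate use by someone already on the system" case).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: timestamp, user, role, patient id, action.
AUDIT_LOG = """\
2011-09-20T09:02:11 dr_smith physician P1001 view
2011-09-20T09:05:40 dr_smith physician P1001 update
2011-09-20T09:10:03 nurse_lee nurse P1002 view
2011-09-20T09:11:15 nurse_lee nurse P1003 view
2011-09-20T09:12:27 nurse_lee nurse P1004 view
2011-09-20T09:12:59 nurse_lee nurse P1005 view
2011-09-20T09:13:30 nurse_lee nurse P1006 view
2011-09-20T09:14:02 nurse_lee nurse P1007 view
2011-09-20T09:14:40 nurse_lee nurse P1008 view
2011-09-20T23:47:12 billing_ann billing P1001 export
2011-09-20T23:48:55 billing_ann billing P1009 export
"""

# Per-role ceiling on distinct patient records touched within one window.
# Constructed values; a real deployment would derive them from a baseline.
DISTINCT_PATIENT_LIMIT = {"physician": 40, "nurse": 5, "billing": 100}
BUSINESS_HOURS = (7, 20)   # exports allowed from 07:00 up to (not including) 20:00
WINDOW_MINUTES = 10


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def detect(events):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []

    # Rule 1: bulk exports of PHI outside business hours.
    for e in events:
        hour = e["ts"].hour
        in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
        if e["action"] == "export" and not in_hours:
            alerts.append(("after_hours_export", e["user"], e["patient"]))

    # Rule 2: distinct-patient ceiling per user over a sliding window.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        limit = DISTINCT_PATIENT_LIMIT.get(evs[0]["role"], 10)
        for i, e in enumerate(evs):
            # Events for this user that fall inside the window ending at e.
            window = [x for x in evs[:i + 1]
                      if (e["ts"] - x["ts"]).total_seconds() <= WINDOW_MINUTES * 60]
            distinct = {x["patient"] for x in window}
            if len(distinct) > limit:
                # Alert once per user, at the first exceedance.
                alerts.append(("record_volume", user, len(distinct)))
                break
    return alerts


def run():
    return detect(parse_log(AUDIT_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Audit-trail review of this kind is only as good as the baseline behind the thresholds; a rule tuned for a ward nurse will fire constantly on a records clerk, so the per-role table is the part that needs real data.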
Tags: Advanced Monitoring System • EHR Breaches • EHR Vendors • EMR Breaches • EMR Security • EMR Security Monitoring Services • EMR Vendors • Healthcare Hackers • HHS • meridianEMR • UroChart
September 13, 2011
Fitbit Privacy or Lack Thereof – Exposing Sexual Activity of Its Users
Written by: John
Well, privacy rears its ugly head in healthcare again. I don’t want to treat a person’s privacy lightly, but I must admit that I kind of had to laugh at the breach I’m about to tell you about. I think you’ll see why.
I first read about this privacy breach on this Techcrunch article (They originally found it on nextWeb). Here’s a quote from the Techcrunch article:
Yikes. Users of fitness and calorie tracker Fitbit may need to be more careful when creating a profile on the site. The sexual activity of many of the users of the company’s tracker and online platform can be found in Google Search results, meaning that these users’ profiles are public and searchable.
I’ve been a big fan of Fitbit and other devices like it that try to track a person’s health and fitness. I think there’s a real market for these devices, but this is a pretty ugly misstep for Fitbit. Although, a search for sexual activity and Fitbit isn’t returning results any more. Here’s the Fitbit blog post which details the steps they’ve taken to secure their users’ profiles. Seems like a reasonable and smart response to the privacy issue.
Before I go any farther, we should be clear that this isn’t a HIPAA violation. The patient put their information online and agreed to have that information out there. We could argue how much they really agreed to have their profile public, but I’m quite sure that Fitbit would be fine in a HIPAA lawsuit. However, that doesn’t mean they’re not taking the hit for poor decisions.
What can future healthcare app and device companies learn from the Privacy issues at Fitbit?
1. Default healthcare profiles to private. Allow the user to opt in to make it public. Some might want it public, but no company should assume it should be public. This isn’t Facebook.
2. Consider more granular privacy controls. I may want part of my profile public, but part private (i.e. sexual activity in a fitness application).
3. Be aware of what you allow search engines to index. There’s a whole category of hackers called Google Hackers. They use Google to find sensitive information like the story above. It’s amazing the power of Google hacking.
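To make the three lessons concrete, here is an added example (not Fitbit’s code) of a profile model that is private by default, lets the user open individual fields, and only allows search-engine indexing once the user has opted in; the field names and visibility levels are constructed.

```python
"""Privacy-by-default profile model for a health or fitness app.

Added example, not Fitbit's code. Field names, visibility levels and the
sample profile are constructed to illustrate the three lessons above.
"""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PRIVATE = "private"   # owner only (the default for every field)
    FRIENDS = "friends"   # signed-in connections of the owner
    PUBLIC = "public"     # anyone, and the only level eligible for indexing


@dataclass
class Profile:
    owner: str
    data: dict                                      # field name -> value
    visibility: dict = field(default_factory=dict)  # field name -> Visibility
    index_opt_in: bool = False                      # search indexing is opt-in

    def visibility_of(self, name):
        # Lesson 1: anything the user never touched stays private.
        return self.visibility.get(name, Visibility.PRIVATE)

    def set_visibility(self, name, level):
        # Lesson 2: visibility is decided per field, not per profile.
        if name not in self.data:
            raise KeyError(name)
        self.visibility[name] = level

    def view_for(self, viewer, is_friend=False):
        """Return only the fields this viewer is allowed to see."""
        if viewer == self.owner:
            return dict(self.data)
        allowed = {Visibility.PUBLIC}
        if is_friend:
            allowed.add(Visibility.FRIENDS)
        return {k: v for k, v in self.data.items()
                if self.visibility_of(k) in allowed}

    def robots_directive(self):
        """Lesson 3: value for the page's robots meta tag / X-Robots-Tag.

        A profile page is indexable only when the user opted in AND at least
        one field is actually public; otherwise crawlers are told to stay out.
        """
        has_public = any(self.visibility_of(k) is Visibility.PUBLIC
                         for k in self.data)
        if self.index_opt_in and has_public:
            return "index"
        return "noindex, nofollow"


def demo():
    """Walk a constructed profile through the three lessons."""
    p = Profile(owner="alice", data={
        "display_name": "Alice",
        "steps_today": 8200,
        "sleep_hours": 7.5,
        "activity_log": ["5k run", "logged private activity"],
    })
    # Nothing is visible to strangers or friends until the owner says so.
    p.set_visibility("display_name", Visibility.PUBLIC)
    p.set_visibility("steps_today", Visibility.FRIENDS)
    anonymous_view = p.view_for("stranger")
    friend_view = p.view_for("bob", is_friend=True)
    before_opt_in = p.robots_directive()
    p.index_opt_in = True
    after_opt_in = p.robots_directive()
    return anonymous_view, friend_view, before_opt_in, after_opt_in


if __name__ == "__main__":
    for part in demo():
        print(part)
```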
Some suggestions to e-patients that put their health data online:
1. Be careful about what information you’re putting online.
2. Check out where the information you put online will be available. Is it private? Is it public? Is it partially public? Can search engines see it?
There’s little doubt that more and more healthcare information is going to be put online by patients. We’re going to see more and more privacy issues like the one mentioned above. This incident will do little to deter this trend. However, hopefully it can serve as a learning experience for Fitbit and other healthcare companies that are entering this new world of online health information.
Tags: Fitbit • Healthcare Apps • Healthcare Devices • Healthcare Privacy • HIPAA Lawsuit • HIPAA Violation • Privacy • Sexual Activity
September 2, 2011
HIPAA and Football #HITsm
Written by: John
I don’t know about the rest of you, but a big part of me is getting anxious for the start of college football (for my team it starts tomorrow) and the NFL starting on Thursday. It’s one of my favorite times of the year and probably my wife’s least favorite times, but I digress.
During the #HITsm chat today I saw a great quote that talked about HIPAA from Peyton Manning:
@bwilsonIntel – Ben Wilson
RT @jonmertz: HIPAA qte of the week from Peyton Manning: “I dont know what HIPAA stands for, but I believe in it and I practice it.” #HITsm
In case you don’t follow football, Peyton Manning is recovering from neck surgery and the above comment was a nice way for Peyton to say he didn’t want to talk about his medical information.
How long until someone from Peyton’s doctor’s office or hospital gets canned for looking at his records?
Since we’re talking football, healthcare and HIPAA, I’d be remiss to not mention Arian Foster’s recent tweet. This is what he said:
@ArianFoster – Arian Foster
This is an MRI of my hamstring, The white stuff surrounding the muscle is known in the medical world as anti-awesomeness http://moby.to/zta9xp
That’s right. Arian Foster tweeted a picture of the MRI of his hamstring. Of course, he’s welcome to do this. He’s suffering the consequences of his choice (his team said it’s a violation of their team policies). When I heard about the tweet, all I could think was, It’s amazing what some people will do to make a joke. I know this first hand.
Also, I haven’t dug into Arian’s MRI, but it seems like there might be some info in the corners of his MRI that he might not want people to know, no?
Tags: #HITSM • Arian Foster • College Football • Football • HIPAA • NFL • Peyton Manning • Twitter
July 29, 2011
Email Archiving in the Healthcare Industry – Guest Post
Written by: John
This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: email archiving software.
In today’s business environment, litigation is an increasingly common way for disputes to be settled, compliance is included in every business plan, and regulations are reaching into business processes everywhere. Email admins must concern themselves with far more than just whether or not email is flowing. They must ensure that messaging meets the various regulations under which their business falls. They may also have to deal with legal holds, compliance reviews, discovery motions, and internal policy enforcement.
An email archiving solution can assist with all of these tasks, and nowhere is this more important than in the Healthcare industry. Email is becoming the preferred method to communicate, and since there are so many ways in which the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can come into play with data sharing between providers and communications with patients, email archiving can be a very important, and potentially far reaching, service you can add to your email system.
PHI data in email communications
HIPAA requirements are unique to the healthcare industry, but the scope of these requirements can extend well beyond the boundaries of the doctor’s office or hospital. Both the burden and the potential penalties for non-compliance have been increased by HITECH. Enterprises that deal with healthcare providers, including professional services companies like accountants, law firms and IT consulting practices, will find themselves subject to provisions of HIPAA and HITECH as soon as they take on a healthcare provider as a client.
One of the trickier aspects for messaging is that HIPAA specifically addresses the need to encrypt Personal Health Information (PHI) in email communications. It is very rare for healthcare providers to send PHI by email as most of them use specialized messaging systems to do this. However, this doesn’t mean healthcare providers are not sending or receiving email that, indirectly, affects the relationship between healthcare provider and the patient or that between the staff and their patients.
There are other items that could be relevant for an investigation. For example, appointment reminders/confirmations (thus validating that the patient was notified); internal email discussions among doctors/nurses (not directly referencing a patient, but talking about treatments or scheduling); and even general HR emails that a doctor was absent due to illness (if the doctor was away when a claim is made that a patient was misdiagnosed, then they would be cleared of wrongdoing) and so on.
Many organizations, not only in healthcare, underestimate the importance of email in terms of content and intellectual property and being able to refer to emails sent six months earlier or last year can be of great benefit. Email archiving is not specifically called for within the text of HIPAA, but by maintaining a copy of every internal email message or any that was sent to or received from partners, vendors, and clients, you can prove conclusively that messages sent contained no PHI, and that any messages that did contain PHI were sent through the proper and encrypted channels.
Some people argue that email archiving is a double-edged sword – damned if you do, damned if you don’t. This is a rather naïve way of looking at email archiving. If you do archive your email, you have assurance that you comply with any regulations in place and if you are subject to legal requests for information that may be traced through an email, you have the ability to find it.
Now the counter argument would be, ‘well, if I don’t have an email archived, I can’t be condemned because the evidence is not there’. Wrong. If you don’t have the email, someone else certainly does and suddenly you’ve found yourself in a worse situation once the evidence is presented.
Proving that you made the effort at attaining compliance is preferable to doing nothing at all.
Document retention
With email archiving, you can also meet the document retention requirements specified within HIPAA. There is a six year retention period for information related to PHI which is mandated by HIPAA. That can be six years from the creation of a message, or the last date on which the message can be considered relevant. As more communications move from in-person, telephone, and facsimile, to email, patient requests and Healthcare professionals’ responses will follow suit. An email archiving solution makes it easy to retain these communications for the six year timeframe, as well as to automatically purge out those communications which are older than six years or tagged as no longer relevant.
Search and discovery
An email archiving solution is also an excellent way to access the repository of information contained within the combined emails of a company. Consider how much of your own email is saved because it contains data or instructions that simply don’t exist anywhere else. An email archiving solution can empower a user to search their own archived messages for all content related to a search string, such as a patient’s name; it can also enable an authorized user to search across all users’ email for information related to a patient, a condition, a particular medicine, or any other topic. There may well come a day when you must do this in response to a legal order, but there will also be plenty of times when you need to find a key piece of information, or simply want to spot check to ensure that all users are following the policies in place to protect patients’ PHI.
With an email archiving solution in place, healthcare providers not only position themselves to show compliance, review users’ actions, and meet current document retention requirements, they are able to build up a historical repository to meet future needs. The health care provider is also able to take advantage of the many benefits of an email archiving solution that are common across all enterprises, including storage, search, and business continuity.
All product and company names herein may be trademarks of their respective owners.
Full Disclosure: GFI Software Ltd. is an advertiser on EMR and HIPAA.

June 23, 2011
How Serious Is the Security Threat to Connected Medical Devices?
Written by: Neil Versel
I’m in New York City this week for the second Mobile Health Expo, which wrapped up Thursday afternoon. You may have seen the story I wrote for InformationWeek based on one session related to the security of networked medical devices.
Since I just do news and not commentary for InformationWeek, I figured EMR and HIPAA—specifically, the HIPAA part—was the perfect forum to discuss a small controversy that I may have stirred up with that story.
The two presenters from Indianapolis-based security firm eProtex talked about how connected medical devices have recently been popping up all over the place. “As little as two years ago, we checked some hospitals and found that there was less than one networked clinical device per bed,” eProtex Executive Director Earl Reber said.
With network connection and exposure to the Internet came heightened threats from viruses and malware, both internal and external, Reber and eProtex Chief Security Officer Derek Brost said. Sometimes it’s because devices are so old that they still run DOS and simply weren’t built for the HIPAA era. Other times, the greater reliance on various versions of Windows makes medical devices vulnerable to attacks.
Often, Brost said, hospitals are trying to protect the wrong assets. “It’s not the actual medical device in most cases [that is at risk]. It’s the individual patient’s health information,” he said.
All this makes a lot of sense, though it is important to note that the warnings are coming from a security vendor with a real interest in selling products and services to prevent and combat insidious threats to medical equipment and other connected devices such as smartphones and tablets.
This was not lost on at least one person, “ZigZagZeke.” In a comment titled “Ignorance,” this poster said in no uncertain terms:
The speaker is using scare tactics to try to make sales of his protection software. Makers of such software are desperately trying to convince people that their Apple products need protection, because as more and more users switch to Apple, sales of anti-virus software are declining. This use of scare tactics is known by an acronym: FUD, which stands for “fear, uncertainty, and doubt.” It is the speaker’s only hope.
I suspect some of the criticism was directed at me for not differentiating between malware and viruses or between Linux/Unix/Macintosh and Windows.
Did I screw up here by not pressing the speakers on these differences, or are Apple devices and operating systems becoming just as vulnerable to data corruption as Windows? Windows became a prime target not just because of security holes, but because of its ubiquity. Now, the iPad and iPhone seem to rule at least the physician market. Wouldn’t that critical mass put Apple iOS in the crosshairs of a growing number of hackers and malware spreaders?
So what’s the real story here? As devices get connected to EMRs and hospital networks and produce more protected health information (PHI), should healthcare providers be concerned about greater HIPAA liability? If so, where should they focus prevention efforts?
Tags: Apple • eProtex • HIPAA Security • Medical Devices • PHI
June 15, 2011
Can Providers Cope With EMR Security Challenges?
Written by: Katherine Rourke
Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.
After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.
On the other hand, introducing electronic medical records – plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.
For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts. For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.
Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs. Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.
Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.
Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.
Tags: EHR • EHR Security • Electronic Health Records • Electronic Medical Records • EMR • EMR Security • HIPAA • HIPAA Training • Medical Privacy
June 8, 2011
HIPAA Requirements PHI in Natural Disasters
Written by: John
Brian Van Zandt, a long time reader of EMR and HIPAA and an account executive at a managed IT services company in New York, NST, sent me the following fascinating question.
I’ve had a conversation with a few people recently about something that has been on the news a lot recently. A tornado in the Midwest destroyed a hospital, and patient records, x-rays specifically from what I heard, were found miles from the hospital. In extreme cases like that, are hospitals still liable for penalties from HIPAA for losing patient information?
First, I have to start with my regular disclaimer that I’m not a lawyer, I don’t play one on TV and much prefer being a blogger. Consult a lawyer for legal advice.
With that disclaimer, it’s a fascinating situation to consider. I remember from my business law classes in college that there’s a legal term called “Act of God” which seems like it might have consideration in this situation. I can’t say for sure that the Act of God defense would work when it comes to disclosure of PHI, but it would be interesting to see it play out.
I think the other consideration and question is what efforts the hospital made to prevent the disclosure of the PHI. How did they act when the tornado warning was announced? What measures had they taken to prevent such an issue from happening, since they likely knew they were in an area that was prone to tornadoes? What efforts did they put forth once the hospital was destroyed to protect the information that was scattered?
I’m sure there are a lot more questions that would likely be asked. I’m just trying to start the conversation and hopefully some HIPAA lawyers that read this blog will chime in with more details.
Although, I must admit that my first reaction to reading this question was, would people really have a legal issue with this? My point being that someone would have to bring a legal case against this hospital for us to really find out the legal requirements. It’s just a sad commentary on society if individuals would really bring a HIPAA violation against a hospital that was destroyed by a tornado. I’m all for the legal system when there are issues of negligence. I just don’t see how a tornado’s disclosure of PHI miles away is negligence.
Of course, if the hospital had an EMR, they wouldn’t have to worry about an X-ray being found miles away. Well, unless the hard drive, server, computer, laptop, etc was blown miles away. Hopefully the data center planning took natural disasters like this into account. Although, even if it didn’t, with appropriate device encryption even this wouldn’t be an issue. It would be like having an encrypted laptop stolen. One more reason to have an EMR instead of paper records.
This is an interesting edge case that I’d love to learn about since every healthcare entity could potentially be hit by a natural disaster. Of course, I’ve seen a lot of discussion about providing healthcare during a natural disaster. I hadn’t thought as much about HIPAA during a natural disaster. Maybe that’s how it should be.
On a more personal note, my thoughts and prayers go out to those who’ve been hit by this disaster and others. I didn’t know anyone in Joplin, but we have family in Springfield, MA which had a tornado cause destruction as well as some fires raging in Arizona that are affecting many people we know. I wish them all the best as they deal with challenging situations.
Tags: Device Encryption • HIPAA • HIPAA Requirements • Joplin • MO • PHI • Tornadoes

