Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HIPAA Fines and Penalties in a HIPAA Omnibus World

Written by:

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is going to likely come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like previous covered entities.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be created against these organizations or the brand impact to the organization of a HIPAA violation. The penalties of a HIPAA violation range between $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willfull Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

July 25, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

EHR and Malpractice Lawsuits

Written by:

Long time reader Carl recently pointed me to this excellent AHIMA article on EHR and Malpractice Lawsuits. It’s first section sums up the current state of EHR and lawsuits quite well:

Medical records are a vital part of any healthcare lawsuit because they document what happened during treatment. Paper medical records are relatively simple aspects of litigation. HIM staff pull the requested chart, track down additional information as necessary, and sometimes provide a deposition on the record’s accuracy.

The process is far more complex with an EHR. The record of a patient’s care that a clinician views on screen may not exist in that form anywhere else. When the information is taken out of the system and submitted into legal proceedings, the court has a very different view—one that often confuses the proceedings and, in the worst instances, raises suspicions about the record’s validity.

The challenges stem from the design of the systems, which were built for care—not court. If the provider struggles in providing documentation, a trial involving malpractice can easily shift its focus from an examination of care to a fault-finding mission with the recordkeeping system. At other times, the provider’s inability to put forward the information in a comprehensible format may raise suspicions that it is missing, withholding, or obscuring information.

I’d probably modify the sentence that says that EHR’s were “built for care-not court” to say that EHR’s were “built for billing-not court”, but the idea is still the same. The big issues for EHR in lawsuits is that there’s no really good precedent for how an EHR will be treated in court. We’re so early in the process of legal cases that use EHR documentation, that we just don’t know how the courts are going to deal with EHR documentation.

Plus, when you consider that there are 300+ EHR companies out there, I’m not sure that a legal case with one EHR software is going to be applied the same way to the other EHR software. Each EHR displays data differently. Each EHR audits users differently. Each EHR stores data differently. So, I expect that each EHR will be looked at in a different way.

The AHIMA article linked above is a good read for those interested in this topic and points out a lot of other issues that could face an HIM staff that’s dealing with a case involving documentation in an EHR. Although, one of the overriding messages is that HIM staff and healthcare organizations are going to need an expert of their EHR involved in the process. In fact, I can see many HIM departments getting trained up on EHR in order to fulfill this need.

What I also see coming is a new group of EHR expert witnesses. Again, I think that these expert witnesses will have to have specific knowledge of a particular EHR to be really effective. I’m sure they’ll come from the ranks of EHR consultants, former EHR employees, and some EHR users. Considering the millions of dollars on the line in these malpractice cases, these EHR expert witnesses stand to make a lot of money.

I don’t want to make it all sound doom and gloom. I expect that there will be many cases involving EHR where a doctor or institution is covered better by an EHR than they were in the paper world. This will be even more true as EHR vendors continue to shore up their EHR audit logs and processes. There’s new legal risks with EHR, but there are also old risks that are removed by using an EHR. We just need to make sure we’re ready for the new risks.

January 23, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Doctors Increasingly Texting, But HIPAA Protection Lacking

Written by:

A new study of physicians working at pediatric hospitals has concluded what we might have assumed anyway — that they prefer the use of SMS texting via mobile phone to pagers. What’s worrisome, however, is that little if any of this communication seems to be going on in a HIPAA-secure manner.

The study, by the University of Kansas School of Medicine at Wichita, asked 106 doctors at pediatric hospitals what avenues they prefer for “brief communication” while at work. Of this group, 27 percent chose texting as their favorite method, 23 percent preferred hospital-issued pagers and 21 percent face to face conversation, according to a report in mHealthWatch.

What’s interesting is that text-friendly or not, 57 percent of doctors said they sent or got work-related text messages.  And 12 percent of pediatricians reported sending more than 10 messages per shift.

With all that texting going on,  you’d figure hospitals would have a policy in place to ensure HIPAA requirements were met. But in reality, few doctors said that their hospital had such a policy in place.

That’s particularly concerning considering that 41 percent of respondents said they received work-related text messages on a personal phone, and only 18 percent on a hospital-assigned phone. I think it’s fair to say that this arrangement is rife with opportunities for HIPAA no-nos.

It’s not that the health IT vendor world isn’t aware that this is a problem; I know my colleague John has covered technology for secure texting between medical professionals and he’s also an advisor to secure text messaging company docBeat. However, not much is going to happen until hospitals get worried enough to identify this as a serious issue and they realize that secure text message can be just as easy as regular text along with additional benefits.

In the mean time, doctors will continue texting away — some getting 50-100 messages a day, according to one researcher — in an uncertain environment.  Seems to me this is a recipe for HIPAA disaster.

November 2, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The Immortal Life of Healthcare IT, Secure Texting Scam, and iPhone Heart Rate — Around Health Care Scene

Written by:

EMR and EHR

The Immortal Life of Healthcare IT

Patient engagement has evolved in many ways in the past century. While patients used to rely on doctors for any information regarding health care, it’s now common for patients to “diagnose” themselves, before even stepping foot into a doctor’s office. “The Immortal Life” by Henrietta Lacks, and the authors thoughts, are compared and contrasted to life nowadays.

Interview with Verizon Wireless’ Arthur Lane

A leader for mobile health solution development for Verizon’s Connected Health, Arthur Lane, was interviewed over at EMR and EHR this past week. He focuses his work on developing solutions that help with Verizon’s wireless, cloud, and security. The interview focuses on Health IT and mHealth, and what is in the works at Verizon. He discussed the benefits of mHealth, and what is to come in the future.

Hospital EMR and EHR
What Won’t Happen in #HIT By September 2013

There’s a lot going on with Health Care IT, and it seems as if we’re always hearing about the latest and greatest innovation. However, despite the leaps and bounds that are being made, we can’t expect everything in the EMR industry to be perfect by next year. Anne Zeigler talks about things that won’t be happening in #HIT over the next year, including lack of major growth in remote monitoring and no high penetration HIE.

Meaningful Healthcare It News With Neil Versel

Sampling of opinions on meaningful use Stage 2

The meaningful use Stage 2 final rules have caused quite a bit of discussion across the web since they were announced. Some good, some bad. Neil Versel compiled some of the opinions and thoughts he has discovered over the past few weeks, and created this post with some of them.

Wired EMR and EHR Doctor

The Secure Texting Scam

Medical practices may be getting offers from companies that offer “secure texting,” that won’t violated HIPAA standards. However, how secure can texting be? Dr. Michael Koriwchak talks about the “secure texting scam,” and talks about the reasons why secure texting can fail. Don’t get caught in this trap, and end up paying a large amount for a product that might not deliver what you think.

Smart Phone Health Care

Detect Heart Rate With iPhone Camera – #HITsm Chat Discovery

Finding out your heart rate is now easier than ever — simply by using the camera on your iPhone. This new way to detect heart rate requires no special equipment, beyond an iPhone 4. The app tracks the information and allows the user to view changes over time, among other features.

September 9, 2012 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

EHR Mandate, HIPAA Privacy Violations, EHR Companies, Benefits of EMR and EHR and more

Written by:

As most long time readers know, I’m a bit of a stats fanatic when it comes to my website. I love to see the internal numbers of what’s happening on my website. In fact, you might remember that I’ve wondered why I’m not as interested in my “health numbers.” Although, I actually am interested. I love getting my cholesterol value after giving blood. I’m using my scale more and more (with sad, but motivating results). The real challenge is that we need personal health data to be as easily created and tracked as website health data, but I digress.

I thought it would be fun to look over the past 3 months on EMR and HIPAA and see which pages and posts are the most popular. Plus, I’ll add some commentary or updates on each.

The most visited posts in the last 3 months was my post on the 2014 EHR Mandate. When you look at the searches I get referred to EMR and HIPAA, you can see why this page has been so popular. I’m actually really glad that doctors get this page since it does a great job describing how there isn’t an EHR mandate. Although, there are incentives, penalties and reasons why you might want to implement an EHR. I’m sure that post has done a lot to dispel the myth of the EHR mandate.

The next most popular post is my very old post on HIPAA Privacy Violations & HIPAA Lawsuits. I expect the reason it’s so popular is that many clinics are worried about HIPAA and any issues they may have with it. Plus, it’s kind of like a car crash, you can’t resist taking a look to see what’s happened. Those two factors make for great blog reading.

My next two most popular pages are both lists of EMR and EHR companies. The second list is from a post on the overwhelming list of EMR and EHR companies I did back in early 2006, but it’s still amazingly popular. A lot has changed since 2006 in the EHR world. It’s fun to look through the list and see which EHR software is still around and see some old names of companies that are no longer with us. One thing that remains the same is the list of EMR and EHR vendors is still overwhelming. Although, maybe that has changed. The list of EMR and EHR vendors might be more overwhelming today than it was in 2006.

I’m really glad to see that so many people are reading my list of EMR & EHR benefits page. Far too many practices have put on their Meaningful Use blinders that they forget to look at the reasons that physicians were implementing EHR software before the government waived $36 billion in front of their face. There are some guaranteed benefits to EHR including: legibility of patient charts and Accessibility of Charts. It’s hard to put a dollar value on those, but they are incredibly valuable.

Another popular post was about Email Not Being HIPAA Secure. The next most popular post after it is ironically “HIPAA Lawsuit – PHI by Un-encrypted Email.” I think many doctors have appreciated the insight about various technologies and how to satisfy HIPAA. Another in that series is the Texting is Not HIPAA Secure.

The final post I’ll look at in this round up is called Example of EMR Stimulus Medicare Penalties. Those EHR penalties are looming and I think this post provides some good perspective and understanding on how big the EHR penalties are for a practice. Sure, each practice needs to add in their own Medicare numbers, but that’s simple math.

June 5, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

HIPAA Applies To Those Who Don’t Know About It

Written by:

Now here’s a pretty how-to-do for HIPAA lawbreakers. According to a new appellate decision in California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and obviously, got caught).  After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up in the United States District Court for the Central District of California last month. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data spying was illegal under HIPAA.  Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA]  is not limited to defendants who knew that their
actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words,  if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee?  If it were my PHI, that’s where I’d be venting my wrath.

May 17, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Covered Entity Is the Only One with “Egg on their Face”

Written by:

When I first started writing this blog about six years ago, I named it EMR and HIPAA. I was working to implement an EMR at that time (this was well before EHR became in vogue) and I knew that HIPAA was a major talking point in healthcare.

Over time I’ve learned that doctors care enough about HIPAA to make sure that they don’t hear about it again. Up until now, that’s worked pretty well for most doctors. There haven’t been many HIPAA lawsuits and the government has mostly only investigated reported incidents.

We started to see a shift in this with the passing of the HITECH act which many described as giving “teeth” to HIPAA. I think we’re just now starting to see some of those teeth coming to bear with things like the OCR audits that 150 HIPAA covered entities will experience this year. That’s still a pretty small number, but the experience of those 150 is teaching us and the government a lot about areas where healthcare institutions have done a good job with privacy and security and where they likely are weak.

While at HIMSS I had the pleasure to have a brief conversation with CynergisTek CEO and chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan. I love talking with people like Mac since he is an absolute domain expert in the areas of privacy and security in healthcare. You just start him talking and from memory he’s pouring out his knowledge about these important and often overlooked topics. I loved what he had to say so much that I asked him if he’d do a series of blog posts on the OCR audits which I could publish on EMR and HIPAA. He said he was interested and so I hope we’re able to make it happen.

One simple thing that Mac McMillan taught me in our admittedly brief conversation was the changing role of the business associate in healthcare. In the past, most covered entities kind of hid behind their business associates. Many did little to verify or keep track of the policies and procedures employed by their business associates. With the new HITECH rules for disclosure of breaches and the OCR audits, covered entities are going to have to keep a much better eye on their business associates.

Mac then pointed out to me that the reason covered entities have to take on more responsibility is that they’re the ones that are going to be held responsible and take the blunt of the problem if their business associate has a privacy or security issue. I see it as the Covered Entity will be the one with Egg on their Face.

I don’t think we have to take this to an extreme. However, there’s little doubt that covered entities could do a much better job evaluating the privacy and security of their business associates and hold them to a much higher standard. If they aren’t, I wouldn’t want to be there for the OCR audit with them.

February 28, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Written by:


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

November 3, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: Expect New Rules to Expand Notification – Current State of HIPAA Breach Notification

Written by:


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

It is widely expected that Health and Human Service (HHS) final disclosure rules will mandate notification be done in every case. Should this occur as predicted, additional patient education will be needed to avoid the concerns mentioned above.

Further complicating matters is the fact that hospitals must adhere to HHS rules AND those at the state level. State laws in some cases are more onerous than federal laws and they continue to morph. Just trying to stay on top of all the changes may be reason enough to disclose every instance of breached information. Whether it contains protected health information (PHI) or not, some states require patient notification in every instance of the inadvertent release of certain i.d. information.

In next week’s post, we’ll cover whether small breaches are still reportable.

October 27, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Securing PHI Feels A Lot Like Y2K

Written by:

Seems like the comments being made on posts and being emailed to me have been really interesting lately. As I often like to do, I want to highlight those that provide interesting stuff in the comments since many people don’t read all the comments. Here’s one such comment from ip-doctor on my post about de-identified healthcare data.

I am interested in knowing how readers answer John’s question re position on use of de-identified data. My guess is that people don’t know it’s going on and will object to it happening in principle.

Securing PHI feels a lot like Y2K. No doubt breaches occur, and, when they do, they are certainly costly for the offending HCO, but how many examples are there of leaked information being used to harm someone? Seems like the same proscriptions vs. extortion, blackmail, and libel would prevent individuals from using illegally obtained PHI to harm patients.

In fact, the odds that there is a Person A who wishes to harm Person B AND who somehow comes up with Person B’s sensitive PHI AND is able to use it to harm Person B without Person B having ample legal recourse against Person A are hopelessly LONG. Breaches of thousands/hundreds of thousands/millions of records are too large and unspecific to be “used” for nefarious purposes.

We need to secure PHI, but we are hoisting ourselves on our own petards if we let legitimate concerns about the use of patient data block or slow our adoption of EMRs and HCIT for ACOs and PCMHs. Just as there are real benefits associated with use of de-id’ed patient data, there are (significant, hidden) costs with not sharing health data.

The irony here is that the most common, undeniably harmful use of sensitive PHI has been to deny coverage to patients with pre-existing conditions. Kind of makes sense. It is, after all, health information.

Nothing like sharing a post about the fears and challenges associated with sharing data and privacy and following up with a post that talks about how it might not be as big of a risk as many like to make it. Of course, the happy place is somewhere in the middle where we do a good job securing the data while as HIPAA outlines, we avoid placing an undue burden on patient care.

October 19, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.