
NueMD’s Startling HIPAA Compliance Survey Results

Posted on December 12, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent HIPAA compliance survey of 1,000 medical practices and 150 medical billing companies, NueMD found some really startling results about medical practices’ understanding and compliance with HIPAA. You can see their research methodology here and the full HIPAA Compliance survey results.

This is the most in-depth HIPAA survey I’ve ever seen. NueMD and their partners Porter Research and The Daniel Brown Law Group did an amazing job putting together this survey and asking some very important questions. The full results take a while to consume, but here are some summary findings from the survey:

  • Only 32 percent of medical practices knew the HIPAA audits were taking place
  • 35 percent of respondents said their business had conducted a HIPAA risk analysis
  • 34 percent of owners, managers, and administrators reported they were “very confident” their electronic devices containing PHI were HIPAA compliant
  • 24 percent of owners, managers, and administrators at medical practices reported they’ve evaluated all of their Business Associate Agreements
  • 56 percent of office staff and non-owner care providers at practices said they have received HIPAA training within the last year

The most shocking number for me is that only 35% of respondents had conducted a HIPAA risk analysis. That means that 65% of practices are in violation of HIPAA. Yes, a HIPAA risk analysis isn’t just a meaningful use requirement; it was and always has been a part of HIPAA itself. Putting the HIPAA risk assessment in meaningful use was just a way for HHS to try to get more medical practices to comply with HIPAA. I can’t imagine what the above number would have been before meaningful use.

These numbers explain why our post yesterday about HIPAA penalties for unpatched and unsupported software is likely just a preview of coming attractions. I wonder how many more penalties it will take for practices to finally start taking the HIPAA risk assessment seriously.

Thanks NueMD for doing this HIPAA survey. I’m sure I’ll be digging through your full survey results as part of future posts. You’ve created a real treasure trove of HIPAA compliance data.

Firewall & Windows XP HIPAA Penalties

Posted on December 11, 2014 | Written By John Lynn

Anchorage Community Mental Health Services, Inc, has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation once Microsoft stopped providing updates for it on April 8, 2014. Thankfully, it was one of our most read posts, with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling, and he also points out that Microsoft Office 2003 and Microsoft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsupported and unpatched software, Mike Semel offers some great advice on firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $150,000 Anchorage Community Mental Health Services HIPAA penalty and a $400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

What Do We Know About Minimum Necessary Coming to HIPAA?

Posted on November 14, 2014 | Written By John Lynn

We recently sat down with Alisha R. Smith, RHIA, HIM Compliance Educator at Healthport, to talk about HIPAA Omnibus and one of the components that was left out of the HIPAA Omnibus final rule: minimum necessary. In the video below, Alisha talks about what your company can do to prepare for minimum necessary and what minimum necessary might require if it gets included in future HIPAA requirements.

What do you think about Alisha’s recommendations? Do you think that legislation will be passed to include minimum necessary as part of HIPAA?

Unfinished Business: More HIPAA Guidelines to Come

Posted on August 4, 2014 | Written By

The following is a guest blog post by Rita Bowen, Sr. Vice President of HIM and Privacy Officer at HealthPort.

After all of the hullabaloo since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the HIPAA Omnibus, it’s humbling to realize that the work is not complete. While the Omnibus covered a lot of territory in providing new guidelines for the privacy and security of electronic health records, the Final Rule failed to address three key pieces of legislation that are of great relevance to healthcare providers.

The three areas include the “minimum necessary” standard; whistleblower compensation; and revised parameters for electronic health information (EHI) access logs. No specific timetable has been provided for the release of revised legislation.

Minimum Necessary

The minimum necessary standard requires providers to “take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

This requires that the intent of the request and the review of the health information be matched to assure that only the minimum information intended for the authorized release be provided. To date, HHS has conducted a variety of evaluations and is in the process of assessing that data.

Whistleblower Compensation

The second bit of unfinished legislation is a proposed rule being considered by HHS that would dramatically increase the payment to Medicare fraud whistleblowers. If adopted, the program, called the Medicare Incentive Reward Program (IRP), will raise payments from a current maximum of $1,000 to nearly $10 million.

I believe that the added incentive will create heightened sensitivity to fraud and that more individuals will be motivated to act. People are cognizant of fraudulent situations but they have lacked the incentive to report, unless they are deeply disgruntled.

Per the proposed plan, reports of fraud can be made by simply making a phone call to the correct reporting agency which should facilitate whistleblowing.

Access Logs

The third, and most contentious, area of concern is with EHI access logs. The proposed legislation calls for a single log to be created and provided to the patient, that would contain all instances of access to the patient’s EHI, no matter the system or situation.

From a patient perspective, the log would be unwieldy, cumbersome and extremely difficult to decipher for the patient’s needs. An even more worrisome aspect is that of the privacy of healthcare workers.

Employees sense that their own privacy would be invaded if regulations require that their information, including their names and other personal identifiers, be shared as part of the accessed record. Many healthcare workers have raised concerns regarding their own safety if this information is openly made available. This topic has received a tremendous amount of attention.

Alternate plans under discussion would negotiate the content of access logs, tailoring them to contain appropriate data about the person the patient is asking about, while still satisfying patients and protecting the privacy of providers.
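As an added illustration of the trade-off the access log discussion above raises (example code written for this page, not part of the original post or of any HealthPort tool): it merges access events from several hypothetical source systems into one chronological per-patient log, then derives a patient-facing report that identifies accessors by role and department rather than by name, while the full record with workforce identifiers stays in the compliance copy. The system names, event fields and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    """One access to a patient's electronic health information, as collected
    from a source system. Field names are an assumption for this example."""
    system: str          # source system the event was collected from
    timestamp: datetime
    patient_id: str
    user_id: str         # workforce identifier; kept only in the compliance copy
    role: str
    department: str
    action: str          # what was done: view, print, export, ...
    purpose: str         # documented reason for the access


# Constructed sample events from three hypothetical systems (EHR, lab, billing).
SAMPLE_EVENTS = [
    AccessEvent("ehr", datetime(2014, 7, 1, 9, 5), "P-1001", "u42",
                "Physician", "Orthopedics", "view", "treatment"),
    AccessEvent("ehr", datetime(2014, 7, 1, 9, 40), "P-1001", "u42",
                "Physician", "Orthopedics", "view", "treatment"),
    AccessEvent("lab", datetime(2014, 7, 1, 10, 30), "P-1001", "u77",
                "Lab Technician", "Laboratory", "view", "treatment"),
    AccessEvent("billing", datetime(2014, 7, 2, 14, 0), "P-1001", "u13",
                "Billing Specialist", "Patient Accounts", "export", "payment"),
    AccessEvent("ehr", datetime(2014, 7, 3, 8, 15), "P-1001", "u42",
                "Physician", "Orthopedics", "view", "treatment"),
    AccessEvent("ehr", datetime(2014, 7, 3, 8, 20), "P-2002", "u42",
                "Physician", "Orthopedics", "view", "treatment"),
]


def consolidated_log(events, patient_id):
    """The single, system-spanning log the proposal describes: every access to
    one patient's record, in time order, with workforce identifiers intact.
    This is the copy the privacy officer keeps for investigations."""
    return sorted((e for e in events if e.patient_id == patient_id),
                  key=lambda e: e.timestamp)


def patient_report(events, patient_id):
    """Patient-facing view: the same accesses, grouped by day, role, department,
    action and purpose. Individual user identifiers never enter these rows, so
    the patient still learns who (by role) saw the record, when and why."""
    counts = defaultdict(int)
    for e in consolidated_log(events, patient_id):
        key = (e.timestamp.date().isoformat(), e.role, e.department,
               e.action, e.purpose)
        counts[key] += 1
    return [
        {"date": d, "role": r, "department": dept, "action": a,
         "purpose": p, "count": n}
        for (d, r, dept, a, p), n in sorted(counts.items())
    ]


def report_is_complete(events, patient_id):
    """Sanity check: summarising must not drop accesses. The row counts in the
    patient report have to add up to the number of events in the full log."""
    full = consolidated_log(events, patient_id)
    summarised = sum(row["count"] for row in patient_report(events, patient_id))
    return summarised == len(full)


def render_report(report):
    """Plain-text lines a practice could hand to the patient."""
    return [
        f"{row['date']}  {row['role']} ({row['department']})  "
        f"{row['action']} x{row['count']}  purpose: {row['purpose']}"
        for row in report
    ]


if __name__ == "__main__":
    for line in render_report(patient_report(SAMPLE_EVENTS, "P-1001")):
        print(line)
```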

The Value of Data Governance

Most of my conversations circle back to the value of information (or data) governance. This situation of unfinished EHI design and management is no different. Once released, the new legislation for the “minimum necessary” standard, whistleblower compensation and revised parameters for medical access logs must be woven into your existing information governance plan.

Information governance is authority and control—the planning, monitoring and enforcement—of your data assets, which could be compromised if all of the dots are not connected. Organizations should be using this time to build the appropriate foundation to their EHI.

About the Author:
Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Atlanta Hospital Sues Exec Over Allegedly Stolen Health Data

Posted on November 1, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In most cases of hospital data theft, you usually learn that a laptop was stolen or a PC hacked. But in this case, a hospital is claiming that one of its executives stole a wide array of data from the facility, according to the Atlanta Business Chronicle.

In a complaint filed last week in Atlanta federal court, Children’s Healthcare of Atlanta asserts that corporate audit advisor Sharon McCray stole a boatload of proprietary information. The list of compromised data includes PHI of children, DEA numbers, health provider license numbers for over 500 healthcare providers, financial information and more, the newspaper reports.

According to the Children’s complaint, McCray announced her resignation on October 16th, then on the 18th, began e-mailing the information to herself using a personal account. On the 21st, Children’s cut off her access to her corporate e-mail account, and the next day she was fired.

Not surprisingly, Children’s has demanded that McCray return the information, but as of the date of the filing, McCray had neither returned nor destroyed the data, nor permitted Children’s to inspect her personal computer, the hospital says. Children’s is asking a federal judge to force McCray to give back the information.

According to IT security firm Redspin, nearly 60 percent of the PHI breaches reported to HHS under notification rules involved a business associate, and 67 percent were the result of theft or loss. In other words, theft by an executive with the facility — if that is indeed what happened — is still an unusual occurrence.

But given the high commercial value of the PHI and medical practitioner data, I wouldn’t be surprised if hospital execs were tempted into theft. Hospitals are just going to have to monitor execs as closely as they do front-line employees.

Hacking HIPAA – Patient Focused Common Notice of Privacy Practices

Posted on June 27, 2013 | Written By John Lynn

How can you not be interested in an article that talks about hacking? Of course, in this case I’m talking about hacking in a much more general sense. Most people think of hacking as some nefarious person compromising a system they shouldn’t be accessing. The broader use of the term hack is to create something that fixes a problem. You “hack” something together to make it work.

This is what David Harlow, Ian Eslick, and Fred Trotter had in mind when they got together to hack HIPAA. They wanted to create a HIPAA Notice of Privacy Practices (NPP) that would provide meaningful privacy choices for patients while still enabling the use of the latest technology. Far too often HIPAA is seen as an excuse for why doctors don’t use technology. However, if the NPP is set up correctly, it can enhance patient privacy while allowing use of the latest technologies in your practice.

The Hacking HIPAA team decided to leverage the power of crowdfunding to see if they could collaboratively develop a patient focused Notice of Privacy Practices. I really love the idea of a Common Notice of Privacy Practices. If you like this idea, you can help fund the Hacking HIPAA project on MedStartr.

For those not familiar with crowdfunding, imagine your healthcare organization getting $10,000 worth of legal work from one of the top healthcare lawyers for only $1000. Looked at another way, you get an updated Notice of Privacy Practices with all the latest HIPAA omnibus rules incorporated for only $1000. Call your lawyer and see if they’d be willing to provide an NPP for that price. Plus, your lawyer probably will just provide you some cookie cutter NPP they find as opposed to a well thought out NPP.

This is such a great idea. I hope that a large number of healthcare organizations get behind the project. I’d also love to see some of the HIPAA disclosure companies and EHR companies support the project as well. The NPP will have a creative commons license so those companies could help fund the project, provide feedback in the creation of the NPP and then distribute the NPP to all of their customers. What better way to build the relationship with your customers than to provide them a well thought out NPP?

If you want a little more information on how the Hacking HIPAA project came together, here’s a video of Fred Trotter talking about it. Also, be sure to read the details on the Hacking HIPAA MedStartr page.

URMC Faces Third HIPAA Breach

Posted on May 7, 2013 | Written By Katherine Rourke

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by the loss of an unencrypted USB drive by a physician, reports Healthcare IT News.  The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive.  Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive runs counter to URMC’s campus-wide policy. URMC requires physicians and staff to use only encrypted drives — the only kind which are stored in its on-campus computer center.  The latest URMC security policy also requires all mobile devices to be password protected, encrypted, and to have a time-out if unattended.

In an effort to make sure further security breaches don’t occur, the health organization is re-educating its faculty and staff on its security policy, and plans an annual education series to reinforce this training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach involving more than 500 patients reported to HHS, the magazine reports. The previous two breaches, which involved PHI for nearly 3,500 patients, both took place in 2010.  One of the two involved the loss of an encrypted portable electronic device.

HIPAA Omnibus – What Should You Know?

Posted on March 26, 2013 | Written By John Lynn

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Posted on February 25, 2013 | Written By John Lynn

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies Individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance?  The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HIPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB


Health Data Hacking Likely To Increase

Posted on February 15, 2013 | Written By Katherine Rourke

Wondering about trends in the various protected health information breaches you’ve seen in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.