Atlanta Hospital Sues Exec Over Allegedly Stolen Health Data

In most cases of hospital data theft, you usually learn that a laptop was stolen or a PC hacked. But in this case, a hospital is claiming that one of its executives stole a wide array of data from the facility, according to the Atlanta Business Chronicle.

In a complaint filed last week in Atlanta federal court, Children’s Healthcare of Atlanta asserts that corporate audit advisor Sharon McCray stole a boatload of proprietary information. The list of compromised data includes PHI of children, DEA numbers, health provider license numbers for over 500 healthcare providers, financial information and more, the newspaper reports.

According to the Children’s complaint, McCray announced her resignation on October 16th, then on the 18th, began e-mailing the information to herself using a personal account. On the 21st, Children’s cut off her access to her corporate e-mail account, and the next day she was fired.

Not surprisingly, Children’s has demanded that McCray return the information, but as of the date of the filing, McCray had neither returned or destroyed the data nor permitted Children’s to inspect her personal computer, the hospital says. Children’s is asking a federal judge to force McCray to give back the information.

According to IT security firm Redspin, nearly 60 percent of the PHI breaches reported to HHS under notification rules involved a business associate, and 67 percent were the result of theft or loss. In other words, theft by an executive with the facility — if that is indeed what happened — is still an unusual occurrence.

But given the high commercial value of the PHI and medical practitioner data, I wouldn’t be surprised if hospital execs were tempted into theft. Hospitals are just going to have to monitor execs as closely as they do front-line employees.

November 1, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Hacking HIPAA – Patient Focused Common Notice of Privacy Practices

How can you not be interested in an article that talks about hacking? Of course, in this case I’m talking about hacking in a much more general sense. Most people think of hacking as some nefarious person compromising a system they shouldn’t be accessing. The broader use of the term hack is to create something that fixes a problem. You “hack” something together to make it work.

This is what David Harlow, Ian Eslick, and Fred Trotter had in mind when they got together to hack HIPAA. They wanted to create a HIPAA Notice of Privacy Practices (NPP) that would provide meaningful privacy choices for patients while still enabling the use of the latest technology. Far too often HIPAA is seen as an excuse for why doctors don’t use technology. However, if the NPP is set up correctly, it can enhance patient privacy while allowing use of the latest technologies in your practice.

The Hacking HIPAA team decided to leverage the power of crowdfunding to see if they could collaboratively develop a patient focused Notice of Privacy Practices. I really love the idea of a Common Notice of Privacy Practices. If you like this idea, you can help fund the Hacking HIPAA project on MedStartr.

For those not familiar with crowdfunding, imagine your healthcare organization getting $10,000 worth of legal work from one of the top healthcare lawyers for only $1000. Looked at another way, you get an updated Notice of Privacy Practices with all the latest HIPAA omnibus rules incorporated for only $1000. Call your lawyer and see if they’d be willing to provide an NPP for that price. Plus, your lawyer probably will just provide you some cookie cutter NPP they find as opposed to a well thought out NPP.

This is such a great idea. I hope that a large number of healthcare organizations get behind the project. I’d also love to see some of the HIPAA disclosure companies and EHR companies support the project as well. The NPP will have a creative commons license so those companies could help fund the project, provide feedback in the creation of the NPP and then distribute the NPP to all of their customers. What better way to build the relationship with your customers than to provide them a well thought out NPP?

If you want a little more information on how the Hacking HIPAA project came together, here’s a video of Fred Trotter talking about it. Also, be sure to read the details on the Hacking HIPAA MedStartr page.

June 27, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

URMC Faces Third HIPAA Breach

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by the loss of an unencrypted USB drive by a physician, reports Healthcare IT News. The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive. Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive runs counter to URMC’s campus-wide policy. URMC requires physicians and staff to use only encrypted drives, the only kind stocked in its on-campus computer center. The latest URMC security policy also requires all mobile devices to be password protected, encrypted, and to time out if left unattended.

In an effort to make sure further security breaches don’t occur, the health organization is re-educating its faculty and staff on its security policy, and plans an annual education series to reinforce this training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach involving more than 500 patients reported to HHS, the magazine reports. The previous two breaches, which involved PHI for nearly 3,500 patients, both took place in 2010. One of the two involved the loss of an encrypted portable electronic device.

May 7, 2013 | Written by Katherine Rourke

HIPAA Omnibus – What Should You Know?

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

March 26, 2013 | Written by John Lynn

The Final HIPAA Omnibus Rule: A Sharing of Accountability

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies Individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance? The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HIPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of the Mentor FORE Triumph Award and a Distinguished Member of AHIMA’s Quality Management Section. She served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including the CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records. She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group. She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program. She also serves on the advisory board for Care Communications based in Chicago, Illinois.

February 25, 2013 | Written by John Lynn

Health Data Hacking Likely To Increase

Wondering about trends in the various protected health information breaches you see in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

February 15, 2013 | Written by Katherine Rourke

Hospital Forced To Provide EMR Data Access By Court

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state’s Division of Public Health Services to release patient records, but had challenged the order, arguing that it would be violating state and federal law if it provided free access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection with a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the dirty syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws. (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think it’d be wide-open liable to suits by patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care. A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

November 13, 2012 | Written by Katherine Rourke

Verizon Launches HIPAA-Compliant Cloud Services

Last month, I shared some of Verizon’s big plans for the medical space with you, including their desire to become the industry’s default carrier of secure healthcare data. This week, Verizon has launched its cloud service line, and I wanted to share some of the details on how it’s set up with you.

Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. In addition to the services, Verizon provides a HIPAA Business Associate Agreement which, one would assume, is particularly stringent in how it safeguards data storage and transmission between parties.

The new Verizon services will be offered through cloud-enabled data centers in Miami and Culpeper, Va. run by Terremark, which Verizon acquired some time ago. Security standards include PCI-DSS Level 1 compliance, ITIL v3-based best practices and facility clearances up to the Department of Defense, Verizon reports.

In addition to meeting physical standards for HIPAA compliance, Verizon has trained workers at the former Terremark facilities on the specifics of handling ePHI, Verizon exec Dr. Peter Tippett told Computerworld magazine.

You won’t be surprised to learn that Verizon is also pitching its (doubtless very expensive) health IT consulting services as well to help clients take advantage of all of this cloud wonderfulness.

Not surprisingly, Verizon notes in its press release that “each client remains responsible for ensuring that it complies with HIPAA and all other applicable laws and applications.” If I were Verizon, I’d be saying that too, and it doubtless states the obvious. That being said, it does make me wonder just how much they manage to opt out of in their business associate agreement. Call me crazy, but I think they’d want to leave as much wiggle room as humanly possible.

The bigger question, as I see it, is how big the market for these services really is at present. According to the Computerworld story, only 16.5 percent of healthcare providers use public or private clouds right now. Verizon may be able to turn things around on the strength of its brand alone, but there are no guarantees. I guess we’ll have to wait and see.

October 4, 2012 | Written by Katherine Rourke

HIPAA Infographic

Who doesn’t like a good infographic? My favorite part of this HIPAA infographic is the last section where it breaks out the number of healthcare organizations that are being investigated for HIPAA violations and the results of those investigations.

[Infographic: HIPAA Violation Infographic]

Infographic authored by Inspired eLearning, a leading provider of online HIPAA compliance training solutions. To view the original post, check out the original HIPAA violation infographic.

September 27, 2012 | Written by John Lynn

Verizon Hopes To Be Secure Healthcare Network For All

If you’re like me, you might be wondering how carriers are looking at their role in the healthcare business — and whether some of their talk about mHealth is just noise. (I’ve always seen mHealth as a space ripe to be dominated by applications developers and device manufacturers, not carriers.)

To get my head straight, I recently had a conversation with Dr. Peter Tippett, chief medical officer and vice president of Verizon Connected Health Care. In it, he changed my view of what Verizon is doing in mHealth, and moreover, what ground Verizon specifically hopes to own in healthcare over the next several years.

When I think Verizon I think switches and routers and cables, not consumer-facing applications and medical devices. And before I talked to Dr. Tippett, I assumed that Verizon’s main healthcare efforts likely involved going head to head with other wireless/wireline connectivity players for connectivity business in some form.

Well, think again. Verizon’s Connected Health Division, says Tippett, is aiming to set the bar much higher.

“The question is, ‘what happens after wireless data?’,” Dr. Tippett said. “This isn’t a two month plan, this is a strategic extension of Verizon to transform the healthcare industry using our huge capability around the world.”

On the more immediate front, Verizon has mHealth technology under development which, to my mind, would solve a difficult problem. For five years, he says, Verizon has been developing a new mHealth platform which will tie together data from testing devices like blood pressure cuffs, weight scales and EKGs into an analytics engine that makes sense of it all.

“No doctor wants four glucoses a day from 1,000 patients,” Dr. Tippett says. “Just mobilizing the data isn’t enough. You’ve got to create a cloud service that can do big data analytics on it and normalize the data, then trigger the alerts to the right people — including patients.”

I’m going to keep my eye on the mHealth platform, which definitely intrigues me.

But the really big play for Verizon in this space seems to be in HIPAA-secure data hosting and exchange. Verizon already has a massive presence around hosting, app management, security, identity management and the cloud, having added Cybertrust and Terremark (enterprise hosting) to build up its lineup.

Verizon now offers secure data sharing on multiple levels:

* A “medical data exchange” — not unlike the exchange banks use to pass transactions back and forth — allowing any member to share information using Verizon’s security services.

* An exchange “identity layer” which is secure enough to allow Schedule 2 drugs to be prescribed. According to Dr. Tippett, 40 percent of doctors in the U.S. are already using it.

* A global network of highly-secured data centers.

Members of the medical ecosystem who use secure Verizon services can consider their HIPAA compliance and security matters handled, then focus on their core business, Dr. Tippett says. And that can scale to hundreds of millions of users on the network, he notes.

Clearly, this doesn’t sound like the broadband carrier talking — these folks are out to take business from players as diverse as Verisign, IBM and the database giants. It makes sense to me, on the surface, but in any grand vision there are holes to be picked.

You tell me: Does Verizon sound like it’s positioned right to become the default secure healthcare backbone?

September 11, 2012 | Written by Katherine Rourke