URMC Faces Third HIPAA Breach

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by the loss of an unencrypted USB drive by a physician, reports Healthcare IT News.  The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive.  Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive ran counter to URMC’s campus-wide policy, which requires physicians and staff to use only encrypted drives, the only kind available from its on-campus computer center. URMC’s latest security policy also requires all mobile devices to be password protected and encrypted, and to time out when left unattended.

To prevent further breaches, the health system is re-educating its faculty and staff on its security policy and plans an annual education series to reinforce that training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach affecting more than 500 patients to be reported to HHS, the publication reports. The previous two, both in 2010, involved PHI for nearly 3,500 patients; one of them involved the loss of an encrypted portable electronic device.
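The common thread in this and the earlier URMC incidents is a device that left the building without encryption, and the policy answer is “encrypted drives only.” A practitioner auditing a device fleet also needs a way to verify that a drive actually carries full-disk encryption rather than trusting the label on the box. The following Python is an added example, not code from URMC, Healthcare IT News or this blog: it classifies the first sector of a drive or image by the public on-disk signatures of LUKS (magic bytes LUKS\xba\xbe at offset 0, big-endian version at offset 6) and BitLocker (OEM ID -FVE-FS- at offset 3), and treats anything it cannot identify as not proven encrypted. The sample sectors are constructed inline and the device names, function names and the pass/fail policy are my own assumptions.

```python
import struct
from typing import Dict

# Public on-disk signatures. These are format facts, not anything specific to URMC.
LUKS_MAGIC = b"LUKS\xba\xbe"      # bytes 0..5 of a LUKS1/LUKS2 header
BITLOCKER_OEM_ID = b"-FVE-FS-"    # bytes 3..10 of a BitLocker volume's boot sector
SECTOR = 512


def classify_sector(head: bytes) -> str:
    """Classify the first sector of a volume.

    Returns 'luks1', 'luks2', 'bitlocker' or 'unrecognised'. 'unrecognised'
    deliberately covers both plaintext filesystems and encryption formats that
    have no distinctive header (VeraCrypt containers look like random data), so
    for an inventory check the safe reading of it is "not proven encrypted".
    """
    if len(head) < SECTOR:
        raise ValueError(f"need at least {SECTOR} bytes, got {len(head)}")
    if head[:6] == LUKS_MAGIC:
        (version,) = struct.unpack(">H", head[6:8])   # big-endian uint16 at offset 6
        return f"luks{version}" if version in (1, 2) else "unrecognised"
    if head[3:11] == BITLOCKER_OEM_ID:
        return "bitlocker"
    return "unrecognised"


def is_compliant(kind: str) -> bool:
    """Assumed policy: only a drive with a recognised FDE header passes."""
    return kind in {"luks1", "luks2", "bitlocker"}


def read_first_sector(path: str) -> bytes:
    """Read the first sector of a device node (/dev/sdb1) or a dd image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def audit_images(images: Dict[str, bytes]) -> Dict[str, dict]:
    """Run the check over {device_name: first_sector_bytes} and report per device."""
    report = {}
    for name, head in images.items():
        kind = classify_sector(head)
        report[name] = {"format": kind, "compliant": is_compliant(kind)}
    return report


def _sector(prefix: bytes, offset: int = 0) -> bytes:
    """Build a constructed 512-byte sample sector with `prefix` placed at `offset`."""
    buf = bytearray(SECTOR)
    buf[offset:offset + len(prefix)] = prefix
    return bytes(buf)


# Constructed sample inventory for the demonstration; these are not real devices.
SAMPLE_IMAGES = {
    "usb-resident-A": _sector(LUKS_MAGIC + struct.pack(">H", 2)),   # LUKS2 header
    "usb-resident-B": _sector(LUKS_MAGIC + struct.pack(">H", 1)),   # LUKS1 header
    "laptop-C": _sector(b"\xeb\x58\x90" + BITLOCKER_OEM_ID),        # BitLocker boot sector
    "usb-resident-D": _sector(b"\xeb\x58\x90" + b"MSDOS5.0"),       # plain FAT32, no FDE
}

if __name__ == "__main__":
    for dev, finding in audit_images(SAMPLE_IMAGES).items():
        flag = "OK  " if finding["compliant"] else "FAIL"
        print(f"{flag} {dev}: {finding['format']}")
```

Two caveats when running this against real hardware: check every partition, not just the raw disk, because a LUKS or BitLocker container usually lives inside a partition; and a missing signature is evidence of non-compliance, not proof of plaintext, which is exactly why the check fails closed. A recognised header also says nothing about whether the key is protected by a decent passphrase or whether the PHI is actually inside the container, so this is an inventory screen, not a substitute for the policy.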

May 7, 2013 | Written by

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

HIPAA Omnibus – What Should You Know?

I had the great opportunity to sit down with HIPAA expert Rita Bowen from HealthPort at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

March 26, 2013 | Written by

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance? The following tips should help ensure a smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HIPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

February 25, 2013 | Written by John Lynn

Health Data Hacking Likely To Increase

Wondering about trends in the protected health information breaches you see in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since the breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted five times as many patient records as those at covered entities. (It certainly encourages one to take a second look at how skilled one’s business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

February 15, 2013 | Written by Katherine Rourke

Hospital Forced To Provide EMR Data Access By Court

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state’s Division of Public Health Services to release patient records, but had challenged the order, arguing that it would be violating state and federal law if it provided free access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection with a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the used syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws. (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think it’d be wide open to suits by patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care.  A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

November 13, 2012 | Written by Katherine Rourke

Verizon Launches HIPAA-Compliant Cloud Services

Last month, I shared some of Verizon’s big plans for the medical space with you, including their desire to become the industry’s default carrier of secure healthcare data.  This week, Verizon has launched its cloud service line, and I wanted to share some of the details on how it’s set up with you.

Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. In addition to the services, Verizon provides a HIPAA Business Associate Agreement which, one would assume, is particularly stringent in how it safeguards data storage and transmission between parties.

The new Verizon services will be offered through cloud-enabled data centers in Miami and Culpeper, Va. run by Terremark, which Verizon acquired some time ago. Security standards include PCI-DSS Level 1 compliance, ITIL v3-based best practices and facility clearances up to Department of Defense levels, Verizon reports.

In addition to meeting physical standards for HIPAA compliance, Verizon has trained workers at the former Terremark facilities on the specifics of handling ePHI, Verizon exec Dr. Peter Tippett told Computerworld magazine.

You won’t be surprised to learn that Verizon is also pitching its (doubtless very expensive) health IT consulting services as well to help clients take advantage of all of this cloud wonderfulness.

Not surprisingly, Verizon notes in its press release that “each client remains responsible for ensuring that it complies with HIPAA and all other applicable laws and applications.” If I were Verizon, I’d be saying that too, and it doubtless states the obvious. That being said, it does make me wonder just how much they manage to opt out of in their business associate agreement. Call me crazy, but I think they’d want to leave as much wiggle room as humanly possible.

The bigger question, as I see it, is how big the market for these services really is at present. According to the Computerworld story, only 16.5 percent of healthcare providers use public or private clouds right now. Verizon may be able to turn things around on the strength of its brand alone, but there are no guarantees. I guess we’ll have to wait and see.

October 4, 2012 | Written by Katherine Rourke

HIPAA Infographic

Who doesn’t like a good infographic? My favorite part of this HIPAA infographic is the last section where it breaks out the number of healthcare organizations that are being investigated for HIPAA violations and the results of those investigations.

HIPAA Violation Infographic
Infographic authored by Inspired eLearning, a leading provider of online HIPAA compliance training solutions. To view the original post, check out the original HIPAA violation infographic.

September 27, 2012 | Written by John Lynn

Verizon Hopes To Be Secure Healthcare Network For All

If you’re like me, you might be wondering how carriers are looking at their role in the healthcare business, and whether some of their talk about mHealth is just noise. (I’ve always seen mHealth as a space ripe to be dominated by application developers and device manufacturers, not carriers.)

To get my head straight, I recently had a conversation with Dr. Peter Tippett, chief medical officer and vice president of Verizon Connected Health Care. In it, he changed my view of what Verizon is doing in mHealth, and moreover, what ground Verizon specifically hopes to own in healthcare over the next several years.

When I think Verizon I think switches and routers and cables, not consumer-facing applications and medical devices. And before I talked to Dr. Tippett, I assumed that Verizon’s main healthcare efforts likely involved going head to head with other wireless/wireline connectivity players for connectivity business in some form.

Well, think again.  Verizon’s Connected Health Division, says Tippett, is aiming to set the bar much higher.

“The question is, ‘what happens after wireless data?’,” Dr. Tippett said. “This isn’t a two month plan, this is a strategic extension of Verizon to transform the healthcare industry using our huge capability around the world.”

On the more immediate front, Verizon has mHealth technology under development which, to my mind, would solve a difficult problem. For five years, he says, Verizon has been developing a new mHealth platform which will tie together data from testing devices like blood pressure cuffs, weight scales and EKGs into an analytics engine that makes sense of it all.

“No doctor wants four glucoses a day from 1,000 patients,” Dr. Tippett says. “Just mobilizing the data isn’t enough. You’ve got to create a cloud service that can do big data analytics on it and normalize the data, then trigger the alerts to the right people — including patients.”

I’m going to keep my eye on the mHealth platform, which definitely intrigues me.

But the really big play for Verizon in this space seems to be in HIPAA-secure data hosting and exchange. Verizon already has a massive presence around hosting, app management, security, identity management and the cloud, having added Cybertrust and Terremark (enterprise hosting) to build up its lineup.

Verizon now offers secure data sharing on multiple levels:

*  A “medical data exchange” — not unlike the exchange banks use to pass transactions back and forth — allowing any member to share information using Verizon’s security services.

* An exchange “identity layer” which is secure enough to allow Schedule 2 drugs to be prescribed. According to Dr. Tippett, 40 percent of doctors in the U.S. are already using it.

* A global network of highly-secured data centers.

Members of the medical ecosystem who use secure Verizon services can consider their HIPAA compliance and security matters handled, then focus on their core business, Dr. Tippett says. And that can scale to hundreds of millions of users on the network, he notes.

Clearly, this doesn’t sound like the broadband carrier talking — these folks are out to take business from players as diverse as Verisign, IBM and the database giants.  It makes sense to me, on the surface, but in any grand vision there are holes to be picked.

You tell me:  Does Verizon sound like it’s positioned right to become the default secure healthcare backbone?

September 11, 2012 | Written by Katherine Rourke

The Immortal Life of Healthcare IT, Secure Texting Scam, and iPhone Heart Rate — Around Health Care Scene

EMR and EHR

The Immortal Life of Healthcare IT

Patient engagement has evolved in many ways in the past century. While patients used to rely on doctors for any information regarding health care, it’s now common for patients to “diagnose” themselves before even setting foot in a doctor’s office. Rebecca Skloot’s “The Immortal Life of Henrietta Lacks,” and the author’s thoughts, are compared and contrasted with life nowadays.

Interview with Verizon Wireless’ Arthur Lane

A leader for mobile health solution development for Verizon’s Connected Health, Arthur Lane, was interviewed over at EMR and EHR this past week. He focuses his work on developing solutions that help with Verizon’s wireless, cloud, and security. The interview focuses on Health IT and mHealth, and what is in the works at Verizon. He discussed the benefits of mHealth, and what is to come in the future.

Hospital EMR and EHR
What Won’t Happen in #HIT By September 2013

There’s a lot going on with Health Care IT, and it seems as if we’re always hearing about the latest and greatest innovation. However, despite the leaps and bounds that are being made, we can’t expect everything in the EMR industry to be perfect by next year. Anne Zieger talks about things that won’t be happening in #HIT over the next year, including a lack of major growth in remote monitoring and no high-penetration HIE.

Meaningful Healthcare IT News With Neil Versel

Sampling of opinions on meaningful use Stage 2

The meaningful use Stage 2 final rules have caused quite a bit of discussion across the web since they were announced. Some good, some bad. Neil Versel compiled some of the opinions and thoughts he has discovered over the past few weeks, and created this post with some of them.

Wired EMR and EHR Doctor

The Secure Texting Scam

Medical practices may be getting offers from companies that offer “secure texting” that won’t violate HIPAA standards. However, how secure can texting be? Dr. Michael Koriwchak talks about the “secure texting scam,” and about the reasons why secure texting can fail. Don’t get caught in this trap and end up paying a large amount for a product that might not deliver what you think.

Smart Phone Health Care

Detect Heart Rate With iPhone Camera – #HITsm Chat Discovery

Finding out your heart rate is now easier than ever — simply by using the camera on your iPhone. This new way to detect heart rate requires no special equipment, beyond an iPhone 4. The app tracks the information and allows the user to view changes over time, among other features.

September 9, 2012 | Written by

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform the audits required by HITECH.

Here’s how OCR is going to check both you and your business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from law firm Faegre Baker Daniels:

Privacy Rule:
  • Notices of privacy practices
  • Right to request privacy protection for PHI
  • Access to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accountings of disclosures

Security Rule:
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to account for their uses and disclosures of patient information, including for treatment, payment or operations, when the access was through an EMR.

While that’s sticky to enforce, it mostly affects providers rather than business associates. But things could get trickier going forward. A new proposed rule would require a basic access report covering not just EMRs, but also uses and disclosures of e-PHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated record set) would have to provide the access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether, in the meantime, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us. Scary times.

July 9, 2012 | Written by Katherine Rourke