
Six Reality Checks of HIPAA Compliance

Posted on April 23, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Between Windows XP going out of support and the risk analysis required by meaningful use, many in healthcare are finally waking up to the HIPAA compliance requirements. Certainly there has always been an overtone of HIPAA compliance in the industry, but it’s one thing to think about HIPAA compliance and another to be HIPAA compliant.

This whitepaper, called HIPAA Compliance: 6 Reality Checks, is a great wake-up call for those who feel they have nothing to worry about when it comes to HIPAA. While many are getting ready, there are still plenty who need a reality check when it comes to HIPAA compliance.

Here’s a look at why everyone could likely benefit from a HIPAA reality check:
(1) Data breaches are a constant threat
(2) OCR audits reveal health care providers are not in compliance
(3) Workforce members pose a significant risk for HIPAA liability
(4) Patients are aware of their right to file a complaint
(5) OCR is increasing its focus on HIPAA enforcement
(6) HIPAA Compliance is not an option, it’s LAW

Obviously, the whitepaper goes into a lot more detail on each of these areas. As I look through the list, what seems clear to me is that HIPAA compliance is a problem. Every organization should ask itself the following questions:

Are we HIPAA compliant?

What are you doing to mitigate the risk of a breach or HIPAA violation?

When I look at the details of the 6 Reality Checks in the whitepaper, I realize that everyone could benefit from a harder look at their HIPAA compliance. A little investment now could save a lot of heartache later.

4Med Health IT Courses – HIPAA Training, ICD-10 Training, PQRS Training and More

Posted on January 21, 2014 | Written By John Lynn

As most of you know, I’ve been sharing a number of different 4Med approved education courses on this site and throughout my various social media channels. I think 4Med has done a pretty good job putting together training courses that matter to those of us in Healthcare IT. For example, they have HIPAA courses, EHR courses, ICD-10 courses and they recently added a course on PQRS which I haven’t seen anywhere else. Since this site is a 4Med partner, those links and the discount code “healthcare20” will get you a 20% discount off the course price. Plus, many of the courses include CMEs for those who need them.

What’s also been amazing to me is how many people I work with sell the 4Med courses as well. Everyone from health IT service providers to EHR consulting companies are signed up as 4Med affiliates and are suggesting these courses to their clients.

It makes sense that so many people are interested in these training courses. HIPAA Omnibus has led many to take another look at their HIPAA compliance, and one of its requirements is regular HIPAA training. ICD-10 is bearing down on us and many aren’t ready, so ICD-10 training is going to be huge over the next 6 months. PQRS penalties are coming and many have no idea how the PQRS program even works. Hopefully these training courses can be useful for many of you.

Windows XP Won’t Be HIPAA Compliant April 8, 2014

Posted on December 12, 2013 | Written By John Lynn

As Microsoft announced a long time ago, support for Windows XP is ending on April 8, 2014. Most of us don’t think this is a big deal and ask, “Do people still use Windows XP?” IT support people in healthcare, however, know the answer to that question is yes, and far too often.

With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:

Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.

Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.

Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.

Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization; those will be fine. The problem is the hundreds of other applications a healthcare organization has to support, some of which only run on Windows XP. Those could be a real issue for organizations.
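The first step Mac’s comment implies is knowing which machines are still on an unsupported OS before an auditor finds them. Below is an added example of that check, not code from the post or from CynergisTek: it reads an inventory export and flags hosts whose operating system is past its vendor end-of-support date. The Windows XP date is the one the post cites; the Windows Server 2003 entry, the CSV column names and the sample hosts are assumptions constructed for the example.

```python
"""Flag inventory hosts whose operating system is past its vendor end-of-support
date, so that machines such as Windows XP workstations show up in the risk
analysis instead of being discovered during an audit."""
import csv
import io
from datetime import date

# Vendor end-of-support dates, keyed by lower-cased product prefix. Windows XP's
# date is the one cited in the post (April 8, 2014); Windows Server 2003 is
# Microsoft's published date and is included as an assumption for the example.
# Extend this table from your vendors' lifecycle pages before relying on it.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
}

# Constructed sample inventory export (not real hosts). A real run would read
# the CSV exported from asset-management or directory tooling.
SAMPLE_INVENTORY = """hostname,os,owner
rad-ws01,Windows XP,radiology
pacs-ws03,Windows XP Professional SP3,radiology
fd-ws02,Windows 7,front-desk
lab-srv1,Windows Server 2003,lab
"""


def support_status(os_name, as_of):
    """Return (status, eol) where status is 'unsupported', 'supported' or
    'unknown'. Matching is by product prefix so edition and service-pack
    suffixes ('Windows XP Professional SP3') map to the product's date.
    The end-of-support day itself counts as unsupported."""
    name = " ".join(os_name.lower().split())
    for product, eol in END_OF_SUPPORT.items():
        if name.startswith(product):
            return ("unsupported" if as_of >= eol else "supported"), eol
    return "unknown", None


def review_inventory(csv_text, as_of):
    """Split an inventory export into hosts past end-of-support and hosts whose
    OS is not in the lifecycle table. Unknown hosts are returned rather than
    silently treated as supported: a gap in the table is itself a finding."""
    unsupported, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, eol = support_status(row["os"], as_of)
        if status == "unsupported":
            unsupported.append({
                "hostname": row["hostname"],
                "os": row["os"],
                "owner": row["owner"],
                "days_past_eol": (as_of - eol).days,
            })
        elif status == "unknown":
            unknown.append(row["hostname"])
    # Longest-unsupported first, then by name so the order is deterministic.
    unsupported.sort(key=lambda f: (-f["days_past_eol"], f["hostname"]))
    return {"unsupported": unsupported, "unknown": unknown}


if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY, date(2014, 4, 9))
    for finding in result["unsupported"]:
        print(f'{finding["hostname"]:10} {finding["os"]:30} '
              f'{finding["days_past_eol"]} day(s) past end of support '
              f'(owner: {finding["owner"]})')
    for host in result["unknown"]:
        print(f"{host:10} OS not in lifecycle table; add it before the next review")
```

The unknown list matters as much as the unsupported one: an inventory review that only reports matches will quietly pass every host whose OS string nobody added to the table.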

Outside of these systems, it’s just a major undertaking to move from Windows XP to a new O/S. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if an organization isn’t HIPAA compliant, it also risks failing the meaningful use security requirements. The meaningful use risk analysis should have caught this, right?

I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.

HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

Posted on July 9, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on the news, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform the audits required by HITECH.

Here’s how OCR is going to check both you and your business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary of the audit areas from the Beyond Healthcare Reform blog of the law firm Faegre Baker Daniels:

Privacy Rule:
  • Notices of privacy practices
  • Right to request privacy protection for PHI
  • Access to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accountings of disclosures

Security Rule:
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to account for disclosures of patient information made through an EMR, including disclosures for treatment, payment or operations.

While that’s sticky to enforce, it mostly affects providers rather than business associates. But things could get a little trickier going forward: a new proposed rule would require a basic access report covering not just EMRs, but any use or disclosure of ePHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they hold a designated record set) would have to provide access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether, in the meantime, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) will still haunt us. Scary times.

Are We Ready For ACOs? Security, Process Issues Abound

Posted on June 13, 2012 | Written By Katherine Rourke

Accountable Care Organizations are starting to emerge and solidify, though they still seem to be mostly the efforts of large integrated health systems dancing with large medical groups and partner hospitals with very strong IT departments.  In other words, ACOs don’t seem to be for the weak or poorly funded, at least not yet.

The business issues these entities face (aligning physicians with global goals, most particularly) are complicated and taxing enough. Once you’ve gotten those initiatives in motion, it’s time to interoperate and share data. After all, you have a better chance of accomplishing them if your group shares health data freely and uses advanced functions of EMRs to track collective clinical progress.

The thing is, even big, mature IDNs with a tightly-knit ACO group are still struggling with physician alignment and, as we all know, getting what they need from their EMR and health data exchange.

Given how hard creating consensus and sharing interoperable data is, it’d be nice to end the critique right there. But the truth is, shared goals and shared systems are just one layer of the problem.

One thing I don’t hear much of is serious discussion as to the security issues that open up when you share data across the porous borders of ACO partner organizations.

Now, I am neither a lawyer nor an engineer (IANALOE), so I’m not going to attempt to articulate any long list of specific security problems. But just because IANALOE doesn’t mean I can’t see the obvious:  Data shared widely is data exposed, unless you’ve got some great solutions in place.

Moreover, data shared among even partnered ACO organizations will pass through some organizations that have trained their staff effectively in HIPAA compliance, and others where the training was minimal or didn’t take.  This is a problem that must be faced by HIEs in any event, but even  more when providers need to manage at the case level, doing deep dives into patient records rather than skimming summaries and drug lists.

I’m not suggesting that ACOs don’t work — actually, I think they can perform very well — but I am suggesting that we aren’t taking the process and security issues as seriously as we should.  I do hope solutions to these problems emerge as ACOs refine their business models.  If not, I see some serious crashes in the future.

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Posted on June 6, 2012 | Written By Katherine Rourke

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns.  I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There are many, many ways a business associate can drop the ball, especially if you’re not keeping them informed. For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions. The lost tapes included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have been at fault, it was the hospital that was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General imposed these fines because the hospital hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates? The following list of criteria, supplied by Thu Pham, seems likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose.  Now, over to you. Do you think this list is sufficient to protect your institution?  Are there items you’d add or clarify?

HIPAA Applies To Those Who Don’t Know About It

Posted on May 17, 2012 | Written By Katherine Rourke

Now here’s a pretty how-de-do for HIPAA lawbreakers. According to a new appellate decision out of California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and obviously, got caught).  After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up before the United States Court of Appeals for the Ninth Circuit, on appeal from the District Court for the Central District of California. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data snooping was illegal under HIPAA. Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA] is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words,  if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee?  If it were my PHI, that’s where I’d be venting my wrath.
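Two posts above point at the same control. The HITECH piece describes the proposed per-patient access report, which has to include treatment, payment and operations accesses; the Zhou case is the textbook thing such a review should surface, an account still reading charts after its owner was terminated. The following is an added example that does both over a constructed audit log; it is not code from either post, and the log columns, user names and roster format are assumptions for the example, not any EHR vendor’s real audit format.

```python
"""Review an EHR access log two ways: build the per-patient access report that
the proposed rule would require, and flag accesses made with workforce
accounts that had already been terminated."""
import csv
import io
from datetime import datetime, date

# Constructed sample data (not real logs or people). A real run would read the
# audit trail your EHR exports and the termination dates from HR or the
# directory; the column names below are assumptions for the example.
ACCESS_LOG = """timestamp,user,patient_id,action,application
2012-03-01T09:12:00,dr.ortiz,P1001,view,ehr
2012-03-01T09:15:00,billing.kim,P1001,view,billing
2012-03-02T22:41:00,rsrch.lee,P1001,view,ehr
2012-03-02T22:43:00,rsrch.lee,P1002,view,ehr
2012-03-03T08:05:00,dr.ortiz,P1002,update,ehr
"""

WORKFORCE = """user,role,terminated
dr.ortiz,physician,
billing.kim,billing,
rsrch.lee,research assistant,2012-02-15
"""


def parse_log(text):
    """Parse the CSV audit trail into dicts with a real datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        records.append(row)
    return records


def parse_workforce(text):
    """Map user -> termination date (None for active accounts)."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(text)):
        terminated[row["user"]] = (
            date.fromisoformat(row["terminated"]) if row["terminated"] else None
        )
    return terminated


def access_report(records, patient_id):
    """Every access to one patient's record, in time order. Treatment,
    payment and operations accesses are included, which is what distinguishes
    the proposed access report from the older accounting of disclosures."""
    hits = [r for r in records if r["patient_id"] == patient_id]
    hits.sort(key=lambda r: r["timestamp"])
    return [
        (r["timestamp"].isoformat(), r["user"], r["action"], r["application"])
        for r in hits
    ]


def post_termination_access(records, terminated):
    """Accesses by accounts on or after their termination date. The
    termination day itself counts: the account should have been disabled
    when the person left. Users missing from the roster are reported too;
    an unknown user on the audit trail is a finding, not something to skip."""
    findings = []
    for r in records:
        when = r["timestamp"]
        if r["user"] not in terminated:
            findings.append((when.isoformat(), r["user"], r["patient_id"],
                             "user not in roster"))
        elif terminated[r["user"]] is not None and when.date() >= terminated[r["user"]]:
            findings.append((when.isoformat(), r["user"], r["patient_id"],
                             "access after termination"))
    return findings


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    roster = parse_workforce(WORKFORCE)
    print("Access report for P1001:")
    for line in access_report(log, "P1001"):
        print("  ", *line)
    print("Post-termination access:")
    for line in post_termination_access(log, roster):
        print("  ", *line)
```

Running this review on a schedule, against the same audit trail the access report is built from, is the cheapest answer to the question the post ends on: it is the hospital’s own log that shows whether an ex-employee’s account kept working.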

Clinical Documentation Upgrade Critical Before ICD-10 Conversion

Posted on April 4, 2012 | Written By Katherine Rourke

For most provider organizations, the news that ICD-10 implementation is likely to be delayed is, at minimum, a big relief. But don’t let that lull you into a false sense of security, suggests Priya Patel of tech consulting firm Perficient. Even if the ICD-10 rollout is delayed — as many hope — until October 2013, it’s still going to happen.

So what can organizations do to reduce that weak feeling in the knees associated with ICD-10? Well, generally speaking, Patel notes, your organization is already overdue for an ICD-10 impact assessment to figure out how to move ahead.

While the whole assessment is important, perhaps the most important element of the ICD-10 preparation process is clinical documentation assessment, Patel says. In fact, “if you choose not to assess your clinical documentation, you will certainly lose!” Patel asserts. Lose what?  Well, clinical and business effectiveness, sure, but also a great deal of money.

Right now, few doctors document thoroughly enough to support coders, who are forced to work from assumptions, often make mistakes and end up redoing their work. As things move to ICD-10, these problems are only likely to get worse, as consistency in coding will become even more important.

Unfortunately, that’s not going to happen on its own. In fact, according to Patel, a recent study of 3,000-odd medical records across the country found that only 37 percent of existing physician documentation would meet the standards set by ICD-10. Most organizations, in other words, will find that the documentation they have on hand is nowhere near as specific as it should be to support ICD-10 coding.

To figure out just how much your physicians need to improve before you transition to ICD-10, it’s critical to assess what clinical documentation gaps your organization faces, Patel says.

Anyone who reads Patel’s article and doesn’t see it as a red-hot wake-up call (delayed deadline or not) is crazy. It’s hard to argue that it won’t take a lot of time and training of doctors, coders and hospital staff. If clinicians don’t drill down to the codes that carry clinical impact for them, and medical coders don’t get much more training on documentation, anatomy and physiology and disease processes, things could get ugly, Patel notes.

Can Providers Cope With EMR Security Challenges?

Posted on June 15, 2011 | Written By Katherine Rourke

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  — plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway, because if providers aren’t ready to think about these issues, things aren’t going to be pretty.

Meaningful Use and HIPAA – The Risk Analysis

Posted on April 6, 2011 | Written By John Lynn

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle on the HIPAA side of Meaningful Use is the Risk Analysis, which some also refer to as the Risk Assessment.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions.  It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR, new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.