NFL Players’ Medical Records Stolen

Posted on June 21, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’d been meaning to write about this story for a while now, but only just got around to it. In case you missed it, thousands of NFL players’ medical records were stolen. Here’s a piece of the Deadspin summary of the incident:

In late April, the NFL recently informed its players, a Skins athletic trainer’s car was broken into. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players.

The Redskins later issued this statement:

The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.

The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.

It’s interesting that the Redskins said that it didn’t include any PHI that would be covered by HIPAA rules and regulations. I was interested in how HIPAA would apply to an NFL team, so I reached out to David Harlow for the answer. David Harlow, Health Blawg writer, offered these insights into whether NFL records are required to comply with HIPAA or not:

These records fall in a gray zone between employment records and health records. Clearly the NFL understands what’s at stake if, as reported, they’ve proactively reached out to the HIPAA police. At least one federal court is on record in a similar case saying, essentially, C’mon, you know you’re a covered entity; get with the program.

Michael Magrath, current Chairman of the HIMSS Identity Management Task Force and Director of Healthcare Business at VASCO Data Security, offered this insight into the breach:

This is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players’ medical information.

Laptop thefts are commonplace and one of the most common entries (310 incidents) on the HHS’ Office of Civil Rights portal listing Breaches Affecting 500 or More Individuals. Encryption is one of the basic requirements to secure a laptop, yet organizations continue to gamble without it and innocent victims can face a lifetime of identity theft and medical identity theft.

Assuming the laptop was Windows-based, security can be enhanced by replacing the static Windows password with two-factor authentication in the form of a one-time password. Without the authenticator to generate the one-time password, gaining entry to the laptop will be extremely difficult. By combining encryption and strong authentication to gain entry into the laptop, the players’ and prospects’ protected health information would not be at risk, all because organizations and members wish to avoid a few moments of inconvenience.
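The statement above draws the line between "password-protected" and "encrypted", which is exactly what an administrator auditing a fleet needs to check. The following is an added example, not code from the post or from VASCO: a PowerShell function using the built-in BitLocker module that reports whether a Windows volume is actually encrypted, whether protection is active, and whether unlocking it requires a secret the thief does not have (TPM+PIN or similar) rather than TPM alone. The "Finding" wording is this example's own, not a standard classification.

```powershell
# Added example: tell a merely password-protected Windows laptop from an
# encrypted one. Uses the built-in BitLocker module (Windows 8 / Server 2012
# and later); run from an elevated PowerShell session.
function Get-LaptopEncryptionFinding {
    param([string]$MountPoint = $env:SystemDrive)   # normally "C:"

    # Get-BitLockerVolume throws if the BitLocker feature is not present at all.
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            MountPoint   = $MountPoint
            VolumeStatus = 'Unavailable'
            ProtectionOn = $false
            PreBootAuth  = $false
            Finding      = 'BitLocker not available: data at rest is readable if the drive is pulled'
        }
    }

    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A TPM-only protector unlocks the disk at boot with no user secret, so the
    # thief still lands on the Windows logon screen. TPM+PIN, TPM+startup key
    # or a password protector require something the thief does not have.
    $preBootTypes = 'TpmAndPin', 'TpmAndStartupKey', 'TpmAndPinAndStartupKey', 'Password'
    $preBoot      = @($protectors | Where-Object { $_ -in $preBootTypes }).Count -gt 0
    $encrypted    = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protectionOn = $vol.ProtectionStatus -eq 'On'

    $finding = if (-not $encrypted) {
        'Unencrypted: the Windows logon password gates the OS, not the disk contents'
    } elseif (-not $protectionOn) {
        'Encrypted but protection suspended: clear key on disk, treat as unencrypted'
    } elseif (-not $preBoot) {
        'Encrypted (TPM only): resists disk removal, but boots unattended to the logon screen'
    } else {
        'Encrypted with pre-boot authentication'
    }

    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeStatus = [string]$vol.VolumeStatus
        ProtectionOn = $protectionOn
        PreBootAuth  = $preBoot
        Finding      = $finding
    }
}

# Report for the system drive; the same call can be run per machine via
# Invoke-Command across a fleet and the Finding column tallied.
Get-LaptopEncryptionFinding | Format-List
```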

This story brings up some important points. First, healthcare is far from the only industry that has issues with breaches and things like stolen or lost laptops. Second, healthcare isn’t the only industry that sees the importance of encrypting mobile devices. However, despite that importance, many organizations still aren’t doing so. Third, HIPAA is an interesting law since it only covers PHI and covered entities. HIPAA Omnibus expanded that to business associates. However, there are still a bunch of grey areas where it isn’t clear whether HIPAA applies. Plus, there are a lot of white areas where your health information is stored and HIPAA doesn’t apply at all.

Long story short, be smart and encrypt your health data no matter where it’s stored. Be careful where you share your health data. Anyone could be breached and HIPAA will only protect you so much (covered entity or not).

10 Years of Blogging – The HealthBlawg

Posted on June 10, 2016 | Written By John Lynn

My friend and colleague, David Harlow, is celebrating an important milestone on his blog. It’s the 10th anniversary of his HealthBlawg. That’s a long time in blog years. I know since I just passed my 10 year anniversary last year as well. It’s amazing for me to think back on all those years and the things I’ve learned from David’s posts on HealthBlawg.

In true David Harlow fashion, he’s doing a great 10 year celebration of HealthBlawg with what he’s calling the Festschrift of the Blogosphere. As part of that celebration, he’s invited other bloggers (including myself) to write posts in the HealthBlawg’s Tenth Blogiversary. I loved the idea since in many ways it took me back to the early days of blogging (before Twitter and other social media) where we all connected with each other on blogs.

I think David still has a number of other posts coming from guest bloggers, but I thought I’d highlight a few of them which I found extremely interesting.

First up is Dr. Nick van Terheyden’s post called “Channeling Churchill to deal with innovation, impatience and chaos in healthcare”. The whole post is great and worth a read, but this part stood out to me in particular:

Everything you thought you knew about how to make your organization financially successful will change. Profit centers like radiology and diagnostic imaging will become cost centers; the more high-end expensive care you give, which once supported all the more mundane services you provide, the lower your profits will be. Instead of filling beds, your job will be to keep them empty.

It’s a big challenge, but the same kind of augmented intelligence systems that will help physicians keep patients healthy can help you keep your organization healthy. Analytics can help you identify and stratify risk, so that you can contract with payers at rates that won’t kill your bottom line. And it can help you identify gaps in care that could lead to the need for expensive treatments and procedures.

It’s going to take a while for organizations to really process what Dr. Nick is saying. In fact, I don’t think most will and they’ll be blindsided when it happens. Talk about a dramatic shift in thinking and Dr. Nick described it so well. Combine this with Dr. Nick’s opening comments about the shifting consumer expectations and we’re in for some big changes.

Another post honoring the HealthBlawg that stood out to me was e-Patient Dave’s post called “Gimme my DaM Data: liberating to patients, scary to some.” I’d heard most of Dave’s story before, but he offered a few insights into it that I’d never heard before. However, his message is still just as compelling today as it was when he first started blogging about his data issues back in 2009.

It’s too bad these things are still issues because I wish we could put e-Patient Dave out of business. Ok, that might sound harsh, but I think he wants to be put out of business too. No one would be happier than him if the culture around our health data were changed. I’m sure he’d find something else worth advocating for if we solved the problem of patient access to data.

If you’re not familiar with e-Patient Dave, here’s a section of his post which illustrates the problem and his goal:

Some old-schoolers are threatened by patients seeing the chart; some even think it’s none of your business. Twenty years ago Seinfeld episode 139 showed Elaine looking at her chart and seeing she’d been marked “difficult.” The doctor took the chart from her hands: back then she had no legal right to see it… so she sent Kramer to get it, impersonating a doctor.

You should get your data – all of it. It may not be easy – some providers are severely out of date about your legal rights, and some resist for other reasons: some feel threatened, some know there are gross errors in the chart, some charts contain insults, and some contain flat-out billing fraud: conditions you don’t have, but they’ve been billing your insurance for.

When your doctor hesitates to give you your data, which reasons do they have? Only one way to find out.

I have to admit that reading Dave’s story again has me inspired to spend more time and effort in that space myself and on this blog.

If you’d like to see the post I did, it’s called “Integrated Health – People Finally Caring About Their Health and Not Even Realizing It.” Here’s an excerpt from my post:

While most people will tell you they care about their health, their actions say otherwise. The reality is that the rest of our life is full of bright shiny objects and so it’s really easy for us to get distracted. However, there’s a coming revolution of health care that is totally integrated into your life that’s going to help us care about our health and we won’t even realize it is happening.

If you were to ask someone if they cared about their health, 100% of people would say they do. In fact, you’d likely hear the majority of people go on to say that if they didn’t have their health, then they wouldn’t have anything. While we are happy to publicly proclaim our desire for health, our actions often send a very different message.

Thanks, David, for inspiring us all with your work at HealthBlawg. You’re a good man (which can be hard to say for a lawyer…sorry, I had to have at least one lawyer joke) who is working hard to make a difference in healthcare. I look forward to another decade of blogging alongside you.

Are ACOs More About Good Accounting and Reporting Than Improving Care?

Posted on August 28, 2015 | Written By John Lynn

I was recently reading David Harlow’s analysis of the recently released data from CMS on ACO performance and found a lot to chew on. Most people have found the results underwhelming unless they’re big proponents of ACOs and value based reimbursement and then they’re trying to spin it as “early on” and “this is just the start.” I agree with both perspectives. Everyone is trying to figure out how to reimburse for value based care, and so far we haven’t really figured it out.

These programs aside, after reading David Harlow’s post, I asked the following question:

The thing I can’t figure out with ACOs is if they’re really changing the cost of healthcare or if they’re mostly a game of good accounting and reporting. Basically, do the measures they’re requiring really cause organizations to change how they care for patients or does it just change how organizations document and report what they’re doing?

I think this is a massive challenge with value based reimbursement. We require certain data to “prove” that there’s been a change in how organizations manage patients. However, I can imagine hundreds of scenarios where the organization just spends time managing how they collect the data as opposed to actually changing the way they care for patients in order to improve the data.

Certainly there’s value in organizations getting their heads around their performance data. So, I don’t want to say that collecting the right data won’t be helpful. However, the healthcare system as a whole isn’t going to benefit from lower costs if most ACOs are just about collecting data as opposed to making changes that influence the data in the right way. The problem is that the former is a program you can build. The latter is much harder to build and track.

Plus, this doesn’t even take into account that we may be asking them to collect the wrong data. Do we really know which data we need to collect in order to lower the costs of healthcare and improve the health of patients? There is likely some low hanging fruit, but once we get past that low hanging fruit, then what?

In response to my comment, David Harlow brought up a great point about many of the ACO program successes not being reproducible. Why does an ACO in one area improve quality and reduce costs and in another it doesn’t?

All of this reminds me of the question that Steve Sisko posed in yesterday’s #KareoChat:

There are a lot of things that seem to make sense until you dig into what’s really happening. We still have a lot of digging left to do in healthcare. Although, like Steve, I’m optimistic that many of the things we’re doing with ACOs and value based care will provide benefits. How could they not?

Scanning Is a Feature of Healthcare IT and Will Be Forever

Posted on October 11, 2013 | Written By John Lynn

When I first started writing about EMR and EHR, I regularly discussed the idea of a paperless office. What I didn’t realize at the time and what has become incredibly clear to me now is that paper will play a part in every office Forever (which I translate to my lifetime). While paper will still come into an office, that doesn’t mean you can’t have a paperless office when it comes to the storage and retrieval of those files. The simple answer to the paper is the scanner.

A great example of this point was discussed in this post by The Nerdy Nurse called “Network Scanning Makes Electronic Medical Records Work.” She provides an interesting discussion about the various scanning challenges from home health nurses to a network scanner used by multiple nurses in a hospital setting.

The good people at HITECH Answers also wrote about “Scanning and Your EHR Implementation.” Just yesterday I got an email from someone talking about how they should approach their old paper charts. It’s an important discussion that we’re still going to have for a while to come. I’m still intrigued by the Thinning Paper Charts approach to scanning, but if I could afford it I’d absolutely outsource the scanning to an outside company. They do amazing work really fast. They even offer services like clinical data abstraction so you can really enhance the value of your scanned charts.

However, even if you outsource your old paper charts, you’ll still need a heavy-duty scanner for the ongoing paper that enters your office. For example, I have the Canon DR-C125 sitting next to my desk and it’s a scanner that can handle the scanning load of healthcare. You’ll want a high-speed scanner like this one for your scanning. Don’t try to lean on an All-in-One scanner-printer-copier. It seems like an inexpensive alternative, but the quality just isn’t the same, and after a few months of heavy scanning you’ll have to buy a new All-in-One after you burn it out. Those are just made for one-off scanning as opposed to the scanning you have to do in healthcare.

David Harlow also covers an interesting HIPAA angle when it comes to scanners. In many cases, scanners don’t store any PHI on the device itself. However, in some cases they do, so you’ll want to be aware of this and make sure any PHI stored on the device is wiped before you dispose of it.

Certainly many organizations are overwhelmed by meaningful use, ICD-10, HIPAA Omnibus, and changing reimbursement. However, things like buying the right scanner make all the difference when it comes to the long term happiness of your users.

Sponsored by Canon U.S.A., Inc. Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

Posted on September 20, 2013 | Written By John Lynn

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practices forms to help with compliance. Why they are only releasing them a week before organizations are supposed to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA with the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”

A Look at Email and HIPAA

Posted on August 28, 2013 | Written By John Lynn

Disclaimer: I am not a lawyer and do not offer legal advice. The others quoted in this post are offering general information or interpretation and not specific legal advice or any statement of fact.

For more background on this topic, check out my previous post “Practice Fusion Violates Some Physicians’ Trust in Sending Millions of Emails to Their Patients.”

When I first started looking into the millions of emails that Practice Fusion was sending to patients, doctors were suggesting that these emails constituted a HIPAA violation. Practice Fusion has responded in my previous post that “The patient email reminder and feedback program is absolutely HIPAA compliant, under both the current and new Omnibus rules. We conduct thorough compliance research with every single new feature we launch.” I wanted to explore the HIPAA concerns regarding emails like these, so I talked to a number of HIPAA lawyers and experts. I believe the following look at HIPAA and emails will be informative for everyone in healthcare that’s considering sending emails.

Before I go into a detailed look at sending emails to patients, it is worth noting that under HIPAA, emails can be sent to patients by doctors if the doctor has used “reasonable safeguards” and patients have agreed to email communication with their doctor. HHS has a great FAQ on the use of email and HIPAA where this is outlined.

This leaves three HIPAA related questions:
1. Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
2. Does the email contain Protected Health Information (PHI) that is being sent in an unsecured and not encrypted email?
3. Can Practice Fusion publish the provider reviews on their website?

Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
The core of this question is whether the Practice Fusion user agreement (the version publicly available on the Practice Fusion website) allows the use of patient data contained in the Practice Fusion EHR for sending out these emails. Following are comments from William O’Toole, founder of the O’Toole Law Group regarding the user agreement:

I am not providing specific legal advice or opinion here, and I have no strong feelings about Practice Fusion one way or the other. That said, I find this issue extremely interesting and hope I can provide some direction and some interpretation of the law. Capitalized terms are defined under HIPAA and by now are familiar to all, so I will not define or elaborate.

The Practice Fusion Healthcare Provider User Agreement includes a section that, as between Practice Fusion and its customers, grants Practice Fusion the right to use a provider’s PHI (though I argue it is not the provider’s, it is the provider’s patients’ PHI, but I digress) to contact patients on the provider’s behalf, for various purposes, including “case management and care coordination” which is legally permitted. The conclusion can be easily drawn that Practice Fusion (or any other vendor doing the same) relies on this connection in claiming that its patient email is permitted under this section of the law, even if it contains PHI. Note – the topic of secure email is left out of this discussion.

Based on the user agreement, it seems like Practice Fusion is allowed to send out these rating and review emails to patients. William O’Toole does offer a reminder for providers:

For those of you that are familiar with my writings, you know what comes next. The Practice Fusion agreement clearly puts provider customers on notice that Practice Fusion has the right and option to contact patients directly on the provider’s behalf. The providers agreed when they accepted the terms of use. The most important piece of advice that I can offer to all providers is to read and understand the agreements to which you will be bound, or more appropriately, give the agreements to a healthcare technology attorney for review and opinion.

This is an important message for all providers to read and understand the user agreements they sign.

Does the email contain PHI that is being sent in an unsecured and not encrypted email?
You can see the contents of the ratings emails here (Note: The masked area is the name of the physician). Here’s the analysis of the emails from Mac McMillan, CEO of CynergisTek and Chair of the HIMSS Privacy and Security Task Force:

The issue here is whether or not by the information included you can discern any protected information about the individual(s) involved. On the surface the email appears benign and does not include any specific Protected Health Information (PHI), and if coming from a general practitioner it would be near impossible to guess, let alone determine for sure, the purpose of my visit or my medical condition. Meaning I could have gone there for something as simple as a checkup, to refill a prescription, or I could have gone there for treatment of some ailment, but you don’t know and can’t tell by this simple email. Some would argue that this is no different than when Physicians communicate with their patients now via regular mail or email. The problem though is that not everyone may agree with this, and the consumer who may not be thinking rationally may take issue under certain circumstances. For instance, what if the email came from Planned Parenthood to a seventeen year old, or an AIDS clinic, or a specialty center handling a certain form of cancer, or a psychiatrist’s office? In these cases just the name and the identity of the covered entity potentially provides insight into the individual’s medical condition and therefore their personal health information. A patient might, whether legitimate or not, attempt to make the case that their privacy has been violated if others were to see this email who were not intended to, like other family members, neighbors, employers, etc. I think this is really stretching it, but who knows how a Privacy attorney might see it?

Can Practice Fusion publish the provider reviews on the Patient Fusion website?
Assuming that Practice Fusion is authorized to contact its users’ patients, the next question is whether it is authorized to publish their responses online. When patients post a review, they have to agree to the terms of the “Patient Authorization.” Within that authorization it seems that Practice Fusion has done a good job of making sure that they are getting authorization from the patient to publish the reviews they’ve submitted. David Harlow, a health care attorney and consultant at The Harlow Group LLC who blogs at HealthBlawg, notes that in addition to the Patient Authorization, “The Terms of Use on the PatientFusion.com review website make clear that posts on the site may be made public, and should not contain information that a patient would not want to be made public, or that a patient does not have the right to post.”

Summary
Hopefully this discussion around emails in healthcare will help more companies understand the intricate HIPAA requirements for email communication with patients. I see email communication increasing over the next couple of years as more doctors realize the benefit of it. Plus, a whole new generation of patients wants that type of communication with their provider. We just have to make sure that we continue to respect patients’ privacy in the process. Making sure your emails are HIPAA compliant is not a simple task.

Practice Fusion sent me the following comment:

Practice Fusion’s goal is to create transparency in healthcare without compromise. It is critical that patients seeing any doctor on our platform understand the quality of their doctor. And, therefore, doctors using our free online scheduling application are required to make their reviews available to the public. Practice Fusion offers the only service on the market that validates a patient review was based on an actual visit. No PHI is ever shared in these communications.

Hacking HIPAA – Patient Focused Common Notice of Privacy Practices

Posted on June 27, 2013 | Written By John Lynn

How can you not be interested in an article that talks about hacking? Of course, in this case I’m talking about hacking in a much more general sense. Most people think of hacking as some nefarious person compromising a system they shouldn’t be accessing. The broader use of the term hack is to create something that fixes a problem. You “hack” something together to make it work.

This is what David Harlow, Ian Eslick, and Fred Trotter had in mind when they got together to hack HIPAA. They wanted to create a HIPAA Notice of Privacy Practices (NPP) that would provide meaningful privacy choices for patients while still enabling the use of the latest technology. Far too often HIPAA is seen as an excuse for why doctors don’t use technology. However, if the NPP is set up correctly, it can enhance patient privacy while allowing use of the latest technologies in your practice.

The Hacking HIPAA team decided to leverage the power of crowdfunding to see if they could collaboratively develop a patient focused Notice of Privacy Practices. I really love the idea of a Common Notice of Privacy Practices. If you like this idea, you can help fund the Hacking HIPAA project on MedStartr.

For those not familiar with crowdfunding, imagine your healthcare organization getting $10,000 worth of legal work from one of the top healthcare lawyers for only $1000. Looked at another way, you get an updated Notice of Privacy Practices with all the latest HIPAA Omnibus rules incorporated for only $1000. Call your lawyer and see if they’d be willing to provide an NPP for that price. Plus, your lawyer will probably just provide you with some cookie-cutter NPP they find as opposed to a well thought out NPP.

This is such a great idea. I hope that a large number of healthcare organizations get behind the project. I’d also love to see some of the HIPAA disclosure companies and EHR companies support the project as well. The NPP will have a creative commons license so those companies could help fund the project, provide feedback in the creation of the NPP and then distribute the NPP to all of their customers. What better way to build the relationship with your customers than to provide them a well thought out NPP?

If you want a little more information on how the Hacking HIPAA project came together, here’s a video of Fred Trotter talking about it. Also, be sure to read the details on the Hacking HIPAA MedStartr page.