Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Are Legacy EHR Sytems the HIPAA Ticking Time Bomb?

Posted on February 20, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Healthcare IT and EHR security is a really important topic right now. Many organizations have started to spend time and resources on this problem after a series of healthcare and non-healthcare breaches. The Anthem breach being the most recent. Overall, this is a great thing for the industry since I think there’s more that could be done in every organization to shore up the privacy and security of patient health data.

In a recent conversation I had with Mike Semel, we talked about some of the challenges associated with legacy EHR and Healthcare IT systems in offices. Our conversation prompted to me to ask the question of whether these legacy EHR systems are the ticking time bombs of many healthcare organizations.

Think about what happens to many of these legacy EHR systems. They get put in some back office or under someone’s desk or in some nondescript closet where they’re largely forgotten. In many cases there are only 1-2 people who regularly use them and in many cases the word “regularly” equates to accessing it a few times a month. These few people are usually not technically savvy and know very little about IT security and privacy.

Do I need to ask the question about how good the security is on a system for which most people have forgotten?

These forgotten systems often don’t get any software updates to the application or the operating system. The former is an issue, but the later is a major problem. Remember that when updates to an operating system are issued, it’s essentially blasted out to the public that there are issues that a hacker can exploit. If you’re not updating the O/S, then these systems make for easy pickings for hackers.

Forget about great audit log tracking and other more advanced security on these legacy systems. In most cases, organizations are just trying to limp them along until they can decommission them and put them out to pasture. It makes for one massive security hole for most organizations.

Of course, this doesn’t even take into the account the fear that many organizations have that these systems will just give up the ghost and stop working all together. There’s nothing quite like security on a Windows 2000 Server box sitting under someone’s desk just waiting for it to die. Hopefully those hard drives and other mechanical elements don’t stop before the data’s end of life requirements.

These legacy systems aren’t pretty and likely present a massive HIPAA privacy and security hole in many organizations. If you don’t have a good handle on your legacy systems, now might be a good time to take a look. Better to do it now than to deal with it after a HIPAA breach or HIPAA audit.

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

Posted on September 20, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practice forms to help with compliance. Why they are just releasing them a week before organizations are suppose to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA wth the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”

Meaningful Use and HIPAA – The Risk Analysis

Posted on April 6, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis.  This may also be referred to by some as the Risk Assessment also.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions.  It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.

 

Meaningful Use and HIPAA – The Sanction Policy

Posted on March 16, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies.  Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate.  The computer policies are different than human resource company policies…actually, they are different, but enhance the HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff has signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?).  Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement.  As I expected, the feds are using Meaningful use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).

 

Guest Post: Meaningful Use and HIPAA

Posted on March 9, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.

Do they go together like peanut butter and jelly?  Cookies and milk?

Nothing quite as good as these…but they do go together…now.

HIPAA has been around for some time.  Many argue that HIPAA has no “teeth”.  Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?

In steps Meaningful Use.

Buried in the details of the Stage 1 Core Objectives is a single block that refers to the seemingly innocuous statement of “Conduct a risk analysis per 45CFR164.308(a)(1)”.

A risk analysis seem simple enough…right?

Dig a little deeper and you’ll see something a bit more unpleasant.  164.308(a)(1) requires the following:

  • Risk analysis – clear enough…
  • Risk management – with reference to 164.306(a) – Uh oh…
  • Sanction policy
  • Information System Activity Review

Whew…now it is starting to get ugly.  Where shall we start?

As usual, I like to go from easiest to most difficult.

The easiest thing to tackle here is the Information System Activity Review.

This is a mouth full, but your shiny new Meaningful Use certified EHR will have a report for this, which will cover most of this requirement.

In order for this report to show information that is useful, you need to ensure you have setup the users in your EHR in the correct way.

By this I mean:

  • Each user must have their own login,
  • Each user must only have access to the areas of the EHR that are appropriate for their position,
    • By this I mean, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.

Next time we’ll attack the Sanction Policy.

John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

Fear of HIPAA Audits Despite 0.002% Chance

Posted on May 19, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anyone that has worked in healthcare has the palpable fear of the word HIPAA. Any time the word’s mentioned, I have this visceral emotion shoot threw my body. I’m sure it’s the same for many people. HIPAA is like the nasty word that no one can argue with. Just say something is a HIPAA violation and no one can argue with you (assuming you’re right).

In the clinics I’ve worked in, there really is a desire to try and follow the HIPAA rules as best as possible. They all hate it, but they all try in good faith to follow the HIPAA rules. They likely do this because of fear of the dreaded HIPAA audit. Check out this interesting comment made on a previous post I did which puts the HIPAA audit in a new light:

Same goes for the HIPAA rules. We all spend so much effort and time to comply, yet the handful of cases arise when a disgrunted, recently fired employee becomes a whistleblower to screw their past boss and “tells all” to the feds who then pounce on the poor unsuspecting doctor to showcase their enforcement muscle. I’ve heard of anecdotal cases s.a. this, but I have never actually seen an office raided for an HIPAA violation or a major article on the subject in my medical journal reading. Considering that, if say, there are a dozen cases, then 12/780000 practicing doctors, my chances of an HIPAA audit are about 0.002%.

It’s a crazy world we live in. I agree that the risk of a HIPAA audit is pretty small and I think most people acknowledge this internally. Yet, people are afraid to say this publicly, because it sends a message that they don’t care about patient privacy. I think most clinics go through this amazing internal conflict. Basically, they want to support patient privacy, but they also don’t want HIPAA to get in the way of caring for patients and running their business.

The solution I believe most clinics employ: If I don’t talk or acknowledge it, then I don’t have to worry about it. Basically, ignorance is bliss. So, they address any privacy issues that come out and they try to maintain privacy generally, but few of them take it head on and make sure that they are HIPAA compliant. Should they? There’s only a 0.002% chance they’ll have a HIPAA audit.

Note 1: Hospitals are different than clinics. There’s other issues related to HIPAA at hospitals.

Note 2: See, I do occasionally write about HIPAA. That’s why this website is named EMR and HIPAA. Every 6 months is about right, no?

Note 3: Patient Privacy is very important to me, so this post isn’t meant as an excuse for people to not protect their patients’ privacy. It is an attempt to discuss openly what I think is really happening with HIPAA in clinics.

42 Questions HHS Might Ask in a HIPAA Audit

Posted on February 4, 2008 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This information is a little bit dated, but it was sitting in my draft posts and I think that it’s still very relevant to those interested in HIPAA compliance. Computer World posted an article about Atlanta’s Piedmont hospital being the first organization to have a HIPAA audit by the HHS.

In the report they identified 42 questions that HHS reportedly asked Piedmont hospital during the HIPAA audit. Regardless of how accurate this is, I think that it’s interesting for all those in the healthcare industry to evaluate these questions and how they apply in their environment.

Here’s the list of questions:

1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Antivirus software.
23. Network remote access.
24. Computer patch management.

HHS also had a slew of other requests:

1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms use for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers, installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

Since most of my interest is in ambulatory care, I wonder if an audit would be this extensive for ambulatory care. Talk about putting a company out of business. This would be an extensive report for a hospital but could be really detrimental to a small doctor’s office. Still interesting to think about.

I expect that no one is fully compliant with this list. Of course, that raises the question of what’s full compliance, but we’ll save that topic for another day.