Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

NueMD’s Startling HIPAA Compliance Survey Results

Posted on December 12, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent HIPAA compliance survey of 1,000 medical practices and 150 medical billing companies, NueMD found some really startling results about medical practices’ understanding and compliance with HIPAA. You can see their research methodology here and the full HIPAA Compliance survey results.

This is the most in depth HIPAA survey I’ve ever seen. NueMD and their partners Porter Research and The Daniel Brown Law Group did an amazing job putting together this survey and asking some very important questions. The full results take a while to consume, but here’s some summary findings from the survey:

  • Only 32 percent of medical practices knew the HIPAA audits were taking place
  • 35 percent of respondents said their business had conducted a HIPAA risk analysis
  • 34 percent of owners, managers, and administrators reported they were “very confident” their electronic devices containing PHI were HIPAA compliant
  • 24 percent of owners, managers, and administrators at medical practices reported they’ve evaluated all of their Business Associate Agreements
  • 56 percent of office staff and non-owner care providers at practices said they have received HIPAA training within the last year

The most shocking number for me is that only 35% of respondents had conducted a HIPAA risk analysis. That means that 65% of practices are in violation of HIPAA. Yes, a HIPAA risk analysis isn’t just a requirement for meaningful use, but was and always has been a part of HIPAA as well. Putting the HIPAA risk assessment in meaningful use was just a way for HHS to try and get more medical practices to comply with HIPAA. I can’t imagine what the above number would have been before meaningful use.

These numbers explain why our post yesterday about HIPAA penalties for unpatched and unsupported software is likely just a preview of coming attractions. I wonder how many more penalties it will take for practices to finally start taking the HIPAA risk assessment seriously.

Thanks NueMD for doing this HIPAA survey. I’m sure I’ll be digging through your full survey results as part of future posts. You’ve created a real treasure trove of HIPAA compliance data.

Firewall & Windows XP HIPAA Penalties

Posted on December 11, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anchorage Community Mental Health Services, Inc, has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation since Windows stopped providing updates to it on April 8, 2014. Thankfully, it was one of our most read posts with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling and he also points out that Microsoft Office 2003 and Microsft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsuppported and unpatched software, Mike Semel offers some great advice for Firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $ 150,000 Anchorage Community Mental Health Services HIPAA penalty and a $ 400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

The Just Enough Culture of HIPAA Compliance

Posted on September 10, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today I was lucky to finally have a long lunch with Mike Semel from Semel Consulting. Ironically, Mike has a home in Las Vegas, but with all of his travel, we’d never had a chance to meet until today. However, we’ve exchanged a lot of emails over the years as he regularly responds to my blog posts. As Mike told me, “It feels like I’ve known you for a long time.” That’s the power of social media in action.

At lunch we covered a lot of ground. Mostly related to HIPAA security and compliance. As I try to process everything we discussed, the thing that stands out most to me is the just enough culture of HIPAA compliance that exists in healthcare. I’ve seen this over and over again and many of the stories Mike shared with me confirm this as well. Many healthcare organizations are doing just enough to get by when it comes to HIPAA compliance.

You might frame this as the “ignorance is bliss” mentality. In fact, I’m not sure if it’s even fair to say that healthcare organizations are doing just enough to comply with HIPAA. Most healthcare organizations are doing just enough to make their conscience feel good about their HIPAA compliance. People like to talk about Steve Jobs “reality distortion field” where he would distort reality in order to accomplish something. I think many in healthcare try and distort the realities of HIPAA compliance so they can sleep good at night and not worry about the consequences that could come upon them.

Ever since HIPAA ombnibus, business associates have to be HIPAA compliant as well. Unfortunately, many of these business associates have their own “reality distortion field” where they tell themselves that their organization doesn’t have to be HIPAA compliant. I don’t see this ending well for many business associates who have a breach.

The solution is not that difficult, but does take some effort and commitment on the part of the organization. The key question shouldn’t be if you’re HIPAA compliant or not. Instead you should focus on creating a culture of security and privacy. Once you do that, the compliance part is so much easier. Those organizations that continue this “just enough” culture of HIPAA compliance are walking a very thin rope. Don’t be surprised when it snaps.

Proving HIPAA Compliance

Posted on September 9, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Given the name of this blog, I get a lot of people asking me about HIPAA compliance. Many of them that are new to the industry are looking for some sort of regulating or certifying body that they can go to in order to be HIPAA compliant.

Unfortunately, there is no body that can audit you and basically certify that you’re HIPAA compliant. HIPAA is basically a self certification, so you can just claim “compliance.” However, if a real audit happens, you better make sure your ducks are all in a row and that you are actually complying. While there is no body that certifies HIPAA compliance, there are pretty specific guidelines on what you need to do to be HIPAA compliant.

When companies and organizations ask me what they need to do to be HIPAA compliant, I usually suggest they start with these HIPAA trainings from one of my partner companies, 4MedApproved: http://bit.ly/191zR9N (20% discount if you use the code healthcare20 since I’m a partner). The HIPAA compliance officer training will teach you what you need to do and it includes HIPAA documentation templates you can use along with business associate agreement forms. Then, the HIPAA workforce trainings are good to train the rest of your staff. With this training and documentation, you’ll feel much more comfortable saying you’re HIPAA compliant and having something to show for it. You’ll also learn what other places you might be lacking when it comes to HIPAA compliance.

I had someone on a LinkedIn discussion about a breach suggest that organization should regularly train their staff on HIPAA. Turns out that doing so isn’t just a good idea, but is also a HIPAA requirement. Having some sort of proven HIPAA training that you’ve completed is one step in the right direction of proving your HIPAA compliance.

The other major step an organization should take is doing a full HIPAA risk assessment. Many organizations are doing this since they’ve had to in order to get meaningful use money. However, even those organization who aren’t asking for the EHR incentive handout are still required to do a HIPAA risk assessment.

What are you doing in your organization or company to prove HIPAA compliance?

HIPAA Security and Audits with Mac McMillan

Posted on May 20, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In case you missed the recent HIPAA Privacy and Security hangout I did with Mac McMillan, CEO of Cynergistek, you’re missing out. I think this HIPAA interview is an extension of what we started in our post “6 Reality Checks of HIPAA Compliance.” There’s a real awakening that’s needed when it comes to HIPAA. I love in this hangout when Mac says that the patience in Washington for those that aren’t HIPAA compliant is running low. An example of that is another topic we discus: HIPAA audits. The first round of HIPAA audits were more of a barometer of what was happening. The next round we’ll likely be much more damaging.

Watch the entire HIPAA interview with Mac McMillan to learn even more:

Six Reality Checks of HIPAA Compliance

Posted on April 23, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Between Windows XP causing HIPAA compliance issues and the risk associated with the risk assessment required by meaningful use, many in healthcare are really waking up to the HIPAA compliance requirements. Certainly there’s always been an overtone of HIPAA compliance in the industry, but its one thing to think about HIPAA compliance and another to be HIPAA compliant.

This whitepaper called HIPAA Compliance: 6 Reality Checks is a great wake up call to those that feel they have nothing to worry about when it comes to HIPAA. While many are getting ready, there are still plenty that need a reality check when it comes to HIPAA compliance.

Here’s a look at why everyone could likely benefit from a HIPAA reality check:
(1) Data breaches are a constant threat
(2) OCR audits reveal health care providers are not in compliance
(3) Workforce members pose a significant risk for HIPAA liability
(4) Patients are aware of their right to file a complaint
(5) OCR is increasing its focus on HIPAA enforcement
(6) HIPAA Compliance is not an option, it’s LAW

Obviously, the whitepaper goes into a lot more detail on each of these areas. As I look through the list, what seems clear to me is that HIPAA compliance is a problem. Every organization should ask themselves the following questions:

Are we HIPAA compliant?

What are you doing to mitigate the risk of a breach or HIPAA violation?

When I look at the 6 Reality Checks details in the whitepaper, I realize that everyone could benefit from a harder look at their HIPAA compliance. A little bit of investment now, could save a lot of heartache later.

A CIO Guide to Electronic Mobile Device Policy and Secure Texting

Posted on January 6, 2014 I Written By

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Doc Halo provides secure, HIPAA-compliant secure-texting and messaging solutions to the healthcare industry. He is a former chief information officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics and Meaningful Use. He has more than 20 years of information technology design, management and implementation experience. He has successfully implemented large systems and applications for companies such as Procter and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.
Reach Cliff at cmcclintick@dochalo.com.

One of the many responsibilities of a health care chief information officer is making sure that protected health information stays secure.

The task includes setting policies in areas such as access to the EMR, laptop hard drive encryption,  virtual private networks, secure texting and emailing and, of course, mobile electronic devices.

Five years ago, mobile devices hadn’t caught many health care CIOs’ attention. Today, if smartphones and tablets aren’t top of mind, they should be. The Joint Commission, the Centers for Medicare and Medicaid Services and state agencies are scrutinizing how mobile fits into organizations’ security and compliance policies.

Be assured that nearly every clinician in your organization uses a smartphone, and in nearly every case the device contains PHI in the form of email or text messages. That’s not entirely a bad thing: The fact is, smartphones make clinicians more productive and lead to better patient care. Healthcare providers depend on texts to discuss admissions, emergencies, transfers, diagnoses and other patient information with colleagues and staff. But unless proper security steps are being taken, the technology poses serious risks to patient privacy.

For creating a policy on mobile electronic devices, CIOs can choose from three broad approaches:

  • Forbid the use of smartphones in the organization for work purposes. This route includes forbidding email use on the devices. Many companies have tried this approach, but in the end, it’s not a realistic way to do business. You may forbid the use of the technology and even have members of your organization sign “contracts” to that effect. But even for the people who do comply out of fear, the organization sends the message that it’s OK to violate policy as long as no one finds out.
  • Allow smartphones in the organization but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option, as the CIO is taking responsibility for the use of the devices and providing some direction. In most cases there will be guidelines regarding message life, password format, password timeout, remote erase for email and other specifics. And while the sending of PHI would not be allowed, protocol and etiquette would be in place for when the issue comes up. Ultimately, though, this approach can be hard to enforce, and the possibility remains that PHI will be sent to a vendor or out-of-IT-network affiliate.
  • Create a mobile device strategy. This option embraces the technology and acknowledges that real-time communication is paramount to the success of the organization. In healthcare, real-time communication can mean the difference between life and death. With this approach the technology is fully secured and can be used efficiently and effectively.

Recent studies have shown that more than 90 percent of physicians own a smartphone. Texting PHI is common and helps clinicians to make better decisions more quickly. But allowing PHI to be transmitted without adequate security can compromise patient trust and lead to government penalties.

Fortunately, healthcare organizations can take advantage of mobile technology’s capacity to improve care while still keeping PHI safe. In a recent survey of currently activated customers of Doc Halo, a secure texting solution provider, 70 percent of respondents using real-time secure communication reported better patient care. Seamless communication integration and a state-of-the-art user experience ensure that the percentage will only rise.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

Top 5 Tips for HIPAA Compliance

Posted on December 17, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. It addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips are a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer or your staff. As is noted above, more frequent audits and fines are coming.

Should Patients Care About Their Doctors’ Text Messages?

Posted on November 25, 2013 I Written By

The following is a guest blog post by Dr. Jose Barreau, CEO of Doc Halo.

For all the money they spend on state-of-the-art EMRs, compliance officers and other measures to ensure they’re protecting their patients’ medical information, many healthcare organizations have a gaping hole in their security.

Physicians and other clinicians are as apt as anyone to send a quick text to a colleague. Maybe an attending physician wants to ask a resident about test results or an office worker needs to pass along a patient’s question.

But standard SMS text messages are not HIPAA compliant. Communicating protected health information in this way could compromise patient privacy and expose your organization to substantial fines.

That’s not to say doctors shouldn’t text. Because of its instantaneous nature, mobile messaging can improve efficiency and quality of care. But healthcare providers should make sure they’re using a secure texting platform.

If you have a non-HIPAA-compliant texting habit, you’re in good company. In research last year, nearly 60 percent of physicians at children’s hospitals said they sent or received text messages for work.

It’s easy to view text messages as “off the record.” Chances are they aren’t going into an EMR, and there’s a sense that no one but the sender and recipient will see them.

But when you fire off a text, you don’t know where it will end up. Some of these text messages contain sensitive details of diagnosis and treatment that have been discussed.  Also it’s hard to say whose servers the messages might be stored on, or for how long.  When patients entrust healthcare providers to care for them, they expect their data to be cared for, too.

The Department of Health and Human Services certainly knows about the problem. Last year the agency told an Arizona physicians practice to address the issue in a risk-management plan. The group “must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”

Healthcare providers can text about their patients without violating HIPAA — but only with secure messaging technology. Here are features to look for in a healthcare texting solution:

  • Encryption at all levels — database, transmission and on the app — with federally validated standards
  • Tracking of whether messages have been delivered, with repeated ping of the user
  • A secure private server that is backed up
  • Remote mobile app wipe option if a phone is lost or stolen
  • Automatic logout with inactivity
  • Ability to work on all spectrums of cell data and Wi-Fi for broad coverage
  • Limited data life — for example, 30 days — for messages

Patients benefit when their healthcare providers have quick and secure ways to stay in touch. A secure text messaging platform can help you to provide better care while avoiding HIPAA violations.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

Posted on September 20, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practice forms to help with compliance. Why they are just releasing them a week before organizations are suppose to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA wth the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”