
Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Posted on February 5, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Sutter Health’s California Pacific Medical Center (CPMC) recently announced that an employee had accessed patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation.

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating breach of HIPAA. In fact, it starts with the question of whether we should call this a breach. In the HIPAA sense, it’s a breach of HIPAA. In the IT systems security sense, I could see how people wouldn’t consider it a breach since the person didn’t visit anything he wasn’t authorized by the IT system to see. Semantics aside, this is a HIPAA issue and is likely happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The sheer number of staff means that it’s very likely that some users of your IT systems are looking at patient records without a specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper, as if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we just had no way to track it. With technology we can now track every record everyone touches. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant of it.

With this in mind, I start to wonder if we won’t see some HIPAA audits for organizations that haven’t reported any violations like the one above. Basically, the auditors would assume that if you haven’t reported anything, then you’re probably not proactively auditing this yourself, and so they’re going to come in and do it for you. Plus, if you’re not doing this, then you’re likely not meeting a whole slew of other HIPAA requirements. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, then you’re probably above average in other areas of HIPAA privacy and security. Sounds reasonable to me. We’ll see if it plays out that way.
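The kind of proactive audit the post describes, as an added example that is not CPMC’s or Sutter Health’s tooling: it joins constructed EMR access-log lines against a constructed feed of documented treatment relationships (orders, encounters, dispense events) and lists the chart views that no relationship covers. The result is what an organization reviewing its own logs would hand to a privacy officer for follow-up, not a verdict that every flagged view was inappropriate.

```python
"""Flag EMR chart views that have no documented treatment or business
relationship. Added example, not CPMC's tooling; the log format and the
(user, patient, valid_from, valid_to) relationship feed are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: one JSON object per chart access.
ACCESS_LOG = """
{"ts": "2014-10-09T08:12:00", "user": "rx_jdoe", "role": "pharmacist", "patient": "P001", "action": "view_chart"}
{"ts": "2014-10-09T08:15:00", "user": "rx_jdoe", "role": "pharmacist", "patient": "P002", "action": "view_chart"}
{"ts": "2014-10-09T08:20:00", "user": "rx_jdoe", "role": "pharmacist", "patient": "P003", "action": "view_chart"}
{"ts": "2014-10-09T09:00:00", "user": "md_asmith", "role": "physician", "patient": "P003", "action": "view_chart"}
{"ts": "2014-10-09T23:40:00", "user": "rx_jdoe", "role": "pharmacist", "patient": "P004", "action": "view_chart"}
"""

# Constructed sample relationships: (user, patient, valid_from, valid_to).
RELATIONSHIPS = [
    ("rx_jdoe", "P001", "2014-10-01", "2014-10-31"),    # active medication order
    ("md_asmith", "P003", "2014-09-15", "2014-12-31"),  # attending physician
    ("rx_jdoe", "P003", "2014-08-01", "2014-08-31"),    # order that ended before the access
]

def parse_access_log(text):
    """Parse newline-delimited JSON access events; timestamps become datetimes."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def build_relationship_index(rows, grace_days=30):
    """Map (user, patient) -> windows in which chart access is justified.
    A grace period after the relationship ends covers legitimate follow-up."""
    index = defaultdict(list)
    for user, patient, start, end in rows:
        start_dt = datetime.fromisoformat(start)
        end_dt = datetime.fromisoformat(end) + timedelta(days=grace_days)
        index[(user, patient)].append((start_dt, end_dt))
    return index

def has_relationship(index, ev):
    """True if some relationship window covers the access timestamp."""
    windows = index.get((ev["user"], ev["patient"]), [])
    return any(start <= ev["ts"] <= end for start, end in windows)

def find_unjustified_access(events, index):
    """Return {user: sorted patient ids} for chart views with no covering
    relationship. Candidates for human review, not verdicts: a relationship
    the feed does not know about may still exist."""
    flagged = defaultdict(set)
    for ev in events:
        if ev["action"] == "view_chart" and not has_relationship(index, ev):
            flagged[ev["user"]].add(ev["patient"])
    return {user: sorted(patients) for user, patients in flagged.items()}

if __name__ == "__main__":
    report = find_unjustified_access(parse_access_log(ACCESS_LOG),
                                     build_relationship_index(RELATIONSHIPS))
    for user, patients in report.items():
        print(f"{user}: {len(patients)} chart(s) with no documented relationship: {patients}")
```

In the sample the pharmacist’s view of P003 is flagged because the only order on file ended more than the grace period before the access, which is exactly the case a reviewer needs to see rather than have silently accepted.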

The other lesson we need to take from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they’re sometimes going to catch bad actors whom they need to correct.

Healthcare IT software like EHRs has a great ability to track everything that’s done, and it’s only going to get better at doing it. That’s a good thing, and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health that take a proactive approach to the security and privacy of healthcare information.

What Do We Know About Minimum Necessary Coming to HIPAA?

Posted on November 14, 2014 | Written by John Lynn

We recently sat down with Alisha R. Smith, RHIA, HIM Compliance Educator at Healthport, to talk about HIPAA Omnibus and one of the components that was left out of the HIPAA Omnibus final rule: minimum necessary. In the video below, Alisha talks about what your company can do to prepare for minimum necessary and what minimum necessary might require if it gets included in future HIPAA requirements.

What do you think about Alisha’s recommendations? Do you think that legislation will be passed to include minimum necessary as part of HIPAA?

Medicaid Doctors and Dentists Gaming the EHR Incentive Program

Posted on June 29, 2012 | Written by John Lynn

I guess I should have known that it would only be a matter of time before I’d see something like this come out. As best I can tell, Dentrix has partnered with Henry Schein to offer what they’re calling Dentrix Meaningful Use Access 7.6. Seems like Henry Schein is using the Dentrix name to get dentists access to the Medicaid EHR incentive money. On its face, I don’t see any problem with this.

Although, once you start to dig into it, it appears that Dentrix and Henry Schein are partnering to get Dentists the first Medicaid EHR incentive check without even implementing the EHR. You have to remember that the Medicaid EHR stimulus money doesn’t require you to show meaningful use of the EHR. You just have to acquire the EHR technology.

Look at some of the verbiage from the website for the program:

Definition of Adopt, Implement, or Upgrade:
For Medicaid, the eligible provider must Adopt, Implement, or Upgrade (AIU) certified EHR software. As posted on the CMS website, for AIU, a provider does not have to have installed certified EHR technology. The definition of AIU in 42 CFR 495.302 allows the provider to demonstrate AIU through any of the following:
* Acquiring, purchasing or securing access to certified EHR technology
* Installing or commencing utilization of certified EHR technology capable of meeting meaningful use requirements
or
* Expanding the available functionality of certified EHR technology capable of meeting meaningful use requirements at the practice site, including staffing, maintenance, and training, or upgrade from existing EHR technology to certified EHR technology per the ONC EHR certification criteria.

Thus, a signed contract indicating that the provider has adopted or upgraded would be sufficient.

To be honest, I’m torn between whether this is genius or filthy. According to the letter of the law, I don’t know of any reason that someone with the right Medicaid population can’t purchase an EHR like this for $2000 and then collect the EHR incentive money. The regulations don’t require them to do any more to collect the money. Although, that’s certainly not the intent of the EHR incentive money, and it definitely feels like they’re gaming the system if they do it with no intent to actually implement the EHR.

Another piece from the website:

While Henry Schein currently has no plans to pursue a Meaningful Use solution beyond Stage 1, Year 1 for Dentrix, we continue to monitor healthcare reform to determine what subsequent steps, if any, should be taken regarding Meaningful Use criteria and certification.

At least they’re up front with the dentists that they’re not planning to go beyond meaningful use stage 1, but may change their minds. I’m sure this is music to ONC’s ears to hear that they’re only committing to meaningful use stage 1.

If your strategy is to just help these dentists get the first EHR incentive check, then why should you worry about MU stage 2? Wouldn’t you love to be a salesperson for this product? Here’s your pitch: Pay me $2000 for this EHR, go through 5 steps on the government website and you’ll get paid $21,250.00.

I wish I could see something legally wrong with this idea. Someone I talked to mentioned that even for the Medicaid EHR incentive money you have to check some box saying that you comply with the HIPAA requirements. Well, these clinics have to do that anyway. Many don’t, but they’ll check that box anyway thinking that they comply whether they do or not.

The biggest surprise for me might be that Henry Schein is willing to have their name associated with a program like this. I’ll be interested to see who else picks up on this glaring issue with the Medicaid EHR incentive and what ONC/CMS/HHS do to close it up (if they can).

Texting is Not HIPAA Secure

Posted on April 17, 2012 | Written by John Lynn

I previously posted the somewhat controversial post: Email is Not HIPAA Secure. It was an extremely important post and included 54 incredible comments discussing email security and how email relates to HIPAA. Today I want to discuss the security issues related to text (SMS) messages.

The short story is: Texting (SMS) is NOT HIPAA Secure

I recently did a focus group to discuss physician communication. At one point I asked how many of them use text messages to communicate with other doctors. All of them acknowledged that they used it and that they were using it more and more. I then asked how many sent PHI (protected health information) in the text messages that they sent. While the response wasn’t as strong, likely because they knew it was a loaded question, they all acknowledged that PHI was sent by text message all of the time.

One doctor even commented, “They’re not going to put us all in jail.”

There is some validity to this comment. They’re not going to go around like an old school lynch mob putting physicians in jail because they sent some patient information in a text message. Although, that doesn’t mean that they couldn’t go around handing out hefty fines for HIPAA violations.

Let me be clear that there are secure text message platforms out there. I’ve actually been thinking about this quite a bit lately since I’ve been advising a local Vegas Tech iPhone app called docBeat that offers this secure text message functionality for free. In fact, there are quite a few companies that are trying to provide this functionality. Although, I like docBeat because it offers a whole suite of Physician Communication Tools and not just secure text messaging. I think there’s value in a doctor only having to go to one place for all their communication needs. In a future post, I’ll do a full write up on what docBeat’s offering physicians.

At some point, I think doctors are going to turn the corner and realize that the standard SMS text messaging service that every cell phone has these days is not the right way to communicate. Besides the fact that standard text messaging isn’t secure, it’s also stored forever on the server of your cell phone service provider. Most doctors likely haven’t thought that everything they’ve sent over text could be brought back to haunt them forever.

Other problems with standard text messaging are that you don’t really know what happens with the text message once it’s sent. Did the text message actually send? Did the person you sent the text message to actually receive it? If they received the text message, have they read it?

The great thing is that we all finally have realized the value of simple communication with a text message. Now we just need to move to these new secure text messaging platforms that solve the security, reliability and tracking issues with standard text messaging.

HIPAA Requirements PHI in Natural Disasters

Posted on June 8, 2011 | Written by John Lynn

Brian Van Zandt, a long time reader of EMR and HIPAA and an account executive at a managed IT services company in New York, NST, sent me the following fascinating question.

I’ve had a conversation with a few people recently about something that’s been on the news a lot recently. A tornado in the Midwest destroyed a hospital, and patient records, I heard about X-rays specifically, were found miles from the hospital. In extreme cases like that, are hospitals still liable for penalties from HIPAA for losing patient information?

First, I have to start with my regular disclaimer that I’m not a lawyer, I don’t play one on TV and much prefer being a blogger. Consult a lawyer for legal advice.

With that disclaimer, it’s a fascinating situation to consider. I remember from my business law classes in college that there’s a legal term called “Act of God” which seems like it might have consideration in this situation. I can’t say for sure that the Act of God defense would work when it comes to disclosure of PHI, but it would be interesting to see it play out.

I think the other consideration and question is what efforts the hospital made to prevent the disclosure of the PHI. How did they act when the tornado warning was announced? What measures had they taken to prevent such an issue from happening, since they likely knew they were in an area that was prone to tornadoes? What efforts did they put forth once the hospital was destroyed to protect the information that was scattered?

I’m sure there are a lot more questions that would likely be asked. I’m just trying to start the conversation, and hopefully some HIPAA lawyers that read this blog will chime in with more details.

Although, I must admit that my first reaction to reading this question was, would people really have a legal issue with this? My point being that someone would have to bring a legal case against this hospital for us to really find out the legal requirements. It’s just a sad commentary on society if individuals would really bring a HIPAA violation against a hospital that was destroyed by a tornado. I’m all for the legal system when there are issues of negligence. I just don’t see how a tornado’s disclosure of PHI miles away is negligence.

Of course, if the hospital had an EMR, they wouldn’t have to worry about an X-ray being found miles away. Well, unless the hard drive, server, computer, laptop, etc. was blown miles away. Hopefully the data center planning took natural disasters like this into account. Although, even if it didn’t, with appropriate device encryption even this wouldn’t be an issue. It would be like having an encrypted laptop stolen. One more reason to have an EMR instead of paper records.

This is an interesting edge case that I’d love to learn about since every healthcare entity could potentially be hit by a natural disaster. Of course, I’ve seen a lot of discussion about providing healthcare during a natural disaster. I hadn’t thought as much about HIPAA during a natural disaster. Maybe that’s how it should be.

On a more personal note, my thoughts and prayers go out to those who’ve been hit by this disaster and others. I didn’t know anyone in Joplin, but we have family in Springfield, MA which had a tornado cause destruction as well as some fires raging in Arizona that are affecting many people we know. I wish them all the best as they deal with challenging situations.

Email is Not HIPAA Secure

Posted on December 23, 2010 | Written by John Lynn

An interesting discussion happened in the comments about HIPAA secure fax services in regards to the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don’t understand some of the details about the security (or lack of security) that’s provided by email.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between 2 email systems, but so far a standard and mechanism for encryption between the vast number of email providers has not been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc.), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone they send an email which contains a link to an encrypted website that has a unique login. The reason they do this is because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.

One of the major reasons that many people think that email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption is just for users logging in to check, read and send their email. It does not encrypt the email as it is sent from Gmail to the destination email system. Aleks, from Sfax, described it as similar to a postcard: it’s open, and anyone listening can see what’s in the email with no traces left behind.
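To make the postcard point concrete, here is an added example (not from the original post) that reads a message’s Received: headers and reports which hops the relays themselves recorded as TLS; the headers are constructed and every hostname is fictitious. In the sample, the sender’s connection to their own provider was encrypted, like the Gmail login encryption described above, while the server-to-server hop to the recipient’s domain was plain ESMTP.

```python
"""Report which SMTP hops carried a message over TLS, from its Received: headers.
Added example, not from the original post. Relays that accepted the connection
over TLS record it with the ESMTPS/ESMTPSA transmission types (RFC 3848), often
with a parenthesised "(version=TLS...)" note; plain ESMTP/SMTP means cleartext.
The headers below are constructed and every hostname is fictitious."""
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [203.0.113.10])
        by mail.hospital.example with ESMTP id abc123
        for <drsmith@hospital.example>; Thu, 23 Dec 2010 10:15:02 -0800
Received: from [10.0.0.5] (unknown [198.51.100.7])
        by mx.clinic.example with ESMTPSA id def456
        (version=TLS1 cipher=RC4-SHA bits=128)
        for <drsmith@hospital.example>; Thu, 23 Dec 2010 10:14:58 -0800
From: nurse@clinic.example
To: drsmith@hospital.example
Subject: lab results

Attached are the results we discussed.
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def parse_hops(raw_message):
    """Return hops in delivery order: {'from', 'by', 'protocol', 'tls'} per hop.
    Relays prepend their Received: header, so the bottom one is the first hop."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        m_from, m_by, m_with = FROM_RE.search(flat), BY_RE.search(flat), WITH_RE.search(flat)
        protocol = m_with.group(1).upper() if m_with else "UNKNOWN"
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": protocol,
            # Either the registered TLS transmission type or an explicit TLS note.
            "tls": protocol in TLS_TYPES or "version=TLS" in flat,
        })
    return hops

def unencrypted_hops(raw_message):
    """Hops that were recorded as cleartext SMTP."""
    return [hop for hop in parse_hops(raw_message) if not hop["tls"]]

def encrypted_end_to_end_in_transit(raw_message):
    """True only if every recorded hop used TLS. Even then this is self-reported
    by each relay and says nothing about encryption at rest on either side."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(hop["tls"] for hop in hops)

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']} via {hop['protocol']}: {state}")
```

Because each relay writes its own header, this check only tells you what the relays claim; it is a way to verify the point in the paragraph on mail you have received, not an assurance you can rely on before sending PHI.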

The only security email partially offers in this manner is the volume of emails that are sent. There’s such a huge volume of useless emails that there’s some security-by-obscurity benefit. Although, that security doesn’t satisfy the HIPAA requirements. Plus, remember that one thing computers are great at is crunching large amounts of data.

One minor exception that I might make is that if you’re sending email in an internal email system, then it’s possible to set up email encryption. This is possible because you control the email system for the sender and the receiver and so there are ways to do this. However, I know very few people that have actually set this arrangement up. Probably because if they are on your internal email system they usually have access to your EMR and all the PHI can remain in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.