
2300 Blog Posts and 11 Million Pageviews Later

Posted on June 29, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

For those that don’t know the history of EMR and HIPAA, I wrote the first post on EMR and HIPAA back on December 11, 2005. It’s fun to read that first post. Short and sweet. I hit some high level points which amazingly still represent my desires 10 years later. “I will try to incorporate any aspects of EMR and HIPAA because I think best practices across the industry are important to know.” – I still try to incorporate any aspect of healthcare IT. Lately I’ve been writing even more about the business of medicine, but I still try and find best practices.

In my original post I invited people to participate in the conversation. I still want that, but I’ve found that much of the conversation has moved to social media rather than the blog comment section. Plus, as I’ve refined my blogging skill, my posts leave less to correct. In the beginning I wasn’t as skilled, so there was a lot of opportunity to correct me, which made for great comment threads.

The last line of that original post really expressed my understanding of EHR at the time: “This is my best knowledge from my research and is not guaranteed in anyway.” Pretty funny that I thought to put in a disclaimer from the start. When I started I knew so little. It’s amazing how much you can learn over 10 years. Yet, I’m still learning.

5 months into my EMR and HIPAA blogging journey I celebrated reaching 30,000 visitors to my blog. I was amazed by my achievement. Little did I know that less than 10 years later I’d be celebrating 2300 blog posts and 11 million pageviews. For some perspective, we celebrated 3 million pageviews in August 2010 and then last Valentine’s day we celebrated 9 million pageviews. I was nostalgic for those posts and still am today.

I’m really not sure how to process 2300 blog posts and 11 million pageviews for one of my Healthcare Scene blogs. Mostly I just want to say: Thank you!

I never thought I’d be a full time blogger when I grew up, but I feel lucky to do so. Over the past 5 years as a full time blogger, it’s been amazing to see the blogging business model change. When I started blogging people were happy to buy links from my site (We stay far away from that now). We always have done some pay per click and display advertising and those both still do quite well for us. However, as we’ve matured, we’ve been able to offer a variety of email marketing and sponsored content options which really take healthcare IT marketing to the next level.

With that in mind, I want to take a second to thank those companies who are currently supporting the work we do here at EMR and HIPAA. Without their support, none of this would be possible.

EMR and HIPAA Email Sponsors
DrChrono
Stericycle

EMR and HIPAA Sponsored Content Series
ClinicSpectrum
The Breakaway Group

EMR and HIPAA Display Advertising
Ambir
HIPAA Secure Now
Colocation America
Accountable

What I love about each of these companies is that they are looking to promote their company, but they’re also interested in supporting the work we do here at EMR and HIPAA. Almost all of them are not only sponsors of the site, but also readers of the site as well.

If your company would like to support the work we do here at EMR and HIPAA, we’ve created a new landing page which outlines all of the various healthcare IT marketing and advertising options we offer across the Healthcare Scene network. We’d love to work with you on sharing your message. Just drop us a note on our contact us page.

We’ve got a lot of ideas on how to continue to make what we do here at EMR and HIPAA better. However, what won’t change is our efforts to provide valuable content that helps make our readers’ lives easier.

Patients Demand the Best Care … for Their Data

Posted on June 22, 2015 | Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing the new patient forms handed to them by the office clerk.  With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their Social Security number, driver’s license, insurance card and date of birth, all the ingredients for identity fraud.  Patients are so squeamish about disclosing their personal information that even Medicare has plans to remove Social Security numbers from patients’ benefits cards.

Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.

But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority.  And they neglect to train front office staff, so the patient who asks a receptionist where the practice stores her records either gets a quizzical look, is told they’re protected in an EHR (but the receptionist doesn’t know how), or is told they’re filed in a bank box in “the back room” (but the receptionist doesn’t know why).

In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster.  Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.

Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers, have a disaster recovery plan in place, and so on. But they should also share their security practices and policies with the patient who asks how the office is protecting her records.

Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.

And word gets out through social media that the practice is ‘behind the times.’  The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data.  This is the cockroach running through the restaurant that ends up on Yelp.

It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:

  • Performs annual risk assessments, with additional security implemented as a result, including encryption and physical security of systems that contain patient information
  • Shows patients that the organization has security policies and procedures in place
  • Trains employees on how to watch for breach risks
  • Gives employees only the access to medical records their jobs require
  • Backs up systems daily
  • Reviews system activity logs regularly

Practices that communicate to patients how they are protecting their information, whether through the front office staff, a fact sheet or their websites, not only instill confidence and maintain their reputations, they actually differentiate themselves in the marketplace and attract new patients away from competitors.

About Art Gross
Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started HIPAA Secure Now! to focus on the unique IT requirements of medical practices. Email Art at artg@hipaasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

An Important Look at HIPAA Policies For BYOD

Posted on May 11, 2015 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Today I stumbled across an article which I thought readers of this blog would find noteworthy. In the article, Art Gross, president and CEO at HIPAA Secure Now!, made an important point about BYOD policies. He notes that while much of today’s corporate computing is done on mobile devices such as smartphones, laptops and tablets — most of which access their enterprise’s e-mail, network and data — HIPAA offers no advice as to how to bring those devices into compliance.

Given that most of the spectacular HIPAA breaches in recent years have arisen from the theft of laptops, and will likely proceed to theft of tablet and smartphone data, it seems strange that HHS has done nothing to update the rule to address the increasing use of mobile devices since it was drafted in 2003.  As Gross rightly asks, “If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting how do organizations know what is required to protect these devices?”

Well, Gross’ peers have given the issue some thought, and here are some suggestions from law firm DLA Piper on how to dissect the issues involved. BYOD challenges under HIPAA, notes author Peter McLaughlin, include:

*  Control:  To maintain protection of PHI, providers need to control many layers of computing technology, including network configuration, operating systems, device security and transmissions outside the firewall. McLaughlin notes that Android OS-based devices pose a particular challenge, as the system is often modified to meet hardware needs. And in both iOS and Android environments, IT administrators must also manage users’ tendency to connect to their preferred cloud and download their own apps. Otherwise, a large volume of protected health data can end up outside the firewall.

*  Compliance:  Healthcare organizations and their business associates must take care to meet HIPAA mandates regardless of the technology they use.  But securing even basic information, much less regulated data, can be far more difficult on employee-owned devices than when the company creates restrictive rules for its own devices.

*  Privacy:  When enterprises let employees use their own device to do company business, it’s highly likely that the employee will feel entitled to use the device as they see fit. However, in reality, McLaughlin suggests, employees don’t really have full, private control of their devices, in part because company policy usually requires a remote wipe of all data when the device gets lost. Also, employees might find that their device’s data becomes discoverable if the data involved is relevant to litigation.

So, readers, tell us how you’re walking the tightrope between giving employees who BYOD some autonomy, and protecting private, HIPAA-protected information.  Are you comfortable with the policies you have in place?

Full Disclosure: HIPAA Secure Now! is an advertiser on this website.

Healthcare IT Marketing and PR on the Mind

Posted on April 2, 2015 | Written By John Lynn


Healthcare IT marketing and PR have been on my mind lately as I’ve been preparing for the Healthcare IT Marketing and PR Conference (HITMC) and for HIMSS. We’ve published the full HITMC program if you haven’t seen it yet. It’s going to be a really amazing 2 days of learning for me and everyone who attends. Hopefully many EMR and HIPAA readers can make it. There’s only 5 days left to register for the event, so do so now if you’d like to attend.

We’ve certainly seen the evolution of marketing here on EMR and HIPAA. At first people mostly wanted to buy a link to their site from us since we were on the first page of Google for the term “EMR”. (Side note: Don’t buy links. That’s a bad strategy today.) Then, we started doing banner ads and those have always performed really well for our advertisers since we have such a targeted, niche audience. Recently we’ve been expanding our email marketing, event marketing and sponsored content packages. They’ve really become fully integrated marketing packages that touch on email, social media, blogs, and display advertising. It’s exciting what we’re able to deliver sponsors of our site.

10 years later it’s amazing to think back on the 2239 posts we’ve published, the 9743 comments that readers have contributed and the 10,689,418 pageviews for EMR and HIPAA. I wonder how many emails we’ve sent out with our content over the years, but I don’t have a good way to track it. Just last year I estimate that this blog has sent out 1.25 million emails. Wow! Thanks to all of you who read and contribute.

Every 6 months or so I like to highlight the companies who support the work we do here at EMR and HIPAA. Without them, I wouldn’t be able to be a full time blogger and provide you the content I do. Take a second to look through the list and see if one of them might be able to help you solve a problem you’re working on in your job.

Vocera – Vocera is an interesting story for me, since they acquired a secure messaging company I advised (docBeat). Since that acquisition, I’ve been lucky to advise them on some marketing and they’ve also been sponsoring a number of Healthcare Scene email campaigns. They offer a pretty compelling set of secure, real-time communication solutions for healthcare. Plus, they have a good announcement coming out at HIMSS that I think will set them apart from the other secure messaging solutions out there. Although, I’m not allowed to talk about the announcement yet. You can see Vocera’s HIMSS 2015 plans if you want to meet with them in person and learn about the announcement.

Iron Mountain – It was fun working with Iron Mountain on their Healthcare Information Governance Predictions and Perspectives series. You can find all the entries in that series here and my entry here. Plus, I was able to participate in their #InfoTalk Twitter chat which was really well done as well. I hope they continue the discussion, because it’s an important one.

ClinicSpectrum – Regular readers should be familiar with ClinicSpectrum. They’ve been contributing some great content in our Cost Effective Healthcare Workflow Series. I love how they’re interested in taking the discussion beyond just EHR and meaningful use into how a practice or hospital can optimize their use of technology. Plus, they’re really passionate about the hybrid workflow which mixes technology and people to find the optimal solution. We need more of this optimization in healthcare.

The Breakaway Group (A Xerox Company) – You’ll also likely be familiar with The Breakaway Group and their Breakaway Thinking Series. I’ve always loved the researched based perspective that they provide to the challenges that face healthcare IT. Plus, they offer some unique perspectives on training and learning in healthcare. One of the biggest challenges with any healthcare IT implementation is getting the training right. The Breakaway Group is dead set on solving that problem.

Ambir – Ambir’s been supporting the work we do here since January of 2010. Amazing that they’ve been with us for 5 years. I think that was before I even quit my day job. Most people know them as a scanner company, but word on the street is that at HIMSS 2015 they’ll be announcing a new tablet based product. I’ve heard the concept and I think it’s a really creative approach to solving healthcare’s workflow challenges.

HIPAA Secure Now! – We’re seeing a big wave of healthcare organizations and business associates finally starting to do something about HIPAA. Much of this has been pushed by meaningful use’s risk assessment requirement, but it’s also been driven by all the breaches. HIPAA Secure Now! is offering our readers Free HIPAA Security Training.

Colocation America – Colocation America has been supporting us for 2 years. It’s no surprise that more and more companies are looking to outsource their hosting to a HIPAA compliant hosting solution. Healthcare companies don’t want to be in the hosting business. They want to be in the healthcare business. So, working with a company like Colocation America for their HIPAA compliant hosting needs just makes sense.

A massive thank you to all the companies that support the work we do. We look forward to seeing many from the EMR and HIPAA community at HIMSS in Chicago and then at the Health IT Marketing and PR conference in Vegas.

OCR Fines Are the Least of Your Worries in a HIPAA Related Breach

Posted on August 27, 2014 | Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Ask any medical professional about their biggest concern for protecting patient information and they will probably tell you about the threat of a random audit conducted by the Office for Civil Rights (OCR). OCR is tasked with enforcing HIPAA regulations and can hand out fines of up to $1.5 million per year for violations of an identical provision, whether for a HIPAA breach or for failing to comply with HIPAA regulations.

With recent settlements of $4.8 million paid by New York-Presbyterian Hospital (jointly with Columbia University) and $1.7 million by Concentra Health Services, physicians have good reason to worry.  These massive fines were levied not as the result of a random audit, but following the mandatory reporting of patient data breaches to the Department of Health and Human Services (HHS) and the investigation that followed.  So physicians need to reconsider where their real concerns should lie.

Ponemon Study

The 2013 Cost of a Data Breach Study by the Ponemon Institute calculated lost or stolen patient records at $233 per record. Let’s take a look at how quickly the cost of a HIPAA breach can add up:

# of Records Breached    Cost
1                        $233
10                       $2,330
100                      $23,300
1,000                    $233,000
10,000                   $2,330,000
100,000                  $23,300,000

The cost of the recent Community Health Systems 4.5 million patient records breach could cost more than $1 billion!

Whether a medical provider loses 1,000 or 10,000 patient records the financial impact could easily set back the organization or even put it out of business.  But the “hidden cost” of a HIPAA breach that shouldn’t be overlooked is the damage to the provider’s reputation, lost trust from patients and the resulting sharp decline in revenues.

Lost patient records spark negative publicity.  Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching for a cardiac surgeon referred from PCS finds the negative publicity and decides to keep looking for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.

Other Cost Factors

Beyond revenue loss and a damaged reputation are the direct overhead costs associated with a breach. The cost of discovering and stopping a breach may involve IT services, forensic investigative services to determine which systems and patients were affected, and legal counsel if patients file a lawsuit. There are also hard costs associated with notifying patients affected by the breach, including time spent to pull together their contact information, mailing out notifications and providing toll-free inbound phone numbers to handle complaints. Most organizations also provide identity and credit monitoring services for affected patients. All of these expenses add up, not to mention the cost of lost productivity due to the diverted attention of employees tasked with managing these processes.

Today it’s not uncommon for laptops, tablets and USB drives with patient records to disappear.  Or, for crime rings to hack into EHR systems to steal patient information and commit tax fraud, and for meth dealers to steal patient identities to obtain prescriptions.  If a large hospital system can lose 4.5 million patient records think how easy it is for a hacker to grab thousands of patient records from smaller medical practices and turn them into cash. The threat of a HIPAA breach has never been greater and all organizations should take heed.

Risk Assessment as a First Step

Healthcare organizations, particularly smaller medical practices, should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. The assessment examines the risks of a breach and recommends steps to lower them. Without performing a risk assessment an organization may be lulled into a false sense of security, mistakenly believing it won’t suffer the consequences of a HIPAA breach.  At $233 per lost or stolen record that could be a costly miscalculation.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

Criminals Have Their Eyes on Your Patients’ Records

Posted on June 26, 2014 | Written By


The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!
It’s one thing to have a laptop stolen with 8,000 patient records, or for a disgruntled doctor to grab his patients’ records and start his own practice.  It’s another when the Cosa Nostra steals that information, siphons money from patients’ bank accounts and turns it into an identity theft crime ring.  Welcome to organized crime in the age of big data.

Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.

It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender who uses it to file false tax returns. In fact gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!

Florida is a hotbed for this activity and it’s spreading across the country.  In California, narcotics investigators took down a methamphetamine ring and confiscated information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs to make the illicit drug.

Value of patient records

Stolen patient information carries a high price tag, both for the practice that is fined under HIPAA and on the black market. One lost or stolen patient record is estimated to fetch $50, compared to about a dollar for a credit card record.  Patient records are highly lucrative. The chart below shows the value of the patient information that might be sitting in an EHR system:

Number of Patient Records    Value of Patient Records
1,000                        $50,000
5,000                        $250,000
10,000                       $500,000
100,000                      $5,000,000

Protect your practice

Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security.  Here are seven steps that organizations can take to protect electronic patient information:

  1. Perform a security risk assessment – a security risk assessment is not only required for HIPAA compliance and EHR Meaningful Use, it can also identify security risks that may allow criminals to steal patient information.
  2. Screen job applicants – all job applicants should be properly screened prior to hiring and before being given access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
  3. Limit access to patient information – employees should have the minimal access necessary to perform their jobs rather than full access to electronic health records.
  4. Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. Access to patient information should be recorded, including who accessed it, when, and which records they accessed.
  5. Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day. Reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average, 10 patient records per day and on one particular day retrieves 50 to 100 records.  Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
  6. Security training – all employees should receive security training on how to protect patient information, and should know that all patient information activity is being logged and reviewed.  Knowing that their actions are being observed should dissuade employees from using patient information illegally.
  7. Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a doctor’s lab coat.  Organizations should limit the use of USB drives to prevent illegal activity.
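The audit log review in step 5 (and the “reviews system activity regularly” item on the patient fact sheet in the earlier post) is the kind of check that should be automated rather than eyeballed. The following is an added example, not code from HIPAA Secure Now! or from this blog. It runs the two checks the post names, a per-user daily volume spike against that user’s own baseline and after-hours access, over a constructed audit log. The log format (ISO timestamp, user ID, patient ID, action), the 5× ratio, the floor of 10 records and the 07:00–19:00 weekday business window are all assumptions; real EHR audit logs have their own schemas and every practice has its own hours.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample EHR audit log, not real data. Each line is
# timestamp, user ID, patient ID, action (assumed format). jsmith views
# two records a day and then pulls ten in ten minutes; mrivera views one
# record at 23:15.
SAMPLE_LOG = """\
2015-06-01T09:12:04,jsmith,P1001,view
2015-06-01T14:30:45,jsmith,P1002,view
2015-06-02T08:55:10,jsmith,P1003,view
2015-06-02T16:02:33,jsmith,P1004,view
2015-06-03T10:20:00,jsmith,P1005,view
2015-06-03T11:45:12,jsmith,P1006,view
2015-06-04T09:00:01,jsmith,P2001,view
2015-06-04T09:01:10,jsmith,P2002,view
2015-06-04T09:02:22,jsmith,P2003,view
2015-06-04T09:03:40,jsmith,P2004,view
2015-06-04T09:04:51,jsmith,P2005,view
2015-06-04T09:06:05,jsmith,P2006,view
2015-06-04T09:07:19,jsmith,P2007,view
2015-06-04T09:08:30,jsmith,P2008,view
2015-06-04T09:09:44,jsmith,P2009,view
2015-06-04T09:10:58,jsmith,P2010,view
2015-06-01T10:05:00,mrivera,P1007,view
2015-06-01T23:15:42,mrivera,P1008,view
2015-06-02T09:30:00,mrivera,P1009,view
2015-06-02T13:10:00,mrivera,P1010,view
"""


def parse_log(text):
    """Parse the assumed CSV-style log into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def _median(values):
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def find_volume_spikes(events, ratio=5.0, floor=10):
    """Flag (user, day) pairs whose record count is at least `ratio` times the
    median of that user's other days AND at least `floor` records, so a user
    who normally opens two charts is not flagged for opening a third."""
    per_user = defaultdict(lambda: defaultdict(int))
    for ts, user, _patient, _action in events:
        per_user[user][ts.date()] += 1
    spikes = []
    for user, per_day in per_user.items():
        for day, count in per_day.items():
            others = [c for d, c in per_day.items() if d != day]
            if not others:  # only one day of history: no baseline to compare against
                continue
            baseline = _median(others)
            if count >= max(ratio * baseline, floor):
                spikes.append({"user": user, "day": day, "count": count, "baseline": baseline})
    return spikes


def find_after_hours(events, start=time(7, 0), end=time(19, 0)):
    """Flag accesses on weekends or outside the assumed business window."""
    return [
        {"time": ts, "user": user, "patient": patient}
        for ts, user, patient, _action in events
        if ts.weekday() >= 5 or not (start <= ts.time() < end)
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for s in find_volume_spikes(events):
        print(f"volume spike: {s['user']} viewed {s['count']} records on {s['day']} "
              f"(baseline {s['baseline']:g} per day)")
    for a in find_after_hours(events):
        print(f"after hours: {a['user']} viewed {a['patient']} at {a['time']:%Y-%m-%d %H:%M}")
```

The baseline is each user’s own median, not a practice-wide average, because a front-desk clerk checking in 40 patients a day and a physician reviewing 8 charts both look normal against their own history and abnormal against each other’s. On the constructed log the script reports one volume spike (jsmith, 10 records against a baseline of 2) and one after-hours access (mrivera at 23:15).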

The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals.  Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds for someone else.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.