
April 6, 2011

Meaningful Use and HIPAA – The Risk Analysis

Written by:

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain-free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis.  Some also refer to it as the Risk Assessment.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be just a handful of questions.  It should be a set of targeted questions – partly to confirm that your practice is doing things correctly and partly to prompt the conversations that lead you to fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR, new computer network architecture, and even something as innocent as a new photocopier (more on this later).

A physical change would include any remodeling that might change the layout of the waiting area, or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.


March 16, 2011

Meaningful Use and HIPAA – The Sanction Policy

Written by:

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain-free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies.  Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate.  They are not the same as the company’s human resources policies…they are different, but they enhance the HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff have signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble.

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?).  Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement.  As I expected, the feds are using Meaningful Use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).


December 29, 2010

HIPAA Lawsuit – PHI by Un-encrypted Email

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well and could have consequences related to its release on the internet. However, it definitely doesn’t bring out the privacy critics like a breach of financial-related info would.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedent is set (or a more specific law), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented that they wanted a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI at the risk of someone seeing their health information so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.

Lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.


October 27, 2010

Hospital Breach by Job Applicant

During a bond hearing Thursday in Superior Court, Wheeler’s Macon attorney Reza Sedghi described his client’s actions as a job application gone awry with “no criminal intent or compromise of sensitive patient information.” Sedghi said Wheeler had obtained access to the database with a password and access codes obtained while working on a Macon physician’s connectivity problems with the hospital.

The attorney said Wheeler uncovered seven flaws in the hospital’s system and sought to use the discovery to land a job with the countywide medical complex, spending several hours with Rhodes and David Griffin, the hospital’s security chief.

“They asked for and received a copy of his resume and a written report of his findings,” Sedghi reported in court. “Then they walked out of the conference room and returned with two Warner Robins police officers.”

Wheeler’s acts were stupid, the Macon attorney conceded, but “he had no malicious intent. He was the one exposing the flaws.” (source)

I must admit that I’m a bit torn by the story of this kid who I believe didn’t have any malicious intent when he breached the hospital’s security system. The crazy thing is that if he’d had malicious intent, they likely wouldn’t have known that there were these security holes and that he had breached them.

Certainly the kid is dumb to have done it, but the reaction by the hospital system is terrible. Here’s a quote from the same article excerpt above:

“I condemn any effort of any party to justify his acts,” Rhodes [CIO] said in an exclusive Warner Robins Patriot interview. “This is a criminal act and he did not do Houston Healthcare or its patients any favors. His actions were illegal and we will support the authorities in prosecuting this to the full extent of the law.”

Talk about a major overreaction. Of course his condemnation of efforts to justify his acts makes people more interested in doing so. Honestly, Robert Rhodes, chief information officer for Houston Healthcare, just sounds like an angry CIO whose security efforts were torn to shreds by a 21 year old. I’d be angry too if I were Robert Rhodes. Mostly because Robert Rhodes is the one that should be fired for having such porous security and they should hire Christopher Wheeler to help them actually implement some real security.

Of course, the CIO is quick to point out that “He did not breach our internet security. He got in through a stolen password. He didn’t discover a breach. He was the breach.”

This is just wrong. It wasn’t stolen, but given to him as part of his duties to help the doctor connect to the hospital. That’s not a breach. What’s insane is that a doctor’s password would have the ability to create all these back doors and expose seven flaws in the hospital’s IT systems. The CIO should be held accountable for that. So much for only giving users the access that they need. Or maybe the doctors at Houston Healthcare need that ability. Yeah, right.

I don’t want to give the impression that security isn’t important. It is, and what this guy did was wrong and he’ll be punished in the legal system for what he did. Although, it does seem that it wasn’t with malicious intent and so some leeway should be given there. However, the CIO accepting a C-level executive salary with responsibility over a network with so many security flaws that could be exposed by a 21 year old using a doctor’s password sounds much more inappropriate to me.


June 6, 2010

A Look Back at Popular EMR and HIPAA Posts

I told you on the weekends I’d try to go through and highlight some of my previous 774 posts (but who’s counting?). Obviously, there’s a lot to choose from. So, this time I decided to hit the big red button on my stats program that said “Top Posts for All Time.” Yes, that’s crunching 2,636,682 pageviews to provide this data. That’s right. Over 2.6 million pageviews. I kind of shudder thinking about that. Plus, I didn’t implement this stats system (since it didn’t exist) until well into this blog, but I digress.

2 posts that I knew would be near the top are my Overwhelming List of EMR Companies post which I did back on 2/21/06 and my EMR and EHR vendors page. The former just barely edged out the latter.

Man a lot has changed since early 2006 with that list of EMR vendors. Kind of fun to look back at the state of EMR vendors in 2006. A lot more entrants. Also, I’ve mostly stopped updating that page, and instead have been linking to this EMR and EHR matrix wiki page. Although, I do generally update the EMR and EHR vendors page for those vendors that advertise on EMR and HIPAA.

Coming in close behind my list of EMR and EHR vendors were a couple of posts about the EMR stimulus package (imagine that). One was called “Details of Obama’s EMR stimulus Package” that I posted on 1/24/09 and the other was titled “Economic Stimulus Bill Simplified” that I posted February 17, 2009.

I kind of shudder going back and reading those initial posts. So much of the information was vague and we were doing our best to guess what the government process would produce. Needless to say, we know a lot more about it now than we did then. I’m also glad I updated those posts with a link to my EMR Stimulus presentation. It’s mostly right, but we just have a lot more information now about Meaningful Use and Certified EHR than we had when I gave that presentation. The sad part of course, is that we’re still missing a lot of necessary details.

Another one that’s pretty interesting was a post I did back on June 21, 2006 about HIPAA Violation Examples. Turns out, a lot of people search the web for examples of HIPAA violations. I guess it’s kind of like passing a car wreck. You just need to look. This post is also proof that at least at some point, I’ve written about HIPAA. Thus the name EMR and HIPAA. Ok, I admit it’s probably about 99.6% EMR posts and 0.4% HIPAA posts. When I started I thought HIPAA would be interesting. I was wrong (at least for a computer nerd like me).

Another popular post was one listing the Top 10 Open Source EMR projects. Make sure you read the comments. That’s where the real action happened in that post. I might have to contact Sam Bowen about the Open Source Medical Software’s move to get OpenEMR certified. I’m guessing they still want to, but are just waiting for HHS to get their ducks in a row first.

I still love open source. I’d love to hear more updates about these open source EMR projects. So, if you’re someone who uses or codes for these open source EMR projects, I’d love to get an update (hopefully one I can share on the site).

Ok, that’s enough for now. Let me know if you like these types of posts or not. I bet they’ll get better as I go down the list even more.


April 29, 2010

Guest Post: Will Your New Smartphone Ruin Your Practice?

Written by:

Guest Post: Hayden Hartland works at Spearstone, makers of Spearstone’s DiskAgent offering which provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser along with online backup for your business.

Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, phones such as the iPhone, Android, Blackberry, Windows Phone, Symbian, and Palm are beginning to rival, and in several areas (think GPS, camera and video) exceed the capabilities of laptops and desktops.

Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder then that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed that of laptops in the next five years. Analysts describe a future where smartphones that dock to keyboards and monitors make the laptop obsolete altogether.

The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops where some of the biggest risks lie in viruses, and the eventual failure of spinning hard drives, the biggest risk with a smartphone is the loss and exposure of the information you store on it.

More than 5,000 smartphones are lost or stolen each day. Most smartphones hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – yet there is little or no ability to prevent their compromise if your phone is lost or stolen. Many were carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.

Next time you notice a staff member, equipment rep, supply rep or any BAA using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone access them on the phone?” If you are a medical professional carrying a smartphone you need protection because odds are that eventually you will lose your phone. Furthermore, HIPAA, the FTC and state consumer organizations require notification of all patients of a data breach (not exactly good for any practice or healthcare business).

Current phones and typical user practices do a poor job of safeguarding your confidential information. While many smartphones can require a password or PIN number to use them, few of us can tolerate the hassle of actually using one. We simply use our phones too frequently to put up with it. Yet without one, we’re completely exposed. And while a phone password may protect your information in the case of loss, it can’t stop someone with phone hacking skills who wants to access your information.

Here are some practical tips you can employ to reduce your risks:

  1. Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required after 4 or 8 hours, so that you only need to enter it once or twice a day. If your phone is stolen and locked the thief will either need to hack your phone or reset the phone to factory settings thereby removing all the data in the process.
  2. Create a splash screen when your phone is locked displaying a contact phone number or email address and reward value. Consider etching your name and contact information somewhere on the phone.
  3. Remove sensitive information from your phone as soon as possible.
  4. Write down your IMEI (International Mobile Equipment Identity) number. If your phone is stolen, call your carrier immediately and ask them to deactivate the IMEI number and the phone will be rendered inoperable for calling on all networks. This ensures the phone is unusable although it doesn’t protect any unencrypted information on your phone.

Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a Blackberry Enterprise Server and/or Exchange Mail Server and your users exclusively use the corresponding phones (Blackberries and Windows Mobile devices), you can remotely remove emails and some other sensitive information in the event of a loss or theft. Other alternatives are to deploy encryption software or use the expensive MobileMe services provided by Apple. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser.


June 21, 2009

Lost Laptop with Patient Names, Treatment Summaries and Other PHI

This story out of Oregon came across my feeds today; it tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.

This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out if there was an EMR involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if it gets stolen there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.

2. There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down kind of like they do with stolen cars (same people from what I understand).

Once the stolen laptop is connected to the network, it will call back to the main center and receive the command to wipe out the laptop. Then, it will also give them information about where it was connected in order for police to possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.


March 10, 2008

A Misplaced Box of HIPAA Information

Today I found a really interesting article in Utah’s local paper, the Deseret Morning News. In the story, a box of medical charts was lost by UPS after being sent from a hospital to somewhere in Las Vegas for a Medicare audit. You can read the article for all the facts, but essentially the box somehow got misdirected and ended up being bought by a Utah school teacher purchasing some “scrap” paper.

I was kind of surprised by how long it took the hospital to get in touch with UPS after the box was lost. Ok, so I’m not really surprised that the hospital is not watching all of the HIPAA information they sent out to make sure that it arrives safely, but maybe it should. UPS has some pretty incredible tracking tools these days that really aren’t that hard to use.

The other interesting thing to consider is how these types of audits and information transfers happen in an electronic world. I know that we transfer eligibility lists to insurance companies using Secure FTP and that works quite well. We’ve worked with a scanning company who is scanning our old paper charts and when we need to access one of those old records, they send us an encrypted file through email. That works pretty smoothly.

Unfortunately, I think if a patient wants a record right now or if we needed to send some health information out for an audit (not sure why we would need to) then we’d have to pretty much just print out the electronic record like we do when a patient makes a . In fact, we’ve even made a request to our EMR software company to give us a one click method that will allow us to print the entire chart. It’s a pain to print out everything in the paper chart from what’s scanned in, to prescriptions, to lab results, to referrals, etc etc etc. Any EMR companies have a better way to do this?
