
October 19, 2011

Securing PHI Feels A Lot Like Y2K

The comments on my posts, and those emailed to me, have been really interesting lately. As I often like to do, I want to highlight the more interesting ones, since many people don’t read all the comments. Here’s one such comment from ip-doctor on my post about de-identified healthcare data.

I am interested in knowing how readers answer John’s question re position on use of de-identified data. My guess is that people don’t know it’s going on and will object to it happening in principle.

Securing PHI feels a lot like Y2K. No doubt breaches occur, and, when they do, they are certainly costly for the offending HCO, but how many examples are there of leaked information being used to harm someone? Seems like the same proscriptions vs. extortion, blackmail, and libel would prevent individuals from using illegally obtained PHI to harm patients.

In fact, the odds that there is a Person A who wishes to harm Person B AND who somehow comes up with Person B’s sensitive PHI AND is able to use it to harm Person B without Person B having ample legal recourse against Person A are hopelessly LONG. Breaches of thousands/hundreds of thousands/millions of records are too large and unspecific to be “used” for nefarious purposes.

We need to secure PHI, but we are hoisting ourselves on our own petards if we let legitimate concerns about the use of patient data block or slow our adoption of EMRs and HCIT for ACOs and PCMHs. Just as there are real benefits associated with use of de-id’ed patient data, there are (significant, hidden) costs with not sharing health data.

The irony here is that the most common, undeniably harmful use of sensitive PHI has been to deny coverage to patients with pre-existing conditions. Kind of makes sense. It is, after all, health information.

Nothing like sharing a post about the fears and challenges of sharing data and privacy, and then following up with a post arguing that the risk might not be as big as many like to make it. Of course, the happy place is somewhere in the middle: we do a good job securing the data while, as HIPAA outlines, avoiding an undue burden on patient care.

September 2, 2011

HIPAA and Football #HITsm

I don’t know about the rest of you, but a big part of me is getting anxious for the start of college football (for my team it starts tomorrow) and the NFL starting on Thursday. It’s one of my favorite times of the year and probably my wife’s least favorite times, but I digress.

During the #HITsm chat today I saw a great quote that talked about HIPAA from Peyton Manning:
@bwilsonIntel – Ben Wilson
RT @jonmertz: HIPAA qte of the week from Peyton Manning: “I don’t know what HIPAA stands for, but I believe in it and I practice it.” #HITsm

In case you don’t follow football, Peyton Manning is recovering from neck surgery and the above comment was a nice way for Peyton to say he didn’t want to talk about his medical information.

How long until someone from Peyton’s doctor’s office or hospital gets canned for looking at his records?

Since we’re talking football, healthcare and HIPAA, I’d be remiss to not mention Arian Foster’s recent tweet. This is what he said:
@ArianFoster – Arian Foster
This is an MRI of my hamstring. The white stuff surrounding the muscle is known in the medical world as anti-awesomeness http://moby.to/zta9xp

That’s right. Arian Foster tweeted a picture of the MRI of his hamstring. Of course, he’s welcome to do this. He’s suffering the consequences of his choice (his team said it’s a violation of their team policies). When I heard about the tweet, all I could think was, It’s amazing what some people will do to make a joke. I know this first hand.

Also, I haven’t dug into Arian’s MRI, but it seems like there might be some info in the corners of his MRI that he might not want people to know, no?

July 29, 2011

Email Archiving in the Healthcare Industry – Guest Post

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: email archiving software.

In today’s business environment, where litigation is an increasingly common way for disputes to be settled, compliance is included in every business plan, and regulations are reaching into business processes everywhere. Email admins must concern themselves with far more than just whether or not email is flowing. They must ensure that messaging meets the various regulations under which their business falls. They may also have to deal with legal holds, compliance reviews, discovery motions, and internal policy enforcement.

An email archiving solution can assist with all of these tasks, and nowhere is this more important than in the healthcare industry. Email is becoming the preferred method of communication, and since there are so many ways in which the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can come into play with data sharing between providers and communications with patients, email archiving can be a very important, and potentially far-reaching, service you can add to your email system.

PHI data in email communications

HIPAA requirements are unique to the healthcare industry, but the scope of these requirements can extend well beyond the boundaries of the doctor’s office or hospital. Both the burden and the potential penalties for non-compliance have been increased by HITECH. Enterprises that deal with healthcare providers, including professional services companies like accountants, law firms and IT consulting practices, will find themselves subject to provisions of HIPAA and HITECH as soon as they take on a healthcare provider as a client.

One of the trickier aspects for messaging is that HIPAA specifically addresses the need to encrypt Protected Health Information (PHI) in email communications. It is very rare for healthcare providers to send PHI by email, as most of them use specialized messaging systems for this. However, this doesn’t mean healthcare providers are not sending or receiving email that indirectly affects the relationship between the provider and the patient, or between the staff and their patients.

There are other items that could be relevant for an investigation. For example, appointment reminders/confirmations (thus validating that the patient was notified); internal email discussions among doctors/nurses (not directly referencing a patient, but talking about treatments or scheduling); and even general HR emails that a doctor was absent due to illness (if the doctor was away when a claim is made that a patient was misdiagnosed, then they would be cleared of wrongdoing) and so on.

Many organizations, not only in healthcare, underestimate the importance of email in terms of content and intellectual property and being able to refer to emails sent six months earlier or last year can be of great benefit. Email archiving is not specifically called for within the text of HIPAA, but by maintaining a copy of every internal email message or any that was sent to or received from partners, vendors, and clients, you can prove conclusively that messages sent contained no PHI, and that any messages that did contain PHI were sent through the proper and encrypted channels.

Some people argue that email archiving is a double-edged sword – damned if you do, damned if you don’t. This is a rather naïve way of looking at email archiving. If you do archive your email, you have assurance that you comply with any regulations in place and if you are subject to legal requests for information that may be traced through an email, you have the ability to find it.

Now the counter argument would be, ‘well, if I don’t have an email archived, I can’t be condemned because the evidence is not there’. Wrong. If you don’t have the email, someone else certainly does and suddenly you’ve found yourself in a worse situation once the evidence is presented.

Proving that you made the effort toward attaining compliance is preferable to doing nothing at all.

Document retention

With email archiving, you can also meet the document retention requirements specified within HIPAA. HIPAA mandates a six-year retention period for information related to PHI. That can be six years from the creation of a message, or from the last date on which the message can be considered relevant. As more communications move from in-person, telephone, and facsimile to email, patient requests and healthcare professionals’ responses will follow suit. An email archiving solution makes it easy to retain these communications for the six-year timeframe, as well as to automatically purge those communications which are older than six years or tagged as no longer relevant.

Search and discovery

An email archiving solution is also an excellent way to access the repository of information contained within the combined emails of a company. Consider how much of your own email is saved because it contains data or instructions that simply don’t exist anywhere else. An email archiving solution can empower a user to search their own archived messages for all content related to a search string, such as a patient’s name; it can also enable an authorized user to search across all users’ email for information related to a patient, a condition, a particular medicine, or any other topic. There may well come a day when you must do this in response to a legal order, but there will also be plenty of times when you need to find a key piece of information, or simply want to spot check to ensure that all users are following the policies in place to protect patients’ PHI.

With an email archiving solution in place, healthcare providers not only position themselves to show compliance, review users’ actions, and meet current document retention requirements, they are also able to build up a historical repository to meet future needs. The healthcare provider can also take advantage of the many benefits of an email archiving solution that are common across all enterprises, including storage, search, and business continuity.

All product and company names herein may be trademarks of their respective owners.

Full Disclosure: GFI Software Ltd. is an advertiser on EMR and HIPAA.

June 15, 2011

Can Providers Cope With EMR Security Challenges?

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody who shouldn’t be looking at a patient’s paper chart got their hands on it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records — plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they did with paper charts. For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you just had to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs. Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of securing their EMR. They can even explain why specific types of security measures will limit their HIPAA exposure, which is the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.

June 8, 2011

HIPAA Requirements PHI in Natural Disasters

Brian Van Zandt, a long time reader of EMR and HIPAA and an account executive at a managed IT services company in New York, NST, sent me the following fascinating question.

I’ve had a conversation with a few people recently about something that’s been on the news a lot recently. A tornado in the Midwest destroyed a hospital, and patient records (I heard about X-rays specifically) were found miles from the hospital. In extreme cases like that, are hospitals still liable for penalties from HIPAA for losing patient information?

First, I have to start with my regular disclaimer that I’m not a lawyer, I don’t play one on TV and much prefer being a blogger. Consult a lawyer for legal advice.

With that disclaimer, it’s a fascinating situation to consider. I remember from my business law classes in college that there’s a legal term called “Act of God” which seems like it might have consideration in this situation. I can’t say for sure that the Act of God defense would work when it comes to disclosure of PHI, but it would be interesting to see it play out.

I think the other consideration and question is what efforts the hospital made to prevent the disclosure of the PHI. How did they act when the tornado warning was announced? What measures had they taken to prevent such an issue, since they likely knew they were in an area prone to tornadoes? What efforts did they put forth once the hospital was destroyed to protect the information that was scattered?

I’m sure there’s a lot more questions that would likely be asked. I’m just trying to start the conversation and hopefully some HIPAA lawyers that read this blog will chime in with more details.

Although, I must admit that my first reaction to reading this question was, would people really have a legal issue with this? My point being that someone would have to bring a legal case against this hospital for us to really find out the legal requirements. It’s just a sad commentary on society if individuals would really bring a HIPAA violation against a hospital that was destroyed by a tornado. I’m all for the legal system when there are issues of negligence. I just don’t see how a tornado’s disclosure of PHI miles away is negligence.

Of course, if the hospital had an EMR, they wouldn’t have to worry about an X-ray being found miles away. Well, unless the hard drive, server, computer, laptop, etc. was blown miles away. Hopefully the data center planning took natural disasters like this into account. Although, even if it didn’t, with appropriate device encryption even this wouldn’t be an issue. It would be like having an encrypted laptop stolen. One more reason to have an EMR instead of paper records.

This is an interesting edge case that I’d love to learn about since every healthcare entity could potentially be hit by a natural disaster. Of course, I’ve seen a lot of discussion about providing healthcare during a natural disaster. I hadn’t thought as much about HIPAA during a natural disaster. Maybe that’s how it should be.

On a more personal note, my thoughts and prayers go out to those who’ve been hit by this disaster and others. I didn’t know anyone in Joplin, but we have family in Springfield, MA which had a tornado cause destruction as well as some fires raging in Arizona that are affecting many people we know. I wish them all the best as they deal with challenging situations.

June 1, 2011

Drug Mailings and Patient Privacy

Many of you have quickly realized that I find it a lot more interesting to write about EMR than I do about HIPAA. Seems like most people prefer to read about EMR than they do HIPAA as well (except for this popular HIPAA Lawsuits post I did eons ago). However, I’m sure that many of you will find this article I found about privacy of medical data quite interesting. Here’s a quote from the beginning of the article which prefaces the health privacy situation quite well.

A pharmaceutical company, Bristol-Myers Squibb Co., sent him an eight-page brochure pitching another medicine, Abilify, used to treat patients “when an antidepressant alone isn’t enough.”

Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996′s Health Insurance Portability and Accountability Act.

Spencer asked a simple question: How did Bristol-Myers Squibb – or the “third-party list company” that the brochure said was the source of his name – know enough to send him that mailing?

The article goes through all the places that had the information that he was on the antidepressant Lexapro: the insurance company, his doctor, the pharmacy. Each, of course, denied having sold his information. After some digging, Bristol-Myers Squibb explained how they actually got Spencer’s health information for the targeted mailing:

Maybe Spencer bought an over-the-counter depression remedy at a store where he has “frequent shopper” card? Maybe he called an 800 number for information? Maybe he answered a survey on health concerns?

I ran all these ideas by Spencer, and he rejected each.

‘Gotcha’?
On Friday afternoon, Bristol-Myers Squibb delivered a “gotcha.” Yes, Spencer was the source of his own privacy breach, according to spokeswoman Laura Hortas.

Hortas says Bristol-Myers Squibb bought the list in question from a reliable list broker. “We only work with list vendors that we know commit to observing U.S. privacy law,” she told me.

And how did the list vendor get Spencer’s name? Hortas says Spencer visited a site called www.WinningSurveys.com at 9:25 p.m. on Dec. 14 and replied to a prompt that said: “Please provide relevant information to me on the following ailments.”

“He selected depression,” Hortas says.

Of course, Spencer denies ever having visited that site. The problem is that I bet Spencer is like most Americans and doesn’t really know what sites he’s visiting anyway. I’m still surprised how many people I talk to don’t know the difference between going to www.emrandhipaa.com and typing emrandhipaa into Google to find the site. I see the stats on my blog that show how many people don’t know the difference. I wouldn’t be surprised if Spencer is one of these people.

I’m not trying to defend sites like WinningSurveys.com. There’s a lot of JUNK on the internet that is absolutely terrible, deceptive and in many cases dishonest. It’s really easy to trap someone into providing their personal information online (although I don’t agree with or use these methods), many times without people even realizing they’ve done it. Is it a breach of someone’s privacy if they were deceived into giving up their information to win an iPad?

I’m also not saying that companies shouldn’t be held responsible for using health information inappropriately. They should be held accountable according to the laws. I just don’t see any violation of HIPAA laws in this case.

I do love the irony that someone so concerned about privacy of his health information now has an article on Philly.com with his name and his health information. That leads me to believe that Spencer isn’t as concerned about the privacy of his information as he puts on. Maybe he’s just mad that he didn’t have a winning survey. I wonder if he’d won an iPad from the survey if he’d be as concerned about the mailings.

March 9, 2011

Guest Post: Meaningful Use and HIPAA

John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.

Do they go together like peanut butter and jelly? Cookies and milk?

Nothing quite as good as these…but they do go together…now.

HIPAA has been around for some time. Many argue that HIPAA has no “teeth”. Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?

In steps Meaningful Use.

Buried in the details of the Stage 1 Core Objectives is a single block that refers to the seemingly innocuous statement of “Conduct a risk analysis per 45CFR164.308(a)(1)”.

A risk analysis seems simple enough…right?

Dig a little deeper and you’ll see something a bit more unpleasant. 164.308(a)(1) requires the following:

  • Risk analysis – clear enough…
  • Risk management – with reference to 164.306(a) – Uh oh…
  • Sanction policy
  • Information System Activity Review

Whew…now it is starting to get ugly. Where shall we start?

As usual, I like to go from easiest to most difficult.

The easiest thing to tackle here is the Information System Activity Review.

This is a mouthful, but your shiny new Meaningful Use certified EHR will have a report for this, which will cover most of this requirement.

In order for this report to show information that is useful, you need to ensure you have set up the users in your EHR in the correct way.

By this I mean:

  • Each user must have their own login,
  • Each user must only have access to the areas of the EHR that are appropriate for their position,
    • By this I mean, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.
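A minimal model of the user setup and activity review described above, added here as an example (it is not code from HIPAAaudit.com or from any EHR product): the section names, the role permissions, and the sample users and access attempts are all constructed assumptions.

```python
"""Role-based EHR access with an Information System Activity Review.

Added example; roles, section names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional

# Hypothetical EHR sections.
CALENDAR = "calendar"
MEDICAL_RECORD = "medical_record"

# Least-privilege mapping from role to the sections that role may open:
# the front desk sees only the calendar, a nurse has full record access.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({CALENDAR}),
    "nurse": frozenset({CALENDAR, MEDICAL_RECORD}),
}


@dataclass(frozen=True)
class User:
    login: str  # one login per person, never shared
    role: str


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    login: str
    role: str
    section: str
    patient_id: str
    allowed: bool


class Ehr:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.activity_log: List[AccessEvent] = []

    def add_user(self, user: User) -> None:
        if user.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {user.role!r}")
        if user.login in self.users:
            # A second person on an existing login would leave the activity
            # review unable to attribute actions to an individual.
            raise ValueError(f"login {user.login!r} already exists")
        self.users[user.login] = user

    def access(self, login: str, section: str, patient_id: str,
               when: datetime) -> bool:
        """Enforce the role's permissions and log every attempt, allowed or not."""
        user: Optional[User] = self.users.get(login)
        role = user.role if user else "unknown"
        allowed = user is not None and section in ROLE_PERMISSIONS[role]
        self.activity_log.append(
            AccessEvent(when, login, role, section, patient_id, allowed))
        return allowed

    def activity_review(self) -> dict:
        """Attempts per login plus every denied attempt: the first things a
        reviewer of the activity report wants to see."""
        attempts: Dict[str, int] = {}
        denied: List[AccessEvent] = []
        for ev in self.activity_log:
            attempts[ev.login] = attempts.get(ev.login, 0) + 1
            if not ev.allowed:
                denied.append(ev)
        return {"attempts_per_login": attempts, "denied": denied}


def run_demo() -> dict:
    """Constructed sample: two staff members and four access attempts."""
    ehr = Ehr()
    ehr.add_user(User("rfront", "receptionist"))
    ehr.add_user(User("nsmith", "nurse"))
    t = datetime(2011, 3, 9, 9, 0)
    ehr.access("rfront", CALENDAR, "P-1001", t)        # allowed
    ehr.access("rfront", MEDICAL_RECORD, "P-1001", t)  # denied: outside role
    ehr.access("nsmith", MEDICAL_RECORD, "P-1001", t)  # allowed
    ehr.access("ghost", MEDICAL_RECORD, "P-1002", t)   # denied: no such login
    return ehr.activity_review()


if __name__ == "__main__":
    for ev in run_demo()["denied"]:
        print(f"{ev.when:%Y-%m-%d %H:%M} DENIED {ev.login} ({ev.role}) "
              f"-> {ev.section} for {ev.patient_id}")
```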

Next time we’ll attack the Sanction Policy.

John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

December 23, 2010

Email is Not HIPAA Secure

An interesting discussion happened in the comments about HIPAA secure fax services in regards to the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don’t understand some of the details about the security (or lack of security) that’s provided by email.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between two email systems, but so far no standard mechanism for encryption between the vast number of email providers has been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc.), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone they send an email which contains a link to an encrypted website that has a unique login. The reason they do this is because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.

One of the major reasons that many people think email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption only protects users logging in to check, read and send their email. It does not encrypt the email as it is sent from Gmail to the destination email system. Aleks from Sfax compared it to a postcard: it’s open, anyone listening can see what’s in the email, and no traces are left behind.

The only security email partially offers in this manner is the sheer volume of emails that are sent. There’s such a huge volume of useless email that there is some security-by-obscurity benefit. That kind of security doesn’t satisfy the HIPAA requirements, though. Plus, remember that one thing computers are great at is crunching large amounts of data.

One minor exception that I might make is that if you’re sending email in an internal email system, then it’s possible to set up email encryption. This is possible because you control the email system for the sender and the receiver and so there are ways to do this. However, I know very few people that have actually set this arrangement up. Probably because if they are on your internal email system they usually have access to your EMR and all the PHI can remain in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.

September 29, 2010

NYC Hospital Puts 6800 Health Records Online

A New York City hospital has apologized for a security lapse that allowed personal information belonging to as many as 6,800 former patients to be published on the Internet.

New York Presbyterian Hospital/Columbia University Medical Center says the information included names, clinical data and a few social security numbers.

The hospital said in a statement that the data had been inadvertently placed on a server, which was accessible online. The information has now been taken down. -Source

This is a pretty sad indiscretion although it is lacking some important details. I hate that it only says personal information for 6800 former patients. Ok, putting ANY health information on an insecure web server is just dumb, but not all health information is created equal. Plus, wouldn’t it be nice to know what happened to cause this issue so that others could learn from their mistakes?

Plus, was the health information placed on the web server in a publicly accessible location, or was it just on the web server? Those would be very different things.

Still something’s wrong if they’re putting patient information on an unsecured server. Makes me wonder what the rest of the story really is though.

September 23, 2010

Healthcare Data Breaches

I was recently sent an Information Week article on the “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars’ health information.

Maybe the real difference with an EHR is that now we can know and track who accesses each patient record. That just means that now we actually know about all the violations whereas with paper charts they’d just happen and we’d likely never know about it or have a way to prove that it happened. So, yes, the number of reported HIPAA breaches should be going up. We have more information to report on.

The good thing long term is that with an EHR we now have tracking mechanisms that allow us to hold someone accountable for their breaches of HIPAA. If this accountability is taken seriously, the number of breaches will go down. That’s a much better long term solution than the naive ignorance of not knowing about breaches in the paper chart world.

Sure, not all EHR software is secure. Vendors need to fix and improve that. However, the numbers and reports I’ve seen don’t indicate that breaching an EHR’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish them appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.
