
Guest Post: HIPAA Responsibility – Whether You Want It or Not

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is a good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement and penalties and the current OCR audit program make it clear that ignorance of whether your business associates (BAs) adhere to HIPAA is not a valid strategy.

In fact, the Ponemon Institute study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal perspective.

The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.

It’s Time to Act

The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to ensure compliance is through your contracting process.

It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, the right to inspect, etc. This due diligence at contracting time pays off in many ways when OCR auditors knock on your door.

The due diligence must be a continual process, not just “once and done”. The laws are changing, and the Health and Human Services (HHS) Office for Civil Rights (OCR) is running its new audit program in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rule while paying less attention to the Security Rule. The Privacy Rule focuses on the “what” (which uses and disclosures are permitted), while the Security Rule focuses on the “how” (the administrative, physical and technical safeguards that protect electronic PHI).

To protect yourself, you should be doing self assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.

Simple Encryption Goes a Long Way

Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.

To prevent large breaches, it is essential that BAs that handle PHI on laptops, portable drives and other electronic devices have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.

Remember, a lost electronic device that contains encrypted data is not considered a reportable breach, with two caveats a practitioner should check: the encryption must be consistent with the HHS guidance on rendering PHI unusable, unreadable or indecipherable (which points to the NIST standards for data at rest), and the decryption key must not have been lost or stolen along with the device. Encryption is an “addressable” rather than “required” specification under the Security Rule, so it is not strictly mandated, but it is a logical first step that will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or within a given timeframe.

Paper Breaches Also a Concern

And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.

Any access to paper records, and the destruction of those records, must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lie around on desks, and make sure all personnel are trained in the handling of paper records.

Training and Education for All

Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.

Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!

March 21, 2012 | Written by

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is part of a 4 part series of blog posts on the HIPAA Breach Notification Rules.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller breaches (fewer than 500 individuals) do not require immediate notification to HHS. Under the HITECH Act rules they must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered; the affected individuals must still be notified without unreasonable delay. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record, whether paper-based or electronic, say medical record #12344, and sends it. The result: a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but some are inevitable. If and when one happens, the CE must evaluate sending a notification to the patient.
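One of the “solid procedures” that catches the misfile described above before the envelope is sealed is a pre-release identity check: the record pulled to fulfil a request is released only if its medical record number matches the request and at least one more identifier agrees. The following is an added example to illustrate that check; it is not code from the original post or from HealthPort. It assumes a request carries the patient identifiers the requester supplied (MRN, last name and date of birth) and that the pulled record carries the same fields; the “MRN plus one more identifier” rule and the near-miss labels are this example’s own policy, not wording from the HIPAA rules.

```python
# Added example (not part of the original post, not HealthPort's code): a
# pre-release identity check for a release-of-information (ROI) workflow.
# Assumptions: a request carries the patient identifiers the requester
# supplied (MRN, last name, date of birth) and the record pulled to fulfil it
# carries the same fields. The "MRN plus one more identifier" rule and the
# near-miss labels are this example's policy, not text from the HIPAA rules.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PatientRef:
    mrn: str
    last_name: str
    dob: str  # ISO date string, e.g. "1970-03-14"


def _normalise(ref: PatientRef) -> PatientRef:
    # Case and whitespace differences are clerical, not identity differences.
    return PatientRef(ref.mrn.strip(), ref.last_name.strip().casefold(), ref.dob.strip())


def classify_mrn_error(requested: str, pulled: str) -> str:
    """Label how the pulled MRN differs from the requested one.

    Returns "match", "adjacent_transposition" (e.g. 12345 vs 12435),
    "single_digit" (e.g. 12345 vs 12344, the case in the post) or "other".
    The label goes into the audit trail so the keying error behind a
    misfile is visible to whoever reviews it.
    """
    if requested == pulled:
        return "match"
    if len(requested) != len(pulled):
        return "other"
    diffs = [i for i, (a, b) in enumerate(zip(requested, pulled)) if a != b]
    if len(diffs) == 1:
        return "single_digit"
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and requested[diffs[0]] == pulled[diffs[1]]
            and requested[diffs[1]] == pulled[diffs[0]]):
        return "adjacent_transposition"
    return "other"


def check_release(requested: PatientRef, pulled: PatientRef) -> Tuple[bool, List[str]]:
    """Decide whether the pulled record may be released against the request.

    Release is allowed only when the MRN matches AND at least one secondary
    identifier (last name or DOB) also matches. Every failed check is listed
    so the reviewer sees why the release was held.
    """
    req, got = _normalise(requested), _normalise(pulled)
    reasons: List[str] = []
    kind = classify_mrn_error(req.mrn, got.mrn)
    if kind != "match":
        reasons.append(f"MRN mismatch ({kind}): requested {req.mrn}, pulled {got.mrn}")
    if req.last_name != got.last_name and req.dob != got.dob:
        reasons.append("neither last name nor date of birth matches the request")
    return (not reasons, reasons)


def sample_queue() -> List[Tuple[str, PatientRef, PatientRef]]:
    """Constructed sample of (request id, requested, pulled) pairs; not real data."""
    return [
        ("REQ-1", PatientRef("12345", "Doe", "1970-03-14"),
                  PatientRef("12345", "DOE ", "1970-03-14")),   # clean match
        ("REQ-2", PatientRef("12345", "Doe", "1970-03-14"),
                  PatientRef("12344", "Roe", "1961-08-30")),    # the post's misfile
        ("REQ-3", PatientRef("12345", "Doe", "1970-03-14"),
                  PatientRef("12435", "Doe", "1970-03-14")),    # transposed digits
        ("REQ-4", PatientRef("12345", "Doe", "1970-03-14"),
                  PatientRef("12345", "Smith", "1999-01-01")),  # MRN ok, person not
    ]


def held_releases(queue) -> List[Tuple[str, List[str]]]:
    """Run the check over a release queue; return the requests that must be held."""
    return [(rid, reasons) for rid, req, got in queue
            for ok, reasons in [check_release(req, got)] if not ok]


if __name__ == "__main__":
    for rid, reasons in held_releases(sample_queue()):
        print(rid, "held:", "; ".join(reasons))
```

Run as a script it prints the three held requests from the constructed queue (REQ-2, REQ-3 and REQ-4) with their reasons; REQ-1 passes because only case and trailing whitespace differ. REQ-4 shows why the second identifier matters: an MRN can be keyed correctly by the requester and still belong to a different patient than the one they named, and releasing on the MRN alone would send the wrong person’s chart.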

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

November 3, 2011 | Written by John Lynn


Guest Post: Expect New Rules to Expand Notification – Current State of HIPAA Breach Notification

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is part of a 4 part series of blog posts on the HIPAA Breach Notification Rules.

It is widely expected that the final Health and Human Services (HHS) breach notification rule will mandate notification in every case. Should this occur as predicted, additional patient education will be needed to avoid the concerns raised in the previous post in this series about patients’ reactions to notices.

Further complicating matters is the fact that hospitals must adhere to HHS rules AND those at the state level. State laws in some cases are more onerous than federal laws, and they continue to change. Just trying to stay on top of all the changes may be reason enough to disclose every instance of breached information. Whether or not it contains protected health information (PHI), some states require patient notification in every instance of the inadvertent release of certain identifying information.

In next week’s post, we’ll cover whether small breaches are still reportable.

October 27, 2011 | Written by John Lynn


Guest Post: Over-Notifying Also Carries Risk – Current State of Breach Notification

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is part of a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Some hospitals feel that, since the risk analysis only produces subjective results, why bother? They believe that the effort and expense incurred delivers no real benefit for the CE or the patient, and they simply notify the potentially affected patient in every instance.

In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.

For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks, such as the risk of someone finding and misusing the information. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo that transposed two digits), chances are good that the post office will either return the records to the sender or the package will go undelivered.

If the records are not accounted for, it is generally accepted that the incident should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT pose a “significant risk of financial, reputational, or other harm” to the patient (the wording of the 2009 interim final rule). This was apparently HHS’s thinking when it required the risk analysis to be conducted.

In next week’s post, we’ll cover the possible changes to the breach notification rules.

October 13, 2011 | Written by John Lynn


Guest Post: Current State of HIPAA Breach Notification – Notify Patients…or Not?

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is the first of a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities: hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?

First and foremost, under the 2009 interim final rule you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When the breach affects 500 or more individuals, it is treated as a large breach: you must notify the patients involved, and HHS and prominent media outlets must also be notified without unreasonable delay, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined that the patient (or patients) faces a significant risk of financial, reputational or other harm.

The issue with the second requirement is the term “significant”. It is very subjective and not fully defined within the rules. Having the CE conduct the risk analysis and determine the extent of the harm itself would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps to under-notify, as the cost of a breach can be very high, both in direct costs and in the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.

In next week’s post, we’ll cover the risks of over-notifying after a breach.
