Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Texting Patients Is OK Under HIPAA, as long as you…

Posted on March 6, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

OCR Director Severino Makes Policy from the Podium

Speaking at the HIMSS health IT conference in Las Vegas on Tuesday, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.

In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate Electronic Protected Health Information (ePHI) with patients through unencrypted e-mail, if the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent.

A HIMSS audience member asked Severino why the OCR hasn’t issued similar guidance for text messaging with patients. “I don’t see a difference,” Severino said. “I think it’s empowering the patient, making sure that their data is as accessible as possible in the way they want to receive it, and that’s what we want to do.”

“Wow! That’s a big change,” said Tom Leary, Vice President of Government Relations for HIMSS. “That’s wonderful. Actually, the physician community has been clamoring for clarification on that for several years now. Our physician community will be very supportive of that.”

The 2013 OCR guidance for e-mails,  and Severino’s announcement about text messages, only applies to communications with patients. All HIPAA Covered Entities and Business Associates are still forbidden to use unsecure communications tools to communicate with each other.

Messages sent through free e-mail services are not private. Google’s Gmail Terms of Service, allow Google to “use…reproduce…communicate, publish…publicly display and distribute” your e-mail messages. Health care providers must use encrypted e-mail or secure e-mail systems to communicate ePHI outside of their organizations.

In 2012, a small medical practice was penalized $ 100,000 for sharing patient information through free Internet services, including e-mail.  According to the resolution agreement, Phoenix Cardiac Surgery “daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.”

While the OCR may be best-known for its HIPAA enforcement, it has pushed healthcare organizations to lower barriers that have prevented patients from obtaining their medical records. The Omnibus Rule required health care providers to only recover actual costs when providing patients with copies of their records.

In its 2016 guidance, the OCR set a $ 6.50 limit (inclusive of all labor, supplies, and postage) for health care providers “that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.”

The federal requirement to recover actual costs, or a flat fee of $ 6.50, supersedes state laws that allowed providers to charge for medical record searches and per-page fees. Maine caps the cost at $ 250 for a medical record, far above the federal $ 6.50 flat fee.

 

CES Really Scared Me. Will HIMSS Make Me Feel Any Better?

Posted on February 22, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Are Consumer Health Care Products Accurate & Safe Enough for Your Healthcare?

At CES, the monstrous electronics show, I saw lots of consumer devices advertised for personal fitness and healthcare. There was even a Digital Health Summit, with a wide range of industry experts.

Some companies were promoting their ability to send data to healthcare providers. That’s scary, since there are no standards governing many of these devices.

A clear message from CES is that the divisions between ‘technology’ and ‘devices’ are diminishing. Alexa, Google Home, and Siri, won’t be tied to stand-alone devices for long. They will be integrated into a wide range of consumer products across a home network, your car, portable devices, and the Internet. It’s not a big leap of the imagination to think that you will be telling Alexa, in your refrigerator, to reset the alarm clock in your bedroom, for an early meeting. And that Alexa will be telling you that you gained a pound, and send that data to your doctor.

Considering the recent news about Amazon getting into healthcare, with Warren Buffet and JP Morgan, it’s logical to think that Amazon will be delivering our healthcare along with our packages. Will you get a colonoscopy notification from Amazon because someone orders a 50th birthday card for you? (Will they only use lubricant if you have Prime? Ok, that might have been a little harsh.)

Loud and clear from CES is the consumerization of healthcare, and it’s scary.

Will data from your consumer products be accurate enough for a health care provider to form a professional opinion?

Will your devices be safe from hacking and interference?

Who will be liable if something bad happens to you because your data wasn’t accurate, or was delayed in transmission?

Should there be a government or industry-based organization setting standards and certifying devices?

ACCURACY

Valencell makes biometric sensor chips for companies to use in their consumer products. They displayed stylish brand-name smart watches that imbed their biometric-sensor chips.

Valencell’s President, Steven LeBoeuf, said that there are no standards for consumer heart monitors. His chips are voluntarily lab-tested and certified for accuracy. He said that some of their competitors’ products can confuse a person’s steps, as they are walking or running, as a heartbeat.

While that might not matter too much to a person casually checking their own vitals, what will happen if incorrect data is sent upstream to your healthcare provider?

This diagram, produced by iHealth, a company that makes ‘consumer-friendly, mobile personal healthcare products that connect to the cloud’, clearly shows their expectation that your data will be communicated to hospitals.

iHealth aptly describes this as a Systematic Framework. Think about how many vendors will be involved in the system. Device manufacturers, chip manufacturers, software designers, programmers, computer companies, communication networks, Internet service providers, cloud services, and more, all before data gets to the hospital.

What if there is a failure? What happens to you if your healthcare is depending on a consumer device? Who is responsible for the security and accuracy of the data through the system? Wanna bet that everyone will be pointing their finger at someone else?

SAFETY

What will protect you from your devices? There are an increasing numbers of stories of consumer products and autonomous cars – the Internet of Things (IoT) – being hacked.

In August, 2017, the FDA issued a warning that a pacemaker was vulnerable to hackers who could remotely kill the battery or modify the performance of the pacemaker. Killing the battery could kill the patient. Remember that this recall occurred because a pacemaker is a medical device governed by the FDA, which doesn’t govern consumer healthcare products.

The Equifax breach, the Spectre and Meltdown flaws in computer microchips, and hackers hijacking baby monitors and surveillance cameras, all show the importance of being able to apply software and firmware patches and updates.

It took a long time for the government to require car companies to recall vehicles for safety problems. How many people will be hurt, or die, before consumer health care products get regulated?

LIABILITY

At CES, AIG Insurance presented this graphic of survey results showing who is liable for a driverless vehicle crash.

Imagine personal injury attorneys salivating over consumer health care product failures. Imagine new types of insurance coverage – or new types of policy exceptions – related to managing healthcare based on consumer product data.

STANDARDS & REGULATIONS

What’s the difference between a medical device and a consumer health care product? What defines a heart monitor? How accurate is a scale? How will a consumer health care product receive security patches? How will consumers be notified their health care products aren’t safe?

Do we want the federal government involved? In 1966, the National Traffic and Motor Vehicle Safety Act required auto manufacturers to notify the government and consumers of safety defects, and recall vehicles. Could our dysfunctional Congress ever agree on a plan to regulate consumer health care products?

What about the industry policing itself? At his annual briefing at CES, electronics industry veteran Shelly Palmer made his case for a Self-Regulatory Organization (SRO) to create and enforce standards to protect consumers from risks associated with the Internet of Things.

The model for this could be PCI-DSS, the Payment Card Industry Data Security Standards, that govern organizations that accept and process credit cards. This standard is self-regulated by a council founded by the credit card companies, and is not overseen by federal or state agencies. It covers credit card processing from end-to-end, from certifying the swipe device on the store’s counter all the way through the merchant processors and banks.

According to its website, the council “provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

If you are a healthcare professional, isn’t this the level of integrity and security you want for consumer products sending patient data to you?

Who would take on the responsibility, not to mention the liability, of policing consumer products sending data to healthcare organizations? The Consumer Technology Association (CTA), or the Health Information Management Systems Society (HIMSS)?

Will it take a disaster for us to find out?

Maybe I will find some answers at the HIMSS health IT conference. I sure hope so.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team.  We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches where more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, that Cottage Health’s insurance company is trying to recover, because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AG’s the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage health generated over $746 million in revenue and had 3,120 employees.  Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, basic IT security like passwords and firewalls, means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.