Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Why You Shouldn’t Take Calculated Risks with Security

Posted on May 9, 2018 I Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security and yet I am often met with resistance, a culture of calculated risk prevails.  To these companies and practices, this risk may make sense to them in the short term. Resources are often limited and so they often believe that they needn’t spend the time and money in security.  However, the notion that a company or a practice can take this chance is ill advised.

As a recent study conducted by HIMSS (and reviewed by Ann Zieger here) warns, “significant security incidents are projected to continue to grow in number, complexity and impact.” Thus in taking the calculated risk not to invest in security, companies and practices are creating greater risk for in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even “simple” breaches of user names and passwords as happened to Under Armour’s MyFitnessPal app, become relatively important use cases as examples of the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider.  Beyond the fines or even jail time that the OCR can impose, what these current breaches show us is how easy it is for the public to lose trust in an entity.  For a technology company, this means losing valuation which could signal a death knell for a startup. For a practice, this may mean losing patients.  For any entity, it will likely result in substantial legal fees.

Why take the risk not to invest in security? A company may think they are saving time and money up front and the likelihood of a breach or security incident is low. But in the long run, the risk is too great – no company wants to end up with their name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority.  As the HIMSS report also discussed, there is no one standard for risk assessment and often the OCR is flexible knowing entities may be different sizes and have different resource. While encryption standards and network security should remain a high priority with constant monitoring, there are a few standard aspects of risk assessment including:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incidence response plans.

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures including roles and responsibilities, which should be detailed and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next use case. When discussing a recent $3.5 million settlement, OCR Director Roger Severino recently emphasized that, “there is no substitute for an enterprise-wide risk analysis for a covered entity.” Further, he stressed that “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Though this may seem rudimentary, healthcare companies and medical practices are still not following simple steps to address security and are taking the calculated risk not to – which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

Should Apps with Personal Health Information Be Subject to HIPAA?

Posted on April 10, 2018 I Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

With news of Grindr’s sharing of user’s HIV status and location data, many wonder how such sensitive information could be so easily disclosed and the answer is quite simply a lack of strong privacy and security standards for apps.  The question then becomes whether apps that store personal health information should be subject to HIPAA? Should apps like Grindr have to comply with the Privacy and Security Rules as doctors, insurance companies, and other covered entities already do?

A lot of people already think this information is protected by HIPAA as they do not realize that HIPAA only applies to “covered entities” (health care providers, health plans, and health care clearininghouses) and “business associates” (companies that contract with covered entities).  Grindr is neither of these. Nor are most apps that address health issues – everything from apps with mental health tools to diet and exercise trackers. These apps can store all manner of information ranging simply from a name and birthdate to sensitive information including diagnoses and treatments.

Grindr is particularly striking because under HIPAA, there are extra protections for information including AIDS/HIV status, mental health diagnoses, genetics, and substance abuse history.  Normally, this information is highly protected and rightly so given the potential for discrimination. The privacy laws surrounding this information were hard fought by patients and advocates who often experienced discrimination themselves.

However, there is another reason this is particularly important in Grindr’s case and that’s the issue of public health.  Just a few days before it was revealed that the HIV status of users had been exposed, Grindr announced that it would push notifications through the app to remind users to get tested.  This was lauded as a positive move and added to the culture created on this app of openness. Already users disclose their HIV status, which is a benefit for public health and reducing the spread of the disease. However, if users think that this information will be shared without explicit consent, they may be less likely to disclose their status. Thus, not having privacy and security standards for apps with sensitive personal health information, means these companies can easily share this information and break the users’ trust, at the expense of public health.

Trust is one of the same reasons HIPAA itself exists.  When implemented correctly, the Privacy and Security Rules lend themselves to creating an environment of safety where individuals can disclose information that they may not want others to know.  This then allows for discussion of mental health issues, sexually transmitted diseases, substance use issues, and other difficult topics. The consequences of which both impact the treatment plan for the individual and greater population health.

It would be sensible to apply a framework like HIPAA to apps to ensure the privacy and security of user data, but certainly some would challenge the idea.  Some may make the excuse that is often already used in healthcare, that HIPAA stifles innovation undue burden on their industry and technology in general.  While untrue, this rhetoric holds sway with government entities who may oversee these companies.

To that end, there is a question of who would regulate such a framework? Would it fall to the Office for Civil Rights (OCR) where HIPAA regulation is already overseen? The OCR itself is overburdened, taking months to assess even the smallest of HIPAA complaints.  Would the FDA regulate compliance as they look to regulate more mobile apps that are tied to medical devices?  Would the FCC have a roll?  The question of who would regulate apps would be a fight in itself.

And finally, would this really increase privacy and security? HIPAA has been in effect for over two decades and yet still many covered entities fail to implement proper privacy and security protocols.  This does not necessarily mean there shouldn’t be attempts to address these serious issues, but some might question whether the HIPAA framework would be the best model.  Perhaps a new model, with new standards and consequences for noncompliance should be considered.

Regardless, it is time to start really addressing privacy and security of personal health information in apps. Last year, both Aetna and CVS Caremark violated patient privacy sending mail to patients where their HIV status could be seen through the envelope window. At present it seems these cases are under review with the OCR. But the OCR has been tough on these disclosures. In fact, in May 2017, St. Luke’s Roosevelt Hospital Center Inc. paid the OCR $387,200 in a settlement for a breach of privacy information including the HIV status of a patient. So the question is, if as a society, we recognize the serious nature of such disclosures, should we not look to prevent them in all settings – whether the information comes from a healthcare entity or an app?

With intense scrutiny of privacy and security in the media for all aspects of technology, increased regulation may be around the corner and the framework HIPAA creates may be worth applying to apps that contain personal health information.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

Second Opinions and Dr. Google – Fun Friday

Posted on November 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I have a feeling that this cartoon might rub some people the wrong way. Although, on Fun Friday’s I’m never one to not share something as funny as this.

The key discussion point in this cartoon is doctors’ frustration with patients who are already “self-diagnosed.” Rational people know that there’s a need for balance and respect, but not everyone is rational. Patients should respect the doctor and collaborate with them in their diagnosis process. If patients aren’t careful it’s easy to see how it can go too far and show a lack of respect to the doctor. That said….

It’s also easy to see how doctors can be disrespectful to patients. In today’s #HITsm chat, Erin Gilmer commented that patients wanted to be treated as equals. I suggested that “equals” wasn’t the right term since they weren’t equals. Doctors know some things that patients don’t know and patients know some things that doctors don’t know.

Erin then suggested the term “respected” which is what I used above and I think is a great term to describe how the doctor-patient interaction should be. They should equally respect each other. If that were the case, the above cartoon wouldn’t be so funny.

Patient Burnout – #HITsm Chat Topic

Posted on October 31, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 11/3 at Noon ET (9 AM PT). This week’s chat will be hosted by Erin Gilmer (@GilmerHealthLaw) on the topic of “Patient Burnout.”

“We talk a lot about physician burnout. When do we talk about patient burnout?”

A few weeks ago I tweeted this out and it seems to have struck a nerve. Patient (and caregiver) burnout is a topic that is not addressed nearly enough outside of patient communities. However, burnout needs to be recognized and acknowledged in order to understand the patient experience and to create new solutions to improve health.

Patients are tasked with a lot to maintain and improve their health – things like scheduling appointments, dealing with insurance, managing multiple medications at the pharmacy, preparing for and going to appointments, communicating with healthcare providers, coordinating care between providers, and following care plans at home. All of this is in addition to their everyday lives – including family, work, social lives, and more – and dealing with sometimes very disabling conditions or while in great pain.

Providers who recognize this burnout may be able to understand why a patient might be “noncompliant” and find ways to address the patient’s needs. And those in HIT who want to create real change, can learn from the patient experience and work with patients to ease the burden patients face in managing their health.

Note: Before the chat, you might read: Rethinking the patient: using Burden of Treatment Theory to understand the changing dynamics of illness (open access).

Join us as we dive into this topic during this week’s #HITsm chat using the following questions.

Topics for This Week’s #HITsm Chat:

T1: What does patient burnout mean to you? #hitsm

T2: What would you like healthcare providers to know about patient burnout? #hitsm

T3: How could healthcare providers help you feel less burnt out? #hitsm

T4: What ways can technology help ease patient burnout? #hitsm

T5: What ways has technology made patient burnout worse? #hitsm

BONUS: What helps you deal with patient burnout? What advice would you give to other patients about burnout? Or what do you wish others had told you about burnout? #hitsm

Upcoming #HITsm Chat Schedule
11/10 – Medical Data Impact to Financial Health, Disability and Job Protection
Hosted by Kimberly George (@kimberlyanngeo) from @sedgwick

11/17 – TBD
Hosted by TBD

11/24 – Thanksgiving Break!

12/1 – Using Technology to Fight EHR Burnout
Hosted by Gabe Charbonneau, MD (@gabrieldane)

12/8 – TBD
Hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from @MyOpenNotes)

12/15 – TBD
Hosted by David Fuller (@genkidave)

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.