HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Millions of Electronic Medical Records Breached | Center for Health Reporting


This story first appeared in the Orange County Register and the Los Angeles Register.

Thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans, including 4.6 million Californians, since 2009.

Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records.

These records are more detailed than most consumer credit or banking files and could open the door to widespread identity theft, fraud, or worse.

Consider the case of Tustin-based GMR Transcription Services Inc. The Federal Trade Commission alleges that in 2011 a GMR subcontractor put transcribed medical audio files on a computer server that was then indexed by Google. (link is external)

The files contained patients’ medical histories, including psychiatric disorders, alcohol use and drug abuse. GMR settled the FTC lawsuit in January. In a statement after the settlement (link is external), GMR said the files were no longer searchable and that it was exiting the medical transcription business.

Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider (link is external), HHS’ deputy national coordinator for information technology.

The government is trying to combat potential privacy breaches with a carrot-and-stick approach. It’s offering early adopters of electronic health records advice, an online security assessment tool (link is external), even a “cybersecure” (link is external) computer game to help them learn.

But it’s also threatening, and in rare cases imposing, big fines on insurers, hospitals or doctors that lose control of records.

In May, HHS levied a record $4.8 million penalty (link is external) against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010 some 6,800 patients’ records were accidentally exposed to Internet search engines.

That incident is one of 1,045 cases listed on HHS’ so-called “wall of shame,” a website (link is external) mandated by the 2009 stimulus act that lists every health privacy breach affecting at least 500 individuals.

Individual cases highlight just how weakly protected many medical records are: Hundreds of thousands, even millions of records are typically kept on a single computer. Those records, usually protected by a password, are often not encrypted. That makes them readable by anyone who can crack the password.

“There are some healthcare providers who are not going to have any problem” safeguarding electronic health records, said Pam Dixon, executive director of the World Privacy Forum (link is external) in San Diego. “There are other health care providers who are just like a sieve.”

The government does “provide good guidance,” said Justin Brookman, consumer privacy director at the Center for Democracy & Technology (link is external), a Washington, D.C., nonprofit that promotes online privacy. “But most of the breaches we’ve seen have been people not following” that guidance.

There is “a 1 percent chance of very bad things happening,” Brookman added. “It is foreseeable or should be foreseeable.”

Other examples:

  • Sometime between Feb. 14 and March 27, 2014, computer “malware” captured information from three computers at the UC Irvine Student Health Center (link is external) and fed data involving 1,813 students – including names, addresses, insurance and bank information, as well as medical information – to unauthorized servers. UCI is upgrading its security.
  • In October 2013, someone broke into a sixth-floor office in Alhambra and stole two laptops. The laptops contained information for 729,000 patients of AHMC Healthcare (link is external), which runs Anaheim Regional Medical Center and five hospitals in Los Angeles County. The computers contained patients’ names, Medicare and insurance identification numbers, diagnosis codes and insurance payments. Spokesman Gary Hopkins said there is no evidence patient information was ever used.
  • In one of the biggest breaches in California history, an unencrypted desktop computer was stolen from the Sacramento administrative office of Sutter Medical Foundation (link is external) in October 2011. The computer contained personal medical information, including diagnoses and procedures, for 943,000 patients. In response, Sutter sped up efforts to encrypt its computers.


Impact of New HIPAA Enforcement Leader


As the Department of Health and Human Services' Office for Civil Rights prepares for a change in its top leadership, information security leaders are watching to see whether the strategies of the HIPAA enforcement agency might shift as well.

On July 9, OCR Director Leon Rodriguez, who had held the post of the nation's top HIPAA privacy and security rules enforcer at HHS since 2011, was sworn in as the new director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

But his successor at OCR, Jocelyn Samuels, who currently serves as the acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, won't be starting in her new post for a while.

"Transition demands at the Department of Justice have delayed Ms. Samuel's arrival for a few weeks," an OCR spokeswoman tells Information Security Media Group. "In the interim, HHS leadership are acting in her stead."



Jocelyn Samuels

Samuels was named last week by HHS Secretary Sylvia Mathews Burwell to replace Rodriguez. He was nominated by President Obama in December and confirmed by the Senate in June 2014 as the director of U.S. Citizenship and Immigration Services, which has nearly 18,000 employees and administers the nation's immigration and naturalization system.

DOJ Work

While Samuels has served in the civil rights division at DOJ, the agency has paid particular attention to pursuing Americans With Disabilities Act cases and enforcement actions related to the Supreme Court's Olmstead ruling, which provides rights to individuals with disabilities to live outside of institutionalized care, notes the Boston Globe in a June 24 article about the 15th anniversary of the court's decision. Other healthcare-related cases pursued by the DOJ during Samuels' tenure involved rights of the hearing impaired, notes Elizabeth Hodge, a healthcare compliance attorney at the Tampa, Fla.-based office of national law firm Akerman LLP. "There were cases fining hospitals as well as smaller practices" over their lack of access to healthcare for the hearing impaired, she says.

In addition to enforcing HIPAA compliance through activities that include breach investigations and random compliance audits, OCR also enforces protection against unfair healthcare treatment or discrimination based on race, color, national origin, disability, age, gender or religion. While Samuels' arrival at OCR will not change the mission of the agency, how its limited resources are divvied up among its various enforcement activities could potentially shift.

Challenges Ahead

The greatest challenge facing Samuels is OCR's need for additional financial and human resources, says David Holtzman, a former senior adviser at OCR who's now a vice president at the security consulting firm CynergisTek.

OCR's mission and responsibility was significantly expanded through Congressional mandates in the HITECH Act and the Affordable Care Act, he notes. "For example, the HITECH Act required OCR to expand enforcement of the HIPAA rules to business associates, required investigation and imposition of penalties on HIPAA violations due to willful neglect, and established an audit program. The ACA expanded the rights of individuals to access healthcare without regard to their sexual orientation or gender identity. However, Congress did not appropriate additional funding to carry out this mission."

Holtzman calls on Samuels to "continue the efforts begun by her predecessor to use her 'bully-pulpit' to raise the visibility of OCR and work with Secretary Burwell for appropriation of additional support for OCR's mission."

Striking a Balance

Even when it comes to OCR's various HIPAA enforcement activities, which range from breach and complaint investigations to the planned resumption this fall of the HIPAA compliance audit program, Samuels will be faced with a delicate juggling act, says privacy and security attorney Adam Greene, a partner with Davis Wright Tremaine in Washington.

"One of the biggest challenges for Ms. Samuels will be to ensure that the agency continues to strike a reasonable balance with respect to enforcement," says Greene, who also formerly was a member of the OCR staff. "OCR initially focused on voluntary compliance rather than seeking financial penalties and settlements, and some within healthcare complained that the lack of enforcement led to insufficient resources allocated to HIPAA. Now, we have started to see more multi-million dollar settlements, and some question whether the penalties are disproportionate to the conduct and harm."

A challenge for Samuels, Greene says, is "to strike the balance where HIPAA is seen as having 'teeth' but covered entities and business associates can still count on OCR as being reasonable when there are areas of ambiguity or privacy or security issues occur despite good efforts at compliance."

Enforcement Actions

In OCR's latest HIPAA enforcement activity, the agency in June announced an $800,000 settlement with Indiana-based community health system Parkview Healthcare for a 2009 breach involving paper medical record dumping and affecting between 5,000 and 8,000 patients. That settlement followed a $4.8 million resolution agreement revealed in May involving two New York healthcare organizations - New York-Presbyterian Hospital and Columbia University. The OCR investigation into that incident, which involved unsecured patient data on a network and affected about 6,800 patients, uncovered other HIPAA compliance issues, including the lack of a risk analysis and failure to implement appropriate security policies.

Those OCR settlements are among 21 HIPAA resolution agreements that included financial payments since 2008, plus one case that involved a civil monetary penalty, which is considered more punitive. However, since the HIPAA Omnibus Rule took effect last year, OCR has indicated that it's ramping up HIPAA enforcement, which includes plans to resume the HIPAA compliance random audit program later this year (see HIPAA Enforcement: A Reality Check).

OCR's enforcement strategy to date of issuing HIPAA resolution agreements and sometimes hefty financial settlements to a small number of select covered entities has been an effective compliance tool, Hodge contends.

"Given OCR's limited resources, targeted resolution agreements that bring focus on a variety of compliance issues and breaches, and a range of different kinds of covered entities, grab attention," she says. "The next thing we might see are resolution agreements involving business associates."

Under HIPAA Omnibus, business associates are directly liable for HIPAA compliance.

But those cases also take up OCR resources. "I believe it is important that director Samuels work with secretary Burwell to put into place the resources needed to effectively respond to the large number of complaints being received by OCR," Holtzman says.

"All too often, complaint investigations and compliance reviews begun by OCR drag on for many, many months because there are not enough investigators in the regional offices to keep up with the complaints filed by consumers. Almost all complaint investigations can be resolved informally through the voluntary corrective action of covered entities," he says. "Covered entities and business associates deserve the opportunity to a prompt investigation and resolution of these agency enforcement activities."




OCR clarifies omnibus HIPAA questions | Government Health IT

Last week I had the opportunity to attend and present at this year’s American Health Lawyers Association (AHLA) annual conference in New York. It turned out to be an excellent opportunity for exchanging ideas as well as offering in-depth discussions of many of the compliance challenges in healthcare. Additionally, it was a chance to hear first-hand from the Office for Civil Rights (OCR) regarding various aspects of the rules and their interpretations. What OCR is thinking, or how it interprets the rules, has always been a major topic of interest.

That was indeed the case as the discussion turned to the subject of Business Associates (BAs). The rule is clear: BAs must comply with the technical, administrative and physical safeguard requirements under the security rule and those use or disclosure limitations expressed in the contract and the privacy rule. 

Right? Well, maybe that’s not so clear.

There was a fair amount of discussion around the fact that not all BA relationships are equal and that there may be cases where not all security provisions apply. In those instances where this can be determined at the point of contracting, it was opined that the contract and/or the Business Associate Agreement (BAA) can include the phrase “as applicable” to recognize that not all security rule provisions may apply. It is important though when going this route to clearly identify what does and does not apply so that expectations are set and both sides know how to perform. 

[See also: Top 10 Government Health IT stories of 2014, thus far.]

Another hot topic that was discussed (and seemingly put to bed by OCR) was whether encrypting data relieves a vendor of its BA responsibilities. You might recall that shortly after the Omnibus Rule was released, OCR let it be known that it would consider whether encryption might be relevant as a factor when determining BA responsibilities or status. The question posed was this: if the vendor simply hosts the data, or the system containing the data, and the data is encrypted by the Covered Entity (CE), which retains the keys so that the vendor cannot gain access to the information, should that not obviate BA status? The short answer was no, it does not relieve those responsibilities. The rationale was simple. Organizations that host a CE’s electronic protected health information (ePHI), or systems containing ePHI, have security responsibilities that go beyond simple access management. They are responsible for areas such as contingency planning and physical security that have little to do with access management and are absolutely required of anyone maintaining critical systems or ePHI. So, final answer: encryption does not relieve vendors of BA responsibilities.

There were several other topics regarding BAs discussed such as how liability flows from CE to BA to each successive layer of subcontractor and how the Federal Common Law of Agency applies, which is discussed in the Preamble of the Rule, meaning that the CE is responsible for the actions of those it elects to designate as its agents. As always, it is important to not only read the body of the rule, but the Preamble language as well because it typically explains and expands on the rule for interpretation purposes.

The last topic I’ll address is that of the Conduit Exemption. OCR’s representative provided a good explanation of how to apply this exemption and the background for the provision. When the exemption was first conceived electronic transmission of data was not the issue. The issue was the transportation of hard copy PHI through mail services. The conduit provision is very limited. It focuses on transportation or transmittal of PHI. There is no retention of the data contemplated.

[From sister site Medical Practice Insider: 3 crazy HIPAA breaches.]

Storage, if it occurs, is incidental to the transmission or transportation process and occurs only for the minimal amount of time necessary to support that process. When the question was asked, ‘how does this exemption apply to electronic transmissions?’, the criteria did not change. If a vendor is simply providing transport of ePHI, then storage, if necessary, should only occur for the brief period necessary for the information to pass through the vendor’s environment. If the vendor hosts the information, or holds it for any reason beyond what is required to move it through its environment, it is a BA and the Conduit Exemption does not apply.

I leave you with one interesting “conundrum,” as the participants in the discussion described it, to ponder. It applies to the use of personal email at work, meaning allowing workforce members to use their personal email (Google, Yahoo, etc.) while on the job. The question posed was whether the CE’s permitted use of personal services creates a BA relationship by default if workforce members use their personal service to transmit ePHI. Think not only email, but texting, images, etc. Several were of the opinion that this did create a BA relationship.

While you are wrapping your head around the potential implications of that one let me say, this was a great conference. AHLA organized a first class agenda and an excellent faculty that generated a lot of very interesting, thought provoking and relevant discussions. I heartily recommend it for any internal counsel or law team working with healthcare.




Meaningful Use Audits, RAC Audits, and HIPAA Audits | EMR and HIPAA


Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening across every size organization and are conducted by the CMS hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the self-attestation objectives and others detailing the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, then you’ll want to take some time to go through the document to make sure you can provide the necessary documentation if needed. In many cases this simply includes dated screenshots to prove measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not totally rely on them.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization that wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold as CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. While no RAC audits are occurring right now, that doesn’t mean that once the RAC audits resume, the claims you’re filing today can’t and won’t be audited.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that it would be surveying 800 covered entities and 400 business associates to select the next round of audit subjects. An OCR spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike previous audits that were done by KPMG, these HIPAA audits will be done by OCR staff. One area that these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be overstated and is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

Summary
No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.




Stanford physician's startup makes it a breeze to build HIPAA-compliant mobile health apps


A plethora of health-related apps and devices should be hitting the market in the next year or two. And the data that these apps and devices collect could help your doctor provide a more holistic picture of your health.

But, as I wrote a few weeks ago, when that health data crosses the line from consumer health cloud into the healthcare delivery system, HIPAA privacy rules will come into play.

One company, started by a Stanford physician, has foreseen this challenge to device and app developers, and is offering a way to easily comply with HIPAA’s often stringent rules. These “medical grade” apps can then safely share data with clinical systems.

“With Medable, mobile apps can make it easy for users to communicate with their doctors, nurses, and caregivers, and also to provide them with any kind of data originating from their mobile devices,” company co-founder Dr. Michelle Longmire tells VentureBeat. “That lets everyone receive the data, visualize it, and then communicate about it in a very natural way.”


Health app developers can use the platform to build new applications or to integrate Medable features into existing applications, Longmire says. Medable also offers numerous application features like patient and provider profiles, two-factor authentication, and “push” messaging. These features are delivered through a software development kit (SDK) and an application programming interface (API).

“If push messages are sent to care providers, they contain only the metadata, not any identifiable information,” Longmire explains. “So a physician might receive a message saying ‘an image is available for you,’ but the doctor would need to log in to get the image.”

Longmire says Medable uses the HL7 clinical data format, so it can integrate with, and exchange data with, any electronic health record system that uses HL7 format, and the majority of them do.

The main concern of HIPAA rules is guarding “protected health information” or “PHI” from the eyes of those who don’t need to see it for clinical purposes.

Longmire says the Medable platform encrypts all PHI in several ways — on the device, in transit and then on the Medable platform.

The Medable platform can also anonymize large amounts of clinical data so that researchers can study it. Additionally, Medable provides all of the capability needed for HIPAA auditing and clinical data reporting.

The bottom line is that Longmire’s platform gets app developers out of the privacy and compliance business, at least where it concerns sharing data with hospitals or medical groups.

“Medable allows developers to focus on the content of their apps, instead of on data security, which is not their specialty,” Longmire says.

The global health market was at $6 billion in 2013, but it’s projected to be a $26 billion market by 2017.




Health Data Startup Addresses HIPAA Issues Apple Hasn’t


Health and fitness-tracking apps and devices are set to take off. The growth of the area, further propelled by platforms developed by Apple (NASDAQ:AAPL) and Samsung (SSNLF.PK), will propel the adoption of these apps and services both by consumers and by healthcare systems and providers. As VentureBeat’s Mark Sullivan reports, these health apps and services will come under the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA) regulations over the privacy of personal health data.

Those regulations were widened last year to safeguard users’ “protected health information” not only at clinics, hospitals, and insurance companies, but also in computer systems that manage health data, and as apps blur the distinction between services created for consumers and services created for the healthcare industry, developers will need to consider how to make their apps’ handling of data HIPAA-compliant.

Medable, a Palo Alto startup co-founded by Stanford physician Michelle Longmire, is prepared for that challenge. It offers a platform that enables the easy development of apps that comply with HIPAA’s security and privacy regulations. Apps built on Medable’s platform will be able to safely and legally share users’ data with healthcare providers, making it possible for developers to build apps where users will be able to communicate with doctors, nurses, and caregivers, plus track, visualize, and share the health-related data that they collect with their smartphone and any connected devices. Medable offers developers a variety of options, including its platform as a service, cloud services, an assortment of APIs, and an integrator partner program. Though Medable is a mobile-first service, the platform enables developers to build desktop, tablet, and web apps as well.

In a post on Medable’s blog, Trevor Goss writes that the company’s mission is “to make health data universally accessible and connected.” Goss refers to Medable as “the world’s first medical-grade platform-as-a-service,” which will enable developers, doctors, hospitals, medical device manufacturers, and others to quickly and “easily build HIPAA-compliant applications and services.” Medable says “medical-grade” refers to the platform’s ability to support both clinical applications — with features such as communication between healthcare providers and patients, collaboration among patients and multiple providers or providers and multiple patients or other providers, and patient-controlled data sharing — plus personal health information — compliant with HIPAA and compatible with wearables, implantables, and in-home devices.

Sullivan reports that developers will be able to use Medable to build new apps, or integrate its features into existing apps. Longmire told VentureBeat that Medable offers features like patient and provider profiles, two-factor authentication, and security-conscious push messaging. They’re all available in Medable’s software development kit and API. Medable uses the HL7 clinical data format, also used by the majority of health record systems, so that it can integrate with or exchange data with any record system that uses the format. The platform can also anonymize large amounts of data for clinical study, and enables both HIPAA auditing and clinical data reporting. 

As Sullivan puts it, the Medable platform “gets app developers out of the privacy and compliance business, at least where it concerns sharing data with hospitals or medical groups.” Longmire tells him that, “Medable allows developers to focus on the content of their apps, instead of on data security.” 

Sullivan noted in June that what determines whether HIPAA requirements apply to a given app is “who is handling the data.” In the past, consumer apps have been clearly separated from apps intended for doctors and other healthcare providers. But with the growing prevalence of cloud services that enable the uploading and sharing of data, those lines blur. Apps that enable consumers to transmit their data to the cloud, where healthcare providers access it and can provide feedback, will likely need to be HIPAA-compliant because the widening regulations can be interpreted to include app developers whose apps “manage and transmit” protected health information.

Both Apple and Samsung will have HIPAA regulations to contend with as they develop HealthKit and SAMI, as both platforms are clearly intended to collect and send patient health data. That’s especially clear given that both companies are reportedly working with Epic, an electronic health record software provider. But neither company has yet unveiled detailed plans for data security in those platforms.

Since Apple’s HealthKit allows for apps to share data with each other, HIPAA compliance should become especially important for apps integrated with the platform. But just as app developers are unlikely to want to get into the privacy compliance business, Apple and Samsung aren’t likely to want to actively enforce HIPAA compliance as a requirement for apps to be accepted into their app stores. That’s partially because HIPAA was written well before the development of the iPhone, and even with last year’s amendments, the terminology it uses leaves some room for interpretation.

Following Apple’s announcement of HealthKit and the corresponding Health app at the Worldwide Developers Conference, several websites have posted guides for developers who are researching the daunting task of complying with HIPAA’s regulations without much guidance from Apple. Most developers simply don’t know much about the regulations, and how they relate to the apps and services that new technologies and platforms make possible. But HIPAA places responsibility on the shoulders of developers, who will need to make sure that apps that deal with protected health information account for privacy and security in communications, notifications, data sharing, and data storage.

Developers have a few options, like Medable, to remove the burden of compliance from their shoulders. TrueVault provides a secure and HIPAA-compliant API for the storage of health data, and Accountable offers HIPAA compliance management as a service. Medable’s Longmire told Stephanie Baum of MedCity News last year that she wanted Medable to be “one of the key utilities for clinical health.” At the time, Longmire estimated that HIPAA compliance represented as much as 80 percent of app development costs, and said that the process could delay an app’s release for up to a year. Longmire told Baum that she envisions Medable as a solution to save developers both time and money:

“She sees plenty of scope for Medable’s platform to be used by small developers to health systems and companies across the health ecosystem. Longmire likens the company’s business model to Dropbox -- there’s a freemium, but it scales with data utilization.”

Though the development of the health app sphere is largely still in its infancy, it seems inevitable that many, if not most, of the health-related apps that consumers will use in the future will share data with doctors, clinics, or hospitals. That makes HIPAA regulation of apps and services not only inevitable but truly necessary, and Medable seems to have hit on an idea that could turn out to be a smart and far-reaching solution for developers building for Apple, Samsung, and a variety of other platforms.

The introduction of platforms like HealthKit and SAMI should represent a turning point in discussions about privacy and security compliance, so that it will be more clear what apps and services need to do to be compliant and secure while delivering innovation to consumers and healthcare professionals. But for individual app developers, a service like Medable may be all they need.

If several — or even one — health apps are built on Medable’s platform, that could set a precedent and get more developers on board, both with HIPAA and with Medable. HIPAA-compliant apps that collect patient data, enable better communication between doctor and patient, and are compatible with the records systems that most healthcare providers already use are a benefit for patients, healthcare providers, and regulators. These apps and services, intended for both consumers and providers, will very likely represent the future of health apps.



Why Are Telemedicine Systems So Expensive? | EMR and HIPAA


Like many other enabling-technologies in healthcare, telemedicine has vast unrealized potential.

If we make location completely irrelevant and can deliver care virtually, we can address the supply and demand imbalance plaguing healthcare. The benefits to patients would be enormous: lower costs and improved access in ways that are unimaginable in the analog era.

However, one of the many roadblocks to adoption is the cost of the legacy technology powering clinical telemedicine use. In this post, I’ll outline why the telemedicine systems are so expensive, even in the era of Skype and other free video-conferencing systems.

The Telemedicine Industry Is Old…School

Telemedicine as an industry has existed for about 15 years, although uses of telemedicine certainly predate that by another 10-20 years. A decade and a half ago, the foundational technologies that enable video-conferencing simply weren’t broadly available. Specifically, early telemedicine companies had to:

1) Develop and maintain proprietary codecs
2) Design and assemble hardware (e.g. proprietary cameras) and device drivers
3) Deploy hardware at each client site and train end users on its management
4) Build an expensive outside sales force to carry these systems door-to-door to sell them
5) Endure long, grant funding-driven sales cycles

Though some of these challenges have been commoditized over the years, many of the legacy players still manage and maintain the above functions in-house. This drives up costs, which in turn must be passed onto customers. Since many customers initially paid for telemedicine systems with grant money (that telemedicine technology companies helped them write and receive), the market has historically lacked forces to drive down prices. Funny how that seems to be a recurring theme in healthcare!

But there’s a better way

Today, many startups are building robust telemedicine platforms with dramatically lower cost overhead by taking advantage of a number of technologies and trends:

1) Technologies such as WebRTC commoditize the codec layer
2) The smartphones, tablets, and laptops already owned by hospitals (and individual providers) have high quality cameras built into them
3) Cloud providers like Amazon Web Services make it incredibly easy for young companies to build cloud-based technologies
4) Digital and inbound marketing enable smaller (and inside) sales forces to succeed at scale.
5) To reduce the cost of care, providers are increasingly seeking telemedicine systems now, without wading (and waiting) through the grant process of yesteryear.

In short, telemedicine companies today can build dramatically more cost-effective solutions because they don’t have to incur the costs that the legacy players do.

Why don’t the old players adapt?

The simple answer: switching business models is exceedingly difficult. Consider the following:

1) Laying off hardware and codec development teams is not easy, especially given how tightly integrated they are to the rest of the technology stack that has evolved over the past decade

2) Letting go of an outside sales force in favor of crafty, cost-effective inside sales is an enormous operational risk

3) Lobbying the government to provide telemedicine grants provides an effectively unlimited well to drink from

Changing business models is exceedingly difficult. Few companies can do it successfully. But telemedicine is no different from all the other businesses that thought they were un-disruptable. Like all other technologies, telemedicine must adapt from legacy, desktop-centric, on-premise solutions to modern, cloud-based, mobile and wearable-first solutions.




Jocelyn Samuels to head HHS Office for Civil Rights

Jocelyn Samuels has been named the next director of the Office for Civil Rights, the unit within the U.S. Department of Health and Human Services that enforces HIPAA compliance, an OCR spokeswoman confirmed Tuesday in an email to FierceHealthIT.

Samuels replaces Leon Rodriguez, who was confirmed as director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security. He had held the top OCR post since 2011.

The OCR is expected to ramp up HIPAA audits this fall, though with a narrower focus, and an OCR attorney has warned that the whopping fines of the past year will "pale in comparison" to those coming in the next 12 months.


Samuels comes from the Department of Justice, where she is the acting assistant attorney general for the Civil Rights Division.

Former OCR senior privacy and security adviser David Holtzman, considered a prime candidate to replace Rodriguez, left in November. Another potential candidate, Susan McAndrew, OCR's deputy director for health information privacy and security, who had worked on the HIPAA Privacy Rule for HHS since May 2000, has retired.

Massive change is coming to HHS. In January, Karen DeSalvo took over as National Coordinator for Health IT. Sylvia Mathews Burwell was named HHS secretary in early June.

A rash of HHS executives are leaving, including Mike Hash, director of Office of Health Reform; Gary Cohen, director of the Center for Consumer Information and Insurance Oversight; CMS principal deputy administrator Jonathan Blum; Lygeia Ricciardi, director of the Office of Consumer eHealth at the Office of the National Coordinator for Health IT; and Joy Pritts, ONC's first chief privacy officer.

In late May, the agency revealed plans to reorganize, cutting the number of offices within the agency from 17 to 10.

Technical Dr. Inc.'s curator insight, July 12, 2014 3:07 AM

Contact Details :
inquiry@technicaldr.com or 877-910-0004
- The Technical Doctor Team


Health system caught up in an $800,000 breach | HIPAA Update


The hits just keep on coming. HHS announced June 23 that OCR entered into a resolution agreement and an $800,000 settlement with Parkview Health System, Inc., in Fort Wayne, Indiana, for alleged HIPAA Privacy Rule violations.


Parkview obtained the medical records of 5,000–8,000 patients while helping Dr. Christine Hamilton transition her patients to new providers upon her retirement. It was believed that the health system was interested in purchasing a portion of Dr. Hamilton’s practice. Parkview failed to safeguard the PHI of these patients when its employees left 71 cardboard boxes of these medical records outside the physician’s home while she was not there. The home is within 20 feet of a public road and is near a shopping center, according to the press release.


The resolution agreement states that Dr. Hamilton filed the complaint against Parkview. The investigation revealed that when Parkview employees left the medical records at Dr. Hamilton’s home, they were aware that she was not there and that she had previously refused delivery of the records.


Parkview’s corrective action plan states that it will do the following:

  • Develop, maintain, and revise written HIPAA Privacy Rule policies and procedures for its workforce with HHS approval
  • Distribute HHS-approved policies and procedures to members of its workforce
  • Ensure that new, approved policies and procedures provide for administrative, technical, and physical safeguards to protect PHI
  • Notify HHS in writing within 30 days of a violation of the new, approved policies and procedures
  • Provide general safeguards training for its workforce members who have access to PHI


Hospitals 'very sloppy' about security efforts


Healthcare facilities are constantly in danger of being hacked and having data stolen, but two researchers have found that many hospitals themselves leak valuable information online.


The data leaks result from network administrators enabling Server Message Block, or SMB, which, when configured a certain way, broadcasts the data externally, researchers Scott Erven, head of information security for Essentia Health, and Shawn Merdinger, an independent healthcare security researcher and consultant, shared in a recent Wired article.


SMB is a protocol used by administrators to quickly identify, locate and communicate with computers and equipment connected to an internal network, according to the article. Erven and Merdinger found that hospitals misconfigure the SMB service, leaving it reachable by outsiders.
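One way a hospital network team could check its own edge for this kind of exposure is to scan firewall accept logs for inbound SMB flows from public addresses. The script below is an added example, not code from the article or the researchers; the log format and all addresses are constructed (IANA documentation ranges stand in for public addresses).

```python
"""Flag SMB services reachable from outside the perimeter, from edge-firewall logs.

Added example (not from the article). It parses constructed, simplified
firewall log lines and reports every internal host that accepted an inbound
connection to an SMB/NetBIOS port from a non-RFC 1918 source address.
"""
import ipaddress
import re
from collections import defaultdict

# SMB over TCP (445) plus the NetBIOS name, datagram and session services.
SMB_PORTS = {445, 139, 137, 138}

# Address space that should never appear as an external source on the edge.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Hypothetical log format (not a real vendor format):
#   <timestamp> <ACCEPT|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges used here as stand-ins for public addresses.
SAMPLE_LOG = """\
2014-06-10T08:01:12Z ACCEPT proto=tcp src=10.20.30.40:51022 dst=10.20.1.5:445
2014-06-10T08:02:45Z ACCEPT proto=tcp src=203.0.113.17:40511 dst=198.51.100.8:445
2014-06-10T08:03:01Z DROP proto=tcp src=203.0.113.17:40512 dst=198.51.100.9:445
2014-06-10T08:04:19Z ACCEPT proto=udp src=192.0.2.99:137 dst=198.51.100.8:137
2014-06-10T08:05:33Z ACCEPT proto=tcp src=198.51.100.50:44321 dst=198.51.100.8:443
2014-06-10T08:06:07Z ACCEPT proto=tcp src=203.0.113.17:40530 dst=198.51.100.8:139
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip):
    """True when the address is outside the private/loopback/link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_smb(log_text):
    """Map each internal host that accepted external SMB traffic to a sorted
    list of (source address, destination port) pairs. DROP lines and flows
    from internal sources are ignored."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        dport = int(rec["dport"])
        if dport in SMB_PORTS and is_external(rec["src"]):
            exposed[rec["dst"]].add((rec["src"], dport))
    return {host: sorted(pairs) for host, pairs in exposed.items()}


if __name__ == "__main__":
    for host, pairs in find_exposed_smb(SAMPLE_LOG).items():
        print(f"{host}: SMB reachable from outside via {pairs}")
```

Any host reported here should be firewalled off from the edge; the audit is only as good as the log coverage of the perimeter devices it is run against.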


Security issues at healthcare facilities are nothing new, and the SMB protocol vulnerability is just another problem to add to a growing list of ways information can be compromised.


"It goes to show that healthcare [organizations are] very sloppy in configuring their external edge networks and are not really taking security seriously," Erven told Wired.


He added that the problems can occur because of too much focus on HIPAA compliance, which causes providers to pay too little attention to testing and securing their systems.


With a spike in HIPAA fines possible, healthcare facilities may be even more focused on compliance with those standards than on working to properly secure their networks.


To that end, even a recent White House report pointed out that HIPAA compliance might not be enough to ensure privacy in the electronic age.



Tracking confidential data a major worry in healthcare security


Uncertainty about where sensitive and confidential data is located causes more worry for security pros than hackers or malicious employees, according to a new survey from the Ponemon Institute.

The report, based on a poll of 1,587 IT security practitioners in 16 countries, focuses on the state of data-centric security, which it describes as a security policy that follows data wherever it is replicated, copied or integrated.



OCR attorney predicts spike in HIPAA fines


The Office for Civil Rights' crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months, a U.S. Department of Health and Human Services attorney recently told an American Bar Association conference.

Jerome B. Meites, OCR chief regional counsel for the Chicago area, said that the office wants to send a strong message through high-impact cases, according to Data Privacy Monitor.

The Office for Civil Rights has been levying fines to make healthcare entities take notice: nine settlements since June 1, 2013, have totaled more than $10 million. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.




"Knowing what's in the pipeline, I suspect that that number will be low compared to what's coming up," Meites said in the article.

The OCR has said that when it resumes HIPAA audits this fall, the investigations will have a narrow focus and there will be fewer onsite visits. Meites told the American Bar Association that the OCR still has to decide which organizations it will select for an audit from a list of 1,200 candidates--800 healthcare providers, health plans or clearinghouses--and 400 of their business associates.

A report last December from the Office of Inspector General criticized the OCR's enforcement of the HIPAA provisions, including inadequate focus on system and data security.

Meanwhile, the number of breaches on the U.S. Department of Health and Human Services' "wall of shame" topped 1,000 this month, with at least 34 breaches so far in June. The records of nearly 31.7 million people have been exposed since federal reporting was mandated in September 2009.






iOS changes will address HIPAA risk | Healthcare IT News


Imagine if almost everyone walking into your hospital – patients, doctors, visitors, salespeople – was carrying an active homing beacon, which broadcast, unencrypted, their presence and repeatedly updated exact location to anyone who chose to listen.


That's where things stand today, courtesy of the MAC (media access control) address, a unique ID broadcast by every smartphone, tablet and wearable device.

But not for long, given upcoming changes to how Apple products will handle MAC address broadcasts – a move almost certain to be copied by Google's Android.


Apple's iOS 8 change, focusing initially on how MAC addressing interacts with Wi-Fi scans, will shift to using "randomly, locally administered" MAC addresses. The result, according to Apple: "The MAC address used for Wi-Fi scans may not always be the device's real – universal – address." (That description is on page 18 of an Apple PDF.)

As a practical matter, using this kind of a randomized bogus address approach will make tracking people via mobile devices impossible or, at best, impractical, depending on the level of randomization used and how often – if ever – the true MAC address is broadcast.

It will still be months before Apple releases this new version of its mobile OS publicly (it's now solely with developers), weeks and maybe months before most consumers will upgrade and longer still before others – especially Google's Android – mimic the move.

That means that, for now, this security and privacy risk is still a very real threat.

The risk is twofold. First, there is the potential for a renegade member of the hospital's staff to track people. Second, there exists the possibility that hospital visitors could wirelessly track other hospital visitors.

In the first scenario, doctors and other hospital staff are less of a concern, since they could just as easily be tracked the instant they log into the hospital's local area network, so the MAC address broadcast is not necessary. With visiting cyberthieves or stalkers, anyone with a mobile device is a potential victim.

The security risk is that a specific MAC address would be tracked over time, showing all travel activity within the hospital. Retail offers a great example of the risk: Retailers work with vendors who have contracts with lots of other retailers. This allows those companies to create – and to then sell – detailed reports of every store and mall and parking lot that a MAC address visits. By overlaying it with purchase records, that address can be associated with specific purchases. If those purchases used a payment card or loyalty card, that MAC address can then be associated with a specific person.
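To see why the "locally administered" randomized addresses matter, a hospital privacy team can audit its own Wi-Fi sensor sightings for devices whose stable, burned-in MAC links them across locations. The code below is an added example, not Apple's or the article's; the MAC addresses, timestamps and locations are constructed.

```python
"""Locally administered MAC addresses and linkability across locations.

Added example (not from the article). Shows (1) how to read the U/L bit that
distinguishes a randomized, locally administered MAC from a burned-in,
universally administered one, and (2) how an audit of constructed Wi-Fi scan
sightings finds which devices remain linkable across locations: only those
reusing one stable MAC, which is the exposure iOS 8's randomization removes.
"""
from collections import defaultdict


def parse_mac(mac):
    """Return the six octets of a colon- or hyphen-separated MAC as ints."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC: {mac}")
    return octets


def is_locally_administered(mac):
    """Bit 1 (0x02) of the first octet is the U/L bit: 1 = locally administered
    (e.g. a randomized address), 0 = universally administered (burned-in)."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """Bit 0 (0x01) of the first octet is the I/G bit; a device's source MAC
    should always be unicast (bit clear)."""
    return bool(parse_mac(mac)[0] & 0x01)


def build_trails(sightings):
    """Group sightings (timestamp, location, mac) into a time-ordered
    list of (timestamp, location) per MAC."""
    trails = defaultdict(list)
    for ts, location, mac in sorted(sightings):
        trails[mac].append((ts, location))
    return dict(trails)


def linkable_devices(sightings):
    """Return the trails of MACs seen at more than one location: the devices a
    passive listener could follow around the building. A device that presents
    a fresh locally administered MAC per scan produces only one-sighting
    trails and therefore never appears here."""
    return {
        mac: trail
        for mac, trail in build_trails(sightings).items()
        if len({loc for _, loc in trail}) > 1
    }


def exposure_summary(sightings):
    """Counts for an audit report: distinct MACs seen, how many were
    locally administered, and how many were linkable across locations."""
    macs = {mac for _, _, mac in sightings}
    return {
        "distinct_macs": len(macs),
        "locally_administered": sum(is_locally_administered(m) for m in macs),
        "linkable": len(linkable_devices(sightings)),
    }


# Constructed sightings: one device keeps a burned-in MAC across three
# locations; another presents a different locally administered MAC each scan.
SIGHTINGS = [
    ("08:00", "lobby",      "00:1b:63:84:45:e6"),
    ("08:15", "cardiology", "00:1b:63:84:45:e6"),
    ("09:10", "oncology",   "00:1b:63:84:45:e6"),
    ("08:02", "lobby",      "da:6f:11:22:33:44"),
    ("08:17", "cardiology", "9e:5a:77:88:99:aa"),
    ("09:12", "oncology",   "c2:0d:ab:cd:ef:01"),
]

if __name__ == "__main__":
    print(exposure_summary(SIGHTINGS))
    for mac, trail in linkable_devices(SIGHTINGS).items():
        print(mac, "->", " > ".join(loc for _, loc in trail))
```

Run periodically against real sensor data, the "linkable" count is a direct measure of how much of the tracking risk described above remains as devices upgrade to randomized addresses.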


HIPAA Violation Results in $4.8 Million Settlement | JD Supra

While most healthcare providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that this close scrutiny should also be applied to computer reconfigurations and other IT system changes. According to the Department of Health and Human Services Office for Civil Rights (“OCR”), a “reconfiguration” of a computer server involving two healthcare providers caused the health information of 6,800 patients to be disclosed to Internet search engines. The healthcare providers, New York-Presbyterian Hospital and Columbia University Medical Center, each entered into a settlement and a Corrective Action Plan with OCR requiring payment of $4.8 million to OCR.

According to OCR, the hospitals failed to conduct an accurate and thorough risk analysis that incorporates all information technology (“IT”) equipment, applications, and data systems utilizing electronic protected health information (“ePHI”). Additionally, they failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to their patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The hospitals also failed to implement appropriate policies and procedures for authorizing access to their patient databases, and they failed to comply with their HIPAA security policies on information access management.

Under the HIPAA Security Rule, most healthcare providers are required to conduct a risk analysis of, among other things, their IT equipment. Healthcare providers are also required to implement HIPAA security policies and procedures to reduce their risk of a potential HIPAA violation and vulnerabilities in their IT systems. Whenever a change is made to a healthcare provider’s IT systems, a new risk analysis should be conducted to identify any potential risk of improper disclosure of ePHI as a result of the change. Any such risk must be eliminated or sufficiently reduced prior to implementing the change to avoid a violation of HIPAA and the costly penalties that go along with it.




HIPAA Compliance: What Every Developer Should Know - InformationWeek


The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.


HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.

Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.


If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:

  • Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
  • Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
  • Push notifications and other user communications can violate HIPAA laws if they contain PHI.
  • Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
  • Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
  • Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.

While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.

Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.

The information that does need to be compliant is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.



If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.

On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:

  • Allows users to record their weight and exercise routines
  • Gives users access to medical reference information
  • Lets average users look up illness information
  • Defines various illnesses or diseases
  • Lets users keep up with their daily diets

If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.

But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals




Secure vs. HIPAA Compliant: What’s the Difference for Text Messaging?


The need for physicians and other healthcare team members to be in constant communication with each other has never been higher. Secure texting applications seek to provide healthcare professionals a quick and convenient way to connect while complying with the Health Insurance Portability and Accountability Act (HIPAA) and other privacy regulations.

Text messages are, in principle, an excellent way to transfer information on the go. They are useful in communication between doctors, nurses, office staff and even patients. Text messaging is a viable replacement for older, less efficient technologies such as the pager. Texting is real-time communication in a way that email is not. Physicians have shown an affinity for the method. In a study published in 2014, well over half of physicians at pediatric hospitals reported sending and receiving work-related text messages, and 12 percent said they sent more than 10 messages per shift [1].

Unfortunately, despite being used frequently in healthcare, standard text messages and most “secure” applications lack the encryption and other features needed to avoid potentially costly and embarrassing HIPAA infractions. Such violations, if due to “willful neglect,” can lead to fines of $50,000 per violation, to a maximum of $1.5 million a year [2]. The right physician messaging solution keeps PHI private while making healthcare professionals’ lives easier and improving quality of care. Choosing an app that will truly keep your patients’ data safe, however, can be a challenge because “secure” does not always mean “HIPAA-compliant.” HIPAA compliance is a much more stringent standard, and unfortunately most applications just don’t meet it.




HIPAA Blog


This article has popped up several places in my morning reading.  They are probably right; in fact, some big health data hacks have probably already occurred, but we just don't know about them yet because we don't yet know how the data is being used and aren't able to see it.  There are probably millions of individual instances of medical identity theft occurring every day, from the voluntary "sharing" of insurance by cooperative parties (your brother has insurance through his job but you don't so you go to a doctor and pretend to be him so that his insurance will pay for your care) to identity theft facilitated by insiders (a nurse or receptionist issues multiple Oxycontin prescriptions to a legitimate pain patient, but sends the extras to a friend who fills them and resells the pills) to pure identity theft (a hacker gains medical identities and sells them to people who use the unwitting victim's insurance to pay for their care). 

Medical identity theft can be much more lucrative than stealing credit card info, since the medical information is more persistent and the credit card info is more transitory (you can get a new credit card number, not a new medical history).  That said, you need a purchaser who needs healthcare to complete a medical identity theft, whereas credit card info can always be used immediately.


What HIPAA doesn't cover | Healthcare IT News


Sure, HIPAA adds a layer of privacy protection for certain health data -- if organizations actually comply with it -- but there remain myriad avenues of mining health data and selling it to the highest bidder that do not fall under the purview of HIPAA's privacy and security rules. And they may surprise you.

Anything from what health data one Googles, to what medical products you purchase through online retailers, is fair game for data brokers. What's more, these companies are not liable under HIPAA and are able, without an individual's consent, to track and collect health data for various purposes, says a new July report from the California Healthcare Foundation.

Often unknown by consumers, data elements including Googling for health data; using medical-related social networks; purchasing health products through online retailers; entering retail store preferences and locations into smartphones; or even buying any item related to health like fast food and cigarettes, can all be tracked.

"Even consumer footprints that are not expressly about health can be used to help determine a person's physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the week -- this information is relatively easy to purchase by third parties," wrote Jane Sarasohn-Kahn, health economist and author of the report.

Sarasohn-Kahn pointed to a 2014 report from 60 Minutes covered by Tim Sparapani, former director of public policy for Facebook, in which he said, "You can buy from any number of data brokers, by malady, the list of individuals in America who are afflicted with a particular disease or condition."

Sure, oftentimes these data elements are collected and tracked not for malevolent purposes but rather for improving clinical outcomes and reducing costs. The report cites data mining as integral in bettering clinical trials and managing chronic disease, for instance. One particular instance included designing a recruitment strategy for a Hepatitis C vaccine trial, where they located patient influencers on Twitter, contacted them and asked them to publicize the vaccine trial.

However, even with these seemingly positive end goals, many individuals and stakeholders have expressed concern over privacy rights and the current lack of transparency.

Even the Federal Trade Commission has expressed concern over the unfettered access these data brokers have to consumer health information, without the consumer's consent.

In a May report, FTC underscored the practices of nine data brokers and revealed that most consumers are unaware these brokers are collecting data. Just one of the data brokers in the report, Acxiom, had more than 3,000 data segments for nearly every U.S. consumer.

"To close these gaps, I urge Congress to consider legislation provisions – in addition to the provisions recommended by the Commission – that would create greater accountability for data supplies, data brokers and data broker clients," wrote FTC Commissioner Julie Brill in a May 27 statement to Congress.

Sarasohn-Kahn underlined several recommendations put forth by stakeholders on how to properly balance data sharing with consumers' privacy rights:

 
  • Help people gain control. For some stakeholders, this means getting consent from consumers. And for others, consent fails to offer "meaningful protections."
  • Simplify the fragmented regulatory environment.
  • Consider personal health data locker and clouds. 




Big Data in Health Care: Using Analytics to Identify and Manage High-Risk and High-Cost Patients - CHCF.org


As a result of greater adoption of electronic health records, health care organizations have increased opportunities to analyze and interpret large quantities of patient information, known as big data, to better manage high-risk and high-cost patients.

The July 2014 issue of the journal Health Affairs explores the promise of big data to improve health care. In one article, supported by CHCF, the authors examine six examples in which mining big data can improve care and reduce expenses in hospital settings:

  1. Identifying high-cost patients can in turn determine which patients are most likely to benefit from interventions and which care plans can best improve care.
  2. Using predictive algorithms to foresee potential readmissions can enable more precise interventions and care coordination after discharge.
  3. Integrating triage algorithms into the clinical workflow can help manage staffing, patient transfers, and beds.
  4. Some ICUs are using analytics to evaluate multiple data streams from patient monitors to predict whether a patient's condition is likely to worsen.
  5. By uncovering unique data patterns, such as prescription drug use and vital sign changes,  other systems can help prevent renal failure, infections, and adverse drug events.
  6. Data from multisite disease registries and clinical networks will help manage patients with chronic conditions that span more than one organ system.

While big data and analytics are powerful tools, the authors say more systematic evaluation is needed to move from potential to realization in many areas. And questions remain on how to regulate analytics and provide adequate patient privacy.


Medable promises an easy way to make health apps comply with health data laws


Many health-related apps and devices will be hitting the market in the next year or two. And the data that these apps and devices collect could help your doctor provide a more holistic picture of your health.

But, as I wrote a few weeks ago, when that health data crosses the line from consumer health cloud into the healthcare delivery system, HIPAA privacy rules will come into play.

One company, started by a Stanford physician, has foreseen this challenge to device and app developers, and is offering a way to easily comply with HIPAA’s often stringent rules. These “medical grade” apps can then safely share data with clinical systems.

“With Medable, mobile apps can make it easy for users to communicate with their doctors, nurses, and caregivers, and also to provide them with any kind of data originating from their mobile devices,” company co-founder Dr. Michelle Longmire tells VentureBeat. “That lets everyone receive the data, visualize it, and then communicate about it in a very natural way.”

Health app developers can use the platform to build new applications or to integrate Medable features into existing applications, Longmire says. Medable also offers numerous application features like patient and provider profiles, two-factor authentication, and “push” messaging. These features are delivered through a software development kit (SDK) and an application programming interface (API).

“If push messages are sent to care providers, they contain only the metadata, not any identifiable information,” Longmire explains. “So a physician might receive a message saying ‘an image is available for you,’ but the doctor would need to log in to get the image.”

Longmire says Medable uses the HL7 clinical data format, so it can integrate with, and exchange data with, any electronic health record system that uses HL7 format, and the majority of them do.

The main concern of HIPAA rules is guarding “protected health information” or “PHI” from the eyes of those who don’t need to see it for clinical purposes.

Longmire says the Medable platform encrypts all PHI in several ways — on the device, in transit and then on the Medable platform.

The Medable platform can also anonymize large amounts of clinical data so that researchers can study it. Additionally, Medable provides all of the capability needed for HIPAA auditing and clinical data reporting.

The bottom line is that Longmire’s platform gets app developers out of the privacy and compliance business, at least where it concerns sharing data with hospitals or medical groups.

“Medable allows developers to focus on the content of their apps, instead of on data security, which is not their specialty,” Longmire says.

The global health market was at $6 billion in 2013, but it’s projected to be a $26 billion market by 2017.




Chinese Hackers Pursue Key Data on U.S. Workers - NYTimes.com


WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use.

In response to questions about the matter, a senior Department of Homeland Security official confirmed that the attack had occurred but said that “at this time,” neither the personnel agency nor Homeland Security had “identified any loss of personally identifiable information.” The official said an emergency response team was assigned “to assess and mitigate any risks identified.”

One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government. Its disclosure comes as a delegation of senior American officials, led by Secretary of State John Kerry, are in Beijing for the annual Strategic and Economic Dialogue, the leading forum for discussion between the United States and China on their commercial relationships and their wary efforts to work together on economic and defense issues.

Computer intrusions have been a major source of discussion and disagreement between the two countries, and the Chinese can point to evidence, revealed by Edward J. Snowden, that the National Security Agency went deep into the computer systems of Huawei, a major maker of computer network equipment, and ran many programs to intercept the conversations of Chinese leaders and the military.

American officials say the attack on the Office of Personnel Management was notable because while hackers try to breach United States government servers nearly every day, they rarely succeed. One of the last attacks the government acknowledged occurred last year at the Department of Energy. In that case, hackers successfully made off with employee and contractors’ personal data. The agency was forced to reveal the attack because state disclosure laws force entities to report breaches in cases where personally identifiable information is compromised. Government agencies do not have to disclose breaches in which sensitive government secrets, but no personally identifiable information, has been stolen.

Just a month ago, the Justice Department indicted a group of Chinese hackers who work for the People’s Liberation Army Unit 61398, and charged them with stealing corporate secrets. The same unit, and others linked to the P.L.A., have been accused in the past of intrusions into United States government computer systems, including in the office of the secretary of defense.

But private security researchers say the indictments have hardly deterred the People’s Liberation Army from hacking foreign targets, and American officials are increasingly concerned that they have failed in their effort to deter computer attacks from China or elsewhere. “There’s no price to pay for the Chinese,” one senior intelligence official said recently, “and nothing will change until that changes.”

The indictments have been criticized as long on symbolism and short on real punishment: There is very little chance that the Chinese military members would ever see the inside of an American courtroom, even if the F.B.I. has put their pictures on wanted posters.

“I think that it was speaking loudly and carrying a small stick,” said Dennis Blair, the former director of national intelligence during President Obama’s first term, who was a co-author of a report last year urging that the United States create a series of financial disincentives for computer theft and attacks, including halting some forms of imports and blocking access to American financial markets.

Not long after several members of Unit 61398 were indicted, security researchers were able to pin hundreds more cyberattacks against American and European space and satellite technology companies and research groups on a second Shanghai-based Chinese military unit, known as Unit 61486. Researchers say that even after Americans indicted their counterparts in Unit 61398, members of Unit 61486 have shown no signs of scaling back.

The same proved true for the dozen other Chinese military and naval units that American officials have been tracking as they break into an ever more concerning list of corporate targets including drone, missile and nuclear propulsion technology makers.

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.

The agencies and the contractors use the information from e-QIP to investigate the employees and ultimately determine whether they should be granted security clearances, or have them updated.

A representative of the Office of Personnel Management said that monitoring systems at the Department of Homeland Security and the agency office allowed them to be “alerted to a potential intrusion of our network in mid-March.”

In the past, the Obama administration has urged American companies to share intrusion information with the government and reveal breaches to consumers in cases where their personal information was compromised and could be used without authorization.

But in this case there was no announcement about the attack. “The administration has never advocated that all intrusions be made public,” said Caitlin Hayden, a spokeswoman for the Obama administration. “We have advocated that businesses that have suffered an intrusion notify customers if the intruder had access to consumers’ personal information. We have also advocated that companies and agencies voluntarily share information about intrusions.”

Ms. Hayden noted that the agency had intrusion-detection systems in place and notified other federal agencies, state and local governments about the attack, then shared relevant threat information with some in the security industry. Four months after the attack, Ms. Hayden said the Obama administration had no reason to believe personally identifiable information for employees was compromised.

“None of this differs from our normal response to similar threats,” Ms. Hayden said.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
- The Technical Doctor Team


HIT vendors rely on security standards that don't meet HIPAA requirements


Health IT vendors don't often protect electronic patient information in accordance with HIPAA, even when they and their provider clients think that they're in compliance with the law, according to a new article by Dan Schroeder, an attorney with Habif, Arogeti & Wynne in Atlanta.


Writing for the Health Law eSource, the monthly e-zine of the American Bar Association's Health Law Section, Schroeder points out that while the potential security risks of health IT companies are "very high," many of them are falling short on HIPAA compliance. For example, they're not conducting a risk analysis of potential threats and vulnerabilities regarding the data, a fundamental HIPAA requirement.


Health IT vendors and the providers who use them are expected to come under increased scrutiny, particularly over the next year, according to one attorney with the U.S. Department of Health and Human Services Office for Civil Rights. Both the Office of Inspector General and OCR have announced their intention to target cloud vendors and other business associates to ensure that patient data is adequately protected pursuant to HIPAA requirements.


Some vendors erroneously rely on alternative security standards as evidence that they adequately protect patient information. For instance, many health IT companies believe that obtaining a Service Organization Control (SOC) 1 Report--also known as an SSAE 16--is sufficient to comply with HIPAA. SOC 1 Reports, which are prepared by a certified public accountant in accordance with guidelines from the American Institute of Certified Public Accountants (AICPA), attest to a company's internal controls. However, they apply only to financial reporting, such as debits and credits.


"A basic Internet search uncovers numerous HIT companies that offer up SOC 1 reports as evidence that they have fulfilled their HIPAA responsibilities, even though AICPA standards explicitly restrict the report from being used to address operational and compliance risks [e.g., security, privacy, integrity and availability risks]," he warns.


Thousands of hospitals making simple cyber security error, exposing devices


Drug infusion pumps that can be manipulated from afar, defibrillators that can be programmed to deliver random shocks, refrigerators whose temperature settings can be reset: these are some of the cybersecurity problems uncovered by Scott Erven, the head of information security for healthcare facility operator Essentia Health.


It took Erven's team only half an hour to find another healthcare organization that was exposing information about 68,000 systems, including at least 488 cardiology systems, 332 radiology systems and 32 pacemakers, according to Wired Magazine.


"Now we know all the targeted info and we know that systems that are publicly connected to the internet are vulnerable to the exploit," Erven told Wired. "We can exploit them with no user interaction… [then] pivot directly at the medical devices that you want to attack."


The problem stems from poorly configured settings in the Server Message Block (SMB) protocol that allow information like computer IDs to be shared publicly instead of only with select staff. And Erven said thousands of other healthcare organizations around the globe are making the same mistake.


Computer viruses exploiting the information can then be sent to hospitals via spam emails. Worst of all, if the computer ID contains a doctor's name, as it sometimes does, that information can be used to target individual patients, the article says. 
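The misconfiguration described above, SMB reachable from the public internet and host details enumerable without credentials, is something a defender can check for in their own perimeter rules and file-server configuration. The Python script below is an added example, not code from the article or from Erven's team. The firewall rule records, the trusted-network list and the two smb.conf fragments are constructed for illustration; `restrict anonymous`, `map to guest` and `hosts allow` are real Samba parameters. It flags allow-rules that open SMB/NetBIOS ports to sources outside the trusted ranges and reports weak anonymous-access settings in the `[global]` section.

```python
"""Audit perimeter firewall rules and a Samba config for SMB exposure.

Added example (not from the article). Every rule record, network range
and smb.conf fragment below is constructed for illustration.
"""
import ipaddress

# Ports used by SMB and the NetBIOS name, datagram and session services.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed perimeter rule set. Only "allow" rules on SMB ports whose
# source lies outside a trusted range should be reported.
FIREWALL_RULES = [
    {"name": "smb-from-anywhere", "proto": "tcp", "port": 445, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "netbios-lan-only", "proto": "tcp", "port": 139, "source": "10.20.0.0/16", "action": "allow"},
    {"name": "https-public", "proto": "tcp", "port": 443, "source": "0.0.0.0/0", "action": "allow"},
    {"name": "smb-vpn-pool", "proto": "tcp", "port": 445, "source": "10.99.0.0/24", "action": "allow"},
    {"name": "smb-default-deny", "proto": "tcp", "port": 445, "source": "0.0.0.0/0", "action": "deny"},
]

# Constructed list of ranges that are allowed to reach file servers.
TRUSTED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def source_is_trusted(source_cidr, trusted_cidrs):
    """True if the rule's source range lies entirely inside a trusted range."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    for cidr in trusted_cidrs:
        trusted = ipaddress.ip_network(cidr, strict=False)
        if src.version == trusted.version and src.subnet_of(trusted):
            return True
    return False


def exposed_smb_rules(rules, trusted_cidrs=TRUSTED_NETWORKS):
    """Names of allow-rules that open an SMB/NetBIOS port to untrusted sources."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if (rule["proto"], rule["port"]) not in SMB_PORTS:
            continue
        if not source_is_trusted(rule["source"], trusted_cidrs):
            findings.append(rule["name"])
    return findings


# Constructed smb.conf [global] sections. "restrict anonymous = 0" (the
# Samba default) permits null-session enumeration of shares and host details.
SMB_CONF_WEAK = """
[global]
    workgroup = HOSPITAL
    restrict anonymous = 0
    map to guest = Bad User
"""

SMB_CONF_HARDENED = """
[global]
    workgroup = HOSPITAL
    restrict anonymous = 2
    map to guest = Never
    hosts allow = 10.20.0.0/16 127.0.0.1
"""


def parse_global_section(conf_text):
    """Minimal smb.conf reader: key/value pairs from the [global] section only."""
    settings = {}
    in_global = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def samba_findings(conf_text):
    """Weak anonymous-access settings, using Samba's documented defaults when unset."""
    s = parse_global_section(conf_text)
    findings = []
    if s.get("restrict anonymous", "0") == "0":
        findings.append("anonymous enumeration allowed (restrict anonymous = 0)")
    if s.get("map to guest", "Never").lower() != "never":
        findings.append("unknown users mapped to guest (map to guest)")
    if "hosts allow" not in s:
        findings.append("no hosts allow restriction")
    return findings


if __name__ == "__main__":
    print("exposed SMB rules:", exposed_smb_rules(FIREWALL_RULES))
    print("weak config:", samba_findings(SMB_CONF_WEAK))
    print("hardened config:", samba_findings(SMB_CONF_HARDENED))
```

Run against the constructed data it reports the single rule that admits SMB from `0.0.0.0/0`, three findings for the weak configuration and none for the hardened one; the deny rule and the VPN-pool rule are correctly ignored. The same two checks, a perimeter rule review and an anonymous-access review of the file server, are the first things to verify after reading Erven's findings.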


While shocking, news of poor cybersecurity in the med tech and healthcare industries shouldn't be "news" anymore. On June 23, Medtronic ($MDT) said that it, along with two other large medical device manufacturers, discovered an "unauthorized intrusion" to its systems last year that could be traced back to hackers in Asia. The company also disclosed that it lost an unnamed number of patient records from its diabetes unit in a separate incident, but does not know what type of information was included in the records.


The FDA has taken notice and experts say it will soon start rejecting devices that aren't secure. In addition, growing concerns from patients could jolt companies and hospitals into action. A fictional cyber attack on the TV show Homeland and increased media attention have brought the issue to life.


Security tips from the health IT pros | Healthcare IT News


As anyone who's ever worked in IT security can attest, the job is no walk in the park. New threats, compliance mandates, vulnerabilities and updates are constant. But with strong leadership, and a culture of compliance and responsibility to match, many healthcare organizations have shown it can be done right -- and well.

Beth Israel Deaconess Medical Center's Chief Information Officer John Halamka, MD, said for this kind of career, it's a matter of first understanding that "a CIO has limited authority but infinite accountability." You have to ask, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'What you have done is reasonable?'" he said.

This involves thinking about how to encrypt every device and how to protect the data center from both internal and external attacks.

"Much of what I have to do is meet with my business owners and ask, 'What are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks?' We're never going to be perfect," he added. "But we can put in place what I call a 'multilayer defense.'"

Another fundamental piece to doing privacy and security right? No surprise here: Get your risk analysis done – and done properly.

"This is the single most important document as part of the OCR investigation," said Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy. "(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk."

This includes showing the safeguards your organization has put in place from technical, physical and administrative standpoints, explained Sessions. Things such as staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter.

Time to encrypt

"Encrypt; encrypt; encrypt," said Sessions. It's a safe harbor for the HIPAA breach notification requirements, but that still fails to motivate some.

"(Physical theft and loss) is the biggest hands down problem in healthcare that we are seeing," said Suzanne Widup, senior analyst on the Verizon RISK team, discussing the 2014 annual Verizon breach report released in April. "It really surprises me that this is still such a big problem ... other industries seem to have gotten this fairly clearly."

According to OCR data, theft and loss of unencrypted laptops and devices account for the lion's share of HIPAA privacy and security breaches, nearing 60 percent. (Hacking accounts for some 7 percent, and unauthorized disclosure accounts for 16 percent.)

"Pay attention to encryption, for any devices that can leave the office," said former OCR deputy director for health information privacy Susan McAndrew at HIMSS14 this past February.

Of course, the healthcare breach numbers are going to be slightly higher because the federal government has mandated specific HIPAA privacy and security breach notification requirements for organizations, but that has no bearing on the reality that these organizations still fail to implement basic encryption practices, Widup pointed out.

Sessions conceded that it is a pricing concern. "At a time where reimbursements are going down and technology costs are going up with the advent of the electronic health record, there are competing priorities within a healthcare organization of where they can spend their money."

A 2011 Ponemon Institute report estimated full disk encryption costs to be around $232 per user, per year, on average, a number representing the total cost of ownership. And that number could go as high as $399 per user, per year, the data suggest.

Kaiser Permanente Chief Security Officer and Technology Risk Officer Jim Doggett, however, said encryption presents a challenge not only because of costs but also because of the data itself. "The quantity of data is huge," he told Healthcare IT News.

The 38-hospital health system encrypts data on endpoint devices in addition to sensitive data in transit, said Doggett, who currently leads a 300-person technology risk management team, in charge of 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. And don't forget the health data of some 9 million Kaiser members Doggett and his team are responsible for.

"This kind of scale presents unique challenges, and calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente," he added. 
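Sessions' point that encryption is a safe harbor for breach notification, and McAndrew's advice to encrypt anything that can leave the office, can be written down as a triage rule and a prioritisation query. The Python below is an added example, not code from the article or from any of the organizations quoted in it. The incident log and device inventory are constructed; the `cause` labels are loosely modelled on the OCR categories the article cites, and the rule it encodes is the assumption that PHI on a lost or stolen device counts as "unsecured PHI" unless it was encrypted and the key was not also compromised.

```python
"""Breach-notification triage and an encryption backlog for portable devices.

Added example (not from the article). All incident and device records are
constructed. Decision rule (an assumption stated in the lead-in): PHI that was
encrypted, with the key not also compromised, is not "unsecured PHI" and so
does not trigger notification; everything else with PHI does.
"""
from collections import Counter

# Constructed incident log. "cause" values loosely follow OCR breach categories.
INCIDENTS = [
    {"id": "INC-001", "cause": "theft", "asset": "laptop", "phi": True, "encrypted": False, "key_compromised": False},
    {"id": "INC-002", "cause": "theft", "asset": "laptop", "phi": True, "encrypted": True, "key_compromised": False},
    # Encrypted, but the passphrase was taped to the drive: the key is gone too.
    {"id": "INC-003", "cause": "loss", "asset": "usb-drive", "phi": True, "encrypted": True, "key_compromised": True},
    {"id": "INC-004", "cause": "loss", "asset": "smartphone", "phi": False, "encrypted": False, "key_compromised": False},
    {"id": "INC-005", "cause": "hacking", "asset": "server", "phi": True, "encrypted": False, "key_compromised": False},
    {"id": "INC-006", "cause": "unauthorized_disclosure", "asset": "email", "phi": True, "encrypted": False, "key_compromised": False},
    {"id": "INC-007", "cause": "theft", "asset": "laptop", "phi": True, "encrypted": True, "key_compromised": False},
]

# Constructed device inventory: which assets leave the building, hold PHI,
# and have full-disk encryption ("fde") enabled.
DEVICES = [
    {"host": "lap-onc-01", "portable": True, "phi": True, "fde": False},
    {"host": "lap-onc-02", "portable": True, "phi": True, "fde": True},
    {"host": "ws-billing-07", "portable": False, "phi": True, "fde": False},
    {"host": "tab-ed-03", "portable": True, "phi": True, "fde": False},
    {"host": "lap-it-11", "portable": True, "phi": False, "fde": False},
]


def is_unsecured_phi(incident):
    """PHI is 'unsecured' unless it was encrypted and the key stayed safe."""
    if not incident["phi"]:
        return False
    if incident["encrypted"] and not incident["key_compromised"]:
        return False
    return True


def notifiable_incidents(incidents):
    """Incident ids that fall outside the encryption safe harbor."""
    return [i["id"] for i in incidents if is_unsecured_phi(i)]


def safe_harbor_count(incidents):
    """PHI incidents that encryption kept off the notification list."""
    return sum(1 for i in incidents if i["phi"] and i["encrypted"] and not i["key_compromised"])


def cause_breakdown(incidents):
    """Share of incidents per cause, in percent rounded to one decimal."""
    counts = Counter(i["cause"] for i in incidents)
    total = sum(counts.values())
    return {cause: round(100.0 * n / total, 1) for cause, n in counts.items()}


def encryption_backlog(devices):
    """Portable devices holding PHI that still lack full-disk encryption: fix these first."""
    return [d["host"] for d in devices if d["portable"] and d["phi"] and not d["fde"]]


if __name__ == "__main__":
    print("notify for:", notifiable_incidents(INCIDENTS))
    print("kept out of notification by encryption:", safe_harbor_count(INCIDENTS))
    print("breakdown by cause:", cause_breakdown(INCIDENTS))
    print("encrypt next:", encryption_backlog(DEVICES))
```

On the constructed data, two of the three stolen laptops drop out of the notification list purely because they were encrypted, while the encrypted USB drive stays on it because its passphrase travelled with it; that distinction is the practical content of the safe harbor. The backlog query ignores the unencrypted billing workstation, which never leaves the office, and the IT laptop, which holds no PHI, so the list it returns is the one worth spending the per-user encryption budget on first.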


The HHS/OCR Hit List for HIPAA Audits


As the HHS Office for Civil Rights analyzes breach reports for vulnerabilities, it has learned lessons on areas where covered entities should pay particular attention to their HIPAA compliance efforts. With OCR hoping soon to launch a permanent random HIPAA Audit program, the agency has reiterated six core ways to avoid common types of breaches, which will be among the targeted focus areas of audits.


