HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Is the Collective Will Present for a Concerted Push on Cybersecurity?


It was a privilege and a pleasure to moderate the panel “Healthcare Cyber Security Solutions: Concepts and Trends,” at the Denver CHIME Lead Forum on Monday, July 20. The panel I moderated was part of a daylong event held at the Sheraton Downtown Denver, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under the corporate umbrella of our parent company, the Vendome Group LLC).

I was joined on the panel by Mike Archuleta, director of IT at Mt. San Rafael (Colo.) Hospital; Guy Turner, chief data security officer at Sutter Healthcare (San Francisco); Francisco C. Dominicci, R.N., CIO and director of health IT for the Colorado Springs (Colo.) Military Health System; Ryan Witt, vice president, healthcare industry practice, at Fortinet (Sunnyvale, Calif.); and Steve Shihadeh, senior vice president at the Seattle-based Caradigm.

Our panel’s discussion covered a very wide range of topics under the cybersecurity umbrella, including why that term itself is becoming more used these days.

Numerous statements were made by panelists that I found to be particularly worth recounting. Among those was Turner’s strongly urging attendees to adopt behavioral pattern recognition solutions, as had been recommended earlier in the day by Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. Like McMillan, Turner stressed that, as he put it, “You have to invest in tools for pattern recognition for anomalous behavior.” Not doing so essentially leaves one’s entire clinical information system open to hackers once they have penetrated the outer defenses of the system.

Importantly, all the panelists agreed that investing in cybersecurity solutions and measures really is exactly that: a form of investment. It can’t be seen purely as a “cost” or set of costs, as many other purchases can be, given the risks facing patient care organizations these days.

As for the term “cybersecurity,” there was general consensus around the idea that there is some logic to that term in some cases now eclipsing the terms “data security” and “IT security” in industry usage, since so many of the security issues facing patient care organizations really are online and electronic in nature.

Among the important statements made during the discussion was this one by Dominicci: “Providers need to hold vendors accountable,” he stressed, noting that there is an intensifying need on the part of healthcare IT leaders to be able to hold vendors accountable for their ability to help ensure the security of information systems in a more thorough way than was ever needed until recently.

How will the accelerating consolidation of patient care organizations through mergers and acquisitions affect the broader dynamics around investing in cybersecurity? With consolidation proceeding apace, said Shihadeh, this is in fact a good time for investment in cybersecurity tools and processes. “There is a good opportunity now to invest,” he said, “because of the bigger patient care organizations involved. Large integrated delivery networks are being created, and those larger organizations will have the capital to be able to fund these initiatives” in beefing up cybersecurity/IT security, in his view.

Of course, there are people-based issues as well. What about a question from the audience around whether the leaders of patient care organizations should focus their efforts on grooming or recruiting individuals with healthcare industry-specific data security experience, versus bringing talented individuals in from other industries, and teaching them the ins and outs of healthcare IT security, versus IT security in other industries? Turner was very blunt in stating his perspective: “It’s easier to teach someone the healthcare business than it is to teach someone with a healthcare background all the technical aspects of IT security,” he said. “I would very willingly seek people outside healthcare,” he opined, as patient care organizations are finding themselves trying to fill such important positions as chief information security officer (CISO) in an environment in which the number of potential candidates is dwarfed by the need for qualified individuals these days.

And what of the next couple to few years in this whole arena? There was a broad consensus on the panel that things will get worse before they get better, across a range of issues in the IT/cybersecurity arena. The panelists agreed that the ongoing series of announced data breaches will inevitably intensify, growing in number and frequency, before a very broad collective consensus emerges in the U.S. healthcare industry around what to do about all of this, and industry leaders band together in very broad, concerted efforts.

It was very clear to me from this panel discussion with these industry leaders that it will indeed require a huge, collective commitment, at a policy, industry, strategic, and business level, for the leaders of healthcare IT industry-wide to move forward together to address the issues facing us. Several references were made to the recent disclosure on the part of the leaders of the UCLA Health System of a massive data breach there, which may have exposed the data of 4.5 million people; and the consensus on the panel was that such disclosures are being seen as “wake up calls”—in a patient care delivery setting, they might be referred to as “sentinel events”—that will eventually compel collective action, on the industry and policy levels.

It was also agreed that the headlong rush into accountable care organization development, population health management innovation, and health information exchange, all of which are extremely worthwhile, valuable areas of pursuit, will inevitably ratchet up the risks for patient care organizations around cybersecurity/IT security.

In short, the immediate future is one fraught with danger and challenge, everyone agreed. And yet one did not leave that session with a sense of despair, but rather with a sense of “let’s-roll-up-our-sleeves” commitment to action, at a time when there is no time to waste, and there are many, many tasks ahead—and that there is indeed both a collective intelligence, as well as a collective will, to move forward industry-wide in this incredibly crucial area for all the stakeholder groups in U.S. healthcare.


Shoring Up HealthCare.gov Security


The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.

In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross.

That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.

"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."

Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."

Under Scrutiny

Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.

Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.

For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.

OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. The OIG also found that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California had not configured security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.

A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network.

In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."

The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and other HealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."

In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.

CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.

Data Risks

Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.

"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.

However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."

Ray Biondo, chief information security officer at insurer Health Care Services Corp., says that the federal government has been taking action to address cyberthreats.

"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."

Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."

Playing Politics

Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.

"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.

"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."

Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."

Tien of the Electronic Frontier Foundation, sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."


US data breach affected 18 million, four times larger than said


According to a CNN report released on Tuesday, Federal Bureau of Investigation (FBI) Director James Comey estimated that 18 million current, former and prospective federal employees were affected by the breach of the United States government Office of Personnel Management, more than four times the publicly acknowledged figure of four million.

The data of the U.S. government Office of Personnel Management, the agency that handles security clearances and U.S. government employee records and information, was breached last year by two massive cyber-attacks that were only recently discovered and revealed. Government officials originally said that the attack, which hit OPM as well as the Interior Department, could potentially affect four million people across every federal agency.

However, according to the new report released by CNN, that number is more than four times what was originally said. In the report FBI Director James Comey estimated that 18 million federal employees were affected.

Using the OPM's internal data, Comey presented the number to Senators in closed-door briefings over the past few weeks, a U.S. official briefed on the matter told CNN.

The agency's spokesman has said that OPM has not verified the larger number, and is so far sticking by the four million estimate originally provided.

According to U.S. officials briefed on the subject, the number of people whose data was breached will continue to grow. This is because the hackers accessed a database storing SF-86 questionnaires – the government forms used for security clearances – which contain private information about government officials' family members.

Following the discovery of the breach, a U.S. law enforcement official told Reuters that "a foreign entity or government" was believed to be behind the attacks, with authorities looking into a possible Chinese intrusion, according to the news agency, which quoted a source close to the matter.

OPM officials are expected to attend multiple congressional hearings throughout the week to provide their take on the breach. 
Last week, OPM auditors told the House Oversight and Government Reform Committee that crucial databases storing sensitive national security information did not meet federal security standards.

Michael Esser, OPM's assistant inspector general for audits, wrote in testimony prepared for committee: "Not only was a large volume (11 out of 47 systems) of OPM's IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency."


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.

"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."

That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.

If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.

Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense." That safe harbor applies only when the encryption meets the HHS guidance on rendering PHI unusable (for data at rest, a method consistent with NIST Special Publication 800-111) and the decryption key was not exposed along with the data.
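The content-based rules Caswell describes (encrypt when the body contains a Social Security number or card number, when there is an attachment, or when the subject carries a trigger word) are the kind of policy a secure e-mail gateway evaluates on every outbound message. The following is an added example written for this page, not code from any product mentioned in the article: a small classifier that returns the reasons a message must be encrypted. The message fields, trigger words and sample messages are assumptions; the card-number check runs a Luhn checksum so that ordinary long digit strings (medical record numbers, account references) do not trigger encryption, which is the usual false-positive problem with a bare regex.

```python
import re
from dataclasses import dataclass, field

# Formatted SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Subject-line trigger words (assumed policy; the article mentions "sensitive" and "encrypt").
SUBJECT_TRIGGERS = ("encrypt", "sensitive", "secure")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Message:
    """Minimal outbound message model (hypothetical; a real gateway parses MIME)."""
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def encryption_reasons(msg: Message) -> list:
    """Return the policy rules that fire for this message, in evaluation order."""
    reasons = []
    if any(t in msg.subject.lower() for t in SUBJECT_TRIGGERS):
        reasons.append("subject keyword")
    if msg.attachments:
        reasons.append("attachment")
    if SSN_RE.search(msg.body):
        reasons.append("ssn")
    for m in CARD_RE.finditer(msg.body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # only Luhn-valid runs count as card numbers
            reasons.append("card number")
            break
    return reasons


def must_encrypt(msg: Message) -> bool:
    return bool(encryption_reasons(msg))


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        Message("Re: visit", "Patient SSN 123-45-6789 on file"),
        Message("ENCRYPT: lab results", "see attached", ["labs.pdf"]),
        Message("billing", "card 4111 1111 1111 1111 declined"),
        Message("billing", "ref 4111 1111 1111 1112 (not a card)"),
        Message("hello", "see you at 10 am"),
    ]
    for s in samples:
        print(f"{s.subject!r}: encrypt={must_encrypt(s)} reasons={encryption_reasons(s)}")
```

The SSN pattern only catches the dashed form; a practice that wants to catch bare nine-digit numbers should accept the extra false positives or pair the check with a lookup against its own patient index. Whatever the rules, the gateway should fail closed: a message it cannot parse is encrypted, not passed through.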

If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.

Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).

Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:

• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.

In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.

If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.

The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.

While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.

To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."

Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.

She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
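The last precaution, running EHR audits for inappropriate access, is where the policy becomes something a practice can actually check. The following is an added example for this page, not code from any EHR vendor or from the consultants quoted: it reads a constructed audit-log export and flags the three patterns Caswell names (a staff member opening their own record, a record of someone who may be a relative, and browsing charts without a treatment relationship). The CSV columns, the employee-to-patient mapping, and the daily threshold are assumptions; a real export will have different field names and a real baseline should set the threshold.

```python
import csv
import io
from collections import Counter

# Constructed sample export from an EHR audit log (not real data). Each row is one
# chart access: who opened which record, and whether the user had an open encounter
# (treatment relationship) with that patient at the time.
AUDIT_CSV = """timestamp,user_id,user_surname,patient_id,patient_surname,encounter_open
2015-07-20T08:01:00,u101,Garcia,p5001,Lopez,yes
2015-07-20T08:05:00,u101,Garcia,p5002,Garcia,no
2015-07-20T08:07:00,u102,Chen,p5003,Nguyen,yes
2015-07-20T08:09:00,u102,Chen,p5010,Chen,no
2015-07-20T12:30:00,u103,Patel,p5004,Smith,no
2015-07-20T12:31:00,u103,Patel,p5005,Jones,no
2015-07-20T12:32:00,u103,Patel,p5006,Brown,no
2015-07-20T12:33:00,u103,Patel,p5007,Davis,no
2015-07-20T14:00:00,u104,Lopez,p5001,Lopez,yes
"""

# Constructed mapping of workforce members who are also patients of the practice
# (hypothetical identifiers); needed to recognise access to one's own chart.
EMPLOYEE_PATIENT_IDS = {"u102": "p5010"}

# More than this many chart views without an encounter in one day is treated as
# browsing rather than incidental access. Threshold is an assumption; tune to baseline.
NO_ENCOUNTER_THRESHOLD = 3


def parse_audit(text: str) -> list:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_snooping(rows, employee_patient_ids=EMPLOYEE_PATIENT_IDS,
                  threshold=NO_ENCOUNTER_THRESHOLD) -> list:
    """Return sorted (rule, user_id, patient_id_or_day) findings worth human review."""
    findings = set()
    no_encounter = Counter()          # (user, day) -> views without an encounter
    for r in rows:
        user, patient = r["user_id"], r["patient_id"]
        had_encounter = r["encounter_open"].strip().lower() == "yes"

        # Rule 1: a staff member opening their own record.
        if employee_patient_ids.get(user) == patient:
            findings.add(("self_access", user, patient))
            continue                  # reported once, not also as a family match

        # Rule 2: same surname and no treatment relationship -> possible relative.
        # A treating clinician who happens to share a surname is not flagged.
        if (r["user_surname"].lower() == r["patient_surname"].lower()
                and not had_encounter):
            findings.add(("possible_family_access", user, patient))

        # Rule 3 input: count chart views with no encounter, per user per day.
        if not had_encounter:
            no_encounter[(user, r["timestamp"][:10])] += 1

    for (user, day), n in no_encounter.items():
        if n > threshold:
            findings.add(("high_volume_no_encounter", user, day))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_snooping(parse_audit(AUDIT_CSV)):
        print(*finding)
```

Every finding is a lead for the privacy officer, not a verdict: billing and quality staff legitimately open charts without an encounter (payment and operations are permitted purposes), so those roles need their own baseline or an exclusion. Keep the script's output alongside the audit export; the review itself is part of the documentation an OCR auditor will ask for.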


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.

"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Why Understanding HIPAA Rules Will Help With ONC Certification


Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.

Unfortunately, what many organizations don’t realize is that just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether it uses a vendor to process or store its patient records. The vendor is a business associate with obligations of its own, but the business associate agreement does not transfer the covered entity’s responsibility for the rest of its environment. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them; it’s just not true.

Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The HIPAA Security Rule, as revised by the 2013 Omnibus Rule, requires providers to assess the security of the databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls are the administrative, physical, and technical safeguards that must be in place to protect ePHI.

In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.

Unfortunately, addressing risks to electronic patient data is not always a top priority.

We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.

While some EHR systems and their related equipment have security features built in or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often network-connected (able to send information remotely to a server), but that equipment is frequently left out of security assessments altogether.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.

There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.

Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.

Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct a HIPAA security risk analysis (required under 45 CFR 164.308(a)(1)(ii)(A)) and repeat it at least annually and whenever systems, vendors, or workflows change materially. Engaging a trusted provider to remotely monitor and maintain your network and devices can support ongoing security, but it does not substitute for the analysis itself, which must cover every system where ePHI resides.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, so that only authorized individuals can access patient information; where the system supports it, add a second factor for remote and administrative access.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails that record who accessed which record, what changes were made, and when. Audit logs are only useful if someone reviews them, so assign responsibility for regular review and follow-up of anomalies.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.

Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.


Data Encryption Is Key for Protecting Patient Data


The HIPAA Security Rule, at 45 CFR 164.304, sets forth the following definition: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." Encryption is an "addressable" implementation specification rather than a "required" one, but it really should be treated as required. "Addressable" does not mean optional: a covered entity must either implement the specification where it is reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. There is also a practical payoff. Under the Breach Notification Rule, ePHI encrypted in line with HHS guidance (which points to NIST standards such as SP 800-111 for data at rest) is not "unsecured" PHI, so the loss or theft of a properly encrypted device is not a reportable breach. Encrypting mobile devices, laptops, hard drives, servers, and electronic media (e.g., USB drives and CD-ROMs) can therefore spare the practice a large fine for a HIPAA breach.
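To make the encryption claim checkable rather than taken on faith, here is an added example (my own code, not from the article) that parses the output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux server and lists every mounted filesystem that does not sit on top of a dm-crypt/LUKS mapping anywhere in its block stack. The sample output is constructed; the device and mountpoint names are invented.

```python
"""List mounted filesystems that are not backed by dm-crypt/LUKS (added example)."""
import shlex
import subprocess
from typing import Dict, List

LSBLK_COLUMNS = "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"

# Constructed `lsblk -P` output for an invented server: LUKS under LVM for /
# and the EHR data volume, an unencrypted /boot, and a plain NTFS backup disk.
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-root" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg0-root" PKNAME="luks-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg0-data" PKNAME="luks-root" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/var/lib/ehr"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/backup"
"""


def parse_lsblk(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `lsblk -P` KEY="value" lines into {device name: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the double-quoted values, including empty ones.
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name: str, devices: Dict[str, Dict[str, str]]) -> bool:
    """True if the device or any ancestor (via PKNAME) is a dm-crypt mapping."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name]["PKNAME"]
    return False


def unencrypted_mounts(text: str) -> List[str]:
    """Mountpoints whose storage never passes through a dm-crypt layer."""
    devices = parse_lsblk(text)
    return sorted(
        dev["MOUNTPOINT"]
        for dev in devices.values()
        if dev["MOUNTPOINT"] and not is_encrypted(dev["NAME"], devices)
    )


def run_lsblk() -> str:
    """Collect the same columns from the live system (Linux, util-linux lsblk)."""
    return subprocess.run(
        ["lsblk", "-P", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    for mount in unencrypted_mounts(run_lsblk()):
        print(f"UNENCRYPTED: {mount}")
```

On the sample this reports `/boot` and `/mnt/backup`. An unencrypted `/boot` is normal for a LUKS install; the finding that matters is any mount where ePHI, backups, or voice mail actually live. The check says nothing about key management (a LUKS key file kept on the same unencrypted partition defeats the purpose), and it covers only Linux dm-crypt: on Windows use `manage-bde -status`, on macOS `fdesetup status`.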

As a reminder, Concentra and QCA Health Plan together paid nearly $2 million in settlements to the Department of Health and Human Services, Office for Civil Rights. The "investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) was a critical risk," the Office for Civil Rights said. "While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information."

The problems with not encrypting data and failing to conform to the other requirements of HIPAA and the HITECH Act can have farther-reaching consequences. According to a recent article by Absolute Software, "Protected health information is becoming increasingly attractive to cybercriminals with health records fetching more than credit card information on the black market. According to Forrester, a single health record can sell for $20 on the black market while a complete patient dossier with driver's license, health insurance information, and other sensitive data can sell for $500."

Any physician who has had their DEA number compromised or been involved in a government investigation involving Medicare fraud knows firsthand about the importance of implementing adequate security measures and internal audits. Investing in encryption is one way to mitigate financial, reputational, and legal liability.

Justin Boersma's curator insight, March 27, 2015 7:28 AM

Data encryption is vital in the protection of private consumer data collected by companies, especially medical records. Innovation in data encryption is required to prevent breaches of sensitive information as The Information Age grows in the coming years.


Securely Disposing Medical Practice Equipment

It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members, or donate it to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data does not remove it from the device's storage: a deleted file's contents stay on the disk until they happen to be overwritten, and a copier or scanner's "factory reset" may not wipe its internal drive at all. So if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji. The Security Rule's device and media controls standard (45 CFR 164.310(d)(2)(i)) requires a policy for final disposal, and NIST SP 800-88 describes the accepted methods (clear, purge, or destroy). For flash storage such as SSDs, phones, and tablets, overwriting is unreliable; use the device's cryptographic erase or destroy it physically.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synced to your EHR, including smartphones and tablets, needs to be wiped or destroyed in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.

Maine man files $5 million class action suit over Anthem data breach


A Brunswick man on Thursday filed a $5 million class action suit against Anthem Health Plans of Maine, charging that the company failed to adequately protect the personal information of its clients before the data breach reported in February.

In a complaint filed Thursday in U.S. District Court in Portland, attorney Benjamin K. Grant of McTeague Higbee in Topsham wrote on behalf of his client, Brian Mason, that Anthem Inc. acted unreasonably by failing to encrypt clients’ confidential information, including Social Security numbers and medical and financial information.

On Feb. 4, Anthem disclosed the breach, announcing that it suspected hackers had stolen information belonging to tens of millions of current and former customers and employees, including at least 300,000 Maine residents, Reuters reported.

Social Security numbers, names, dates of birth, medical identification numbers, street and email addresses, and employment information including income data of approximately 80 million people were stolen between Dec. 10, 2014, and Jan. 27, 2015.

Although the breach was discovered on Dec. 10, Anthem did not announce it until Feb. 4, according to the suit, which notes, “The Maine Attorney General has joined attorneys general from other affected states in criticizing Anthem Inc.’s delay in notifying affected customers.”

Anthem is the second-largest health insurer in the country and conducts business in Maine as a wholly owned subsidiary, Anthem ME. According to the complaint, one in every nine Americans receives coverage through Anthem or an affiliated plan.

The suit alleges that Anthem also failed to maintain the information in an adequate computer system, failed to implement a process to detect a data breach in a timely way, failed to disclose the breach to consumers and failed to disclose that it could not adequately secure the personal information from theft or misuse.

In court documents, Grant refers to a 2014 FBI report in which the agency’s cyber division warned that health care companies were susceptible to cyberattacks.

According to Grant, had Anthem encrypted the data, “hackers would now possess electronic gibberish” instead of personal information that “is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the [information] to.”

Mason and other plaintiffs “now face a lifelong battle against identity theft,” Grant wrote, quoting from various publications that labeled the stolen personal information “a treasure trove for cybercriminals” that can “easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes” such as filing fraudulent tax returns and stealing refunds.

The suit seeks “damages, restitution, injunctive relief, and any other appropriate relief” on behalf of the plaintiff “and millions of Anthem’s customers in Maine and throughout the United States” whose information was stolen.

Reached by email Friday, Grant declined to comment on the suit, although he confirmed that more than 60 similar lawsuits have been filed in other states.

A spokesman for Anthem also did not offer immediate comment Friday, saying that the company’s policy is not to comment on pending litigation.


Getting the balance right with privacy and e-health

Recent advances in data management and analysis, such as the introduction of Electronic Health Records (EHRs) have the potential to save lives – and on a huge scale. However, it is increasingly clear that such innovations will only be realised if we can overcome a significant hurdle: the public’s concern that private medical data could fall into the wrong hands. To do that, we must convince people to play a more active role in establishing which information they want to keep private and which they are willing to share.

EHRs and the transformation of patient outcomes

Before we look at privacy, it is worth discussing just how transformative EHRs promise to be for the prevention and treatment of illnesses.

EHRs are much more than just a digital version of the paper-based health records of the past. In fact, EHRs embody a totally new approach to healthcare in which the wider ecosystem expands the centre of gravity beyond hospital borders. In this ecosystem, care becomes more distributed, with the burden shared by an extended family of health providers – GPs; physiotherapists; pharmacists; home-carers; family members; private health clinics; gyms; etc.

The patient is at the centre of a network bound together by his or her data, which in turn is shared and managed across all members of the healthcare web through the EHR. The EHR therefore is the main source of a comprehensive view of patient information.


The advantages of this approach are compelling: primary care givers are provided with an unprecedented view of the patient, allowing them to come to more accurate decisions in shorter timeframes and improving patient outcomes.

The empowered patient

Importantly, however, the same data innovations that are driving connected healthcare are also empowering patients to play a much more direct role in managing their own health. This is due in great part to the proliferation of wireless health devices and apps as well as social media platforms.

In the IDC/EMC Whitepaper ‘Taking-On the Chronic Disease Burden in the Hyper-Connected Patient Era’ the analysts Massimiliano Claps and Nino Giguashvili discuss how through smartphones and tablets, patients can monitor their daily activities, such as exercise and diet, and share results with their healthcare network. They can also, if they choose to, share their results through social networks, using gamification to drive health benefits.

It is not just through smartphones that such data can be shared; today a wide range of wearable devices such as smart watches, wristbands and even clothing can track wearers’ physical activity, calorie intake and other vital statistics. These data sources can be used by the wearer to manage their lifestyle, helping to prevent illness. Through EHRs moreover, this data can be shared with the user’s healthcare web, enabling their healthcare providers to deliver the best possible treatments over the course of the patient’s life.

As IDC puts it: 'The vast amount, wide variety, and velocity of data that is pushed to and pulled from the hyper-connected patient ecosystem represents an unprecedented opportunity to generate insights that can enhance the appropriateness of prevention and care.'

This is, of course, only if the patient is willing to share such information.

Privacy – a stumbling block to integrated healthcare?

EMC’s recent Privacy Index revealed that when it comes to privacy in the healthcare sector people have some major worries. In fact, a full 72% of people around the world are concerned about the future of the privacy of their medical data. While this figure is lower than for other sectors, such as finance or retail, it is still intolerably high.

People do not, it appears, trust healthcare organisations with their data. This is largely understandable. People have a natural anxiety about organisations collecting too much data about them – it has a whiff of ‘big brother’ about it. With a news agenda that is full of stories of privacy breaches, data loss and the misuse of data by businesses it is understandable why people may wish to keep their medical data private.

The digital world is still very new and it is evolving rapidly. The evolution of what we can do with data is moving so fast that many people have been caught unprepared. Fundamentally, allowing a select group of medical professionals to access data in order to help you is a very different proposition to businesses or governments accessing/using your data without your consent. Unfortunately at present the two things are often conflated.

As we grow used to our digital world however we will soon begin to understand that we can both ensure privacy while also enjoying the full benefits that a free flow of information promises. Technologies already exist to make digital records more secure than paper – it is now our behaviours that need to change.

Taking control of digital privacy

The change will come when people take more control of their online selves and take more steps to protect their own privacy.

People are already able to protect their privacy on social media sites through privacy settings, although far too few currently choose to do so. This needs to change.

When it comes to EHRs, the equivalent of privacy settings is consent management. Patients need to be able to select exactly who can access which portions of their health record. To that extent they will make decisions on how much of their privacy they are willing to trade off in order to receive better treatment. They will, in short, be empowered to use their own data as a discretionary tool.


This has implications beyond the health sector too. For example, if I am a fitness fanatic who exercises every day and only eats the healthiest of foods, I will be able to input this information into my EHR via my smart devices. Then, if I so chose, I could allow my life insurance company access to this data in order to help lower the premiums I pay each month. The key here is that it would be my choice to do so. I would have made a conscious and positive choice to trade a small portion of privacy for a clear benefit.

The future is in our hands

The promise of EHRs is not illusory. Already today innovative projects are improving the lives of people worldwide. Take Finland where its ePrescription service allows doctors to dispense with paper prescriptions and instead communicate electronically with pharmacies. Crucially, Finland has also implemented consent management and patients are therefore able to filter exactly what information is viewed by whom.

Implementations such as these will gather in pace and as they do so patients will better understand why the controlled sharing of private information benefits them – as long as the control rests firmly with them.

Secure EHRs really do have the power to transform healthcare, but it is important patients are aware and ready to make decisions about who has access to their data. Part of these decisions will be made on how secure the systems are that hold their data. Part will be based on what benefit they can receive from allowing access to this data. Through this process patients will be empowered to take greater ownership of their data and given the chance to improve their wellbeing through a more efficient approach to healthcare. While a new concept, we would argue that this is something patients should embrace rather than be concerned about.

VoIP Phones and HIPAA Compliance


So, what about your VoIP phone system? Many organizations have migrated to VoIP service.  VoIP (or “Voice over Internet Protocol”) is a method for taking analog audio signals and turning them into digital data that can be transmitted over the Internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?

By definition, electronic PHI is data which is transmitted or maintained on electronic media. Electronic media is defined as either:

  1. Electronic storage material, which includes, for example, computer hard drives, or
  2. Transmission media, which includes, for example, the internet. Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.

The quoted clause is the 2013 change. For a VoIP system with no voice mail (which rules out nearly every VoIP system) there might be room to debate whether the information it handles meets the definition of ePHI. Voice mail, however, is stored on hard drives or other electronic storage media, so it clearly is ePHI, and the same reasoning applies to call recordings.

What features does HIPAA look for with VoIP software that processes ePHI?   The implementation specifications in the HIPAA rule that apply to software include:

  1. Unique User ID & authentication. Phones identify themselves by phone number or by the serial number on the phone, and a certificate installed on the phone is used to authenticate it via PKI. Keep in mind that the Security Rule's unique user identification requirement is about people, so administrative consoles and voice mail retrieval still need per-user credentials rather than a shared device identity.
  2. Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
  3. Audit logs. The system should record call meta data, as well as any details regarding any administrative activities performed by an authenticated user.
  4. Encryption. TLS protects the SIP signaling between IP phones and the Communications Manager software, but not the audio itself; the RTP media stream needs SRTP, or the whole path needs to run inside a VPN. For data at rest, for example voice mail, other encryption technologies can be used.
  5. Business Associate Agreement (for cloud providers). When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.
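The items above can be checked mechanically against a phone system's configuration. The following is an added example, my own code rather than anything from the article or from the Asterisk project, that reads an Asterisk-style pjsip.conf and reports each transport or endpoint that falls short of the signaling-encryption, media-encryption and authentication expectations in the list. The sample configuration is constructed; the section names, file paths and extension numbers are invented. That the keys follow pjsip.conf's documented names (protocol, method, cert_file, priv_key_file, media_encryption, auth) is an assumption about the target system, and `method` is only flagged when it explicitly selects a deprecated protocol version.

```python
"""Audit a pjsip.conf-style phone configuration for HIPAA-relevant gaps (added example)."""
import configparser
from typing import Dict, List

# Constructed sample: one plaintext UDP transport, one TLS transport, a phone on
# each. Names, paths and numbers are invented.
SAMPLE_PJSIP_CONF = """
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2

[phone-101]
type=endpoint
transport=transport-udp
auth=phone-101-auth
media_encryption=no

[phone-102]
type=endpoint
transport=transport-tls
auth=phone-102-auth
media_encryption=sdes
"""

ENCRYPTED_SIGNALING = {"tls", "wss"}
ENCRYPTED_MEDIA = {"sdes", "dtls"}
WEAK_TLS_METHODS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}


def parse_pjsip(text: str) -> configparser.ConfigParser:
    """pjsip.conf is INI-shaped; disable interpolation so '%' in values is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_pjsip(text: str) -> List[str]:
    """Return one finding string per control gap, keyed by section name."""
    cfg = parse_pjsip(text)
    findings: List[str] = []
    transports: Dict[str, configparser.SectionProxy] = {
        name: cfg[name] for name in cfg.sections() if cfg[name].get("type") == "transport"
    }

    # Signaling: every transport should speak TLS (or WSS) with a current method and a keypair.
    for name, sec in transports.items():
        proto = sec.get("protocol", "udp").lower()
        if proto not in ENCRYPTED_SIGNALING:
            findings.append(f"{name}: signaling protocol '{proto}' is unencrypted")
            continue
        if sec.get("method", "").lower() in WEAK_TLS_METHODS:
            findings.append(f"{name}: TLS method '{sec.get('method')}' is deprecated")
        for key in ("cert_file", "priv_key_file"):
            if not sec.get(key):
                findings.append(f"{name}: missing {key}")

    # Endpoints: pinned to an encrypted transport, SRTP on, credentials required.
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type") != "endpoint":
            continue
        tname = sec.get("transport", "")
        transport = transports.get(tname)
        if transport is None or transport.get("protocol", "udp").lower() not in ENCRYPTED_SIGNALING:
            findings.append(f"{name}: bound to non-TLS transport '{tname or '(default)'}'")
        if sec.get("media_encryption", "no").lower() not in ENCRYPTED_MEDIA:
            findings.append(f"{name}: media_encryption is off, RTP audio travels in the clear")
        if not sec.get("auth"):
            findings.append(f"{name}: no auth section, endpoint registers without credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_pjsip(SAMPLE_PJSIP_CONF):
        print(finding)
```

On the sample, `transport-udp` and `phone-101` are flagged (plaintext signaling, plaintext media) while `transport-tls` and `phone-102` pass. The script covers only the configuration file; the audit-log item in the list still has to be verified by pulling call detail records and administrative logs from the running system, and the business associate item is contractual, not technical.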

It is not surprising that some cloud VoIP vendors offer interpretations of HIPAA under which their services and VoIP phone technology fall under the so-called “conduit exception.” That exception is narrow: it covers organizations that merely transport information, such as the U.S. Postal Service or internet service providers. OCR’s guidance on cloud computing states that a vendor that stores ePHI is a business associate even if it never views the data and even if the data is encrypted, so a hosted provider that keeps your voice mail is not a conduit.

The takeaway – include your VoIP phone system in application inventory, assess risks during your risk assessment, conduct the appropriate security evaluation and document compliance.


HIPAA Criminal Violations on the Rise


Stories appear almost every day about medical records being improperly accessed, hacked or otherwise stolen. The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others. This confluence of events highlights the pressure being faced by the healthcare industry to protect the privacy and security of medical records in all forms.

While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider. The threat from an insider can take the form of snooping (accessing and viewing records out of curiosity) to more criminal motives such as wanting to sell medical information. Examples of criminally motivated insiders, unfortunately, are increasing.

One recent example occurred at Montefiore Medical Center in New York where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients. The hospital employee then sold the information for as little as $3 per record. The individuals who acquired the information used it to allegedly go on a shopping spree across New York for over $50,000.

Another recent example comes from Providence Alaska Medical Center in Anchorage, AK, where a financial worker at the hospital looked up patient information for a friend. That friend was under criminal investigation for injuring the patients in question and wanted to know whether either of them had reported him to the police. Clearly, the financial worker’s access was improper.

While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency. What should organizations do? Is this conduct actually preventable? As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce. If someone is unaware of HIPAA requirements, it is hard to comply.

However, it can also be extremely difficult to prevent criminal conduct altogether. If an individual has an improper motive, that individual will likely find a way to do what they want to do. From this perspective, organizations cannot prevent the conduct entirely, but should consider what measures can be taken to mitigate the impact of improper access or taking of information. It would be a good idea to monitor and audit access to and use of information, so that inappropriate access, or information leaving the organization, can be caught quickly. Overall, the issue becomes how well an organization monitors its systems and takes action when a suspected issue presents itself.
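The monitoring the previous paragraph calls for, and the audit-trail item in the EHR compliance checklist earlier on this page, come down to running rules over the access log. Here is an added example (my own code, not from the article or from any EHR vendor) that applies three such rules to constructed audit rows: access by a user with no recorded treatment or business relationship to the patient, access where user and patient share a surname (a common self- or family-lookup signal), and a user opening more distinct charts in an hour than an assumed baseline for their role. The log format, the care-team table and the baselines are all invented for the example; a real deployment would feed them from the EHR’s audit export, scheduling or encounter data, and historical usage.

```python
"""Flag suspicious EHR record access from audit-trail rows (added example)."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Deque, Dict, List, Set

# Constructed audit rows (no real patients or staff). The clerk's burst of
# twelve lookups in twelve minutes is generated to keep the sample short.
AUDIT_LOG = (
    "ts,user,user_surname,role,patient_id,patient_surname,action\n"
    "2015-06-01T08:02:00,jdoe,Doe,nurse,P1001,Smith,view\n"
    "2015-06-01T08:10:00,jdoe,Doe,nurse,P1002,Jones,view\n"
    "2015-06-01T09:15:00,jdoe,Doe,nurse,P1001,Smith,update\n"
    "2015-06-01T12:30:00,mlee,Lee,billing,P2001,Brown,view\n"
    "2015-06-01T12:31:00,mlee,Lee,billing,P2002,Garcia,view\n"
    "2015-06-01T14:00:00,jdoe,Doe,nurse,P4001,Doe,view\n"
    + "".join(
        f"2015-06-01T13:{i:02d}:00,rkay,Kay,clerk,P3{i:03d},Patient{i},view\n"
        for i in range(12)
    )
)

# Constructed relationships: which users have a treatment or business reason
# to open each chart (in practice derived from encounters and work queues).
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jdoe"}, "P1002": {"jdoe"},
    "P2001": {"mlee"}, "P2002": {"mlee"},
}

# Assumed number of distinct charts a role normally opens within one hour.
HOURLY_BASELINE = {"nurse": 10, "billing": 30, "clerk": 8}
WINDOW = timedelta(hours=1)


def parse_log(text: str) -> List[dict]:
    """Read CSV audit rows, convert timestamps, and sort chronologically."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def find_suspicious_access(text: str) -> List[dict]:
    """Apply the three rules and return one alert dict per hit."""
    alerts: List[dict] = []
    spiked: Set[str] = set()
    recent: Dict[str, Deque[dict]] = defaultdict(deque)

    for row in parse_log(text):
        user, patient = row["user"], row["patient_id"]

        # Rule 1: no documented relationship between this user and this chart.
        if user not in CARE_TEAM.get(patient, set()):
            alerts.append({"rule": "no_relationship", "user": user,
                           "patient": patient, "ts": row["ts"]})

        # Rule 2: user and patient share a surname (self or family lookup).
        if row["user_surname"].lower() == row["patient_surname"].lower():
            alerts.append({"rule": "surname_match", "user": user,
                           "patient": patient, "ts": row["ts"]})

        # Rule 3: distinct charts in the trailing hour exceed the role baseline.
        window = recent[user]
        window.append(row)
        while row["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        distinct = {w["patient_id"] for w in window}
        if len(distinct) > HOURLY_BASELINE.get(row["role"], 5) and user not in spiked:
            spiked.add(user)  # one alert per user per run, not one per extra row
            alerts.append({"rule": "volume_spike", "user": user,
                           "count": len(distinct), "ts": row["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_access(AUDIT_LOG):
        print(alert)
```

On the sample the clerk trips the volume rule at the ninth distinct chart and every one of those lookups also lacks a relationship, while the nurse's single lookup of a patient named Doe raises both a surname match and a no-relationship alert. The surname rule is a triage signal, not proof (common surnames collide), and the relationship rule is only as good as the encounter and scheduling data behind the care-team table, which is why it is usually paired with a break-the-glass workflow that records a justification instead of blocking access outright.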


Unencrypted Device Breaches Persist


Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.

As of June 23, the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.

Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group.

The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed "theft" as the cause.

Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those types of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.

"Although we've seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization," says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. "Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is 'the' most common breach scenario affecting organizations of any size."

Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. "Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization," she says. "We also shouldn't overlook encryption of media, including tapes, disks and USB storage drives."

Unencrypted Device Breaches

The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.

That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. "There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals," the statement says.

Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as "doing business as Half Dental." The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.

In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve loss or stolen paper records or film.

"Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals," Borten says. Because many of the breaches involving paper or film are often due to human error, "effective, repeated training is essential" to help prevention of such incidents, she says.

Hacking Incidents Added

The largest breach added to the tally in recent weeks, however, is the hacker attack on CareFirst BlueCross BlueShield, which was reported on May 20 to HHS and affected 1.1 million individuals. Baltimore-based CareFirst has said that an "unauthorized intrusion" into a database dating back to June 2014 was discovered in April by Mandiant, the cyberforensics unit of security vendor FireEye, which CareFirst had asked to conduct a proactive examination of its environment following the hacker attacks on Anthem and Premera.

Another hacker incident added to the tally affected South Bend, Ind.-based Beacon Health System. That incident, reported to HHS on May 20, is listed as affecting about 307,000 individuals. The organization has said patients' protected health information, including patient name, doctor's name, internal patient ID number, and in some cases, Social Security numbers and treatment information, was exposed as a result of phishing attacks on some employees that started in November 2013. The attacks led to hackers accessing "email boxes" that contained patient information.

Addressing Multiple Threats

Healthcare organizations need to continue their efforts to protect data from the threats posed by cyber-attackers, insiders or street thieves, says Borten, the consultant.

"There's no simple answer, but security is complex, and so the solutions, or mitigating controls, must be numerous and varied."


HIPAAChat: secure messaging and telemedicine platform


To provide the best care for our patients, physicians and healthcare workers must communicate constantly. For many of us, text messaging, push-to-talk messages, and video calling have become the preferred method of contact.

However, SMS, FaceTime, Skype, and iMessage are not technically HIPAA-compliant platforms. Even though some like FaceTime may meet data security standards that could make them HIPAA compliant, they don’t necessarily commit to it.

We have seen an influx of HIPAA-compliant secure messaging apps over the past few years, such as AthenaText, Doximity, TigerText, and others. HIPAAChat enters this market as an easy-to-use app with an intuitive format and some pretty unique features that make it stand out. Following its acquisition by Everbridge, a world leader in cloud-based, unified critical communications, HIPAAChat also incorporates advanced Enterprise utility and interoperability. Secure text, group chat, image transfer – check. Dictate/audio transfer/push-to-talk – check. Real-time, live video calling? You bet! HIPAAChat provides all these features packaged in an app that is as easy to use as iMessage and FaceTime.

User Interface

After downloading the HIPAAChat app, setup was extremely simple and only required input of your name, email, and phone number. Optional information included a photo upload and a 4-digit PIN setup if your phone isn’t fingerprint or password protected. In order to connect with colleagues, both parties must have the app on their smartphone. However, within the app, you can select people from your existing contacts or enter a phone number or email, and an invitation will be sent prompting them to download the app to begin HIPAA-compliant communication.

HIPAAChat is available for both Android and iPhone devices. As a result, the app facilitates secure messaging between all members of the care team, including physicians, nurses, social workers, consultants, etc. One of the main features that kept me using the HIPAAChat app is the simple, clean, and intuitive interface. I have been using this app to answer questions about patients from residents and referring doctors. Despite a busy clinical and surgical volume, the app allows for minimal disruption in my current routine.



The messaging features are standard and work the same as SMS or iMessage. The interface shows when a message was read and also displays when a message is being typed. A nice feature of this and other secure messaging apps is the ability to group text with users. The Enterprise software allows for additional features, including the creation of group distribution lists via active directory/ADAM and LDAP synchronization. This would be particularly useful for alerting specialized medical teams, such as a Stroke Team, Code Team, Trauma Team, etc. In our practice, we have been using HIPAAChat to relay information on surgical or clinic add-ons, questions on patient management, and consultations from other doctors. 


In ophthalmology, as with many other medical specialties, we heavily rely on imaging for patient care. A picture is often worth a thousand words. HIPAAChat allows for secure transmission of photos with a simple tap of the camera icon. Users can choose to take a new photo or choose an existing photo, without leaving the app interface. One feature missing in the current version is the ability to transmit saved videos asynchronously.


Walkie-talkie or push-to-talk allows recording voice messages with the touch of a button. This feature actually plays the audio message instead of converting it to text. However, the audio message is played back over the speaker, so you must be cognizant of people around you, as they will hear the message. In addition to touch-to-talk, the app also allows talk-to-text, making it extremely easy to dictate text messages on the fly. With the release of smart watches like the Apple Watch, these features could open the door to efficient audio messaging on your wrist, since these devices won’t allow texting on the screens. Message alerts show up on the Apple Watch, but the current version will not display actual messages; future versions are likely to incorporate the use of smart watches.

Audio/Video calling

A main distinguishing feature of HIPAAChat from several competitors is the ability for real-time audio and video calling. As a result, the HIPAAChat app can also serve as a telemedicine platform. The video calling has a similar interface to FaceTime or Skype, again contributing to the ease of use and intuitive nature of the app. Call clarity and picture quality were very good, without any significant delays or picture freezes when I used it on our Wi-Fi network.


With maximum fines of $50,000 per violation and up to $1.5 million annually for repeat violations, secure messaging of PHI is imperative. HIPAAChat allows for secure, encrypted transmission of messages as part of the Everbridge platform. The app meets all the administrative, technical, and physical safeguards.


I have been using the basic HIPAAChat Lite, which is free to download and offers the core secure communication features. The Enterprise level adds an IT administrator console for managing users and devices, Active Directory sync, archiving and data retention, auditing, reporting, and analytics. Additionally, the Enterprise version facilitates system integration with EHRs, labs, admissions/discharge/transfer systems, and nurse call/intercom systems. For institutions wanting custom integration, fully documented APIs are available to support their specific needs.


The live video calling feature of the HIPAAChat app sets it apart from other secure messaging apps that I have used. Whereas two systems are usually needed for secure messaging and telemedicine, HIPAAChat combines the two in one platform. Additionally, unlike many telemedicine platforms, the physician can access secure video on their smartphone or tablet, making it truly portable.

The HIPAAChat platform enables physicians to communicate virtually with other medical staff, consultants, and even patients from anywhere. I have found that the video consultations can be very useful in the emergency room setting, often preventing unneeded transfers, follow-up, or unnecessary treatment. Everbridge also offers an iCart that serves as a mobile telemedicine platform, ideally suited for the emergency room. The iCart is a mobile cart on wheels with the attachment of a tablet. The housing of the tablet allows for attachment of video lights, a Wood’s lamp, and macro lenses specifically for ophthalmology and dermatology.

Lyfe Media's curator insight, June 19, 2015 1:48 PM

Technology is quickly coming to the medical field's rescue by improving processes and cutting costs. HIPAAChat is just one of the tools doing exactly that. This article explains the different features the app has and how it's making incredible improvements to a necessary industry. LyfeNews


EHR Vendor Target of Latest Hack


Web-based electronic health record vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, say a cyber-attack has resulted in a data breach affecting some healthcare clients and an undisclosed number of patients.

In a statement, Medical Informatics Engineering says that on May 26, it discovered suspicious activity on one of its servers.

A forensics investigation by the company's internal team and an independent forensics expert determined that a "sophisticated cyber-attack" involving unauthorized access to its network began on May 7. The breach resulted in the compromise of protected health information relating to certain patients affiliated with certain clients, the company says.

"We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified," the company says. Clients include: Concentra, a nationwide chain of healthcare clinics; Fort Wayne (Ind.) Neurological Center; Franciscan St. Francis Health Indianapolis; Gynecology Center, Inc. Fort Wayne; and Rochester Medical Group, Rochester Hills, Mich.

Information exposed in the breach affecting the Web-based EHR system includes patient's name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports and medical conditions. "No financial or credit card information has been compromised, as we do not collect or store this information," the company says.

PHR Also Breached

Medical Informatics Engineering says it also determined that the cyber-attack compromised PHI of its NoMoreClipboard subsidiary, which serves patients who assemble personal health records. A separate notice was issued for affected clients and patients. Information exposed for individuals who use a NoMoreClipboard portal/personal health record, includes name, home address, username, hashed password, security question and answer, email address, date of birth, health information and Social Security number.

"We strongly encourage all NoMoreClipboard users to change their passwords," the company says in its statement. "We also strongly encourage everyone to use different passwords for each of their various accounts. Do not use the same password twice. The next time a NoMoreClipboard user logs in, we will prompt a password change."

As part of the password change process, the company says it will send a five-digit PIN code to a cell phone, via an automated phone call, or to an email address already associated with the NoMoreClipboard account. "Users will have to enter this five-digit code to reset their password," the company says. "We are also emailing NoMoreClipboard users to encourage this password change."

Medical Informatics Engineering says the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."

Medical Informatics Engineering and its NoMoreClipboard subsidiary are offering affected individuals free credit monitoring and identity protection services for the next 24 months.

The company did not immediately reply to a request for comment.

Going After Patient Data

This incident shows that any healthcare-related company or business associate is a target for attackers, says security and privacy expert Kate Borten, founder and CEO of The Marblehead Group consultancy.

"Assuming the attack was targeted, this is just another example of going after a big chunk of patient data," she says. "I don't think it matters to an attacker whether the company is a health plan/insurer or a health information exchange, or a provider. It's just an organization with a significant volume of PHI."


Doximity launching app for the Apple Watch


Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.

Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA-compliant messaging as well as an e-fax number and a journal feed.

Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to others – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when a new fax comes in – you can automatically view the fax on your iPhone using the Handoff functionality.

This hits on one of the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA-compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians, so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.

We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. It’s well recognized that physicians have largely embraced Apple devices, and so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.


Step Up Compliance in 2015: 6 Tips for Practices


Achieving physician buy-in for a compliance program can be daunting. Compliance comes at a cost, consuming resources (time, attention, and money) that are already stretched thin. But, if physicians and staff fail to pay for compliance, up front, practices run the risk of implementing a compliance program reactively, at an even higher cost.

In other words, compliance is a lot like insurance. You may hate to pay for it, but if you need it and you don’t have it, you could be setting yourself up for a financial disaster.

Be assured: If you are not monitoring your productivity bell curves, documentation, coding, medical necessity, and utilization, and if you are not auditing revenue integrity, someone else is.

Current data analytics make it easy to identify an outlier physician profile, and the government has very sophisticated techniques for data mining. Whistleblower cases also have skyrocketed in recent years, with huge settlements awarded to individuals who bring cases to, or on behalf of, the government.

Failure to implement compliance programs proactively creates additional opportunities for regulatory and law enforcement scrutiny, as well as potential False Claims Act liability. And, failure to prevent or identify improper federal healthcare program claims and payments comes with a big price. The amount of federal audit recoveries in the first six months of 2014 was $3.1 billion.

1. Implement the seven core elements
Corporate integrity agreements (CIAs) do not discriminate, and no one is exempt. The cost associated with compliance program implementation under a CIA vs. proactive implementation is staggering. Both require implementation of the seven core elements of the Office of Inspector General compliance guidance roadmap; however, under the CIA there are additional fees associated with legal representation and independent review organizations (IROs), frequent mandated audits, reporting requirements, and many times, consulting fees, as well.

2. Conduct regular audits
Compliance is not just insurance: It is preventive medicine for your practice. Make sure that your practice has annual and ongoing checkups. Assessing your practice for risks, and determining the likelihood and severity of impact, will help determine the most important areas to focus on, and should drive your audit work plan. Highest-risk areas should be addressed first.

Perform benchmark audits to review small samples of data and set the baseline for all future audits. If a benchmark audit reveals areas of concern, conduct an expanded audit. When a “diagnosis” of the problem is established, develop a plan of corrective action. Don't forget to follow up: this is a critical step in determining whether the corrective action plan is effective and working. Continually monitor and audit.

3. Disclose payment errors
Don’t forget: If your practice identifies payments that it was not entitled to, it must pay them back by adhering to the CMS self-disclosure requirements.

4. Know the laws
Section 6401(a) of the Affordable Care Act made a significant change to the status quo by requiring all providers and suppliers to establish a compliance program that contains certain “core elements” as a condition of enrollment in Medicare, Medicaid, and CHIP. New York State and Arkansas have mandatory compliance program certification requirements for Medicaid providers who meet certain criteria.

5. Identify a compliance leader
Compliance is a cost of doing business, and must be a priority for all provider practices. If you haven’t already done so, designate an individual to lead your compliance program, and start performing risk assessment and self-audits.

If your risk assessments are not identifying any issues, you probably aren’t looking in the right places. No practice is perfect. The point of having a compliance program is to help identify areas of weaknesses and potential issues, early, so that you can correct them.

6. Secure staff buy-in and training
A culture of compliance starts at the top. Treating compliance as a partnership, instead of a police action, will help to obtain buy-in from the staff. Train employees on your code of conduct, how to identify fraud and abuse, and how to report it. They also need job-specific training to avoid errors and assure revenue integrity. All staff should understand that everyone is responsible for compliance, and that it is a condition of employment.

Enact a policy that whoever reports a potential violation, in good faith, will not be retaliated against. Have open lines of communication, and a way for employees to report incidents anonymously. If you find problems, correct them immediately and going forward. Whether you consider compliance to be insurance or preventive medicine, it’s a necessary investment.


Data Breach Reporting Requirements for Medical Practices


Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way to log in to the EHR. It would be a big step forward and would eliminate most of the authentication steps needed to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase that refers to all of the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and technologies that rely on retinas, irises, face recognition, or voice recognition are available or in development to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?
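The FIDO design speaks directly to this concern: the biometric match happens on the device, which then proves possession of a private key by signing a random challenge, so the server stores only a public key and never sees the fingerprint. The Go program below is an added example, not code from the original article; the Authenticator and RelyingParty types, the user name, and the hash-of-sample stand-in for a real fuzzy biometric matcher are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator is the device side (phone, badge, terminal reader). Both fields
// stay on the device: the template never reaches the EHR server and the private
// key only ever emits signatures. Hashing the sample is an assumed stand-in for
// a real fuzzy biometric matcher.
type Authenticator struct {
	enrolledTemplate [sha256.Size]byte
	priv             ed25519.PrivateKey
}

// NewAuthenticator enrolls a sample and generates a key pair; only the public
// key is returned for registration with the server.
func NewAuthenticator(sample []byte) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{enrolledTemplate: sha256.Sum256(sample), priv: priv}, pub, nil
}

// Sign runs the local biometric check and, only on a match, signs the challenge.
func (a *Authenticator) Sign(sample, challenge []byte) ([]byte, error) {
	got := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(got[:], a.enrolledTemplate[:]) != 1 {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty is the EHR login server. It holds public keys only, so a breach
// of this table leaks no biometric data and nothing usable to log in.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding nonce per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key produced at enrollment.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh random nonce; unpredictable and single-use, so a
// captured signature cannot be replayed for a later login.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and consumes it
// whether or not the check succeeds.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, hasKey := rp.keys[user]
	nonce, hasNonce := rp.challenges[user]
	if !hasKey || !hasNonce {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, nonce, sig)
}

// Login runs the full exchange (challenge, local unlock, signature, verification)
// and reports whether the server accepted it. A wrong finger signs nothing.
func Login(rp *RelyingParty, auth *Authenticator, user string, sample []byte) bool {
	nonce, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := auth.Sign(sample, nonce)
	if err != nil {
		return false
	}
	return rp.Verify(user, sig)
}

func main() {
	enrolled := []byte("constructed-fingerprint-sample") // stands in for a sensor reading
	auth, pub, err := NewAuthenticator(enrolled)
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	rp.Register("dr.example", pub) // assumed user name
	fmt.Println("enrolled finger accepted:", Login(rp, auth, "dr.example", enrolled))
	fmt.Println("other finger accepted:", Login(rp, auth, "dr.example", []byte("other-finger")))
}
```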

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise-level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as for reducing the technological burden on the healthcare providers who have to use this technology daily in the performance of their jobs. These competing trends get more important every day as the EHR becomes more ubiquitous.


Should HIPAA require encryption of medical data?

Dive Brief:
  • Even more surprising to some than the fact that Anthem did not encrypt its medical records, which made it easier to hack, according to experts, was the fact that HIPAA's regulations do not currently require that personal health data be encrypted by providers who manage those records. A report in HealthIT Security revealed that lawmakers are starting to address this issue.
  • The US Senate Health, Education, Labor and Pensions committee is taking up the debate, while New Jersey Gov. Chris Christie has already enacted a law requiring medical record encryption and Connecticut Democrats are apparently also seeking similar legislation in their state.
  • At present, HIPAA regs do not specifically require data encryption. Instead, HIPAA-covered entities get to choose, based on their situation, whether encryption is necessary or another approach is more appropriate.
Dive Insight:

The Anthem hack has become the cue for every agency, governmental body, consumer group, healthcare advocacy organization and technology forum to start pushing tougher cybersecurity requirements. While the strong reaction was expected, the stampede could generate more problems than solutions, with lawmakers and federal agencies duplicating efforts with state legislatures around the country.

What would make the aftermath of the Anthem hack even worse is a resulting mish-mash of regulations and laws that vary from state to state, from agency to agency. Any additional HIPAA security regs should at least attempt to coordinate bills being drafted by Congress and work to advise individual states so there can be some parity across all the different bodies with multiple approaches to the same goal.


Data Breach Reporting Requirements for Medical Practices


By now, almost everyone who watches the news or reads any major newspaper has heard about the Anthem, Inc. data breach. Anthem, the nation's second-largest health insurer, is considered a covered entity under HIPAA and, in turn, must comply with the federal laws and regulations governing such entities.

On Feb. 4, the company announced that it was the target of a cyber attack that enabled hackers to penetrate its data system and access members' identifying factors and personal information including: names, dates of birth, employers, and social security numbers. In the aftermath of this announcement, class action lawsuits were filed around the country. This means that in accordance with Rule 23 of the Federal Rules of Civil Procedure, "one or more members of a class may sue or be sued as representative parties on behalf of all members" with certain conditions such as the number of claimants, commonality among questions of law and fact, as well as defenses.

The suit filed in the U.S. District Court for the Southern District of Indiana, Meadows v. Anthem, Inc., indicated that the data breach exposed the information of up to 80 million consumers. The suit alleges that people would not have obtained health insurance and relied on the representations of Anthem had they known that their data was at risk. Hence, numerous contractual issues were raised. In light of this occurrence, physicians should evaluate their own contracts, HIPAA compliance, and what they are indicating in their attestations and assurances to patients and business partners.

The new Office of Civil Rights HIPAA breach protocol

With the upgrade to the HHS' Breach Portal, additional information is required there, too.

45 CFR §164.408 and the alterations to the Breach Portal may impact certain entities that are planning on submitting their 2014 breach notification reports for incidents impacting fewer than 500 people within 60 days of the end of the calendar year, pursuant to 45 CFR §164.408(c). So, what do these new report requirements entail?

• Disclosure of a "breach end date" and "discovery end date" are required.

• The "Safeguards in Place Prior to the Breach" section now uses general categories (e.g., none, privacy rule safeguards) instead of specifics (e.g., strong authentication, encrypted wireless).

• "Actions Taken in Response to Breach" is much more detailed and includes "adopted encryption technologies, security rule risk analysis, and revised policies and procedures."

It is important to note that in the event of an investigation, any identified area may be delved into in greater detail. The March 2, 2015 60-day deadline for reporting 2014 breaches is coming shortly. These changes are a signal that close attention should be given to HIPAA, the HITECH Act, and the related rules. Doing so can save a lot of time, money, and reputational cost.


The Black Market For Stolen Health Care Data


President Obama is at Stanford University today, hosting a cybersecurity summit. He and about a thousand guests are trying to figure out how to protect consumers online from hacks and data breaches.

Meanwhile, in the cyber underworld, criminals are trying to figure out how to turn every piece of our digital life into cash. The newest frontier: health records.

I grab a chair and sit down with Greg Virgin, CEO of the security firm RedJack.

"There are a lot of sites that have this information, and it's tough to tell the health records from the financial records," he says.

We're visiting sites that you can't find in a Google search. They have names that end with .su and .so, instead of the more familiar .com and .org.

After poking around for about an hour, we come across an advertisement by someone selling Medicare IDs.

We're not revealing the site address or name because we don't want the dealer to know we're watching.

According to the online rating system — similar to Yelp, but for criminal sales — the dealer delivers what's promised and gets 5 out of 5 stars. "He definitely seems legit" — to the underworld, Virgin says.

The dealer is selling a value pack that includes 10 people's Medicare numbers – only it's not cheap. It costs 22 bitcoin — about $4,700 according to today's exchange rate.

Security experts say health data is showing up in the black market more and more. While prices vary, this data is more expensive than stolen credit card numbers which, they say, typically go for a few quarters or dollars.

Health fraud is more complex. Records that contain your Social Security number or mother's maiden name are used for identity theft. Virgin predicts hackers could be using them for corporate extortion.

"A breach happens at one of these companies. The hackers go direct to that company and say, 'I have your data.' The cost of keeping this a secret is X dollars and the companies make the problems go away that way," he says.

Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last two years.

Jeanie Larson, a health care security expert, says cyber-standards are too low for hospitals, labs and insurers. "They don't have the internal cybersecurity operations."

Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret them loosely — in a way that gets around the basics, like encryption.

"A lot of health care organizations that I've talked to do not encrypt data within their own networks, in their internal networks," she says.

They assume, incorrectly, that the walls around the network are safe.

Larson is part of the industry group National Health ISAC which is trying to raise the bar and make hospitals more like banks when it comes to investing in security.

"The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry's just not there," she says.

Orion Hindawi with Tanium, a firm that monitors computer networks, says health care providers are far from there. They've been racing to grow, to digitize health records, to make mobile apps, to acquire other companies — all this without having a basic handle on how big their networks even are.

"I was working with a customer recently, and I asked them how many computers they had. And they told me between 300,000 and 500,000 computers," Hindawi says.

Meaning his client basically didn't know.

"We see that often when we walk into a customer [office]," Hindawi says.

He wasn't surprised to hear that the health care company Anthem suffered a major cyberattack. Anthem revealed last week that as many as 80 million people's records may have been stolen. Hindawi says he expects to see many more Anthems.
