Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

OCR Didn’t Meet HIPAA Security Requirements

Posted on December 27, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

Oops — this doesn’t sound good. According to a report from the HHS OIG, the agency’s Office for Civil Rights has failed to meet the requirements for oversight and enforcement of the HIPAA security rule.

The 26-page report spells out several problems with OCR’s enforcement of the security rule, which was expanded by the HITECH ACT of 2009 to demand regular audits of covered healthcare organizations and their business associates. The vulnerabilities found leave procedural holes which could harm OCR’s ability to do its job regarding the security rule, the OIG said.

What was OCR failing to do? Well for one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the audits to ensure their compliance. Another example: OCRs investigation files didn’t contain the required documentation supporting key decisions made by staff, because the staff didn’t consistently follow the offices procedures by reviewing case documentation.

What’s more, the OCR apparently hasn’t been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow policies and procedures for properly managing security rule investigations.

The OIG also found that OCR wasn’t complying with federal cyber security requirements for its own information systems used to process and store data on investigations. Requirements it was neglecting included getting HHS authorizations to operate the system used to oversee and enforce security rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if the OCR is going to oversee the privacy rule properly, it had better get its own act together.

100% Interoperability, Quantified Self Data, and Data Liquidity – #HITsm Chat Highlights

Posted on March 30, 2013 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Topic 1: Do you think the healthcare system WANTS 100% interoperability & data liquidity? Why/why not?

 

Topic 2: As consumer, what are YOUR fears about your health data being shared across providers/payers/government?

 

Topic 3: What do you think payers will do with #quantifiedself data if integrated into EHR? Actuarial/underwriting?

 

Topic 4: Could there be a correlation between your fear of data liquidity and your health?

 

Topic 5: What could assuage your fears? Education? Legislation? Regulation? Healthcare system withdrawal?

Sending PHI Over SMS

Posted on February 26, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently was talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your Live Calls, transcribe a message to you and send you that message by SMS. Well, he loved all of it except the part that YouCallMD was using insecure SMS messages to send protected health information (PHI).

I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.

While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.

Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD and they wouldn’t put a doctor or institution at risk for violating HIPAA. Soon the day will come when doctors can send SMS like messages on their phones in a secure way and they won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and
compatible with standards required of federal agencies including the HIPAA Security
Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the
appropriate use, disclosure, and safeguarding of individually identifiable information,
which take into account stronger state and federal requirements, Constitutional rights to
health information privacy, and the fact that HIPAA is the “floor” for privacy protections
and was never intended to replace stronger ethical, or professional standards or “best
practices.”

BAA Requirement and Standardization: Consistent with prior OCR guidance, any
software company given access to protected health information by a HIPAA-covered
entity to perform a service for the covered entity is a business associate. Thus, as OCR
representatives have publicly stated on several occasions, a Business Associate
Agreement (BAA) is required between a cloud computing provider and any customer
entity that uses or discloses protected health information or de-identified health
information. It is imperative that these BAA standards promote the protection of privacy
and security of health information to ensure public trust in health IT systems and promote
quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements.  My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared.  If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry.  Maybe that’s a good thing, but it won’t be a pleasant one for some.

Disaster Planning, Horrors of Generic HIT Training, and Snap.MD: Around Healthcare Scene

Posted on November 25, 2012 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

EMR and HIPAA

Disaster Planning and HIPAA

Unfortunately, it appears that far too many healthcare providers don’t follow this rule. There aren’t very many that even have an emergency plan in place. However, this will soon need to be remedied. HIPAA security general rules state that not only must a patient’s privacy be protected, but the ePHI is available at all times — even in the case of an emergency. All healthcare providers, regardless of size, will need to implement some kind of disaster planning, regardless of their situation, in order to be in compliance with these regulations.

EMR Add-On’s that Provide Physician Benefit

MedCPU is a part of the inaugural NYC Digitial Health Accelerator class. They have developed a new concept that will likely to very helpful to many. It analyzes free text notes and structured data, and checks for compliance with rules and to identify any deviances. The company described one hospital using the services the company provides as a benefit given to doctors who use EHR. This is just one of many add-ons available, but some are seeing them to be a large reason why some doctors want to adopt EMRs.

Hospital EMR and EHR

Video: The Horrors of Generic HIT Training

Need a break from the day-to-day monotony? Be sure to check at this video on the horrors of generic HIT Training. It “offers a wry take on what happens when EMR training isn’t relevant for the doctor who’s getting the training. In this case, we witness the plight of a heart surgeon who’s forced through a discussion on primary care functions that she neither wants nor needs.”

Study: EMR ROI Stronger In Low-Income Setting

A recent study revealed something interesting. Hospitals in low-income areas actually may have a decent return on investment when an EMR is integrated. Three different areas were looked at and analyzed, and it was found that after five years of having an EMR, the hospital examined had a net benefit of over $600,000. Not all hospitals will benefit this much, but it’s encouraging to see more EMR success stories popping up.

Smart Phone Healthcare

Get Peace of Mind and Avoid the ER With Snap.MD

It’s the middle of the night, and your child breaks out in a rash all of his or her body. The doctor’s office doesn’t have middle of the night, on-call doctors, so the only option is the ER, right? Maybe not for long. Snap.MD, a new telemedicine system, may help parents decide if the Emergency Room is the best course of action. Parents of pediatric patients are connected to physician, who will help evaluate the situation via video conferencing.

Our Health Privacy Paranoia

Posted on November 21, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Katherine’s recent post on using EMR data to Market to patients got a lot of really interesting discussion about how this data should be used and if it’s ok to use the EMR data for marketing. The majority of comments were quite scared of the idea of EMR data being used for marketing. Most saw that their could be benefits, but saw it as a slippery slope and we should be careful going down that path. Most wanted an opportunity to opt out from such a policy.

Mark H. Davis offered a little different view in his comment about the need for privacy in this and other healthcare situations. Here’s what Mark said:

And now for a slightly different take…

I have no issues with my hospital using its knowledge of my health situation to provide me with targeted opportunities that might be beneficial. I see it as potentially a positive and proactive outreach. They will need to be sensitive in doing this, however, but in my region, the hospital system is pretty tightly woven into the community, anyhow, and would be rather affected by any backlash. And honestly, sometimes I feel like we make an overblown fuss about health data privacy just because everybody else is making a fuss about it, without stepping back and examining the actual impacts. For example, my mailman, with only slight observation, could easily deduce the health issues my wife, children and I have been treated for. The folks behind me in line at the drug store could do the same. Even most doctor’s offices I visit do a poor job of protecting privacy within the office itself. Just last week, I had to forcibly ignore the conversation taking place in an adjacent examination room. It was easily audible. Anyone who signs in at their PCP can see who has checked in earlier, for what doctor, for what time. Anyone who signs the pharmacist waiver form at the CVS can see who has signed in front of them. The prevalence of OTC meds makes it easier to tell what your fellow shoppers’ ailments are just by looking at their shopping cart. And somehow, we still co-exist. I’m not saying we shouldn’t protect ourselves against a massive data breach that could have dire consequences in the form of identity theft and other fallout. I’m just asking everyone to be honest about how serious they really are about privacy. It’s easy to pick on a hospital system without recognizing other areas where we turn a blind eye.

Mark does a great job articulating how many healthcare situations expose our healthcare data without any major issues. Yet, people tend to get far more worked up over the potential idea of an EMR data breach.

Certainly I’m not advocating for reckless behavior when it comes to healthcare data and securing it properly. We need to make a thoughtful effort to ensure that patient data is kept secure and private. However, let’s be reasonable in our expectations about what’s possible and reasonable.

Clinical Data Access, New Open Source EHR, and Striiv – Around Healthcare Scene

Posted on October 28, 2012 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Hospital EMR and EHR

Call Me Maybe at #CHIME12

One of the most popular songs among teens recently is “Call Me Maybe.” Well, at CHIME 2012, a music video of this song was created, featuring many of the participants in #CHIME12. It’s a fun little video, and the song sure is catchy.

Senators Join Initiative to Scrutinize Meaningful Use

After four GOP leaders have demanded that HHS Katherine Sebilus account for “failures” they found with Meaningful Use. Recently, a few senators have joined in the fight as well. Several questions were raised about EMRs, Medicare, and Meaningful Use. Is this the push that was needed in order to get Congress interested in the future of EMRs?

EMR and HIPAA
SXSW Accelerator Event for Health Startups

SXSW has long been known as an amazing music, film and now IT event. In fact, many people laud the event as a great place where creative people from all industries come together. This year SXSW has a whole health IT campus and a section of their Startup Accelerator competition that’s just devoted to healthcare IT startups. It will be a great place for healthcare IT to mix with the rest of the IT startup world. Plus, I expect a number of very interesting health IT companies to launch in the SXSW accelerator.

Access to Clinical Data Too Easy Via Phone

Most doctor’s offices will verify information by asking for a name and birthdate. However, this system could easily be compromised. Is there a better way to verify this type of information, before discussing medical issues? This post talks about different ideas, and how patient portals might be the solution.

New Open Source (Free) EHR Offering Developed by A Doctor

A new open source EHR is about to be released. And it was developed by a physician. Michael Chen, MD,  the doctor behind it, was interviewed on EMR and HIPAA. He discusses why he wanted to create an open source EHR, future plans, and any challenges that might be associated with it in this post.

Happy EMR Doctor

EMR Use Improves Primary Care: New Study

While there has been some debate about if EMR improves patient care, a recent study indicates that it does; at least in some health specialties. Over 7000 patients with coronary artery disease and diabetes were studied over the course of nine months, and the results ruled in the favor of EMRs. Dr. Michael West has found in his own personal observations, EMR does indeed improve patient care as well.

Smart Phone and Health Care

Five Challenges of mHealth

While mHealth has many advantages and has improved health care in many ways, there have been some challenges that have come about. These challenges include privacy, data security, and funding.

Striiv Ups the Standard for Pedometers — Games, Challenges, and Charity Incorporated

A new generation for the classic pedometer has been created. Striiv recently released a $99 pedometer that really gives the old kind a makeover. It incorporates fitness games, goals, and a charity to convince people to get walking. For those that don’t want to spend $99 on a pedometer, the (free) mobile app is available for the iPhone, and has a lot of the same functions.

HIMSS Pushes For National Patient Identifier System

Posted on October 2, 2012 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

Well, here’s some trade organization efforts that aren’t just a lot of smoke and mirrors and self-interest. Apparently, HIMSS is pushing Congress hard to establish a national patient identifier system usable for sharing digital records between facilities.

HIMSS execs estimate that as many as 14 percent of all medical records include wrong, potentially dangerous information due to patient misidentification, a problem which is likely to get worse as more systems transition data from paper to EMRs, according to a story in InformationWeek magazine.

As if that wasn’t bad enough, HIMSS says, when organizations begin to share data under Meaningful Use Stage 2, the problem is likely to get much worse. (And doesn’t a system that makes mismatches and lost data likely more or less completely defeat the purpose of setting up HIEs in the first place?)

In reality, a single patient identifier won’t do the job on its own. In fact, it could contribute to errors of its own, HIMSS notes, so adding biometrics and probabilistic matching records will be necessary to really get things right. But getting moving on the identifier is a start.

To get things standardized, HIMSS would like to see Congress request a report from the Government Accountability Office on the subject to help legislators better understand the issues. (They got so far as getting the House to file a resolution in support of the concept last year, but no further.)  HIMSS has since been working with other associations, think tanks, CMS and ONC to raise awareness of the issue.

To get what it wants, HIMSS will have to convince Congress to change existing law, reports InformationWeek. Since 1999, it’s been illegal to establish such an identifier, as Congress apparently felt the public would view it as a privacy risk.

EMR Security, Afghanistan EMR, and Regina Holliday EMR Video

Posted on August 26, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time once again for our roundup of interesting tweets from around the EMR twittersphere. We really go around the world with one of these tweets. Hopefully you find them useful and interesting.

I don’t think most of you know that I’m also working on a redesign of my websites. It’s still got a little ways to go, but I think it’s coming together nicely. It’s going to add some features I’ve wanted for a while and make the design look a lot better. I’ve had the current design for more than 6 years, so it was time. One of the best features of the new website is Twitter embeds. I can’t wait!

Without further ado, a few EMR and health IT tweets with some of my own commentary:


I always love when people talk about the huge EMR security risk. When you look at the breach list and the healthcare data security issues, EMR barely shows up. There are so many other security issues with medical practices that are much more vulnerable. Not that we should give EMR security a pass, but EMR security is likely one of the most secure things in a medical office. So, this is good advice.


I always love to hear how the military uses EMR. They use EMR in some of the most challenging places imaginable. I think we can learn a lot from their experiences.


I think this is a really interesting contest by ONC. I’m looking forward to see more of the videos that are created. My fear is that most of the videos will be EHR companies that push their power EMR users to make something. We’ll see how it turns out.

New App Allows For HIPAA-Compliant Group Texting by Clinicians

Posted on June 11, 2012 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

John wrote previously on EMR and HIPAA about the need for HIPAA Secure Texting and a company he’s advising that does secure text messaging called docBeat.

Well, another new app called Medigram is being tested which will allow clinicians to send HIPAA-compliant text messages within a defined group. The app is currently in closed beta with docs at Stanford Hospital, Lucille Packard Children’s Hospital and the Palo Alto VA Hospital, according to iMedicalApps.com.

According to the company, Medigram meets not only HIPAA requirements but also privacy/security provisions in Subtitle D of HITECH.  It does so, in part, by using SSL connections between mobile apps and its servers, as well as NIST-approved 256-bit AES encryption to secure chat data.

Secure texting certainly seems like a good idea, given how mobile-friendly this generation of clinicians has turned out to be.  And it’s hard to argue Medigram’s core pitch, which is that texting is far more interactive than a pager. Given that a surprisingly large number of doctors still use pagers, improving on the model seems like a good thing.

My theory is that the app, if otherwise usable and bug-free, will be a big hit during its beta. If so, I expect to see HIPAA-compliant instant messaging turn up next. Smaller, presumably agile companies specializing in B2B messaging — such as HipChat, Trumpia and 24im — are logical candidates to develop such a utility. (This article outlines several other enterprise IM firms, just in case you want to dig deeper.)

Of course, there’s also Google and Microsoft, both of which have large IM bases. Perhaps creating a secure version of an existing product (such as Messenger) will be less of a marketing challenge than say, HealthVault.

Regardless, I’ll be quite interested to find out how the beta turns out — I’ll keep you posted. Meanwhile, here’s a video in which Medigram describes its product.