Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

USAA Tapping EHR To Gather Data From Life Insurance Applicants

Posted on August 10, 2017 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

I can’t believe I missed this. Apparently, financial giant USAA announced earlier this year that it’s collecting health data from life insurance applicants by interfacing with patient portals. While it may not be the first life insurer to do so, I haven’t been able to find any others, which makes this pretty interesting.

Usually, when someone applies for life insurance, they have to produce medical records which support their application. (We wouldn’t want someone to buy a policy and pop off the next day, would we?) In the past, applicants have had to push their providers to send medical records to the insurer. As anyone who’s tried to get health records for themselves knows, getting this done can be challenging and is likely to slow down policy approvals.

Thanks to USAA’s new technology implementation, however, the process is much simpler. The new offering, which is available to applicants at the Department of Veterans Affairs and Department of Defense, allows consumers to deliver their health data directly to the insurer via their patient portal.

To make this possible, USAA worked with Cerner on EHR retrieval technology. The technology, known as HealtheHistory, supports health data collection,  encrypts data transmission and limits access to EHR data to approved persons. No word yet as to whether Cerner has struck similar deals elsewhere but it wouldn’t surprise me.

USAA’s new EHR-based approach has paid off nicely. The life insurer has seen an average 30-day reduction in the time it takes to acquire health records for applicants, and though it doesn’t say what the average was back in the days of paper records, I assume that this is a big improvement.

And now on to the less attractive aspects of this deal. I don’t know about you, but I see a couple of red flags here.

First, while life insurers may know how to capture health data, I doubt they’re cognizant of HIPAA nuances. Even if they hire a truckload of HIPAA experts, they don’t have much context for maintaining HIPAA compliance. What’s more, they rarely if ever have to look a patient in the face, which serves as something of a natural deterrent to provider data carelessness.

Also, given the industry’s track record, is it really a good idea to give a life insurer that much data? For example, consider the case of a healthy 36-year-old woman with no current medical issues who was denied coverage because she had the BRCA 1 gene. That gene, as some readers may know, is associated with an increased risk of breast and ovarian cancer.

The life insurer apparently found out about the woman’s makeup as part of the application process, which included queries about genetic information. Apparently, the woman had had such testing, and as a result had to disclose it or risk being accused of fraud.

While the insurer in question may have the right, legally, to make such decisions, their doing so falls into a gray area ethically. What’s more, things would get foggier if, say, it decided to share such information with a sister health insurance division. Doing so may not be legal but I can easily see it happening.

Should someone’s genes be used to exclude them life or health insurance? Bar them from being approved for a mortgage from another sister company? Can insurers be trusted to meet HIPAA standards for use of PHI? It’ll be important to address such questions before we throw our weight behind open health data sharing with companies like USAA.

What Are You Doing To Protect Your Organization Against Your Biggest Security Threat? People

Posted on July 28, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


This was a great tweet coming out of the HIM Summit that’s run by HealthPort. I agree with the comment 100%. Sure, we see lots of large HIPAA breaches that make all the news. However, I bet if we looked at the total number of breaches (as opposed to patient records breached), the top problem would likely be due to the people in an organization. Plus, they’re the breaches that are often hardest to track.

What’s the key to solving the people risk when it comes to privacy and security in your organization? I’d start with making security a priority in your organization. Many healthcare organizations I’ve seen only pay lip service to privacy and security. I call it the “just enough” approach to HIPAA compliance. The antithesis of that is a healthcare organization that’s create a culture of compliance and security.

Once you have this desire for security and privacy in your organization, you then need to promote that culture across every member of your organization. It’s not enough to put that on your chief security officer, chief privacy officer, or HIPAA compliance officer. Certainly those people should be advocating for strong security and privacy policies and procedures, but one voice can’t be a culture of compliance and security. Everyone needs to participate in making sure that healthcare data is protected. You’re only as strong as your weakest link.

One of the attendees at the session commented that she’d emailed her chief security officer about some possible security and compliance issues and the chief security officer replied with a polite request about why this HIM manager cared and that the HIM manager should just let her do her job. Obviously I’m summarizing, but this response is not a surprise. People are often protective of their job and afraid of comments that might be considered as a black mark on the work they’re doing. While understandable, this illustrates an organization that hasn’t created a culture of security and compliance across their organization.

The better response to these questions would be for the chief security officer to reply with what they’ve done and to outline ways that they could do better or the reasons that their organization doesn’t have the ability to do more. The HIM manager should be thanked for taking an interest in security and compliance as opposed to being shot down when the questions are raised. It takes everyone on board to ensure compliance and security in a healthcare organization. Burning bridges with people who take an interest in the topic is a great way to poison the culture.

Those are a few suggestions about where to start. It’s not easy work. Changing a culture never is, but it’s a worthwhile endeavor. Plus, this work is a lot better than dealing with the damaged reputation after a security breach.

The Evolving Security and Privacy Discussion

Posted on April 1, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HIMSS put out the great tweet above. The image itself is worthy of a laugh. Although, only a partial laugh since in healthcare many people don’t understand that a password doesn’t mean it’s encrypted. Plus, that’s just emblematic of how elementary healthcare’s implementation of security is in most healthcare organizations.

Yes, there are the outlier organizations and there are even the outlier security and privacy individuals within a large organization. However, on the whole healthcare is not secure. The hard thing is that it’s not because of bad intentions. Almost everyone I’ve met in healthcare really want to ensure the privacy and security of health information. However, there’s a general lack of understanding of what’s needed.

With that said, I have seen a greater focus on privacy and security in healthcare than I’ve ever seen before. HIMSS featuring so many sessions is just one indicator of that increased interest in the topic. It’s hard to ignore when every other day some major corporation inside and outside of healthcare is getting breached.

One of the biggest security holes in healthcare is business associates. Most don’t have a real understanding of how to be HIPAA compliant and that’s a massive risk for the healthcare organization and the business associate. That’s why I’m excited that people who get it like Mike Semel are offering HIPAA Compliance training for business associates. Doing HIPAA compliance right is not cheap, but it’s cheaper than getting caught in a breach.

Personally, I’ve seen a whole wave of HIPAA compliance products and services coming out. In fact, I’m looking at creating a feature on EMR and HIPAA which lists all of the various companies involved in the space. I’m sure I’ll hear a lot of discussion around this topic at HIMSS.

How To Respond to Data Breaches

Posted on May 19, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

Windows XP Is No Longer HIPAA Compliant

Posted on April 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any numbers on the number of PCs out there that are still running XP. Here was their response (Note: These are general numbers and not healthcare specific)

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (number vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.

I’ve heard some people make some cases for why Windows XP might not be considered a HIPAA violation if it was a standalone system that’s not connected to a network or if it was in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in and may or may not pass the audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.

HIPAA and ICD-10 Courses

Posted on October 11, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One of the real telling things I learned this week as I traveled to the MGMA Annual Conference and then the CHIME Fall Forum was how unprepared organizations are for ICD-10 and HIPAA Omnibus. It was amazing the stories I heard and I’m sure these will be topics I write about much more in the future.

One of the stories I heard was a medical practice who was asked if they were ready for ICD-10. The practice said that they were ready. Then, they were asked what they’d done to prepare for ICD-10. Their response was that their vendor said that they were ready for ICD-10.

We could really dig in to reasons why that practice might want to verify that their EHR vendor is really ready, but we’ll save that for future posts. What was amazing to me was that this practice thought they didn’t need to do anything to train their doctors and coders on ICD-10 to be ready for the change. They’re in for a rude awakening.

At a minimum, these organizations should look at a course like the Certificate of ICD-10-CM Coding Proficiency (20% discount if you use that link and discount code). The course looks at the key changes in coding with the implementation of ICD-10. Plus, it’s a course that looks to bridge your ICD-9 knowledge to ICD-10. Once you start digging into this content, you realize why your organization better have some ICD-10 training or you’re organization will suffer.

The same applies to HIPAA. So many people don’t realize (or remember) that as part of HIPAA compliance you need to have regular HIPAA training for your staff. This is particularly true with all of the changes that came with HIPAA omnibus. How many in your organization know the details of the changes under HIPAA omnibus?

An online courses like the Certified HIPAA Security Professional are such a great option since you can work on them when you have time and come back to them later while helping to protect you against a HIPAA audit. Plus, the course linked above includes a HIPAA “Business Associate Agreement” downloadable template which I’m quite sure many organizations still need. I recently asked a doctor’s office I was working with for their EHR business associate agreement. They told me they didn’t have one (more on that in future posts). Really? Wow!

Certainly each of these courses and training take some commitment to complete. Although, when your colleagues ICD-10 reimbursement becomes an issue or the HIPAA auditor knocks on your door, you’ll sleep much better knowing you’ve made the investment. Those who don’t will likely pay for it later.

HIPAA Compliance Audits Underway

Posted on January 9, 2012 I Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
– 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
– The focus this year is on covered entities, not on their business associates.
– OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
– Adam Greene, the blogger who broke this news first on his blog has some interesting details about the organizations. It seems as if 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” This translates to 30% of the initial list.
– Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3-10 business days.

Having been in charge of Sarbanes Oxley audits at my last place of work, I know first hand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”

Which probably is some solace for the organizations that are currently being audited. Hopefully at the end of this exercise, OCR will have a good idea of where the major weaknesses are, where it wants organizations to be at, and help them get there.