
Healthcare Orgs Must Do Better With Mobile Data Security Education

Posted on November 15, 2016 | Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

A new study finds that while most healthcare professionals use mobile messaging at work, many aren’t sure what their organization’s mobile messaging policies are, and a large number have transmitted Protected Health Information via insecure channels. In other words, it seems that health IT leaders still have a lot of work to do in locking down these channels.

According to a report by Scrypt, 65% of health professionals who use a mobile device at work also use the same device for personal use, the standard BYOD compromise that still gives healthcare CIOs the willies. Underscoring the security risks, 52% of respondents said that they had free rein over which applications they downloaded and used at work.

To be fair, virtually all respondents (96%) use at least one security method to protect their mobile device. However, a single factor, usually a passcode or PIN, only guards the lock screen; it does nothing to control what a messaging app does with PHI once the device is unlocked, and on its own it may not be enough for data this sensitive.

The research also blows the whistle on the frequency with which health professionals share PHI using mobile messaging clients (not surprisingly, given that the vendor sells a secure mobile messaging solution). It notes that just a quarter of those who reported using mobile messages use a secure client, and that one in five have sent or received PHI via mobile message, with names (24%), telephone numbers (19%) and email addresses (13%) included in the content.

Researchers found that 78% of healthcare professionals use mobile messaging at work. However, few understand how their organizations expect them to use these services. Fifty-two percent of respondents who use mobile messaging said they didn’t know or weren’t sure of what their organization’s policies were on the subject.

Showing some awareness of data security vulnerabilities, 56% of the survey respondents said they believe the organization could do more to educate employees on the rules around sharing PHI and HIPAA compliance. On the other hand, it seems like most consider this to be everybody else’s problem, as 80% of respondents reported that their own knowledge of HIPAA compliance was either good or very good.

Clearly, as self-serving as the vendor’s conclusion is, they’re onto something important. Not only are CIOs facing huge challenges in establishing a smart BYOD policy, they’re confronted with a major educational problem when it comes to sharing of PHI. While the professionals on their team may have been handed a mobile policy, they may not have absorbed it. And if they haven’t been given a policy, you have to be conservative and assume they’re not doing a great job protecting data on their own.

If nothing else, healthcare organizations can remind their staff members to be careful when texting at work – heck, why not text them the reminder so it’s in context? Bottom line, even highly intelligent and educated team members can succumb to habit and transmit PHI. So a nudge never hurts!

What Does Direct Messaging Look Like for MU2?

Posted on June 11, 2014 | Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that's part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

I’m often asked what EHR integrations of Direct are supposed to look like.  In the simplest sense, I liken it to a Share button and suggest that such a button—typically labeled “Transmit”—be placed in context near the CCDA that’s the target of the transmit action, or in a workflow-friendly spot on a patient record screen.

Figure: Send a CCD using Direct messaging in OpenEMR

The receive side is similarly intuitive: the practice classifies how their incoming records are managed today and we map that process to one or more Direct addresses.  If we get stuck, I ask, “What is the workflow for faxes today–how many fax numbers are there, and how are they allocated?”  This usually helps clear things up:  as a starting point, a Direct address can be assigned to replace each fax endpoint.

The address structure raises an important question, because it is tightly tied to the Direct messaging user interface.  Should there be a Direct address for every EHR user?  Provider?  Department? Organization?  A separate address for the patient portal?  A patient portal that spans multiple provider organizations? One for every patient?

The rules around counting Direct messages for Transitions of Care (ToC) attestation do not require each provider to have their own Direct address, as long as the EHR can count transactions correctly for attestation.  As far as meaningful use is concerned, any reasonable address assignment method should be acceptable in ToC use cases (check the rules themselves, for full details).  Here are some examples. is clearly an address that could be shared by multiple users, though it could be used by just one person, and might be used for both transitions of care and patient portal transmit. could also be dual-purpose.  Jane might be the only authorized user of this address, or this address may be managed by a group of people at her practice that does not necessarily even include Jane.  Alternatively, this address could be used for Jane’s ToC transactions, while a address could be used for patient portal transmit.

So, any of the options proposed above are possible conventions for assigning Direct addresses.  Also, a patient does not need their own Direct address to Transmit from as part of the View, Download, Transmit measure (170.314(e)(1)), but might have their own address to transmit to.  Note that adding a little extra data can elevate a View, Download, Transmit implementation to BlueButton+ status.

It makes sense for patients and providers to have their own Direct addresses if they are using Direct for Secure Messaging – 170.314(e)(3) – for which Direct is an optional solution.  Or, if patients have their own Personal Health Record (PHR) and Direct address, Direct is a great way to deliver data to the PHR.  Incidentally, there are free services such as Microsoft HealthVault and many others that issue patient Direct addresses.

Direct addresses are nearly indistinguishable from regular email addresses, but a word of caution: Direct is incompatible with regular email. Every Direct message must be S/MIME signed and encrypted, and Direct has additional requirements beyond traditional S/MIME, so you cannot reach a Direct address from an ordinary mail client, and a Direct endpoint will not accept ordinary mail. Although it’s not a requirement, you’ll often find the word “direct” somewhere in the domain part of a Direct address, to help distinguish a regular email address from a Direct address.
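As an added example (not code from the original post, and not EMR Direct or phiMail code), here is what the “incompatible with regular email” point looks like at the wire level for an inbound gateway. Direct requires the outermost body of a message to be an S/MIME enveloped (encrypted) payload, so a gateway can refuse plain text and merely signed mail before it looks at any content; the three sample messages below are constructed, and the decryption, signature and trust-anchor checks that follow an accepted message are assumed to happen elsewhere and are not shown.

```python
"""Inbound triage for a Direct gateway: accept only S/MIME enveloped messages.

Added example, not EMR Direct / phiMail code. Direct requires every message to
be S/MIME signed and then encrypted, so the outermost body of a valid Direct
message is application/pkcs7-mime with smime-type=enveloped-data. Assumed
policy here: anything else is ordinary e-mail and is refused, so PHI is never
accepted over an unencrypted channel. Nothing is decrypted in this step.
"""
from email import message_from_bytes
from email.message import Message

# Constructed sample messages (fake domains, no real PHI, no real certificates).
ENVELOPED = (
    b"From: jane@direct.example-clinic.org\r\n"
    b"To: intake@direct.example-hospital.org\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data; "
    b"name=\"smime.p7m\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\r\n"  # placeholder CMS bytes
)

SIGNED_ONLY = (
    b"From: jane@direct.example-clinic.org\r\n"
    b"To: intake@direct.example-hospital.org\r\n"
    b"Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; "
    b"micalg=sha-256; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nPatient summary attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-signature; name=\"smime.p7s\"\r\n\r\n"
    b"MIAGCSqGSIb3DQEHAqCA\r\n"  # placeholder signature bytes
    b"--b1--\r\n"
)

PLAIN = (
    b"From: someone@mail.example\r\n"
    b"To: intake@direct.example-hospital.org\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Here is the CCD for the patient we discussed.\r\n"
)


def classify(raw: bytes) -> str:
    """Classify a raw message by its outermost Content-Type only."""
    msg: Message = message_from_bytes(raw)
    ctype = msg.get_content_type()  # normalised to lowercase by the email module
    if ctype == "application/pkcs7-mime":
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "direct-enveloped"      # encrypted: the only acceptable outer form
        if smime_type == "signed-data":
            return "signed-not-encrypted"  # opaque-signed but readable in transit
        return "unknown-smime"
    if ctype == "multipart/signed":
        return "signed-not-encrypted"      # clear-signed: body travels in plaintext
    return "plain-email"


def accept_for_direct(raw: bytes) -> bool:
    """Gateway policy: only enveloped messages go on to decryption and trust checks."""
    return classify(raw) == "direct-enveloped"


if __name__ == "__main__":
    for name, sample in (("enveloped", ENVELOPED),
                         ("signed-only", SIGNED_ONLY),
                         ("plain", PLAIN)):
        verdict = "accept" if accept_for_direct(sample) else "reject"
        print(f"{name}: {classify(sample)} -> {verdict}")
```

The check is deliberately shallow: it establishes the envelope is present before any certificate work is done. A real gateway then decrypts with the recipient domain’s private key, verifies the inner signature, and checks that the signer’s certificate chains to a trust anchor it accepts; none of that is possible for mail sent from an ordinary client, which is exactly why a Direct address cannot be treated as just another email address.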

Now that you know what Direct is, and what Direct Messaging and Direct addresses look like, I’m sure you’ll start noticing Direct popping up in more and more places.  So, be a not-so-early adopter and go get yourself a Direct address!

Texas Law Amps Up HIPAA Penalties

Posted on September 10, 2012 | Written By

Anne Zieger

Providers in every state must meet HIPAA standards, but alas, that may not be all in some states, which are permitted to institute stiffer requirements than the feds.  Such is the case in Texas, where a new state privacy law has gone into effect which asks a lot more of physicians and some other providers.

Texas has toughened up requirements in several areas, including the following:

* Covered entities:  HIPAA offers a fairly specific definition of covered entities, but the Texas law takes things much further, extending the rule to cover a wide range of people who handle PHI. This may include business associates, healthcare payers, government units, schools, facilities, providers, researchers and physicians, reports John Wisniewski, CEO of the Bexar County Medical Society.

* EMR data requests:  Requests for electronic medical records by Texans must be fulfilled within 15 days of a written query. This new rule, which brings EMR requests up to the existing standard for paper records, is tougher than HIPAA’s 30-day requirement.

* Stricter training:  The new law imposes tougher training requirements regarding privacy issues — including customized training regarding maintenance and protection of electronic PHI — and penalties for violations are ramped up under the new law. Covered entities must set deadlines for the completion of such training, and maintain records of completing such training, which is required every two years.

* Any PHI breach must be reported:  Any entity that experiences a breach of PHI must notify the affected individuals. This applies to any business handling such information, not just to covered entities as defined by the new statute.

I understand that providers must find it frustrating to have additional requirements slapped on them.  However, none of these strike me as insane, though the broadening of covered entities to include such a large group could lead to trouble, perhaps. What do you think?