
EMR and Privacy

Posted on November 20, 2013 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve recently engaged Dr. Deborah Peel, Founder of the Patient Privacy Rights organization, in a number of really interesting discussions around patient privacy. For those who aren’t familiar with Dr. Peel, she’s the most passionate patient privacy advocate in the world. While I don’t always agree with Dr. Peel’s views on patient privacy, I always love to hear what she has to say and I think we need more people like her in healthcare to make the case for something they think is really important.

With this said, Dr. Peel recently told me about a Wall Street Journal Experts chat she was on where they discussed EMR and privacy. You can see the video embedded below (Dr. Salwitz had sound issues, so after the intro you might want to skip to 4 minutes):

Dr. Peel also told me about an ONC event that she’ll be attending to talk about a really important topic: Patient IDs. When you’re talking privacy, the patient ID discussion is a very important one. Here’s the info if this is a discussion that you think is important. Plus, if enough people register, they’ll stream the event for everyone to watch online.

The Office of the National Coordinator for Health Information Technology (ONC) invites organizations with an interest in improving the accuracy of electronic patient identification and matching to attend a meeting in Washington, D.C. on December 16, 2013.
The Patient Matching Stakeholder Meeting will be held from 10:00 a.m. – 3:30 p.m. at Patriot Plaza III, 355 E Street, SW, Washington, D.C. 20024.
Registration is now open –

The agenda will include:
– Updates on the recent industry environmental scan on patient identification and matching, conducted by Audacious Inquiry on behalf of ONC;
– Sharing of initial recommendations for improving patient matching rates, derived from input from a wide range of stakeholders;
– Interactive discussions around emerging ideas to improve the processes of data collection, data validation, and other ways to help ensure accurate patient identification and matching, as electronic exchange of health information increases across the country; and
– Opportunities for all sectors to provide further feedback, including: large and small health care organizations, software and hardware health IT vendors, federal agencies, patient safety and privacy advocates, associations, and state and regional health information organizations.

We are exploring the possibility of providing webinar/videoconferencing capabilities to expand participation. Please register now, even if you plan to attend remotely, and we will follow up with more information.

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 I Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and compatible with standards required of federal agencies including the HIPAA Security Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the appropriate use, disclosure, and safeguarding of individually identifiable information, which take into account stronger state and federal requirements, Constitutional rights to health information privacy, and the fact that HIPAA is the “floor” for privacy protections and was never intended to replace stronger ethical, or professional standards or “best

BAA Requirement and Standardization: Consistent with prior OCR guidance, any software company given access to protected health information by a HIPAA-covered entity to perform a service for the covered entity is a business associate. Thus, as OCR representatives have publicly stated on several occasions, a Business Associate Agreement (BAA) is required between a cloud computing provider and any customer entity that uses or discloses protected health information or de-identified health information. It is imperative that these BAA standards promote the protection of privacy and security of health information to ensure public trust in health IT systems and promote quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements.  My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared.  If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry.  Maybe that’s a good thing, but it won’t be a pleasant one for some.