
5 Tips for HIPAA Compliance

Posted on November 20, 2017 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Planet HIPAA had a good article that shared 5 tips for an effective HIPAA program. The reality is that HIPAA is a fairly flexible framework that in many cases leaves room for interpretation by the medical practice. Many of the Security Rule's implementation specifications are "addressable": the practice documents its risk analysis and chooses reasonable and appropriate safeguards rather than working through a fixed checklist. There are exceptions, but HIPAA is generally about reducing risk rather than strict, itemized compliance. That's reflected in this list of 5 tips from Planet HIPAA:

1. Conduct a Risk Assessment/Analysis

2. Create, Review and/or Update all HIPAA policies and procedures

3. Provide Workforce HIPAA Education

4. Conduct regular HIPAA Audits

5. Use Security Technologies

Most of the items on the list aren’t rocket science. However, my guess is that most medical practices will go through this list and realize that they have work to do. Whether it’s not doing a HIPAA risk assessment regularly (yes, sadly this still happens), or whether it’s not documenting or training, most practices will have something they could improve when it comes to HIPAA compliance. How’s your practice doing? My guess is you know where you’re lacking.

My favorite tip on this list was to use security technologies. HIPAA contains some genuinely useful elements that help a practice protect PHI, but HIPAA compliance is not the same as being secure. The Security Rule is deliberately technology-neutral and sets a floor; it does not spell out the specifics (patching, endpoint protection, backups that have actually been restored, network segmentation) that decide whether a practice survives the malware, ransomware, viruses, and other online threats hitting its IT infrastructure from every angle. HIPAA is required by law, but security beyond HIPAA is required to avoid a cybersecurity disaster in your organization.

The sad reality for many small practices is that they aren’t keeping up with the HIPAA requirements. This was illustrated by this story from Dr. Jayne:

One of my friends admitted that she had her work laptop stolen and didn’t report it to anyone despite it containing protected health information. That sort of thing is one of the perks (or hazards, depending on how you look at it) of owning your own practice and not fully understanding the huge number of laws that impact our practices. At least she realized after attending the conference that she should have taken additional action.

Dr. Jayne captured how many small practices feel when she described the "perks (or hazards, depending on how you look at it)" of owning your own practice. Ignorance is bliss until you're stuck on the front page of the paper or in some lawsuit. Whether that stolen laptop was a reportable breach comes down to one question: was the disk encrypted? Under HHS guidance, PHI encrypted at rest in line with NIST SP 800-111 is not "unsecured PHI", so its loss does not trigger breach notification. An unencrypted laptop full of patient data does: notice to the affected individuals without unreasonable delay and no later than 60 days after discovery, and to HHS (at the same time when 500 or more individuals are affected, in an annual log when fewer are). Full-disk encryption on every laptop is one of the cheapest controls a practice can buy. I'll never forget the doctor who told me "They won't throw us all in jail." Maybe not, but they won't be afraid to send you all fines.

An ounce of prevention is worth a pound of cure. This seems quite appropriate when it comes to HIPAA and security in a medical practice.

EMR Security, Afghanistan EMR, and Regina Holliday EMR Video

Posted on August 26, 2012 | Written by John Lynn


Time once again for our roundup of interesting tweets from around the EMR twittersphere. We really go around the world with one of these tweets. Hopefully you find them useful and interesting.

I don’t think most of you know that I’m also working on a redesign of my websites. It’s still got a little ways to go, but I think it’s coming together nicely. It’s going to add some features I’ve wanted for a while and make the design look a lot better. I’ve had the current design for more than 6 years, so it was time. One of the best features of the new website is Twitter embeds. I can’t wait!

Without further ado, a few EMR and health IT tweets with some of my own commentary:


I always love when people talk about the huge EMR security risk. When you look at the HHS breach list and the healthcare data security issues behind it, the EMR itself barely shows up; lost and stolen laptops and portable media, and paper records, account for far more incidents. There are so many other, more vulnerable parts of a medical practice. Not that we should give EMR security a pass, but the EMR is likely one of the better-protected systems in a medical office. So, this is good advice.


I always love to hear how the military uses EMR. They use EMR in some of the most challenging places imaginable. I think we can learn a lot from their experiences.


I think this is a really interesting contest by ONC. I'm looking forward to seeing more of the videos that are created. My fear is that most of the videos will come from EHR companies that push their power users to make something. We'll see how it turns out.

EMR Data and Privacy

Posted on November 21, 2011 | Written by Priya Ramachandran

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

From MinnPost.com, a post on Sen. Al Franken’s second hearing as chairman of the Senate Subcommittee on Privacy, Technology and the Law. Franken’s take was that federal agencies tasked with enforcing digital privacy are not doing so. While we might be aware on some subliminal level about the lack of enforcement, when presented in sheer numbers, the statistics are shocking.

According to the MinnPost article:

“In total, there have been 364 ‘major breaches’ of 18 million patients’ private data since 2009, Franken said. Meanwhile, enforcement of data privacy laws has been lax — out of the 22,500 complaints the Health and Human Services Department has received since 2003, it’s levied only one fine and reached monetary settlements in six others. Of the 495 cases referred to the Department of Justice, only 16 have been prosecuted.”

Here on the HHS website, you can see all the breaches affecting 500 or more people (sort by Breach Date to see recent ones). Even with all the rules around reporting, the lack of enforcement means hospitals and care organizations have little to lose from a breach beyond the notification itself. I'd be curious to know how fines and settlements are arrived at, and whether they are proportional to the amount of data stolen or lost. More importantly, I'd like to know what organizations do differently once a data theft has been identified; the worst outcome would be to pay the fine and continue with the same faulty processes that led to the breach in the first place.

Data Security in the Age of Self-logged Health

Posted on August 29, 2011 | Written by Priya Ramachandran


Over at EMR and EHR I have a post up about the self-logging trend, in which people log their medical and other observations on a regular basis. I'm fascinated by the trend, but as an IT person, I shudder at the data nightmares this movement will unleash if it becomes widespread.

Quantified Self, a major web hub for self-trackers, has posts on monitoring devices that can measure the vitals of people up to 10 meters away, and on pills with embedded microsensors that transmit data to your phone once ingested.

So if someone steals my smartphone, does it mean that not only can s/he spam-text all my friends, but s/he can access all my health logs and PHRs that only my HIPAA compliant provider’s office and EMR systems were supposed to get their hands on?

Indeed, a news story in Med City News says that physical theft, not hacking, is the major concern for mobile storage devices. It’s far easier to flick an iPhone lying on somebody’s desk than to devote the brain- or computing power needed to hack into an EHR system from a reputable vendor.

Med City News reports that during the period from 2009-2011, there were 116 cases of data breaches involving at least 500 patient records (breaches that exposed fewer than 500 records were not included). Physical loss of devices accounted for a whopping 60% of security breaches.
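To see what that Med City breakdown looks like when you compute it yourself from the HHS breach list, here is an added example (my code, not Med City News' or this blog's) that tallies a constructed sample in the shape of the portal's CSV export. The column names are my assumption about that export, and every row is fictional. The point it makes that the paragraph above does not: counting incidents and counting affected individuals give very different pictures. Lost and stolen devices dominate the incident count, while a single hacked server dominates the head count, so "60% of breaches" tells you which failure is most common, not which one exposes the most patients.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the HHS breach portal's CSV export.
# The header is my assumption about that export's column names, and every
# row is fictional, built only so the code below has something to run on.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Family Practice,MD,Healthcare Provider,1200,03/14/2011,Theft,Laptop,No
Example Urgent Care,GA,Healthcare Provider,4500,04/02/2011,Theft,Other Portable Electronic Device,No
Example Clinic Group,NY,Healthcare Provider,800,05/11/2011,Loss,Laptop,No
Example Home Health,OH,Healthcare Provider,2000,05/30/2011,"Theft, Loss",Other Portable Electronic Device,No
Example Dental,WA,Healthcare Provider,2500,06/15/2011,Theft,Desktop Computer,No
Example Pharmacy,AZ,Healthcare Provider,700,07/01/2011,Loss,Paper/Films,No
Example Health Plan,CA,Health Plan,380000,07/20/2011,Hacking/IT Incident,Network Server,Yes
Example Billing Co,FL,Business Associate,5200,08/01/2011,Improper Disposal,Paper/Films,Yes
Example Imaging Center,IL,Healthcare Provider,600,09/03/2011,Unauthorized Access/Disclosure,Electronic Medical Record,No
Example Hospital,TX,Healthcare Provider,1500,10/12/2011,Unauthorized Access/Disclosure,Email,No
"""

PHYSICAL_TYPES = {"Theft", "Loss"}


def parse_breaches(csv_text):
    """Turn the portal CSV into dicts with typed fields.

    'Type of Breach' can list several categories separated by commas
    (e.g. "Theft, Loss"), so it becomes a list; one incident then counts
    toward each category it names.
    """
    breaches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        breaches.append({
            "entity": row["Name of Covered Entity"],
            "affected": int(row["Individuals Affected"]),
            "submitted": datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y"),
            "types": [t.strip() for t in row["Type of Breach"].split(",") if t.strip()],
            "location": row["Location of Breached Information"].strip(),
        })
    return breaches


def is_physical(breach):
    """Lost or stolen hardware or paper, as opposed to hacking or misuse."""
    return bool(PHYSICAL_TYPES & set(breach["types"]))


def share_of_incidents(breaches, predicate):
    """Fraction of reported incidents matching predicate."""
    return sum(1 for b in breaches if predicate(b)) / len(breaches)


def share_of_individuals(breaches, predicate):
    """Fraction of affected individuals in incidents matching predicate."""
    total = sum(b["affected"] for b in breaches)
    return sum(b["affected"] for b in breaches if predicate(b)) / total


def breakdown(breaches, key):
    """Incident counts and affected-individual sums per category.

    key is "types" (multi-valued) or "location" (single-valued). For a
    multi-valued key the counts can sum to more than len(breaches).
    """
    counts, affected = Counter(), Counter()
    for b in breaches:
        cats = b[key] if isinstance(b[key], list) else [b[key]]
        for cat in cats:
            counts[cat] += 1
            affected[cat] += b["affected"]
    return counts, affected


def report(breaches):
    """Lines a reader would print: newest submission first, then the two shares."""
    lines = []
    for b in sorted(breaches, key=lambda b: b["submitted"], reverse=True):
        lines.append(f"{b['submitted']:%Y-%m-%d}  {b['affected']:>8,}  "
                     f"{'/'.join(b['types'])} via {b['location']}  ({b['entity']})")
    lines.append(f"physical loss/theft: {share_of_incidents(breaches, is_physical):.0%} of incidents, "
                 f"{share_of_individuals(breaches, is_physical):.1%} of individuals")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_breaches(SAMPLE_CSV))))
```

Run against the real export instead of the sample by reading the downloaded CSV into `parse_breaches`; the only format-specific assumptions are the header names and the MM/DD/YYYY date. On the sample, physical loss and theft are 6 of 10 incidents (the article's 60%) but under 3% of affected individuals, because the one hacked network server accounts for about 95% of the head count.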

As the Med City News piece notes:

HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

Think about how much more this problem will be compounded if health logging becomes the practice du jour.

Bottom line: Self-tracking may yet revolutionize healthcare, but could we as individuals jeopardize our own data security in the process? Possibly. It might be a fad among tech geeks, but it needs thinking through from an EMR/EHR perspective.