Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

Tips On Storing Patient Information In The Cloud

Posted on June 27, 2018 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

These days, it’s pretty much a given that providers will store some or all of their data in the cloud, i.e. off-site on a vendor’s servers.  For many providers, doing this is a good idea, as it allows them to avoid buying dedicated hardware or upgrade their own storage capacity.

That being said, all cloud vendors are not made equal, and it’s important to pick the right one. After all, providers can face dire consequences if their patient data is breached. Even if the vendor is at fault, providers will take most or all of the blame.

Before storing data on an outside service, it’s important to check them out carefully.  Here are some tips on evaluating vendors from David McHale of The Doctors Company:

  • Research the vendor’s security practices: Find out of they have a good reputation and strong security policies in place. Whatever time you put into the research is time well spent.
  • Make sure the vendor can handle all of your data: Bear in mind that many cloud services company charge by the amount of storage providers use, so being sure those costs are affordable is important. Also, providers should make sure the vendor can handle the amount of data they’d like to store.
  • Be sure that your data is encrypted at all times: Providers should see to it that their data is encrypted when being uploaded to or downloaded from the cloud. This includes ensuring that browsers or apps require an encrypted connection to the vendor’s server.
  • Patient data should be encrypted when stored in the cloud: Never store data protected by law in the cloud, such as medical information or personal identifiers, unless the stored data is encrypted. Also, don’t let anyone decrypt the data unless they are authorized to do so.
  • Learn how access is stored in your cloud folder: Cloud storage vendors often let providers share access to online folders stored on their servers. and it’s important to know how that sharing works. For example, find out whether data in the folder is read-only or whether users can edit the file, and whether managers can find out who last edited a file.
  • Prepare for the worst: Providers should know what they’ll do if their cloud vendor gets hacked or their data is lost. To find this out, they should read the “terms of service” provisions of their contract, which often states that users have little recourse if their data is breached or lost.

To be sure, cloud storage can be a great way for providers to save money on storage and see that their data is backed up offsite. However, it’s important they do their due diligence and see that the vendor will protect that data carefully.

5 Tips for HIPAA Compliance

Posted on November 20, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Planet HIPAA had this great article that shared 5 tips to ensure an effective HIPAA program. The reality is that HIPAA is a pretty flexible program that in many cases is open to some interpretation by the medical practice. There are exceptions, but HIPAA is generally about reducing risk as opposed to strict compliance. That’s reflected in this list of 5 tips from Planet HIPAA:

1. Conduct a Risk Assessment/Analysis

2. Create, Review and/or Update all HIPAA policies and procedures

3. Provide Workforce HIPAA Education

4. Conduct regular HIPAA Audits

5. Use Security Technologies

Most of the items on the list aren’t rocket science. However, my guess is that most medical practices will go through this list and realize that they have work to do. Whether it’s not doing a HIPAA risk assessment regularly (yes, sadly this still happens), or whether it’s not documenting or training, most practices will have something they could improve when it comes to HIPAA compliance. How’s your practice doing? My guess is you know where you’re lacking.

My favorite tip on this list was to use security technologies. HIPAA has some really good elements that help a practice protect PHI, but HIPAA does not equal secure. There is plenty more that a medical practice needs to do to ensure that their practice is secure and protected against the malware, ransomware, viruses, and other online threats that exist and are bombarding their IT infrastructure from every angle. HIPAA is required by law, but security beyond HIPAA is required to avoid a cybersecurity disaster in your organization.

The sad reality for many small practices is that they aren’t keeping up with the HIPAA requirements. This was illustrated by this story from Dr. Jayne:

One of my friends admitted that she had her work laptop stolen and didn’t report it to anyone despite it containing protected health information. That sort of thing is one of the perks (or hazards, depending on how you look at it) of owning your own practice and not fully understanding the huge number of laws that impact our practices. At least she realized after attending the conference that she should have taken additional action.

Dr. Jayne described most small medical practices’ feelings perfectly when she said the “perks (or hazards, depending on how you look at it)” of owning your own practice. Ignorance is bliss until you’re stuck on the front page of the paper or in some lawsuit. I’ll never forget the doctor who told me “They won’t throw us all in jail.” Maybe not, but they won’t be afraid to send you all fines.

An ounce of prevention is worth a pound of cure. This seems quite appropriate when it comes to HIPAA and security in a medical practice.

USAA Tapping EHR To Gather Data From Life Insurance Applicants

Posted on August 10, 2017 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

I can’t believe I missed this. Apparently, financial giant USAA announced earlier this year that it’s collecting health data from life insurance applicants by interfacing with patient portals. While it may not be the first life insurer to do so, I haven’t been able to find any others, which makes this pretty interesting.

Usually, when someone applies for life insurance, they have to produce medical records which support their application. (We wouldn’t want someone to buy a policy and pop off the next day, would we?) In the past, applicants have had to push their providers to send medical records to the insurer. As anyone who’s tried to get health records for themselves knows, getting this done can be challenging and is likely to slow down policy approvals.

Thanks to USAA’s new technology implementation, however, the process is much simpler. The new offering, which is available to applicants at the Department of Veterans Affairs and Department of Defense, allows consumers to deliver their health data directly to the insurer via their patient portal.

To make this possible, USAA worked with Cerner on EHR retrieval technology. The technology, known as HealtheHistory, supports health data collection,  encrypts data transmission and limits access to EHR data to approved persons. No word yet as to whether Cerner has struck similar deals elsewhere but it wouldn’t surprise me.

USAA’s new EHR-based approach has paid off nicely. The life insurer has seen an average 30-day reduction in the time it takes to acquire health records for applicants, and though it doesn’t say what the average was back in the days of paper records, I assume that this is a big improvement.

And now on to the less attractive aspects of this deal. I don’t know about you, but I see a couple of red flags here.

First, while life insurers may know how to capture health data, I doubt they’re cognizant of HIPAA nuances. Even if they hire a truckload of HIPAA experts, they don’t have much context for maintaining HIPAA compliance. What’s more, they rarely if ever have to look a patient in the face, which serves as something of a natural deterrent to provider data carelessness.

Also, given the industry’s track record, is it really a good idea to give a life insurer that much data? For example, consider the case of a healthy 36-year-old woman with no current medical issues who was denied coverage because she had the BRCA 1 gene. That gene, as some readers may know, is associated with an increased risk of breast and ovarian cancer.

The life insurer apparently found out about the woman’s makeup as part of the application process, which included queries about genetic information. Apparently, the woman had had such testing, and as a result had to disclose it or risk being accused of fraud.

While the insurer in question may have the right, legally, to make such decisions, their doing so falls into a gray area ethically. What’s more, things would get foggier if, say, it decided to share such information with a sister health insurance division. Doing so may not be legal but I can easily see it happening.

Should someone’s genes be used to exclude them life or health insurance? Bar them from being approved for a mortgage from another sister company? Can insurers be trusted to meet HIPAA standards for use of PHI? It’ll be important to address such questions before we throw our weight behind open health data sharing with companies like USAA.

What Are You Doing To Protect Your Organization Against Your Biggest Security Threat? People

Posted on July 28, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


This was a great tweet coming out of the HIM Summit that’s run by HealthPort. I agree with the comment 100%. Sure, we see lots of large HIPAA breaches that make all the news. However, I bet if we looked at the total number of breaches (as opposed to patient records breached), the top problem would likely be due to the people in an organization. Plus, they’re the breaches that are often hardest to track.

What’s the key to solving the people risk when it comes to privacy and security in your organization? I’d start with making security a priority in your organization. Many healthcare organizations I’ve seen only pay lip service to privacy and security. I call it the “just enough” approach to HIPAA compliance. The antithesis of that is a healthcare organization that’s create a culture of compliance and security.

Once you have this desire for security and privacy in your organization, you then need to promote that culture across every member of your organization. It’s not enough to put that on your chief security officer, chief privacy officer, or HIPAA compliance officer. Certainly those people should be advocating for strong security and privacy policies and procedures, but one voice can’t be a culture of compliance and security. Everyone needs to participate in making sure that healthcare data is protected. You’re only as strong as your weakest link.

One of the attendees at the session commented that she’d emailed her chief security officer about some possible security and compliance issues and the chief security officer replied with a polite request about why this HIM manager cared and that the HIM manager should just let her do her job. Obviously I’m summarizing, but this response is not a surprise. People are often protective of their job and afraid of comments that might be considered as a black mark on the work they’re doing. While understandable, this illustrates an organization that hasn’t created a culture of security and compliance across their organization.

The better response to these questions would be for the chief security officer to reply with what they’ve done and to outline ways that they could do better or the reasons that their organization doesn’t have the ability to do more. The HIM manager should be thanked for taking an interest in security and compliance as opposed to being shot down when the questions are raised. It takes everyone on board to ensure compliance and security in a healthcare organization. Burning bridges with people who take an interest in the topic is a great way to poison the culture.

Those are a few suggestions about where to start. It’s not easy work. Changing a culture never is, but it’s a worthwhile endeavor. Plus, this work is a lot better than dealing with the damaged reputation after a security breach.

The Evolving Security and Privacy Discussion

Posted on April 1, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HIMSS put out the great tweet above. The image itself is worthy of a laugh. Although, only a partial laugh since in healthcare many people don’t understand that a password doesn’t mean it’s encrypted. Plus, that’s just emblematic of how elementary healthcare’s implementation of security is in most healthcare organizations.

Yes, there are the outlier organizations and there are even the outlier security and privacy individuals within a large organization. However, on the whole healthcare is not secure. The hard thing is that it’s not because of bad intentions. Almost everyone I’ve met in healthcare really want to ensure the privacy and security of health information. However, there’s a general lack of understanding of what’s needed.

With that said, I have seen a greater focus on privacy and security in healthcare than I’ve ever seen before. HIMSS featuring so many sessions is just one indicator of that increased interest in the topic. It’s hard to ignore when every other day some major corporation inside and outside of healthcare is getting breached.

One of the biggest security holes in healthcare is business associates. Most don’t have a real understanding of how to be HIPAA compliant and that’s a massive risk for the healthcare organization and the business associate. That’s why I’m excited that people who get it like Mike Semel are offering HIPAA Compliance training for business associates. Doing HIPAA compliance right is not cheap, but it’s cheaper than getting caught in a breach.

Personally, I’ve seen a whole wave of HIPAA compliance products and services coming out. In fact, I’m looking at creating a feature on EMR and HIPAA which lists all of the various companies involved in the space. I’m sure I’ll hear a lot of discussion around this topic at HIMSS.

How To Respond to Data Breaches

Posted on May 19, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

Windows XP Is No Longer HIPAA Compliant

Posted on April 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any numbers on the number of PCs out there that are still running XP. Here was their response (Note: These are general numbers and not healthcare specific)

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (number vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.

I’ve heard some people make some cases for why Windows XP might not be considered a HIPAA violation if it was a standalone system that’s not connected to a network or if it was in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in and may or may not pass the audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.

HIPAA and ICD-10 Courses

Posted on October 11, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One of the real telling things I learned this week as I traveled to the MGMA Annual Conference and then the CHIME Fall Forum was how unprepared organizations are for ICD-10 and HIPAA Omnibus. It was amazing the stories I heard and I’m sure these will be topics I write about much more in the future.

One of the stories I heard was a medical practice who was asked if they were ready for ICD-10. The practice said that they were ready. Then, they were asked what they’d done to prepare for ICD-10. Their response was that their vendor said that they were ready for ICD-10.

We could really dig in to reasons why that practice might want to verify that their EHR vendor is really ready, but we’ll save that for future posts. What was amazing to me was that this practice thought they didn’t need to do anything to train their doctors and coders on ICD-10 to be ready for the change. They’re in for a rude awakening.

At a minimum, these organizations should look at a course like the Certificate of ICD-10-CM Coding Proficiency (20% discount if you use that link and discount code). The course looks at the key changes in coding with the implementation of ICD-10. Plus, it’s a course that looks to bridge your ICD-9 knowledge to ICD-10. Once you start digging into this content, you realize why your organization better have some ICD-10 training or you’re organization will suffer.

The same applies to HIPAA. So many people don’t realize (or remember) that as part of HIPAA compliance you need to have regular HIPAA training for your staff. This is particularly true with all of the changes that came with HIPAA omnibus. How many in your organization know the details of the changes under HIPAA omnibus?

An online courses like the Certified HIPAA Security Professional are such a great option since you can work on them when you have time and come back to them later while helping to protect you against a HIPAA audit. Plus, the course linked above includes a HIPAA “Business Associate Agreement” downloadable template which I’m quite sure many organizations still need. I recently asked a doctor’s office I was working with for their EHR business associate agreement. They told me they didn’t have one (more on that in future posts). Really? Wow!

Certainly each of these courses and training take some commitment to complete. Although, when your colleagues ICD-10 reimbursement becomes an issue or the HIPAA auditor knocks on your door, you’ll sleep much better knowing you’ve made the investment. Those who don’t will likely pay for it later.

HIPAA Compliance Audits Underway

Posted on January 9, 2012 I Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
– 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
– The focus this year is on covered entities, not on their business associates.
– OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
– Adam Greene, the blogger who broke this news first on his blog has some interesting details about the organizations. It seems as if 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” This translates to 30% of the initial list.
– Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3-10 business days.

Having been in charge of Sarbanes Oxley audits at my last place of work, I know first hand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”

Which probably is some solace for the organizations that are currently being audited. Hopefully at the end of this exercise, OCR will have a good idea of where the major weaknesses are, where it wants organizations to be at, and help them get there.

HIPAA and Mobile Health Applications

Posted on June 19, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m a really big fan of the mobi health news website. They do a really great job covering the mobile healthcare industry. Today someone pointed me to a series of articles they have going right now about HIPAA and mobile health applications.

These articles are being written by Adam H. Greene, JD, MPH who use to work at HHS and so he’s intimately familiar with the HIPAA laws. Here’s 2 articles that I’d consider must read articles for those that are interested in the HIPAA requirements for a mobile health app:

When HIPAA Applies to Mobile Applications
Mobile health: How to comply with HIPAA

The first article asks the question most mobile health developers ask, Whether HIPAA even applies to mobile health apps. The second one talks about how to comply if your mobile health app does require HIPAA compliance.

Very important steps if you’re working in the mHealth space.

Of course, if you’re doing a mobile health EMR app, you’re going to have to worry about HIPAA. Although, you should already be quite familiar with that.