
Some Important Tips On Telemedicine Security

Posted on March 22, 2018 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Recently, WEDI released a paper offering a pretty basic overview of the main categories of telemedicine services. From my standpoint, most of the paper wasn’t that new and exciting, but one section had some interesting suggestions worth sharing. While you’ve probably heard some of them before, you probably haven’t seen the full package they shared.

First, WEDI provided some general principles providers should consider when delivering telehealth services, including that all interactions should be conducted through a secure transmission channel and that privacy notices must be displayed or easy to find on the telehealth site. Makes sense, but not earth-shattering.

Where things got interesting was when WEDI went through its own telemedicine security Q&A. Its feedback on key topics included the following:

  • Make sure you have a policy addressing provider-to-provider disclosures of HIPAA-protected information which is gathered via telemedicine consult.
  • Secure all telemedicine data. Verify and authenticate user identities and their authority levels before patient treatment, possibly through the log-in process. This could include making sure that there’s a one-to-one match with the person logging in to view the data being retained.
  • Set up standards for data storage and retention, as well as establishing policies, procedures and auditability for access, use and transfer of telemedicine-related PHI. Afterward, monitor compliance with those standards.
  • Decide how telehealth data breaches will be handled, and who will be responsible for doing so. Determine who will be notified when a breach occurs, what the timeline is for doing so and who else might need to be notified. Also, identify what experts should be part of a breach response process, such as legal, information security and public affairs representatives, and make sure they know what their roles are if a breach takes place.
  • Bear in mind that any technology used for providing telemedicine services needs to be included in your HIPAA risk assessment.

Unless you work for a large organization, you probably won’t dig into security issues this deeply. Particularly if you work for a smaller practice with ten or fewer clinicians, you may end up outsourcing your entire IT function, including security and privacy protection.

However, it’s important to remember that members of your organization are ultimately responsible for any security violations, whether or not a contractor was involved in permitting the breach to happen.

It’s important that at a minimum, you have a security protection and incident response process in place — going well beyond “call the IT consultant” — that protects both patients and your practice from needless health data breaches. As you add telemedicine to the mix, make sure your process embraces that data too.

USAA Tapping EHR To Gather Data From Life Insurance Applicants

Posted on August 10, 2017 | Written By Anne Zieger

I can’t believe I missed this. Apparently, financial giant USAA announced earlier this year that it’s collecting health data from life insurance applicants by interfacing with patient portals. While it may not be the first life insurer to do so, I haven’t been able to find any others, which makes this pretty interesting.

Usually, when someone applies for life insurance, they have to produce medical records which support their application. (We wouldn’t want someone to buy a policy and pop off the next day, would we?) In the past, applicants have had to push their providers to send medical records to the insurer. As anyone who’s tried to get health records for themselves knows, getting this done can be challenging and is likely to slow down policy approvals.

Thanks to USAA’s new technology implementation, however, the process is much simpler. The new offering, which is available to applicants at the Department of Veterans Affairs and Department of Defense, allows consumers to deliver their health data directly to the insurer via their patient portal.

To make this possible, USAA worked with Cerner on EHR retrieval technology. The technology, known as HealtheHistory, supports health data collection, encrypts data transmission and limits access to EHR data to approved persons. No word yet as to whether Cerner has struck similar deals elsewhere but it wouldn’t surprise me.

USAA’s new EHR-based approach has paid off nicely. The life insurer has seen an average 30-day reduction in the time it takes to acquire health records for applicants, and though it doesn’t say what the average was back in the days of paper records, I assume that this is a big improvement.

And now on to the less attractive aspects of this deal. I don’t know about you, but I see a couple of red flags here.

First, while life insurers may know how to capture health data, I doubt they’re cognizant of HIPAA nuances. Even if they hire a truckload of HIPAA experts, they don’t have much context for maintaining HIPAA compliance. What’s more, they rarely if ever have to look a patient in the face, which serves as something of a natural deterrent to provider data carelessness.

Also, given the industry’s track record, is it really a good idea to give a life insurer that much data? For example, consider the case of a healthy 36-year-old woman with no current medical issues who was denied coverage because she had the BRCA 1 gene. That gene, as some readers may know, is associated with an increased risk of breast and ovarian cancer.

The life insurer apparently found out about the woman’s makeup as part of the application process, which included queries about genetic information. Apparently, the woman had had such testing, and as a result had to disclose it or risk being accused of fraud.

While the insurer in question may have the right, legally, to make such decisions, their doing so falls into a gray area ethically. What’s more, things would get foggier if, say, it decided to share such information with a sister health insurance division. Doing so may not be legal but I can easily see it happening.

Should someone’s genes be used to exclude them from life or health insurance? Bar them from being approved for a mortgage from another sister company? Can insurers be trusted to meet HIPAA standards for use of PHI? It’ll be important to address such questions before we throw our weight behind open health data sharing with companies like USAA.

Healthcare Orgs Must Do Better With Mobile Data Security Education

Posted on November 15, 2016 | Written By Anne Zieger

A new study finds that while most healthcare professionals use mobile messaging at work, many aren’t sure what their organization’s mobile messaging policies are, and a large number have transmitted Protected Health Information via insecure channels. In other words, it seems that health IT leaders still have a lot of work to do in locking down these channels.

According to a report by Scrypt, 65% of health professionals who use a mobile device at work also use the same device for personal use, the standard BYOD compromise which still gives healthcare CIOs the willies. Underscoring the security risks, 52% of respondents said that they had free rein over which applications they downloaded and used at work.

To be fair, virtually all respondents (96%) use at least one security method to protect their mobile device. However, their one-factor efforts — usually passcode or PIN-based — may not be secure enough to protect such sensitive data.

The research also blows the whistle on the frequency with which health professionals share PHI using mobile messaging clients (not surprisingly, given that the vendor sells a secure mobile messaging solution). It notes that just a quarter of those who reported using mobile messages use a secure client, and that one in five have sent or received PHI via mobile message with names (24%), telephone numbers (19%) and email addresses (13%) included in the content.

Researchers found that 78% of healthcare professionals use mobile messaging at work. However, few understand how their organizations expect them to use these services. Fifty-two percent of respondents who use mobile messaging said they didn’t know or weren’t sure of what their organization’s policies were on the subject.

Showing some awareness of data security vulnerabilities, 56% of the survey respondents said they believe the organization could do more to educate employees on the rules around sharing PHI and HIPAA compliance. On the other hand, it seems like most consider this to be everybody else’s problem, as 80% of respondents reported that their own knowledge of HIPAA compliance was either good or very good.

Clearly, as self-serving as the vendor’s conclusion is, they’re onto something important. Not only are CIOs facing huge challenges in establishing a smart BYOD policy, they’re confronted with a major educational problem when it comes to sharing of PHI. While the professionals on their team may have been handed a mobile policy, they may not have absorbed it. And if they haven’t been given a policy, you have to be conservative and assume they’re not doing a great job protecting data on their own.

If nothing else, healthcare organizations can remind their staff members to be careful when texting at work – heck, why not text them the reminder so it’s in context? Bottom line, even highly intelligent and educated team members can succumb to habit and transmit PHI. So a nudge never hurts!

What Does Direct Messaging Look Like for MU2?

Posted on June 11, 2014 | Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that's part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

I’m often asked what EHR integrations of Direct are supposed to look like.  In the simplest sense, I liken it to a Share button and suggest that such a button—typically labeled “Transmit”—be placed in context near the CCDA that’s the target of the transmit action, or in a workflow-friendly spot on a patient record screen.

[Screenshot: Send a CCD using Direct Messaging in OpenEMR]

The receive side is similarly intuitive: the practice classifies how their incoming records are managed today and we map that process to one or more Direct addresses.  If we get stuck, I ask, “What is the workflow for faxes today–how many fax numbers are there, and how are they allocated?”  This usually helps clear things up:  as a starting point, a Direct address can be assigned to replace each fax endpoint.

The address structure raises an important question, because it is tightly tied to the Direct messaging user interface.  Should there be a Direct address for every EHR user?  Provider?  Department? Organization?  A separate address for the patient portal?  A patient portal that spans multiple provider organizations? One for every patient?

The rules around counting Direct messages for Transitions of Care (ToC) attestation do not require each provider to have their own Direct address, as long as the EHR can count transactions correctly for attestation.  As far as meaningful use is concerned, any reasonable address assignment method should be acceptable in ToC use cases (check the rules themselves, for full details).  Here are some examples.

records@orthodocs.ehrco-example.com is clearly an address that could be shared by multiple users, though it could be used by just one person, and might be used for both transitions of care and patient portal transmit.

janesmith@orthodocs.hisp-example.com could also be dual-purpose.  Jane might be the only authorized user of this address, or this address may be managed by a group of people at her practice that does not necessarily even include Jane.  Alternatively, this address could be used for Jane’s ToC transactions, while a patientportal@someother.domain-example.com address could be used for patient portal transmit.

So, any of the options proposed above are possible conventions for assigning Direct addresses.  Also, a patient does not need their own Direct address to Transmit from as part of the View, Download, Transmit measure (170.314(e)(1)), but might have their own address to transmit to.  Note that adding a little extra data can elevate a View, Download, Transmit implementation to BlueButton+ status.

It makes sense for patients and providers to have their own Direct addresses if they are using Direct for Secure Messaging – 170.314(e)(3) – for which Direct is an optional solution.  Or, if patients have their own Personal Health Record (PHR) and Direct address, Direct is a great way to deliver data to the PHR.  Incidentally, there are free services such as Microsoft HealthVault and many others that issue patient Direct addresses.

Direct addresses are nearly indistinguishable from regular email addresses, but a word of caution: Direct is incompatible with regular email, and has additional requirements beyond traditional S/MIME.  Although it’s not a requirement, you’ll often find the word “direct” somewhere in the domain part of a Direct address, to help distinguish a regular email address from a Direct address.
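As an added example (not code from the post, nor from EMR Direct or phiMail), here is a small Python model of the address conventions discussed above: it counts ToC transmits per provider when an address is shared, keeps portal transmits out of that count, and flags addresses that an audit trail cannot treat as a user identity. All addresses, logins and events are constructed sample data, and the address check is syntactic only, since, as the post notes, a Direct address looks just like an email address.

```python
"""Attribute Direct transmits to providers behind a shared Direct address.

Added example, not code from the post or from EMR Direct / phiMail. A shared
address such as records@orthodocs.ehrco-example.com does not identify the
provider who performed a transition-of-care (ToC) transmit, so the EHR has to
record the acting user and the responsible provider on every event and count
ToC transmits per provider rather than per address. Addresses, user names and
events below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

TOC = "toc"        # transition-of-care transmit, counted for attestation
PORTAL = "portal"  # patient View, Download, Transmit from the portal


@dataclass(frozen=True)
class TransmitEvent:
    sender_address: str  # Direct address the message left from
    acting_user: str     # EHR login that clicked Transmit
    provider: str        # provider the ToC transmit is attributed to ("" for portal)
    purpose: str         # TOC or PORTAL
    recipient: str       # destination Direct address


def is_plausible_direct_address(addr: str) -> bool:
    """Syntactic check only: one '@', non-empty local part, dotted domain.

    A Direct address is nearly indistinguishable from an email address, so
    this cannot tell the two apart; whether an address is Direct-enabled is
    established through the HISP's certificates and trust bundle, not syntax.
    """
    local, sep, domain = addr.partition("@")
    return bool(sep) and bool(local) and "." in domain and " " not in addr


def toc_counts_by_provider(events: Iterable[TransmitEvent]) -> Dict[str, int]:
    """Count ToC transmits per provider, independent of which address sent them.

    Portal transmits are left out because they belong to a separate measure.
    """
    counts: Counter = Counter()
    for ev in events:
        if not is_plausible_direct_address(ev.sender_address):
            raise ValueError(f"malformed sender address: {ev.sender_address}")
        if ev.purpose == TOC:
            counts[ev.provider] += 1
    return dict(counts)


def shared_addresses(events: Iterable[TransmitEvent]) -> Dict[str, List[str]]:
    """Audit view: addresses used by more than one EHR login.

    For these, the address alone is not an identity, so the acting_user field
    is what an access audit has to rely on.
    """
    users: Dict[str, set] = {}
    for ev in events:
        users.setdefault(ev.sender_address, set()).add(ev.acting_user)
    return {a: sorted(u) for a, u in users.items() if len(u) > 1}


SAMPLE_EVENTS = [  # constructed sample data
    TransmitEvent("records@orthodocs.ehrco-example.com", "frontdesk1",
                  "janesmith", TOC, "intake@cardio.hisp-example.net"),
    TransmitEvent("records@orthodocs.ehrco-example.com", "frontdesk2",
                  "janesmith", TOC, "referrals@pt.hisp-example.net"),
    TransmitEvent("records@orthodocs.ehrco-example.com", "frontdesk1",
                  "bobjones", TOC, "intake@cardio.hisp-example.net"),
    TransmitEvent("janesmith@orthodocs.hisp-example.com", "janesmith",
                  "janesmith", TOC, "records@neuro.hisp-example.net"),
    TransmitEvent("patientportal@someother.domain-example.com", "portal-svc",
                  "", PORTAL, "patient42@phr.direct-example.org"),
]

if __name__ == "__main__":
    print(toc_counts_by_provider(SAMPLE_EVENTS))  # {'janesmith': 3, 'bobjones': 1}
    print(shared_addresses(SAMPLE_EVENTS))
```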

Now that you know what Direct is, and what Direct Messaging and Direct addresses look like, I’m sure you’ll start noticing Direct popping up in more and more places.  So, be a not-so-early adopter and go get yourself a Direct address!

Getting HITECH: Unraveling the Complexities of Compliance

Posted on March 6, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest blog post by Jason Carolan, CTO for ViaWest.

HITECH and HIPAA compliance are incredibly important to the bottom lines of many companies. But what exactly does this compliance entail? In 2009, the HITECH Act (Health Information Technology for Economic and Clinical Health) was passed, expanding the scope of the previous Health Insurance Portability and Accountability Act (HIPAA). HITECH enforces the rules of HIPAA, while invoking stiff fines for non-compliance. Now more than ever before it is absolutely imperative that companies working with healthcare organizations ensure they have all the facts before designing IT solutions. And one of the keys to having all the facts is knowing the core terminology.

A Covered Entity under the HIPAA privacy rule refers to health plan groups, health care clearinghouses and health care providers that transmit health information electronically, including doctors, dentists, chiropractors, insurers, Medicare, medical plans and billing services. These Covered Entities face the additional challenge of managing their Business Associates, revisiting agreements and ensuring privacy, security, enforcement and breach notification updates in order to meet the requirements of the Final Rule.

A Business Associate (BA) under the HIPAA privacy rule refers to a person or organization that conducts business with a Covered Entity that involves the use, access or disclosure of protected health information (PHI). HITECH also specifies that an organization that provides data transmission of PHI is a BA. Examples of BAs include vendors, subcontractors and IT service providers that provide managed hosting services requiring access, use or disclosure of PHI.

All HIPAA Covered Entities and Business Associates must comply with security controls to safeguard PHI through the following due diligence efforts:

  • Ensure the confidentiality, integrity, and availability of PHI
  • Protect against any reasonably anticipated threats and hazards
  • Protect against reasonably anticipated uses or disclosures of PHI that are not permitted
  • Ensure compliance by its workforce through Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements and Policies and Procedures
  • Documentation of breach notification procedures and timeliness of breach notification

Covered Entities and Business Associates who have a strong security posture and can prove their due diligence through establishment and audit of controls and breach preparedness have a lower risk of fines than those companies that do nothing.  Proven due diligence includes:

  • Prioritizing compliance efforts
  • Culture awareness
  • Implementing security policies
  • Conducting risk assessments
  • Enforcing and validating controls to protect PHI

IT departments are dealing with the same or shrinking budgets.  So, with a larger share of the IT budget consumed by compliance, CIOs and CTOs are under pressure from a resource standpoint. Failing on compliance can bring stiffer punishments and fines, so more and more companies are looking at outsourcing so that they can share the burden and ensure they aren’t missing important components.

An audit may not be a pleasant experience, but it’s a reality, and being prepared is the key. The right technology provider can help you not just with a compliance checklist, but can take it a step further and provide a comprehensive set of solutions to be “baked in” upfront – minimizing the risk of audit or the “pain” of the audit if you are in the midst of one.

With increased regulation comes increased risk and complexity surrounding HIPAA compliance.  Are you confident in your company’s data security?

Texas Law Amps Up HIPAA Penalties

Posted on September 10, 2012 | Written By Anne Zieger

Providers in every state must meet HIPAA standards, but alas, that may not be all in some states, which are permitted to institute stiffer requirements than the feds.  Such is the case in Texas, where a new state privacy law has gone into effect which asks a lot more of physicians and some other providers.

Texas has toughened up requirements in several areas, including the following:

* Covered entities:  HIPAA offers a fairly specific definition of covered entities, but the Texas law takes things much further, extending the rule to cover a wide range of people who handle PHI. This may include business associates, healthcare payers, government units, schools, facilities, providers, researchers and physicians, reports John Wisniewski, CEO of the Bexar County Medical Society.

* EMR data requests:  Requests for electronic medical records by Texans must be fulfilled within 15 days of a written query. This new rule, which brings EMR requests up to the existing level for paper records, is tougher than HIPAA’s 30-day requirement.

* Stricter training:  The new law imposes tougher training requirements regarding privacy issues — including customized training regarding maintenance and protection of electronic PHI — and penalties for violations are ramped up under the new law. Covered entities must set deadlines for the completion of such training, and maintain records of completing such training, which is required every two years.

* Any PHI breach must be reported:  Any entity which experiences a breach in PHI must report it to individuals, including any business handling such information, not just covered entities as defined by the new statute.

I understand that providers must find it frustrating to have additional requirements slapped on them.  However, none of these strike me as insane, though the broadening of covered entities to include such a large group could lead to trouble, perhaps. What do you think?

Data breaches and EMRs: bad guys or just dumb mistakes?

Posted on August 3, 2011 | Written By

Dr. West is an endocrinologist in private practice in Washington, DC. He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC in 2009. He can be contacted at doctorwestindc@gmail.com.

I love this post by George V. Hulme at CSO Online because it really highlights my high level of skepticism regarding all the need for worry about encrypting everything to death where electronic medical records are concerned.  Yeah, yeah, yeah.  I’ve heard it over and over, ad nauseam.  I don’t necessarily disagree that data security is important, but just please someone name me some examples of where a nefarious miscreant was purposely trying to steal protected health information (PHI) electronically with hacking.  I’m sure such documented incidents must be out there somewhere, but they don’t seem common since I’ve never heard of any actual cases.  Even the strange one reported (but not really well referenced) in the above post was, okay technically crime, but not electronic at all.  The criminal cited in the story was apparently trying to manually steal what sounds like a hardcopy paper file from the doctor’s home.  I’ve always told my colleagues and friends, “What the bleep would anyone want with some average patient’s health information?  And who’s gonna go to the level of sophisticated, tech-savvy theft to get it?”

It really seems like crazy paranoia to me to think that anyone cares about Mrs. Smith’s medication doses, whether she smokes or has a beer every now and then, or when she was last seen in the office.  Come on, people, that’s not going to make anyone rich — pretty much has no street value at all on the surface.  So I ask again for your assistance in throwing me a bone.  Help me understand where the rubber meets the road and we really need to go crazy with overly expensive and extreme technology to avoid electronic data theft.  Someone think up the next blockbuster summer movie script.  “The Net III”?  I’ll take crazy Sandra Bullock movies for $100, Alex.


Tornadoes and HIPAA

Posted on June 16, 2011 | Written By Dr. West

[Note:  Since this post was published, I found an excellent post over at EMRandHIPAA.com.]

My friend John Lynn over at EMRandHIPAA.com posted an interesting piece discussing hospital liability when health information is literally strewn around town after a tornado hits.  With all of the recent tornado activity and tragedy occurring in the U.S., it seems likely to happen again and again.

This also highlights another reason I love my web-based, redundantly backed-up EMR system.  You can’t lose any protected health information unless the locked-up primary server farm and the locked-up secondary backup server farm, which are typically geographically isolated from each other, are both destroyed.  You can’t blow paper chart notes out windows or plastic x-ray films into tree tops when they don’t exist.

Inadvertent exposure of PHI?  Think again.  Web-based records require the person to login remotely to access them, so you can’t just lose a laptop on the train or in a cab and be at risk of data breach.

I feel bad for all the patients who lost, or will lose, their records because they were kept on paper, since it probably means they’re at high risk of having a less informed doctor treating them in the future.  Don’t fight future tornadoes… embrace the cloud today!
