
A Review of HIPAA EHR Security Regulations


Focus on the Hospital Industry

By Carol S. Miller BSN MBA

With the implementation of EMRs, Internet access, and intranet availability throughout hospital and physician complexes, as well as from home or any virtual site, the potential for security violations and their associated vulnerabilities may already have caused serious harm to many hospitals and to the IT community in general. Implementation of HIPAA security standards across the United States at hospitals, clinics, medical complexes, universities, federal facilities such as the VA, DoD or IHS, and others has been inconsistent. In addition, the HIPAA privacy regulations have given responsibility for the patient health record to the patient — the impact of which has not been fully addressed nor is it supported by healthcare IT rules and regulations.

In Control?

Throughout the entire healthcare industry, there are concerns over who has access, who is in control, and whether the release of information impacts the privacy and security of the patient medical information or presents a risk to patient well-being, the quality of patient care, compliance issues, and potential fines to the hospital community.

The simple fact is that security is a problem that could have a catastrophic effect on any hospital.  Most Chief Information Officers have increased their “security-related” and “computer specialist” staff to address security issues, but most believe that their security is still vulnerable and needs to be improved.  Understanding a complex group of technologies and processes that have been built and modified many times over the years, especially at a large university or medical center complex, will be not only time-consuming, but also costly.  Security, like complex IT systems, was never designed in any organized manner.  It simply expanded as more and more access was made available, patient rights were defined, technology capabilities expanded, and more Internet-related communications and document-sharing occurred.

Hospital Security Concerns

Further, HIPAA security requirements were thrown into the mix in an era when hospital budgets were shrinking, and hospitals were trying to meet their costs through consolidation or reduction of programs and staff.

The prime concerns for information security are:

  • confidentiality – information is accessible only by authorized people and processes;
  • integrity – information is not altered or destroyed; and
  • availability – information is there when you need it.

Hospitals will continue to review, update and further document their security issues, monitor changes, and develop processes to mitigate the problems.  Gap analyses will continue to determine where vulnerabilities are or potentially could occur.  This process will be time consuming, but will enable the hospitals to determine how each system is integrated into their portfolio of systems and applications, and how it will be integrated with new technology.  Most importantly, it will facilitate identification of the detailed process of requesting, securing, and approving access to confidential patient records, systems, or applications.  It will enable hospitals to move forward with other technology enhancements in a secure manner.

Patchwork Security Quilt

As stated previously, security has grown piecemeal as needs have been integrated with system, application, and software program growth. It is literally a patchwork of various security functions and restrictions, some applicable only to a certain application or software product, others applicable to several applications but not all. Various security software or SaaS packages have been deployed at different facilities across the United States that provide firewalls, access controls, tracking systems, and various other HIPAA security compliant capabilities; however, even with all these controls, no one person within a hospital environment is fully aware of all the security requirements, the security structures, how the security network is integrated, or whether any of it works efficiently and effectively. Building a basic understanding of the entire network is the basis for developing and improving the entire HIPAA-related security process. Besides the security built into the hospital systems and exposed through the Internet, there is still the issue of physical security: theft, or inappropriate physical access to patient information.

Typical Security Queries

The following list provides examples of typical questions that should be addressed concerning the security of information stored on a laptop, or on an intranet site reachable from that laptop. Each of these questions implies additional time and expense, since an assigned individual must monitor every aspect of this tracking process:

  • Is there an accurate record or log of each piece of equipment referenced at the hospital?
  • Do I know how many of the laptops are portable and used at home?
  • Are personal digital assistants (PDAs) and laptops encrypted and is the employee required to change passwords frequently?
  • Do I know how many of these portable systems are used for personal services?
  • Do I know how many of these laptops are used by family members?
  • Do I know how secure the portable systems are?
  • Do I know if they are just password protected or whether other security measures are in place?
  • Is every piece of equipment accounted for when employees leave, including PDA, laptop, CD, DVD, or other storage devices?
  • Do I know who can access confidential patient information from a remote office or home?
  • Is there a defined process for discarding old computers and old media?
  • Do employees know the hospital’s reporting process if their laptop is stolen or hacked?
  • Is virus and spyware software continually updated?
  • Are employees provided with information on how to secure their laptops or blackberries?
  • Do employees know what to do when attachments from unknown sources are sent and/or downloaded?
  • Does the employee use home-burned CDs/DVDs on their laptop?
  • Is system backup maintained by every employee?
  • Do employees know to “log off” when leaving their desktop or is there an automatic “log off” capability built within the system?

Security Administrators and Managers

Hospitals are employing security administrators and security staff to identify potential risks, vulnerabilities, and risk scenarios, and to develop policies and procedures to address all of these issues. HIPAA compliance reviews and approval processes from HIPAA officers or legal counsel will be an added process for the hospital as part of any security consideration. All of these security review processes, requirements, and staffing represent new, most likely unbudgeted, and often higher-than-anticipated costs to the hospital. Costs need to be based on the affiliated risk and on the manpower or technical systems/software required to fix it; these indirect costs (i.e., not direct labor costs related to patient care) are being met from hospital profits.

Risk Assessment Queries

Every covered entity should complete a risk assessment and review it periodically.  Focus areas that need to be addressed in the risk plan include the following:

  • workforce clearance (does the job require access to patient information and is it documented in the job description);
  • training (ongoing awareness and reminders); and
  • termination (what are the processes and procedures for assuring that a terminated employee does not have future access to any confidential patient information).

Today it is important for all hospitals to focus on contingency plans and disaster recovery to prevent any arbitrary loss of patient information.  Hospitals need to plan for and demonstrate that disasters such as Katrina or 9/11 or Japan or Alabama will not affect the security of the systems or access to patient information.

Many hospitals provide routine reviews, and system maintenance and updates to combat potential security problems or concerns with regard to confidential patient information.  However, inadvertent or even intentional changes to systems can cause serious data problems as the data integrates throughout the hospital IT environment.  Security breaches at this level can come from inside or outside the hospital.  They can be malicious or accidental and they can be related to system function disruption or data degradation.  They can relate to potential failures to properly share data and coordinate information.  They can also be the cause of major patient clinical errors, physician dissatisfaction, inaccurate record information, duplication of records, and as always, additional cost to the hospital that must identify the potential breach, develop a solution, and correct the issue at hand.

Main Concern

Direct access to information is probably the biggest security issue.  It affects personnel access to the systems they need in their daily jobs and tends to be poorly controlled.  Because hospitals need to provide access to information, they are sometimes lax about who has that access.  As an example, ask any hospital to not only identify each access user on the system, but also identify who uses each specific application.  Few hospitals have that capability. They would require additional resources to develop not only a major computerized index, but also the time and attention to monitor and to change users’ rights to access.  Many hospitals routinely request that the business or IT manager provide access for new employees that is similar to what another comparable staff person has — not really addressing the particular “right to know” or determining whether the new employee really needs a particular level of access.  Experience within the hospital environment also shows that many of the staff still have the same access to systems that they have had for years, even though they may have changed positions several times.

Finally, many staff have access to confidential patient information, yet few of the hospitals have ever linked this “right of access” to a background check. Access to the hospital system is given to employees to perform a job. In doing so, the hospital opens its doors wide to a broad range of financial, confidential, or even competitive information. Many of these hospitals employ designated staff to change and delete access rights, or to grant read-only or read/write access; however, vulnerabilities can still exist. Security is a trade-off between control and flexibility, and there will always be weak points. For those hospitals that have in place a comprehensive security review process, policies and procedures, and a contingency plan, the risks and liability can be limited.
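As an added example (not from the article or the ME-P), the two checks this section describes, producing an index of who uses each application and catching entitlements that outlive a position change or a termination, carried out as an access-review script over a constructed HR roster and entitlement export. The role baselines, user ids and application names are assumed sample data, not any hospital's real configuration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role baselines: which applications each job actually requires (the "right to know").
# Constructed for this example; a real review would derive them from job descriptions.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nurse": {"ehr_clinical"},
    "billing_clerk": {"billing", "ehr_demographics"},
    "it_admin": {"ad_admin", "ehr_admin"},
    "pharmacist": {"pharmacy", "ehr_clinical"},
}


@dataclass
class Employee:
    user_id: str
    role: str                          # current role from the HR roster
    status: str                        # "active" or "terminated"
    role_history: List[str]            # previous roles, oldest first
    cloned_from: Optional[str] = None  # provisioned "like user X" instead of by role


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str


def index_by_application(entitlements: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Invert the user->apps export into app->users: the index the article says
    few hospitals can produce on demand."""
    index: Dict[str, List[str]] = {}
    for user_id, apps in entitlements.items():
        for app in apps:
            index.setdefault(app, []).append(user_id)
    return {app: sorted(users) for app, users in index.items()}


def review_access(employees: List[Employee],
                  entitlements: Dict[str, Set[str]]) -> List[Finding]:
    """Reconcile the HR roster against the entitlement export and flag:
    terminated users still holding access, access carried over from a prior
    role, access that no role the person ever held explains, and accounts
    provisioned by cloning another employee."""
    findings: List[Finding] = []
    for emp in employees:
        apps = entitlements.get(emp.user_id, set())
        if emp.status == "terminated":
            if apps:
                findings.append(Finding(emp.user_id, "terminated_with_access",
                                        ",".join(sorted(apps))))
            continue
        baseline = ROLE_BASELINE.get(emp.role, set())
        prior = set().union(*(ROLE_BASELINE.get(r, set()) for r in emp.role_history))
        for app in sorted(apps - baseline):
            kind = "stale_prior_role_access" if app in prior else "unjustified_access"
            findings.append(Finding(emp.user_id, kind, app))
        if emp.cloned_from:
            findings.append(Finding(emp.user_id, "cloned_provisioning",
                                    f"copied from {emp.cloned_from}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind for the review report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample input: a small HR roster and an entitlement export.
EMPLOYEES = [
    Employee("u100", "billing_clerk", "active", ["nurse"]),       # moved out of nursing
    Employee("u101", "nurse", "active", [], cloned_from="u102"),  # "give her what u102 has"
    Employee("u102", "nurse", "active", []),
    Employee("u103", "it_admin", "terminated", []),               # left last month
    Employee("u104", "pharmacist", "active", []),
]
ENTITLEMENTS = {
    "u100": {"billing", "ehr_demographics", "ehr_clinical"},  # clinical access never revoked
    "u101": {"ehr_clinical", "pharmacy"},  # clone copied an app u102 should not have had
    "u102": {"ehr_clinical", "pharmacy"},
    "u103": {"ad_admin"},                  # admin account survived termination
    "u104": {"pharmacy", "ehr_clinical"},
}

if __name__ == "__main__":
    for app, users in index_by_application(ENTITLEMENTS).items():
        print(f"{app}: {', '.join(users)}")
    for f in review_access(EMPLOYEES, ENTITLEMENTS):
        print(f"{f.user_id} {f.kind} {f.detail}")
    print(summarize(review_access(EMPLOYEES, ENTITLEMENTS)))
```

Against the sample data the script reports one stale entitlement, two unjustified ones, one cloned account and one terminated user with live access, and flags nothing for the pharmacist whose access matches her role.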

Assessment

Regardless of the cost, HIPAA security and privacy regulations have changed the hospital environment.  The hospital and its IT and security staff need to be proactive.  There is simply too much at stake and potentially too many issues where mistakes could cause the hospital a serious system problem or result in a large fine.  HIPAA and the responsibility to provide reasonable patient care risk reduction mandate secure healthcare IT operations.  To do less simply allows patient care and healthcare delivery outcomes to be exposed to unacceptable levels of unnecessary risk.

About the Author

Carol S. Miller has an extensive healthcare background in operations, business development and capture in both the public and private sector. Over the last 10 years she has provided management support to projects in the Department of Health and Human Services, Veterans Affairs, and Department of Defense medical programs. In most recent years, Carol has served as Vice President and Senior Account Executive for NCI Information Systems, Inc., Assistant Vice President at SAIC, and Program Manager at MITRE. She has led the successful capture of large IDIQ/GWAC programs, managed the operations of multiple government contracts, interacted with many government key executives, and increased the new account portfolios for each firm she supported.

She earned her MBA from Marymount University, a BS in Business from Saint Joseph’s College, and a BS in Nursing from the University of Pittsburgh. She is a PMI-certified Project Management Professional (PMP) and a Certified HIPAA Professional (CHP), with a Top Secret security clearance issued by the DoD in 2006. Ms. Miller is also a HIMSS Fellow, Past President and current Board member, and an ACT/IAC Fellow.

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com


14 Responses

  1. HI-TECH ACT – HIPAA Penalties

    With the introduction into law of the 2009 ARRA Act that includes a section called HITECH Act, the penalties for HIPAA violations have increased. There is now a tiered system of civil monetary penalties based on the level of knowledge of non-compliance and corrective actions. They are:

    * For reasonable cause and not willful – $1000 for each violation

    * For willful neglect and not corrected – $50,000 per violation with a maximum fine of $1,500,000 for all such violations in a year.

    * In addition, HIPAA still includes criminal penalty fines of up to $250,000 and up to ten years in prison for disclosing or obtaining health information with the intent of selling, personal gain, or malicious purpose.

    Source: Carol S. Miller BSN, MBA


  2. IT Leaders Fight New HIPAA Rule

    CHIME and MGMA take exception to a proposed requirement to produce access reports within 30 days after a patient’s request.

    http://www.informationweek.com/news/healthcare/policy/231002772

    Brent


  3. How Health IT-Related Errors Hurt Patient Safety

    Here is a new analysis that explains how the occasional glitches with EHRs and related systems can get out of hand.

    http://www.informationweek.com/news/healthcare/patient/231002617

    Jane


  4. Properly delete electronic medical records, or face fines
    Say it ain’t so?

    Could a complete stranger receive your echocardiogram results in the mail? Could a homeless guy in Boston end up with your labs in his shopping cart? Is it possible that your medical records were sold on eBay? Yes. Yes. And yes.

    On February 24, 2011, Massachusetts General Hospital was fined $1 million dollars by the federal government when an employee inadvertently left a stack of papers on the subway.

    http://www.kevinmd.com/blog/2011/08/properly-delete-electronic-medical-records.html

    Barbara


  5. Happy Birthday HIPPA

    Let me get this straight: Fifteen years after Congress passed the HIPAA privacy statutes, the health information technology [HIT] industry is finally adapting to guidelines made more stringent by the 2009 HI-TECH Act.

    Is that about right, readers?

    Dr. David Edward Marcinko MBA CMP™
    [Editor-in-Chief]
    http://www.HealthcareFinancials.com

    Former, American Society of Health Economists (ASHE)
    Former, American Health Information Management Association (AHIMA)
    Former, Healthcare Information and Management Systems Society (HIMSS)


  6. Here come the lawyers

    Carol – Sutter Health will face a class-action lawsuit regarding the Californian health system’s largest data breach that involved the personal information of 4.24 million patients.

    http://www.sacbee.com/2011/11/23/4074676/sutter-health-sued-over-theft.html

    Leonard


  7. Prime hospital CEO, CMO blasted for sharing patient chart with media

    Two executives at Shasta Regional Medical Center, owned by Prime Healthcare Services, are facing severe criticism after sharing a patient’s medical chart with news outlets. The incident, in addition to drawing fire, has brought up questions about whether the practice was legal or ethical.

    http://www.fiercehealthcare.com/story/prime-hospital-ceo-cmo-blasted-sharing-patient-chart-media/2012-01-06?utm_medium=nl&utm_source=internal#ixzz1ihpmSe4i

    So Carol – Forget about HIT and HIPAA; it always boils down to human error!

    Laura


  8. HIPAA AUDITS

    I want to know if it is the Republicans or Democrats who stand against ineffective, parasite infested government regulations that needlessly raise the cost of healthcare. HIPAA’s bipartisan support makes it hard to tell.

    Get ready for even more nonsense, Doc. “HIPAA Audits Move Forward” by Howard Anderson was posted today on HealthcareInfoSecurity.com. Three unnamed physicians and one really unlucky dentist are included in the first 20 audits.

    http://www.healthcareinfosecurity.com/articles.php?art_id=4379&rf=2012-01-06-eh&elq=96e271e135fe42f28d6300cc90b23905&elqCampaignId=1124

    Anderson writes: “It’s official: The new HIPAA compliance audit program has begun. The 20 organizations selected for the initial test phase of the program are preparing for site visits in the coming weeks, federal regulators confirm. After that, about 130 more organizations will face audits later this year.”

    Inevitably, it won’t be long until KPMG auditors working under a $9.2 million contract with HHS will be looking to make examples of mouthy dentists. That’s why I can’t blame HIPAA covered dentists for their silence. If I were a Covered Entity like 90% of the dentists in the nation, I certainly wouldn’t be pointing out federal stupidity.

    Ominously, it’s been 6 years, and I’m still the only dentist in the nation who dares to question the value of HIPAA in dentistry. It looks to me like most dentists’ silence can be attributed to pervasive fear of obscene, bankruptcy-level fines for a capricious, subjective finding of “willful neglect” by a KPMG auditor having a bad day. It’s unfortunate in the land of the free, that anyone fears retribution from rented authorities with badges. Want to know a secret? Shortly after KPMG won the government contract to audit dentists’ compliancy, they had to disclose that one of their employees lost a hard drive containing 4500 patients identities. OOPS! (If you happen to be audited, it wouldn’t be a good idea to mention that incident).

    How to prepare for an audit the OCR way

    A month ago, attorney Adam Greene, a former OCR official, suggested that HIPAA covered entities should prepare for an audit by:

    – Addressing the entire lifecycle of electronic and hard copy protected health information, identifying where such information is created throughout the organization, how it is maintained, and how it is disposed of;

    – Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and

    – Conducting a comprehensive review of policies, procedures, other documentation, and training.

    http://www.dwt.com/LearningCenter/Advisories?find=450543

    If those tedious, meaningless obligations aren’t scary enough for busy dentists who are sincerely trying to keep their patients’ identities secure, in August, Greene suggested that “entities that have never imposed an internal HIPAA-related sanction may have a problem.” He added that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.” Incredible.

    http://insurancenewsnet.com/article.aspx?id=271036

    As any thinking, literate human, and a few exceptionally smart family pets can figure out, Mr. Greene’s takeaway lesson is shocking: If nobody in your office has yet been officially sanctioned, Doc, it’s time to choose someone to take the first hit for the team, and for others to get in line for their bustin’ as well. Actually going through the motions of coming down hard on various employees for minor HIPAA violations on an irregular schedule is much better than trying to backdate numerous sanctions in the frantic 10 days following an audit notice from OCR. Besides, that’s likely to land you in jail.

    Regardless how you prove you vigorously sanction HIPAA violations every now and then as expected, don’t forget to pin down the details with those whose carelessness you document according to HIPAA requirements. It would reflect badly on the dentist’s dedication to compliancy if upon questioning by a KPMG auditor, a staff member couldn’t recall why he or she was sanctioned one or more times.

    It’s no surprise that HIPAA has failed to even slow down the number of data breaches from dental offices. Nor has HITECH lessened the temptation of dental patients’ stolen identities that go for $50 each. Think about it. A dental practice’s 3000 patients’ PHI quietly downloaded onto a flash drive within minutes can put $150,000 in the thief’s pocket, tax free. What’s more, the dentist might not learn of the heist until a law official is seated in the waiting room with a long list of identity theft victims with a dentist in common. How scary is that?

    Mr. Greene’s feel-good busywork and cosmetic sanctions offer Americans as much protection as the 1960s’ patriotic “duck and cover” campaign intended to save our nation’s school children during a nuclear war.

    Silence from citizens gives tyranny a strategic advantage.

    D. Kellus Pruitt DDS


  10. Consumer Data Privacy Bill of Rights

    Jim Pyles, a nationally-respected authority on patient privacy rights, sent me the following email which he gave me permission to share:

    Darrell,

    I thought your reading public might be interested in the Consumer Data Privacy Bill of Rights just released by the White House. I am including the summary with some of the more significant statements highlighted.

    http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

    Note that the policy established by the Administration is that technology must be modified and shaped to fit our traditional privacy rights since they have been “at the heart of our democracy from its inception.” One might add that the same is true of privacy in medicine.

    Note also that the first right in the Consumer Privacy Bill of Rights is that “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

    The White House issued this policy statement now because the European Union recently issued a detailed Data Privacy Regulation which provided that (a) personal data may not be used or disclosed without the individual’s consent (unless otherwise required by law) and (b) EU members must ensure that countries outside the EU with whom they deal have comparable data privacy protections.

    So it appears we have a new floor of privacy protections that is a level above HIPAA.

    Have a nice weekend.

    Jim Pyles


  10. Patients getting short shrift in EHR privacy and access

    Healthcare providers and health information exchanges must do a better job of protecting patients’ privacy, allowing them to access their own healthcare data, and developing consistent “rules of the road” to safeguard information, according to studies published by the New York Civil Liberties Union and Consumers Union.

    http://content.healthaffairs.org/content/31/3/537.abstract

    Your thoughts?

    Judson


  11. Physician’s Stolen Laptop Leads to $1.5 Million Settlement

    Stolen or lost laptops accounted for roughly 1 in 5 incidents of footloose patient data reported to the federal government in 2011, according to a recent study by the accounting firm Kaufman Rossin. If that statistic is not enough to convince out-and-about physicians to lock their laptops in their car trunks, the federal government will get their attention with a regulatory hammer. Just ask a group practice affiliated with the Massachusetts Eye and Ear Infirmary (MEEI), a specialty hospital in Boston.

    In February 2010, a member of that group practice, now retired, had his unencrypted laptop stolen while he was lecturing in South Korea. The laptop contained demographic and health information on roughly 3,600 patients. When it announced the theft 2 months later, MEEI stated that there was no evidence to suggest that anyone had accessed or misused the data in the computer. In addition to apologizing for the data breach, MEEI said it was encrypting laptops connected to its network and educating its staff about limiting the amount of patient information stored on the devices. Those changes were not enough for the Department of Health and Human Services (HHS). On September 17, HHS announced that MEEI and an affiliated medical group, Massachusetts Eye and Ear Associates, had agreed to pay the government $1.5 million to settle “potential violations” of HIPAA. The Massachusetts providers also agreed to a corrective action plan to stay out of HIPAA trouble in the future.

    Source: Robert Lowes, Medscape News [9/21/12]


  12. Ponemon survey

    “How Many Data Breaches Have Surveyed Health Organizations Had in Past Two Years?” – iHealthBeat, December 19, 2012

    http://www.ihealthbeat.org/data-points/2012/how-many-data-breaches-have-surveyed-health-organizations-had-in-past-two-years.aspx

    “In 2012, 45% of surveyed health care organizations said they had experienced more than five patient data breaches during the past two years and 33% said they had experienced two to five breaches, according to a recent report by the Ponemon Institute.”

    Darrell K. Pruitt DDS


  13. HHS Issues Long-Awaited Update to the HIPAA Privacy and Security Rules

    HHS in its long-awaited privacy rule released today expanded liability of business associates of hospitals, physicians, and other HIPAA-covered entities if they release data in ways that violate patient privacy. Called the “omnibus” privacy and security rule because of its broad reach, it updates earlier Health Insurance Portability and Accountability Act rules with more stringent privacy and security measures passed under the American Recovery and Reinvestment Act of 2009.

    The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.”

    Source: Joseph Conn, Modern Healthcare [1/17/13]


  14. EHR Breaches

    “Be Prepared for EHR Breaches, Experts Warn – If you have not yet endured an electronic patient data theft, you most likely will experience one before too long, experts warn. They say the transition to electronic health records (EHRs) has not been accompanied by adequate safeguards, and they are calling on physicians to do more to protect patient data.”

    David Wild

    Clinical Oncology News [November 2014]

    http://www.clinicaloncology.com/ViewArticle.aspx?d=Current%2BPractice&d_id=155&i=November+2014&i_id=1126&a_id=28785

    Katherine Downing, MA, Director of Health Information Management Practice Excellence at the American Health Information Management Association tells Clinical Oncology News: “Health care systems will be seeing large-scale hacks of the type we’ve seen with retailers like Target.”

    Ms. Downing adds that health data are especially valuable because, unlike data from other industries, EHRs typically contain health information in addition to Social Security numbers and other financial details. She points out that because of the “wellspring of information” a patient’s record can sell for $50 on the black market, while stolen Social Security numbers go for $1 (http://bit.ly/1pS2nzz).

    So have you done your risk analysis yet, Doc?

    D. Kellus Pruitt DDS
