SCGhealth Blog

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this information private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was being stored on that hard drive would have been long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as best as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains hidden. Those measures are encryption and deletion.


With that being said, it is unfortunate that the protocols most businesses execute improperly are exactly these two: encryption and deletion. Encryption is the scrambling of data files so that they are legible only to those with the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email that you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient: in the case that one email were to be intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycling bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that information is still there and is far from gone. Anyone with the time and patience can retrieve that information. Just by simply Google searching “retrieving deleted information,” you will find numerous sites containing step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later. Again, double check with your specific state, as the laws differ from state to state.

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly encrypted, and make sure to always send two emails (one with the encrypted file and one with the decryption key). Deletion is the next layer of defense, but it is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (a minimum of three times through). Companies such as Dell offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

Does Your EMR Measure Up?

Monday, July 17, 2017

By Ben Regaldo, contributing writer

If you saw the recent announcement by Allscripts, a major electronic medical records (EMR) provider, that it has released the first fully certified 2015 edition, some questions may arise, such as: What is certification? Does it matter? What’s different about the 2015 edition?

What Is Certification?

Certification essentially means that an independent reviewer (Authorized Certification Body, or ACB) compared the product’s features against a detailed listing of standards, and then notes which standards are met.

The federal Office of the National Coordinator for Health Information Technology (ONC-HIT) maintains the Certified Health IT Product List (CHPL). The CHPL is a comprehensive and easily navigable database of the multitude of EMR products available. By sorting through this database, you should be able to find your product, as well as see all the products that are independently certified with regard to the 2011, 2014 and 2015 criteria. Think of it as the Joint Commission of EMRs. The CHPL enables users to easily make precise “apples to apples” comparisons of the various software products on the market, all while noting which standards are met by each product.

Does It Matter?

The overarching goal of certified software is to assure that necessary health information is being appropriately captured, stored and secured in a manner that allows for easy exchange of information between providers who may not be on the same systems. Proper software should also support the tracking and benchmarking of health care data, for the benefit of providers as well as patients.

Certification reviews cover how the software versions enable what was once known as “Meaningful Use” (Stages 2 and 3), as well as the many Clinical Quality Measures from the Centers for Medicare and Medicaid Services (CMS). Rolled together, these are the standards that allow you to meet elements of the new Merit-based Incentive Payment Systems (MIPS) methodologies, which will determine positive/negative adjustments to your Medicare payment rates in the years ahead.

Under the new MIPS scoring system, a total of 25% of your score comes from meeting standards in what is now known as Advancing Care Information. There are more than 60 items on this list – 48 of which are reviewed in the certification process.

What's Different About the 2015 Edition?

It is important to note and understand that “required” does not mean a system must demonstrate the criteria or it fails certification. This simply means that the element was previously considered “optional” and meeting said element was not required for full certification.

With the release of the 2015 edition comes the removal of some criteria that made up the prior version. Unfortunately, among the 2014 criteria removed in 2015 was having advance directives. Certain items were also changed. For example, the clarifications on the electronic submission of Clinical Quality Measures have been sorted into two standards – reporting and filtering.

However, if anything the 2015 criteria changes demonstrate the desire of the ONC-HIT to promote the evolution and expansion of exactly how EMRs are used.

For example, some items are no longer noted as optional in the 2015 criteria, most importantly computerized provider order entry (CPOE) for medications, laboratory, and diagnostic imaging. Along with CPOE, it is also worth mentioning the accounting of disclosures, as well as the transmission of information to cancer registries and public health organizations.

Alongside the criteria that were removed, new criteria were added as well. The most notable addition is the ability of the EMR system to maintain Implantable Device Lists and Social, Psychology and Behavioral Determinants Data. Beyond merely sharing this information, the ONC-HIT is encouraging the creation and exchange of data in a “common clinical data set,” which is demonstrated by the broadening of data transmission to public health agencies.

With a wide range of products on the market, you don’t need to be looking for a new product in order to evaluate your own routinely. Instead, just look at how your product stands up against the certification criteria and against other products to shed some light on useful features that you may not be using to your advantage. Doing so will allow your providers to deliver better and more coordinated care for your patients, no matter where they are in the healthcare spectrum. Use the certification criteria as a tool to help you run your practice more efficiently, ultimately delivering the best possible experience for your patients. That’s what it’s all about, right?

Flying the Friendly Medical Practice

Monday, May 22, 2017

By Ben Regaldo, contributing writer

No doubt you saw the news that became a public relations nightmare for United Airlines, but you probably don’t know that Christiana Care Health System in Delaware had a similar incident come to light shortly after the United Airlines story broke.

Once known for their iconic slogan, “Fly the Friendly Skies,” United Airlines had years of goodwill undone in just a matter of minutes. Seeing as nearly everyone these days has a recording device of some sort within arm’s reach at all times, another slogan comes to mind: “Smile! You’re on Candid Camera!”

One could argue that the United Airlines flight attendants did nothing wrong. They were just following procedures and doing their job, just like some of your staff may be doing. If that is in fact the case, what can we learn from these recent incidents?

Lesson 1: Culture

“Culture eats strategy for breakfast,” says management guru Peter F. Drucker. In a Harvard Business Review article written in relation to the United Airlines incident, John Deighton states that it isn’t policies and procedures that make a difference, but rather helping staff understand the principles of good judgement and allowing them to exercise just that. Just as staff should understand when and where to break policy (to a certain extent) and exercise good judgement, supervisors must also learn to deviate from the rule book and lead by example.

The airline industry, like healthcare, is driven mainly by policy and procedure because ultimately, lives are at stake. However, if you’ve ever flown Southwest Airlines, you’d never guess that their staff were subject to the same regulations as every other airline. That is due mainly to the difference in culture.

Culture isn’t born from policy manuals. Culture is built through experiences and stories of what’s gone right, what’s gone wrong, and what behavior’s been rewarded and/or frowned upon. In their book “School Culture Rewired,” Steve Gruenert and Todd Whitaker wrote that “the culture of any organization is shaped by the worst behavior the leader is willing to tolerate”. Perhaps now is the time to put down the strategic plans, and think about your strategic culture – specifically the desired patient experience.

Lesson 2: Hire Appropriately

Of course, for a positive culture to become infused throughout your practice, you must have the right people in place to make that happen. This starts with understanding the culture you are looking to portray in your business, and then hiring those with the characteristics and attributes that go hand in hand with said culture, not just the skills necessary to do that job. As mentioned by Human Resource Executive Online, it may benefit one to play out different scenarios during candidate interviews to single out those who cannot utilize desired traits and common sense in certain situations.

Let’s look at Southwest again. Did you know that they focus more on their employees than on their customers (and shareholders)? Southwest believes that if they hire the right people and support their staff, then their employees will focus more on the customers and ensure that they have the best possible experience – a hardnosed business built on love. What attitudes do you take into consideration? Empathy? Responsiveness? Attention to detail? Just to name a few.

Lesson 3: Training and Awareness

Finally, take the time to thoroughly train your staff. As practices continue to grow in patient volume, the time for crucial staff meetings and training often falls by the wayside. Practices with strong cultures have one thing in common: they all invest the time necessary to provide the best training opportunities available. Training should help everyone understand the experience you want patients to have. Remember, patients come to you at a vulnerable time in their lives and are placing incredible trust in you. They need someone who cares, so do right by them and make them feel as if they are more than just dollars and cents.

Involve your staff in the training instruction whenever possible. The younger, more tech-savvy employees of your practice know just how powerful social media can be when it comes to highlighting and spreading the word. Let them help keep your practice in a positive light in both the good and bad situations you may be faced with. We are in the age of technology, so embrace it. Nowadays, the infamous “no cell phone” policy is dying. Even school teachers (once the sworn enemy of cell phones) are finding ways to incorporate apps and other technology into their teaching.

Takeaway: When Things Go Bad, Act Fast

It’s all fun and games until something goes wrong, and before you know it you’re in the spotlight. You’re on the defensive and scrambling to “gather the facts,” but the reality is that negative news travels around the world before you even have the chance. United Airlines CEO Oscar Munoz failed to act for 48 hours, drastically affecting not only the credibility of his airline but also his personal prestige.

It’s imperative to act quickly, honestly and authentically. One can learn a lot from United Airlines’ public relations mess, but it all boils down to their culture, their staff, and the training they provide for their staff. With the introduction of the Merit-based Incentive Payment System, clinicians with the best possible patient experience will receive higher payments. However, the most successful practices have always put patients first. What does that tell you?

You can’t play discrimination dodge ball when it comes to patient communication

Tuesday, February 28, 2017

By Marla Durben Hirsch, contributing writer

Be prepared to provide communication and other assistance to patients with disabilities or with limited English proficiency. There’s been an uptick in government enforcement in this area, with the Office of Civil Rights (OCR) announcing a settlement a month for the last four months against entities that have dropped the ball.

In the most recent settlement, UConn Health agreed to settle allegations that its John Dempsey Hospital failed to provide services and auxiliary aids to a patient in the emergency department who was deaf and requested communication assistance. OCR, joined by the Connecticut attorney general’s office, claimed that the Hospital violated not one but three different laws: 1) The Americans with Disabilities Act (ADA), which prohibits state and local government entities from discrimination against individuals with disabilities; 2) Section 504 of the Rehabilitation Act, which bars discrimination on the basis of disability in any program or activity receiving federal financial assistance and 3) Section 1557 of the Affordable Care Act (ACA), which expanded providers’ obligations to patients with communication problems, such as those with disabilities and limited English proficiency.

The health system has agreed to pay $20,000 in compensatory relief to the patient and take other steps to avoid communication snafus in the future, including revising policies and procedures, training staff, posting a notice of nondiscrimination and assigning an employee to be a civil rights coordinator.

What’s significant is that while OCR noted that the hospital was subject to all three laws and violated all of them “collectively,” in actuality even a solo practitioner is going to be hard pressed to avoid compliance with the laws banning discrimination against those with disabilities or other communication difficulties, since it’s likely that at least one law will apply.

For example, all providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to make their programs, services and activities available to those with limited English proficiency. Section 1557 of the ACA applies to any health program or activity that receives any federal financial assistance, which includes Medicaid and Medicare managed care. Only providers that participate solely in Medicare Part B and receive no other federal money would be exempt.

Moreover, providers should expect to see more enforcement in this area. OCR began its “barrier free health care initiative” several years ago, primarily to help deaf patients obtain interpreter assistance when seeking health care.

However, since section 1557 of the ACA requires providers to publicize that they do not discriminate, it is likely that more aggrieved patients will be filing complaints with OCR, since their awareness of their rights will be increased.

In addition, OCR has been stopped – that is, “enjoined” – from enforcing two of the other nondiscrimination provisions of section 1557. A federal court on December 31 ruled that OCR can’t pursue alleged violations of discrimination against entities on the basis of gender identity or termination of pregnancy. So it’s possible that OCR will concentrate on those components of section 1557 that it can still investigate and enforce.

Your Voluntary Wellness Program Is Safe – For Now

Tuesday, February 07, 2017

By Marla Durben Hirsch, contributing writer

If your practice has instituted an employer sponsored wellness program in accordance with the new rules issued by the Equal Employment Opportunity Commission (EEOC), it looks like those rules currently pass muster. The AARP’s request for a preliminary injunction to prevent the rules from going into effect January 1, 2017 has been shot down by a federal court.

Many employers have instituted voluntary wellness programs such as tobacco cessation classes, Fitbit teams and the like in order to promote and improve the health of their workforce. These programs are popular because they decrease the cost of health care by improving employee health.

Employers can’t discriminate against employees on the basis of disability or genetics, but the law allows employers that operate these wellness programs to conduct voluntary medical exams such as health risk assessments or diagnostic tests and collect medical histories, as part of these programs so long as participation is voluntary. The information collected can include disability or genetic protected information. Moreover, the employer can impose an incentive/penalty of up to 30 percent of the employee’s health insurance premiums for participation. In other words, an employee that doesn’t share her medical information can be subject to an up to 30% increase in the cost of her health insurance premiums.

The EEOC published rules in May 2016 clarifying how employer sponsored wellness programs that collect this confidential medical information would dovetail with the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), and imposing some requirements regarding how such wellness programs need to operate.

For instance, the program must be reasonably designed to promote health or prevent disease. Employers also need to provide notice to employees informing them what information will be collected, how it will be used, who will receive it and what will be done to keep it confidential. The notice also needs to state that employees may not be discriminated against in employment because of the medical information they provide as part of participating in the wellness program, nor may they be subjected to retaliation if they choose not to participate.

AARP is concerned that its members, who are older and may be less healthy, will be discriminated against if they reveal confidential medical information that they prefer to keep confidential, and penalized with the higher insurance premiums that they can’t afford if they choose not to. The organization filed a lawsuit in October 2016 to stop the rules from going into effect.

The federal District Court for the District of Columbia said no, ruling December 29, 2016 that the rules were not so onerous as to cause “irreparable harm” such that the rule needed to be stopped in its tracks. It said that the rules were designed to prevent employers from using the information to discriminate against employees, and that AARP had not submitted sufficient evidence to show that people would suffer such irreparable harm that the rules could not even be implemented.

The EEOC rules went into effect January 1, 2017, so if you have or are considering operating a voluntary wellness program you can go forward – but you still need to comply. For instance, if you haven’t provided employees with that notice on how the employer sponsored wellness program will work, you need to do so promptly. The EEOC has created a sample notice that employers can adapt.

Practices should also keep an eye on this case. AARP has said that even though it wasn’t granted a preliminary injunction to keep the rules from going into effect, it’s still going to pursue its lawsuit challenging the rules. If AARP ultimately prevails, these wellness programs may need to be restructured.

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch, contributing writer


Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse: many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician owned Radiology Regional Center, with several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.

Attestation Worksheets Now Available for 2016 Medicare EMR Incentive Program

Tuesday, January 10, 2017

Written by: Melissa Cotton

The Centers for Medicare & Medicaid Services (CMS) has announced that its certified electronic medical record (EMR) Incentive Program attestation system will be open from January 3 through February 28, 2017. All physicians must attest by the February 28, 2017 deadline to avoid a 2018 payment adjustment. The EMR Incentive Program is commonly known as the “Meaningful Use Program.”

CMS has also released two attestation worksheets for eligible professionals, eligible hospitals and critical access hospitals. The worksheets can be located on the CMS website or by following the links listed below:

The Eligible Professional Attestation Worksheet is for physicians in the Modified Stage 2 of the Medicare EMR Incentive Program. Physicians must report on the following:

  • Ten objectives, which should include one consolidated public health reporting objective with measure options requiring physicians scheduled to be in Stage 1 and Stage 2 to meet two public health measures (SCG Health is a specialized registry)
  • Nine out of 64 of the clinical quality measures covering at least three National Quality Strategy domains

Physicians may log into their meaningful use measure dashboard in their certified electronic medical record technology for each objective and use the worksheet as a reference when attesting for the 2016 Medicare EMR Incentive Program in CMS’ Registration and Attestation System. CMS strongly encourages providers to review the additional resources for the 2016 EMR Incentive Program.

For assistance using the Medicare & Medicaid EHR Incentive Program Registration and Attestation System, reference these user guide materials:

To call for support, dial 1-888-734-6433, option 1, between 7:30 a.m. and 6:30 p.m. (Central Time) Monday through Friday, except federal holidays.

Be Prepared for an Audit

As a reminder, please take screen shots and other support materials to demonstrate the information used to attest for meaningful use during the 2016 period chosen. SCG Health’s recommendations and best practices are in these blog posts:

Need help?

With the deadline for attesting for Meaningful Use rapidly approaching, be sure to log in and check your account today. And if you need help, contact SCG Health.

Are You Avoiding the Advance Care Planning Conversation?

Tuesday, January 03, 2017

Written by: Ben Regalado, contributing writer

When it comes to talking about advance care planning, many physicians … still don’t.

Beginning in 2016, Medicare allowed for payment to providers who conduct advance care planning discussions with their patients and/or family members. Realizing that such conversations can be difficult, the payment structure created was based on the time it takes to have the discussion, with few other boundaries. For instance, the conversation didn’t have to be only with the beneficiary, but could include family members.

Still, a poll conducted by the California-based John A. Hartford Foundation a few months after the payment policy went into effect showed that while physicians overwhelmingly supported providing the service, only 14% have actually billed for it. (You can find an excellent summary here.)

The survey noted that those most likely to have billed for advance care planning services worked regularly in a hospital setting, had participated in formal training in how to have the conversations, and also had a formal system or process in place to encourage the conversation. It appears the last two factors are potential areas of focus, as both relate strongly to having time to prepare for and conduct the advance care planning conversations.

Here are two ideas that you can use to expand the opportunity for conversations in the new year:

1. Physicians who want to have the advance care planning conversation should consider setting aside time during the annual wellness visit. The benefit for the patient is that these services can be provided without a copay or deductible, and the expectation can be established up front that this will be included.

2. More than half of the physicians surveyed indicated there is a place in their electronic medical record to indicate whether the patient has an advance care plan (with some allowing you to see what is in the plan, if a copy has been provided). Reports run a few days before the appointment can help you identify the patients who are candidates for discussion, or you can ask your staff to check when the appointment is set to see if additional time is needed.

Finding Training Resources

Even if the expectation is established and reports are run, there is no denying the fact that a major barrier to the discussion is physicians feeling unprepared to do so. Nearly one third of doctors polled cited a lack of formal training in how to have the conversation as a barrier.

Indeed, though there are plenty of websites and documents that are designed to help the patient, a quick scan found a lack of online provider-focused training resources (although we found a number of journal articles, a few of which you can explore here, here, here or here).

Perhaps familiarizing yourself with a few patient-oriented resources, such as or, can be a first step in establishing your own process and dialog. In fact, when establishing an appointment with a target age group or patient, you may want to train your staff to sensitively and tactfully guide the patient, at the time the appointment is made, to the website or information of your choosing.

Sensitivity and tact also require another perspective: addressing the topics of death and dying (among other health-related subjects) with cultural sensitivity. Since advance care planning falls outside the norm of illness and injury, understanding how to approach a particular patient population will take an investment of time. Again, readily available online resources appear to be limited (our search found one very limited guide). You may consider how a local hospice medical director could assist you and your practice through peer education.

Being a physician involves hard decisions and discussions. Our cultural diversity demands sensitivity. Look at advance care planning payment not as revenue, but as a way to facilitate meeting the total care needs of your patients. In the long run, they and their family members will thank you.

OCR, ONC dispel fears about sharing patient records for public health purposes

Wednesday, December 28, 2016

Written by: Marla Durben Hirsch, contributing writer

Queasy about over-disclosing information about your patients to the government for fear of violating HIPAA? Evidently, you’re not alone, but your ability to provide this information is broader than you may think.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, and the Office for the National Coordinator of Health IT (ONC) have issued a fact sheet to allay providers’ concerns about sharing data to foster public health.

HIPAA allows covered entities to share patient information without first obtaining the patient’s written authorization when the disclosure involves treatment, payment or operations. According to the fact sheet, released in December, sharing information with public health agencies authorized by law to collect information for public health reasons is one of those instances where an authorization is not necessary.

Lucia Savage, ONC’s chief privacy officer, and Matthew Penn, the director of public health law programs for the Centers for Disease Control and Prevention (CDC), explain in a related blog post published December 8, 2016 why the fact sheet was necessary:

“Many Americans have not taken full advantage of electronic health record data, perhaps because of confusion about how the Health Insurance Portability and Accountability Act (HIPAA) interacts with and supports the exchange of electronic health information for the purposes of public health.”

The fact sheet lists several not-so-hypothetical examples where it’s okay to divulge information, such as:

  • To honor a CDC request to collect disease surveillance information
  • To a state cancer registry, including type, extent, location of cancer and type of initial treatment
  • As part of a state department of health investigation of a disease outbreak
  • To assist a state health department intervention program, such as to reduce lead in drinking water or to measure care coordination outcomes
  • To the Food and Drug Administration collecting information as part of a medical device recall
  • To notify individuals who may have been exposed to a communicable disease while in the provider’s waiting room
  • To engage in medical surveillance in the workplace to evaluate work related injuries and illness, as required by law

Note that entities still need to comply with other provisions of the law, such as following HIPAA’s security rule when sending information electronically. They also need to provide only the minimum amount of data necessary, although they can rely on a public health authority’s request as to what information is necessary for these public health activities.

Why this new alert is important
While the fact sheet and blog post don’t say so, it appears that the government is concerned that the information currently being collected is incomplete. That can have a major impact on an agency’s ability to provide accurate information to the public and to health care providers, as during the spread of measles that occurred in 2015.

Moreover, situations such as recent natural disasters and the Zika and Ebola outbreaks have increased attention on population health and the need for more proactive action. For instance, the CDC reported in December that the number of cases of mumps in the United States has skyrocketed, with 4,258 cases reported in 2016 as of December 3. In contrast, there were only 229 reported cases of mumps in all of 2012. The CDC suggests that this increase may be due in part to the possibility that the mumps vaccine is losing its effectiveness, which would need to be addressed.

Takeaway: Providers should expect more scrutiny in this area of HIPAA now that ONC and OCR have highlighted it as an area needing further guidance and have sought to reduce any confusion about compliance. Check your policies and procedures regarding data sharing for public health purposes and ensure that you understand the rules.

Read the fact sheet.
Here’s the blog post.
Read the CDC mumps report.

Forget Instagram: “Insta-Mail” Could Pose New HIPAA Issues

Tuesday, December 06, 2016

Written by: Ben Regalado, contributing writer

In the early days of email, we looked forward to the voice chiming “You’ve Got Mail!” when we logged in to our inbox. While that may be far from the case now, the United States Postal Service is rolling out a new service that will make that phrase literally true. Very soon, if not already, you can sign up for Informed Delivery and find out by email what’s in your mailbox before you open it, perhaps before the mail itself arrives.

Through Informed Delivery, your post office can send photos of your mail packaging (not contents) to a designated email before delivery, allowing you to see what’s coming before it’s arrived. While the technology isn’t yet where the USPS wants it to be, the full fruition of the service is probably not far away.

The original purpose of the postal service, secure and reliable communication, has proven to be less than profitable in this new era of communication. So, by focusing on generating new revenue from direct marketers who have increasingly abandoned the mail in favor of targeted online advertising, this service allows you to see (among other things) the catalog or magazine about to arrive, and then potentially click on a link that may bring you special offers. This holds appeal to marketers (and maybe to you, if you choose to enter into that promotional approach) as it gives more exposure to the message.

Of course, what if the message isn’t marketing? What if it instead contains lab results or other medical information that even in a shared household and mailbox, someone wants to protect? As always, we encourage you to take steps to protect the confidentiality of information. 

You obviously can’t control who sees and opens mail in a household. But as much care should be given to what is on the outside now as what is on the inside. While envelopes are often seen as marketing tools, perhaps a return to the plainly printed white or manila envelope should be a consideration. After all, once opened the pieces generally find their way to the recycle bin (right?!). 

Of course, the underutilized patient portals are also supposed to be a greater part of the communication dialog between physicians and their patients. The one-to-one dialog allowed may be where we need to go to promote privacy in communication, and perhaps save time and money.

In addition, having spent more than a few hours slicing open, sorting, scanning and shredding mail sent between doctors and patients, lab companies, hospitals, or even other doctors, we can begin to appreciate the inefficiency and weak security of using the mail, when electronic communication will suffice. Perhaps this new initiative can be used to encourage the digital generation to take the steps to maintain their confidentiality that a portal will provide.

Are you willing to challenge your patient population to adopt the use of portals over US Mail? 

As for those who are less tech savvy, it’s important to understand that while they may not choose to use a portal, or even elect to receive images of their mail by email, the conversation about who will have access to their information must become ongoing. Adult children acting as caretakers may want to see what’s in Mom and Dad’s mail, and while the Informed Delivery process is supposed to take steps to assure confidentiality, there is no guarantee that it will.

Repeatedly putting disclosure in the hands of the patients is the most effective means of protecting confidentiality.

For medical practices, HIPAA has become so automatic (the offer, and frequent refusal, of the privacy policies; the signature) that we forget it is in place to protect the doctor-patient relationship and, at the very least, to support the care you provide and the dignity of each patient. Much like updating benefits at each visit, perhaps your process should now require more than the annual HIPAA signature, and instead actively and plainly ask: “Do you want to make any changes to who can see your medical information?”

HIPAA is now a 20-year-old law with ever increasing new permutations. As technology creates pressure points, it’s up to you to respond. How do you intend to do so?
