SCGhealth Blog

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this information private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was being stored on that hard drive would have been long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as well as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains hidden. Those measures are encryption and deletion.


With that being said, it is unfortunate that the two protocols most businesses execute improperly are precisely encryption and deletion. Encryption is the scrambling of data files so that they are legible only to those with the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient: if one email were intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycle bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that the information is still there and is far from gone. Anyone with the time and patience can retrieve it. A simple Google search for “retrieving deleted information” turns up numerous sites containing step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later. Again, double check with your specific state, as the laws differ from state to state.

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly encrypted, and make sure to always send two emails (the encrypted file and the decryption key). Deletion is the next layer of defense, but it is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (a minimum of three times through). Companies such as Dell offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.
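The "rewritten a minimum of three times" step above, shown as a small added example rather than anything SCG Health or the post itself provides. It overwrites a single file with three passes (zeros, ones, random bytes), syncing each pass to disk, and only then unlinks it. The sample file contents are constructed for the demonstration, and the routine assumes a magnetic disk that rewrites blocks in place; on SSDs, journaling or copy-on-write filesystems, synced cloud folders and backups, an in-place overwrite does not guarantee the old bytes are gone, so there it is only defense in depth alongside full-disk encryption and the vendor's sanitize or crypto-erase command.

```python
# Added example (not SCG Health's tooling): multi-pass overwrite before deletion,
# illustrating the "rewritten, minimum of three times" advice from the post.
# Assumption: the file sits on a magnetic disk that rewrites blocks in place.
# On SSDs, journaling/copy-on-write filesystems, network shares, cloud sync
# folders and backups, an in-place overwrite does NOT guarantee the old bytes
# are gone; rely on full-disk encryption plus the vendor's sanitize/crypto-erase
# there and treat this routine as defense in depth only.
import os
import secrets
import tempfile

# Pass patterns: all-zero bits, all-one bits, then random data (None = random).
PASS_PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=3, remove=True, chunk_size=1024 * 1024):
    """Overwrite `path` in place `passes` times (three by default), syncing
    each pass to disk, then unlink it unless remove=False.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            pattern = PASS_PATTERNS[i % len(PASS_PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass through the OS cache to the disk
    if remove:
        os.remove(path)
    return size


def demo():
    """Create a constructed sample file, overwrite it, and report what changed.
    Returns a dict so the result can be checked rather than only printed."""
    # Constructed placeholder content; not real patient data.
    original = b"CONSTRUCTED SAMPLE: patient record, MRN 000000\n" * 200
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "phi_export.txt")
    with open(path, "wb") as fh:
        fh.write(original)
    written = overwrite_file(path, remove=False)   # three passes, keep the file
    with open(path, "rb") as fh:
        after = fh.read()
    overwrite_file(path)                            # overwrite again and unlink
    os.rmdir(tmpdir)
    return {
        "bytes_per_pass": written,
        "size_unchanged": len(after) == len(original),
        "content_replaced": after != original,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script and `demo()` reports that every byte of the sample was rewritten, the size was unchanged, and the file no longer exists. For a whole disk rather than a file, the same idea is what the post's "magnetically wiped or completely reformatted and rewritten" advice refers to, and a destruction vendor's certificate is the evidence to keep for your HIPAA records.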

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

July 15 deadline for the UnitedHealthcare Premium Designation Program: What You Need to Know

Monday, July 04, 2016

By: Elizabeth Lauzon, Public Relations Coordinator

With the UnitedHealthcare Premium Designation Program reconsideration submission deadline of July 15 quickly approaching, here is what you need to know before you log-in to check your status or submit an appeal.


The UnitedHealth Premium Designation Program results are displayed publicly on UnitedHealthcare's consumer web directories of their network participating physicians in 27 specialties in 42 states and 160 markets. The designation uses both quality and cost efficiency to determine a physician's designation. UnitedHealthcare defines quality by comparing a physician's observed practice to the same rate among their national network of physicians, and they compare a physician’s cost to the costs of peers in the same market and specialty. The goals of the program are to assess primary care physicians and certain specialists, recognize physicians who meet national standards for quality and local measures for cost-efficient care and to help members make informed, personally appropriate choices for their medical care.

Why it’s important to know where you stand
Because more and more consumers are using online tools to choose their providers, it’s important to know where you stand in meeting the quality and cost-efficiency criteria reflected in the Premium designation. To check your status, you must first register, then register for UnitedHealth Premium website access (learn more under Clinician Resources > Performance Measurement & Reporting > UnitedHealth Premium).

Premium Reconsideration Eligible Corrections
If you are not satisfied with your status, Premium reconsideration is an opportunity for physicians to request a change to the patient-level quality and/or cost efficiency information used in their Premium assessment. There are two types of corrections or changes that can be requested through reconsideration due July 15, 2017:
A. Exclusion requests allow the submission of additional information which may warrant removal of the requested measurement element. Additional information may be submitted for patients, quality opportunities and/or episodes.
B. Compliance requests allow the submission of additional information which may demonstrate compliance with the criteria for the requested quality opportunity.
Each request for correction or change is then investigated by the reconsideration team.

Reconsideration Process (resource on the process)
1. Log-in to Quick Links > Unitedhealth Premium > Premium Reconsideration > Reconsideration Status
2. Check your reconsideration eligibility. Your eligibility will be noted on the Premium Reconsideration webpage. If you are not eligible to submit a reconsideration, you will see an explanation of why you are not eligible and further instructions, if applicable.
3. Prepare and submit your request. From the Premium designation page, you can access detailed reports containing the patient, measure and episode data used to determine your designation. Multiple requests for corrections or changes submitted together are tracked under a unique Reconsideration Case ID for tracking and reporting purposes. Although not required, supporting documentation may be submitted with the reconsideration request.
4. Notification. Physicians are generally notified of their reconsideration results, including the specific reasons for the final decision, within 30 days of request submission.

With the deadline for submitting a reconsideration rapidly approaching, be sure to log in and check your status today. And if you need help, contact SCG Health.

SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.