SCGhealth Blog

We Fired Amazon's Alexa

Wednesday, February 21, 2018

By Clay Dubberly, Intern 

Amazon’s Alexa is being criticized by the healthcare industry, not because of a design error, but because of its passive listening ability. This function led Jennifer Searfoss, CEO of SCG Health to ban Alexa from its premises.

Alexa is an “intelligent personal assistant” capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and offering other real-time information.

Alexa works by listening for its wake word (its name), which prepares it to analyze a command. It then listens and responds to everything it hears afterward. You can ask it about the weather or unit conversions, or even for help shopping. It can also be used as an intercom.

In a medical environment, it can be used to help physicians take notes, remotely monitor patients, or allow them to ask health-related questions.

Passive listening and hacking: The Downsides to Alexa

The problem is that Alexa is listening to its surroundings at all times. This means that, 24/7, she can be picking up personal information, which is sent back to Amazon or to a potential hacker.

“There’s too much risk to be hacked,” Jen Searfoss says. “SCG Health used to have the device in its building,” but “We kicked Alexa out of our office after considering the vulnerabilities of the passive listening technology.”

There isn’t just a “possibility” of being hacked; it’s a reality. There are already several documented instances of Alexa being compromised. One is the “Dolphin Attack,” which exploits the fact that the device picks up frequencies humans are unable to hear.

In this type of attack, hackers shift a voice command to a frequency above 20,000 Hz and play it through another phone’s speaker. While humans can’t hear this, smartphones will pick it up. Another concern for users is that a device that’s been compromised looks no different from one that hasn’t.

After picking up the frequencies, Alexa can carry out the command without the user’s permission. All that’s needed to do this is a battery, a smartphone, an ultrasonic transducer and an amplifier. All of this is readily sold online for a low price.

After a successful attempt, intruders can open your garage door (provided the right technology is installed) or make calls.

Another way Alexa can be hacked involves pre-installing software onto the device which transforms it into a wiretap that records any sound picked up onto a computer at another location.

Forbes successfully tested this out. One disadvantage (to the hacker) is that it takes several hours of installation on the hacker’s part, but it still poses a threat to anyone who buys Alexa from a secondhand source.

In one of those less-concerning instances when hacking is used for something good (or at least something funny), Alexa was hacked into a Big Mouth Billy Bass -- one of those wall-mounted fish that sings songs like “Don’t Worry Be Happy” or “Take Me To The River.”

Alexa isn’t HIPAA compliant. Here is how Amazon plans to fix it.

Another big concern for Amazon’s Alexa (as if being hacked wasn’t big enough) is that it’s not HIPAA compliant. As such, its use in healthcare is extremely limited.

The idea of having a device which could be recording patient data presents a clear threat: “It’s collecting info that has PII,” Ms. Searfoss says.

To help Alexa reach HIPAA compliance guidelines, Amazon recently hired a HIPAA Compliance Agent to help them reach legal requirements, including Business Associate Agreements (BAA), federal and state laws, and standards and regulations. The Compliance Agent is expected to help ensure that “technology and business processes meet [Amazon’s] HIPAA BAA requirements, as well as all applicable federal and state laws, regulations and standards.”

Some healthcare organizations have begun testing the device’s capabilities despite the risk. WebMD, for example, allowed Alexa to deliver its web content to users in their own homes. Beth Israel Deaconess Medical Center (BIDMC) ran a successful pilot study in an inpatient setting (without actual patient data). It eventually plans to use it in a clinical setting, but not until Amazon signs a BAA.

Boston Children’s Hospital (BCH) also experimented with using Alexa to give information to its clinical staff, but because it didn’t have a BAA, only non-identifiable health information was used. BCH also created an Alexa skill called KidsMD, which lets users ask for advice when their kids have a fever.

SCG Health will continue to stand strong and enforce its ban on Alexa -- at least until Amazon approves a business associate agreement.

Don’t come back! Ensuring that former employees can’t access HIPAA-protected confidential patient information

Wednesday, December 13, 2017

By Marla Durben Hirsch

One of the most common – and frustrating – ways that patient information is compromised in violation of HIPAA is by a provider’s own staff. The problem is so prevalent that the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about it. 

The alert, released in a newsletter November 30, focuses on the risks posed by former employees who still have the ability to access electronic protected health information (ePHI) “with evil motives.” 

“Effective identity and access management (IAM) policies and controls are essential to reduce the risks posed by these types of insider threats. IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts. Making sure that user accounts are terminated, so that former workforce members don’t have access to data, is one important way IAM can help reduce risks posed by insider threats,” OCR says. 

OCR recommends a number of common sense steps that covered entities and business associates should take to protect patient information from former employees: 

  • Have standard procedures covering all action items to be completed when an individual leaves; these action items could be incorporated into a checklist. They should include notifying the IT department or a specific security individual when an individual should no longer have access to ePHI, such as when his duties change, he quits, or he is fired.
  • Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
  • Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
  • Terminate electronic and physical access as soon as possible.
  • De-activate or delete user accounts, including disabling or changing user IDs and passwords.
  • Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave.
  • Change the passwords of any administrative or privileged accounts that a former workforce member had access to.
  • Address physical access and remote access by implementing procedures to:
    • take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys);
    • terminate physical access (for example, change combination locks, security codes);
    • effectively clear or purge ePHI from personal devices and terminate access to ePHI from such devices if personal devices are permitted to access or store ePHI;
    • terminate remote access capabilities;
    • terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services.
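As an added example (not OCR’s guidance text and not an SCG Health tool), the Python checks below implement several items from that list over constructed sample data: an HR roster with termination dates, an IAM account export with last-login dates, a record of who holds the passwords of shared privileged accounts, and a few EHR access-log lines. Every name, date and the log-line format are assumptions; the point is what an offboarding audit actually compares.

```python
"""Offboarding audit over constructed sample data: which accounts should already
have been disabled or rotated, and whether a departed user's credential was used
after their last day.  Added example, not OCR's or SCG Health's own tooling."""
from datetime import date, datetime, timedelta

# Constructed HR roster: username -> termination date (None = still employed)
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2017, 11, 1),    # resigned, last day Nov 1
    "cwu": date(2017, 10, 15),      # terminated Oct 15
}

# Constructed IAM export: one record per account
IAM_ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2017, 11, 28)},
    {"user": "bjones", "enabled": True, "last_login": date(2017, 11, 20)},
    {"user": "cwu", "enabled": False, "last_login": date(2017, 10, 14)},
    {"user": "svc_backup", "enabled": True, "last_login": date(2017, 7, 1)},
]

# Constructed record of who knows the password of each shared privileged account
SHARED_PRIVILEGED = {"svc_backup": ["asmith", "bjones"], "ehr_admin": ["asmith"]}

# Constructed EHR access log: "<ISO timestamp> <user> <action> [details]"
ACCESS_LOG = """\
2017-11-20T08:02:11 bjones login
2017-11-20T08:05:40 bjones view_record patient=482
2017-11-28T09:10:02 asmith login
"""


def terminated_but_enabled(roster, accounts):
    """Accounts still enabled although HR says the person has left."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and roster.get(a["user"]) is not None)


def dormant_accounts(accounts, today="2017-11-30", max_idle_days=90):
    """Enabled accounts with no login in the last max_idle_days
    (the OCR 'not used for a specified number of days' alert)."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["last_login"] < cutoff)


def privileged_passwords_to_rotate(roster, shared):
    """Shared privileged accounts whose password a departed person knew.
    Disabling the person's own account is not enough; the shared secret must change."""
    return sorted(acct for acct, holders in shared.items()
                  if any(roster.get(h) is not None for h in holders))


def post_termination_activity(roster, log_text):
    """Log lines where a user acted on or after their termination date.
    Any hit is a presumptive breach that needs investigation."""
    hits = []
    for line in log_text.splitlines():
        ts, user, *_ = line.split()
        term = roster.get(user)
        if term is not None and datetime.fromisoformat(ts).date() >= term:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("still enabled after leaving:", terminated_but_enabled(HR_ROSTER, IAM_ACCOUNTS))
    print("dormant > 90 days:", dormant_accounts(IAM_ACCOUNTS))
    print("rotate shared passwords:", privileged_passwords_to_rotate(HR_ROSTER, SHARED_PRIVILEGED))
    for hit in post_termination_activity(HR_ROSTER, ACCESS_LOG):
        print("post-termination activity:", hit)
```

Run as a script, the sample data produces one account still enabled after departure (bjones), one dormant service account (svc_backup), one shared password to rotate (svc_backup, because bjones knew it), and two log lines of activity under bjones’s credential after the termination date. In a real environment the three inputs come from HR, the directory service and the EHR audit trail, and the last check is the one that catches the Memorial-style scenario of a former employee’s login being used by someone else.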

Alert leaves some gaps
While the alert provides practical advice, there are some issues that it did not address:

The legal consequence of dropping the ball. The alert doesn’t remind readers that unauthorized access by a current or former employee is presumed to be a breach of PHI reportable to HHS and likely a HIPAA violation if the entity hadn’t taken adequate steps – i.e., the ones listed in the alert – to protect the records. 

For instance, earlier this year Memorial Health Care System in South Florida paid $5.5 million to settle allegations it had violated HIPAA. The ePHI of more than 80,000 patients was impermissibly accessed by employees and disclosed to affiliated physician office staff using the login credential of a former employee of an affiliated physician’s office. Memorial had failed to implement procedures for reviewing, modifying and/or terminating users’ right to access. It also failed to promptly detect the activity, even though it had identified this issue as a vulnerability. Some of these disclosures led to federal charges relating to selling the patient information and filing fraudulent tax returns.

The need to include access control in security risk analyses. The alert doesn’t point out a fundamental tenet: the provider needs to know not only who has access and equipment but also what kind of risk that poses. Are smartphones encrypted? Can computers be remotely accessed? Are passwords changed regularly? It is therefore important to include this in your HIPAA-required security risk analysis.

Failure to comply can create additional headaches. Providers need to worry about more than HIPAA compliance. For example, a former employee of a perinatal medical practice who took a new job with a competitor hacked the computer of his former employer and took all of the patient information to create a direct mail campaign for the competitor. To add insult to injury, he wiped the patient information from the former employer’s system. He was convicted of the cybercrime and went to prison, but caused tremendous damage to the practice. 

Takeaway: Implement these safeguards, many of which are easy and cost-effective. If OCR is flagging a particular issue, that means it’s occurring often and a priority of the agency.

OCR issues new warning about protecting patient information on mobile devices

Monday, November 13, 2017

By Marla Durben Hirsch, contributing writer

Tread carefully if you store, send, receive or transmit electronic protected health information (ePHI) via a laptop, iPhone or other portable electronic device. The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about the vulnerability of such information.

The alert, released in a newsletter October 31, notes that while mobile devices are convenient and easy to use, the ePHI on them is particularly difficult to keep secure. The devices are usually on default settings, enabling them to connect to unsecured Wi-Fi, Bluetooth, cloud storage or file sharing network services, where others can access the data. It is common for users to inadvertently download malware or viruses, which can hack into or corrupt the data on the device. And the devices themselves are frequently lost or stolen.

For example, more than 27% of the breaches of 500 or more patient records archived on HHS’ HIPAA breach “wall of shame” were due to the loss or theft of a laptop or other portable device. That figure doesn’t even include potentially related breaches, such as emails containing ePHI sent from a mobile device to the wrong recipient or that were intercepted. 

“As mobile devices are increasingly and consistently used by covered entities and business associate[s] and their workforce members to store or access ePHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected,” OCR says in the alert. 

OCR recommends that entities: 

  • Include mobile devices when conducting their HIPAA-required security risk analyses to identify vulnerabilities that could compromise patient data and take action to reduce any vulnerabilities or risks found.
  • Implement policies and procedures regarding the use of mobile devices in the work place, especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all ePHI stored on a mobile device before discarding or reusing the mobile device.
  • Train staff on how to securely use mobile devices. 

Don’t expect leniency on this one
OCR’s concern about protecting patient data on portable devices is not new. The agency has previously published resources on this topic, including videos, checklists and FAQs. But the fact that OCR felt a need to repeat itself indicates that it believes that entities are not “getting the memo” and are not taking proper precautions. 

It also shows that this is a front burner issue for the agency, and that entities which fail to comply despite the plethora of repeated guidance are more likely to face harsher punishment. 

Takeaway: Entities that suffer a breach of ePHI related to a mobile device are not going to be able to defend themselves on the ground that there was no guidance to help them protect the data. Now’s a good time to assess your office’s use of portable devices and reduce the risk that patient information will be exposed.

Think Twice Before Using a Voice Assistant at Work

Monday, October 16, 2017

By Marla Durben Hirsch, contributing writer

Voice assistants like Apple’s Siri or Amazon’s Echo Dot can be convenient and easy to use, but tread very carefully if you’re going to use them in your practice, since they are fraught with risk.

A recent survey found that almost a fourth of physicians are already using a voice assistant for work-related reasons, including drug dosing queries, diagnostic information searches, communication and dictation. That number is expected to rise as the devices become more popular, but these tools have shortcomings that many physicians are not aware of, according to attorneys Elizabeth Litten and Michael Kline, with the law firm of Fox Rothschild in Princeton, New Jersey.

Some of these risks include:

Privacy. Since these are voice-powered devices, the physician’s query and the device’s response can be easily overheard by others, says Kline. If a physician provides too much patient-specific information so as to make the patient identifiable, speaks more loudly than necessary, or positions the device so that it’s not in a private area, it could be a violation of the Health Insurance Portability and Accountability Act (HIPAA) or state law privacy rights.

Security. Most people don’t realize that voice assistants store users’ queries, making them subject to hacking. In addition, different voice assistants deploy different levels and types of security of the stored information, warns Litten. For instance, Siri keeps recordings and transcripts but ties them to random numbers, making the users more anonymous. Amazon’s Alexa is much less secure; it stores full transcripts which can be viewed by the user – as well as anyone else who can access the user’s account. “You’ve created data. Be aware this is another place where the data is stored,” says Litten.

There’s also the vulnerability of the devices themselves. Voice assistants are part of the “Internet of Things,” like smart TVs, wireless insulin pumps and baby monitors. Unfortunately, they are easily exploited by cybercriminals, who eavesdrop and collect information to use against users, disable or reprogram the devices, download malware which can then affect other electronic systems, and other wrongdoing. The FBI has issued several warnings about the security risks of things that use the Internet, including one this past summer.

Unreliable, inaccurate or wrong content. Just because a voice assistant is programmed to search the internet does not mean that the information it locates and spits back is reliable and trustworthy. “You don’t know how good the information is and whether it’s validated,” warns Litten [for example, ask Siri to divide one by zero]. This is particularly concerning when asking for and relying on clinical information.

Medical record problems. Some voice assistants that input automatically into the medical record may do so in a way or location that you don’t want or is hard to later find. Some physicians neglect to input clinical information received from a device into the patient’s medical record, rendering the record faulty or incomplete, warns Kline.

Malpractice concerns. Relying on questionable or wrong information provided by a voice assistant and failing to keep complete medical records are malpractice risks. And since the tools store past queries, they can be discoverable in malpractice litigation.

Six tips to protect your practice:

Some entities have banned the use of voice assistants in the workplace. However, an outright ban may not be feasible or desired; it may also be difficult to enforce, says Kline. If these devices will be allowed, at least take some steps to reduce your risks:

  • Understand the security of the voice assistant you want to use. Know how it stores and retrieves data, says Litten. If you have a choice, use one that’s more secure. For instance, the assistant in your electronic health record or iPhone may be more secure than Amazon’s Alexa.

  • Use the tool cautiously. Don’t rely on it for clinical information without corroboration, and don’t provide it with identifiable patient information. “Be careful how you frame inquiries,” suggests Litten.

  • Make sure that all physicians and staff understand the limitations and risks of using voice assistants in the office. Hopefully this will cause users to be more careful. For example, all searches should be viewed as nonprivate, says Litten.

  • Take steps to not violate HIPAA or state privacy and security rules. Include these devices as part of the practice’s overall HIPAA compliance efforts. For instance, don’t use the tools in a way that others can overhear the query or the response. “Don’t yell to Alexa and be a bigmouth. Use [HIPAA’s] elevator rule [and don’t discuss patient information in public],” says Litten.

  • Adopt the FBI’s suggestions to reduce the tool’s vulnerability. For example, change the password on the voice assistant from the manufacturer’s default password so that it’s less likely to be exploited; apply security update patches when applicable.

  • Document applicable clinical information into the medical record. “If it’s not documented it didn’t happen,” warns Kline.

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this info private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was stored on that hard drive would be long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as best as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains hidden. Those measures are encryption and deletion.


With that being said, it is unfortunate that the protocols that most businesses are improperly executing are encryption and deletion. Encryption is the scrambling of data files, only legible to those with the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email that you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient in the case that one email was to be intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycle bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that the information is still there and far from gone. Anyone with the time and patience can retrieve it. A simple Google search for “retrieving deleted information” turns up numerous sites with step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later. Again, double check with your specific state, as the laws differ from state to state.

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly encoded, and make sure to always send two emails (the encrypted file and the decoder key). Deletion is the next layer of defense, but it is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (a minimum of three passes). Companies such as Dell offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.
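The overwrite-and-delete step described above, as an added example that is not part of the original post or any SCG Health procedure: a Python routine that rewrites a file’s contents three times (random, random, then zeros), syncing each pass to disk, and only then removes the directory entry, with a demo on a constructed sample record in a temporary file. The file name and record content are assumptions. The comment at the top carries the caveat a practitioner needs: on SSDs, journaling or copy-on-write filesystems, and synced cloud folders an in-place overwrite is not a guarantee, which is why the article’s other options (magnetic wiping, certified destruction) still matter.

```python
"""Overwrite-then-delete for a file holding ePHI on a local disk.
Added example, not the article's or SCG Health's own procedure; sample content is constructed.
Caveat: on SSDs, journaling or copy-on-write filesystems, and synced cloud folders an in-place
overwrite does not reliably destroy earlier copies of the data.  For those, rely on full-disk
encryption with key destruction, or on certified physical destruction of the media."""
import os
import secrets
import tempfile


def overwrite_file(path, passes=3):
    """Overwrite the file in place: random bytes on every pass but the last, zeros on the last.
    Each pass is flushed and fsync'd so it reaches the device before the next one begins.
    Returns the file size in bytes (the number of bytes written per pass)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            fh.seek(0)
            pattern = b"\x00" * size if i == passes - 1 else secrets.token_bytes(size)
            fh.write(pattern)
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path, passes=3):
    """Overwrite the contents, then remove the directory entry.
    Returns True when the path no longer exists."""
    overwrite_file(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo():
    """Write a constructed record to a temp file, overwrite it, confirm the plaintext is gone,
    then delete it.  Returns the checks as a dict so they can be asserted on."""
    record = b"patient_id,diagnosis\n482,sample condition\n"   # constructed, not real data
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    written = overwrite_file(path)
    with open(path, "rb") as fh:
        after_overwrite = fh.read()
    deleted = secure_delete(path)
    return {
        "bytes_per_pass": written,
        "plaintext_gone": record not in after_overwrite,
        "zeroed": after_overwrite == b"\x00" * len(record),
        "deleted": deleted,
    }


if __name__ == "__main__":
    print(demo())
```

The demo reads the file back between the overwrite and the unlink to show that the original bytes are no longer in the file’s allocated blocks; what it cannot show, and what the top-of-file caveat is about, is whether the storage layer kept an earlier copy elsewhere.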

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch, contributing writer

Photo: Adobe Systems Incorporated.

Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician-owned Radiology Regional Center, which has several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes being made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.

OCR, ONC dispel fears about sharing patient records for public health purposes

Wednesday, December 28, 2016

Written by: Marla Durben Hirsch, contributing writer

Queasy about over-disclosing information about your patients to the government for fear of violating HIPAA? Evidently, you’re not alone – but your ability to provide this information is broader than you may think.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, and the Office of the National Coordinator for Health IT (ONC) have issued a fact sheet to allay providers’ concerns about sharing data to foster public health.

HIPAA allows covered entities to share patient information without first obtaining the patient’s written authorization when the disclosure involves treatment, payment or operations. According to the fact sheet, released in December, sharing information with public health agencies authorized by law to collect information for public health reasons is one of those instances where an authorization is not necessary.

Lucia Savage, ONC’s chief privacy officer, and Matthew Penn, the director of public health law programs for the Centers for Disease Control and Prevention (CDC), explain in a related blog post published December 8, 2016, why the fact sheet was necessary:

“Many Americans have not taken full advantage of electronic health record data, perhaps because of confusion about how the Health Insurance Portability and Accountability Act (HIPAA) interacts with and supports the exchange of electronic health information for the purposes of public health.”

The fact sheet lists several not so hypothetical examples where it’s okay to divulge information, such as:

  • To honor a CDC request to collect disease surveillance information
  • To a state cancer registry, including type, extent, location of cancer and type of initial treatment
  • As part of a state department of health investigation of a disease outbreak
  • To assist a state health department intervention program, such as to reduce lead in drinking water or to measure care coordination outcomes
  • To the Food and Drug Administration collecting information as part of a medical device recall
  • To notify individuals who may have been exposed to a communicable disease while in the provider’s waiting room
  • To engage in medical surveillance in the workplace to evaluate work related injuries and illness, as required by law

Note that entities still need to comply with other provisions of the law, such as following HIPAA’s security rule when sending information electronically. They also need to only provide the minimum amount of data necessary, although they can rely on a public health authority’s request as to what information is necessary for these public health activities.

Why this new alert is important
While the fact sheet and blog post don’t say so, it appears that the government is concerned that the information currently being collected is incomplete. That can have a major impact on an agency’s ability to provide accurate information to the public and to health care providers, as with the spread of measles that occurred in 2015.

Moreover, situations such as recent natural disasters and the Zika and Ebola outbreaks have increased attention on population health and the need for more proactive action. For instance, the CDC reported in December that the number of cases of mumps in the United States has skyrocketed, with 4,258 cases reported in 2016 as of December 3. In contrast, there were only 229 reported cases of mumps in all of 2012. The CDC suggests that this increase may be due in part to the possibility that the mumps vaccine is losing its effectiveness, which would need to be addressed.

Takeaway: Providers should expect more scrutiny in this area of HIPAA now that ONC and OCR have highlighted it as an area needing further guidance and have sought to reduce any confusion about compliance. Check your policies and procedures regarding data sharing for public health purposes and ensure that you understand the rules.

Read the fact sheet.
Here’s the blog post.
Read the CDC mumps report.

HIPAA in Reverse: When Patients Want to Protect Their Confidential Medical Information…From You

Tuesday, November 01, 2016

By: Ben Regalado, Contributing Writer

Those of us who have been around for years remember what we were told HIPAA Privacy was about. It meant that you, the provider, who knows it all, cannot tell anyone anything about the confidential medical care and conditions of a patient without their consent (with some limited exceptions, of course). On top of Privacy rules came the Security regulations, where we had to take steps to physically protect the information, especially as Meaningful Use pushed widespread EMR adoption.

While we were taking steps to ensure compliance with these regulations, we may have forgotten that HIPAA also gives patients certain rights to control who can receive what information. Now, as they grow in understanding of their rights, the direction of “need to know” confidentiality established by HIPAA may be going in reverse.

A few years ago, a real world trial found nearly half of a group of patients withheld “clinically sensitive information” from their providers. Patients feel strongly about this control, and you shouldn’t expect this to dissipate as patient portals grow in use. 

Providers’ reactions to this lack of sharing are mixed. Some cite concerns that concealing important medical information may impact the quality of care, or at least the trust required in a doctor-patient relationship. Others were willing to accept this new reality, so long as their patients understood the ramifications.

As providers, the ultimate decision about what is or is not shared with you is out of your hands. The only thing you control is how you react to it. But in an age of widespread information sharing (often crafted around cultivating a public image), juxtaposed against hacking and identity theft fears, how should providers react?

Are patients concealing information on issues such as sexually transmitted diseases, substance abuse or mental health because they want to control their image to their doctors? Are they fearful that the information they provide is not secure or will not be treated with confidentiality? Or, perhaps driven by media-crafted perceptions*, do they just believe it is relevant only to the presenting problem they want you to cure, “right now”?

You have a true education effort on your hands now, especially those of you involved in primary care. As always, you have to listen for the symptoms, diagnose the cause, and then enact a personalized solution.

For some patients, you may have to recalibrate their thinking regarding what a physician does for their overall health. For others, you may instead need to provide reassurance about the measures your practice takes to secure their records. But the reality is that you also have to pause and consider whether you have the best and most complete information available.

The root issue, then, may be that most fragile of all the tools you have at your disposal: trust. The computer screen can certainly create a barrier to developing that trust, which is one reason some practices utilize scribes. But in the end, you have to find time (ah, yes, that critical resource) to build the relationship that allows you to be successful at what you first set out to do when you entered the noble profession of the healing arts.

* Regarding the media-crafted perceptions, we are so far from the days of Marcus Welby MD that few remember him. From Code Black to Grey’s Anatomy to Chicago Med, today’s TV doctors are in hospitals. They provide instant, episodic, and heroic care. They don’t talk to other care providers outside the building. They don’t consult history in charts. When they get involved in the backstory of a patient, they are often told to back off by their peers or more senior doctors. Granted, these shows are about the lives of the doctors and their personal dramas. They are not really about the work a physician is doing, day in and day out. But it’s worth thinking about. We’re sure the politicians, police officers and lawyers don’t suffer from such mischaracterizations of their daily pursuits, right?

Phase 2 HIPAA audits: tip of the iceberg

Tuesday, July 12, 2016

By Marla Durben Hirsch, contributing writer

Chances are you already know if you might be one of the entities chosen to be audited in Phase 2 of the HIPAA audit program. Phase 2 was launched this past spring; the Department of Health and Human Services’ Office for Civil Rights (OCR) has been sending out letters verifying addressees and asking entities to complete questionnaires. Once all of that information is in, OCR will cull the list and choose about 200 entities for a more comprehensive audit.

Those selected should have a fair idea of what’s in store; if not, they can take a look at the procedures for this round of audits, which are posted on OCR’s website. Like Phase 1 of the HIPAA audits, which was conducted in 2011 and 2012, OCR’s focus is not to punish the non-compliant but to identify best practices, discover risks and vulnerabilities and enable the agency to “get out in front of problems before they result in breaches.” Unlike Phase 1, which was conducted by the auditing firm KPMG, OCR will be conducting the new audits itself, mainly via desk audit.

However, while most entities will not be subject to these audits, that doesn’t mean that the rest of the industry is off the hook. It is much more likely that you’ll end up on OCR’s radar via a complaint or by suffering a breach which then must be reported to HHS, not because you’ve been chosen to be audited. There have been thousands of complaints and breaches, and those are what have resulted in the “resolution agreements” that OCR has entered into over the years. OCR had received 134,246 complaints as of May 31, and while most have been resolved informally, there have already been six more formal, costly resolution agreements signed thus far in 2016, matching the number of all such settlements in 2015. There have been almost 1,600 breaches affecting 500 or more individuals on HHS’ “Wall of Shame,” and that figure excludes the far larger number of smaller breaches that have also been reported.

Enter the Federal Trade Commission
While HIPAA enforcement is on the rise, OCR is not the only federal agency to worry about. The Federal Trade Commission (FTC), charged with ensuring that companies don’t mislead consumers in violation of the FTC Act, has also taken an increased interest in health care entities that don’t protect patient information, dinging violators.

This year the FTC has apparently upped the ante. It has already settled with two health care companies; oddly enough, both are electronic health record (EHR) vendors. Dental software provider Henry Schein Practice Solutions has agreed to pay $250,000 to settle charges that it falsely advertised the level of encryption it used to protect patient data, and marketed it as HIPAA compliant even when it had been informed by its software developer that it wasn’t.

The FTC has also settled with physician-oriented EHR vendor Practice Fusion, which was found to have misled consumers by soliciting reviews about their doctors without disclosing that the reviews would be made public and posted on the internet. What made matters worse is that Practice Fusion made it look like the reviews were being solicited by the doctors themselves, causing patients to reveal very sensitive information.

Both FTC settlements indicate how easily patient information can be compromised. Since both vendors are business associates under HIPAA, it would not be surprising for these settlements to spark investigations into the providers who use these EHRs.

The new audit protocol: a glimpse into OCR’s expectations
There is a bit of good news: OCR has created an updated checklist regarding HIPAA compliance in conjunction with Phase 2 of the audits. The checklist, called the “audit protocol,” outlines what OCR is looking for in terms of HIPAA compliance.

The protocol, which covers privacy, security and breach incidents, is longer, more specific, and more comprehensive than the protocol developed for Phase 1 of the audits. It also adds HIPAA compliance topics that have arisen since the first protocol was released in 2011.

The new protocol can be found on OCR’s website. It’s hefty, with 180 different elements, many of which include subsections. But it provides the clearest indication yet of what OCR is looking for from providers and the standard it will hold all entities – not just the ones audited – to.

Go through the new audit protocol to get a handle on what your practice needs to work on. For example, many of the sections specifically ask whether an entity’s policies and procedures address the topic being covered. Then go back and deal with the areas that need attention. OCR is providing the industry with a free tool; it would be smart to take advantage of it.

OCR’s HIPAA audit website
Information on the HIPAA “wall of shame”
FTC announcement of Henry Schein settlement
FTC’s announcement of Practice Fusion settlement

More Power To You: 9 Quick Tips And A Bonus For When The Lights Go Out!

Thursday, February 04, 2016

By Ben Regalado

Spurred by Meaningful Use incentives, electronic health records (or EHRs) are approaching universal adoption, with secure Wi-Fi-connected tablets or laptop computers becoming the primary means of data entry.

But what do you do if the screens go dark, or Wi-Fi fails? While redundant backup and recovery processes for your system should be well established, this does not necessarily facilitate immediate practice continuity.

Expect what is Expected

As with most emergency practice management issues, the first thing to do is to start when the lights are on and create your plan to deal with the impact of anticipated and unanticipated power loss on the patients, providers and staff.

Reputable server-based EHR systems rely on uninterruptible power supply (UPS) batteries to kick in when the power goes off, giving you and your team the appropriate time to carry out your plans and manage a graceful power-down process.

Also, know how your EHR hardware stores “work in progress” so providers can quickly resume their documentation processes. If you do not use battery powered laptops or tablets, make sure you have a few critical workstations on a UPS system.


When the Lights Go Out

Many weather or other power-limiting events are precipitated by a warning of several hours to several days. Consider the following steps if these events are forecasted or imminent.

  1. Foremost, assess the readiness and responsiveness of your staff. Without a doubt, community-wide events such as the recent snowstorms across the country direct their focus to family and personal issues, limiting their ability to proactively consider the needs of the patients and the practice. Help them help you by preparing checklists, but always keep their safety in mind.
  2. Know how to access your EHR outside of the practice walls. This emergency plan and process, especially related to who can access and where they should access it from, should be printed and immediately accessible.
  3. Immediately print essential medical record, demographic and charge ticket information for the day’s patients. Should the providers be able to continue to see patients, this aids in the recording of essential visit information to be entered into the system later.
  4. If multiple days of power loss are anticipated, print additional schedules with patient contact information. Distribute these schedules to staff you have pre-arranged to call patients if necessary. (If these calls have to be made from mobile phones, it is a good idea for callers to temporarily block their own caller identification.)
  5. Remember to communicate to patients! If you have an interface with your telephone appointment reminder system, use it to send critical messages. You should also update the practice’s website and patient portal with information about how to contact the practice.

When Rain Falls from the Cloud

Beyond power outages, many EHRs now rely heavily on the Internet. Some are completely cloud-based, meaning connectivity is of the essence. While Internet providers sell you on uptime, prepare for the unlikely event you lose connection for what could be a substantial amount of time.

  1. Is just the Wi-Fi down? If you connect to the Internet via an in-office wireless system, first determine if the issue is limited to your Wi-Fi router. You can prepare for a Wi-Fi failure by having the ability to connect to hardwired cabling in the exam rooms or at a nearby workstation until you restore your service. These days you cannot have too many electrical outlets and connection ports!
  2. Wake up from paperless dreams. Having a stock of document templates available in the office can guide your providers’ documentation until connections can be restored.
  3. Is there an app for that? Some cloud-based EHRs may have secure applications that can be connected through cellular-based wireless connection. While this is not the ideal method of routine connection for security and speed, it may serve you in a pinch for obtaining basic schedules and clinical information.
  4. Look ahead. When you can and have access to a secure Internet connection, prepare for the following day by printing necessary schedules, demographics and other documents to allow patients to be seen. While this will require "back end" data entry, it is certainly an alternative to not being able to continue to see patients in the event of a connection issue (rather than a complete power failure).

Finally, here is our Bonus tip. When your plans are put together, don’t put them on the shelf. Consider a few practice sessions, allowing you to determine what works and what doesn’t. You can then rest assured your practice is as ready as it can be, and maybe go back to those dreams of a paperless office again.

SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.