SCGhealth Blog


Medication Noncompliance- what to do when your patient thinks they know better

Monday, December 18, 2017

By Audrey Landers

One of the most frustrating things a patient can do is refuse to take their medicine, and patients do it every day for any reason under the sun. Studies have shown that as many as 30% of prescriptions are never filled and nearly 50% of medications for chronic disease are not taken as prescribed. This noncompliance can cause problems that would be completely avoided if only the patient would take their medicine. While ultimately the decision to comply belongs to the patient, there are a few things physicians can do to guide their hand.


Make sure instructions are clear
A patient may have a prescription with a label that reads “take one capsule by mouth twice daily.” What does that mean for the patient? Is it every twelve hours? Are they to be taken with food? Can the patient take them both at the same time and get it over with? To a physician or clinician these instructions may seem clear but many patients have low health literacy, meaning they may have difficulty understanding how or when to take a medication if the instructions on the bottle are vague or not written in lay language. You can help combat this confusion by explaining the medication when it is prescribed and even writing or printing a set of fully explained instructions if you believe that the patient may forget or does not fully understand after receiving a full explanation.

Use technology
One issue many patients face in staying compliant is forgetfulness. It happens, especially if the patient is not used to medication and does not feel any immediate benefit from taking it. Fortunately, there is a solution that almost everyone carries in their pockets. By instructing your patients to set reminders on their phones, you can not only increase the chance that they will comply but may help them increase the effectiveness of certain medicines that need to be taken at the same time each day, such as birth control. If you think your patients would be interested in a more medicine-specific app, there are over 20,000 medicine related apps available for smartphones. Apps allow patients to keep track of their medications as well as see how well they are adhering to them. These three are highly rated and available for free for both apple and android users:

  • CareZone- Allows patients to easily create medication lists by scanning bottles, set reminders, and organize medical related information ranging from appointments, to symptoms, to contacts.
  • MediSafe- Allows patients to set medication and prescription refill reminders, create progress reports that can be sent to physicians, as well as log and track other measurements such as blood pressure and weight.
  • Mango Health- Turns taking medications into a fun game. Users earn points for correctly taking and logging their medications as well as bonus points for logging healthy habits. These points can be used to earn gift cards and donations to charities.

There are also more high-tech options in the works such as pill bottles that can detect when medication is removed and pills that can alert the doctor when they are swallowed.

Help them find ways to offset the cost
According to the Centers for Disease Control & Prevention (CDC), one in ten Americans don’t take their medication for the simple fact that they cannot afford to. With articles about the rising cost of medicine and healthcare being written every day, this should come as no surprise. While this may seem like a problem that no physician can fix, you can help your patients by doing a bit of research into the various programs that can help them get the medicine they need at a discounted price. Many pharmacies offer some sort of discount program for generic drugs, with the general consensus being that Costco offers the best savings. Patients can also look online for discount cards and deals on websites like GoodRX.com.

The most important thing is to listen to your patients and their concerns. Let them tell you what the problem is so you can do what you do best and help them fix it.


Don’t come back! Ensuring that former employees can’t access HIPAA-protected confidential patient information

Wednesday, December 13, 2017

By Marla Durben Hirsch

One of the most common – and frustrating – ways that patient information is compromised in violation of HIPAA is by a provider’s own staff. The problem is so prevalent that the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about it. 

The alert, released in a newsletter November 30, focuses on the risks posed by former employees who still have the ability to access electronic protected health information (ePHI) “with evil motives.” 

“Effective identity and access management (IAM) policies and controls are essential to reduce the risks posed by these types of insider threats. IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts. Making sure that user accounts are terminated, so that former workforce members don’t have access to data, is one important way IAM can help reduce risks posed by insider threats,” OCR says. 

OCR recommends a number of common sense steps that covered entities and business associates should take to protect patient information from former employees: 

  • Have standard procedures of all action items to be completed when an individual leaves –these action items could be incorporated into a checklist. These should include notification to the IT department or a specific security individual of when an individual should no longer have access to ePHI, when his duties change, he quits, or is fired.
  • Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals. These logs can be used to document the termination of access and return of physical equipment.
  • Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
  • Terminate electronic and physical access as soon as possible.
  • De-activate or delete user accounts, including disabling or changing user IDs and passwords.
  • Have appropriate audit procedures in place. Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave.
  • Change the passwords of any administrative or privileged accounts that a former workforce member had access to.
  • Address physical access and remote access by implementing procedures to:
    • take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys);
    • terminate physical access (for example, change combination locks, security codes);
    • effectively clear or purge ePHI from personal devices and terminate access to ePHI from such devices if personal devices are permitted to access or store ePHI;
    • terminate remote access capabilities;
    • terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services.

Alert leaves some gaps
While the alert provides practice advice, there are some issues that it did not address: 

The legal consequence of dropping the ball. The alert doesn’t remind readers that unauthorized access by a current or former employee is presumed to be a breach of PHI reportable to HHS and likely a HIPAA violation if the entity hadn’t taken adequate steps – i.e., the ones listed in the alert – to protect the records. 

For instance, earlier this year Memorial Health Care System in South Florida paid $5.5 million to settle allegations it had violated HIPAA. The ePHI of more than 80,000 patients was impermissibly accessed by employees and disclosed to affiliated physician office staff by using the login credential of a former employee of an affiliated physician’s office. Memorial had failed to implement procedures regarding reviewing, modifying and /or terminating users’ right to access. It also failed to promptly detect the activity, even though it had identified this issue as a vulnerability. Some of these disclosures led to federal charges relating to selling the patient information and the filing of fraudulent tax returns. 

The need to include access control in security risk analyses. The alert doesn’t point out a fundamental tenet: the provider needs to know not only who has access and equipment but also what kind of risk that poses. Are smartphones encrypted? Can computers be remotely accessed? Are passwords changed regularly? Therefore it’s important to include this in your HIPAA-required security risk analysis

Failure to comply can create additional headaches. Providers need to worry about more than HIPAA compliance. For example, a former employee of a perinatal medical practice who took a new job with a competitor hacked the computer of his former employer and took all of the patient information to create a direct mail campaign for the competitor. To add insult to injury, he wiped the patient information from the former employer’s system. He was convicted of the cybercrime and went to prison, but caused tremendous damage to the practice. 

Takeaway: Implement these safeguards, many of which are easy and cost-effective. If OCR is flagging a particular issue, that means it’s occurring often and a priority of the agency.


OCR issues new warning about protecting patient information on mobile devices

Monday, November 13, 2017

By Marla Durben Hirsch, contributing writer

Tread carefully if you store, send, receive or transmit electronic patient protected health information (ePHI) via a laptop, iPhone or other portable electronic device. The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about the vulnerability of such information.

The alert, released in a newsletter October 31, notes that while mobile devices are convenient and easy to use, the ePHI is particularly difficult to keep secure. The devices are usually on default settings, enabling them to connect to unsecure Wi-Fi, Bluetooth, cloud storage or file sharing network services, where others can access the data. It is common for users to inadvertently download malware or viruses, which can hack into or corrupt the data on the device. And the devices themselves are frequently lost or stolen. 

For example, more than 27% of the breaches of 500 or more patient records archived on HHS’ HIPAA breach “wall of shame” were due to the loss or theft of a laptop or other portable device. That figure doesn’t even include potentially related breaches, such as emails containing ePHI sent from a mobile device to the wrong recipient or that were intercepted. 

“As mobile devices are increasingly and consistently used by covered entities and business associate[s] and their workforce members to store or access ePHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected,” OCR says in the alert. 

OCR recommends that entities: 

  • Include mobile devices when conducting their HIPAA-required security risk analyses to identify vulnerabilities that could compromise patient data and take action to reduce any vulnerabilities or risks found.
  • Implement policies and procedures regarding the use of mobile devices in the work place, especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all ePHI stored on a mobile device before discarding or reusing the mobile device.
  • Train staff on how to securely use mobile devices. 

Don’t expect leniency on this one
OCR’s concern about protecting patient data on portable devices is not new. The agency has previously published resources on this topic, including videos, checklists and FAQs. But the fact that OCR felt a need to repeat itself indicates that it believes that entities are not “getting the memo” and are not taking proper precautions. 

It also shows that this is a front burner issue for the agency, and that entities which fail to comply despite the plethora of repeated guidance are more likely to face harsher punishment. 

Takeaway: Entities that suffer a breach of ePHI related to a mobile device are not going to be able to defend themselves on the ground that there was no guidance to help them protect the data. Now’s a good time to assess your office’s use of portable devices and reduce the risk that patient information will be exposed.


Think Twice Before Using a Voice Assistant at Work

Monday, October 16, 2017

By Marla Durben Hirsch, contributing writer

Voice assistants like Apple’s Siri or Amazon’s Echo Dot can be convenient and easy to use, but tread very carefully if you’re going to use them in your practice, since they are fraught with risk.

A recent survey found that almost a fourth of physicians are already using a voice assistant for work-related reasons, including drug dosing queries, diagnostic information searches, communication and dictation. That number is expected to rise as the devices become more popular, but these tools have shortcomings that many physicians are not aware of, according to attorneys Elizabeth Litten and Michael Kline, with the law firm of Fox Rothschild in Princeton, New Jersey.

Some of these risks include:

Privacy. Since these are voice powered devices, the physician’s query and the device’s response can be easily overheard by others, says Kline. If a physician provides too much patient-specific information so as to make the patient identifiable, speaks more loudly than necessary, or positions the device so that it’s not in a private area, it could be a violation of the Health Insurance Portability and Accountability Act (HIPAA)or state law privacy rights.

Security. Most people don’t realize that voice assistants store users’ queries, making them subject to hacking. In addition, different voice assistants deploy different levels and types of security of the stored information, warns Litten. For instance, Siri keeps recordings and transcripts but ties them to random numbers, making the users more anonymous. Amazon’s Alexa is much less secure; it stores full transcripts which can be viewed by the user – as well as anyone else who can access the user’s account. “You’ve created data. Be aware this is another place where the data is stored,” says Litten.

There’s also the vulnerability of the devices themselves. Voice assistants are part of the “Internet of Things,” like smart TVs, wireless insulin pumps and baby monitors. Unfortunately, they are easily exploited by cybercriminals, who eavesdrop and collect information to use against users, disable or reprogram the devices, download malware which can then affect other electronic systems, and other wrongdoing. The FBI has issued several warnings about the security risks of things that use the Internet, including one this past summer.

Unreliable, inaccurate or wrong content. Just because a voice assistant is programmed to search the internet does not mean that the information it locates and spits back is reliable and trustworthy. “You don’t know how good the information is and whether it’s validated,” warns Litten [for example, ask Siri to divide one by zero]. This is particularly concerning when asking for and relying on clinical information.

Medical record problems. Some voice assistants that input automatically into the medical record may do so in a way or location that you don’t want or is hard to later find. Some physicians neglect to input clinical information received from a device into the patient’s medical record, rendering the record faulty or incomplete, warns Kline.

Malpractice concerns. Relying on questionable or wrong information provided by a voice assistant and failing to keep complete medical records are malpractice risks. And since the tools store past queries, they can be discoverable in malpractice litigation.

Six tips to protect your practice:

Some entities have banned the use of voice assistants in the workplace. However, an outright ban may not be feasible or desired; it may also be difficult to enforce, says Kline. If these devices will be allowed, at least take some steps to reduce your risks:

  • Understand the security of the voice assistant you want to use. Know how it stores and retrieves data, says Litten. If you have a choice, use one that’s more secure. For instance, the assistant in your electronic health record or iPhone may be more secure than Amazon’s Alexa.

  • Use the tool cautiously. Don’t rely on it for clinical information without corroboration, and don’t provide it with identifiable patient information. “Be careful how you frame inquiries,” suggests Litten.

  • Make sure that all physicians and staff understand the limitations and risks of using voice assistants in the office. Hopefully this will cause users to be more careful. For example, all searches should be viewed as nonprivate, says Litten.

  • Take steps to not violate HIPAA or state privacy and security rules. Include these devices as part of the practice’s overall HIPAA compliance efforts. For instance, don’t use the tools in a way that others can overhear the query or the response. “Don’t yell to Alexa and be a bigmouth. Use [HIPAA’s] elevator rule [and don’t discuss patient information in public],” says Litten.

  • Adopt the FBI’s suggestions to reduce the tool’s vulnerability. For example, change the password on the voice assistant from the manufacturer’s default password so that it’s less likely to be exploited; apply security update patches when applicable.

  • Document applicable clinical information into the medical record. “If it’s not documented it didn’t happen,” warns Kline.


Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch , contributing writer


Photo: Adobe Systems Incorporated.

Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights, (OCR) which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician owned Radiology Regional Center, with several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time has begun to train its sights on mistakes being made business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Takeaways
Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.


Ins and Outs of Mobile Healthcare

Tuesday, January 19, 2016

By Elizabeth Lauzon

Smartphones, apps, fitness trackers; we all either use them or know someone who does. The trend of mobile healthcare is everywhere. While there are many benefits to both physicians and patients, from increased activity to vaccine scheduling, there are concerns to keep in mind also. Here are five top-of-mind considerations about mobile healthcare today.

Image of person holding mobile phone

Photo credit: GraphicStock © 2016.
  1. Mobile health is on the rise. The mobile health market is expected to grow to $117 million by 2020, and according to a trade association ACT report, an estimated half billion people will use one or more. Top trending app solutions include chronic condition management, personal fitness and remote patient monitoring. Not surprisingly, healthcare devices were the hot topic at the most recent International Consumer Electronics Show, with Medtronic and IBM CEO’s giving a keynote address outlining their new venture of a platform that combines data from Medtronic's diabetes devices with analytics from IBM's Watson Health technology.
  2. It keeps patients connected with their physicians. A recent study published by the Journal of the American Heart Association showed that patients at risk for heart disease who received texts from their physicians led to significant increases in physical activity levels. Patients in the study wore fitness trackers with the goal of 10,000 steps a day. The subset of patients who received encouraging texts from their physicians walked an average of 2,334 more steps per day and more than nearly twice as many participants in the text-receiving group achieved the steps goal compared to those who did not. Staying connected with technology is a great way for physicians to maintain high-touch service with patients.
  3. Mobile health can benefit physicians, too. In a survey done by American EHR Partners, 51 percent of physicians use apps on a daily basis. And the federal government is in on it! The Centers for Disease Control and Prevention (CDC) has 27 apps available for the Apple store. Examples include a public health trivia app, the STD treatment guidelines, a public health mortality app and the Vaccine Schedules app. This app helps physicians by specifying vaccine color coding for use at the point of care and vaccine contraindications and precautions. In addition to what is offered by the CDC, there are many more general apps available. The top five used apps used by physicians reported by the American EHR Partners are Epocrates, Medscape, MedCalc, Skyscape and Doximity.
  4. Be aware of security and HIPAA issues. Admittedly, no federal agency is properly regulating health care mobile technology at this time. But, that doesn’t mean that you can’t begin to solve for potential issues. A report from the Center for Democracy and Technology outlined several security and privacy concerns with modern mobile technologies. A few of these concerns include that mobile healthcare communications fall outside of federal privacy and security regulations and that the data isn’t protected from being shared with outside vendors. Further, some mobile software may contain security flaws making it more susceptible to hackers.
  5. Know your liability. An additional concern to keep in mind outside of security is physician medical liability. When patients monitor their own health with a mobile device, what is the doctor’s liability if the patient supplies faulty or inaccurate information?

Mobile healthcare is a great tool and way for physicians and patients to stay connected and up to date, but it is not without it’s flaws. If you are using any one of the many devices or apps out there, enjoy the benefits but also educate yourself on the potential concerns as well.



SCG Health blog by Email

Recent Posts


Archive


Tags

SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.