Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself: how can you put a multi-layer defense in place to prevent a breach?

What are the risks?  Reputational Risks? Data Integrity Risks?

Areas To Address:

  • Encrypt every device, and work out how to protect the data center from external and internal attacks.
  • Have a risk analysis done properly, since the OCR is now asking for up to 5 years of history to show that you have made a conscious effort to mitigate your risks every year.
  • Staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter.

As previously mentioned in my blogs, the OCR stated over 60% of breaches occur because of theft or loss of an unencrypted device.  Therefore, it is important to keep track of any device that leaves the office!  Unauthorized disclosure of accounts accounted for 16% of breaches.  Hacking of accounts accounted for only 7% of actual breaches.
A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.
Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Important Reasons To Keep Patient Information Secure

Some organizations are unaware they have a breach of information until the FBI initiates the incident report.  It is not only hospitals that are responsible.  Responsibility could even extend as far as a medical application developer or third-party vendors.  It is highly recommended that healthcare organizations verify vendors’ security and make it part of their contract.  HIPAA breaches can result in federal, state and/or regional fines.

For example, Health Net, the Woodland Hills, Calif.-based health insurance company, learned that its business associate IBM had lost nine unencrypted server drives in January 2011. These servers contained names, Social Security numbers, addresses and health information of Health Net employees, members and providers. Health Net did not receive federal fines, but two state attorneys general offices filed suit against the firm.
As a result, Health Net had to pay $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. Additionally, they settled with Vermont’s attorney general for $55,000.
According to 2012 statistics, if your data was breached you have a 1 in 4 chance of being a victim of fraud.

Breach Due to a Weak Default Password on a Server

The report examined a HIPAA oversight by a contracted Utah Department of Health employee; the resulting breach affected 780,000 people. The server had a weak default password, and the department failed to manage its IT assets appropriately. Hackers exploited the vulnerability and took Social Security numbers, medical diagnostic codes and dates of birth.  Javelin Research estimated some 122,000 cases of fraud would occur, resulting in a total cost pegged at a whopping $406 million.  This represents approximately 20 hours to resolve each fraud case.

Having a Social Security number stolen puts the person at risk indefinitely.

Trust & Patient Health

“People refuse to see doctors for sensitive conditions because they know the information won’t stay private. I’m talking about cancer, depression, sexually transmitted diseases,” said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. “That’s a tragedy when people who have very treatable, serious medical illnesses won’t get care.”
A 2014 Harvard School of Public Health study assessing the privacy perceptions of U.S. adults pertaining to their health data found more than 12 percent of some 1,500 respondents withheld information from care providers over medical security concerns.

Patient Access to Electronic Health Data v. Privacy/ Security Concerns

According to a recent survey of U.S. consumers:

  • 69% of those with chronic health conditions believe patients should have the right to access all of their healthcare information
  • 51% believe that accessing their medical records online outweighs the privacy risks
  • Consumers with chronic conditions had greater privacy concerns regarding online banking (70%), in-store credit card use (69%) and online shopping (68%), than their concern over privacy of their electronic medical record (65%)
  • 87% of U.S. consumers say they want to control their health data, but 55% believe they currently do not have very much control

Source: “Majority of U.S. Consumers with Chronic Conditions Believe Accessing Medical Records Online Outweighs Privacy Risks, According to Accenture Survey,” Accenture Press Release, May 5, 2014, http://newsroom.accenture.com/news/majority-of-us-consumers-with-chronic-conditions-believe-accessing-medical-records-online-outweighs-privacy-risks-ccording-to-accenture-survey.htm

Price Transparency Software Beneficial to Medical Practices/ Clinics

Published statistics show a rising trend in out-of-pocket expenses for patients, due to the growth of high-deductible health plans for consumers.  According to a recent research study by InstaMed in 2013, the annual number of patient payments to providers rose 72 percent between 2011 and 2013, and the average payment of $110.86 in 2011 increased 20 percent to $133.15 in 2013.

America’s Health Insurance Plans, a payer trade association, expects out-of-pocket expenses for insured patients to rise from $250 billion in 2009 to $420 billion by 2015.

Due to patients' increased out-of-pocket expenses, providers increasingly are offering payment plans; InstaMed’s data shows that the number of annual transactions for payment plans increased by 284 percent from 2011 to 2013.  Additionally, more providers are accepting credit card-based electronic payments online and more patients are willing to pay this way. In 2013, credit card payments represented 42 percent of the gross dollar volume of back office payments, which is an 8 percent increase from two years ago.

An InstaMed survey of providers that complements the data analysis shows 67 percent of patients saw an increase in their payment responsibility in 2013.

Forty-two percent of providers did not know what the patient was responsible for paying during the visit.  Seventy-six percent said it takes more than a month to collect from a patient and 56 percent pegged collections as the top revenue cycle concern.

Another survey of more than 200 consumers found that 72 percent of respondents were unaware of their payment responsibility during a visit. Only 2 percent received healthcare bills via email in 2013. When patients were given the option of how to pay a healthcare bill, most indicated they would pay online via a provider, payer or bank Web portal. The vendor reminds providers that mobile devices also can be used to collect payments at the point of service.

One approach believed to shorten the time it takes to be paid by a patient is for the practice to use price transparency software.  This allows the patient to know exactly what they will owe for the service they are receiving.  The patient then has the option of paying the bill on the day of service or knowing what to budget for when they leave the office.  Therefore, once they receive the bill at home they may have already set the funds aside to pay for it.  Either way, price transparency software is very simple to use in a medical office/clinic and can decrease the days of your A/R (accounts receivable).

If you are interested in seeing how price transparency software can help you increase your collections in a shorter time interval, please contact us at EHR & Practice Management Consultants, Inc. at (800) 376-0212 or 847-322-0139, or at contact@ehrpmc.com.  We can show you a demonstration of how price transparency software would work in your practice and see if it would be a good fit for you.

Over $2 million collected from Concentra and QCA Health Plan for breaches of patient information

The Department of Health and Human Services Office for Civil Rights announced on April 22 that it collected nearly $2 million to resolve potential HIPAA violations from Concentra Health Services & QCA Health Plan for failure to secure protected health information on laptops and mobile devices.

Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.

In an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

Unencrypted devices are the #1 source of patient breaches.  If you have questions on how to encrypt your PCs and mobile devices, please contact us at EHR & Practice Management Consultants, Inc. at (800) 376-0212 or contact@ehrpmc.com.

Cyber Threats are at Highest Risk in the Healthcare Industry

In April 2014 the FBI Cyber Division issued a warning that medical devices and healthcare systems are at risk for increased cyber attacks due to the financial benefits to hackers.

Because of the 2015 deadline for providers to go on an EHR, many providers will be adopting an EHR to meet it. This will mean a greater number of medical devices connected to the Internet, which will be at increased risk of cyberattacks targeting patients' medical information.

The FBI stated that, compared to other industries, the healthcare industry is not as well prepared to handle these cyber attacks.

As cited by Symantec, last year 37% of breaches were found to be in the healthcare industry, which is the largest share for any industry.

As I have discussed in my earlier blogs, this not only puts the patient’s identity at risk for fraudulent activity but also creates potential health risks if a person fraudulently uses their identity and receives medical treatment. This can introduce misinformation into the true patient's health history, treatments, and medications. Not only could this cause an increase in the patient's premium, but misinformation could be given to other patients regarding the patient's health, and the patient could be mistreated by other providers. This is why it is always important for patients to periodically go online with their insurance company to make sure the claims being sent to the insurance firm on their behalf are ones they actually had. Additionally, when their providers start to receive information through the health information exchange (HIE) about care they received elsewhere, patients should verify with the provider that it is correct.

Identity theft not only can cost a person thousands of dollars to have resolved but can also put their health outcomes at risk.

If you are a provider/practice/clinic and would like a full risk assessment and mitigation plan completed for your practice to avoid any security breaches of your patients' protected health information, please contact us at EHR & Practice Management Consultants, Inc. at 1 (800) 376-0212 or contact@ehrpmc.com.

Internet Searches & Mobile Apps May Not Always Be Beneficial to Managing Your Health

There are over 43,000 healthcare mobile applications available.  However, not many physicians are recommending them, since there is not much trust that they will make a difference.  In addition, there are many sites available on the web for prevention and management of health conditions.  The scary thing is that patients may choose to follow the advice of the internet instead of seeking medical attention.  Just because a website is ranked on the first page of a search engine does not mean all its data is accurate.  I encourage patients to still seek a medical professional before trying to diagnose and manage their health on their own.

Tips on Successful Adoption of A Patient Portal

In my experience of selling and implementing patient portals over the last 7 years, I have come up with various tips to encourage patient portal adoption both by your practice and your patients.  At EHR & Practice Management Consultants, Inc. we provide patient portal adoption consulting services to assist practices with their patient portal adoption.  Among the tips we provide are the following:

  1. Have a mobile device in the office for patients to get comfortable with the portal.
  2. Have the employees discuss with the patients the advantages of the portal.
  3. Have pamphlets as a takeaway for patients to recall the advantages of the portal.
  4. Make sure the employees are well trained on the portal and that policies and procedures regarding the portal are addressed.
  5. Make sure to assign which employees should address which messages.
  6. Discuss with patients what messages are appropriate to securely message the practice.
  7. Make sure to educate family members who have access to the portal on the usage.
  8. Put proper signage or videos around the office to educate patients on the portal.

For these and many other ways to use a patient portal, please contact us at EHR & Practice Management Consultants at 1 (800) 376-0212 ext. 1, contact@ehrpmc.com, or 1 (847) 322-0139.

Stanford Hospital & Clinics Pay $4 Million for privacy offense

Practices, clinics and hospitals not only have to worry about HIPAA laws at a federal level, but they also need to take into account the state privacy laws that can cost them as well!

In California, the law requires that medical providers keep their patients’ medical information confidential and prohibits the disclosure of such information without a patient’s written authorization.

Stanford Hospital and Clinics has had 5 big HIPAA breaches in the last 3 years, compromising the protected health information of more than 92,000 patients.  Four of the breaches involved the theft of unencrypted company laptops.  It would have been much better if these had been merely property losses as opposed to data losses. They may now be required to pay a $4.1 million class action settlement after violating California’s medical privacy law.

The settlement, given approval last week by Los Angeles County Superior Court Judge Elihu Berle, stems from a 2010 incident in which Stanford notified 20,000 of its patients that their protected health information was wrongfully posted to a student website. The information, which was posted on a public website for almost a year, included medical diagnoses and patient names.

In September 2011, Shana Springer, a patient, filed a $20 million class action lawsuit against Stanford and its business associate Multi-Specialty Collection Services for violating California’s Confidentiality of Medical Information Act.

When Stanford Hospital and Clinics notified patients, it claimed it had sent Multi-Specialty Collection Services encrypted patient information for “permissible business purposes,” making the company “responsible by law and contract for protecting all patient information provided to it for its services.”

HIPAA-covered entities and business associates have paid over $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that from last year alone; this does not include the state and private legal settlements.

2014 Hardship Exemptions

The hardship exception rule in the Meaningful EHR Incentive Program has given relief to some providers and hospitals by allowing them to apply for exceptions to anticipated penalties if their EHR vendor did not obtain EHR certification for 2014.

Since some vendors did not have the time or resources to get their product 2014 certified the additional flexibility has been put in the exception rule i

There are a couple of stipulations to this flexibility in the hardship exception rule:

  • The application can only be submitted for 2014.
  • CMS has said you may apply for the exception.  This does not guarantee that you will get the exception.  CMS will determine if you will receive the exception on a case-by-case basis.

Providers and hospitals should be encouraged to do everything in their power to get the certified EHR technology implemented and meet meaningful use in 2014.  However, if things are running close I would encourage eligible providers and hospitals to apply for the hardship exemption if it looks like they are going to run into implementation and workflow issues.

If you have any further questions or need additional help regarding Hardship exemptions, EHR and Practice Management selection, contract negotiations, project management, implementation, EHR training, EHR optimization, EHR template customization, Meaningful Use Gap Analysis, Meaningful Use Attestation, HIPAA Privacy/Security Assessments and Mitigation Plans, EHR Safety, and Meaningful Use Audits, please contact Vanessa Bisceglie at 847-322-0139, 1-800-376-0212, or vanessa@ehrpmc.com.

Vanessa Rose Bisceglie, President, EHR & Practice Management Consultants, Inc. www.ehrpmc.com