HIPAA Compliance v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white, but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate in the medical security community about what safeguards must be taken to assure that your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess was hit with a hefty fine after a provider’s unencrypted laptop containing patient information was stolen; the incident exposed sensitive information on nearly 4,000 patients and employees. That is a black and white case of negligence, which is why the fine was levied. But what if the laptop had been encrypted and the owner was robbed at knifepoint and forced to disclose the password? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Women’s Hospital, this is exactly what happened to one of their physicians, creating an interesting test of the HIPAA Privacy Rule and Security Rule. The incident involved the theft of two devices that contained information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question is whether encryption alone satisfies a healthcare organization’s obligations under the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is no. Under the HHS breach notification guidance, protected health information counts as secured only if it has been encrypted by “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” That last clause is the one that matters in the BWH robbery: once the password was disclosed, the key was breached, the safe harbor no longer applies, and the data must be treated as exposed. Disk encryption protects a lost or stolen device only as long as the key stays secret; it does nothing against an attacker who obtains the passphrase, whether by coercion, shoulder-surfing or a sticky note. That is why encryption has to sit alongside other controls: remote wipe and device management, minimizing the PHI stored locally in the first place, and an incident process that treats a disclosed passphrase as a key compromise rather than a non-event.

This is the third HIPAA breach for BWH, according to data from HHS, and the third involving theft. BWH is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With advances in technology and the sharing of information comes the responsibility to protect that information. The government has defined how that information is to be protected, but it is the healthcare organization’s responsibility to safeguard patient-sensitive information and put the proper precautions and mitigation plans in place to ensure security. Consult with a security expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com. Even if you have completed a Security Assessment and have a Mitigation Plan already in place, it is better to have the assurance of a professional review.


EHR Data Continues To Save Lives

In the midst of all the MU Stage 2 controversy comes evidence that EHRs are still having positive impacts on patient health outcomes. In May of this year, Healthcare IT News published an article, based on data provided by the Department of Health and Human Services, reporting 15,000 lives and $4B saved so far from reductions in hospital-acquired conditions (HACs).

These reductions in adverse drug events, falls and infections have prevented nearly 15,000 deaths, avoided 560,000 injuries and saved as much as $4 billion in health spending over the period studied.

“We applaud the nationwide network of hospital systems and providers that are working together to save lives and reduce costs,” said outgoing HHS Secretary Kathleen Sebelius. “We are seeing a simultaneous reduction in hospital readmissions and injuries, giving patients confidence that they are receiving the best possible care and lowering their risk of having to be readmitted to the hospital after they get the care they need.”

A more recent study by researchers in the U.S. and the United Kingdom, published in CMAJ Open, analyzed 11.5 million electronic patient records and identified a jaw-dropping number of undiagnosed cases of diabetes. Using an algorithm that analyzed biomedical data, the researchers found that of the 1,174,018 patients with diabetes, 63,620 were undiagnosed. Diabetes kills one person every six seconds and afflicts 382 million people worldwide, according to the International Diabetes Federation, a staggering number indeed. If the only positive outcome of EHRs were to identify undiagnosed diabetes patients and get them the treatment they need to save their lives, it would be worthwhile. After being inundated with negative commentary on EHRs and Meaningful Use in the last few months, I believe this is enough evidence to at least quiet the cynics and chalk this one up in the win column.

If you need assistance with optimizing your EHR or any other EHR needs, please contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) at 1-800-376-0212 or contact@ehrpmc.com.

New Deadline for EHs and CAHs to Attest for MU in 2014

The Centers for Medicare and Medicaid Services announced on November 24th a one-month extension of the deadline for eligible hospitals and critical access hospitals to attest to meaningful use of certified EHRs for 2014; the new deadline is December 31st. CMS stated that “this extension will allow more time for hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.” CMS also extended the deadline for eligible hospitals and CAHs that are electronically submitting clinical quality measures to meet that requirement of meaningful use and the Hospital Inpatient Quality Reporting program. That deadline was likewise extended to December 31st, giving hospitals another month to submit their eCQM data to QualityNet. Unfortunately, the extensions do not apply to the Medicaid program.

BYOD- The Good, The Bad and The Ugly

Bring Your Own Device (BYOD) is a growing phenomenon in corporate America, and especially in hospitals. Under BYOD, employers allow staff to use their own mobile devices for work-related purposes. Healthcare providers today rely heavily on mobile devices for communication. While some organizations look to BYOD to increase productivity, others have raised valid concerns about how and what information will be accessed and the potential for HIPAA violations. The encryption question raised by the laptop thefts above applies with even more force here: a personally owned phone or tablet that holds PHI must be encrypted, locked and remotely wipeable, and the organization needs a way to verify that before granting the device access, because it does not own or manage the hardware.

As it stands, few organizations have taken the final steps to approve a formal BYOD program; Penn Medicine is among the closest to finalizing a plan that addresses many of the common concerns surrounding BYOD.

This forward-thinking approach to bridging communication gaps in healthcare comes at a tumultuous time, given the recent security breaches and hefty fines incurred by several larger healthcare networks. Brigham and Women’s Hospital and Beth Israel Deaconess are two of the most recent victims of theft; in the case of Beth Israel Deaconess, the hospital was hit with a $100,000 fine for negligence for failing to encrypt a laptop that contained patient-sensitive information.

Let our experts at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) help address your concerns by contacting us at 800-376-0212 or contact@ehrpmc.com.

Big Data Produces Big Results

Big Data is a buzzword in the Healthcare IT community and, according to recent reports, is producing big results. Let’s first understand what Big Data actually means. Big data is an all-encompassing term for any collection of data sets so large and complex that it becomes difficult to process them using traditional data processing applications. For a healthcare organization, the payoff is the ability to distill complex data and apply the results to better understand its patient population and improve patient outcomes. A new report from Brigham and Women’s Hospital describes more than a handful of ways to lower healthcare costs through the use of big data.

“The examples we present in this study provide key insights to the ‘low hanging fruit’ in healthcare big data and have implications for regulatory oversight, offer suggestions for addressing privacy concerns and underscore the need for support of research on analytics,” said David Bates, MD, chief quality officer at Brigham and Women’s Hospital and lead author on the study, in a press statement.

Brigham and Women’s researchers are using analytics to reduce costs in six key areas:

High-cost patients

The study suggests that identifying high-cost patients as early as possible and formulating a proactive approach will greatly reduce costs.

Readmissions

Many studies have revealed the staggering rate of hospital readmissions; this study suggests that as many as one-third of readmissions may be preventable. Bates and his coauthors suggest that all healthcare organizations should use algorithms to predict who is likely to be readmitted. Their recommendations include tailoring the intervention to the individual patient, ensuring that patients actually receive the interventions intended for them, monitoring specific patients after discharge so that emerging problems are caught before their condition deteriorates, and keeping the false-positive rate low, so that the number of patients flagged for an intervention does not greatly exceed the number who would actually have been readmitted.

Triage

The study shows that effective triage is key to predicting possible complications. Two pilot studies provide valuable lessons learned in establishing triage algorithms that ensure the patient is sent to the correct place for care and enable staff to make more informed decisions.

Decompensation

As patients’ conditions worsen, certain organs may fail to adequately compensate for the systemic stress of a disease. But there is often a period in which physiological data can be used to determine whether the patient is at risk of decompensating. The study notes that the original rationale for intensive care units was to allow critically ill patients to be closely monitored for just this purpose. The researchers emphasize that such systems can now be used throughout the hospital, that effective analytic systems in this area must combine multiple data streams to detect decompensation, and that many new technologies are becoming available to monitor patients more closely.

Adverse events

Adverse events are expensive and carry high rates of morbidity and mortality, but many of them are preventable, according to BWH researchers, who spotlight three areas, renal failure, infection and adverse drug events, as specific opportunities where analytics can realize cost savings.

Treatment optimization

When it comes to chronic diseases affecting multiple organ systems, correctly managing these systemic problems is essential to keeping costs down. For instance, the study shows how autoimmune disorders such as rheumatoid arthritis and lupus could benefit from big data, enabling caregivers to deliver expensive therapies in a more targeted way by predicting the trajectory of a patient’s disease and tailoring treatments and therapies along the way.

Let EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) help you analyze your patient data to improve patient outcomes and reduce costs. Contact us at 800-376-0212 or email us at contact@ehrpmc.com.


Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have hit big-name companies such as Target, Home Depot and, most recently, JPMorgan Chase, where hackers reportedly stole information on over 76 million households. Financial information is understandably important to safeguard, but what about your personal information, such as your medical records and Social Security number, the most coveted piece of information of all? A recent healthcare data breach has affected 30 million people and counting, and the exposed data included patients’ Social Security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess in Boston, MA can attest that this can happen to any healthcare organization, especially when proper training and precautions are not in place. Beth Israel Deaconess was hit with a heavy fine this month over an incident in 2012 in which a physician’s personal laptop was stolen. The Massachusetts Office of the Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, healthcare data has become increasingly targeted, accounting for 43 percent of major data breaches reported in 2013. This year appears to be on the same pace, and a dark shadow has already been cast over 2015.

Federal rules require breach notification, but in my opinion that is too little, too late. Hefty fines are turning heads at many larger healthcare organizations: in a 2013 survey, 69 percent of health security professionals said their organization has a data breach plan in place. That is not a number that grants much sense of ease. In fact, it is not the roughly 30 percent of larger healthcare organizations that are unprepared that worries me; it is the smaller private practices with no plan or strategy in place that, much like Beth Israel Deaconess, are still carrying my private medical information and potentially my Social Security number on a personal laptop with no encryption to secure its contents.

The moral of this story: don’t be a victim. Take HIPAA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!

Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself: how can you put a multi-layer defense in place to prevent a breach?

What are the risks? Reputational risks? Data integrity risks?

Areas To Address:

  • Encrypt every device, and protect the data center from external and internal attacks.
  • Have a risk analysis done properly; OCR is now asking for up to five years of history to show that you have made a conscious effort to mitigate your risks every year.
  • Staff training and education, penetration tests, and cable locks or trackers for unencrypted devices all matter.
As previously mentioned in my blogs, OCR has stated that over 60% of breaches occur because of theft or loss of an unencrypted device. Therefore, it is important to keep track of any device that leaves the office! Unauthorized disclosure accounted for 16% of breaches, and hacking accounted for only 7%. Note that these figures count reported breaches by incident, not by records exposed; a single intrusion into a server can expose far more records than a stolen laptop, as the Utah case below shows.
A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.
Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.
If you need help keeping EPHI (electronic protected health information) secure, please contact us to do a HIPAA Privacy/Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Important Reasons To Keep Patient Information Secure

Some organizations are unaware they have had a breach until the FBI initiates the incident report. Hospitals are not the only ones responsible; liability can extend to a medical application developer or a third-party vendor. Healthcare organizations should verify their vendors’ security and make it part of the contract. HIPAA breaches can bring federal, state and/or regional fines.

For example, Health Net, the Woodland Hills, Calif.-based health insurance company, learned in January 2011 that its business associate IBM had lost nine unencrypted server drives. These drives contained names, Social Security numbers, addresses and health information of Health Net employees, members and providers. Health Net received no federal fines, but two state attorneys general filed suit against the firm.
As a result, Health Net paid $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner, and settled with Vermont’s attorney general for an additional $55,000.
As of 2012 statistics, if your data was breached you had a 1 in 4 chance of becoming a victim of fraud.
Breach Due to a Weak Default Password on a Server
The report examined a HIPAA oversight by a contracted Utah Department of Health employee that affected 780,000 people. The server had been left with a weak default password and the department’s IT assets were not managed appropriately; hackers exploited the weakness and took Social Security numbers, medical diagnostic codes and dates of birth. Javelin Research estimated that some 122,000 cases of fraud would result, at a total cost pegged at a whopping $406 million, or roughly 20 hours to resolve each fraud case. The lesson applies to any organization: a default password on a network-reachable server is as good as no password at all, so change or disable default credentials before a system goes live, and keep an inventory of every system so that none is forgotten.

Having a Social Security number stolen puts a person at risk indefinitely.

Trust & Patient Health

“People refuse to see doctors for sensitive conditions because they know the information won’t stay private. I’m talking about cancer, depression, sexually transmitted diseases,” said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. “That’s a tragedy when people who have very treatable, serious medical illnesses won’t get care.”
A 2014 Harvard School of Public Health study assessing U.S. adults’ privacy perceptions about their health data found that more than 12 percent of some 1,500 respondents had withheld information from care providers over concerns about the security of their medical data.
If you need help keeping EPHI (electronic protected health information) secure, please contact us to do a HIPAA Privacy/Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Patient Access to Electronic Health Data v. Privacy/ Security Concerns

According to a recent survey of U.S. consumers:

  • 69% of those with chronic health conditions believe patients should have the right to access all of their healthcare information
  • 51% believe that accessing their medical records online outweighs the privacy risks
  • Consumers with chronic conditions had greater privacy concerns regarding online banking (70%), in-store credit card use (69%) and online shopping (68%), than their concern over privacy of their electronic medical record (65%)
  • 87% of U.S. consumers say they want to control their health data, but 55% believe they currently do not have very much control

Source: “Majority of U.S. Consumers with Chronic Conditions Believe Accessing Medical Records Online Outweighs Privacy Risks, According to Accenture Survey,” Accenture Press Release, May 5, 2014, http://newsroom.accenture.com/news/majority-of-us-consumers-with-chronic-conditions-believe-accessing-medical-records-online-outweighs-privacy-risks-ccording-to-accenture-survey.htm

Price Transparency Software Beneficial to Medical Practices/ Clinics

Published statistics show a rising trend in out-of-pocket expenses for patients, driven by the growth of high-deductible health plans. In a 2013 research study by InstaMed, the annual number of patient payments to providers rose 72 percent between 2011 and 2013, and the average payment increased 20 percent, from $110.86 in 2011 to $133.15 in 2013.

America’s Health Insurance Plans, a payer trade association, expects out-of-pocket expenses for insured patients to rise from $250 billion in 2009 to $420 billion by 2015.

Because of patients’ increased out-of-pocket expenses, providers are increasingly offering payment plans; InstaMed’s data shows that the number of annual payment-plan transactions increased 284 percent from 2011 to 2013. Additionally, more providers are accepting credit card-based electronic payments online and more patients are willing to pay this way. In 2013, credit card payments represented 42 percent of the gross dollar volume of back-office payments, an increase of 8 percent over two years earlier.

An InstaMed survey of providers that complements the data analysis found that 67 percent of patients saw an increase in their payment responsibility in 2013.

Forty-two percent of providers did not know what the patient was responsible for paying at the time of the visit. Seventy-six percent said it takes more than a month to collect from a patient, and 56 percent pegged collections as their top revenue cycle concern.

Another survey of more than 200 consumers found that 72 percent of respondents were unaware of their payment responsibility during a visit. Only 2 percent received healthcare bills via email in 2013. When given the option of how to pay a healthcare bill, most indicated they would pay online via a provider, payer or bank web portal. The vendor reminds providers that mobile devices can also be used to collect payments at the point of service.

One way to shorten the time it takes to get paid by a patient is for the practice to use price transparency software. This lets the patient know exactly what they will owe for the service they are receiving. The patient then has the option of paying the bill on the day of service, or at least knows what to budget for when they leave the office, so that when the bill arrives at home the funds may already be set aside. Either way, price transparency software is simple to use in a medical office or clinic and can reduce your days in accounts receivable (A/R).

If you are interested in seeing how price transparency software can help you collect more in a shorter time, please contact us at EHR & Practice Management Consultants, Inc. at (800) 376-0212, 847-322-0139 or contact@ehrpmc.com. We can demonstrate how price transparency software would work in your practice and help you decide whether it is a good fit.