BEI HIT Blog
Voice of the Doctor, January 27, 2014
BEI Commentary: We will keep saying it over and over until it is common practice – encrypt your hard drives (especially your laptops). Read about this practice in Canada that had an unencrypted laptop stolen that contained PHI for 627,000 patients.
In this latest release, Medicentres Family Health Care Clinics, a 27-clinic medical group in Western Canada, had an unencrypted clinic laptop stolen from one of the clinic’s IT consultants.
The laptop contained 620,000 patient names, dates of birth, health card numbers, medical diagnoses and billing codes, officials said. Read More
Healthcare IT News, 11/19/13
BEI Commentary: Many people use Dropbox for file sharing. We suspect a lot of you do. It’s easy, free in many cases, and convenient. One problem – it is not HIPAA compliant.
Torie Jones, former chief privacy officer at University of Pennsylvania Health System, had an ironclad rule in place for her staff: “No PHI in the cloud until you have a BAA in place.”
For most cloud-based vendors, those who are used to the specific demands of working in healthcare, getting that business associate agreement in place wouldn’t be much of a problem.
But when it comes to using the popular file hosting service Dropbox, that all-important contract isn’t something that’s readily forthcoming. Read More
American Medical Association, September 10, 2013
BEI Commentary: We know that many of you feel like you are being “HIPAA’d” to death, but we get requests about the new HIPAA rules all the time. Here is a link from the AMA website that has some nice resources on the new HIPAA rules, Encryption and even sample Notice of Privacy Practices and Business Associate Agreements.
Upcoming September 23, 2013 HIPAA privacy and security deadline – The U.S. Department of Health & Human Services (HHS) recently adopted new rules which make changes to existing privacy, security and breach notification requirements in what is often referred to as the final “HIPAA Omnibus Rule.” These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the same law that created the Electronic Health Records (EHRs) Incentive Program under Medicare and Medicaid. Read More
EMR & HIPAA Newsletter, November 5, 2011
According to the 2013 Medicare Final Rule released last week, there are new ways to avoid future payment adjustments under the MIPPA ePrescribing rule for those who have not already taken the necessary steps to avoid them: 1) The exemption request period has been reopened and 2) meaningful use will satisfy the ePrescribing requirements according to specific timetables.
1) CMS is offering a second chance to physicians who missed the June 30 deadline for requesting an exemption to the 2013 ePrescribing penalty (1.5%) under the original 4 categories. Between November 1, 2012 and January 31, 2013, physicians can go to the Quality Reporting Communication Support Page and request an exemption based on one of the following justifications: Read More
New York Times, October 8, 2012
BEI Commentary: A very interesting article about how some physicians are using social media. Obviously there are a lot of issues to work out, but it looks like these technologies can be put to good use in working with patients.
The teenager’s cellphone buzzes. Her doctor, Natasha Burgert, is texting her: “Better morning with this medication?”
Another teenager opens his phone. “Everything is great,” reads Dr. Burgert’s discreet text. “Go ahead with the plan we discussed. Please reply so I know you received.”
And on the morning of college entrance exams, a teenager who suffers from a roiling stomach reads Dr. Burgert’s texted greeting: “Prepared. Focused. Calm. Your body is healthy and well. Good luck today.” Read More
EHR Watch, May 15, 2012
BEI Commentary: If you have an EHR you need an IT support company, or you need internal staff to support your network and hardware. Most ambulatory practices will either partially or totally outsource their IT. It is a good idea to work with a company that understands the healthcare vertical and its rules and regulations (shameless plug: BEI is one such company). Business Associate Agreements are one of the reasons why.
So you’ve been working hard to firm up your IT security protocols and systems, and you’re feeling good about the progress you’ve made.
Now, how about your myriad partners who also have access to your patients’ health information?
As this observer points out, for many providers that’s a different story altogether. He says that “while the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.” Read More
Health Data Management, April 17, 2012
BEI Commentary: For those of you who think that the HIPAA police are only after hospitals and payers, think again. This article states that an Arizona-based cardiology practice was fined $100,000 for sloppy HIPAA practices related to their IT infrastructure.
Phoenix Cardiac Surgery, P.C., with offices in Phoenix and Prescott, Ariz., will pay a $100,000 fine and implement a corrective action plan under a resolution agreement with the HHS Office for Civil Rights following HIPAA privacy and security rule violations.
OCR began an investigation after learning that the physician practice was posting clinical and surgical appointments on an Internet-based calendar that was publicly accessible, according to an April 17 announcement from the agency. The investigation found that the practice had few policies and procedures to comply with the privacy and security rules.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” OCR Director Leon Rodriguez said in the announcement. Read More
MedPage Today, December 7, 2011
BEI Commentary: There are good reasons for Meaningful Use Core Measure 15. According to some experts, stolen health care data can be worth much more than even credit card numbers. Another major difference is that credit card numbers can be cancelled. Health information always remains with the individual.
Medical identity theft has become one of the most lucrative forms of identity theft, according to a panel of cybersecurity specialists.
Stolen patient data – including electronic health records as well as insurance information – is valuable because it can be used to make false or inflated insurance claims, obtain prescription drugs, or receive treatment at the insurance account holder’s expense. Read More
HealthData Management, November 7, 2011
BEI Commentary: This article reflects the whole point of Core Measure 15 – Risk Analysis. You need to make sure that you have put in place reasonable security procedures regarding your IT Infrastructure. Clearly, the practice in this article was caught off-guard.
Earlier this year, Janet Spangler got an object lesson in the tension between data access and security. A new patient at Family Medical Associates of Raleigh (N.C.) toted his own laptop into the exam room, recalls Spangler, administrator at the five-physician group practice. When the physician arrived, the patient–a computer technician–turned his laptop around, revealing he had just gained access into the group’s ostensibly secure wireless network, then admonishing the physician about the need to improve access controls. “We have since modified our wireless system,” Spangler says. “But the experience left us uneasy.”
No sensitive information was exposed during the interlude, but the episode gives insight into why Family Medical Associates takes what Spangler describes as “a conservative approach” to data access. Not only did the group bolster its firewall against unwarranted outside intrusion, it put limits on what its own staff can see on the EHR, an ambulatory system from Greenway Medical Technologies that has been in place for five years. The practice even takes the extraordinary step of maintaining any employee medical records on paper, in a locked cabinet, and not on the EHR. “We can restrict access to our online charts, but you don’t want records inappropriately accessed by other staff,” she explains. “We are all for access if it results in better care. But we are quick to limit access if there’s a risk of a security breach.” Read More
Security becomes a bigger IT issue every day. Security is not just about protecting websites or servers; appropriate security is required for workstations as well. In fact, HIPAA requires it. Here are a few simple things to think about:
- Make sure each individual on your staff has a unique ID/Password for logging into the EHR. This may seem like a simple thing, but we have seen practices where a common ID/PW is used by people with similar roles. Unique ID/PWs are required to determine who has logged into the EHR and what changes they made.
- Passwords should be strong. Require at least 6 characters with at least one character being alphabetic and one being numeric.
- Place an inactivity timer on each workstation of five minutes. It is quite easy for someone to walk away from a workstation while forgetting that they are logged in. This gives a patient or other staff the opportunity to access the EHR using someone else’s ID/PW. This would result in unauthorized access to ePHI, which is a HIPAA violation.
- Encrypt your hard drives. Some workstations may have ePHI and some may not. Why bother figuring out which is which? If you encrypt the hard drive of each workstation, you will guarantee that you are HIPAA compliant. Encrypting the hard drive should not cost anything. If the workstation is lost, and you are not sure if there is ePHI on the machine, and the machine does not have encryption, that is a HIPAA violation that most likely needs to be reported to the Office for Civil Rights.
- Consider a privacy filter for workstations, especially those in public areas. Privacy filters allow only the user to view what is on the screen. Off angle viewing is blocked. They are very inexpensive and can be purchased for both laptops and desktops.
All of the items above are straightforward and easy to implement. They can go a long way to protecting the ePHI in your practice!
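Two of the items above (unique IDs and the inactivity timer) are the kind of thing you can verify from the EHR’s own audit trail rather than take on faith. The script below is an added example written for this post; it is not code from BEI or from any EHR vendor. It assumes a hypothetical audit-log export format (one line per event with a timestamp, user ID, workstation and event name) and constructed sample lines in that format. It flags the same user ID logged in on two workstations at once (the signature of a shared ID/password) and sessions left logged in with no activity for longer than the five-minute timer, and it implements the password rule from the list (at least 6 characters, at least one letter and one digit).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Password rule from the checklist: at least 6 characters, with at least
# one alphabetic and at least one numeric character.
def password_meets_policy(password: str) -> bool:
    return (len(password) >= 6
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

# The workstation inactivity timer recommended in the checklist.
INACTIVITY_LIMIT = timedelta(minutes=5)

# Constructed sample audit log in a hypothetical EHR export format
# (timestamp, user ID, workstation, event). Not a real product's format.
SAMPLE_AUDIT_LOG = """\
2014-01-27 08:00:00 user=jsmith ws=FRONTDESK1 event=login
2014-01-27 08:02:00 user=jsmith ws=FRONTDESK1 event=chart_view
2014-01-27 08:03:00 user=jsmith ws=EXAM2 event=login
2014-01-27 08:04:00 user=jsmith ws=EXAM2 event=chart_edit
2014-01-27 08:05:00 user=jsmith ws=FRONTDESK1 event=logout
2014-01-27 08:06:00 user=jsmith ws=EXAM2 event=logout
2014-01-27 09:00:00 user=rjones ws=EXAM1 event=login
2014-01-27 09:02:00 user=rjones ws=EXAM1 event=chart_view
2014-01-27 09:15:00 user=rjones ws=EXAM1 event=chart_edit
2014-01-27 09:16:00 user=rjones ws=EXAM1 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) ws=(?P<ws>\S+) event=(?P<event>\S+)$"
)

def parse_audit_log(text: str) -> list:
    """Parse the hypothetical export format into records sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip blank or malformed lines instead of crashing
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "ws": m["ws"], "event": m["event"],
        })
    records.sort(key=lambda r: r["ts"])
    return records

def audit_sessions(records: list, idle_limit: timedelta = INACTIVITY_LIMIT) -> list:
    """Return findings: shared-credential logins and idle-but-open sessions."""
    findings = []
    # Open sessions per user: workstation -> timestamp of last activity.
    open_sessions = defaultdict(dict)
    for r in records:
        user, ws, ts = r["user"], r["ws"], r["ts"]
        active = open_sessions[user]
        if r["event"] == "login":
            # A login while the same ID is still open elsewhere means the
            # ID/PW is being shared (or the user never logged out).
            others = sorted(w for w in active if w != ws)
            if others:
                findings.append({"kind": "shared_credential", "user": user,
                                 "ws": ws, "also_active_on": others, "at": ts})
            active[ws] = ts
            continue
        if ws not in active:
            continue  # activity with no recorded login; nothing to measure
        gap = ts - active[ws]
        if gap > idle_limit:
            # Session stayed logged in with no activity past the timer:
            # on a workstation without an inactivity lock, that is exposure.
            findings.append({"kind": "idle_session", "user": user, "ws": ws,
                             "idle_minutes": gap.total_seconds() / 60, "at": ts})
        if r["event"] == "logout":
            del active[ws]
        else:
            active[ws] = ts
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
    for pw in ("abc123", "abcdef", "12345", "Pass2014"):
        print(pw, "ok" if password_meets_policy(pw) else "rejected")
```

On the sample data the script reports jsmith logging in on EXAM2 while still logged in on FRONTDESK1, and rjones’s session on EXAM1 sitting idle for 13 minutes. Note that this kind of check only works because each person has a unique ID: with a shared front-desk login, the concurrent-session finding would fire constantly and tell you nothing about who actually touched the chart.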