Quarterly HIPAA Briefing and Security Reminder

Topic: Business Associates

Content:  A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  In other words, a Business Associate is a vendor or contractor that has direct, technical, or incidental access to patient information.  Some examples of Business Associates include:

·         Medical Billing Companies

·         Information Technology (IT) Companies

·         Accountants

·         Attorneys

·         Business Consultants

·         Credentialing Consultants

·         Practice Management Companies

·         EMR Vendors


Did you know?

o   Business Associates are required by the U.S. Department of Health and Human Services to be HIPAA compliant.

o   Business Associates are responsible for over 60% of all the patients affected by HIPAA breaches.

o   Business Associates who ignore their HIPAA obligations present unnecessary risk to their customers, because the covered entity remains answerable for the patient information it handed over.

What can you do?

1.      Work with your vendors to ensure that BAAs (Business Associate Agreements) are in place that clearly define the responsibilities of each party to protect patient information.

2.      Help your vendors understand that they are equally responsible for HIPAA compliance.

3.      Educate the business community on the importance of protecting patient information.


May HIPAA Briefing and Security Reminder

Topic:  Encryption

Content:  Encryption is the conversion of data into a coded form, called ciphertext, that cannot be read by anyone who does not hold the key.  Typically, in an encryption process, a “key” is applied to the data to scramble it in such a way that only the corresponding key can unscramble it.  Here is how it works:

Encryption uses a series of mathematical operations to scramble data.  Unless the correct decryption key is applied, the data remains scrambled.  The protection is only as good as the key: a key stored next to the data it protects, or a passphrase an attacker can guess, defeats the purpose.

Encryption of patient information focuses on two states of data:

1. Data at Rest – When you store patient information within an Electronic Medical Records application, or on your desktop, laptop, or mobile phone, it is considered data at rest.  To be a Meaningful Use certified EMR, data at rest within the application must be kept in an encrypted state.  Encryption on a desktop, laptop, or mobile phone must be installed and enabled separately.  One common sign that full-disk encryption is active is a prompt for an additional password or PIN before MS Windows, or your respective operating system, loads.  The absence of that prompt is not proof that encryption is missing, however: BitLocker on a computer with a TPM can unlock the drive silently at boot, and FileVault on a Mac presents its pre-boot unlock as an ordinary login screen.  The reliable way to know is to check the operating system’s own status report (for example, “manage-bde -status” on Windows, “fdesetup status” on macOS, or an “lsblk” listing that shows a “crypt” device on Linux) or to ask your IT provider.  When data at rest is encrypted it is useless to someone who obtains the device or file but does not have the decryption key.

2. Data in Transit – When you transmit data from one computing device to another, it is defined as data in transit.  Some very common examples of data in transit include connecting to a wireless network, connecting to a web-based application such as an EMR or your bank, sending text messages from your mobile device, using a public email service, and using a remote desktop connection.  There are two common indicators that an encrypted layer has been applied to the link over which data is being transmitted.  First, addresses for internet sites will begin with “https://”, and most browsers also show a padlock; a certificate warning at that point means the protection cannot be trusted, and the connection should be abandoned rather than clicked through.  Second, you may be required to supply a password before a connection is established, as when joining a protected wireless network; without the correct key the connection will, in most cases, be refused outright.  Bear in mind what these indicators do not tell you: “https://” protects the data only between your browser and the web server, not how the application stores it afterward; an open (password-free) wireless network sends anything that is not separately encrypted, such as plain “http://” traffic, in the clear; and ordinary SMS text messages carry no such indicator and should not be assumed to be encrypted, so patient information should not be sent by text.

If neither of these indicators appears, assume your data is exposed in transit.  Higher vulnerability leads to higher risk, and a complete lack of encryption for Protected Health Information is treated as a “very high risk” vulnerability in a risk assessment.

If you are unsure of the level of encryption that is enabled on your device, network, or application, please consult your organization’s Privacy and Security Official or Information Technology services provider.
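The following is an added illustration for this briefing, not code from the newsletter or from any EMR vendor.  It shows the two ideas in the text in running form: a key derived from a passphrase scrambles a stored record, and without that key the stored bytes are refused rather than read.  The construction (PBKDF2 key derivation, an HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) is a generic textbook design chosen because it needs only the Python standard library; the iteration count, the field lengths and the sample record are assumptions.  A production system should use a vetted authenticated cipher such as AES-GCM from a maintained cryptography library instead of this hand-built keystream.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000      # assumed work factor; tune to the deployment
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32                 # HMAC-SHA256 output


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) per block."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_record(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag for one stored record."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_record(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first, then unscramble. Raises ValueError on a wrong
    passphrase or on any modification of the stored bytes."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("stored record is truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def wrong_key_is_useless(passphrase: str, blob: bytes) -> bool:
    """True when decryption with this passphrase is refused outright."""
    try:
        decrypt_record(passphrase, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    record = b"MRN 000123 | DOE, JANE | DOB 1970-01-01 | Dx J45.909"
    stored = encrypt_record("correct horse battery staple", record)
    assert record not in stored                       # plaintext is not visible
    assert decrypt_record("correct horse battery staple", stored) == record
    assert wrong_key_is_useless("password1", stored)  # wrong key is refused
    print("encrypted, verified and decrypted OK")
```

Two design points matter for the "useless without the key" claim in the text.  The tag is checked before anything is unscrambled, so a wrong passphrase or a single flipped byte in the stored file produces a refusal rather than garbage that might leak structure.  And the salt and nonce are stored with the record but are not secrets; the only secret is the passphrase, which is exactly what the briefing says must not sit on the same device as the data.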


HIPAA Gets Tougher on Physicians

By Jennifer Lubell, American Medical News

The final omnibus rule was released January 17th, which strengthened patient privacy protections against security breaches.  Prior to this rule, patients were notified of a breach only if doctors determined that a significant financial or reputational risk was possible.  Now, doctors must report any presumed breach to patients, unless a risk assessment shows a low probability that information was compromised.

Doctors are not the only party affected by the new rule.  Business associates are now responsible if they cause a breach of patient information.  These are defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  Business associates can range anywhere from storage providers to shredding companies.

Under the final rule, physicians also need to revise their notices of privacy practices to explain their relationships with business associates.  Revised privacy notices must be placed in prominent areas of the doctors’ offices and on their websites.  They must also explain the breach notification process to patients.

Full article: http://www.ama-assn.org/amednews/2013/02/04/gvl10204.htm

HIPAA Briefing and Security Reminder

Topic: Password Tips

Passwords serve as an authentication method for access to electronic Protected Health Information (ePHI).  When we log in to a software application, we are typically identified by two pieces of information, our user ID and our password.  Note that this is still single-factor authentication: both are “something you know”, so the password is the only real secret, which is why its quality matters.  Apart from our daily access to patient information, it is good practice to password protect all of our private data.  Methods of cracking passwords become more advanced daily.  Therefore, it is important to remember the following when creating and using a password to gain access to systems:

  1. Use a passphrase, where applicable, instead of a single word.
  2. Choose a password/passphrase that is made up of letters (upper and lower case), numbers, and a symbol, such as $, #, %, &, or @.
  3. Choose a password/passphrase that is at least 8 characters long.
  4. Create a password/passphrase that is easy to remember so it doesn’t have to be written down.
  5. Do not use your login name in any form (e.g. as-is, reversed, capitalized, doubled, etc.).
  6. Do not use your personal name, a family member’s name, or any other personal identifier.
  7. Do not share your password/passphrase with anyone.
  8. Change your password/passphrase on a routine basis.
  9. If it is possible and practical, do not use the same password/passphrase on multiple software applications.  Reusing one password lets an attacker who learns it gain access to every system where it is used.

You are responsible for ensuring that your User ID is appropriately protected and used only for legitimate access to networks, systems, and applications.

If you believe that your User ID and/or password have been compromised, you must report that a security incident has occurred.

Examples of strong passwords include the following:

Hipa@e%PerT #JuLy4tH@cAmP L4k3M1chiG@n
D0ct*R$OFf1c3 He@!thC4re sn0wiNW!nT3r
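The following is an added example for this briefing, not code from the newsletter.  It turns tips 2, 3, 5 and 6 above into a checker that an application or help desk could run before accepting a new password, and then runs it over the sample passwords listed above.  The login name and personal names passed in are hypothetical inputs, the three-letter minimum for name matching is an assumption, and nothing here is tied to a real system.

```python
import string

MIN_LENGTH = 8                          # tip 3
SYMBOLS = set(string.punctuation)       # covers the $, #, %, &, @ named in tip 2


def login_name_forms(login: str) -> set[str]:
    """Tip 5: the login name as-is, reversed and doubled. Everything is
    compared in lower case, which also covers the 'capitalized' form."""
    base = login.lower()
    return {base, base[::-1], base * 2}


def check_password(password: str, login: str, personal_names=()) -> list[str]:
    """Return the tips the candidate violates; an empty list means acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"tip 3: shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("tip 2: no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("tip 2: no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("tip 2: no number")
    if not any(c in SYMBOLS for c in password):
        problems.append("tip 2: no symbol")
    if any(form and form in lowered for form in login_name_forms(login)):
        problems.append("tip 5: contains the login name")
    for name in personal_names:
        # Assumed threshold: names shorter than three letters would match
        # almost anything, so they are not checked.
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"tip 6: contains the personal name {name!r}")
            break
    return problems


def acceptable(password: str, login: str, personal_names=()) -> bool:
    return not check_password(password, login, personal_names)


# The six sample passwords printed in the briefing above.
SAMPLE_PASSWORDS = ["Hipa@e%PerT", "#JuLy4tH@cAmP", "L4k3M1chiG@n",
                    "D0ct*R$OFf1c3", "He@!thC4re", "sn0wiNW!nT3r"]


def audit_samples(login: str = "jdoe") -> dict[str, list[str]]:
    """Run every sample password through the checker for a hypothetical user."""
    return {pw: check_password(pw, login) for pw in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    for pw, found in audit_samples().items():
        print(f"{pw:16} {'OK' if not found else '; '.join(found)}")
    print(check_password("Jdoe2024!", "jdoe"))                  # login name as-is
    print(check_password("eodJ#2024x", "jdoe"))                 # login name reversed
    print(check_password("Smith!Family9", "jdoe", ("Smith",)))  # family name
```

Running the audit shows something worth knowing about the list above: five of the six samples pass, but “Hipa@e%PerT” contains no number and so fails the briefing’s own tip 2.  A checker like this catches such slips before a policy is published.  Two caveats for anyone adopting it: composition rules are a floor, not a measure of strength, and current NIST guidance (SP 800-63B) puts more weight on length and on screening candidates against lists of already-breached passwords than on symbol requirements or scheduled rotation (tip 8), which it recommends only after a suspected compromise.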

Healthcare Cyber Security Webinar

On January 23rd HCM held a webinar featuring our own Joe Dylewski and Jill Jordan, from Arthur J Gallagher. They discussed the importance of Cyber Security and HIPAA Policies for your practice.  Check out the transcript of the webinar below:

Joe Dylewski: I have spent the majority of my career, almost 25 years now, on the IT side of business.  I’ve held positions everywhere from infrastructure manager to project manager, and I’ve had the opportunity to live and work overseas as a part of that.  The last half of my career has been exclusively in healthcare.  I got my footing in the HIPAA side of the business through application development.  We were leading large projects that required HIPAA compliance and began really digging into the HIPAA requirements around the 2000-2003 timeframe.

Jill Jordan:  I have spent the majority of my 15 or so years in the insurance business, mostly on the brokerage side.  I started with Gallagher in Houston in 2000, and was there doing P&C in the energy industry.  Then I moved to Chicago and started working solely on cyber risk services in E&O about six and a half years ago.  My focus is now just on this arena.

Environment Slide:

Joe:  Whenever I present on HIPAA I like to spend a few minutes doing a HIPAA 101, because I find that a lot of individuals aren’t completely familiar with what HIPAA is all about and what is contained in the HIPAA language.  So if I can take us all back to 1996 when HIPAA was introduced.  From an initiative standpoint, the real purpose of HIPAA, upfront, was to try and reduce health care costs.  A lot of that had to do with the administrative time that was engaged in making health care run.  For example, if anybody remembers or was involved in health care prior to ’96, when we would submit claims from a doctor’s office to an insurance company, or a hospital to an insurance company, a lot of that claim information was paper.  So doctors would keep ledgers of all the patients they visited, and what the procedures were.  And on the other end, that paper would be interpreted, claims would be adjudicated, payments would be sent, et cetera.  Well, as you can imagine, that’s extremely inefficient.  So, the real purpose was to try to drive some efficiency using electronics in healthcare.  However, there were other pieces that they put in place with HIPAA; one of them was insurance portability, the idea of being able to hold individual coverage and have that coverage transfer from employer to employer.  Another was fraud prevention; obviously, with the introduction of electronics into this system, we wanted to be able to place an emphasis on being able to recognize and prevent insurance fraud.

And then this whole idea of administrative simplification; now this is generally the area where people have the most familiarity.  When we think of HIPAA, we think that it really equates to those forms that you sign at the doctors’ offices for their privacy, and what they can do with your information.  Well, in reality, that privacy piece of HIPAA is one fraction of what HIPAA is as a law, because there’s also the idea of securing the information.  Now, I’m going to spend a little bit of time discussing the differences between privacy and security.  So, the privacy side talks specifically about what’s called “use and disclosure”; how a doctor or insurance company can use your information to treat you, to receive payment, or to maintain the healthcare operations.  The other side of privacy is the disclosure piece, which is how an entity can release your information to a third party; in other words disclose it for some purpose, whether it’s approved.  And where we get into unauthorized disclosures is that word we know as breach.

HIPAA-Title II Slide:

Now the security side, however, is a little different and is typically the area where I find the least familiarity in the marketplace.  So, Title II of HIPAA is named administrative simplification.  Then there are three major sets of rules under the administrative simplification law.  The first one was the electronic data interchange; so the idea of taking healthcare transactions and being able to transmit those from point A to point B electronically was all defined in HIPAA.  The codes, the transaction sets were all identified.  On the far right is the privacy rule, which we talked about a few seconds ago.  In the middle is, now where we’re getting a lot of attention, the security rule.  And the security rule deals with different steps and safeguards to protect electronic patient information: administrative safeguards, physical safeguards, and technical safeguards.  And a lot of that deals with the policies and procedures that are in place.  It deals with the effects and the mechanisms that individuals or organizations have to protect that data, and, of course, being able to prove that.

Security Rule Slide:

So, we’ll talk about that security rule because the first thing that comes to mind when I talk with organizations about security is this whole idea of confidentiality.  So, many believe that security is keeping that information confidential.  But from a HIPAA perspective, security has to do with three key areas: in addition to confidentiality, integrity and availability.  Imagine that the integrity of the data is compromised; if you were a patient, and the data wasn’t correct, and you were attempting to receive care with incorrect data; I’ve seen it happen out there.  And the third, and very important, piece is availability.  So, once a hospital or physician practice moves to the electronic method of keeping medical records, imagine what it would be like if the information one day just wasn’t available for various purposes.  These reasons could be a disaster, or a general system outage.  So HIPAA deals with all three of those areas, and a breach could occur in any one of those areas.

Where is the PHI? Slide:

Let’s talk a little bit about the location of PHI, protected health information.  On this diagram I’ve laid out a scenario, and I chose the lowest common denominator, which is a one-physician practice.  However, when you start looking and peeling back the onion on a physician practice, you find that the protected health information that they hold is actually all over the board.  You have, maybe, an IT services company that takes care of their equipment, so they have access to it.  Document destruction, a shredding company has access to it.  That patient information might not reside on their site; they might be using hosted electronic medical record software that is located elsewhere.  So all of a sudden, you have this doctor’s information spread across a great deal of geography.

The HITECH Act Slide:

It’s important to understand that the protection of that health information has to be equivalent in every one of those entities.  So, the one thing I talk about in that slide is it’s one thing to recognize the risks and vulnerabilities that exist in a particular office, but keep in mind that the scope of geography is much larger.  So, we’re moving along in HIPAA from ’96, and these security and privacy rules have been in place since ’96.  However, in 2009, something interesting happened in the healthcare market.  And as part of the American Reinvestment Recovery Act, there was another act that was a portion of that called the Health Information Technology for Economic Recovery and Reinvestment, HITECH.  And one of the things that happened in HITECH is the government recognized, based on where we stood electronically in the healthcare industry, that we needed to have a major push to get physician records electronic.  If you think about this, 80% of patient records, as they exist today, exist in doctors’ offices; the remaining 20% exist in hospitals.  Up until 2009, less than 1% of any doctor’s office had implemented electronic technology.  So, the push for security from the HIPAA perspective was never that strong; they never had much to go on, although it was out there.  Well, once HITECH came along, it introduced incentives or reimbursements for the implementation of electronic medical records.  That reimbursement came in the form of Medicare funds and it was somewhere between $44,000 and $63,000, based on the type of business you did, whether it was Medicare or Medicaid.  The practices and practitioners out there saw this, and saw it as their opportunity to finally have some organization help them implement their electronic medical record software.
HIPAA looked at this and said “pause, stop, if we’re going to do this we have to make sure that these rules we’ve implemented in ’96 continue to be adhered to and everyone understands them.”  With this reimbursement, all of a sudden, came this push for HIPAA, and HIPAA compliance and security compliance.  One of the things they did to strengthen that was when a practice or practitioner is going to receive this reimbursement, they have a certain amount of requirements and measurements they have to meet.

HIPAA Enforcement Slide:

HIPAA compliance and security compliance was one of those measures.  The other thing that came out of HITECH was to put some teeth around the HIPAA laws; so they beefed up the enforcement activity.  Prior to HITECH, if there was a breach the maximum fine was $25,000.   They’ve raised that to $1.5 million as a maximum fine; it’s now being enforced by the Office of Civil Rights.  They’re also currently building an audit candidate list, so the Office of Civil Rights is going to be randomly auditing organizations on their HIPAA compliance.  The other key phenomenon to happen out of all of this is that collected fines went to support the enforcement process, so it was a self-funding effort.  Also, they appropriated dollars within HITECH for enforcement within the State’s Attorney General Office.  Practitioners can face maximum OCR fines of $50,000 for falsely attesting to meaningful use measure #15; meaningful use measure #15 was this piece of those reimbursement dollars that required HIPAA compliance.  The other thing that changed is that ignorance is no longer tolerated.  Prior to HITECH, it was seen that people would get slapped on the wrist where they could claim “I didn’t know”, and were just told to fix things.

Compliance Effort vs. Risk Slide:

Ignorance is no longer tolerated; it’s now considered willful neglect.  So, the idea with the enforcement activities and HIPAA in general is that the more effort you put into being compliant, the less risk you present.  The government Office of Civil Rights identifies this by the least amount of effort done being considered neglect.  So, if a breach occurs and the problem is mitigated it’s considered one category; if it’s not mitigated it’s considered this other category, which means it’s willful neglect if the violation is not corrected.  Then, the organization can willfully neglect it and correct the problem.  The organization can have a breach due to reasonable cause and not willful neglect; in other words they don’t work on it but it was something that was missed or something that was not ignored.  Then, of course, the last is a breach that happens by exercising all the diligence but not being able to control that; and that’s important because breaches that occur are tagged with some sort of fine, and the idea is that the more effort you put in, the less risk, and the more you reduce the potential fine and enforcement activities.  Even in the most compliant organizations, breaches can and do occur, but the way that it’s enforced is based on how much effort has been put in to preventing that occurrence.

OCR Audits and Current Activity Slide:

So let’s talk about what they’re doing to find out and determine where and how these breaches are enforced.  First of all, one of the things that’s happened over the last two years is a formal HIPAA audit protocol was developed; in other words, they didn’t have anything to evaluate an entity prior to 2010.  So they contracted with a couple of larger consulting firms; one of those actually created a HIPAA protocol for audit, and the other created an audit target list.  They’re in the process of wrapping up the first year of those audits, and are now in the process of creating a second audit list that is going to include business associates.  It’s important to know that, in terms of what triggers an audit, there are really three things.  One of them is a self-reported breach; if there are healthcare organizations on the call then we know that if a breach occurs they are required by law to report that, and depending on the size they may have to report it to different vehicles.  The other way that a HIPAA breach or audit can occur is when a patient complains.  For example, I’ve been involved in situations with clients where a patient has felt their privacy was violated and they complain to the Office of Civil Rights and it sparks a full-on audit.  The third is the idea of a random audit; these audits are the least probable.  The probability of getting chosen by OCR for a random audit is very low.  The other triggers are much higher.

Cyber Security Trends Slide:

So with that, I’m going to turn the presentation over to Jill for the cyber security.

Jill: I’m going to spend a few minutes talking about the trends when it comes to breaches, then go into some insurance coverages that you can purchase to mitigate against, or help with, the costs associated with a breach.  You’re looking at the trends over the last 5-6 years.  A couple of things to note on here: it’s been steady as to the number of breaches as of September 2012; between 400-600 breaches is normal.  The records exposed is also somewhat even; anywhere from 15-16 million to 25 million is the normal.  You’ll see in 2009 and 2007 there were two large hits; those were very specific, large breaches.  One was the TJ Maxx, back in 2007, and the Heartland breach was 2009, affecting a lot of grocery stores on the East Coast.  2007 and 2009 were anomalies.  To go through a quick trend of what happened in 2012, the final numbers are 447 breaches and about 7 million records exposed.  Of those 7 million, the medical healthcare industry is by far the largest group this past year.  About 35% of the breaches were healthcare and about 13% of the records; right now they’re the number one industry as far as breaches.  The government is number two, pretty much because of the number of records they hold; that breach makes sense.  Education is number three, which includes both higher education and K-12.  The healthcare industry is definitely seeing the most breaches.  Just so you know, on here we’ve been talking about PHI; this obviously includes PHI and PII, which is personally identifiable information.  PII is more on the financial side, including your name, address, with social security number, date of birth, driver’s license, any kind of account information including credit cards, debit cards, that sort of thing.  So both sides are represented here, PHI and PII.

Cause of Breach Slide:

The next slide is a pie graph of the causes of a breach.  About 40% of breaches are employee negligence, not intended; these are the lost laptop, lost flash drive, sending wrong information by email or mail to the wrong patient, not shredding paper documents when you should.  The malicious or criminal acts are the hacker getting in, obviously.  But it also includes rogue employees, people who have legitimate access to information, but they use it fraudulently or sell it.  The system failure is when the actual network gets a virus and causes a breach.  The significance of this breakdown is that the majority of breaches aren’t something you can combat with security on the network.  IT security is a great step to be prepared, but you can’t do much about the negligence and innocent errors of people.

Major Risk Concerns Slide:

Human error is by far the biggest risk concern; not intentional, just someone making a mistake.  Hackers, rogue employees, independent contractors, is another set of exposures when you outsource your IT, payroll, admin; you’re opening yourself up because you don’t have as much control over the security of information when you hand it over to a third party.  Keeping track of that, understanding what insurance they have, what security practices they have in place, keeping up with your contractors and independent vendors is important when it comes to keeping that information secure; because if it’s your information, it’s your responsibility.  Even if you’re turning it over to someone else, if something happens, you’re the one on the hook with OCR.  Mobile devices, cell phones, smart phones, tablets, desktops, and laptops are also a risk.  The regulatory environment, including HIPAA and the financial side, has quite a few laws as well, especially when it comes to state regulation of notification.  HIPAA has its own set, which is broader than a state’s financial notification.  Cloud computing, storing information offline with a third party, is becoming more of a concern; just getting people to realize where the risk concerns are.

Response Cost Per Record Slide:

This page talks about cost.  These are from a survey done by the Ponemon Institute; they’re good figures.  They’re a little bit off from what our experience is because Ponemon brings into their study lost customers and loss of business, which skew the numbers a little bit.  What we see for notification, discovery, forensics, and legal expenses, and those legal expenses would include navigating the notification laws, we see it typically between $10-15 for all of those combined.  The $35 for credit monitoring and ID theft services is also a little high; it’s closer to $15-20.  ID theft services include call centers that people can call to find out what happened, what they need to do, what’s available to them, and it includes restoration services if someone had an ID theft.  The average is $194 per record, including the response cost, the liability that arises from a breach, or also class action.  $5.5 million is the average breach number, and 15% is for attorney fees on the liability.

Cyber Liability- Coverage Descriptions Slide:

Now I’ll talk about some of the coverages available under the insurance policy.  The crux of the policy is the network, security, and privacy policy.  On this page, you can’t find these coverages under a normal casualty program; that’s where cyber liability came from, the gaps that the traditional policies don’t handle.  So this is going to cover not just the privacy side, but also the security.  So if you have a virus that you transmit to a third party network and they have damage, they can come back and sue you.  Also, denial of service; if someone relies on your network to do their work, and your network is down for some reason and they don’t have access to it, they might sue you.  Those things are covered, as well as the unauthorized use of information by a hacker or employee; it can be paper or electronic, it doesn’t matter.  You do have the responsibility to keep that information private; any liability associated with compromised information is covered.

The privacy regulatory action is obviously important in regards to the healthcare industry.  If OCR does find out about a breach, you have coverage; but only if you do find out about a privacy or security breach, so it’s not going to cover a random audit, it’s just going to cover a patient complaint if they find out they’ve had an audit from you or the state attorney.  It will help with your investigative costs associated with the investigation, and also help with the fines and penalties if it’s insurable in the state.

The breach response coverage covers, as soon as you have a breach or incident, finding out if you actually have an incident; so computer forensics, hiring a law firm or a firm to help with the notification law.  The credit monitoring and ID theft services, also the hiring of a crisis management or public relations firm to help mitigate any reputational harm, which can be important.  One note: the policies will usually cover notification when it’s required by state law.  Again, with HIPAA it’s a little more far-reaching so you have more of a chance of getting it covered.  For example, if you had encrypted employee social security numbers compromised, it’s called voluntary notification if you want to let those people know anyway, even though it doesn’t trigger notification law.  They will usually provide coverage; you just have to get carrier approval first, and usually, if they don’t cover it for the full amount of the breach response limit, they sometimes supplement it.

Coverage Descriptions Ctd. Slide:

These are coverages that are available under the cyber policy; you can get them elsewhere, so they’re optional under the cyber policy.  Media liability, you can get a standalone policy, but you also have some coverage under the general liability coverage policy.  GLs are usually for advertising only, and it usually doesn’t include intellectual property infringement, so you might not have copyright or trademark infringement coverage; you might just have the personal injury.  This, you can purchase a couple of different options under the cyber.  It can be for your website, any information disseminated on your website.  Or it could be internet-based, which would include your website, but also anything sent over the internet, intranet, anything sent over emails, so it brings in a little more electronic data; anything electronic would be covered.  Or you could get full media, which is also called enterprise media, multimedia, all kinds of things; that would cover both electronic and paper.  So any way you can view published information would be covered.

The cyber extortion is actually an add-on, usually, that goes on the policies.  We can have it taken off; it doesn’t affect the premium too much.  This is obviously just the kidnap and ransom of information.  For example, someone could physically steal a server and a year later they come back and demand money or they’ll release that information.  This would cover the investigative expenses, the negotiation, that sort of thing, plus the extortion itself.  But it could also be that a hacker gets into your system or network and says “this is how we did this, this is how you can plug your holes, so pay us money or we’ll release the information.”  Both of those situations would be covered.

Network interruption is similar to property business interruption, it’s just specific to your network being down for security breach reason; so if a virus brings it down, your lost business income would be covered and any extra expense would be covered.  Again, you can find this in your normal property policy and could have supplement and extend to your network, which is why it’s an optional coverage.  Also, some people don’t rely on their network being up for income.  Yes, it relies on your service and what you do, but it doesn’t necessarily interrupt your income, so it wouldn’t be something someone needs.  But we often do include it on any healthcare related policies.

The data recovery is restoring or recreating data that has been damaged by a security breach.  Again, it’s an outside cost; it wouldn’t cover your inside costs to do this.

So What Can You Do? Slide:

Now insurance, obviously, is just one piece of the risk management pie.  You want to concentrate on prevention, be prepared in case you do have a breach, and be prepared to respond to it.  All of those go along with the risk management.  Prevention, having assessments performed, both network and HIPAA, having some sort of response in place, even if it’s just knowing who needs to be contacted, do they know what vendors they would contact in case of a breach.  Having the right limits and coverage in place can go a long way in transferring risk; just being prepared and knowing what you need to do in what type of breach will save a headache at that time.


Customer:  With the new HIPAA rules that were just released last week, is there anything that’s really out there that we need to know immediately?

Joe: No, what happened was there was a revision or a consolidation of the HIPAA law that was called HIPAA omnibus.  So what they did was take HIPAA components that include HITECH and the revisions over the years, and consolidate them into a new, updated HIPAA.  So in the near term, if you’re a covered entity or a healthcare provider or insurance company, I think you still have to maintain the same amount of diligence as usual.  The biggest impact will be the enforcement of HIPAA rules and laws on business associates.  One of the things that they made very clear was this idea of transferring and making sure those audits are completed within the business associate community.  Now, there are a couple of other pieces relative to covered entities that you have to think about.  One of them is the whole idea of recording of use and disclosure.  Ultimately, we’ve been waiting on this rule to be passed through final legislation, but electronic medical record software is going to have to beef up or enhance their audit capabilities around uses and disclosures of protected health information, because patients will have the right to request a list of disclosures and uses and for the organization to be able to provide that to them.


North Dakota practice moves to electronic records

October 18, 2012 | Erin McCann, Associate Editor

BISMARCK, ND – Mid Dakota Clinic, a multi-specialty practice serving Bismarck, N.D. and neighboring rural regions, announced today it will be joining the burgeoning number of office-based practices that have implemented an electronic health record (EHR) system to spur better practice management and care coordination across its clinics.

The clinic, comprising more than 60 healthcare providers, offers an array of healthcare services to a growing population of rural patients in central and western North Dakota.

It will tap Watertown, Mass.-based athenahealth for EHRs, medical billing technology, practice management and patient communications services. The new IT, officials say, will enable Mid Dakota Clinic to streamline administrative work that is often the result of regulation, such as the impending transition to ICD-10 and achieving meaningful use Stage 2 requirements, and also provide its physicians with tools to communicate more efficiently with their patients before, during, and after an exam.


“Having provided care to the Bismarck-Mandan area for many years, our organization is woven into the DNA of this region,” said Jeff Neuberger, CEO of Mid Dakota Clinic PrimeCare. “But in order to ensure we can continue to flourish amidst a changing health care environment and an ever growing population which includes young, tech-savvy families, implementing practice management and care coordination services is more necessary than ever before. Our physicians are constantly striving to keep up with burdensome regulation and administrative tasks that take away from their ability to treat more patients and provide better care.”

“Mid Dakota Clinic is a shining example of how important implementing cloud-based services can be to the vitality of rural practices whose patients in the community may not be able to travel for care elsewhere,” said Jonathan Bush, chairman and CEO of athenahealth. “As more primary care providers consider ACOs and other shared-savings models, they’ll need better, more coordinated technology to deliver care across an entire network of providers. We’re thrilled that we can help Mid Dakota Clinic improve the quality of care for their patients while helping them thrive through oncoming changes in health care.”

The Top 10 HIE Pitfalls

Experts warn that employing a “Field of Dreams” strategy doesn’t always add up to physician adoption.

By Jennifer Prestigiacomo | Healthcare Informatics Magazine | Sept 2012

Experts at a BluePrint Healthcare IT discussion last week warned that the Field of Dreams strategy of “build it and they will come” won’t necessarily work when it comes to physician adoption of a health information exchange (HIE).

Lack of physician usage of a health information portal was the No. 1 pitfall mentioned in the recent webinar, “Top Ten Ways an HIE Can Go Wrong.”  Many organizations believe incorrectly that physicians will naturally use an HIE if it’s built, so not enough attention is paid to incorporating HIEs into physician workflow to garner adoption, said John Moore, founder and managing partner, Chilmark Research, a Cambridge, Mass.-based analyst firm focusing solely on the healthcare IT market.  He emphasized being clear about the goals of the exchange and doing the necessary strategic planning to drive technology architecture and vendor roadmap decisions.

Attendees were surveyed in advance on their top three concerns or experiences on how an HIE can go wrong, and a top-10 list was compiled from 86 responses by BluePrint Healthcare IT, a Cranbury, N.J.-based software provider and consultancy.

Education is another key piece that gets glossed over when it comes to HIEs, said Neal Ganguly, vice president and CIO, CentraState Medical Center in Freehold, N.J.  More time is spent on the technology of the transport method than on marketing and educating users in the value of HIE.  Also, workflow changes are a tough sell to providers until they know an HIE’s potential value.  “There is an education need here that we all struggle with,” Ganguly added.  “Physicians often don’t understand the potential value.  We have to deliver that value and explain it properly, and I don’t know that we do that today.”

Kate Berry, CEO, National eHealth Collaborative (Washington, D.C.), was quick to bring up e-prescribing as what she called an example of a successful form of HIE.  E-prescribing took a number of years to gain physician adoption, but it now exceeds 50 percent of all U.S. physicians, Berry said.

The second most frequently mentioned way an HIE can go wrong, according to the BluePrint Healthcare IT survey, was viewing HIE interoperability as just a technology issue.  Tracy Rue, senior consultant, Health IT Transformation, BluePrint Healthcare IT, said interoperability is a huge resource issue, with organizations struggling to marshal the right people, tools, and vendors to get the necessary work done.

Chilmark Research’s Moore is seeing in the market now a lot of HIE implementations of results and orders delivery going into rip-and-replace mode.  “I think now we’re getting to another level of interoperability in the market, and we’re looking at really trying to drive those patient records to get that true longitudinal record together to drive a higher level of care and quality,” he added.

Other HIE pitfalls named by respondents were security and access management issues, as well as syncing priorities and technology architecture and setting clear goals.  HIEs that span state boundaries and hospitals with non-employed medical staff can only exacerbate these challenges, says Ganguly.

Strategic Visions

As was documented in the NeHC HIE Roadmap, to avoid some of these pitfalls, great care needs to be taken in the visioning and strategic planning of the HIE and its initial roadmap, which needs to be revisited on a scheduled basis.  “Building stakeholder trust and achieving ongoing alignment around the vision and objectives is critical, especially given potential conflicts inherent among stakeholder groups,” the NeHC report stated.

Berry emphasized that HIEs can’t sustain themselves on grant funding alone, and the real driver for compelling change in the market will be the move toward value-based payments.  In order to survive, HIEs must have a strong business orientation, in which all stakeholders who are getting value are also contributing financially to its sustainability, she added.  Subscription-based fees have seen more success in the industry than transaction fees, which have the tendency to discourage use, Berry said.

BluePrint Healthcare IT’s Rue noted that even though an HIE’s vision can change over time, strategic goals should drive technology decisions and not the other way around.  One mandate does not fit all when it comes to a strategic roadmap, but any new technology or service offered needs to coincide with that vision, he said.

“[An HIE’s roadmap] is evolutionary,” Ganguly added.  “You have to continually revisit and make sure the vision remains consistent, or that as appropriate regulatory drivers are changing the landscape, that you reshape the vision.  It’s important to establish metrics as well to demonstrate the value and prove you have attained the vision objectives that you set out to obtain.”

Ganguly said his organization funds its own private HIE and has been using a physician affinity strategy to give clinicians information and tools that other nearby hospitals can’t provide.

Moore says the affinity model of ambulatory physicians pushing orders and referrals to the hospital sponsoring the HIE is one of the many business drivers fueling the private HIE market.  “It’s about building that affinity with the ambulatory practices out there that could potentially push business [to the hospitals],” said Moore.  “And you build that affinity by, when the orders come in, you turn around and quickly provide the lab results back to that referring physician, so the next time the patient shows up, they have those lab results right in front of them.”

HIPAA Security Assessment

Are you certain about HIPAA compliance within your practice?

Since the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, healthcare organizations, large and small, have adopted processes and safeguards to ensure the privacy and security of Protected Health Information. HIPAA’s privacy and security rules established floors of confidentiality and security protections for patients’ demographic and health information in all forms—paper, oral, and electronic. The evolution of health information technology has resulted in additional risks. The HITECH Act, adopted in 2009, builds on the privacy and security rules to address these new risks. With the passage of HITECH, additional emphasis was placed on the responsibility of healthcare entities that utilize Electronic Protected Health Information to ensure that the data is held safe and secure. Simply choosing and installing HIPAA compliant Electronic Medical Records or Patient Management software does not guarantee HIPAA compliance within your practice. Additionally, HIPAA Security compliance is now an integral part of the Meaningful Use definition.

What can a Health Care Management HIPAA Security Compliance Assessment do for you?

  • Assign HIPAA certified and healthcare industry recognized professionals that understand the uniqueness of physician practices
  • Conduct an accurate and thorough analysis of your practice’s current HIPAA Security compliance status
  • Examine the HIPAA compliance status of your Electronic Medical Records and Patient Management software vendor to help you better understand your level of risk
  • Provide a Gap Analysis and baseline remediation plan that is written in understandable and non-technical language
  • Offer standard documentation templates and sample plans that address HIPAA requirements and significantly reduce the time required to meet compliance
  • Manage the remediation plan to completion

About the HIPAA Security Rule

Title II of the HIPAA Act includes requirements for Security Standards. The Security Rule describes the security requirements that healthcare entities must follow in order to be in compliance with the Administrative Simplification portion of HIPAA Title II.

  • Administrative Safeguards are actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect Electronic Protected Health Information, and to manage the conduct of the workforce in relation to the protection of that information.
  • Physical Safeguards are physical measures, policies, and procedures to protect a practice’s electronic information systems, related facilities, and equipment from natural and environmental hazards and unauthorized intrusion.
  • Technical Safeguards are the technologies, policies, and procedures for the use, control of access, and security of Electronic Protected Health Information.

HITECH and the HIPAA Security Rule

  • Fines for non-compliance with HIPAA have increased significantly with the introduction of the HITECH Act. Organizations can now be fined per calendar year.
  • Individuals who have been affected by a HIPAA data breach can receive a percentage of a civil monetary penalty or monetary settlement.
  • Organizations that have a data breach affecting more than 500 people will incur monetary expenses associated with notifying the affected people and major media outlets.
  • Enforcement offices will be partly funded by the levied HIPAA fines.


What the HIPAA Security Assessment from HCM Includes:

Risk Assessment

Highlights of this exercise include:

  • Provision of Secure GRC SB® license to Balance in Life for the automated collection of assessment materials
  • Reviewing the infrastructure available to employees, partners, patients, and Business Associates
  • Reviewing operational information security requirements based on a departmental and/or functional application inventory
  • Reviewing the existence of computing infrastructure vulnerability policies, which include disaster recovery and business continuity procedures, protection from malicious software, network access procedures, physical access controls, workstation use and security, and patient ePHI access policies
  • Review of available assessments and determining which questions require answers from key contributors
  • Deployment of assessments
  • Communication of Balance in Life’s intent regarding the collection of proof of compliance from Business Associates
  • Reviewing the existence of policies for participants in treatment, payment, and operations relative to HIPAA security compliance, which includes:
    • HIPAA Privacy Policies
    • Risk Analysis Policy
    • Risk Management Policy
    • Sanction Policy
    • Information Systems Activity Review Policy
    • Workforce Security Policies
    • Information Access Management Policies
    • Security Awareness and Training Policies
    • Incident Response Plans and Policies
    • Compliance Evaluation Policies
    • Business Associate Agreement Policies
    • Media Re-Use Policies
    • Media Disposal Policies
    • ePHI Transaction Audit Policies
    • Unique User Identification and Login Monitoring Policies

Remediation Stage

Remediation is “the action of remedying something.”  Health Care Management will remain your partner during the remediation of your practice by providing remediation project management oversight and assistance for some or all of the following components:

  • HIPAA Compliance Policy Templates that can be used in the creation of formal Balance in Life policies. These documents will be provided at no cost to Balance in Life. If desired, HCM can assist in the creation and/or modification of policies as a component of the advisory partnership
  • Development and governance of your remediation plan
  • Development of your resource plan and recommendations, if necessary
  • A final review and delivery of HIPAA compliance status

Ongoing Support, Years 2 through 5

Industry standards are constantly evolving. Beginning from our initial meeting, Health Care Management offers a long-term partnership as your advisor, educator, ally, and advocate. Following the completion of remediation, HCM will maintain that long-term relationship by offering the following in years two through five, at Balance in Life’s discretion:

  • Secure GRC SB® HIPAA Compliance Management Solutions
  • Annual HIPAA Compliance Update and Assessment
  • Custom staff HIPAA education that satisfies Security Awareness Training Standard 45 CFR 164.308(a)(5)(i)
  • HIPAA Training Video for new employees


Replacing the Password: Improving Clinical Productivity, Security, and Cost Margins

Thursday August 23, 2012
1:00 PM ET
12:00 PM CT


Mac McMillan
CEO and Co-Founder
CynergisTek, Inc.

Emerson Kenneda
Network Analyst/Project Implementation
Mecosta County Medical Center

Tom Grissinger
Senior Marketing Manager
DigitalPersona

Replacing passwords is not just about making life easier for your doctors and nurses. Although you will see a happier clinical staff that can focus on patient care delivery, rather than typing in passwords three or four times for every patient they see, there’s much more to the story.

Hospital CFOs, auditors and IT staff also benefit from security that goes beyond the password. There are real bottom-line advantages, including greater productivity, cost savings, fulfillment of compliance regulations, and prevention of dreaded data breaches. Join Healthcare Informatics and DigitalPersona for a live 60-minute webinar that focuses on the costs of relying on passwords, the financial risks associated with password security, and the viable alternatives used by Mecosta County Medical Center and other healthcare organizations to keep their data safe.

Join our panel of experts as they discuss:

  • Risks of unsecured data in healthcare organizations
  • The costs associated with security breaches that compromise healthcare data
  • Strategies and practical tactics healthcare organizations can use to mitigate risk
  • Technologies that help hospitals achieve stronger authentication and happier staff

Register today to join the discussion!

Learning Objectives:

  • Describe the costs and risks associated with passwords
  • Examine strong authentication alternatives
  • Evaluate the advantages of alternative authentication methods
  • Apply the lessons learned at Mecosta County Medical Center as they transitioned from passwords to biometrics


EHRs: A legal ‘game changer,’ privacy experts say

June 07, 2012 | Diana Manos, Senior Editor

WASHINGTON – A panel of experts gathered at the 2nd International Summit on the Future of Health Privacy in Washington, DC on Wednesday all seemed to agree that the stakes are high when it comes to electronic medical records and privacy.

“Electronic technology is a game changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable,” said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter, & Verville.

Much of the debate centered on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its ability to provide protection.

Pyles said HIPAA only provides a bare minimum of privacy, not a template for best practices.

Members of the panel reminded the some 300 attendees of the conference that when HIPAA was written, it was done to help physicians get reimbursement, not necessarily to keep patients’ privacy.

“One would think, if you were approaching healthcare privacy policy, the very first thing, the very top priority would be to ask what do the patients want?” Pyles said. “Unfortunately, we have laws on the books that do not put the patient first.”

Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology (ONC), said the main problem is technology is moving faster than privacy laws can be written.

“I approach this in a simplistic way,” she said. “I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all.”

HIPAA doesn’t address the right to privacy, and it doesn’t define the word privacy, she said, both of which need to be addressed today.

Marcy Wilder, currently a partner at the Hogan Lovells law firm, was the lead lawyer for the Department of Health and Human Services on the development of the HIPAA rules.

She said the beginning premise of HIPAA was to let information flow relatively freely to allow treatment and allow physicians to get paid, and to put fairly strong restrictions on that data once it starts flowing outside the healthcare system.

“It’s true HIPAA is the floor,” Wilder said. “There is a regime of laws working toward protecting privacy. Health data is some of the most regulated data in the world.”

The goal should be to find a balance between providing patients with privacy rights and helping to build quality healthcare, Wilder said.

Frank Pasquale, a professor of healthcare regulation and enforcement at Seton Hall University, said making new regulations with granular controls for patients to pick and choose how to share their information would go a long way toward helping patients feel safe. If they don’t feel safe, they won’t willingly share their data.

Even deidentified data poses concerns for many people, Pyles said. “Some people believe you can reidentify anything. Others think we should be more permissible with it,” he said. The litmus test should be this: if a policy makes people more reticent to share even their deidentified data, then there is not enough protection there.

Privacy rights encourage disclosure, he added.