Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence its remediation of these findings.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.
A new security risk assessment (SRA) tool to help health care providers in small to medium-sized offices conduct risk assessments of their organizations is now available from HHS.
The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application, available for download at www.HealthIT.gov/security-risk-assessment, also produces a report that can be provided to auditors.
HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.
Eric Munz, vice president of business process crowdsourcing at Lionbridge Technologies, where he manages and leads the delivery of in-person, telephonic and video crowd-enabled interpretation solutions to meet the unique needs of customers across a broad range of industries, discusses here the need for interpretation services in health systems.
He also touches upon interpretation mandates for hospitals, the struggles large and small health systems face with interpreting to ensure the best patient care; he discusses the benefits of using a secure interpretation solution; and provides advice for implementing such a solution.
What are interpretation mandates for hospitals? How has equal access to language changed recently with ACA?
There are about 10 different places in the Affordable Care Act (ACA) that require hospitals to develop and implement a system that provides interpretation services to patients with limited English proficiency (LEP), to have equal access to healthcare. For example, Section 1557 of the Patient Protection and Affordable Care Act focuses on non-discriminatory policies and procedures, including those based on the grounds of language and national origin.
Now, healthcare facilities are facing a renewed struggle to provide such interpretation services because of the influx of LEP patients newly enrolled in insurance plans under the ACA. According to the UCLA Center for Health Policy Research, 36 percent of newly insured individuals under the ACA in the state of California are LEPs — compared to only 9 percent of LEP patients prior to the ACA enactment. That is a dramatic increase in non-English speaking patients to serve.
Other states facing a jump in patients speaking foreign languages include Texas, Arizona and Florida. Across the nation, healthcare providers must be at the ready to interpret more than 300 languages to remain compliant. Otherwise, they risk incurring monetary penalties.
Why is it often a struggle to deliver interpretation for patients in large and small hospitals alike?
A big city hospital could serve patients representing a dozen different languages or more on any given day. That presents a very practical logistical problem for facilitating so many different conversations in so many different languages. This is why many facilities partner with vendors to provide on-site interpretation, but these interpreters often work on an on-call basis, delaying treatment. They also often charge two-hour minimum rates for their service even if it’s a 30-minute conversation. In a rural hospital, there simply may not be someone with the skillset to speak a particular language within the geographic area.
For these reasons, the biggest challenge for hospital management is determining how to efficiently meet the demand for interpretation services, which are required by law, while remaining cost conscious throughout the process.
As someone passionate about patient engagement and using health IT and other technologies to improve care, I continue to hear a great deal about how solutions can actually benefit population health. Even at the most recent HIMSS conference, “patient engagement” as a term clearly has become one of this year’s biggest buzz phrases.
Conference sessions were dedicated to the topic, vendors marketed their services to solving some of the issues associated with it and seemingly everyone in attendance had an opinion for what needs to be done or at least has some strategies for bringing more patients — or their data — directly into the care sphere.
The problem, from my perspective, is that too much is still being said about population health and not nearly enough about individual health. In theory, I understand why this must be, but in practice, I don’t understand the seeming lack of attention individuals are receiving. Obviously, if population health outcomes improve, then that must logically mean individual health outcomes are improving.
And while I understand that not everyone or every need can possibly be addressed, that doesn’t mean we shouldn’t be trying to fill those needs. The current conversations about improved population health remind me of a common business/life solution when addressing a major problem: How does one eat an elephant? One bite at a time. Likewise, it would seem the same approach could be taken to achieve improved population health outcomes: one individual patient at a time.
That said, I asked some folks within the health IT community how technology affects individual patient outcomes. Though some of the ideas here are still high level, perhaps they are a step in the right direction. Here are some of the responses I received:
What are the real-world benefits of electronic health records, for example, to a specific individual? To answer that question, let’s take a look at a fictional person we’ll call “Bill.” Bill is quite elderly and has a variety of age-related illnesses. He lives in Ohio, and decides to spend the winter with his daughter in Florida.
Bill’s daughter, Susan, arranges for her father to be seen by a local specialist during his stay. Susan tries to get a voluminous paper file transferred from Ohio to the new doctor in Florida, but there are delays: phone messages are missed, handwriting is misread, and no one has time to copy and mail 100 pages of medical records.
In the end, Susan is unable to get her father’s records transferred in time for the appointment with the new physician. As a result, an unnecessary test is performed, and a drug is prescribed that had caused an allergic reaction in the past.
In the future, EHRs will enable the Florida clinic to have electronic access to the same records available in Ohio. Already, Medicare and some commercial carriers have websites that list physician visits, patient complaints, diagnoses made, lab/diagnostic tests performed, and drugs prescribed. Eventually, such websites may include a full medical profile, including doctor’s notes, lab results, x-ray images and more.
Dean Wiech, managing director of Tools4ever, a global provider of identity and access management solutions, has worked in healthcare for more than 25 years. Here, he discusses how IAM enhances the ROI for health systems, and how the solutions make patient care more efficient, how they work in healthcare, and how systems and records can be made more secure — for patients and providers — because of the technology.
Tell me about yourself and your experience in healthcare.
I have been actively selling software solutions in the healthcare market for 25 years. I have sold and/or managed teams in about 50 percent of the country. I have always focused on solutions that provided a definable ROI based on productivity and time savings.
Tell me about Tools4ever. How does the company serve the space? Tell me about your products and how they are used in healthcare.
Tools4ever is a company that focuses on the identity and access governance space. We assist the healthcare market in ensuring that the lifecycle of user accounts is managed in a timely and accurate manner. We also have solutions that save care providers time by eliminating repetitive login tasks and avoiding the need to call the help desk for password resets.
How is Tools4ever different than some of the competitors in your space?
I believe our primary differentiator is time to implement. We can get the basics up and running in a few days to a few weeks, depending on the solution. The majority of our competitors take months to years to complete an install. The result is that the healthcare organization can realize a much quicker benefit from the product and a quicker ROI.
What’s your footprint like in healthcare and who are some of the organizations you work with? How do you help them?
We have numerous hospitals and long-term care providers across the country. One example is South County Hospital in Rhode Island. It utilizes our Self Service Reset Password Management (SSRPM) solution to allow end users to reset forgotten network passwords. We then synchronize that password to several other solutions to allow a reduction in the number of credentials the employee needs to remember.
Another example is a major university hospital in New York City. It uses our user management solution for several tasks. The most recent example is provisioning patients to the network to allow them to view their records on a mobile device provided by the hospital for the duration of their stay. We also implemented a password self-service reset function to allow the patients to reset their passwords without a further burden on the help desk.
Received the following study recently that is quite interesting; thought it worthy of sharing:
Emergency department physicians are less likely to admit patients to the hospital when they have readily available electronic access to those patients’ health records, Weill Cornell Medical College researchers have found.
Their study, published March 12 in Applied Clinical Informatics, illustrates the value of combining multiple providers’ digital patient charts into a single source for health care providers – particularly in an urgent setting like the emergency department. With information such as previous test results, prescriptions and other patient history immediately accessible, providers are able to treat patients more efficiently and effectively than when they lack that data.
“New York State has made significant investments in health information exchange,” said Dr. Joshua Vest, an assistant professor at Weill Cornell and the lead author on the study. “Our study shows that providing physicians, nurses and allied health care professionals such as physician assistants real-time access to community-wide, longitudinal health records does in fact benefit patients.”
With federal and New York State government backing, hospitals and medical practices across the state are investing millions of dollars to make health records sharable among physicians when they need the information. The digitized charts contain doctors’ notes from every patient visit; family medical history; immunization records; lab results; medication history; allergies; reminders for preventative care and more.
Sending text messages has become a common method of communication among teenagers, adults, and more recently, medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.”
As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule allows healthcare providers to communicate electronically with patients, but it also outlines standards requiring appropriate safeguards to protect the confidentiality, integrity and security of e-PHI. The following identifies security issues raised by texting of PHI between healthcare providers, or between provider and patient, and how unsecured texting may violate the HIPAA Security Rule and create liability for healthcare providers.
As a general rule, texting of PHI by healthcare providers is strongly discouraged. Texting, or traditional short message service (SMS) messaging, is non-secure and non-compliant with HIPAA because data stored on personal mobile devices is not encrypted and is usually stored within the computer memory or on a smartphone SIM card or memory chip. The lack of encryption and the easily accessible storage methods allow any e-PHI communication on a mobile device to be retrieved and shared by anyone with access to the mobile device. This means that messages containing PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and stay forever on the sender and receiver’s phones.
Another reason why physician-patient texting is discouraged is that standard texting/SMS limits the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is “not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages.” Physicians are urged not to use text messaging even with established patients “except with extreme caution and with patient consent.”
Don’t forget that the end-of-the-year reporting of Health Insurance Portability and Accountability Act (HIPAA) breaches of unsecured protected health information (PHI) discovered in 2013 is due Saturday, March 1, 2014.
Healthcare providers and health plans that are covered entities under HIPAA must report breaches of unsecured PHI affecting fewer than 500 individuals annually to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). These small breaches should already have been reported to each of the affected individuals, and reports to the OCR should include the actions to mitigate and remediate any breaches, even those affecting a single individual. Reports to the OCR of large breaches (those affecting 500 or more individuals) are made at the time of reporting to the affected individuals—that is, without unreasonable delay and in no case greater than 60 days.
Covered entities may report small breaches electronically at the OCR’s website: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
There are major healthcare regulatory mandates going into effect, at the federal and the state level, which will significantly impact property and casualty (P&C) insurance medical bill payers. The Administrative Simplification provisions of the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II), state mandates for property and casualty eBilling, and other regulatory initiatives are forcing payers to understand these regulations’ requirements and be prepared to implement new processes and technologies in order to be compliant. Federal healthcare administrative simplification offers payers an opportunity to prepare for compliance while meeting cost containment and operational efficiency objectives, empowering property and casualty payers to prepare for an all-electronic American healthcare future.
The concepts of eBilling and ePayment for medical bills are gaining traction throughout the healthcare arena, along with the adjacent P&C insurance industry. Medical providers and P&C payers are increasingly taking advantage of the benefits associated with electronic billing and payments, which include substantially lower transaction costs and increased efficiency for call centers, adjusters and finance departments.
Other non-legislative organizations are collaborating and recommending changes that could accelerate the impact on the P&C industry. For instance, the Workgroup for Electronic Data Interchange (WEDI), the International Association of Industrial Accident Boards and Commissions (IAIABC), the American Medical Association (AMA), and the Accredited Standards Committee of the American National Standards Institute (ASC X12) are all working to ensure standards that facilitate eBill exchange and adoption. The National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services (HHS), periodically holds meetings to review health statistics and trends. And while the NCVHS does not set policy, it does provide analysis, insight and recommendations to HHS, with eBilling as a topic of likely review in the future. These organizations have collectively laid a path for how to participate in this new environment.