How Organizations Meet Compliance Demands with Smart Technology

Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.


The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.

A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Accurate, Effective and Secure Use of Patient Information at Point of Care

Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:


Dispelling the Myths about HIPAA Compliance

Guest post by Erik Kangas, CEO, LuxSci.


Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.

Myth: All email is HIPAA-compliant

This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.

Myth: My business is too small to worry about HIPAA

Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.

Myth: Any email with PHI must have encryption

If emails are sent in-office over a secure network, encryption of the email is not necessary. But once that email leaves the office over a wide area network or the internet, encryption is a must.

Myth: The recipient must have encrypted email

The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.


Patient Portals: Security Concern or Effective Tool?


Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.

Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.

A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.

Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute for Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.

While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.


The Future of Health IT: A “Dawning” of Dynamic Proportions


Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.

The health information technology (HIT) industry is on the verge of a dramatic dawning. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to eliminate the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches in electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations—both public and private—and result in millions of dollars in fines and losses.

As the use of HIT systems increases within the healthcare industry, hospitals and private-practice providers are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transfer of protected health information from a local system’s network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute the legitimacy of public cloud computing and its compliance with specific requirements of HIPAA.

Contrary to provisions mandated by HIPAA, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.

Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than 70 million in the last two years. Anderson projects an estimated 20 percent annual increase in software application sales during the next five years.

Healthcare providers have suggested that significant benefits could occur for patients using mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable at a reasonable fee. Last year, healthcare providers used health software applications for obtaining diagnostic test results, sending alerts for patients to self-medicate, tracking and monitoring levels of chronic pain, and storing vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.


Cancer Treatment Centers of America Improves Patient Care with Managed Print Services


Guest post by Christopher Downs, vice president, information services, Cancer Treatment Centers of America.

Printing is like electricity – when it works, no one really notices it. They only notice it when it’s not working.

Think about it. Quality communication is a cornerstone of delivering excellent patient care. Almost every department in a healthcare organization relies on their printers to provide instructions and information that are vital to a patient’s health. So, when the printing environment is offline or ineffective, it has a real impact on how healthcare is controlled and delivered.

At Cancer Treatment Centers of America (CTCA), our motto is to deliver “care that never quits,” meaning we place our patients and their caregivers first and foremost in every action and decision that we make. As such, we rely on our technology systems to be seamless, secure and reliable so that we can deliver on our motto.

The Importance of Printing

When a patient arrives at any one of our six treatment centers, he or she receives a personalized booklet providing details regarding his or her treatment schedule. Over the course of a stay, patients will receive additional documents such as prescriptions, post-surgery instructions, discharge summaries and insurance information, just to name a few. Administrative departments also generate and print reports, spreadsheets and presentations that are essential to hospital business functions.

All in all, approximately 90 percent of CTCA’s 5,000 employees rely on printers, printing roughly 30 million pages annually. That means, on average, our employees print more than 82,000 pages per day across the network.


Data Breaches of Protected Health Information Will Get More Frequent in 2014


Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.

The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.

This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.

Current data security climate

Even so, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause of a breach is a lost or stolen computing device that houses PHI. The survey also found that:


What HIPAA Means for Care Providers and EHR Vendors


Guest post by Scott Parker, CureMD.

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.” These entities generally include healthcare clearinghouses, employer-sponsored health plans, health insurers, and healthcare providers.

PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.

Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.


Every Physician and Medical Practice Should Be Aware of These Common Risks and Safeguards for EHRs – Are You? (Part 1)

Guest post by Allan Ridings and Joseph Wager, senior risk management and patient safety specialists, Cooperative of American Physicians.

Part 1 of a two-part series.

Introducing an electronic medical records system into the practice helps the physicians and staff provide more efficient healthcare by making medical records more accessible to all health care team members. It also brings some risks. In this two-part article, CAP Risk Management and Patient Safety identifies 10 areas of risk exposure and provides some brief recommendations in each area.

EMR or EHR

Know your system. Electronic Medical Record is the term most often used for the electronic system now holding the medical records of the physician’s patients. If patients’ medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record is more accurate. The terms are often used interchangeably, and most articles now use the words “Electronic Health Record.”

Provide updated/additional training periodically, especially after software updates and enhancements.
