In this article, I gave an overview of the HIPAA Security Rule.  Let’s drill down a little further and go over the principles of the Security Rule.

There are two very good papers published by CMS that give an overview of the Security Rule.  The papers include Security 101 for Covered Entities and Security Standards: Implementation for the Small Provider.  In an ideal world, the Security Rule would sound like a cooking recipe that tells you the exact ingredients you need, how to mix the ingredients and how long you should cook everything to have the final product.  However, reading the papers, you’ll immediately notice they are very vague, giving you what is required to comply with the Security Rule, but they don’t tell you how or what you need to do to comply.  No recipe here – which brings me to my first point; the Security Rule is not a detailed step by step process that tells you how to implement the rule.

Take this line from the Security Standards:

“The Security Rule provides a flexible, scalable and technology neutral framework to allow all covered entities to comply in a manor that is consistent with the unique circumstances of their size and environment.”

Wow, that seems to say a lot but when you finish reading it you realize that it doesn’t say that much at all.  My take on it is that there are a set of rules you need to follow which include procedures and technologies you need to implement but specific procedures and technologies will not be defined.  Furthermore, based on the size of your organization you may or may not implement the same procedures and technologies and you may choose not to implement some of the procedures and technologies at all.  To clarify, if you are a large hospital with a full-time IT staff you will have the ability to implement different procedures and technologies then a small practice that has no full-time IT staff. 

The Security Rule is composed of a series of Standards.  A good description of a Standard can be found in the  Security Standards:

“Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.”

So no matter your organization size or level of IT ability, a Standard has to be implemented.

Within some Standards are Implementation Specifications:

“An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable.”

 • A required implementation specification is similar to a standard, in that a covered entity must comply with it.

• For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions.

• Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

 Required implementation specifications have to be implemented no matter what your size or ability.  Addressable implementation specifications are not optional but you have to determine if your ability to implement the specification is reasonable and appropriate.  A good example of this is email encryption.  A large hospital has the ability and resources to ensure that all emails that contain electronic patient information have to be sent via secure encrypted email.  A smaller practice may decide that email encryption is too complicated or expensive to implement.  Instead the smaller practice may decide that they will not send electronic patient information via email at all, thus removing the need for email encryption.  Both organizations have addressed the implementation specific but did it in different ways that make sense to each of them.

If you determine that an addressable implementation specification is not reasonable or appropriate for your organization, you need to document the rationale for your decision.  Make sure you can defend the decision in the future which could be years from when you actually made the decision.

If you are a small,  midsize or large medical practice, the take away from this article should be that the Security Rule is not a specific list of things you have to do or a defined list of technologies you have to implement.  The Security Rule is a set of guidelines that give you some flexibility and take into account a practice’s size and resources. 

In future posts, I will dive into each of the Security Rule Standards and try to help you make sense of them.

According to a press release from the U.S. Department of Health and Human Services (HHS), several states will benefit from addition stimulus fund.  The funds are to help setup health information exchanges (HIE).

The health information exchange HIE awards announced today provide approximately $162 million to 16 states and qualified state designated entities (SDEs) to facilitate non-proprietary health information exchange that adheres to national standards.  Health information exchange is critical to enabling care coordination and improving the quality and efficiency of health care.  

“Today’s announcement of awards to 16 states and SDEs marks a significant milestone with all states now empowered to start their journey towards identifying innovative ways to break down theses barriers that prevent the seamless exchange of information, so that we can give patients the access to care they deserve and expect,” stated Dr. David Blumenthal, national coordinator for health information technology.  “States play a critical leadership role in advancing the development of the exchange capacity of healthcare providers and hospitals within their states and across the nation. Health information exchange will enable eligible healthcare providers to be deemed meaningful users of health IT and receive incentive payments under the Medicare and Medicaid electronic health record (EHR) incentive program.”

New Jersey is set to receive $11.4 million and Connecticut will receive $7.2 million.

The states receiving funds from the $162 million awards include:

State/SDE	Award Amount
Agency of Health Care Administration (FL)	$20,738,582
The Maryland Department of Health and Mental Hygiene	$9,313,924
New Jersey Health Care Facilities Financing Authority	$11,408,594
South Carolina Department of Health & Human Services	$9,576,408
Iowa Department of Public Health	$8,375,000
Idaho Health Data Exchange	$5,940,500
State of North Dakota, Information Technology Department	$5,343,733
State of Alaska	$4,963,063
Nebraska Department of Administrative Services	$6,837,180
South Dakota Department of Health	$6,081,750
Department of Public Health, State of CT	$7,297,930
State of Mississippi	$10,387,000
Indiana Health Information Technology, Inc.	$10,300,000
HealthShare Montana	$5,767,926
Texas Health and Human Services Commission	$28,810,208
Louisiana Health Care Quality Forum	$10,583,000
Total	$161,724,798

In the age of the Internet and search engines, you want to get your practice noticed on the web.  But there is one place that you don’t ever want to see your practice’s name and that is the U.S. Department of Health & Human Services’ (HHS) HITECH breach website. 

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

The site is for HIPAA / HITECH violations affecting 500 or more individuals.

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

The list contains:

• the name of the entity (organization, corporation, practice, clinic, etc.)
• the state where the entity is located
• the approximate number of individuals affected
• the date of the breach
• the type of breach (theft, loss, unauthorized access, hacking/IT incident, incorrect mailing, misdirected e-mail, phishing scam, etc.)
• the location of breached information (i.e. laptop, hard drive, mailing, e-mail, etc.)

I mentioned in this post about Blue Cross Blue Shield of Tennessee having 57 hard drives stolen from a training center.  Each of the hard drives contained personal information about subscribers.  In conjunction with the data breach, they are now listed on the HHS breach website.

Blue Cross Blue Shield of Tennessee
State:	Tennessee
Approx. # of Individuals Affected:	500,000
Date of Breach:	10/02/09
Type of Breach:	Theft
Location of Breached Information:	Hard Drives

Let’s take a step back and look at the other breach notification requirements to comply with the HITECH Act.  The HHS website states that a covered entity must do the following in the event of a breach of unsecured protected health information:

Breach Notification Requirements

Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.  In addition, business associates must notify covered entities that a breach has occurred.

• Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.  Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.  If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.  If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.   

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.  Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

• Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

• Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information.  Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.  If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.  If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.  Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

• Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

 As you can see, the HITECH Act has put some stiff requirements into breach notifications concerning unsecured protected health information.  My advice is to make sure your HIPAA policies and procedures are up to date,  your staff is trained and you do everything possible to avoid a data breach.  You don’t want to end up on the HHS “wall of shame”.

A break-in at a Mall has cost BlueCross BlueShield of Tennessee $7 million and counting. As noted in this Newsweek article:

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.

In most of the calls, subscribers provided their BlueCross ID number, name and date of birth — not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what’s known as a Health Insurance Claim (HIC) number, which contains the subscriber’s Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.

An attorney from BlueCross said in a letter to the Maryland attorney general that the data on the hard drives were encoded but not encrypted.  Encrypted data would need the passcode or key to decrypt /unencrypt and read the data.

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened

So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. “Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary,” BlueCross said in the letter, dated Dec. 16.

“We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio,” said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. “It has to be reviewed.”

The costs keep tallying up:

The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

The HITECH Act requires media and regulatory notifications.  In the letter to the Maryland attorney general they mention:

The HITECH Act requires that we provide media notice to any jurisdiction where over 500 members may reside; therefore, we are also notifying all Attorneys General in these states so they may also be aware of our activities and could address questions they may receive from our members who reside in their states

A few points to think about regarding this incident are:

1. This did not occur at the BlueCross headquarters but at a rented location.  So no matter how much they secured their offices and network, a HIPAA security breach still occurred.
2. Data that leaves your headquarters, office or building that is on a laptop, desktop, USB drive, smartphone, etc and that is not encrypted is a liability waiting to happen. 
3. HIPAA and HITECH data breaches can be extremely costly not only from a HIPAA fine perspective but from the manpower and wasted productivity required to react to the data breach.

The need to uniquely identify patients in a practice management or EHR system is critical.  This is especially true in light of a well publicized incident with the Veterans Association (VA) and the Department of Defense. 

VA officials first discovered problems with the data exchange late last month when a VA clinician found a record in AHLTA (Defense Department’s AHLTA EMR)  indicating that a female patient had been prescribed a drug for erectile dysfunction. NextGov reports that the clinician’s query actually had returned the record of another patient. “The VA clinician may see the patient’s data during one session, but another session may not display the data previously seen,” the VA alert explains. “This problem occurs intermittently and has been reported when querying DoD laboratory, pharmacy and radiology reports.”

There has been a lot of discussion on using biometrics such as fingerprints, palm readers, etc to uniquely identify patients.  But now there is a new technology that can read the iris of a patient’s eye.  Like fingerprints, the iris provides a unique identifier.  The eye scanner does not require any physical contact with the patient.

For a clinic in Bronx, NY where they have many of the same patient names and many without SSNs, the iris reader provided a perfect solution.  As reported in this CNN article:

With a heavily Hispanic client base, where some of their 37,000 patients speak limited English and only a few provide Social Security numbers, the clinic encountered cases of mistaken identities.

It had 50 Maria Hernandezes, 66 Maria Gonzaleses, 55 Jose Gonzalezes, 83 Carmen Rodriguezes and 103 Jose Rodriguezes, according to the clinic.

The clinic photographed its patients, but that was imprecise. De Leon didn’t want to use fingerprints, because some patients associated that with the police and crime. He didn’t want to use palm readers that required physical contact because that would easily spread germs. So he set his sights on iris scanners; it didn’t require touching and didn’t carry the negative connotations.

The company that makes the iris scanner is Eye Controls.  Evan Smith, Eye Controls’ chief executive officer says this about his technology:

“The acceptable error rate is zero, because we’re talking about people’s lives here. People can get hurt and die”

The iris, which is the colored ring of the eye, is unique for every human being. The company tested the iris scanner with simulated IDs and found zero errors in 8 million transactions.

For more information read the FierceHealthIT story

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.

I read a post by Bob Coffield over at the Health Care Law Blog about issues with mobile devices and the potential for patient privacy issues.  The post discusses an incident where hospital employees took pictures of a shark attack victim in the emergency room and emailed them to other people.

Bob goes on to express concern that mobile devices with cameras and social media increase the potential for patient privacy issues.

As such, this incident provides a good example for training and reeducating health care employees on patient privacy issues. Health care employees and professionals must always remember to start from a framework of protecting the health and privacy of their patients. As the use of mobile devices with cameras and social media tools becomes more ingrained in our every day lives — the ability for private information to be captured, transferred and spread in a viral fashion has become much easier. Caution must be used and this case highlights the importance of retraining staff and highlighting the importance of protecting your patient’s privacy.

Hospitals and medical practices have to add cameras, facebook updates, tweets, and other social media to the list of items to address when providing HIPAA privacy education.

The American Medical Association (AMA) along with 95 other physician organizations and associations (including including state, education and medical societies) have written a letter to the Centers for Medicare & Medicaid Service (CMS) with their comments regarding meaningful use and the EHR incentive program.  The 37 page letter outlines where the organizations agree and disagree with the proposed definition of meaningful use and it’s direct correlation to the EHR incentive payments.  To summarize the entire letter would be a lengthy process so I will pick out sections that caught my eye.

The overall message to CMS was that the proposed meaningful use requirements to achieve the initial stimulus payments are too aggressive and the cost to achieve them will deter physicians from participating in the EHR incentive program.

Physicians are deeply supportive of and committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. To facilitate this transition, we want to ensure that there is widespread adoption and meaningful use of EHRs by physicians. We do, however, feel strongly that the Stage 1 criteria proposed by CMS for achieving meaningful use of EHRs is too aggressive and if adopted, will deter many physicians from participating in the Medicare and Medicaid incentive programs. This runs counter to the intent of ARRA, which clearly indicated that demonstrating meaningful use should progress over time.

The organizations are concerned about the impact on smaller physician groups.  They also are concerned with the high failure rates of EHR adoption.

The vast majority of physicians practices are comprised of five or fewer physicians.  Encouraging physician adoption of health IT, especially small physician practices, is critical to ensuring widespread EHR use. Studies of EHR adoption clearly show that it takes more time for smaller practices to adopt and implement EHRs because they have fewer resources and support. Aggressive timelines and criteria during the initial stage of the incentive program will only serve to undermine this effort. Some government officials have relayed that complex measures and high reporting thresholds are needed to discourage EPs from switching back to the use of paper during this transition to EHRs.  We are very troubled by this assertion. Physicians are deeply supportive of and  committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. It is also very unlikely that after physicians make a significant up front investment in health IT and changes to their workflow that they will revert back to manual processes. We believe that the larger concern should be deterring the purchasing of costly EHR products that fail to improve physician workflow, patient care, and practice needs. Industry experts have cited that such failures have adversely affected EHR adoption rates ranging from 50 to 80 percent.

The letter goes on to suggest that the requirements for Stage 1 meaningful use should be spilt over the first two years.

We strongly agree with CMS’ proposal for establishing a staged approach to achieving “meaningful use” of EHRs. In this way, eligible professionals (EPs) are provided a predictable pathway, enabling them to plan, including consideration of practice workflow changes, and to engage in critical discussions with EHR vendors regarding functionalities. To support this, we strongly recommend that the focus of Stage 1 for the health IT functionality measures be on data entry (e.g., problem list, medication list) and structured data (e.g., enable EHR functionality for drug-drug, drug-allergy, drug 4 formulary checks). If achieved consistently and accurately, a more seamless use and reporting of quality measures will result. Therefore, we believe Stage 1 should be redefined and the proposed criteria should be segmented into two years to provide more flexibility on functionality measures and selection/awareness of quality measures

The letter addresses each of the 25 meaningful use objectives and describes where the organizations agree and disagree with the proposed objectives.  In my opinion it seems that the message to CMS is that they support the objectives but would like to see Stage 1 objectives scaled back.  The big push should be to get providers to implement EHRs and start using them, without strict requirements, to achieve the stimulus payments.  The organizations recognize that it is costly to implement EHRs and use them in meaningful ways.  It is costly to interface them with other systems including lab results, insurance providers, other EHRs.  And it is costly to support the new technology that is required.  Physician practices need to believe that the meaningful use objectives are realistic and that they are able to meet them.  Furthermore, they need to feel that they will be able to obtain the stimulus incentives to offset the costs of EHR adoption.  I feel the letter correctly addresses a lot of the issues that physician practices, both small and large, will face as they begin implementing EHRs.  It will be interesting to see what CMS does with the organizations’ recommendations.

The letter can be found on the AMA website.

I came across a very interesting blog called Musings of a Dinosaur.  The blog is written by Dr. Lucy Hornstein.  Dr. Hornstein describes herself as:

A Family Doctor in solo private practice; I may be going the way of the dinosaur, but I’m not dead yet.

On her blog she lists the 10 Laws of the Dinosaur.  These are insightful as well as funny.  I thought I would share them with you.

First Law: The art of medicine consists of amusing the patient while nature takes its course.

Second Law: It is impossible to make an asymptomatic patient feel better.

Third Law: The urgency of the test is inversely proportional to the IQ of the insurance company preauthorization clerk.

Fourth Law: There is no cure for stupid.

Fifth Law: Bad things really do happen to good people.

Sixth Law: The better the surgeon, the more reluctant s/he is to operate.

Seventh Law:
Part A: It has to be fun.
Part B: If it isn’t fun, see Part A.

Eighth Law: Half of what is taught in medical school is wrong, but no one knows which half.

Ninth Law: Poor planning on your part does not constitute an emergency on my part.

Tenth Law: A bad idea held by many people for a long time is still a bad idea.

My favorite is the fourth law.  There really is no cure for stupid!

As a Microsoft partner, I receive a lot of email from Microsoft with important information.  It is usually mixed in with a lot of unimportant information so I have to weed through it to get to the good stuff.  Today I came across something that I thought I would share.

Microsoft is ending support of Windows XP Service Pack 2 on July 13, 2010.  For those of you that are not familiar with what end of support means for one of Microsoft’s products, here is their description.

When support ends, customers still relying on these products won’t be able to benefit from security hotfixes, patches and service packs, presenting serious concerns around data security, system reliability for mission-critical workloads and regulatory compliance.

Important Dates

Product	End of Mainstream Support	End of Extended Support
Windows XP SP2		July 13, 2010
Windows Vista RTM	April 13, 2010
Windows 2000 Professional SP4		July 13, 2010
Windows 2000 Server SP4		July 13, 2010

Note:  Windows Vista RTM means “Released To Manufacturing”.  Most companies will not be running this version but if you are you will need to upgrade to Windows Vista Service Pack 2.

If you have questions or are looking for further insight into the impact of Microsoft’s end of support to your practice, feel free to contact me.