CMS checklist for HIPAA security audits

February 29, 2008 at 10:26 pm (business, cms, email compliance, health care, health information, health records, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, medical records, thoughts, tony trenkle)

The CMS (Centers for Medicare and Medicaid Services) has posted a PDF checklist of several items relating to HIPAA Security On-site Investigation that health care providers might want to take a look at in preparing for HIPAA email compliance. I suggest reviewing this list if you are a health care professional who is curious what kinds of things you might want to have on the agenda to be ready for the upcoming HIPAA audits.


Hospitals get ready for HIPAA security compliance [part 3]

February 29, 2008 at 6:29 pm (archive email, business, cms, corporate, data retention, electronic communication, electronic document retention, electronic privacy, Email Archiving, email backup, email compliance, email management, email retention, email security, email storage, health care, health information, health records, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, medical records, message archiving, news, privacy, thoughts, tony trenkle)

Ellen Messmer of Network World reports that lately hospitals have had more to worry about than just preparing for upcoming HIPAA security audits. “Health care organizations feel under increasing attack from the Internet,” Messmer writes, “while security incidents involving insiders and disappearing laptops with sensitive data are piling up.” Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area, was quoted as saying: “there is definitely an uptick in attacks. Privacy is the foundation of everything we do. We don’t want to be the TJX of health care.” She then turns to Don Jackson, researcher at Atlanta-based security services firm SecureWorks, who says: “health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information.” Jackson explains how cyber attacks are potentially beneficial to the pockets of criminals who obtain health insurance credentials to use in the “counterfeit document racket, especially in Central and South America.”

At least in terms of electronic communication, it might be time for some hospitals to turn to outsourced email archiving.  Encryption, security, and access are all issues for health care providers right now, and these are three issues that email archiving services are well equipped to handle. It is time for hospitals to address the quality and success of their electronic patient data backup and protection.  With HIPAA security audits right around the corner, the time to wait before integrating an email compliance solution is really over.


Google to store electronic patient medical records?

February 25, 2008 at 8:28 pm (advertising, archive email, business, cms, corporate, data retention, electronic communication, electronic document retention, Email Archiving, email audit, email security, google, governance, health care, health information, health records, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, legal, medical records, message archiving, news, politics, thoughts)

I noticed today on Med Tech Sentinel that Google is about to begin experimentation with electronic patient medical records. Douglas Cress writes: “the Cleveland Clinic will facilitate Google’s potential domination of the electronic personal health record (PHR) space. Google chose the Clinic because they offer 100,000 patients the tools to manage their medical records online and coordinate with doctors using a PHR suite called eCleveland Clinic MyChart. An invitation will be extended to 1,500 – 10,000 of these users.” Google will use this trial to determine the level of its security in exchanging “patient medical record data including prescriptions, conditions, and allergies.” C. Martin Harris, Chief Information Officer of the Cleveland Clinic, said: “this collaboration is intended to help Google test features and services that will ultimately allow all Americans (as patients) to direct the exchange of their medical information between their various providers without compromising their privacy.”

I believe the term of the day is: “HIPAA compliance.” This two-word phrase is beginning to make the news in a big way. On one hand you have the CMS (Centers for Medicare and Medicaid Services) ready to conduct stringent HIPAA security audits of hospitals, and now on the other hand you have Google looking to become the top player in the electronic medical records arena. At the root of Google’s potential conquest is the technology and desire for patients to manage their personal health care records. This need is owed in large part to HIPAA, which ensures that the privileged relationship between doctor and patient is upheld. According to HIPAA, electronic patient health care data must be retained and kept secure in order for a health care provider to be deemed HIPAA compliant. However, providers such as the Cleveland Clinic have begun offering personalized tools for patients to manage their health records online. This new trend is certainly a fine idea and on par with a continuously evolving society, but are there some risks to be noted here? Are there reasons to be cautious of what Google is doing?

Firstly, what is in this for Google? I mean, nothing this noble could come for free, right? Of course not, and the concept to be aware of here is called “targeted marketing.” I am posting an additional excerpt from Douglas Cress below because I think it is important to read:

“Anyone who has spent any time on the Internet (or sorting through spam in their email in-box) should have a sense of how profitable medicine is on the Internet. Based on some cursory keyword research, and my rough calculations, Google is earning $20 million in annual revenues from the keyword ‘Viagra’ alone. ‘Ambien’ costs $2.43 -$3.65 per click; local queries like ‘Brooklyn dentist’ cost $3.71 – $4.98 per click. If Google delivers on their promise of a web portal with 24/7 access to health care information – and they’re certainly well positioned to, with their global web-based architecture and a focus on security – the upside could be tremendous. Google will have the ability to offer a free service supported by advertisers. Think GMAIL for medicine – with ads for doctors, pharmacies, drugs, and devices peppered beside your personal health records and delivered using the same contextual advertising Google is known for.”

This means that, much to the delight of health care advertisers, your medical records information will be used to assist in the campaign of targeted ads. There is also the issue of Google security here: is a simple password alone really enough to make you feel confident that your electronic health care data cannot be breached? What if your information is hacked? It’s true that it is possible for any system to be tampered with, but would you feel more confident in a security provider that specializes solely in that field, or a gigantic corporation that merely uses it as an additional service? Will Google work on encryption? Will Google’s program only be compatible with health care providers that currently offer patients the tools to manage medical records? If not, how would it work? If Google succeeds and takes this mainstream, how will this affect the email archiving industry? Will health care professionals flock to Google for their HIPAA email compliance needs? Stay tuned.


Health Information Privacy and Security Week 2008

February 21, 2008 at 6:14 pm (ahima, archive email, business, cms, data retention, Email Archiving, email compliance, health care, health information, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, legal, message archiving, news, politics, security week 2008, thoughts, tony trenkle)

According to the American Health Information Management Association (AHIMA) website, the event often referred to as “hipaa security week” will be held April 13th – 19th, 2008. AHIMA states: “CONFIDENTIAL IS ESSENTIAL–Protect Health Information” is the theme for Health Information Privacy and Security Week 2008. This invaluable awareness event, held April 13th through 19, assures our communities that the industry takes extraordinary measures to put health information in the right hands and keep it there. It is a positive reminder of the importance every healthcare professional should place in this crucial aspect of medicine. A message that resonates throughout the nation’s facilities.”

With the CMS bearing down on the enforcement of HIPAA security compliance, this year’s health information privacy and security week will likely get taken a little more seriously. The protection of electronic patient health care data is an extremely important measure for our society to take, and I believe that the CMS’s current agenda is definitely helping the cause. Email compliance and email archiving solutions are necessities for health care professionals at this point, especially for those that do not want to deal with the repercussions handed down by Tony Trenkle and the Office of E-Health Standards and Services.


Hospitals get ready for HIPAA security compliance [part 2]

February 18, 2008 at 6:11 pm (archive email, business, cms, data retention, electronic communication, electronic document retention, Email Archiving, email audit, email compliance, email management, email retention, email security, health care, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, legal, message archiving, news, oig, politics, thoughts, tony trenkle)

According to Report on Patient Privacy (RPP), the industry’s most practical source of news on HIPAA patient privacy provisions, the compliance reviews which began last month “are separate and unrelated to audits being conducted by the HSS Office of Inspector General (OIG).” Tony Trenkle, director of the CMS Office of E-Health Standards and Services, told RPP that “the focus is broader than just hospitals, although they are included. In the future we may work with OIG, but these are two separate processes.” Trenkle’s senior policy advisor, Lorraine Tunis Doo, added: “we will interview the people who are appropriate to the documentation and policy and procedures that we need to evaluate. Whoever is relevant will need to be there. It could be different at every review.” In regards to the 283 security complaints logged by the CMS as of December 2007, Trenkle said: “the majority of allegations are of inappropriate access and risk of inappropriate disclosure.”

Well, as the Centers for Medicare and Medicaid Services (CMS) start to integrate the compliance review process there are a bunch of pertinent questions that come to my mind. Firstly, how will the CMS reviews impact the current state of electronic patient health care data and email management? Would a serious HIPAA violation change the way that electronic information is managed by health care providers? What is the difference between a HIPAA security compliance review and an OIG audit? Would the agency doing the testing (OIG or Office of E-Health Standards and Services) impact the stringency required for the security and privacy of an email archiving system? Will the OIG and CMS Office for E-Health Standards and Services be working together in the future? If the answer is yes, would this create a uniform policy and method for testing electronic patient health care data? Would the OIG merely be setting the stage for Tony Trenkle by doing preliminary investigation work? How many entities will be reviewed? What other health care providers and facilities will be subject to HIPAA email compliance regulations besides hospitals? Stay tuned for updates.


Stolen data signals concern over HIPAA security & HIPAA privacy?

February 1, 2008 at 10:37 pm (archive email, blue shield, business, data retention, Email Archiving, email audit, email management, health care, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, horizon blue cross, legal, new jersey, news, thoughts)

I noticed on the HIPAA Blog that Horizon Blue Cross and Blue Shield, New Jersey’s largest health insurance company, had a laptop computer stolen earlier this month in Newark along with the personal information of 300,000 of its members. Jeff Drummond reports that the laptop contained the names and social security numbers for “about 10% of the 3.3 million customers in New Jersey.” The first question that popped into my mind is: did Horizon Blue Cross and Blue Shield commit a HIPAA violation? Since there is no question that names and social security numbers are considered protected health information under HIPAA, the real issue becomes one of security. Who is in charge of enforcing HIPAA security regulations? That would be the CMS (Centers for Medicare and Medicaid Services), who would need to take action in determining if the laptop was reasonably secured at the time it was stolen. According to an editor on Realtime IT Compliance, they would need to conduct “an independent audit of the situation to reveal whether or not this was truly a violation of HIPAA.”

Well, what are people to think now? Do the 300,000 NJ members who had their information subject to potential identity theft feel confident in HIPAA security? How often are HIPAA audits conducted in the first place? I would be curious to know when Horizon Blue Cross and Blue Shield was last audited for adequate security and privacy measures. If protected health information such as social security numbers and names can be stolen, what about emails and electronic documents? Health insurance privacy & security professionals will have to give careful thought to email management and email archiving systems in the coming months, as the success of one thief could lead to a string of incidents to see how far HIPAA security breaches can be pushed.
