HIPAA Compliance for Small Medical Practices Remains a Problem
While large healthcare systems have mostly got to grips with HIPAA Rules and implemented controls to safeguard ePHI from external and internal threats, HIPAA compliance for small medical practices remains a problem, according to a recent survey conducted by NueMD. NueMD surveyed 900 healthcare professionals last month to gain an insight into how small medical practices are faring with their compliance efforts ahead of the next round of OCR compliance audits due later this year. 588 respondents worked in practices employing 1-3 physicians, 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked in billing companies. The survey produced some surprising and worrying results.
60% of respondents were unaware of the upcoming HIPAA compliance audits
Only 69% of respondents were aware of the 2013 Omnibus Rule
30% did not have a HIPAA compliance plan in place
Only 58% conducted annual staff training on HIPAA Rules
Only 68% were aware they needed...
HIPAA-Breaching Email Exposed BJC HealthCare Patients’ Data
BJC HealthCare, a not-for-profit health system based in St. Louis, MO, has started notifying 2,393 of its patients that some of their protected health information has been exposed as a result of an email error that occurred on December 30, 2015. An email containing sensitive data covered by HIPAA was sent to another medical group. While HIPAA permits the sharing of healthcare data for certain healthcare operations, the Security Rule requires any shared data to be protected in transit. If ePHI is to be shared electronically with another covered entity or business associate, it must be adequately protected to prevent unauthorized access and to protect the integrity of those data. Controls to protect the integrity of ePHI are addressable issues under 45 CFR § 164.312(e). In this case, the data were not encrypted to the standards required by the Security Rule, and consequently the data could potentially have been intercepted in transit. HIPAA requires covered entities to notify individuals when their PHI has been exposed or viewed by a third party to allow them to take precautions...
HiMSS Publishes Report on Pagers
HiMSS Analytics has published a new report offering insight into the real cost of pagers in healthcare. The report quantifies the cost of pagers and highlights the advantages that can be gained from switching to more efficient methods of healthcare communication such as HIPAA-compliant secure messaging apps.
Healthcare Providers Reluctant to Retire Pagers
Many industries have embraced new communications technology and are now using smartphones to communicate with employees; however, many healthcare organizations are still using outdated pager technology to communicate with physicians and nurses. Pagers have served the healthcare industry well for decades, yet they are inefficient, only allow one-way communication, and can cause communication delays and workflow disruptions. While it is clear that the technology is outdated and needs to be replaced, a great many healthcare providers have been slow to make the move to new channels of communication. This has been attributed, in part, to misconceptions about the value offered by pagers and inaccurate estimates of the actual cost of...
Privacy Breach Reported by Bay Area Chiropractic Center
In December, Bay Area Chiropractic Center LLC was advised that a substitute doctor who had worked at the Coos Bay facility had used a patient list that he compiled while employed by the company to drum up business for his own private practice. The physician was employed by Bay Area Chiropractic Center between June 1 and August 31, 2015. While employed at the company, the physician compiled a patient list which included patient names, addresses and contact telephone numbers. The data were taken from patients’ charts supplied to him in order for treatment to be provided to patients. The physician was not given permission to store the data, remove them from the company facilities, or to contact patients. The data were apparently stored in a Word document on a zip drive and were also stored on a mobile phone used by the physician. According to a breach notice sent to the Oregon Department of Justice, the physician is no longer in possession of the phone. It is unclear whether the data stored on the phone were securely erased before the device was disposed of. Bay Area Chiropractic...
Perceptions of Privacy and Security of Medical Records and Health Data Exchange Explored by ONC
Great strides are being made toward a fully interoperable health IT infrastructure. Adoption of certified health IT is growing and healthcare organizations and office-based physicians are increasingly exchanging health information electronically, but how do patients feel about the electronic exchange of their PHI? Is concern over data security growing? The Office of the National Coordinator for Health Information Technology (ONC) has been assessing public feeling and has recently issued a brief detailing the findings of surveys it has conducted on consumers over the past few years. Between 2012 and 2014, ONC conducted a nationwide survey which examined security concerns about electronic health records and electronic health information exchange. The number of individuals who are very or somewhat concerned about the privacy and security of their medical records has been decreasing and the number of individuals who expressed a lack of concern about the privacy and security of their medical records is increasing. In 2012, 7% of individuals were choosing to withhold information from...



