User login
The nexus of new technology and privacy rules springing from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) leads to a lot of stress and trepidation for health care professionals. Lucia Savage, chief privacy and regulatory officer for Omada Health, and Matthew Fisher, a health law attorney based in Worcester, Mass., who specializes in compliance issues, dispel common HIPAA myths and offer advice on how to protect yourself and your practice.
Truth: Physicians are not responsible for email security flaws from patient servers, said Ms. Savage, who served as chief privacy officer for the Office of the National Coordinator for Health IT under President Obama. HIPAA requires only that health providers send emails from a secure system that protects a doctor’s message from their end, she said.
“There’s this myth out there that you cannot send an electronic message to a patient’s email box if that email is unsecured, and that’s not true,” Ms. Savage said at a recent American Bar Association meeting. “The obligation is to secure what you send, not to secure what an unregulated, private person receives.”
Just remember to warn patients that they’re responsible for the safe storage of an email message once it arrives.
Truth: An email with protected health information (PHI) accidentally sent to the wrong health provider is not likely to get doctors in trouble with the Office for Civil Rights. In the last 12 years, there have been 184,000 HIPAA-related complaints to OCR and only 55 resulted in financial settlements, according to research Ms. Savage conducted through the Department of Health & Human Services website. Of the 55 settlements, none were associated with PHI accidentally sent from one health provider to another, she said in an interview.
“[The OCR] tends to seek fines for really eye-poppingly bad behavior,” Ms. Savage said, not small-scale accidents. For example, OCR fined one hospital for including the name of a patient in a press release without patient permission. Another health professional was fined for repeated failures to encrypt their computer system.
If a document with PHI does end up in the wrong inbox, Ms. Savage advises calling the receiver and asking that they immediately delete the email.
Truth: Breaches alone are not the reason most fines are levied, nor do breach notifications mean an instant penalty, Mr. Fisher said in an interview. Fines by OCR are more often tied to further noncompliance found when the agency begins investigating the entity after the breach report.
“Most breach reports will result in OCR conducting a follow-up investigation, usually with paper-based requests,” he said. “If responses to those requests reveal widespread or consistent noncompliance, then OCR may latch on and dig in order to impose a fine.”
For example, a breach could be the result of a lost USB drive or laptop, but OCR’s investigation might ultimately find that the practice failed to conduct an adequate risk analysis. Because a risk analysis is a fundamental component of HIPAA compliance, the inadequate risk analysis becomes the basis for a fine, Mr. Fisher said.
The best way to avoid an OCR fine is to ensure that proper HIPAA protocols are in place to assess security risks, prevent breaches, and mitigate breaches should they occur. “Part of good compliance is constant review and revision of policies as well,” Mr. Fisher said. “It is not sufficient to put the policies into place and then never revisit those policies. Circumstances change all of the time and policies need to keep up.”
Truth: Health professionals are obligated to provide copies of health information to patients and that includes electronic copies if practices have such technology. The electronic copy requirement was adopted in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Despite the electronic amendment’s existence for nearly 10 years, Ms. Savage said she frequently hears from patients about the difficulty of obtaining health information and the extended time and high cost that come with requests.
“[Providing health information to patients] is an obligation,” Ms. Savage stressed. “A 21st century physician might want to be thinking about how to build on that obligation to really engage their patients in a partnership of care. If you give the patient the data, they can actually become a more valuable [participant] with you and engage in self-management.”
More information on HITECH and giving patients access to protected health information can be found here.
Truth: HIPAA is flexible and can adapt to newer technology more easily than many people think, Mr. Fisher says.
“[There is the perception] that HIPAA is archaic and does not fit with modern technology,” he said. “There are a lot of misplaced fears that digital tools cannot satisfy security requirements or will place data where they should not go.”
In actuality, many health care applications enable doctors to satisfy HIPAA requirements, while using updated technology. Secure email to send patients messages is one example, he said, as well as secure text messaging between providers.
At the same time, new technology can often assist health care privacy and advance security, Mr. Fisher noted. Technology solutions frequently automate routine tasks, such as auditing. Tools like machine learning and artificial intelligence can enhance security and catch up with attacker intelligence, he added.
“Technology should be viewed as a means of enhancing and expanding capabilities,” he said. “Using the auditing example, an individual really cannot adequately review all records or access points, but a program may be able to do so and begin to identify small trends that represent a security concern. From this perspective, the technology, as indicated, is about enhancing what can be done.”
The nexus of new technology and privacy rules springing from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) leads to a lot of stress and trepidation for health care professionals. Lucia Savage, chief privacy and regulatory officer for Omada Health, and Matthew Fisher, a health law attorney based in Worcester, Mass., who specializes in compliance issues, dispel common HIPAA myths and offer advice on how to protect yourself and your practice.
Truth: Physicians are not responsible for email security flaws from patient servers, said Ms. Savage, who served as chief privacy officer for the Office of the National Coordinator for Health IT under President Obama. HIPAA requires only that health providers send emails from a secure system that protects a doctor’s message from their end, she said.
“There’s this myth out there that you cannot send an electronic message to a patient’s email box if that email is unsecured, and that’s not true,” Ms. Savage said at a recent American Bar Association meeting. “The obligation is to secure what you send, not to secure what an unregulated, private person receives.”
Just remember to warn patients that they’re responsible for the safe storage of an email message once it arrives.
Truth: An email with protected health information (PHI) accidentally sent to the wrong health provider is not likely to get doctors in trouble with the Office for Civil Rights. In the last 12 years, there have been 184,000 HIPAA-related complaints to OCR and only 55 resulted in financial settlements, according to research Ms. Savage conducted through the Department of Health & Human Services website. Of the 55 settlements, none were associated with PHI accidentally sent from one health provider to another, she said in an interview.
“[The OCR] tends to seek fines for really eye-poppingly bad behavior,” Ms. Savage said, not small-scale accidents. For example, OCR fined one hospital for including the name of a patient in a press release without patient permission. Another health professional was fined for repeated failures to encrypt their computer system.
If a document with PHI does end up in the wrong inbox, Ms. Savage advises calling the receiver and asking that they immediately delete the email.
Truth: Breaches alone are not the reason most fines are levied, nor do breach notifications mean an instant penalty, Mr. Fisher said in an interview. Fines by OCR are more often tied to further noncompliance found when the agency begins investigating the entity after the breach report.
“Most breach reports will result in OCR conducting a follow-up investigation, usually with paper-based requests,” he said. “If responses to those requests reveal widespread or consistent noncompliance, then OCR may latch on and dig in order to impose a fine.”
For example, a breach could be the result of a lost USB drive or laptop, but OCR’s investigation might ultimately find that the practice failed to conduct an adequate risk analysis. Because a risk analysis is a fundamental component of HIPAA compliance, the inadequate risk analysis becomes the basis for a fine, Mr. Fisher said.
The best way to avoid an OCR fine is to ensure that proper HIPAA protocols are in place to assess security risks, prevent breaches, and mitigate breaches should they occur. “Part of good compliance is constant review and revision of policies as well,” Mr. Fisher said. “It is not sufficient to put the policies into place and then never revisit those policies. Circumstances change all of the time and policies need to keep up.”
Truth: Health professionals are obligated to provide copies of health information to patients and that includes electronic copies if practices have such technology. The electronic copy requirement was adopted in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Despite the electronic amendment’s existence for nearly 10 years, Ms. Savage said she frequently hears from patients about the difficulty of obtaining health information and the extended time and high cost that come with requests.
“[Providing health information to patients] is an obligation,” Ms. Savage stressed. “A 21st century physician might want to be thinking about how to build on that obligation to really engage their patients in a partnership of care. If you give the patient the data, they can actually become a more valuable [participant] with you and engage in self-management.”
More information on HITECH and giving patients access to protected health information can be found here.
Truth: HIPAA is flexible and can adapt to newer technology more easily than many people think, Mr. Fisher says.
“[There is the perception] that HIPAA is archaic and does not fit with modern technology,” he said. “There are a lot of misplaced fears that digital tools cannot satisfy security requirements or will place data where they should not go.”
In actuality, many health care applications enable doctors to satisfy HIPAA requirements, while using updated technology. Secure email to send patients messages is one example, he said, as well as secure text messaging between providers.
At the same time, new technology can often assist health care privacy and advance security, Mr. Fisher noted. Technology solutions frequently automate routine tasks, such as auditing. Tools like machine learning and artificial intelligence can enhance security and catch up with attacker intelligence, he added.
“Technology should be viewed as a means of enhancing and expanding capabilities,” he said. “Using the auditing example, an individual really cannot adequately review all records or access points, but a program may be able to do so and begin to identify small trends that represent a security concern. From this perspective, the technology, as indicated, is about enhancing what can be done.”
The nexus of new technology and privacy rules springing from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) leads to a lot of stress and trepidation for health care professionals. Lucia Savage, chief privacy and regulatory officer for Omada Health, and Matthew Fisher, a health law attorney based in Worcester, Mass., who specializes in compliance issues, dispel common HIPAA myths and offer advice on how to protect yourself and your practice.
Truth: Physicians are not responsible for email security flaws from patient servers, said Ms. Savage, who served as chief privacy officer for the Office of the National Coordinator for Health IT under President Obama. HIPAA requires only that health providers send emails from a secure system that protects a doctor’s message from their end, she said.
“There’s this myth out there that you cannot send an electronic message to a patient’s email box if that email is unsecured, and that’s not true,” Ms. Savage said at a recent American Bar Association meeting. “The obligation is to secure what you send, not to secure what an unregulated, private person receives.”
Just remember to warn patients that they’re responsible for the safe storage of an email message once it arrives.
Truth: An email with protected health information (PHI) accidentally sent to the wrong health provider is not likely to get doctors in trouble with the Office for Civil Rights. In the last 12 years, there have been 184,000 HIPAA-related complaints to OCR and only 55 resulted in financial settlements, according to research Ms. Savage conducted through the Department of Health & Human Services website. Of the 55 settlements, none were associated with PHI accidentally sent from one health provider to another, she said in an interview.
“[The OCR] tends to seek fines for really eye-poppingly bad behavior,” Ms. Savage said, not small-scale accidents. For example, OCR fined one hospital for including the name of a patient in a press release without patient permission. Another health professional was fined for repeated failures to encrypt their computer system.
If a document with PHI does end up in the wrong inbox, Ms. Savage advises calling the receiver and asking that they immediately delete the email.
Truth: Breaches alone are not the reason most fines are levied, nor do breach notifications mean an instant penalty, Mr. Fisher said in an interview. Fines by OCR are more often tied to further noncompliance found when the agency begins investigating the entity after the breach report.
“Most breach reports will result in OCR conducting a follow-up investigation, usually with paper-based requests,” he said. “If responses to those requests reveal widespread or consistent noncompliance, then OCR may latch on and dig in order to impose a fine.”
For example, a breach could be the result of a lost USB drive or laptop, but OCR’s investigation might ultimately find that the practice failed to conduct an adequate risk analysis. Because a risk analysis is a fundamental component of HIPAA compliance, the inadequate risk analysis becomes the basis for a fine, Mr. Fisher said.
The best way to avoid an OCR fine is to ensure that proper HIPAA protocols are in place to assess security risks, prevent breaches, and mitigate breaches should they occur. “Part of good compliance is constant review and revision of policies as well,” Mr. Fisher said. “It is not sufficient to put the policies into place and then never revisit those policies. Circumstances change all of the time and policies need to keep up.”
Truth: Health professionals are obligated to provide copies of health information to patients and that includes electronic copies if practices have such technology. The electronic copy requirement was adopted in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Despite the electronic amendment’s existence for nearly 10 years, Ms. Savage said she frequently hears from patients about the difficulty of obtaining health information and the extended time and high cost that come with requests.
“[Providing health information to patients] is an obligation,” Ms. Savage stressed. “A 21st century physician might want to be thinking about how to build on that obligation to really engage their patients in a partnership of care. If you give the patient the data, they can actually become a more valuable [participant] with you and engage in self-management.”
More information on HITECH and giving patients access to protected health information can be found here.
Truth: HIPAA is flexible and can adapt to newer technology more easily than many people think, Mr. Fisher says.
“[There is the perception] that HIPAA is archaic and does not fit with modern technology,” he said. “There are a lot of misplaced fears that digital tools cannot satisfy security requirements or will place data where they should not go.”
In actuality, many health care applications enable doctors to satisfy HIPAA requirements, while using updated technology. Secure email to send patients messages is one example, he said, as well as secure text messaging between providers.
At the same time, new technology can often assist health care privacy and advance security, Mr. Fisher noted. Technology solutions frequently automate routine tasks, such as auditing. Tools like machine learning and artificial intelligence can enhance security and catch up with attacker intelligence, he added.
“Technology should be viewed as a means of enhancing and expanding capabilities,” he said. “Using the auditing example, an individual really cannot adequately review all records or access points, but a program may be able to do so and begin to identify small trends that represent a security concern. From this perspective, the technology, as indicated, is about enhancing what can be done.”