Privacy and Security Mobile Device Good Practices Project Launched

ONC’s Office of the Chief Privacy Officer (OCPO), in working with the HHS Office for Civil Rights (OCR), recently launched a Privacy & Security Mobile Device project.

The project goal is to develop an effective and practical way to bring awareness and understanding to those in the clinical sector to help them better secure and protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule – Remote Use Guidance, the project is designed to identify privacy and security good practices for mobile devices. Identified good practices and use cases will be communicated in plain, practical, and easy to understand language for health care providers, professionals, and other entities.

HHS will be looking for your input. Stay tuned for a public roundtable this Spring.

The proliferation of laptops, smartphones, and tablets and their use to access Protected Health Information (PHI) of patients has lots of people worried. Some of the largest breaches of data reported have been through the loss of laptop computers. In November 2010, ONC developed a document on Cybersecurity: 10 Best Practices for the Small Healthcare Environment relating to offices and networks. The problem is that during the last 18 months, smartphones and tablet computers like iPads and Kindles that can access the Internet have become ubiquitous.

The biggest problem with using these devices to remotely access PHI is that there are not yet security protocols and procedures in most organizations aimed at guaranteeing the privacy of the PHI accessed remotely.

Imagine for a moment: your physician is sitting in a coffee bar with a public wi-fi when s/he gets a call that you need an emergency refill of your blood pressure medication. The doctor uses a smartphone to login to the ePrescribing software used by the practice and sends the prescription to your pharmacy. Doctor finishes the cup of coffee, slips the phone into a jacket pocket and gets up to leave the shop. Unfortunately, the phone does not make it into the pocket and winds up on the chair as the doctor leaves.

You know the rest of the story. Someone finds the phone and messes around with it while deciding whether to try to find the owner. Since Finder can start everything on the phone (you see, there is no password), they can go right back to the last app used to see what the owner was doing. Since Doctor had the browser set to save passwords, Finder can log right into the ePrescribing software. . . .

Unfortunately, additional scenarios are also possible. That public wi-fi is known to everyone in the neighborhood and there are a couple of folks who sit around drinking their coffee capturing usernames and passwords from insecure sites. Who knows what they are capturing and accessing . . . maybe your username and password for your organization’s network!

The biggest concern with mobile devices is that they have proliferated so rapidly that organizations have not had the opportunity to develop protocols and adequately train staff members to have some semblance of a guarantee that PHI is secure. So ONC is doing what it can to shed some light on the subject and increase awareness.

In the meantime, this article has 5 security tips for your smartphone or tablet.

What is your organization’s policy about accessing protected health information remotely? Do you have policies?

Please share your comments below.

As you know, there are massive changes happening in the healthcare world. Many of those changes pertain to electronic medical records (EMRs), but there are also important occurrences related to the billing/practice management side of the behavioral health organization.

So here are those three things you need to know:

1. The 5010 changes only relate to electronic claims. If you are still filing claims on paper, changes from the 4010 to the 5010 versions of the 837 claim filing format do not affect you.
2. January 1, 2012 is still the deadline for beginning to send 5010 formatted claims. CMS and the Office of Civil Rights (OCR) have indicated that they will not begin to fine organizations that are not yet sending 5010 claims or payers who are not yet receiving them, but the deadline date still stands. After March 31, 2012, OCR will begin the enforcement process
3. Our clearinghouse partner, Emdeon, made this transition easier than anyone could have imagined.
   We use only one clearinghouse, but we have customers who send claims directly to several Medicare and Medicaid payers. Those custom, direct-sends have been a royal pain. Some of the payers were not ready for us to test until the last possible moment. Some of them were ready for testing but required that our customer start sending the 5010 even before the deadline. Some changed the testing process along the way; others had a procedure but did not inform us of all the steps when we first contacted them months ago. Many have been virtually impossible to reach by telephone in order to get assistance for our customers.Emdeon has done just what a clearinghouse is supposed to do. They began a timeline for testing and implementation almost two years ago. They had a testing system in place so our development staff could get help if needed but could also do iterative testing without someone there needing to intervene at each step. And finally, they assured us that there would be the capability of sending a 5010 early or continuing to send a 4010 with them translating to 5010 if a customer needed that to occur.

   Once our customers started sending, Emdeon was ready! Our customers are able to check the status of their claims using Emdeon’s Vision. If there were problems, we have an account representative we can speak to who intervenes immediately. In the couple of cases were there was an issue with a payer, Emdeon dealt with the payer, not us.

   By our standards, all of those things make our Channel Partner relationship an extremely valuable asset for our customers.

The next big, systemic change will be the move to the ICD-10, with a current deadline date of October 1, 2013. This one will affect everyone, those who file claims electronically and those who file on paper. The American Medical Association (AMA) has decided to fight that deadline on behalf of American physicians. They believe the cost to providers is too large, especially following so quickly upon the move to EMRs. Whatever the deadline, this will be a massive change requiring everyone to use different diagnosis codes and requiring hospitals to use different procedure codes. We can only hope the chaos will not be as great as could be possible.

Please share your experiences and thoughts about these changes. Just comment below.

This is an area that has interested and concerned me for quite a while. As developers of software for behavioral health providers, SOS has for years been monitoring developments in the arena of Health Information Exchange (HIE). This is the method by which Electronic Medical Record (EMR) software will exchange information among providers and healthcare organizations. The HIE is both the process of exchanging information and any repository of that information for easy access by those with rights to the data.

This is the bugaboo that has always bothered me as well as my colleagues in the behavioral health software trade association to which we belong (Software and Technology Vendors Association). SATVA members are committed to assuring that our products share information only as the law allows and as consumers wish.

Work is currently in progress to assure that a universal method of acquiring patient permission for release of their information is part of any HIE. Such a method would undoubtedly allow a patient to specify providers to whom their treatment and diagnosis information can be released and any providers to whom it cannot be released. But what happens when a patient changes their mind?

Here’s a hypothetical example that jumps into the future by a few years, when all or most healthcare providers have EMRs and are connected into their regional HIEs.

John D. is admitted to the Emergency Room of a local hospital after a panic attack that he interprets as a heart attack. Among the papers that he signs is a release for the ER to access any information in the regional HIE about his health conditions. Since he is not thinking very clearly as he is sure he is dying from a heart attack, he signs everything put in front of him. After he is medicated, stabilized and sent home, he wonders about what he signed and which of his health information will now be available to whom. Does he really want his optometrist to know that he was treated with an anti-anxiety medication and prescribed an antidepressant (which he decided not to take)? Is it necessary for his urologist to have this information? What does he do to protect just that ER visit information and keep it from being sent on to other providers?

And what do our mental health and substance abuse patients do to secure their sensitive information?

This process concerns me because of my experience that once a piece of information has been entered into some large electronic database, getting it out may be near to impossible. Several years ago, I attended a conference in New Jersey. I rented a car, drove to the city in which the conference was held, returned the car and paid my bill in a timely fashion, and returned home.

The next time I needed to rent a car was three months after Katrina flooded New Orleans when my mother and I returned to check on her home and attend the funeral of one of my uncles. For some reason, the car was reserved in my mother’s name…the airline tickets were purchased with her card…even though I had placed my name on everything. The rental agency manager noticed something wrong when we picked up the car; there was a block on my account even though there was no balance. She overrode the block, gave me the keys to the car, and we were on our way. I did not give it another thought.

In several return visits to New Orleans, I again rented cars from the same company and always wound up with a car, not even knowing there continued to be a block on my account. Each time the agent or manager overrode the hold and gave me the keys. In November 2010, we arrived in New Orleans on a Sunday. The agent and assistant manager decided they did not have the authority to override the block on my account and there was no one they could contact to clear it. They refused to rent a car to me and offered no solution. They gave me a phone number I could call on Monday, but did not even offer my 90 year old mother and me transportation to another agency. I cursed and swore I would never rent from their unprofessional agency again and called my brother to come pick us up. Fortunately, he was thinking clearly enough to suggest that we go across the highway to a different company and rent a car there.

I did call the company the next day and eventually got the written apology and clearance of my account that I requested. It took six years for this correction of an error to happen.

What processes will we insist be put in place to assure that patients can change their minds about release of information or correct errors or enter corrected information into their records? What kind of advocacy will be required? What do mental health and substance abuse providers need to do to assure that the privacy of their patients’ sensitive information will be handled as they choose?

Please share your thoughts about HIE and EMRs and where we are going with this process.

WellPoint, a BlueCross collaboration, is the largest provider of health benefits in the country. Their plan is to utilize Watson to sift through their patient databases to make diagnosis and treatment recommendations to WellPoint physicians.

This idea is not at all far-fetched and certainly a reasonable way for IBM to make some money off their huge research and development investment in Watson. They have also purchased some other companies that position them well for movement into the medical sphere.

Over the last four years, IBM has spent more than $7.8 billion to acquire database analytics specialists Cognos and SPSS, both formerly public, as well as data warehouse company Netezza, along with other private companies. In the first half of 2011, IBM spending on research and development exceeded $3.15 billion.
—International Business Times, 9/19/2011

What WellPoint is proposing to do is a starting point for a task all EMR’s will ultimately need access to and participation in. In order to meet the requirements for ARRA stimulus funds, eligible providers will need to utilize their EMR’s to help them make clinical decisions.

Clinical Decision Support (CDS) is a process whereby the physician gets notices and alerts from their software to assist them in making clinical choices that are based on data and evidence rather than memory and intuition. The Centers for Disease Control and Prevention (CDC) hopes to see public health organizations utilizing population data and statistics to guide their choices. They believe this will be one of the most impactful effects EMRs can offer the public health. The Office of the National Coordinator for Healthcare IT (ONC) wants to see individual physicians using Clinical Decision Support to advise their patients. Clearly, WellPoint plans for this level of intervention: physicians will have access to the data Watson can provide to assist them in making diagnoses and recommending treatments.

We talked in this blog about some of the potential benefits of CDS back in 2009. Since then, research on the benefits of supported clinical decision making has continued. A Google Scholar search of ’decision support emr’ results in 16,800 hits. There have also been noted some shortcomings, most notably a phenomenon called ‘alert fatigue‘, wherein a provider gets so many alerts and notices that they stop attending to them or turn them off altogether. Obviously, we have lots to learn about how to present information to healthcare providers so they can use it most effectively for the benefit of their patients. WellPoint has decided to dive right in!

What do you think about being diagnosed by a computer? Will it be more effective or less so? What is the relevance of CDS for behavioral health?

Please share your thoughts below.

I believe the idea is that the patient will bring their personal record with them when they visit a doctor. The doctor can download relevant information of the patient’s choosing into their own electronic medical record (EMR) system. At the end of the visit with the patient, they will upload their note onto the patient’s thumb drive. The doctor can subscribe to this system themselves, but even if they do not, they will be able to use the patient’s information. This is one way to make sure that the people treating you have the most current medical information about you.

Over the course of the last few weeks, the reason for concern about what information health systems have and how they manage it again came into the public light. The Stanford Hospital in Palo Alto, CA reported that 20,000 records of emergency room patients had been revealed online by their collection agency…one of their Business Associates. The information had been posted on a web site for just short of one year. One of the affected patients saw the posting of the information and reported it to Stanford Hospital and Clinics.

According to IDExperts, there is good reason for concern about the security of medical data. The street value for a stolen medical identity is $50. Using that information, a Medicare or Medicaid or other insurance fraudster can file claims for services never provided….and often get paid.

In other news this week, the White House has proclaimed September 11-16, 2011 to be National Health Information Technology Week. The purpose of the proclamation is to call attention to and educate the citizenry of the benefits of and need for Health IT that will protect the privacy of the patient and involve patients in their health care.

Finally, the Office of the National Coordinator for Health Information Technology (ONC) has announced their new website, HealthIT.gov, designed to become the leading national resource on health IT for both consumers and health care professionals. The goal of the site appears to be to encourage personal responsibility for one’s health and health care through wise use of technology and coordinated efforts with one’s providers.

It was a busy week! Is there news you would like to share?

In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because they waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.

It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.                                                                  [Read more; Subscribe]

For me, the important issues here are the following:

• OCR is serious about data breaches and safeguarding patient protected health information (PHI).
• State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
• The cost of a data breach is significant and would put many small provider organizations out of business.

Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?

Please share your experiences and concerns about data privacy and security with us below.

The difference in attendance speaks to multiple issues. First, Dr. Porter is an excellent presenter who talked broadly about EMRs. His years as a researcher and university professor combined with recent years in private practice give him great credibility. Secondly, the EMR landscape has changed hugely in the past decade with government requirements to migrate patient records to an EMR a distinct possibility.

The psychologists who are my age peers who used an EMR  loved computers and liked doing all their work there. Most of our age-mates would never have considered keeping records that could not be locked up in a file cabinet behind their locked office door. The younger psychologists who are now replacing us in the private practice community are not only willing to consider keeping their records electronically. . . they are willing to keep them online using a Software as a Service (SaaS) type product. The move from needing to hold the patient record in my hot little hands to allowing it to float out there in the cloud is a sea change.

While Dr. Porter presented a great deal of information in the two hours he spoke, there were several items I thought you might find interesting.

1. The American Psychological Association published Record Keeping Guidelines in the December 2007 issue of the American Psychologist. If you are a psychologist and you keep records, you should read them. If you keep behavioral health records but are not a psychologist, you might take a look at them. Such Guidelines frequently become part of the standard of care in a professional community.
2. The APA Guidelines recommend disclosure to the patient of your record keeping procedures, including the limitations of confidentiality of the records. Those limitations of confidentiality lead to a likely need to maintain a separate  record of care for each person you treat, including for each individual member of a family or couple. (Guideline 4)
3. Ofer Zur, Ph.D., a licensed psychologist in California, offers extensive information about and continuing education on record keeping and many other aspects of behavioral health practice. [Retrieved 4/19/2011 from http://www.zurinstitute.com/recordkeepingguidelines.html.]
4. Dr. Zur points out that a treatment plan usually includes problems or symptoms, a diagnosis, goals of treatment, interventions to be used to achieve the goals, and the rationale for use of those interventions.

I would add a quick note about the possibility of a requirement to keep records of psychological care in an EMR. At present, the only behavioral health providers who are Eligible Providers (EP) for ARRA funding to purchase an EMR are psychiatrists and nurse practitioners. Psychologists, social workers, mental health counselors and addiction professionals do not qualify, nor do psychiatric hospitals. While this may change, there is currenly no way for most mental health providers to obtain stimulus funds. At the same time, there is no requirement for them to move to an EMR, nor will they be penalized for not doing so (psychiatrists and nurse practitioners may be subjected to Medicare withholds). Fortunately, most of the products aimed at the private mental health practitioner are relatively inexpensive and can easily be obtained without resorting to government funding or a second mortgage on your house.

While an electronic medical record can be a powerful way to significantly increase the quality of the records maintained by you and your organization, you must know what you are required to maintain in the record. . . by the governmental jurisdictions and the professional guidelines to which you are subject.

How does your organization determine what goes in the client’s record? Who is responsible for those records? Are you using an EMR, a paper record, or some hybrid system?

Please share your thoughts on records in the Comments below.

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims is PHI and is protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible to assure that this information is intact, safe from destruction, and secure from preying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location ready at a moment’s notice to replace data on your computer system, you are not even doing the most basic things necessary to provide protection to your patients. You could probably be demonstrated to be guilty of ‘willful neglect,’ the level of culpability that will generate the highest of fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those hand held devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection assures that your data are vulnerable? There is not built-in security in your telephone or tablet. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

A new study published in The Journal of General Internal Medicine suggests that email contact with a trained psychiatric nurse can dramatically improve the outcome of medication treatment for depression by internal medicine practices. Reported in Healthcare IT News on March 17, the study was a follow-up to a similar study using telephone contact with patients who had newly been started on antidepressant medication. According to the report, the email messaging was even more effective than a telephone call in improving the benefit of the medication.

The study utilized 208 members of Group Health, a consumer-governed, nonprofit, integrated healthcare organization that coordinates care and coverage for 600,000 individuals in Washington state and Idaho. The Group Health Research Institute (GHRI) was the responsible research organization. GHRI  is a non-proprietary, public-domain research institution within Group Health.

The Group Health plan includes a patient portal that has access into the organization’s electronic health record. According to the abstract of the article, the Intervention consisted of:

 Three online care management contacts with a trained psychiatric nurse. Each contact included a structured assessment (severity of depression, medication adherence, side effects), algorithm-based feedback to the patient and treating physician, and as-needed facilitation of follow-up care. All communication occurred through secure, asynchronous messages within an electronic medical record.

This study was motivated by poor improvement outcomes reported nationally for depressed individuals treated by their primary care providers with antidepressant medication. The goal of the entire research project is to determine if use of an organized plan of treatment including evidence-based follow-up services would result in greater effectiveness of medical therapy.

A significant movement is developing within the U.S. to improve outcomes of our healthcare system by providing services in non-traditional ways. The Connected Healthmovement seeks to improve healthcare services and outcomes by use of technology to remotely monitor and provide services. Partners Healthcare Center for Connected Health has been a pioneer in this effort. Their web site states the goal in this fashion:

Changing Healthcare Delivery

We are engaging patients, providers and the connected health community to deliver quality care outside of traditional medical settings. Telehealth, remote care and disease management initiatives reflect the opportunities for technology-enabled care programs.

What potentials do you see for the use of electronic methodologies like secure email communication with clients within your organization? Are you already engaged in such endeavors? What do you see as the obstacles to such care? What are the potential benefits to your clients? How do we get from here to there?

Please share your experiences, concerns and other comments below.

As I look at the huge changes that are happening, I find myself  thinking about how individuals handle change.

To oversimplify, it seems to me that there are people who seek out change and all things new…the thrill-seekers of the world. Then there are those who fight change of anything at all costs…the ultraconservatives of the world. And, of course, there are those in the center who struggle to embrace changes that seem constructive while trying to hold onto what they value in the old . . . a delicate balancing act. How do you deal with change?

I am one of those middle-of-the-road people who likes things to stay mostly the same, as long as people are not hurt by that sameness. I like to do the same things day-to-day in very similar ways. I like to experience lots of things, most in moderation (except for reading), but is difficult for me to do new things just for the sake of doing something new…except for traveling to new places. I do not dive into new technology or new software programs if the old are doing the job for me.

I know, I know . . . those of you who know me as a radical feminist and politically liberal woman will be amazed by those statements. After all, I actively endorse public and personal ‘policies’ that support dramatic social change so more people have the right and ability to seek their happiness and success and to be safe and secure as they do so. Nevertheless, those who work with me know of my strong tendency to say ‘no’ first, and only later to consider the new way of accomplishing something. I am comforted by the familiar and will face the anxiety caused by the new only if I deem the potential benefit to be worth the discomfort.

I share this perspective on myself to encourage you to assess your own responses to change.

Are you the first in your group of colleagues and friends to try out a new assessment technique or therapeutic modality, new computer or software? Do you go to all the workshops because they are fun and stimulating rather than just to meet the requirement for continuing education credits? Have you already started using an EMR or clinical record software product?

Or do you fall on the side of ‘If it ain’t broke, don’t fix it’? Do you prefer the comfort of seeing clients in the same way you have always done so without feeling the need to explore new methods? Are you determined that you will not move to an EMR? Electronic prescribing? Patient portals? Will you just retire before it is required that all behavioral health professionals participate in the electronic record revolution?

How does your personal approach to change affect your opinions about and participation in your organization’s direction? Are you leading the charge for change or being dragged along by those who are racing ahead? Are you just sitting back and taking a wait-and-see posture rather than jumping into the fray?

Please share your experiences with change and how your personal approach is affecting your view of the move to Electronic Medical Records. Just enter your comments below.