How patients can safeguard their PHI

This morning I received my monthly newsletter from United Healthcare, our insurer. The lead article in that newsletter included 8 crucial steps I can take to prevent ID theft. Obviously, insurers have a lot to lose from fraudulent claims. So does each of us.

The frequent announcements about healthcare data breaches and hacks into healthcare systems and software vendors have led some organizations to begin to focus on how we as patients and consumers can protect our private information. In their August 24, 2015 newsletter, FierceHealthIT recommends 3 ways patients can safeguard PHI.

They are simple steps:

  1. Only share your private information when it is absolutely needed. Every physician I have ever been to has requested my social security number (SSN). There is no reason for them to have it. My SSN is not needed for identification or billing purposes and I stopped giving it years ago. You can do the same. For those of you who are on Medicare, it is not so simple; that number is on your card and requires additional safekeeping on your part. A law passed by Congress this year requires the Centers for Medicare and Medicaid Services (CMS) to develop Medicare cards which do not include the holder’s social security number. There is funding which will allow this to happen for new subscribers within four years and for all other subscribers within four additional years.
  2. Get credit monitoring. If any of your personal information is included in a data breach of any sort (Target, VA, anything) and you are offered credit monitoring, TAKE IT! And then use it. If they suggest that you initiate a credit freeze for one or all of the credit services, do it. If you are concerned about your personal data, you might even consider subscribing to one of the services on your own. Whether you do that or not, be sure to get your free annual credit reports from each of the big three reporters.
  3. Watch your health records. Ask for copies of your records and monitor them. Make sure the information is correct. Use your health insurer’s website to monitor claim activity to be sure no one bills for services that were not rendered to you.

The upshot of these articles is that patients and consumers of all services must become more aware of our own data and how it is being used and protected (or not being protected), by those with whom we do business or from whom we receive services. Healthcare providers can participate in this education process for their patients by providing information for them about what they can do. It goes without saying that you also provide your organization’s Privacy Policy, as required by HIPAA.

We are all subject to pretty onerous outcomes if our personal information is stolen. Proactive steps to encourage your patients to protect theirs can go a long way to securing your relationship with them.

Technology frustrations . . . and dangers

The past two weeks have reminded me that I sometimes struggle with technology, and often let myself get very frustrated.

While I was away at a yoga training, Seth created a video to teach our customers how to use the SOS ICD-10 Prep Utility we have created for our software, SOS Office Manager. We decided that I would record a voice track and then determine which to use.

I cranked up the software I have used to create videos in the past and spent two days getting the audio recorded and the video edited to my satisfaction. Then I tried to produce the video. It kept inserting green or black screens in places I had made edits. After another day of working with it, I realized I was not going to be able to get a clean video with my software.

Seth suggested I use YouTube’s editing tools but I could not figure out how to do so.

This is the point at which I made my biggest mistake. I searched for free video editing software and downloaded a product to my computer. I spent another two days trying to get the video edited properly and finally gave up, turning the project back over to Seth.

When I re-focused on my other tasks, I started to notice some changes to Chrome, my preferred browser. My usual search engine and new tab page were no longer Google. Instead, Yahoo kept showing up every time I opened a new page. I also found that I could not attach a document to an email. I do not know what other problems might have appeared if I had not realized that something was wrong.

I then spent part of the day on Monday, part of Tuesday, and all day Wednesday searching the web for solutions to my problems. At first, I did not connect them with the download of VSDC, the video editor. When I looked at the history in Chrome and traced back the appearance of the Yahoo! page, I was able to correlate it with this download. Like many other free and low-cost products, this software installs Potentially Unwanted Programs (PUPs) on your computer when you install it. I was even careful to uncheck boxes accepting other software, to no avail. This is how these software companies make money: they get paid by other vendors to install software on your computer, often without your knowledge.

This method has also become the most common way serious exploits are installed on your machine. And most antivirus software does not search for such programs to prevent their installation. Anti-malware products do, but most of us do not have those on our computers.

I was lucky this time that only my browser search choices were hijacked. I hope to avoid a next time!

Lessons Learned:

  1. Do not download free software.
  2. In the event that a free product is the only reasonable way to accomplish a goal, download it only from the company’s site directly. Do not use sites that aggregate free products.
  3. Learn how to find reviews on free and inexpensive software products and determine if anyone has reported malware problems related to the software. Avoid any that have even a single such mention.
  4. Especially, do not download free software when in a time crunch. Deadlines make for poor judgment!


Okay, now that I have ‘fessed up, please share your own experiences in the comments below!


ICD-10 Testing and Countdown to October 1, 2015

We know that most of our customers are ready for the switch to ICD-10 for diagnosis codes in their claim files. But just in case you are not quite there yet, please subscribe to the bulletins that CMS sends regarding this transition. Short of that, take a look at some of their recent posts wherein they focus on the 5th of their recommended steps to prepare for ICD-10:

  1. Make a plan.
  2. Train your staff.
  3. Update your processes.
  4. Talk with your vendors and health plans.
  5. Test your systems and processes.


If you are still at a loss, or you are new to your organization and want to have a better understanding of this whole ICD-10 transition, feel free to take a look at our previous posts on this topic:

  1. Mental Health Billing and the ICD-10 – 10/31/2008
  2. ICD-10: How will the change affect your life? – 9/21/2009
  3. Three things you need to know about mental health billing in 2012 – 1/16/2012
  4. CMS: Are you familiar with their newsletters and eLists? – 8/20/2012
  5. ICD-10 Implementation – 6/27/2013
  6. New CMS-1500 Forms Required Soon – 9/13/2013
  7. CMS Notices on ICD-10 Transition Become More Concerned – 11/19/2013
  8. ICD-10 Challenges Behavioral Health Providers – 2/5/2014
  9. Congress Throws a monkey wrench into ICD-10 Implementation – 4/1/2014
  10. ICD-10 Implementation Rule Announced . . . Again – 8/19/2014
  11. ICD-10 Strategy: Be prepared – 4/21/2015
  12. SOS-at-Large: Our top 10 blog posts – 5/15/2015
  13. CMS completes second round of ICD-10 end-to-end testing – 6/3/2015
  14. Change is in the air! Are you ready? – 7/21/2015

If you are an SOS customer with a current support agreement and have no idea about ICD-10 changes, please contact us as soon as possible!

Here’s one last bit of information. Out of concern for the transition to ICD-10 and the learning process that provider organizations must endure, the American Medical Association (AMA) and the Centers for Medicare and Medicaid Services (CMS) have developed CMS Guidance for providers to help with some of the concerns. CMS developed their Guidance in the form of Frequently Asked Questions (FAQ) and a Clarification of the Guidance. If you have concerns about what you should do if you run into problems once you start using the ICD-10, be sure to take a look at these documents.


Change is in the air! Are you ready?

[Trish Merchant, our business development rep, is getting lots of questions about ICD-10. She asked to write a post letting you know what SOS is doing about ICD-10. In consultation with Manon Faucher, our Lead Tech Support rep, she created the article below.

Not using our products? What is your software company doing to make your transition to ICD-10 an easy one?]


Of course I’m talking about changes with the International Classification of Disease system of coding (ICD). While the original intent for the ICD codes was for epidemiological, health management and clinical purposes, here in the U.S. the codes are used by payers for billing and reimbursement purposes as well.

On October 1, 2015 the code set will change. We will cease using the current ICD-9 code set and begin using the ICD-10 codes. Before you fall over at the thought of having to re-code patient accounts in a last-minute, rushed manner, SOS wants you to know that you can begin re-coding now, in advance of the change over date! To do this, we created an ‘ICD-10 Prep Utility’ in SOS Office Manager which will allow you to go through and re-code accounts as you have time to do so between now and October 1st.

You must be running at least a 2014 version of SOS Office Manager to have this prep utility.

The prep utility can be found in SOS Office Manager on the “Tools” menu, then select “ICD-10 Prep Utility.” By clicking on ICD-10 Prep Utility, you are taken into a holding area within the software. When you click on the Claim Setup (CSU) icon, you will be presented with a patient list. This allows you to go through your patient list at your leisure to enter the correct ICD-10 code, mark the coding as complete, then save the changes. If you have the Pro version of SOS Office Manager, any patient with more than one Claim Setup (CSU) will appear on the list for each CSU they have. Each CSU has a box that you can mark to indicate coding for that patient is complete. Once re-coding is done, you can import the new codes into SOS Office Manager by using the “Import from ICD-10 Prep Utility” function located under the Tools menu. You can also check a box to hide patient accounts with ‘Completed’ status, in order to ensure no patient account is overlooked!

You will be able to import at any time prior to October 1st, even multiple times if necessary, without overwriting codes that were previously imported. If you have entered some ICD-10 codes in the Claim Setup of a patient account, the codes will not be used until the date that is entered in the field for ‘Date to Start Implementation of ICD-10 Diagnosis’. This field is found under Setup>System Options>Billing Tab and is located at the bottom of the page. This date should be set at 10/01/2015.

For some, re-coding may not be an arduous task, only taking a matter of minutes to complete. But for practices where this process may be more of an undertaking, the Prep Utility was created so re-coding could begin well in advance of the cut over date. When using the Prep Utility, you’ll notice that we populate the ICD-10 field for you whenever there is no ambiguity about which ICD-10 code to use. If there are two or more possible ICD-10 codes, we show you the possible matches in a pick list. You’ll want to make sure that the suggested ICD-10 code is correct, compared to the ICD-9 code that is currently being used. If you need coding assistance, we’ve also added links to websites that you can use to reference ICD-10 codes.

While the wait to switch to ICD-10 codes is almost over, you don’t have to wait any longer to begin the re-coding process! If you are an SOS customer and have a current Support Agreement, please call the SOS Support Team if you need help getting started!

Moving with change

I am a planner. I learned early on in my life that I am able to get large numbers of things done if I plan my activities. That now thoroughly internalized quality has served me well. It helped me succeed in school. My planning has allowed me to accomplish much of what I set out to do professionally. I am able to stay healthy at least partly because I plan what to eat and when to exercise and practice yoga. It is so much a part of how I behave in the world that it is also one of the ways I describe who I am. I am a planner.

Then, as life will have it, something happens that is not part of the plan.

My usual reaction would be to freeze; don’t do anything until I can understand the consequences and plan my next action. Fortunately, I have family and friends who encourage me to step into the change, to view it as an adventure.

My most recent experience of stepping into the unplanned was related to vacation. I had the opportunity to leave the country a week before I expected to do so with about 24 hours to take care of everything that was required of me! As anyone who knows me well would tell you, taking advantage of this unplanned situation is not my strong suit.

Events like this make me wonder what aspects of my life I may have limited by so heavily endorsing this one characteristic. There is no question that being a planner makes me more rigid. Since I already have a plan, I am not inclined to step outside the path I have set. If I have no plan or expectation for a particular activity or endeavor, I am able to be flexible, and that certainly can be fun and freeing. I am sure doing some things in an unplanned way allows me to be more open to the experience and to lessons I can learn from the new circumstance.

I am sure there are many other qualities that people have that limit how they behave in the world, even if those characteristics also allow them to succeed in certain ways. I think of the person who is averse to taking risks. They are always safe but experience little that is new. And the person who goes rapidly from one new thing to the next, rarely following through on what they start. And the one who is set in their ways, unable to incorporate modern ways of doing things.

What characteristics do you, or your organization, have that assure you certain successes, but limit you at the same time? What might need to happen to help you see those qualities . . . and even to change them? What might make it easier for you to move with and through change? Please share your thoughts and experiences in the Comments section below.

Oh, by the way, the extra week of vacation was great and I learned lots about how I want to travel and how I do not want to do so! The unplanned parts were at least as much fun as the planned ones, if not more so.

CMS completes second round of ICD-10 end-to-end testing

For the second time this year, the Centers for Medicare and Medicaid Services (CMS) has completed a round of testing with providers, clearinghouses and billing agencies. This testing during the last week in April demonstrated even greater success than the first round of testing in January. There will be one final round of testing in July. According to the CMS ICD-10 news updates:

From April 27 through May 1, 2015, Medicare Fee-For-Service (FFS) health care providers, clearinghouses, and billing agencies participated in a second successful ICD-10 end-to-end testing week with all Medicare Administrative Contractors (MACs) and the Durable Medical Equipment (DME) MAC Common Electronic Data Interchange (CEDI) contractor. The Centers for Medicare & Medicaid Services (CMS) was able to accommodate most volunteers, representing a broad cross-section of provider, claim, and submitter types.

This second end-to-end testing week demonstrated that CMS systems are ready to accept ICD-10 claims.

One of our biggest concerns as practice management software vendors has been that payers would not be ready for the move to ICD-10. We were very pleased to learn of this successful testing on the part of CMS. While this in no way guarantees that other payers will be ready to receive ICD-10 claims, it is clear that those who send claims and who are intermediaries for claims (clearinghouses) have taken this change seriously and will be as ready as it is possible for systems to be. CMS continues to provide ongoing news, information and training materials. If you have not already registered to receive CMS ICD-10 updates, you should certainly do so!

In addition, it would not hurt to check with your other large payers to question their level of readiness to receive ICD-10 claims starting on October 1, 2015. If they do not have information for providers available on their website, give their provider support line a call.

Finally, do not assume that things will go smoothly. Be sure you have acquired a line of credit to run your business for several months in case your payers have difficulty with implementation.

CMS recommends the following:

Prepare now for ICD-10 implementation

Medicare claims with a date of service on or after October 1, 2015, will be rejected if they do not contain a valid ICD-10 code. The Medicare claims processing systems do not have the capability to accept ICD-9 codes for dates of service after September 30, 2015; or accept claims that contain both ICD-9 and ICD-10 codes.

There is still time to get ready!

Even though the October 1, 2015, mandatory implementation date is quickly approaching, providers still have time to prepare for ICD-10, and CMS has created a number of tools and resources to help you succeed. One tool is the “Road to 10,” aimed specifically at smaller physician practices with primers for clinical documentation, clinical scenarios, and other specialty-specific resources to help you with implementation.

Are you ready?

SOS-at-Large: Our top 10 blog posts

Every few days, I notice which old posts are being visited on our blog page. I am somewhat surprised when I see what is popular. Unfortunately, it is difficult to tell whether these are visited often because they are really popular or because there is a list of Popular Posts at the top of the page in the left sidebar. Some of the same posts probably get clicked on just because they are in the list. Maybe they are in the most-viewed list because they are old and have been on the site for so long!

I recently had a conversation with a friend who was talking about a bakery selling more white cakes by far than chocolate or marble. When she looked at their case, she questioned whether the bakery sold more white cakes because that is what they put out for people to buy or whether they put out white cakes because that is what people requested. While questions like this are standard marketing fare, they can be useful to all of us in evaluating what we provide to the public. I think I choose topics because I want to write about them. Maybe I actually choose them because it appears that they are what people want to read about!

Tied for #10 are:

Psychologists and EMR: Movement forward, April 19, 2011 . . . . .and
Workflow and EMR: How do you do it?, November 10, 2009

#9 Psychiatry CPT Codes for 2013, October 4, 2012
#8 ARRA and Mental Health EHR Software, February 17, 2009
#7 ARRA’s New Privacy and Security Requirements, March 10, 2009
#6 Health Care Reform and Behavioral Health, April 1, 2010
#5 Behavioral Health EHR: Dream or Reality, Obstacle or Asset, December 8, 2008
#4 Electronic Claim Filing for Secondary Insurance, May 10, 2011
#3 Are your passwords HIPAA secure?, February 23, 2009
#2 Psychiatric CPT Codes Changing in 2013, August 15, 2012 . . . . . and . . . . . (drum roll)

#1 Mental Health Billing and the ICD-10, October 31, 2008.

I remind you, these are pretty old posts. If you want to see more recent posts, just go to the SOS-at-large page, start at the top and scroll down. Alternatively, look at the Latest Posts list (just under the Popular Posts), or scroll down a bit more and click on the Archives list month-by-month. If you are interested in a particular topic, find the Search for box near the top on the right sidebar. Just type in the term you are interested in. For example, typing HIPAA in that box will show all the articles in which HIPAA is mentioned. We have been writing this blog since October 2008, so there are lots of articles there, but some of them are old and the information is dated. If there is a topic in which you are interested but you only see old information, let me know. I would be glad to write new posts with fresh data.

What do you think? Do you buy white cake because it is what is in the case? Do you read about HIPAA and ICD-10 because you need the information or because the articles are near the top of the list? Please share your comments below.

ICD-10 Strategy: Be prepared

I just came across a nice article on ICD-10 implementation today that you should take a look at. While aimed at hospitals, the concepts apply to all organizations, including behavioral health. This article was published on April 17, 2015 in a newsletter called the ICD10 Monitor. The author, Juliet A. Santos, MSN, CCRN, FNP-BC, presents straightforward, concrete ideas.

  • Be proactive and expect delays.
  • Avoid an all-or-nothing approach. If possible, start early.
  • Consider staggering claims.
  • Ensure that you are capable of submitting ICD-10 codes.
  • Support the person/people responsible for coding.
  • Establish efficient processes and contingency plans. Make sure providers know what to expect and how they are to interact with coder/billers who have questions.
  • Have at least six months of operating funds available.

That last suggestion is more than worth considering. If possible, get a line of credit arranged now. If there are problems on the part of even one of your largest payers, you will need the cash.

I know that many of you see the ICD-10 switchover as a non-event. And for some of you, that is the case. Please prepare as much as possible so it will be the case for everyone!


The Internet of Things (IoT): Where do you touch it?

Just before the end of last year, I was at one of the big box stores with my husband. He is a bicyclist, tech hobbyist, and unabashed advocate of use of the Internet for every possible thing. I am more conservative when it comes to technology . . . especially where my privacy might also be involved. I had decided that I wanted a pedometer. I would like to improve my general activity level and I thought awareness of how much I move during the day might help me. He suggested I get a fitness device instead. That way, I could track my sleep as well as my steps and other activity. His own device tracks steps and sleep and connects with the same online database he uses for his bicycling.

As I was setting the device up, I found myself having some concern about my information. In the settings, I was able to indicate that only I would be able to see the data, but I know that all of this information is getting stored in some huge database that is or will be mined to sell me things. After all, it is connected to an app on my smartphone. The device communicates by Bluetooth with the phone.

Several weeks after starting to use this new toy, I decided I wanted to lose a few pounds. In the past, I have successfully used a telephone app to track what I eat and my workouts, and guess what! It connects with my new fitness device, so my device can give me activity credit. That way I have an idea of how many calories I can eat and still lose weight. Hmmm, more personal data on the Internet and now connected together.

On March 31, I received one of the FierceHealth newsletters to which I subscribe. I was struck by an article about the Internet of Things (IoT) and the need for a framework for how such things should be regulated, should manage data, should handle security, should interface with our lives. I realized that I had stepped into what is rapidly becoming a very large pond.

So what is this Internet of Things? According to Wikipedia,

The Internet of Things (IoT) is the network of physical objects or “things” embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

The term “Internet of Things” was first documented by a British visionary, Kevin Ashton, in 1999.[1] Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications.[2] The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid.[3]

Things, in the IoT, can refer to a wide variety of devices such as heart monitoring implants, biochip transponders on farm animals, electric clams in coastal waters,[4] automobiles with built-in sensors, or field operation devices that assist fire-fighters in search and rescue.[5] These devices collect useful data with the help of various existing technologies and then autonomously flow the data between other devices.[6] Current market examples include smart thermostat systems and washer/dryers that utilize Wi-Fi for remote monitoring.

Besides the plethora of new application areas for Internet connected automation to expand into, IoT is also expected to generate large amounts of data from diverse locations that is aggregated very quickly, thereby increasing the need to better index, store and process such data.[7][8]


Healthcare devices that are part of the IoT, such as pacemakers, have been around for a while. Those of you who work in corrections have probably had clients who have worn ankle bracelets to determine their whereabouts. The possibilities are endless, as Cisco, Microsoft and Google have determined.

While I am not creative enough to come up with ways the IoT will impact behavioral health services, I am sure it will. At the very least, according to Nic Cuccia and OpenMinds, it is likely to change health care customer service. This realm will have much more impact on your life than that computer sitting on your desk ever did.

How will you allow the Internet of Things into your life? into your practice? into your services? Please share your comments below.

Telepsychology and Internet Based Therapy Revisited

Several times over the last six years, I have written about the topic of telehealth, telemental health, and remote provision of behavioral health services. While I have never hesitated to express my opinion about the potential benefits and pitfalls of remotely provided services, I have also never done anything approaching a comprehensive review of the literature.

Fortunately for many of us, Dr. Kenneth Pope has. Surveying resources and compiling them on his website is one of the many contributions Dr. Pope makes to the field of psychology. Below is an announcement he recently made that was shared on a list to which I subscribe. I share it with you here. All of the credit for the work in compiling this list and information belongs to Dr. Pope.

If your organization has not yet begun to provide remote services, the information provided at Dr. Pope’s site may just be the way for you to get started. Please feel free to share your comments below.


Today I updated and expanded a web page of resources for telepsychology and internet-based therapy.

This collection of resources is intended to help therapists, counselors, and other clinicians to keep abreast of the rapidly evolving professional guidelines, research, treatments, legal standards, innovations, and practices in the areas of telepsychology, telehealth, and internet-based therapy.

I've divided the resources into 3 sections:

1) Links to 24 sets of professional guidelines that focus on telepsychology, online counseling, internet-based therapy, etc.

2) Citations for 51 recent (i.e., published in 2013-2015) articles

3) State Psychology Board Telepsychology Laws, Regulations, Policies, & Opinions--This third section was generously compiled by psychologist Kenneth R. Drude, and I am indebted to him for his kind offer to post it on the web page.


The web page is at:

Ken Pope


"...the four sentences that lead to wisdom:
I was wrong. 
I am sorry. 
I don't know. 
I need help."
--Louise Penny in *Bury Your Dead: A Chief Inspector Gamache Novel*

PHI Security: How aware are you?

Almost every week, one of our support techs enters an item into our HIPAA breach log recording the receipt of Protected Health Information (PHI) in an unencrypted email. Usually, it is one patient’s name and identifying information in a screen snapshot. The tech informs the customer of the dangers of sending PHI in an unencrypted manner, tells them to inform their Privacy/Security Officer of the breach, and records the information in our log. They delete the email immediately in order not to expose the PHI.

We are constantly amazed that the customer seems unaware that sending PHI to us by email is a potential breach. All of us have something like the following sentence as part of our email signatures.

REMEMBER: Typical email is not secure. Never include sensitive financial, personal, health, or account credential (eg. password) information in unencrypted email communications!

We are rarely questioned about this.

The recent theft of PHI from Anthem, Inc. brings home just how huge this problem of inadequately protected patient information actually is. Personal data on roughly 80 million insureds was compromised. The attack is believed to be linked to China.

While none of our customers need to worry about being hacked on this scale, many appear not to be worried about improper data release on any scale. Earlier this month, FierceHealthIT indicated that it is incumbent upon provider organizations of all types and sizes to more seriously educate their employees and enforce their policies. Having the policies and procedures without educating employees and enforcing them would likely be considered ‘willful neglect’ by the Office for Civil Rights (OCR), the enforcer of the HIPAA mandates. According to a January 2013 article in the American Bar Association’s Health eSource, “the HIPAA Enforcement Rule defines ‘willful neglect’ as conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 C.F.R. § 160.401.”

It is the ‘reckless indifference’ part that worries me. Our customers are very concerned about their patients. They are serious about confidentiality of their data. But they often demonstrate such lack of concern about the security of that data that I fear it would be considered ‘reckless indifference’ by OCR. It makes me feel no better that a similar casual attitude seems to exist in most of the physician offices I visit.

If the things said in this article and those I have quoted make you vaguely uncomfortable, it is likely time to revisit your own policies and how they are enforced. If what I have written here is totally new information to you, you must educate yourself and your staff and get to work protecting your patients’ PHI. If you and your co-workers are excellent at following your policies, please share with us how you came to be so!

Just enter your comments below.

Behavioral Health Interventions Reduce Cost of Medical Care

FierceHealthIT reported last week that Behavioral Health remote monitoring cuts hospital admissions. While this kind of result has been reported in the past, largely by mental health researchers, it is interesting to see a study performed by an insurer and a telehealth company.

The intervention used was Cognitive Behavioral Therapy; the illness was a significant cardiac event like myocardial infarction; the outcome was significantly reduced days in hospital. The study was published in the AJMC, a managed care journal, and is titled Leveraging Remote Behavioral Health Interventions to Improve Medical Outcomes and Reduce Cost.

We demonstrated that an 8-week remotely delivered behavioral change intervention was associated with cost savings, driven by an adjusted 48% reduction in total inpatient days and a 31% reduction in all-cause hospital admissions in the 6-month follow-up period. These substantial reductions in healthcare utilization and associated cost savings were attributable to the delivery of a high-quality behavioral health program for this high-risk group of patients with cardiovascular disease. This study shows that focused targeting of patients with high-risk clinical conditions, coupled with highly successful engagement strategies, can lead not only to meaningful behavioral health improvements, but also to improved medical outcomes and lower healthcare expenditures.

The interventions were evidence-based, provided according to protocol by skilled therapists. I wonder how many of your organizations have a health psychology focus. Have you considered providing such services to reduce the costs of medical care? Perhaps insurers will begin to look for providers who can contract for such interventions.

What are your thoughts on integrating such interventions into your practice? Please share your comments below.

Identity Theft and Consumer Scams: What you need to know

Our last few posts related to protection of the information entrusted to a behavioral health organization—Protected Health Information (PHI). This is such a big deal for us in the world of healthcare, that we sometimes forget there are other kinds of data we need to be safeguarding—our own and that of our coworkers and clients.

The Federal Trade Commission (FTC) recently launched a new initiative to help protect individuals from consumer scams. Pass It On is the site that focuses on a variety of consumer scams that might affect any of us. The topics include:


Many of us feel we are too sophisticated to be taken by these scams, but you might be surprised when actually confronted with one. And we all have clients, family members and friends who could benefit from this information.

In fact, you can even get copies of the articles and bookmarks to place in your office or waiting room.

So, please do

HIPAA Compliance Part II: Cloud Security and Cyberinsurance

Last week we talked about HIPAA compliance as an ongoing process. Part of the reason that it must be ongoing is that the world changes. We are constantly offered new ways of doing the business part of behavioral health practice, and each of those new methods must be evaluated in light of the privacy and security requirements of HIPAA. For example, I know that many of you have gone to multipurpose copy/print/fax machines. Hopefully, you remember that the hard drives in those machines store most things that you photocopy, print or fax. When you eventually get rid of that machine, you will need to remove and destroy the hard drive in order to be sure the information you have processed does not leave your organization.

Another arena in which many of our customers now find themselves is access to Protected Health Information (PHI) “in the cloud”. Some customers back up their data to some sort of cloud storage. Some of you are using EMRs or eRx tools that are accessed from the Internet. Some of you have for years had practitioners access your billing and clinical record software remotely, connecting by means of a remote control product or something like Windows Terminal Services. All of these activities require that you make sure your processes are HIPAA compliant…and that does not mean that the service provider says they are.

HIPAA requires that data be secured both when it is “at rest” and when it is “in motion” using certain NIST standards. The requirements are pretty technical; interpretation of the rules extends to specific actions that must be taken by the Covered Entity. This generated some interesting discussion on our SOS User Group.

Dr. B posted: When PHI is stored on a website, how should that PHI be accessed? When are those computers considered secure in accessing that information? Obviously, it is not enough to assume that because the website is secure (has secure log in features), it is HIPAA compliant to access that website from any computer, anywhere. So, to what lengths must a business owner [go] when allowing staff to access PHI stored on the internet? How locked down and monitored should staff computers [be]?

I have heard a whole range of responses as to what people believe is necessary.

1. Some let their staff access the web-based PHI from any computer.

2. Some tell their staff to just be sure to clear the browser history, and they’ll be OK.

3. Some believe they are OK just having their staff sign an agreement that they are accessing PHI on a personal computer that is encrypted and has antivirus.

4. Some believe they have to buy computers for the staff and it is the owner’s responsibility to secure and monitor those computers in an ongoing fashion. That is, staff are not allowed to access the web-based PHI from a personal computer.

5. Some believe it is OK to use a type of VPN connection from a personal computer through an app such as “Remote App” because this app gives access to a “virtual server” on the cloud. This app, provided by Microsoft, will only allow the user to access designated websites like the one where the PHI is stored.

Regarding option #3, I have heard from IT experts that “people are stupid” when it comes to understanding computers. So while they may think they have good antivirus and are doing security updates, most are way off base. And if something happens, it falls at the owner’s feet (or wallet), not on the staff person who signed an agreement.

Lastly, I heard from a few IT experts who believe that in the next two years there will be many midsize healthcare companies that get nailed with big fines, and these people will be the unfortunate test cases.

After SOS staff discussion in our HIPAA training meeting, Seth replied: Secure use of cloud resources that involve PHI requires:
  • Encrypted storage at the cloud service provider.
  • Encryption of data being passed back and forth – preferably VPN/Virtual Private Cloud.
  • Secure client end-point.
I think your question is specifically about security at the client side, so let’s now look at the factors there:
  • Hardware and operating system factors
    • Operating system updates
    • Virus and malware protection
    • Encryption of local storage, especially on portable equipment
    • Others using the equipment MUST use a separate log-in. This is a big issue for those working from home.
    • Use short timeouts so that system locks when not being used and when “sleeping”.
    • Chromebooks and Chromeboxes provide all the above automatically and have the advantage of being less expensive (approximately $200 per unit) than similar traditional PCs. The advantage is that the user does not have to do ANYTHING to secure it, beyond using a strong login/encryption password. Any device that requires the user to have some technical know-how and consciously follow certain procedures (like applying updates) regularly is going to be problematic.
  • Access security
    • Serious password policies that don’t permit short, common passwords like ‘password’, ‘abc123’, ‘qwerty’ and the like. Policies for password complexity must be enforced by the systems used.
    • Two-factor authentication is highly desirable and should be used whenever possible.
    • If system permits, implement a whitelist that only permits log-in from computers/devices with registered MAC addresses.
  • WiFi and other local network security issues
    • WPS should be disabled on routers.
    • UPnP (Universal plug and play) should be disabled on routers.
    • WPA-2 security is the minimum acceptable wifi security.
    • Firmware on routers should be kept up to date.
    • If connecting from home, a professional rather than consumer router should be used.
  • Human Factors
    • Train, train, and train some more. Users must be sensitized to the vulnerabilities and to the fact that PHI theft is BIG business. A single PHI record is worth approximately $50 on the black market because of its value in both identity theft and use in filing false claims.
    • Having policies is essential, but to prevent breaches and HIPAA violations, your staff must understand why the policy is there, and the importance of adhering to it.

It is natural to downplay the importance of devices that just ACCESS rather than store PHI, but this recent article explains how even a cellphone, on which data is not actually stored, can result in major problems:

The same day this discussion occurred, I received an invitation to download a white paper through Healthcare Informatics magazine. The 7 Essential Layers of Secure Cloud Computing is a paper produced by ClearData corporation, a company that specializes in security for healthcare organizations. The paper is provided for you with their permission.
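As an added illustration (not code from the user group discussion or from SOS), the client-side checklist in Seth's reply above can be turned into an automated check that runs before a device is allowed to reach web-based PHI. The inventory fields, device records, and numeric thresholds are constructed assumptions; the discussion gives no specific values.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example; the discussion gives no numbers.
MAX_PATCH_AGE_DAYS = 30
MAX_LOCK_TIMEOUT_MIN = 10
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "abc123", "qwerty"}  # the three named in the reply
WIFI_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


@dataclass
class Endpoint:
    """Hypothetical inventory record for one staff device."""
    name: str
    mac: str
    portable: bool
    last_os_update: date
    antimalware: bool
    disk_encrypted: bool
    shared_with_others: bool
    separate_logins: bool
    lock_timeout_min: int  # 0 means the screen never locks
    two_factor: bool
    wifi_security: str
    wps_enabled: bool
    upnp_enabled: bool


def normalize_mac(mac: str) -> str:
    """Compare MAC addresses in one canonical form (lower case, colons)."""
    return mac.strip().lower().replace("-", ":")


def password_allowed(candidate: str) -> bool:
    """Reject short or common passwords where they are set, so the system
    enforces the policy instead of relying on the user."""
    return (len(candidate) >= MIN_PASSWORD_LENGTH
            and candidate.lower() not in COMMON_PASSWORDS)


def evaluate(ep: Endpoint, registered_macs: set, today: date) -> dict:
    """Return blocking findings (must_fix) and advisory ones (should_fix)."""
    must, should = [], []
    if (today - ep.last_os_update).days > MAX_PATCH_AGE_DAYS:
        must.append("os-updates-stale")
    if not ep.antimalware:
        must.append("no-antimalware")
    if not ep.disk_encrypted:
        must.append("portable-disk-unencrypted" if ep.portable
                    else "disk-unencrypted")
    if ep.shared_with_others and not ep.separate_logins:
        must.append("shared-login")
    if ep.lock_timeout_min == 0 or ep.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        must.append("lock-timeout-too-long")
    # MAC addresses can be changed by the device owner, so this check
    # supplements the others and does not replace them.
    if normalize_mac(ep.mac) not in registered_macs:
        must.append("mac-not-registered")
    wifi = ep.wifi_security.lower().replace("-", "")
    if WIFI_RANK.get(wifi, 0) < WIFI_RANK["wpa2"]:
        must.append("wifi-below-wpa2")
    if ep.wps_enabled:
        must.append("wps-enabled")
    if ep.upnp_enabled:
        must.append("upnp-enabled")
    if not ep.two_factor:  # "highly desirable" in the reply, so advisory here
        should.append("no-two-factor")
    return {"allow": not must, "must_fix": must, "should_fix": should}


# Constructed sample data: one managed office device, one shared home laptop.
TODAY = date(2015, 9, 1)
REGISTERED_MACS = {"02:00:00:aa:bb:01"}
OFFICE = Endpoint(
    name="office-chromebook", mac="02-00-00-AA-BB-01", portable=True,
    last_os_update=date(2015, 8, 25), antimalware=True, disk_encrypted=True,
    shared_with_others=False, separate_logins=True, lock_timeout_min=5,
    two_factor=True, wifi_security="WPA-2", wps_enabled=False,
    upnp_enabled=False)
HOME = Endpoint(
    name="home-laptop", mac="02:00:00:aa:bb:99", portable=True,
    last_os_update=date(2015, 5, 1), antimalware=True, disk_encrypted=False,
    shared_with_others=True, separate_logins=False, lock_timeout_min=0,
    two_factor=False, wifi_security="WEP", wps_enabled=True,
    upnp_enabled=False)

if __name__ == "__main__":
    for ep in (OFFICE, HOME):
        print(ep.name, evaluate(ep, REGISTERED_MACS, TODAY))
```

A check like this also produces a dated record each time it runs, which fits the point made elsewhere on this page that compliance has to be documented on an ongoing basis.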

The final element of this HIPAA discussion related to cyber insurance. Dr. K, who is seeking outside assistance on developing and implementing his HIPAA plan, was asked whether his group carries cyber-insurance.

Dr. K: Anybody heard of “cyber insurance”? According to the organization consulting with us, it is a policy that helps cover costs in the event of a breach. It’s inexpensive and worth considering.


Dr. B: Definitely. I recall that we have a rider on our policy, but I need to double check that.

Dr. G: Would we need cyber insurance if we do not have internet in our office?

Seth responded: If you are an SOS customer, you obviously store and manage PHI in electronic form. Unless you are scrupulous about encrypting and otherwise safeguarding that data, then conceivably you could suffer a significant breach. Let’s say that the machine on which you store your SOS database is not encrypted and were to be stolen. Are you prepared to handle the fines, notification of patients, purchase of identity theft insurance for your patients, etc? Would you feel more comfortable if you had some insurance to help you with those costs?

Whether you NEED it or not is a call only you can make.

And that, my friends, is the bottom line when it comes to HIPAA privacy and security requirements. The law requires a great deal. The requirements are scalable based on the size of your organization. Only you can determine what is enough for your organization to do, keeping in mind that even small behavioral health organizations have begun to be fined for irresponsible handling of their security and privacy responsibilities that resulted in a breach. Can your organization survive the repercussions of a PHI breach? How are you handling these issues?

HIPAA Compliance: How are you managing privacy and security?

In the past week, there has been a bit of a discussion on our User Group about really complying with HIPAA in a mid-sized to large behavioral health practice. It also applies to small organizations. This is Part I of that discussion.

The fact that the HIPAA privacy requirements were implemented in 2003 does not mean that most mental health organizations—or most medical practices, for that matter—actually do a good job with their compliance. Since the HiTech Act added security requirements including a Risk Assessment almost six years ago, many organizations are not compliant. Somehow, people in both the private and public sectors seem to forget that HIPAA compliance is an ongoing discipline, not a one-time act.

The discussion participant who is co-owner of a mid-sized practice (Mr. Z) is interested in doing the compliance plan himself, but he has concerns about having time to monitor ongoing implementation of the plan. His colleague (Dr. K), who is owner of a quite large practice, has decided that their situation is becoming too complex to handle on their own. They will be hiring an organization that is expert in doing Risk Assessments and developing HIPAA Compliance Plans, and that will help them stay on track in their implementation of the plan over time. Seth and Kathy are SOS owners.

Here is part of the exchange:

Mr. Z: I have found time to dig into the HIPAA challenge aggressively. I am aware there is a difference between a HIPAA Security Evaluation and a Risk Analysis. I am also using the Security Risk Assessment Tool found at for my security evaluation. I need to be re-pointed to a good format for a risk analysis tool. Can someone point me to a risk analysis tool they have been using?

The Security Risk Assessment Tool is the risk analysis tool. As you work through each item, the relevant ones will display two items for you to rate likelihood and impact, which together indicate the “risk”. For example, the likelihood of a stolen unencrypted laptop may be low, but the impact would be huge, so it demands attention and correction. The public mention of a patient name might have a much lower impact, but a much higher likelihood, so it too should be addressed through policies and staff education. In working through the tool, the two ratings taken together provide a ranking that helps you decide which threats are highest priority.

Bottom line is that this tool should provide sufficient structure to get the job done, I think. Is there some ground that is not covered by the Security Risk Assessment Tool?

For those who are not aware of this resource, please visit:

and watch the associated video:

 I am going to express an opinion, Mr. Z. It is aimed at helping you and other user group members evaluate some of what you read about HIPAA compliance.

The article that you mentioned [in another part of his message] is written by a company that specializes in providing risk analyses for a price. They are specialists in this arena, understanding the differences between privacy and security as defined by HIPAA and the HiTech Act. The other articles and elucidations available on their web site are aimed at helping you understand how much they know and that they are truly expert in their field. It is highly likely that they are.

The question is, do you need their level of expertise? Do you have the time and are you able to sort through the many articles and checklists out there? Do you understand enough about technical security to assure that your computer systems meet standards? When you start reading about this stuff, do you get curious and interested or just want to run and hide?

The HHS tool for risk assessment is aimed at small to mid-sized organizations whose situation is not so complicated that outside expertise is required. If that describes your organization, then do use the HHS tool as a starting place for your own assessment. Just be careful about considering it exhaustive; it is not likely to be that.

It is never going to remind you that you provide group psychotherapy and that groups present inherent security and privacy risks that you should address in your plan. For example, you probably have a written agreement that each group member signs about maintaining the privacy of other group participants. That should be included in your assessment as a source of risk and you should include your agreement in your plan. If you limit name use in group to first names, you need procedures to guarantee that. Your staff need written policies and procedures that they follow to maintain the privacy of those group members. If your staff utilize paper files and have a stack of those records in the group session (or on their desks), how do they protect the privacy of the members? What security methods are used to protect those records? Is there at least a lock on their office doors, and do those locks get used? How easy is it for a group member heading to the restroom to stick their head into that office?

This is the kind of thing that a well-qualified HIPAA security/privacy professional would ask you as they interview you about your practice. They would look at as many possible sources of risk as they can find and then help you address them in your plan. This is what you pay someone to do. Are you comfortable doing this yourself? Even if outside expertise is not required to get you to a plan, you might decide that you want to purchase it anyway. It may be that using an outside source to do your risk assessment and point you toward the policies you need to develop would be a wonderful help to you. Or, it may not.

I think a helpful attitude to take when beginning a risk assessment is to be as open as possible to information and observations…and don’t expect to find everything yourself. Each of your staff members and employees has certain sets of responsibilities and interactions with PHI. Once you have done an overview for the organization, you need to sit with different employees (all if possible) in small groups and get their input about how they handle PHI. They will have perspectives you cannot even imagine! Their observations will be invaluable to you in developing your plan.

As you read and research, just remember the source of the material. It is not essential for everyone to hire professionals to do their risk assessment and security plan for them. Don’t be too heavily swayed by such professionals who disparage the home-grown assessment and plan. If the materials are too simplistic for your organization, you may need consultation. On the other hand, if the materials provided seem complicated beyond what you can decipher and you are in danger of using that as an excuse not to develop a plan, it is time for you to get assistance on HIPAA compliance.

Dr. K wrote in part: …But if you run almost any size group, the more I find out about the complexities of remaining compliant (Geez, I had not even thought about the specialized group therapy HIPAA issues), the more I know I need specialized assistance and cannot possibly create what is needed on my own, and more importantly, continue to monitor compliance in all offices and with all staff as we grow…..

At a certain point, larger practices will have to do some outsourcing, hire a compliance officer, or designate a staff member to put a significant portion of their time into getting trained and implementing the systems needed to get closer and closer to compliance.

I want to point out, however, that no matter how much you try to outsource, there still will be much more internal work and training than you imagine to achieve compliance. It is like psychotherapy, in a way. You can counsel a patient about how s/he can make meaningful changes, but then it is up to the patient to put in the work when they leave your office. If no work is done outside the office, no substantial change will occur. Just as this patient can end up dropping many thousands of dollars on therapy and end up with no benefit, so can you if you think for one second that you can hire someone to take HIPAA compliance off your hands. That is not the way it works. You will be “prescribed” policies and procedures, and you and your staff must learn them, follow them, and document your compliance.

Auditors say that having policies and procedures that you don’t follow is little better than not having them at all. You are going to end up with compliance logs of various types. If there are not regular entries in those logs (made by YOU and/or YOUR STAFF, not by some hired gun) then you are not making a good faith effort toward compliance. These experts can create a list of stuff that you should be doing, and make suggestions about how to get the tasks done, but most cannot be done for you.

The larger you are, of course, the more risk and the more potential points of failure you have. I don’t envy either of you, but I offer this advice: get references and follow up on them before signing a contract. It is one thing to know the HIPAA regulations; it is quite another to be the kind of person who can motivate a group of psych folks to change their attitudes and behavior!

Another analogy occurs to me — weight loss. You all know how easy it is to write up a plan to change eating and exercise behavior, how hard it is to motivate yourself or your patients to follow through, and how much harder still it is to keep the changed behavior going month after month, and year after year.

Reading this exchange reminded me that it might be time to re-share some of the links to important information about HIPAA and HiTech.

You can go to the HHS website and search for HIPAA. The Office for Civil Rights is the official enforcer for HIPAA. Many professional organizations have materials available to their members. A quick Google search for ‘hipaa risk assessment tools apa’ produced a good deal of information. Over the course of the past several years we have posted on this topic regularly. Take a look at our articles from October 17, 2008 through December 10, 2014.

And most important of all, once you have done your reading…take action. If you have not done a Risk Assessment and do not have a Privacy Policy and Security Plan that you use and review regularly, no matter how small you are, you are not compliant with HIPAA. If you have a plan but have not reviewed it recently, now is the time to do so! This just might come back to bite you at some time if something you do not expect occurs.

Please share your thoughts and experiences below…and be sure to read Part II next week.


Enjoy your holiday now . . . not when you get there!

I just wanted to quickly wish everyone a very happy holiday season. To those of you who have already been celebrating Hanukkah, sorry I missed extending a greeting. Same goes for you Solstice observers. Let the light shine!

To you Christmas celebrants, Merry Christmas….and Happy Kwanzaa to all of you who mark that holiday. This year, I took note of the winter Solstice, and my husband stated his desire to get out the Festivus pole.

The most important message I wanted to share with you is that I hope you will stop for a moment, take a deep breath, and enjoy just where you are right now. Your holidays consist of the whole experience inside you and around you, not just when you arrive at your family home and dive into the celebration. Lots has been written about Mindfulness and the manner in which it can add to our happiness. Perhaps you can use some of what you already know about mindfully experiencing this moment, and in doing so experience what your particular holiday is all about.

We wish for you a happy, healthy and prosperous 2015. But mostly, we wish for you to have awareness of as many of the moments of the end of this year and of the new one to come as you possibly may. And may they all be happy ones.

Email Overload: How to avoid email bankruptcy

Have you ever looked at the number of emails in your inbox and been tempted to just delete all of the old ones and start out fresh? Most employers would not appreciate this method of gaining control. There might be very important information in those emails. Even so, some folks would like to declare bankruptcy (email bankruptcy, that is) and just start over.

Every time I go away or even just take a couple of days off, I am amazed by the number of emails in my Inbox. I have used some of the suggestions I have read over the years, but still fall behind. I am not well-disciplined when it comes to following these simple ideas.

Here are a few suggestions taken from a couple of articles on this subject.

  1. Learn enough about the email application you use so that you can implement these ideas. If you just continue to do things as you have been doing them, nothing is likely to change. If you learn how your technology can help, you will likely be able to manage better. Gmail, Outlook, and Yahoo! Mail all have tools you can use.
  2. Filter your email into different folders, or at least use different tags or labels. In Gmail, Google allows you to create multiple inboxes as well as an unlimited number of labels. I use things like ‘Blog ideas’, ‘CMS’, ‘HIPAA’, etc. I have hundreds of labels. The labels themselves are useless unless I also create filters to automatically tag each email that comes in with its appropriate label. In Gmail, the steps are simple. With an email open, click on the ‘More’ button and select ‘Filter messages like these.’ Walk through creating the rule for filtering these emails based on who they are from or words in the subject or in the email itself. You can even have things like newsletters that you receive daily skip your inbox altogether and go directly into their own folder waiting to be read when you have a few minutes.
  3. Limit how often you check email to once or twice, or maybe three times a day. Unless most of your business and work is connected to your email, do not keep it open all day. Limit the time you spend on email and work quickly through what you receive.
  4. Decide what you are going to do with each email you read and take that action. Reply, archive, delete, save in a folder. If you use GQueues as a task manager, you can even create a task and add it to your ToDo list directly from the email. Take a look at this video featuring Merlin Mann to get a good idea about how to implement these techniques.
  5. Sit down and start, but don’t expect yourself to clean out the Inbox all at once. Decide what your plan is and start to implement it. Then do a bit more each day.

Now that I have written these ideas down for you, I am motivated again to get my email cleaned up. The laptop will come home with me tonight so I can start the process of clearing my inbox. Who knows, maybe I will even delete some of those very old newsletters or headlines that could not possibly be of use to me ever again!

Do you have a system for managing email that works for you? Please share your ideas and comments below.




Mental Health Organizations Not Immune from HIPAA Fines

One of the most recent large HIPAA fines was placed upon a behavioral health organization just this month—Anchorage Community Mental Health Services.

BULLETIN: HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software

Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.

The problem: the organization reported a breach that affected over 2700 individuals. They had completed a risk assessment and developed policies in 2005; they had done almost nothing else since then.

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

I read this and started wondering how many of our customers might be in the same boat. They went through the motions of taking a course on HIPAA security and privacy, adopted some sample policies that the trainer shared, and put it all in a file cabinet. You might be surprised to hear this, but that is not HIPAA compliance.

If some nightmare occurs, you experience a data breach and have to report to OCR, will they find the same thing in your organization? Are you still using unsupported software that is no longer updated for security by the manufacturer (like Windows XP)? Have you provided training on your policies and procedures to that new receptionist you hired? If you are a staff person reading this article, have you been trained on your organization’s HIPAA policies and procedures? Do you know what PHI is and what the consequences can be if that information is seen by someone else without their permission?

If you would like to share some of the things you and your organization have done to make sure that the information with which your clients have entrusted you is secure, please do so below. If you know you have not done enough, please read about doing a Security Risk Assessment and start remediating your situation. I cannot tell you how much we would hate to lose a customer who had to close up shop because of a large fine they could not pay. I know it could never happen to you. . .but just in case. . . .


Online Dating: Positive or negative for your behavioral health clients

I have friends who have met and married their spouses through online dating. You probably do too. The PewResearch Internet Project reports that

. . . one in ten Americans have used an online dating site or mobile dating app themselves, and many people now know someone else who uses online dating or who has found a spouse or long-term partner via online dating.

In fact, Christian Rudder, the co-founder of OkCupid, a popular online dating site, wrote about the data his site gathered on people who are registered there. All of the data reported in his book, Dataclysm: Who we are (When We Think No One’s Looking), is anonymous and aggregated, so there is no data that can be identified as specific to any given individual. Rudder believes that online activity is changing how we behave, how we see ourselves…maybe even who we are.

So when I got an email this morning from Addiction Professional Magazine offering a free webinar entitled Falling in Love Through Technology: The Risks of Online Dating taught by Lori Jean Glass, Program Director at Five Sisters Ranch, I was intrigued. After all, it is certain that behavioral health clients are among the 10% of U.S. adults who are using online dating sites. This webinar is aimed at mental health and addiction professionals and will be held on Wednesday, December 17, 2014.

Learning Objectives

  • Discuss why online dating / relationship seeking may or may not be suited for their attachment style.
  • Assess how addictive personalities can ignite relapse with drugs and alcohol with on-line relationship hunting.
  • Recommend appropriate intervening tools for addictive online relationship challenges.

What do you think about online dating and relationships, for yourself or for your clients? Do you think there is risk involved? I hope some of you will register for the webinar and share your thoughts here.

Please enter your comments below.

Sharing Your Personal Health Data

A few weeks ago, I wrote about your personal health data and how much control you would like to have over it. I have been thinking about this question more recently.

This week, I attended a SATVA meeting during which we discussed our own responsibilities toward security and privacy of behavioral health patient data as software vendors. We also talked about the move of some of our customers toward using mobile Apps as treatment aids for their patients.

On November 6, 2014, FierceHealthIt newsletter published an article entitled Making the case for personal health data sharing. In it the author discussed what some people see as our “responsibility to help advance medicine by sharing our health data.” This article focuses on the value to the healthcare system and to public health of sharing de-identified healthcare data. The claim is that the compilation and analysis of all that data will enable the development of more effective ways of providing treatment, of evidence-based practices, and of improved care for everyone.

An article by Beth Seidenberg, M.D. in Wired magazine on 11/6/2014 argues strongly that we all ought to allow our data to be shared. You Should Share Your Health Data: Its Value Outweighs the Privacy Risk argues from the perspectives of public health, patients, providers, and entrepreneurs that sharing health data is crucial. “The author, Beth Seidenberg, M.D., is a general partner with Kleiner Perkins Caufield & Byers (@KPCB), focused on life science and digital health investing. Before joining the firm in 2005, she worked at a number of pharmaceutical businesses, most recently as chief medical officer at Amgen.” This author is a medical professional who has mostly worked on the entrepreneurial side of medicine rather than the patient care side.

My partner is a tech professional, a tech hobbyist and fitness buff. Several months ago, he purchased one of those personal fitness tracking devices which he wears all the time. I asked him recently what happens to the data his device gathers every day. He pulls the data off the device and into the App each morning. Garmin’s privacy policy says that they do not share the data, but he can share it with other Garmin users. There is currently no way for him to bring the data into HealthVault or send it to his physician. It is likely that HIPAA does not cover these devices.

In my opinion, we are currently in a time of rapid transition with few guidelines and safeguards. Those of you who are governed by HIPAA have certain constraints upon the data you gather from patients. If you are using an electronic medical record and if you have applied for stimulus funds to purchase that software, you will at some time be required to report certain de-identified data to the Centers for Disease Control or some other such body. You will be required by the law to make sure that data is private and secure, even as you report it.

But what about others who do not have such requirements? What about the Apples and the Microsofts and the Googles and all of the small vendors who collect a variety of health data? Do you want them to have your data? What do you want them to be allowed to do with it?

Please share your thoughts and comments below.