HealthITSecurity.com

HealthITSecurity.com http://healthitsecurity.com HealthIT security news and selection information Fri, 17 May 2013 16:41:57 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Community Health sends patients data breach notifications http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/ http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/#comments Fri, 17 May 2013 16:41:57 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8296 more »]]> After learning of a former employee stealing patient identities, Community Health Med-check in Speedway, Ind. has notified about 180 patients that their data may have been compromised.

WISH TV in Indiana reports that the employee (who no longer works at Community but it’s unknown if they were fired) was able to gain access to the EHRs of up to 180 people from mid-March to mid-April. But Jean Putnam, Vice President at Community Health Network, which has about 1,200 employees, believes only about 10 patients were affected. The data in EHRs that was inappropriately accessed included Social Security numbers, dates of birth or credit card numbers.

Though the report says that Community Health sent letters to affected patients alerting them to the crime, there isn’t an exact timeline of when it learned of the breach and the time it took to alert patients. WISH TV did speak to a patient who said there was about a month-long delay between the breach and when he received his letter. Charges against the former employee have yet to be filed and there wasn’t any talk of Community offering credit report or identity monitoring.

And while Community Health says that it was a first-time incident and it will better protect patient data going forward, the way the employee was able to gain entry into these EHRs should be a bit scary for patients. Since Community didn’t say anything about technical safeguards, the assumption can be made that there were none in place. This looks to be a relatively large network and one would think decision-makers have seen all of the health data breaches over the past few years.

]]> http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/feed/ 0 Health IT security vendor news: May 17 http://healthitsecurity.com/2013/05/17/health-it-security-vendor-news-may-17/ http://healthitsecurity.com/2013/05/17/health-it-security-vendor-news-may-17/#comments Fri, 17 May 2013 15:39:24 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8293 more »]]> Health IT security vendor news for the week of May 13-17

TigerText and AirWatch partner to offer healthcare mobile security solution: TigerText, the leader in secure, real-time messaging for health care and enterprise and AirWatch, the global leader and innovator in mobile device security and the largest Enterprise Mobility Management (EMM) provider, today announced a partnership to offer a solution that allows health care organizations to secure their mobile platform and all text message and email communications. The solution has been chosen by Community Hospice of Texas, giving them the ability to securely send messages, images and files within the TigerTextPRO application, fully integrated with AirWatch’s EMM platform.

Imprivata and Dell Wyse to discuss healthcare desktop virtualization, Single Sign-On: Imprivata, a leading global provider of healthcare IT security solutions, will participate in a speaking session titled “Improving patient care with desktop virtualization and SSO” during Citrix Synergy™ (May 22-24, 2013 at the Anaheim Convention Center in Anaheim, Calif.). Imprivata will join Dell Wyse, an Imprivata technology partner, and Franciscan Missionaries of Our Lady Health System, an Imprivata customer, to discuss how single sign-on (SSO) and desktop virtualization can help optimize workflows and enable fast, secure access to clinical systems and patient information.

App locks down doc communications: With developing a HIPAA-compliant messaging system for physicians on the top of many an agenda, a new partnership between two mHealth companies is gaining notice. Announced at last week’s American Telemedicine Association meeting in Austin, Texas, Medweb and DocbookMD have unveiled Docbook Gateway, a mobile application designed to enable clinicians to communicate and share labs, images and reports via mobile device with other clinicians.

ManageEngine adds auditing capabilities to Exchange Reporter Plus: ManageEngine, the real-time IT management company, today announced it has added change auditing and mailbox access monitoring to Exchange Reporter Plus, its Exchange server reporting software. Now, Exchange Reporter Plus can report and alert on critical Exchange events that carry security or compliance implications. In turn, organizations can use Exchange Reporter Plus to implement or enhance an email security and compliance program that easily demonstrates regulatory compliance and prevents data leaks.

MediSwipe Inc. announces cloud HIPAA-compliant digital ID: MediSwipe Inc., a data management solutions company for the medicinal marijuana and health care industry, today announced that the Company has launched the first HIPAA compliant toll free number and faxing application that will allow medical marijuana patients and their caregivers/dispensaries to send state certification forms and selected medical records to a cloud based data storage platform within the MediSwipe DMS application.

VisualShare selects ClearDATA HIPAA-compliant cloud platform: ClearDATA, the leading healthcare cloud computing platform and service provider, today announced that VisualShare, an imaging informatics company and leading provider of image exchange, management and collaboration solutions, has selected the ClearDATA HealthDATA Cloud Computing Platform for HIPAA compliant hosting of its line of VisualStrata Healthcare Information Technology Solutions. ClearDATA will host both the image management software and corresponding medical images.

]]> http://healthitsecurity.com/2013/05/17/health-it-security-vendor-news-may-17/feed/ 0 OCR to offer free HIPAA omnibus webinars this summer http://healthitsecurity.com/2013/05/17/ocr-to-offer-free-hipaa-omnibus-webinars-this-summer/ http://healthitsecurity.com/2013/05/17/ocr-to-offer-free-hipaa-omnibus-webinars-this-summer/#comments Fri, 17 May 2013 14:05:13 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8285 more »]]> To help prepared HIPAA covered entities for the new omnibus rule coming into effect on Sept. 23, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has planned four free HIPAA omnibus webinars between June 14 and July 26.

OCR plans on discussing privacy, security, breach notification and enforcement rule modifications and the Genetic Information Nondiscrimination Act. OCR has worked with Workgroup for Electronic Data Interchange (WEDI) to prepare the 90-minute webinars (all from 1 p.m. to 2:30 p.m. EST), which are targeted to small clinical practices looking to learn more about HIPAA omnibus compliance. After either logging into your WEDI account or creating one, you can register here for the webinars. Topics include:

- Individual Rights
- Uses and Disclosures for Fundraising
and Marketing
- Prohibited Disclosures
- Breach Notification
- Enforcement
- Updates from the OCR Audit Program
- Business Associate Liability

The June 14 webinar will go through an overview of the new HIPAA rules and the June 28 edition will tackle the privacy rule. Then the July 17 webinar will explain the nuances of the breach notification and enforcement rules and the final webinar, on July 26, will cover business associate (BA). Dial-in instructions will be sent to registrants the day before each of the webinars. The rule was published on January 25 and these webinars are part of HHS’s promise for further instruction.

]]> http://healthitsecurity.com/2013/05/17/ocr-to-offer-free-hipaa-omnibus-webinars-this-summer/feed/ 0 HL7 Integration: From Trial and Error to Predictable Project Outcomes and Margins http://healthitsecurity.com/2013/05/17/hl7-integration-from-trial-and-error-to-predictable-project-outcomes-and-margins/ http://healthitsecurity.com/2013/05/17/hl7-integration-from-trial-and-error-to-predictable-project-outcomes-and-margins/#comments Fri, 17 May 2013 13:25:14 +0000 Sean Brooks http://healthitsecurity.com/?p=8283 more »]]> The costs and risks associated with the entire interfacing lifecycle are no longer acceptable in a world that requires fast turnarounds and go-live dates. Those implementing HL7 interfaces can tap into new – and proven – best practices for more effective scoping and overall project success.

Download the HL7 Interface Lifecycle Management white paper

]]> http://healthitsecurity.com/2013/05/17/hl7-integration-from-trial-and-error-to-predictable-project-outcomes-and-margins/feed/ 0 Rethinking HL7 Integration: Start with the Gaps http://healthitsecurity.com/2013/05/17/rethinking-hl7-integration-start-with-the-gaps/ http://healthitsecurity.com/2013/05/17/rethinking-hl7-integration-start-with-the-gaps/#comments Fri, 17 May 2013 13:20:50 +0000 Sean Brooks http://healthitsecurity.com/?p=8281 more »]]> With integration taking on a critical role due to Meaningful Use and related initiatives, hospital CIOs are seeking ways to cost-effectively build out the HL7 interfacing that underpins integration projects.

Download Rethinking HL7 Integration: Start with the Gaps

]]> http://healthitsecurity.com/2013/05/17/rethinking-hl7-integration-start-with-the-gaps/feed/ 0 Options for adolescent PHR privacy and security http://healthitsecurity.com/2013/05/16/options-for-adolescent-phr-privacy-and-security/ http://healthitsecurity.com/2013/05/16/options-for-adolescent-phr-privacy-and-security/#comments Thu, 16 May 2013 18:33:02 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8276 more »]]> In a recent guest post on John Halamka’s blog, Fabienne Bourgeois, MD, of Children’s Hospital Boston analyzed some privacy concerns and roadblocks for adolescent personal health record (PHR) interactions while detailing Children’s approach to patient portals. The subject of patient privacy and confidentiality with adolescent PHRs is an interesting one. Back in November 2012, the American Academy of Pediatrics (AAP) questioned the consent capabilities of current EHRs and said there needs to be standards in place that allow these patients to make decisions regarding who has access to their data. This complicated by the fact that patients have shared responsibility of the record with their parents or guardians.

Bourgeois spoke to this topic in the blog post, explaining that “protecting the adolescent’s legal right to privacy and confidentiality within this hyprid/proxy-control model” can be difficult. By nature, EHRs contain the sensitive data such as sexually-transmitted infections (STI), substance abuse or mental health information that healthcare organization promise to protect.

Children’s has created a custom patient portal for adolescent patients to access their PHRs that divides levels of access to the portal. The parent and patient have separate accounts that are linked, but not until the adolescent patient turns 13 (the maturity tipping point, according to Children’s) are they able to access the portal. And at 18, the parent’s account is usually deactivated and the portal access is limited to only the patient.

The organization also spent a good amount of time deciding what type of patient data would go into the portal and how it would be tagged. The sensitive data listed above currently goes through both the parent and patient’s accounts but Bourgeois said that in the future, regardless of age, only the patient would be able to view that data. This type of segmentation is likely what the AAP was referring to in their letter in November, but there doesn’t seem to be a consensus at the moment as to the technical and policy standards that organizations would follow with adolescent PHRs. Bourgeois did also offer a few alternative ideas for differentiating access to these portals.

Shared access for patient and parent, but filtering of sensitive information – One could then choose the age at which patients would gain access without worrying about the parent seeing sensitive information at any age. This makes the age at which the patient obtains access, whether it is 10 or 13 years, less important. Unfortunately, this option restricts adolescent access to confidential information and creates a fragmented and incomplete record.

Adolescent access only – This is trickier, because choosing the appropriate age when parental access is discontinued is difficult and may vary depending on patient characteristics. Many practices choose 12 or 13 years. However, if sensitive information is not being filtered, you may very well have the occasional 11-year-old with an STI. Also, some parents object to being cut off from their child’s medical information and many play an important role in supporting their adolescent children and guiding them through healthcare decisions.

]]> http://healthitsecurity.com/2013/05/16/options-for-adolescent-phr-privacy-and-security/feed/ 0 LSU Health alerts patients of exposed billing data http://healthitsecurity.com/2013/05/16/lsu-health-alerts-patients-of-exposed-billing-data/ http://healthitsecurity.com/2013/05/16/lsu-health-alerts-patients-of-exposed-billing-data/#comments Thu, 16 May 2013 16:39:51 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8272 more »]]> Following problems with patient privacy back in January at Louisiana State University LSU Health Sciences Center (LSUHSC) that involved exposed protected health information (PHI), LSUHSC-Shreveport Vice Chancellor Hugh Mighty said that patient privacy policies will be reviewed and revised by June. Perhaps that wasn’t soon enough, as of 8,330 LSU Health patients’ data was compromised because of a billing database error where the wrong data was put in a computer entry field.

LSU Health alerted patients of the breach on Wednesday that their billing statements contained wrong billing information, but didn’t include Social Security numbers, birth dates or financial account numbers. According to ksla.com, a LSU Health contractor, Siemens Healthcare, prints and mails LSU Health doctors’ bills and a single mistype in the computer field led to a patient’s name and treatment information becoming misaligned with another patient’s mailing address. Because of the incorrect rows, 8,330 patients received inaccurate billing data and LSU told them to destroy the incorrect statements within their notification letter.

While LSU said that the problem has been resolved, this is also the organization’s second issue with patient privacy rights since January. What they’re doing to address the problem would be helpful for patients and the public in general.

]]> http://healthitsecurity.com/2013/05/16/lsu-health-alerts-patients-of-exposed-billing-data/feed/ 0 DENT Neurologic Institute informs patients of data breach http://healthitsecurity.com/2013/05/16/dent-neurologic-institute-informs-patients-of-data-breach/ http://healthitsecurity.com/2013/05/16/dent-neurologic-institute-informs-patients-of-data-breach/#comments Thu, 16 May 2013 13:48:05 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8267 more »]]> While human error is unavoidable from time to time, what healthcare organizations do to minimize the impact of those mistakes with health data goes under the microscope when breaches occur. DENT Neurologic Institute of Amherst, NY recently experienced a data breach and hasn’t explained whaat (if any) email technical safeguards it had in place at the time, or how it plans on preventing this type of incident in the future.

A DENT office clerk inadvertently emailed 200 people an attachment with personal information of 10,200 patients. Because the organization had exposed that data without technical safeguards, it had to alert each of those patients to explain the data breach. The attachment contained information such as name, address, whether they were an active or former patient, last appointment, visit type, primary care physician, referring physician and email address. DENT called those 200 mistaken recipients on Monday night and asked them to erase the Excel spreadsheet that held the data and followed that with the letter to the 10,000 patients.

Though the data didn’t include medical conditions, birth dates or Social Security number, as PHIPrivacy.net said, it’s hard to argue that publicizing patients’ Neurologic appointments is a good thing for them.

Additionally, the Buffalo News reports that DENT had to deal with a similar breach recently, when instead of mailing letters to only Catholic Medical Partners physicians, it sent letters to all of the organization’s patients. DNI self-reported the incident to the New York Department of Health.

DENT released this statement in a press release Tuesday, according to WGRZ.com:

“We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners,” Fritz said. “Patient confidentiality is extremely important in our field and we take it very seriously and we will review how this accident happened so we can steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”

]]> http://healthitsecurity.com/2013/05/16/dent-neurologic-institute-informs-patients-of-data-breach/feed/ 0 Boston Public Health responds to patient privacy questions http://healthitsecurity.com/2013/05/15/boston-public-health-responds-to-patient-privacy-questions/ http://healthitsecurity.com/2013/05/15/boston-public-health-responds-to-patient-privacy-questions/#comments Wed, 15 May 2013 17:27:49 +0000 Patrick Ouellette http://healthitsecurity.com/?p=8250 more »]]> Pitting public health and well-being against patient confidentiality is nothing new in the healthcare industry and won’t die down anytime soon, but the ongoing debate has been magnified of late in Boston.

The Boston Public Health Commission recently received criticism from local Boston public unions for sending letters to 13 area hospitals and 25 health clinics shortly after the Boston Marathon bombings seeking the patient data from the organizations. The letters raised questions of whether the commission considered patient privacy rights and how HIPAA factors into the situation given the special circumstances regarding Boston’s bombing victims.

The commission asked that hospitals give up names, birthdays, addresses, cellphone numbers, chief complaint and diagnoses of victims while citing this information as the only way to provide the victims Boston’s city services. Boston police, fire and EMS unions, according to the Boston Herald, are saying that the Boston Public Health Commission has taken advantage of the unusual conditions to inappropriately access medical information about those who sought “primary care and other outpatient” assistance.

However, as usual, there are two sides to every story and Nick Martin, Director of Communications at the Boston Public Health Commission, told HealthITSecurity.com that while it may have looked like the commission was seeking the information without good reason, that couldn’t be further from the truth. Martin maintained that the Health Commission is actually compliant with HIPAA in sending the requests and is using the data solely to improve patient care.

The commission had heard one-off questions from patients about the services being provided, so it decided to do ask for the information to better serve patients as a whole. It approached hospitals in the immediate aftermath of the marathon bombings to get patient contact information for people that were injured to gather data for specific support.

Traditional healthcare providers may not necessarily know about some of the wraparound services and resources that Boston is offering and the commission sees itself as a conduit for those companies offering the services and patients. Martin doesn’t believe that it would be the healthcare provider’s role to link survivors with the various resources that are being set up for them.

One example would be people who have experienced various serious physical injuries, amputation in some cases. If you live on a third-floor walkup [apartment] but you’re now in a wheelchair or crutches, you have some serious housing needs that you need to address and we want to make that process as easy as possible. We’ve been in touch with companies that are willing to help people renovate their homes or aid them in finding temporary housing. That’s a resource that your doctor’s office may not know about, but we know about and want to make families aware of. Another example is if we hadn’t been able to keep in touch with the families, we wouldn’t know that a lot of them were seeking a private support group of families involved. We need the data to be able to do that and the help getting it from their providers.

HIPAA special exceptions and talks with HHS

Martin also cited the HIPAA exception for public health agencies to have access to data like this in the event of emergencies. HIPAA’s public health exception states that a covered entity may disclose PHI without specific, individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .” Public health authorities include local health departments, such as the Boston Public Health Commission.

This is certainly an unprecedented emergency and our focus is on providing the best support possible for the victims and their families. We considered [the HIPAA rules] internally and our legal counsel signed off on it and felt it was appropriate we get that data. Now we’ve now gone to U.S. Department of Health and Human Services (HHS) and asked them for their guidance. It’s ongoing communication, but [Boston Public Health Commission] Executive Director Barbara Ferrer happened to be in a meeting with Howard K. Koh, Assistant Secretary for Health for HHS, recently and she raised the patient privacy concern with them.

While patient and first responder concerns are understandable, the Boston Public Health Commission does have the HIPAA exception and HHS support behind it and their use of the data seems to be benign. And it’s not as though the commission was taking the data with force. It was just a request that we sent; if they decided that they weren’t comfortable with providing that or wanted to run it by their legal team, they’re welcome to do that,” said Martin. “There was no repercussion for not sharing the data with us.”

]]> http://healthitsecurity.com/2013/05/15/boston-public-health-responds-to-patient-privacy-questions/feed/ 0 More details from Presbyterian Anesthesia Associates breach http://healthitsecurity.com/2013/05/15/more-details-from-presbyterian-anesthesia-associates-breach/ http://healthitsecurity.com/2013/05/15/more-details-from-presbyterian-anesthesia-associates-breach/#comments Wed, 15 May 2013 15:27:45 +0000 Kyle Murphy, PhD http://healthitsecurity.com/?p=8247 more »]]> Pursuant to a law in North Carolina, the Identity Theft Protection Act of 2005, businesses or government agencies are required to report details about security breaches to the state’s Attorney General’s Office. Editors from HealthITSecurity.com have acquired a copy of the North Carolina Security Breach Reporting Form submitted by Presbyterian Anesthesia Associates, which provides further information about the breach.

The security breach was discovered on April 18 and reported to the NC Attorney on May 8. Of the 9,988 estimated individuals affected by the breach, an estimated 9,000 are state residents. As noted in the initial coverage of the breach, a security flaw enabled a hacker to access the names, contact, dates of birth, and credit card numbers of these individuals.

As the Security Breach Reporting Form reveals, the breach occurred on a server used by E-Dreamz, Inc., the Charlotte-based company hired by Presbyterian Anesthesia Associates to operate and maintain its e-commerce service. The medical practice has subsequently switched to a new service provider in the wake of the incidence.

The description of the data breaches says that an “unauthorized person gained access to E-Dreamz’s server via a software vulnerability and stole key enabling person to decrypt and take patient payment information.” The information on the server was encrypted using 128-bit AES (Advanced Encryption Standard) encryption.

Presbyterian Anesthesia Associates notified state residents in writing. No details are mentioned about notifying the remaining individuals affected by the data breach. The Federal Bureau of Investigation is currently investigating the cybercrime.

Update: Piedmont Healthcare has also been affected by the breach, according to PHIPrivacy.net. Patient data that may have been compromised include names, addresses, phone numbers, email address, credit card numbers and potentially Social Security numbers.

]]> http://healthitsecurity.com/2013/05/15/more-details-from-presbyterian-anesthesia-associates-breach/feed/ 0