Identity Theft Often Begins at the Workplace

The law is just a part of my identity

Julie Meadows-Keefe

Identity Theft and the Mythical Evil Hacker Across the World.


When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.

Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.

We may also picture paper medical records being thrown into the trash and being retrieved by someone who uses them to take out credit cards, loans or apply for benefits.

Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.

Identity Theft Under Our Noses!

This recently occurred at a clinic serving low-income patients in Palm Beach County, Florida.  Here, the employee had been collecting the data to sell as part of a fraud scheme.  Fortunately, a delivery truck driver grew suspicious of the woman, who ostensibly wanted to spend $36.00 to ship a card overnight.  The driver opened the package and discovered lists of clients' information, including clients' Social Security numbers.  The employee was fired and has been arrested on several counts of fraud.

Additionally, in Texas there have been several reports of similar identity thefts.

A former Texas Department of Health and Human Services worker in Mount Pleasant assumed the identities of clients receiving immunizations and other services from the agency. She used this client information to apply for credit cards online and, once approved, made as many purchases as each card would allow.  The former employee was arrested, and several hundred patient names and Social Security numbers were retrieved from her residence.

The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.

What Can Be Done to Prevent Identity Theft By Trusted Employees?

Unfortunately, it is impossible to filter every bad apple out of the barrel of potential job applicants.  Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty.  They may not have sought employment involving confidential data with the intent to steal it.  They may also think there is a low likelihood they will be caught.  This is where their logic falls apart.

Most employers that store and use confidential data electronically have audit logging in place.  This lets them see which employees are accessing which records, and when.  Assuming the employer has assigned someone to review those logs (or has automated alerts on them), unauthorized access can be easy to detect: an employee pulling far more patient records than the job requires, or pulling them outside of working hours, stands out from the normal pattern.  Early detection decreases the likelihood that improperly accessed patient data can be used for identity theft.  If you have not deployed audit logging and regular log review, this should be a top priority to accomplish in 2013.
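A simple version of that log review, added here as an example and not part of the original post or any vendor's product: the audit-export format and the thresholds are assumptions (a hypothetical CSV with timestamp, user, action, patient id and the fields touched; 25 distinct charts per day; 7 a.m. to 7 p.m. as business hours), and the log lines are constructed.  It flags a user who opens an unusual number of distinct charts in one day and a user who touches Social Security number or date-of-birth fields outside business hours, which is the pattern in both cases above.

```python
"""Flag bulk or after-hours patient-record access in an EHR audit export.

Added example. The CSV layout (timestamp,user,action,patient_id,fields) is a
hypothetical format; adapt parse_audit_log() to your system's export.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Fields whose access after hours is worth an alert on its own.
SENSITIVE_FIELDS = {"ssn", "dob"}


def _build_sample_log():
    """Constructed sample export: one normal shift and one bulk collector."""
    rows = ["timestamp,user,action,patient_id,fields"]
    # nurse_a: eight assigned patients, clinical fields, during the day shift
    start = datetime(2013, 1, 14, 8, 0)
    for i in range(8):
        ts = (start + timedelta(minutes=45 * i)).isoformat()
        rows.append(f"{ts},nurse_a,view,P{1000 + i},vitals;meds")
    # clerk_b: forty distinct charts, demographics plus SSN, after 7 p.m.
    start = datetime(2013, 1, 14, 19, 5)
    for i in range(40):
        ts = (start + timedelta(minutes=2 * i)).isoformat()
        rows.append(f"{ts},clerk_b,view,P{2000 + i},demographics;ssn")
    return "\n".join(rows) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_audit_log(text):
    """Parse the CSV export into event dicts with a datetime and a field set."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "patient_id": row["patient_id"],
            "fields": set(row["fields"].split(";")) if row["fields"] else set(),
        })
    return events


def find_suspicious_access(events, max_patients_per_day=25, business_hours=(7, 19)):
    """Return one alert per (user, day) for each rule that fires."""
    start_h, end_h = business_hours
    per_day = defaultdict(lambda: {"patients": set(), "after_hours": 0, "sensitive": 0})
    for ev in events:
        stats = per_day[(ev["user"], ev["ts"].date())]
        stats["patients"].add(ev["patient_id"])
        if not (start_h <= ev["ts"].hour < end_h):
            stats["after_hours"] += 1
        if ev["fields"] & SENSITIVE_FIELDS:
            stats["sensitive"] += 1

    alerts = []
    for (user, day), s in sorted(per_day.items()):
        distinct = len(s["patients"])
        if distinct > max_patients_per_day:
            alerts.append({"user": user, "day": day.isoformat(),
                           "rule": "bulk_access", "count": distinct})
        if s["after_hours"] and s["sensitive"]:
            alerts.append({"user": user, "day": day.isoformat(),
                           "rule": "after_hours_sensitive", "count": s["after_hours"]})
    return alerts


def audit_sample():
    """Run both rules over the constructed sample log."""
    return find_suspicious_access(parse_audit_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

Thresholds should come from each role's real baseline rather than a single number: a registrar legitimately opens many charts a day, a billing clerk viewing SSN fields at 8 p.m. does not.  The point is that the review runs every day, not only after a delivery driver gets suspicious.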

Next, employers should train consistently on their HIPAA Privacy and Security policies. This training should contain ample "scare tactics" showing what happens to people who violate the policies; I've included two examples in this post.  Jobs are lost, arrests are made, lives are ruined.

It is gratifying to see that both employers in the above examples appear to have acted appropriately: terminating the employees, communicating with authorities and potentially affected patients, and reflecting transparently on what other measures they are taking to ensure these incidents do not occur again.

If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.



HHS Is Serious About Privacy and Security!


HHS is serious about privacy and security! HHS demonstrated this again on January 2, 2013, when it announced the first HIPAA settlement for a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals. The provider, Hospice of North Idaho (HONI), settled with HHS for $50,000.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a two-year corrective action plan (CAP) with HHS.  The findings and obligations in the plan show how seriously HHS takes privacy and security:

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an ongoing basis as part of its security management process, from the compliance date of the Security Rule to January 17, 2012.  In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address those risks, document the chosen security measures and the rationale for adopting them, or maintain reasonable and appropriate security measures on an ongoing basis.
  2. HONI did not adequately adopt or implement security measures sufficient to reduce the risk to the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level, from the compliance date of the Security Rule to May 1, 2011.
  3. HONI must designate an authorized representative to be the point of contact with HHS throughout the two-year corrective action plan.
  4. HONI must report to HHS any violations of its Privacy and Security policies and detail the remedial actions it has taken in response.
  5. Any further HIPAA violations can result in additional civil money penalties.


You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," affecting 500 or more individuals to the Secretary of HHS and to the media within 60 days of discovering the breach. Smaller breaches, affecting fewer than 500 individuals, must be logged and reported to the Secretary annually.  As HONI learned, a breach below the 500-person threshold still draws an investigation and, where the underlying safeguards are missing, a settlement.

So many problems can be averted through diligent and consistent use of encryption, together with the common-sense measures staff can take when traveling with laptops and other mobile devices.  Under the HHS guidance on securing PHI, a lost or stolen device whose data is encrypted (with the key kept separately from the device) is not a breach of unsecured PHI at all, so the notification and investigation that HONI went through would not have been triggered.

HHS is serious about Privacy and Security.  You and your practice should be too.


What Are Physical Safeguards?


You never know who your patient (or patient’s mom) is…..

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home, so on two occasions I used the phone at a station in the ER. On the first occasion, I was led to the phone, where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It showed identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what's known as a physical safeguard, which simply means she took a measure to prevent me from seeing other people's information.

HIPAA’s Definition of Physical Safeguards

The HIPAA Security Rule defines physical safeguards as physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.  Health care providers like the ER must therefore implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.  Turning a screen away from a visitor, positioning monitors so they cannot be read from the waiting area, and privacy filters are all workstation safeguards in this sense.

In one enforcement example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required it to reposition its computer monitors so that patients could not view information on the screens. The practice also installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn't meant to call out a "wrongdoing," just to illustrate how easy it is to forget to protect someone's data, and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?


Are NFL Teams Covered Entities Under HIPAA?

Even NFL coaches know about HIPAA and are interpreting it for the news media!  John Harbaugh, head coach of the Baltimore Ravens, got pretty peeved the week after the Ravens were fined $20,000 by the NFL for not listing Ed Reed on the injury report.  Harbaugh said that the team will cite every "hangnail" going forward, and questioned the validity of the weekly report.

“There’s no credence on the injury report now,” Harbaugh said. “It doesn’t mean anything. It has no value. The injury report has no value.”

Ed Reed confessed he had been playing most of the season with a slightly torn labrum. The Ravens never listed him because he hadn't missed any game or practice time with the injury.

“If a guy that goes out there and doesn’t miss a practice and doesn’t miss a game and doesn’t want to be on the injury report and we have to put him on the injury report, I want the league’s answer on that,” Harbaugh said. “I’m looking forward to hearing that.”

Harbaugh also questioned the wording of the league’s injury report policy which states, “All players with significant or noteworthy injuries must be listed on the report, even if the player takes all the reps in practice, and even if the team is certain that he will play in the upcoming game. This is especially true of key players and those players whose injuries have been covered extensively by the media.”

“I’ll go back to the significance thing. The way the thing is written, it says, ‘if a player has practiced fully or played fully and he has an injury and he is a significant player and it affects his play, then he should be on there.’ Well, I think player safety is important for all of the players. I’m going to say that every injury is significant,” Harbaugh said. “If that’s how they want to word it, I’m not going to go with the league saying that one player is more significant than another player. That’s absurd to me. They can get mad at me if they want for saying that, but they need to write that a little more clearly. We’ll just put every guy on there that has a hangnail and go from there.”

Harbaugh also voiced concerns about player’s privacy. “Aren’t there HIPAA rights here?,” Harbaugh asked. “If I’m a player and I’ve been out there playing and I don’t want that on the injury report and I’m told I have to put that on the injury report, we’ve got some players that resent that. So yeah, I got a problem with that in all honesty.”

Some quick research on my part produced this link to the NFL injury report, where, for example, you can see that Atlanta Falcons Zach Streif and Sam Baker are both struggling with groin issues.   So I assume from all of this that NFL players are required by the terms of their contracts to disclose conditions that might impact their play.  Further perusal of the website led me to theorize that one of the purposes of the injury report is to assist fantasy football participants and Vegas odds-makers.  I guess if you were betting on the Kentucky Derby you'd want to know if your horse had a groin injury.  Same difference, right?

Coach Harbaugh's HIPAA reference gives me a jumping-off point to clear up a frequently believed myth: that any time someone's health information is disclosed, someone or some entity has violated HIPAA. This is not the case.  HIPAA can only be violated by individuals and entities within HIPAA's purview.  These are called covered entities.  HIPAA violations can also be committed by business associates that have contracts with covered entities.

I initially was going to say that the National Football League and its teams are not covered entities.  The players are contracted employees of their teams, and HIPAA does not apply to employers.  So health records in your employment file aren't protected under HIPAA, though they may be protected by other confidentiality laws.  But then I realized that the teams have physicians who treat the players, and physicians are typically covered entities when they treat patients.  So I went to this flowchart.  I would argue that the main job of NFL teams is playing football, but accompanying that, they are obviously intimately involved with the health of a player and his ability to play. So it would appear that the teams furnish health care in the normal course of business.  So we say "yes" and move forward on the chart.


Then, the next part of the chart asks whether the person or business sends any covered transactions electronically.  I do not know what the teams' practice is; however, if they do send electronic transactions, the chart indicates the team would be a covered entity.  If it does not send electronic transactions, it would not be covered by HIPAA.  So, if all the health information is transmitted on paper only, they could ostensibly scoot out from under HIPAA.    It could also be that players agree to the disclosure of relevant injuries as part of their contracts.  Further, from the sound of this article, players only have to report general types of injuries, and things like the specific treatment they are undertaking would be covered by HIPAA.

So my conclusion is that team physicians are covered by HIPAA, so only the most general type of disclosure is made, while specifics of treatment and other non-football-related health issues are not disclosed because of HIPAA concerns.

Please comment if you think differently or have some insight to add.




Are You Antsy over ANSI & Why It’s Hanging Out in HIPAA Regs?

Are You Antsy over ANSI?

ANSI stands for the American National Standards Institute. ANSI is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide. For example, standards ensure that people who own cameras can find the film they need for that camera anywhere around the globe.  The Institute administers five standards panels, including the Healthcare Information Technology Standards Panel.  That panel works to identify, coordinate, and harmonize the relevant voluntary standards in its area.  So you may now see why ANSI would be relevant to HIPAA.

ANSI is referenced in 45 CFR 160.103, the definitions section of the regulations implementing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA authorizes HHS to require the use of standards for the electronic exchange of health care data and to specify which medical and administrative code sets should be used within those standards.   Later, ANSI appears in the administrative requirements, at 45 CFR 162.940, which explains how an organization may petition HHS for an exception to test a proposed modification to the standard transactions and code sets.  HHS sets forth a list of evaluative criteria by which such requests will be examined.  The petitioning process is extensive and burdensome. In part, an organization must show that the modification is supported by an ANSI-accredited standards-setting organization or a public organization that would maintain the standard over time.


There has been much discussion and gnashing of teeth regarding the looming requirement that all HIPAA covered entities upgrade to the ANSI 5010 transaction standards and begin using the ICD-10 code set. Here, think of 5010 as the pipeline and ICD-10 as the oil: the far more detailed and discrete coding system intended to ensure precise reimbursement.

By October 1, 2014, all covered entities must be ready to embrace the new coding system, having made all the necessary technological updates and provided adequate training to physicians and administrative staff.

ANSI Understanding?

Hopefully, you now have a better idea about ANSI’s role in standardizing the method by which health care information is coded and conveyed.

Please comment if you have thoughts or questions.  You can also e-mail me @


How to Scrub Your PHI


Protected Health Information (PHI) is Personal

Protected health information (PHI) is some of the most personal information that exists about you and me.  It includes things like our date of birth, height, weight, address, contact numbers, family member names, medication history and more.  Generally an individual receiving health care knows that their PHI will be used for their treatment, for payment and for certain health care operations.  Do they also know that their PHI can be sanitized (de-identified) and used for research?

PHI Can Be De-Identified, and Therefore Less Personal

At long last, the HHS Office for Civil Rights (OCR) has issued guidance regarding how health insurers, clearinghouses and medical providers should strip patient records of identifying information, so that the data is exempt from the privacy restrictions and can be used in clinical and research studies.

The HHS guidance presents two methods by which health care companies can satisfy a so-called de-identification standard contained within the privacy rule of the Health Insurance Portability and Accountability Act, affectionately known as HIPAA.  These two methods are expert determination and safe harbor.  OCR’s guidance is designed to assist covered entities to understand de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.

The HIPAA Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following certain de-identification methods. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

If a covered entity decides to de-identify information via the expert route, the guidance requires that the following criteria be met:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;


Interestingly, OCR takes pains to state that there is no particular credential necessary for this expert.  If the matter becomes one of OCR enforcement, OCR would look at a particular expert’s qualifications on a case-by-case basis. The expert does not necessarily need to be a statistician.

If a covered entity decides to de-identify by entering the "safe harbor," there is an exhaustive list of 18 identifier types that must be removed.  These include names; all geographic subdivisions smaller than a state (street address, city, county and ZIP code, except that the first three digits of a ZIP code may be retained when the area sharing that prefix contains more than 20,000 people, and must otherwise be changed to 000); all elements of dates other than the year, and any age over 89, which may only be reported as "90 or older"; telephone numbers; Social Security numbers; medical record, account and health plan numbers; and other unique identifying numbers or codes.  The covered entity must also have no actual knowledge that what remains could be used to identify the individual.  OCR points out that just three data points, date of birth, gender and five-digit ZIP code, uniquely identify more than half of US residents.
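What applying the safe-harbor list looks like in code, added here as an example and not taken from the OCR guidance or the original post.  The record layout, the field names and the set of low-population ZIP prefixes are assumptions (the real prefix list is derived from Census data and maintained separately), and the record is constructed.  It drops the named identifiers, truncates the ZIP code, keeps only the year of dates, caps reported age at "90+" (and suppresses the birth year for such patients, since a birth year plus the reference date would reveal the age), and redacts Social Security number, phone and e-mail patterns from free-text notes, which is where identifiers most often survive a field-level scrub.

```python
"""Safe-harbor style scrub of a patient record (added example).

Field names are assumptions about a hypothetical record layout, not a
standard schema; map them to your own. Free text still needs human review:
the regexes catch common patterns, not every way a name can appear.
"""
import re
from datetime import date

# Identifier fields dropped outright (hypothetical names for the safe-harbor
# categories: names, addresses, contact details, SSN, MRN, account numbers...).
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle", "device_id", "url", "ip",
    "biometric", "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed placeholder set; the real list comes from Census data.
SMALL_ZIP3 = {"036", "059", "102", "203", "556"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Reference date used to compute age for the constructed sample.
AS_OF = date(2013, 1, 14)


def scrub_zip(zip_code):
    """Keep the three-digit prefix unless it maps to a small population."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def redact_free_text(text):
    """Replace identifier patterns that commonly leak into clinical notes."""
    for pattern, label in ((SSN_RE, "[SSN]"), (PHONE_RE, "[PHONE]"), (EMAIL_RE, "[EMAIL]")):
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of):
    """Return a safe-harbor style copy of record; as_of is the age reference date."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = scrub_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"   # birth year omitted: it would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # admission, discharge, death: year only
        elif key == "notes":
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    return out


# Constructed record, not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Elm St",
    "city": "Mount Pleasant",
    "zip": "75455",
    "dob": date(1921, 3, 2),
    "admit_date": date(2012, 11, 30),
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis": "type 2 diabetes",
    "notes": "Daughter (call 555-123-4567, jane.d@example.org) has paperwork; SSN 123-45-6789 on file.",
}


def deidentify_sample():
    """Scrub the constructed record as of the sample reference date."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note what survives: the diagnosis, the admission year, the ZIP prefix and the age band.  That is exactly the data researchers want, and also why the "no actual knowledge" condition matters: if a covered entity knows a scrubbed record describes, say, the only 90-plus diabetic admitted from a given ZIP prefix in 2012, safe harbor has not been met even though every listed field is gone.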

PHI Is Irresistible to Researchers and Others Because It Is a Rich Resource

My personal take on this dates back several years, to when I recognized that HITECH was inextricably tied to the Affordable Care Act in the following ways:

  1.  HITECH has incentivized health care providers through both a carrot and stick approach to adopt electronic health records.
  2. HITECH established funding for networking health care providers to share this data.
  3. HITECH, through the mechanism of meaningful use has developed a methodology for collecting health data on all patients.  This includes things like smoking status and body mass index.
  4. The Affordable Care Act ties patient outcome and cost of care to reimbursement.
  5. To control health care costs and maximize better health care outcomes, it makes sense to draw from all available data to see what treatments work best for high-cost chronic conditions that strain the health care system such as heart disease, asthma and diabetes.  The data has to come from somewhere.
  6. Privacy advocates and others are concerned that our health information will be grist for the research mill whether we want it to be or not.
  7. Many individuals are concerned about privacy breaches involving their most sensitive personal information.
  8. On the other hand, researchers, policy-makers and others are salivating over the rich data that now exists to answer many compelling questions and bring us further down the road to curing cancer and other devastating illness.

Varying interests must be balanced moving forward, but one wonders whether a patient will be able to fully comprehend that their health information may be scrubbed and used for research.  Perhaps we all have a moral obligation to contribute to the body of scientific research aimed at helping us all live healthier lives.  But at what point could such research be used to deny care, on the basis that a particular treatment has been shown to succeed very seldom while being very expensive?


We enter into a brave new world.  May patients, providers and the public remain engaged on the topic of PHI. Please leave a comment if you’d like to join the discussion!


What is a Health Care Clearinghouse?

What is a health care clearinghouse?  Most people hear the word "clearinghouse" and think of commercials featuring shocked sweepstakes winners whose lives are changed when strangers come to their door with TV cameras, balloons, bouquets and big cardboard checks.

However, for purposes of HIPAA (Health Insurance Portability and Accountability Act), a health care clearinghouse is an entity that transforms or translates data from one form to another so that it is usable for a particular purpose. A health care clearinghouse is a covered entity under HIPAA.  That means that a health care clearinghouse is governed by HIPAA.

In trying to understand the nature of a health care clearinghouse, imagine the difficulty you have traveling abroad and not speaking the native language.  You will need a translator in order to communicate.  A clearinghouse can be thought of as a sort of translator.  A clearinghouse can also organize or structure data.  Whereas health data used by a doctor or hospital may be useful to them for documenting patient care, data in that form may not be useful to payors.  Data may need to be coded or presented in a certain way to be usable for a permitted purpose.

Health care clearinghouses can be public or private entities.  For HIPAA purposes, a clearinghouse is most often one of the following:

  • a billing service
  • a repricing company (which takes the bills, matches them up with the insured’s contract with the hospital, and adjusts them to the pre-negotiated price).
  • a community health management information system or community health information system, or a "value-added" network or switch, that performs either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.   A key objective of HIPAA was to require national uniform methods and uniform codes for the exchange of electronic information between health care providers and health plans.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care clearinghouses make data user-friendly for particularized purposes.  Most often, clearinghouses are trying to convert data for billing purposes, price comparison and cost-effectiveness analysis.  It’s reasonable to speculate that health care clearinghouses will have an enhanced role to play in a post Affordable Care Act world, because costs and benefits of particular treatments and efficient use of resources will become even more important.

Although you have not won a sweepstakes by reading this post, you now know what a health care clearinghouse is, how it functions, its purpose and why it’s important for clearinghouses to understand HIPAA’s requirements.

If you need assistance understanding HIPAA's applicability to your organization, contact me or leave a comment below.


What is a Health Plan?

Health Plans Under HIPAA


Health Plans are important to Americans.  HIPAA applies to health plans, health care providers and health care clearinghouses.

 What does HIPAA Consider a Health Plan?

Today, I want to focus on its applicability to health plans, 45 CFR 160.102(a)(1). Health plans are probably familiar to you.  These are most often known as health insurance companies.  More specifically, a health plan means an individual or group plan that provides, or pays the cost of, medical care.

I'll provide a quick list of further definitional aspects of what constitutes a health plan.  The definition includes, singly or in combination, any of the following:

(i) A group health plan;

(ii) A health insurance issuer;

(iii) An HMO (Health Maintenance Organization);

(iv) Part A or Part B of the Medicare program;

(v) The Medicaid program;

(vi) An issuer of a Medicare supplemental policy;

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;

(ix) The health care program for active military personnel under title 10 of the United States Code;

(x) The veterans health care program under 38 U.S.C. chapter 17;

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);

(xii) The Indian Health Service program under the Indian Health Care Improvement Act;

(xiii) The Federal Employees Health Benefits Program;

(xiv) An approved State child health plan under title XXI; providing benefits for child health assistance;

(xv) The Medicare+Choice program under Part C of title XVIII;

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals;

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

What’s not considered a health plan under HIPAA?

Any discussion of what a health plan includes should also include a list of what's excluded from the definition of a health plan.  These exclusions include:

(i) Any policy, plan, or program to the extent that it provides, or pays the cost of, excepted benefits listed in section 2791(c)(1) of the Public Health Service Act (such as accident-only, disability income, or liability coverage); and

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

 Under HIPAA, there is a rather specific laundry list of what is and isn’t a health plan.

It's intuitive to think you already know what a health plan looks like for general purposes, but I hope that it was helpful to receive more detail regarding how HIPAA defines a health plan.

If your organization would like further training, please contact me at



“Human Error” Avoidance: the Google Earnings Misfire


Google rules the world. As someone who teaches companies and individuals about crisis communication, I followed with interest this week as Google shares were halted from trading on the NASDAQ after an early release of its earnings.  I waited for the investor conference call to air on CNBC to see how Google would communicate about it.

Notably, very early in the call, the Director of Investor Relations introduced CEO Larry Page.  Mr. Page had been keeping a low profile recently due to an unspecified illness.  In spite of a hoarse voice, Mr. Page got on the call to address the earnings report.  He apologized for the "scramble on release" of the report and indicated that the "printers" had sent it out early as a result of "human error".  This referred to the fact that earlier in the morning, RR Donnelley, Google's financial printer, had advised Google that it had filed Google's 8-K earnings statement without authorization.

Mr. Page then quickly moved things forward, stating that revenue was up 45% year on year and that this is "not bad" for a teenaged company only fourteen years old. He went on to discuss the simultaneous disruption and opportunity brought about by the abundance of mobile devices.  The challenge Google faces moving forward is monetizing mobile ads and devices as users shift away from PCs.  There are currently half a billion Android devices in the world, and 1.3 million are being added each day.

Google shareholders were unpleasantly shocked to find that at one point today their stock had lost approximately 10% of its value.   Google and its financial printer RR Donnelley face both financial and reputational harm from today's misfire.

 I see a few things that Google did well today:


  • It brought out CEO Larry Page after a period of illness-related absence to directly address the concerns related both to the premature release of the report and to the contents of the report itself.  Google utilized Mr. Page even though his voice was hoarse.
  • Mr. Page addressed it first thing.
  • Mr. Page emphasized how well Google is positioned to meet future challenges.

Google stock recommenced trading prior to the end of the business day.


A few things seemed to be missing:


  • Too much time elapsed from when the stock stopped trading to when it resumed trading, giving pundits and analysts an opportunity to speculate.
  • Google did not seem to be out in front of the issue.
  • Google seemed too quick to blame RR Donnelley and did not own ultimate responsibility for when its own earnings report was released.

Google did not outline steps to demonstrate how it will avoid this in the future.


Observing this situation with Google unfold this week on cable and via the web demonstrated to me the following:


  • Even in an environment where computer glitches, viruses and even malicious cyber terror can and do sabotage companies, there is still an active role for humans to take in making mistakes.
  • Human error will always be a variable, but processes can be put in place to reduce its likelihood.
  • When approaching a crucial deadline, there can never be enough communication and verification that everyone knows what role they are playing at what time.
  • There must be a communication strategy in place in case something goes wrong.
  • The event must be analyzed to identify exactly what happened and what will be done to assure that lessons are learned and the mistake is not repeated.
  • If a mistake like this can happen to a company like Google, it becomes even more important for smaller organizations to have policies and procedures in place to execute required tasks.


Google is a dominant global brand that is trusted and brings enormous value to both its users and investors.  This “glitch” will most likely soon be forgotten, and the company will continue to be a global leader as it extracts lessons learned and moves forward into a world that it has impacted perhaps more than any other company has before.


Please contact me if you have questions about crisis communication and management.  Learn more about me here.



Privacy and Meaningful Use Stage Two Proposed Rule

Meaningful Use Stage Two

As you might know, this week the Centers for Medicare & Medicaid Services (CMS) released its proposed rule for Meaningful Use Stage Two.

You will note that the proposed rule emphasizes direct contact with patients, patient safety (especially in medication administration to those hospitalized) and a modicum of flexibility in order to reduce burdens upon providers and vendors.  There didn’t appear to be much discussion of HIPAA/privacy.

I spend a great deal of time in my practice thinking about issues of privacy and security and HIPAA compliance and was therefore interested in seeing how the draft rules dealt with these.

Where is Privacy Considered Within Meaningful Use?

A rudimentary word search revealed that the first reference to privacy is on page 77 of a 445-page document.  That reference basically exhorts eligible providers: “Oh, and hey, by the way, remember that thing called HIPAA!”  Actually, the reference goes on to redeem itself a bit, because it then explicitly tells providers that HIPAA does not restrict a provider from giving patients access to their clinical summaries.  Indeed, the rule requires that patients be provided with their clinical summaries within 24 hours 50 percent of the time.

The next two references were music to this breach-avoidance evangelist’s ears!  The draft points out the vital nature of encryption and states that almost 40 percent of large breaches reported to HHS involve lost or stolen devices.  If those devices are properly encrypted, covered entities basically “get out of jail free”: under HHS guidance, PHI encrypted with a process consistent with NIST standards (for data at rest, NIST Special Publication 800-111) is not “unsecured” PHI, so the loss of the device does not trigger breach notification, provided the decryption key was not lost or compromised along with it.  Thorough risk analysis and security updates are also highlighted.

The rule drafters take pains to highlight that discussion of certain HIPAA requirements within the context of defining Stage Two Meaningful Use does not in any way diminish the requirement that eligible providers adhere to all requirements of the HIPAA Privacy and Security Rules as well as state confidentiality rules.  Additionally, those providing substance abuse and mental health services are reminded to review SAMHSA regulations.

Stage Two also includes a requirement that Eligible Providers give patients the ability to view, download and transmit their own health information within 4 business days of the information being available to the Eligible Provider.  This is less a nod to HIPAA than to the Fair Information Practice Principles, first articulated in the 1970s, which set forth minimum standards for allowing citizens access to information collected about them.  These principles were instrumental in HIPAA’s development.

Meaningful Use Presupposes Some Meaningful Protection of PHI

In sum, the proposed rule defining Stage Two of Meaningful Use highlights the need to ensure adequate protection for protected health information.

The #: meaningfuluseprivacy

The 140:  Meaningful Use Stage 2 mentions HIPAA compliance & incorporates it by reference more than emphasizing it.
