Get Out of HIPAA Jail Free

Consider a couple of nightmares that might easily come true:

1. Your laptop, with a variety of documents and files containing confidential, protected health information on its hard drive, is stolen from your car, hotel, or disappears while you are traveling.

2. Your office is burglarized and all the desktop computers, as well as a server containing your patient database, are stolen.

I ran across the following set of statistics, or very similar ones, repeatedly, most often on web sites of security companies:

  • Every 53 seconds another laptop is stolen in the USA.
  • At least 600,000 laptops are stolen each year in the USA. 
  • Hardly any (3%) stolen laptops are ever recovered. 
  • Laptop computer theft trails only identity theft as the most common crime. 
  • Almost half of all data leaks and breaches are the result of lost or stolen portable computers, according to a study by The Identity Theft Resource Center.
  • Laptops are the number-one item stolen in San Francisco – San Francisco Police Department.
  • The Identity Theft Resource Center’s recent list of 397 significant data breaches so far for the year of 2009 includes 51 healthcare breaches that compromised almost 9 million records.

Most of the sources of these data are trying to sell a security solution of one sort or another, but the vulnerability of laptops, especially in transit, is obvious. I don’t have any statistics for burglaries of computer systems from offices, but I’ll wager that most of you either know of a victim of such a crime, or have been a victim yourself.

Long before HIPAA, health professionals – especially mental health professionals – had a professional responsibility to safeguard the privacy of their patients/clients and the confidentiality of the personal and clinical information in their custody. HIPAA came along and increased our awareness of the special risks of electronic records and communications, defining Protected Health Information (PHI) at a federal level and providing some rules and guidelines for securing PHI stored or transmitted in electronic form. Now the Health Information Technology for Economic and Clinical Health Act (HITECH) has arrived and adds some pretty sharp teeth to HIPAA’s privacy and security rules.

If you need a push to get you to take privacy and security compliance seriously, consider the following from Section 13402 – Notification In The Case Of Breach. (This section is from HITECH/HIPAA: Notification in the case of breach at lawtechtv.com, a site I would strongly recommend that you visit.) The bold italics are mine:

If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements.

13402(a): Covered Entities (CE’s) must notify individuals.
13402(b): Business Associate’s must notify CE’s.
13402(d): Notification must be no later than 60 days after discovery.
13402(e): Specific notification methods are required depending on the number of individuals whose PHI was breached.
13402(f): the notification must contain specific content.
13402(h): unsecured PHI* means PHI that is not secured through: 1) encryption; and/or 2) destruction—as provided by HHS guidance. Methods must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see HIPAA Security Rule & NIST standards).


If over 500 individuals’ PHI has been compromised then the media must be notified and the Secretary of HHS as well.

Breach: “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not be able to retain such information.”

Do you really want to have to choose between:

  1. Significant civil penalties (between $100 and $50,000 per violation, up to $1.5 million maximum per incident) and …
  2. Publishing in the local media a notice of your failure to protect your patients’ private information?

Of course not! Why not take advantage of the explicitly defined safe harbor? If the hard drive of that missing laptop has been encrypted, using appropriate technology, then there is no notification requirement at all! The same technology can be applied to every hard drive in your organization, especially the servers on which the bulk of the PHI resides. There are numerous commercial disk encryption approaches available, as well as free, open-source solutions such as TrueCrypt, that would provide you with the protection you want and owe to your patients, all penalties aside.

My previous post regarding encryption resulted in no reader response whatsoever. Does this information about your notification responsibilities make it more likely that you will move forward with data encryption? If not, why not?

Cheap Productivity Booster: Add a monitor

Sometimes I am doing so many things at one time that I lose track of where I am and need to stop and scan my environment for clues to what I was last doing. Because each of us at SOS wears so many hats, most of us multitask every day. We have found a simple and inexpensive way to increase productivity.

First I must tell you that I resisted doing this for about a year. Seth and Manon had both expanded their world view as had two of our programmers before I decided it was something that might be useful. This simple solution is adding a second monitor to your desktop.

Okay, okay…I know. What could you possibly need with a second monitor? After all, your desktop is already hopelessly cluttered with stacks of paper (at least, if it is like mine it is) and there is no available real estate for adding something as silly as a monitor. That is what I thought. Then I added one.

Now I am able to spread the six or eight applications that I keep open all the time across two screens so I can see and use multiple programs at one time. This is especially useful if I am working in bookkeeping and spreadsheets simultaneously. I can go back and forth from one program to the other by turning my head and clicking. In the past, I could only view a small window into each application if I wanted both on my screen at one time.

[Image: One Monitor]

You can see how scrunched things are above. Below is the image of two monitors, side by side. My two open programs shown overlapping on the screen above have now gone to five open programs plus Google Sidebar. I still have several other items in my program tray that are not currently maximized, but with the two monitor arrangement, I can easily see my multiple tasks at one time.

[Image: Two Monitors]

This is especially useful for those of you who keep a product (like SOS Software or some other mental health billing software) active on your computer all the time. You need it there ready in case you have a phone call from a client, so you can check someone in when they arrive to see their psychotherapist, so you can enter their payment when they leave. But today you are also actively writing letters in your word processor, you are working on spreadsheets you have created by exporting some of your reports from Office Manager, and you are occasionally checking your email. With two monitors, all those tasks can be visible at one time!

To add the second monitor, you need to be sure you have adequate inputs on the computer box. Then use the Windows Control Panel > Display Properties > Settings to select which monitor is primary and to verify the appropriate settings. Just Google ‘dual monitors xp’ or ‘dual monitors vista’ without the quotation marks to get guidance from Microsoft about just what to do in your operating system.

We all have too much to do, so finding the most efficient and cost effective ways to get that work done is very high priority. Let us know what kind of steps you have taken to increase your efficiency. Have you considered multiple monitors?

To enter your comments, just click on the title of this article and enter your thoughts in the box at the bottom of the page.

Death and EMRs: Disruptive events?

The deaths of the past week have set me to thinking. The mother of a friend passed away early in the week followed by the wife of a family friend. Then, news of the death of cultural icon, Michael Jackson, was everywhere.

I come from a family and culture (New Orleans-based) where death is an intrinsic part of life. It very much affects those who are touched most directly by the loss, but it is also integrated into day-to-day life in such a fashion that life moves on with barely a ripple. The deceased is celebrated and mourned in one or multiple events ranging from wake to jazz funeral. Burial in above-ground graves and mausoleums (the water table in New Orleans is very high) caps off the events, and the cemeteries are daily reminders of the short-term nature of life. As with everything else in New Orleans, after death there is a party, but there is real disruption only for those immediately touched by the death. Life goes on.

I married into a family that shares the more traditional views of death held by most of American culture. It is not to be talked about too openly, lest it be invited to approach. And, as for most people in our culture, death is definitely considered to be a disruptive event, dislocating those related to the deceased from the ordinary course of life for an extended period of time. In fact, the disruption is frequently so severe that it is no surprise to those around the survivors that they are forever changed.

The term disruptive technology was introduced by Clayton M. Christensen in 1995 and together with his modification disruptive innovation has become a catch-phrase for technological change that is so radical that it dramatically alters the course of events that follow. If you read any articles about technology, you will come across the terms.

On the way to an event yesterday, we were listening to a podcast of The Week in Technology (TWIT) in which Twitter was discussed as a disruptive technology…disruptive to the field of journalism and to our whole way of communicating and thinking about news events. The techno-nerds who are the mainstay of TWIT are convinced that the immediacy of communication enabled by Twitter is and will continue to radically alter the way in which we receive information, likely becoming the jumping off point for even newer innovations in the realm of communication and information sharing.

I find myself wondering if Electronic Medical Records (EMRs) will not become the same kind of disruptive technology for our current healthcare system. Since EMRs have been around for a while now, many would argue that they will certainly change healthcare, but do not reach the level of disruptive technology. But when I think about many of our customers in the behavioral health community and the radical changes to their organizations that will be required to move to EMRs and to use them in a meaningful way, I can imagine few more disruptive events.

Some would say that managed care had the potential to be just as disruptive…it certainly changed the way in which private mental health practices have conducted themselves over the last twenty years…but it did not intrinsically change the way in which the provider interacts with the recipient of healthcare services. The consumer may be seen less frequently and for a shorter total length of treatment, the managed care organization may refuse to pay for certain types of care (which the patient can then purchase with their own dollars), but the provider still sees the patient, assesses the problem at hand and provides treatment.

EMRs have the potential for changing that sequence of events. If used in a “meaningful” way, if decision support tools and treatment protocols that are based on scientifically assessed methods (evidence-based treatment) are incorporated into the EMR products and utilized by providers at the point of care in the way envisioned by the framers of HITECH, we will have a new healthcare system…or maybe not.

What do you think? Will widespread adoption of EMR systems be a disruptive innovation for healthcare? Do behavioral health EMRs have the potential to be disruptive technology for the mental health community?

Please add your comment by clicking on the title of this article and typing your thoughts in the comment box at the bottom of the page.

Personal vs. Professional: Social Networking Sites

I checked my email on Sunday night to find two new requests for “friend” status on my Facebook page…one was from a customer, the other was from my mother-in-law. The juxtaposition of requests brought directly home the conflict and confusion that some folks are having about use of the social media sites. Is your use personal or professional? Is it acceptable to mix the two? Would you and your contacts be better served if you have two separate online identities, a personal one and a professional one?

I am a firm believer in synchronicity. I think of Carl Jung and his notion of synchronicity (an acausal connection of events in time) often as I experience the unexpected confluence of events. This weekend was no exception.

  1. On Friday, I had time (for the first time in weeks) to tune in to HubSpot TV, a podcast done by staff members of the Internet Marketing firm whose products and services I use. They mentioned this issue of social media utilization and the possible need to keep one’s “identities” separate. One of their blogs addressed the issue on Friday and the author lays out some considerations.
  2. On Friday evening, my partner, Seth Krieger, suggested that I write a blog on social media and professional vs. personal concerns.
  3. On Sunday I got the Friend requests I mentioned above.
  4. This morning I looked at two print newspapers I receive: The New England Psychologist ran an article featuring input from Thierry Guedj, Ph.D., “Psychologists navigate use of online social networking sites”; and The National Psychologist included John Grohol, Psy.D.’s article “How ‘tweet’ it is: Social networking using Twitter”. Both of these psychologists explore some of the concerns unique to providers in the behavioral health community.

This confluence of events was impossible for me to ignore. I have found myself thinking about these issues often over the past several months. Since I began use of social networking as a way to spread our business presence more broadly on the Internet, the differences between personal and professional presence have been playing around the periphery of my mind.

While I have not seen clients for the last 16 years, I was trained as a psychologist and saw patients in a private practice and in a CD program setting from 1978 to 1993. I am well aware that boundary issues are confronted regularly by psychotherapists charged with providing a safe space in which consumers of their services can deal with issues ranging from relatively minor personal problems to serious chronic mental health issues. Protecting that ‘space’ is part of building trust and of maintaining the privacy of the client.

The sanctity of that space is challenged regularly, sometimes by the spill-over of the therapist’s life into the therapy. Personal illness and family deaths are regular intruders, but many others exist. I hosted a live, call-in television show on psychology topics from 1981 to 1983. Some of my clients were proud of the public education work I was doing; others felt that they lost a part of me that they owned and were not happy to share me with the public. As a feminist psychologist treating lots of women, it was not unusual to cross paths with a client in the ‘real’ world. Prior agreements about how or whether to greet in public aside, face-to-face interaction outside the therapy space was often a cause for discomfort for me and for the client.

Those challenges to privacy are part of the physical community in which we live. Now we add the complication of a virtual world in which massive quantities of information, both personal and professional, are available to anyone who bothers to Google us. Factor into that the fact that we have no idea which information the client has. Each form of social media provides different challenges.

1. blog: A weblog, or blog, can be an excellent way for you to provide useful information to your own clients and to many others who see your blog articles. But if you go out there into the blogosphere and take a look at the material available, you will find that the writing styles are much less formal than other published documents, especially journal articles. Because of that informality, there can be a tendency to slip into personal revelation.

Potential benefits: Great way to become more known in your community, to educate and share valuable information with your clients, and to provide a community service through public education.
Potential risks: Informal style of blogs can lead you to share more personal information than you would usually do in journals or in direct contact with your clients.

2. Facebook: When I started to use Facebook, I intended that use to be purely personal. My nephew’s wife invited me to join first. I resisted. When an age-mate with whom I share a book club and a social sphere invited me, I joined. Facebook has been great fun! I have connected with classmates, friends and family members. As with many people in my age group, my postings are rather tame. They do reveal personal relationships and history. I was a little conflicted when business associates asked for ‘friend’ status, but decided that I do not live a wild and crazy life and there is little about me on Facebook that I am not comfortable sharing with customers and other business associates.

Potential benefits: Facebook is a great way to keep up with new family photos and to stay in more frequent contact with friends and family members who are far away.
Potential risks: If you do live a wild and crazy life and do not want your clients to know that, do not give ‘friend’ status to those clients.

3. LinkedIn: LinkedIn is the only one of the social networking sites I use that is designed for professional purposes. It is professional networking, par excellence. If you want to connect with other colleagues, this is the place to do it. If you are looking for a job, this is certainly the place I would start. There are headhunters who frequent the site looking for the most qualified individuals for their position postings. You can join groups that meet your interests and connect there with other folks who have like concerns. 

Potential benefits: LinkedIn is a great place to network with other professionals. It is designed for peer-to-peer connections.
Potential risks: If your clients/patients are other professionals, you might run into them here and need to make some decisions about who your network should include or exclude.

4. Twitter: Twitter is something else. I am still not sure about Twitter. I use it in a purely professional way. In fact, the name under which I tweet is @SOS_Software. The people I follow are other professionals who have similar interests. Those other folks are great sources of information. The tweets I find most useful are about articles, blogs and news that is relevant to my professional world. Most of the people who follow me are also interested in healthcare and software. Sometimes, I get a follow from someone who seems totally unrelated to anything in which I am interested. I blocked the clearly pornographic Follow that appeared last week.
The way I use Twitter is totally contrary to the way most young people use it. To folks who are used to text messaging for everything, Twitter is a way to disperse text messages much more broadly. You can let everyone in your network know your status all at one time. To me, this is useless. To many others it is an essential part of staying connected.

Potential benefits: This is an excellent way to disperse a communication to a large group of people at one time. You could use Twitter to communicate educational information to all of your clients at once.
Potential risks: Twitter is like Facebook. Everybody who follows you sees everything. If you intersperse personal messages with your professional ones, everybody who follows you still sees all of it.

What do you think about these social networking sites? Do you use them? Does your organization use them to keep in touch with consumers? What do you see as the potential benefits or glaring weaknesses of being connected 24/7?

One last word of advice: If you decide to jump into the sphere of social networking, decide whether you are going to do so as a professional or for your personal needs. Once you decide, choose your networking sites accordingly. If you want to do both, you might be best served by having two different social networking identities.

Beyond Backup: Creating an image of your hard drive

Last week I started writing an article about my attendance at the Software and Technology Vendor Association (SATVA) meeting. That quickly went by the wayside as my time was gobbled up by the crucial task of restoring my laptop computer to a usable state. On my return from New Orleans at the end of March, it stopped working, a bit at a time until I could not get it to boot in anything but Windows SAFE mode.

Oh no, I can hear you say. She had a computer crash and did not have a backup! But, you see, I did have a backup. I am an avid Windows Live OneCare user. My computers are backed up weekly…and all of the data produced on both machines is backed up daily on our network, which is, in turn, backed up several different ways. I did not lose any data, but I was still faced with the ordeal of getting my computer back to where I need it to be so that I can be productive. So what happened?

I have become the victim of an infamous catch-22. I had complete and incremental Windows Live OneCare backups of my computer…but I could not run Windows Live OneCare in order to restore my backed up files.  Even if I could restore the files backed up by OneCare, chances are that Windows would still be broken to the point of unusability. My computer even has built-in recovery support, so I had a complete backup of the machine stored on the hard drive. But the problem was in the operating system (OS)…Windows itself had become corrupted. And here’s the kicker…I bought the laptop with Windows Vista pre-installed, so I did not have CDs from which I could reinstall the OS, and the built-in recovery program on the hard drive would not run.

Once we had tried all the restore options we thought we had in place here locally with no success, I called Lenovo for support. They determined that I needed to reinstall Windows and sent me CDs with which to accomplish that task. Before getting to this point, I had easily spent three days trying to recover from the fatal problem; Seth had spent two additional days of his weekend trying to do the same. This was just the beginning.

The CDs from Lenovo arrived while I was at the SATVA meeting and Seth started the installation process for me while I was away. When I returned, I spent another day monitoring the computer while it completed all the necessary updates. Then I began the time-consuming process of re-installing the software I use on the machine. That was last Monday. I got Microsoft Office installed along with a couple of smaller programs I use all the time. 

Next I performed what we have decided is a crucial step to keep this total waste of time from happening again in the future…I created an “image” of the hard drive including all the programs and registry settings for everything I had installed up to this point. An image backup differs from the usual file backup in that it is a bit-for-bit copy of the hard drive, a snapshot of the entire hard drive at a specific point in time. It can be restored without the need to install Windows first.

While we used an inexpensive “techy” Linux-based program to do this image, there are many excellent products on the market. Some traditional backup programs, such as current versions of NovaBackup, also include image backup capability. I had not yet installed all the programs I use, but we were still uncertain about the stability of my computer, so we wanted to be sure to have an image of the hard drive sooner rather than later. I will repeat this step when I have completed installation of all of the programs I use and do not want to have to reinstall the next time something like this happens.
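The bit-for-bit copy described above can be made with nothing more than the standard dd and cmp tools. The script below is an added example and is not the program we used or any product named in this post; the “disk” it images is a constructed 1 MiB file standing in for a device such as /dev/sdX, so it runs safely without touching a real drive. The conv=noerror,sync options keep dd reading past bad sectors (padding them) instead of stopping, which matters on a drive that is already failing.

```shell
#!/bin/sh
# Added example: create and verify a bit-for-bit disk image with POSIX tools.
# Not from the original post; the source "disk" is a constructed file.

make_fake_disk() {
  # Constructed stand-in for a hard drive: exactly 1 MiB of random bytes.
  # In real use you would point image_disk at the device node instead.
  dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

image_disk() {
  # $1 = source device (or file), $2 = destination image path.
  # noerror: keep going after a read error instead of aborting.
  # sync:    pad any short/unreadable block so the image stays aligned
  #          with the source (the last block is padded if the source
  #          size is not a multiple of bs).
  # Write the image to a different physical disk or external drive:
  # an image stored on the drive it copies is lost with that drive.
  dd if="$1" of="$2" bs=64k conv=noerror,sync 2>/dev/null
}

verify_image() {
  # Exit status 0 when the image is byte-identical to the source.
  # Run this right after imaging, before trusting the copy.
  cmp -s "$1" "$2"
}

# Stand-alone run: image the constructed disk into a temp dir and verify it.
if [ "${0##*/}" = "image_example.sh" ]; then
  work=$(mktemp -d)
  make_fake_disk "$work/disk.bin"
  image_disk "$work/disk.bin" "$work/disk.img"
  if verify_image "$work/disk.bin" "$work/disk.img"; then
    echo "image verified: $(wc -c < "$work/disk.img") bytes"
  else
    echo "image does NOT match source" >&2
  fi
  rm -rf "$work"
fi
```

Restoring is the same dd command with the source and destination swapped, run from a live or rescue environment, which is what makes an image usable when the installed operating system will not boot. Note that on an encrypted drive the image contains the encrypted blocks, so it is only useful together with the key or passphrase.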

Twenty days later, I am almost back to where I started. Today I am installing the last of my frequently-used software. I cannot even imagine where I would be if most of my data were not stored daily to our network and backed up each night. At least I have been able to access most of my data files once I reinstalled the program that created the files. I am fortunate that I also run a desktop computer from which I can operate most of my critical computer functions. The original purpose of this dual computer capability at my desk was multi-tasking and minimizing wait times, but during recovery I have been able to keep up with email and customer contacts and bookkeeping because all of that is done on my desktop computer. I will create an image of that machine tonight! I did that immediately after we originally set up the computer, but the image has not been updated since then. As I have learned, that is a disaster waiting to happen!

It does not matter what you use your computer for. If you do mental health billing or medical billing; if you use the system for a behavioral health EMR or for a psychiatric clinical record; if you are the bookkeeper and maintain the financial records for your organization; if you are a home user who maintains emails and pays bills and shops on the Internet…you need more than a backup. If your computer is used for crucial functions of any kind, or if your time is limited and you don’t want to spend days rebuilding your machine’s contents, you need more than just regular backup of your data. You need an image of your hard drive and you need it somewhere other than on the hard drive of your computer!

The lesson learned from this experience is that we cannot afford the down-time and rebuilding time that it takes to get a machine functioning again after a crash. Data backups are not enough. We are now developing a schedule for regular imaging of each computer in the SOS network. Perhaps you will do the same without needing to go through this experience first hand.

Feel free to share your experiences with computer crashes and restorations. Do you have particular image and/or backup software to recommend? Let us know what you think. Just click on the title of this article and enter your comment in the box at the bottom of the page.