PHI Thieves Are Usually After Financial Information

Now that many physicians and other healthcare organizations are buying and using EMRs, they seem focused on safeguarding their patients' clinical Protected Health Information (PHI). In the process, some forget to protect patient financial information, even though it is also PHI: a billing or payment record that identifies a patient is covered just as a progress note is.

The FierceHealthIT newsletter of October 24, 2012 indicates that healthcare system data thieves are usually after financial information.

Despite reports of attempts to blackmail patients and the possibility of hacking pacemakers, healthcare data breaches are in the end similar to other cyber crimes, according to a new report from Verizon. Examining approximately 60 confirmed data breaches over the past two years, the report concludes that those who attack healthcare systems are primarily looking for information they can turn into profit.

According to the Verizon report, point-of-sale systems (credit card terminals) and desktop and laptop computers are the most common points of breach. Thieves attack the weakest link in the payment chain: rather than going after your server, they compromise the peripheral equipment that handles, or can reach, this financial information.

Here at SOS, we harp on the need to secure the data in your billing and clinical record software. We have been amazed at the lack of awareness of even our largest customers. Every week, we receive emails that contain PHI or a direct way to get to PHI. Employees of behavioral health organizations often do not realize that sending an email with PHI in it is like sending a postcard with the same information: anyone who handles that postcard along the way and knows how to read can look at your message. The same is true of insecure, unencrypted email. Anyone with access to the path it travels, and any interest, can read it.

The same study found that most of the breaches it examined occurred at businesses with between one and one hundred employees.

The simple solution: encrypt all PHI while it is resting on your system and while it is in transit from one place to another. If you don't know how to do that, learn how, now!

Please share your experiences, direct or indirect, with safeguarding PHI. Do you encrypt? What procedures has your organization developed to assure that all of the PHI in your possession is as safe as possible from thieves?

Professional Identification and Behavioral Health Providers

Well, I have finally done it. I have completed the state of Florida Psychology License Renewal form to change my license status to Inactive. After nineteen (19) years of not practicing, I think it is time.

While it may be time, it is not a simple matter. For me, as for many other professionals, a large portion of my personal identity is tied up with my education and my work. In spite of not having worked as a psychologist for so many years, being a psychologist has continued to be a strong part of my identification of who I am. I think I have reached a phase of my life where it is time for me to re-define that. I still have a great deal of work to do to figure out exactly how to do that re-definition.

In the meantime, I continue to be fascinated by the changes in the behavioral healthcare world and the challenges being faced by mental health provider organizations. Last week, I attended the Spring members meeting of the Software and Technology Vendors Association (SATVA) at the tail end of the National Council annual conference in Chicago. For the past couple of years, we at SATVA have been focused on the future interoperability of our products and the need to assure that exchanged EHR data will be secure and released in accordance with law and the desires of the person to whom the record belongs.

I was delighted to have the opportunity to observe two of my colleagues/competitors participating in a panel and demonstrating an exchange of patient data between their systems. The protocol being used for the exchange is designed to meet the requirements of 42 CFR Part 2, and may become a model for the exchange of all ultrasensitive patient information. SATVA plans to share the methods and protocol so other behavioral health EHR software vendors can implement the same protocol in their exchanges. Dennis Grantham, Editor-in-Chief of Behavioral Healthcare Magazine, sums it up this way in his summary review of the conference.

  • Members of the Software and Technology Vendors’ Association, or SATVA, closing ranks around an EHR interoperability solution – a cloud-based Health Information Services Platform (HISP) – with a new twist: an interoperable Continuity of Care Document that allows for real—not simulated—interchange of “ultrasensitive” addiction treatment information. SATVA members argue that demonstrating compliance with federal 42 CFR Part 2 requirements electronically eliminates the technical barriers posed by compliance with a range of federal and state health-information protection laws that go beyond HIPAA requirements.

This is very exciting progress in the behavioral health EHR world. We who are SATVA members hope that other behavioral health software vendors will also use this protocol to speed the movement toward interoperable EHR programs.

And who knows, I may even find myself consolidating my professional identity as a software entrepreneur. Maybe it is time; we have been doing this business for twenty-seven years. I would love to have your suggestions about how to migrate my professional identification. Any ideas?

Electronic Permanence: Changing records and releases

On September 22, 2011, I attended a webinar sponsored by the Business Operations for Behavioral Health Collaborative, a SAMHSA-funded joint venture of the National Council for Community Behavioral Healthcare, the National Association of Community Health Centers, NIATx, and the State Associations of Addictions Services (SAAS). The topic of the webinar was Health Information Exchange and Behavioral Health.

This is an area that has interested and concerned me for quite a while. As developers of software for behavioral health providers, SOS has for years been monitoring developments in the arena of Health Information Exchange (HIE). This is the method by which Electronic Medical Record (EMR) software will exchange information among providers and healthcare organizations. The HIE is both the process of exchanging information and any repository of that information for easy access by those with rights to the data.

This is the bugaboo that has always bothered me as well as my colleagues in the behavioral health software trade association to which we belong (Software and Technology Vendors Association). SATVA members are committed to assuring that our products share information only as the law allows and as consumers wish.

Work is currently in progress to assure that a universal method of acquiring patient permission for release of their information is part of any HIE. Such a method would undoubtedly allow a patient to specify providers to whom their treatment and diagnosis information can be released and any providers to whom it cannot be released. But what happens when a patient changes their mind?

Here’s a hypothetical example that jumps into the future by a few years, when all or most healthcare providers have EMRs and are connected into their regional HIEs.

John D. is admitted to the Emergency Room of a local hospital after a panic attack that he interprets as a heart attack. Among the papers that he signs is a release for the ER to access any information in the regional HIE about his health conditions. Since he is not thinking very clearly as he is sure he is dying from a heart attack, he signs everything put in front of him. After he is medicated, stabilized and sent home, he wonders about what he signed and which of his health information will now be available to whom. Does he really want his optometrist to know that he was treated with an anti-anxiety medication and prescribed an antidepressant (which he decided not to take)? Is it necessary for his urologist to have this information? What does he do to protect just that ER visit information and keep it from being sent on to other providers?

And what do our mental health and substance abuse patients do to secure their sensitive information?
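To make the consent problem in John D.'s story concrete, here is a small consent ledger written for this post as an illustration. It is not code from SOS, SATVA or any HIE, and the provider names, information categories and the "sud" category that a blanket release can never cover are all assumptions of the example (loosely modeled on 42 CFR Part 2's specific-consent rule, not a legal implementation of it). The ledger is append-only: a change of mind is a new revocation event, evaluated for every future request, while the audit log of releases that already happened cannot be rewritten. That is exactly the electronic permanence the rest of this post worries about.

```python
"""Append-only consent ledger for HIE release decisions (illustration only)."""
from dataclasses import dataclass
from datetime import datetime

# Categories a blanket ("*") grant may never cover; a grant must name them.
# Assumption of this example, modeled on Part 2's specific-consent idea.
SPECIFIC_CONSENT_ONLY = {"sud"}


@dataclass(frozen=True)
class ConsentEvent:
    at: datetime
    action: str      # "grant" or "revoke"
    recipient: str   # provider name, or "*" for any provider on the HIE
    category: str    # information category, or "*" for any category

    def applies_to(self, recipient: str, category: str) -> bool:
        if self.recipient not in ("*", recipient):
            return False
        if self.category not in ("*", category):
            return False
        # A wildcard grant never reaches a specific-consent-only category;
        # a wildcard revoke still does.
        if (self.action == "grant" and self.category == "*"
                and category in SPECIFIC_CONSENT_ONLY):
            return False
        return True


class ConsentLedger:
    def __init__(self):
        self.events = []    # append-only; nothing is ever deleted or edited
        self.releases = []  # audit log of releases that actually took place

    def record(self, event: ConsentEvent) -> None:
        self.events.append(event)

    def allows(self, recipient: str, category: str, at: datetime) -> bool:
        """Point-in-time decision: the latest applicable event at or before
        `at` wins; with no applicable event the answer is deny."""
        decision = False
        for ev in sorted(self.events, key=lambda e: e.at):
            if ev.at > at:
                break
            if ev.applies_to(recipient, category):
                decision = ev.action == "grant"
        return decision

    def release(self, recipient: str, category: str, at: datetime) -> bool:
        allowed = self.allows(recipient, category, at)
        if allowed:
            self.releases.append((at, recipient, category))
        return allowed


def john_d_scenario() -> dict:
    """Walk the hypothetical: blanket ER release, then second thoughts."""
    ledger = ConsentLedger()
    t_sign = datetime(2011, 9, 22, 10, 0)    # signs everything in the ER
    t_er = datetime(2011, 9, 22, 10, 30)     # ER queries the HIE
    t_revoke = datetime(2011, 9, 25, 9, 0)   # John reconsiders at home
    t_later = datetime(2011, 10, 1, 12, 0)   # other providers query later

    ledger.record(ConsentEvent(t_sign, "grant", "*", "*"))
    er_behavioral = ledger.release("er", "behavioral", t_er)
    er_sud = ledger.release("er", "sud", t_er)   # blanket grant is not enough

    # Nobody gets the behavioral record going forward, except the cardiologist
    # who has to rule out heart disease.  Both are new events, not edits.
    ledger.record(ConsentEvent(t_revoke, "revoke", "*", "behavioral"))
    ledger.record(ConsentEvent(t_revoke, "grant", "cardiologist", "behavioral"))

    return {
        "er_behavioral": er_behavioral,                                         # True
        "er_sud": er_sud,                                                       # False
        "optometrist_later": ledger.allows("optometrist", "behavioral", t_later),  # False
        "urologist_later": ledger.allows("urologist", "behavioral", t_later),      # False
        "cardiologist_later": ledger.allows("cardiologist", "behavioral", t_later),  # True
        "er_later": ledger.allows("er", "behavioral", t_later),                 # False
        "er_at_time_of_visit": ledger.allows("er", "behavioral", t_er),         # True
        "releases": list(ledger.releases),  # one entry; the revocation cannot recall it
    }


if __name__ == "__main__":
    for k, v in john_d_scenario().items():
        print(k, v)
```

Two design points matter more than the code. First, decisions are evaluated at a point in time against the full history, so "what did the ER's query see on September 22?" remains answerable after John narrows his consent. Second, nothing in the ledger lets anyone pull a record back from the ER: the releases list is the honest statement of what is already out there, which is why the advocacy questions at the end of this post are about process, not just software.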

This process concerns me because of my experience that once a piece of information has been entered into some large electronic database, getting it out may be near to impossible. Several years ago, I attended a conference in New Jersey. I rented a car, drove to the city in which the conference was held, returned the car and paid my bill in a timely fashion, and returned home.

The next time I needed to rent a car was three months after Katrina flooded New Orleans when my mother and I returned to check on her home and attend the funeral of one of my uncles. For some reason, the car was reserved in my mother’s name…the airline tickets were purchased with her card…even though I had placed my name on everything. The rental agency manager noticed something wrong when we picked up the car; there was a block on my account even though there was no balance. She overrode the block, gave me the keys to the car, and we were on our way. I did not give it another thought.

In several return visits to New Orleans, I again rented cars from the same company and always wound up with a car, not even knowing there continued to be a block on my account. Each time the agent or manager overrode the hold and gave me the keys. In November 2010, we arrived in New Orleans on a Sunday. The agent and assistant manager decided they did not have the authority to override the block on my account and there was no one they could contact to clear it. They refused to rent a car to me and offered no solution. They gave me a phone number I could call on Monday, but did not even offer my 90 year old mother and me transportation to another agency. I cursed and swore I would never rent from their unprofessional agency again and called my brother to come pick us up. Fortunately, he was thinking clearly enough to suggest that we go across the highway to a different company and rent a car there.

I did call the company the next day and eventually got the written apology and clearance of my account that I requested. It took six years for this correction of an error to happen.

What processes will we insist be put in place to assure that patients can change their minds about release of information or correct errors or enter corrected information into their records? What kind of advocacy will be required? What do mental health and substance abuse providers need to do to assure that the privacy of their patients’ sensitive information will be handled as they choose?

Please share your thoughts about HIE and EMRs and where we are going with this process.

Psychologists and EMR: Movement forward

Last week I attended a continuing education workshop for psychologists at my local chapter of the Florida Psychological Association. Psychological Records: Basic Requirements and the (Forced?) Choice of EMRs was presented by Robert J. Porter, Ph.D., president of the Tampa Bay chapter and treasurer of Florida Psychological Association. Dr. Porter’s presentation was attended by about 30 psychologists and other mental health providers. The last FPA workshop on EMRs that I attended was over 10 years ago, and it was given by me. There were about five psychologists present at that workshop.

The difference in attendance speaks to multiple issues. First, Dr. Porter is an excellent presenter who talked broadly about EMRs. His years as a researcher and university professor combined with recent years in private practice give him great credibility. Secondly, the EMR landscape has changed hugely in the past decade with government requirements to migrate patient records to an EMR a distinct possibility.

Those of my age peers who used an EMR loved computers and liked doing all their work there. Most of our age-mates would never have considered keeping records that could not be locked up in a file cabinet behind their locked office door. The younger psychologists who are now replacing us in the private practice community are not only willing to consider keeping their records electronically, they are willing to keep them online using a Software as a Service (SaaS) type product. The move from needing to hold the patient record in my hot little hands to allowing it to float out there in the cloud is a sea change.

While Dr. Porter presented a great deal of information in the two hours he spoke, there were several items I thought you might find interesting.

  1. The American Psychological Association published Record Keeping Guidelines in the December 2007 issue of the American Psychologist. If you are a psychologist and you keep records, you should read them. If you keep behavioral health records but are not a psychologist, you might take a look at them. Such Guidelines frequently become part of the standard of care in a professional community.
  2. The APA Guidelines recommend disclosure to the patient of your record keeping procedures, including the limitations of confidentiality of the records. Those limitations of confidentiality lead to a likely need to maintain a separate record of care for each person you treat, including for each individual member of a family or couple. (Guideline 4)
  3. Ofer Zur, Ph.D., a licensed psychologist in California, offers extensive information about and continuing education on record keeping and many other aspects of behavioral health practice. [Retrieved 4/19/2011 from]
  4. Dr. Zur points out that a treatment plan usually includes problems or symptoms, a diagnosis, goals of treatment, interventions to be used to achieve the goals, and the rationale for use of those interventions.


I would add a quick note about the possibility of a requirement to keep records of psychological care in an EMR. At present, the only behavioral health providers who are Eligible Providers (EP) for ARRA funding to purchase an EMR are psychiatrists and nurse practitioners. Psychologists, social workers, mental health counselors and addiction professionals do not qualify, nor do psychiatric hospitals. While this may change, there is currently no way for most mental health providers to obtain stimulus funds. At the same time, there is no requirement for them to move to an EMR, nor will they be penalized for not doing so (psychiatrists and nurse practitioners may be subject to Medicare withholds). Fortunately, most of the products aimed at the private mental health practitioner are relatively inexpensive and can easily be obtained without resorting to government funding or a second mortgage on your house.

While an electronic medical record can be a powerful way to significantly increase the quality of the records maintained by you and your organization, you must know what you are required to maintain in the record, both by the governmental jurisdictions and by the professional guidelines to which you are subject.

How does your organization determine what goes in the client’s record? Who is responsible for those records? Are you using an EMR, a paper record, or some hybrid system?

Please share your thoughts on records in the Comments below.

Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eweek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the availability and integrity of client information; encryption and access controls, discussed below, are what protect its confidentiality. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are one hardware failure away from having allowed the destruction of your clients' PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims are PHI and are protected under HIPAA. Everything you have in an EMR is PHI. You are responsible for keeping this information intact, safe from destruction, and secure from prying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location and ready at a moment's notice to replace the data on your computer system, you are not doing even the most basic things necessary to protect your patients. Encryption matters for the backup copy too: an unencrypted backup drive that walks out the door is itself a breach of everything on it. You could probably be shown to be guilty of 'willful neglect,' the level of culpability that draws the highest fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.
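The support calls mentioned at the top of this post almost always involve a backup that existed but had never been restored. The script below, written for this post and not part of SOS's backup recommendations or products, shows the two checks that turn a backup file into a usable backup: a keyed integrity tag that catches a truncated or altered archive before you depend on it, and a trial restore into a scratch directory that compares every restored file against a hash manifest taken at backup time. The sample "database" files, their contents and the key are constructed for the demonstration; a real key belongs in a key store, not in a script. Encryption of the archive is not shown here (the standard library has no suitable cipher); add it with your backup tool of choice on top of these checks.

```python
"""Backup with integrity tag and trial restore (illustration, stdlib only)."""
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for a billing/EMR data directory (not real data).
SAMPLE_FILES = {
    "clients.db": b"id,name,dx\n1,J. Doe,F41.1\n",
    "claims.db": b"claim,amount\n1001,125.00\n",
    "notes/2011-03-21.txt": b"progress note placeholder\n",
}


def make_sample_data(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def backup(src: Path, archive: Path, key: bytes) -> str:
    """Write a tar.gz of src and return an HMAC-SHA256 tag over the archive.
    Store the tag apart from the archive; it is what tells you the copy in
    the safe or off site is the copy you made, and all of it."""
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())
    return hmac.new(key, archive.read_bytes(), hashlib.sha256).hexdigest()


def verify_restore(archive: Path, tag: str, key: bytes, expected: dict) -> bool:
    """The only backup that counts is one you have restored: check the tag,
    restore into scratch space, and compare every file hash to the manifest."""
    actual = hmac.new(key, archive.read_bytes(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual, tag):
        return False  # truncated, altered, or simply the wrong archive
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                # Refuse absolute paths and "..": Python 3.12+ and backports.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python has no filter argument
        return manifest_for(Path(scratch)) == expected


def demo() -> dict:
    key = b"constructed-demo-key; real keys live in a key store, not in source"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive = root / "sosdata", root / "sosdata.tar.gz"
        make_sample_data(src)
        expected = manifest_for(src)       # taken while the data is known good
        tag = backup(src, archive, key)
        good = verify_restore(archive, tag, key, expected)
        # Simulate the corruption support sees: a backup cut short by a
        # failing drive.  The tag check refuses it before any restore.
        archive.write_bytes(archive.read_bytes()[:-64])
        corrupt_detected = not verify_restore(archive, tag, key, expected)
    return {"files": len(expected), "good": good, "corrupt_detected": corrupt_detected}


if __name__ == "__main__":
    print(demo())
```

Run the verification step against the copy that actually sits in the off-site location, not the one still on the server; a backup that verifies on the machine that is about to fail proves nothing about the copy you will be restoring from.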

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we provide for the security of PHI while it is at rest (on a computer drive, CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those hand held devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection leaves your data vulnerable? There is no built-in security in your telephone or tablet for this purpose. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not knowing about a security problem is not an excuse under HIPAA. You must know what security your devices use to protect PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you actually turned on the services that accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.