Privacy & Security
Matthew R. Fisher chairs the Health Law Group within the firm Mirick O'Connell in Worcester, Massachusetts, a fitting role given his passion for understanding the practicality of healthcare regulations in the real world.
At the end of this month at HIMSS16 he'll bring this legal background to the Social Media Ambassadors program.
Fisher shared his thoughts on the next steps for IT security in healthcare, the microbreweries he cannot wait to visit in Las Vegas, and what he's most looking forward to at the conference.
Q: One health IT prediction for 2016?
A: I think the HIPAA audits will finally occur. After the first round we'll likely find widespread noncompliance and that, in turn, will finally spur others to immediately put into place the minimum security measures of HIPAA. But HIPAA is just the ground floor: true security measures need to go above and beyond the regulation.
Q: What’s something about you that even your devout followers likely don’t know?
A: They don't know how much I love craft beer. I'm definitely a craft brewery fan and try to visit one wherever I go. I even have some planned out in Vegas: Hop Nuts and Camo Brewing.
Q: What inspired you to apply for the Social Media Ambassador program?
A: Having followed HIMSS through the social media channels and selected social media ambassadors in the past, I wanted to add my voice to that. And hopefully I can bring a different perspective on things coming from the legal side, as opposed to the health IT side, which is already well represented.
Q: What is the untold benefit of social media in healthcare today?
A: The ability to make connections with people you often wouldn’t be able to meet or otherwise interact with. We also can gain access to vast amounts of information and the ability to learn from others. I'm certainly learning from people I wouldn’t have come across in the health law field – and it helps to understand how the laws affect them rather than just stating regulations without knowing the consequences.
Q: What are you most looking forward to learning about at HIMSS16?
A: Learning more about the current thinking in health IT, in terms of what people are doing regarding security and how they're responding to threats. Unfortunately, healthcare has gotten a lot of bad press lately, in that payers and providers haven’t been focusing on security enough. The world has changed so quickly they haven’t been able to keep up. It will be interesting to learn about the new solutions and options out there. It's always nice to see what's really happening since the legal side only gets a small portion; it’s the tech side that drives the focus.
HIMSS is pushing the National Institute of Standards and Technology to keep its Framework for Improving Critical Infrastructure Cybersecurity voluntary.
HIMSS, which represents more than 52,000 health IT professionals, wrote to NIST on Monday in response to its request for information. NIST has extended the original Tuesday comment deadline to Feb. 23.
NIST noted it was looking for ways in which the framework is being used to improve cybersecurity risk management; how best practices for using the framework are being shared; the relative value of different parts of the framework; the possible need for an update of the framework; and options for long-term governance of the framework.
As HIMSS sees it, the framework could be used as a tool to develop a common set of consensus-based, private sector-led guidelines, best practices, methodologies, procedures and processes in relation to privacy and information security risk management.
Since many healthcare organizations could benefit from improving their risk management process and better addressing cybersecurity risks, HIMSS supports the idea that the Framework could be useful in helping healthcare organizations improve their security posture, wrote HIMSS President and CEO H. Stephen Lieber and HIMSS Board Chair Dana Alexander in their response.
They also discussed how NIST's Cybersecurity Framework serves to inform organizations that need to create or update their own risk management program. Whether an organization is standing up a new cybersecurity program or already has a sophisticated program in place, the Framework has the potential to serve it well in advancing its capabilities for addressing cybersecurity risk.
NIST first released Version 1.0 of the framework in February 2014. It is among a handful of security best practices and guidance standards gaining purchase in healthcare, including HITRUST Common Security Framework, ISO/IEC 27002 and Control Objectives for Information Technology, or COBIT.
Responses will contribute to shaping NIST's decision-making about how to strengthen the framework and, ideally, the nation's critical infrastructure.
Twitter: @HealthITNews
The Department of Health and Human Services has proposed new rules on patient record disclosures to ensure substance use disorder patients can participate in new integrated healthcare models without risk of having their records shared inappropriately.
The revisions to the Confidentiality of Alcohol and Drug Abuse Patient Records rules would also facilitate health information exchange and address the legitimate privacy concerns of patients seeking treatment for substance use, HHS said.
“This proposal will help patients with substance use disorders fully participate and benefit from a healthcare delivery system that’s better, smarter and healthier, while protecting their privacy,” HHS Secretary Sylvia Burwell said in a statement.
The proposal reflects the changing healthcare landscape, including the development of an electronic infrastructure that focuses on managing and exchanging patient data and an increased focus on performance measurement and quality improvement.
The current rules, sometimes referred to as 'Part 2', were created in 1975 amid concerns that substance use disorder treatment information being used in criminal prosecutions would deter individuals from seeking necessary treatment. They were last updated in 1987. Part 2 rules are more stringent than other federal protections, including the Health Insurance Portability and Accountability Act, because of the population they are targeted at.
“We're moving Medicare and the healthcare system as a whole toward new integrated care models that incentivize providers to coordinate and put the patient at the center of their care, and we're modernizing our rules to protect patients,” Burwell said.
The public comment session on this proposal is open until 5 p.m. Eastern on April 11.
Twitter: @JessiefDavis
JoAnn Klinedinst, Vice President of Professional Development at HIMSS, previews the topics and approach for education sessions at HIMSS16 and how attendees can access content online after the conference in the newly redesigned Learning Center.
Two employees of Jackson Memorial Hospital have been fired for accessing and leaking the medical records of New York Giants defensive end Jason Pierre-Paul after the football star lost part of his hand in a July 4, 2015 fireworks accident.
The hospital, in its statement, said it had chosen not to comment earlier due to litigation surrounding the incident that has since been settled.
"As part of our investigation into the breach, it was discovered that two employees inappropriately accessed the patient's health record. That finding resulted in the termination of both employees,” officials said in the statement.
“Protecting the privacy of our patients is a top priority at Jackson Health System. Any time we have allegations of a breach, we immediately and thoroughly investigate."
Pierre-Paul's medical records were reportedly leaked in July to an ESPN reporter, who then posted a portion of the player's information on Twitter. The record showed that Pierre-Paul had his right index finger amputated after the July 4 fireworks accident.
HIPAA laws only apply to healthcare providers, which means the ESPN reporter did not violate HIPAA in posting the leaked record on Twitter. However, the reporter’s ethical judgment was heavily debated after he posted Pierre-Paul’s protected patient data.
Pierre-Paul missed much of the 2015 NFL season due to the injury. He has since returned and plays with a protective glove over his injured hand.
Respiratory care provider Lincare has been ordered to pay $239,800 in penalties for violating the HIPAA Privacy Rule.
An administrative law judge ruled in favor of the Office for Civil Rights, which is charged with enforcing the rule. OCR had asked the judge to approve the penalties, and the judge granted them on all issues, the agency announced on February 3.
"While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules," OCR Director Jocelyn Samuels said in a press statement. "The decision in this case validates the findings of our investigation."
Lincare claimed it had not violated HIPAA rules because the protected health information was "stolen" by the individual who discovered it on the premises previously shared with the Lincare employee. The judge rejected this argument.
Lincare provides respiratory care, infusion therapy and medical equipment to in-home patients. The company operates more than 850 branch locations in 48 states.
OCR's investigation of Lincare began after the agency received a complaint that a Lincare employee left behind documents containing the protected health information of 278 patients after moving to another home.
According to OCR, the employee removed patients' information from Lincare's office, left it exposed where an unauthorized person had access, and then abandoned it altogether.
The OCR investigation found that Lincare had inadequate policies and procedures in place to safeguard patient information taken off site, even though its employees, who worked in patients' homes, routinely removed PHI from Lincare offices. Moreover, evidence revealed that Lincare had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods.
Even when Lincare was aware of the complaint and the OCR investigation, the company "took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules," OCR officials stated.
Chuck Kesler, chief information security officer at Duke Health, and Mac McMillan, CEO and cofounder of healthcare IT security consulting firm CynergisTek, share similar philosophies on healthcare data security.
ESET researcher Stephen Cobb will explain at HIMSS16 why CIOs and CISOs should think of their organization like a patient and address the most urgent problems first.
Only a few days remain to submit a speaking proposal for the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles, May 11-12.
The deadline for submitting a proposal is Thursday, Feb. 4 at 5 p.m.
Speaking opportunities are limited to security professionals and experts from healthcare provider and payer organizations, government agencies and academic institutions. Presentations should be practical, actionable, and solutions-based.
The two-day Privacy & Security Forum will bring together more than 200 leading providers, payers, researchers and government officials. The forum's goal is to provide healthcare security professionals with tools, solutions, best practices and expert insights into how they can better manage risk and protect their organization’s data assets.
Presentations will address topics including BYOD, cybersecurity, incident response, cloud security, data-loss prevention, HIPAA compliance, security frameworks, medical device security and third-party management.
