Signs of Spring in HIPAA?

 — HHS Updates “Wall of Shame” Web page — Now on the new HHS OCR Portal — 

The calendar says it’s spring, but today has a forecast of below zero wind chill and the lawn furniture is solidly frozen into the ground.  Don’t even think of trying to get that last row of firewood off of the ground — it’s not going anywhere until when, May?  I think we’ve all stopped hoping for warm weather, yet we dream…

Well, time to snap out of it, because there are indeed signs of Spring over at the HHS Office for Civil Rights, in the form of the new HIPAA Breach Notification “Wall of Shame” Web page for larger breaches, now located at .  The new page is designed well, using modern, secure technology, and offers a huge variety of search and analysis options, built-in.  You can click on any entry and get more details, sort, and export the data to Excel, PDF, CSV, and XML formats.  Click on the “Show Advanced Options” link and you’ll have access to powerful searching and sorting capabilities, so you can see for yourself what kind of issues are prevalent at what kind of entity, over what time period, for instance.

But that’s not the only story here.  In addition to the vastly improved Wall of Shame, you’ll note that the page is located in the new domain, which will host the communications and data submissions for the revived HIPAA Audit Program.  As you may know, HHS OCR is eager to get under way with the new HIPAA Audit Program for 2014 — oops! — now 2015, and they’ve been waiting to get the new portal set up to handle the process for the hundreds of desk audits that will take place.  So, while I long ago gave up on trying to crystal ball any predictions of when certain activities or regulations would be forthcoming from HHS, this new site does indicate that HHS OCR is moving forward and that the mystical, mythical new portal has appeared.  How long before they get started on Audits?  Who knows, not me, but there are signs of life.  Signs of Spring.

 — NIST Relocates link to SP 800-61 rev 2, Computer Security Incident Handling Guide — 

While we’re on the topic of new links, here’s a new one for the eminently useful NIST Special Publication 800-61 revision 2.  If you have some kind of a security incident and HHS wants to ask any questions, they’ll want to see your incident report.  You know, the one you’ll create to describe the incident handling process you used to determine the facts and the right course of action to take.  You do have such a process, don’t you?  Well, I know many of you don’t have much of a process, but this publication from NIST is accessible, useful, and well-founded.  While you’re updating your bookmark for this, take a look through and see what you can do to beef up your incident handling.

 — Speaking of Beefing Up Security — 

So, is it clear now that health information has become a very real target?  And please, don’t let the hackers roam around in your networks for most of a year before you discover it.  You really do need to apply the resources to actively monitor your network health; the only way you’ll see the bad guys these days is if you notice any anomalies in your traffic and system use, and that requires a consistent effort involving the establishment and fine tuning of monitoring tools and processes.  

 — And Backups?  Do you know how you’d recover from the loss of your data center? — 

So, did you hear about that hospital in California that lost its EHR for a week after an air conditioner died at the data center?  One cooling unit went down, then the other overheated trying to keep up, and it died too.  And so did the hospital’s EHR system.  And oh sure, everyone went back to using the paper processes and life went on as normal.  No?  

Here’s the problem, and I’ve seen it, and it makes me worry.  In the olden days, a hospital’s EHR was a relatively simple thing (compared to today) and it took resources to operate it that would seem almost trivial today, such that it was reasonable for a hospital to keep nearby the systems, backups, and capacity to quickly recover from any outages.  But, as the newer systems go in, what once would run on a few boxes now requires a dozen or two, and the amount of data being managed has exploded, such that many hospitals don’t have the robustness needed for recovery from the loss of a data center’s worth of equipment.

I think this recent example may send a wake up call to the facilities in similar situations — either you get what you need in place to reasonably recover without making national news, or you look at having it hosted in the cloud, not that that’s exempt from availability issues either.  No matter what, and with inadequate Contingency Planning identified as a leading issue in the 2012 HIPAA Audits, we are more wedded to our EHRs than ever before, and need to put some serious thinking into making sure that disaster recovery really will work.

 — Cell Phones and Texting — 

Face it.  You can’t deny it any longer.  Texting is happening and you can’t stop it.  You’d better say in your policies whether texting may be used, and if so, how.  If you need it for casual intra-office communications, get one of the free secure texting apps, like Cortext from Imprivata, or TigerText, or DocHalo.  If you need it to communicate with your patients, use one of the new texting tools that provide integration with your EHR, team-based communication management, and security, like the system from (no financial interest in them, but they’re a client of mine and I provided them guidance on HIPAA, and they’re local).

But most of all, don’t try to deny the devices are being used — manage them!  And don’t forget the end-of-term issues.  What happens when someone turns in their old phone full of PHI, for a new one?  Even if you have it managed well, once it’s been turned in you can’t remotely wipe it and there it may be, loaded with PHI, out of your hands.  People need to know about this before they decide a nice shiny new Android or iPhone 6 is essential to their happiness.  Manage, inform, train, and audit.  Back to the basics.

 — And before I forget… (Department of Shameless Self-Promotion) — 

Be sure to check out my list of upcoming Webinars and seminars.  I know many of you are your organizations' key HIPAA compliance specialists, and if you are, I know folks really enjoy my two-day HIPAA A to Z sessions, and I really love teaching them.  My next 2-day session is in Baltimore, Maryland, April 16 and 17, and I’d love to see any of my clients or former students there.  Yes, HIPAA can be fun!  See the whole list of sessions at and sign up for my 2-day session at  You will learn a TON about HIPAA.

So, stay warm and keep your snow shovel nearby!  Maybe my next newsletter will be when it’s actually warm outside…


Copyright © 2002-2023 Lewis Creek Systems, LLC, Charlotte, Vermont, USA