It wasn’t long ago that I was having a “discussion” with somebody about the use of smart phones by physicians.

This discussion wasn’t that a smart phone is not a useful tool, but that in a medical office a smart phone is not a professional device.

First the easy answer…

You are out-and-about and get called on scene (away from your office/hospital) and need to look something up – smart phone to the rescue!

This is one of the perfect situations where a smart phone can help look up issues about drugs, or even pull up a patients records.

Yet in the office…

In the office it is a different situation entirely.

Yes, call me old fashioned, but to have my doc tapping away on a smartphone while I’m half dressed is not my idea of a quality visit.

• Is he texting?
• Is he checking his stocks?
• Is he checking the weather?
• Is he checking sport scores?
• Why is he smiling?

If my 14 year-old is texting while I am speaking to him, things get ugly.

“Oh Come On…

It really isn’t that big of deal.”

Maybe not, but the AMA did just have an article on this topic.

“Besides, computers are a part of medical offices now.”

I get it.

Yet, to me, a smart phone appears unprofessional while a PC or Tablet does not come across this way.

“This is Ridiculous…”

Maybe it is.

Maybe I’m out of touch (I’m not).

Maybe you have a completely realistic reason to be tapping away on your phone in front of a patient.

This may all be perfectly legitimate.

BUT – turn the tables for a moment and see how it feels.

How do you react when your child is texting at the dinner table or while you are speaking?

“But I have to Research…”

Before computers where everywhere, you did your research out of the view of a patient.

Maybe…just maybe, that is where it should go again…behind the curtain.

It comes as no surprise that the Health and Human Services (HHS) has announced a delay to the Meaningful Use (MU) Stage 2 requirements.

At Stage 1 created loads of confusion, the delay of Stage 2 seemed…expected.

Additionally, the HHS is clarifying that those who got their act together in 2011, wouldn’t be under a different timeline than those who still have not attested.

This isn’t really any different, though before this announcement, as the rules were written, those who attested for Stage 1 in 2011, would have to meet Stage 2 in 2013.

Now everyone has until 2014 to meet Stage 2 requirements.

The American Medical Association (AMA) has apparently  urges the HHS to make the proposed requirements less rigorous and burdensome.

Stage 1 requirements are not all the rigorous.  Especially if your EHR is worthwhile.

Many EHRs approach MU in such a way that makes use of the EHR in a “meaningful way” cumbersome.

Additionally, reporting from many EHRs for MU stage 1 is weak.

When an EHR becomes Meaningful Use certified, part of that certification should require EASY pulling of data for attestation.

This is not the case for most EHRs.

It is not unusual for me to rant here about the ridiculous level of recklessness the medical community has for our PHI.

Specifically, the easiest thing to point out, as it happens all the time, is the “theft” (or loss) of a portable storage device.

For those keeping score, a portable storage device is anything portable that can store data to include:

[list style="green-check-8"]

• Laptops
• Portable hard drives
• “Thumb” drives, also known as Pen drives or USB drives

[/list]

One reason I continually rant about this is the solution is so easy, it is almost laughable.

The solution is to encrypt the hard drive, or memory, of the storage device.  The proper encryption gives you “safe harbor” if the device is stolen (lost).

Safe Harbor is a good thing – it means you don’t have to report the loss of PHI.

NOTE: a password on your device does NOT equal encryption.

Hard drive encryption is a process that can take 5 hours to complete.

Back to the story.

Last month there was an announcement that an employee of Science Applications International Corporation (SAIC) had some computer backup tapes “stolen from his vehicle in San Antonio, Texas.”

SAIC is a government contractor that supports TRICARE, which is the government’s attempt to reduce medical costs in the military.

As I was in the military, actually I’m still in the Reserves, this specific incident peaked my interest.

Well, last week my oldest child received a letter from SAIC that his data may have been stolen.

Yesterday I received that letter.

Over the next few days I’ll document the process I go through, from the letter(s) I receive the processing of my credit monitoring.

Stay tuned for part 2.

As I’ve preached before, if you are going to store PHI on a mobile device (laptop, external hard drive, etc), you better make sure that you encrypt the hard drive.

Typically, I am less concerned about desktop PC’s and servers as, you should have proper physical security systems in place.

The recent Sutter Medical Foundation breach affected about 5 million patients…and brings to light the further need to encrypt desktop computers.

The device stolen was a desktop PC.

So, should that computer have been encrypted?

From the standpoint of minimizing risk, I would say that either:

• This computer should have been encrypted, or
• The room that contained this computer should have a very high level of security.

The basic assumption that is typically made with a desktop pc/server is they are in a secure area.

Well, that may need to be revisited.

Again, if you have upwards of 5 million patient records on a computer, I’d say the best practice would be to not only encrypt the device, but also have a very secure work area.

What about your practice?  You may “only” have a few thousand patient records in your EHR database.

Should your server be encrypted?

The knee-jerk reaction is, OF COURSE you should encrypt your server!

The more realistic answer is: encrypting your server may not be necessary if you have your server in a locked room.

Remember, it is not unusual to have many non-staff members roaming your office.
The cleaning crew is my favorite example, as they are usually there after everyone else is gone.

If the device on which you store your PHI is not either in a locked room OR fully encrypted, you are in danger of having an ugly breach.

Take a look at a list of PHI breaches and there are a few items that stand out:

• Many are at the hands of a contractor
• Most are portable storage device losses or theft (this includes tapes, laptops, etc)
• Lots are at big government entities

One of the goals of HIPAA regulations is to give those that deal with PHI guidance on how to properly handle that PHI.

Specifically, follow the HIPAA regulations and you will greatly reduce the risk of a PHI breach.

The challenge of course, is the government can rarely explain anything clearly.

Add to that we are dealing with digital information – whether you use Windows, Macs, Linux or whatever operating system – managing your risk is a challenging.

Let me get back on topic…
If anyone should be able to follow the rules, it would seem like our government could.

Well, the aren’t so good at it.

Here’s the deal, IF you store PHI on any portable device THEN you better encrypt it OR you are setting yourself up for failure.

Hard drive encryption is not difficult nor expensive.

Additionally, IF you encrypt your PHI THEN you have safe harbor IF it is lost or stolen.

Believe me, you would rather deal with the prevention of a PHI breach that the after math of a PHI breach.