Health Care IT Security

The conditions under which health information may be used are established by the HIPAA Privacy Rule. The rule's intention is to ensure that patient information and data are seen only by those who actually need to see them. But today, when information may be stored in many different places and on many different systems, adhering to these rules has become more and more challenging. IT system security breaches are becoming commonplace, and in the end the responsibility lies with the covered entity or health care provider.

Part of the issue, according to health care IT security companies, is the perception of many health care organizations. Many smaller hospitals and practices think that because they don't collect credit card numbers, they don't need to invest in security for their IT systems. What they don't realize is that personal data, particularly medical data, is a valuable commodity to attackers, and that information can be sold or passed on to unscrupulous parties.

Another issue is the rapid adoption of newer technologies. The widespread integration of EHR systems in the health care industry streamlines care and makes patient information more readily available to doctors and health institutions, but it has also become a popular target for attackers.

Additionally, many vendors are developing apps to work with providers' IT and EHR systems but don't take HIPAA requirements into consideration when developing them, which makes it easy for attackers to subvert security and steal data.

Providers and vendors aren't always at fault, however. When Microsoft recently ended its support for Windows XP, it created a security risk for any practice that accesses electronic Protected Health Information from a machine running that operating system. While these practices weren't at fault for the risk, it is their responsibility to upgrade their systems.

When security breaches occur, the cost is usually a lot more than just stolen information. Once a breach is discovered, the law requires providers to notify anyone who may have been affected, which in turn undermines patients' trust in the health organization or vendor. If the lost information ends up being used maliciously, the provider is almost certain to be facing a lawsuit.

In the end, health care security needs to be taken very seriously, regardless of the size or function of the organization. When working with outside vendors, providers need to vigilantly research and confirm the security of any IT system they will be using.


BC Solutions specializes in full-scale, clinical laboratory software system installation and management solutions. We offer a complete range of services for our clients because installed compliant systems are more than just testing and validation.

Patients to Have Direct Access to Lab Reports

A new amendment to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule gives patients direct access to their laboratory test reports, according to a recent announcement by the Department of Health & Human Services.

Previously, these reports were accessible only to people designated as authorized persons, such as health care providers or someone using the test results to administer treatment. The new CLIA regulations say that labs may now give a patient, or a patient's personal representative, copies of test results upon request. Likewise, the amended HIPAA Privacy Rule gives patients the right to access test reports held by labs that are subject to HIPAA.

Advocates of the measure see this as an essential step for patients to make decisions regarding their health care.

“The right to access personal health information is a cornerstone of the [HIPAA] Privacy Rule,” said Kathleen Sebelius, Secretary of HHS, in a press release. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”

Others see difficulties arising from the decision.

“These reports are written for the benefit of medically trained personnel and not laypersons. Many patients will find it difficult to interpret and understand such reports without the assistance of their treating physician,” said Anna Spencer, Partner at Sidley Austin LLP, in a statement to DataGuidance (www.dataguidance.com).

To comply with the new rule, labs covered by HIPAA will have to update their Notices of Privacy Practices (NPP) to keep patients informed of their new rights. The rule takes effect on April 7, 2014, with full compliance required by October 6, 2014 for both the CLIA and HIPAA changes.