Website
http://efficientmd.blogspot.com/ -
Original page
http://efficientmd.blogspot.com/2008/09/evernote-for-doctors-revisited-privacy.html -
As a HIPAA Privacy & Security Manager for six years at a large healthcare system, I'm having a little trouble understanding what "HIPAA certification" is. HHS does not have any approved certification process for HIPAA P&S, so certification would have to be something sold by some company with a claim that they reviewed the product and in their opinion it is compliant. This is relatively easy to do, especially when one takes into account that the HIPAA law itself (a separate document from the rules as pub'd by HHS) does not allow a private cause of action -- any company selling "HIPAA certification" could take comfort in knowing that they would not have to take the witness stand to support a provider being sued for a privacy breach, since such a suit would currently be dismissed (though there are a couple of suits, one in NC and one in UT that are making their way through the courts; they do not necessarily involve breaches associated with electronic healthcare-related systems, though).
I'm also unclear as to how sending encrypted PHI to the Evernote servers would not be "allowed" by HIPAA. No such restriction exists within either the Privacy Rules or the Security Rules. Instead, the use of encryption is an addressable, not required, specification. Here is what the Security Rule says:
§ 164.312 Technical safeguards. . .
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
"Addressable" is defined as:
§ 164.306 Security standards: General rules.
(d)(2)(1) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must—
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity—
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Not a *requirement* regarding encryption in sight, whether the transmission is by email or other means.
I'm not familiar with the system you are referring to, but if I understand your description correctly, it allows you to send PHI to its servers on an encrypted pathway, which is certainly compliant with the rule above since the vendor has apparently done a risk analysis and concluded it to be reasonable and appropriate for such transmissions to be encrypted.
Unencrypted transmissions are allowed if the risk analysis has been performed and the covered entity has shown that to implement encryption would be unreasonable (for example, too expensive, though with strong SSLs available for $500 a year, that's hardly a compelling argument).
I wouldn't recommend that a practice communicate with any server that was not encrypted. But, many providers are taking the risk by emailing their patients with clinical information, even though their patients cannot receive encrypted email due to their use of web-based email, inability to share PKI certificates, etc. I personally see the risk during transmission to be minimal; what the patients do with the email afterwards can be a very different type of risk.
Providers could choose to allow their patients to opt in to the provider's use of this system (get written authorization from the patients for their PHI to be transmitted to/from Evernote for the stated purposes), though the administration of such a scheme could be a problem should the practice be a large one.
If I were asked by my providers whether they could use a system that performed as what you've described, I'd have no compliance issues at all, and I believe that such use would easily stand to the scrutiny of HHS. Of course, HHS is still doing complaint-based compliance, so they're not much help even when breaches are egregious. Their recent fine of Providence for $100K was a pittance compared to Providence's behavior.
Hope this helps; please feel free to email me with any questions or additional concerns you may have.
Lane Hatcher
hiaadiva@yahoo.com
hipaadiva.wordpress.com
You do not mention 45 CFR 308 and 314. They require such storage occur "only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information." and that agreements assure the party " (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware"
Evernote has told Dr. Schwimmer they are not willing to agree to those terms by saying they will not certify their HIPAA compliance. That is a cause to have compliance issues with Evernote. By contrast, established EHR storage providers and medical dictation providers routinely offer covered entities a HIPAA agreement, and agree to the terms above.
I've been thinking about setting up a system like the one here on efficientmd.com with either Microsoft's OneNote or Evernote. The one problem that I'm having is that it takes time to navigate between programs to do all the copying and pasting, plus I have to pull up the correct page. Is there some program that anyone knows about that would allow me to right-click in Evernote or OneNote to insert text, such as URI subjective or HTN plan? This would help me greatly. Thanks.
you to do exactly that.
However, I am now a step closer thanks to you. I appreciate the help. Also, I will try and comment more on your blog. This is becoming regular reading for me. I always look forward to new posts.
I'm not sure if Activewords does.
It is surprising to me that Evernote would not agree to a business associate agreement. There are no requirements that I can see that a company doing business as a data storage facility would not already (or should not already) be doing. I would think all their customers would expect them to have in place the reasonable requirements to safeguard the data, maintain its confidentiality, integrity, and availability. Why else would they be in this particular business? Indeed, it is an excellent reason not to do business with them if they wouldn't agree to such terms regardless of the type of data they maintain. Too bad for them.
This is such a wide open market for providers. All I can add is that whatever method is used to store patient notes, please ensure that if the data is stored on a server over which you do not have direct oversight, you have some sort of agreement in place to protect yourself. Privacy breaches are quickly becoming a-dime-a-dozen (see pogowasright.org and phiprivacy.net for the gory details), and state and federal legislators are starting more and more to look at stricter (and perhaps draconian, in some cases) legislation. For example, in CA you can now be sued for privacy breaches; the patient cannot collect more than $1000 per case regardless of whether they can prove damages. Not so great for either party: situations with egregious damages should be able to collect more, but simple mistakes should not, in my opinion, have liability, particularly when malice cannot be shown.
Please feel free to let me know if you have any HIPAA issues or Qs, happy to help.
Best,
Lane Hatcher