AXEL.org

Health

National Technology Day: How Tech has Changed the Way We Live

What was life like twenty years ago? What technology did we use? How did we get work done in 2002? While twenty years may seem like a relatively short period of time, our everyday lives have drastically changed over the past two decades. We went from flip phones to iPhones, from CDs to music and video streaming, from printed-out MapQuest papers to instant GPS directions. In the past twenty years, modern technology has changed nearly every aspect of our lives. 

Because of the incredible technological advances we’ve seen in the past twenty years, AXEL founded National Technology Day, a holiday celebrated every year on January 6th. On National Technology Day, we encourage everyone to reflect on the advances made in business, culture, and entertainment. From maximizing efficiency at the office to sharing your own media online, technology has changed the way we live and will continue to change our lives in the future. While it’s unclear what the world will look like in twenty years, we do know one thing: Technology will continue to innovate.

With that said, here are a few ways how recent technological advances have radically impacted our everyday lives:

How Tech Changed Public Health

Undoubtedly, one of the greatest technological triumphs in public health in the past twenty years has been the widespread use of messenger RNA (mRNA) vaccines. Most COVID-19 vaccines are mRNA vaccines, and with billions of doses administered in one year, these high-tech vaccines have saved countless lives. But how are mRNA vaccines different from traditional vaccines? With an mRNA vaccine, a weakened pathogen isn’t injected into your body like with traditional vaccines. An mRNA vaccine delivers “coded” mRNA to your immune cells, and using that code, your immune cells can produce proteins that are found on the specific pathogen [1].

The development of mRNA vaccines was made possible by technological advances in the pharmaceutical industry. Although they are relatively new today, mRNA vaccines have been studied and theorized for decades. Finally, modern technology caught up with researchers, and a new soldier in the war on infectious diseases was created.

While vaccines have certainly had a massive impact on the world, they aren’t the only way that technology has changed public health. An obvious example is the rise of fitness and health trackers. Today, about one in five Americans use a fitness tracker and corresponding app [2]. With these trackers, users can track their steps taken, calories burned, steps climbed, blood pressure, sleep quality, and dozens of other metrics. While research on their effectiveness has been mixed, fitness trackers give people fun, convenient ways to check on their health [3].

How Tech Changed Education

If the pandemic taught us one thing, it’s that technology allows us to be connected, even when we can’t be physically present together. This was particularly apparent when schools across the world were closed and classes were taught online. Although there are certainly valid criticisms of e-learning, the fact that instruction was able to continue in the midst of a pandemic highlights just how much technology allowed education to evolve. Now, almost every lecture or assignment can be completed online, ensuring that education can continue even after future pandemics or natural disasters.

While e-learning is certainly new, the advancement of technology has always correlated with expanded access to education [4]. Think about it: 500 years ago, the only educational materials were books, and books were only available to the extremely well-off. However, the technological innovation of the printing press made books far more available for middle and lower-class people. Now, thanks to the Internet, there are millions of educational websites and videos available to all. Today, a student can learn calculus or biology from reliable sources on their own time, for free. While some may criticize technology for “dumbing down” our youth, it’s a simple fact: Technological progress leads to greater access to education.

How Tech Changed Business

Even before the pandemic, technology was radically changing the modern office. One of the biggest changes in the past twenty years has been the way employees share information with each other. Although email existed twenty years ago, it was certainly in its infancy, and when files needed to be shared, physical documents were printed off and delivered. Now, most documents are shared electronically, without the need for paper and ink, helping to save businesses time and money. Outside of file-sharing, even the way workers communicate with each other has greatly changed. Today, software applications like Slack make it easy for employees to communicate without anyone being left out of the loop. Technological advances have made office communication digital and instantaneous, making the necessary transition to remote work during the pandemic relatively simple.

Outside of office communication, technology has allowed businesses to increase efficiency in nearly every department. From resumé software to digital marketing, technology has greatly changed the way businesses operate. Unfortunately, this also means that the businesses that haven’t embraced technology are at risk of going under. After all, if your business doesn’t have a digital presence, such as social media or a simple website, it may as well not exist. 

Technology has fundamentally changed the way work gets done in the United States, and it’s not done changing either. In twenty years, Mark Zuckerberg’s vision of the “Metaverse” may become our everyday office. One thing is known: If it can save money, businesses will continue to test and use innovative modern technology.

How Tech Changed Cybersecurity

Twenty years ago, “cybersecurity” was little more than simply having a password. Unfortunately, as technology has progressed, so have cybercriminals. Today, features like encryption, multi-factor authorization, and artificial intelligence are the norm when it comes to cybersecurity. 

It’s no coincidence that the technological advancement of computers and their related technologies is correlated with the number of cybercriminal attacks [5].

In 2002, cybercriminals mostly utilized phishing attacks to make their money. Cybercriminals used fake emails and pop-ups to trick users into divulging their names, addresses, credit card information, or even Social Security numbers. Thankfully, most of these phishing attacks were easy to identify [5]. However, cybercriminals quickly learned even more efficient methods of making money. Today, ransomware is the main tool that cybercriminal organizations use to wreak havoc around the world. Much more efficient than individual phishing emails, ransomware can shut down an entire business, forcing executives to pay millions in order to get their data back. Put simply, as technology has advanced, so too have cybercriminals. It’s an unfortunate fact, but all hope is not lost.

While cybercriminals are taking advantage of modern technology for a quick buck, more savory organizations are also working to prioritize security. Even AXEL is utilizing modern cybersecurity technology in innovative ways to protect users. One of AXEL’s patents, US11159306B2, describes a token identification system that allows users to perform transactions privately, while making the transaction verification public. This technology prioritizes the digital privacy of users, secures the specific aspects of the transaction, and offers public verification. Patents like this are being presented, approved, and utilized every day, creating a more private, secure Internet. So while cybercriminals may be quick to exploit technological flaws, an army of individuals and businesses are ready to fight for digital security.

About AXEL

Technology will continue to advance, and our lives will become more digitized than ever before. That’s why data security and user privacy remain as important as ever. At AXEL we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go. AXEL Go uses military-grade encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. If you’re ready to try the best file sharing app for PC and mobile devices, try two free weeks of AXEL Go here.

[1] Dolgin, Elie. “The Tangled History of mRNA Vaccines.” Nature News. Nature Publishing Group, September 14, 2021. https://www.nature.com/articles/d41586-021-02483-w

[2] “19% Of Americans Use Wearable Fitness Trackers and MHealth Apps.” Mercom Capital Group, October 13, 2021. https://mercomcapital.com/90-americans-wearable-mhealth-apps/#:~:text=According%20to%20a%20new%20survey,or%20tablet%20app%20(32%25)

[3] Marks, Adam. “Do Exercise Trackers Make You Healthier?” Ace.edu, February 16, 2021. https://www.ace.edu/blog/post/2021/02/16/do-exercise-trackers-make-you-healthier

[4] “How Has Technology Changed Education?” Purdue University Online.. https://online.purdue.edu/blog/education/how-has-technology-changed-education

[5] Acharjee, Sauvik. “The Evolution of Cybercrime: An Easy Guide (2021).” Jigsaw Academy, February 13, 2021. https://www.jigsawacademy.com/blogs/cyber-security/evolution-of-cybercrime/

Apps That Wreak Havoc On HIPAA

This is the era of multiple devices and millions of apps. Phones, tablets, and smartwatches are filled with apps intended to make our lives easier.  And it seems almost daily we read about how some – or all – of those apps are spying on our lives.

Many people don’t care.  To some extent, I am one of those.  “I don’t do anything so special in life that anyone will want to hack me” is how I feel about most of my internet presence.  I happily share photos of my family, my dogs, and my travels.

But, I do worry about money and health issues; the things that I feel need to be secure.  So when my iPhone asked for access to my health information I was hesitant to share.

The iPhone comes standard with the “Health” app (Fitbit and other devices also take, store, and share health information). In the app, you can enter your health record data and share it with other health related apps on your device.  It can also pull such data from your other apps too.

You can enter vitals, lab test results, and even track your reproductive health – where it asks for everything from your menstruation history, to sexual activity.

Wow.  To say I was surprised to see this information on an app is an understatement.

Maybe I am old fashioned, but I cannot imagine grabbing my iPhone after sex and entering the event in; it’s akin to grabbing a cigarette in the old movies.  And if you did enter it, if you ask Siri about the last time you had sex… would she answer?   I will leave that alone for now.

Is your phone secure?

Naturally, I thought that if my phone wanted to hold my very private health information, it must be secure.  So to play off the old movie reference, it’s For Your Eyes Only.  But the app is not secured by any authentication.  Well, once your phone is unlocked that is.

So, if anyone gains access to your phone, guess what…they would quickly be able to learn your sexual activity, recent blood alcohol content, and anything else you happened to trust your handy-dandy iPhone with.

Of course, if that information is on your phone…. guess who else has it?  Apple, Google, Amazon, or whomever you have your back-up account with.

As I look at my phone, I realize that I have access to all my information but so does Apple.  Certainly the type of information Apple Health is seeking from me is my private health information; HIPAA calls it Protected Health Information (PHI).

Thus, it could be subject to HIPAA regulations. If so it’s safe and secure under federal law.  But, is Apple is an entity that would be subject to the privacy and security rules of HIPAA? Are they a Covered Entity (CE)?  The answer is no.

HIPAA applies to doctors, hospitals, medical insurers, and other health care providers.  They are what’s classified as CEs under HIPAA.  So the people that normally treat you and deal with your medical records and billings have to comply with HIPAA.  But, just having medical records does not create a HIPAA obligation.

Further, other companies which support CE’s can be subject to HIPAA as well – they are the Business Associates (BAs).  An example might be a medical device manufacturer; a hospital’s cleaning service or vendor that supports medical care in some way.

Tech companies aren’t restricted by HIPAA

Apple is none of these things.  So Apple has no requirement of privacy or security over my medical data.  Likewise Fitbit, Sprint, or whoever is similarly NOT restricted by HIPAA.  But they will have all my PHI… which is a scary thought.

As I read more and more about the medical profession and IT, it occurs to me that doctors and patients are using their smartphones to communicate.  And we should ALL encourage more communication.  But what if I use an app to share with my physician?

In that case the data gathered by the physician would likely come under the purview of HIPAA.  But what if the app we are using, itself, is not secure (e.g. the Health App, or simply iMessage)?

Does the doctor need to comply with HIPAA privacy and security standards, even though we all know the data is already compromised by the patient’s method of delivery?  I don’t know the answer to this one.

It would appear similar to a waiver of the attorney-client privilege when the information is shared in the presence of a third party.  But, HIPAA has express provisions for when HIPAA can be waived; not a single word exists about an unintentional waiver.

Thus it would seem that a doctor would have to abide by HIPAA, even knowing that the patient has exposed the very records to others. Certainly you don’t want your doctor to send your records to anyone willy-nilly and have the defense be that you texted them to him/her.  Once the doctor has the PHI, it’s protected.

But I have not seen anyone litigate this question.

HIPAA and the emerging tech world

Do we have HIPAA issues with our new-fangled “wearables”?  The answer is… maybe.  HIPAA does not apply to everyone.  You can give your health records to whomever you want; after all HIPAA was created to protect “you” from unauthorized acts of “others”.

But HIPAA also has clear limiting applications to what they call Covered Entities and Business Associates of those entities.

So you may want to think twice about entering any personal heath data into your new device; it’s not secure as it sits on your device and your cloud provider has no obligations to make it secure.

But if you provide any of that information to your health care provider, they will have an obligation to meet HIPAA’s requirements for privacy and security for the data they receive.

A HIPAA Breach

A HIPAA breach can cripple your medical practice

Over the last few months we have discussed HIPAA in very general terms.  I have tried to impart some of the basics of its security and privacy obligations upon each of you, while ignoring the rest of the Act.

Certainly, it is a massive undertaking to fully grasp all of HIPAAs ins-and-outs, and I will not ever try to bore you with the entire 5 sections of HIPAA.  So if you need to know about Insurance Portability, Tax Matters, Group Plans, or Revenue Offsets, please feel free to read the other four Titles.

Now that we have discussed what information is subject to HIPAA and who is responsible to keep and control electronic protected health information (ePHI), it’s a good time to learn what I like to call the “so what?” of HIPAA.  As I travel, meet, speak with, and interact with doctors, I am often presented with the “so what?” response.

Many doctors have told me: “Steve I understand that HIPAA exists, but we have always done it this way.  I think we are compliant.  Or we don’t know how to fully comply.”  And almost all those conversations end with “so what if we are not compliant, no one will even look at my little office to audit us.”

So, I realized that I needed to do a little more in this blog. Let’s discuss what a breach is, what you have to do if you are in breach and finally the “so what?”, namely what are the fines?

Let’s first learn what a “breach” is and is not.  A breach can be defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted, which compromises the security or privacy of the protected health information.

This means that if protected health information is in the possession of the wrong person and they can read it, a breach exists.  If you give Jan Smith’s records to Jane Smith, there is a breach.  Or if you fax medical records to (702) 555-1234, but the patient’s number was (712) 555-1234, you have a breach.

It’s these little mistakes that plague offices at times.  Most certainly, if your patient charts are on your laptop and it’s stolen, that’s a breach.  Should your server be accessed due to a hacking incident, or if you email a patient’s records to Kinkos as opposed to Dr. Kinko (the physician you intended to refer your patient to), you have a breach event.

Simply put, records must be seen only by those authorized to see them, and Covered Entities (CE) and Business Associates (BA) in possession of the records hold the responsibility to ensure no breaches take place.

“But what if my PHI is encrypted?” you ask. If the PHI is encrypted when the breach took place, you are probably covered.  The unauthorized use or disclosure of PHI is presumed to be a breach, unless there is a low probability that the information was compromised.

So when the PHI ends up in the wrong hands, but all they see is 0s and 1s due to your encryption, you may be protected. If you realize an email went to joesmith@mail.org as opposed to josmith@mail.org, but the email was sent with encryption, you are probably ok not reporting a breach.

However, a breach notification is necessary in all situations except those in which the CE demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. We will discuss what a “risk assessment” is in the next blog.

But today’s blog is addressing a breach.  So, assuming a reportable breach took place, now what?  Once a CE or BA is made aware of a possible breach, they must report the breach to the Department of Health & Human Services.

The report must be made without “unreasonable delay”.  While it is not 100% certain what constitutes an “unreasonable delay”, 60 days appears to be the outer limit for reporting, and waiting until the 60th day could be unreasonable as well.

Some state laws provide stricter reporting rules such as California’s mandate that you have 5 days to report a breach.   We will discuss the notice details in a later blog

And now the “So what?”  Here are the federal breach penalties.  But please take note that some states allow separate penalties.  Additionally, some states allow private causes of action against the CE by the harmed patients.  So these charts present only the tip of the iceberg in some cases.

Looking through the charts it is easy to see the risks you’re taking by not making sure your office is HIPAA compliant. In 2016, the Office for Civil Rights (OCR) collected over $20 million in fines, and in 2017 they have already disclosed over $17 million in fines collected.

Finally, don’t think that just because you are only an employee for a company, that you are immune from these fines and prison sentences. If an executive is aware of a violation, delegating the responsibility to someone else (the company’s “Security Officer”, perhaps) DOES NOT protect the executive from a personal penalty.

So now that you know what the ramifications are for a HIPAA breach, it is crucial that you take the necessary steps to ensure you don’t end up as one of OCR’s statistics.

Take the painful (but important) measures to be compliant now to save yourself a lot of stress, heartache, and money in the future. Otherwise the question you’ll be asking isn’t “so what?” but rather “does anyone know a good attorney?”

Who’s Covered by HIPAA?

Our previous HIPAA entry exposed you to some of the basics of HIPAA.   One of the things we did was to identify who was covered by the HIPAA rules.  Entities or individuals that are Covered Entities (remember: Health Care Plans, Health Care Clearinghouses, or Health Care Providers) are certainly subject to HIPAA.

But, effective February 17, 2010 under the HITECH Act, Business Associates (BA) became subject to HIPAA privacy and security rules as well.  What this means is that a company that is not in the healthcare industry, per se, but deals with medical records as part of their job duties, COULD be subject to HIPAA rules.

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a Covered Entity; attorneys, accountants, consultants, and others are some possible examples.  But there is not a list in HIPAA which defines who is a BA by trade.  Thus, the following test is used:

  • a party who is performing a function for a Covered Entity;
  • that has access to PHI;
  • but is not an employee of the Covered Entity.

Now that you have had a chance to determine if you are or are not a BA, what are your HIPAA requirements?  Well, you must comply with HIPAA of course.  But generally you must secure the PHI, and use it only for the same purpose it was given to the Covered Entity.

Where it sometimes gets tricky is, you must make the PHI “accessible” to the individual to whom the PHI belongs; most often the patient.  So you cannot just lock it up and throw away the key.  You must also perform risk assessments of your security and mitigate determined risks.  Finally, you have notice obligations should there be a breach.

Next we will talk about what a breach is, your reporting requirements, and the related fines and penalties for a breach.

What is HIPAA?

Since our previous HIPAA entry exposed you to some of the shock value of the recent HIPAA violations, I assume you are checking back because you’re interested in how HIPAA may apply to your company.  With this article, I wanted to provide a little foundation for HIPAA.

HIPAA is the acronym for The Health Insurance Portability and Accountability Act which was legislation passed in 1996.  For you legislative purists, HIPAA was initially known as the Kennedy–Kassebaum Bill.   But, yes, HIPAA has been around since 1996!  I bet that, if polled, most medical or insurance privacy officers would tell you that HIPAA was enacted in the last few years.

Not only is HIPAA not new, it was also not written solely to provide punishment to medical practices that get lazy with their record keeping.   It’s made up of five sections, of which only one, Title II, addresses items such as patient’s access, security, and privacy.  Perhaps another day I will talk about the coding, automation, coverage, and standardization requirements of HIPAA, but not today.

The Department of Health and Human Services (HHS) enforces HIPAA, and its Office for Civil Rights (OCR) performs all the audits.   Interestingly, in 2009 then-President Obama signed the American Recovery and Reinvestment Act of 2009.  Contained therein, was the HITECH Act, which enabled the OCR to be funded by the very fines it levies and collects.  Thus, there is little doubt that HIPAA investigations, enforcement, and fines are here to stay.

Understanding that HIPAA and its enforcement is here to stay, the next question is:  “does it apply to us?”  Most certainly, HIPAA does not apply to anyone who holds a medical record in their hand.  But it does apply to Covered Entities such as:  Health Care Plans and Clearinghouses (some may just call them the insurance side) and Health Care Providers (doctors, nurses, hospitals, those trained and licensed to provide medical care, etc.).  And finally HIPAA applies to Business Associates (BA) (a party who is performing a function for a covered entity that has access to PHI, but is not their employee).  So, if you are one of those folks, the HIPAA rules apply to you.

Who is, or may be, a BA will be the subject of the next HIPAA blog.

HIPAA Violations – An Open Discussion

An open Discussion on HIPAA.

First, its HIPAA, not “HIPPA” which you see a lot as you navigate an internet search about HIPAA.  If you Google HIPPA, you will find plenty of articles, discussing HIPAA, but spelling it as HIPPA.  You can even find professionally appearing and academic articles spelling it incorrectly.  Second, HIPAA is more than just a privacy law, it deals with document access, insurance coverage, pre-existing conditions, and many other things.  Finally, HIPAA compliance is not impossible or some secret for experts only… it is attainable.  But, first things first, why should you worry about HIPAA?

Look we are all busy, none of us want to read a bunch of legislation written by attorneys which makes almost no sense to non-attorneys; I get it.   When it comes to legal issues, I always find it important to know the real reasons why I should take notice of something.  Large monetary fines and possible prison time seem to get my focus.  The Federal Government issued almost $11.4 million in HIPAA fines before March 1, 2017; paying attention yet?   How about knowing that you can face Federal jail time for wrongful disclosures?  Now that you realize HIPAA is serious, let’s look at the governments’ enforcement activity in 2017.

Just to get your ears perked up, here are some examples of the fines issued by the Federal Government before the end of February 2017:

January 9, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00.

Presence Health discovered that paper-based operating room schedules, which contained the PHI (Protected Health Information) of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  Making matters worse, Presence Health failed to timely notify each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and the OCR.  This case is a great first case to take notice of, as it addresses both the loss of the medical information and the failure to report the breach.

January 18, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million.

MAPFRE filed a breach report with the OCR indicating that a USB data storage device containing ePHI (electronic Protected Health Information) for 2,209 patients was stolen from its IT department, where the device was left without safeguards. MAPFRE also failed to conduct proper risk analysis, implement risk management plans, and failed to deploy encryption or an equivalent alternative measure on its laptops and removable storages.  This investigation revealed many breaches, across many levels of HIPAA.  Yet, one of its teaching points is about laptop and USB drive security.  Many offices use laptops and USB drives on a daily basis to access and transfer information.  If they contain PHI, they must secure them.

February 1, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a civil money penalty of $3.2 million to Children’s Medical Center of Dallas (Children’s), who paid the fine in full.

Children’s filed a breach report with the OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport.  The device contained the ePHI of approximately 3,800 individuals.  Later, Children’s filed a separate HIPAA Breach Notification Report with the OCR, reporting the theft of an unencrypted laptop from its premises which contained the ePHI of 2,462 individuals.  Again, we see issues with remote devices being compromised.  In a review of OCR violation history, remote device compromises appear to be a majority violator.  Probably a good time to determine if your office had PHI on any remote or removable devices.

February 16, 2017 – Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI.  This final case shows that your password protocols must be established and followed.  Of course, the hardest part of protecting your company is protecting it from its employees.  However, there is no excuse for allowing former employees to retain access rights to your data.

These four fines are just the tip of the iceberg when dealing with HIPAA, but together they do shed some light on the many different types of violations your company can face.  Many states now can assert similar level fines upon a party in breach.  Some states even allow private causes of action for damages caused by a breach.  And then, there can be criminal consequences as well.  Now that I have your attention, be sure to check back soon for more on HIPAA.