Healthcare Technology Vendor News

Amazon Lex is Now HIPAA Compliant

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs, and in addition to being HIPAA eligible is also compliant with PCI and SOC.

As with any software solution, a BAA does not guarantee compliance. Amazon has ensured appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of ePHI, but it is the responsibility of users to ensure that the solution is implemented correctly and used in a manner that complies with HIPAA Rules.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.

The post Amazon Lex is Now HIPAA Compliant appeared first on HIPAA Journal.

New Alexa Healthcare Skill Helps Patients Manage Their Medications

Amazon has announced that Alexa has a new healthcare skill that patients can use to manage their medications and order prescription refills.

Earlier this year, Amazon announced that it has developed a HIPAA-eligible environment for skill developers that incorporates the necessary safeguards to comply with the requirements of the HIPAA Privacy and Security Rules. Amazon set up an invite-only program for a select group of skill developers to create new skills that could benefit patients.

The new skill is the result of a collaboration between Amazon and the medication management firm Omnicell. Amazon contacted Omnicell and offered the company the chance to create the new skill after it was noticed that many Alexa users were using their devices to set medication reminders. Amazon had received feedback from several users who requested improvements be made to the reminders feature to allow them to set multiple reminders a day to take their medications.

Initially, the new Alexa capabilities will be available to customers of the Giant Eagle pharmacy chain, which operates over 200 pharmacies throughout the Midwest and Mid-Atlantic. The new skill allows patients to set reminders to take their medications, check their current prescriptions, and order prescription refills at Giant Eagle by issuing voice commands to their Alexa devices.

The new skill incorporates a range of privacy and security protections to prevent unauthorized access and misuse. After enabling the Giant Eagle Pharmacy skill and linking their account, users are required to set up a voice profile and set a PIN. Alexa will recognize a user by their voice profile, but they will be required to provide their PIN before any information will be relayed. Healthcare-related information is also redacted in the app to maintain privacy, and voice recordings can be reviewed and deleted at any time through the Alexa app, the Privacy Settings page, or by issuing voice commands after authentication.

“This new technology is just the beginning, as we continue to identify straightforward and easy-to-use pharmacy tasks that voice-powered devices can perform in the real world to keep the patient at the center of care and streamline pharmacy workflow,” said Danny Sanchez, vice president and general manager, Population Health Solutions, Omnicell.

The initial launch will provide Amazon with valuable data that will be used to improve the customer experience. Amazon will be adding further pharmacy chains in the New Year.


Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act has been introduced by Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold without consent, and consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies; instead, the legislation applies to the data itself. The bill proposes that the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen. “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second-largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.


House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.


TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision.

For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems.

The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike.

The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but healthcare hasn’t, even though healthcare is the industry that stands to benefit most from the adoption of mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is pushing for fax machines to be eliminated by the end of 2020 and for healthcare organizations to instead use more secure, reliable, and efficient communications methods. Given the extensive use of fax machines, that target may be difficult to achieve.

“Adoption of modern communication solutions has occurred in every other industry but healthcare,” said Brad Brooks, chief executive officer and co-founder of TigerConnect. “Despite the fact that quality healthcare is vital to the well-being and functioning of a society, the shocking lack of communication innovation comes at a steep price, resulting in chronic delays, increased operational costs that are often passed down to the public, preventable medical errors, physician burnout, and in the worst cases, can even lead to death.”

The cost of communication inefficiencies in healthcare is considerable. According to NCBI, a 500-bed hospital loses more than $4 million each year as a result of communication inefficiencies, and communication errors are the root cause of 70% of all medical error deaths.

The communication problems are certainly felt by healthcare employees, who waste valuable time battling with inefficient systems. The report reveals 55% of healthcare organizations believe the healthcare industry is behind the times in terms of communication technology compared to other consumer industries.

One of the main issues faced by healthcare professionals is not being able to get in touch with members of the care team when they need to. 39% of healthcare professionals said it was difficult or very difficult communicating with one or more groups of care team members.

Fast communication is critical for providing high quality care to patients and improvements are being made, albeit slowly. Secure messaging is now the primary method of communication overall for nurses (45%) and physicians (39%), although landlines are the main form of communication for allied health professionals (32%) and staff outside hospitals (37%), even though secure messaging platforms can be used by all groups in all locations.

Even though there is an increasing mobile workforce in healthcare, healthcare organizations are still heavily reliant on landlines. Landlines are still the top method of communication when secure messaging is not available. Landlines are also used 25% of the time at organizations that have implemented secure messaging.

Healthcare organizations that have taken steps to improve communication and have implemented secure messaging platforms are failing to get the full benefits of the technology. All too often, secure messaging technology is implemented in silos, with different groups using different methods and tools to communicate with each other. When secure messaging is not used, such as when the platform is only used by certain roles, communication is much more difficult.

The communications problems are also felt by patients. Nearly three quarters (74%) of surveyed patients who had spent at least some time in hospital in the past two years, either receiving treatment or visiting an immediate family member, said they were frustrated by inefficient processes.

The most common complaints were slow discharge/transfer times (31%), ED time with doctors (22%), long waiting room times (22%), the ability to communicate with a doctor (22%), and the length of time it takes to get lab test results back (15%). Many of these issues could be eased through improved communication between members of the care team. The survey also revealed hospital staff tend to underestimate the level of frustration that patients experience.

Communication problems play a large part in the bottlenecks that often occur in healthcare. Communication problems were cited as causing delayed discharges (50%), consult delays (40%), long ED wait times (38%), transport delays (33%) and slow inter-facility transfers (30%). There is a 50% greater chance of daily communication disconnects negatively impacting patients when secure messaging is not used.

Hospitals that communicate with patients by SMS/text or messaging apps are far more likely to rate their communication methods as effective or extremely effective. 75% of hospitals that use text/SMS and 73% that use messaging apps rate communication with patients as effective or very effective, compared to 62% that primarily use the telephone and 53% whose primary method of communicating with patients is patient portals. The survey also showed that only 20% of patients want to communicate via patient portals.

It has been established that secure messaging can improve communication and the quality of healthcare delivery, but healthcare communication is often not a strategic priority. 69% of surveyed healthcare professionals that are not using a secure messaging platform said this was due to budget constraints, 38% said money was spent on other IT priorities, and 34% cited concerns about patient data security, even though secure messaging platforms offer far greater security than legacy communications systems.

TigerConnect has made several recommendations on how communication in healthcare needs to be improved.

  • Prioritize communication as a strategy
  • Focus on improving communication to ease major bottlenecks
  • Integrate communication platforms with EHRs to get the greatest value
  • Standardize communication across the entire organization
  • Include clinical leadership in solution design
  • Stop using patient portals to communicate with patients and start using patient messaging in the overall communication strategy

The survey provides valuable insights into the state of communication in healthcare and clearly shows where improvements need to be made. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).


ProtoLytic, LLC Verified as HIPAA-Compliant by Compliancy Group

ProtoLytic, LLC, the Tampa, FL-based developer of decision support tools for medical cost management, has been confirmed as HIPAA-compliant by Compliancy Group.

ProtoLytic tools are used by healthcare providers to develop treatment plans for patients using evidence-based guidelines and demographic data to help claims adjusters process referrals and medical service requests and reduce time to quality of care. The company has also developed a predictive modelling information system to determine the treatment and medical services patients with specific health conditions are likely to need.

These software solutions naturally come into contact with electronic protected health information (ePHI). Consequently, ProtoLytic is classed as a business associate under Health Insurance Portability and Accountability Act (HIPAA) Rules. In addition to entering into a business associate agreement (BAA) with HIPAA-covered entities, ProtoLytic must ensure safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI, and the company and its employees must adhere to the regulatory standards of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules.

ProtoLytic is committed to ensuring the privacy and security of all client information and had already implemented its HIPAA compliance program. To take its compliance efforts to the next level, ProtoLytic partnered with Compliancy Group.

Assisted by Compliancy Group’s HIPAA compliance coaches and using the company’s proprietary web-based compliance software solution, The Guard, ProtoLytic successfully completed the 6-Stage HIPAA Risk Analysis and Remediation Process and its good faith compliance efforts were verified as meeting the necessary standards of HIPAA that apply to business associates.

Following the successful completion of the program, Compliancy Group awarded ProtoLytic the HIPAA Seal of Compliance. The HIPAA Seal of Compliance demonstrates to current and future ProtoLytic clients that the company is committed to privacy, security, and compliance with HIPAA and the HITECH Act, thus helping the firm differentiate its services.


New Version of SpamTitan Released, Including New RESTapi

TitanHQ has released a new version of its leading cloud-based anti-spam service and antispam software. The latest version of SpamTitan – v7.06 – includes a new RESTapi which can be used by partners and clients for seamless integrations.

The latest version was debuted on November 12, 2019. Users of the cloud-based anti-spam service have automatically been upgraded to the latest version. SpamTitan software users have had the latest version downloaded to their appliances, although appliance administrators need to apply the update and accompanying security patches by logging into their user interface.

The latest release includes security patches that address issues with the reporting engine, and patches and ISO/OVA images are now available for all clients and partners. The patches cover several packages including OpenSSH, OpenSSL, PHP, ClamAV and sudo.

TitanHQ has enjoyed 30% growth in 2019, fueled in large part by managed service providers serving the SMB market. The TitanHQ platform is proving popular with MSPs for providing spam filtering, DNS filtering, and email archiving solutions to their clients. Q3, 2019 was the busiest ever quarter for MSP growth at TitanHQ and that strong growth has continued in Q4, 2019.

More than 2,200 MSP partners are now using the TitanHQ platform and Q4, 2019 looks set to beat previous records thanks to the launch of the “Margin Maker for MSPs” initiative for Q4, which has made adoption of the platform even more attractive for MSPs.

TitanHQ is encouraging implementation of the RESTapi and API adoption, which are seen as vital for the company’s partnership expansion plans. “We have enjoyed record-breaking growth and the latest enhancements and new features that have been added to SpamTitan will help to ensure growth in 2020 continues at record levels,” said Ronan Kavanagh, CEO, TitanHQ.

Technical details of the new RESTapi can be accessed on this link.


EnTech Confirms HIPAA-Compliant Status with Compliancy Group

The Fort Myers, FL-based managed IT service provider, EnTech, has been confirmed as being in compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules by Compliancy Group.

EnTech has been serving businesses in Southwest Florida for more than 20 years. The company offers managed IT and integration services to help businesses get the most out of information technology, along with strategic technology consultancy services to help businesses choose the best IT architectures to meet their needs.

In order to provide those services to healthcare organizations, EnTech is required to comply with HIPAA Rules. The company must implement appropriate safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), and its employees must be made aware of their responsibilities with respect to HIPAA and ePHI.

Assisted by Compliancy Group’s HIPAA coaches and using “The Guard” compliance tracking solution, EnTech has successfully completed Compliancy Group’s 6-Stage Risk Analysis and Remediation Process.

Successful completion of that process has been confirmed by Compliancy Group, resulting in the company being awarded Compliancy Group’s HIPAA Seal of Compliance. The HIPAA Seal of Compliance is only awarded to companies that have satisfied all requirements of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules and have an effective HIPAA compliance program in place.

“We are very proud to have achieved this designation as it shows our commitment to our clients and community,” said David Spire, EnTech’s Chief Development Officer. “With the ever-changing threat landscape, organizations in the healthcare field that directly or indirectly provide medical care today need to take all the necessary steps to protect all of our personal information.”

Along with a signed business associate agreement, the HIPAA Seal of Compliance provides reassurances to current and future EnTech clients that the company is committed to privacy and security and is fully aware of its responsibilities under HIPAA.


Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs

A vulnerability has been identified in the Philips IntelliBridge EC40/80 hub which could allow an attacker to gain access to the hub and execute software, modify files, change the system configuration, and gain access to identifiable patient information.

Philips IntelliBridge EC40/80 hubs are used to transfer medical device data from one format to another, based on set specifications. The hub does not alter the settings or parameters of any of the medical devices to which it connects.

The vulnerability could be exploited by an attacker to capture and replay a session and gain access to the hub. The flaw is due to the SSH server running on the affected products being configured to allow weak ciphers.

The vulnerability would only require a low level of skill to exploit, but in order to exploit the flaw an attacker would need to have network access. The flaw, CVE-2019-18241, has a CVSS v3 base score of 6.3 out of 10 (Medium severity).

The flaw was reported to Philips by New York-Presbyterian Hospital’s Medical Technology Solutions team, and under its responsible vulnerability disclosure policy, Philips reported the vulnerability to the DHS Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability is present in all versions of the EC40 and EC80 hubs and will be addressed in a new release, which will not be available until the end of Q3, 2020.

Until Philips issues the new release, users of the affected hubs have been advised to implement the following mitigation measures to reduce the potential for exploitation.

  1. Only operate the hub within Philips authorized specifications, using Philips approved software, configurations, system services, and security configurations.
  2. There is no clinical requirement for these devices to communicate outside the Philips clinical network. The devices should be logically or physically separated from the hospital network.
  3. Users should block access to the SSH port. SSH is not meant to be used for clinical purposes, only for product support.
  4. Use a long and complex SSH password and make sure password distribution is controlled to ensure SSH is used via physical access only.
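Before the fix ships, a hospital security team will want to verify which ciphers and MACs a device's SSH server actually offers, since that is what the CVE concerns and what the segmentation and port-blocking measures above are compensating for. The following added example (not Philips' or the advisory's own code) parses an SSH_MSG_KEXINIT message as defined in RFC 4253 section 7.1 and flags legacy algorithms; the weak-algorithm policy and the sample server offer are constructed here and are assumptions, not data from the advisory.

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of KEXINIT, in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Policy used by this script (an assumption, not from the advisory): RC4, DES/3DES,
# Blowfish, CAST and any CBC-mode cipher, plus MD5 / truncated MACs, count as weak.
WEAK_CIPHER_PREFIXES = ("arcfour", "3des-", "blowfish-", "cast128-", "des-")
WEAK_CIPHER_SUFFIXES = ("-cbc",)
WEAK_MAC_PREFIXES = ("hmac-md5", "hmac-sha1-96", "umac-64")


def _read_name_list(buf, offset):
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + length


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message-type byte onward, binary-packet framing removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset = 1 + 16  # message type byte + 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], offset = _read_name_list(payload, offset)
    if len(payload) < offset + 5:  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[offset])
    return fields


def is_weak_cipher(name):
    return name.startswith(WEAK_CIPHER_PREFIXES) or name.endswith(WEAK_CIPHER_SUFFIXES)


def is_weak_mac(name):
    return name.startswith(WEAK_MAC_PREFIXES)


def find_weak_algorithms(fields):
    """Return the weak ciphers and MACs the peer offers in either direction, sorted."""
    ciphers = set(fields["encryption_algorithms_client_to_server"])
    ciphers |= set(fields["encryption_algorithms_server_to_client"])
    macs = set(fields["mac_algorithms_client_to_server"])
    macs |= set(fields["mac_algorithms_server_to_client"])
    return {
        "ciphers": sorted(c for c in ciphers if is_weak_cipher(c)),
        "macs": sorted(m for m in macs if is_weak_mac(m)),
    }


def build_kexinit(cookie, name_lists):
    """Encode a KEXINIT payload; used here only to construct the sample server offer."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for key in KEXINIT_FIELDS:
        raw = ",".join(name_lists.get(key, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=false, reserved


# Constructed sample: an offer from a server that still allows legacy algorithms.
SAMPLE_SERVER_KEXINIT = build_kexinit(b"\x00" * 16, {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes128-cbc", "3des-cbc", "arcfour"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes128-cbc", "3des-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})


def audit_sample():
    return find_weak_algorithms(parse_kexinit(SAMPLE_SERVER_KEXINIT))


if __name__ == "__main__":
    print(audit_sample())
```

To audit a real device, feed parse_kexinit the server's KEXINIT payload captured after the version-string exchange, with the packet length, padding and MAC stripped; an empty result under the site's own policy is what the eventual Philips release should produce.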
