The New York City skyline, including the Empire State BuildingIn a post on February 28, Fox associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Now on the firm’s Physician Law blog, Kristen continues her discussion of telepsychiatry by diving into recent developments in New York State surrounding the innovative practice model. Kristen notes new funding from the New York Office of Mental Health to expand its use, and breaks down the OMH regulations that psychiatrists and physicians will need to consider before offering telepsychiatry services.

We invite you to read Kristen’s piece.

Kristen Marotta writes:

Many believe that educated millennials are choosing to work in urban, rather than rural areas, during their early career due to societal milestones being steadily pushed back and the professional opportunities and preferences of a young professional. Recent medical school graduates are a good example of this dichotomy. The shortage of physicians in rural areas is a well-known phenomenon. Over the years, locum tenens staffing has helped to soften the impact and, recently, so has telemedicine.

Illustration of stethoscope and mobile phone, symbolizing telemedicineThe growing prevalence of telemedicine around the country is an important consideration for new physicians as they decide where to settle down and establish their careers.  In New York, medical graduates should be aware that a $500,000 federal grant was given to New York State’s Office of Mental Health this month, February 2018 by the U.S. Department of Agriculture Rural Development Distance Learning and Telemedicine program.  Using telemedicine to provide mental health services may be a productive and efficient way to deliver healthcare, not only because many mental health examinations would not have to be conducted in-person, but also because of the general shortage of psychiatrists and mental health providers to meet these patient needs. Now, medical graduates who would like to establish their lifestyle in a city can simultaneously care for patients living miles apart from them.

It is essential that health care providers engaging in telemedicine understand the implications of this practice model with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Providers rendering health care services via telemedicine should update and adjust their security risk assessments and HIPAA privacy and security policies and procedures, because protected health information is likely to be created in two separate locations (i.e., the location of the provider and the location of the patient).  Providers should also make sure that their (or their practice’s) Notice of Privacy Practices has been updated to reflect the provision of services via telemedicine, so that the patient has the opportunity to make an informed decision about engaging in this type of health care. Additionally, new business associate agreements may be required with telehealth vendors that do not meet the narrow “mere conduit” exception and any new parties who will have access to the individual’s protected health information as a result of the provision of services via telemedicine. In connection with these efforts, Providers should research and conduct due diligence on vendors to confirm that they understand the services model and are HIPAA-compliant.

As telemedicine emerges and gains more traction in health care, state laws and regulations will also be created and/or updated, and physicians will need to keep abreast of these changes. A good example of this is the State of New York, which has an entire section of mental health regulations dedicated to telepsychiatry. Stay tuned to Fox Rothschild’s Physician Law Blog for further updates on these specific New York regulations, as well as the developments in telemedicine.

Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

Many employers who offer wellness programs to their employees may not have considered compliance with HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”), since they don’t think of their wellness programs as a group health plan. Part 1 of this post covered why most employee assistance programs (“EAPs”) are subject to the HIPAA Rules. This part discusses wellness programs. As with EAPs, wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

A wellness program may be considered a group health plan in at least two common ways. First, if an employer offers a wellness program as part of another group health plan (e.g., a major medical plan), any individually identifiable health information collected from participants in the wellness program is protected health information (“PHI”) under the HIPAA Rules. In other words, if the wellness program is part of another group health plan, such as a major medical plan—for example, by offering incentives like premium reductions or lower cost-sharing amounts for major medical coverage based on participation in the wellness program—the wellness program will be subject to the HIPAA Rules.

Second, a wellness program will be a group health plan subject to the HIPAA Rules if it provides medical care to employees. Some benefits commonly provided by wellness programs are not medical benefits—a health risk assessment (“HRA”), for example, is typically a questionnaire intended to identify an employee’s possible health risks and to motivate the employee to make positive behavior changes to reduce those risks. HRAs are not medical care if they are not administered by medical professionals and are not intended to diagnose illness or prescribe treatment. Other non-medical benefits offered by wellness programs include exercise, nutrition, or weight loss programs, as long as they are not connected with or recommended in response to a medical practitioner’s diagnosis. A wellness program may also provide general health-related information, or referrals (if made by people without any special medical training), without providing medical care (and without triggering compliance obligations under the HIPAA Rules).

Other common wellness program benefits, however, may provide medical care. A biometric screening (often conducted in conjunction with an HRA) is typically medical care because it often involves a blood draw, labs and a clinical assessment of an employee’s health and is intended to diagnose, or indicate an increased risk of, certain health conditions (heart disease, diabetes, etc.). Wellness programs also often include disease management and smoking cessation services, which are considered medical care because they are designed to assist with specific health conditions. Even something as simple as an employee flu shot is medical care, whether or not it is part of another group health plan. Individualized health coaching by trained nurses or counseling provided by trained counselors also would be considered medical care. Providing any of this medical care through a wellness program may lead to unexpected compliance obligations under the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured wellness program that provides medical care will need to enter into a the HIPAA Rules business associate agreement with the wellness program vendor, amend the plan document for the wellness program to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures in place under the HIPAA Rules for another self-insured group health plan (such as a major medical plan) to make them apply to the wellness program as well. If the wellness program is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance under the HIPAA Rules.









You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2 will discuss wellness programs. In both cases, EAPs and wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

As background, the HIPAA Rules apply to “covered entities” and their “business associates.” Health plans and most healthcare providers are “covered entities.” Employers, in their capacity as employers, are not subject to the HIPAA Rules. However, the HIPAA Rules do apply to any “protected health information” (“PHI”) an employer/plan administrator holds on a health plan’s behalf when the employer designs or administers the plan.

Plan administrators and some EAP vendors may not consider EAPs to be group health plans because they do not think of EAPs as providing medical care. Most EAPs, however, do provide medical care. They are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition, including substance abuse and mental health issues. In contrast, an EAP that provides only referrals on the basis of generally available public information, and that is not staffed by health care providers, such as counselors, does not provide medical care and is not subject to the HIPAA Rules.

A self-insured EAP that provides medical care is subject to the HIPAA Rules, and the employer that sponsors and administers the EAP remains responsible for compliance with the HIPAA Rules because it acts on behalf of the plan.   On the other hand, for an EAP that is fully-insured or embedded in a fully-insured policy, such as long-term disability coverage, the insurer will have the primary obligations for compliance with the HIPAA Rules for the EAP. The employer will not be responsible for overall compliance with the HIPAA Rules for an insured EAP even though it provides medical care, but only if the employer does not receive PHI from the insurer or only receives summary health information or enrollment/disenrollment information. Even then, the employer needs to ensure it doesn’t retaliate against a participant for exercising their rights under the HIPAA Rules or require waiver of rights under the HIPAA Rules with respect to the EAP.

An EAP that qualifies as an “excepted benefit” for purposes of HIPAA portability and the Affordable Care Act (as is most often the case because the EAP is offered at no cost, eligibility is not conditioned on participation in another plan (such as a major medical plan), benefits aren’t coordinated with another plan, and the EAP does not provide “significant benefits in the nature of medical care”) can be subject to the HIPAA Rules. In other words, just because you’ve determined that your EAP is a HIPAA excepted benefit doesn’t mean the EAP avoids the HIPAA Rules. Most EAPs are HIPAA excepted benefits, yet subject to full compliance with the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured EAP that provides medical care will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures under the HIPAA Rules for another self-insured group health plan to make them apply to the EAP as well. If the EAP is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance with the HIPAA Rules.

Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible if accomplished through a secure platform.”

However, texting patient orders is prohibited “regardless of the platform utilized” under the CMS hospital Conditions of Participation or Conditions of Coverage, and providers should enter orders into an electronic health record (EHR) by Computerized Provider Order Entry (CPOE).

According to the memo, CMS expects providers and organizations to implement policies and procedures that “routinely assess the security and integrity of the texting systems/platforms that are being utilized” to avoid negatively affecting patient care.

What’s interesting about the CMS memo is that texting on a cell phone has become as routine (if not more routine) as speaking into a cell phone – and HHS published guidance way back in 2013 explaining that the HIPAA Privacy Rule permits doctors and other health care providers to share protected health information over the phone. Telling a 21st century doctor not to communicate by text message (within the proper HIPAA parameters, of course) is like telling the President he can’t communicate on Twitter.

CMS’s restriction on texting patient orders appears to relate to concerns about medical record accuracy, not privacy and security. “CMS has held to the long standing practice that a physician … should enter orders into the medical record via a hand written order” or by CPOE, “with an immediate download into the … [EHR, which] would be dated, timed, authenticated, and promptly placed in the medical record.”

I asked a couple of IT security experts here at Fox how a provider or organization would go about “routinely assessing the security and integrity of the texting systems/platforms” being used by doctors. According Fox partner and Chief Privacy Officer Mark McCreary, CIPP/US, the provider or organization might want to start by:

“… receiv[ing] and review[ing] their third party audits and certifications.  Most platform providers would make those available to customers (if not the public).  They like to tout their security.”

Matthew Bruce, Fox’s Information Security Officer, agreed:

“That is really the only practical way to routinely assess. SMS, which is standard text messaging, isn’t secure so it would likely require the potential use of third party app like Signal.  iMessages are encrypted and secure but only between iPhone users. Both companies should publish their security practices.”

So, providers or organizations participating in Medicare can (continue to) allow doctors to communicate (but not enter treatment orders) by text, but should periodically review the security of the texting systems or platforms the doctors are using. They may also want to remind doctors to make sure they know when and how to preserve text messages, whether by taking screen shots, using an SMS backup app, or some other method.

In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last two months in response to the Opioid Crisis gripping the nation and confusion regarding when and to whom PHI of patient’s suffering from addiction or mental illness may be disclosed.

Pills and capsules on white backgroundTo make the guidance easily accessible to patients and health care professionals, OCR published two webpages, one dedicated to patients and their family members and the other dedicated to professionals.

  • Patients and their family members can find easy-to-read commentary addressing the disclosure of PHI in situations of overdose, incapacity or other mental health issues here.
  • Physicians and other health care professionals can find similar fact sheets tailored to their roles as covered entities here.
  • OCR also recently issued a two-page document summarizing its guidance on when health care professionals may disclose PHI related to opioid abuse and incapacity [accessible here].

The main points from this guidance include:

  1. If a patient has the capacity to make decisions regarding his or her health care, a health care professional may not generally share any PHI with family, friends or others involved in the patient’s care (or payment for care), unless the patient consents to such disclosure.  However, a health care professional may disclose PHI if there is a serious and imminent threat of harm to the patient’s health and the provider in good faith believes that the individual to whom the information is disclosed would be reasonably able (or in a position) to prevent or lessen such threat. According to OCR, in the context of opioid abuse, this rule allows a physician to disclose information about the patient’s opioid abuse to any individual to whom the physician in good faith believes could reasonably prevent or lessen the harm that could be caused by the patient’s continued opioid abuse following discharge.
  2. If the patient is incapacitated or unconscious, HIPAA allows health care professionals to disclose certain PHI to family and close friends without a patient’s permission where (i) the individuals are involved in the care of the patient, (ii) the health care professional determines that disclosing the information is in the best interests of the patient, and (iii) the PHI shared is directly related to the family or friend’s involvement in the patient’s health care (or payment for such health care). As an example, OCR clarified that a physician may, in his or her professional judgment, share PHI regarding an opioid overdose and related medical information with the parents of someone who is incapacitated due to an overdose.
  3. OCR also addressed the difficult situation where a patient is severely intoxicated or unconscious, but may regain sufficient capacity to make health care decisions several hours after arriving in the emergency room.   In such situations, HIPAA would allow a physician or nurse to share PHI related to the patient’s overdose and medical condition with the patient’s family or close personal friends while the patient is incapacitated, so long as the nurse or doctor believes that it is in the patient’s best interest to do so and the information shared with the family member or friend is related to the individual’s involvement in the patient’s health care.

OCR published similar guidance, available at the above websites, regarding the disclosure of PHI related to the mental health of a patient.  Included in that guidance is clarification that HIPAA does not prohibit treating physicians from sharing PHI of a patient with a mental illness or substance use disorder for treatment purposes, except in the case of psychotherapy notes.

However, it is important to understand that OCR’s guidance on these issues does not supersede state laws or other federal laws or rules of medical ethics that would apply to disclosure of a patient’s PHI, including the federal confidentiality regulations [located at 42 CFR Part 2] pertaining to patient records maintained in connection with certain federally-assisted substance use disorder treatment programs.  The “Part 2” regulations (as well as state patient confidentiality laws that are more restrictive than HIPAA) could prohibit some or all of the disclosures which OCR has now clarified are permitted under HIPAA.

If you have a question regarding how this new guidance may affect your practice, please contact a knowledgeable attorney.

Elizabeth G. Litten, Partner, Fox Rothschild LLPOn November 9, the Florida Supreme Court ruled in the case of Emma Gayle Weaver, etc. v. Stephen C. Myers, M.D., et al., that the right to privacy under the Florida Constitution does not end upon an individual’s death. Fox partner and HIPAA Privacy & Security Officer Elizabeth Litten recently reacted to the decision in an article in Data Guidance. She noted the decision’s compatibility with HIPAA regulations concerning the protected health information of a deceased patient. She also discussed certain elements of the Florida statutes that were deemed unconstitutional by the court, and how they differ from HIPAA’s judicial and administrative proceedings disclosure rules.

We invite you to read the article and Elizabeth’s remarks.

Long gone are the days when social media consisted solely of Myspace and Facebook, accessible only by logging in through a desktop computer at home or personal laptop. With every single social media platform readily available on personal cellular devices, HIPAA violations through social media outlets are becoming a frequent problem for healthcare providers and individual employees alike. In fact, social media platforms like Snapchat® and Instagram® that offer users the opportunity to post “stories” or send their friends temporary “snaps” seem to be a large vehicle for HIPAA violations, specifically amongst the millennial generation.

Megaphone and social media illustrationIn a recent poll by CNBC of the younger-end of the millennial generation, CNBC found that a majority of teens ranked Snapchat and Instagram among their top three favorite apps.  One teen claimed that they enjoyed the “instant gratification” of having a quick conversation, and another teen even stated that “Snapchat is a good convenient way to talk to friends (sharing pictures) but you can say things you would regret later because they disappear (I don’t do that though).”

This dangerous and erroneous mentality, while prevalent in teens, exists to some extent among the younger generation of nurses, residents, and other employees working for healthcare providers. With just a few taps and swipes, an employee can post a seemingly innocuous disclosure of PHI. Interns and residents of the younger generation may innocently upload a short-term post (be it a picture for two-seconds or an eight-second long video) of a busy hospital room or even an innocent “selfie” without realizing that there is visible and identifiable PHI in the corner. Two major categories of HIPAA violations have become apparent to me in relation to Snapchat and Instagram Stories and HIPAA: (1) The innocent poster, as described above, who does not realize there is PHI in their post; or (2) The poster who knows that their picture or video could constitute a HIPAA violation, but posts it anyway because they think it’s “temporary”.

The first category of violators are employees who do not realize that they’re violating HIPAA but can still be punished for such behavior. Think of a resident deciding to post a picture on their “Snapchat story” of a cluttered desk during a hectic day at work, not realizing that there are sensitive documents in clear view. Again, whether the resident meant to or not, he or she still violated HIPAA.

The second category of violators think that they’re safe from HIPAA violations, but don’t realize that their posts may not be as temporary as they think. Let us imagine a nursing assistant, working at an assisted-living facility, “snapping” a video of an Alzheimer’s patient because the patient “was playing tug of war with her and she thought it was funny.”  The story only lasts 24 hours on the nursing assistant’s Snapchat “story”, but it is still a clear breach of HIPAA. In this case (a true story), the nursing assistant was fired from the facility and a criminal complaint was filed against her.

Violations in this category do not even need to be as severe as the one in the scenario with the nursing assistant. An employee at a hospital taking a “snap” with one of their favorite patients and sending it to just one friend on Snapchat directly (instead of posting it on their “story”) is a violation because that friend could easily take a screenshot of the “snap”. In fact, any “snap” is recordable by a receiving party; all the receiving party would have to do is press and hold the home button in conjunction with the side button on their iPhone. Voila, now a third-party has PHI saved on their phone, and worse yet, that third-party can distribute the PHI to the world on any number of social media outlets.

Snapchat posts and Instagram stories are not temporary. In fact, in 2014, Snapchat experienced a security breach that released 100,000 Snapchat photos.  The hack – cleverly called “The Snappening” – involved hackers who released a vast database of intercepted Snapchat photos and videos that they had been amassing for years.  In that instance, the hackers acquired the files from a third-party site called “”, which allowed users to send and receive “snaps” from a desktop computer and stored them on their servers. Snapchat argued back then that it was not in fact their own server which was hacked, but currently the app does allow users to save “snaps” on their phone and on the application before sending them to their friends or stories. This change was made in 2016. Where are those pictures being saved? Could hackers get their hands on them?

The appeal of “instant gratifications” and “temporary conversations” is what makes social media platforms such as Snapchat and Instagram dangerous to healthcare providers. To avoid HIPAA violations of this nature, it is important to inform and educate employees, especially of the millennial generation, of the dangers of posting pictures that they think are temporary. I have an anonymous friend at the age of 26 who is a resident at a hospital that completely disabled her ability to access G-mail through her phone. While this method is a severe solution to a growing issue, and not absolutely necessary, healthcare providers should definitely consider other creative ways to keep their younger employees off their social media apps.

Individuals who have received notice of a HIPAA breach are often offered free credit monitoring services for some period of time, particularly if the protected health information involved included social security numbers.  I have not (yet) received such a notice, but was concerned when I learned about the massive Equifax breach (see here to view a post on this topic on our Privacy Compliance and Data Security blog).

The Federal Trade Commission’s Consumer Information page sums it up well:

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax… .”

I read the news reports this morning, and decided to go on the Equifax site,, to see if my information may have been affected and to sign up for credit file monitoring and identify theft protection (the services are free to U.S. consumers, whether or not affected by the breach, for one year).

The Equifax site describes the breach and lets users click on a “Potential Impact” tab to find out whether their information “may have been impacted” by the breach. Users can find out by clicking on the “Check Potential Impact” link and following these steps:

  1. Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
  2. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
  3. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.

Before satisfying my curiosity, though, I decided to click on the “Terms of Use”, that too-rarely-used link typically included at the bottom of a webpage that sets forth the quid pro quo of using a website. Perhaps it was because my law partner (and the firm’s Chief Privacy Officer), Mark McCreary, has instilled some cautiousness in me, or because I wondered if there might be a catch. Why would Equifax offer a free year of credit monitoring to everyone, even those not affected by the breach? What would Equifax get in return?

I skimmed the “Product Agreement and Terms of Use”, noted the bolded text requiring arbitration of disputes and waiving my right to participate in a class action, but wasn’t concerned enough to resist the urge to find out if my information was affected.

I then followed the “Getting Started” process by following the TrustedID Premier link, and quickly received a notice stating that my information “may have been impacted” and that I could enroll on September 11, 2017 (my “designated enrollment date”).

Not more than a couple of hours later, I came across an article warning of the legal rights consumers give up by signing up on Equifax’s website. The article describes the arbitration clause in the Terms of Use provisions, and reports on New York Attorney General Eric Schneiderman’s tweet stating that the arbitration provision is “unacceptable and unenforceable”. The article also reports that, today, Equifax updated the Terms of Use language to include a new provision allowing a user to write to Equifax to opt-out of the arbitration provision within 30 days of the date the user first accepts the Product Agreement and Terms of Use.

My curiosity got the best of me and I now know I’m on the “affected persons” list, but I haven’t yet signed up for my free TrustedID Premier credit monitoring service. I have the weekend to decide whether to sign up for the service, and 30 days from Monday (if I actually sign up for the service) to decide whether to accept the “cost” of agreeing to binding arbitration.


In some respects, HIPAA has had a design problem from its inception. HIPAA is well known today as the federal law that requires protection of individually identifiable health information (and, though lesser-known, individual access to health information), but privacy and security were practically after-thoughts when HIPAA was enacted back in 1996. HIPAA (the Health Information Portability and Accountability Act) was originally described as an act:

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

The privacy of individually identifiable health information was one of those “other purposes” only peripherally included in the 1996 act. Privacy protection was to be a follow-up, a “to-do” checklist item for the future. HIPAA directed the Secretary of Health and Human Services to recommend privacy standards to specified congressional committees within a year of enactment, and, if Congress did not enact privacy legislation within 3 years of enactment, the Secretary was to proceed with the promulgation of privacy regulations. Security was a bit more urgent, at least in the context of electronic health transactions such as claims, enrollment, eligibility, payment, and coordination of benefits. HIPAA required the Secretary to adopt standards for the security of electronic health information systems within 18 months of enactment.

This historical context casts some light on why our 2017-era electronic health records (EHR) systems often lack interoperability and yet are vulnerable to security breaches. HIPAA may be partially to blame, since it was primarily designed to make health insurance more portable and to encourage health insurers and providers to conduct transactions electronically. Privacy and security were the “oh, yeah, that too” add-ons to be fully addressed once electronic health information transactions were underway and EHR systems needed to support them already up and running. Since 1996, EHRs have developed at a clunky provider-by-provider (or health system-by-health system) and patient encounter-by-patient encounter basis, not only making them less accurate and efficient, but vulnerable to privacy and security lapses. (Think of the vast quantity of patient information breached when a hospital’s EHR or a health plan’s claims data base is hacked.)

This past June, I participated on a California Israel Medical Technology Summit panel discussing privacy and security issues. An audience member asked the panel whether we thought blockchain technology was the answer to HIPAA and other privacy and security-related legal requirements. I didn’t have a good answer, thinking “isn’t that the technology used to build Bitcoin, the payment system used by data hackers everywhere?”

This past July, Ritesh Gandotra, a director of global outsourcing for Xerox, wrote that blockchain technology could overhaul our “crippled” EHR management system. Gandotra writes “Historically, EHRs were never really designed to manage multi-institutional and lifetime medical records; in fact, patients tend to leave media data scattered across various medical institutes … This transition of data often leads to the loss of patient data.” He goes on to explain how blockchain, the “distributed ledger” technology originally associated with Bitcoin, can be used to link discrete patient records (or data “blocks”) contained in disparate EHRs into “an append-only, immutable, timestamped chain of content.”

Using blockchain technology to reconfigure EHRs makes sense. Ironically, the design flaw inherent in HIPAA’s original 1996 design (the promotion of electronic health transactions to foster portability and accountability in the health insurance context while treating privacy and security as an afterthought) can be fixed using the very same technology that built the payment network favored by ransomware hackers.