HHS’ Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year

The Department of Health and Human Services Office for Civil Rights had a record year for settlements from its enforcement of the nation’s largest healthcare privacy law. 

In 2018, OCR settled 10 cases and secured one judgment, totaling $28.7 million in fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) by healthcare providers and health-related companies. That total is 22% higher than the previous record of $23.5 million in 2016.

That was due in part to the single largest HIPAA settlement in history: $16 million from Anthem Inc. The insurer agreed in October to pay HHS the settlement for a landmark 2015 breach that impacted nearly 79 million consumers.

An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity or identify and respond to a known threat.

The previous record settlement was $5.5 million in 2016.

  • The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty issued by an administrative law judge in June—the second summary judgment victory in OCR’s history of HIPAA enforcement. The cancer center faced penalties over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.

    An investigation found that MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.
  • Fresenius Medical Care, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk assessment, which led to five separate data breaches over a five-month period in 2012. 
  • Cottage Health agreed to pay $3 million to OCR and “to adopt a substantial corrective action plan” after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.
2018 OCR HIPAA enforcement actions:

Date        Entity (action)                                      Amount
Jan. 2018   Filefax Inc. (settlement)                            $100,000
Jan. 2018   Fresenius Medical Care North America (settlement)    $3.5M
June 2018   MD Anderson (judgment)                               $4.35M
Aug. 2018   Boston Medical Center (settlement)                   $100,000
Sep. 2018   Brigham and Women’s Hospital (settlement)            $384,000
Sep. 2018   Massachusetts General Hospital (settlement)          $515,000
Sep. 2018   Advanced Care Hospitalists (settlement)              $500,000
Oct. 2018   Allergy Associates of Hartford (settlement)          $125,000
Oct. 2018   Anthem Inc. (settlement)                             $16M
Nov. 2018   Pagosa Springs (settlement)                          $111,400
Dec. 2018   Cottage Health (settlement)                          $3M

“HHS’ Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year”. Fierce Healthcare, US. Retrieved February 28, 2019.

Former Aetna Medical Director Admits To Never Reviewing Medical Records Before Denying Care

Is this the exception or the rule?

In an eye-opening exclusive reported by CNN, it was revealed that former Aetna Medical Director, Dr. Jay Ken Iinuma, admitted under oath that “he never looked at patients’ records when deciding whether to approve or deny care.”

This admission was made during a deposition in a lawsuit brought against Aetna by Gillen Washington, a 23-year-old with common variable immune deficiency (CVID) who was denied coverage for an infusion of intravenous immunoglobulin (IVIG) four years ago.

California’s insurance commissioner, Dave Jones, is now looking into Aetna’s relevant protocols.

In his deposition, Iinuma, as reported by CNN, “said he was following Aetna’s training, in which nurses reviewed records and made recommendations to him.”

In this particular case, Iinuma admitted that he had minimal if any knowledge of the medical condition, common variable immune deficiency (CVID), that Washington suffered from. He was also not clear about what the most effective drug would be to treat the patient’s condition, the symptoms of CVID, or even the consequences of the abrupt discontinuation of therapy for the condition.

“Do I know what happens?” Iinuma said. “Again, I’m not sure…I don’t treat it,” according to the deposition, as reported by CNN.

Further, when asked by Washington’s attorney whether it was his general practice to look at medical records as part of his decision-making process, he replied that it was not.

This opens up the obvious question of just how transparent health insurers are being with the public regarding their process for approval or denial of coverage, especially for complex medical care and procedures.

Aren’t we to expect that an experienced and knowledgeable physician would review a person’s medical records before approving or denying a potentially disease-modifying therapy or treatment?

In Aetna’s response to CNN’s inquiry, the company said “we…look forward to explaining our clinical review process.”

And we, the public, certainly look forward to learning more about it.

“Former Aetna Medical Director Admits To Never Reviewing Medical Records Before Denying Care”. Forbes Media, US. Retrieved February 28, 2019.

Doctors snooped into Humboldt Broncos patient records, privacy commissioner finds

Saskatchewan’s privacy commissioner has found several people inappropriately gained access to the electronic health records of the Humboldt Broncos team members involved in a deadly bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi-trailer at a rural Saskatchewan intersection on April 6, 2018.

“This has been a major tragedy in our province and I’m disappointed that people got tempted,” information and privacy commissioner Ronald Kruzeniski said in an interview with The Canadian Press on Monday. “Now that it’s happened … it’s my job to work with others through education and legislative change (to) make the system work.”

In four reports posted on his website, Kruzeniski noted that eHealth Saskatchewan began monitoring the profiles of the patients — which included lab results, medication information and chronic diseases — three days after the crash.

From April 9, 2018, to May 15, 2018, the health agency detected that at least seven users, mostly doctors, had accessed the system to view the profiles of up to 10 patients.

The reports said that eHealth reported the breaches to the privacy commissioner.

Kruzeniski detailed the privacy breaches in those reports.

In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The assistant admitted she consulted the records because “her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient … (and) she wanted to verify a detail that was reported by the media about one of the individuals.”

The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned.

Another case involved a doctor at a Humboldt clinic who viewed the records of two people who were patients prior to the crash.

“Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality,” said the report. “For the other individual, Humboldt clinic explained to eHealth that Dr. D was concerned.

“Based on these explanations, Dr. D did not have a need-to-know.”

Other breaches included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.

“They believed they were in the individuals’ ‘circle of care,’” said the report.

The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

“You are entitled to access when you have a need to know, not an anticipated need, not, ‘Gee, I might like to know,’” he explained.

During the monitoring period, two medical residents also looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.

Kruzeniski made a number of recommendations to eHealth — including that it conduct regular monthly audits for the next three years of the physicians involved.

The privacy commissioner also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that users of eHealth be made to regularly review their training.

A statement from eHealth said it took a number of measures to address the breaches, including notifying the privacy commissioner and the families affected.

It terminated the account of the medical office assistant, suspended the accounts of the medical residents until they had further training and sent letters to the doctors. It’s reviewing the recommendations from the privacy commissioner.

The Saskatchewan Health Authority said it is also following up on the breaches and apologized to the patients and their families.

“We are deeply sorry that the situations described in the privacy commissioner’s reports may add to their stress,” the authority said in a statement.

“We believe the physicians cited in the cases … specifically those who provided care to the patients affected, acted in good faith and out of sincere concern for the patients and families touched by this terrible tragedy.”

The health authority said it will work with the Ministry of Health on possible amendments to privacy regulations.

“Doctors snooped into Humboldt Broncos patient records, privacy commissioner finds”. National Post, Canada. Retrieved February 15, 2019.

Healthcare record breaches tripled in 2018

There was at least one health data breach a day, and 503 health data breaches overall, in 2018, according to an analysis released this week.

The number of breached patient records tripled in 2018, to the tune of some 15 million patient records, according to research released this week.

Those numbers – 5,579,438 records in 2017 to 15,085,302 records in 2018 – come despite only a modest uptick in health data breaches, from 477 in 2017 to 503 in 2018.

The research, Protenus’ 2019 Annual Breach Barometer Report, looked at healthcare data breaches reported in 2018, including information taken from the Department of Health and Human Services’ Office for Civil Rights, letters to state attorneys general, and Databreaches.net.

The numbers are roughly in line with research the firm published throughout last year. In August it said 3.14 million patient records were breached across 150 incidents in Q2 alone, a figure which, extrapolated across a full year, comes close to 15 million records.

Looking at the cause of breaches, hacking-related incidents took the cake in 2018, accounting for 44 percent of breaches, a share that corresponds to a jump in incidents from 178 in 2017 to 222 in 2018. Insider incidents, a category in which the researchers included both human error and insider wrongdoing, were still prevalent but less so than the previous year. In 2017 insiders carried out more than a third of breaches, 37 percent; in 2018 insiders committed 28 percent of breaches.

Nearly half, 49 percent, of incidents involved the disclosure of health data by a business associate or other third party. Family snooping remains a big issue and a cause of breaches too: 67 percent of insider breaches came as the result of family members, while snooping co-workers were responsible for 16 percent.

It should come as little surprise that healthcare providers were among the hardest hit in 2018, accounting for 353 breaches, roughly 70 percent of all breaches. Sixty-two of the breaches were reported by health plans and 39 were reported by other entities.

Those statistics lend credence to research published last November that suggests that more protected health information (PHI) is leaked by healthcare providers, not hackers. Research carried out by Michigan State University and Johns Hopkins University found that a quarter of the cases the researchers looked at were caused by internal unauthorized access or disclosure, more than twice the amount caused by external hackers.

That’s just one research paper, one that looked at breaches between October 2009 and December 2017, it should be added.

The 44 percent figure in Protenus’ research accounts for 11.3 million patient records impacted by hacking in 2018, more than three times the 3.4 million compromised by hacking in 2017.

One of 2018’s biggest breaches came after AccuDoc, a third party billing vendor of Atrium Health, formerly Carolinas HealthCare System, experienced a breach in September. The North Carolina-based healthcare system indirectly had the billing information of 2.65 million people compromised as a result. Insurance policy information, medical record numbers, invoice numbers, account balances and dates of service may have also been accessed.

These days, it’s difficult for healthcare organizations to be completely immune from cyberattacks. A survey published by the Healthcare Information and Management Systems Society (HIMSS) earlier this month said that two-thirds of non-acute and vendor organizations experienced a security incident over the last 12 months. Put another way, only a small fraction of respondents, 22 percent, said they didn’t experience a significant security incident during the past 12 months.

Securing a modern healthcare organization can be a challenge but is essential in order to safeguard patient data. The Office for Civil Rights at the US Department of Health and Human Services encourages organizations to perform security risk assessments to identify vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Organizations should also perform security training and phishing simulation tests, and mitigate the issues inherent in legacy systems.

Implementing a data protection platform that can secure PHI, whether in the cloud, on internal desktops and laptops, or on network servers, can ensure data security while satisfying the requirements of today’s regulatory environment.

“Breached Healthcare Records Tripled in 2018”. Digital Guardian, US. Retrieved February 15, 2019.

Verizon 2018 Data Breach Investigations Report

What went wrong? An exploration in trends and data.

Within the 53,000+ incidents and 2,200-odd breaches you’ll find real takeaways on what not to do, or at the very least, what to watch for.

At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out. And, the 2018 Data Breach Investigations Report (DBIR) is full of nefarious events by offenders both known and unknown.

However, that same catalog of unscrupulous activities offers security pros a first-hand view into current cybercrime trends, and a map towards developing a prosperous and mature security program.


Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats. Employees are also abusing their access to systems or data, although in 13% of cases, it’s driven by fun or curiosity—for example, where a celebrity has recently been a patient.

The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry.

Not easy like Sunday morning

If we were to assess the overall wellness of the Healthcare vertical with regard to security, the prognosis would not be terrifying, but neither would it be encouraging. Something along the lines of “greatly improve your diet, stop smoking and increase your workout routine or else” would cover it. Before we judge them too harshly, however, we must keep in mind a few important facts about the Healthcare vertical:

  • They deal with a vast amount of highly sensitive data that they must retain and protect;
  • That data must be kept current and accurate and must be accessible in a very timely manner for the healthcare professionals who need it (as life or death decisions might be based on it);
  • It is subject to a much higher standard of scrutiny with regard to privacy and disclosure requirements than are most other verticals, due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Et tu, Brute?

As Caesar found out the hard way, often those who do you the most harm can be those closest to you. The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both error and employee misuse in this vertical. With regard to incidents, Healthcare is almost seven times more likely to feature a causal error than other verticals in our dataset, but you might not want to ponder that when you go in to get that appendix removed.

Errors most often appear in the form of misdelivery (62%)—which is the sending of something intended for one person to a different recipient—and is followed by a grouping of misplacing assets, misconfigurations, publishing errors and disposal errors.

Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.

Ransomware is everywhere

No doubt over Thanksgiving dinner you and your family fell in to conversation about the possible reasons for the rise of the Crimeware pattern to the number two position in the Healthcare vertical. Of course, you did. It’s only natural. It is due to the ransomware epidemic that continues to plague the Healthcare industry. Ransomware accounts for 85% of all malware in Healthcare. Due to Department of Health and Human Services regulations, ransomware outbreaks are treated as breaches (rather than data at risk) for reporting purposes. Consequently, it is difficult to know if Healthcare is more susceptible to ransomware than are organizations in other industries, or if the high percentages of it being recorded are simply a product of more stringent reporting requirements. Regardless of the reason, the wise security practitioner will take immediate steps to combat this ubiquitous attack type. Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, it is likely here for a lengthy stay in spite of the quality of the hospital food.

Please do not feed the phish

Social attacks (mostly phishing and pretexting) appear in approximately 14% of incidents in Healthcare and are a definite matter for concern. Phishing (70% of social attacks) occurs when an attacker sends a communication—usually an email—to an individual attempting to influence them to open an infected file or click on a malicious link. Once the victim clicks, the criminal can upload malware and engage in other insidious acts that will enable prolonged access to the system. Pretexting (20%) is a similar social attack but is somewhat more involved. In this scenario, the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack. Like a sort of Norman Vincent Peale gone wrong. Healthcare has a wide attack surface for social tactics due to the very nature of what they do. Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.

Please report to lost and stolen

The theft of assets accounts for 90% of the physical action types in Healthcare. The number of stolen assets also went up this year, but that is likely caseload bias. Regardless, laptops and other portable devices, and paper documents consistently go missing from healthcare organizations each year. Victim work areas (offices) account for 36% of theft locations, and employees’ personal vehicles account for 32% of theft. The latter is particularly worrisome because in many instances, the asset in question residing in an employee’s personal vehicle was likely to be a policy violation. However, it must be admitted that we do not have the hard data to definitively prove that statement, but it is offered in the same spirit as “Do you know what the penalty for cruelty to laptops is in this state? No, sir, I don’t. Well, it’s probably pretty stiff.”

Things to consider

Dr., I can’t read this Rx

The theft or misplacement of unencrypted devices continues to feed our breach dataset. Full Disk Encryption (FDE) is both an effective and low-cost method of keeping sensitive data out of the hands of criminals. FDE mitigates the consequences of physical theft of assets by limiting exposure to fines and reporting requirements. Reduce your risk footprint where you can. Seriously, please do this as we are tired of repeating this same recommendation!

Institute a smackdown policy

Ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses. Make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need there is potential for corrective actions.
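The monitoring this recommendation calls for, and the need-to-know rule the Saskatchewan privacy commissioner applied in the Humboldt Broncos reports above (access is authorised only while the user is actively caring for the patient; a closed emergency encounter or a perceived “circle of care” does not count), can be expressed as a review over EHR access logs. The following is an added example, not code from Verizon, eHealth Saskatchewan or any EHR vendor: the log format, user names, patient ids, watchlist, monitoring window and care-relationship dates are all constructed for illustration.

```python
"""Need-to-know audit of EHR access logs (constructed example).

The log format, users, patient ids and care relationships below are invented
for illustration; no real EHR product is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log: timestamp, user, role, patient id, action.
AUDIT_LOG = """\
2018-04-09T08:12:03 dr_d physician P-1001 VIEW_SUMMARY
2018-04-09T08:13:40 dr_d physician P-1002 VIEW_SUMMARY
2018-04-09T10:00:00 dr_er1 physician P-1004 VIEW_SUMMARY
2018-04-10T14:02:11 moa_1 assistant P-1003 VIEW_SUMMARY
2018-04-10T14:03:25 moa_1 assistant P-1001 VIEW_LAB
2018-04-11T09:30:00 dr_er1 physician P-1004 VIEW_SUMMARY
2018-04-20T16:45:12 res_a resident P-1005 VIEW_SUMMARY
2018-04-20T16:46:02 res_a resident P-1001 VIEW_SUMMARY
2018-05-01T11:00:00 dr_d physician P-2001 VIEW_SUMMARY
2018-06-01T11:00:00 moa_1 assistant P-1001 VIEW_SUMMARY
"""

# Patients placed under heightened monitoring after an incident (constructed).
WATCHLIST = {"P-1001", "P-1002", "P-1003", "P-1004"}

# Monitoring window (the dates given in the commissioner's reports).
WINDOW_START = datetime(2018, 4, 9)
WINDOW_END = datetime(2018, 5, 15, 23, 59, 59)

# Care relationships: user -> {patient: (encounter start, encounter end)}.
# end=None means the encounter is still open. dr_er1 treated P-1004 in the
# emergency department from April 6 to April 10 (constructed dates); any
# access after that encounter closed is no longer covered by a need to know.
CARE_TEAM = {
    "dr_er1": {"P-1004": (datetime(2018, 4, 6), datetime(2018, 4, 10, 23, 59, 59))},
    "dr_d": {"P-2001": (datetime(2018, 1, 1), None)},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def has_active_relationship(care_team, user, patient, at):
    """True only if the user had an open encounter with the patient at time `at`."""
    span = care_team.get(user, {}).get(patient)
    if span is None:
        return False
    start, end = span
    return start <= at and (end is None or at <= end)


def review_reason(event, care_team, watchlist, window_start, window_end):
    """Return why an event needs human review, or None if it is in policy."""
    if not (window_start <= event.ts <= window_end):
        return None                      # outside the monitoring window
    if event.patient not in watchlist:
        return None                      # not a monitored record
    if has_active_relationship(care_team, event.user, event.patient, event.ts):
        return None                      # genuine need to know
    return f"{event.user} ({event.role}) viewed {event.patient} without an active care relationship"


def audit(events, care_team, watchlist, window_start, window_end):
    """Return [(event, reason)] for every access that fails the need-to-know test."""
    flagged = []
    for e in events:
        reason = review_reason(e, care_team, watchlist, window_start, window_end)
        if reason:
            flagged.append((e, reason))
    return flagged


def monthly_counts(flagged):
    """Per-user, per-month tally: the input for the recurring audits recommended above."""
    counts = defaultdict(int)
    for e, _ in flagged:
        counts[(e.user, e.ts.strftime("%Y-%m"))] += 1
    return dict(counts)


def run_audit():
    return audit(parse_log(AUDIT_LOG), CARE_TEAM, WATCHLIST, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for _, reason in run_audit():
        print(reason)
    print(monthly_counts(run_audit()))
```

Note that the emergency physician's April 9 access to P-1004 passes (the encounter was still open) while the April 11 access to the same patient is flagged, which is exactly the distinction the commissioner drew; the June access is ignored only because it falls outside the window, so the window should be as wide as the monitoring policy, not the incident.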

Don’t spread the virus

Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimize the impact that ransomware can have on your network. Our data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors.

“2018 Data Breach Investigations Report”. Verizon Enterprise, US. Retrieved February 18, 2019.

Four ways Aligned Risk Management makes HIPAA easier in 2019

Many health care organizations struggle to comply with required HIPAA regulations and many have forfeited important Merit-based Incentive Payment System (MIPS) incentive funds. Aligned Risk Management is here to ensure that every health care organization can affordably comply with HIPAA and MIPS. Below are four simple steps you can take today.

  1. Visit our HIPAA site.
  2. Call or email for a free HIPAA checkup.
  3. Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
  4. Check out our free FAQ.

Visit our HIPAA site.


Here you will find many free educational opportunities, tools, policy and procedure templates, and other important materials to assist you with your HIPAA compliance efforts.

Call or email for a free HIPAA checkup.

505-908-9040 or patrick@riskaligned.com

Have an easy conversation with our certified HIPAA professional and gain confidence about your current HIPAA and MIPS readiness, or find out what steps you can take to benefit your organization and patients.

Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.

505-908-9040 or patrick@riskaligned.com

Federal HIPAA regulations and the advancing care information (ACI) category of MIPS require you to perform an audit-worthy security risk analysis and complete a risk management plan to become HIPAA and MIPS compliant. Aligned Risk Management will guide you through the process and provide you with the policy and procedure templates, tools, and materials necessary to comply with HIPAA, pass an audit, and receive the MIPS incentives you deserve.

Check out our free FAQ.


Whether you are new to HIPAA or just need a refresher, you will find our HIPAA webinars informative and helpful. Join us as we share our HIPAA knowledge and experience, and answer your HIPAA

Memo: Train your staff on the use of password management software

Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts.

  • A password manager can help encourage the use of long, complex, and unique passwords.
  • A password manager can reduce the need for users to commit their passwords to memory, making it less likely that they could expose their passwords inadvertently to social engineering attackers.
  • Automated password managers will fail to populate password fields on look-alike phishing pages, which can alert users that they are not accessing the system they expected.
  • Best practices recommended by the National Institute of Standards and Technology (NIST) endorse the use of password managers.

“Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”

National Institute of Standards and Technology. NIST Special Publication 800-63-3: Digital Identity Guidelines.

Memo: Stop periodic password changes

Requiring users to change passwords periodically may encourage them to create less secure passwords. It may have worked 20 years ago, but it doesn’t work anymore. Stop it. Just stop it.

According to cybersecurity firm SecureState, password complexity policies combined with password aging policies consistently lead, on large systems, to a predictable percentage of passwords chosen by users to serve as seasonal mnemonics, e.g., Spring2017 or January18!.

Periodic password changes mitigate only a small number of risks. Those risks can be more effectively mitigated by other controls, including two-factor authentication.

Check out Aligned Risk Management’s Secure Passphrase Generator.

Cybersecurity research indicates that password aging policies provide only minimal security benefit because users will predictably create new passwords that can be easily guessed by an attacker who knows the old password.

“We believe our study casts doubt on the utility of forced password expiration. Even our relatively modest study suggests that at least 41% of passwords can be broken offline from previous passwords for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17% of accounts.”

Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.

A number of security experts have begun expressing skepticism about the utility of mandatory password changes, including Lorrie Cranor, Chief Technologist at the Federal Trade Commission, and Bruce Schneier, board member of the Electronic Frontier Foundation.

“But my favorite question about passwords is: ‘How often should people change their passwords?’ My answer usually surprises the audience: ‘Not as often as you might think.’ […] [U]sers who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”

Lorrie Cranor. Time to Rethink Mandatory Password Changes.

“The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember – and easy-to-guess – passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.”

Bruce Schneier. Changing Passwords.

Latest NIST standards no longer recommend periodic password changes.

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

National Institute of Standards and Technology. NIST Special Publication 800-63-3: Digital Identity Guidelines.
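The two memos above (password managers, and no periodic password changes) describe a verifier-side policy: a length floor, no composition rules, no arbitrary expiry, a forced change only on evidence of compromise, and rejection of the predictable seasonal mnemonics (Spring2017, January18!) that aging policies produce. The following is an added example, not code from Aligned Risk Management or NIST: the deny list, the seasonal pattern, the stem-based "trivial change" test and the 8-character floor are illustrative choices made here, and the weak `max_age_days=90` setting is shown only to contrast it with the corrected default.

```python
"""Memorized-secret policy in the spirit of the NIST SP 800-63-3 text quoted
in the memos above. Constructed example: deny list, thresholds and the
seasonal-mnemonic pattern are illustrative, not NIST text."""
import re
from datetime import date

MIN_LENGTH = 8  # floor for user-chosen secrets; no composition rules are imposed

# Stand-in for a list of common or previously breached passwords (constructed).
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome"}

# Season or month name, a 2- or 4-digit year, up to two trailing symbols:
# the Spring2017 / January18! shape the memo describes.
SEASONAL = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)(\d{2}|\d{4})[^a-z0-9]{0,2}$",
    re.IGNORECASE,
)


def _stem(secret):
    """Lowercase and strip trailing digits/symbols: 'Hospital43!' -> 'hospital'."""
    return re.sub(r"[^a-z]+$", "", secret.lower())


def check_new_secret(new, previous=None):
    """Return the list of policy violations; an empty list means accepted.

    Deliberately no character-class rules (SHOULD NOT per SP 800-63-3):
    length, a deny list, predictable patterns and trivial edits of the
    previous secret are what the verifier checks instead.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if new.lower() in DENY_LIST or _stem(new) in DENY_LIST:
        problems.append("on deny list")
    if SEASONAL.match(new):
        problems.append("seasonal mnemonic")
    # At change time the user supplies the old secret, so the verifier can
    # refuse "same word, next number" edits without storing plaintext.
    if previous is not None and _stem(new) and _stem(new) == _stem(previous):
        problems.append("trivial change of previous secret")
    return problems


def change_required(last_changed, today, compromised, max_age_days=None):
    """Decide whether the verifier must force a change.

    Weak setting: max_age_days=90 makes the calendar alone force rotation.
    Corrected setting (the default, None): only evidence of compromise does,
    which is the SHALL / SHOULD NOT pair quoted above.
    """
    if compromised:
        return True
    if max_age_days is not None:
        return (today - last_changed).days >= max_age_days
    return False


if __name__ == "__main__":
    for candidate in ["Spring2017", "January18!", "Password1", "correct horse battery staple"]:
        print(candidate, check_new_secret(candidate))
    print(check_new_secret("Hospital43", previous="Hospital42"))
    print(change_required(date(2018, 1, 1), date(2018, 6, 1), compromised=False))
```

The passphrase with spaces is accepted as-is, which is the point of dropping composition rules; pairing this with a browser or manager paste path (the SHOULD in the first memo) is a UI decision outside the verifier and is not modelled here.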

EHRs are killing medical innovation

“The purpose of humanity is not just to sit behind a counter and do things. More free time is not a terrible thing.”

Bill Gates, paraphrased

I have innovated. I developed a mutation assay. I discovered that vacuum ultraviolet light from excimer lasers is safe to use on human tissue. I invented an imaging device to detect burn wound depth and discovered the best laser to debride burn wounds. I invented a laser-based treatment for acne. I developed and patented an online gamified collective intelligence solution to identify dermatology images. I have participated and published as a clinician in numerous population health studies. I’ve got a few more things that I want to build and do based on my four years of medical school education, eight years of post-medical school residency and fellowship training in internal medicine, dermatology and cutaneous surgical oncology and two decades of clinical practice. Ideas for innovation arise from experience as a clinician-physician. We physician-clinicians care for patients, use all our senses, and our minds to recognize problems and apply solutions to improve the value (outcomes/costs) of preventive, medical, surgical or palliative outcomes. One needs to spend only a few hours in the basement stacks of Harvard’s Countway Medical Library to recognize the speed of physician-clinician led medical innovation which has in many ways dwarfed Moore’s Law.

For physician-clinician innovation to occur, doctors need extra hours to work on innovative projects. Clinician-physicians working alone or with others often sacrifice family and friends to accomplish meaningful innovation, but the pay-off, intrinsically for the physician and extrinsically for society and patients, has been worth it. Impediments to physician-clinician-led innovation have developed during the last five years that are robbing continued progress against diseases and optimized preventive, medical, surgical and palliative care outcomes. The gift of giving clinicians time to gaze, dream and work together to apply the art and sciences of medicine towards the advancement of health care innovation has been stolen by the electronic health records (EHR) and insurance company prior authorization (PA) rationing industries.

When EHRs were first introduced, health information technology seemed like a sound idea. Patient personal medical health information, labs, photos as well as physicians’ assessments and plans would be inputted into interoperable EHRs by physicians around the nation. The EHR in return would tabulate and reveal individual and aggregated data from interoperable EHRs according to all medical chart variables, resulting in optimized preventive, medical, surgical and palliative outcomes and costs as well as improved clinical safety for patients and clinical efficiency for their physicians. We now know, despite federal law forcing American physicians to lease EHRs plus an additional $35 billion in taxpayer subsidies poured into the EHR industry — none of the assumed clinical advantages of EHRs have reached fruition. Blockchain- or FHIR-type decentralized interoperable encoded population health benefiting patients and physicians isn’t happening because optimizing data value (outcomes/cost) solutions are proprietary to industry and may diminish the earnings of the health insurance, pharmaceutical, medical malpractice, hospital, and EHR industries.

Another major unintended consequence of the government forcing physicians to use EHRs has been the shift of physician-clinician work, financial resources and time away from direct patient care and innovation into manual data entry. A recent study published in the Annals of Internal Medicine revealed that for every hour a physician spends in direct patient care, the physician must perform two hours of EHR data entry. A similar study by the AMA reveals that physicians’ EHR data entry tasks often follow the physician home into the late evening hours (“pajama time”), leaving little time for extra-clinical activities such as family, friends and continuing medical education or innovation. Yet not one EHR company in America will be transparent and reveal its physician time-motion EHR use data to refute the damning published research. Most patient personal health information, lab data and images entered by physicians (who pay the EHR companies for the privilege of entering data) are sold by the EHR companies to ancillary health care companies but are not tabulated, aggregated and returned to physicians or patients to improve outcomes/costs.

With little or no extra time for extracurricular activities beyond their practices and inputting data for sale by the EHR companies, there can be little physician-clinician innovation on any kind of translatable scale.

In addition to the EHR industry, another time drain has developed that interferes with the ability of physician-clinicians to innovate. Until recently, physicians would use their clinical intelligence, based on years of training, continuing medical education and clinical experience, to optimize preventive, medical, surgical and palliative outcomes and costs for their patients and their families. Physicians perform histories and physical examinations, often resulting in prescriptions for medications, diagnostic orders, specialist referrals or recommended treatments to optimize preventive, medical, surgical and palliative outcomes for patients and their families. This science of the physician-patient interaction combined with the art of empathy is the essence of what doctors do.

Today, most private health insurance corporations ration and interfere with physicians’ diagnostic and treatment decisions via a health insurance industry solution termed “prior authorization” (PA) to enhance insurance company profits. Prior authorization forces millions of patients and their physicians to spend hours each day manually completing multiple pages of paper or internet forms for re-submission to a non-physician insurance industry bureaucrat who, after days, weeks or months of delay, decides whether the physician’s recommended diagnostics or treatments for his or her patient will be reimbursed or allowed by the health insurance company.

Most often, health insurance corporate PA decisions against the patients and against medical advice are not made by a board-certified physician who performs a history or physical exam or discussion with the targeted patient. There is not a patient or physician in America with private health insurance who hasn’t experienced the demeaning and potentially dangerous task of manual PA health care rationing of medications, diagnostics or treatments. What’s good for the patient based on the physician’s assessment may be harmful to the earnings of the insurance or pharmaceutical benefits company, and thus PA rationing was spawned.

Spending tens of hours each week on the clinically valueless and inefficient tasks of data entry into EHRs and attempting to override insurance company prior authorization rationing leaves no time for the physician-clinician to innovate or iterate advances in medicine. The future of health care, and the value (outcomes/costs) of health care in America, will continue to be damaged by the EHR and health insurance industries as they inhibit clinician-physicians from participating in medical innovation and clinical translation in America.

“EHRs are killing medical innovation”. Kevin MD, US. Retrieved February 15, 2019.

How our company’s public exposure benefited from the government shutdown

Sit back, relax, and read my story about how the Aligned Risk Management team was able to benefit in a most unexpected way from the recent government shutdown.

The longest partial government shutdown in the history of the United States was ended recently. It began on December 22, 2018 after Democrats refused to support a new temporary continuing resolution in the Senate that included approximately $5 billion for the new border wall. Lasting 35 days, the deadlock was resolved on January 25, 2019.

With a 1980 interpretation of the 1884 Antideficiency Act, a “lapse of appropriation” caused by political impasse on proposed appropriation bills requires that the federal government curtail agency activities and services, close down non-essential operations, furlough non-essential workers, and only retain essential employees in departments covering the safety of human life or the protection of property.

This lapse of appropriation impacted the National Institute of Standards and Technology. NIST is a physical sciences laboratory, and a non-regulatory agency of the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness. The institute’s activities are organized into laboratory programs. For our purposes, we’re going to focus on the institute’s information technology standards.

NIST has published a great number of excellent standards followed by innumerable businesses, government agencies, and the like. They’re referred to as NIST Special Publications, which are a type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Just days before the shutdown, NIST released the highly anticipated Risk Management Framework 2.0. The shutdown directly impacted the availability of this new document, as the NIST website was partially taken offline.

For about 35 days, the Aligned Risk Management team and the entire country were unable to review certain NIST Special Publications that serve as standards for the information technology industry and related fields.

Aligned Risk Management takes great pride in consolidating the best industry practices in information technology, security, and privacy, and relies on standards set by NIST and other trusted bodies. As such, we were among those that were anticipating the release of the Risk Management Framework 2.0. We published a story related to the release.

Everyone these days is aware of Search Engine Optimization, or SEO. Do your keywords right and you’ll show up better in search results. As a result of our increased focus on our own SEO, the unavailability of the NIST site allowed Aligned Risk Management to pick up on some of the NIST-specific keyword traffic during the shutdown.

Aligned Risk Management’s quantifiable benefits resulting from the partial government shutdown, in the form of Google analytics.

The unavailability of certain web pages caused Google, Bing, DuckDuckGo, and other search engines to penalize the cached listings of NIST in search results. The timing was perfect, and Aligned Risk Management picked up considerable traffic for search terms related to the NIST Risk Management Framework 2.0 for obvious reasons: our page was available and theirs wasn’t.

In unrelated news, here’s our copy of NIST Special Publication 800-63-3: Digital Identity Guidelines. You know, just in case.

The team at Aligned Risk Management wishes to thank President Donald Trump, Speaker of the House Nancy Pelosi, and the United States Senate for allowing us to take such great leaps in public exposure. We promise to use this newfound publicity wisely.

That’s my story. Thanks for reading.