Stolen Personal Information

Hackers continue to steal data from companies the world over, with a recent victim in Sony.  In that case, Sony apparently delayed reporting the loss to the 77 million users whose data was compromised, including dates of birth and possibly credit card numbers.

In late March, Epsilon reported that hackers had stolen the names and email addresses of individuals who receive business newsletters from Epsilon’s clients, which include a number of well-known companies such as Best Buy and Robert Half International.  Considering that Epsilon delivers over 40 billion emails a year for its clients, this breach raises the chances of better-targeted phishing attacks, particularly against customers of banks that have used Epsilon for email marketing.

There should be no surprise that the regulatory penalties for data breaches continue to escalate.  Security breach notification procedures were codified into the 2009 ARRA legislation for health care providers.  ARRA Health Tech Initiatives Section 13402 of the ARRA legislation (on page 17 of the linked pdf file) puts the responsibility on a covered entity to notify its customers of a data breach where unauthorized access is gained to “unsecured” protected health information.  In layman’s terms, “unsecured” PHI is data that is not encrypted.  So, for example, a typical relational database stores its data in physical files on a computer hard drive or array.  Some database systems encrypt these files so that you could not just open up the file in Notepad and read its contents.  If a hacker were to gain physical access to the server where these files were located, he or she might not be able to read them without further access (for example, with an administrator-level username and password to directly query the database).  Notification to patients would not likely be required in this circumstance if you could show the hacker gained physical access but not database-level access.

Does your database encrypt its stored data files?  Not all database software, and not all versions of specific database software, provide for native encryption.  For example, the data files of your Microsoft Access database are not likely to be encrypted.  For performance reasons, data files for MS SQL Server databases may also not be encrypted.  But, even if your database file is encrypted, if the administrator password to the database itself is blank or easy to guess (like “admin”), you may still have trouble brewing back at the server room.
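For a Microsoft SQL Server instance, both questions can be checked with read-only audit queries. The following is an added example, not part of the original post; it assumes SQL Server 2008 or later (where Transparent Data Encryption exists) and a sysadmin-level login, and the sample password 'admin' is taken from the paragraph above.

```sql
-- Added example: audit encryption at rest and weak SQL logins on SQL Server.
-- Read-only; run as a sysadmin-level login.

-- 1. Which databases have their data files encrypted with TDE?
SELECT d.name AS database_name,
       d.is_encrypted,
       CASE k.encryption_state
            WHEN 0 THEN 'no key, not encrypted'
            WHEN 1 THEN 'key present, not encrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
            ELSE 'no encryption key'        -- no row in the DMV for this database
       END AS tde_state,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
ORDER BY d.is_encrypted, d.name;

-- 2. Which enabled SQL logins have a blank password, a password equal to
--    the login name, or the guessable sample 'admin'?
SELECT l.name AS login_name,
       l.is_policy_checked,                 -- 0 = password policy not enforced
       l.is_expiration_checked
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND (   PWDCOMPARE('', l.password_hash) = 1
       OR PWDCOMPARE(l.name, l.password_hash) = 1
       OR PWDCOMPARE('admin', l.password_hash) = 1);
```

Any login returned by the second query gives database-level access that file encryption does not protect against.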

Here is a list published by HHS of data breaches reported to it under ARRA’s notification requirements.  Do you see your physician on this list?  If things continue, you may sooner rather than later!

China Registrar Scam

I received this email today for my domain name,  Allegedly, another company wants to register my domain name as a .cn and .asia domain.  I can’t imagine that there are actually people in China that would be that interested in a Maryland attorney’s web site (maybe the same people looking to hire me to enforce a Maryland judgment for $800,000 against some poor ex-husband, but in reality are trying to scam my attorney trust account).  However, you will note that the real China domain name registration center is CNNIC, and the registrar listed below,, is not listed on CNNIC’s list of authorized registrars.  So, this is almost certainly a scam.  I might have my lawyer send them a cease and desist letter!

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.  On April 18th 2011, We received HAITONG  company’s application that they are registering the name ” faithatlaw ” as their Internet Keyword and ” faithatlaw .cn “、” faithatlaw ” 、” faithatlaw .asia “domain names etc.., It is China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so I am sending you this Email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best Regards,

Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697

Social Media and Searching for Attorneys

The ABA Journal recently posted an article on a survey conducted by Harris of adults to determine how they would find a lawyer.  The days of yore when people used the yellow pages to find an attorney have apparently turned over: today, those same people are browsing the web.  That might be because some cities in the U.S. have banned or are thinking about banning the delivery of the old yellow phone book to try and save some trees.  Not surprisingly, however, the most common referral sources for an attorney are friends and family, followed by a satisfied former client who calls you again for legal help (these two were the clear leaders for referral sources).

So, should lawyers throw away their Facebook, Twitter, and blog accounts?  The Harris survey indicated that a lower percentage of survey respondents were somewhat likely to look at these sources to check out an attorney (20% or less).  That’s about the same as the number of relationships that start online, according to, if you believe the ads.  Interestingly, respondents to the survey were more likely to look at “innovative websites.”  Of course, that makes more sense.  Twitter is not a legal matching or legal news or even a lawyers-only web service.  But my web site is all about my firm. is a directory of lawyers and doctors.  When you think of lawyers, I would imagine that Twitter is not the first online resource that pops into your head.

Bottom line: integrate your Twitter and Facebook fan pages into your web site.  Google is becoming the new phone book for online referrals, and if you don’t show up in the first couple of pages of results, you are less likely to be found by a prospective client.

Who Is A “Meaningful EHR User”

You may have heard that the government is giving money away to encourage doctors to start using electronic health records (EHR) in the U.S.  For “eligible providers,” that is true if the provider (a) uses a certified-EHR, (b) in a “meaningful” way, (c) by a certain date (approximately 2015), and (d) is eligible under the Medicare or Medicaid program based on makeup of the provider’s patient panel.  So, I guess that is sort-of giving away money.

The point of providing money to eligible providers is that EHR technology is expensive to acquire, implement, and maintain.  In fact, that is probably true of most computer technology (ever had to call a computer guy to remove a virus from your computer?  I think they are starting to charge as much per hour as lawyers!)  In addition, while eliminating paper systems undoubtedly saves a practice some money in the longer term, at least in the short term, these savings will not be seen in physician budgets.  So it helps if Uncle Sam pitches in some taxpayer dollars to get things started.  In this case, several billion over the next five or six years for the early adopters out there.


But, just spending some money on a computer system is not enough to qualify for these incentive payments.  A provider must use a “certified” EHR.  Only certain EHRs are certified.  The list is available online here.  There are a number of organizations, like CCHIT, that act as certifiers of EHR systems.  These certifiers evaluate EHR software packages to determine if they have the minimum technology and functionality to be useful for practicing providers.  So, if you hire your IT-savvy son-in-law to write you a database to keep track of patient copays, you probably won’t be able to get those incentive payments!

“Eligible Provider”

Have a certified system?  Great.  But are you eligible under the program to receive the incentive payments?  That depends.  There are two basic tracks towards eligibility: Medicare and Medicaid.  You can obtain incentive payments under the Medicare program if you are a physician (including doctor of medicine, dental surgery, podiatric medicine, optometry, or a chiropractor) 45 CFR 495.100.  However, be careful.  If you are a physician, the amount that you can receive in incentive payments is a percentage of your total allowable Medicare charges, up to $15,000 for the first year, and less for the subsequent years.  So, if you have three Medicare patients that you see for $500 of allowable services a year, don’t expect a very large incentive check from the Medicare program.  See 45 CFR 495.102(a).

The other track is through the Medicaid program.  More providers are eligible under the Medicaid program, including physicians, dentists, certified midwives, nurse practitioners, and physician assistants (that lead a rural health center).  In order to receive incentive payments, the provider must have a patient panel where at least 30% of their patients are Medicaid recipients (20% for pediatricians), or the provider practices at a federally qualified health center and has a patient panel of which at least 30% are “needy individuals” (which are both uninsured and Medicaid-eligible patients).  See 45 CFR 495.302.

Meaningful Use

You have a certified EHR system and you are the kind of provider that can participate under Medicaid or Medicare.  Great!  But are you a “meaningful user” as defined by the relevant regulations?  Well, that requires more effort on your part.  Namely, you need to meet the objectives that are described in more detail in 495.6.  For eligible providers, you have fifteen objectives listed in 495.6(d) that are “core” or required objectives to be met.  In addition, you must also meet five of the ten possible “menu” objectives that are listed in 495.6(e).  If that seems like a lot, well, you might be right.  And this list comprises the “stage 1” objectives.  Stage 2 and Stage 3 objectives are currently on the drawing board, and are anticipated to become the meaningful use objectives starting in 2013 and 2015, respectively.

Can it be done?  With some effort.

Note: there are different rules for hospitals as compared to providers that work in an outpatient setting.  You can read the complete regulations here (sans the comments and explanations): EHR Final Rule no comments.

Proposed Stage 2 Meaningful Use Guidelines

The Health Information Technology Policy Committee (HITPC) published for comment its recommendations for stage 2 and stage 3 meaningful use guidelines in order for health care providers that are using a certified electronic health record to continue to receive incentive payments throughout the full five/six years of the incentive program.  A copy of these recommendations is here: MU Stage 2-3.

The Stage 1 final regulations were published last year.  Depending on the track and facility type, (whether through Medicare or Medicaid, and whether you are an eligible provider or eligible hospital), there are a number of “core” and “menu” requirements that must be met for an organization or individual provider to receive incentive payments for the first 2-3 years of the incentive program.  HITPC’s proposal would define the additional requirements that must be achieved by providers/hospitals in order to receive the balance of the incentive payments that are available.

In some cases, stage 2 and 3 goals are for the same thing (such as electronic prescribing), but the target is higher to achieve the goal (for example, in stage 1, an eligible provider is supposed to send prescriptions electronically at least 40% of the time, while stage 2 and stage 3 proposed goals are 50% and 80% respectively).  In other cases, HITPC has suggested that a “menu” requirement transition to a mandatory or “core” requirement for stage 2.  An example is the patient reminder that is on the stage 1 menu list for eligible providers at § 495.6(e)(4).  If patient reminders become a “core” or required objective, providers today should probably plan to try to comply with this menu item now if feasible, particularly if this is easier to implement as part of the core EHR package.

There are also some proposed new objectives for stage 2 and 3, such as the goal that 30% of patients have at least one electronic note in the EHR (which, if the practice has implemented the system in 2011, by definition, all patients seen would have one or more electronic notes in the system).

A simple Google search on these proposals will turn up many comments and criticisms of these proposed stage 2 and stage 3 objectives.  Importantly, practices that wait until 2013 or later to implement an EHR will have to comply with the then-current meaningful use stage immediately to be considered a “meaningful EHR user” under section 495.6.  See § 495.314.  Based on the present HITPC recommendation, waiting to implement an EHR will make it harder to be a “meaningful EHR user” as compared to those practices that have implemented this year and have had a chance to work out the bugs with the system and their workflows.

Health IT Investments in the US Health System

The federal government, through passage of legislation in 2009 as part of the American Recovery and Reinvestment Act (ARRA), has provided capital incentives for qualifying providers through the federal Medicare and state Medicaid programs who implement certified electronic health records systems in the coming years.  Over the next five or six years, the ARRA program will authorize literally billions of dollars in incentive payments to health care providers that can demonstrate “meaningful use” at each of the three regulatory stages as set by the Centers for Medicaid and Medicare (CMS).

Interestingly, while we are reasonably sure of some of the health care delivery problems today (such as medication errors, duplicate lab tests that are ordered by different providers, lack of coordinated care between various providers), there is less data on what impact EHR technology has on these problems.  This is in part because of the still relatively low adoption rates of EHRs throughout the U.S.  However, as reported here, a literature review of 154 articles published on health IT adoption indicated that most of the time, improvements have been attained by practices adopting an EHR.  These improvements include increased “access to care, patient satisfaction, efficiency, and effectiveness of care.”

The longer term effects of EHR technology are still to be seen on patient care, particularly as overall adoption rates increase among health care providers.

An Unscientific Survey on Legal Tech – Results

In preparation for speaking at the Small and Solo Conference on November 12, I solicited feedback from fellow MSBA solo attorneys via an online survey on technology.  My survey was designed to get at some basic questions on what solos use in their practice here in Maryland.  I received 32 responses from fellow attorneys, and I share some of the results here in comparison to a larger survey conducted last year by the American Bar Association.

I asked a series of multiple choice questions of respondents, including “what kind of technology do you use in your practice?” and “what online marketing resources do you use in your practice?”  I also asked respondents to categorize their practice, and how long they had been in practice.  The ABA’s survey asked respondents nationally whether the respondent used a smartphone in their practice (such as a blackberry or iPhone), whether the respondent used social media for their practice, whether the attorney used a Windows PC or a Mac to practice, and what kind of web-based research and practice management tools the attorney used.

There are some interesting differences between the ABA survey and my informal survey.  First, only 12% of ABA respondents indicated that they used some form of social media in their law practice.  However, Maryland respondents indicated a considerably higher utilization rate (42% used an online law directory listing service like, 39% used LinkedIn, and 23% used Facebook).  Second, only 4% of ABA respondents indicated that they used a Mac to practice law.  However, Maryland respondents indicated 6% used a Mac and another 13% indicated they used both a Mac and a PC to practice, suggesting that Macs have enjoyed a greater market penetration with attorneys who may have a legacy PC practice management system that they now operate in a virtual environment on their Mac.  Third, only 28% of ABA respondents indicated that they regularly used some kind of practice management system, whereas 70% of Maryland respondents indicated that they had and used one in their practice.  (Also notably, when asked what kind of practice management system, there was considerable diversity in the vendors named by responding attorneys).

Solos (at least here in Maryland), appear to be above average in their use of technology in their practices.  Perhaps this is by necessity in order to reduce overhead costs.  63% of survey respondents indicated that they were proficient with technology, but less than 19% indicated they felt they were experts.  Comments?

Some Technology Resources for Attorneys

I am scheduled to speak for the MSBA tomorrow at 10:45 at their annual Solo and Small Firm Conference, and will be talking about legal tech for attorneys.  As a part of that presentation, I have prepared a list of some additional resources for attorneys to help plan for their technology needs, particularly for those considering starting out as a solo practitioner.  Here are some additional resources from that list:

  • Nelson, et al., “The 2010 Solo and Small Firm Legal Technology Guide” (note that the 2009 version of this book is available on Google Books for free)
  • Siskind, et al., “The Lawyer’s Guide to Marketing on the Internet”
  • Susskind, “The End of Lawyers?  Rethinking the Nature of Legal Services”
  • Elefant, et al., “Social Media for Lawyers: The Next Frontier”

Here are some common web pages that I use in my practice:

And here are some additional web applications that may be helpful for attorneys:

The Small and Solo Conference is a great opportunity to learn more about Social Media, Technology for Practice, Legal Ethics, and a host of other timely and useful legal topics.  I hope you will join us tomorrow and Saturday!