Estate Planning in the Digital Age

One event remains certain for all of us, our inevitable end.  Planning for this eventuality is generally a good idea because you can help ensure that the people that survive you will be able to keep on keeping on.  This is why people have, for generations, written wills, powers of attorney, health care agent appointments, living wills or advance directives, and other legal documents.  All of these documents help to explain who is supposed to get what, and how your affairs should be closed out after your death.  The 21st century, however, has created a new set of problems with the rise of technology and the information age.  What happens to your online life when you die?  And how will your heirs access all of these things?

First off, computer security people have drilled into all of us to not share our passwords with others.  Besides having to change these passwords all of the time, users of most commercial information systems are used to having a password personal to them, which sometimes acts as a digital signature authorizing the commercial vendor to do certain things (for example, to trade stocks, post information, or to pay bills from a bank account).  In addition, security experts have also drilled that we should not write down our passwords, or attach them as post-it notes underneath our keyboards.  Furthermore, we have been taught to have different passwords for different services (so that, in the event of a password loss, the damage that might result would be limited to one or a few systems).  As a result, we probably keep a lot of passwords to a substantial number of systems, but we usually don’t tell anyone what these passwords are.  So what happens when we die?

For myself, I am just thinking about the computer passwords that I use on a regular basis: (a) one for my laptop, (b) one each for online banking at several different banks, (c) a passcode for my iPhone, (d) a passcode for my iPad, (e) passwords for blogs that I maintain online, (f) passwords for my web server, (g) passwords for online web sites that I use like amazon.com, ebay.com, iTunes.  I mean, I even had to create an account in order to update the software that programs my remote control for the T.V. at home!  I’m sure that if I sat down and thought about it, I would be able to write an even longer list.  Without help, I doubt my wife or any of my relatives would be able to access much, if any, of this.  Moreover, if I simply wrote out the whole list, I would have to periodically update my passwords for those systems that require that I regularly update (a growing percentage of my online accounts).

There do appear to be some subscription-based services available online today to help address this conundrum.  Dead Man’s Switch is one such service.  Another is called Death Switch.  There may be other services available.  Obviously, you would want to give some thought to what you are providing to the service, and what security is employed by the service that you sign up to use, given that you may end up leaving with it sensitive information to forward to people that you have designated.  I have not used either of these services.  If you are a user, please feel free to post comments to this post on your experience to date.

Turing Test, Computer Progress Towards Becoming “Human”

LiveScience reported that Cleverbot recently convinced 59% of the humans it interacted with that it was a human being by using crowdsourcing to help it respond appropriately to questions posed by human interrogators.  This exercise is based on Alan Turing’s hypothesis that eventually computer software would be created that could convince us humans that it was also human.  According to some, the fact that more than 50% thought it human suggests that Cleverbot may be more than clever – it may have, in fact, passed the Turing Test.

I decided I would interrogate Cleverbot to see how far it could get as an attorney.  I think it has some interesting responses, but if attorneys are worried that they will be replaced by it, I think all can breathe a collective sigh of relief for the moment.

Q: Why do so few Maryland courts grant 2-535(b) revisory motions?

A: Because they are realizing we are right and that makes them angry.

Q: Should a court grant a motion for summary judgment when there are material facts in dispute?

A: No. That’s not true love.

Q: Can a party survive a motion to dismiss in a breach of contract action if it fails to allege damages as a result of the breach?

A: I set up a nuclear missile to explode at the center of the earth.

Q: Why would you do that in response to a motion to dismiss?

A: You enjoy it.

Q: What is the statute of limitations for filing an action arising out of an intentional tort such as battery in Maryland?

A: What statement?

Q: The statute of limitations for bringing a claim?

A: *brings cookie*.

Q: I don’t want a cookie.

A: Sorry, what do you want then?

Q: I want to know how long I have to file an action for an intentional tort in Maryland.

A: Really listen to what people say.
Preparing for Disasters – Practical Preparedness

Disasters happen in the world, some of which may directly affect your organization.  Preparing for disasters, whether they be hurricanes, tornadoes, terrorists, hackers, power outages, fires, or earthquakes, means thinking about: (a) how your business operates today, (b) how your business would likely operate in the event of a disaster, and (c) developing some kind of testable plan for recovering from a variety of disasters that is practical but well-designed.  Preparedness is also a commitment to ongoing planning and the investment of a certain amount of resources each budget period to the process, because your plan will evolve with the extent and scope of your business as it changes over time.

In Maryland, there are no specific ethics rules that require lawyers to prepare for disasters, though common sense would tell an attorney that missing a deadline because of a disaster is still a missed deadline, and the loss or inadvertent disclosure of confidential client information is still a loss whether caused by a natural disaster or by simple human error.  Both circumstances can lead to an ethics complaint from a disgruntled client.  For attorneys, there are a number of resources available from the ABA to help firms do a better job of preparing for a disaster.

Doctors’ offices that are joining the electronic health record system revolution because of the incentives under ARRA will also need to have a plan for disaster recovery.  The HIPAA security regulations include standards for preparing to recover from disasters (45 CFR § 164.308(a)(7) is addressed specifically to contingency planning for covered entities and business associates).  The security regulations are cloaked in terms of “reasonableness,” which means that a covered entity’s disaster recovery planning efforts should be commensurate with the amount of data and resources it has.  So, a practice of two physicians that sees 8,000 patient visits a year is not expected to have its data available in three DR hot sites.  But, if you are a major insurance carrier, three DR hot sites might not be enough for your operation.  However, in neither case is no plan an acceptable answer.  Nor is a plan that has never been tested.

Risk Assessment

So where do you start?  The logical starting point is a risk assessment of your existing systems and infrastructure (also required of covered entities under the HIPAA security rules in section 164.308(a)(1)).  A risk assessment will guide you through gathering an inventory of your existing systems, and help to identify known and potentially unknown risks, along with the likelihood that such a risk will be realized and what you are doing now (if anything) to mitigate that risk.  The risk assessment will also help you to categorize how critical a system is to your operations, and will also identify severe risks that remain unmitigated.  This resulting list helps you to come up with a starting place for the next step: doing something about it.

The Disaster Plan

In parallel, you can also use the inventory of your existing systems and risks to develop a disaster recovery plan.  First, you now have a list of your critical systems, which are your highest priority to recover in the event of a failure.  Second, you also have a list of likely risks to those systems, with the likelihood based in part on your past experience with a particular disaster.  These lists help you to identify what you need to protect and what you need to protect against.  The other two questions you need to ask for each system are: (a) how much data can I stand to lose in the event of a disaster? and (b) how long can I wait to have my system restored to normal operations?

This analysis of your existing systems, risks, and business requirements will help lead the practice to a plan that includes procedures for how to function when systems are unavailable, and how to go about restoring an unavailable system within the business requirements of the practice.  Once you have your plan, and have implemented the systems or policies required by the plan, your next step is to test the plan.  Tabletop exercises allow you, in a conference room, to walk through the staffing, procedures, and possible issues that may arise as a result of a particular disaster scenario.  Technical testing permits your IT staff to make sure that a disaster recovery system works according to the expected technical outcomes.  Full-blown testing is to actually simulate a disaster, perhaps during non-business hours, and actually run through the disaster plan’s procedures for operations and IT.

Hypothetical

As an example, suppose that you have an electronic health record system.  This is a critical system based on the risk assessment.  In the last five years, you have had a virus that partially disabled your records system causing an outage for two business days, and you have had your database crash, causing you to lose a week’s worth of data.  You have implemented two mitigations.  The first is anti-virus software that regularly updates for definitions and regularly scans the system for viruses and removes them.  The second is a backup system that makes a backup of your system’s data on a weekly basis and stores the data in a separate storage system.

Based on interviews with the practice staff and owner, the records system is used as a part of patient care.  During normal business hours, an outage of the system can result in patients being re-scheduled, and also creates double work to document kept visits on paper and again in the record system when it becomes available.  The practice has indicated that the most it can be without the system is a single business day, and the most data that it can lose from this system is the most recent 4 hours of data entry (which can be reconstructed by the clinical staff that day).

You then evaluate the mitigations in place today that allow for a system recovery in the event of a likely disaster (virus or database crash, based on the past experience of the practice).  The backup system today only runs once per week, which means that a crash or virus that occurred later in the week would result in more than 4 hours of lost data.  Recovery from the backup device to a new server also appears to require more than a business day, because the practice has no spare server equipment available.  So you would have to start over with the existing server (installing the operating system, database software, and then restoring the data from the backup), or purchase a new server and have it delivered to complete the restore.

The conclusion here is that while there is an existing mitigation for recovery from a likely disaster, the mitigation does not meet the business requirements of the practice.
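The check above can be written down so it is repeatable for every system on the inventory.  The following is an added example, not code from the original post: it models the two business-requirement questions from the plan section (data loss tolerance, usually called the recovery point objective or RPO, and restoration time, the recovery time objective or RTO) and compares the hypothetical practice’s weekly backup against them, then against a constructed alternative plan.  The restore time for the existing setup and the whole proposed plan are assumptions for illustration; only the 4-hour and one-business-day figures come from the post.

```python
"""Added example: checking recovery mitigations against RPO/RTO requirements.

The numbers marked "from the post" are the hypothetical's; everything else
(the 8-hour business day, the restore durations, the proposed plan) is a
constructed assumption used only to illustrate the evaluation.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

BUSINESS_DAY_HOURS = 8.0  # assumption: one business day of operations


@dataclass(frozen=True)
class Recovery:
    """A recovery mitigation: something the practice restores from.

    Preventive controls such as anti-virus lower the likelihood of a disaster
    but are not a way to get data back, so they are deliberately not modelled.
    """
    name: str
    backup_interval_hours: float  # worst-case data loss: failure just before the next backup
    restore_hours: float          # time until the system is back in normal operation
    covers: frozenset             # disaster types this mitigation recovers from


@dataclass
class System:
    name: str
    rpo_hours: float              # "how much data can I stand to lose?"
    rto_hours: float              # "how long can I wait to have the system restored?"
    likely_disasters: frozenset   # from the risk assessment and past experience
    recoveries: List[Recovery] = field(default_factory=list)


def evaluate(system: System) -> List[Tuple[str, str]]:
    """Return (disaster, finding) pairs for every gap between plan and requirements.

    A disaster counts as mitigated only if at least one recovery path meets
    BOTH the RPO and the RTO; otherwise each applicable path's shortfalls are
    listed so the practice can see exactly what has to change.
    """
    findings = []
    for disaster in sorted(system.likely_disasters):
        paths = [r for r in system.recoveries if disaster in r.covers]
        if not paths:
            findings.append((disaster, "no recovery path: risk is unmitigated"))
            continue
        if any(r.backup_interval_hours <= system.rpo_hours
               and r.restore_hours <= system.rto_hours for r in paths):
            continue
        for r in paths:
            if r.backup_interval_hours > system.rpo_hours:
                findings.append((disaster, f"{r.name}: RPO gap, worst case loses "
                                 f"{r.backup_interval_hours:g}h of data, limit {system.rpo_hours:g}h"))
            if r.restore_hours > system.rto_hours:
                findings.append((disaster, f"{r.name}: RTO gap, restore takes "
                                 f"{r.restore_hours:g}h, limit {system.rto_hours:g}h"))
    return findings


def plan_meets_requirements(system: System) -> bool:
    return not evaluate(system)


# From the post: 4-hour data loss limit, one business day outage limit,
# a weekly backup to separate storage, and no spare server.  The two-day
# restore figure is constructed (rebuild OS + database + restore from backup).
EHR_TODAY = System(
    name="electronic health record (current plan)",
    rpo_hours=4.0,
    rto_hours=BUSINESS_DAY_HOURS,
    likely_disasters=frozenset({"virus", "database crash"}),
    recoveries=[Recovery("weekly backup", backup_interval_hours=7 * 24,
                         restore_hours=2 * BUSINESS_DAY_HOURS,
                         covers=frozenset({"virus", "database crash"}))],
)

# Constructed candidate for the budgeting step: backups every 4 hours plus a
# pre-built spare server so a restore fits comfortably inside a business day.
EHR_PROPOSED = System(
    name="electronic health record (proposed plan)",
    rpo_hours=4.0,
    rto_hours=BUSINESS_DAY_HOURS,
    likely_disasters=frozenset({"virus", "database crash"}),
    recoveries=[Recovery("4-hourly backup + spare server", backup_interval_hours=4.0,
                         restore_hours=4.0,
                         covers=frozenset({"virus", "database crash"}))],
)

if __name__ == "__main__":
    for system in (EHR_TODAY, EHR_PROPOSED):
        print(system.name, "-> OK" if plan_meets_requirements(system) else "-> GAPS")
        for disaster, finding in evaluate(system):
            print(f"  [{disaster}] {finding}")
```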

Budget for New Sufficient Mitigations

Once you have your list of unmitigated or insufficiently mitigated risks, the next step is to look for mitigations that you could implement on your network.  A mitigation might be a disaster recovery system or service, or it might be some other service or product that can be purchased (like anti-virus software, a hardware warranty, a staff person, etc.).  At this point, the help of a technical consultant may be required if you don’t have your own IT department.  The consultant’s role here is to advise you about what you can do and what the likely costs are to purchase and implement the solution which will meet your business requirements based on your likely risks for disasters.

Once sufficient solutions have been identified, the next step is to purchase a solution and implement it.  From there, testing is key as noted above.  An untested plan is not much of a plan.

Stolen Personal Information

Hackers continue to steal data from companies the world over, Sony being a recent victim.  In that case, Sony apparently delayed reporting the loss to the 77 million users whose data was compromised, including dates of birth and possibly credit card numbers.

In late March, Epsilon reported that hackers had stolen the names and email addresses of individuals who receive business newsletters from Epsilon’s clients, which include a number of well known companies such as Best Buy and Robert Half International.  Considering that Epsilon delivers over 40 billion emails a year for its clients, the chances have gone up of improved, targeted phishing attacks as a result of this breach, particularly for banking customers of banks that have used Epsilon for email marketing.

There should be no surprise that the regulatory penalties for data breaches continue to escalate.  Security breach notification procedures were codified into the 2009 ARRA legislation for health care providers.  ARRA Health Tech Initiatives Section 13402 of the ARRA legislation (on page 17 of the linked pdf file) puts the responsibility on a covered entity to notify its customers of a data breach where unauthorized access is gained to “unsecured” protected health information.  In layman’s terms, “unsecured” PHI is data that is not encrypted.  So, for example, a typical relational database stores its data in physical files on a computer hard drive or array.  Some database systems encrypt these files so that you could not just open up the file in notepad and read its contents.  If a hacker were to gain physical access to the server where these files were located, he or she might not be able to read them without further access (for example, an administrator-level username and password to directly query the database).  Notification to patients would not likely be required in this circumstance if you could show the hacker gained physical access but not database-level access.

Does your database encrypt its stored data files?  Not all database software, and not all versions of specific database software, provide for native encryption.  For example, the data files of your Microsoft Access database are not likely to be encrypted.  For performance reasons, data files for MS SQL Server databases may also not be encrypted.  But, even if your database file is encrypted, if the administrator password to the database itself is blank or easy to guess (like “admin”), you may still have trouble brewing back at the server room.

Here is a list published by HHS of data breaches reported to it under ARRA’s notification requirements.  Do you see your physician on this list?  If things continue, you may sooner rather than later!

China Registrar Scam

I received this email today for my domain name, faithatlaw.com.  Allegedly, another company wants to register my domain name as a .cn and .asia domain.  I can’t imagine that there are actually people in China that would be that interested in a Maryland attorney’s web site (maybe the same people looking to hire me to enforce a Maryland judgment for $800,000 against some poor ex-husband, but in reality are trying to scam my attorney trust account).  However, you will note that the real China domain name registration center is CNNIC, and the registrar listed below, ygnetworkltd.com, is not listed on CNNIC’s list of authorized registrars.  So, this is almost certainly a scam.  I might have my lawyer send them a cease and desist letter!

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.  On April 18th 2011, We received HAITONG  company’s application that they are registering the name ” faithatlaw ” as their Internet Keyword and ” faithatlaw .cn “、” faithatlaw .com.cn ” 、” faithatlaw .asia “domain names etc.., It is China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so I am sending you this Email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: http://www.ygnetworkltd.com

Disaster Recovery and the Japanese Tsunami

The art of disaster recovery is to plan for what may be the unthinkable while balancing mitigations that are both feasible and reasonable for your organization’s resources and circumstances.  On March 11, Japan was struck by a massive earthquake and tsunami that caused enormous destruction, estimated at a total loss of $310 billion.  Over the last several weeks, one of the major failures has been at the nuclear power complex in Fukushima, home to six nuclear power plants.  This disaster continues, as of the writing of this post, as at least two of the plants remain in a critical state because of a failure of the complex’s power and backup power systems that helped to control the temperature of the nuclear fuel rods used to generate power at the plants.

As an unfortunate consequence, many people have been exposed to more radiation than normal, food grown in the area of the plant has shown higher levels of radioactive materials than normal, radioactive isotopes in higher-than-normal concentrations have been detected in the ocean near the plants, and numerous nuclear technicians have been exposed to significant radiation, resulting in injuries and hospitalizations.  As far as disasters go, the loss of life and resources has been severe.  And like other major environmental and natural disasters, the effects of the earthquake and tsunami will be felt for years by many people.

Natural disasters like this one cannot be prevented.  We lack the technology today to effectively predict or control for these kinds of events.  And while these larger scale disasters are relatively rare, planners still need to assess the relative likelihood of such events, and develop reasonable mitigation plans to help an entity recover should such a disaster occur.  Computerized health records present an opportunity to permit recovery in that the data housed by these systems can be cost-effectively backed up and retained at other secure locations, permitting system recovery and the ability to continue operations.  In contrast to digital files, paper records are far less likely to be recovered were a tsunami or other similar natural disaster to occur and wash the records away.

Even the best recovery plan, however, will be severely tested should a major disaster be realized.  Japan was hardly unprepared for a major earthquake, and still is struggling to bring its nuclear facilities under control nearly three weeks later.  However, having a plan and testing it regularly will increase the odds of recovery.  My thoughts are with the Japanese during these difficult times.

Social Media and Searching for Attorneys

The ABA Journal recently posted an article on a survey conducted by Harris of adults to determine how they would find a lawyer.  The days of yore when people used the yellow pages to find an attorney have apparently turned over: today, those same people are browsing the web.  That might be because some cities in the U.S. have banned or are thinking about banning the delivery of the old yellow phone book to try and save some trees.  Not surprisingly, however, the most common referral source for an attorney is friends and family, followed by a satisfied former client that calls you again for legal help (these two were the clear leaders for referral sources).

So, should lawyers throw away their Facebook, Twitter, and blog accounts?  The Harris survey indicated that a lower percentage of survey respondents were somewhat likely to look at these sources to check out an attorney (20% or less).  That’s about the same as the number of relationships that start online, according to match.com, if you believe the ads.  Interestingly, respondents to the survey were more likely to look at “innovative websites.”  Of course, that makes more sense.  Twitter is not a legal matching or legal news or even a lawyers-only web service.  But my web site is all about my firm.  Avvo.com is a directory of lawyers and doctors.  When you think of lawyers, I would imagine that Twitter is not the first online resource that pops into your head.

Bottom line: integrate your Twitter and Facebook fan pages into your web site.  Google is becoming the new phone book for online referrals, and if you don’t show up in the first couple of pages of results, you are less likely to be found by a prospective client.

Who Is A “Meaningful EHR User”

You may have heard that the government is giving money away to encourage doctors to start using electronic health records (EHR) in the U.S.  For “eligible providers,” that is true if the provider (a) uses a certified EHR, (b) in a “meaningful” way, (c) by a certain date (approximately 2015), and (d) is eligible under the Medicare or Medicaid program based on the makeup of the provider’s patient panel.  So, I guess that is sort of giving away money.

The point of providing money to eligible providers is that EHR technology is expensive to acquire, implement, and maintain.  In fact, that is probably true of most computer technology (ever had to call a computer guy to remove a virus from your computer?  I think they are starting to charge as much per hour as lawyers!)  In addition, while eliminating paper systems undoubtedly saves a practice some money in the longer term, at least in the short term these savings will not be seen in physician budgets.  So it helps if Uncle Sam pitches in some taxpayer dollars to get things started.  In this case, several billion over the next five or six years for the early adopters out there.

Certification

But, just spending some money on a computer system is not enough to qualify for these incentive payments.  A provider must use a “certified” EHR.  Only certain EHRs are certified.  The list is available online here.  There are a number of organizations, like CCHIT, that act as certifiers of EHR systems.  These certifiers evaluate EHR software packages to determine if they have the minimum technology and functionality to be useful for practicing providers.  So, if you hire your IT-savvy son-in-law to write you a database to keep track of patient copays, you probably won’t be able to get those incentive payments!

“Eligible Provider”

Have a certified system?  Great.  But are you eligible under the program to receive the incentive payments?  That depends.  There are two basic tracks towards eligibility: Medicare and Medicaid.  You can obtain incentive payments under the Medicare program if you are a physician (including doctor of medicine, dental surgery, podiatric medicine, optometry, or a chiropractor) 45 CFR 495.100.  However, be careful.  If you are a physician, the amount that you can receive in incentive payments is a percentage of your total allowable Medicare charges, up to $15,000 for the first year, and less for the subsequent years.  So, if you have three Medicare patients that you see for $500 of allowable services a year, don’t expect a very large incentive check from the Medicare program.  See 45 CFR 495.102(a).

The other track is through the Medicaid program.  More providers are eligible under the Medicaid program, including physicians, dentists, certified midwives, nurse practitioners, and physician assistants (that lead a rural health center).  In order to receive incentive payments, the provider must have a patient panel where at least 30% of their patients are Medicaid recipients (20% for pediatricians), or the provider practices at a federally qualified health center and has a patient panel of which at least 30% are “needy individuals” (which includes both uninsured and Medicaid-eligible patients).  See 45 CFR 495.302.

Meaningful Use

You have a certified EHR system and you are the kind of provider that can participate under Medicaid or Medicare.  Great!  But are you a “meaningful user” as defined by the relevant regulations?  Well, that requires more effort on your part.  Namely, you need to meet the objectives that are described in more detail in 495.6.  For eligible providers, you have fifteen objectives listed in 495.6(d) that are “core” or required objectives to be met.  In addition, you must also meet five of the ten possible “menu” objectives that are listed in 495.6(e).  If that seems like a lot, well, you might be right.  And this list comprises the “stage 1” objectives.  Stage 2 and Stage 3 objectives are currently on the drawing board, and are anticipated to become the meaningful use objectives starting in 2013 and 2015, respectively.

Can it be done?  With some effort.

Note: there are different rules for hospitals as compared to providers that work in an outpatient setting.  You can read the complete regulations here (sans the comments and explanations): EHR Final Rule no comments.

Proposed Stage 2 Meaningful Use Guidelines

The Health Information Technology Policy Committee (HITPC) published for comment its recommendations for stage 2 and stage 3 meaningful use guidelines, which health care providers that are using a certified electronic health record will need to meet in order to continue to receive incentive payments throughout the full five/six years of the incentive program.  A copy of these recommendations is here: MU Stage 2-3.

The Stage 1 final regulations were published last year.  Depending on the track and facility type, (whether through Medicare or Medicaid, and whether you are an eligible provider or eligible hospital), there are a number of “core” and “menu” requirements that must be met for an organization or individual provider to receive incentive payments for the first 2-3 years of the incentive program.  HITPC’s proposal would define the additional requirements that must be achieved by providers/hospitals in order to receive the balance of the incentive payments that are available.

In some cases, stage 2 and 3 goals are for the same thing (such as electronic prescribing), but the target is higher to achieve the goal (for example, in stage 1, an eligible provider is supposed to send prescriptions electronically at least 40% of the time, while stage 2 and stage 3 proposed goals are 50% and 80% respectively).  In other cases, HITPC has suggested that a “menu” requirement transition to a mandatory or “core” requirement for stage 2.  An example is the patient reminder that is on the stage 1 menu list for eligible providers at § 495.6(e)(4).  If patient reminders become a “core” or required objective, providers today should probably plan to try to comply with this menu item now if feasible, particularly if this is easier to implement as part of the core EHR package.

There are also some proposed new objectives for stage 2 and 3, such as the goal that 30% of patients have at least one electronic note in the EHR (which, if the practice has implemented the system in 2011, by definition, all patients seen would have one or more electronic notes in the system).

A simple Google search on these proposals will turn up many comments and criticisms of these proposed stage 2 and stage 3 objectives.  Importantly, those practices that wait until 2013 or later to implement an EHR will have to comply with the then-current meaningful use stage immediately to be considered a “meaningful EHR user” under section 495.6.  See § 495.314.  Based on the present HITPC recommendation, waiting to implement an EHR will make it harder to be a “meaningful EHR user” as compared to those practices that have implemented this year and have had a chance to work out the bugs with the system and their workflows.