College of American Pathologists






September 2010

Raymond D. Aller, MD
Hal Weiner

Company’s mission: deter and detect patient privacy breaches from within

Curiosity killed the cat, and it’s becoming more risky for health care workers who illegally access other people’s private health information.

Since last year, when a federal breach notification law was passed requiring that individuals be notified when their health information has been accessed illegally, more and more health care organizations have been searching for ways to prevent and detect breaches.

Preventing internal privacy breaches in health care settings can be particularly challenging, says Shane Whitlatch, senior vice president of global alliance and sales operations for FairWarning. The company, based in St. Petersburg, Fla., provides privacy breach-detection software and guidelines for detecting internal breaches in health care facilities.

“Given the broad access rights that are given to health care workers, and rightfully so, prevention isn’t as cut and dried as in other industries,” Whitlatch says. “Locking someone out of a system can have devastating consequences for all involved because patient care is in question.”

The most effective way to prevent internal privacy breaches is awareness training, Whitlatch continues. Employees must understand that inappropriate access is not allowed, that tools are in place to detect breaches, and the consequences to themselves and the hospital if a breach occurs. Training employees not to snoop and following up with enforcement if they do has “proven to reduce incidents in many of our customers’ situations,” he says.

The new breach notification law has certainly gained the attention of health care providers. Since early 2009, the number of FairWarning privacy breach-detection software customers has grown by 200 percent and now includes almost 300 hospitals and more than 1,000 clinics in the United States, Canada, and the United Kingdom.

As of July 20, 116 breaches, each affecting more than 500 individuals, were listed on the Web site of the Department of Health and Human Services’ Office of Civil Rights, which developed the regulations. Hospitals and other health care facilities are required to report breaches affecting fewer than 500 individuals to the HHS secretary on an annual basis.

FairWarning’s tool, also called FairWarning, is designed solely to detect privacy breaches by health care employees. It collects and analyzes audit logs from clinical and nonclinical information systems—including everything from an electronic health record or laboratory or pharmacy information system to systems used in human resources and accounting. Using the audit logs, which collect such data as user identification, date, time, patient name, and function performed, the tool searches for improper access or suspicious patterns that might indicate a breach.

“We do have proactive capabilities that alert supervisors to potential inappropriate access so that incidents can be addressed quickly,” says Whitlatch. The software can be set up so that an alert is sent to the appropriate supervisor or privacy officer when a user is accessing the record of someone who is not in his or her care. The alert won’t necessarily prevent a breach, Whitlatch adds, but it can prevent a pattern of snooping from developing.
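The kind of audit-log check described above can be sketched as follows. This is an added example, not FairWarning's code: the log layout, the care-team map, the watch list, and all user and patient names are constructed assumptions built around the fields the article lists (user identification, date and time, patient name, function performed).

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data); columns follow the fields the
# article lists: user identification, date/time, patient name, function performed.
SAMPLE_LOG = """user_id,timestamp,patient,function
rn_lee,2010-07-20T08:05:00,Patient A,view_chart
rn_lee,2010-07-20T08:40:00,Patient B,view_chart
md_ortiz,2010-07-20T09:10:00,Patient B,order_lab
clerk_kim,2010-07-20T09:15:00,Patient V,view_chart
rn_lee,2010-07-20T09:20:00,Patient V,view_chart
md_ortiz,2010-07-20T09:30:00,Patient V,view_results
"""

# Assumed care-team assignments (hypothetical; a real deployment would derive
# these from scheduling or admission data rather than a hard-coded map).
CARE_TEAM = {
    "Patient A": {"rn_lee"},
    "Patient B": {"md_ortiz"},
    "Patient V": {"md_ortiz"},
}
WATCH_LIST = {"Patient V"}  # records under heightened monitoring (assumed)


def find_alerts(log_text, care_team, watch_list):
    """Return alerts for accesses by users outside the patient's care team."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # A patient with no known care team is treated as fully restricted.
        if row["user_id"] in care_team.get(row["patient"], set()):
            continue
        severity = "high" if row["patient"] in watch_list else "review"
        alerts.append({**row, "severity": severity})
    return alerts


def alerts_per_user(alerts):
    """Count alerts per user so repeated snooping shows up as a pattern."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["user_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG, CARE_TEAM, WATCH_LIST)
    print(found, alerts_per_user(found))
```

Because the check only reports and never blocks access, it fits the constraint Whitlatch describes: clinicians are not locked out, but out-of-care access is routed to a supervisor or privacy officer for review.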

FairWarning recently introduced three guidelines, collectively called “The FairWarning Privacy Framework,” for breach prevention and detection. The first guideline, “The Patient Privacy Data Definition Guide,” helps clinical application vendors define what types of data, such as user name and date and time of access, need to be included in software system audit logs to perform privacy breach detection. The second guideline, the “Patient Privacy in Enterprise Security Data Definition Guide,” is targeted to enterprise security vendors. It includes standards for integrating privacy auditing systems with an enterprise’s information security systems for detecting outside hackers. The third guideline, “Putting the Patient Privacy Framework into Practice,” which was slated to be released at CAP TODAY press time, is about best practices in privacy auditing. “That’s kind of the tips and the tricks and what to look for that we’ve taken from all of our customers,” Whitlatch says. The free guidelines are available on FairWarning’s Website,, or by emailing guide@fairwarning

While FairWarning’s tool is designed to detect breaches, Whitlatch says customers are especially pleased when it does the opposite—absolves an employee of an accusation of initiating a breach.

Yet the software also proves that employees are all too human. Whitlatch recalls a hospital client in the Southeast that admitted a well-known public official. The hospital’s patient privacy policy immediately took effect and alerts were set up to monitor the record of the public official for unauthorized activity.

“They found 21 [unauthorized employees] who were looking at the record within the first few hours of the first day,” he says. “It shows that even with training and awareness and a system in place, curiosity can still be a powerful drug.”

Investment firm purchases Aspyra

The investment company Orion Healthcare Ventures has acquired Aspyra, a provider of laboratory information systems and other health care information technology products.

“This transaction strengthens the balance sheet and provides for growth while at the same time maintaining the integrity of Aspyra’s software solutions,” says Aspyra CEO Ade Lawal.

Aspyra will continue operating under its current name.

Royal Philips and Dako join forces in digital pathology endeavor

Royal Philips Electronics and Dako, a Danish company specializing in tissue-based cancer diagnostics, have signed an agreement to integrate a selection of Dako’s image-analysis applications into Philips’ future digital pathology solutions.

The Philips-Dako collaboration initially will focus on leveraging Dako’s image-analysis software for tissue-based breast cancer diagnoses using the company’s reagents for staining HER2, estrogen receptor, progesterone receptor, p53, and Ki-67 proteins. The companies will explore the possibility of extending the collaboration to include image-analysis software for immunohistology-based prostate and colon cancer diagnostics.

“Our goal is to develop integrated digital solutions that enhance the operational efficiency and productivity of pathology departments, as well as increasing diagnostic confidence,” says Bob van Gemen, general manager of Philips Digital Pathology. “I am convinced that our partnership with Dako, with its leading market position and expert knowledge in detecting and quantifying specific biomarkers in cancer tissue, will significantly accelerate our clinical applications development program.”

Ingenix and Axolotl to merge

Health information technology and services company Ingenix has reported that it will acquire Axolotl, a provider of health information exchange services. Under terms of the agreement, the Axolotl management team will remain in place and will lead Ingenix’s efforts in health care community connectivity.

Axolotl develops and implements HIE solutions for states, communities, hospitals, and health systems. Ingenix offers decision-support capabilities that can be combined with an HIE solution to enhance health outcomes and improve efficiencies.

“Ingenix will enable us to accelerate our growth and help us continue to deploy our leading secure health information technology,” says Ray Scott, CEO of Axolotl.

Halfpenny and HT Systems partner on biometric product

Halfpenny Technologies has formed a partnership with HT Systems under which it will integrate HT’s PatientSecure biometric patient identification system into its health information exchange solutions.

Integrating the two products will allow patients who have previously visited a lab’s patient service center to be identified instantly in that lab’s registration system by having the palm of their hand scanned. Once the scan is complete, the patient’s medical record will be retrieved automatically.

To use the PatientSecure system, a patient initially confirms his or her identity by providing relevant identification, such as a driver’s license, insurance card, and Social Security number. The patient is then linked to his or her medical record in the lab information system by placing a palm directly above the PatientSecure scanning device, which scans the hand using a nonintrusive, near-infrared light wave to capture an image of blood flowing through veins. The resulting scan generates a biometric signature of the patient’s vein pattern.

Once the biometric signature has been attached to the patient’s medical record and integrated with Halfpenny’s HIE solutions, the patient’s financial and medical information can be automatically retrieved in approximately three to five seconds by scanning the patient’s palm.

HL7 standards and guides in federal meaningful use rule

Health Level Seven International, a global authority on health care information technology interoperability and standards, has announced that five of its standards and guides will be used in the federal government’s final rule on standards and certification criteria for meaningful use under the American Recovery and Reinvestment Act of 2009.

The final rule includes:

  • HL7 version 2.5.1, for submitting lab results to public health agencies.
  • HL7 version 2.3.1 or version 2.5.1, for submitting information to public health agencies for surveillance or reporting, excluding adverse-event reporting.
  • HL7 version 2.3.1 or version 2.5.1, for submitting information to immunization registries as the content exchange standard, and the CDC-maintained HL7 standard code, CVX—Vaccines Administered, as the vocabulary standard.
  • HL7 Clinical Document Architecture, Release 2 (CDA) Continuity of Care Document (CCD), a version 3 standard based on the HL7 Reference Information Model, as one of two options for content exchange standards for the receipt of a patient summary record.
  • HL7 version 2.5.1, Implementation Guide for Electronic Laboratory Reporting to Public Health, when HL7 version 2.5.1 is used for reporting lab results to public health agencies.

Haemonetics signs contract with GPO

Haemonetics Corp. has entered an agreement under which it will provide Schaumburg, Ill.-based Consorta, a health care resource management and group purchasing organization, with its new Impact Online blood-management business intelligence portal.

Impact Online will provide Consorta member hospitals with an integrated repository for blood-management data so they can access information related to their blood supply operations to better measure hospital blood use and clinical outcomes.

Dr. Aller is director of informatics in the Department of Pathology, University of Southern California, Los Angeles. He can be reached at Hal Weiner is president of Weiner Consulting Services, LLC, Florence, Ore. He can be reached at