News Story

Close
Wednesday, January 28, 2015

Cloud control: Digitizing medical records? BSA says please don't

by Bryan on Scouting - Blog
© Bryan on Scouting - Blog

Digitally storing photos, books and music means everything's at our fingertips wherever we are.

It's convenient, but anyone who follows the news knows it's not exactly secure.

That's why there’s one thing for sure that doesn't belong in the cloud: Scout medical records.

Read the full story
  • Comments (23)
  • Chief Seattle Council Image
    Cubmaster
    Trained Strip
    3 years ago
    Danny Hall
    Federal HIPAA laws actually govern the handling of personally identifiable medical data, so digitizing medical records would definitely be in violation.
    Pending Approval
  • Cascade Pacific Council Image
    3 years ago
    Bryan Reynolds
    Safe to assume ScoutBook isn't HIPPA compliant?
    Pending Approval
  • Three Harbors Council Image
    Committee Chairman
    Trained Strip
    3 years ago
    Miki Cairo
    I'm pretty sure ScoutBook doesn't need to be HIPPA compliant as HIPPA is for insurance portability of information and has nothing to do with anyone else not directly connected to insurance or working for insurance. Unless/until the BSA becomes an insurance company or medical facility (or other business associated with a medical facility) who sends infomation to an insurance company, they never have to be HIPPA compliant.

    Health Insurance Portablity and Protection Act
    Understanding Health Information Privacy
    The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by COVERED entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
    The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
    Pending Approval
  • Hawk Mountain Image
    Assistant Scoutmaster
    3 years ago
    Glenn Piper
    I'm if BSA says no to digitizing medical records, why does the NOAC registration process require users to scan and send medical forms to them electronically? This seems in direct conflict with the policy. It has always been my experience as an adult leader that we carry hard copy forms with us at all times, and never digitize them. Then there is no question as to who has access to one's medical records. For NOAC, I have no idea where those medical forms go once sent. And then they can copy them and do whatever else they want with them without my knowledge. Can someone clarify this?
    Pending Approval
  • Jersey Shore Council Image
    3 years ago
    Denise Brasher
    Honestly from a HIPPA perspective, we don't sign Privacy releases when going to camps or other BSA sites where our personal health information is used and stored. So BSA has no leg to stand on there. I don't like the idea of a leader walking around with all that personal information on a thumb drive though either. But honestly, during popcorn season or when we have to audit our treasury there is a lot of info stored on a thumb drive temporarily and I suppose it could be accessed if someone stole our car.
    So ensuring someone's info is NEVER going to be perfect espeicially on a small scale non-profit standard. But I would point out that if BSA is going to use something like HIPPA, they better be willing to back it up with the endless array of steps, standards, and tools that goes with it. Let me tell you the nighmare and man power that will be. I'd say some simple unit guidelines would be better!
    Pending Approval
  • Water and Woods FSC  (Michigan Crossroads Council) Image
    Unit Chaplain
    Trained Strip
    3 years ago
    Doctor Bob Richard
    This is an issue best resolved but the experts. So I recommend you defer this issue to your Council Risk Management officer, or the Councit Attorney. Just when you think you know the law, it will rise up and bite you where the sun never shines.
    Pending Approval
  • President Ford FSC (Michigan Crossroads Council) Image
    Committee Chairman
    Trained Strip
    3 years ago
    Joel Young
    HIPAA applies to covered entities. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

    As I read the article, it is the BSA policy not to digitize the records it is not necessarily a HIPAA violation issue at the Troop or Pack level.
    updated 3 years ago
    Pending Approval
  • Alamo Area Council Image
    Cubmaster
    Trained Strip
    3 years ago
    Stephen Henley
    I have to side with Glenn on this one. If we are digitizing records as requested by NOAC by faxing them, that is in direct contradiction. Can someone please clarify?
    Pending Approval
  • French Creek Council Image
    Assistant Scoutmaster
    Trained Strip
    3 years ago
    Bob Esser
    Joel has the best take on the whole HIPAA issue.

    As to my background - I'm a dentist and past-president of my local dental association that has had to deal with many of these issues. This is not to say I am an attorney with the latest and greatest info on the topic. But I am better informed than 90+% on the forum.

    HIPAA regulates how "Covered Entities" (CE) share "Protected Personal Information" (PPI). It stops CE from selling or sharing info to third parties. Think of hospitals selling lists of patients that just gave birth to diaper companies or blood labs selling info of patients testing positive as diabetic.

    With HIPAA comes requirements of how PPI is transmitted between CE. It must be a 'secure link'. Faxes are 'secure' as long as the fax machine is not publicly accessible at the receiving end. Emails are only permissible if encryption has been enacted. Please remember BSA is not a covered entity to my understanding.

    As to a previous comment that asked /how can I be sure that the health form I submitted is not copied and shared?/ It doesn't matter what type of transmission you use to send health info. The holder of that info has multiple ways to copy and share that info. Think about it.

    The biggest thing about health histories in BSA is that leaders need the info to keep the kids safe!!! Example: One may ask why Cub parents should submit a health history for their Wolf if they just meet at school 1-2x a month. Sounds reasonable on the surface. A health history is the only place to reliably tell Pack Leadership if a Cub has a life threatening PEANUT ALLERGY that can kill a child before EMS arrives!
    I believe it would be wise to gather your the Health History forms of your Scouts and scan them into individual PDFs to save on your cell phone (not save in the Icloud , Dropbox, or other service due to possible breaches). Then if a Scout needs EMS/Hospital services you can either look at it to relay info or quickly email to the hospital.

    Just my 2 cents on the topic.
    Pending Approval
  • Middle Tennessee Council Image
    Assistant Scoutmaster
    2 years ago
    Tyler Yokley
    As a System Administrator in a major health insurance company, we have to constantly work around the HIPAA regulation. Anything that classifies as PHI (Personal Health Information) and is not considered transported securely is a violation of this act and must be reported. What classifies as PHI is any 3 data entries that can identify the person. Most likely if it is just an insurance card, it would not contain enough information to be considered as PHI. On the other hand, most people keep health records. These forms can be considered as PHI. If emailing them, it is best to ensure TLS or PGP is used for encryption. To force TLS to the remote recipient, it would mean both members of the IT department would ensure they have TLS configured as required. If using PGP (Zix and Ironport are examples of this), It would just require the remote user to log onto the email system to retrieve the data.

    Chances are you will not be sending this information to providers unless a boy gets hurt. If that were to come, the question is "how is this data to be stored securely.
    Well, you could encrypt your laptop's hard drive and ensure that if taken out that no one can access it. This is not the best solution as not everyone carries their laptops on camping trips. Next would be to use a remote HIPAA compliant storage solution. Not cost effective, but gets the job done. Another alternative solution (If scoutbook would do so), is to have a place that is encrypted on the back end to store the scouts medical history. The access should be provisioned by the Troop Admin for the leaders on the camping trip and then revoke the rights when done. The next thing is that in order to ensure it is encrypted, scoutbook should release the encryption keys and not have them stored anywhere. (Sorry for talking over everyone's head) If the keys were lost, then the data can not be recovered and all information must be restored. If/when a boy gets hurt, they could use the previous email system along with some PGP application to email the document to the provider forcing them to log on to this security appliance to retrieve the documents.

    This is kind of a high level, semi technical overview that can be accomplished if given the correct tools.
    Pending Approval
  • San Francisco Bay Area Council Image
    2 years ago
    Jim Brown
    Also an IT professional, in the InfoSec space for a payment service organization...

    This is a very interesting topic. Even within the hospital medical records can get "mixed up" and result in unexpected fatalities. (Personal knowledge here)
    PKI within a company is a sizeable undertaking that requires experts to architect, administer, audit and enforce usage. Our company does encrypt drives and forces encrypted e-mail when questionable content is detected. No small feat. Considering even National BSA's IT department is hardly staffed for this level of compliance - I would be surprised (impressed) if they take this on. Given volunteers across the nation use personal e-mail accounts, we are dependent on each messaging provider to support TLS. (And PCI is moving to TLS v1.2 by next year, so each messaging provider would need to remain "current") BSA/Scoutbook would need to support e-mail accounts in THEIR messaging system for each volunteer who uses Scoutbook in order to provide this encrypted communications. It's doable...just not sure the IT budget will allow for such an investment. Think of the support calls from non-tech-savvy volunteers across the nation who forget their password, or can't find an e-mail they accidentally deleted. ;-)

    I've been a bit nervous myself about carrying all medical forms for our troop to Scout Camp, or on High Adventure activities. Do you also shred them when the activity is over? This level of diligence is optimal, but some of the best scout leaders I know are just not as likely to remember those details. In a well organized/trained Troop the Outdoor Activity chair could be trained and responsible...but many troops aren't well organized/trained.

    I concur with Bob: "So I recommend you defer this issue to your Council Risk Management officer, or the Council Attorney". Although I'd expect them to seek guidance from BSA National Risk Management or legal counsel.

    Thankfully I haven't heard of many incidents due to medical record access of BSA leader or boys.
    Keep the OUT in ScOUTing! :-)
    Pending Approval
  • Lewis and Clark Image
    2 years ago
    Bryan Siegfried
    HIPPA is a omnibus law that touches on a lot of issues. It seems to me that as long as BSA has clinics that provide even modest medical care and requests medical infromation such as the physicals, that BSA would fall under HIPPA's privacy regulations. That said, HIPPA does not prevent keeping medical records in "the cloud". In fact, most medical records are probably kept in the cloud in one way or another. However, ensuring HIPPA compliance in the cloud is a bit of an IT subspecialty in its own right. Several cloud providers do provide HIPPA-compliant cloud services, but the software you are running on those services would need to be compliant, as would the system for retrieving information, etc.
    Pending Approval
  • Mt Diablo-Silverado Council Image
    2 years ago
    Michael Fiorino
    There is a set standard for digital encryption when transmitting medical records. I would presume that the organization will follow the same standards.
    Pending Approval
  • Baltimore Area Council Image
    2 years ago
    Scott Shipley
    Regardless of which side of the argument you are on for HIPAA, the easy answer...password protect AND encrypt any file that has sensitive data. There are plenty of tools to do this.
    Pending Approval
  • Longhorn Council Image
    Scoutmaster
    Trained Strip
    2 years ago
    Chris Stoermer
    Listen to the dentist (who actually is a Covered Entity). The BSA is not a Covered Entity. Leave HIPAA out of the discussion. However, National has said we shouldn't digitize, or email, so as an Obedient Scout, I won't do it. Sincerely, Me, the Scoutmaster, Certified HIPAA Professional, Certified HIPAA Security Specialist and Certified Security Compliance Specialist.
    Pending Approval
  • Greater Yosemite Council Image
    2 years ago
    Jean-Louis Crash Curutchet
    So my question for you all is what do you do if your medical information that is provided on part a b and c is compromised.? This just happened to me this past saturday the 16th. Both my sons info and my info was lost by staff of the summer camp that we attended.It was supposedly handed out to another troop who intended the same 5th week session. My sons info was found in another troops folder that had yet to check out. To make matters worse, the camp was out of council so it's not like i can go to my local council for help. Quite frankly, i would like to see and be told by somebody at a national level tell me why this failure occurred. So even though there is a policy of not digitizing info, there is nothing that I have seen regarding what to do if your information is compromised because of the sloppy actions of the staff at camp.
    Pending Approval
  • Laurel Highlands Council Image
    a year ago
    Ray Hyland
    Why doesn't BSA ( a multi million dollar company) create a on line storage program where Leaders can upload medical files into a database. I only have 20-40 kids at any time. There is troops and Packs out there that have around 100 kids. Can you imagine carrying there medical files with them to every activity. My medical file book is a 6 inch binder now.
    Pending Approval
  • Occoneechee Image
    a year ago
    Matthew Price
    Sooo.... Those who have reported that HIPAA would be part of the issue with digitizing the medical records. I hate to tell you - ALL medical records are digitized. It does not matter if you go to see about your Toenail or Bariatric Surgery - they are digitized. You go to the Doctor to have a physical - they are digitized.

    Digitizing the records would require encrypted USB Keys and systems. Which the BSA does not know how to handle - and guess what? I don't expect them to understand it as they are not an IT company. It just so happens that I work at a University that handles HIPAA data - and yep, even your phones have to have encryption. So - that being said - it is highly unlikely that if a USB key is used that the people will be interested in the medical records - they are going to be more interested in the USB storage.

    If the BSA has at any point in time required uploading of records to a system for review (which they have) they are a covered entity. What that means is that they are required by Federal Law to have practices in place to handle the said data. You can be a courier who gets the USB key in an envelope - and you need to have the training and certifications.

    See how that covered agency thing works? Pretty simple.
    Pending Approval
  • Trapper Trails Image
    Committee Advancement Coordinator
    Trained Strip
    a year ago
    Rick Worcester
    The original article was on Digitizing medical records, nothing about HIPPA. BSA says PLEASE do NOT do it so..... don't do it. Putting on a flash drive, your phone etc. still NOT a good idea. You can lose them very easily-- leave them on the chair next to you (granddaughter lost her $600 phone that way), cleaning crew goes into your purse while you are not in the room (happened to my wife), hole in your pocket you didn't know about and falls on the ground (happened to me). Then someone else picks up the item and now has access to EVERYONE's Protected Personal Information. As for me I'll keep the hard copy with me in the "Scout Physical Forms" section of our take along Scout Essentials box (lockable hinged box where everything Scout goes) in the locked cabinet in the locked room accessed by only 5 people (that have had the training on Privacy Act of 1974 and PPI)
    Pending Approval
  • Mount Baker Council, BSA Image
    a year ago
    Pamela Collins
    Who has access to the information should be someone with a need to know basis.
    Pending Approval
  • Central Florida Council Image
    Assistant Scoutmaster
    10 months ago
    Donald Boughton
    I've been thinking about this a lot lately, as I've been reviewing cloud storage sites and I'm planning on setting up an electronic library and collaborative working area for our unit. Here's what I've learned about storing medical records. No, the BSA does not come under HIPAA. I've read the verbiage from HIPAA, and it is very general. In reality, it does not ALWAYS require encryption of HIPAA information transmitted digitally. It says that restrictions and encryption should be considered and used where appropriate. One requirement did state that any online service providing HIPAA information must have and automatic logout feature when no activity is detected for a reasonable amount of time. Computers used to access and store HIPAA information should have a screen saver with the logout/lockout feature enabled, requiring credentials to be entered before removing the lockout. Also, there must be a means of limiting the information so that it is only obtained by those with a "need to know". But, as many have pointed out, HIPAA is really a moot point. It does not apply, nor does it prohibit the practice for entities that it does apply to. So the BSA sees it as a liability risk issue. I did notice on the BSA website the following announcement: "Q. Why don't we have an online version or high-tech medical record? A. Plans are under way to provide the capability to do this, but there is no scheduled completion date at this time." There is also a statement in a document that summarizes the National Camp Standards Accreditation requirements that states, "INTERPRETATION: Medical logs must be in a bound book with pre-numbered pages. Separate books for staff and for campers should include both medical treatment and medications administered. Electronic systems may be approved by application for variance. At a camp that does not operate for a full week, the camp health officer and camp director should meet at the end of each camp session to conduct the review required in specific requirement A.2.” Note that variances to their policy may be approved. It would nice to have that kind of approval possible at the BSA Unit level. I would not suggest using it in order to do away with the hard-copy binder, which I would still recommend using as the primary source, but I DO see it as a great backup if the binder gets lost, accidentally left behind, or the person in possession of the binder is delayed or incapacitated. A cloud storage could be used as a backup in the event of an emergency. Phone access would be good for EMT professionals. A copy can be downloaded and printed if it was left behind at summer camp, and it is as good as a Xerox'd copy. I don't recommend USB or direct storage on a cell phone, as some have pointed out that the device could easily be lost. A cloud storage company called IDrive provides free accounts with enough storage for most units. When registering for the free account, there is an option that allows you to choose to use your own password for the data encryption key. When you use this option, your data is encrypted with the key you provided and IDrive does not keep a record of it. If you lose the key, the data is lost, as even IDrive can't recover it without the key. Also, when an account is set up that way, files and folders cannot be shared with others by an email link or shared with other IDrive account holders so they can access the shared files or folders from their account. Only the leaders who have the password/key and login to THAT one account have access to the files. There is also a cloud storage site called filesanywhere.com that allows you to securely upload and send FAX's. With a small monthly fee, it gives you more storage and the ability to receive FAX's and securely download them as well. Access it on a computer with a lockout screensaver, and I think you would be quite good - as good as carrying around the binder itself. Only those with a need to know would have access to the account, and the password can be changed when there is a change in leadership.

    my 2¢
    Pending Approval
  • Northern Star Council Image
    8 months ago
    Sarah Miller
    I think this is a horrible idea. Medical records should stay confidential!
    Pending Approval
  • Connecticut Yankee Council BSA Image
    Assistant Scoutmaster
    Trained Strip
    a month ago
    Dave Carr
    If people agree and BSA uses a secure, private server this could provide better access to EMT in the case of a emergency. I advise against putting your family social security numbers on your medical records or allowing your drivers license number to be copied by anyone.
    -----------------------------------------------------------------
    I can use 10%of my net earnings to buy advertising that benefits BSA from your individually referred real estate transactions (after closing and passing of title) anywhere in the USA. Find out how I can buy advertising to help your troop.

    updated a month ago
    Pending Approval
  • profile photo
    just now
    Your Name

Delete Comment?

Are you sure you want to delete your comment?

This action cannot be undone.