EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

Amazing Steps To Encrypt Your Patient Data


Think your practice is too small for a data breach to occur? Think again. It’s vital to stay on the right side of HIPAA requirements for data security. This isn’t always easy and can cost a significant amount, but in general, locking down data is less expensive than damage control after a breach.

Breaches of patient information are on the rise—138% from 2012 to 2013, according to breach data reported to the Department of Health and Human Services (HHS). And no system is completely theft-proof. However, there are steps you can take to make your privacy harder to invade. That’s important because many data thieves are opportunists who will bypass difficult targets in search of easier quarry.

  1. Consider hiring a security expert and conducting a thorough vulnerability assessment. It isn’t cheap, but there are payoffs for practices that consider this an investment.
  2. Partner with strong IT vendors and services. Is your EHR as theft-proof as possible?
  3. Encrypt all transmission of electronic private health information, including texts and emails.
  4. The biggest threat to data security in your office could be your most loyal employees. Train your staff to be vigilant about email and web use, and develop a policy for BYOD (bring your own device). Many patients and employees now use their own mobile devices—everything from smart phones, laptops and tablets to wearables—in the workplace. BYOD policies must ensure patient data remains secure.
  5. At the other end of the technology spectrum, paper-based data breaches still account for substantial amounts of data loss. In 2012, for example, there were 50 reports of data loss to HHS involving paper documents, representing information for 386,065 individuals. If your office still has file cabinets full of paper folders, consider scanning them and then shredding them or moving them to a secure storage site.
  6. Many small and midsized medical practices are weighing the pros and cons of purchasing cyber or data breach insurance to mitigate the financial risks of a breach. This might be a good option for your office.
  7. Lead by example. HHS offers CME-eligible online educational programs that can help physicians understand what’s required to comply with HIPAA privacy and security rules.

 

If a data breach does occur, inform those affected as soon as possible, and identify the information that has potentially been compromised. Keep in mind you won’t be able to do this if you don’t know what data resides in your practice or what systems are networked.

Technical Dr. Inc.'s insight:

Contact details:
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

CywareCo's curator insight, August 26, 2016 6:32 AM
Healthcare security can no longer be ignored. The details of your entire life in the hands of a hacker who is willing to sell it for money will lead to identity theft - https://cyware.com/journal/healthcare-security-ignored/

Medical Data Exchange, Cloud Solutions Impact EHR Design


Over the last two decades, the medical industry has changed drastically in terms of patient care and access to medical records. It was nearly impossible to obtain one’s own health record 20 years ago. Forbes reports that patients had little choice but to press legal action if they wished to access their own medical data.


In 1996, however, the Health Insurance Portability and Accountability Act (HIPAA) was passed, which did offer legal protections to patients who needed to see their health records. Nonetheless, there was still significant difficulty in accessing this information and most people never went through the challenging process.


Today, these problems are slowly disappearing, as patients have more ability to readily view their medical history and test results via patient portals and through other electronic means.


A study published earlier this year shows that after three hospital systems in separate states offered their patients the ability to view their health records and physician notes, nearly 70 percent of patients reported understanding their conditions better and taking better care of themselves including remaining vigilant about taking their medications on time. The results from the study also showed that providing patients with this ability did not majorly impact the physician workflow.


The design and evolution of certified EHR technology and the health IT systems that hold medical data are now shifting toward cloud-based and mobile platforms. This leads to more digitizing of medical records and more flexible solutions for healthcare professionals within the clinical setting.


Both mobile health and wearables are also impacting the design of certified EHR technology. The Apple watch, for instance, could potentially hold relevant medical data for physicians to view and patients to access. Additionally, mobile apps on smartphones or tablets could be used by patients to request drug refills and securely message doctors or nurse practitioners.


In a new report from market research firm IDC, Judy Hanover, Research Director at IDC, explains, “The new concept of flexible, mobile, cloud-based acute care EHR supports digitizing paper workflow and reengineering processes … There’s a huge appetite for getting better workflows into healthcare, looking at department specific and mobile apps. I would see an environment where hospitals and health systems would perhaps rip out and replace in some cases.”


According to the report, it is expected that over the next few years, providers will begin to replace their current certified EHR technology with cloud-based solutions instead. Greater investment will continue to be poured into the health IT industry as providers move onto meeting Stage 3 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs.


Additionally, the future of EHRs will continue to depend on EHR interoperability and the ready access of medical data across the healthcare industry. Forbes states that many within the medical sector believe EHR interoperability will be the “biggest game changer.” However, it may take longer than expected for interoperability and medical data exchange to expand across multiple healthcare settings, as this industry “moves slowly.”



The Fastest Path to a Secure Cloud


Personal Health Information (PHI) records and electronic PHIs (ePHIs) comprise our most confidential data, including demographic information, medical history, test and laboratory results and insurance information. Health care professionals utilize the PHI to identify the patient and determine appropriate care and treatment; insurers input financial data, and patients can access this information by request. Due to this highly sensitive combination of medical and financial data, these records have become a favorite target for hackers, as shown by the recent Premera and Anthem breaches.


As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing HIPAA compliant standards to secure their data. Healthcare organizations currently use both on premise and cloud deployments to house their information. In fact, a recent survey of healthcare provider organizations indicates that 83% of IT executives report that they are currently using cloud services. The areas with the most uptake include lab systems and email services; electronic health record and information exchanges (CHIs, EMRs, Telehealth, etc.), and Shadow IT – which is enlisting cloud-based services, but not via their IT departments.


While the advantages in moving to the cloud include improved access, powerful processing capabilities, higher availability and significant savings with on-demand hosting, healthcare organizations are still wary that the cloud may deliver a less secure option. They are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.


In the Public Cloud environment, responsibility for IT security is shared between the health care organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the health care organization is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP offering to ensure a HIPAA compliant cloud deployment.


As part of a cloud migration process, ePHIs may be ‘exported’ to the cloud, to share with other healthcare organizations, clinicians and insurers, or for cloud-based storage and processing.  In such cases encryption of the data in transit and at rest is critical. Firewall policies to control data transfer and access are also required. Since many healthcare organizations have only migrated a portion of their resources to the cloud, the encryption and firewall policies must encompass the hybrid, private and enterprise cloud environments.

When ePHI or other clinical or sensitive data is stored in the cloud, the issue of remote access must also be addressed. Health care professionals and IT staff as well as others need to access cloud resources from remote offices and via mobile devices. Although remote access provides flexibility it is also a significant security caveat. Almost half of the healthcare security incidents last year were the result of loss or theft of devices such as laptops, phones or portable drives. Internal threats are especially worrisome, as 15% of the security incidents in healthcare in 2014 have been attributed to unapproved or malicious use of organizational resources.


The answer to these threats is strong integration with identity controls as well as access management. To protect their resources, organizations must implement strong two-factor or multi-factor authentication. Identity-based access management policies ensure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.


Another important step in securing healthcare information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations (i.e. multi-tenant). Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.


The cloud is becoming the default choice for healthcare CIOs. The fastest path to a secure, compliant healthcare deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now becoming available in the marketplace, evidence that cloud technologies for healthcare are coming of age.



Calif. Hospital Challenges Nurses Union's Claims About EHR Outage


Officials from Antelope Valley Hospital in Lancaster, Calif., are disputing recent allegations from a nurses union that an electronic health record outage caused the hospital's emergency department to close, Becker's Health IT & CIO Review reports.

Background

Last week, representatives of the California Nurses Association/National Nurses United asked the Los Angeles County Department of Public Health to investigate the Feb. 27 outage, contending that the incident put patients at risk.

According to the nurses, the outage caused myriad issues at the hospital, including difficulty:

  • Dispensing medication;
  • Verifying physician orders;
  • Reviewing patient labs and other diagnostic procedures; and
  • Reviewing patient records.

The nurses union also asserted that the outage forced the hospital to shut down its ED. Further, they claimed that the hospital did not have a backup plan in place for such outages.

Hospital Statement

In an emailed statement, hospital officials said, "The emergency department continued to treat patients, logging more than 900 patients over the weekend." The statement noted, "At times during the outage, certain patients were diverted to other nearby facilities based on their treatment needs."

The hospital said it activated its "downtime procedures" while working to fix the EHR errors. Officials say patient safety was not affected by the issues, and the pharmacy continued to fill prescriptions using a management system that was not connected to the network outage. Meanwhile, patient records and medication requests were filled by hand.

Antelope Valley CEO Dennis Knox said, "Our team of professionals worked tirelessly throughout the weekend to process lab orders and results, review radiology exams, carry out treatment plans and deliver overall patient care as promptly as possible".



Cybersecurity in healthcare is now center stage. So who should be responsible?


I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves.

We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on.

I’m both excited and pleased to see a number of healthcare focused cybersecurity experts, like Kamal Govindaswamy from RisknCompliance Consulting Group, preaching similar proactive and holistic guidance around compliance and security.

I asked Kamal a simple question – if cybersecurity is an emergent property of a system, who should be held responsible/accountable for it? Here’s what Kamal said, and it’s sage advice worth following:

Information Security in general has historically been seen as something that the organization’s CISO (or equivalent) is responsible for. In reality, the Information Security department often doesn’t have the resources or the ability (regardless of resources) to be the owners or be ultimately “accountable” or “responsible” for information security. In almost all cases, the CISO can and must be the advisor to business and technology leaders or management in the organization. He could also operate/manage/oversee certain behind-the-scenes security specific technologies.

If your CISO doesn’t “own” Information Security in your organization, who should?

At the end of the day, everyone has a role to play in Information Security. However, I think the HealthIT managers and leaders in particular are critical to making security programs effective in healthcare organizations today.

Let me explain…

Of all the problems we have with security these days, I think the biggest stumbling block often has to do with not having an accurate inventory of the data we need to protect and defining ownership and accountability for protection. This problem is certainly not unique to Healthcare. No amount of technology investments or sophistication can solve this problem as it is a people and process problem more than anything else.

Healthcare is unfortunately in an unenviable position in this regard. Before the Meaningful Use program that has led to rapid adoption of EHRs over the last five years, many healthcare organizations didn’t necessarily have standard methods or technologies for collecting, processing or storing data. As a result, you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “owns” them – network file shares, emails, a legacy application or database that is no longer used, etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.

In my opinion and experience, the average Healthcare organization is nowhere close to solving the crux of the problem with security programs – which is to ensure ownership, accountability and real effectiveness or efficiencies.

Most of us in the security profession have long talked about the critical need for the “business” to take ownership among business and technology leaders. For the most part however, I think this remains an elusive goal for many organizations. This is a serious problem because we can’t hope to have effective security programs or efficiencies without ownership and accountability.

So, how do we solve this problem in Healthcare? I think the answer lies in HealthIT leadership taking point on both ownership and accountability.

HealthIT personnel plan, design and build systems that collect/migrate/process/store data, interact with clinical or business leadership and stakeholders to formulate strategies, gather requirements, set expectations and are ultimately responsible for delivering them. Who better than HealthIT leaders and managers to be the owners and be accountable for safeguarding the data? Right?

So, let’s stop saying that we need “the business” to take ownership. Instead, I think it makes much more pragmatic sense to focus on assigning ownership and accountability on the HealthIT leadership.

I present below a few sample mechanics of how we could do this:

  1. Independence of the CISO. For a start, Healthcare CIOs or leaders should insist on independence for the CISO (or equivalent) in their organizations. Even if the CISO or security director or manager happens to be reporting to the CIO (as it still happens in many organizations), I think it is absolutely critical that you reorganize to make the role one of an advisor and support role and not an IT function itself. The CISO and his team may also have their own operational responsibilities, such as management of certain security technologies or operations, performing risk assessments, monitoring risk mitigation or remediation programs, assisting with regulatory compliance and so on. Regardless, they must be an independent function with a strong backing or support from the CIO.

  2. IT (Data) Asset Discovery, Classification and Management. To start with, all IT assets (hardware and software) that collect, receive, process, store or transmit data (CRPST) need to be identified, regardless of whether these assets are owned/leased/subscribed or where they are hosted. Every physical or virtual asset (network device, server, storage, application, database etc.) must have one assigned owner at a manager/director/VP level who is ultimately accountable for security of the information CRPSTed by the asset. As the owner may choose or need to delegate responsibilities (see #3 below) the asset meta-data should also include information regarding personnel that have delegated responsibilities. If you are a smaller organization, you may have one person being the owner that is “accountable” as well as “responsible”.

  3. Directives to HealthIT executives and managers. It is important that Healthcare CIOs send a clear message of sponsorship and accountability to their executives and managers regarding their “ownership” related to security. The asset owners (see #2 above) may in turn delegate “responsibilities” to other personnel (not below a manager) in her department. For example, the VP or Director of IT Infrastructure may delegate responsibilities to the Manager of Servers and the Manager of Networks. Similarly, the VP/Director of Applications may delegate responsibilities to the Database Manager and the Manager of Applications and so on. Regardless of the delegation, the VP or Director retains the “ownership” and “accountability” for security of information CRPSTed by the asset.

  4. Bolted-in Security. The HealthIT strategy and architecture teams need to work in close collaboration with the CISO’s team. It is critical that security is an important planning and design consideration and not something of an afterthought. It is much more cost effective to plan, design and implement secure systems from the start (hence bolted-in) than trying to look for a patch-work of controls after the systems are already in place.

  5. Need for HealthIT managers with “responsibilities” to be proactive. Let me explain this with a few examples of the Server Manager’s role in #3 above.
     • The Server Manager must at all times know the highest classification of the data stored on his servers so he is sure he has appropriate controls for safeguarding the data as required by the organization’s Information Security Policy and standards. If a file server is not “authorized” to contain PHI or PII on its shares, he should perhaps reach out to the CISO with a request for periodic scans of his servers to detect any “sensitive” data that users may have put on their file shares, for example.
     • If a file server is authorized to store PHI for use by the billing department, for example, the Server Manager must work with the billing department manager to have her periodically review the access that people have to the billing file shares. If your organization’s Identity and Access Management (IAM) solution or program has capabilities for automating these periodic access reviews, the Server Manager must work with the CISO (or whoever runs the IAM program) to operationalize these access reviews as part of your Business-As-Usual (BAU) activities. The key point here is that it is the Server Manager’s responsibility (and not the Billing Manager’s or the CISO’s) to ensure that the Billing Manager performs the access reviews in compliance with the organization’s policies or standards for access reviews of PHI repositories.
     • The Server Manager must at all times be aware of who all have administrative access to these servers, so he must look for ways to get alerts for every change that happens to the privileged or administrator access to the servers. If your organization has a Log Management or a Security Information and Event Management (SIEM) solution, the Server Manager should reach out to the CISO or his designate so the SIEM solution can collect those events from your servers and send email alerts for any specific administrator or similar privilege changes to the Server Manager. While we are on SIEM, the Server Manager should also work with the CISO and the Billing Manager so the Billing Manager gets an email alert every time there is a change to the access privileges on the file shares containing PHI or PII used by the billing department.
     • If one of the servers happens to be a database server, the Server Manager may be responsible for the operating system level safeguards while the Database Manager may have the responsibility for the database “asset”. She will in turn need to work with the CISO and the relevant business managers for automation of access reviews, monitoring of potential high risk privilege changes in the database etc.
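
The "periodic scans ... to detect any sensitive data" that a Server Manager might ask the CISO's team to run, as an added example (not code from the article, its author, or any product mentioned on this page). The share inventory, file paths, file contents and the MRN format are constructed for illustration; SSN matching uses the published Social Security Administration structural rules (area not 000, 666 or 9xx; group not 00; serial not 0000) to cut false positives. Only hit counts are reported, never the matched values, so the scan report itself does not become another PHI repository.

```python
"""Periodic scan of file shares for sensitive data that should not be there."""
import re
from typing import Dict, List, NamedTuple

PATTERNS = {
    # SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Assumed site-specific MRN format: 'MRN' followed by seven digits.
    "mrn": re.compile(r"\bMRN[-: ]?\d{7}\b"),
}

# Constructed share inventory: which shares are authorized to hold PHI/PII.
SHARE_PHI_AUTHORIZED = {
    r"\\fs-billing-01\billing": True,
    r"\\fs-general-02\public": False,
}

# Constructed file contents standing in for what a crawler would read.
SAMPLE_FILES = {
    r"\\fs-billing-01\billing\claims-march.txt":
        "Claim 1182 for MRN-4471920, SSN 219-09-9999, payer Example Health Plan",
    r"\\fs-general-02\public\potluck.txt":
        "Bring a dish on Friday! Questions: call ext 555-1234.",
    r"\\fs-general-02\public\old-export.csv":
        "name,ssn\nJ. Doe,123-45-6789\nA. Roe,000-12-3456\n",
}


class Finding(NamedTuple):
    path: str
    share: str
    kind: str
    count: int


def share_of(path: str) -> str:
    """Map a file path to the inventoried share it lives on (longest prefix)."""
    matches = [s for s in SHARE_PHI_AUTHORIZED
               if path.lower().startswith(s.lower() + "\\")]
    if not matches:
        # A path outside the inventory is itself a finding: nobody owns it.
        raise ValueError(f"path not under an inventoried share: {path}")
    return max(matches, key=len)


def scan(files: Dict[str, str] = SAMPLE_FILES) -> List[Finding]:
    """Count sensitive-data hits per file and pattern; matched text is discarded."""
    findings: List[Finding] = []
    for path, text in files.items():
        share = share_of(path)
        for kind, pattern in PATTERNS.items():
            hits = len(pattern.findall(text))
            if hits:
                findings.append(Finding(path, share, kind, hits))
    return findings


def unauthorized(findings: List[Finding]) -> List[Finding]:
    """Findings on shares not authorized for PHI/PII: these need the Server
    Manager's action; hits on authorized shares are expected and only logged."""
    return [f for f in findings if not SHARE_PHI_AUTHORIZED[f.share]]


if __name__ == "__main__":
    for f in unauthorized(scan()):
        print(f"ESCALATE {f.kind.upper()} x{f.count} on unauthorized share "
              f"{f.share}: {f.path}")
```

On the constructed input, the billing share's hits are expected (it is authorized for PHI), the potluck notice produces nothing because an extension number does not fit the SSN structure, and the forgotten CSV export on the public share is the one finding that gets escalated; the malformed "000-12-3456" is ignored rather than counted.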

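
The SIEM alert routing described in the Server Manager examples and the "visibility and automated alerts" point from the cloud article, as an added example (not code from either article or their authors). It mimics the rules above: the Server Manager is told about every administrator-level change on the servers delegated to him, the Billing Manager about every ACL change on the billing PHI shares, and anything from a host missing from the asset inventory goes to the CISO, because an asset nobody inventoried has no owner to alert. Hostnames, people, share names, privileged-group names and the audit events are all constructed.

```python
"""Route privilege and PHI-share ACL changes to the accountable person."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory (item #2 above): one accountable owner per
# asset, a delegate with day-to-day responsibility (item #3), and the PHI
# shares on it together with the business manager who reviews their access.
ASSETS = {
    "fs-billing-01": {
        "owner": "VP Infrastructure", "delegate": "Server Manager",
        "phi_shares": {r"\\fs-billing-01\billing"}, "phi_steward": "Billing Manager",
    },
    "fs-general-02": {
        "owner": "VP Infrastructure", "delegate": "Server Manager",
        "phi_shares": set(), "phi_steward": None,
    },
}

# Groups whose membership changes count as privilege changes (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}


@dataclass(frozen=True)
class Alert:
    recipient: str
    reason: str
    host: str


def route_event(event: dict) -> List[Alert]:
    """Return the alerts one normalized audit event should raise.
    The event dict is a simplified stand-in for a SIEM record."""
    asset = ASSETS.get(event["host"])
    if asset is None:
        return [Alert("CISO", "event from host not in asset inventory", event["host"])]
    alerts: List[Alert] = []
    if event["type"] == "group_membership_change" and event["group"] in PRIVILEGED_GROUPS:
        alerts.append(Alert(asset["delegate"],
                            f"{event['member']} {event['action']} {event['group']}",
                            event["host"]))
    elif event["type"] == "share_acl_change":
        if event["share"] in asset["phi_shares"]:
            reason = f"ACL changed on PHI share {event['share']} by {event['actor']}"
            alerts.append(Alert(asset["phi_steward"], reason, event["host"]))
            alerts.append(Alert(asset["delegate"], reason, event["host"]))
        elif event.get("grants_everyone"):
            alerts.append(Alert(asset["delegate"],
                                f"share {event['share']} opened to Everyone",
                                event["host"]))
    return alerts


# Constructed sample events in arrival order.
SAMPLE_EVENTS = [
    {"host": "fs-billing-01", "type": "group_membership_change",
     "group": "Administrators", "member": "j.doe", "action": "added to"},
    {"host": "fs-billing-01", "type": "share_acl_change",
     "share": r"\\fs-billing-01\billing", "actor": "svc-backup"},
    {"host": "fs-general-02", "type": "group_membership_change",
     "group": "Remote Desktop Users", "member": "a.roe", "action": "added to"},
    {"host": "fs-general-02", "type": "share_acl_change",
     "share": r"\\fs-general-02\public", "actor": "a.roe", "grants_everyone": True},
    {"host": "lab-unknown-09", "type": "share_acl_change",
     "share": r"\\lab-unknown-09\data", "actor": "unknown"},
]


def alerts_by_recipient(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Group alert reasons per recipient, the way an email digest would."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for a in route_event(ev):
            out.setdefault(a.recipient, []).append(a.reason)
    return out


if __name__ == "__main__":
    for who, reasons in alerts_by_recipient().items():
        print(who)
        for r in reasons:
            print("  -", r)
```

The non-privileged group change is deliberately silent: alerting on every group membership change would bury the administrator changes the Server Manager is accountable for. The unknown-host rule is the operational expression of the inventory problem the article calls the biggest stumbling block.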
Joel Finkle's curator insight, January 28, 2015 12:23 PM

Hospitals are playing catch-up to Pharma's security requirements - Pharma info is its principal asset, so it's always been protected, plus "part-11" validations on regulated records require info to be tightly controlled.


Ensuring a Smooth Transition to the Cloud - HITECH Answers


Moving to the cloud is a smart business move for many medical providers these days. The security, convenience, and scalability are attractive attributes for busy practices that don’t want the hassle of attempting to handle all their IT needs in-house. Plus the mandated move to electronic health records (EHR) is causing many enterprises to rethink their entire IT strategy.

While there are many benefits to moving to the cloud, reaping the rewards takes some serious preparation. Following best practices for pre-migration planning is key to ensuring the success of cloud operations. Sure, planning the move sounds simple, but it’s so simple that many firms fail to do it. The result of inadequate preparation is often lost data.

Check the Paper Trail

First, it’s important for medical practices to look closely at the service-level agreements (SLAs) they have with existing vendors. And then look at them again.

Practice groups should make sure the answers to the following questions are clear:

  • What constitutes an outage: Is it lack of access to service or to data?
  • What does the contract cover in terms of storage, data transfers, metadata functions, and copying and deleting files?

Have an Itinerary

It’s important for practitioners to know where data will “live” during the entire process. There should also be a plan spelling out who is responsible for maintaining the data during the migration. For businesses that can’t afford a lot of downtime, it might be a smart option to replicate data rather than doing a straight transfer.

Then, it’s critical to consider every operation the data touches and how those systems will communicate after the move.

Consider Security

Obviously, testing security is key in any case. But when migrating to the cloud it’s important to test it twice. Security should be checked both before porting the data and again after it resides in the cloud. Keep in mind that some aspects of security may need to be reconsidered after the data is refactored for cloud optimization.

Practice groups should also work with their service providers to formulate a porting plan so they can ensure they have a plan for retrieving data.

The upshot: Working with an IT partner that can understand the critical needs of practices’ data integrity and business continuity is key to ensuring a smooth transfer with minimal interruption.



Your Cyber-Risk Policy: What it Covers and What it Doesn't


In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.


• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.


Records Exchange Raises Privacy Worries


A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.

Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization, says that HIEs and healthcare providers should take key steps to earn patients' trust that their records will remain private.


"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."

Survey Results

The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.

When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.

The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.

"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."

Access Reports

Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.

SHIN-NY plans to provide consumers with such access reports through the HIE's patient portal, he says.

"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."

Regulatory Activity

In fact, federal regulators have been working on proposals regarding an accounting of health information disclosures and EHR access reports for patients.

The HITECH Act mandated the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.
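To make the distinction concrete, here is an added example (not from the article, HHS or any EHR vendor) that builds a patient-facing access report from EHR audit-log lines in the shape the 2011 proposal describes: date and time, who accessed, what was touched, and whether it was viewed, created, modified or deleted. It also shows the difference between that report and the existing accounting of disclosures, which leaves out treatment, payment and operations (TPO) uses. The JSON-lines log format, field names, purpose codes and the sample records are all assumptions constructed for illustration; real EHRs record audit events in vendor-specific tables or ATNA-style audit messages.

```python
"""Build a HIPAA-style patient access report from EHR audit-log lines.

Added example; log schema and sample data are constructed, not from any real EHR.
"""
from __future__ import annotations

import json
from datetime import datetime

# Constructed sample audit log (JSON lines). Purpose codes are assumed:
# treatment / payment / operations are the TPO categories; anything else is a
# disclosure the current accounting-of-disclosures rule already covers.
SAMPLE_AUDIT_LOG = """\
{"ts":"2015-03-02T09:14:05Z","user":"dr.nguyen","role":"physician","org":"Valley Clinic","patient":"P-1001","action":"view","object":"Progress note","purpose":"treatment"}
{"ts":"2015-03-02T09:16:40Z","user":"dr.nguyen","role":"physician","org":"Valley Clinic","patient":"P-1001","action":"create","object":"Medication order","purpose":"treatment"}
{"ts":"2015-03-02T11:02:13Z","user":"billing.svc","role":"service","org":"Valley Clinic","patient":"P-1001","action":"view","object":"Encounter summary","purpose":"payment"}
{"ts":"2015-03-03T17:45:00Z","user":"j.smith","role":"front-desk","org":"Valley Clinic","patient":"P-1001","action":"view","object":"Demographics","purpose":"operations"}
{"ts":"2015-03-03T22:10:31Z","user":"j.smith","role":"front-desk","org":"Valley Clinic","patient":"P-2002","action":"view","object":"Lab results","purpose":"treatment"}
{"ts":"2015-03-04T08:00:00Z","user":"hie-gateway","role":"hie","org":"External HIE","patient":"P-1001","action":"view","object":"CCD summary","purpose":"treatment"}
this line is not JSON and must be counted as malformed, not crash the report
{"ts":"2015-03-04T08:05:12Z","user":"dr.nguyen","role":"physician","org":"Valley Clinic","patient":"P-1001","action":"delete","object":"Draft note","purpose":"treatment"}
{"ts":"2015-03-05T10:00:00Z","user":"registry.export","role":"service","org":"State Immunization Registry","patient":"P-1001","action":"view","object":"Immunization record","purpose":"public_health"}
"""

TPO_PURPOSES = {"treatment", "payment", "operations"}
ACTION_LABELS = {"view": "viewed", "create": "created",
                 "modify": "modified", "delete": "deleted"}


def parse_audit_log(text: str) -> tuple[list[dict], int]:
    """Parse JSON-lines audit records; return (events, malformed_line_count).

    Malformed lines are counted rather than silently dropped, because a gap in
    an audit trail is itself something a reviewer needs to know about.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            for field in ("user", "role", "org", "patient", "action", "object", "purpose"):
                rec[field]  # KeyError if the record is missing a required field
        except (ValueError, KeyError, TypeError):
            bad += 1
            continue
        events.append(rec)
    return events, bad


def access_report(events: list[dict], patient_id: str,
                  start: datetime | None = None, end: datetime | None = None,
                  include_tpo: bool = True) -> list[dict]:
    """Rows of who touched one patient's record, when, what, and how.

    include_tpo=True gives the proposed access report (every access, TPO included);
    include_tpo=False gives the narrower existing accounting of disclosures.
    """
    rows = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["patient"] != patient_id:
            continue
        if start is not None and e["ts"] < start:
            continue
        if end is not None and e["ts"] > end:
            continue
        if not include_tpo and e["purpose"] in TPO_PURPOSES:
            continue
        rows.append({
            "when": e["ts"].strftime("%Y-%m-%d %H:%M:%S UTC"),
            "who": f'{e["user"]} ({e["role"]}, {e["org"]})',
            "what": e["object"],
            "action": ACTION_LABELS.get(e["action"], e["action"]),
            "purpose": e["purpose"],
        })
    return rows


def accounting_of_disclosures(events: list[dict], patient_id: str) -> list[dict]:
    """The pre-2011-proposal view: disclosures outside treatment, payment, operations."""
    return access_report(events, patient_id, include_tpo=False)


def summarize_by_accessor(rows: list[dict]) -> dict[str, int]:
    """Access count per person/system, the at-a-glance view a patient portal would show."""
    counts: dict[str, int] = {}
    for r in rows:
        counts[r["who"]] = counts.get(r["who"], 0) + 1
    return counts


def render(rows: list[dict]) -> str:
    """Plain-text table suitable for a patient portal download."""
    header = f'{"When":<24}{"Action":<10}{"What":<22}{"Purpose":<14}Who'
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f'{r["when"]:<24}{r["action"]:<10}{r["what"]:<22}{r["purpose"]:<14}{r["who"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    evs, malformed = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(evs)} events parsed, {malformed} malformed line(s) skipped\n")
    print(render(access_report(evs, "P-1001")))
    print("\nBy accessor:", summarize_by_accessor(access_report(evs, "P-1001")))
    print("\nAccounting of disclosures (non-TPO only):",
          len(accounting_of_disclosures(evs, "P-1001")), "row(s)")
```

Run with the constructed log and patient P-1001 gets seven rows in the access report but only one in the accounting of disclosures (the immunization-registry export), which is exactly the gap the proposed rule would close. Filtering by `start`/`end` supports the "who looked at my record last month" question the article's interviewees describe.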

Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.

But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.

OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rulemaking. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.

Patient Control

An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.

"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."



Securely Disposing Medical Practice Equipment


It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members; or donate them to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.
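The following is an added example (not from the article or from Devji) that shows the two points above in working shell: an ordinary "delete" only clears the filesystem's pointer to the data, so the record is still readable from the raw device, and only an overwrite followed by a verification pass leaves nothing behind. It runs against a constructed 64 KiB image file standing in for a disk; on real hardware you would pass the device node instead. Block layout, marker strings and the "directory entry" are assumptions for illustration, not any real filesystem.

```bash
#!/bin/bash
# Added example: delete vs. overwrite on a disk image standing in for practice hardware.
# Requires only dd, grep (-a), tr, wc and mktemp. Constructed data, no real PHI.
set -u

BLOCK=4096

# Build a 64 KiB "disk": block 0 holds a directory entry pointing at block 2,
# block 2 holds the patient record. (Toy layout, not a real filesystem.)
make_image() {
    local img=$1
    dd if=/dev/zero of="$img" bs=$BLOCK count=16 2>/dev/null
    printf 'DIRENT jane_doe.txt block=2 size=64\n' \
        | dd of="$img" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf 'PATIENT Jane Doe DOB 1970-01-01 DX hypertension MRN 000123\n' \
        | dd of="$img" bs=1 seek=$((2 * BLOCK)) conv=notrunc 2>/dev/null
}

# What an ordinary "delete" does: the directory entry goes, the data block stays.
delete_only() {
    local img=$1
    dd if=/dev/zero of="$img" bs=1 count=512 seek=0 conv=notrunc 2>/dev/null
}

# How many times a marker is still readable straight off the raw device.
# grep -a treats the binary image as text; this is all a data thief needs.
count_hits() {
    local img=$1 marker=$2
    grep -a -c "$marker" "$img" || true
}

# Overwrite every block with zeros. One pass suffices for magnetic media; for SSDs
# prefer the drive's own sanitize command (nvme format / hdparm --security-erase)
# because an overwrite may never reach remapped flash blocks. On a real block device
# get the size with blockdev --getsize64 instead of reading it all through wc.
wipe_device() {
    local dev=$1
    local size
    size=$(wc -c < "$dev" | tr -d ' ')
    dd if=/dev/zero of="$dev" bs=$BLOCK count=$(( (size + BLOCK - 1) / BLOCK )) \
        conv=notrunc 2>/dev/null
}

# Verification: succeed only if no non-zero byte remains anywhere on the device.
verify_zeroed() {
    local dev=$1
    [ "$(tr -d '\000' < "$dev" | wc -c | tr -d ' ')" -eq 0 ]
}

# Walk through the whole story when run as a script.
demo() {
    local img
    img=$(mktemp)
    make_image "$img"
    delete_only "$img"
    echo "after delete: $(count_hits "$img" PATIENT) record(s) still recoverable"
    wipe_device "$img"
    echo "after wipe:   $(count_hits "$img" PATIENT) record(s) recoverable"
    if verify_zeroed "$img"; then echo "verified: device is all zeros"; fi
    rm -f "$img"
}

demo
```

The same overwrite-then-verify discipline applies to scanners and fax machines with internal storage, except that their drives usually have to be pulled and wiped externally; if that is not possible, physical destruction (or Devji's target practice) is the safe fallback.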

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.



Electronic Health Record Vendors Take Patient Data Hostage: What Should We Do?


In today’s interconnected world it seems intuitively true that instant access to comprehensive patient medical histories will help physicians provide better care at a lower cost. This simple argument was persuasive enough for the federal government to spend $26 billion to incent medical providers to adopt electronic health record (EHR) systems so that they can electronically share medical records. The initial investment appeared large, but it was an economically sound way to control rising healthcare expenditure. The resulting HITECH Act is one of the few healthcare laws that maintains bipartisan support.

To establish a nationwide health information exchange network, officials designed a two-stage plan. First, incent every medical provider to create an electronic archive of their patients’ medical records. Second, connect these electronic archives together so that the providers can share their patients’ records. The $26 billion in federal incentives was a lucrative source of revenue for hundreds of different software vendors to develop and aggressively market their own EHR products in a medical market that knew little about information technology. According to the Office of the National Coordinator for Health IT, in 2008 less than 10 percent of hospitals had basic EHR systems; five years later, 94 percent of hospitals used a certified EHR system.

The next step forward is to connect these electronic silos together so that physicians can share their patients’ records. The billions of dollars in federal spending will have a tangible benefit only if this is done successfully. EHR vendors have taken patient data hostage and are not willing to release it unless they receive a big ransom. They typically claim that technical problems limit the interoperability of their products. This prevents physicians from sharing their patient records with other doctors. It is like T-Mobile claiming that its users cannot make calls to AT&T customers. The claimed interoperability limitation does not end there: the vendors are proposing hefty charges to allow data sharing even between their own customers.

As I have discussed in detail before, this is a hole that the government has dug for itself. A nationwide health information exchange network sounds great, but it is not possible to achieve this goal without the proper alignment of economic benefits for every player in the healthcare market. In the face of this problem, the government has three choices:

  1. Pay EHR vendors the ransom that they are asking to release their hostage and allow sharing of the patient data among medical providers.
  2. Regulate the industry and force the EHR vendors to allow sharing of patient data among medical providers.
  3. Do nothing.

The government appears to be following the first plan. Officials had not anticipated interoperability challenges and assumed that all of the providers with EHR systems would have the capacity to exchange records. Based on this assumption, the third stage of the EHR incentives program was designed to encourage physicians to actively engage in the exchange of medical records. Today nearly every physician has an EHR system and although many of them also want to exchange information, the EHR vendors do not allow them. The incentives, which were initially planned to encourage physicians, will end up with EHR vendors and help drive future profits. As Rep. Phil Gingrey (R-GA) put it, "we have been subsidizing systems that block information instead of allowing for information transfers, which was never the intent of the [HITECH] statute.”

Regulating the industry seems like the only feasible solution to this problem. Rep. Michael Burgess (R-TX), the leader of the House Energy and Commerce trade subcommittee is drawing up a bill to enforce data sharing. The benefits of regulating the EHR industry, if any, will take a very long time to become tangible. The EHR vendors will furiously push back against any kind of regulation and will insist that technical challenges are a real barrier to interoperability. Congress is poorly situated to adjudicate this claim. Time is a critical factor in the long term success of HITECH plans, which threatens the viability of this strategy.

The best solution for the government is to do nothing. The new pay-for-performance payment methods, in which medical providers are paid a fixed amount for treating patients, would drive them to become more efficient and increase their profit margin by seeking solutions such as health information exchange to cut costs. Because the market for new EHR products is now saturated, the only remaining revenue source for EHR vendors is charges for data exchange. Currently, they can get away with outlandish charges because they know the incentives from the federal government allow doctors to cover their costs. But if the free money from the government were to stop, then EHR vendors would have to persuade physicians to pay the exchange fees themselves. Just like any other service, the highest price medical providers would pay is equal to the value of the service to them. If the electronic exchange of information helps medical providers cut their costs, they will be willing to pay a fair price for it. EHR vendors will end up lowering their fees to a reasonable level or will eventually go out of business.



FDA Expands EHR Data Analytics with Active Surveillance System


The Food and Drug Administration’s Sentinel Initiative, one of the first active surveillance infrastructures focused on identifying patient safety issues related to pharmaceuticals and other medical products, will expand past its pilot phase this year, announced Janet Woodcock, MD, Director of the Center for Drug Evaluation and Research in a blog post.  As a planned continuation of the Mini-Sentinel project, the full-scale system will allow the FDA to leverage advanced EHR data analytics by scanning millions of files for adverse events linked to drugs that fall under the Administration’s purview.

“Over the past five years, the Mini-Sentinel pilot program has established secure access to the electronic healthcare data of more than 178 million patients across the country, enabling researchers to evaluate a great deal of valuable safety information,” Woodcock writes. “While protecting the identity of individual patients we can get valuable information from Mini-Sentinel that helps us better understand potential safety issues, and share with you information on how to use medicines safely. We have used Mini-Sentinel to explore many safety issues, helping FDA enhance our safety surveillance capabilities, and giving us valuable input in decision-making on drugs and vaccines.”

The Sentinel Initiative differs from previous drug safety monitoring efforts in that it allows FDA researchers to actively dive into EHR data and insurance claims to analyze potential adverse events and establish links to specific pharmaceutical products.  This allows the FDA to work more quickly to identify problems than if they continued to rely on voluntary reporting alone.  Mini-Sentinel has previously confirmed the safety of two vaccines intended to protect infants against rotavirus after the voluntary recall of a third product that raised the risk of intussusception in patients who received the immunization.

The expansion of the project will build upon successful use cases from Mini-Sentinel, Woodcock says.  The FDA will refine its EHR data analytics methodologies as it continues to grow into what the Administration hopes will be a national resource at the center of an industry-wide collaboration between researchers, pharmaceutical developers, and other healthcare stakeholders.

The success of this vision relies on cooperation from academic and research partners, all of whom will need to further develop industry data standards for the system to function effectively.  “This work will allow computer systems to better ‘talk’ to each other and, ultimately will lead to better treatment decisions as clinicians will have a more complete picture of their patients’ medical histories, including visits with other providers,” Woodcock wrote in a previous blog post touting the success of the pilot system.  “Defining standards for capturing data from clinical trials, and using standard terms for items such as ‘adverse events’ or ‘treatments’ will allow researchers to combine data from different clinical studies to learn more.”

“From the outset, the goals of the Sentinel Initiative have been large and of ground-breaking scale,” she concludes. “We knew it would be years in the making, but Mini-Sentinel’s successful completion marks important progress. We look forward to continuing and expanding our active surveillance capabilities as we now transition to the full-scale Sentinel program.”

