EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

EHR Interoperability Plan Raises Concerns

Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.


For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.


ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.


Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.


Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. That is what ONC describes as "basic choice" consent.


ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.


For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."


HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."


Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute for Standards and Technology's framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.


"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance to so-called governance "rules of the road."


But some organizations, including the College of Healthcare Information Management Executives and the Association of Medical Directors of Information Systems, oppose too much government intervention in governance issues.


"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:


  • A central portal that aggregates cyberthreat indicators and vulnerability information, across critical infrastructure sectors;
  • Guidance for what a thorough, holistic risk management program looks like - including plans, policies, procedures, application security testing, penetration testing, network monitoring and detection, incident response, continuity, disaster recovery and resilience; and
  • Guidance on issues related to encryption, including practical guidelines on encryption requirements for protected health information stored or accessed via devices and software.


"Encryption is not a silver bullet, but it can be a useful safeguard when the right technology and know-how are used appropriately to keep information both private and secure," HIMSS notes.



Why Should Your Practice Have a Cloud-Based EHR? - HITECH Answers

If you’re still debating whether to go with a web-based EHR or a server-based EHR, you should know why a growing number of practices are choosing to go with a cloud EMR.

How does a web-based EMR differ from the older technology of a client server-based EHR system?

A cloud EMR is different (and better, in our opinion) due to the following factors:

Your software is always up to date
With a web-based EMR, the software is always up to date, usually at no additional charge. No more expensive upgrades causing delays; just open the SaaS-based software and you have the latest version.

Rest easy on HIPAA data requirements
Data security is much easier to manage with a web-based system. Cloud EHR vendors can provide much more security for your data than you can internally with office servers. As reported by the Business Insurance site, “Data breaches seem to be everywhere these days except the one place everyone fears—the cloud.” That could be because cloud EMRs offer financial-level security for your data.

Accessibility—work from anywhere
One of the things many users love about the cloud is the ability to work from anywhere—whether it’s e-prescribing from a smartphone or checking a patient record from the beach while on vacation. We don’t recommend you work on your vacation, but we understand the realities of medical practice.

Cloud-based EHR systems allow continued functioning during and immediately after disasters
Hospitals and physicians discovered the benefits of cloud-based data first after Hurricane Katrina and again after Super Storm Sandy; with a web-based system, you can practice (and bill) from anywhere.

Reduced expense for both software and hardware
A cloud-based system is more cost-effective, particularly for small to medium sized practices, since there are no large hardware expenditures and the software expense is a consistent, low subscription rate. You won’t have to plan for large hardware and software expenditures.

Better IT support
Damn it, Jim, you’re a doctor—not an IT person. And you will probably not be able to hire IT support of the same caliber as the staff of a web-based EHR vendor. Why not make use of their resources and eliminate your headaches?

You can use a cloud-based EHR on a mobile device such as an iPad or other tablet
A survey of physicians by web-based EHR review group Software Advice showed that 39% of physicians want to use their EHR on a tablet such as iPad, and in another survey, a majority of patient respondents indicated that they find use of an EHR on a tablet in the exam room to be “not at all bothersome.”

Satisfaction levels are higher among mobile EHR users
A recent survey by tablet-based EHR review group Software Advice found that providers using a mobile EHR expressed twice the satisfaction levels of those using EHRs via non-mobile systems. And as mentioned above, an effective mobile EHR needs to be cloud-based.

It’s particularly important to note that cloud-based systems are nearly always more secure than any system you could set up in your office. For most practices, data security and HIPAA best practices are not their area of expertise—excellent patient care is. But for cloud EMR systems, those areas are key to our success. We are better at it because we must be in order to continue in business. And as mentioned above, the proof is in the lack of data breaches among cloud-based companies.

One proof of the idea that a cloud-based EHR is the best choice is the fact that most EHRs that were originally server-based have since developed cloud-based offerings as well. If server-based technology is state of the art, why are those vendors switching platforms?



Can EHRs Be Secure and Fast?

Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way in which to log in to the EHR. It would be a big step forward and would eliminate the majority of authentication to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase that refers to all of the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and there are readily available technologies that rely on retinas, irises, face recognition, or voice recognition that are being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as reducing the technological burden on the healthcare providers who daily have to use this technology in the performance of their jobs. These competing trends get more important every day as the penetration of the EHR becomes more ubiquitous.
