EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

Medical Data Exchange, Cloud Solutions Impact EHR Design


Over the last two decades, the medical industry has changed drastically in terms of patient care and access to medical records. It was nearly impossible to obtain one’s own health record 20 years ago. Forbes reports that patients had little choice but to press legal action if they wished to access their own medical data.


In 1996, however, the Health Insurance Portability and Accountability Act (HIPAA) was passed, which did offer legal protections to patients who needed to see their health records. Nonetheless, there was still significant difficulty in accessing this information and most people never went through the challenging process.


Today, these problems are slowly disappearing, as patients have more ability to readily view their medical history and test results via patient portals and through other electronic means.


A study published earlier this year shows that after three hospital systems in separate states offered their patients the ability to view their health records and physician notes, nearly 70 percent of patients reported understanding their conditions better and taking better care of themselves, including remaining vigilant about taking their medications on time. The results from the study also showed that providing patients with this ability did not majorly impact the physician workflow.


The design and evolution of certified EHR technology and the health IT systems that held medical data are now moving toward more cloud-based and mobile platforms. This leads to further digitizing of medical records and more flexible solutions for healthcare professionals within the clinical setting.


Both mobile health and wearables are also impacting the design of certified EHR technology. The Apple watch, for instance, could potentially hold relevant medical data for physicians to view and patients to access. Additionally, mobile apps on smartphones or tablets could be used by patients to request drug refills and securely message doctors or nurse practitioners.


In a new report from market research firm IDC, Judy Hanover, Research Director at IDC, explains, “The new concept of flexible, mobile, cloud-based acute care EHR supports digitizing paper workflow and reengineering processes … There’s a huge appetite for getting better workflows into healthcare, looking at department specific and mobile apps. I would see an environment where hospitals and health systems would perhaps rip out and replace in some cases.”


According to the report, it is expected that over the next few years, providers will begin to replace their current certified EHR technology with cloud-based solutions instead. Greater investment will continue to be poured into the health IT industry as providers move onto meeting Stage 3 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs.


Additionally, the future of EHRs will continue to depend on EHR interoperability and the ready access of medical data across the healthcare industry. Forbes states that many within the medical sector believe EHR interoperability will be the “biggest game changer.” However, it may take longer than expected for interoperability and medical data exchange to expand across multiple healthcare settings, as this industry “moves slowly.”



The Fastest Path to a Secure Cloud


Personal Health Information (PHI) records and electronic PHIs (ePHIs) comprise our most confidential data, including demographic information, medical history, test and laboratory results and insurance information. Health care professionals utilize the PHI to identify the patient and determine appropriate care and treatment; insurers input financial data, and patients can access this information by request. Due to this highly sensitive combination of medical and financial data, these records have become a favorite target for hackers, as shown by the recent Premera and Anthem breaches.


As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing HIPAA compliant standards to secure their data. Healthcare organizations currently use both on premise and cloud deployments to house their information. In fact, a recent survey of healthcare provider organizations indicates that 83% of IT executives report that they are currently using cloud services. The areas with the most uptake include lab systems and email services; electronic health record and information exchanges (CHIs, EMRs, Telehealth, etc.), and Shadow IT – which is enlisting cloud-based services, but not via their IT departments.


While the advantages in moving to the cloud include improved access, powerful processing capabilities, higher availability and significant savings with on-demand hosting, healthcare organizations are still wary that the cloud may deliver a less secure option. They are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.


In the Public Cloud environment, responsibility for IT security is shared between the health care organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the health care organization is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP offering to ensure a HIPAA compliant cloud deployment.


As part of a cloud migration process, ePHIs may be ‘exported’ to the cloud, to share with other healthcare organizations, clinicians and insurers, or for cloud-based storage and processing.  In such cases encryption of the data in transit and at rest is critical. Firewall policies to control data transfer and access are also required. Since many healthcare organizations have only migrated a portion of their resources to the cloud, the encryption and firewall policies must encompass the hybrid, private and enterprise cloud environments.

When ePHI or other clinical or sensitive data is stored in the cloud, the issue of remote access must also be addressed. Health care professionals, IT staff and others need to access cloud resources from remote offices and via mobile devices. Although remote access provides flexibility, it is also a significant security concern. Almost half of the healthcare security incidents last year were the result of loss or theft of devices such as laptops, phones or portable drives. Internal threats are especially worrisome, as 15% of the security incidents in healthcare in 2014 were attributed to unapproved or malicious use of organizational resources.


The answer to these threats is strong integration with identity controls as well as access management. To protect their resources, organizations must implement strong two-factor or multi-factor authentication systems. Identity-based access management policies assure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.


Another important step in securing healthcare information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations (i.e. multi-tenant). Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.


The cloud is becoming the default choice for healthcare CIOs. The fastest path to a secure, compliant healthcare deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now becoming available in the marketplace, evidence that cloud technologies for healthcare are coming of age.



Calif. Hospital Challenges Nurses Union's Claims About EHR Outage


Officials from Antelope Valley Hospital in Lancaster, Calif., are disputing recent allegations from a nurses union that an electronic health record outage caused the hospital's emergency department to close, Becker's Health IT & CIO Review reports.

Background

Last week, representatives of the California Nurses Association/National Nurses United asked the Los Angeles County Department of Public Health to investigate the Feb. 27 outage, contending that the incident put patients at risk.

According to the nurses, the outage caused myriad issues at the hospital, including difficulty:

  • Dispensing medication;
  • Verifying physician orders;
  • Reviewing patient labs and other diagnostic procedures; and
  • Reviewing patient records.

The nurses union also asserted that the outage forced the hospital to shut down its ED. Further, they claimed that the hospital did not have a backup plan in place for such outages.

Hospital Statement

In an emailed statement, hospital officials said, "The emergency department continued to treat patients, logging more than 900 patients over the weekend." The statement noted, "At times during the outage, certain patients were diverted to other nearby facilities based on their treatment needs."

The hospital said it activated its "downtime procedures" while working to fix the EHR errors. Officials say patient safety was not affected by the issues, and the pharmacy continued to fill prescriptions using a management system that was not connected to the network outage. Meanwhile, patient records and medication requests were filled by hand.

Antelope Valley CEO Dennis Knox said, "Our team of professionals worked tirelessly throughout the weekend to process lab orders and results, review radiology exams, carry out treatment plans and deliver overall patient care as promptly as possible."



Records Exchange Raises Privacy Worries


A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.

Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization, says that HIEs and healthcare providers should take key steps to earn patients' trust that their records will remain private.


"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."

Survey Results

The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.

When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.

The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.

"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."

Access Reports

Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.

SHIN-NY plans to provide consumers with such access reports through the HIE's patient portal, he says.

"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."

Regulatory Activity

In fact, federal regulators have been working on proposals regarding an accounting of health information disclosures and EHR access reports for patients.

The HITECH Act mandated the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.

Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.

But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.

OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rule making. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.

Patient Control

An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.

"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."



Securely Disposing Medical Practice Equipment


It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members; or donate them to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.



Electronic Health Record Vendors Take Patient Data Hostage: What Should We Do?


In today’s interconnected world it seems intuitively true that instant access to comprehensive medical patient histories will help physicians to provide better care at a lower cost. This simple argument was persuasive enough for the federal government to spend $26 billion to incent medical providers to adopt electronic health records (EHR) systems so that they can electronically share medical records. The initial investment appeared to be large, but it was an economically sound solution to control the rising healthcare expenditure. The resulting HITECH act is one of the few healthcare laws that maintains bipartisan support. To establish a nationwide health information exchange network, officials designed a two-stage plan. First, incent every medical provider to create an electronic archive of their patients’ medical records. Second, connect these electronic archives together so that the providers can share their patients’ records. The $26 billion in federal incentives was a lucrative source of revenue for hundreds of different software vendors to develop and aggressively market their own type of EHR products in a medical market that knew little about information technology. According to the Office of National Coordinator for Health IT, in 2008, less than 10 percent of hospitals had basic EHR systems, and a mere five years after, 94 percent of the hospitals use a certified EHR system.

The next step forward is to connect these electronic silos together so that physicians can share their patients’ records. The billions of dollars in federal spending will only have any tangible benefit if this is done successfully. EHR vendors have taken patient data hostage and are not willing to release it unless they receive a big ransom. They typically claim that technical problems limit the interoperability of their products. This prevents physicians from sharing their patient records with other doctors. This is like T-Mobile claiming that its users cannot make calls to AT&T customers. The claimed interoperability limitation does not end here. The vendors are proposing hefty charges to allow data sharing between their own customers.

As I have discussed in detail before, this is a hole that the government has dug for itself. A nationwide health information exchange network sounds great, but it is not possible to achieve this goal without the proper alignment of economic benefits for every player in the healthcare market. In the face of this problem, the government has three choices:

  1. Pay EHR vendors the ransom that they are asking to release their hostage and allow sharing of the patient data among medical providers.
  2. Regulate the industry and force the EHR vendors to allow sharing of patient data among medical providers.
  3. Do nothing.

The government appears to be following the first plan. Officials had not anticipated interoperability challenges and assumed that all of the providers with EHR systems would have the capacity to exchange records. Based on this assumption, the third stage of the EHR incentives program was designed to encourage physicians to actively engage in the exchange of medical records. Today nearly every physician has an EHR system and although many of them also want to exchange information, the EHR vendors do not allow them. The incentives, which were initially planned to encourage physicians, will end up with EHR vendors and help drive future profits. As Rep. Phil Gingrey (R-GA) put it, "we have been subsidizing systems that block information instead of allowing for information transfers, which was never the intent of the [HITECH] statute."

Regulating the industry seems like the only feasible solution to this problem. Rep. Michael Burgess (R-TX), the leader of the House Energy and Commerce trade subcommittee is drawing up a bill to enforce data sharing. The benefits of regulating the EHR industry, if any, will take a very long time to become tangible. The EHR vendors will furiously push back against any kind of regulation and will insist that technical challenges are a real barrier to interoperability. Congress is poorly situated to adjudicate this claim. Time is a critical factor in the long term success of HITECH plans, which threatens the viability of this strategy.

The best solution for the government is to do nothing. The new pay for performance payment methods in which the medical providers are being paid a fixed amount for treating patients would drive them to become more efficient and increase their profit margin by seeking solutions such as health information exchange to cut costs. Because the market for new EHR products is now saturated, the only revenue source for EHR vendors is charges for data exchange. Currently, they can get away with outlandish charges because they know the incentives from the federal government allow doctors to cover their costs. But if the free money from the government were to stop, then EHR vendors would have to persuade the physicians to pay for the exchange fees. Just like any other service, the highest price that the medical providers would pay is equal to the value of the service for them. If the electronic exchange of information helps medical providers to cut back on their costs and save some money they will be willing to pay a fair price for it. EHR vendors will end up lowering their fees to a reasonable level or will eventually go out of business.

