EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

New Privacy Threats in Healthcare?


Privacy advocate Deborah Peel, M.D., is worried that several ongoing healthcare sector initiatives, including the emphasis on nationwide, interoperable health information exchange, provisions of the 21st Century Cures bill, and a push for a national unique patient identifier, could erode patient privacy and individuals' control over their records.


Electronic health records systems, and databases that store massive amounts of data on millions of patients, have "created a situation where our absolutely most sensitive information is at the greatest risk of all personal information," says Peel, founder and chair of advocacy group, Patient Privacy Rights, in an interview with Information Security Media Group.


"And on top of that, as Congress has woken up and found out, your doctors are not getting the information they need [for treatment]. That was the whole purpose of having an electronic health record system, and it's failed miserably. ..."


Peel's concerned that the intensifying focus on improving electronic health records interoperability and nationwide data sharing, in an effort to ease access to treatment information, could lead to more hacker attacks as well as insider breaches.


Plus, she opposes proposed changes to the HIPAA Privacy Rule included in the 21st Century Cures bill, which the House recently passed and sent to the Senate. Those changes would allow healthcare entities to disclose patient data to other healthcare entities or business associates for research purposes without patient authorization.


"The point of the medical record is to help the physician take better care of you," she says. "Who goes to the doctor to join endless numbers of hidden 'research projects'? I don't know anyone who does."


Patients need to have more control over collection and storage of their own health information, she says, and they should be given the opportunity to approve the use of their records in research projects.

Unique Patient IDs

Peel also is concerned about renewed calls by some healthcare industry associations, including the College of Healthcare Information Management Executives, for Congress to re-examine its long ban on the creation of a national unique patient identifier.


When Congress passed HIPAA in 1996, the law called for the creation of a unique health identifier for individuals. But in response to privacy concerns, Congress in 1999 passed a law prohibiting federal funding for the identifier. However, some healthcare IT leaders say some sort of ID is more critical than ever in facilitating secure national health information exchange and ensuring patient record accuracy in the wake of mass adoption of electronic health record systems.


But Peel fears a national patient identifier would open the door for more invasions of privacy. "The rationale for a unique patient ID is exactly the same as the rationale of a Social Security number. It was supposed to be used for one purpose. And what happened to the Social Security number? It's used as a national ID for everywhere, and it allows all kinds of people to collect information about you from everywhere."


Peel, a practicing psychiatrist and psychoanalyst, is founder and chair of the advocacy group Patient Privacy Rights. Peel became active in privacy rights at the federal level in 1993. She advocated first as an individual and later on behalf of state and national medical specialty organizations for patient control of access to medical records. She has made multiple presentations at national panels and Congressional briefings.


Medical Data Exchange, Cloud Solutions Impact EHR Design


Over the last two decades, the medical industry has changed drastically in terms of patient care and access to medical records. It was nearly impossible to obtain one’s own health record 20 years ago. Forbes reports that patients had little choice but to press legal action if they wished to access their own medical data.


In 1996, however, the Health Insurance Portability and Accountability Act (HIPAA) was passed, which did offer legal protections to patients who needed to see their health records. Nonetheless, there was still significant difficulty in accessing this information and most people never went through the challenging process.


Today, these problems are slowly disappearing, as patients have more ability to readily view their medical history and test results via patient portals and through other electronic means.


A study published earlier this year shows that after three hospital systems in separate states offered their patients the ability to view their health records and physician notes, nearly 70 percent of patients reported understanding their conditions better and taking better care of themselves, including remaining vigilant about taking their medications on time. The results from the study also showed that providing patients with this ability did not majorly impact the physician workflow.


The design and evolution of certified EHR technology and health IT systems that hold medical data are now shifting toward cloud-based and mobile platforms. This leads to more digitizing of medical records and more flexible solutions for healthcare professionals within the clinical setting.


Both mobile health and wearables are also impacting the design of certified EHR technology. The Apple watch, for instance, could potentially hold relevant medical data for physicians to view and patients to access. Additionally, mobile apps on smartphones or tablets could be used by patients to request drug refills and securely message doctors or nurse practitioners.


In a new report from market research firm IDC, Judy Hanover, Research Director at IDC, explains, “The new concept of flexible, mobile, cloud-based acute care EHR supports digitizing paper workflow and reengineering processes … There’s a huge appetite for getting better workflows into healthcare, looking at department specific and mobile apps. I would see an environment where hospitals and health systems would perhaps rip out and replace in some cases.”


According to the report, it is expected that over the next few years, providers will begin to replace their current certified EHR technology with cloud-based solutions instead. Greater investment will continue to be poured into the health IT industry as providers move onto meeting Stage 3 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs.


Additionally, the future of EHRs will continue to depend on EHR interoperability and the ready access of medical data across the healthcare industry. Forbes states that many within the medical sector believe EHR interoperability will be the “biggest game changer.” However, it may take longer than expected for interoperability and medical data exchange to expand across multiple healthcare settings, as this industry “moves slowly.”



EHR Interoperability Plan Raises Concerns


Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.


For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.


ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.


Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.


Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. And that's what ONC describes as "basic choice" consent.


ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.


For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."


HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."


Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute for Standards and Technology's framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.


"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance to so-called governance "rules of the road."


But some organizations, including the College of Healthcare Information Management Executives and the Association of Medical Directors of Information Systems, oppose too much government intervention in governance issues.


"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:


  • A central portal that aggregates cyberthreat indicators and vulnerability information, across critical infrastructure sectors;
  • Guidance for what a thorough, holistic risk management program looks like - including plans, policies, procedures, application security testing, penetration testing, network monitoring and detection, incident response, continuity, disaster recovery and resilience; and
  • Guidance on issues related to encryption, including practical guidelines on encryption requirements for protected health information stored or accessed via devices and software.


"Encryption is not a silver bullet, but it can be a useful safeguard when the right technology and know-how are used appropriately to keep information both private and secure," HIMSS notes.



The Fastest Path to a Secure Cloud


Personal Health Information (PHI) records and electronic PHIs (ePHIs) comprise our most confidential data, including demographic information, medical history, test and laboratory results and insurance information. Health care professionals utilize the PHI to identify the patient and determine appropriate care and treatment; insurers input financial data, and patients can access this information by request. Due to this highly sensitive combination of medical and financial data, these records have become a favorite target for hackers, as shown by the recent Premera and Anthem breaches.


As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing HIPAA compliant standards to secure their data. Healthcare organizations currently use both on premise and cloud deployments to house their information. In fact, a recent survey of healthcare provider organizations indicates that 83% of IT executives report that they are currently using cloud services. The areas with the most uptake include lab systems and email services; electronic health record and information exchanges (CHIs, EMRs, Telehealth, etc.), and Shadow IT – which is enlisting cloud-based services, but not via their IT departments.


While the advantages in moving to the cloud include improved access, powerful processing capabilities, higher availability and significant savings with on-demand hosting, healthcare organizations are still wary that the cloud may deliver a less secure option. They are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.


In the Public Cloud environment, responsibility for IT security is shared between the health care organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the health care organization is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP offering to ensure a HIPAA compliant cloud deployment.


As part of a cloud migration process, ePHIs may be ‘exported’ to the cloud, to share with other healthcare organizations, clinicians and insurers, or for cloud-based storage and processing. In such cases encryption of the data in transit and at rest is critical. Firewall policies to control data transfer and access are also required. Since many healthcare organizations have only migrated a portion of their resources to the cloud, the encryption and firewall policies must encompass the hybrid, private and enterprise cloud environments.

When ePHI or other clinical or sensitive data is stored in the cloud, the issue of remote access must also be addressed. Health care professionals, IT staff and others need to access cloud resources from remote offices and via mobile devices. Although remote access provides flexibility, it is also a significant security concern. Almost half of the healthcare security incidents last year were the result of loss or theft of devices such as laptops, phones or portable drives. Internal threats are especially worrisome, as 15% of the security incidents in healthcare in 2014 were attributed to unapproved or malicious use of organizational resources.


The answer to these threats is strong integration with identity controls as well as access management. To protect their resources, organizations must implement strong two-factor or multi-factor authentication systems. Identity-based access management policies assure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.


Another important step in securing healthcare information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations (i.e. multi-tenant). Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.


The cloud is becoming the default choice for healthcare CIOs. The fastest path to a secure, compliant healthcare deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now becoming available in the marketplace, evidence that cloud technologies for healthcare are coming of age.



Calif. Hospital Challenges Nurses Union's Claims About EHR Outage


Officials from Antelope Valley Hospital in Lancaster, Calif., are disputing recent allegations from a nurses union that an electronic health record outage caused the hospital's emergency department to close, Becker's Health IT & CIO Review reports.

Background

Last week, representatives of the California Nurses Association/National Nurses United asked the Los Angeles County Department of Public Health to investigate the Feb. 27 outage, contending that the incident put patients at risk.

According to the nurses, the outage caused myriad issues at the hospital, including difficulty:

  • Dispensing medication;
  • Verifying physician orders;
  • Reviewing patient labs and other diagnostic procedures; and
  • Reviewing patient records.

The nurses union also asserted that the outage forced the hospital to shut down its ED. Further, they claimed that the hospital did not have a backup plan in place for such outages.

Hospital Statement

In an emailed statement, hospital officials said, "The emergency department continued to treat patients, logging more than 900 patients over the weekend." The statement noted, "At times during the outage, certain patients were diverted to other nearby facilities based on their treatment needs."

The hospital said it activated its "downtime procedures" while working to fix the EHR errors. Officials say patient safety was not affected by the issues, and the pharmacy continued to fill prescriptions using a management system that was not connected to the network outage. Meanwhile, patient records and medication requests were filled by hand.

Antelope Valley CEO Dennis Knox said, "Our team of professionals worked tirelessly throughout the weekend to process lab orders and results, review radiology exams, carry out treatment plans and deliver overall patient care as promptly as possible."



EHR audit catches snooping employee

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients' confidential information, as one California hospital has observed this past week. 
 
Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first discovered that only 14 individuals had had their PHI compromised.

Following an "expanded investigation," hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes.
 
As officials pointed out, the hospital has "reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment," they wrote in a Jan. 23 press notification. 
 
The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News in spring 2014 on Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," Widup pointed out. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."
 
This snooping incident at California Pacific Medical Center is far from an isolated event. As more hospitals conduct more regular EHR audits, cases like this are only increasing in number. 
 
One of the more egregious incidents was reported by the five-hospital Riverside Health System back in December 2013. Following a random company audit, officials discovered an employee had unrestricted access to Social Security numbers and clinical data of close to 1,000 patients for a period of four years.
 
Then, of course, there was the HIPAA breach at University Hospitals just in December, where an employee had been reading confidential medical records of nearly 700 patients. What's more, the employee had unfettered access to the records for nearly three and a half years before being discovered and was only caught because the health system had received a snooping complaint.
 
This kind of employee behavior has long been on the minds of chief information officers nationwide. 
 
In an interview with Texas Health Resources Chief Information Officer Ed Marx this past summer, he told us: "The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."
 
Out of the nearly 42 million individuals that have had their protected health information compromised in reportable HIPAA privacy and security breaches, nearly 13 percent of them involve inappropriate access or disclosure of patient records, according to data from the Department of Health and Human Services. 



Employee sacked after snooping patient EMR records | Healthcare IT News


Your organization can have the most well-crafted privacy and security policies in the world. But if those policies are accompanied by lukewarm emphasis and no accountability, or your staff just downright ignores them, you have a big security problem – just like the folks at one Ohio-based health system did last week. 

Cleveland-based University Hospitals on Friday notified nearly 700 patients of a HIPAA privacy breach after one of its employees was caught snooping on confidential medical records. What's more is the employee was able to inappropriately access patient medical and financial records for nearly three and a half years without UH knowing. 


UH had received a complaint over the employee's inappropriate access to the health system's electronic medical record system, and only after the allegation did UH audit the user's EMR access, according to a UH spokesperson. On Oct. 2, health system officials discovered the staff member had been snooping into the EMRs of 692 patients from January 2011 through June 2014. 

The staff member, whose employment has since been terminated, was able to gain unfettered access to patient names, medical diagnoses, health insurance numbers, dates of birth, home addresses and additional treatment data. Other patients had their Social Security numbers, financial data, credit card numbers and driver's license numbers viewed. 

"UH takes the protection of patient health information very seriously," wrote UH officials in a Nov. 28 press release. "UH continually evaluates and modifies its practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters."


The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News this spring regarding Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," said Widup. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."

It's cases like what transpired at UH, where the action comes down to an individual employee, that have many healthcare security officials on edge.

"The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do," said Texas Health Resources Chief Information Officer Ed Marx, in an interview with Healthcare IT News this summer. 


Indeed, Marx is in good company. According to a HIMSS security survey released earlier this year, a whopping 80 percent of healthcare IT security professionals identified snooping on personal patient information by employees to be the top threat motivator for breaches. 

More than 41.4 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.



Laurie Bolick Wolf's curator insight, June 17, 2015 2:24 PM

This article addresses the issue of breach of confidential information within a patient record using electronic medical records. Accessing patients' records is much easier with EMR. Previously, with a paper chart there was only access to information from that visit contained within the record. With EMR, all information is accessible. This includes financial and private data. The potential for a patient to have his or her personal information obtained is huge. I believe it is the responsibility of the health care provider to monitor the use of this information by their employees to ensure proper use.


Health and Electronic Security


The rapid adoption of electronic health records (“EHR”) and other new technology in healthcare has resulted in the introduction of serious security threats. Numerous stories and reports have made it clear that hackers, criminals and others view the healthcare industry as a ripe target due to security vulnerabilities. This issue is exacerbated by the high value placed upon medical records in the black market.


The question many are asking is whether all of the money spent on acquiring EHRs was misspent, now that security flaws or issues are popping up with such frequency. Namely, is healthcare throwing good money after bad? To some degree, it may be a misplaced accusation. Any adoption of newer technologies will lead to issues, including exploitation of flaws that may not be expected. Unfortunately, it is also likely that bad actors will be ahead of the field when it comes to finding weaknesses or ways to get at data. Such a scenario should be viewed as an inherent risk in implementing technology. That being said, it is likely an unavoidable risk in this day and age. It is simply too difficult and against expectations to remain on the digital sidelines.


The increase in attacks against healthcare entities should appropriately raise alarm bells and spur action. Medical information is very sensitive on many levels and needs to be protected. One place to look for a solution is HIPAA. As is well-known, the HIPAA Security Rule sets standards for protecting health information. The technical, physical, and administrative safeguards define certain minimum standards to follow. In the current day and age though, the HIPAA standards by themselves are probably not enough. From this perspective, it is important to remember that HIPAA only sets a floor, not a ceiling. Best practices may well require actions beyond those prescribed by HIPAA. The healthcare industry needs to evolve and adapt to new realities.


The speed with which adaptation can occur will dictate how secure medical information remains. While much money was and is being spent in connection with new digital and technological solutions, the expense is not going to end as long as threats remain. Technology takes investment, time and attention, all of which are ongoing and recurring obligations.


The Blocking of Health Information Undermines Interoperability and Delivery Reform


The secure, appropriate, and efficient sharing of electronic health information is the foundation of an interoperable learning health system—one that uses information and technology to deliver better care, spend health dollars more wisely, and advance the health of everyone.


Today we delivered a new Report to Congress on Health Information Blocking that examines allegations that some health care providers and health IT developers are engaging in “information blocking”—a practice that frustrates this national information sharing goal.


Health information blocking occurs when persons or entities knowingly and unreasonably interfere with the exchange or use of electronic health information. Our report examines the known extent of information blocking, provides criteria for identifying and distinguishing it from other barriers to interoperability, and describes steps the federal government and the private sector can take to deter this conduct.

This report is important and comes at a crucial time in the evolution of our nation’s health IT infrastructure. We recently released the Federal Health IT Strategic Plan 2015 – 2020 and the Draft Shared Nationwide Interoperability Roadmap. These documents describe challenges to achieving an interoperable learning health system and chart a course towards unlocking electronic health information so that it flows where and when it matters most for individual consumers, health care providers, and the public health community.


While most people support these goals, some individual participants in the health care and health IT industries have strong incentives to exercise control over electronic health information in ways that unreasonably interfere with its exchange and use, including for patient care.


Over the last year, ONC has received many complaints of information blocking. We are becoming increasingly concerned about these practices, which devalue taxpayer investments in health IT and are fundamentally incompatible with efforts to transform the nation’s health system.


The full extent of the information blocking problem is difficult to assess, primarily because health IT developers impose contractual restrictions that prohibit customers from reporting or even discussing costs, restrictions, and other relevant details. Still, from the evidence available, it is readily apparent that some providers and developers are engaging in information blocking. And for reasons discussed in our report, this behavior may become more prevalent as technology and the need to exchange electronic health information continue to evolve and mature.


There are several actions ONC and other federal agencies can take to address certain aspects of the information blocking problem. These actions are outlined in our report and include:

  • Proposing new certification requirements that strengthen surveillance of certified health IT capabilities “in the field.”
  • Proposing new transparency obligations for certified health IT developers that require disclosure of restrictions, limitations, and additional types of costs associated with certified health IT capabilities.
  • Specifying a nationwide governance framework for health information exchange that establishes clear principles about business, technical, and organizational practices related to interoperability and information sharing.
  • Working with the Centers for Medicare & Medicaid Services to coordinate health care payment incentives and leverage other market drivers to reward interoperability and exchange and discourage information blocking.
  • Helping federal and state law enforcement agencies identify and effectively investigate information blocking in cases where such conduct may violate existing federal or state laws.
  • Working in concert with the HHS Office for Civil Rights to improve stakeholder understanding of the HIPAA Privacy and Security standards related to information sharing.


While these actions are important, they do not provide a comprehensive solution to the information blocking problem. Indeed, the most definitive finding of our report is that most information blocking is beyond the current reach of ONC or any other federal agency to effectively detect, investigate, and address. Moreover, the ability of innovators and the private sector to overcome this problem is limited by a lack of transparency and other distortions in current health IT markets.


For these and other reasons discussed in our report, addressing information blocking in a comprehensive manner will require overcoming significant gaps in current knowledge, programs, and authorities. We believe that in addition to the actions above, there are several avenues open to Congress to address information blocking and ensure continued progress towards the nation’s health IT and health care goals.


Information blocking is certainly not the only impediment to an interoperable learning health system. But based on the findings in our report, it is a serious problem—and one that is not being effectively addressed. ONC looks forward to working with Congress, industry, and the health IT community to properly address this problem and ensure continued progress towards achieving the goals of an interoperable learning health system.


ProModel Analytics Solutions's curator insight, April 17, 2015 11:37 AM

Karen DeSalvo-Leads the Office of the National Coordinator for HIT


How cloud computing enables interoperability


CMS has signaled a renewed focus on interoperability, a welcome development for healthcare professionals anxious to more easily exchange insightful data. But there’s still the matter of how well the people involved in various collaborative “Big Data in Healthcare” initiatives operate together.

At some point for most of us in our careers – usually early on – we’ve encountered a project that was initially heralded with a great deal of fanfare, only to ultimately fizzle out after failing to gain enough buy-in. For all the excitement surrounding Big Data projects, many are at similar risk of a premature end if stakeholder concerns aren’t addressed at the outset:

  • Who will host the data?
  • How will data privacy concerns be handled?
  • How have restrictions on data use been addressed?
  • Do existing consents allow for data sharing?
  • Will the data need to be de-identified? If so, using which methodology?
  • Who will be responsible for acquiring, maintaining and distributing it?
  • How will the data be protected as it’s routed to its new home?
  • How well will it be protected in its new home? Who will have access to it?

For this to work, a neutral ground is usually needed, offered by a trusted third party.

The cloud: breaking down barriers to data exchange
In healthcare, massive amounts of data are not stored in pre-defined, structured tables. Instead, they are often composed of text, notes, numbers, images, formulas, dates, and other facts that are inherently unstructured. In fact, certain kinds of data sources are producing data so quickly that there is no time to store it before it needs to be analyzed.

Savvy healthcare executives see Big Data as an opportunity to break down the paradigm of siloed data. They know that isolated data can be inefficient. Yet even while supporting the vision of Big Data, many healthcare leaders are traditionally reluctant to share data outside their own firewalls. Due to competitive considerations and confidentiality risks, there must be a level of trust in the quality and security of the receiving organization’s health data management systems for the data owner to be willing to share it. No one wants to risk a HIPAA privacy or security violation at the hands of another entity.

'Dirty' data can yield hidden treasures
To make an effective Big Data play, data sharing arrangements must be made, data flows defined, data analytics engines and the underlying infrastructure created, and the proper data governance must be agreed upon by all relevant stakeholders. It is at this stage that a trusted third party data warehouse environment is critical for success.

Conventional wisdom leads many to believe that data must be scrubbed, normalized and aggregated into a standard format in order to gain key insights. In fact, for Big Data in Healthcare, the time-tested principle of “garbage in, garbage out” actually may not apply.

Using the right data analytics tools can reveal unexpected insights from unstructured data, or “dirty” data, as some call it.

In addition to enabling insights from disparate data sources, storing and protecting data, data management services are now available that alleviate the need for healthcare organizations to hire additional experts in meaningful use or cloud technology, including:

  • Pulling data from different sources into a single cloud-based repository for collaborative use
  • De-identifying the data and stripping it of identifiable information
  • Data visualization with dashboards and reports
  • Audit trails of who accessed what, when and from where
  • Dynamically scaling the infrastructure as the data volume increases

Cloud for collaborative care
Entities that are members of an accountable care organization or other coordinated care programs also benefit from the neutrality of the cloud for a variety of functions, from the day-to-day, such as claims and billing, to more analytic reporting and collaboration. The cloud provider can host the data along with any other number of data management services that the healthcare organization can’t, or just doesn’t want to take on.

Can you blame them? Healthcare organizations need all of their IT staff on deck for analytics and other data projects. And as we move to a more coordinated and shared model for healthcare, all stakeholders need a neutral and trusted environment that fosters collaboration. And based on the potential for infinite computing power and storage on the cloud, the sky’s the limit for interoperability.



Securely Disposing Medical Practice Equipment


It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members, or donate it to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.



Health System Praises EHR Use After Fire at Paper Record Warehouse


A health system spokesperson touted the use of electronic health records to store duplicate copies of patients' medical files after a seven-alarm fire at a document warehouse in Brooklyn, N.Y., this weekend sent charred papers from several medical institutions blowing through the streets, EHR Intelligence reports.

Fire Details

The CitiStorage warehouse -- located on the East River -- was stacked floor to ceiling with archived records, including those from the New York City Health and Hospitals Corporation and members of the Greater New York Hospital Association. 

The blaze -- the first seven-alarm fire in New York City since 2012 -- required more than 60 units and 275 firefighters to contain.

Fire Commissioner Daniel Nigro said no one was hurt in the fire, and the cause of the fire remains under investigation. Authorities have noted that the building was regularly inspected by fire authorities.

Ian Michaels, a spokesperson for HHC, said, "Fortunately, as an early adopter of electronic medical record systems, HHC keeps vital patient records in electronic form and we do not anticipate this will affect our patient-care operations."

According to AP/CBS New York, the fire could take at least a week to put out.

Privacy Concerns

While electronic data breaches are likely more common than warehouse fires, many observers say they are concerned by the private information that the fire has sent blowing into nearby streets.

According to the New York Times, the scattered papers include:

  • Copies of checks containing bank account numbers;
  • Documents marked "confidential";
  • Health insurance forms with Social Security numbers; and
  • Medical reports containing patient names.

Spencer Bergen, a nearby resident, said in an interview with the Times, "They're like treasure maps, but with people's personal information all over them." He reported finding half-charred scraps of documents several blocks from the warehouse.

The city has deployed disaster recovery contractors to collect the documents.



SPOK Secure Texting App

  • Encrypted messages protect sensitive information
  • Separate inbox on smartphone immediately prioritizes business-related messages
  • Works using cellular and Wi-Fi networks
  • Supports iPhone® and Android® devices to accommodate personal preferences
  • Easy installation via an app download and registration