
Getting HITECH: Unraveling the Complexities of Compliance

The following is a guest blog post by Jason Carolan, CTO for ViaWest.

HITECH and HIPAA compliance are incredibly important to the bottom lines of many companies. But what exactly does this compliance entail? In 2009, the HITECH Act (Health Information Technology for Economic and Clinical Health) was passed, expanding the scope of the previous Health Insurance Portability and Accountability Act (HIPAA). HITECH enforces the rules of HIPAA, while invoking stiff fines for non-compliance. Now more than ever before it is absolutely imperative that companies working with healthcare organizations ensure they have all the facts before designing IT solutions. And one of the keys to having all the facts is knowing the core terminology.

A Covered Entity under the HIPAA privacy rule refers to health plan groups, health care clearinghouses and health care providers that transmit health information electronically, including doctors, dentists, chiropractors, insurers, Medicare, medical plans and billing services. These Covered Entities face the additional challenge of managing their Business Associates, revisiting agreements and ensuring that privacy, security, enforcement and breach notification updates are in place in order to meet the requirements of the Final Rule.

A Business Associate (BA) under the HIPAA privacy rule refers to a person or organization that conducts business with a Covered Entity that involves the use, access or disclosure of protected health information (PHI). HITECH also specifies that an organization that provides data transmission of PHI is a BA. Examples of BAs include vendors, subcontractors and IT service providers that provide managed hosting services requiring access, use or disclosure of PHI.

All HIPAA Covered Entities and Business Associates must comply with security controls to safeguard PHI through the following due diligence efforts:

  • Ensure the confidentiality, integrity, and availability of PHI
  • Protect against any reasonably anticipated threats and hazards
  • Protect against reasonably anticipated uses or disclosures of PHI that are not permitted
  • Ensure compliance by its workforce through Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements and Policies and Procedures
  • Document breach notification procedures and the timeliness of breach notification

Covered Entities and Business Associates who have a strong security posture and can prove their due diligence through the establishment and audit of controls and through breach preparedness have a lower risk of fines than those companies that do nothing. Proven due diligence includes:

  • Prioritizing compliance efforts
  • Cultural awareness
  • Implementing security policies
  • Conducting risk assessments
  • Enforcing and validating controls that protect PHI

IT departments are dealing with flat or shrinking budgets. So, with a larger share of the IT budget consumed by compliance, CIOs and CTOs are under pressure from a resource standpoint while their budgets shrink. Failing on compliance can bring stiffer punishments and fines, so more and more companies are looking at outsourcing so that they can share the burden and ensure they aren’t missing important components.

An audit may not be a pleasant experience, but it’s a reality, and being prepared is the key. The right technology provider can help you not just with a compliance checklist, but can take it a step further and provide a comprehensive set of solutions to be “baked in” upfront – minimizing the risk of audit or the “pain” of the audit if you are in the midst of one.

With increased regulation comes increased risk and complexity surrounding HIPAA compliance. Are you confident in your company’s data security?

March 6, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

Will Texans Own Their DNA? Greg Abbott, Candidate for Governor, Thinks They Should

The following is a guest post by Dr. Deborah Peel, Founder of Patient Privacy Rights.

On November 12th, Abbott released his “We the People Plan” for Texas. Clearly he’s heard from Texans who want tough new health data privacy protections.

Topping his list are four terrific privacy recommendations for health and genetic data:

  • “Recognize a property right in one’s own DNA.”
  • “Make state agencies, before selling database information, acquire the consent of any individual whose data is to be released.”
  • “Prohibit data resale and anonymous purchasing by third parties.”
  • “Prohibit the use of cross referencing techniques to identify individuals whose data is used as a larger set of information in an online data base.”

The federal Omnibus Privacy Rule operationalized the technology section of the stimulus bill. It also clarified that state legislatures can pass data privacy laws that are stronger than HIPAA (which is a very weak floor for data protections).

Texans would overwhelmingly support the new state data protection laws Abbott recommends. If elected, hopefully Abbott would also include strong enforcement and penalties for violations. Contracts don’t enforce themselves. External auditing and proof of trustworthy practices should be required.

Is this the beginning of a national trend? I think so. The more people know about today’s health IT, the more they will reject electronic systems and data exchanges designed for the hidden use and sale of sensitive personal health data.

November 26, 2013 | Written By John Lynn

Preventable Issues Arise When Paper Documentation is Used

It’s an unfortunate truth that the health care system is not fool proof, and mistakes happen. Many of these mistakes happen because of paperwork that is lost, unreadable, or misplaced. Even with the implementation of EMRs across the country, many healthcare providers are still relying on paper for many aspects of their practice. Referral MD created an infographic that shows some of the current problems in healthcare related to using paper documents:

Pretty scary, if you ask me. Doctors are notorious for having terrible handwriting, but 7000 patients die a year because of it? And 30 percent of tests have to be reordered because the orders were misplaced? These statistics are startling, in large part because they are preventable. Those are only two of the facts presented in this infographic, and in combination with everything else, it makes me wonder why anyone that has an EMR would still use paper, and why the practices that don’t use EMRs haven’t started. It makes me not want to trust the system even more.

I can see how patients and doctors alike may find it hard to switch over. When I wasn’t given a physical, paper prescription to take to the pharmacy to get my son’s medication, I was a bit taken aback, but it made things so much easier when I actually arrived at the pharmacy. I compare that to the many prescriptions and lab orders I lost during my pregnancy because I set them down and forgot to pick them up again, never to find them again until months later while doing some cleaning. It made me really wish my OB/GYN had electronic documents more incorporated into his practice. I’m curious to see if he has any EMR at all. Since he’s been a doctor for 40+ years, maybe he’s having a hard time making the switch.

It’s one thing if a person dies from a terminal illness, but to pass away because of a preventable mistake is uncalled for. I realize that no one is perfect. Everyone makes mistakes. But when a mistake could mean someone dying, a patient’s information being misused, or a HIPAA violation occurring, something is wrong. Hopefully as EMRs become better and more practices have them, paper documentation will become a thing of the past, and these mistakes, breaches, and all other issues that are related to using paper will go that way as well.

November 5, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

EMR in the Age of Skype

The physician community has something of a split persona. Doctors are probably the only community still dedicated to using pagers to communicate with their offices. And yet, it’s no secret that the medical establishment is among the fastest growing segments of smartphone and tablet users. A widely quoted statistic from Manhattan Research stated that 81 percent of doctors would own a smartphone. Manhattan now states that the 81 percent rate was already reached in 2011, while the average American is at 40 percent adoption, according to Nielsen.

So, the medical establishment is clearly ahead of the curve in some ways.

But you just have to juxtapose pagers and smartphones against each other to understand the real advantages of the smartphone. If you have an iPhone and your doctor has one too, you’re going to probably take it to the next level, right? Yeah, FaceTime. (Surprisingly enough, that’s not what the statistics show. A full 78 percent of respondents said they didn’t want to chat or IM with their doctors, according to this recent article on Technology Review.)

For this kind of face to face interaction to work, it really depends on how good a rapport you have with your doctor, but if there’s a good doctor-patient relationship, you might just consider making the move. Let’s be clear, doctors are not taking to video-conferencing via Skype or Face-Time in droves (or rather, there are no published statistics from the bean-counting firms about the trend), but there are some anecdotal stories on blogs like Dr. Brian Goldman’s on CBC.ca. But it’s interesting to think ahead to how video consultations might change EMR.

The Pros:
Direct connection with your doctor, in an instant: Great for the patient, furthers doctor-patient relationship but could be something of a double-edged sword.
Show, don’t tell: For those times when you don’t know whether a symptom needs an in-office visit, or when you’re not in town and some conferencing magic and ePrescribing can save the day.
No more Lost in Translation: The paging process has that additional office staff layer in between, who convey your message to the doctor. It’s tempting to think that you can axe the middleman with Skype.

The Cons:
Direct connection with your doctor, in an instant: How long before patients are calling at all hours of the night demanding FaceTime? Blackberries and iPhones might simply be another way to tether yourself to your business. (Next time you see 24-7 IT support, know that there is a person somewhere in the world dreading the Blackberry ping.)
Too many interruptions spoil the day: Pagers let the doc put off calling till she’s done with the task at hand, not when the patient demands.
Privacy issues: From an EMR perspective, this is the big kahuna. There are several nuances to consider. The doctor-patient line has to be securely done, with HIPAA in mind. For CYA purposes, video-cons will probably need to be recorded.

Microsoft’s main intent behind its purchase of Skype might be its conferencing features for business, but wouldn’t it be awesome if Skype also showed up in HealthVault (which only has image saving capabilities so far, according to this Q&A on MSDN forums)? Or if any advice dispensed via Skype could be saved into your doc’s EMR system and become part of your health profile. There are several possibilities out there when you throw video into the mix, and they seem quite interesting.

September 12, 2011 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now writes about healthcare, science and technology as well as traditional news features.

Innovation Exchanges for Healthcare Stakeholders and IT Folks

Health IT is revolutionizing healthcare in front of our eyes. Every other day, you hear about yet another device or app that measures various aspects of your health and reports its findings to doctors. Some of the biggest names in the business world have entered the healthcare market or at least experimented with it (sorry, Google Health, better luck next time). Between HITECH, HIPAA and the monetary implications of the Affordable Care Act, there’s a governmental push for HIT as well, which in some ways bestows an immediacy (and dollars) on health IT.

To regular IT people, health IT looks like a great industry to be in. Healthcare is generally considered recession proof, there’s ample opportunity for innovation, and there’s a certain democratization in how health is managed – an iPhone app can do what your optometrist did, and while you’re never going to be able to write yourself a prescription for sunglasses, there’s a lot more you can know about your health compared to 10 years ago.

And yet, here’s the secret. Not many IT folks know how to make the jump to health IT. I get this question all the time: how do *I* make the switch to healthcare IT? To me at least, it looked as if the best thing would be to network with healthcare industry people and figure out a way to segue inwards. Clearly there’s a shortfall of health IT professionals (and there are the paradoxical personal experiences that newly minted health IT certified folks face: not being trained on vendor-specific software is making it difficult to get jobs, but that’s another topic for another day).

That’s why I’m particularly enthused by what’s coming from the Office of the National Coordinator for Health Information Technology (ONC). ONC is spearheading Innovation Exchanges as part of the White House Startup America initiatives. The idea for the exchanges is to bring together healthcare stakeholders with developers and others from the IT world, so they can work together from early stage idea innovation right through to the concrete realization of these ideas.

If you’re someone with a good health IT idea in the proof-of-concept stage, or even someone just breaking into the health IT market, here’s a great chance to test the waters with healthcare people who are just as eager to strike up collaborations with IT folk. Health 2.0 Conferences are scheduled in San Francisco, Indianapolis and the New England area.

September 6, 2011 | Written By Priya Ramachandran

Data Security in the Age of Self-logged Health

Over at EMR and EHR I have a post going about the self-logging trend, in which people log their medical and other observations on a regular basis. I’m fascinated by the trend, but as an IT person, I shudder at the data nightmares this movement will unleash if it becomes widespread.

Quantified Self, a major web hub for self-trackers, has posts on monitoring devices that can measure the vitals of people up to 10 meters away, and microsensor-embedded mindfulness pills that transmit data to your phone when ingested.

So if someone steals my smartphone, does it mean that not only can s/he spam-text all my friends, but s/he can access all my health logs and PHRs that only my HIPAA compliant provider’s office and EMR systems were supposed to get their hands on?

Indeed, a news story in Med City News says that physical theft, not hacking, is the major concern for mobile storage devices. It’s far easier to flick an iPhone lying on somebody’s desk than to devote the brain- or computing power needed to hack into an EHR system from a reputable vendor.

Med City News reports that during the period from 2009-2011, there were 116 cases of data breaches involving at least 500 patient records (breaches that exposed fewer than 500 records were not included). Physical loss of devices accounted for a whopping 60% of security breaches.

As the Med City News piece notes:

HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

Think about how much more this problem could be compounded if health logging becomes the practice du jour.

Bottom line: Self-tracking may yet revolutionize healthcare, but could we as individuals potentially jeopardize our own data security? Possibly. It might be a fad among tech geeks, but it needs some thinking through from an EMR/EHR perspective.

August 29, 2011 | Written By Priya Ramachandran

HIPAA Violations Aren’t Happening in SaaS EHR

Michael Koploy over at Medical Software Advice put together an interesting post that looked at all the HHS breach data. He takes a pretty in-depth look at the various breach incidents that occurred and even does a deep dive into the specific EMR-related HIPAA breaches that are listed. He then forms an interesting conclusion:

HIPAA Violations Aren’t in the Cloud
Some have said that increasing the number of EMRs makes our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by facts. Of course, it remains to be seen if this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.

If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures to ensure patient privacy is a systematic imperative.

I think he makes a good point about it possibly being too early to really know how many cloud based SaaS EHR companies are going to have breaches. I also think it’s fair to consider that when those do happen, they’re going to be big breaches. They won’t just be a few records that are breached, but a whole bunch. Although, this is true for any electronic medical record HIPAA breach as compared with a paper chart HIPAA breach.

The other thing I can’t help but wonder is if there are more breaches with cloud EHR software, but we just don’t know that they’re happening. Although, that goes against the common thinking that EHR software does a much better job of tracking breaches than a paper chart. Your digital fingerprints are all over a digital chart and can be reported on quite easily. It’s a little harder to track the inappropriate fingerprints on a paper chart.

All in all, I’d have to agree with Michael and his assertion that we’re likely to see many fewer EHR breaches from a SaaS or cloud based EHR company than we will see from all the in house EHR software. In an in house system, the EHR company can just blame the clinic for the breach (in most cases). In a SaaS based EHR system, a HIPAA breach would have a much more damaging effect on the future sales of that EHR company. So, they’re more likely to put in the effort needed to avoid such breaches.

June 20, 2011 | Written By John Lynn

HIPAA and Mobile Health Applications

I’m a really big fan of the mobi health news website. They do a really great job covering the mobile healthcare industry. Today someone pointed me to a series of articles they have going right now about HIPAA and mobile health applications.

These articles are being written by Adam H. Greene, JD, MPH, who used to work at HHS and so is intimately familiar with the HIPAA laws. Here are two articles that I’d consider must-reads for those interested in the HIPAA requirements for a mobile health app:

When HIPAA Applies to Mobile Applications
Mobile health: How to comply with HIPAA

The first article asks the question most mobile health developers ask: whether HIPAA even applies to mobile health apps. The second one talks about how to comply if your mobile health app does require HIPAA compliance.

Very important steps if you’re working in the mHealth space.

Of course, if you’re doing a mobile health EMR app, you’re going to have to worry about HIPAA. Although, you should already be quite familiar with that.

June 19, 2011 | Written By John Lynn