EMR and HIPAA

October-23-2014

17:48

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet: there are a lot of challenges when it comes to medical device security. Many devices run no antivirus at all, and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

October-22-2014

14:03

I recently heard Elliot Lewis, Dell’s Chief Security Architect, comment that “The average new viruses per day is about 5-10k appearing new each day.” To be honest, I wasn’t quite sure how to process that volume of viruses. It felt pretty unbelievable to me, even though I figured he was right.

Today, I came across this amazing internet attack map by Norse which illustrates a small portion of the attacks that are happening on the internet in real time. I captured a screenshot of the map below, but you really need to check out the live map to get a feel for how many internet attacks are happening. It’s astounding to watch.

Norse - Internet Attack Map

For those tech nerds out there, here’s the technical description of what’s happening on the map:

Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

It’s worth noting that these are the attacks that are happening, not the ones that succeed. Just because something is getting attacked doesn’t mean that the attack was successful. A large majority of the attacks aren’t successful. However, when the volume of attacks (and that map only shows a small portion of them) is so large, only a small number of them need to succeed to wreak a lot of havoc.

If this type of visualization doesn’t make you stop and worry just a little bit, then you’re not human. There’s a lot of crazy stuff going on out there. It’s actually quite amazing that with all the crazy stuff that’s happening, the internet works as well as it does.

Hopefully this visualization will wake up a few healthcare organizations to be just a little more serious about their IT security.

October-21-2014

15:44

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although, that illustrates how well we’re doing at complying with the HIPAA security rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.

Please note:
* Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
* In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
CMS HIPAA Security Risk Analysis Myths and Facts

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
CMS HIPAA Security Risk Analysis Overview

Have you done your HIPAA Risk Assessment for your organization?

October-20-2014

13:12

Last week I had the chance to attend the Craneware Summit in Las Vegas. It was a really interesting event where I had the chance to meet and talk with a wide variety of people from across the spectrum of healthcare. I love getting these added perspectives.

One of the sessions I attended was an E&M session which provided some really interesting insights into the life of an E&M coder and how they look at things. There’s a lot more to their job, but I tweeted these comments because they made me laugh and illustrated part of the challenge they face in a new EMR world.


I thought these immediate responses to the question were interesting. They came from a crowd of HIM and coding professionals. Overall, they seemed quite supportive of EMR.


Many doctors don’t understand this. That’s why so many coders still have jobs.


Too funny.


Said like a true coder.

October-17-2014

15:05

The people at the online physician community QuantiaMD recently sent me a list of the top 3 “Crazy ICD-10 Codes” that they got from their community. It was quite interesting to learn that when they asked their community for these codes, the request yielded double the participation the company typically sees. No doubt, physicians have glommed on to these funny and crazy ICD-10 codes. I’ll be honest. I’ve gotten plenty of laughs over some of the funny ICD-10 codes as well. Seriously, you can’t make some of this stuff up. Here’s a look at the top 3 crazy ICD-10 codes they received (and some awesome color commentary from the nominators):

1. W16.221 – Fall into bucket of water, causing drowning and submersion. I didn’t realize mopping the floor was so dangerous!
2. Z63.1 – Problems in relationship with in-laws. Really, who does not?
3. V9733xD – Sucked into jet engine, subsequent encounter. Oops I did it again.

While these codes are amazing and in many respects ridiculous, they’re so over the top that they’ve branded ICD-10 as a complete joke. For every legitimate story about the value of ICD-10 there have probably been 10 stories talking about the funny and crazy ICD-10 codes. You can imagine which story goes viral. Are you going to share the story that talks about improvement in patient care or the one that makes you laugh? How come the story about there being no ICD-9 code for Ebola hasn’t gone viral (yes, ICD-10 has a code for Ebola)?

Unfortunately, I don’t think the proponents of ICD-10 have done a great job making sure that the dialog on the benefits of ICD-10 is out there as well. Yes, it’s an uphill battle, but most things of worth require a fight and can easily get drowned out by humor and minutiae if you give up. If ICD-10 really is that valuable, then it’s well worth the fight.

My fear is that it might be too late for ICD-10. Changing the ICD-10 brand, now that it has been labeled a joke, is going to be nearly impossible. However, there are some key people on the side of ICD-10. CMS for starters. If you can get the law passed, then the ICD-10 branding won’t matter.

One thing I do know is that doing nothing means we’ll get more and more articles about funny ICD-10 codes and little coverage of why ICD-10 needs to be implemented. I encourage those who see the value in ICD-10 to make sure they’re telling that part of the story. If you don’t have your own platform to share that part of the story, I’ll be happy to offer mine. Just drop me a note on my contact us page.

Blog url: 
http://www.emrandhipaa.com/