EMR and HIPAA

December-17-2014

9:58

The following is a guest blog post by Carrie Yasemin Paykoc, Senior Instructional Designer / Research Analyst at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
With 2014 coming to a close, there is a natural tendency to reflect on the accomplishments of the year. We gauge our annual successes through comparison with expected outcomes, industry standards, and satisfaction with the work done. To continue momentum and improve outcomes in the coming years, we look for fresh ideas. For example, healthcare organizations can compare their efforts with similar types of organizations both locally and abroad. In the United States, looking beyond our existing borders toward the international community can provide valuable insight. Many other nations, such as the UK, are further down the path of providing national healthcare and adopting electronic health records. In fact, the National Health Service (NHS) of the UK has started plans to allow access to Electronic Health Records (EHR) on smartphones through approved health apps. Although healthcare industry standards appear to be in constant flux, these valuable international lessons can help local healthcare leaders develop strategies for 2015 and beyond.

By the year 2024, the Office of the National Coordinator (ONC) aims to improve population health through the interoperable exchange of health information, and the utilization of research and evidence-based medicine. These bold and inspiring goals are outlined in their 10 Year Vision to Achieve Interoperable Health IT Infrastructure, also known as ONC’s interoperability road map. This document provides initial guidance on how the US will lay the foundation for EHR adoption and interoperable Healthcare Information Technology (HIT) systems. ONC has also issued the Federal Health IT Strategic Plan 2015-2020. This strategy aims to improve national interoperability, patient engagement, and expansion of IT into long-term care and mental health. Achieving these audacious goals seems quite challenging, but it is a necessary step in improving population health.

EHR Adoption in UK
The US is not alone in its EHR adoption and interoperability goals. Many nations in our international community are years ahead of the US in terms of EHR implementation and utilization. Just across the Atlantic Ocean, the United Kingdom has already begun addressing opportunities and challenges with EHR adoption and interoperability. In their latest proposal, the NHS has outlined their future vision for personalized health care in 2020. This proposal discusses the UK’s strategy for integrating HIT systems into a national system in a meaningful way. This language is quite similar to Meaningful Use and ONC’s interoperability roadmap in the United States. With such HIT parallels, much could be learned from the UK as the US progresses toward interoperability.

The UK began its national EHR journey in the 1990s by incentivizing the implementation of EHR systems. Although approximately 96 percent of all general provider practices use EHRs in the UK, only a small percentage of practices have adopted their systems. Clinicians in the UK are slow to share records electronically with patients or with their nation’s central database, the Spine.

Collaborative Approach
In its Five Year Forward View, the NHS attempts to address these issues and provide guidance on how health organizations can achieve EHR adoption with constrained resources. One of the strongest themes in the address is the need for a collaborative approach. The EHRs in the UK were procured centrally as part of their initial national IT strategy. Despite the variety of HIT systems, this top-down approach caused some resentment among the local regions and clinics. So although these HIT systems are implemented, clinicians have been slow to adopt the systems to their full potential. (Sarah P Slight, et al. (2014). A qualitative study to identify the cost categories associated with electronic health record implementation in the UK. JAMIA, 21:e226-e231) To overcome this resistance, the NHS must follow their recommendations and work collaboratively with clinical leadership at the local level to empower technology adoption and ownership. Overcoming resistance to change takes time, especially on such a large national scale.

Standard Education Approach
Before the UK can achieve adoption and interoperability, standardization must occur. Variation in system use and associated quality outcomes can cause further issues. EHR selection was largely controlled by the government, whereas local regions and clinics took varied approaches to implementing and educating their staff. “Letting a thousand flowers bloom” is often the analogy used when referring to the UK’s initial EHR strategy. Each hospital and clinic had the autonomy to decide on its own training strategy, which consisted of one-on-one training, classroom training, mass training, or a combination of training methods. They struggled to back-fill positions to allow clinicians time to learn the new system. This process was also expensive. At one hospital, £750 000 (over $1.1 million US) was spent to back-fill clinical staff to allow for attendance at training sessions. This expensive and varied approach to training makes it difficult to ensure proficient system use, end-user knowledge and confidence, and consistent data entry. In the US we also must address issues of consistency in our training to increase end-user proficiency levels. Otherwise the data being entered and shared is of little value.

One way to ensure consistent training and education is to develop a role-based education plan that provides only the details that clinicians need to know to perform their workflow. This strategy is more cost-effective and quickly builds end-user knowledge and confidence. In turn, as end-user knowledge and confidence builds, end users are more likely to adopt new technologies. Additionally, as staff and systems change, plans must address how to re-engage and educate clinicians on the latest workflows and templates to ensure standardized data entry. If the goal is to connect and share health information (interoperability), clinicians must follow best-practice workflows in order to capture consistent data.  One way to bridge this gap is through standardized role-based education.

Conclusion
Whether in the US or UK, adopting HIT systems requires a comprehensive IT strategy that includes engaged leadership, qualitative and quantitative metrics, education and training, and a commitment to sustain the overall effort. Although the structures of the health care systems in the US and UK are different, many lessons can be learned and shared about implementing and adopting HIT systems. The US can further research benefits and challenges associated with the Spine, the UK’s central database, as the country moves toward interoperability. The UK, in turn, can learn from education and change management approaches utilized in US healthcare organizations with higher levels of EHR adoption. Regardless of the continent, improving population health by harnessing available technologies is the ultimate goal of health IT. As 2015 and beyond approaches, collaborate with your stakeholders both locally and abroad to obtain fresh ideas and ensure your healthcare organization moves toward EHR adoption.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

December-16-2014

12:56

Each year Google releases its top trending searches in the US and the world. This list isn’t the most frequently searched terms (according to Google the most popular searches don’t change) but is a year versus year comparison of what terms were trending in 2014.

US Trending Searches:
Robin Williams
World Cup
Ebola
Malaysia Airlines
Flappy Bird
ALS Ice Bucket Challenge
ISIS
Ferguson
Frozen
Ukraine

Global Trending Searches:
Robin Williams
World Cup
Ebola
Malaysia Airlines
ALS Ice Bucket Challenge
Flappy Bird
Conchita Wurst
ISIS
Frozen
Sochi Olympics

Pretty interesting look into 2014. Also amazing that a mobile app (Flappy Bird) made the list for the first time. There are two healthcare terms: Ebola and ALS Ice Bucket Challenge. I wondered what this list would look like for healthcare IT. So, I decided to take a guess at what I think would be the trending healthcare IT terms of 2014:

ICD-10 Delay
EHR Penalties
Wearables
Meaningful Use Stage 2
Epic
Obamacare
FHIR
Cerner-Siemens
HIPAA Breaches
Patient Engagement

What do you think of the list? Would you order it differently? Are there terms you think should be on the list?

December-15-2014

14:07

If you’re like me and at some point gave your email to Healthcare.gov, then you’ve probably been getting the daily reminders this past week about December 15th being the last day you can sign up on the Health Insurance Exchange if you want to get health insurance coverage starting January 1st. I wish they would have made the email system a little smarter and let us click a button that said “Already got my insurance this year.” Although, I appreciate that they’re just trying to make sure that everyone knows the timelines.

Based on the news coverage (or lack thereof), it seems that Healthcare.gov has survived without any major issues this year. One thing that has annoyed me about the emails is they keep telling me how many people’s health insurance is getting subsidized on the exchanges. It seems that about 8 out of 10 people who get insurance from the exchange are getting a government subsidy.

I guess that means I’m in the 20%. Maybe their marketing is working great for those who can get the subsidy. However, it has the opposite impact on someone who doesn’t get the government subsidy. In fact, my insurance costs have nearly doubled since pre-Obamacare days.

Turns out that because I wasn’t getting any government subsidies for my insurance, it was better for me to just go direct to the insurance company. That’s what I did and the process was super simple. In fact, I signed up for a plan that included ZDoggMD’s Turntable Health. I’m especially excited to do e-Visits and text message my doctor as needed. Plus, I’m going to have to see about tapping into the free yoga classes and demonstration kitchen. You can be sure I’ll be writing more about this in the future.

I found this piece from HIStalk to be quite interesting:

A Kaiser Health News story called “Federal defense contractors find a new profitable business: Obamacare” notes that HHS’s business purchases doubled to $21 billion in the last decade and are rising, making it the #3 contracting agency, beating out NASA, Homeland Security, and the combined spending of Departments of Justice, Transportation, Treasury, and Agriculture.

Sorry if this post was a bit of a rambling rant. I just saw the deadline and needed to get it out of my system. I think the next 5 years we’re going to see a dramatic change in healthcare as we know it. As a blogger, that means I’ll have plenty to write about. As a patient, I have some cause for concern.

December-12-2014

14:01

In a recent HIPAA compliance survey of 1,000 medical practices and 150 medical billing companies, NueMD found some really startling results about medical practices’ understanding and compliance with HIPAA. You can see their research methodology here and the full HIPAA Compliance survey results.

This is the most in-depth HIPAA survey I’ve ever seen. NueMD and their partners Porter Research and The Daniel Brown Law Group did an amazing job putting together this survey and asking some very important questions. The full results take a while to consume, but here are some summary findings from the survey:

  • Only 32 percent of medical practices knew the HIPAA audits were taking place
  • 35 percent of respondents said their business had conducted a HIPAA risk analysis
  • 34 percent of owners, managers, and administrators reported they were “very confident” their electronic devices containing PHI were HIPAA compliant
  • 24 percent of owners, managers, and administrators at medical practices reported they’ve evaluated all of their Business Associate Agreements
  • 56 percent of office staff and non-owner care providers at practices said they have received HIPAA training within the last year

The most shocking number for me is that only 35% of respondents had conducted a HIPAA risk analysis. That means that 65% of practices are in violation of HIPAA. Yes, a HIPAA risk analysis isn’t just a requirement for meaningful use, but was and always has been a part of HIPAA as well. Putting the HIPAA risk assessment in meaningful use was just a way for HHS to try and get more medical practices to comply with HIPAA. I can’t imagine what the above number would have been before meaningful use.

These numbers explain why our post yesterday about HIPAA penalties for unpatched and unsupported software is likely just a preview of coming attractions. I wonder how many more penalties it will take for practices to finally start taking the HIPAA risk assessment seriously.

Thanks NueMD for doing this HIPAA survey. I’m sure I’ll be digging through your full survey results as part of future posts. You’ve created a real treasure trove of HIPAA compliance data.

December-11-2014

15:50

Anchorage Community Mental Health Services, Inc, has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation since Windows stopped providing updates to it on April 8, 2014. Thankfully, it was one of our most read posts with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling and he also points out that Microsoft Office 2003 and Microsoft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsupported and unpatched software, Mike Semel offers some great advice for Firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $150,000 Anchorage Community Mental Health Services HIPAA penalty and a $400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

Blog url: 
http://www.emrandhipaa.com/
