
Fitbit Data Being Used In Personal Injury Case

Posted on December 8, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Lately, there’s been a lot of debate over whether data from wearable health bands is useful to clinicians or only benefits the consumer user. On the one hand, there are those that say that a patient’s medical care could be improved if doctors had data on their activity levels, heart rate, respirations and other standard metrics. Others, meanwhile, suggest that unless it can be integrated into an EMR and made usable, such data is just a distraction from other more important health indicators.

What hasn’t come up in these debates, but might far more frequently in the future, is the idea that health band data can be used in personal injury cases to show the effects of an accident on a plaintiff. According to Forbes, a law firm in Calgary is working on what may be the first personal injury case to leverage smart band data, in this case activity data from a Fitbit.

The plaintiff, a young woman, was injured in an accident four years ago. While Fitbit hadn’t entered the market yet, her lawyers at McLeod Law believe they can establish the fact that she led an active lifestyle prior to her accident. They’ve now started processing data from her Fitbit to show that her activity levels have fallen under the baseline for someone of her age and profession.

It’s worth noting that rather than using Fitbit data directly, they’re processing it using analytics platform Vivametrica, which uses public research to compare people’s activity data with that of the general population. (Its core business is to analyze data from wearable sensor devices for the assessment of health and wellness.) The plaintiff will share her Fitbit data with Vivametrica for several months to present a rich picture of her activities.

Using even analyzed, processed data generated by a smart band is “unique,” according to her attorneys. “Till now we’ve always had to rely on clinical interpretation,” says Simon Muller of McLeod Law. “Now we’re looking at longer periods of time to the course of the day, and we have hard data.”

But even if the woman wins her case, there could be a downside to this trend. As Forbes notes, insurers will want wearable device data as much as plaintiffs will, and while they can’t force claimants to wear health bands, they can request a court order demanding the data from whoever holds it. Dr. Rick Hu, co-founder and CEO of Vivametrica, tells Forbes that his company wouldn’t release such data, but doesn’t explain how he would be able to refuse a court-ordered disclosure.

In fact, wearable devices could become a “black box” for the human body, according to Matthew Pearn, an associate lawyer with Canadian claims processing firm Foster & Company. In a piece for an insurance magazine, Pearn points out that it’s not clear, at least in his country, what privacy rights the wearers of health bands maintain over the data they generate once they file a personal injury suit.

Meanwhile, it’s still not clear how HIPAA protections apply to such data in the US. When FierceHealthIT recently spoke with Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, she pointed out that HIPAA only regulates data “in the hands of, with the control of, or within the purview of a medical provider, a health plan or other covered entity under the law.” In other words, once the wearable data makes it into the doctor’s record, HIPAA protections are in force, but until then they are not.

All told, it’s pretty sobering to consider that millions of consumers are generating wearables data without knowing how vulnerable it is.

Apple’s Security Issues and Their Move into Healthcare

Posted on September 3, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m on the record as being skeptical of Apple’s entrance into healthcare with Apple Health and HealthKit. I just don’t think they’ll dive deep enough into the intricacies of healthcare to really make a difference. They underestimate the complexity.

With that disclosure, I found a number of recent tweets about Apple and healthcare quite interesting. We’ll start first with this tweet that ties the recent nude celebrity photos that were made public after someone hacked the celebrities’ iCloud account together with Apple’s HealthKit release.

For those who don’t follow Apple, they have a big announcement planned for September 9, 2014. Rumors have it that new sizes of the iPhone 6 will be announced and that the new iWatch (or whatever they finally call it) will be announced alongside the iPhone 6. We’ll see if the announcement also brings more details on Apple Health and HealthKit, which have been short on concrete details.

Even if Apple Health and HealthKit aren’t involved in the announcement, every smartwatch I’ve seen has had some health element to it. Plus, we shouldn’t be surprised if the iPhone 6 incorporates health and wellness elements as well. Samsung has already embedded health sensors in the S5. I imagine iPhone will follow suit.

With Apple doing more and more in healthcare, it does bring up some new security and privacy issues for them. In fact, this next tweet highlights one healthcare reaction by Apple that is likely connected with the iCloud security issues mentioned above.

This reminds me of a recent business associate policy I saw from a backup software vendor. They were willing to sign a business associate agreement with a healthcare organization, but only if it was their most expensive product and only if it was used to backup your data to your own cloud or devices. Basically, they just wanted to provide the software and not have to be responsible for the storage and security of the data. Apple is taking a similar approach by not allowing private health data to be stored in iCloud. Makes you wonder if Apple will sign a business associate agreement.

We’ll continue to keep an eye on Apple’s entrance into healthcare. They have a lot to learn about healthcare if they want their work in healthcare to be a success. Security and privacy is just one of those areas.

Interview with Gil Vidals, CEO of VM Racks

Posted on August 14, 2014 | Written By John Lynn

The following is an interview with Gil Vidals, CEO of VM Racks.
Gil Vidals
Tell us about VM Racks. How did you get started in the hosting business?
We started consumer hosting in 1997. This was simply vanilla hosting with nothing special. As the competition heated up, it became apparent that competing based on price alone was a formula for razor-thin margins, if any profit at all. Instead, finding a bona fide niche with a growing demand seemed like a better path. VM Racks was born to serve such a niche. Taking the hosting experience of over a decade and retooling that towards secure cloud hosting for companies that require HIPAA Compliant hosting was a better business model.

Why did you choose to focus so much effort on HIPAA Compliant hosting?
Cloud hosting is a very competitive market space. Competing on price alone won’t get you anywhere. Instead, VM Racks focuses on providing secure HIPAA Compliant hosting at an affordable price and we win customers with our amazing technical support. We answer the phone when clients call, we include support at no additional cost in all of our plans and we do this at an affordable price. HIPAA clients tell us how important it is to have a higher level of service and we deliver on that with our products and service.

What are some unique things you do to ensure HIPAA Compliant hosting that many other hosting providers don’t?
Typically, HIPAA hosting providers do not offer or sign a Business Associate Agreement (BAA) with their customers because they don’t want to be held liable in case there is a security breach; VM Racks offers and signs BAAs with all of our HIPAA clients. Amongst the competition, VM Racks also has a competitive edge as we offer HIPAA Compliant Hosting services to government agencies from the City, all the way up to the Federal level.

Beyond price, what other things should people consider when looking for a HIPAA Compliant Hosting Provider?
Unfortunately, the marketplace is looking for HIPAA Compliant hosting providers that are accredited as such. Since there is no governing body that issues accreditation, it isn’t possible to provide a certificate that officially signifies that we are a bona fide HIPAA host. This can be confusing to those looking for a legitimate solution. Instead of trying to find a “certified” HIPAA Compliant Hosting Provider (as there is no governing body that issues such an accreditation), those in need of HIPAA Compliant Hosting should look for a company that is responsive and will fulfill their obligations for the sake of security and well-being of the information to be protected. Such methodologies used for this process include (but are not limited to): offsite backups, two-factor authentication, log management, vulnerability assessment scanning, web application firewalls (WAF), anti-DDoS protection, network perimeter firewalls, and multi-tenant isolation. In addition, HIPAA organizations should also ensure that their hosting provider maintains the following audits and certifications: SSAE 16 SOC 1 Type 2, SOC 2 Type 2, and SOC 3 Type 2.

Is VM Racks a better solution for smaller healthcare IT startup companies, mid-sized companies or large enterprise hosting solutions?
VM Racks is the hosting company-of-choice for both commercial startup customers as well as multi-level, high-dollar government agencies. For a healthcare startup, our $199/month HIPAA plan is the best in the industry. This pricing model allows new healthcare businesses, who don’t have a huge initial infrastructure investment and are still concerned about being HIPAA compliant, to quickly get off the ground at a reasonable price.

As a leading provider of HIPAA hosting for the Affordable Care Act, we are experienced in Federal, State, and Local hosting solutions. Our government and large enterprise hosting customers are typically looking for well-designed and constructed virtualization solutions.

Why should an organization consider going with a HIPAA Compliant Hosting solution as opposed to “in-house” hosting?
Hosting in-house is generally suited for enterprise-level organizations that already own/lease space from an existing data center. Building cutting edge servers is expensive. From a strategic perspective, it’s usually better for a business to invest in their core competencies and lease the IT infrastructure. We provide the infrastructure they need in the cloud and allow organizations the flexibility to add or remove resources on demand.

What new things are happening with hosting, servers, and data centers that we should keep an eye on?
Virtualization is no longer a “new” technology or unknown territory. It has been vetted and widely accepted for quite some time now. This process has become more readily available with ease-of-use by way of managed services allowing these virtual resources to be quickly adapted and molded to conform to each and every customer. We continue to focus on providing our customers with the latest in cloud infrastructure technology to transform the capabilities of doing business in a virtualized environment.

How To Respond to Data Breaches

Posted on May 19, 2014 | Written By John Lynn

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

Has EHR Become a Bad Brand?

Posted on April 25, 2014 | Written By

When Carl Bergman isn't rooting for the Washington Nationals or searching for a Steeler bar, he’s Managing Partner of EHRSelector.com, a free service for matching users and EHRs. For the last dozen years, he’s concentrated on EHR consulting and writing. He spent the 80s and 90s as an itinerant project manager doing his small part for the dot com bubble. Prior to that, Bergman served a ten year stretch in the District of Columbia government as a policy and fiscal analyst.

The other day, I had lunch at DC’s Soupergirl with the redoubtable Chuck Webster, workflow tool maven and evangelist. We talked a lot and discovered that both of us had a warm spot for the classic neighborhoods near Atlanta’s Piedmont Park. He as a transplant and I as a native.

More to this blog’s point, we discussed the state of EHRs and their numerous problems. Chuck wondered if EHR, per se, had become a bad brand. It’s a good question. Have we seen a once promising technology become, as managed care has, a discredited healthcare system? It’s an easy case to make for a host of reasons, such as these:

Poor Usability. There are scads of EHRs in the marketplace, but few, if any, have a reputation as being user friendly. Whenever I first talk to an EHR user, I wait a few minutes while they vent about:

  • How they can’t put in or get out what they need to,
  • Their PCs being poorly located, inflexible or the wrong footprint,
  • Data that’s either missing, cut off or hard to find,
  • Logging in repeatedly,
  • Transcribing results from one system to put it in another,
  • Wading through piles of boilerplate, to get what they need etc., etc.
  • Having to cover PCs with sticky note workarounds.

As for patients, my friend Joe, a retired astrophysicist, is typical. He says when his doctor is on her EHR she doesn’t face him. She spends so much time keying, he feels like he’s talking to himself.

Now, it’s not completely fair to blame an EHR for how it’s implemented. The local systems folks get a lot of that blame. However, vendors really have failed to emphasize best practices for placing and using their systems.

Missing Workflows. EHRs, basically, are database systems with a dedicated front end for capturing and retrieving encounters and a back end for reporting. To carry out their clinical role, they have to be flexible enough to adapt to varying circumstances with a minimum of intervention.

For example, when you make an appointment for a colonoscopy, the system should schedule you and the doctor. It should then follow rules that automatically schedule the exam room, equipment, assign an anesthetist, and other necessary personnel, etc.

When you come in, it should bring up your history, give your doctor the right screens for your procedure, and have the correct post op material waiting. General business software workflow engines have done this sort of thing for years, but such functions elude many an EHR. EHRs without needed workflow abilities increase staff times and labor costs. They also mean users miss important opportunities and potential errors increase.

Data Sharing. Moving from paper to electronic records promised to end patient information isolation. Paper and faxed records can only be searched manually. However, with a structured electronic record, redundant entry would be reduced and information retrieval enhanced. Or so the argument went, but it hasn’t worked out that way.

While there are systems, such as the VA, Kaiser and various HIEs that fulfill much of the promise, it is still a potential rather than a reality for most of us. There are two basic reasons for this state of affairs: ONC’s mishandling of interchange requirements and one member of Congress’ misplaced suspicions.

ONC’s Role. ONC’s Meaningful Use program is meant to set basic EHR standards and promote data interchangeability.

When it comes to these goals, MU fell down from the start. MU1 could have been concise, requiring an EHR to capture a patient’s demographics, vitals, chief complaint and meds.

Most importantly, MU could have made this information sharable by adopting one of HL7’s data exchange protocols. This would have given us a basic, national EHR system. Instead, MU focused on too many nice to have features, leaving data exchange way down the list.

ONC has tried, to a degree, to correct its data interchange failing in MU2, but it’s not there yet. Here’s what GAO has to say about ONC’s efforts:

HHS, including CMS and ONC, developed and issued a strategy document in August 2013 that describes how it expects to advance electronic health information exchange. The strategy identifies principles intended to guide future actions to address the key challenges that providers and stakeholders have identified. However, the HHS strategy does not specify any such actions, how any actions should be prioritized, what milestones the actions need to achieve, or when these milestones need to be accomplished. GAO Report-14-242, March 24, 2014. Emphasis added.

Ron Paul. The other important obstacle to interchange came from Congress. When Congress passed HIPAA in 1996, it mandated that HHS develop a national patient ID. However, in 1998 Ron Paul (R-TX) deduced that since HHS wanted the ID system, it therefore wanted to put everyone’s medical records in a government database. He saw this as a threat to privacy. He got a rider added to HHS’s budget forbidding it to implement the ID system or even discuss one.

The ban has remained in succeeding budgets. The rider has created a national medical data firewall for each of us, which hinders all of us. Paul’s gone from Congress, but Congress continues the ban. As Forbes’ Dan Munroe wrote about Paul’s ban:

The health data chaos we have today doesn’t allow for interoperability, portability or mobility. It’s why fax machines remain the “lingua franca” of U.S. healthcare. Every healthcare entity in the U.S. sees each patient, event and location as unique to them. For lack of a single identifier, there’s no easy or cost-effective way to coordinate patient care. Emphasis added.

While the lack of a patient ID is not EHRs’ fault, it noticeably reduces their ability to interchange information. State or other HIEs are, in effect, workarounds for the lack of a uniform ID. This situation adds to the perception of EHRs as unresponsive technology.

Onerous Agreements. As many an EHR buyer has found, vendors see EHRs as a sellers’ market. They use this to write onerous license agreements exempting their products from adhering to standards such as MU or from responsibility for costly errors or omissions.

These agreements not only limit liability, but often silence a buyer’s adverse comments. The effect is to cut buyers from any meaningful recourse. This shortsighted practice adds one more layer to the EHR industry’s image as unresponsive, self serving and defensive.

Whither the Brand?

The question then is: are things so bad that EHR needs rebranding? If so, how should this be done: by calling EHRs something else, by advocating for a different technology, or by yet another alternative?

For some brands, a new name along with some smart PR will do. That’s how Coca Cola reversed its New Coke fiasco. EHRs have a tougher problem. EHRs are not a one vendor product. They are a program class. Reforming EHR’s brand will take more than effective PR. It will take pervasive technical and policy changes.

Change From Where?

Change in a major technical field, as in public policy, requires either overcoming or going around inertia, habit, and complacency. EHRs are no exception. Here are some ways change could happen.

External Events. The most likely source of change is a crisis that brings public pressure on both the industry and government. There is nothing like a tragedy to grab public attention and move decision makers off the dime. I don’t want it to occur this way, but nothing like a tragedy makes events go into fast forward and move issues from obscure to inevitable. Given EHRs’ many patient safety problems, this is all too likely an outcome.

ONC Initiative. ONC could step in and help right matters. For example, as I have advocated, ONC could run NIST’s usability protocols for all systems seeking MU certification. It could then publish the test results giving users a needed, common benchmark. This, in turn, could be a major push to get vendors to regard usability, etc., as an important feature.

ONC is not inclined to do this. Instead, it asks vendors to pick one of several versions of user centric technology. As Bennett Lauber, Chief Experience Officer of The Usability People, recently told HIEWatch:

“Usability certification for meaningful use really isn’t a test the way the rest of the certification process is. (Testers) go out and observe users, and report back to the certifiers,” Lauber reports. “There seem to be different sets of evaluation criteria because ONC has not really defined usability yet….” Emphasis added.

Recently appointed ONC Coordinator Dr. Karen DeSalvo, unlike her predecessors, has been frank about changing ONC’s course. She’s revamped her advisory committee structure and spoken about going beyond meaningful use to big data. Notably, she understands the need for and the problems of interoperability. However, she’s not offered any changes in standards. ONC is in the best position to implement real standards, but for political reasons it’s unlikely to do so.

To chill things politically, vendors only have to find a few Congressmen who, for a well placed contribution, will send ONC vendor drafted letters threatening its appropriation, committee reviews, etc. It can happen otherwise, but as Damon Runyon has said, “The race is not always to the swift, nor the battle to the strong, but that’s the way to bet.”

User Revolt. The most notable user push back to the status quo has involved unilateral EHR vendor agreements.

As Katie Bo Williams of Healthcare Drive (edited by Hospital EMR and EHR’s Anne Zieger) has notably described, major lawsuits are costing some vendors dearly. The industry, however, has yet to set buyer agreement standards that could aid its and EHRs’ reputation.

These lawsuits might chastise vendors, but users will need to become bolder if they want change. EHR vendors have an association to protect their interests. So do hospitals, physicians, practice managers, etc. Users are the one group that’s not represented.

You may belong to this or that product’s user group, but there is no one group that looks after EHR users’ interests. If there were a well organized and led EHR user group that lobbied for better usability, workflow tools, universal data exchange, etc., then these issues would become more visible. More importantly, users would be able to demand a place at the table when ONC, etc., makes policy.

Those interested in patient safety, too, are taking some new directions. Recently, ECRI convened the Partnership for Promoting Health IT Patient Safety to promote changes within “a non punitive environment,” that is, in a collaborative setting among vendors, practitioners, safety organizations, etc. While the group has not issued any reports, it offers two hopeful signs.

The group’s advisory panel includes experts such as MIT’s Dr. Nancy Leveson, who works in aeronautic and ballistic missile safety systems. The other factor is that the group has consciously sought to give vendors a place where they can see the impact their products have on patient safety without the threat of litigation. Whether the group can bring this off and influence the market remains to be seen.

Technical Fix. It’s possible users may decide to fix EHRs’ problems themselves. For example, the University of Pittsburgh Medical Center (UPMC) uses a combination of Epic, Cerner and its own clinical systems. It wanted to pull patient information into one comprehensive, easily used profile. To do this, the Center developed a new tablet front end that overcomes a variety of common EHR problems.

Once a major actor, such as Pitt, shows there is a market, others will explore it. You’ll know it’s a real trend, when a major vendor buys a front end start up and brands it as its own.

Natural Turnover. Finally, John recently raised the question of EHRs’ future in What Software Will Replace EHR? He thinks that change will come organically as more technically robust software pushes out the old.

Slowly replacing current EHRs with new tools is the most likely path. However, a slow path may be the worst outcome. Slow turnover would give us a mixture of even more incompatible systems. This would make the XP installed base problem look simple.

The EHR brand reminds me of a politician with both high positives and high negatives. It may be liked by many, but it also has a lot of baggage. As with a candidate in that position, something will have to change those negatives or it will find itself just an also-ran.

Windows XP Is No Longer HIPAA Compliant

Posted on April 14, 2014 | Written By John Lynn

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any figures on the number of PCs out there that are still running XP. Here was their response (Note: These are general numbers and not healthcare specific):

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (numbers vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or a competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.
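Rather than relying on industry-wide estimates, a covered entity can count its own Windows XP hosts. The following is an added example, not code from the original post or from Dell: it queries Active Directory for computer objects that report a Windows XP operating system and separates live machines from stale accounts using the last logon date. It assumes the RSAT ActiveDirectory module is installed, that the caller can read computer objects, and that the 90-day staleness window and report path are placeholders to adjust.

```powershell
# Added example (not from the original post): inventory domain-joined Windows XP hosts
# so a HIPAA covered entity can size its own migration backlog.
# Assumes the RSAT ActiveDirectory module; $StaleDays and $ReportPath are illustrative.

Import-Module ActiveDirectory

$StaleDays  = 90
$ReportPath = "C:\Reports\xp-inventory.csv"   # illustrative path
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# The OperatingSystem attribute is written by the machine itself when it joins or
# logs on, so it is a reasonable first pass. LastLogonDate separates XP hosts that
# are still in use from dead computer objects that only inflate the count.
$XpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Description |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, Description,
        @{ Name = 'Status'; Expression = {
            if ($null -eq $_.LastLogonDate)       { 'NeverLoggedOn' }
            elseif ($_.LastLogonDate -lt $Cutoff) { 'Stale' }
            else                                  { 'Active' }
        } }

# Full list for the migration tracker.
$XpHosts | Sort-Object Status, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Summary for the compliance file: 'Active' hosts need a migration plan or a
# documented, isolated-use exception; 'Stale' and 'NeverLoggedOn' objects should be
# disabled so they stop appearing in the count.
$XpHosts | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Optional spot check of one machine over DCOM (XP does not speak WS-Man), useful
# when the AD attribute is suspected to be wrong. XP reports version 5.1.2600.
# Get-WmiObject -Class Win32_OperatingSystem -ComputerName <hostname> |
#     Select-Object CSName, Caption, Version
```

Machines that are not domain-joined, including the standalone devices discussed below, will not appear in this query; they have to be enumerated from the asset register or a network scan, which is exactly why such exceptions need their own documentation.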

I’ve heard some people make some cases for why Windows XP might not be considered a HIPAA violation if it was a standalone system that’s not connected to a network or if it was in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in and may or may not pass the audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.

OCR Didn’t Meet HIPAA Security Requirements

Posted on December 27, 2013 | Written By Anne Zieger

Oops, this doesn’t sound good. According to a report from the HHS Office of Inspector General (OIG), the department’s Office for Civil Rights (OCR) has failed to meet the requirements for oversight and enforcement of the HIPAA Security Rule.

The 26-page report spells out several problems with OCR’s enforcement of the Security Rule, whose oversight was expanded by the HITECH Act of 2009 to require periodic audits of covered entities and their business associates. The weaknesses found leave procedural holes that could impair OCR’s ability to do its job regarding the Security Rule, the OIG said.

What was OCR failing to do? Well, for one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the audit program required by HITECH. Another example: OCR’s investigation files didn’t contain the required documentation supporting key decisions made by staff, because staff didn’t consistently follow the office’s procedures for reviewing case documentation.

What’s more, OCR apparently hasn’t been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow its policies and procedures for properly managing Security Rule investigations.

The OIG also found that OCR wasn’t complying with federal cybersecurity requirements for its own information systems used to process and store data on investigations. The requirements it was neglecting included obtaining HHS authorization to operate the system it uses to oversee and enforce the Security Rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if OCR is going to oversee the Security Rule properly, it had better get its own act together.

HIPAA and ICD-10 Courses

Posted on October 11, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One of the really telling things I learned this week as I traveled to the MGMA Annual Conference and then the CHIME Fall Forum was how unprepared organizations are for ICD-10 and HIPAA Omnibus. The stories I heard were amazing, and I’m sure these will be topics I write about much more in the future.

One of the stories I heard was about a medical practice that was asked if they were ready for ICD-10. The practice said that they were ready. Then they were asked what they’d done to prepare for ICD-10. Their response was that their vendor had said it was ready for ICD-10.

We could really dig into the reasons why that practice might want to verify that their EHR vendor is really ready, but we’ll save that for future posts. What was amazing to me was that this practice thought they didn’t need to do anything to train their doctors and coders on ICD-10 to be ready for the change. They’re in for a rude awakening.

At a minimum, these organizations should look at a course like the Certificate of ICD-10-CM Coding Proficiency (20% discount if you use that link and discount code). The course looks at the key changes in coding with the implementation of ICD-10. Plus, it’s a course that looks to bridge your ICD-9 knowledge to ICD-10. Once you start digging into this content, you realize why your organization had better have some ICD-10 training, or your organization will suffer.

The same applies to HIPAA. So many people don’t realize (or remember) that as part of HIPAA compliance you need to provide regular HIPAA training for your staff. This is particularly true with all of the changes that came with HIPAA Omnibus. How many in your organization know the details of the changes under HIPAA Omnibus?

An online course like the Certified HIPAA Security Professional is a great option, since you can work on it when you have time and come back to it later, while helping to protect you in a HIPAA audit. Plus, the course linked above includes a downloadable HIPAA “Business Associate Agreement” template, which I’m quite sure many organizations still need. I recently asked a doctor’s office I was working with for their EHR business associate agreement. They told me they didn’t have one (more on that in future posts). Really? Wow!

Certainly each of these courses takes some commitment to complete. But when your colleagues’ ICD-10 reimbursement becomes an issue or the HIPAA auditor knocks on your door, you’ll sleep much better knowing you’ve made the investment. Those who don’t will likely pay for it later.

CMS Plans To Audit 5 Percent of Meaningful Use Participants

Posted on April 29, 2013 | Written By Anne Zieger

Are you ready to be reviewed? Well, get prepared. As part of its ongoing program of supervision, CMS plans to audit 5 percent of participants in the Meaningful Use program for compliance, according to Modern Healthcare.

Since January, CMS has been auditing program participants that have already received their money, as well as those who have applied to receive incentive payments. Going forward, the two groups will receive about the same level of attention, with a total of 5 percent of program participants getting closer scrutiny from the feds, MH reports.

To date, there haven’t been many adverse findings by CMS, though the agency has discovered a few questionable situations, Robert Anthony, deputy director of the HIT Initiatives Group at CMS, told the magazine. But a few providers are already beginning the appeal process, and several providers may face fraud enforcement investigations, he said.

The bulk of the Meaningful Use reviews will be what the agency dubs “desk audits,” done by the CMS audit contractor Figliozzi and Co., in which information is exchanged electronically. However, a few on-site audits may be conducted as well, Anthony told Modern Healthcare.

To date, one of the most common problems CMS has found has been providers’ failure to meet the requirement that they complete a security risk analysis, a step also required by the HIPAA Security Rule. When auditors find that a provider hasn’t done the required risk analysis, the provider can be referred to the HHS Office for Civil Rights for a HIPAA compliance investigation.

Another issue that has turned up frequently has been a lack of adequate documentation supporting providers’ answers to some of the “yes or no” attestation measures in the Meaningful Use criteria, such as whether their EMR has been tested for clinical data exchange. In that case, providers must be able to document what happened, whether or not the test was successful.

Secure Text and Email, Smartphone Physicals, and EMR Documentation – Around Healthcare Scene

Posted on April 14, 2013 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

There are so many types of mHealth apps and devices out there that it was inevitable someone would try to make them work together. At TEDMED 2013, Shiv Gaglani and a team of physicians-to-be will be presenting the “smartphone physical.” Are these types of visits closer to becoming a reality than we may have realized?

One of the amazing technologies that has been developed is a smartphone that measures vitals; maybe this will be used in smartphone physicals someday! The Fujitsu smartphone analyzes subtle changes in blood flow and determines vital signs, all from the user taking their own photo with the phone’s camera. It goes to show that you don’t necessarily need fancy equipment to have incredible mHealth technology.

While some are concerned about the security of email and texting for healthcare communication, it’s becoming the way of the future. Companies such as Physia and docBEAT are working specifically to make email and texts more secure. So which one is better? Both have their pros and cons: texting is quick and to the point, while email can take more time. Which would you rather receive?

Most doctors will agree that the current documentation options EMRs offer are frustrating. There’s just too much clicking. However, the tide is shifting, and it is very possible full keyboards will still be needed. Point-of-care EMR documentation will be more necessary than ever before.

With the current budget proposal by President Obama, EMR vendors might be impacted significantly. The ONC is suggesting that health IT vendors pay up to $1 million in fees. With the upcoming expiration of the ONC’s $2 billion appropriation from ARRA, the agency needs new funds. The fees would also help maintain ONC’s Certified Health IT Product List. Of course, vendors will not be happy to hear this news.