
Windows XP Is No Longer HIPAA Compliant

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any numbers on how many PCs out there are still running XP. Here was their response (note: these are general numbers and not healthcare specific):

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (numbers vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or a competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.

I’ve heard some people make a case for why Windows XP might not be considered a HIPAA violation if it’s a standalone system that’s not connected to a network, or if it’s used in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in, and it may or may not pass an audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.

April 14, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus.

OCR Didn’t Meet HIPAA Security Requirements

Oops — this doesn’t sound good. According to a report from the HHS OIG, the agency’s Office for Civil Rights has failed to meet the requirements for oversight and enforcement of the HIPAA security rule.

The 26-page report spells out several problems with OCR’s enforcement of the security rule, which was expanded by the HITECH Act of 2009 to demand regular audits of covered healthcare organizations and their business associates. The vulnerabilities found leave procedural holes which could harm OCR’s ability to do its job regarding the security rule, the OIG said.

What was OCR failing to do? Well, for one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the audits to ensure their compliance. Another example: OCR’s investigation files didn’t contain the required documentation supporting key decisions made by staff, because the staff didn’t consistently follow the office’s procedures for reviewing case documentation.

What’s more, the OCR apparently hasn’t been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow policies and procedures for properly managing security rule investigations.

The OIG also found that OCR wasn’t complying with federal cybersecurity requirements for its own information systems used to process and store data on investigations. Requirements it was neglecting included getting HHS authorization to operate the system used to oversee and enforce the security rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if the OCR is going to oversee the privacy rule properly, it had better get its own act together.

December 27, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

HIPAA and ICD-10 Courses

One of the really telling things I learned this week as I traveled to the MGMA Annual Conference and then the CHIME Fall Forum was how unprepared organizations are for ICD-10 and HIPAA Omnibus. The stories I heard were amazing, and I’m sure these will be topics I write about much more in the future.

One of the stories I heard was about a medical practice that was asked if they were ready for ICD-10. The practice said that they were ready. Then, they were asked what they’d done to prepare for ICD-10. Their response was that their vendor said that they were ready for ICD-10.

We could really dig into the reasons why that practice might want to verify that their EHR vendor is really ready, but we’ll save that for future posts. What was amazing to me was that this practice thought they didn’t need to do anything to train their doctors and coders on ICD-10 to be ready for the change. They’re in for a rude awakening.

At a minimum, these organizations should look at a course like the Certificate of ICD-10-CM Coding Proficiency (20% discount if you use that link and discount code). The course looks at the key changes in coding with the implementation of ICD-10. Plus, it’s a course that looks to bridge your ICD-9 knowledge to ICD-10. Once you start digging into this content, you realize why your organization had better have some ICD-10 training, or your organization will suffer.

The same applies to HIPAA. So many people don’t realize (or remember) that as part of HIPAA compliance you need to have regular HIPAA training for your staff. This is particularly true with all of the changes that came with HIPAA omnibus. How many in your organization know the details of the changes under HIPAA omnibus?

An online course like the Certified HIPAA Security Professional is a great option since you can work on it when you have time and come back to it later, while helping to protect you against a HIPAA audit. Plus, the course linked above includes a HIPAA “Business Associate Agreement” downloadable template which I’m quite sure many organizations still need. I recently asked a doctor’s office I was working with for their EHR business associate agreement. They told me they didn’t have one (more on that in future posts). Really? Wow!

Certainly each of these courses and trainings takes some commitment to complete. But when your colleagues’ ICD-10 reimbursement becomes an issue or the HIPAA auditor knocks on your door, you’ll sleep much better knowing you’ve made the investment. Those who don’t will likely pay for it later.

October 11, 2013 | Written By John Lynn

CMS Plans To Audit 5 Percent of Meaningful Use Participants

Are you ready to be reviewed? Well, get prepared. As part of its ongoing program of supervision, CMS plans to audit 5 percent of participants in the Meaningful Use program for compliance, according to Modern Healthcare.

Since January, CMS has been auditing program participants that have already received their money, as well as those who have applied to receive incentive payments. Going forward, the two groups will receive about the same level of attention, with a total of 5 percent of program participants ending up getting closer scrutiny from the feds, MH reports.

To date, there haven’t been many adverse findings by CMS, though the agency has discovered a few questionable situations, Robert Anthony, deputy director of the HIT Initiatives Group at CMS, told the magazine. But a few providers are already beginning the appeal process, and several providers may face fraud enforcement investigations, he said.

The bulk of the Meaningful Use reviews will be what the agency dubs “desk audits,” done by the CMS audit contractor Figliozzi and Co., in which information is exchanged electronically. However, a few on-site audits may be conducted as well, Anthony told Modern Healthcare.

To date, among the most common problems CMS has learned about have been provider failures to meet the requirement that they complete a data security risk assessment, a step also required by HIPAA. When the auditors find that a provider hasn’t done the required data security risk assessment, the provider could be referred to the HHS Office for Civil Rights for a HIPAA compliance investigation.

Another issue which has turned up frequently has been a lack of adequate documentation that providers have answered some of the “yes or no” questions which are part of Meaningful Use criteria, such as whether their EMR has been tested for clinical data exchange. In that case, providers must be able to document what happened whether or not the test was successful.

April 29, 2013 | Written By Anne Zieger

Secure Text and Email, Smartphone Physicals, and EMR Documentation – Around Healthcare Scene

There are so many types of mHealth apps and devices out there, it was inevitable that someone would try to have them work together. At TEDMED 2013, Shiv Gaglani and a team of physicians-to-be will be presenting the “smartphone physical.” Are these types of visits closer to becoming a reality than we may have realized?

One of the amazing technologies that has been developed is a smartphone that measures vitals – maybe this will be used in smartphone physicals someday! The Fujitsu smartphone analyzes subtle changes in blood flow and determines vital signs, all from the user taking their photo with the phone’s camera. It goes to show that you don’t necessarily need fancy equipment to have incredible mHealth technology.

While some are concerned about the safety of email and texting for healthcare communication, it’s becoming a way of the future. Companies such as Physia and docBEAT are working specifically to make email and texts more secure. So which one is better? Both have their pros and cons – texting is quick and to the point, while email can take more time. Which would you rather receive?

Most doctors will agree, the current documentation options that EMRs offer are frustrating. There’s just too much clicking. However, the tide is shifting and it is very possible full keyboards will be needed. And the need for point of care EMR documentation will be more necessary than ever before.

With the current budget proposal by President Obama, EMR vendors might be impacted significantly. The ONC is suggesting that health IT vendors pay up to $1 million in fees. With the upcoming expiration of the ONC’s $2 billion appropriation from ARRA, the agency needs some new funds. The fees would also help maintain ONC’s Certified Health IT Product List. Of course, vendors will not be happy to hear this news.

April 14, 2013 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Pay-for-Play Interoperability, Texting in Healthcare, and Health IT Conferences – #HITsm Chat Highlights

Topic One: Is “pay-for-play” interoperability going to derail CommonWell’s goal of building an industry-wide, interoperable framework?

Topic Two: Will texting in health care become a main driver of #patientengagement? Are iOS iMessage texts HIPAA compliant?

Topic Three: Experts claim data breaches are inevitable for health systems. Agree? What can be done NOW to minimize #healthIT security risks?

Topic Four: What’s the next-best #healthIT event/conference you’re attending? Are there other health IT topics that deserve their own event?

April 13, 2013 | Written By Katie Clark

Post-HIMSS13 Discussion — #HITsm Chat Highlights

#HITsm T1: What takeaways from #HIMSS13 can we apply to the challenge of improving #patientengagement?

#HITsm T2. Best chance at driving #interoperability: A vendor initiative like CommonWell or a community initiative like TheCUREProject?
#HITsm T3: The recent eHI report notes that most advanced HIEs get revenue from a single source. How can this model be changed?
#HITsm T4: Now that #HIMSSanity is over, what’s the next major #healthIT conference on your calendar? Why?
March 16, 2013 | Written By Katie Clark

MyPassport, Transcription Costs, and CDC App — Around Healthcare Scene

Hospital EHR and EMR

Hospitals Beware: EMR Copy and Paste Common

EMR templates can be helpful, but they can also make life harder. A recent study found that 82 percent of progress notes by residents had 20 percent or more copied and pasted material. This function is tempting for physicians who need to cut time somewhere, but it’s something that needs to be watched for and prevented.

iPad App Helps Patients Understand Inpatient Care Process

In an effort to eliminate confusion that often comes during an inpatient stay, Boston Children’s Hospital has developed an iPad app. The app, called MyPassport, helps patients understand more about what is going on during their stay. It displays photos of doctors and nurses, others involved in care, as well as lab results that have been condensed to patient-friendly terms.

EMR, EHR, and HIPAA

EHR Benefit — Transcription Costs Savings

This is the next part of the EHR benefits series. Many doctors were thrilled to give up their transcription for an EHR in hopes of saving costs. However, some are feeling that their EHR may not be the best solution after all. Because of this, some are wanting to implement transcription services again. So, for some, eliminating transcription may not have saved as much money as some had hoped.

Mixing Physical, Mental Health Data Lowers Readmissions

Physicians aren’t often given access to the psychiatric records of patients they are treating. However, a study by Johns Hopkins found that perhaps they should be. The study showed that a significant percentage of patients whose physicians had access to both physical and mental health data had a lower readmission rate than those whose mental health records weren’t available.

Smart Phone Healthcare

CDC Launches New Mobile App

The CDC is getting into mHealth with the recent release of its mobile app. The app has many different features, such as health articles, quizzes, and a news room with information on outbreaks and other pertinent information. The app is free and definitely one that should be downloaded if you enjoy hearing about health news.

Google Gets Into Activity Tracking

After the failure of Google Health, Google is making an attempt to get into the activity tracking world. “Google Now” basically turns the phone into a personal tracking device, including for fitness. It isn’t as accurate as some of the more sophisticated tracking devices out there, but it is a lot easier to use because it is embedded into the phone. It may make it easier for people to

January 20, 2013 | Written By Katie Clark

Privacy Group Seeks Rules For Healthcare Clouds

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and compatible with standards required of federal agencies including the HIPAA Security Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the appropriate use, disclosure, and safeguarding of individually identifiable information, which take into account stronger state and federal requirements, Constitutional rights to health information privacy, and the fact that HIPAA is the “floor” for privacy protections and was never intended to replace stronger ethical, or professional standards or “best practices.”

BAA Requirement and Standardization: Consistent with prior OCR guidance, any software company given access to protected health information by a HIPAA-covered entity to perform a service for the covered entity is a business associate. Thus, as OCR representatives have publicly stated on several occasions, a Business Associate Agreement (BAA) is required between a cloud computing provider and any customer entity that uses or discloses protected health information or de-identified health information. It is imperative that these BAA standards promote the protection of privacy and security of health information to ensure public trust in health IT systems and promote quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements. My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared. If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry. Maybe that’s a good thing, but it won’t be a pleasant one for some.

January 4, 2013 | Written By Anne Zieger

The Fiscal Cliff of Primary Care and Jubilee Health Community – Around Healthcare Scene

EMR AND HIPAA

The Fiscal Cliff of Primary Care

Everyone has heard about the Fiscal Cliff that is currently being talked about at the White House, but have you heard about the fiscal cliff of primary care? The Hello Health Blog posted some interesting facts about what they refer to as the fiscal cliff of primary care. At the core of the discussion is whether or not EHR software is a financial win or loss.

Mobile Health Trends and Technology

This post features videos that were taken at the mHealth Summit in Washington D.C. The videos are interviews with various people and describe some of the up and coming mobile health trends and technology. David Collins and Jonathan Dreyer talk about different trends they have seen, and provide a perspective on health applications.

Hospital EMR and EHR

Impossible to Say “Wrong EHR”

The title of this isn’t always true — it is possible for a hospital to have implemented the wrong EHR. However, it’s a hard mistake to admit. Especially with EHRs like Epic, which are highly selective and cost so much money.

Oops! Community Hospitals Unhappy with EMR Purchase

The latest KLAS reports revealed that many community hospitals are disappointed with their EMR, and questioning the purchase. Some of the hospitals are even pulling the systems completely from their practice. This may not be the best solution, but some of these hospitals don’t feel like it is worth the time and effort.

Smart Phone Health Care

Jubilee Health Community and NoMoreClipboard Combine Forces To Help Diabetes Patients

Diabetes is very prevalent in the United States today, and it can be difficult to manage. Jubilee Health Community provided NoMoreClipboard with some of their diabetic patients to help treat and manage their diabetes. After a year, some interesting results were found. In some cases, the health of a patient who actively used the system improved.

December 23, 2012 | Written By Katie Clark