Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

Epic Belatedly Accepts Reality And Drops Interoperability Fees

Posted on April 21, 2015 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Unbeknownst to me, and perhaps some of you as well, Epic has been charging customers data usage fees for quite some time.  The EMR giant has been quietly dunning users 20 cents for each clinical message sent to a health information exchange and $2.35 for inbound messages from non-Epic users, fees which could surely mount up into the millions if across a substantial health system.  (The messages were delivered through an EMR module known as Care Everywhere.)

And now, Epic chose #HIMSS15 to announce grandly that it was no longer charging users any fees to share clinical data with organizations that don’t use its technology, at least until 2020, according to CEO Judy Faulkner.  In doing so, it has glossed over the fact that these questionable charges existed in the first place, apparently with some success. For an organization which has historically ducked the press routinely, Epic seems to have its eye on the PR ball.

To me, this announcement is troubling in several ways, including the following:

  • Charging fees of this kind smacks of a shakedown.  If a hospital or health system buys Epic, they can’t exactly back out of their hundreds-of-millions-of-dollars investment to ensure they can share data with outside organizations.
  • Forcing providers to pay fees to share data with non-Epic customers penalizes the customers for interoperability problems for which Epic itself is responsible. It may be legal but it sure ain’t kosher.
  • In a world where even existing Epic customers can’t share freely with other Epic customers, the vendor ought to be reinvesting these interoperability fees in making that happen. I see no signs that this is happening.
  • If Epic consciously makes it costly for health systems to share data, it can impact patient care both within and outside, arguably raising costs and increasing the odds of care mistakes. Doing so consciously seems less than ethical. After all, Epic has a 15% to 20% market share in both the hospital and ambulatory enterprise EMR sector, and any move it makes affects millions of patients.

But Epic’s leadership is unrepentant. In fact, it seems that Epic feels it’s being tremendously generous in letting the fees go.  Here’s Eric Helsher, Epic’s vice president of client success, as told to Becker’s Hospital Review: “We felt the fee was small and, in our opinion, fair and one of the least expensive…but it was confusing to our customers.”

Mr. Helsher, I submit that your customers understood the fees just fine, but balked at paying them — and for good reason. At this point in the history of clinical data networking, pay-as-you-go models make no sense, as they impose a large fluctuating expense on organizations already struggling to manage development and implementation costs.

But those of us, like myself, who stand amazed at the degree to which Epic blithely powers through criticism, may see the giant challenged someday. Members of Congress are beginning to “get it” about interoperability, and Epic is in their sights.

The Evolving Security and Privacy Discussion

Posted on April 1, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HIMSS put out the great tweet above. The image itself is worthy of a laugh. Although, only a partial laugh since in healthcare many people don’t understand that a password doesn’t mean it’s encrypted. Plus, that’s just emblematic of how elementary healthcare’s implementation of security is in most healthcare organizations.

Yes, there are the outlier organizations and there are even the outlier security and privacy individuals within a large organization. However, on the whole healthcare is not secure. The hard thing is that it’s not because of bad intentions. Almost everyone I’ve met in healthcare really want to ensure the privacy and security of health information. However, there’s a general lack of understanding of what’s needed.

With that said, I have seen a greater focus on privacy and security in healthcare than I’ve ever seen before. HIMSS featuring so many sessions is just one indicator of that increased interest in the topic. It’s hard to ignore when every other day some major corporation inside and outside of healthcare is getting breached.

One of the biggest security holes in healthcare is business associates. Most don’t have a real understanding of how to be HIPAA compliant and that’s a massive risk for the healthcare organization and the business associate. That’s why I’m excited that people who get it like Mike Semel are offering HIPAA Compliance training for business associates. Doing HIPAA compliance right is not cheap, but it’s cheaper than getting caught in a breach.

Personally, I’ve seen a whole wave of HIPAA compliance products and services coming out. In fact, I’m looking at creating a feature on EMR and HIPAA which lists all of the various companies involved in the space. I’m sure I’ll hear a lot of discussion around this topic at HIMSS.

Health IT Security: What Can the Association for Computing Machinery (ACM) Contribute?

Posted on February 24, 2015 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://radar.oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recentlh peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”
Read more..

The New Congressional Rider: Unique Patient ID Lemonade?

Posted on January 8, 2015 I Written By

When Carl Bergman isn't rooting for the Washington Nationals or searching for a Steeler bar, he’s Managing Partner of EHRSelector.com, a free service for matching users and EHRs. For the last dozen years, he’s concentrated on EHR consulting and writing. He spent the 80s and 90s as an itinerant project manger doing his small part for the dot com bubble. Prior to that, Bergman served a ten year stretch in the District of Columbia government as a policy and fiscal analyst.

Note: Previous versions referred to Rand Paul as the author of the first congressional rider. That was in error. The first rider was authored by then Representative Ron Paul. I regret the error. CB

Last month, I posted that Ron Paul’s gag rule on a national patient identifier was gone. Shortly, thereafter, Brian Ahier noted that the gag rule wasn’t dead. It just used different words. Now, it looks as if we were both right and both wrong. Here’s why. Paul’s rider’s gone, but its replacement, though daunting, isn’t as restrictive.

The gag rules are appropriation bill riders. Paul’s, which began in 1998, was aimed at a HIPAA provision, which called for identifiers for:

…. [E]ach individual, employer, health plan, and health care provider for use in the health care system. 42 US Code Sec. 1320d-2(b)

It prohibited “[P]lanning, testing, piloting, or developing a national identification card.” This was interpreted to prohibit a national patient id.

As I noted in my post, Paul’s language was dropped from the CRomnibus appropriation act. Brian, however, found new, restrictive language in CRomnibus, which says:

Sec. 510. None of the funds made available in this Act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.

Gag Rule’s Replacement Language

Unlike Paul’s absolutist text, the new rider makes Congress the last, biggest step in a formal ID process. The new language lets ID development go ahead, but if HHS wants to adopt a standard, Congress must approve it.

This change creates two potential adoption paths. Along the first, and most obvious, HHS develops a mandatory, national patient ID through Medicare, or the Meaningful Use program, etc., and asks congress’ approval. This would be a long, hard, uphill fight.

The second is voluntary adoption. For example, NIST could develop a voluntary, industry standard. Until now, Paul’s rider stopped this approach.

NIST’s a Consensus Building Not a Rulemaking Agency

NIST’s potential ID role is well within its non regulatory, consensus standards development mandate. It could lead a patient ID building effort with EHR stakeholders. Given the high cost of current patient matching techniques, stakeholders may well welcome a uniform, voluntary standard. That would not solve all interoperability problems, but it would go a long way toward that end.

Congress has loosened its grip on a patient ID, now its up to ONC, NIST, etc., to use this new freedom.

Fitbit Data Being Used In Personal Injury Case

Posted on December 8, 2014 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Lately, there’s been a lot of debate over whether data from wearable health bands is useful to clinicians or only benefits the consumer user. On the one hand, there are those that say that a patient’s medical care could be improved if doctors had data on their activity levels, heart rate, respirations and other standard metrics. Others, meanwhile, suggest that unless it can be integrated into an EMR and made usable, such data is just a distraction from other more important health indicators.

What hasn’t come up in these debates, but might far more frequently in the future,  is the idea that health band data can be used in personal injury cases to show the effects of an accident on a plaintiff. According to Forbes, a law firm in Calgary is working on what may be the first personal injury case to leverage smart band data, in this case activity data from a Fitbit.

The plaintiff, a young woman, was injured in an accident four years ago. While Fitbit hadn’t entered the market yet, her lawyers at McLeod Law believe they can establish the fact that she led an active lifestyle prior to her accident. They’ve now started processing data from her Fitbit to show that her activity levels have fallen under the baseline for someone of her age and profession.

It’s worth noting that rather than using Fitbit data directly, they’re processing it using analytics platform Vivametrica, which uses public research to compare people’s activity data with that of the general population. (Its core business is to analyze data from wearable sensor devices for the assessment of health and wellness.) The plaintiff will share her Fitbit data with Vivametrica for several months to present a rich picture of her activities.

Using even analyzed, processed data generated by a smart band is “unique,” according to her attorneys. “Till now we’ve always had to rely on clinical interpretation,” says Simon Muller of McLeod Law. “Now we’re looking at longer periods of time to the course of the day, and we have hard data.”

But even if the woman wins her case, there could be a downside to this trend. As Forbes notes, insurers will want wearable device data as much as plaintiffs will, and while they can’t force claimants to wear health bands, they can request a court order demanding the data from whoever holds the data. Dr. Rick Hu, co-founder and CEO of Vivametrica, tells Forbes that his company wouldn’t release such data, but doesn’t explain how he will be able to refuse to honor a court-ordered disclosure.

In fact, wearable devices could become a “black box” for the human body, according to Matthew Pearn, an associate lawyer with Canadian claims processing firm Foster & Company. In a piece for an insurance magazine, Pearn points out that it’s not clear, at least in his country, what privacy rights the wearers of health bands maintain over the data they generate once they file a personal injury suit.

Meanwhile, it’s still not clear how HIPAA protections apply to such data in the US. When FierceHealthIT recently spoke with Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, she pointed out that HIPAA only regulates data “in the hands of, with the control of, or within the purview of a medical provider, a health plan or other covered entity under the law.”  In other words, once the wearable data makes it into the doctor’s record, HIPAA protections are in force, but until then they are not.

All told, it’s pretty sobering to consider that millions of consumers are generating wearables data without knowing how vulnerable it is.

Apple’s Security Issues and Their Move into Healthcare

Posted on September 3, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m on the record as being skeptical of Apple’s entrance into healthcare with Apple Health and HealthKit. I just don’t think they’ll dive deep enough into the intricacies of healthcare to really make a difference. They underestimate the complexity.

With that disclosure, I found a number of recent tweets about Apple and healthcare quite interesting. We’ll start first with this tweet that ties the recent nude celebrity photos that were made public after someone hacked the celebrities’ iCloud account together with Apple’s HealthKit release.

For those who don’t follow Apple, they have a big announcement planned for September 9, 2014. Rumors have the new sizes of the iPhone 6 could be announced and the new iWatch (or whatever they finally call it) will be announced alongside the iPhone 6. We’ll see if the announcement also brings more details on Apple Health and HealthKit which has been short on concrete details.

Even if Apple Health and HealthKit aren’t involved in the announcement, every smartwatch I’ve seen has had some health element to it. Plus, we shouldn’t be surprised if the iPhone 6 incorporates health and wellness elements as well. Samsung has already embedded health sensors in the S5. I imagine iPhone will follow suit.

With Apple doing more and more in healthcare, it does bring up some new security and privacy issues for them. In fact, this next tweet highlights one healthcare reaction by Apple that is likely connected with the iCloud security issues mentioned above.

This reminds me of a recent business associate policy I saw from a backup software vendor. They were willing to sign a business associate agreement with a healthcare organization, but only if it was their most expensive product and only if it was used to backup your data to your own cloud or devices. Basically, they just wanted to provide the software and not have to be responsible for the storage and security of the data. Apple is taking a similar approach by not allowing private health data to be stored in iCloud. Makes you wonder if Apple will sign a business associate agreement.

We’ll continue to keep an eye on Apple’s entrance into healthcare. They have a lot to learn about healthcare if they want their work in healthcare to be a success. Security and privacy is just one of those areas.

Interview with Gil Vidals, CEO of VM Racks

Posted on August 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is an interview with Gil Vidals, CEO of VM Racks.
Gil Vidals
Tell us about VM Racks. How did you get started in the hosting business?
We started consumer hosting in 1997. This was simply vanilla hosting with nothing special. As the competition heated up, it became apparent that competing based on price alone was a formula for razor-thin margins, if any profit at all. Instead, finding a bonafide niche with a growing demand seemed like a better path. VM Racks was born to serve such a niche. Taking the hosting experience of over a decade and retooling that towards secure cloud hosting for companies that require HIPAA Compliant hosting was a better business model.

Why did you choose to focus so much effort on HIPAA Compliant hosting?
Cloud hosting is a very competitive market space. Competing on price alone won’t get you anywhere. Instead, VM Racks focuses on providing secure HIPAA Compliant hosting at an affordable price and we win customers with our amazing technical support. We answer the phone when clients call, we include support at no additional cost in all of our plans and we do this at an affordable price. HIPAA clients tell us how important it is to have a higher level of service and we deliver on that with our products and service.

What are some unique things you do to ensure HIPAA Compliant hosting that many other hosting providers don’t?
Typically, HIPAA hosting providers do not offer or sign a Business Associate Agreement (BAA) with their customers because they don’t want to be held liable in case there is a security breach; VM Racks offers and signs BAAs with all of our HIPAA clients. Amongst the competition, VM Racks also has a competitive edge as we offer HIPAA Compliant Hosting services to government agencies from the City, all the way up to the Federal level.

Beyond price, what other things should people consider when looking for a HIPAA Compliant Hosting Provider?
Unfortunately, the marketplace is looking for HIPAA Compliant hosting providers that are accredited as such. Since there is no governing body that issues accreditation, it isn’t possible to provide a certificate that officially signifies that we are a bonafide HIPAA host. This can be confusing to those looking for a legitimate solution. Instead of trying to find a “certified” HIPAA Compliant Hosting Provider (as there is no governing body that issues such an accreditation), those in need of HIPAA Compliant Hosting should look for a company that is responsive and will fulfill their obligations for the sake of security and well-being of the information to be protected. Such methodologies used for this process include (but not limited to): offsite backups, two-factor authentication, log management, vulnerability assessment scanning, web application firewalls (WAF), anti-DDoS protection, network perimeter firewalls, and multi-tenant isolation. In addition, HIPAA organizations should also ensure that their hosting provider maintains the following audits and certifications: SSAE 16 SOC 1 Type 2, SOC 2 Type 2, and SOC 3 Type 2.

Is VM Racks a better solution for smaller healthcare IT startup companies, mid-sized companies or large enterprise hosting solutions?
VM Racks is the hosting company-of-choice for both commercial startup customers as well as multi-level, high-dollar government agencies. For a healthcare startup, our $199/month HIPAA plan is the best in the industry. This pricing model allows new healthcare businesses, who don’t have a huge initial infrastructure investment and are still concerned about being HIPAA compliant, to quickly get off the ground at a reasonable price.

As a leading provider of HIPAA hosting for the Affordable Care Act, we are experienced in Federal, State, and Local hosting solutions. Our government and large enterprise hosting customers are typically looking for well-designed and constructed virtualization solutions.

Why should an organization consider going with a HIPAA Compliant Hosting solution as opposed to “in-house” hosting?
Hosting in-house is generally suited for enterprise-level organizations that already own/lease space from an existing data center. Building cutting edge servers is expensive. From a strategic perspective, it’s usually better for a business to invest in their core competencies and lease the IT infrastructure. We provide the infrastructure they need in the cloud and allow organizations the flexibility to add or remove resources on demand.

What new things are happening with hosting, servers, and data centers that we should keep an eye on?
Virtualization is no longer a “new” technology or unknown territory. It has been vetted and widely accepted for quite some time now. This process has become more readily available with ease-of-use by way of managed services allowing these virtual resources to be quickly adapted and molded to conform to each and every customer. We continue to focus on providing our customers with the latest in cloud infrastructure technology to transform the capabilities of doing business in a virtualized environment.

How To Respond to Data Breaches

Posted on May 19, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

A lot of people have really liked this whitepaper on the 6 Reality Checks of HIPAA compliance. It’s a good download for those concerned about their HIPAA readiness. It will wake you up to the fact that you need to be ready and compliant with HIPAA.

Mac McMillan recently did a great HIPAA compliance interview with me where he said “A little bit of prevention goes a heck of a long way to preventing a bad event.” That’s great advice and if you read this whitepaper I think you’ll be woken up to the need to do a little more than you’re doing today to be HIPAA compliant.

While prevention is better, I was intrigued by this article (annoying registration required) in Health Data Management that talks about what to do in the event of a data breach. I love this quote from Rita Bowen, Senior VP at Healthport, “Breaches are inevitable.” It’s true. Despite your best efforts, breaches happen in every organization large and small.

Rita also points out that the key to a data breach is to have a system in place to “learn what went wrong and fix it.” I’ve always found HIPAA to be pretty generous with mistakes. As the HIPAA name says, it’s more about accountability than anything else. If you’re accountable for the decisions you’re making, then it’s more lenient than a lot of laws out there.

The article also gives three insights worth considering if you experience a data breach:

  • Honesty, the best policy
  • Keep Asking, “What if?”
  • Go the Extra Mile

All of these are great advice. If you go the extra mile and are honest about what happened, then you’ll usually be able to recover from a data breach. If you try and cover it up or hide what happened, then that will often come back to haunt you and damage you much more than if you were just honest and up front about what happened.

Has EHR Become a Bad Brand?

Posted on April 25, 2014 I Written By

When Carl Bergman isn't rooting for the Washington Nationals or searching for a Steeler bar, he’s Managing Partner of EHRSelector.com, a free service for matching users and EHRs. For the last dozen years, he’s concentrated on EHR consulting and writing. He spent the 80s and 90s as an itinerant project manger doing his small part for the dot com bubble. Prior to that, Bergman served a ten year stretch in the District of Columbia government as a policy and fiscal analyst.

The other day, I had lunch at DC’s Soupergirl with the redoubtable Chuck Webster, workflow tool maven and evangelist. We talked a lot and discovered that both of us had a warm spot for the classic neighborhoods near Atlanta’s Piedmont Park. He as a transplant and I as a native.

More to this blog’s point, we discussed the state of EHRs and their numerous problems. Chuck wondered if EHR, per se, had become a bad brand? It’s a good question. Have we seen a once promising technology become, as has managed care, a discredited healthcare systems? It’s an easy case to make for a host of reasons, such as these:

Poor Usability. There are scads of EHRs in the marketplace, but few, if any, have a reputation as being user friendly. Whenever I first talk to an EHR user, I wait a few minutes while they vent about:

  • How they can’t put in or get out what they need to,
  • Their PCs being poorly located, inflexible or the wrong footprint,
  • Data that’s either missing, cut off or hard to find,
  • Logging in repeatedly,
  • Transcribing results from one system to put it in another,
  • Wading through piles of boilerplate, to get what they need etc., etc.
  • Having to cover PCs with sticky note workarounds.

As for patients, my friend Joe, a retired astrophysicist, is typical. He says when his doctor is on her EHR she doesn’t face him. She spends so much time keying, he feels like he’s talking to himself.

Now, it’s not completely fair to blame an EHR for how it’s implemented. The local systems folks get a lot of that blame. However, vendors really have failed to emphasize best practices for placing and using their systems.

Missing Workflows. EHRs, basically, are database systems with a dedicated front end for capturing and retrieving encounters and a back end for reporting. To carry out, their clinical role they have to be flexible enough to adapt to varying circumstances with a minimum of intervention.

For example, when you make an appointment for a colonoscopy, the system should schedule you and the doctor. It should then follow rules that automatically schedule the exam room, equipment, assign an anesthetist, and other necessary personnel, etc.

When you come in, it should bring up your history, give your doctor the right screens for your procedure, and have the correct post op material waiting. General business software workflow engines have done this sort of thing for years, but such functions elude many an EHR. EHRs without needed workflow abilities increase staff times and labor costs. They also mean users miss important opportunities and potential errors increase.

Data Sharing. Moving from paper to electronic records promised to end patient information isolation. Paper and faxed records can only be searched manually. However, with a structured electronic record, redundant entry would be reduced and information retrieval enhanced. Or so the argument went, but it hasn’t worked out that way.

While there are systems, such as the VA, Kaiser and various HIEs that fulfill much of the promise, it is still a potential rather than a reality for most of us. There are two basic reasons for this state of affairs: ONC’s mishandling of interchange requirements and one member of Congress’ misplaced suspicions.

ONC’s Role. ONC’s Meaningful Use program is meant to set basic EHR standards and promote data interchangeability.

When it comes to these goals, MU fell down from the start. MU1 could have been concise requiring an EHR to capture a patient’s demographics, vitals, chief complaint and meds.

Most importantly, MU could have made this information sharable by adopting one of HL7’s data exchange protocols. This would have given us a basic, national EHR system. Instead, MU focused on too many nice to have features, leaving data exchange way down the list.

ONC has tried to correct its data interchange a failing in MU2 to a degree, but it’s not there yet. Here’s what GAO, has to say about ONC’s efforts:

HHS, including CMS and ONC, developed and issued a strategy document in August 2013 that describes how it expects to advance electronic health information exchange. The strategy identifies principles intended to guide future actions to address the key challenges that providers and stakeholders have identified. However, the HHS strategy does not specify any such actions, how any actions should be prioritized, what milestones the actions need to achieve, or when these milestones need to be accomplished. GAO Report-14-242, March 24, 2014. Emphasis added.

Ron Paul. The other important obstacle to interchange came from Congress. When Congress passed HIPAA in 1996, it mandated that HHS develop a national, patient ID. However, in 1998 Ron Paul, (R-TX) deduced that since HHS wanted the ID system, it therefore wanted to put everyone’s medical records in a government database. He saw this as a threat to privacy. He got a rider added to HHS’s budget forbidding it to implement the ID system or even discuss one.

The ban’s remained in succeeding budgets. The rider has created a national medical data firewall for each of us, which hinders all of us. Paul’s gone from Congress, but Congress continues the ban. As Forbes’ Dan Munroe wrote about Paul’s ban:

The health data chaos we have today doesn’t allow for interoperability, portability or mobility. It’s why fax machines remain the ‘lingua franca” of U.S. healthcare. Every healthcare entity in the U.S. sees each patient, event and location as unique to them. For lack of a single identifier, there’s no easy or cost-effective way to coordinate patient care. Emphasis added.

While the lack of a patient ID is not EHRs fault, it noticeably reduces their ability to interchange information. State or other HIE’s are, in effect, workarounds for lack of a uniform ID. This situation adds to the perception of EHRs as unresponsive technology.

Onerous Agreements. As many an EHR buyer has found, vendors see EHRs as a sellers’ market. They use this to write onerous license agreements exempting their products from adhering to standards such as MU or from responsibility for costly errors or omissions.

These agreements not only limit liability, but often silence a buyer’s adverse comments. The effect is to cut buyers from any meaningful recourse. This shortsighted practice adds one more layer to the EHR industry’s image as unresponsive, self serving and defensive.

Whither the Brand?

The question then is are things so bad that EHR needs rebranding? If so, how should this be done by calling EHRs something else, advocating for a different technology, or yet another alternative?

For some brands, a new name along with some smart PR will do. That’s how Coca Cola reversed its New Coke fiasco. EHRs have a tougher problem. EHRs are not a one vendor product. They are a program class. Reforming EHR’s brand will take more than effective PR. It will take pervasive technical and policy changes.

Change From Where?

Change in a major technical field, as in public policy, requires either overcoming or going around inertia, habit, and complacency. EHRs are no exception. Here are some ways change could happen.

External Events. The most likely source of change is a crisis that brings public pressure on both the industry and government. There is noting like a tragedy to grab public attention and move decision makers off the dime. I don’t want it to occur this way, but nothing like a tragedy makes events go into fast forward and move issues from obscure to inevitable. Given EHRs many patient safety problems, this is all too likely an outcome.

ONC Initiative. ONC could step in and help right matters. For example, as I have advocated, ONC could run NIST’s usability protocols for all systems seeking MU certification. It could then publish the test results giving users a needed, common benchmark. This, in turn, could be a major push to get vendors to regard usability, etc., as an important feature.

ONC is not inclined to do this. Instead, it asks vendors to pick one of several versions of user centric technology. As Bennett Lauber, Chief Experience officer of The Usability People recently told HIEWatch:

“Usability certification for meaningful use really isn’t a test the way the rest of the certification process is. (Testers) go out and observe users, and report back to the certifiers,” Lauber reports. “There seem to be different sets of evaluation criteria because ONC has not really defined usability yet….” Emphasis Added.

Recently appointed ONC Coordinator, Dr. Karen Desalvo, unlike her predecessors, has been frank about changing ONC’s course. She’s revamped her advisory committee structure and spoken about going beyond meaningful use to big data.Notably, she understands the need for and the problems of interoperability. However, she’s not offered any changes in standards. ONC is in the best position to implement real standards, but for both political reasons; it’s unlikely to do so.

To chill things politically, vendors only have to find a few Congressmen who’ll, for a well placed contribution, will send ONC vendor drafted letters threatening its appropriation, committee reviews, etc. It can happen otherwise, but as Damon Runyon has said, “The race is not always to the swift, nor the battle to the strong, but that’s the way to bet.”

User Revolt. The most notable user push back to the status quo has involved unilateral EHR vendor agreements.

As Katie Bo Williams of Healthcare Drive (edited by Hospital EMR and EHR’s Anne Zieger) has notably described, major lawsuits are costing some vendors dearly. The industry, however, has yet to set buyer agreement standards that could aid its and EHRs’ reputation.

These lawsuits might chastise vendors, but users will need to become bolder if they want change. EHR vendors have an association to protect their interests. So do hospitals, physicians, practice managers, etc. Users are the one group that’s not represented.

You may belong to this or that product’s user group, but there is no one group that looks after EHR user’s interest. If there were a well organized and led EHR user group that lobbied for better usability, workflow tools and universal data exchange etc., then these issues would become more visible. More importantly, users would be able to demand a place at the table when ONC, etc., makes policy.

Those interested in patient safety, too, are taking some new directions. Recently, ECRI convened the Partnership for Promoting Health IT Patient Safety to promote changes, within “a non punitive environment,” that is, in a collaborative setting among vendors, practioners, safety organizations, etc. While the group has not issued any reports, it offers two hopeful signs.

The group’s advisory panel includes experts, such as, MIT’s Dr. Nancy Leveson, who works in aeronautic and ballistic missile safety systems. The other factor is that the group has consciously sought to give vendors a place where they see the impact their products have on patient safety without the threat of litigation. Whether the group can bring this off and influence the market remains to be seen.

Technical Fix. It’s possible users may decide to fix EHR’s problems themselves. For example, the University of Pittsburgh Medical Center  (UPMC) uses a combination of EPIC, Cerner and its own clinical systems. It wanted to pull patient information into one, comprehensive, easily used profile. To do this, the Center developed a new, tablet front end that overcomes a variety of common EHR problems.

Once a major actor, such as Pitt, shows there is a market, others will explore it. You’ll know it’s a real trend, when a major vendor buys a front end start up and brands it as its own.

Natural Turnover. Finally, John recently raised the question of EHRs’ future in What Software Will Replace EHR? He thinks that change will come organically as more technically robust software pushes out the old.

Slowly replacing current EHRs with new tools is the most likely path. However, a slow path may be the worst outcome. Slow turnover would give us a mixture of even more incompatible systems. This would make the XP installed base problem look simple.

The EHR brand reminds me of a politician with both high positives and negatives. It may be liked by many, however, it also has a lot of baggage. As with a candidate in that position, something will have to change those negatives or it will find itself just an also ran.

Windows XP Is No Longer HIPAA Compliant

Posted on April 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

For those of you who missed it, thousands in healthcare are now out of compliance with HIPAA thanks to Microsoft’s decision to stop supporting Windows XP. I wrote about the details of Windows XP and HIPAA compliance previously. Microsoft stopped supporting the Windows XP operating system on April 8, 2014 and as Mac McMillan says in the linked post, OCR has been clear that unsupported systems are not HIPAA compliant.

I asked Dell if they had any numbers on the number of PCs out there that are still running XP. Here was their response (Note: These are general numbers and not healthcare specific)

The latest data I’ve seen shows that around 20-25% of PCs are still running XP (number vary depending on the publication). But most of those are consumer devices or very small businesses. Larger organizations seem to be complete, on track to completing by April, or have already engaged Dell (or competitor) to migrate them.

Dell also told me that globally, they have helped more than 450 customers (exact count is 471) with Windows 7 migration and automated deployment.

I’m not sure I agree with their assessment that the larger organizations have pretty much all upgraded beyond Windows XP. I agree that they’re more likely to have upgraded, but I’m sure there’s still plenty of Windows XP in large hospital systems across the nation. I’d love to hear from readers to see if they agree or disagree with this assertion.

I’ve heard some people make some cases for why Windows XP might not be considered a HIPAA violation if it was a standalone system that’s not connected to a network or if it was in a highly controlled and constrained use case. Some medical devices that still require Windows XP might force institutions to deal with HIPAA like this. However, I think that’s a risky situation to be in and may or may not pass the audit or other legal challenges.

I think you’re a brave (or stupid if you prefer) soul to still be running Windows XP in healthcare. Certainly there wasn’t a big disaster that occurred on April 8th when Windows XP was no longer supported. However, I’d hate to be your organization if you have Windows XP and get a HIPAA audit.

If you haven’t updated your HIPAA policies lately, you may want to do that along with updating Windows XP. This whitepaper called “HIPAA Compliance: Six Reality Checks” is a good place to start. Remember also that once an auditor finds one violation (like Windows XP), then they start digging for even more. It’s a bit like a shark that smells (or however they sense) blood in the water. They get hungry for more. I don’t know anyone that enjoys a HIPAA auditor, let alone one that really starts digging for problems.