In the land of health IT, innovation is power and those who control it are king.
There’s no status quo here. Resting on your laurels, despite all of the industry standardization related to efforts like meaningful use, will get you nowhere.
Several vendors are discovering that just because they’ve had products in the market for 20 or 30 years doesn’t mean they’ll be in play forever. We’re in the health 2.0 era. Heck, we’re in the era where even the federal government has entered the open source environment.
As such, it’s great to see a resource like Rock Health dedicating itself to the health IT entrepreneur. If you haven’t checked it out yet, you need to do yourself a favor and take a few minutes to familiarize yourself with its site. Then, you need to forward some of the information featured there to all of your entrepreneurial friends.
Not to sound like a commercial for the service, but it’s hard not to since some of the things going on here are pretty incredible. Actually, this is the kind of thing that happens in a country like ours when leaders, innovators, entrepreneurs, creative folks, business minds, a little money and some passion mix.
The cocktail that commences is Rock Health.
So, what is Rock Health?
It’s an accelerator exclusively for health start ups providing capital, office space, mentorship and operational support to entrepreneurs working on ideas in health. As a nonprofit, Rock Health looks for product-centric ideas that solve real problems in healthcare; “Products can be in the form of web or mobile apps, services, have a hardware or sensor component, and should be early and pre-VC funding.”
Ideas can be about anything as long as they solve a healthcare problem.
For those start ups bidding to participate in the Rock Health program, the selected start up receives a $100,000 investment offer from a VC group for an ownership of between 5 and 10 percent.
Other great Rock Health offerings (found on its site and free for everyone) include an interactive funding database that provides the public with sources for potential healthcare start up funding; videos that teach the unknowledgeable upstarts almost everything they need to know about topics like marketing, creating boards, accounting, HIPAA, fund raising and dealing with the FDA; healthcare event listings; a great start up handbook that provides legal and financial advice (it’s comprehensive and overwhelmingly impressive); and finally, perhaps my favorite bit of information offered: interesting health facts that once learned will impress everyone, including your closest and most cynical friends.
You get the point.
Rock Health is more than an incubator and a disruptor for health IT — established vendor giants should be concerned about efforts like this — it is the future of innovation in the space, and if you haven’t taken notice, you should.
Crowd funding continues to play big in technology and the star of today continues to be Kickstarter. The site is a funding platform for creative projects including films, games, music, art, design and technology.
According to its site, more than 2.5 million people have pledged more than $350 million to projects posted since 2009 by everyone from company CEOs to hobbyists. Each project is independently created by the person behind it, who has complete control and responsibility over the project.
If people like the project, they can pledge money to make it happen. If the project succeeds in reaching its funding goal, all backers’ credit cards are charged when time expires. If the project falls short, no one is charged. Funding on Kickstarter is all-or-nothing.
In most cases, the majority of funding comes from the fans and friends of each project. If they like it, they’ll spread the word to their friends, and so on.
Given the scope, there’s an obvious need for something similar in the healthcare space. Hence, it’s good to see MedStartr emerge, a new crowd funding site dedicated solely to the healthcare space.
According to MedStartr, it “is a new way to fund healthcare projects, startups and innovations that improve healthcare and help people live longer, better lives.” Like KickStarter, “MedStartr is powered by an all-or-nothing funding method where projects must be fully-funded or no money changes hands. This makes it so you have no obligations either way if critical mass is not achieved to get to your minimum viable product.”
Medstartr encourages users, such as patients, entrepreneurs, physicians, researchers, nonprofits, artists, filmmakers, musicians, designers, writers, performers and others to drive healthcare forward.
Unfortunately, though, it doesn’t appear that much money has changed hands using MedStartr, even though there is a clear need. For example, of the four successful projects featured on the site, one of them is for the launch of MedStartr. The other three only grossed $23,733. That’s a far cry from some of the projects funded on KickStarter, which reach as high as a few million dollars.
Okay, so it’s not important that the funding goals are so far apart. In principle, the two sites are competitors, I guess, but they serve much different audiences for the most part. However, given the continuous chatter about the improved tech tools the healthcare market needs, and that we’re in the age of do-it-yourself, it surprises me that more people, entrepreneurs and so on, are not using the service.
There are a few apps featured there, and some community events (like conferences), but very few systems or technology that can be used to actually enhance or better healthcare for providers or patients. At least to this point, anyway.
It makes me wonder if MedStartr simply needs to conduct a better PR campaign (call me, I’d be glad to help) or if there’s just not an appetite for micro, crowd-funded projects in the healthcare technology space.
There’s a draw, though, and with time there’s a good chance that many good things will come because of the site. Hopefully so. I’d like to see it embraced, and I’d like to see it succeed. If for no other reason than it’s good for all of us, and may be good for our health.
As health IT continues to mature and providers continue to adopt technologies like electronic health records, the data collected from their use in the care setting becomes the most obvious reason so much energy is being put behind getting practices to implement the systems.
Judy Hanover, research director of IDC Health Insights, recently told me, though, that one of the biggest challenges faced by ambulatory and hospital leaders is that the data entering the electronic systems, in most cases, is unstructured, which makes it almost useless from an analytics standpoint.
Without structured data, Hanover said, quantitative analysis across the population can be complicated, and little can be compared to gain an accurate picture of what’s actually taking place in the market. Without structured data, analytics is greatly compromised, and the information gained can only be analyzed from a single, siloed location.
“There must be synergy between the data collected,” Hanover said. “We’re entering the period of structured data where we’re now seeing the benefits of structured data but still need to manage unstructured data.”
In many cases, critical elements of data collected — like medications, vitals, allergies and health condition — are difficult to reconcile between multiple data sources, reducing the quality of the data, she said. Unstructured data proves less useful for tracking care outcomes of a population’s health with traditional analytics.
For example, tax information and census data are collected the same way across their respective spectrums. All of their respective fields are the same and can be measured against each other. This is not the case with the data entering an EHR. Each practice, and even each user of the system, potentially may collect data differently in a manner that’s most comfortable to the person entering the data. And as long as practices continue to forgo establishing official policies for data entry and requiring data to be entered according to a structured model, the quality of the data coming out will be a reflection of the information going in.
Lack of quality going in means lack of quality coming out.
“In many cases, structured data is not as useful for analytics as we’d hoped,” Hanover said. “There are inconsistencies in the fields of data being entered into the systems, and that affects data quality as well as results from analytics.
“As we move into the post EHR era, how we choose to leverage the data collected is what will matter,” she said. “We’ll examine cost outcomes, optimize the setting of care and view the technology’s impact.”
As foundational technology, EHRs are allowing for the creation of meaningful use, but once the reform is fully in place, the shift will focus on analytics, outcomes and benefits of care provided.
Currently, electronic health records define healthcare, but health information exchanges (HIE) will cause a dramatic shift in the market, leading to further automation of the provision of care, and will change how location-based services and clinical decision making are viewed.
Though some practices are clearly leveraging their current data, others are not. For them, EHRs are nothing more than a computer system that replaced their paper records and qualified them for incentives.
In the very near term, the technology will have to do more than simply serve as a repository for information collected; it will become a database of reference material that will have to be drawn upon rather than simply housed.
“Health reform is the end game,” Hanover said. “And there can be no successful reform without EHRs. They are the foundational technology for accountable care.”
The data collected in this manner will lead to a stronger accountable care model, which will once again bring the practice of care in connection with the payment of care.
Evidence-based approaches will continue to dominate care when the data suggests certain protocols require it, which means insurers will feel as though they are working to control costs.
Unfortunately, all of the regulation comes at an obvious cost to the technology and its vendors, said Hanover. EHR innovation continues to suffer with the aggressive push for reform through meaningful use as vendors scramble to keep up with requirements.
“There’s little or no innovation because all of the vendors are being hemmed down by meaningful use and certification requirements,” she said.
Product standardization means there are far fewer products that actually stand out in the market.
More innovation will likely only come following market consolidation in which only the strong will survive. Hanover suggests that in this scenario, survivors will focus on innovative product research and development and will take a leadership role in moving the market forward.
Though vendors will suffer, users of the systems will likely face major setbacks and upheavals as the market shifts and settles. Especially as consolidation occurs and suppliers disappear or change ownership, practices and physicians using these systems face the toughest road, as they’ll be forced to find new solutions to meet their needs, learn the systems and try to get back to where they were in a meaningful way in a relatively short period of time.
Likely, deciding which system to implement may bear just as much weight as deciding how to use it.
Perhaps creating an opportunity is nothing more than observing the details and taking action once one has been identified.
Lack of opportunity, on the other hand, might be the opposite – keeping your head down and barreling through life without taking an adequate measure of the terrain in which you are navigating.
The feds missed an opportunity. During their planning and roll out of meaningful use, in their effort to collect the health data of this country’s population, specialists, in many cases, were not considered as recipients of their meaningful use incentives.
For many specialties, this might not apply. But pediatrics are different entirely. Not so much for the physicians’ sake, but for the patients they serve.
Given the direct marketing plan that the federal government has undertaken with its latest healthcare pet project, Blue Button, I’m surprised by its lack of foresight related to patient involvement to this group when it comes to meaningful use.
As the feds work desperately to change the perception of electronic data collection, and to move the most information into electronic records as possible, one might think the best way to ensure absolute adoption is by requiring the one group of physicians who might be able to affect the longest term change to participate in the incentive program.
Pediatricians, like it or not, have not been given special treatment as far as meaningful use is concerned. They, like another large group of physicians, OBGYNs, are left to fend for themselves. You can read more about OBs and their fierce independence in my recent interview with digiChart’s CEO Phil Suiter. The reason is well known and obvious: these groups of caregivers don’t necessarily rely on the government (Medicare/Medicaid) to keep their doors open.
The nature of pediatric practice is such that Medicare is not a significant part of their practice so meaningful use incentives don’t apply here. Therefore, the only avenue left for pediatrics is the Medicaid option – and it only works for practices that have more than 20 percent of their volume as Medicaid. In most cases, these groups of physicians don’t meet the minimum requirements of serving Medicare and Medicaid recipients to qualify, and, also in most cases, they don’t go out of their way to do so.
Therefore, given the logic that A+B=C, they are not lining up to get their share of the incentive checks.
But, one would think the feds would try to find some way to make an exception for pediatricians to participate in meaningful use without having to meet the minimum requirement that 20 percent of their population participate in Medicare. I’m not trying to re-open an issue that I know has been discussed countless times; I’m trying to make a different point.
That is, given the new push for patient engagement and the social media-like approach being taken through the Blue Button movement, I believe the importance of pediatricians has been overlooked.
Why? Well, it’s obvious to me that to engage a population, it’s best to change the population’s behavior. To do so, you have to catch them young; so young that they never knew a difference otherwise.
For example, children today will never know what life was like prior to the web. They won’t be able to imagine life before mobile devices turned us into an always-on society. There’s a lot they’ll never know.
Thus, if they are exposed to electronic health records in their doctor’s office as they grow up, by the time they reach adulthood, they’ll expect their doctors to use nothing but electronic health records. In fact, they won’t even know what to do with a paper record – how to read and understand it – and, therefore, won’t give their money to doctors without the systems.
It’s really the most direct route to changing a population’s behavior.
Sure, engaging the adult population through a service like Blue Button is important, and will certainly help fill the gap currently experienced in healthcare’s ownership issue, but as we’ve seen in every other area of life, true change won’t come until those who know no other way become the majority.
As the self-proclaimed ONC Blue Button movement gains steam and more members of the public sign up to make sure their data gets downloaded, it seems the Office of the National Coordinator, among others in the fold, has borrowed a marketing campaign from office supply chain Staples.
The “Easy Button” is vernacular for something that gets done at the press of a button, even if said task isn’t necessarily as easy as just pushing a button. Obviously, that’s the point.
Same goes for the Blue Button. From a marketing perspective, the concept is genius. With the simple push of a button, you too (read: “consumer/patient”) can have instant access to every last bit of your medical records and personal health information like never before.
With the campaign just getting started, there are already more than one million people who have signed up for the Blue Button service (sounds sort of like “black tie event” when I read it like this). Eventually, the movement will take hold, no doubt, and the consuming public will be on board like never before. I anticipate Blue Button will grow enormously, similar in nature to the culture that social sites the likes of Facebook and Twitter have become. Not that we’ll sit around sharing our records with those who “like” us or posting comments about each other’s ailments and conditions, but I think people will perceive Blue Button to have the same value.
It’s about access to information – information that until now many people have not realized they owned or had access to – instantly, as long as Blue Button is available to them.
That’s the catch after all, isn’t it? Blue Button has to be available to consumers for them to be able to push that little easy button. Seems like there are only a couple things that might keep someone from it. The most obvious is that a patient’s physician must have a meaningful use EHR in place. Another is that the practice must choose to offer the service.
It goes without saying, then, that consumers without insurance most likely won’t have access to Blue Button as they’ll likely not have access to a regular physician with a certified EHR. The current healthcare reform may change this slightly as more people will be “encouraged” to insure themselves. And, as practices move to EHR, access to Blue Button will increase.
All of these details are beside the point. Right now, it’s about the marketing. Making sure patients know that the health information that is rightfully theirs can be in the palm of their hands as easily as pushing a little button.
As we know, or so we’ve hypothesized, the more you can engage patients in their care, the better care they’ll take of themselves.
And you’ve got to hand it to the ONC. Creating a message that directly engages the public rather than hoping that physicians and their vendors will carry the task is something I have long advocated for.
So getting us, as patient consumers, to engage in and to own our care really took little more effort than developing an app and marketing it directly to the people.
Looks like my suspicions are correct. Most health data breaches are inside jobs. But, what’s surprising, according to a somewhat recent survey from Veriphyr, an access and identity provider, is that the majority of data breaches of medical records are by practice employees.
According to the survey, most of the data breaches of medical records, more than 35 percent, were healthcare employees peeking into the files of their co-workers. Another 27 percent of the breaches reported involved the records of a healthcare employee’s family or friends.
Also gleaned from the survey is that of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breach. Data breaches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.
Some of the report’s key findings include:
Top breaches by type:
Snooping into medical records of fellow employees (35 percent)
Snooping into records of friends and relatives (27 percent)
Loss/theft of physical records (25 percent)
Loss/theft of equipment holding record (20 percent)
When a breach occurred, it was detected in:
One to three days (30 percent)
One week (12 percent)
Two to four weeks (17 percent)
Once a breach was detected, it was resolved in:
One to three days (16 percent)
One week (18 percent)
Two to four weeks (25 percent)
According to Health Data Management, there have been more than 31,000 data breaches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to the magazine, with “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”
Accordingly, one step toward limiting internal data breaches is to continuously educate your employees about the dangers and consequences of mishandling HIPAA-protected data, and in some cases, it may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed to be used in the work setting, you need to establish some rules to protect the data the devices access, and in some cases, you’re going to have to offer support for the devices.
Nevertheless, the information about data breaches is shocking. The number of employees sneaking peeks at patients’ profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.
This line pretty much sums it up: Improve quality of care through electronic health records.
Apparently, it’s a motto of sorts for the New York City Department of Health and Mental Hygiene. Not bad when you think about it. Sort of has an “I-love-health-IT” ring to it.
As cool as the organization’s unofficial motto is, it also features a wealth of great information about the benefits of EHRs, how they can improve healthcare and patient outcomes and steps practice leaders need to take when working to protect the data contained in the records.
As such, NYC’s health department site is filled with great advice for practice administrators on creating proper procedures and practices to maintain data security.
Here’s a nice, 12-step program for you, courtesy of NYC:
1. Continue following the rules and regulations set forth by HIPAA. Do not leave printed patient health information where others have access to it. When scanning information into a patient’s EHR, destroy the paper copy when it is no longer needed. Unlike paper charts, it is easy to see a computer screen from across the room. Computer screens should not be visible from the waiting room, check-in area or any place an unauthorized person may be able to see a patient’s EHR. Install privacy filters on monitors to block anyone from viewing the computer from a side view.
2. Install antivirus, intrusion detection and firewall software.
3. Do not use social security numbers as a unique patient identifier. This is something I’d like to see adopted universally in healthcare. There’s no need for my SSN to be sitting on the top of my new patient forms for all the world to see.
4. Patients have the right to control who sees their information. Whether or not an EHR system is in place, do not share patients’ health information with anyone unless the patient has personally authorized it or such disclosure is authorized by law (e.g., mandated disease reporting). Ensure that employers, marketers and law enforcement or immigration officers do not have access to patient records. If your practice is part of a Health Information Exchange network, patients have the right to choose whether or not they will participate. Patients have the right to revoke their consent for sharing information.
5. Patients should understand their rights to consent, as listed in #4 above.
6. Always log out of the EHR system when leaving the computer. If EHRs are left open on the screen, other people can access and/or modify patient information. This activity will be logged as the user’s and he/she may be held accountable for any privacy violations.
7. Keep all passwords safe and secret. Create a password carefully. Passwords should not be obvious, such as birthdays, pets’ names or favorite sports teams. Think of something that is easy for you to remember, but impossible for anyone else to guess. Never share passwords. If anyone asks a staff member for his/her password, the staff member should report that person immediately to the practice administrator. Passwords should not be posted or written down near the staff members’ desks. Change passwords every three months.
8. Ensure hardware is safe and secure. Portable computers are easy to steal. Computers, servers and other equipment that contain data should be locked in a secure place when not being used.
9. Be careful when accessing EHRs from outside of the office. When opening a patient’s EHR in public, make sure no one can see the computer screen. Only access EHRs from a secure Internet connection.
10. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
11. Keep up with staffing changes. If an employee leaves the practice, change the user’s status to inactive. This means they can no longer sign in with their old password.
12. Review audit trails periodically. Reviewing audit trails can alert practices to potential system abuse or misuse. Some staff members forget to log out of their system, as well as access parts of the EHRs that are beyond their practice function. Audit trails can let practice administrators know when this occurs and take appropriate action.
So, as the old saying goes, “The more you know, the further you’ll go.”
To this point in the meaningful use experiment, Phil Suiter, CEO of digiChart, has had the privilege of sitting at the front of one of healthcare’s greatest movements. From his place, he’s watched the market act and react, and has seen colleagues seek solutions to corner their respective markets all in the name of providing the best service for the most people.
Suiter, however, may have a view of the current health IT landscape like no other. He leads a specialty-only provider of electronic health records and practice management systems: digiChart serves only OBGYNs.
Long before healthcare reform and the thought of meaningful use, digiChart created and built solutions solely for this space, and, unapologetically, will continue to serve the space. Plans for expansion may one day include moving into the pediatrician market, which seems to be a safe bet given the connection between the two specialties, but according to Suiter, that’s not a plan actively being pursued.
What’s interesting about digiChart’s position, as Suiter tells it, is that even though meaningful use is vitally important to digiChart and the company has helped many physicians achieve stage 1, OBGYNs have not voraciously jumped aboard the program.
What this means, he says, is that it’s a clear sign that the OBGYN market continues to live up to its reputation as a fiercely independent group of healthcare providers. Suiter said that only 20 percent of all digiChart’s clients have chosen to pursue meaningful use. Apparently, the other 80 percent have chosen to overlook the federal incentives and go at it alone.
From conversations he’s had with clients, they just are not seeing the benefit of meaningful use, especially given all of the work required when the only benefit is $44,000 over five years.
“At this particular point, they don’t realistically see a flip side in changing. In some practices, some have decided that they are better off without changing,” Suiter said. “Practices have determined that they can survive and be profitable if they are efficient and continue doing what they are doing, especially in the OBGYN space.”
Being profitable means they’ll ultimately forego Medicare patients to avoid the federal penalties levied against them for not meeting meaningful use. In many cases, they don’t see enough Medicare and Medicaid patients to make all the effort worth their while, Suiter said, so the work required simply is not worth the effort.
And, frankly, the question remains: Is the federal money going to still be available as stage 2 progresses? And, what happens in February 2013, should a new administration take office?
Despite the answers to these questions and whatever happens with the election in November, Suiter sees plenty of change ahead for the market. For example, EHR vendor contraction is coming after a period of great anticipation.
He predicts the market will dramatically shrink from more than 400 companies to less than 100, many fewer of them actually viable and sustainable long term.
At the same time, he believes hospitals’ appetite for buying and owning private practices will disintegrate as soon as 12 months from now.
“I think we’ll see a disgorgement of practices by hospital systems within the next 12 to 18 months,” Suiter said, marking the end of a repeat performance last seen in the mid-1990s (1995, ’96 and ’97, he said specifically).
Hospitals have been voraciously trying to align themselves with private practice to capitalize on funds generated from meaningful use; however, they don’t seem capable of effectively managing private practices and their employees as they seem to be able to do with their internal systems and hospital employees, he said.
Private practices are too independent, for the most part, he said; especially, OBGYNs.
The fiercely independent group of physicians might have all the leverage they need to withstand outside pressure for adopting new technologies or changing the way they run their businesses at this point in their careers.
The average physician in the OBGYN space is 62 years old. At this point in their careers, they are not particularly interested in becoming hospital employees, and if they are not interested in pursuing meaningful use, which seems to be the case, they’ll either retire or go their own way.
Clearly, the technology used in healthcare will gain greater acceptance as new doctors enter the space. As colleges begin to implement the systems to train their residents (which they are not readily doing now), perhaps the appetite within the space will change. Clearly, there’s room for more adoption in the market Suiter serves.
But digiChart is positioned well, serving a market that it, and Suiter, understand, and they know their place – as leaders – in it. There are very few vendors that can represent the specialty space well, especially in the land grab market of one-size-fits-all solutions penetrating the market. DigiChart and Suiter seem to understand that sometimes it’s better not to be the jack of all trades, but a master of one.
I had a conversation with a family member today. She’s getting to the point where it’s time to start thinking about taking some precautionary tests to determine whether or not she needs to pursue additional screening for some health issues that have run in her family.
She’s obviously concerned, and scared, to find out the results of what those tests might show. So much so that she might even be able to be convinced not to pursue them.
Let me explain.
We’re in a new age of healthcare. With all the benefits gained because of electronic systems, and all the promises they are supposed to deliver, there are some unintended (perhaps they actually are intended) consequences that we as patients need to consider.
Our health information is now easily tracked. As soon as it enters the electronic record, it’s like it’s gone into the vault. No matter what, it will always be there, like a small deposit into a savings account; earning interest until it needs to be withdrawn.
Obviously, paper records could contain the exact same information as an electronic health record; it’s just that the information is a little less searchable, perhaps a little less likely to be found. Multiple pages from multiple locations sometimes just don’t seem to come together as easily as a record where a couple of buttons can do all of the collating for you.
So, upon requesting some of the tests she thought she needed, my relative’s physician stopped her for a second to caution her. The doc simply said that if she submitted the information into her record it would always be there, like a glaring error, forever, for all the world to see; for insurance to question — as a way to establish a possible prior pre-existing condition.
For fear of being dropped from her insurance in the future or having her claims denied when she needs them paid, my relative decided to forego the tests. She took her doctor’s advice, like she usually does, and cancelled her test request.
Better not to raise any red flags, she decided. Better to practice cautionary care rather than let her insurance carrier be alerted now to something that might be nothing anyway.
See, like it or not, this is the age we’re in. Cost controlling comes down to care control in some cases. Having worked in insurance, I understand how this game is played. In this case, a doctor cautioned against a test, necessary or not, to protect her patient in the long run and to ensure she remained insurable for the short term, at least.
Sadly, though, in the long term, she may lose more sleep over not taking the tests rather than worrying about what might live on in her electronic health record. But that’s the era in which we live and these are now the decisions we must face, like it or not.
Maintaining the security of a practice’s EHR data is probably one of the biggest reasons physicians decide to implement one in the first place. With all of the reported benefits of electronic health records over their paper counterparts, the information kept guarded in your electronic system clearly is more secure, in most cases, than paper.
In addition to being able to securely protect your clinic’s data and patient information, there’s a clear advantage the EHR offers over paper records in that you are able to monitor, track and audit everyone who has ever accessed certain data and viewed specific records within your system.
This feature is especially valuable when you need to track employees who you think may be trying to gain access to information they should not have access to, as was the case recently when a Florida Hospital Celebration Health employee illegally accessed the personal data of multiple patients. According to American Medical News, fortunately for the hospital, through its EHR it employed a tool known as role-based access control, or RBAC.
With RBAC in place, an organization is able to allow system users access to only the information employees need to perform their jobs. Obviously, role-based access control systems can be used in any business setting where leadership determines certain information must be protected, as is the case in healthcare and hospital settings where HIPAA is concerned.
What seems to pique my curiosity the most, though, is just how much data snooping occurs in healthcare settings. I’ve often wondered how much of my personal information, like my social security number, birthday and home address, is exposed to people who really have no business seeing it, and if it’s seen by an inappropriate person, is anything done about it.
As we know, patients worry that their personal health information might not be kept private and secure if stored electronically, and we’re especially concerned about who will have access to our records. There’s nothing truly valuable in the health record other than that which can be used for financial fraud, like social security numbers and my home address.
So, practices should take whatever precautions are needed to protect the data captured in the electronic health record.
The process of protecting my data really begins during the selection and implementation of your EHR, and, according to the New York Department of Health and Mental Hygiene, you should choose a system that has the following security features:
Role-based access control
As stated above, this allows you to define access privileges of each staff person and ensures that only authorized providers can see patients’ health information. Administrative staff should be restricted to basic information such as address, date of birth and other demographic information.
Practice leadership should be the only people who are responsible for establishing the access privileges of staff members.
Audit trails track activities within the EHRs. Documented events in an audit trail include a staff member logging in or out of the system, opening, modifying, creating or deleting a record, scheduling a patient, signing a chart, querying the system or printing personal health information.
Audit trails also document the date and time of an event, where the event occurred and who performed the event. Again, only authorized administrators should have access to read these records. No one, not even the office administrator, should be able to modify or delete audit trails.
EHRs must require a password to access the system. EHRs should be able to support additional passwords or identifiers for each user. The practice administrator should be able to define the rules for password complexity and expiration; for example, the practice may require all users to have passwords with five letters and at least one number, and that staff members change their password every three months.
The system must automatically log out a staff member if they forget to log out or leave the screen inactive for a period of time. The system must also require the user to enter his password to get back into the system. If someone repeatedly tries to enter the wrong password, the system should lock the user out. This keeps people from guessing other users’ passwords.
EHRs should encrypt patient data, which helps to protect data if hardware is stolen or messages are intercepted.
EHRs should have the ability to print, store and display patient consent forms.
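To make the role-based access control and audit trail features above concrete, here is an added example (not code from any EHR product or from the sources cited here) in which every read is checked against the user's role and recorded with who, what, when and where. The role names, field names and the hash-chaining used to make edits and deletions detectable are assumptions chosen for illustration.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed role map: administrative staff see demographics only, providers see more.
ROLE_FIELDS = {
    "front_desk": {"address", "date_of_birth"},
    "physician": {"address", "date_of_birth", "diagnoses", "lab_results"},
}
GENESIS = "0" * 64  # "previous hash" of the very first entry

def _digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail; each entry stores the hash of the entry before it."""
    def __init__(self):
        self._entries = []

    def append(self, user, role, action, record_id, where, allowed):
        entry = {"when": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
                 "action": action, "record": record_id, "where": where, "allowed": allowed,
                 "prev": self._entries[-1]["hash"] if self._entries else GENESIS}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)

    def entries(self):
        return [dict(e) for e in self._entries]  # copies only; no update or delete API

def read_field(trail, user, role, record_id, field, where):
    """RBAC decision for one field; allowed and denied attempts are both logged."""
    allowed = field in ROLE_FIELDS.get(role, set())
    trail.append(user, role, f"read:{field}", record_id, where, allowed)
    return allowed

def verify_chain(entries):
    """Index of the first altered, missing or reordered entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return -1

def denied_by_user(entries):
    """Denied attempts per user: the snooping signal a scheduled audit reviews."""
    return dict(Counter(e["user"] for e in entries if not e["allowed"]))
```

A chain kept only inside the EHR can still be rebuilt by someone with full control of that system, so the latest hash should also be recorded somewhere the EHR's administrators cannot write to.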
All in all, pretty standard information, especially if the EHR you operate performs to industry standards. If you feel the need to contract with an outside vendor for such services, they do exist, are relatively inexpensive and are experts in managing audits and ensuring your data is safe.
Ensure these steps, though, and create an audit schedule so your information and mine remain safe.