The recent theft of 4.5 million medical records by Chinese hackers coupled with the news that as-yet unidentified hackers were able to penetrate the U.S. government’s health care portal have ignited consumer concerns about the safety of health care records – and rightly so. No patient should have to worry that his or her protected health information (PHI) may fall into the hands of thieves.
The medical industry experiences more security breaches than any other U.S. industry today, which undermines public confidence in electronic health records and in the industry at large. Last year alone, more than 7 million patient health records were breached, up 138 percent over the previous year, according to a February report by IT security consultant Redspin. Theft or loss of unencrypted portable computing devices (e.g., laptops) or digital media containing PHI was the leading cause of PHI data breaches, accounting for 83 percent of records breached. This is a largely avoidable category: PHI that is encrypted to the standard in HHS guidance is not considered "unsecured" under the breach notification rule, so the loss of a properly encrypted device is not a reportable breach. Unauthorized access and hacking incidents accounted for less than 7 percent of records breached.
It's reassuring to see the industry break new ground in studying security flaws and addressing vulnerabilities. For example, the Health Information Trust Alliance (HITRUST) teamed with the Department of Health and Human Services (DHHS) last spring to lead CyberRX, a series of no-cost, industry-wide exercises designed to simulate cyber attacks on participating health care organizations and help them identify weaknesses in preparedness. Two important findings emerged:
Organizations that participate in cyber exercises are better prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
More preparation exercises like CyberRX would benefit health organizations by helping them to evaluate their programs, refine policies and procedures, and develop and implement effective communications among internal departments, the industry at large, and government.
HIMSS released the following infographic that summarizes the findings of 25 years of health IT from its annual leadership surveys. It's a pretty good depiction of how health IT has changed in the last quarter century. Looking back on the past twenty-five years in healthcare, some things are fairly interesting. For example, physicians in 1993 said they would not adopt such systems in their practices until they became easier to use. The sentiment still remains, to a certain degree, especially in regard to systems like electronic health records.
Another interesting factoid is that in 1994, 14 percent predicted that digital patient information would be shared nationwide within one to three years.
Finally, the number of health IT priorities that have changed in the course of the last 25 years is either alarming or inspiring, depending on how you view the level of change in the space and how quickly things continue to change. However, the number of changes and their frequency remind me of a dog on a trail stalking down one scent after another without a real sense of purpose – Y2K, HIPAA, patient safety, reducing medical errors, financial survival, meaningful use, etc.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked "are you concerned about the security and privacy of your electronic patient health records," and 40 percent said they were. Slightly more, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the "concerned or not?" question breaks down as 48 percent Yes versus 50 percent No, a statistical tie.
Lance Speck, general manager of Actian cloud and healthcare, speaks here about healthcare big data and how it can be used in healthcare to improve processes from care coordination to coding for ICD-10. In his day job, he is focused on delivering healthcare solutions to help payers and providers address an estimated $450 billion annual opportunity created through data analytics, ranging from fraud analytics to patient re-admission reduction to staff optimization to accountable care reporting and clinical auto-coding. For more than 20 years, Lance has served in a variety of management, sales and product roles in the software industry including a decade focused on SaaS, cloud and healthcare.
How can big data analytics improve patient care?
According to a recent PwC survey, 95 percent of healthcare CEOs are exploring better ways of using and managing big data; however, only 36 percent have made any headway in getting to grips with big data. All agree that big data analytics has the potential to improve the quality and cost of care, but many are still struggling with finding the right ways to infuse analytics into everyday operations. Assuming they realize that they already have access to the data, what do they do with it? What are the areas that will have the biggest impact? Where do they start?
Start with the basics. Organizations should focus on infusing big data analytics where a big impact can be recognized. They should ask themselves:
Is there enough value in solving the problem?
Can the problem be predicted?
Can the problem be prevented?
Can the predictive action be delivered accurately, and in a timely fashion to make a difference?
Very early in the process, organizations should address how they plan to incorporate big data into the everyday workflow of clinicians, financial staff and other healthcare stakeholders, so that organizations can:
Use predictive analytics against historical and external data to anticipate patient occupancy needs to adjust staffing levels to have the right care available at the right time.
Use science to determine with accuracy health trends in specific communities and take action to prevent costly
Determine patients’ risk of readmission before they are discharged to improve patient outcomes and reduce costs and penalties by nearly $70 billion.
Realize that for this insight to be effective, you must put this information into the hands of the clinicians and the patients in the format that fits their daily flow.
How can healthcare providers transition to ICD-10 as simply as possible?
Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.
Neither HIPAA standards nor encryption were created with the purpose of lowering the cost of healthcare, but neither was penicillin originally intended as an antibiotic. Both are welcome side effects in the world of medicine.
Cloud Computing and Healthcare
Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely and shareability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.
It eliminates the need for healthcare organizations to purchase, maintain, upgrade, and replace costly computing equipment, and to staff those functions.
It saves costs of multiple providers running multiple tests by enabling them to share and track the results.
It saves time and money by enabling paperless transmission of prescriptions and insurance claims. It also increases the accuracy of reimbursement coding.
Note that neither the HIPAA Omnibus Rule nor the American Recovery and Reinvestment Act (ARRA) requires anyone to move patient records to the cloud as such. What ARRA's HITECH provisions do require is the adoption and meaningful use of certified electronic health record technology (EMR and EHR): beginning in 2015, eligible professionals and hospitals that do not demonstrate meaningful use face Medicare payment reductions. Cloud-hosted EHRs are one way, not the mandated way, to meet that requirement.
Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.
The health information technology (HIT) industry is on the verge of a dramatic transformation. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to reduce the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches of electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations, both public and private, and result in millions of dollars in fines and losses.
As the use of HIT systems increases within the healthcare industry, hospitals and private-practice providers are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transfer of protected health information from a local system's network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute whether public cloud computing can satisfy specific requirements of HIPAA.
Provided the provisions mandated by HIPAA are met, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of the patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.
Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than 70 million in the last two years. Anderson projects an estimated 20 percent annual increase in software application sales during the next five years.
Healthcare providers have suggested that significant benefits could occur for patients using mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable for a reasonable fee. Last year, healthcare providers used health software applications to obtain diagnostic test results, send alerts for patients to self-medicate, track and monitor levels of chronic pain, and store vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.
Tina Greene, Senior Regulatory Affairs Consultant, Casualty Solutions Group, Regulatory Affairs and Compliance at Mitchell International.
The Administrative Simplification provisions of the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) include requirements that national standards for electronic health care transactions be established. These standards were adopted to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.
The final rule recognizes that:
“Non-HIPAA entities such as workers’ compensation programs and property and casualty insurance accept electronic healthcare transactions from providers, however, the Congress did not include these programs in the definition of a health plan under section 1171 of the Act.
The statutory definition of a health plan does not specifically include workers’ compensation programs, property and casualty programs, or disability insurance programs, and, consequently, we are not requiring them to comply with the standards. However, to the extent that these programs perform healthcare claims processing activities using an electronic standard, it would benefit these programs and their healthcare providers to use the standard we adopt.”
“Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice.” Federal Register 65:160 (17 August 2000) p. 50319.
In an effort to realize the effectiveness of electronic data interchange, some states have adopted regulations requiring electronic healthcare transactions for billing and payment. Early implementers of EDI for workers’ compensation in various states identified issues such as payer ID (claim administrator identification), claim filing indicator code and claim number, and worked with stakeholders to find resolutions. These issues have since been addressed in industry standards.
Every day, physicians send and receive clinical information to and from patients, nurses, care managers, pharmacy technicians, specialty clinics and other physicians. These communications occur through a wide range of modes, including smart phones, pagers, CPOE, emails, texts and even messaging features within electronic medical records. Protected health information (PHI) is constantly exchanged through these messages, and to avoid a HIPAA violation, which can cost millions of dollars plus a hit to reputation, practices must make sure proper security features are in place.
Especially for physicians in smaller practices who are already strapped for time and resources, a HIPAA violation could leave their practice in a precarious situation. In fact, according to a recent study by the Ponemon Institute, the average cost of HIPAA breaches from 2010 through 2012 was $2.4 million per organization. To meet evolving guidelines around the quality of care, increase efficiency and potentially avoid financial penalties in the years to come, physicians must address communications security holistically.
The HIPAA final rule requires physicians to look at their entire risk management process, and not just specific technologies, which is why no texting product can, by itself, make a practice "HIPAA compliant." While texts are commonly sent between two individuals via their mobile phones, the "communication universe" into which a text enters is actually much bigger. This universe also includes creating electronic PHI (ePHI) and sending messages, in text and voice modalities, from mobile carrier web sites, paging applications, call centers, answering services and hospital switchboards.
The law stipulates that a covered entity – i.e., a physician, medical group practice, hospital or health system – must perform a formal risk assessment; develop and implement an effective risk management strategy based upon the findings of that risk assessment; implement the strategy using sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to physicians creating, transmitting and receiving PHI in any electronic form.
While there is no “one-size-fits-all” approach, medical practices can take the following steps to improve the security of their communications:
Today’s healthcare system is becoming progressively technology dependent. With the need to meet meaningful use requirements, convert to ICD-10, or work with health information exchanges (HIEs), healthcare organizations must have effective IT solutions, but building and implementing one successfully is not an easy task.
Below is a list of 10 fundamentals of successful healthcare IT project implementation, management and execution that will help your organization, whether clinical, business, or IT, design and develop a functional, patient-centered IT solution that fits its needs. It’s easy to let the highly technical elements overwhelm healthcare IT projects, but following these guidelines will help your team focus on the delivery of care.
Develop your plan with a detailed project introduction, clear scope, deliverables, schedules, project methodology, roles and responsibilities, and change management procedures. Consult ISO 9001/13485/62385 for information on best practices for quality management systems.
Healthcare IT projects involve a lot of moving parts and many people from different professional backgrounds. Setting clear expectations that every project member agrees on will ensure a project runs efficiently. Meeting regulatory requirements, including meaningful use goals, is a crucial aspect of carrying out a successful healthcare IT project.
Set goals and objectives
Early on in the process, involve key players – clinical, business, and IT – in determining the goals and objectives of the project. Ask your team to agree on a definition of success. Depending on the project, involving patients may be valuable. A patient portal project is an ideal situation to solicit feedback from patients.
Adapt to changing objectives
Build effective change management procedures into your plan to ensure that the project meets its goals on time and within budget.
Change management is important in every project, in every industry. It is particularly important at this time in healthcare. Healthcare reform and government mandates, such as Meaningful Use, are ever-changing. Recently, the deadline for compliance with ICD-10 was pushed back a year. If your organization was close to a switchover, ask your project team how those changing objectives impact your plan and your goals.
Doximity is the largest medical network with one in three U.S. physicians as members. Physicians use Doximity to instantly connect with other healthcare professionals, securely collaborate on patient treatment, grow their practices and discover new career opportunities.
Its vision is a future where medical communication is effortless — fast, simple, seamless and secure. Its mission is to “help physicians transcend the fragmented U.S. healthcare system and succeed in the care for their patients.”
Doximity was founded by Jeff Tangney, co-founder and former COO of Epocrates (EPOC), and launched in March 2011. Based in Silicon Valley, it’s backed by Emergence Capital Partners, InterWest Ventures, Morgenthaler Ventures (now Canvas Fund), Draper Fisher Jurvetson, T. Rowe Price and Morgan Stanley Investment Management.
Here, Alexander Blau, MD, vice president of physician marketing and medical director for Doximity, discusses the company, its future and what he's seeing from his perch. Blau is responsible for the marketing and user acquisition teams, oversees the development of clinical programs (including a socially curated medical literature filter and case-based discussion forums), and manages the aggregation, analysis and product integration of diverse healthcare data in charting the first-ever nationwide clinical expertise map.
Give us the short story on what you do and how you came to health IT?
My background is as an emergency physician. During my training, I was drawn to the latest in mobile health technology and eventually built my own app for medical interpretation. From that moment, I knew I was hooked on health tech. Three years ago, I joined Doximity to join a larger team to develop yet more tools that help doctors practice medicine every day.
Tell me about Doximity. There's been some press lately about how it's really innovating the space. What are you doing that makes for such success? Care to share the secret sauce?
Doximity is the first health tech company really built for physicians — as opposed to hospital administrators, billing departments, etc. In just three years, we’ve grown to be the largest network of verified physicians in the US, thanks to our focus on what doctors truly need from technology. Our focus on doctors is the secret sauce.
What are some of the misconceptions you face? Obstacles you must overcome?
There’s a misconception that physicians aren’t technology savvy, which is absolutely not true. Doctors have been among the earliest adopters of all kinds of communication technologies starting with pagers and the first smart phones. When it comes to social media, doctors are necessarily skeptical about privacy and HIPAA compliance. The great thing is that Doximity is specifically built to address physician privacy requirements and enable them to communicate professionally on the mobile devices they rely on.