Critical Aspects to Achieving Meaningful Use: Patient Admission and Discharge

Chris Strammiello

Chris Strammiello, vice president of marketing and product strategy, Nuance.

Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).

Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.

Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

With an FY 2015 deadline for meaningful use rapidly approaching, hospitals must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that although the vast majority of hospitals reported progress toward Stage 2 EHR, barely half of them, just 54 percent, were yet capable of protecting electronic health information, a required Core Objective in Stage 1.

Acting under provisions of HITECH, the Department of Health and Human Services Office of Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss protection (DLP) technology and procedures, and establish security incident reporting.


Keeping An Eye On Redaction and Data Automation: Why It’s Important to Small Practices

David Rasmussen

Guest post by David Rasmussen, president, Extract Systems.

There’s little argument that overwhelming responsibility is placed on practice leaders to protect the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting. Given the high level of risk for exposure of this information and because of expanded enforcement of HIPAA, practices managing the release of information (ROI) must be more vigilant now than they have been in the past. Their processes for handling ROI need to meet not only the requirements of the law, but what’s in the best interest of the practices’ patients.

Along with a significant rise in HIPAA enforcement, practices must remain sensitive to how they handle the data that’s released to third parties. Redaction of personal information from records is one important way practice administrators can improve security, though it’s not the only way. By integrating redaction solutions with existing practice technology, such as electronic health records, practices can automate the removal of PHI: searching for and removing any protected information becomes electronic, eliminating a manual, repetitive process.

Removing risks associated with the release of PHI is possible with automated solutions that can remove data fields like patient name, dates of service, medication lists and other general information in the health record. But even though solutions exist to automate the redaction of PHI, most organizations process records manually even as they migrate to electronic systems in other areas.