As more healthcare providers modernize their IT with cloud solutions and mobile devices, the opportunity for breaches increases dramatically. Hardly a week goes by without a major hospital or practice announcing a data breach. Breach reporting is costly, time-consuming and harmful to the reputation of otherwise legitimate practices. But is it really unsecured data, hackers or doctors sharing information that is causing breaches?
A quick analysis of the public data released by the Department of Health and Human Resources (HHS) reveals that from the first reported breaches in 2009 through early 2013, there were 572 breaches involving 500 or more patients (the threshold for reporting). Of these breaches, only about 10 percent came from hacking/IT incidents or improper disposal, while over half—51 percent—were a result of theft.
When you combine these details with the location of the breach, the picture becomes even more clear: 44 percent of the breaches are from laptops, 13.5 percent are from a computer, 13.1 percent are from portable devices and 10.5 percent are from network servers. That means a whopping 81 percent of breaches are from computing devices, and 57 percent are from mobile devices alone.
The security priority is apparent. Mobile devices cause the majority of PHI breaches and must be secured. While they aren’t foolproof and breaches can still occur, there are a variety of methods to control access to data on laptops, tablets, and smart phones on today’s market, as well as ways to wipe the device and track it.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.
The Department of Health and Human Services (HHS) published a new meaningful use rule that allows healthcare providers “more flexibility” in how they use certified electronic health record (EHR) technology (CEHRT) to meet meaningful use for an EHR Incentive Program reporting period for 2014. According to the HHS’ statement, “by providing this flexibility, more providers will be able to participate and meet important meaningful use objectives like drug interaction and drug allergy checks, providing clinical summaries to patients, electronic prescribing, reporting on key public health data and reporting on quality measures.”
“We listened to stakeholder feedback and provided CEHRT flexibility for 2014 to help ensure providers can continue to participate in the EHR Incentive Programs forward,” said Marilyn Tavenner, CMS administrator. “We were excited to see that there is overwhelming support for this change.”
Based on public comments and feedback from stakeholders, the Centers for Medicare & Medicaid Services (CMS) identified ways to help eligible professionals, eligible hospitals, and critical access hospitals (CAHs) implement and meaningfully use Certified EHR Technology. Specifically, eligible providers can use the 2011 Edition CEHRT or a combination of 2011 and 2014 Edition CEHRT for an EHR reporting period in 2014 for the Medicare and Medicaid EHR Incentive Programs; All eligible professionals, eligible hospitals, and CAHs are required to use the 2014 Edition CEHRT in 2015.
These updates to the EHR Incentive Programs support HHS’ commitment to implementing an effective health information technology infrastructure that elevates patient-centered care, improves health outcomes, and supports the providers that care for patients.
The rule also finalizes the extension of Stage 2 through 2016 for certain providers and announces the Stage 3 timeline, which will begin in 2017 for providers who first became meaningful EHR users in 2011 or 2012.
As the Centers for Medicaid and Medicare Services (CMS) and the Office of the National Coordinator for Health IT (ONC) finalized a regulation granting providers additional flexibility in meeting meaningful use (MU) requirements in 2014, the final rule lacked a key provision that would ensure continued EHR adoption and MU participation, according to CHIME.
CHIME issued as statement stating that the organization is “deeply disappointed in the decision made by CMS and ONC to require 365 days of EHR reporting in 2015. This single provision has severely muted the positive impacts of this final rule. Further, it has all but ensured that industry struggles will continue well beyond 2014.”
According to the statement by CHIME, roughly 50 percent of EHs and CAHs were scheduled to meet Stage 2 requirements this year and nearly 85 percent of EHs and CAHs will be required to meet Stage 2 requirements in 2015. Most hospitals who take advantage of new pathways made possible through this final rule will not be in a position to meet Stage 2 requirements beginning October 1, 2014. This means that penalties avoided in 2014 will come in 2015, and millions of dollars will be lost due to misguided government timelines.
Nearly every stakeholder group echoed recommendations made by CHIME to give providers the option of reporting any three-month quarter EHR reporting period in 2015. “This sensible recommendation, if taken, would have assuaged industry concerns over the pace and trajectory of rulemaking; it would have pushed providers to meet a higher bar, without pushing them off the cliff; and it would have ensured the long-term vitality of the program itself. Now, the very future of Meaningful Use is in question,” said CHIME.
Reports state that only 39 percent of physicians share data using a health information exchange (HIE). There is even a lower number of only 14 percent who electronically share data with ambulatory care providers or hospitals outside their organization. While these numbers may seem astounding to some with Stage 2 fast approaching — the reason is clear. Because even though providers want to share health information electronically they are hindered by EHRs that can’t communicate with one another, lack information-exchange infrastructure, and the high expense of setting up electronic interfaces and health information exchanges.
Below are the top reasons why EHR sharing remains low for adoption:
Lack of Interoperability. The majority of providers and physicians have acknowledged lack of EHR interoperability and exchange infrastructure as major barriers to health information exchange. They have also identified the cost of creating and maintaining interfaces and exchanges as a major barrier.
Lack of Advanced Technology. Over the last few years, various HIE systems have been developed, but many have failed for technological and organizational reasons. High-level issues must be addressed to implement an HIE successfully, including disparate EHR and HIS systems. Most previous HIE research focused on high-level issues and evaluating impact on healthcare delivery, ROI, Syndromic Surveillance, etc.
Lack of Security and Streamlining. Quantitative measures are crucial to the long-term sustainability of HIEs. Interoperability of patient data doesn’t effectively address concerns on privacy, productivity, workflow and costs. Streamlining HIE access through integration with electronic health records to minimize workflow interruption, and keeping costs reasonably low for providers, may increase participation.
Lack of Affordability and Productivity. The cost and loss of productivity are major barriers to HIE adoption. While there are many compliant products on the market, not all of them provide cost savings and lead to efficiency or increased productivity.
The purpose of EHR and HIE is to make patient specific information available at the point of care to improve the delivery and quality of care. Interoperability of patient data no doubt has many advantages, including improved care coordination, elimination of paperwork, reduction in duplicate tests and reduction of medical errors. It is imperative to develop a long-term plan for standards and interoperability that will support competing public and private-sector Interoperability efforts. We should also encourage clear regulation on compliance with federal privacy and security laws. There should also be national benchmarking to share best practices and lessons learned. There should be significant cooperation among primary-care providers, medical specialists, long term care providers and hospitals to outline common information sharing needs promoting a value-based care.
Guest post by Adnan Ahmed, president of the health IT solutions provider CNSI.
Each year, health IT experts and state health officials from across the country convene at the Medicaid Enterprise Systems Conference (MESC) to discuss the latest technology solutions for serving a diverse and growing Medicaid population.
This year’s event was held the week of August 18 in Denver, CO, bringing together state, federal and private sector individuals who provided the latest insights for the exchange of ideas related to Medicaid systems technology.
With seven million new Medicaid recipients this past year alone, state Medicaid systems face the challenge of onboarding a high volume of newly enrolled recipients, but also benefit from the opportunity to collect a wealth of data that IT systems can utilize to help government health and human services departments optimize managed health care and patient service.
While Medicaid has long been known simply as a system of payments, IT solutions increasingly present the transformative ability to develop and experiment with new value add-ons that will introduce cost-cutting efficiencies while also improving patient care.
The following is a fascinating infographic from UC Berkeley School of Information highlighting, very nicely, the information contained in an EHR; the difference between an EMR and an EHR; top specialties to adopt electronic health records, as well as top (and not top) states to adopt the technology.
The information here clearly speaks for itself. According to Berkeley’s School of Information, “data science holds great promise for patient health, but patient data is only actionable in so far as it is digital. This is where EHRs come in. By 2019, the majority of physicians will have adopted a basic EHR system, and with good reason, too. EHRs may reduce outpatient care costs by 3 percent.
This “Electronic Health Records & the Data of Health Care” infographic from datascience@berkeley explores the health data revolution; if nothing else, I thought it was worth a share.
George Robinson, RPh, senior product manager, First Databank.
Approximately $20 billion is lost annually in the United States because of medication errors, with the average hospitalized patient subject to at least one medication mistake per day.Alert fatigue is often cited as a reason for these errors—even though alerts generated by clinical decision support (CDS) systems call attention to important information (such as potential drug interactions), excessive alerts wear clinicians down, resulting in boy-who-cries-wolf scenarios. The result: clinicians instinctively override the alerts instead of implementing an override monitoring plan.
Consider the following:
In 2009, researchers at the Boston-based Beth Israel Deaconess Medical Center and the Dana-Farber Cancer Institute looked at the safety alerts generated by 2,872 clinicians through 3.5 million electronic prescriptions over a nine-month period. Of the 233,537 alerts, 98 percent were drug-drug interaction issues, and more than 90 percent were overridden.
A more recent 2013 study, published in the Journal of the American Medical Informatics Association, showed improved override rates with only about half of alerts overridden by providers, with half of those overrides classified as appropriate. Authors concluded that further refinement of these alerts could improve relevance and reduce alert fatigue.
A Driver in Need of a Clearer View
The afore-mentioned studies conclude that clinicians are indeed overriding medication alerts at alarming rates. Although the industry has made significant progress in addressing alert fatigue during the time the data from these studies was being analyzed, these studies clearly support what most healthcare professionals already suspect: The practice of ignoring and overriding medication alerts is widespread and can potentially lead to undesirable consequences.
