Looks like my suspicions are correct. Most health data breaches are inside jobs. But, what’s surprising, according to a somewhat recent survey from Veriphyr, an access and identity provider, is that the majority of data breaches of medical records are committed by practice employees.
According to the survey, the most common type of medical-record breach, more than 35 percent, was healthcare employees peeking into the files of their co-workers. Another 27 percent of the breaches reported involved a healthcare employee looking at the records of family or friends.
Also gleaned from the survey is that of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breach. Data breaches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.
Some of the report’s key findings include:
Top breaches by type:
Snooping into medical records of fellow employees (35 percent)
Snooping into records of friends and relatives (27 percent)
Loss/theft of physical records (25 percent)
Loss/theft of equipment holding record (20 percent)
When a breach occurred, it was detected in:
One to three days (30 percent)
One week (12 percent)
Two to four weeks (17 percent)
Once a breach was detected, it was resolved in:
One to three days (16 percent)
One week (18 percent)
Two to four weeks (25 percent)
According to Health Data Management, there have been more than 31,000 data breaches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to the magazine, with “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”
Accordingly, one step toward limiting internal data breaches is to continuously educate your employees about the dangers and consequences of mishandling HIPAA-protected data, and in some cases it may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed to be used in the work setting, you need to establish some rules to protect the data the devices access, and in some cases you’re going to have to offer support for the devices.
Nevertheless, the information about data breaches is shocking. The number of employees sneaking peeks at patients’ profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.
This line pretty much sums it up: Improve quality of care through electronic health records.
Apparently, it’s a motto of sorts for the New York City Department of Health and Mental Hygiene. Not bad when you think about it. Sort of has a “I-love-health-IT” ring to it.
As cool as the organization’s unofficial motto is, its site features a wealth of great information about the benefits of EHRs, how they can improve healthcare and patient outcomes, and the steps practice leaders need to take when working to protect the data contained in the records.
As such, NYC’s health department site is filled with great advice for practice administrators to take to create proper procedures and practices to maintain data security.
Here’s a nice, 12-step program for you, courtesy of the NYC:
1. Continue following the rules and regulations set forth by HIPAA. Do not leave printed patient health information where others have access to it. When scanning information into a patient’s EHR, destroy the paper copy when it is no longer needed. Unlike paper charts, it is easy to see a computer screen from across the room. Computer screens should not be visible from the waiting room, check-in area or any place an unauthorized person may be able to see a patient’s EHR. Install privacy filters on monitors to block anyone from viewing the computer from a side view.
2. Install antivirus, intrusion detection and firewall software.
3. Do not use social security numbers as a unique patient identifier. This is something I’d like to see adopted universally in healthcare. There’s no need for my SSN to be sitting on the top of my new patient forms for all the world to see.
4. Patients have the right to control who sees their information. Whether or not an EHR system is in place, do not share patients’ health information with anyone unless the patient has personally authorized it or such disclosure is authorized by law (e.g., mandated disease reporting). Ensure that employers, marketers and law enforcement or immigration officers do not have access to patient records. If your practice is part of a Health Information Exchange network, patients have the right to choose whether or not they will participate. Patients have the right to revoke their consent for sharing information.
5. Patients should understand their rights to consent, as listed in #4 above.
6. Always log out of the EHR system when leaving the computer. If EHRs are left open on the screen, other people can access and/or modify patient information. This activity will be logged as the user’s and he/she may be held accountable for any privacy violations.
7. Keep all passwords safe and secret. Create a password carefully. Passwords should not be obvious, such as birthdays, pets’ names or favorite sports teams. Think of something that is easy for you to remember, but impossible for anyone else to guess. Never share passwords. If anyone asks a staff member for his/her password, the staff member should report that person immediately to the practice administrator. Passwords should not be posted or written down near the staff members’ desks. Change passwords every three months.
8. Ensure hardware is safe and secure. Portable computers are easy to steal. Computers, servers and other equipment that contain data should be locked in a secure place when not being used.
9. Be careful when accessing EHRs from outside of the office. When opening a patient’s EHR in public, make sure no one can see the computer screen. Only access EHRs from a secure Internet connection.
10. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
11. Keep up with staffing changes. If an employee leaves the practice, change the user’s status to inactive. This means they can no longer sign in with their old password.
12. Review audit trails periodically. Reviewing audit trails can alert practices to potential system abuse or misuse. Some staff members forget to log out of their system, as well as access parts of the EHRs that are beyond their practice function. Audit trails can let practice administrators know when this occurs and take appropriate action.
So, as the old saying goes, “The more you know, the further you’ll go.”
To this point in the meaningful use experiment, Phil Suiter, CEO of digiChart, has had the privilege of sitting at the front of one of healthcare’s greatest movements. From his place, he’s watched the market act and react, and has seen colleagues seek solutions to corner their respective markets all in the name of providing the best service for the most people.
Suiter, however, may have a view of the current health IT landscape like no other. Leading a specialty only provider of electronic health records and practice management systems, digiChart serves only OBGYNs.
Long before healthcare reform and the thought of meaningful use, digiChart created and built solutions solely for this space, and, unapologetically, will continue to serve the space. Plans for expansion may one day include moving into the pediatrician market, which seems to be a safe bet given the connection between the two specialties, but according to Suiter, that’s not a plan actively being pursued.
What’s interesting about digiChart’s position, as Suiter tells it, is that even though meaningful use is vitally important to digiChart and the company has helped many physicians achieve stage 1, OBGYNs have not voraciously jumped aboard the program.
What this means, he says, is that it’s a clear sign that the OBGYN market continues to live up to its reputation as a fiercely independent group of healthcare providers. Suiter said that only 20 percent of all digiChart’s clients have chosen to pursue meaningful use. Apparently, the other 80 percent have chosen to overlook the federal incentives and go at it alone.
From conversations he’s had with clients, they just are not seeing the benefit of meaningful use, especially given all of the work required when the only benefit is $44,000 over five years.
“At this particular point, they don’t realistically see a flip side in changing. In some practices, some have decided that they are better off without changing,” Suiter said. “Practices have determined that they can survive and be profitable if they are efficient and continue doing what they are doing, especially in the OBGYN space.”
Being profitable means they’ll ultimately forego Medicare patients to avoid the federal penalties levied against them for not meeting meaningful use. In many cases, they don’t see enough Medicare and Medicaid patients to make all the effort worth their while, Suiter said, so the work required simply is not worth it.
And, frankly, the question remains: Is the federal money going to still be available as stage 2 progresses? And, what happens in February 2013, should a new administration take office?
Despite the answers to these questions and whatever happens with the election in November, Suiter sees plenty of change ahead for the market. For example, EHR vendor contraction is coming after a period of great anticipation.
He predicts the market will dramatically shrink from more than 400 companies to fewer than 100, with far fewer of them actually viable and sustainable long term.
At the same time, he believes hospitals’ appetite for buying and owning private practices will disintegrate as soon as 12 months from now.
“I think we’ll see a disgorgement of practices by hospital systems within the next 12 to 18 months,” Suiter said, marking the end of a repeat performance last seen in the mid-1990s (1995, ’96 and ’97, he said specifically).
Hospitals have been voraciously trying to align themselves with private practice to capitalize on funds generated from meaningful use; however, they don’t seem capable of effectively managing private practices and their employees as they seem to be able to do with their internal systems and hospital employees, he said.
Private practices are too independent, for the most part, he said; especially, OBGYNs.
The fiercely independent group of physicians might have all the leverage they need to withstand outside pressure for adopting new technologies or changing the way they run their businesses at this point in their careers.
Why?
The average physician in the OBGYN space is 62 years old. At this point in their careers, they are not particularly interested in becoming hospital employees, and if they are not interested in pursuing meaningful use, which seems to be the case, they’ll either retire or go their own way.
Clearly, the technology used in healthcare will gain greater acceptance as new doctors enter the space. As colleges begin to implement the systems to train their residents (which they are not readily doing now), perhaps the appetite within the space will change. Clearly, there’s room for more adoption in the market Suiter serves.
But digiChart is positioned well, serving a market that it, and Suiter, understand, and they know their place, as leaders, in it. There are very few vendors that can represent the specialty space well, especially in the land-grab market of one-size-fits-all solutions penetrating the market. DigiChart and Suiter seem to understand that sometimes it’s better not to be the jack of all trades, but a master of one.
I had a conversation with a family member today. She’s getting to the point where it’s time to start thinking about taking some precautionary tests to determine whether or not she needs to pursue additional screening for some health issues that have run in her family.
She’s obviously concerned, and scared, to find out what the results of those tests might show. So much so that she might even be convinced not to pursue them.
Let me explain.
We’re in a new age of healthcare. With all the benefits gained because of electronic systems, and all the promises they are supposed to deliver, there are some unintended (perhaps they actually are intended) consequences that we as patients need to consider.
Our health information is now easily tracked. As soon as it enters the electronic record, it’s like it’s gone into the vault. No matter what, it will always be there, like a small deposit into a savings account; earning interest until it needs to be withdrawn.
Obviously, paper records could contain the exact same information as an electronic health record; it’s just that the information is a little less searchable, perhaps a little less likely to be found. Multiple pages from multiple locations sometimes just don’t come together as easily as a record where a couple of buttons can do all of the collating for you.
So, upon requesting some of the tests she thought she needed, my relative’s physician stopped her for a second to caution her. The doc simply said that if she submitted the information into her record it would always be there, like a glaring error, forever, for all the world to see; for insurance to question — as a way to establish a possible prior pre-existing condition.
For fear of being dropped from her insurance in the future or having her claims denied when she needs them paid, my relative decided to forego the tests. She took her doctor’s advice, like she usually does, and cancelled her test request.
Better not to raise any red flags, she decided. Better to practice cautionary care rather than let her insurance carrier be alerted now to something that might be nothing anyway.
See, like it or not, this is the age we’re in. Cost controlling comes down to care control in some cases. Having worked in insurance, I understand how this game is played. In this case, a doctor cautioned against a test, necessary or not, to protect her patient in the long run and to ensure she remained insurable for the short term, at least.
Sadly, though, in the long term, she may lose more sleep over not taking the tests rather than worrying about what might live on in her electronic health record. But that’s the era in which we live and these are now the decisions we must face, like it or not.
Maintaining the security of a practice’s EHR data is probably one of the biggest reasons physicians decide to implement one in the first place. With all of the reported benefits of electronic health records over their paper counterparts, the information kept guarded in your electronic system clearly is more secure, in most cases, than paper.
In addition to being able to securely protect your clinic’s data and patient information, there’s a clear advantage the EHR offers over paper records in that you are able to monitor, track and audit everyone who has ever accessed certain data and viewed specific records within your system.
This feature is especially valuable when you need to track employees who you think may be trying to gain access to information they should not have access to, as was the case recently when a Florida Hospital Celebration Health employee illegally accessed the personal data of multiple patients. According to American Medical News, fortunately for the hospital, its EHR employed a tool known as role-based access control, or RBAC.
With RBAC in place, an organization is able to allow system users access to only the information employees need to perform their jobs. Obviously, role-based access control systems can be used in any business setting where leadership determines certain information must be protected, as is the case in healthcare and hospital settings where HIPAA is concerned.
What seems to pique my curiosity the most, though, is just how much data snooping occurs in healthcare settings. I’ve often wondered how much of my personal information, like my social security number, birthday and home address are exposed to people who really have no business seeing it, and if it’s seen by an inappropriate person, is anything done about it.
As we know, patients worry that their personal health information might not be kept private and secure if stored electronically, and we’re especially concerned about who will have access to our records. There’s nothing truly valuable in the health record other than that which can be used for financial fraud, like social security numbers and my home address.
So, to most fully protect the data included in the record, practices should take whatever precautions needed to protect the data captured in the electronic health record.
The process of protecting my data really begins during the selection and implementation of your EHR, and, according to the New York Department of Health and Mental Hygiene, you should choose a system that has the following security features:
Role-based access control
As stated above, this allows you to define access privileges of each staff person and ensures that only authorized providers can see patients’ health information. Administrative staff should be restricted to basic information such as address, date of birth and other demographic information.
Practice leadership should be the only people who are responsible for establishing the access privileges of staff members.
Audit trails
Audit trails track activities within the EHRs. Documented events in an audit trail include a staff member logging in or out of the system, opening, modifying, creating or deleting a record, scheduling a patient, signing a chart, querying the system or printing personal health information.
Audit trails also document the date and time of an event, where the event occurred and who performed the event. Again, only authorized administrators should have access to read these records. No one, not even the office administrator, should be able to modify or delete audit trails.
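Step 12 of the NYC list and the RBAC and audit-trail features above describe a periodic review that catches two things: staff opening parts of a chart beyond their role, and staff peeking at co-workers’ or other unassigned patients’ records. The following is an added example of such a review, not code from the NYC health department or any EHR vendor; the audit export columns, role names, care-team assignments and log lines are all constructed for illustration.

```python
"""Review an EHR audit trail for role violations and record snooping.

Added example with constructed data. The CSV columns, role-to-section
mapping, staff-patient list and care-team table are assumptions; a real
EHR exports its own audit format and a practice derives the assignments
from HR and scheduling data.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed audit export: one line per documented event.
AUDIT_LOG = """\
timestamp,user,role,action,patient_id,section
2012-06-04T08:02:11,jdoe,front_desk,view,P1001,demographics
2012-06-04T08:05:40,jdoe,front_desk,view,P1002,clinical_notes
2012-06-04T09:15:02,mlee,physician,view,P1002,clinical_notes
2012-06-04T09:20:31,mlee,physician,modify,P1002,medications
2012-06-04T10:01:27,jdoe,front_desk,view,P2001,demographics
2012-06-04T11:47:09,rkim,nurse,view,P2001,clinical_notes
2012-06-04T12:30:00,rkim,nurse,view,P1003,clinical_notes
2012-06-04T12:30:44,rkim,nurse,print,P1003,clinical_notes
2012-06-04T13:02:19,rkim,nurse,view,P1004,clinical_notes
"""

# Role-based access control: chart sections each role may touch.
# As the text says, administrative staff get demographics only.
ROLE_SECTIONS = {
    "front_desk": {"demographics", "billing", "scheduling"},
    "nurse": {"demographics", "clinical_notes", "medications", "allergies"},
    "physician": {"demographics", "clinical_notes", "medications",
                  "allergies", "results"},
}

# Patients who are also employees (the "fellow employee" breach type).
# Constructed; in practice this mapping comes from HR, not the chart.
STAFF_PATIENT_IDS = {"P2001": "mlee"}

# Who is on each patient's care team and so has a reason to open the chart.
# Constructed; a real practice derives this from scheduling.
CARE_TEAM = {
    "P1002": {"mlee", "rkim"},
    "P1003": {"mlee"},
    "P1004": {"rkim"},
}


def parse_audit_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def review_audit_trail(events, role_sections=ROLE_SECTIONS,
                       staff_patients=STAFF_PATIENT_IDS, care_team=CARE_TEAM):
    """Return findings as (user, patient_id, reason) tuples.

    role_violation:            section is outside the user's RBAC role
    coworker_record:           clinical data of a staff member opened by
                               someone not on that person's care team
    no_treatment_relationship: clinical data opened for a patient the
                               user is not assigned to
    """
    findings = []
    for ev in events:
        user, role = ev["user"], ev["role"]
        pid, section = ev["patient_id"], ev["section"]
        if section not in role_sections.get(role, set()):
            findings.append((user, pid, "role_violation"))
            continue  # already flagged; do not double count
        if section == "demographics":
            continue  # basic information every role above may see
        if user not in care_team.get(pid, set()):
            reason = ("coworker_record" if pid in staff_patients
                      else "no_treatment_relationship")
            findings.append((user, pid, reason))
    return findings


def summarize_by_user(findings):
    """Count findings per user so repeat offenders stand out in review."""
    return dict(Counter(user for user, _, _ in findings))


if __name__ == "__main__":
    results = review_audit_trail(parse_audit_log(AUDIT_LOG))
    for user, pid, reason in results:
        print(f"{user:6} {pid:6} {reason}")
    print(summarize_by_user(results))
```

The same three checks scale to a real export by swapping in the practice’s own audit columns and feeding the role and care-team tables from HR and scheduling data.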
Password protection
EHRs must require a password to access the system. EHRs should be able to support additional passwords or identifiers for each user. The practice administrator should be able to define the rules for password complexity and expiration; for example, the practice may require all users to have passwords with five letters and at least one number, and that staff members change their password every three months.
The system must automatically log out a staff member if they forget to log out or leave the screen inactive for a period of time. The system must also require the user to enter his password to get back into the system. If someone repeatedly tries to enter the wrong password, the system should lock the user out. This keeps people from guessing other users’ passwords.
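The password rules just listed (complexity, three-month expiry, automatic logout after inactivity, lockout after repeated wrong passwords) map onto a small account state machine. Below is an added example of one, not code from any EHR product; the inactivity window, the lockout threshold, the class and function names and the sample accounts are all assumptions, since the text gives no values for them.

```python
"""Enforce the EHR password and session rules listed above.

Added example with constructed values. MAX_PASSWORD_AGE follows the
text's three-month rule and password_meets_rules its sample complexity
rule; the inactivity timeout and lockout threshold are assumed values.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)       # "change their password every three months"
INACTIVITY_TIMEOUT = timedelta(minutes=10)  # assumed; the text gives no value
MAX_FAILED_ATTEMPTS = 5                     # assumed; the text gives no value
PBKDF2_ROUNDS = 100_000


def password_meets_rules(password):
    """The text's sample rule: at least five letters and at least one number."""
    letters = sum(ch.isalpha() for ch in password)
    digits = sum(ch.isdigit() for ch in password)
    return letters >= 5 and digits >= 1


def password_expired(last_changed, now, max_age=MAX_PASSWORD_AGE):
    """True once the password is older than the practice's maximum age."""
    return now - last_changed > max_age


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored verifier is not the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserAccount:
    """One staff login with lockout, expiry and idle-timeout tracking."""

    def __init__(self, username, password, changed_on):
        if not password_meets_rules(password):
            raise ValueError("password does not meet practice rules")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.changed_on = changed_on
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None  # None means no open session

    def login(self, password, now):
        """Return 'ok', 'locked', 'bad_password' or 'expired'.

        Repeated wrong passwords lock the account, which is what stops
        someone from simply guessing another user's password.
        """
        if self.locked:
            return "locked"
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
            return "bad_password"
        if password_expired(self.changed_on, now):
            return "expired"  # correct, but a new password must be set first
        self.failed_attempts = 0
        self.last_activity = now
        return "ok"

    def touch(self, now):
        """Call on every EHR action. Ends the session if it sat idle too
        long, so a screen left open is not usable under this user's name."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > INACTIVITY_TIMEOUT:
            self.last_activity = None  # automatic logout; password required again
            return False
        self.last_activity = now
        return True


def demo():
    """Walk constructed accounts through the rules; returns the outcomes."""
    t0 = datetime(2012, 6, 4, 8, 0)
    acct = UserAccount("rkim", "maple2012", changed_on=t0 - timedelta(days=30))
    out = {"wrong_then_right": [acct.login("wrong", t0), acct.login("maple2012", t0)]}
    out["active_after_5min"] = acct.touch(t0 + timedelta(minutes=5))
    out["active_after_30min_idle"] = acct.touch(t0 + timedelta(minutes=35))
    out["relogin"] = acct.login("maple2012", t0 + timedelta(minutes=36))
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("guess", t0 + timedelta(hours=1))
    out["after_guessing"] = acct.login("maple2012", t0 + timedelta(hours=1))
    stale = UserAccount("jdoe", "river1999", changed_on=t0 - timedelta(days=120))
    out["stale_password"] = stale.login("river1999", t0)
    return out


if __name__ == "__main__":
    print(demo())
```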
Data encryption
EHRs should encrypt patient data, which helps to protect data if hardware is stolen or messages are intercepted.
Consent
EHRs should have the ability to print, store and display patient consent forms.
All in all, pretty standard information, especially if the EHR you operate performs to industry standards. If you feel the need to contract with an outside vendor for such services, they do exist, are relatively inexpensive and are experts in managing audits and ensuring your data is safe.
Ensure these steps, though, and create an audit schedule so your information and mine remain safe.
My fascination with the benefits of patient portals continues to grow as the technology continues to grow in popularity.
Given their resurgence in popularity over the course of the last three or four years, and with the latest push for patient engagement through stage 2, clearly they have a very strong future in the practice of healthcare for the foreseeable future; probably until a game-changing technology moves us beyond the era of EHRs.
Until quite recently, patient portals have been viewed as a novel concept, and, overwhelmingly, practice leaders and physicians kept coming back to how they were going to get patients to actually use the communication systems, and, likewise, what benefit would they deliver the practice if the patients used them.
It’s safe to say we’re now living in a different time than even just a few years ago. People are more mobile, landlines have been cut and actually using a phone to make a call is essentially going the way of the tube television.
We’re in an always on society where access to information, regardless of the subject, must be had. As you’re well aware, portals don’t necessarily come automatically with your EHR; they’re not bolted on, in other words. They cost money in addition to what you pay for your practice management system and electronic health record. In some cases, they’re actually quite expensive, or have been known to be in a traditional sense.
And, if the case could be made to invest in the technology (practice portals that is), the most obvious question often went unanswered: How can a practice bill for the time spent by its physicians when administering it and when responding to communications from patients, for example.
I digress. This is all water under the bridge. Everyone knows this stuff. It’s been overworked and underpaid.
The feds now require portals to play a huge part in health IT through meaningful use. Insurance companies are now jumping on board and allowing physicians and practices to bill for the time they spend administering data collected through portals, and patients have become so engaged in their mobile lives that it’s only a short matter of time before portals are utilized as heavily as online banking and ATMs, let’s say.
When I began thinking about this post, I thought of grandiose ways in which I could depict the usability of the portal and speak to its ever-increasing importance to the world of health IT, but I just don’t think I can sum up their benefits better than simply listing them, as they speak for themselves.
As we know, patient portals can increase patient engagement by providing secure access to medical information online. Additionally, they allow physicians to:
Send and receive messages to and from doctor’s office
Communicate with patients through secure messages
Post lab and imaging results
Send reminder notices to patients
Post patient consent forms
Make billing information available
Provide patient education materials
With patient portals, patients can:
View and enter medical history
View and update allergy and medication lists
Send messages to their doctor’s office
Complete registration forms
Update demographic information
Request appointments and prescription refills
Obtain patient education materials
View account statements and pay medical bills
Not a bad day’s work for a fascinating bit of technology that’s changing the face of healthcare IT.
Will meaningful use Stage 2 reach patient engagement?
Patient engagement now requires patient action. So says the Department of Health and Human Services in meaningful use stage 2.
As a patient, your physician is counting on you to engage with him or her. It’s up to you, folks, to bring it home. Your physician’s incentive, and ultimately his or her potential non-penalty for Medicare, is on your shoulders.
That’s an awful lot of weight to bear. Can’t you feel it? It’s overwhelming. I’m exhausted just thinking about it.
Seriously, though, I’m confused. Someone please set me straight; seriously.
Meaningful use is now up to the patient? Whether or not I choose to interact with my physician via electronic means determines his/her level of success as gauged by the government?
I’m sure I don’t need to recite the language from the ruling, but I’ll do so for good measure.
In short:
Five percent or more of patients must send secure messages to their physicians (yes, I said “must”)
Five percent or more of patients must access their health information online (yes, I said “must” again)
The language isn’t written in an inviting tone, but one that tries to demand respect. It doesn’t say “may” or “can,” it says “must.”
Is this a Ray Kinsella moment and HHS’ field of dreams?
“If you build it, he (they) will come,” sounds the whispered voice across the sky.
Cue the sound of rustling corn fields blowing in the wind as each of us imagine memories of our happy places where dreams live on forever.
If this gets built, will we all come and play? How can this be a requirement of our physicians? How can their level of success, the quality of the care they provide, be gauged based on whether or not I choose to interact with them via the web? After all, I want healthcare, not a Facebook friend or a Twitter follower. (I’m using obvious over exaggeration to make a point.)
I am all for patient engagement and believe it will increase given time and effort behind it, but forcing me — as a patient — to do something makes me a little less likely to follow so easily along. I’m not a lemming, and I don’t intend to be.
Sure, five percent seems like a manageable number; not that big of a deal. Surely, it’s just a few people, right?
Until next time, when the number increases to 25 percent of the overall patient population then 50 percent then 75 percent and so on until it’s just mandatory.
What might be the most troubling, though, is how this affects physicians and practices. Engaging patients to receive incentives and keep from being penalized becomes a marketing function, not a care function.
I can see it now: Your doctor will start offering club-type discount cards and try to cajole you with attractive terms like, “Sign up today for the patient portal and after you send just one email to your physician, you’ll receive a $5 credit to your account.”
Or, perhaps the whole thing will have physicians sounding like the cashiers at Target: “Sign up for your patient portal access today and you’ll not only receive a nifty tote bag for your things, but you’ll get 25 percent off of your next purchase!”
Lastly, I’m reminded of the lines of credit card pushers lining the student union of every college in the U.S. trying to convince our young and inexperienced that credit is the same as cash, don’t you know.
As noted on HealthWorks Collective, meeting this portion of the stage 2 requirement will take everyone in the practice, not to mention the support of those outside it.
But portals can only facilitate access to patients’ information; they can’t force people to do something they don’t want to do. Physicians and their practices may be required to encourage me to engage with my care providers, but whether I do is up to me, and no matter how useful or entertaining the portal is, engaging is something I commit to on my own terms.
Just because “they” build (read as “require”) it doesn’t mean I’ll come.
Death by PowerPoint: Overly used templates filled with a variety of bland information that does little to emphasize the point of the presenter. In this scenario, slides are often filled with generic information that could have been excluded from the presentation in the first place had the speaker actually taken the time to hone the point he was trying to make.
Likewise, there’s “death by a thousand clicks.” Pretty close to the term “death by a thousand cuts.”
The oft-used phrase is usually mentioned by physicians, practice leaders, members of the health IT community and nearly everyone who interacts with a template-filled electronic health record. It’s derived from the seemingly endless clicking as a user navigates the encounter note in the respective system, or so the story goes.
Click after click after click of the same, repetitive information in case after case, even if two patients present with the exact same conditions on the same day. No matter, when using a template system, you’ll be forced to re-key every piece of detail and click the exact clicks as the previous encounter, no way around it.
All the clicking reminds me of a cartoon I saw recently. It goes something like this: a doctor goes to his doctor for an exam. “What seems to be the problem,” the presiding doctor says to his doctor patient. The doctor patient replies, “Well, doc, I think I’ve developed a case of carpal tunnel syndrome from too many clicks in my EHR.”
I recently met Dr. Bob. Those of you with a Praxis system know who I’m talking about. In actuality, Dr. Bob is nothing more than a mascot for Praxis, which is the maker of template-free EHRs.
After ridding his practice of paper, Dr. Bob celebrates because of his decision to implement some technology. However, he quickly finds himself boxed in by templates and non-customizable data fields populated by click after click. “The templates soon bogged him down. Everything was a drop down menu or pick list. His thoughts had to pick one of the options. There was no flexibility.”
Templates slowed Dr. Bob down. Dr. Bob felt he was becoming more like a data entry clerk than a physician.
Sound familiar?
I thought so.
The Praxis system is written by its users in free text. The more it’s used, the easier the system is to use, remembering data from an earlier note and it essentially begins to auto populate certain data that can then be customized and changed given the varying scenarios encountered during the visit.
The system allows you to enter a few minor details like condition or medication as you build a case. The system remembers the details of each encounter and when you enter similar details again in the future, it helps you populate the field.
And the “thinking” the Praxis system does on behalf of the user is essentially the same as what you’d find when using Google to search the web. For every search conducted, Google remembers your past searches and auto populates what it thinks you are attempting to find. And, as you type, Google offers suggestions for what you might want to see.
From the demo, it’s clear the template-free system has its advantages and certainly would alleviate some of the click, click, clicking. Some users, though, may not enjoy the freedom the system provides, even though it offers exactly the intuitiveness that so many EHR users seem to crave.
All in all, it’s intuitive, fast, and – in my opinion – pretty slick.
So, for those of you seeking more flexibility in your system and wanting to do away with the endless clicks and data administration, the Praxis system seems pretty cool.
And for the record, Praxis had nothing to do with this post; the company didn’t know I was writing it.