By Robert Barras, vice president of health solutions, CTG Inc.
There’s nothing like a good bandwagon to get everyone excited. Whether it’s the success of your favorite sports team, or a hot new restaurant in town, or a movie that’s breaking box office records, once something gets hot it seems everyone wants a piece of it.
For healthcare IT, one of the loudest and most visible bandwagons in the last few years has been the cloud. The idea of being able to hand off the expense and resource-intensive hassle of purchasing, implementing, and maintaining hardware and software is very attractive to healthcare organizations continuously being challenged to “do more with less.” Yet that expediency is often offset by continuing concerns about security, especially as it relates to protected health information (PHI), speed of access, and other issues.
The reality is that the cloud is the right choice for some organizations, or even some specific applications, but it’s not a panacea for HIT. The following are some things to consider as you decide whether to move to the cloud at all, and what makes sense to move there.
One of the top reasons in favor of moving data and/or applications to the cloud is the ability to scale them on an ad hoc basis – especially as healthcare data continues to grow exponentially. A report from EMC and research firm IDC projects the volume of healthcare data will grow from 153 exabytes in 2013 to 2,314 exabytes by 2020.
Of course, the growth won’t come in a steady stream. At some points, healthcare organizations will need to be able to manage a high volume of data. At others, they may need to boost their computing power temporarily to drive a specific objective.
Rather than trying to manage data or computing needs internally and ending up with over- or under-capacity, the cloud provides a convenient way to scale up or down quickly. It’s also more cost-efficient, as healthcare organizations only pay for what they consume, significantly reducing costs. Finally, expanding capacity through the cloud ensures processing-heavy analytics applications aren’t slowing down the performance of critical clinical applications.
All of that data won’t be coming from a single source, either. As more of healthcare shifts to being value-based, providers of all types and sizes need to populate their population health management (PHM) and other analytics applications with data drawn from a variety of sources inside and outside of the organization.
Most organizations, especially those hyper-concerned with security, will not want all of that outside data flowing into their core systems or internal data centers. The cloud presents an ideal alternative.
It can create a clean separation between the main storage of PHI and all other data by treating PHI as a source that feeds applications housed in the cloud. With the help of a partner, all the incoming data can be cleaned and normalized so it can be used within analytics or other applications, providing better, more complete answers to PHM, patient engagement, trends, and other questions than can be obtained with internal data alone.
As the use of data in this manner grows, it will simplify the exchange between providers – especially as standards such as FHIR proliferate throughout the industry. The result is that interoperability almost becomes a byproduct of the use of data in the cloud, avoiding the need for expensive, time-consuming special projects just to send electronic health records from one provider to another.
Chris Strammiello, vice president of marketing and product strategy, Nuance.
Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).
Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.
Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
As hospitals are rapidly approaching an FY 2015 deadline for meaningful use, they must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.
Acting under provisions of HITECH, the Department of Health and Human Services Office of Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss protection (DLP) technology and procedures, and establish security incident reporting.
There’s little argument that overwhelming responsibility is placed on practice leaders to protect the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting. Given the high level of risk for exposure of this information and because of expanded enforcement of HIPAA, practices managing the release of information (ROI) must be more vigilant now than they have been in the past. Their processes for handling ROI need to meet not only the requirements of the law, but what’s in the best interest of the practices’ patients.
Along with a significant rise in HIPAA enforcement, practices must remain sensitive to how they handle the data that’s released to third parties. Redaction of personal information from records is one important way practice administrators can improve security, though it’s not the only way. When the removal of PHI is automated by integrating redaction solutions with existing practice technology, such as electronic health records, searching for and removing any protected information becomes electronic, eliminating a manual, repetitive process.
Removing risks associated with the release of PHI is possible with automated solutions that can remove data fields like patient name, dates of service, medication lists and other general information in the health record. But even though solutions exist to automate the redaction of PHI, most organizations process records manually even as they migrate to electronic systems in other areas.