
Karen DeSalvo and Jacob Reider Leave ONC

Posted on October 24, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s been a tumultuous few months for ONC and it’s just gotten even more tumultuous. We previously reported about the departures of Doug Fridsma MD, ONC’s Chief Science Officer; Joy Pritts, the first Chief Privacy Officer at ONC; Lygeia Ricciardi, Director of the Office of Consumer eHealth; and Judy Murphy, Chief Nursing Officer (CNO), from ONC. Yesterday, the news dropped that Karen DeSalvo, ONC’s National Coordinator, and Jacob Reider, ONC’s Deputy National Coordinator, are both leaving ONC as well.

Karen DeSalvo has been tapped by HHS Secretary Sylvia Mathews Burwell to replace Wanda K. Jones as assistant secretary of health which oversees the surgeon general’s office and will be working on Ebola and other pressing health issues. I think DeSalvo’s letter to staff describes it well:

As you know, I have deep roots and a belief in public health and its critical value in assuring the health of everyone, not only in crisis, but every day, and I am honored to be asked to step in to serve.

DeSalvo’s always been a major public health advocate and that’s where her passion lies. Her passion isn’t healthcare technology. So, this change isn’t surprising. Although, it is a little surprising that it comes only 10 months into her time at ONC.

The obvious choice as Acting National Coordinator would have been Jacob Reider, who was previously Acting National Coordinator when Farzad Mostashari left. However, Reider also announced his decision to leave ONC:

In light of the events that led to Karen’s announcement today–it’s appropriate now to be clear about my plans, as well. With Jon White and Andy Gettinger on board, and a search for a new Deputy National Coordinator well underway, I am pleased that much of this has now fallen into place–with only a few loose ends yet to be completed. I’ll remain at ONC until late November, working closely with Lisa as she assumes her role as Acting National Coordinator.

As Reider mentions, Lisa Lewis, who is currently ONC’s COO, will be serving as Acting National Coordinator at ONC.

What’s All This Mean?
There’s a lot of speculation as to why all of these departures are happening at ONC. Many people believe that ONC is a sinking ship and people are doing everything they can to get off the ship before it sinks completely. Others have suggested that these people see an opportunity to make a lot more money working for a company. The government certainly doesn’t pay market wages for the skills these people have. Plus, their connections and experience at ONC give them some unique qualifications that many companies are willing to pay to get. Some have suggested that the meaningful use work is mostly done and so these people want to move on to something new.

My guess is that it’s a mix of all of these things. It’s always hard to make broad generalizations about topics like this. For example, I already alluded to the fact that I think Karen DeSalvo saw an opportunity to move to a position that was more in line with her passions. Hard to fault someone for making that move. We’d all do the same.

What is really unclear is the future of ONC. They still have a few years of meaningful use which they’ll have to administer including the EHR penalties which could carry meaningful use forward for even longer than just a few years. I expect ONC will still have money to work on things like interoperability. We’ll see if ONC can put together the patient safety initiative they started or if that will get shut down because it’s outside their jurisdiction.

Beyond those things, what’s the future of ONC?

Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 | Written By John Lynn

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet, there are a lot of challenges when it comes to medical device security. Definitely no antivirus and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

Amazing Live Visualization of Internet Attacks

Posted on October 22, 2014 | Written By John Lynn

I recently heard Elliot Lewis, Dell’s Chief Security Architect, comment that “The average new viruses per day is about 5-10k appearing new each day.” To be honest, I wasn’t quite sure how to process that type of volume of viruses. It felt pretty unbelievable to me even though I figured he was right.

Today, I came across this amazing internet attack map by Norse which illustrates a small portion of the attacks that are happening on the internet in real time. I captured a screenshot of the map below, but you really need to check out the live map to get a feel for how many internet attacks are happening. It’s astounding to watch.

[Image: Norse - Internet Attack Map]

For those tech nerds out there, here’s the technical description of what’s happening on the map:

Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

It’s worth noting that these are the attacks that are happening. Just because something is getting attacked doesn’t mean that the attack was successful. A large majority of the attacks aren’t successful. However, when you see the volume of attacks (and that map only shows a small portion of them) is so large, you only need a small number of them to be successful to wreak a lot of havoc.

If this type of visualization doesn’t make you stop and worry just a little bit, then you’re not human. There’s a lot of crazy stuff going on out there. It’s actually quite amazing that with all the crazy stuff that’s happening, the internet works as well as it does.

Hopefully this visualization will wake up a few healthcare organizations to be just a little more serious about their IT security.

CMS’ HIPAA Risk Analysis Myths and Truths

Posted on October 21, 2014 | Written By John Lynn

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although, that illustrates how well we’re doing at complying with the HIPAA security rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.

Please note:
* Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
* In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
[Image: CMS HIPAA Security Risk Analysis Myths and Facts]

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
[Image: CMS HIPAA Security Risk Analysis Overview]

Have you done your HIPAA Risk Assessment for your organization?

Interesting and Funny Insights Into EHR and Health Information Management

Posted on October 20, 2014 | Written By John Lynn

Last week I had the chance to attend the Craneware Summit in Las Vegas. It was a really interesting event where I had the chance to meet and talk with a wide variety of people from across the spectrum of healthcare. I love getting these added perspectives.

One of the sessions I attended was an E&M session which provided some really interesting insights into the life of an E&M coder and how they look at things. There’s a lot more to their job, but I tweeted these comments because they made me laugh and illustrated part of the challenge they face in a new EMR world.


I thought these immediate responses to the question were interesting. They came from a crowd of HIM and coding professionals. Overall, they were quite supportive of EMR it seemed.


Many doctors don’t understand this. That’s why so many coders still have jobs.


Too funny.


Said like a true coder.

Funny ICD-10 Codes Have Ruined the ICD-10 Branding

Posted on October 17, 2014 | Written By John Lynn

The people at online physician community, QuantiaMD, recently sent me a list of the top 3 “Crazy ICD-10 Codes” that they got from their community. It was quite interesting to learn that when they asked their community for these codes, they yielded double the participation the company typically sees. No doubt, physicians have glommed on to these funny and crazy ICD-10 codes. I’ll be honest. I’ve gotten plenty of laughs over some of the funny ICD-10 codes as well. Seriously, you can’t make some of this stuff up. Here’s a look at the top 3 crazy ICD-10 codes they received (and some awesome color commentary from the nominators):

1. W16.221 – Fall into bucket of water, causing drowning and submersion. I didn’t realize mopping the floor was so dangerous!
2. Z63.1 – Problems in relationship with in-laws. Really, Who does not?
3. V9733xD – Sucked into jet engine, subsequent encounter. Oops I did it again.

While these codes are amazing and in many respects ridiculous, they’re so over the top that they’ve branded ICD-10 as a complete joke. For every legitimate story about the value of ICD-10 there have probably been 10 stories talking about the funny and crazy ICD-10 codes. You can imagine which story goes viral. Are you going to share the story that talks about improvement in patient care or the one that makes you laugh? How come the story about there being no ICD-9 code for Ebola hasn’t gone viral (Yes, ICD-10 has a code for Ebola)?

Unfortunately, I don’t think the proponents of ICD-10 have done a great job making sure that the dialog on the benefits of ICD-10 is out there as well. Yes, it’s an uphill battle, but most things of worth require a fight and can easily get drowned out by humor and minutiae if you give up. If ICD-10 really is that valuable, then it’s well worth the fight.

My fear is that it might be too late for ICD-10. Changing the ICD-10 brand that has been labeled as a joke is going to be nearly impossible. However, there are some key people on the side of ICD-10. CMS for starters. If you can get the law passed, then the ICD-10 branding won’t matter.

One thing I do know is that doing nothing means we’ll get more and more articles about Funny ICD-10 codes and little coverage of why ICD-10 needs to be implemented. I encourage those who see the value in ICD-10 to make sure they’re telling that part of the story. If you don’t have your own platform to share that part of the story, I’ll be happy to offer mine. Just drop me a note on my contact us page.

Are You a Healthcare Data Hoarder?

Posted on October 16, 2014 | Written By John Lynn

I’m thinking I need to start a new healthcare reality TV show called “Healthcare Data Hoarders.” We’ll go into healthcare institutions (after signing our HIPAA lives away), and take a look through all the data a healthcare organization is storing away.

My guess is that we wouldn’t have to look very far to find some really amazing healthcare data hoarders. The healthcare data hoarding I see happening comes in two folds: legacy systems and data warehouses.

Legacy Systems – You know the systems I’m talking about. They’re the ones stored under a desk in the back of radiology. The software is no longer being updated. In fact, the software vendor is often not even around anymore. However, for some reason you think you’re going to need the data off that system that’s 30 years old and only one person in your entire organization knows how to access the legacy software. Yes, I realize there are laws that require healthcare organizations to “hoard” data to some extent. However, many of these legacy systems are well past those legal data retention requirements.

Data Warehouses – These come in all shapes and sizes and for this hoarding article let me suggest that an EHR is kind of a data warehouse (yes, I’m using a really broad definition). Much like a physical hoarder, I see a lot of organizations in healthcare that are gathering virtual piles of data for which they have no use and will likely never find a way to use it. Historically, a data warehouse manager’s job is to try and collect, normalize, and aggregate all of the healthcare organization’s data into one repository. Yes, the data warehouse manager is really the Chief Healthcare Data Hoarder. Gather and protect any and all data you can find.

While I love the idea that we’re collecting data that can hopefully make healthcare better, just collecting data doesn’t do anything to improve healthcare. In fact, it can often retard efforts to leverage healthcare data to improve health. The problem is that the healthcare data that can be leveraged for good is buried under all of this useless data. It takes so much effort to sift through the junk data that people just stop before they even get started.

Are you collecting data and not doing anything with it? I challenge you to remedy that situation.

Is your healthcare organization a healthcare data hoarder?

8 Steps to Creating a Solid EHR Foundation – Breakaway Thinking

Posted on October 15, 2014 | Written By

The following is a guest blog post by Noelle Whang, Sr. Instructional Designer at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Implementing an electronic health record (EHR) is a huge undertaking, but the work after go live can be even more demanding. Mapping and redesigning workflows is an important aspect of EHR implementation and optimization that is often overlooked, especially after the application has been live for a while.  This seemingly simple but complex task involves diagraming and analyzing all current work processes and adjusting them to include use of a new EHR system or upgrade, or to be more effective with a current system.

Workflow mapping and redesign should occur before implementation and regularly after go live to ensure end users truly adopt the EHR and organizational benefits are realized. Following these eight steps can ease the task of mapping workflows to identify any that should be adjusted to maximize optimization:

  1. Identify what workflows will need to be mapped in detail. “Understanding the full clinical context for health IT to the level of task, resources, and workflow is a necessary prerequisite for successful adoption of health IT,” according to a Perspectives in Health Information Management article. It’s helpful to first map out the entire patient care process at a high level, such as from registration to discharge in the inpatient setting and scheduling to check-out in the ambulatory setting. Documenting how business is performed at a high level facilitates identifying the more granular tasks that need to be mapped in detail, such as scheduling a patient appointment or placing verbal orders. It also helps in identifying all the roles involved in each workflow, as these can vary depending on the department or patient process. For example, discharging a patient from Labor and Delivery may include roles, such as a lactation nurse and pediatrician, not found in other departments. Remember to also consider departments or patient processes that are often overlooked, such as Materials Management and Respiratory Therapy. Other areas of concentration should be those with lower productivity or that relate to how the organization is going to determine return on investment.
  2. Identify teams to map out each process. After identifying what workflows need to be mapped, establish the team that will do the actual mapping. Usually, individuals who perform a particular workflow or those who are responsible for implementing any redesign changes are best suited to map workflows, as they have in-depth knowledge of the process. For example, select one registrar, one nurse and one physician to map out all workflows in the Emergency Department.
  3. Determine the process for mapping the workflows. Once the team has been identified, determine how information about workflows will be gathered, documented, and visually represented. The process for gathering information can be through interviews, observation, or meetings. The information can be documented with tools such as Microsoft Word or Visio or simply on paper. The data can be represented in formats such as a swim lane chart, a flow process chart or other process diagrams. In my experience mapping out workflows, the most commonly used format is a swim lane chart created through Visio. And remember: Internal staff will most likely need to be trained on how to gather the data and use the appropriate tools.
  4. Map the workflow as actually performed. After determining how information is gathered and documented, create the actual workflow diagrams. Document all work as it is currently being performed, including any undesirable behavior such as workarounds or inconsistencies. For a case study on how one organization created their workflow diagrams, see the following Journal of American Medical Information Association article.
  5. Analyze the workflow. Once the workflows are diagramed, begin the analysis. If a vendor has not been selected, use the diagrams to determine if a particular application fits the needs of your organization, with the caveat that it is neither feasible nor desirable to keep workflows exactly the same after an implementation. If the application is already in place, the diagrams can be used to determine where problems are occurring, what the root cause is, and how to fix them. The diagrams can also be used to determine where optimization or efficiencies may be gained.
  6. Document the new workflow. Once the analysis is complete and you have determined what workflows are currently not working for your organization, document the new and improved workflow. It is a good idea to take the new workflows through a couple of use-case scenarios to ensure that the updates are not causing other problems or unintended consequences.
  7. Update or create policies and procedures. New or updated policies and procedures may be necessary to implement and support the new workflow. This can include determining consequences for any end users that do not adhere to the new workflows. Note that this also requires thinking about how non-adherence will be identified, perhaps through routine application audits or quarterly in-department observation.
  8. Train staff. After all the hard lifting of creating the workflow diagrams, analyzing the processes and updating the workflows, the last step is to train end users on the new workflows, policies and procedures. Remember to convey why the changes are occurring, and if possible, tie the reasons to big-ticket items such as increasing patient safety and satisfaction.

It’s easy to focus entirely on big tasks such as vendor selection and system configuration when implementing an EHR, but neglecting workflows can have serious negative impacts, including costly reconfigurations and operational inefficiencies.  It’s like building a house where each individual room is perfect, but the doors are all in the wrong place. With poor design you end up having to go through the closet to get to the kitchen, or even worse the foundation may begin to crack.  Similarly, with poorly designed EHR workflows, you can end up with duplicate documentation, activities that take more time than they should, and workarounds or shortcuts that can lead to negative consequences. Set your healthcare organization up for success and create a solid foundation by making workflow mapping and redesign a priority.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Are You HIPAA Secure?

Posted on October 14, 2014 | Written By John Lynn

I was recently asked to provide some tips on health IT and data security for a healthcare lawyer’s website. You can see the final blog post here, but I thought I’d share the 3 suggestions and tips I sent to them.

1. Encrypt all of your computers that store PHI (Protected Health Information) – If your hard drive is lost or stolen and it’s not encrypted, you’ll pay the price big time. However, if it’s encrypted you won’t have to worry nearly as much.

2. Avoid Sending SMS Messages with PHI – SMS is not HIPAA secure and there are plenty of high quality secure, HIPAA compliant text message options out there. Find one you like and use it. While being secure it also has other features like the ability to see if the recipient has read the message or not.

3. Do a HIPAA Risk Assessment – Not only is this required by HIPAA and meaningful use, it’s a good thing to do for your patients. Don’t fake your way through the assessment. Really dig into the privacy and security risks of your organization and make reasonable choices to make sure that you’re protecting your health data.

No doubt there’s a lot more that could be said about this topic, but I think these three areas are a good place to start. A huge portion of the HIPAA breaches that have occurred could have been prevented by doing these three things.

If you have other suggestions for people, I’d love to hear them in the comments. I’m sure there are some more obvious ones that I’ve missed.

Google Helpouts Tested in Google Search Results – Dr. Google?

Posted on October 13, 2014 | Written By John Lynn

It was first noticed by someone on Reddit and then confirmed by Engadget that Google has been testing a Google Helpout style feature which offers a telemedicine video visit with a doctor. You can see an image of the test Google search telemedicine integration below:
[Image: Google Helpout - Google Search Integration]

This is a really interesting integration for a number of reasons. First, Google wasn’t charging for these initial test visits, but would no doubt charge for these visits in the future. Second, it takes an Act of God to get Google to integrate something into their cash cow: search results. That should tell us how serious Google is about doing these types of integrations.

I can already hear the naysayers who think this is a terrible idea. They might be right as a business. We’ll have to see how that plays out. The reimbursement model could be a challenging one. Plus, there are plenty of reasons why this won’t work. Google will have to get really good at knowing when to offer a visit and when not to offer a visit. We’ll see if they want to make the investment required to understand when the visit is something that should be encouraged and when it shouldn’t be encouraged.

One thing I’ve observed with Telemedicine is that it can really work well…if you have the right situation. The reason Telemedicine has gotten a bad rap is that the naysayers have plenty of ammo they can use to explain why Telemedicine could be a terrible thing. These naysayers are correct. There are a bunch of healthcare situations where a telemedicine visit just isn’t going to work. However, just because something doesn’t solve 100% of the situations doesn’t mean it shouldn’t be used for the 30% of the time (I think it could be more than this) that it’s a beautifully elegant solution that’s just as effective as an in-office visit.

As noted, this was just a trial by Google. Google is well known for trying things to see how they do and then scrapping them after the trial. So, we’ll see how this goes. It does seem that Google can’t keep its hands out of healthcare. I think they see the trillion dollar industry and just can’t resist.