Amazon AWS Will Sign HIPAA Business Associate Agreement

Thanks to Ian Eslick for catching this piece of news. This is really big news, because there were a lot of companies and organizations that were building healthcare applications on the back of Amazon AWS. I’m glad that Amazon has finally put together a policy related to HIPAA.

Here’s their new section describing their compliance with HIPAA:

AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information and AWS will be signing business associate agreements with such customers. AWS also offers a HIPAA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance. For more information on the AWS HIPAA compliance program please contact AWS Sales and Business Development.

Obviously the devil is in the details on this. I’ll reach out to one of my HIPAA lawyer friends to see what they think of this. If you’re a healthcare organization or vendor that’s on Amazon AWS, I’d love to hear your thoughts as well. The fact that Amazon is now willing to sign a BAA is really big news and a great step forward for anyone wanting to develop an application covered by HIPAA on Amazon’s AWS.

June 19, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus.

Health IT & EHR State Summaries

I’m always happy to look at data. Certainly data can lie, but it can also inform if you are looking at the right data and considering the biases of the data. I applaud ONC for being as transparent as possible with the EHR incentive program data. They have an entire Health IT Dashboard for analyzing the data. I think this is a great step towards accountability for how the EHR incentive money is being spent.

ONC recently announced a set of Health IT Quick Stats and even created a widget (embedded below) that lets you download a 3 page health IT and HITECH summary for your state. I think a few states are missing from the widget and why they grouped them by area I don’t know, but there’s some interesting data in the reports.

I downloaded my home state of Nevada to see how we’re doing with Health IT and HITECH. Here are a few thoughts I had when looking at EHR use in Nevada.

I was amazed that so many REC assisted providers were live with an EHR, but less than half of those had demonstrated meaningful use. We’ll see if that changes after this year’s attestations.

I do have to question some of the data since it shows the overall access to view lab results electronically as 0% for Nevada. Something is wrong with their data there. They did show office based EHR adoption in Nevada at 23% (39% nationally). I’m not sure how that national EHR adoption number meshes with the 60% I’ve heard thrown around. Different sources of data.

For hospital adoption of EHRs they show Nevada at 36% EHR adoption (35% nationally). It’s nice to see Nevada ahead of the national average in something.

I’ve always told people there were about 700,000 providers in America, so I was glad to see they listed 715,984 health care providers.

Lots more data in there, but those were a few of the things that stood out for me in the Nevada Health IT and EHR report. Take a look at your state and let us know what numbers stand out for your state in the comments.

June 18, 2013 | Written by John Lynn

What a Real Open EHR API Should Accomplish

There’s been a lot of talk in the EHR world about APIs and most of the time they talk about it as an open API. The problem is that there’s been a lot of talk about EHR APIs and not a lot of action. Having an open API is more than just giving a couple people access to some really small subset of your EHR. We need truly open EHR APIs that are more than just a nice press release.

A successful EHR API requires two core elements: Access to EHR Data and a User Base.

The first element is the obvious one and the one that everyone focuses on. An API needs to have access to the data in the EHR. This includes accessing that data for display in an outside application. Plus, it requires that an EHR accept data from an outside application. EHR APIs seem to fall short on both of these areas. Most only give you access to some really small portion of the EHR data. Even fewer let you write any sort of data to the EHR.

If you don’t give an outside application the ability to access the EHR data and write data to the EHR, there are very few applications you can build on top of it. Is it any wonder that the third party EHR developer community isn’t doing more things with EHR software? If they had these two things, EHR vendors would be amazed at what they’d build. I love Jonathan Bush’s idea of “every surface area” of athenahealth being available in an API. If he achieves this vision, third party developers will flock to that EHR and enhance it in ways that would have never been possible for athenahealth to do on their own.

The second piece is just as important to an API. EHR API developers need to get access to your existing EHR user base. This doesn’t mean you have to give them a list of all your clients. It does mean you need to feature the work of these third party developers to your existing user base. This can be in your application, in an email list, at your user conference, etc.

Think about the message you’re sending to your developer community and your existing user base when you do this. The developer community wants to build even more functionality into your product. Your EHR users get more value out of your EHR application thanks to the development efforts of an outside party. Plus, ambitious EHR users can even create their own functionality using the EHR API.

I can’t wait for the day that EHR vendors fully embrace the idea of a third party EHR API. There are so many outside companies that would benefit from an EHR API, but the EHR vendor will benefit just as much. Plus, the real winners will be the EHR users and patients who get the functionality they’ve been wanting from their EHR that the EHR vendor couldn’t deliver.

June 17, 2013 | Written by John Lynn

EMR Profitability, Patient Care Team, and Between EMR and Paper

This is an interesting graph. I’m amazed that the hospitals were willing to give out their operating margin. Of course, some of them are public and so that information is available publicly. It does seem to show a benefit of EMR adoption. Although, I’d also question if those able to adopt EMR were more profitable in the first place. Correlation is not causation.


You have to love Sherry and her passion for the patient involvement in care. Keep on spreading the message Sherry!


I really love The Nerdy Nurse. Not just because she has a cool name (which she does), but also because she writes some great stuff. We need more nurses like her writing about healthcare IT and EMR.

June 16, 2013 | Written by John Lynn

Private HIEs Will Make Nationwide HIE Possible

We’ve been working for a long time on creating a nationwide HIE. I still remember when I first started blogging about EMR 7.5 years ago we were talking about implementing RHIOs. I’m sure someone reading this blog can talk about what the exchange of health data was before RHIOs. The irony is that we keep talking about creating this beautiful exchange of information, but it never really becomes a reality.

As I look at the landscape, there are very few HIEs that are showing a viable business model. The two leaders I think are probably the Indiana HIE and the Maine HIE. They seem to be the two making the most progress. I think there’s also something going on in Massachusetts, but it’s such a complicated healthcare environment that I’m not sure how much is reality and how much is hyperbole.

With those exceptions, I’m mostly seeing a lot of talk about some sort of community HIE and not very much action. However, I am seeing quite a few organizations starting to take the idea of a private HIE quite seriously. I’m not sure if this is driven by ACOs, by hospital consolidation, or some other force, but the move to implement a private HIE is happening in many health systems.

For a lot of reasons this makes sense. There is a business reason to create a private HIE and you own all the endpoints, so it’s easier to create consensus.

As I look across the landscape, I think these private HIEs could be what makes the nationwide HIE possible. Once a whole series of large private HIEs are in place, then it’s much easier to just connect the private HIEs than it is to try and connect each of the individual healthcare organizations.

Watch for the major hospital CIOs to meet at events like CHIME or HIMSS and discuss connecting their private HIEs. It will create some unlikely relationships, but it could be our greatest hope for a nationwide HIE.

June 14, 2013 | Written by John Lynn

A Primer On HIPAA Compliance For BYOD

Here’s a statistic that caught me off guard: according to IDC Healthcare Insights, clinicians on average use 6.4 mobile devices in a day. That stat, courtesy of HIT Consultant, underscores the need for a smart and thorough security policy for clinicians who use their own devices at work.

Increasingly, healthcare organizations are crafting security policies for BYOD, but they vary greatly in how much such devices are allowed to access the hospital network, which hospital applications they can access and which devices can access the Internet, HIT Consultant notes.

However, according to Andrew Shearer, CTO at Care Thread, there are some do’s and don’ts which should be common to all BYOD programs. Here are some thoughts from Shearer.

DO:

Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements

Be aware that under the new rules, HIPAA requirements now extend to business associates of entities that receive protected health information, such as contractors and subcontractors. Also new: not only are vendors to healthcare organizations required to have business associate agreements, they must also hold BAAs with their sub-vendors.

Use two levels of security when users login to enterprise applications

Shearer recommends using Active Directory for the first level, allowing providers to use their hospital login credentials. The second stage, he suggests, is to use a separate PIN for quick access to mobile apps which are in use, one which should disconnect when it goes idle.

Have the ability to remotely wipe a device if it is missing

This isn’t required by HIPAA, but it’s still an essential part of a strong mobile/BYOD security management program. Be prepared to do anything from deleting data in selected folders to turning the device into a brick (removing all programming or returning it to factory settings).

DON’T:

Allow PHI to be written to the mobile device

While it’s very common for clinicians to use mobile messaging apps to share patient information, such sharing is generally not HIPAA-compliant, Shearer notes. In his view, the ideal healthcare communication app should allow access to messages and PHI only when the user is logged in.

Permit integration with insecure file-sharing / hosting services

Cloud-based hosting and file-sharing services like Evernote and Dropbox are very popular, but they’re not HIPAA compliant. To be HIPAA compliant, organizations must use multiple security protocols, including physical security, technical security in PHI storage and user authentication.

Ignore security updates

Make sure you do periodic audits of mobile devices to make sure any that transmit work-related information meet regulatory standards. Also, make sure apps on mobile devices are up to date, as older versions may not protect against current security threats.

June 13, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

4500 Patient Records Found During Drug Bust

In the healthcare world, it seems that HIPAA privacy violations and HIPAA lawsuits are the car accidents that people can’t resist checking out. In most cases, people in healthcare are mostly interested in seeing what happened with the HIPAA violation and what the consequences were for that violation. In fact, these violations wake people up to the HIPAA policies better than any other means, but I digress.

Since this blog is called EMR and HIPAA, I try and cover various HIPAA related issues I hear about in the news. Today’s HIPAA breach is pretty crazy. It was discovered during a drug bust by the Alameda County Sheriff’s department. During the drug related investigation they found information for 4,500 patients from three hospitals: Alta Bates Summit, Sutter Delta, and Eden Medical Center.

Sutter Health posted a notice about the breach. The notice says that the information could have included: a patient’s name, Social Security number, date of birth, gender, address, zip code, home phone number, marital status, name of employer and work phone number. Sutter has offered free credit monitoring services for those patients who are involved. Plus, they have a hotline set up for those who have questions.

This situation is a bit unique since it seems they haven’t been able to identify exactly which hospital the patients are from. If that’s the case, then releasing all of the patient data to all 3 hospitals could be a breach as well, no? I’m good with making sure you notify everyone on the list that could be affected. They should be notified, but I’d be interested to know which of the 4,500 patients’ records were shared with which hospital.

I wonder if large organizations like Sutter Health are creating a permanent department for breaches.

June 12, 2013 | Written by John Lynn

EHRA’s EHR Code of Conduct – Will Anything Change?

The big news that had to be covered today was the announcement by the EHR Association about the EHR Developer Code of Conduct. The core topics of the EHR Developer Code of Conduct are great:

  • General business practices
  • Patient safety
  • Interoperability and data portability
  • Clinical and billing documentation
  • Privacy and security
  • Patient engagement

Certainly there are other areas that I would have loved to see included, like EHR usability, but if we could address each of the areas listed above we’d have a big improvement over where we are today. Be sure to also check out the EHR Developer Code of Conduct and FAQs document and the EHR Developer Code of Conduct Implementation Guide for the full details on the EHR Code of Conduct.

The problem I have with this EHR Code of Conduct is that it has no teeth. There’s no enforcement mechanism or reporting mechanism to show how an EHR vendor has chosen to implement the code of conduct. They won’t even commit to having a list of EHR vendors that have adopted it. Trust me when I say that for every element of the EHR Code of Conduct, there’s A LOT of room for interpretation.

Where there’s room for interpretation, there’s room for abuse.

Obviously, when you bring together 40 EHR vendors it’s a real challenge to create something that leaves no room for interpretation. However, it seems they could have created a way to display how an EHR has chosen to meet the EHR code of conduct guidelines.

For example, the guideline says, “We will work with our customers to facilitate the export of patient data if a customer chooses to move from one EHR to another.” Then, it even sets a minimum export of a CCD/CCDA document. We could discuss whether that type of document is anywhere near enough to switch EHR software, but even if it was enough, there’s a lot of ways you could implement this guideline. An EHR vendor could let the customer download a CCD for each patient individually and leave it to the customer to download all 5000 individual CCDs for their patients. That meets the guideline, but would be very different than an EHR vendor that gave you a one click download of CCDs for all your patients.

This qualitative data about how an EHR vendor has implemented the code of conduct should be easily available to doctors to compare across vendors. Otherwise, it has much less meaning and a lot of doctors will get bamboozled by the impression a “commitment to the EHR Code of Conduct” implies. It’s similar to (and even worse than) the pass/fail EHR certification. Not all certified EHRs are created equal and not all EHR Code of Conduct adopters will be equal either. Why not be transparent about how they meet the code?

In the webinar they suggested that “the industry itself will kind of make it transparent who has adopted the code and who hasn’t adopted the code.” Maybe a third party will make that data available, but it’s a lot of work without a clear mechanism to pay for the work.

The other part of the code of conduct that really bothers me is the question posed in the title of this blog post: Will anything change? I loved a question that was asked on the webinar, “What pieces of the code of conduct were an EHR vendor not doing before the code?” They skirted the question saying that they couldn’t comment on it and some other tap dancing around the question. Does this mean that EHR vendors will just use the EHR Code of Conduct’s false trust to sell more product while doing little to change operationally? I’m certain this is not the intent of the committee, but it could be the end result if those adopting the EHR Code of Conduct aren’t held accountable.

I got comments from two EHR vendors about the EHR Code of Conduct. Take a look to see what SRSSoft’s CEO Evan Steele said in their press release:

“SRS has always been committed to the principles identified in the Code of Conduct—designing our products with patient safety in mind, supporting physician/patient ownership of their data, safeguarding privacy and security, and communicating honestly in the marketplace,” says Evan Steele, CEO of SRS. “We are pleased to be among the first EHR companies to adopt the formal code, and hope that all vendors will follow suit.”

And John Glaser in the Siemens comment:

“The release of the EHR Developer Code of Conduct by the EHR Association is an important milestone in the maturation of the healthcare information technology industry, and we at Siemens Healthcare are proud to have supported its drafting and ratification,” said John Glaser, PhD, CEO, Siemens Healthcare, Health Services. “The Code of Conduct includes many elements that just make too much sense to be ignored and it’s my belief that Siemens and many players in this industry have already been adhering to many of these principles. Codifying these principles and providing a transparent way to show customers that companies are going to adopt them will help propel our industry’s ability to deliver safer, more effective and more interoperable solutions.”

It’s not like an EHR vendor’s going to come out and say they weren’t following the Code of Conduct principles. They’re not going to come out and say they don’t care about the EHR Code of Conduct principles either. The question is, whether or not they state it in public, will EHR vendors really change? I have my doubts without a clear mechanism of accountability.

In some ways this reminds me of the doping scandal in cycling. Everyone knew that everyone else was doing it and no one wanted to say anything to rock the boat because it would mean they’d have to admit to doing it. Once a few cyclists stopped doping, they were at a disadvantage to those who continued the unhealthy practices.

I vividly remember in the post-Lance Armstrong years an interview with Levi Leipheimer where he was asked about doping. He tersely responded, “I hope all the dopers and cheaters get caught. It’s not fair that I’m having to compete with them.” (Not an exact quote, but you get the gist) Once he stopped doping he knew he was at a disadvantage. He wanted those that were still doping to be held accountable. I wonder if we’ll see something similar play out in the EHR world. Some EHR vendors follow the letter and intent of the code of conduct while other EHR vendors continue to skate around the edges since there’s still nothing holding them accountable. Just like Levi couldn’t name names in his interview, EHR vendors won’t be able to name names either.

As I said to start this post, I love the intent of the EHR Code of Conduct. I just worry that it will do little to change the EHR world as we know it.

I’d also be remiss if I didn’t also share a comment someone made on the Code of Conduct announcement webinar. Someone obviously didn’t realize their mic was on and they said, “It’s a love fest, an EHR Love Fest!” I’m not sure who it was that said it or why exactly they said it, but it gave me a good laugh. I always love a good EHR love fest myself.

June 11, 2013 | Written by John Lynn

EMR and EHR Jobs

I regularly hear from readers that are looking for a job in the healthcare IT and EHR field. It’s an interesting time in the EHR world because many organizations can’t find enough qualified EHR workers and yet there are many who would love to get into the EHR field. Until now, very few organizations have been willing to train someone on the healthcare industry. We’ll see if that changes as meaningful use winds down and organizations don’t feel the same pressure they’ve felt chasing the government carrot.

4-5 years back I implemented an EMR and EHR job board into the sidebar of all of the Healthcare Scene websites. I’m always amazed at the number of views and applications that a job listed on it gets. Hopefully it’s helping both sides of the relationship (those searching for qualified people and those searching for jobs).

This week we’ve had a number of new job postings that I thought might be of interest to my readers:

EHR Information Scientist

Senior Analyst, EHR

HRIS/Benefits Manager

Take a look at those jobs and the others listed. Let your friends who are looking for EHR related jobs know about them. Hopefully we can help to make a difference in someone’s life.

If you’re someone looking for a job, feel free to leave a link to your online resume or LinkedIn page and a short description of your skills and what you’re looking for in the comments of this post. You never know who might be reading and see your comment.

June 10, 2013 | Written by John Lynn

Benefits and Struggles of EMRs, and More – Around Healthcare Scene

Are tablets going to take the place of traditional laptops and desktops? Well, Dr. Michael West seems to think so. He talks about his new-found love for his iPad mini, and how it fulfills all his current needs. Have you traded your desktop in for a tablet yet? The new Microsoft Surface is making me kind of want to!

Having a PHR on your phone doesn’t have to be complicated. In fact, if your phone has a camera (what phone doesn’t nowadays?) you can create one quickly and easily. Here are five health-related snapshots you could keep on your phone to assist in a variety of situations.

If you have been following the Affordable Health Care Act, you’ll know that an optional Medicaid State Plan called Medicaid Health Homes was introduced. There are, of course, many questions that people have about this, including what kind of technology will be required for successful implementation. Lori Bernstein, president of GSI Health, addresses some questions and lays out the benefits that this new model has to offer in her guest post at EMR and EHR last week.

Paper to EMR is a necessary evil for hospitals, therefore, it’s easy to justify the expense required to do so. But what about when you decide to switch EMRs? Is it justifiable? Not always. There is no ROI to switch from one EMR to another, and it can be a big risk.

A pilot program is currently underway to help identify high-risk pregnancies by using an EMR. This pilot program is being led by researchers and people from Johns Hopkins University’s Center for Population Health IT to find hints in a mother’s health history to help determine if her pregnancy is high-risk. It’s a slow-moving project, but may prove to be worth it if it helps get mothers the help they need.

June 9, 2013 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.