
Does Your HIPAA Risk Analysis Tool Protect Your Practice?

Posted on December 15, 2017 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Fourth quarter signifies more than a countdown to the holidays: many healthcare organizations are met with the realization that it is time to complete a HIPAA risk analysis in order to comply with MACRA-MIPS. Of course, HIPAA risk analyses are nothing new. Practices should be conducting them regularly: the HIPAA Security Rule has required a risk analysis for years, the HIPAA Omnibus Rule gave the regulations teeth, and Meaningful Use and now MIPS require one for every performance year.

Recently, I was reading a blog post by HIPAA One called “Not All Risk Analysis Tools Created Equal” and it made me think about the requirements for a bona fide risk analysis. I realize that HIPAA One provides a risk analysis solution and therefore approaches the conversation as a vendor would; however, they are also deeply embedded in the HIPAA risk assessment world and have a unique understanding of what’s happening.

I’ve seen first-hand the principle they describe in the post with many medical practices. Most medical practices are so overwhelmed with the daily grind of dealing with staff issues, schedules, billing, supplies, etc. that it’s hard for them to distinguish between a high quality risk analysis tool and one that was built 3 years ago and hasn’t been updated since.

In HIPAA One’s blog post they offered a list of what you should look for in a HIPAA risk analysis solution, and I think this is a great starting point for any organization that needs a tool or is evaluating their existing tool:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc., and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines whether your workplace meets each of the HIPAA requirements as selected in the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis – A bona fide security risk analysis that digs into any non-compliant areas, along with a calculation tool that rates each gap as low, medium or high risk to the organization using NIST-based methodologies (at minimum NIST SP 800-30 Rev. 1 for the risk assessment process and NIST SP 800-53 Rev. 4 for the control catalog).
  5. Remediation Plan – This documented plan answers the question “Who will do what by when?” for each gap in compliance.
  6. Final Report – The key deliverable proving compliance with the HIPAA security risk analysis requirement.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance, proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year take a new “snapshot,” performing steps 2-6 on any changes that happened since the previous year.

The item on this list that I see fall short in many solutions and services on the market today is the remediation plan. It’s amazing how many tools only perform the risk analysis and provide no guidance on creating a remediation plan for the risks you find. That’s a big deal and could leave you in trouble if your practice is ever audited and hasn’t remediated any of its security deficiencies.
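What items 4, 5 and 7 of the list look like once they are written down, as an added example that is not HIPAA One’s tool or any vendor’s code: a small risk register that rates each gap with a qualitative likelihood/impact matrix, orders the open gaps into a “who will do what by when” plan, and flags the ones that are past due. The 3x3 matrix is a simplification of the 5x5 table in NIST SP 800-30 Rev. 1 and is an assumption you should calibrate for your own organization; the findings, owners, dates and the “today” value are constructed for the example, and the control identifiers (AC-2, CP-9, AU-6, IA-5) are real NIST SP 800-53 controls used only as labels.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Simplified 3x3 qualitative risk matrix, collapsed from the 5x5 likelihood/impact
# table in NIST SP 800-30 Rev. 1 (Appendix I). The collapse is an assumption made
# for this example; calibrate the cells for your own organization.
RISK_MATRIX = {
    ("high", "high"): "high",     ("high", "medium"): "medium",   ("high", "low"): "low",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",       ("low", "low"): "low",
}
RANK = {"high": 0, "medium": 1, "low": 2}   # sort order for the plan


@dataclass
class Finding:
    """One gap from the compliance gap-assessment, tied to a NIST SP 800-53 control."""
    id: str
    control: str            # NIST SP 800-53 Rev. 4 control identifier (label only)
    description: str
    likelihood: str         # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"
    owner: str              # who
    action: str             # will do what
    due: date               # by when
    closed: Optional[date] = None   # set when remediation is verified


def risk_level(likelihood: str, impact: str) -> str:
    """Map qualitative likelihood and impact to an overall low/medium/high risk."""
    try:
        return RISK_MATRIX[(likelihood, impact)]
    except KeyError:
        raise ValueError(f"likelihood/impact must be low|medium|high, "
                         f"got {likelihood!r}/{impact!r}") from None


def remediation_plan(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Open findings ordered by risk (high first), then by due date; closed ones drop out."""
    open_items = [(f, risk_level(f.likelihood, f.impact)) for f in findings if f.closed is None]
    return sorted(open_items, key=lambda fr: (RANK[fr[1]], fr[0].due))


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Ongoing tracking: open findings whose due date has passed."""
    return [f for f in findings if f.closed is None and f.due < today]


def format_plan(findings: List[Finding]) -> List[str]:
    """One 'who will do what by when' line per open finding."""
    return [f"[{risk.upper():6}] {f.id} ({f.control}): {f.owner} will {f.action} "
            f"by {f.due.isoformat()}"
            for f, risk in remediation_plan(findings)]


# Constructed sample findings for this example, not from any real assessment.
SAMPLE = [
    Finding("F-1", "AC-2", "Accounts of departed staff still active in the EHR",
            "high", "high", "Practice manager",
            "disable the accounts and add off-boarding to the HR checklist", date(2018, 1, 15)),
    Finding("F-2", "CP-9", "Backups never test-restored",
            "medium", "high", "IT vendor",
            "perform and document a quarterly restore test", date(2018, 2, 28)),
    Finding("F-3", "AU-6", "EHR access logs not reviewed",
            "medium", "medium", "Privacy officer",
            "review EHR access logs monthly", date(2017, 11, 30)),
    Finding("F-4", "IA-5", "Shared password on the front-desk workstation",
            "high", "medium", "Practice manager",
            "issue individual logins", date(2017, 12, 1), closed=date(2017, 12, 5)),
]
TODAY = date(2017, 12, 15)   # constructed "today" for the overdue check

if __name__ == "__main__":
    for line in format_plan(SAMPLE):
        print(line)
    print("overdue:", [f.id for f in overdue(SAMPLE, TODAY)])
```

The point of the ordering is that an auditor reads the plan top down: the highest-rated gaps must carry the nearest dates, and anything in the overdue list without a closed date is exactly the “no due diligence” finding an audit will write up.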

The good news is that HIPAA risk analysis tools have come a long way over the years. Much like you need to make sure EHR vendors are updating and improving their systems to meet your needs and comply with changes in government regulations, the same is true of HIPAA risk analysis tools. Make sure you take the time needed to ensure the quality of the tools and services you’re using. Ignorance is not bliss when a HIPAA audit occurs.

Note: HIPAA One is a Healthcare Scene sponsor.

Make The Busy Patient’s Living Room Their Waiting Room

Posted on December 14, 2017 | Written By

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms


Patients are busier than ever before. Between the hours of eight and five, a majority have only limited availability to reach out to their healthcare providers. And after the day’s work is done, other responsibilities, such as their children’s after-school activities or errands, reign supreme. Providing easy-access avenues to securing care is the key to acquiring these patients’ loyalty.

In many ways, I’m the busy patient described above. And when I recently came down with a stubborn cough and began looking for an urgent care that could quickly see me, I experienced what I already knew: many healthcare organizations are unequipped to provide care that caters to digitally-minded patients. There were three key problems with my experience.

Problem: Limited Information Available Online
When initially searching for a local urgent care, I struggled to learn more about what a typical experience looked like at various locations. As a first time, admittedly nervous urgent care patient, I wanted to make an informed decision about where to receive care. However, I found that many websites did not offer the insight I sought. Without more information to go off of, I made my decision based on the health system’s good reputation.

Solution: Beef Up Your Web Presence
Ensuring your website has information for all patient types – especially those who may be less familiar with what your unique experience may include – will provide greater peace of mind, set accurate expectations, and enhance patient satisfaction.

Problem: Inability to Reserve Estimated Treatment Time Online
For many, leaving work to sit in a waiting room isn’t a viable option. And without an easy way to reserve an estimated treatment time or insight regarding how long the wait time may be, making time to seek valuable care can be a challenging task. While I was able to leave work early and spend the afternoon at my chosen urgent care, many others don’t have the same flexibility in their positions.

Solution: Introduce Urgent Care Digital Check-In
Enabling patients to reserve their place in line from wherever they may be creates a more seamless patient experience, enhances their sense of access, and creates greater operational efficiency within your facility.

Problem: Forced to Wait in Waiting Room
Though I was lucky to be able to leave work early and wait for care at the facility, I would have much rather waited at home. Unfortunately, the urgent care only allowed patients to wait to be seen from within the waiting room, with little in the way of entertainment; leaving would forfeit the patient’s place in the queue. As someone who has been spoiled with this capability across numerous restaurant, veterinary, and mechanic experiences, I was disappointed to find this feature wasn’t readily provided by the healthcare facility.

Solution: Automatically Notify Patients When It’s Time to Be Seen
More patients than ever have access to convenient communication tools. By digitizing your check-in process, you can enable patients to wait from the comfort of their home and notify them when it’s nearly time to be seen via an automated text message or voice call.

In all, my urgent care experience took over two hours. Had the facility provided access to more information regarding what my experience could include, the ability to reserve an estimated treatment time online, and a convenient reminder when my time to be seen neared, I could have saved over an hour spent sitting in the waiting room. If I had access to these capabilities, I could have spent this time completing important work tasks while relaxing (and keeping my germs) at home.

To learn more about how busy, consumer-minded patients are driving the need for omnichannel experiences in the healthcare industry, check out our recent e-book, OmniWhat?!

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

EHR is the Fossil Fuel of Healthcare

Posted on December 13, 2017 | Written By

John Lynn

Healthcare has become completely dependent on EHR. There’s no getting around it.

In every organization that has an EHR, it’s the center of pretty much every healthcare provider’s work day. We’ve seen all the studies that talk about how much time doctors spend on the EHR. The problem I have with those studies is that they never compare the time doctors spent on paper charts with the time they’re now spending on the EHR. However, these studies do illustrate how integral the EHR has become in healthcare.

Expanding beyond the time spent on an EHR, could a hospital or medical practice get paid without an EHR today? I guess some medical practices still do, but if the EHR were to shut down healthcare organizations would largely stop being able to bill for the services they offer. Healthcare billing is completely dependent on the EHR.

Looking at this in a more positive light, EHR data is also the fuel of so many other exciting healthcare IT initiatives. Clinical decision support is all largely built into the EHR and on the back of EHR data. Much of the personalized medicine that is happening (except genomic medicine) is happening with EHR data. The same goes for population health analysis and all the healthcare analytics that are looking at ways to improve care and lower costs.

Is there any department in healthcare that doesn’t have a dependency on the EHR? I guess the cleaning staff don’t. However, that illustrates how dependent we are on EHR.

We could, of course, talk about whether this is a good or a bad thing for healthcare. I’m torn on this myself. We are completely dependent on the EHR, but it’s also a foundation for much of the innovation that is and will happen in healthcare. Plus, is dependency a problem when the thing you’re depending on is very reliable?

What could help this situation? The only real solution I can see is to create an environment where a healthcare organization could leave their EHR and go to another one if needed. This reduces the dependency and forces the EHR software provider to have to continually innovate so that you don’t want to leave to another vendor.

Unfortunately, we don’t have this in healthcare. In the hospital EHR world, I’m not sure we’ll ever get there. Once you spend $100+ million on an EHR, it’s pretty hard to justify ripping it out and putting in a new one.

What do you think about our dependency on EHR? Is it a good thing? Is it a bad thing? What can and should we do to make this situation better?

What’s Keeping HealthIT From Soaring to the Cloud? – #HITsm Chat Topic

Posted on December 12, 2017 | Written By

John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/15 at Noon ET (9 AM PT). This week’s chat will be hosted by David Fuller (@genkidave) on the topic of “What’s Keeping HealthIT From Soaring to the Cloud?”

On-premise and private HealthIT architectures have ruled in healthcare, and were unfortunately reinforced by the timing of ACA/HITECH. Infrastructure-as-a-Service, Platform-as-a-Service and other cloud-native approaches are revolutionizing every industry, and while healthcare has been slow to adopt the Cloud for reasons that are partly valid, it is now firmly ripe for transformation. So what are the forces keeping HealthIT from soaring to the Cloud? And how will cloud adoption in other industries, and within certain sectors of the healthcare landscape such as pharma and insurance, give HealthIT the lift it needs to get off The Ground and into The Cloud?

Join us as we dive into this topic during this week’s #HITsm chat using the following questions.

Topics for This Week’s #HITsm Chat:

T1: How do premise and cloud-native HealthIT strategies differ? #HITsm

T2: What’s gained by moving HealthIT from premise-based designs to hosted, virtual and private cloud architectures? #HITsm

T3: What cyber-security concerns are keeping Cloud-native HealthIT from soaring? And how can these concerns be overcome? #HITsm

T4: Once HealthIT is truly in the Cloud what can HealthIT professionals see and do better than they can on ‘The Ground’? #HITsm

T5: What are the pros/cons of Cloud ‘dev-ops’ model and Ground ‘upgrade/migration’ IT deployment models? #HITsm

Bonus: How quickly will HealthIT professionals have to adopt pervasive Cloud-native HealthIT architectures? #HITsm

Upcoming #HITsm Chat Schedule
12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Evolving Message Systems Learn To Filter And Route Alerts For Health Care Providers

Posted on December 11, 2017 | Written By

Andy Oram is an editor at O’Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space.

Andy also writes often for O’Reilly’s Radar site ( and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O’Reilly’s Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Because health care is a collaborative endeavor, patients can suffer if caretakers don’t get timely notifications. At the same time, the caretakers suffer when they are overloaded with alerts. Threading one’s way through this minefield (“Communications are complicated,” Vocera CMIO Dr. Benjamin Kanter told me) was the theme of November’s Healthcare Messaging Conference and Exhibition at the Harvard Medical School. As at HIMSS, the major conference in health IT, there was something of a disconnect here between the conference and the exhibition: the speakers in the sessions implicitly criticized what the vendors were offering, information overload being the basic accusation.

Conference speakers told story after story of well-meaning installations of messaging systems that almost literally assaulted the staff with dozens of messages an hour. Kenny Schiff of CareSight reported seeing boxes full of expensive devices stuffed into closets in many hospitals. Dr. Trey Dobson reported research suggesting that 85% of standard hospital alarms require no intervention at all. He speculated that messaging has similar wasteful effects. In his facility, the Southwestern Vermont Medical Center at Dartmouth, they determined which lab results need to be delivered to the physician immediately and which could wait. They greatly reduced the number of messages sent about labs, which in turn decreased delivery time for important messages from an average of 50 minutes to only 7 minutes. These stories show both the benefits and drawbacks of current messaging systems.

State of the science
We all remember the first generations of pagers. Modern messaging systems, as represented by the vendors at the Healthcare Messaging Exhibition, offer a much sleeker experience, including:

  • Knowledge about who is responsible for a patient. No longer should messages be delivered to the nurse who left his shift an hour ago. The technical mechanism for tracking the role played by each clinician is group membership, familiar from access control in the security world. All clinicians who share a responsibility, such as working on a particular ward or caring for a particular patient, are assigned to a group. The status of each clinician is updated as he or she logs into or out of the system, so that the message is delivered to the doctor or nurse currently on duty. A clinician dealing with one urgent situation should also not be interrupted by messages about another situation.

  • Full tracking of a message throughout its lifetime. The system records not only when a message was sent, but whether and when it was read. A message that goes ignored after a certain period of time can be escalated to the next level, and be sent to more and more people until someone addresses it.

  • Flexibility in delivery medium: mobile device, pager, computer, WiFi link, cellular network.

  • Sophisticated auditing. If a hospital needs to prove that a message was read (or that it was never read), the logs have to support that. This is important for both quality control and responses to legal or regulatory actions.

  • Integration with electronic health record systems, which allows systems to include information about the patient in messages.

  • HIPAA compliance. Technically this requires little more than garden-variety modern encryption in transit and at rest, backed by the access controls, audit logging and vendor business associate agreement that the Security Rule also expects. Yet it’s disturbing to learn how many physicians are breaking the law and risking their patients’ confidentiality by resorting casually to non-compliant consumer messaging services instead of the ones offered at this exhibition, which are designed specifically for health care use.

  • Cloud services. Instead of keeping information on devices, which can lead to it becoming lost or unavailable, it is stored on the vendor’s servers. This allows more flexible delivery options.
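The routing, escalation and audit behaviour described in the list above, as an added example that is not any vendor’s code: a small in-memory router that delivers only to on-duty, non-busy members of a responsibility group, widens the recipient set when a message stays unread past a timeout, and keeps an append-only audit trail that records reads and rejected acknowledgements as well as sends. The staff directory, group names, message text and the minute-based clock are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Clinician:
    id: str
    groups: Set[str]          # responsibilities, e.g. "ward-3-nurses"
    on_duty: bool = False     # flipped at login / logout
    busy: bool = False        # already handling an urgent situation


@dataclass
class Message:
    id: int
    group: str
    text: str
    escalation: List[str]     # groups to widen to, in order, if unread
    last_delivery: int        # constructed clock, in minutes
    level: int = 0            # how many escalation steps have fired
    recipients: List[str] = field(default_factory=list)
    read_by: Optional[str] = None
    read_at: Optional[int] = None


class Router:
    """Route by on-duty group membership, escalate unread messages, keep an audit trail."""

    def __init__(self, staff: List[Clinician]):
        self.staff = {c.id: c for c in staff}
        self.audit: List[dict] = []     # append-only; a real system ships this to tamper-evident storage
        self._next_id = 1

    def _log(self, **event) -> None:
        self.audit.append(event)

    def eligible(self, group: str) -> List[str]:
        """Members of `group` who are logged in and not tied up elsewhere."""
        return [c.id for c in self.staff.values()
                if group in c.groups and c.on_duty and not c.busy]

    def send(self, group: str, text: str, now: int, escalation=()) -> Message:
        m = Message(self._next_id, group, text, list(escalation), now)
        self._next_id += 1
        m.recipients = self.eligible(group)
        self._log(event="sent", msg=m.id, group=group, to=list(m.recipients), at=now)
        return m

    def escalate_unread(self, m: Message, now: int, timeout: int) -> bool:
        """Widen the recipient set if `m` is still unread `timeout` minutes after its last delivery."""
        if m.read_by is not None or now - m.last_delivery < timeout:
            return False
        if m.level >= len(m.escalation):
            self._log(event="escalation_exhausted", msg=m.id, at=now)
            return False
        group = m.escalation[m.level]
        m.level += 1
        m.last_delivery = now
        added = [c for c in self.eligible(group) if c not in m.recipients]
        m.recipients.extend(added)
        self._log(event="escalated", msg=m.id, level=m.level, group=group, to=added, at=now)
        return True

    def mark_read(self, m: Message, clinician_id: str, now: int) -> bool:
        """Record who read the message; only an addressed recipient may acknowledge it."""
        if clinician_id not in m.recipients:
            self._log(event="read_rejected", msg=m.id, by=clinician_id, at=now)
            return False
        if m.read_by is None:
            m.read_by, m.read_at = clinician_id, now
        self._log(event="read", msg=m.id, by=clinician_id, at=now)
        return True


# Constructed staff directory for this example.
STAFF = [
    Clinician("nurse_a", {"ward-3-nurses"}, on_duty=True),
    Clinician("nurse_b", {"ward-3-nurses"}, on_duty=False),             # shift ended an hour ago
    Clinician("nurse_c", {"ward-3-nurses"}, on_duty=True, busy=True),   # in another urgent situation
    Clinician("charge_nurse", {"ward-3-charge"}, on_duty=True),
    Clinician("dr_x", {"ward-3-attending"}, on_duty=True),
]


def demo():
    """Constructed timeline: a lab alert goes unread, escalates once, and is acknowledged."""
    r = Router(STAFF)
    m = r.send("ward-3-nurses", "Bed 12: potassium 6.1, please recheck",
               now=0, escalation=["ward-3-charge", "ward-3-attending"])
    r.escalate_unread(m, now=5, timeout=10)    # too early, nothing happens
    r.escalate_unread(m, now=10, timeout=10)   # unread for 10 min: charge nurse added
    r.mark_read(m, "nurse_b", now=12)          # off-duty, never a recipient: rejected and logged
    r.mark_read(m, "charge_nurse", now=12)
    r.escalate_unread(m, now=30, timeout=10)   # already read: escalation stops
    return r, m


if __name__ == "__main__":
    router, msg = demo()
    print("recipients:", msg.recipients, "| read by:", msg.read_by, "at minute", msg.read_at)
    for e in router.audit:
        print(e)
```

Two details matter for the audit point made above: the log records the negative case (an acknowledgement from someone who was never addressed) as well as the positive one, and the recipient list is widened rather than replaced on escalation, so the trail shows exactly who could have seen the message at each point in time.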

Although some of these advances generate more informative and useful messages, none of them reduce the number of messages. In fact, they encourage a vast expansion of the number of messages sent. But some companies do offer enhancements over the common traits just cited.

  • Vocera has been connecting health care staff for many years. The company formed the subject of my first article on health IT in 2003, and of course its technology has evolved tremendously since then. Their services extend beyond the hospital to the primary care physician, skilled nursing facilities, and patients themselves. Dr. Kanter told me that they conceive of their service not simply as messaging, but as a form of clinical decision support. Their acquisition of Extension Healthcare in 2016 allowed them to add a new dimension of intelligence to the generation of messages. For instance, the patient’s health record can be consulted to determine the degree of risk presented by an event such as getting out of bed: if the patient has a low risk of falling, only the patient’s nurse may be alerted. Location information can also be incorporated into the logic, so that for instance a nurse who is already in the patient’s room will not receive an alert for that patient. Vocera has a rules engine and works with hospitals to develop customized rules.

  • HipLink has a particularly broad range of both input and delivery devices. In addition to all the common devices used by clinicians, HipLink can convert text to voice to call a plain telephone with a message. CEO Pamela LaPine told me it also accepts input not only from medical sensors, but from sensors embedded in fire alarms, doors, and other common props of medical environments.

  • OnPage helps coordinate secure communications through the use of schedules, individual and group messaging, and message tracking. For instance, the end of an operation may generate a message to the nursing staff to prepare for the arrival of a post-op patient. A message to the cleaning staff might be generated in order to prepare a room. All the necessary messages are presented to a dispatcher on a console.

  • 1Call, which provides a suite of innovative and integrated scheduling and communication applications, includes prompts to call center staff, a service they call Intuitive Call Flow Navigation. For a given situation, the service can help the staff give the information needed at the right point in each call. The same logic applies to the automated processes carried out with 1Call’s integration engine and automated notification software, which can also consolidate messaging based on rules, be customized to each organization’s needs, and improve efficiency throughout the organization.

Michael Detjen, Chief Strategy Officer of Mobile Heartbeat, laid out the pressures on messaging companies to evolve and become more like other cutting-edge high-tech companies. As messaging becomes universal throughout a health care institution, workflows come to depend on it, and thus patient lives depend on it too. Taking the system down for an upgrade, or even worse, having it fail, is not acceptable, even at 2:00 in the morning. Both delivery and successful logging must be guaranteed, both for quality purposes and for compliance. To achieve this kind of reliability, developers must adopt the advanced development techniques popular among the most savvy software companies, such as DevOps and continuous testing and integration.

Looking toward the future
In his presentation, Schiff described some of the physical and logistical requirements for messaging devices. Clinicians should be able to switch devices quickly in case one is lost. They should be able simply to run their ID card through a reader, pick up a new device, and have it recognize them along with their message history (which means storing the messages securely in the cloud rather than on the device). Login requirements should be minimized, and one-hand operation should be possible. Schiff also looks forward to biometric identification of users.

Shahid Shah pointed out that the burden current messaging places on caregivers amounts to a form of uncompensated care. If messages are sent just to reassure patients, doctors and nurses will treat them as annoyances to be avoided. However, if the messages improve productivity, staff will accept them. And if they improve patient outcomes, so much the better–as long as fee-for-value reimbursements allow the health care provider to profit from improved outcomes.

To introduce the intelligence that would make messaging beneficial, Shah suggests more workflow analysis and the automation of common responses. A number of questions regarding patients could be answered automatically by bots, leaving only the more difficult ones for human clinicians.

The message regarding messaging was fairly consistent at the Healthcare Messaging Conference. Messaging has only begun to reap the benefits it can provide, and requires more analytics, more workflow analysis, and more integration with health care sites to become a boon to health care staff. The topic was a rather narrow one for a two-day conference, perhaps the reason it did not attract a large audience in its first iteration. But perhaps the conference will help drive messaging to new levels of sophistication, so that it becomes a true life-saver while reducing burdens on clinicians.

Healthcare messaging and communication is also one of the focuses of our conference Health IT Expo happening May 30-June 1, 2018 in New Orleans. If you’re in charge of your hospital messaging systems, join us in New Orleans for an in depth look at best practices, hacks, and strategies for hospital messaging and communication.

E-Patient Update: Clinicians May Be Developing Strong EMR Preferences

Posted on December 8, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Not long ago, I wrote about a story from another publication, one which engaged in a bunch of happy talk about how EMR companies were improving their user interfaces. At the time, I expressed a great deal of skepticism about this claim, suggesting that the vendors had misled the reporter into believing that user aspects of EMRs were changing for the better across the industry.

While I stand by my original skepticism to some degree, I have to say that I got a surprise recently when I heard some nurses discussing two major EMR platforms. The one they were using, they said, was awful and awkward to use. Apparently, they missed the other terribly.

Now, at the time I was a patient in the emergency department, so I didn’t have a chance to ask them any questions about their preferences, but I was struck by the conversation because I knew which vendors they were discussing. However, they could have been talking about any enterprise EMR.

Clinicians developing preferences

I don’t mention this exchange to praise one EHR over another. I bring this up merely because this is the first time, having spent a lot of time in medical environments due to chronic illness, that I’d heard any front-line clinician express a preference for one enterprise EMR over the other.

In the early days of widespread EMR adoption, I could scarcely find a clinician who didn’t hate the system they were working with, much less one who truly liked it and wanted to use it. Eventually, I began to find that many clinicians thought the system they worked with was more or less okay, though I rarely found any screaming fans for any system in particular.

Now, I’m arguing that we may be at a new stage in clinician adoption of EMRs. The point I am making is that now, some of the clinicians with whom I’ve had contact are showing some enthusiasm about one EMR or another.

No big surprise: Experience breeds preference

The truth is, when you think about it, it’s not surprising that clinicians have finally developed preferences (rather than the lists of EMRs which they truly hate). After all, it’s been going on 10 years since the HITECH Act was passed and the money started to flow into EMR subsidies.

Since then, clinicians have had the opportunity to work with multiple EMR platforms at various facilities and, informally at least, develop a catalog of their strengths and weaknesses. Nurses and doctors know which interfaces they like, whether tech support tends to respond when they have a problem with a particular system, whether any analytics tools it provides are worth using, and so on.

Given this fact it’s hardly surprising that they’ve figured out what they like and what they don’t, and which vendors seem to suit those needs. After this much time, why wouldn’t they?

As I see it, this is something of a turning point in the industry, a new moment in which clinical professionals have learned enough to know what they want from an EMR. I don’t know about you, but speaking as an e-patient, I think this is a very good thing. The more empowered clinicians feel, the better the work they will do.

The Benefits Of Creating Data Stewards

Posted on December 7, 2017 | Written By

Anne Zieger

Maybe I’m behind the times, but until today I had never heard of the notion of a “data steward” for healthcare organizations. An article I read today from the Journal of AHIMA IGIQ blog has given me some ideas on the subject to ponder, however.

The blog author lays out a role which combines responsibility for data structure and consistent data type definitions — in other words, which sees that datatypes are compared on an apples-to-apples basis and that data categories make sense and relate to each other appropriately.

In the article, “Data Stewards Play an Important Role in the Future of Healthcare,” writer Neysa Noreen, MS, RHIA, notes that providers are already struggling to categorize and describe types of medical data, much less leverage and benefit from them. But while we need to impose such a level of discipline, it isn’t easy, she notes.

“[Creating a workable data structure] is a complex process with many challenges,” Noreen writes. “There are many data terms and concepts, roles and structures to decipher from information governance and data governance to data integrity,” which is why we need to put data stewards in place in many organizations, she suggests.

Though the idea of the data steward isn’t new, “emphasis on data comparison and quality has increased their necessity,” Noreen argues. “Data stewards are essential to ensure that standard data sets and definitions are implemented and used for data integrity and quality.”

The question then becomes what qualifications and skills a data steward should have. According to Noreen, data stewards aren’t necessarily IT experts. What they will need is to have a thorough understanding of the data itself and how to extract value from that data on the broadest level.

Data stewards will often turn out to be people who are already working with data in some other manner, which will allow them to know what the organization needs to do to resolve discrepancies between data definitions, according to Noreen. Such a past also gives them a head start in figuring out how data can be organized and leveraged effectively into classes.

Given their knowledge of data standards and definitions, as well as a history of working with the data sets the organization has, data stewards will be in a good position to make data use more efficient. For example, they will be able to review and compare data requests on an institutional level, identifying data redundancy and finding opportunities for cost-efficiencies.

Having given this some thought, I find it hard to argue that most healthcare organizations could benefit from having a data steward in place. Providers may begin by starting with a committee that handles this function, rather than creating one or more dedicated positions, but eventually, the scope of such efforts will call for specialized expertise. Expect to see these positions pop up often in the future.

The Future Of Telemedicine Doesn’t Depend On Health Plans Anymore

Posted on December 6, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

For as long as I can remember, the growth of telemedicine depended largely on overcoming two obstacles: bandwidth and reimbursement. Now, both are on the verge of melting away.

One, the availability of broadband, has largely been addressed, though there are certainly areas of the US where broadband is harder to get than it should be. Having lived through a time when the very idea of widely available consumer broadband blew our minds, it’s amazing to say this, but we’ve largely solved the problem in the United States.

The other, the willingness of insurers to pay for telemedicine services, is still something of an issue and will be for a while. However, it won’t stay that way for too much longer in my opinion.

Yes, over the short term it still matters whether a telemedicine visit is going to be funded by a payer – after all, if a clinician is going to deliver services, somebody has to pay for their time. But there are good reasons why this will not continue to be an issue.

For one thing, as the direct-to-consumer models have demonstrated, patients are increasingly willing to pay for telemedical care out-of-pocket. Customers of sites like HealthTap and Teladoc won’t pay top dollar for such services, but it seems apparent that they’re willing to engage with and stay interested in solving certain problems this way (such as, for example, getting a personal illness triaged and treated without having to skip work the next day).

Another way telemedicine services have changed, from what I can see, is that health systems and hospitals are beginning to integrate it with their other service lines as a routine part of delivering care. Virtual consults are no longer this “weird” thing they do on the side, but a standard approach to addressing common health problems, especially chronic illness.

Then, of course, there’s the most important factor taking control of telemedicine away from health plans: the need to use it to achieve population health management goals. While its use is still a little bit lopsided at present, as healthcare organizations aren’t sure how to optimize telehealth initiatives, eventually they’ll get the formula right, and that will include using it as a way of tying together a seamless value-based delivery network.

In fact, I’d go so far as to say that without the reach, flexibility and low cost of telehealth delivery, building out population health management schemes might be almost impossible in the future. On the one hand, having specialists available to address urgent matters in, say, rural areas will be critical; on the other, making the specialists needed for chronic care (such as endocrinologists) accessible to unwell urban patients with travel concerns will matter just as much.

Despite the growing adoption of telemedicine by providers, it may be 5 to 10 years or so before it has its fullest impact, a period during which health plans gradually accept that the growth of this technology isn’t up to them anymore. But the day will without a doubt arrive soon enough when “telemedicine” is just known as medicine.

EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well – #HITsm Chat Topic

Posted on December 5, 2017 | Written By John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/8 at Noon ET (9 AM PT). This week’s chat will be hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from OpenNotes (@MyOpenNotes) on the topic of “EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well.”

There are now nearly 100 health systems across the United States using secure patient portals to share visit notes with more than 20 million of their patients. And as the saying goes, if you’ve seen one OpenNotes implementation, you’ve seen one OpenNotes implementation.

No two health systems approach OpenNotes in the same way, and much of the variation stems from human resistance to change. Change is hard, whether it involves reassuring and supporting clinicians in their move toward sharing notes or surmounting technical challenges within the electronic health record.

We know the electronic health record is here to stay. We’re not going back to paper. And we know that when patients are offered online access to the medical information in their records, including access to notes, these patients continue to want that access and they share its benefits.

At their annual meeting in November 2017, the American Medical Informatics Association (AMIA) announced a formal collaboration with OpenNotes, stating, “The evidence-base is clear: providing patients access to their physician’s notes improves physician-patient communication and trust, patient safety, and perhaps even patient outcomes.”

So how do we bridge resistance to change? And as OpenNotes expands, how do we guide health systems to ensure the best possible patient experience?

Join us as we dive into this topic during this week’s #HITsm chat using the following questions. Homer Chin and Amy Fellows will be on hand to share key learnings from vendors and health IT teams that have been making OpenNotes work over the past few years.

Topics for This Week’s #HITsm Chat:

T1: What cultural barriers to OpenNotes adoption and use exist within the #healthcare IT profession vs. the clinical/medical community? #hitsm

T2: Given that OpenNotes is a movement and not a discrete software product, what are the technical challenges for implementing OpenNotes inside the patient portal? #hitsm

T3: If you’re currently implementing OpenNotes in your health system: What advice and/or caveats can you share with colleagues? #hitsm

T4: If you haven’t implemented OpenNotes at your health system: What’s holding you back? What do you believe are the key challenges impeding implementation? #hitsm

T5: What customization strategies and/or tips do you have for helping patients navigate healthcare portals to find their #medical record notes? #hitsm

BONUS: What type of “OpenNotes-related” functionality should #EHR vendors be including in their product(s) to serve both clinicians AND patients? #hitsm

Upcoming #HITsm Chat Schedule
12/15 – What’s Keeping HealthIT from Soaring to the Cloud?
Hosted by David Fuller (@genkidave)

12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team. We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity. Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches in which more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, which Cottage Health’s insurance company is trying to recover because it says Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.


1. It’s not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AGs the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage Health generated over $746 million in revenue and had 3,120 employees. Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, or basic IT security like passwords and firewalls means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.