Welcome to EMR and HIPAA

I was browsing the internet and ran across a webpage that described an interface between MediNotes and Quest. It described how you could download the results from Quest’s website and then upload them into MediNotes. As far as I’m concerned that’s not an interface.

An interface receives the lab request and then passes the results back to the original system. I’m fine with talking about one way and bidirectional interfaces. Just have the result passed back or just have the request made. Although I don’t think that makes much sense with labs I can at least understand it. However, manually uploading the results yourself isn’t what I call an interface. It is Electronic Medical Record, but it’s not an Interface(at least not a good one).

I’ve been trying to convince my EMR vendor to implement a digital signature for a while. I had 2 requirments. I want the signature captured by a signature pad similar to one you might use at a local shopping mark. The second was capturing it on a tablet PC. I’ll discuss this more in the future and some of my thoughts on the subject, but I learned something really interesting the other night. A tablet PC keeps track of pen pressure, angle and a whole bunch of other things that recognize not only that someone is writing, but I’m told that you can also recognize if it is the same person writing the signature. I’m skeptical, but the idea is quite interesting.

Imagine someone comes into your Health Center or Counseling Center and you capture their signature the first time they are seen. Then, you can verify the fact that it is them when they are filling out any consent forms or referral forms by verifying the same signature tendencies as captured by the tablet. I’d like to test this, but it sure adds a great layer of security to the signature.

Wireless Security is always a hot topic when you look at using it in Healthcare. There are some best practices that should always be implemented:

1. Hide the SSID
2. Restrict Access by Mac Address to only your machines
3. Create a public network and a private network so patients/clients have access to the internet without access to your private network
4. Encrypt the data going across the wire
5. Use WEP or some sort of VPN technology to encrypt all wireless communication(ie. passwords that may be the same as your EMR)

I’m sure there a few more things, but I’ll add those as I get them. This implementation will give you a good start and I believe with this well documented will satisfy HIPAA Security Rule compliance quite well. Personally I also reccoment not using WEP for protection, but I much prefer using a secure password protected VPN technology to encrypt the data. I personally use L2TP technology to encrypt the data and provide a secure VPN connection on the wireless.