Welcome to EMR and HIPAA

In my favorite forum I ran across a poster that had a really interesting perspective on EMR. I liked it so much I emailed him to get more of his story so I could post it here.

Here’s his response to my email describing his reason for posting about EMR and why he chose(or was forced) to pursue private practice.

In a situation when you feel desperate, alone and all you have is your
wife, the belief on your own capabilities and a 2 year old daughter to
inspire you to be the best you can be, it is hard not to be very emotional
exuding enthusiasm on my posts. It is hard when you meet your ceiling, and
have to be subservient to others that have half your education.
Furthermore, it is devastating to find out, that you are not allowed to go
back to work after I came back from vacation after 2 years of continuous
work, to visit my family (wife and daughter) in the old country venturing
on another potential business, and not seeing them for 9 months. All I
have was a phone message not to report without any reason at all other
than I have to sign a non compete clause! I will never forget that day!

Here’s his post about what an EMR system has helped him do and his devotion to his current EMR.

My loyalty to this product is because of the direct and indirect financial benefit I derived from having an EMR. I saved at least 20k individually from prior transcription overhead and indirectly my patients were pleased with my quick response, knowing their case, less filing, and easy retrieval of records. Maybe sentimental value as well, as I took out our own life savings to start my own practice back in Jan 1998. Almost every employed practitioner tried to scare me from pursuing Private practice as they just sold theirs years back. One even told me he had to take a second loan, and ask me how do you think you can do it? As I was pursuing my own business I explored the world of EMR, and as most of you know, there was not much resources then as I recall. A few systems approached me and cost 100k at the time that I almost smacked the guy!

Within 1 to 1.5 years we used Medisoft for billing. Dragon NS for my dictation, and later Praxis in 1999, implementing it when I finally moved to a larger office space where I can have a network. That is the etiology of my devotion I suppose - .

Fine words from the heart. My hope is that this site can help many more people find and implement EMR the right way and benefit from it.

I use to live and work in Hawaii and so many times I’ve considered working out an arrangment with them to store a backup of my EMR in Hawaii since I could easily transfer it over the internet. What better backup location then Hawaii? In the end the idea pretty much fell apart when I started thinking about the HIPAA hurdles that I would have to deal with to make it work. Since my employer probably doesn’t want to fly me to Hawaii to do security audits how would I really know what is going on there? Also, how would I manage who gained access to their data center. I could put a little server in my own locked cage which is only accessible by a couple people who have signed the Privacy agreement. However, once you start talking cages and security the price tag continues to rise. If anyone reading this would like to work with me on this, I’d be happy to make the trips out to see friends if they want to pay for that kind of backup.

Since my Hawaii idea fell through we just have a fire proof safe in an undisclosed location that is kind of like the old movie Get Smart to gain access(minus the automated doors). As a college health organization we have a few more resources than most doctor’s offices. This is why I was happy to find someone offering a service I’d been looking around for. The service is offered by Creative Software Solutions and they offer a service called Handy Backup Service. I’m not an end user and I have no affilitation to the company so I can’t vouge for that, but it’s nice to see someone offering this type of service. The best part is that they are willing to sign a Business Associates agreement. We all know how important that is for this kind of service.

I really think that the future of offsite backups is with the EMR vendors themselves. If you are an EMR vendor reading this…You should partner with some good, quality, technical people(a few still do exist) that could help you offer this service to your customers. I know that in the event of a disaster the first person I am going to call to restore my EMR is my EMR vendor. They know their EMR system infinitely better than me. Why not take it one step further and give them all the tools(and data) that they need to restore your system in case of a disaster. Not to mention they’ve already signed the Business Associate’s agreement.

Sorry for yet another biometrics, but I’ve been working with biometric logins at this stage of my EMR implementation. I contacted a vendor about getting some logins to test with my EMR and he obliged with 3 of them. I later figured out that he has some other motives then just me purchasing them, but who cares, I got 3 biometric logins to test free.

I asked him about having multiple users using the same computer and the biometrics integrated with active directory and my EMR. He pointed out an idea that I can’t believe I didn’t think of before. Windows has user switching. He said that the biometrics is integrated with User Switching in Windows XP and so when a new user comes in it will switch to their account automatically. This is a nice idea because that means that all of the EMR programs could already be logged in when you switch to your user. I’m not sure how this will work in real life, but the concept is great. I’m afraid that having multiple users on one computer both connecting to the EMR database might cause a problem.

We’ll see soon enough. I have 3 of them coming.

I found a pretty interesting blog about a Doctor in Canada’s experience implementing an EMR. So far it has a pretty good overview of a bunch of things to consider when implementing an EMR. It is also good because it comes for a doctor’s perspecitve rather than a vendor or tech person. In fact, some of the posts I’ve read have some good asides describing some of the technology so even the non technical user can understand. I look forward to reading more as this blog continues. I was going to do this myself when I started to implement my EMR. I’m glad I didn’t, because it wouldn’t have been what I expected. Although it may have been interesting seeing a tech person try to learn not only a new software system, but also understand how a clinic works. Oh how quickly life changes and you end up blogging about EMR.

Biometrics is a great option and I believe will be the future of authentication in the Healthcare field. When you have an EMR authentication is absolutely important since the integrity of your medical record is dependent on people using a individually identifiable login. Everyone knows that passwords and usernames are a major pain. Biometrics is one obvious solution. As I’ve said in previous posts, I really think that one of the keys to biometric success is having it integrated with Active Directory and then having your EMR do an ldap query to authenticate you into your EMR. Good enough overview.

Here’s a few things to consider should you decide to apply biometrics and EMR. First, many(not all) biometrics have a lovely red light. I’m not really sure why, but I assume it is needed to recognize your fingerprint. While this isn’t really a major problem, if you have many kids in your office then they LOVE those little red lights(my son included). There are of course ways around it by placing it in a position that kids can’t see it or securing it appropriately. If you do have kids and biometrics with the red light then you probably want to make sure you have some replacement devices.

Second, you have to find a way to remember your passwords. Most biometrics can remember not just your EMR passwords, but also authenticate you into all of your programs(ie. email, websites, PMS, etc). This is great until you want to log in without your biometrics or get a new computer. You’ll need to know your passwords in these cases to get your biometrics to work again.

I found a very nice list of HIPAA guidelines at EMRUpdate by the infamous AlBorg. Here’s his list that I’d like to take and refine as a permanent posting on the site. I really think this gives people a good outline of what’s most important in HIPAA compliance in an EMR:

1. Under the Privacy Rule, patients have the right to adequate notice of the uses and disclosures of their private health information that may be made by “the covered entity” (s.a. the provider), as well as their rights and the covered entity’s legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual’s acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically… i.e. via your EMR.
2. HIPAA requires restricted access to sensitive data, including password protection. The minimal level of this protection has not yet been established, but most systems in hospitals have upped the difficulty of entering into a computer to including both password protection at the level of Windows logon and later to the software logon.
3. Encryption of emails, faxes, and other document transmissions should be considered, although difficult. If you encrypt an email, for example, how will the patient, physician, or hospital receiving entity decript the message?
4. You should add the capability to track the use or users of protected health information.
5. For billing, any electronically transmitted information should be encrypted, and if you use an intermediary, make sure that they use HIPAA-compliant ANSI format e-billing forms.
6. Should you have to provide documentation to a legal entity, s.a. during a lawsuit, you should be able to set user restrictions to only the patient data needed, making the rest of the EMR patient data locked.
7. You should make sure that users know how to report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware.