
The Impact of HIEs in Natural Disasters – #HITsm Chat Topic

Posted on September 19, 2017 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 9/22 at Noon ET (9 AM PT). This week’s chat will be hosted by Brian Mack (@BFMack) from @GLHC_HIE on the topic of “The Impact of HIEs in Natural Disasters.”

On August 29th, 2005, Hurricane Katrina, a category 3 storm, made landfall in SE Louisiana. Torrential rain and sustained winds exceeding 110 MPH quickly overwhelmed the protective measures in place, and the subsequent storm surge breached levees and flooded huge swaths of New Orleans and surrounding areas. Mass devastation across Louisiana and Mississippi contributed to the deaths of nearly 1,500 people, forced tens of thousands more from their homes, and caused an estimated $108 billion in property damage. At that time, only 10% of physicians were actively using electronic medical records, and electronic health information exchange was still in its infancy. An incalculable number of paper health records were lost forever. The lack of access to patient information during and following the storm significantly hindered medical response efforts, and the lost records took years to replace.

Fast forward to Aug. 24th-26th, 2017, when Hurricane Harvey, an even larger (Cat. 4) storm, struck Southern Texas and dumped more than 40 inches of rain on the greater Houston area. While Harvey has been described as “Houston’s Katrina” in terms of its intensity and impact, the story was significantly different for the healthcare delivery system. Two health information exchanges in the region, the Greater Houston Healthconnect (GHHC) and Healthcare Access San Antonio (HASA), worked together to assist both those who stayed through the storm and those who were evacuated. GHHC staff actually shuttled between shelters in the Houston area, overseeing the set-up of HIE portals, to help clinicians provide care for patients. Providers were able to maintain access to patient records, even from remote locations, using laptops and WiFi to access EHR systems in the normal way. As a result, the medical response and continuity of care for the population impacted by Harvey across Texas were maintained at a very high level.

This week’s #HITsm Twitter chat will discuss the opportunities, challenges, and value of community-based Health Information Exchange in connecting the “last mile” of interoperability, particularly in emergency situations.

Some additional reading:

Here are the questions that will serve as the framework for this week’s #HITsm chat:
T1: What lesson(s) should we, as participants in the healthcare ecosystem, take away from events like Hurricanes Katrina & Harvey? #HITsm

T2: What roles do (or should) stakeholders such as government (local, state, federal), healthcare providers, the private sector, and the citizenry play in ensuring adequate preparation for disasters? #HITsm

T3: What responsibilities do health IT infrastructure vendors (EHR) and Health Information Exchanges have in supporting successful emergency response? #HITsm

T4: How do community-based HIEs differ from national interoperability efforts and/or vendor-based solutions in emergency situations? #HITsm

T5: What examples from your own local communities can you share where community-based health information exchange either made a difference, or COULD have made a difference in responding to a public emergency? #HITsm

Bonus: Aside from the basic task of networking disparate healthcare providers, how could Health Information Exchange contribute to better connected communities? #HITsm

Upcoming #HITsm Chat Schedule
9/29 – Condition Management vs Episodic Care Management
Hosted by Brian Eastwood (@Brian_Eastwood) from @ChilmarkHIT

10/6 – After Death Data Donation – A #HITsm Halloween Horror Chat
Hosted by Regina Holliday (@ReginaHolliday), Founder of #TheWalkingGallery

10/13 – Role of Provider Engagement for Improving Data Accuracy
Hosted by @CAQH

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find it and the full schedule of chats here.

The First Ever “Unchat” – #HITsm Chat Topic

Posted on September 12, 2017 | Written by John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 9/15 at Noon ET (9 AM PT). This week’s chat will be hosted by…

That’s right! The #HITsm chat is going rogue this week. The #HITsm chat on Friday, 9/15 at Noon ET (9 AM PT) will have no agenda, no host, and no organization. It will be an hour-long #HITsm free-for-all where anyone can propose any topic, thought, idea, or meme that they want. You can share a link, a picture, a thought, a question, or anything else you feel like sharing.

Where this will end, no one knows, but that’s what makes it so exciting! If it falls flat, we’ll blame workflow and never do it again.

This chat was inspired by @burtrosen who asked for a chat where the #HITsm community can have a chance to “blow off steam.” I loved the idea and the “unchat” was born. There are so many great people in the #HITsm community, I’m sure that some amazing conversations will happen in this chat and likely on unexpected topics. Not to mention that random conversations are a great way to inspire new relationships.

To be clear, this is a true unchat. Those who join and participate will start the topics, extend the topics, ask questions, etc. The topics don’t even have to be related to health IT. If you want to talk about your holiday vacation plans, go for it. Is there a part of healthcare IT that’s really bothering you or has you really excited? Let’s hear it. If you like cats as much as Brian Eastwood, share a cat photo. If you’ve fallen in love with your healthcare chat bot and want everyone to know it, share away. Of course, this is a community, so just be respectful and appropriate, the way you’d be if we were hanging out or having dinner.

Given that this is an unstructured #HITsm unchat, there won’t be any formal questions for the chat. The threads will start and extend however the community sees fit. However, we will throw out this first question to get things started and the community thinking:

T1-5: What’s on your mind? #HITsm

We hope you’ll join us for this new #HITsm Unchat. Let’s get to know each other in new and unique ways.

Upcoming #HITsm Chat Schedule
9/22 – The Impact of HIEs in Natural Disasters
Hosted by Brian Mack (@BFMack) from @GLHC_HIE

9/29 – Condition Management vs Episodic Care Management
Hosted by Brian Eastwood (@Brian_Eastwood) from @ChilmarkHIT

10/6 – After Death Data Donation – A #HITsm Halloween Horror Chat
Hosted by Regina Holliday (@ReginaHolliday), Founder of #TheWalkingGallery

10/13 – Role of Provider Engagement for Improving Data Accuracy
Hosted by @CAQH

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find it and the full schedule of chats here.

Clinical Optimization Effort and ROI Matrix

Posted on September 6, 2017 | Written by John Lynn

Over on Hospital EMR and EHR, Galen Healthcare Solutions has been providing some really practical and detailed information on optimizing an EHR as part of their EMR Clinical Optimization Series and they’re just getting started. Along with the EMR Optimization blog posts, they also have published a FREE EMR optimization whitepaper that dives into tips, tricks, and perspectives on how to approach driving a tangible return on your EMR investment.

I love that we are finally moving past the discussion of EMR implementation and moving towards EMR optimization. As David Chou, CIO at Children’s Mercy Kansas City, recently said in the CXO Scene podcast, “Hospitals have invested at minimum $100 million on their EHR and that doesn’t include all the consulting and training services required to implement the EHR on top of it.” Given this massive investment, it is more than time to optimize our EHR implementations and ensure we’re getting a great ROI from the investment.

In Galen’s EMR Optimization Whitepaper, they shared this really impressive matrix that looks at the clinical optimization effort required against the benefits an organization will receive from those efforts:


(Click on the above image to see the large version of the matrix)

There’s a lot to chew on in this matrix, so feel free to spend some time looking over the details. In fact, it would be beneficial to do a deep analysis of this matrix with your organization. No doubt you’ll uncover ways that your organization can benefit from better clinical optimization and it will help you evaluate areas where you should focus your initial attention.

While there’s a lot of detail in this matrix, I was struck by how few levers had an impact on costs. This is a tremendous insight to consider when it comes to EHR and clinical optimization and their impact on healthcare costs. No doubt there are other more important drivers of cost that need to be considered.

On the other hand, I was also struck by how many of the opportunities in the matrix were able to directly maximize revenue while also improving quality. Sometimes I think we look at the care we provide and see our efforts to improve quality as counter to our efforts to maximize revenue. This chart clearly illustrates how you can focus on improving the quality of care your patients receive while still maximizing your organization’s revenue.

I also like to look at the outliers in these matrices. In the matrix above, they’re found in the middle of the matrix. They require less effort, but the monetary ROI is high. I’m talking about “Keeping Patient in Network” and “Driving care delivery and managing acute and chronic diseases by evaluating the patient’s problem list in clinical documentation.” These are both things that can be done much more effectively on the back of the data found in the EHR. Are you maximizing these opportunities? I know many organizations that have barely begun the work of reducing volume leakage and improving clinical decision support. Those might be great places for your organization to start in your EMR optimization efforts.

What stands out to you when you look at the EMR optimization matrix above? Would you change any of the values in the matrix? Are there areas that are missing from the matrix that you would add? How many of these optimization efforts are you working on in your organization? We look forward to hearing your thoughts and perspectives in the comments and on social media.

Note: Galen Healthcare Solutions is a sponsor of Healthcare Scene and the EMR Clinical Optimization Series of blog posts.

Digital Health Innovation in Pharma – #HITsm Chat Topic

Posted on September 5, 2017 | Written by John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 9/8 at Noon ET (9 AM PT). This week’s chat will be hosted by Naomi Fried (@naomifried) on the topic of “Digital Health Innovation in Pharma.”

The digital health revolution is in full swing. Each year, more and more digital innovations are coming to market that leverage hardware and software to provide new ways of delivering care and information to patients and providers. These solutions can improve outcomes, drive down costs, and/or boost efficiency.

Healthcare stakeholders are beginning to understand digital health’s ability to radically reshape the healthcare landscape. While many firms in the pharmaceutical and biotech sector (“biopharma”) are only slowly awakening to digital health’s potential, some forward-thinking biopharma companies are aggressively looking for ways to use digital health to strengthen their businesses. They see it as critical to improving patient outcomes, building connections with providers and patients, strengthening their brand, and driving new revenues.

Join our Twitter chat as we explore the growing opportunity for digital health innovation in pharma and biotech. We’ll discuss some of the exciting opportunities that are emerging; what is working and what isn’t; and which business models seem to be succeeding. Share your thoughts during our conversation September 8th at 9-10 am PT!

Reference Materials:

Here are the questions that will serve as the framework for this week’s #HITsm chat:
T1: What are the best #patient-facing digital health solutions currently deployed by #pharma & #biotech? #HITsm

T2: What is exciting in “#digiceuticals” (mobile apps & software that treat #medical conditions)? #HITsm

T3: How are #pharma & #biotech effectively leveraging digital health tools to improve and extend communication with providers? #HITsm

T4: What is impeding the deployment of #digitalhealth by #pharma & #biotech? What could help? #HITsm

T5: Buy, build, partner? What models are going to be most successful for #pharma and #biotech to get into #digitalhealth? #HITsm

Bonus: If you were master of the #digitalhealth universe & could make a major change in the #healthcare ecosystem, what would it be? #HITsm

Upcoming #HITsm Chat Schedule
9/15 – Unchat
This chat will have no agenda and no topic. It will be a community free-for-all where anyone can introduce any topic, subject, question, image, video, etc. that they want. This could get interesting.

9/22 – TBD
TBD

9/29 – TBD
TBD

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find it and the full schedule of chats here.

Labor Day Thought

Posted on September 4, 2017 | Written by John Lynn

Gaining End User Buy-In to Your EHR – Breakaway Thinking

Posted on August 30, 2017 | Written by John Lynn

This post is part of the Breakaway Thinking blog post series which is sponsored by Breakaway Learning Solutions, a Conduent Company.

One of the universal truths about EHR software is that if you don’t get user buy-in, your EHR efforts will fail. You may even complete your EHR implementation, but not having user buy-in will wreak havoc on your ability to use the EHR to improve your organization. The failures may not be immediately apparent, but you can be sure your users will cause it to fail if they haven’t bought into the project.

On the other hand, organizations that do get end user buy-in to their EHR generally see great results.

The best way to ensure end user buy-in to an EHR is through great leadership. This is highlighted in the whitepaper Leadership Insights: Gaining Value from Technology Investments, but what can leaders do to help create EHR buy-in within their organization?

One key to ensuring organizational buy-in is to set clear goals. Ideally these goals are created collaboratively with your team. However, it is most important that your EHR goals are attractive to your end users. If the end users are interested and excited about the goals you’ve set for the EHR project, then they’re more likely to support the project. Plus, setting these goals gives the project an important guide when you’re faced with tough decisions. Not to mention these goals serve as the perfect way to evaluate the success or failure of the EHR post-implementation.

Another way to ensure EHR buy-in from your end users is to invest in effectively training those users. There are a lot of skills a doctor needs to see patients effectively. Learning to use an EHR effectively is a learnable skill as well. However, you must invest in training that ensures end users have the skills they need to be effective EHR users. Effective training is a powerful way to improve EHR buy-in within your organization even if you have a less than perfect workflow.

Implementing an EHR often requires a change to your organization’s workflow. Many organizations postpone these workflow changes until after the initial implementation. They see this as a phased approach to the changes brought on by a new EHR. If you’ve done this, don’t forget to go back and reevaluate your current workflow against the new opportunities available in the EHR. You’ll often discover new workflows that will better serve your users and patients.

Finally, cultivating a group of peer champions for your EHR is a great way to get EHR buy-in. These peer champions can be there when challenging situations arise that need to be resolved. As advanced users, they can share solutions to problems with their peers in a powerful way that can’t be replicated by support desks.

The one theme across all of these ideas is having a great leader who understands their end users’ needs and then empowers them to be successful. Each of the ideas above is just one strategy a leader can employ to better understand, empower, and assist their end users in successfully using their EHR.

What other strategies do you use in your organization to gain EHR buy-in? What have been the consequences to organizations that haven’t spent the time and money to get buy-in? What could they and should they have done differently? Share your thoughts in the comments.

Learn more about the Breakaway Thinking blog series sponsor, Breakaway Learning Solutions, and download their FREE whitepaper “Leadership Insights: Gaining Value from Technology Investments.”

Digital Strategies for Improving Consumer Experience – #HITsm Chat Topic

Posted on August 29, 2017 | Written by John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 9/1 at Noon ET (9 AM PT). This week’s chat will be hosted by Kyra Hagan (@HIT_Mktg_Maven) from @InfluenceHlth on the topic of “Digital Strategies for Improving Consumer Experience.”

‘Healthcare Consumerism’ is fundamentally changing the entire healthcare delivery system. Accelerated by the ACA and evolving digital landscape, consumers are taking a more active role in their healthcare management. With this paradigm shift, they expect higher quality care, greater choice and on-demand digital experiences. Like a consumer researching and booking a hotel online, healthcare consumers are ‘comparison shopping’ for the provider that best meets their needs – expecting the same timely, personalized and omni-channel experience they’ve grown accustomed to via the retail and hospitality industries.

However, unlike most industries that are leveraging data to gather behavioral insights and investing in tailored digital marketing strategies, healthcare has been sluggish to adopt new models that recharacterize patients as consumers. In fact, in a recent survey conducted by Gartner, CEOs said that two of their three most immediate technical needs are better capability in digital marketing and customer experience management. Yet, only 14% of healthcare marketing budgets went to digital efforts in 2015, while industries like retail consistently increase digital spend by double-digits annually.

Join this Twitter chat to explore how digital strategies can help hospital and healthcare leaders improve the overall healthcare consumer experience at their facilities.

Reference Materials:

Here are the questions that will serve as the framework for this week’s #HITsm chat:
T1: What do you see as the largest barriers keeping hospitals and health systems from implementing digital strategies? #HITsm

T2: What’s the first thing you’d tell a hospital/health system that is looking to improve its consumer experience via digital? #HITsm

T3: 93% of CMOs feel increased pressure to improve ROI. What digital strategies have you seen to be successful in proving ROI? #HITsm

T4: How can healthcare draw inspiration from other thriving industries like retail and hospitality in the digital realm? #HITsm

T5: Many CEOs are adding Chief Experience Officers to their team to lead consumer-focused digital change. Thoughts on this role? #HITsm

Bonus: What can we as HIT leaders do to help drive the digital transformation that the healthcare industry needs? #HITsm

Upcoming #HITsm Chat Schedule
9/8 – Digital Health Innovation in Pharma
Hosted by Naomi Fried (@naomifried)

9/15 – Unchat
This chat will have no agenda and no topic. It will be a community free-for-all where anyone can introduce any topic, subject, question, image, video, etc. that they want. This could get interesting.

9/22 – TBD
TBD

9/29 – TBD
TBD

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find it and the full schedule of chats here.

HHS HIPAA Breach Wall of Shame Updated

Posted on August 28, 2017 | Written by John Lynn

HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The new design is nice, and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by keeping it on the list? Of course, the archived entries are still available in the archive.

Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (the tool only includes breaches affecting 500 or more individuals). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis. Here’s a look at the data the tool provides:

The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).

I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.

Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. It looks like HHS collects that information when an organization files a breach report. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of the actions taken by those that were breached.
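The fields the tool exposes (entity, state, individuals affected, breach date, breach type, location) are enough to build the kind of summary the post wishes for: how many reports fall in a window, how many individuals they cover, and which breach types and locations dominate. The following is an added example, not code from the post or from HHS, that runs that summary over a handful of constructed records shaped like HBRT rows; the entity names, numbers and dates are made up, the `as_of` date, the 24-month window and the 500-individual reporting threshold are the post's own framing, and the `Breach` record type and helper names are assumptions of this example.

```python
from collections import Counter
from datetime import date
from typing import List, NamedTuple


class Breach(NamedTuple):
    """One HBRT-style row: the six fields the post says the tool provides."""
    entity: str
    state: str
    individuals: int
    breach_date: date
    breach_type: str   # e.g. Hacking/IT Incident, Theft, Loss, Unauthorized Access/Disclosure
    location: str      # e.g. Email, Laptop, Paper/Films, Network Server


# Constructed sample rows for illustration only; these are not real HHS notifications.
SAMPLE_BREACHES: List[Breach] = [
    Breach("Example Clinic A", "TX", 1200, date(2017, 6, 3), "Hacking/IT Incident", "Email"),
    Breach("Example Hospital B", "CA", 54000, date(2017, 2, 14), "Hacking/IT Incident", "Network Server"),
    Breach("Example Practice C", "NY", 800, date(2016, 11, 20), "Theft", "Laptop"),
    Breach("Example Health Plan D", "FL", 3100, date(2017, 7, 9), "Unauthorized Access/Disclosure", "Email"),
    Breach("Example Pharmacy E", "OH", 650, date(2015, 3, 30), "Loss", "Paper/Films"),
    Breach("Example Clinic F", "WA", 2500, date(2017, 8, 1), "Hacking/IT Incident", "Email"),
    Breach("Example Dental G", "AZ", 120, date(2017, 5, 5), "Theft", "Desktop Computer"),
]


def window_start(as_of: date, months: int) -> date:
    """First day of the reporting window `months` months before `as_of` (day clamped to 28)."""
    total_months = as_of.year * 12 + (as_of.month - 1) - months
    year, month_index = divmod(total_months, 12)
    return date(year, month_index + 1, min(as_of.day, 28))


def reportable_in_window(records: List[Breach], as_of: date,
                         months: int = 24, threshold: int = 500) -> List[Breach]:
    """Keep rows the tool would list: at or above the threshold and inside the window."""
    start = window_start(as_of, months)
    return [r for r in records
            if r.individuals >= threshold and start <= r.breach_date <= as_of]


def summarize(records: List[Breach]) -> dict:
    """Count reports and affected individuals, broken down by breach type and location."""
    return {
        "reports": len(records),
        "individuals": sum(r.individuals for r in records),
        "by_type": dict(Counter(r.breach_type for r in records)),
        "by_location": dict(Counter(r.location for r in records)),
    }


def by_location(records: List[Breach], location: str) -> List[Breach]:
    """Rows whose breached information lived in the given location, e.g. 'Email'."""
    return [r for r in records if r.location == location]


if __name__ == "__main__":
    recent = reportable_in_window(SAMPLE_BREACHES, as_of=date(2017, 8, 28))
    summary = summarize(recent)
    print(f"{summary['reports']} reports, {summary['individuals']} individuals affected")
    print("by type:", summary["by_type"])
    print("by location:", summary["by_location"])
    email = by_location(recent, "Email")
    print(f"email breaches: {len(email)}, individuals: {sum(r.individuals for r in email)}")
```

The real tool's export can be fed through the same functions once its rows are mapped onto the `Breach` fields; the location breakdown is what makes the email pattern the post noticed visible at a glance.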

What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.

Business Associates are NOT Responsible for Clients’ HIPAA Compliance, BUT They Still Might Be At-Risk

Posted on August 25, 2017 | Written by John Lynn

The following is a guest blog post by Mike Semel from Semel Consulting.

“Am I responsible for my client’s HIPAA compliance?”

“What if I tell my client to fix their compliance gaps, and they don’t? Am I liable?”

“I told a client to replace the free cable Internet router with a real firewall to protect his medical practice, but the doctor just won’t spend the money. Can I get in trouble?”

“We are a cloud service provider. Can we be blamed for what our clients do when using our platform?”

“I went to a conference and a speaker said that Business Associates were going to be held responsible for their clients’ compliance. Is this true???”

I hear questions like these all the time from HIPAA Business Associates.

The answers are No, No, No, No, and No.

“A business associate is not liable, or required to monitor the activities of covered entities under HIPAA, but a BA has similar responsibilities as a covered entity with respect to any of its downstream subcontractors that are also BAs,” said Deven McGraw, Deputy Director for Health Information Privacy, US Department of Health and Human Services Office for Civil Rights (OCR), and Acting Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology, on August 17, 2017.

So, while you aren’t responsible for your clients’ HIPAA compliance, what they do (or don’t do) still might cost you a lot, if you aren’t careful.

In my book, How to Avoid HIPAA Headaches, there are stories about HIPAA Covered Entities that suffered when their Business Associates failed to protect PHI. North Memorial Health Care paid $1.55 million in HIPAA penalties based on an investigation into the loss of an unencrypted laptop by one of its Business Associates, Accretive Health.

Cottage Health, a California healthcare provider, is being sued by its insurance company to get $4.1 million back from a settlement after Cottage Health’s IT vendor, a Business Associate, accidentally published patient records to the Internet.

Your marketing activities, what you and your salespeople say to prospects and clients, and your written Terms & Conditions may all create liability and financial risks for you. These must be avoided.

Semel Consulting works with a lot of Business Associates.

Many are IT companies, because I spent over 30 years owning my own IT companies. I’ve been the Chief Information Officer for a hospital and a K-12 school district, and the Chief Operating Officer for a cloud backup company. I now lead a consulting company that helps clients address their risks related to regulatory compliance, cyber security, and disaster preparedness. I speak at conferences, do webinars, and work with IT companies that refer their clients to us.

I look at the world through risk glasses. What risks do our clients have? How can I eliminate them, minimize them, or share them? When we work with our healthcare and technology industry clients, we help them identify and quantify their risks, so they know what resources they should reasonably allocate to protect their finances and reputation.

Under HIPAA, compliance responsibility runs one way – downhill.

Imagine a patient on top of a hill. Their doctor is below the patient. You are the doctor’s IT support company, below the doctor, and any vendors or subcontractors you work with are below you.

The doctor commits to the patient that he or she will secure the patient’s Protected Health Information (PHI) in all forms – verbal, written, or electronic. This is explained in the Notice of Privacy Practices (NPP) that the doctor gives to patients.

Under HIPAA, the doctor is allowed to hire vendors to help them do things they don’t want to do for themselves. Vendors can provide a wide variety of services, like IT support; paper shredding; consulting; malpractice defense; accounting; etc. The patient is not required to approve Business Associates, and does not have to know that outsourcing is happening. This flexibility is also explained in the patient’s Notice of Privacy Practices.

As a vendor that comes in contact with PHI, or the systems that house it, you are a HIPAA Business Associate. This requires you to sign Business Associate Agreements and, since 2013, when the HIPAA Omnibus Final Rule went into effect, it also means that you must implement a complete HIPAA compliance program and be liable for any breaches you cause.

IT companies may decide to resell cloud services, online backup solutions, or store servers in a secure data center. Since the HIPAA Omnibus Final Rule went into effect, a Business Associate’s vendors (known as subcontractors) must also sign Business Associate Agreements with their customers, and implement complete HIPAA compliance programs.

Because compliance responsibility runs downhill, the doctor is responsible to the patient that his Business Associates will protect the patient’s confidential information. The Business Associate assures the doctor that it, and its subcontractors, will protect the patient’s confidential information. Subcontractors must commit to Business Associates that they will protect the information. A series of two-party agreements is required down the line from the doctor to the subcontractors.

It doesn’t work the other way. Subcontractors are not responsible for Business Associates, and Business Associates are not responsible for Covered Entities, like doctors.

HIPAA compliance responsibility, and legal and financial liability, are different.

A HIPAA Covered Entity is responsible for selecting compliant vendors. Business Associates are responsible for selecting compliant subcontractors. Subcontractors must work with compliant subcontractors.

Because Covered Entities are not liable for their Business Associates, and Business Associates are not liable for their Subcontractors, they are not required to monitor their activities. But, you still need to be sure your vendors aren’t creating risks. The Office for Civil Rights (OCR) says that:

… if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).

With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted.

In its Cloud Service Provider (CSP) HIPAA Guidance released in 2016, the OCR said:

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs. See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.

Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

How can a Business Associate be affected by a client’s compliance failure? Here are some scenarios.

(FYI, I am not a lawyer and this is not legal advice. These ideas came out of meetings I had with my attorney to review our contracts and our marketing. Talk to your lawyer to make sure you are protected!)

  1. IT companies should never tell a client, “We’ll be responsible for your IT so you can focus on your medical practice.”

Sound familiar? This is what many IT Managed Service Providers tell their prospects and clients.

Then the client has a data breach because they were too cheap to buy a firewall, they refused to let you implement secure passwords because it would inconvenience their staff, or they lost an unencrypted thumb drive even though you had set up a secure file sharing platform.

Someone files a HIPAA complaint, the OCR conducts an investigation, and your client pays a big fine. Then they sue you, saying you told them IT was your responsibility. Maybe they misunderstood what you included in your Managed Services. Maybe you did not clearly explain what responsibility you were accepting, and what IT responsibility was still theirs. Either way, you could spend a lot on legal fees, and even lose a lawsuit if a jury believes you made the client believe you were taking over their compliance responsibility.

  2. You must clearly identify what is, and what is not, included in your services.

Your client pays you a monthly fee for your services. Then they have a breach. They may expect that all the tasks you perform, and the many hours of extra labor you incur, are included in their monthly fee. They get mad when you say you will be charging them for additional services, even though they have just hired a lawyer at $500 per hour to advise them. Without written guidelines, you may not be able to get paid.

  3. You must be sure you get paid if your client drags you into something that is not your fault.

Imagine you were the IT company that set up an e-mail server for a recent presidential candidate. As unlikely as this may sound, this becomes a political issue. You just did what the client requested, but now you must hire attorneys to advise you. You must hire a public relations firm to deal with the media inquiries and protect your name in the marketplace. You must send your techs and engineers – your major source of income – to Washington for days to testify in front of Congress, after they spent more unbillable time preparing their testimony.

Who pays? How do you keep from losing your client? How do you protect your reputation?

HOW TO PROTECT YOUR FINANCES AND YOUR REPUTATION

  • Make sure you and your salespeople are careful to not overpromise your services. Make sure you and your sales team tell your prospects and clients that they are always ultimately responsible for their own security and compliance.
  • Make sure your contracts and Terms and Conditions properly protect you by identifying what services are/aren’t covered, and when you can bill for additional services. Don’t forget to include your management time when sending bills. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • State in your Terms & Conditions that you will be responsible for your own company’s compliance (you are anyway) but that you are not responsible for your clients’ compliance.
  • Include terms that require your client to pay for ALL costs related to a compliance violation, government action, investigation, lawsuit, or other activity brought against them that requires your involvement.
  • My attorney said we should include “change in government regulations” in our Force Majeure clause to allow us to modify our contract or our pricing before a contract expires. The 2013 HIPAA Omnibus Rule created a lot of expensive responsibilities for Business Associates. You don’t want to get stuck in an existing contract or price model if your costs suddenly increase because of a new law or rule.
  • Get good Professional Liability or Errors & Omissions insurance to protect you if you make a mistake, are sued, or dragged into a client’s investigation. Make sure you understand the terms of the policy and how it covers you. Make sure it includes legal representation. Ask for a custom policy if you need special coverage.
  • Make a negative a positive by promoting that you offer the specialized services clients will need in case they are ever audited, investigated, or sued.

If you do this right, you will protect your business and leverage compliance to increase your profits. When you focus on compliance, you can get clients willing to pay higher prices because you understand their compliance requirements. I know. I have generated millions of dollars in revenue using compliance as a differentiator.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA (and other regulatory) compliance; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Consumer Data Liquidity – The Road So Far, The Road Ahead – #HITsm Chat Topic

Posted on August 23, 2017 | Written By


We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 8/25 at Noon ET (9 AM PT). This week’s chat will be hosted by Greg Meyer (@Greg_Meyer93) on the topic of “Consumer Data Liquidity – The Road So Far, The Road Ahead.”

As my summer tour of interoperability forums, lectures, and webinars winds down, patient engagement/data liquidity is arguably the hottest talk in town. This leads me to a time of reflection, looking back on my own personal experience over the last 10-15 years (yes, I’m still a fairly young guy), starting with early attempts to access my own family’s records, moving on to witnessing the consumer revolution of Dave deBronkart and Regina Holliday, and finally tracking the progression of HealthIT and public health legislation. We’ve come a long way from the ubiquity of paper and binders and Xerox (oh my) to CDs and PDFs to most recently CDAs, Direct, and FHIR, with the latter paving the way for a new breed of apps and tools.

With the lightning speed of change in technology and disruption vis-à-vis consumer devices, one would expect a dramatic shift in the consumer experience over the past 10 years, with nirvana in the not too distant future. Contrary to intuitive thinking, we haven’t come as far as we would like to think. Even with legislation and a progression of technology such as C-CDA, OpenNotes, Direct, BlueButton, FHIR, and the promise of apps to bring it all together, pragmatically a lot of the same core broken processes and frustrations still exist today. In July, ONC released a study on the health records request process based on a small sampling of consumers and 50 large health organizations. Although most of the stories include modern technical capabilities, the processes reek of variance and inefficiencies that have persisted since the long lost days of the house call.

Not to put the whole state of affairs in gloom, there is still a potentially bright future not too far ahead. With the convergence of forces from contemporary technical standards and recent legislation like the 21st Century Cures Act, consumer data liquidity is staying in the forefront of public health. And let’s not forget the consumer. It is partly the consumer revolution, and patients demanding portability of their records, that is forcing providers and vendors to open their systems as platforms of accessibility instead of fostering silos and walled gardens.

This week’s chat will explore the progression of health data access from the consumer’s perspective.

Here are the questions that will serve as the framework for this week’s #HITsm chat:
T1: Describe your perception/experiences of consumer data access 10-15 years ago. #HITsm

T2: Contrast your previous experience to today. Is your experience better, worse, or the same? #HITsm

T3: What gaps exist between what is available today (data, apps, networks, etc.) vs what you would like to have? #HITsm

T4: Would you prefer to manage/move your data yourself, or expect HealthIT to do it for you? #HITsm

T5: Beyond FHIR, APIs, and apps, what is the future of consumer access and data liquidity? #HITsm

Bonus: Remember “Gimme My DaM Data?” What would be your slogan for consumer access? #HITsm

Upcoming #HITsm Chat Schedule
9/1 – Digital Strategies for Improving Consumer Experience
Hosted by Kyra Hagan (@HIT_Mktg_Maven from @InfluenceHlth)

9/8 – Digital Health Innovation in Pharma
Hosted by Naomi Fried (@naomifried)

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.