
5 Tips When Implementing a Secure Text Messaging Solution

Posted on December 20, 2016

The following is a guest blog post by Matthew Werder, CTO, Hennepin County Medical Center. Thanks to Justin Campbell from Galen Healthcare Solutions for facilitating this guest post for us.

We are now twelve months into our secure messaging implementation, and it’s safe to say our transition to a secure-messaging application with the aspiration to eliminate pagers has been quite a journey. Recently, I answered a couple of reference calls on the selection process from some of my healthcare colleagues and determined it was time to share 5 (of many) tips for implementing a secure messaging solution. Like most healthcare technologies, what may appear to be simple isn’t, and even with the best of the best implementation plans, project manager, and leadership support, the road to implementing a secure messaging solution contains many challenges.

To start, here are five tips that have left me with scars & memories:

#1 – Define Your Strategy. Are you just adding another technology, enhancing an existing one, or just buying into the hype of secure text messaging applications? In his post dated January 26, 2016, Mobility Solutions Consultant, Jason Stanaland from Spok stated, “secure text messaging should be implemented as a workflow solution, and not simply a messaging product.” Before putting ink to paper, ensure that your goals are aligned, providers are supportive, and a measurable outcome has been identified. Just because you can implement a technology doesn’t mean you should.

#2 – Beware of the Pager Culture.  In the words of Peter Drucker, “culture eats strategy for lunch,” and the same can be said for the pager culture.  This was impressed on me last summer when a physician stopped me in the hallway and had questions about the new text messaging solution we were implementing.  She was very excited and encouraged to hear that we were taking communication, mobility, and security seriously.   What I wasn’t prepared for was her question, “What is your plan to address the 4, 5, and 9-digit callback needs?”

In many institutions, a pager Morse code exists. Telemediq’s Derek Bolen wrote in December last year that “‘Pager culture’ is real, and extremely persistent, in healthcare.” Judy Mottl, of Fierce Mobile Healthcare, talks about “Why the pager remains a viable and trusted tool for providers.” She wrote that the pager has been a resilient tool and in order for new technologies to replace it, they must overcome the benefits of such a simple mobile device – the pager! Don’t underestimate #PAGERPOWER!

#3 – Text Administration and Etiquette Policy. If your goal is to replace your paging system or add a secure text messaging solution in addition to pagers, your paging and messaging policy will need to be archived and a new text messaging/secure messaging policy will need to be authored. Authoring the policy will be a collaborative effort between the medical staff, legal, IT, nursing, compliance, and operations. Gentle reminders, as written by Dana Holmes, Family Lifestyle Expert of the Huffington Post, in her 2013 blog, “A Much-Needed Guide to Text Etiquette”, highlight the necessary rules and guidelines of texting. Many of these are well known, yet good reminders in the adoption of secure text messaging in healthcare.

#4 – Think Beyond Text Messaging.  Regardless of your strategy, text messaging alone will provide minimal value.  Organizations implementing secure text-messaging solutions should think beyond the implementation and think in terms of “Connection Point” or “Communications Hub” opportunities with the patient/customer in mind.  On August 19, 2015, Brad Brooks, TigerText Co-Founder and Chief Executive Officer, stated that secure texting not only fosters a collaborative environment, but it also enables users to quickly communicate and coordinate with other colleagues while eradicating the need for multiple devices and tedious communication channels. Unlike emails, secure texting is instantaneous and avoids outside threats or hackers. Secure texting encompasses everything we love about mobile messaging, but with built-in features and tools to help one work faster and more easily with his or her team.  Does the vendor have a roadmap to take you where you want? Intersect it with patients, and make for texting amongst patients and provider. Include the patient, how can they take advantage of the texting platform?  Turn it into an engagement tool.  Drive collaboration and improve the patient experience and family experience.

#5 – Enjoy and Have Fun. I am amazed at times when technologists don’t embrace the adoption of a new technology that could have a significant impact on their organization. The secure text messaging industry is rich and deep right now with countless options and innovative solutions at every corner. You run into unforeseen obstacles and workflows, and despite the promise of a short implementation, multiply it by two. We all know that change in healthcare is challenging and exhausting, so enjoy the ride!

Of course there are many more. At last count, about 37 additional lessons and tips should be considered when implementing your new secure-messaging solution, so feel free to comment and share your experiences.

About Matthew Werder
Matthew Werder brings over 20 years of healthcare experience in his position as Chief Technology Officer at Hennepin County Medical Center, a 477-bed Level 1 Trauma Center and Academic Medical Center in Minneapolis. In his role, he is responsible for advancing HCMC’s technology vision and strategy to enable the organization to achieve its critical priorities.  Currently, Matthew is leading the development of an enterprise telemedicine strategy, migration to a new data center, and leading the execution of the organization’s technology strategy.

Prior to his role as CTO, Matthew was the Director of Supply Chain at HCMC, where over the course of 4 years he achieved over $12M in cost savings while transforming the supply chain organization, which received recognition by Supply & Demand Chain Executive as Pros to Know. He also worked as a Supply Chain Manager for Medtronic, Inc. at their Physiological Research Laboratories and in the Global Strategic Sourcing group. Matthew is a certified Master Lean instructor and previously worked as a Lean Consultant with Operational Excellence, Inc.

Matthew holds a Master’s Degree in Health and Human Services Administration from Saint Mary’s University and graduated from Concordia University with a degree in natural science.  He has presented and been published on several topics focusing on operational excellence, cost management, technology and the patient experience, and strategic sourcing for services in healthcare.

What Should Coffee Shops and Healthcare Organizations Have in Common?

Posted on December 8, 2016

The following is a guest blog post by Sarah Bennight, Marketing Strategist of Stericycle Communication Solutions as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms
Several months ago, I failed to get up in time for my normal coffee brew. So on the way to work, I decided to stop at a local Starbucks to grab a latte. The drive-thru was packed. Panicking, I stepped inside where the line was sure to be shorter. It was not. As I waited, I noticed folks walking in and going straight to the barista bar, giving an order, and receiving it immediately. No line. No wait. What was this amazing service and why didn’t I receive it? I felt left out of the cool kids club as I waited my turn and finally arrived 3 minutes late to work. After searching my junk email, I found several emails touting a new order-in-app and pay service. With my busy lifestyle and love of coffee, I thought this was too good to be true.

Next time I was running late, I opened the app and ordered my favorite beverage with one hand while putting on makeup with the other. I felt like a true VIP when I sauntered into my local cafe and whispered my order to the barista, who had my drink ready and waiting. You can bet, if I need a coffee on a hurried morning, I will remain loyal to the pre-order app from Starbucks. It’s just too easy.

With increasingly busy lifestyles and the need to complete more in less time, consumers look for the quickest and easiest goods and services. We are much more willing to adventure into unknown spaces if it promises to give us precious time back. After moving last month, I received a card in the mail from a well-known grocer saying “welcome to the neighborhood, we now offer online grocery shopping.” Busy people in my neighborhood are celebrating an end to their most hated and time-consuming weekly errand. I have yet to try this service since there are rarely timeslots open, but the Starbucks’ model of order online and avoid the wait is becoming the norm.

We are so accustomed to immediate service that we sometimes get frustrated with even small delays. Take, for example, my two very different experiences at urgent care centers. Earlier this year, I had to take my daughter in for possible strep throat. I avoided the trip long enough that her primary care physician office was closed and urgent care was the only option. We took our chances with the local pediatric urgent care and waited for our sick child to be seen for over two hours – 45 minutes of which was spent in the examination room before anyone came in to see us.

When the need arose for me to visit an urgent care clinic recently, I was already well versed in the advantages of ordering online without a wait. Although I had been to the local ER for the same condition and they had all of my labs and records, the thought of a potentially lengthy wait was daunting. So, I searched for a clinic that could accommodate my schedule and decided to try a new clinic because they offered the “online ordering model” for urgent care visits. I signed up online and was called back within 10 minutes of arriving at the clinic. The doctor saw me within 15 minutes of being placed in a room. The experience was so positive the clinic has earned my loyalty for future care needs. Not only do they have a caring staff, they get me in and out in a reasonable time.

This trend is rapidly being adopted across commercial industries, but healthcare isn’t far behind. And health providers that aren’t ready to adapt will soon feel the pressure as consumers demand convenience. Services and tools such as Amazon PrimeNow and Disneyland FastPasses prove one thing: Americans simply hate to wait.

Recently, I spoke with a client who made the decision to implement our online scheduling solution as a result of increasingly consumer-driven expectations. Competition with retail clinics for primary care visits also played a role in their decision. They stated, “We are now competing with Walgreens and CVS for simple clinic visits because we make it too difficult to get the patient in the door.” A McKinsey 2015 Consumer Health Insights Survey found the same, as two thirds of the people surveyed reported they would be comfortable using retail clinics such as CVS or Walgreens for care. When asked why, the major reason cited was accessibility.

With two very different clinic visits shaping my view, I imagine on-demand access and appointment scheduling will continue to shape the healthcare access scene in the next few years. Convenience is king in our consumer-minded world, and those who rely on only traditional methods of getting patients in the door could miss potential opportunities – or worse, lose existing patients to competitors who provide easier access. I won’t return to the first urgent care clinic because the more recent visit offered better access and a more convenient experience by significantly cutting my wait time. With my newfound love for ordering online and avoiding the wait, I have also recently changed the family eye doctor to one who offers this service. Now, if they could only offer an onsite coffee bar…

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality call center & telephone answering services, patient access services and automated communication technology. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

A New Platform for Women in Healthcare IT – Doyenne Connections

Posted on December 2, 2016

The following is a guest blog post by Janae Sharp (@coherencemed).
Every day, healthcare loses potential profit from a lack of representation of women in technology. Healthcare IT takes a larger hit than some other technology areas. Taking the problems of gender pay disparity and lack of representation for women in healthcare to a dinner party was the beginning of Doyenne Connections. Founded by Max Stroud, a lead consultant at Galen Healthcare, this group of women in leadership roles in Health IT is about creating real life connections for women in technology.

Max had a vision of forward-thinking women in health IT meeting together to enhance their careers and develop ideas together. A sort of “un-conference” emerged and the first weekend was a huge success. Organizations that would be an ideal match for Doyenne Connections are companies that are concerned about gender equality. Organizations that believe in the value of a human connection can get involved from the corporate level. The founders club invites women leaders in healthcare IT to mentor and meet up with other women.

In healthcare technology there is so much interest in the next innovation and how technology connects us. Employees can telecommute. Patients can see a doctor over the internet. Providers can collaborate about patients and companies to improve systems via video call. While technology and social media connect us, in-person meetings are still invaluable.

Healthcarescene.com is proud to partner with Doyenne Connections to help promote women in Health IT and how companies can increase their profitability through improving the workplace for women. Investing in the individual women and mentorships and meetups will help improve Health IT innovation and profitability. The costs of gender inequality in the workforce are high and the loss of women in technology and healthcare is an economic problem for our companies and a social problem. Women are underrepresented in leadership roles and average 78 cents for every dollar their male counterparts make.

Want to invest in your company’s gender equality? The Founders club is looking for current and future leaders in Healthcare and Doyenne Connections has spots for corporate sponsorships.

Are Providers Using Effective Patient Communication Methods?

Posted on December 1, 2016

The following is a guest blog post by Cristina Dafonte, Marketing Associate of Stericycle Communication Solutions as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms
This year at MGMA 2016, the Stericycle Communication Solutions team had the opportunity to survey over 800 providers about their patient communication strategy. Getting to collect our own data, rather than relying on facts and figures from scholarly articles, was truly invaluable. But what was even more exciting was sitting down and analyzing the results.

Many of the statistics weren’t surprising – nearly 100% of providers are sending appointment reminders, 60% of providers are using technology to send these reminders, and 2/3 of providers surveyed love the idea of online self-scheduling. These statistics all made sense to me… it’s almost 2017, of course providers would prefer to use technology when it comes to their patient communications.

But as I dug more into the numbers, I saw a startling trend:

  • Only 1 out of 3 providers who “love” online self-scheduling offer it to their patients
  • While almost all providers are sending appointment reminders, 1/3 are still manually calling their patients
  • Over 60% of providers are only sending appointment reminders via ONE modality

I started to think about other parts of my life where I booked appointments or used technology to interact with a vendor– did these healthcare numbers match their non-healthcare counterparts?

First I looked to my hair salon. When I go to their website, I have the ability to book an appointment with my current hair dresser directly on their home screen. I get an email reminder the day that I book the appointment with a calendar attachment. The day before the appointment, I get a text reminding me what time my appointment is and whom it is with. Four months after the appointment, I get an email reminding me that it’s time to come in for my next appointment… with a link to book an appointment online. Surprisingly, this didn’t match what I was seeing in my survey data analysis. When I looked at scheduling an appointment to get my car serviced, I saw the same trend – booking was conveniently online, the communications were all automated, and I received more than one reminder.

So why does there seem to be such a difference when it comes to healthcare communication? Our survey shows that providers like the idea of technology, so, I wonder, why are most providers only going halfway? What is it that is holding them back from fully investing in automated patient communications? According to TIME, the average person looks at his or her phone 46 times per day. As we near 2017, shouldn’t we reach and capture patients where they are engaged and spend most of their time – on their mobile devices and computers?

For more MGMA survey results and a sneak peek into how Stericycle Communication Solutions can help you adopt an automated patient communication strategy, download the infographic here.


Don’t Yell FHIR in a Hospital … Yet

Posted on November 30, 2016

The following is a guest blog post by Richard Bagdonas, CTO and Chief Healthcare Architect at MI7.
The Fast Healthcare Interoperability Resources standard, commonly referred to as FHIR (pronounced “fire”), has a lot of people in the healthcare industry hopeful for interoperability between the electronic health record (EHR) systems and external systems — enabling greater information sharing.

As we move into value-based healthcare and away from fee-for-service healthcare, one thing becomes clear: care is no longer siloed to one doctor and most certainly not to one facility. Think of the numerous locations a patient must visit when getting a knee replaced. They start at their general practitioner’s office, then go to the orthopedic surgeon, followed by the radiology center, then to the hospital, often back to the ortho’s office, and finally to one or more physical therapists.

Currently the doctor’s incentives are not aligned with the patient. If the surgery needs to be repeated, the insurance company and patient pay for it again. In the future the doctor will be judged and rewarded or penalized for their performance in what is called the patient’s “episode of care.” All of this coordination between providers requires the parties involved become intimately aware of everything happening at each step in the process.

This all took off back in 2011 when Medicare began an EHR incentive program providing $27B in incentives to doctors at the 5,700 hospitals and 235,000 medical practices to adopt EHR systems. Hospitals would receive $2M and doctors would receive $63,750 when they put in the EHR system and performed some basic functions proving they were using it under what has been termed “Meaningful Use” or MU.

EHR manufacturers made a lot of money selling systems leveraging the MU incentives. The problem most hospitals ran into is their EHR didn’t come with integrations to external systems. Integration is typically done using a 30 year old standard called Health Level 7 or HL7. The EHR can talk to outside systems using HL7, but only if the interface is turned on and both systems use the same version. EHR vendors typically charge thousands of dollars and sometimes tens of thousands to turn on each interface. This is why interface engines have been all the rage since they turn one interface into multiple.

The great part of HL7 is it is standard. The bad parts of HL7 are a) there are 11 standards, b) not all vendors use all standards, c) most EHRs are still using version 2.3 which was released in 1997, and d) each EHR vendor messes up the HL7 standard in their own unique way, causing untold headaches for integration project managers across the country. The joke in the industry is if you have seen one EHR integration, you’ve seen “just one.”

HL7 versions over the years

HL7 version 3.0 which was released in 2005 was supposed to clear up a lot of this integration mess. It used the Extensible Markup Language (XML) to make it easier for software developers to parse the healthcare messages from the EHR, and it had places to stick just about all of the data a modern healthcare system needs for care coordination. Unfortunately HL7 3.0 didn’t take off and many EHRs didn’t build support for it.

FHIR is the new instantiation of HL7 3.0 using JavaScript Object Notation (JSON), and optionally XML, to do similar things using more modern technology concepts such as Representational State Transfer (REST) with HTTP requests to GET, PUT, POST, and DELETE these resources. Developers love JSON.

FHIR is not ready for prime time and based on how HL7 versions have been rolled out over the years it will not be used in a very large percentage of the medical facilities for several years. The problem the FHIR standard created is a method by which a medical facility could port EHR data from one manufacturer to another. EHR manufacturers don’t want to let this happen so it is doubtful they will completely implement FHIR — especially since it is not a requirement of MU.

And FHIR is still not hardened. There have been fifteen versions of FHIR released over the last two years with six incompatible with earlier versions. We are a year away at best from the standard going from draft to release, so plan on there being even more changes.

15 versions of FHIR since 2014 with 6 that are incompatible with earlier versions

Another reason for questioning FHIR’s impact is the standard has several ways to transmit and receive data besides HTTP requests. One EHR may use sockets, while another uses file folder delivery, while another uses HTTP requests. This means the need for integration engines still exists and as such the value from moving to FHIR may be reduced.

Lastly, the implementation of FHIR’s query-able interface means hospitals will have to decide if they must host all of their data in a cloud-based system for outside entities to use or become a massive data center running the numerous servers it will take to allow patients with mobile devices to not take down the EHR when physicians need it for mission-critical use.

While the data geek inside me loves the idea of FHIR, my decades of experience performing healthcare integrations with EHRs tell me there is more smoke than there is FHIR right now.

My best advice when it comes to FHIR is to keep using the technologies you have today and if you are not retired by the time FHIR hits its adoption curve, look at it with fresh eyes at that time. I will be eagerly awaiting its arrival, someday.

About Richard Bagdonas
Richard Bagdonas has over 12 years integrating software with more than 40 electronic health record system brands. He is an expert witness on HL7 and EDI-based medical billing. Richard served as a technical consultant to the US Air Force and Pentagon in the mid-1990’s and authored 4 books on telecom/data network design and engineering. Richard is currently the CTO and Chief Healthcare Architect at MI7, a healthcare integration software company based in Austin, TX.

Quality Reporting: A Drain on Practice Resources, New Study Shows

Posted on November 17, 2016

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
If time is money, medical practices are sure losing a lot of both based on the findings in a new study published in Health Affairs. The key takeaway: practices spend an average of 785 hours per physician and $15.4 billion per year reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By embracing technology to manage labor-intensive, error-prone and mundane tasks, practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by embracing cloud-based software solutions.
This overwhelming administrative bloat and financial burden can be addressed by implementing software tools and solutions designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting your annual risk analysis through spreadsheets and other manual methods, it is time to embrace automation and a Security Risk Analysis software solution. Designed to control costs, a cloud-based Security Risk Analysis solution automates 78% of the manual labor needed to calculate risk for organizations of all sizes.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

About Steven Marco
Steven Marco is the President of HIPAA One®, a leading provider of HIPAA Risk Assessment software for practices of all sizes. HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices. Are you HIPAA Compliant? Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is at risk or learn more at HIPAAOne.com.

What to Expect When You are Expecting: The Challenges of Technology Adoption Across A Dispersed Organization – Breakaway Thinking

Posted on October 26, 2016

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Imagine you have just installed your new clinical information system. Everyone has been waiting for months and excitement has peaked; the big day is right around the corner. Go live is coming and all the organizational sites are prepared for the new workflows and application. The application goes live and suddenly everyone needs help, support is inundated, and it becomes apparent that the expectations were not aligned to the reality of preparedness.

All too often this is a common scenario for organizations that are dispersed over large geographic areas. Adopting healthcare technology is difficult in a singular location, but certain challenges are uniquely amplified when an organization is dispersed. What challenges can you expect related to adoption and learning, and what can you do to ensure you are prepared?

Expect a greater emphasis on change management
As HIMSS reports, individual sites may fight the loss of autonomy as everyone is brought to a standard application or workflow. Each location has developed their own way of using the legacy application, and they must now learn new procedures and processes in addition to a new application. Multiple locations present multiple groups to manage at a distance, without the ability of physical project team members to be present at all locations throughout the adoption process.

Expect deviations from best practice and follow-up learning
Medical Economics recommends that learning continues beyond the initial go live. Staff will deviate from the best practice workflows as they forget less common tasks, and learn to navigate and use the application in different ways. Deviation from workflows introduces inefficiencies, dependency for support, and impedes the ability of staff to rotate between locations because the experience differs. Anticipate a need to provide follow up learning that reinforces best practices and helps avoid poor use of the application.

Expect each location will need onsite support
During go live, staff will often forget where to start and need a source to turn to when they forget a step in the new application and workflow they are using. However, it is very expensive and likely impractical to have a project team available at each location. Instead, providing assistance through super users and clinical champions along with easily referenced education materials will provide accessible onsite support for most issues.

What can you do?

Bring local leadership into decision making
Regional and local leaders can clarify the unique needs and constraints of their site when selecting applications and designing workflows. Whether equipment varies at each site or there are different service offerings, there are multiple benefits of involving local leadership. It allows leadership to determine the appropriate level of standardization that still respects the unique needs of each site, consequently removing the necessity to deviate from the standard workflow. Involving local and regional leaders engages them, provides a sense of ownership and cooperation in the project, and will help reduce resistance to change. It is imperative leadership is aligned at all levels, engaged in the adoption process, and supportive of the approach if adoption is to succeed.

Implement and ensure metrics are utilized
Metrics serve as key indicators to progress, knowledge retention, and proficiency, but in dispersed locations metrics also serve as indicators that would otherwise be filled with in-person observation. Metrics show whether a location is developing poor workflow practices or struggling with the change; subsequently metrics indicate whether a site needs additional support or learning. New metrics may be employed, such as surveys to gain feedback from multiple sites that could otherwise be obtained from a meeting or observation.

Follow up with each location often
Some sites will likely be more vocal in their need of support than others. It’s important to follow up with all sites and provide remedial education if metrics indicate a need to do so. Staff may need refresher training if inefficiencies arise, but there may be a root cause such as an educational or workflow gap that was previously unknown. Because adoption is a long-term commitment, it is important to provide continuous availability of learning while sustaining content to support changes to the application and learning needs.

Employ communication from leadership effectively
Effective communication goes a long way in reducing resistance to change. It also provides a channel for feedback and continuous collaboration. Communication should come from executive leaders to show their support of the adoption initiative, but also from local leaders. Staff can’t stop operations in a healthcare setting to join conference calls, and emails aren’t always read, but local leaders are able to directly communicate with staff. A comprehensive set of communications ensures an aligned message at all leadership levels and improves the ability of messages to reach staff.

While these suggestions may help, there is a proven methodology to comprehensively address challenges. At the Breakaway Group, we work with leadership to support engagement and change management at all levels while providing comprehensive sets of communication. Our experienced teams can provide workflow recommendations and develop education directly from the application that is sustained through the life of the partnership. Real-time data and metrics provide indicators of how each location is performing and undergoing change. Regardless of the organizational structure or of what to expect, we employ a methodology to help any organization achieve successful technology adoption and value realization.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Don’t Worry About HIPAA – When Your License Is At-Risk!

Posted on October 24, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
Not long ago I was at an ambulance service for a HIPAA project when one of their paramedics asked what the odds were that his employer would get a HIPAA fine if he talked about one of his patients. I replied that the odds of a HIPAA penalty were very slim compared to him losing his state-issued paramedic license, which would cost him his job and his career. He could also be sued. He had never thought of these risks.

Doctors, dentists, lawyers, accountants, psychologists, nurses, EMTs, paramedics, social workers, mental health counselors, and pharmacists are just some of the professions that have to abide by confidentiality requirements to keep their licenses.

License and ethical requirements mandated patient and client confidentiality long before HIPAA and other confidentiality laws went into effect. HIPAA became effective in 2003, 26 years after I became a New York State certified Emergency Medical Technician (EMT). Way back in 1977, the very first EMT class I took talked about my responsibility to keep patient information confidential, or I would risk losing my certification.

While licensed professionals may not talk about an individual patient or client, weak cybersecurity controls could cause a breach of ALL of their patient and client information – instantly.
Most certified and licensed professionals will agree that they are careful not to talk about patients and clients, but how well do they secure their data? Are their laptops encrypted? Are security patches and updates current? Do they have a business-class firewall protecting their network? Do they have IT security professionals managing their technology?
Lawyers have been sanctioned for breaching confidentiality. Therapists have lost their licenses. In one well-publicized case a psychologist lost his license when a prostitute stole his laptop. In rare cases a confidentiality breach will result in a jail sentence, along with the loss of a license.

Cyber Security Ethics Requirements
Lawyers are bound by ethical rules that apply to confidentiality and competence. The competence requirements typically restrict lawyers from taking cases in unfamiliar areas of the law. However, The American Bar Association has published model guidance that attorneys not competent in the area of cyber security must hire professionals to help them secure their data.

The State Bar of North Dakota adopted technology amendments to its ethics rules in early 2016. The State Bar of Wisconsin has published a guide entitled Cybersecurity and SCR Rules of Professional Conduct. In 2014, The New York State Bar Association adopted Social Media Ethics Guidelines. Lawyers violating these ethical requirements can be sanctioned or disbarred.

A State Bar of Arizona ethics opinion said “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Some licensed professionals argue that their ethical and industry requirements mean they don’t have to comply with other requirements. Ethical obligations do not trump federal and state laws. Lawyers defending health care providers in malpractice cases are HIPAA Business Associates. Doctors that have to comply with HIPAA also must adhere to state data breach laws. Psychiatric counselors, substance abuse therapists, pharmacists, and HIV treatment providers have to comply with multiple federal and state confidentiality laws in addition to their license requirements.

There are some exemptions from confidentiality laws and license requirements when it comes to reporting child abuse, notifying law enforcement when a patient becomes a threat, and in some court proceedings.

While the odds of a federal penalty for a confidentiality breach are pretty slim, it is much more likely that someone will complain to your licensing board and kill your career. Don’t take the chance after all you have gone through to earn your license.

About Mike Semel
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

States Strengthen Data Breach Laws & Regulations

Posted on October 18, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

If your cyber security and compliance program is focused on just one regulation, like HIPAA or banking laws, many steps you are taking are probably wrong.

Since 2015 a number of states have amended their data breach laws, which can affect ALL BUSINESSES, even those out of state, that store information about their residents. The changes address issues identified in breach investigations, and public displeasure with the increasing number of data breaches that can result in identity theft.

Forty-seven states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, protect personally identifiable information, which includes a person’s name plus their Driver’s License number, Social Security Number, and the access information for bank and credit card accounts.

Many organizations mistakenly focus only on the data in their main business application, like an Electronic Health Record system or other database they use for patients or clients. They ignore the fact that e-mails, reports, letters, spreadsheets, scanned images, and other loose documents contain data that is also protected by laws and regulations. These documents can be anywhere – on servers, local PCs, portable laptops, tablets, mobile phones, thumb drives, CDs and DVDs, or somewhere up in the Cloud.

Some businesses also mistakenly believe that moving data to the cloud means that they do not have to have a secure office network. This is a fallacy because your cloud can be accessed by hackers if they can compromise the local devices you use to get to the cloud. In most cases there is local data even though the main business applications are in the cloud. Local computers should have business-class operating systems, with encryption, endpoint protection software, current security patches and updates, and strong physical security. Local networks need business-class firewalls with active intrusion prevention.

States are strengthening their breach laws to make up for weaknesses in HIPAA and other federal regulations. Between a state and federal law, whichever requirement is better for the consumer is what those storing data on that state’s residents (including out of state companies) must follow.

Some states have added to the types of information protected by their data breach reporting laws. Many states give their residents the right to sue organizations for not providing adequate cyber security protection. Many states have instituted faster reporting requirements than federal laws, meaning that an incident management plan based on federal requirements may cause you to miss a shorter state reporting deadline.

In 2014, California began requiring mandatory free identity theft prevention services even when harm cannot be proven. This year Connecticut adopted a similar standard. Tennessee eliminated the encryption safe harbor, meaning that the loss of encrypted data must be reported. Nebraska eliminated the encryption safe harbor if the encryption keys might have been compromised. Illinois is adding medical records to its list of protected information.

Massachusetts requires every business to implement a comprehensive data protection program including a written plan. Texas requires that all businesses that have medical information (not just health care providers and health plans) implement a staff training program.

REGULATIONS

Laws are not the only regulations that can affect businesses.

The New York State Department of Financial Services has proposed that “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” comply with new cyber security regulations. This includes banks, insurance companies, investment houses, charities, and even covers organizations like car dealers and mortgage companies who handle consumer financial information.

The new rule will require:

  • A risk analysis
  • An annual penetration test and quarterly vulnerability assessments
  • Implementation of a cyber event detection system
  • Appointing a Chief Information Security Officer (and maintaining compliance responsibility if outsourcing the function)
  • System logging and event management
  • A comprehensive security program including policies, procedures, and evidence of compliance

Any organization connected to the Texas Department of Health & Human Services must agree to its Data Use Agreement, which requires that a suspected breach of some of its information be reported within ONE HOUR of discovery.

MEDICAL RECORDS

People often assume that their medical records are protected by HIPAA wherever they are, and are surprised to find out this is not the case. HIPAA only covers organizations that bill electronically for health care services, validate coverage, or act as health plans (which also includes companies that self-fund their health plans).

  • Doctors that only accept cash do not have to comply with HIPAA.
  • Companies like fitness centers and massage therapists collect your medical information but are not covered by HIPAA because they do not bill health plans.
  • Health information in employment records is exempt from HIPAA, like letters from doctors excusing an employee after an injury or illness.
  • Workers Compensation records are exempt from HIPAA.

Some states protect medical information with every entity that may store it. This means that every business must protect medical information it stores, and must report it if it is lost, stolen, or accessed by an unauthorized person.

  • Arkansas
  • California
  • Connecticut
  • Florida
  • Illinois (beginning January 1, 2017)
  • Massachusetts
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Puerto Rico
  • Rhode Island
  • Texas
  • Virginia
  • Wyoming

Most organizations are not aware that they are governed by so many laws and regulations. They don’t realize that information about their employees and other workforce members is covered. Charities don’t realize the risks they have protecting donor information, or the impact on donations a breach can cause when it becomes public.

We have worked with many healthcare and financial organizations, as well as charities and general businesses, to build cyber security programs that comply with federal and state laws, industry regulations, contractual obligations, and insurance policy requirements. We have been certified in our compliance with the federal NIST Cyber Security Framework (CSF) and have helped others adopt this security framework, which is gaining rapid acceptance.


Patients Want the Ultimate Experience – Convenient, Considerate, and Compassionate

Posted on October 13, 2016 I Written By

The following is a guest blog post by Chelsea Kimbrough, a copywriter for Stericycle Communication Solutions as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms
For many patients – myself included – braving the doctor’s office can be a difficult, scary task. So, when I moved to a new state, I put off finding a new healthcare clinic. My procrastination recently turned to panic when the time for an annual wellness check arrived.

After researching local providers, reading countless patient reviews, and cross-examining healthcare capabilities, I hesitantly scheduled an appointment. When the appointment finally passed, I was surprised to not only enjoy the experience, but to confidently schedule another. Here’s why:

  1. They offered patient-friendly online self-scheduling. With a majority of my weekdays absorbed by work, I had little opportunity to make phone calls. But with the option of online self-scheduling, I was able to schedule an appointment at a time and in a way that worked best for me.
  2. They ensured I was aware of and prepared for my upcoming appointment. I received a text message prompting my appointment confirmation and an email outlining what I needed for the appointment. Both these nontraditional communications supported my appointment’s success.
  3. My wait time was minimal. From the moment I arrived, I was met with friendly, courteous support. And before leaving the facility, I was able to quickly schedule a follow-up appointment – all of which minimally impacted the remainder of my day.
  4. I received one-on-one, thoughtful attention and service. And for a nervous patient, this was the difference between loyalty and abandonment.
  5. I was able to provide feedback about my experience. Though my feedback was primarily positive, I appreciated that my opinions and experience were valued.

Though online reviews helped me make my initial decision to schedule an appointment, the entire experience is what put my nervousness at ease. From an online self-scheduling option to a post-appointment survey, this organization’s patient-focused approach was both a novel and welcome experience, and is what will ensure I continue trusting my health in their care for years to come.

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms