
“Please Choose One” – A Short Story

Posted on February 25, 2015 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Every once in a while I come across a piece of healthcare prose that I have to share, but there’s no good way to share it in pieces. I found that once in The Old Man and the Doctor Fable. It’s a must read if you haven’t read it.

I recently had another such example shared with me called “Please Choose One”. This one took me a second to really get into, but about a quarter of the way through I couldn’t stop reading and had to find out how it ended. I’m sure that many physicians will feel the heartache shared in this short story. Thank you, Philip Allen Green, MD, for sharing. If you haven’t gone and read it, go read it…we’ll be back here once you’re done.

Obviously, the story is told in an exaggerated worst-case-scenario fashion, although to me that’s exactly what illustrates the point so well. The lesson I took from the story is that we can’t take the human out of healthcare. Technology should help us offer more humanity to patients, not less. Furthermore, we’re at risk of doing the opposite.

What’s your takeaway? I’d love to hear your thoughts on the story.

Thinking About Future EHR Switching When Purchasing EHR Software

Posted on February 24, 2015 | Written by John Lynn

When we start purchasing our EHR, many times we don’t spend enough time thinking about what happens when we reach the end of life for the software we’re purchasing. I was particularly reminded of this when writing my post about the legacy EHR ticking time bombs. During our EHR or other healthcare IT software purchase, we don’t think about 5, 10, 15 years down the road when we might want to switch systems. What happens at the end of a system’s life is not our concern during an EHR purchase, but it should be.

A lot of people like to talk about EHR data portability. This is a very important subject when you’re looking to sunset an old system. However, if you haven’t put the right items in your EHR contract, it becomes a major issue for you to get that data out of the EHR. If you haven’t read the section on EHR contracts in my now somewhat dated EMR selection e-Book, take some time to read it over and check out your EHR contract.

When you can’t get the data out of your EHR, you’re stuck in the situation I described in my legacy EHR ticking time bomb post. You limp your legacy EHR system along, have issues with updates, fear losing the system completely, and much more. It’s just an ugly situation.

It’s nice to think that an EHR system will just work forever, but technology changes. It’s just the reality of life. I’m interested to see if the concept of an EHR vendor neutral archive will really take off. That would be one major way to combat this. However, I think many are afraid of this option because it’s tough to preserve the granular data elements in the EHR. Plus, it takes a forward-thinking CIO to be able to make the investment in it, although I’ve met some who are doing just that.

What has your organization done to prepare for the day that you’ll sunset your EHR or other healthcare IT systems? Is this a concern for you? Or are you like some CIOs who figure that it will be someone else’s problem?

What’s Your Value Based Care Strategy? What Role Does IT Play?

Posted on February 23, 2015 | Written by John Lynn

I pretty regularly take a look at various healthcare IT whitepapers to glean insights into what’s happening in the industry and what advice vendors are offering healthcare organizations. I’ve been keeping a special eye on the changing reimbursement model and move to value based care and so I was interested in this whitepaper titled “How to Win with Value-based Care: Developing Your Practice’s EHR Strategy.”

The whitepaper starts with a dive into some of the changing care and reimbursement models that are emerging in healthcare. Then they offer this 4 step “Winning Strategy” for being ready for these changes:
Step 1: Assess your current situation
Step 2: Develop a customized VBC Plan that’s right for your practice
Step 3: Determine IT solution needs
Step 4: Implementation

In many ways, this 4 step plan could be applied to any project. Of course, the whitepaper dives into a lot more detail for each step. I was struck, though, by step 3. It takes for granted that value based reimbursement will require an IT solution. This whitepaper comes from a healthcare IT company with some value based IT product offerings, so you have to question whether IT will really be at the core of a practice’s value based care strategy or not.

As I think about the future of coordinated care and value based reimbursement, I think it’s more than fair to say that technology will be at the center of these initiatives. Value based care requires data to prove the quality of the care you’re providing. Certainly you could try and collect some of this data on paper, but does anyone think this is reasonable?

Try identifying all overweight patients in your patient population using paper charts. I can see in my mind’s eye an army of medical records professionals sifting through stacks of paper charts. It’s not a pretty solution and it’s fraught with error. On an EHR system, that’s one query.

One of the biggest elements of value based reimbursement will be communication with patients. Can we build that real time communication on the back of snail mail? It sounds almost silly talking about it. Of course we’re going to use mobile devices, secure messages, and even secure video communication. We still have A LOT of work to do in this regard, but it’s the future.

Of course technology is going to be at the core of value based reimbursement. It’s the only way to accomplish what we’re striving to accomplish. The next question is: will the EHR make this possible or are we going to need something new and more advanced?

Are Legacy EHR Systems the HIPAA Ticking Time Bomb?

Posted on February 20, 2015 | Written by John Lynn

Healthcare IT and EHR security is a really important topic right now. Many organizations have started to spend time and resources on this problem after a series of healthcare and non-healthcare breaches, the Anthem breach being the most recent. Overall, this is a great thing for the industry, since I think there’s more that could be done in every organization to shore up the privacy and security of patient health data.

In a recent conversation I had with Mike Semel, we talked about some of the challenges associated with legacy EHR and Healthcare IT systems in offices. Our conversation prompted me to ask whether these legacy EHR systems are the ticking time bombs of many healthcare organizations.

Think about what happens to many of these legacy EHR systems. They get put in some back office or under someone’s desk or in some nondescript closet where they’re largely forgotten. In many cases there are only 1-2 people who regularly use them and in many cases the word “regularly” equates to accessing it a few times a month. These few people are usually not technically savvy and know very little about IT security and privacy.

Do I need to ask the question about how good the security is on a system for which most people have forgotten?

These forgotten systems often don’t get any software updates to the application or the operating system. The former is an issue, but the latter is a major problem. Remember that when updates to an operating system are issued, it’s essentially blasted out to the public that there are issues that a hacker can exploit. If you’re not updating the O/S, these systems make for easy pickings for hackers.

Forget about great audit log tracking and other more advanced security on these legacy systems. In most cases, organizations are just trying to limp them along until they can decommission them and put them out to pasture. It makes for one massive security hole for most organizations.

Of course, this doesn’t even take into account the fear that many organizations have that these systems will just give up the ghost and stop working altogether. There’s nothing quite like security on a Windows 2000 Server box sitting under someone’s desk just waiting for it to die. Hopefully those hard drives and other mechanical elements don’t stop before the data’s end of life requirements.

These legacy systems aren’t pretty and likely present a massive HIPAA privacy and security hole in many organizations. If you don’t have a good handle on your legacy systems, now might be a good time to take a look. Better to do it now than to deal with it after a HIPAA breach or HIPAA audit.

Were Anthem, CHS Cyber Security Breaches Due to Negligence?

Posted on February 19, 2015 | Written by Katherine Rourke

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, health insurance giant Anthem suffered a security breach of historic proportions, one which exposed personal data on as many as 80 million current and former customers. While Anthem is taking steps to repair the public relations damage, it’s beginning to look like even its $100 million cyber security insurance policy is ludicrously inadequate to address what could be an $8B to $16B problem. (That’s assuming, as many cyber security pros do, that it costs $100 to $200 per customer exposed to restore normalcy.)

But the full extent of the healthcare industry hack may be even greater than that. As information begins to filter out about what happened, a Forbes report suggests that the cyber security intrusion at Anthem may be linked to another security breach — exposing 4.5 million records — that took place less than six months ago at Community Health Systems:

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion. (Brian Krebs, “Anthem Breach May Have Started in April, 2014”)

Class action suits against CHS were filed last August, alleging negligence by the hospital giant. Anthem also faces class action suits alleging security negligence in Indiana, California, Alabama and Georgia. But the damage to both companies’ image has already been done, damage that can’t be repaired by even the most favorable legal outcome. (In fact, the longer these cases linger in court, the more time the public has to permanently brand the defendants as having been irresponsible.)

What makes these exploits particularly unfortunate is that they may have been quite preventable. Security experts say Anthem, along with CHS, may well have been hit by a well-known and frequently leveraged vulnerability in the OpenSSL cryptographic software library known as the Heartbleed Bug. A fix for Heartbleed, which was introduced in 2011, has been available since April of last year. Though outside experts haven’t drawn final conclusions, many have surmised that neither Anthem nor CHS made the necessary fix which would have protected them against Heartbleed.

Both companies have released defensive statements contending that these security breaches were due to tremendously sophisticated attacks — something they’d have to do even if a third-grade script kiddie hacked their infrastructure. But the truth is, note security analysts, the attacks almost certainly succeeded because of a serious lack of internal controls.

By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time. (Ken Westin, Senior Security Analyst at Tripwire)

As much these companies would like to convince us that the cyber security breaches weren’t really their fault — that they were victims of exotic hacker gods with otherworldly skills — the bottom line is that this doesn’t seem to be true.

If Anthem and CHS are going to point fingers rather than stiffen up their cyber security protocols, I’d advise that they a) buy a lot more security breach insurance and b) hire a new PR firm. What they’re doing obviously isn’t working.

Mobile Health to Transform Care: The Case for Adoption Now – Breakaway Thinking

Posted on February 18, 2015

The following is a guest blog post by Todd Stansfield from The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Mobile health (mHealth) is here to stay, and you don’t have to look far for proof. Patients now use mHealth to comparison shop basic healthcare services and access test results. Providers use it to increase efficiencies and lower costs. And CIOs use it to get more out of an electronic health record (EHR) while juggling new security challenges from the bring your own device (BYOD) movement.

Perhaps one of mHealth’s greatest areas of impact is providers’ bottom line. A new study finds that baby boomers and millennials prefer providers who incorporate mobile technology into their practices. Seven percent of patients responded that they are willing to leave their current provider for one who offers remote care, a move that could have a significant financial impact on independent physician practices. This is especially clear when considering that an overall 20 percent of patients reported seeing the same doctor for less than 2 years and 14 percent reported not having a doctor. Additionally, the Centers for Medicare & Medicaid Services (CMS) is now offering providers roughly $42 a month to manage care for Medicare patients with two or more chronic conditions in its Chronic Care Management program. These patients comprise two-thirds of Medicare beneficiaries. For practices with 20 eligible patients, that figure translates to over $10,000 per provider per year. Providers must use mHealth to meet some requirements of Chronic Care Management, such as offering 24-7 access to consultation, and companies are now creating technologies to help. Just last month, Qualcomm and Walgreens announced a joint venture to pair medical devices with mobile and web apps to provide remote patient monitoring and transitional care support.

And then there’s efficiency. Another study finds that “the average hospital loses $1.7 million per year due to inefficient care coordination,” according to a HealthIT Analytics article. Providers are finding mobile technology valuable for improving health information exchange and communication, areas underserved by current EHR systems. More providers are text messaging care information rather than communicating face-to-face with colleagues, resulting in more informed care teams and fewer avoidable healthcare errors. Providers are also using mobile devices to enhance real-time patient engagement rather than relying on cumbersome computers to document in the EHR. Often the result is improved patient care, shorter appointments, and more time to see more patients. And besides getting in and out of their provider’s office sooner, patients are also welcoming new efficiencies with real-time access to their medical records via smartphone, a selling point among younger generations pursuing an active role in their care. In a recent survey of Americans, millennials indicated a preference for patient portals that they can access via a smartphone or tablet.

Yet providers should plan carefully when implementing mHealth, as there are major costs for failing to set up robust infrastructures that support safe mobile use. Providers should perform a security risk analysis to ensure the safety of protected health information (PHI). This includes evaluating the security of all mobile devices, tablets and smartphones alike, and ensuring that each device stores, sends, and receives PHI securely using encryption and other methods. Providers must perform this analysis routinely to receive payments under Meaningful Use (MU) and to prevent the ever-growing number of data breaches. Data security has remained a chief concern for healthcare providers and leaders and has largely stifled the widespread adoption of mHealth. This may change as the Department of Health & Human Services plans to offer more guidance to mHealth developers and users for adhering to HIPAA rules, as it recently announced.

Providers must adopt mHealth to survive in today’s competitive marketplace. Not only will they reap the short-term benefits of higher revenues through Chronic Care Management and attracting new patients, but they will also build the secure infrastructure and tools needed for long-term success. mHealth will be critical to population health and health information exchange, two eventual destinations for the healthcare industry. Providers who adopt mHealth now will be ready for when our industry makes the complete shift toward a population-focused, value-based care model.

In my experience at The Breakaway Group, A Xerox Company, effective adoption begins when leaders engage their workforce in the vision and mission of the project; when education is focused, accessible, and targeted; when performance is measured, collected, and analyzed; and when adoption is sustained amid changing technologies and process improvements. For providers to make the transition successfully, healthcare leaders must find and implement technologies that patients and providers want to use. They must provide education that is convenient, focused, and practical for providers, education that spans not only how to optimize the technology but also how to use it safely and in accordance with government regulations. Healthcare leaders must also track performance in quality and efficiency, and highlight areas for improvement. And lastly, they must ensure all efforts are sustained, reinforced, and tailored to changing needs.

mHealth is poised to transform healthcare. It’s no wonder that mHealth raised $1.2 billion in venture capital last year, or more than triple what it raised in 2013. I’d venture to say that a significant share of new patients, new revenues, and new efficiencies will be earned by providers who are going “mobile.”

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

Paper or Electronic – Does Physician Age Matter?

Posted on February 13, 2015

The following is a guest blog post by Jennifer Della’Zanna, medical writer and online instructor for Education2Go.
During the Annual Meeting of the Office of National Coordinator for Health Information Technology (#ONC2015), one of the presenters commented that the new generation of doctors have never seen a paper chart, and they have fundamentally different views about what an electronic health record can do compared to clinicians who worked with paper charts for most of their careers. I was inclined to agree and thought it would be fun to find out what those differences are. Luckily, I have access to doctors of all ages, so I decided to conduct a very non-scientific investigation.

My first victims—er—test subjects happened to be my daughter’s pediatrician and a resident on his rotation. Who could ask for a more perfect situation to test this theory? She was a young resident, and he has been a physician since before I was born. I was surprised, therefore, to hear the same complaints about what was wrong with the electronic health record from both, and no real answers for what they expected from an EHR. Neither was afraid of technology in and of itself, so I considered that factor controlled. Their complaints? The cut/paste feature allows too many errors through (and they had many real-life examples), alert fatigue, and the narrative portions are too long to scroll through. They get hung up on the mistakes and then decide they can find out more, and more quickly, if they just ask the patient for the information again.

Alright, he actually said he hated it, and she didn’t say that, but that was about the only difference. Ideas for what they’d want instead or how the technology should work? Not so much—from either one.

A trauma surgeon friend at Geisinger Medical Center in Pennsylvania recalled her experiences when they first installed an EHR in her hospital. She hated it. You have never seen such hate as when she recalls her first interactions with the system. She is a vocal sort and, eventually, the hospital said to her that they had an opportunity to customize the system to their hospital and asked if she would serve on the consulting committee. She protested that she knew nothing about computers. They told her they didn’t want somebody who knew about computers. They wanted somebody who had definite opinions about how the system could improve clinical workflow.

My friend said yes. Today, she says she can’t imagine practicing medicine without the EHR. She says it makes her a better doctor. For the record, my friend started out in a paper environment, switched to the EHR, but is not really tech savvy at all.

I checked in again with her recently and asked if she saw any real difference between how older docs and her residents use the system. She said that the older docs use it to get information, and the younger docs do things with it. “That’s the reason for the resident minion,” she says. The older docs get their information from the system and tell the minion to do all the things that have to do with CPOE. She says, “I’d never be able to spell ophthalmology correctly in the system in order to get a consultation!”

She agrees that there is some alert fatigue among physicians, but she thinks it definitely keeps patients safer. She also says it’s often a love/hate relationship for most staff members, but that nobody would willingly practice without it again.

So, is adoption of and satisfaction with an EHR a function of age or technical ability or is it something else?

Perhaps it’s specialty. A pediatrician or a family practice doctor sees many different types of problems, usually has a long history with patients, and may have an electronic record much like the old paper records. I’m sure you’ve seen those thick files, bulging with years’ worth of reports and letters and hand-written charts. It seems that the electronic record, in those cases, may be no better than an electronic form of a paper chart. A trauma surgeon, on the other hand, sees a patient for a short period of time, has less information that requires review, probably makes full use of clinical decision tools but hears very few alerts to make decisions about. The patient is seen, operated on, and discharged to another practice (where they have to slog through the narrative details of the patient’s hospital stay).

More likely, EHR satisfaction is simply a matter of not realizing the advantages we have in front of us because of the difficulties we still focus on. Back when the only option was a paper chart, there were plenty of complaints about those, too. At least we no longer have to deal with doctors’ handwriting (and my friend made the case for me about why doctors have such bad handwriting—they can’t spell—but that’s another story).

Are there problems with EHRs that could still stand some fixing up? Of course there are. But, if you had an honest discussion with yourself about whether you’d prefer going back to paper charts, what would your answer be?

Maybe it’s time to crowdsource solutions instead of complaining about the products as they stand today. What do you expect from your EHR, and how can you be part of the solution? By the way, there is one critical element about people who’ve worked with paper charts and those who haven’t—their expectations and ideas about EHRs are equally important!

What’s been your experience with EHR use and the impact of a physician’s age?

About Jennifer Della’Zanna
Jennifer Della’Zanna, MFA, CHDS, CPC, CGSC, CEHRS has worked in the health care industry for 20 years as a medical transcriptionist, receptionist, medical assistant, practice administrator, biller and coding specialist. She has written and edited courses and study guides on medical coding and the use of technology in health care, and she is an associate editor for Plexus magazine. She teaches medical coding, transcription and electronic health record courses and regularly writes feature articles about health issues for online and print publications. Jennifer is active in preparing for the industry transition to ICD-10 as a trainer for the American Academy of Professional Coders (AAPC). You can find Jennifer on Facebook and Twitter.

Are Changes to Meaningful Use Certification Coming?

Posted on February 10, 2015 | Written by John Lynn

I’d been meaning to write about the now infamous letter from the AMA and 20 other associations and organizations to Karen DeSalvo (ONC Chair and Assistant HHS Secretary). I’ve put a list of the organizations and associations that co-signed the letter at the bottom of this post. It’s quite the list.

In the letter they make these recommended changes to the EHR certification program:

1. Decouple EHR certification from the Meaningful Use program;
2. Re-consider alternative software testing methods;
3. Establish greater transparency and uniformity on UCD testing and process results;
4. Incorporate exception handling into EHR certification;
5. Develop C-CDA guidance and tests to support exchange;
6. Seek further stakeholder feedback; and
7. Increase education on EHR implementation.

Unfortunately, I don’t think that many of these suggestions can be done by Karen and ONC. For example, I believe it will take an act of Congress in order to decouple EHR certification from the meaningful use program. I don’t think ONC has the authority to just change that since they’re bound by legislation.

What I do think they could do is dramatically simplify the EHR certification requirements. Some might try to spin it as making the EHR certification irrelevant, but it would actually make the EHR certification more relevant. If it were focused on just a few important things that actually tested the EHR properly for those things, then people would be much more interested in the EHR certification and its success. As it is now, most people just see EHR certification as a way to get EHR incentive money.

I’ll be interested to see if we see any changes in EHR certification. Unfortunately, the government rarely does things to decrease regulation. In some ways, if ONC decreases what EHR certification means, then they’re putting their colleagues out of a job. My only glimmer of hope is that meaningful use stage 3 will become much simpler and, because of that, EHR certification that matches MU stage 3 will be simpler as well. Although, I’m not holding my breath.

What do you think will happen to EHR certification going forward?

Organizations and Associations that Signed the Letter:
American Medical Association
AMDA – The Society for Post-Acute and Long-Term Care Medicine
American Academy of Allergy, Asthma and Immunology
American Academy of Dermatology Association
American Academy of Facial Plastic and Reconstructive Surgery
American Academy of Family Physicians
American Academy of Home Care Medicine
American Academy of Neurology
American Academy of Ophthalmology
American Academy of Otolaryngology—Head and Neck Surgery
American Academy of Physical Medicine and Rehabilitation
American Association of Clinical Endocrinologists
American Association of Neurological Surgeons
American Association of Orthopaedic Surgeons
American College of Allergy, Asthma and Immunology
American College of Emergency Physicians
American College of Osteopathic Surgeons
American College of Physicians
American College of Surgeons
American Congress of Obstetricians and Gynecologists
American Osteopathic Association
American Society for Radiology and Oncology
American Society of Anesthesiologists
American Society of Cataract and Refractive Surgery
American Society of Clinical Oncology
American Society of Nephrology
College of Healthcare Information Management Executives
Congress of Neurological Surgeons
Heart Rhythm Society
Joint Council on Allergy, Asthma and Immunology
Medical Group Management Association
National Association of Spine Specialists
Renal Physicians Association
Society for Cardiovascular Angiography and Interventions
Society for Vascular Surgery

Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Posted on February 5, 2015 | Written by John Lynn

Sutter Health’s California Pacific Medical Center (CPMC) recently announced that an employee had accessed patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation.

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating HIPAA breach. In fact, it starts with the question of whether we should call it a breach at all. In the HIPAA sense it is: the Breach Notification Rule is about impermissible access to or use of protected health information, not about how that access was obtained. In the IT security sense, I can see why people wouldn’t call it a breach, since the employee never got past a control. The system authorized a pharmacist to open those charts; what was missing was a business or treatment reason to open them. That gap between what a role is permitted to see and what a person actually needs to see is exactly where insider snooping lives. Semantics aside, this is a HIPAA issue, and it is almost certainly happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The sheer number of staff means it’s very likely that some users of your IT systems are looking at patient records for which they have no specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper. As if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we had no way to track it. With technology we can now log every record everyone touches and, if someone actually reviews those logs, find the accesses that don’t line up with any treatment relationship. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant of it.
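As an added illustration (not CPMC’s or Sutter Health’s actual audit tooling, and not code from the original post), here is what the “proactive audit” the press release mentions can look like in practice: an EHR access log is compared against documented care relationships (encounters, orders, care-team assignments), and any chart view with no relationship covering that time is flagged for a human reviewer. The log format, the relationship table, the 24-hour grace window and every user and patient identifier are constructed for the example.

```python
"""Flag EHR record accesses with no documented treatment relationship.

Added example, not CPMC's audit logic. The log layout, the relationship
table and the grace window are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: EHR access audit log, one chart view per line.
# Fields: timestamp, user_id, role, patient_id, action
ACCESS_LOG = """\
2014-10-01T08:15:00 u101 pharmacist P001 view_chart
2014-10-01T08:20:00 u101 pharmacist P002 view_chart
2014-10-01T09:05:00 u101 pharmacist P003 view_chart
2014-10-01T09:06:00 u101 pharmacist P004 view_chart
2014-10-01T12:40:00 u202 physician P001 view_chart
2014-10-01T12:45:00 u202 physician P005 view_chart
2014-10-02T02:10:00 u101 pharmacist P006 view_chart
"""

# Constructed sample: documented relationships between a user and a patient
# (an order, an encounter, a care-team assignment) and the window they cover.
# Fields: user_id, patient_id, start, end
RELATIONSHIPS = """\
u101 P001 2014-09-30T00:00:00 2014-10-02T00:00:00
u101 P002 2014-09-30T00:00:00 2014-10-02T00:00:00
u202 P001 2014-10-01T00:00:00 2014-10-03T00:00:00
u202 P005 2014-10-01T00:00:00 2014-10-03T00:00:00
"""

# Slack on either side of a documented relationship, so that chart prep the
# day before an encounter or follow-up the day after is not flagged (assumption).
GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated audit log into Access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return accesses


def parse_relationships(text):
    """Map (user, patient) to the list of time windows that justify access."""
    rel = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, patient, start, end = line.split()
        rel[(user, patient)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return rel


def has_relationship(rel, access, grace=GRACE):
    """True if some documented window (plus grace) covers the access time."""
    for start, end in rel.get((access.user, access.patient), ()):
        if start - grace <= access.ts <= end + grace:
            return True
    return False


def flag_unexplained(accesses, rel):
    """Return the accesses that no documented relationship explains."""
    return [a for a in accesses if not has_relationship(rel, a)]


def summarize_by_user(flagged):
    """Per user: (number of unexplained accesses, number of distinct patients)."""
    counts = defaultdict(lambda: {"accesses": 0, "patients": set()})
    for a in flagged:
        counts[a.user]["accesses"] += 1
        counts[a.user]["patients"].add(a.patient)
    return {u: (v["accesses"], len(v["patients"])) for u, v in counts.items()}


def run():
    """Run the review over the constructed samples."""
    accesses = parse_log(ACCESS_LOG)
    rel = parse_relationships(RELATIONSHIPS)
    flagged = flag_unexplained(accesses, rel)
    return flagged, summarize_by_user(flagged)


if __name__ == "__main__":
    flagged, summary = run()
    for a in flagged:
        print(f"{a.ts.isoformat()} {a.user} ({a.role}) viewed {a.patient}: no documented relationship")
    print(summary)
```

Note what the output is and isn’t: a flagged access is a lead, not a verdict. Undocumented consults, colleagues covering a shift and data-entry lag all produce false positives, which is why CPMC could only say the employee “may have accessed” the records and notified everyone out of caution. The per-user summary is what turns the list into a signal: one unexplained chart view is noise, while one account touching hundreds of unexplained patients is the pattern an investigation starts from.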

With this in mind, I wonder whether we’ll see HIPAA audits aimed at organizations that haven’t reported any violations like the one above. The auditors’ reasoning would be: if you haven’t reported anything, you’re probably not proactively auditing access yourself, so we’ll come in and do it for you. And if you’re not doing that, you’re likely not meeting a whole slew of other HIPAA requirements either. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, you’re probably above average in other areas of HIPAA privacy and security too. Sounds reasonable to me. We’ll see if it plays out that way.

The other lesson from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they will sometimes catch bad actors, and then they need to deal with them.

Healthcare IT software like EHRs has a great ability to track everything that’s done, and it’s only going to get better at it. That’s a good thing, and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to protect the privacy of their patients’ information. I hope we see more organizations like Sutter Health take a proactive approach to the security and privacy of healthcare information.

An EHR Focused On Customer Requests, Not MU

Posted on February 4, 2015 | Written by John Lynn

I love taking email exchanges I have with practicing doctors and making their comments into posts. This is one of those cases. The following is a quote from an email I got from a physician friend of mine about his EHR (EHR name removed):

Every time we turn around these days our EHR vendor is adding some new update. Sometimes the updates change the format of how the system appears and functions, sometimes they don’t. Unfortunately, the people who are still chasing after all the crazy government hoops to jump through and those who are not are all forced to deal with the same EHR software system. I really wish there was a separate system with no crazy upgrades that would function the same way that the system did two years ago. That was a much simpler and more commonsensical system. It’s a really sad case of the government says “jump” and software systems say “how high?”

I believe this physician has stopped taking Medicare patients and has happily avoided meaningful use. However, as his comments illustrate, he hasn’t avoided the impact meaningful use has had on the design of his EHR. And that doesn’t even count the new features this doctor could have gotten if his vendor weren’t busy building all the MU requirements, including the MU reporting and tracking.

His comments about wanting a system that isn’t shaped by MU requirements are timely, since Pri-Med (the company that acquired Amazing Charts) has announced an EHR product called InLight EHR that is not certified and doesn’t do MU. The press release says the EHR is designed for Direct Primary Care. This is a really interesting move by them, and my doctor friend above illustrates why an EHR that isn’t MU certified could work.

One challenge to this idea is that a lot of doctors can’t shun Medicare and meaningful use. So they’ll need to stick with the EHRs that are still chasing the government carrot and avoiding the stick. We’ll see how these two EHR markets evolve.