
Defining the Legal Health Record, Ensuring Quality Health Data, and Managing a Part-Paper Part-Electronic Record – Healthcare Information Governance

Posted on January 20, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of Iron Mountain’s Healthcare Information Governance: Big Picture Predictions and Perspectives Series which looks at the key trends impacting Healthcare Information Governance. Be sure to check out all the entries in this series.

Healthcare information governance (IG) has been important ever since doctors started tracking their patients in paper charts. However, over the past few years, adoption of EHR and other healthcare IT systems has exploded and provided a myriad of new opportunities and challenges associated with governance of a healthcare organization’s information.

Three of the most important health information governance challenges are:
1. Defining the legal health record
2. Ensuring quality health data
3. Managing a part-paper, part-electronic record

Defining the Legal Health Record
In the paper chart world, defining the legal health record was much easier. As we’ve shifted to an electronic world, the volume of data that’s stored in these electronic systems is so much greater. This has created a major need to define what your organization considers the legal health record.

The reality is that each organization now has to define its own legal health record based on CMS and accreditation guidelines, but also based on the specifics of their operation (state laws, EHR options, number of health IT systems, etc). The legal health record will only be a subset of the data that’s being stored by an EHR or other IT system and you’ll need to involve a wide group of people from your organization to define the legal health record.

Doing so is going to become increasingly important. Without a clearly defined legal health record, you’re going to produce an inconsistent release of information. This can lead to major liability issues in court cases where you produce inconsistent records, but it’s also important to be consistent when releasing health information to other doctors or even auditors.

One challenge we face in this regard is ensuring that EHR vendors provide a consistent and usable data output. A lot of thought has been put into how data is inputted into the EHR, but not nearly as much effort has been put into the way an EHR outputs that data. This is a major health information governance challenge that needs to be addressed. Similarly, most EHR vendors haven’t put much thought and effort into data retention either. Retention policies are an important part of defining your legal health record, but your policy is subject to the capabilities of the EHR.

Working with your EHR and other healthcare IT vendors to ensure they can produce a consistent legal health record is one strategic imperative that every healthcare organization should have on their list.

Ensuring Quality Health Data
The future of healthcare is very much going to be data driven. Payments to ACO organizations are going to depend on data. The quality of care you provide using Clinical Decision Support (CDS) systems is going to rely on the quality of data being used. Organizations are going to have new liability concerns that revolve around their organization’s data quality. Real time data interoperability is going to become a reality and everyone’s going to see everyone else’s data without a middleman first checking and verifying the quality of the data before it’s sent.

A great health information governance program led by a clinical documentation improvement (CDI) program is going to be a key first step for every organization. Quality data doesn’t happen overnight, but requires a concerted effort over time. Organizations need to start now if they want to be successful in the coming data driven healthcare world.

Managing a Part-Paper Part-Electronic Record
The health information world is becoming infinitely more complex. Not only do you have new electronic systems that store massive amounts of data, but we’re still required to maintain legacy systems and those old paper charts. Each of these requires time and attention to manage properly.

While we’d all love to just turn off legacy systems and dispose of old paper charts, data retention laws often mean that both of these will be part of every healthcare organization for many years to come. Unfortunately, most health IT project plans don’t account for ongoing management of these old but important data sources. This inattention often results in increased costs and risks associated with these legacy systems and paper charts.

It should be strategically important for every organization to have a sound governance plan for both legacy IT systems and paper charts. Ignorance is not bliss when one of these information sources is breached because your organization had “forgotten” about them.

The future of reimbursement, costs, quality of care, and liability in healthcare are all going to be linked to an organization’s data. Making sure your data governance house is in order is going to be a major component in the success or failure of your organization. A good place to start is defining the legal health record, ensuring quality health data, and managing a part-paper part-electronic record.

Join our Twitter Chat: “Healthcare IG Predictions & Perspectives”

On January 28th at 12:00 pm Eastern, @IronMtnHealth is hosting a Twitter chat using #InfoTalk to further the dialog. If you have been involved in governance-related projects, we’d love to have you join. What IG initiatives have shown success for you? How have you overcome any obstacles? What do you see as the future of IG? Keep the conversation going during our “Healthcare IG Predictions & Perspectives” #InfoTalk at 12pm Eastern on January 28th.

The Value of an Integrated Specialty EHR Approach

Posted on January 19, 2015 I Written By

John Lynn

As many of you know, I’ve long been an advocate for the specialty specific EHR. There are just tremendous advantages in having an EHR that’s focused only on your specialty. Then, you don’t get things like child growth charts cluttering your EHR when you don’t see any children. Or taken the other way, you have child growth charts that are designed specifically for a pediatrician. This can be applied across pretty much every industry.

The reason that many organizations don’t go with a specialty specific EHR is usually because they’re a large multi specialty organization. These organizations don’t want to have 30 different EHR vendors that they have to support. Therefore, in their RFP they basically exclude specialty specific EHR vendors from their EHR selection process.

I understand from an IT support perspective and EHR implementation perspective how having 30 different EHR implementations would be a major challenge. However, it’s also a challenge to try and get one EHR vendor to work for 30+ specialties as well. Plus, the long term consequence is physician and other EHR user dissatisfaction using an EHR that wasn’t designed for their specialty. The real decision these organizations are making is whether they want to put the burden on the IT staff (i.e. supporting multiple EHRs) or whether they want to put the burden on the doctors (i.e. using an EHR that doesn’t meet their needs). In large organizations, it seems that they’re making the decision to put the burden on the doctors as opposed to the IT staff. Although, I don’t think many organizations realize that this is the choice they’re making.

Specialty EHR vendor, gMed, recently put out a whitepaper which does an analysis and a kind of case study on the differences between an integrated GI practice and a non-integrated GI practice. In this case, they’re talking about an EHR that’s integrated with an ambulatory surgery center and one that’s not. That’s a big deal for a specialty like GI. You can download the free whitepaper to get all the juicy details and differences between an integrated GI practice and one that’s not.

I’ve been seeing more and more doctors starting to talk about their displeasure with their EHR. I think much of that displeasure comes thanks to meaningful use and reimbursement requirements, but I also think that many are suffering under an EHR that really doesn’t understand their specialty. In my experience, for those EHR vendors that claim to support every specialty, that support usually consists of one support rep for that specialty and a few months programming sprint to try and provide something special for that specialty. That’s very different than a whole team of developers and every customer support person at the company devoted to a specialty.

I’m not saying that an EHR can’t do more than one specialty, but doing 5 somewhat related specialties is still very different than trying to do the 40+ medical specialties with one interface. One challenge with the best of breed approach is that there are some specialties which don’t have an EHR that’s focused just on them. In that case, you may have to use the every specialty EHR.

What’s clear to me is that most large multi specialty organizations are choosing the all-in-one EHR systems in their offices. I wonder if force feeding an EHR into a specialty where it doesn’t fit is going to eventually lead to a physician revolt back to specialty specific EHRs. Physician dissatisfaction, liability issues, and improved interoperability could make the best of breed approach much more attractive to even the large organizations. Even if it means they back into a best of breed approach after trying the one-size-fits all approach to EHR.

I’ll be interested to watch this dynamic playing out. Plus, you have the specialty doctors coming together in mega groups in order to combat against this as well. What do you think is going to happen with specialty EHR? Should organizations be doing a best of breed approach or the one-size-fits all EHR? What are the consequences (good and bad) of either direction?

Full Disclosure: gMed is an advertiser on this site.

Never Sell Your EHR Company – According to eCW Founder

Posted on January 16, 2015 I Written By

John Lynn

I recently came across an interesting article in Entrepreneur magazine authored by Girish Navani, CEO and Co-founder of eClinicalWorks. If you read this site, you no doubt are familiar with the quite popular eCW EHR software. In this article Girish gives some interesting insight into the future of eCW as a company:

After grad school, I set out to create my own version of my father’s bridge. After working many odd jobs developing software, I created credit check software for an acquaintance’s business. This made him a lot of money, which prompted me to ask (perhaps naively) for a share of the profit. I had developed a very successful facet of the company – didn’t I deserve it? His response surprised me, but I will never forget it. He said, “If you build something you like, don’t sell it.”

Twenty years later, I still remember my acquaintance’s advice. For that reason, my company, eClinicalWorks is, and always will be, a privately-held company. I have no interest in selling it, regardless of any offer I may get. In addition, we don’t use investor cash or spend money we don’t have.

This is not a philosophy that is unique to eCW. #1 on Epic’s list of principles is “Do not go public.” I imagine that Judy Faulkner (CEO of Epic) has a somewhat similar philosophy to Girish. There are certainly a lot of advantages to not going public and most of them get down to control. I’ll never forget when I heard one of the Marriott children talk about their decision to stay a private company. He said that Marriott would likely be a lot bigger if they had become a public company, but they would have lost a lot of the company culture if they’d chosen to do so.

I imagine this is a similar feeling that Epic and eCW share. However, there’s also some accountability that comes with being a public company as well. It’s not easy for an organization to assess the financial well being of a private company. During the golden age of EHR which we just experienced, that hasn’t been an issue for either eCW or Epic. However, as we exit this golden age of EHR that was propped up by $36 billion in government stimulus money, the financial future may be quite different.

As in most things in life, there are pros and cons to staying private or going public. It’s interesting that two of the major EHR players (eCW and Epic) have made it clear that they have no interest in ever going public. We’ll see how that plays out long term.

Top 4 HIT Challenges and Opportunities for Healthcare Organizations in 2015 – Breakaway Thinking

Posted on January 15, 2015 I Written By

The following is a guest blog post by Mitchell Woll, Instructional Designer at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Healthcare organizations face numerous challenges in 2015: ICD-10 implementation, HIPAA compliance, new Meaningful Use objectives, and the Office of the National Coordinator’s (ONC) interoperability road map.  To adapt successfully, organizations must take advantage of numerous opportunities to prepare.

Healthcare leaders must thoroughly assess, prioritize, prepare, and execute in each area:

  1. Meaningful Use Stage 2 objectives require increased patient engagement and reporting for a full year before earning incentives.
  2. The ONC’s interoperability road map demands a new framework to achieve successful information flow between healthcare systems over the next ten years.
  3. There are 10 months left in which to prepare for the October 1 ICD-10 deadline.
  4. HIPAA compliance will be audited.

1. Meaningful Use
For those who have already implemented an EHR, Meaningful Use Stage 2 focuses new efforts on patient access to personal health data and emphasizes the exchange of health information between patient and providers. Stage 2 also imposes financial penalties for failure to meet requirements.

CMS’s latest deadline for Stage 2 extends through 2016, so healthcare organizations have additional time to fulfill Stage 2 requirements. Stage 3 requirements begin in 2017, so healthcare organizations should take the extra time to build interoperability and foster an internal culture of collaboration between providers and patients. For Stage 3, Medicare incentives will not apply in 2017 and EHR penalties will rise to 3 percent.

CMS has also proposed a 2015 EHR certification, which requests interoperability enhancement to support transitions of care.  Complying with this certification is voluntary, but provides the opportunity to become certified for Medicare and Medicaid EHR incentive programs at the same time.

Meaningful Use Stage 2 and the ONC roadmap require that 2015 efforts concentrate on interoperability. Healthcare organizations should prepare for health information exchange by focusing efforts on building patient portals and integrating communications by automating phone, text, and e-mail messages. After setting up successful exchange methods, healthcare organizations should train staff how to use patient portals. The delay in Stage 2 means providers have more time to become comfortable using the technology to correspond with patients. Hospitals should also educate patients about these resources, describing the benefits of collaboration between providers and patients. Positive collaboration and successful data exchange helps achieve desired health outcomes faster.

2. Interoperability
The three-year goal of the ONC’s 10-year roadmap is for providers and patients to be able to send, receive, find, and use basic health information. The six and ten-year goals then build on the initial objectives, improving interoperability into the future.

Congress has also shown initiative on promoting interoperability, asking the ONC to investigate information blocking by EHRs. Most of the ONC’s roadmap for the next three years is similar to Meaningful Use Stage 2 goals.

Sixty-four percent of Americans do not use patient portals, so for 2015 healthcare organizations should focus on creating them, refining their workflows, and encouraging patients to use them. Additionally, 35 percent of patients said they are unaware of patient portals, while 31 percent said their physician has never mentioned them. Fifty-six percent of patients ages 55-64, and 46 percent of patients 65 and older, said they would access medical information more if it were available online. Hospitals need their own staff to use and promote patient portals in order to conquer the challenges of interoperability and Stage 2.

3. HIPAA Compliance
In 2015, the Office of the Inspector General (OIG) will audit EHR use, looking closely at HIPAA security, incentive payments, possible fraud, and contingency plan requirements. Also during the HIPAA compliance audit, the Office of Civil Rights (OCR) will confirm whether hospitals’ policies and procedures meet updated security criteria.  Healthcare organizations should take this opportunity to verify compliance with 2013 HIPAA standards to prepare for upcoming audits. Many helpful resources exist, including HIPAA compliance toolkits, available from several publishers. These kits include advice on privacy and security models. Healthcare organizations and leaders can also take advantage of online education, or hire consultants to help review and implement the necessary measures. It’s important that action be taken now to educate staff about personal health information security and how to remain HIPAA compliant.

4. ICD-10 Deadline
The new ICD-10 deadline comes as no surprise now that it was delayed several times. In July 2014, the US Department of Health and Human Services (HHS) implemented the most recent delay and set a new date of Oct. 1, 2015, giving hospitals a 10-month window to prepare for the eventual ICD-10 rollout. Because healthcare organizations are more adaptable than ever, they can use their practiced flexibility and experience to meet these demands successfully.

As Health Information and Management Systems Society (HIMSS) suggests, communication, education and testing must be part of an ICD-10 implementation plan. Informing internal staff and external partners of the transition is a crucial first step. ICD-10 should be tested internally and externally to verify the system works with the new codes before the transition. Healthcare organizations should outline and develop an ICD-10 training program by selecting a training team and assessing the populations who need ICD-10 education. They should perform a gap analysis to understand the training needed and utilize role-based training to educate the proper populations. Finally, organizations should establish the training delivery method, whether online, in the classroom, one-on-one, or some combination of these to teach different topics or levels of proficiency. In my experience at The Breakaway Group, I’ve seen that the most effective and efficient education is role-based, readily-accessible, and offers learners hands-on experience performing tasks essential to their role. This type of targeted education ensures learners are proficient before the implementation. As with any go-live event, healthcare organizations must prepare and deliver the new environment, providing support throughout the event and beyond.

Facing 2015
These challenges require the same preparation, willingness, and audacity needed for prior HIT successes, including EHR implementation and meeting Meaningful Use Stage 1 requirements. ICD-10, HIPAA compliance, Stage 2, and interoperability all have the element of education in common. Healthcare organizations and leaders should apply the same tenacity and discipline to inform, educate, and prepare clinicians for upcoming obligations.

Targeted role-based education will best ensure proficiency and avoid comprehensive, costly, and time-consuming system training. Through role-based education, healthcare organizations gain more knowledgeable personnel who are up to speed on new applications. These organizations probably already have at least a foundation for 2015 expectations, and they should continue to recall the strategies used for prior go-live events. What was successful? It’s important to plan to replicate successful strategies, alleviating processes that caused problems. This is a great opportunity to capitalize on efforts for organizational improvements. Healthcare leaders must let the necessity of 2015 government requirements inspire invention and innovation, ultimately strengthening their organizations.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

De-Identification of Data in Healthcare

Posted on January 14, 2015 I Written By

John Lynn

Today I had a chance to sit down with Khaled El Emam, PhD, CEO and Founder of Privacy Analytics, to talk about healthcare data and the de-identification of that healthcare data. Data is at the center of the future of healthcare IT and so I was interested to hear Khaled’s perspectives on how to manage the privacy and security of that data when you’re working with massive healthcare data sets.

Khaled and I started off the conversation talking about whether healthcare data could indeed be de-identified or not. My favorite Patient Privacy Rights advocate, Deborah C. Peel, MD, has often made the case for why supposedly de-identified healthcare data is not really private or secure since it can be re-identified. So, I posed that question to Khaled and he suggested that Dr. Peel is only telling part of the story when she references stories where healthcare data has been re-identified.

Khaled makes the argument that in all of the cases where healthcare data has been reidentified, it was because those organizations did a poor job of de-identifying the data. He acknowledges that many healthcare organizations don’t do a good job de-identifying healthcare data and so it is a major problem that Dr. Peel should be highlighting. However, just because one organization does a poor job de-identifying data, that doesn’t mean that proper de-identification of healthcare data should be thrown out.

This kind of reminds me of when people ask me if EHR software is secure. My answer is always that EHR software can be more secure than paper charts. However, it depends on how well the EHR vendor and the healthcare organization’s staff have done at implementing security procedures. When it’s done right, an EHR is very secure. When it’s done wrong, an EHR could be very insecure. Khaled is making a similar argument when it comes to de-identified health data.

Khaled did acknowledge that the risks are never going to be 0. However, if you de-identify healthcare data using proper techniques, the risks are small enough that they are similar to the risks we take every day with our healthcare data. I think this is an important point since the reality is that organizations are going to access and use healthcare data. That is not going to stop. I really don’t think there’s any debate on this. Therefore, our focus should be on minimizing the risks associated with this healthcare data sharing. Plus, we should hold organizations accountable for the healthcare data sharing they’re doing.

Khaled also suggested that one of the challenges the healthcare industry faces with de-identifying healthcare data is that there’s a shortage of skilled professionals who know how to do it properly. I’d suggest that many who are faced with de-identifying data have the right intent, but likely lack the skills needed to ensure that the healthcare data de-identification is done properly. This isn’t a problem that will be solved easily, but should be helped as data security and privacy become more important.

What do you think of de-identification in healthcare? Is the way it’s being done a problem today? I see no end to the use of data in healthcare, and so we really need to make sure we’re de-identifying healthcare data properly.

EHR Computer Setup

Posted on January 6, 2015 I Written By

John Lynn

I recently had a doctor’s visit at a local quick care. When I go to these visits, it’s almost like work since I’m interested in what EHR they’re using and what they think of the EHR, meaningful use, government money, ICD-10, etc.

In this case, the organization had an EHR for half of the work they did, but were still on paper for the other half. However, they were switching all of their work over to a new EHR the next week. I think they told me they gave them a couple hours of training to learn the new system (good luck with that).

While I was waiting in the exam room, I saw this wall mounted computer setup (pictured below):

EHR Wall Computer Setup

Obviously you can tell that this wall mounted computer wasn’t being used yet. It must have come with the new EHR roll out. I’ll be interested to go back again in the future and see how this computer is used. I’m a big proponent of computers in the room. Plus, this looks like a pretty good setup that stays out of the way when needed. Although, I wonder if the ergonomics of this setup will catch up with the clinic.

How do you have the computers setup in your exam rooms? I’d love to hear what you’re doing or even see pictures of your exam room computer setup. Do you just use a tablet or laptop you carry around with you? Let’s see some more examples.

“Blended” Super User Team

Posted on December 31, 2014 I Written By

John Lynn

At a conference I attended this Fall, I heard one person describe the “blended” super user team that they used during their EHR implementation. This is such a valuable idea for any EHR implementation. Having each area’s input can really improve your probability for success. The various viewpoints will help you avoid major issues that could hijack or completely derail your EHR implementation.

The key thing you have to do with a blended super user team is to make sure you don’t demean the feedback, comments, and suggestions of anyone on the team. If you demean or belittle many of the people mentioned (technical, front desk, HIM, nurses, etc), then they’ll shut down and end up being a thorn in the side of your EHR implementation as opposed to a support. However, if you thoughtfully listen to, consider, and appreciate the feedback from all of these people, then you’ll be able to benefit from their ongoing support and insights in the process. I’ve seen both things happen and it’s not pretty for anyone when the staff feel alienated. It can get really ugly.

It turns out these “blended” super user teams are also what you need to optimize your EHR implementation as well. Sometimes that can be the same people that were part of the EHR implementation super team, but you also want to integrate other voices to the conversation as well.

Many doctors love to just pour as much work as possible on their staff. Indeed, you want to have everyone in your organization working to the highest level of their license. You also want to make sure you’re utilizing your most expensive resource (usually the doctor) in the most effective way possible. However, if you only focus on optimizing the doctor’s time and not the rest of the staff, that will eventually catch up with you. Once it catches up with you, the doctor will be doing work they don’t want to do, the other staff will feel overworked and no one will be happy.

You have to optimize the entire EHR spectrum to get the most value out of your EHR investment.

Wearables And Mobile Apps Pose New Data Security Risks

Posted on December 30, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In the early days of mobile health apps and wearable medical devices, providers weren’t sure they could cope with yet another data stream. But as the uptake of these apps and devices has grown over the last two years, at a rate surpassing virtually everyone’s expectations, providers and payers both have had to plan for a day when wearable and smartphone app data become part of the standard dataflow. The potentially billion-dollar question is whether they can figure out when, where and how they need to secure such data.

To do that, providers are going to have to face up to new security risks that they haven’t faced before, as well as doing a good job of educating patients on when such data is HIPAA-protected and when it isn’t. While I am most assuredly not an attorney, wiser legal heads than mine have reported that once wearable/app data is used by providers, it’s protected by HIPAA safeguards, but in other situations — such as when it’s gathered by employers or payers — it may not be protected.

For an example of the gray areas that bedevil mobile health data security, consider the case of upstart health insurance provider Oscar Health, which recently offered free Misfit Flash bands to its members. The company’s leaders have promised members that use the bands that if their collected activity numbers look good, they’ll offer roughly $240 off their annual premium. And they’ve promised that the data will be used for diagnostics or any other medical purpose. This promise may be worthless, however, if they are still legally free to resell this data to, say, pharmaceutical companies.

Logical and physical security

Meanwhile, even if providers, payers and employers are very cautious about violating patients’ privacy, their careful policies will be worth little if they don’t take a look at managing the logical and physical security risks inherent in passing around so much data across multiple Wi-Fi, 4G and corporate networks.

While it’s not yet clear what the real vulnerabilities are in shipping such data from place to place, it’s clear that new security holes will pop up as smartphone and wearable health devices ramp up to sharing data on a massive scale. In an industry that is still struggling with BYOD security, which means corralling data that facilities already work with on a daily basis, protecting and appropriately segregating connected health data is going to pose an even bigger challenge.

After all, every time you begin to rely on a new network model which involves new data handoff patterns (in this case wired medical devices or wearables streaming data to smartphones across Wi-Fi networks, smartphones forwarding data to providers via 4G LTE cellular protocols, and providers processing the data via corporate networks), there has to be a host of security issues we haven’t found yet.

Cybersecurity problems could lead to mHealth setbacks

Worst of all, hospitals’ and medical practices’ cyber security protocols are quite weak (as researcher after researcher has pointed out of late). Particularly given how valuable medical identity data has become, healthcare organizations need to work harder to protect their cyber assets and see to it that they’ve at least caught the obvious holes.

But to date, if our experiences with medical device security are any indication, not only are hospitals and practices vulnerable to standard cyber hacks on network assets, they’re also finding it difficult to protect the core medical devices needed to diagnose and treat patients, such as MRI machines, infusion pumps and even, in theory, personal gear like pacemakers and insulin pumps. It doesn’t inspire much confidence that the Conficker worm, which attacked medical devices across the world several years ago, is still alive and kicking, and in fact, accounted for 31% of the year’s top security threats.

If malevolent outsiders mount attacks on the flow of connected health data, and succeed at stealing it, not only is it a brand-new headache for healthcare IT administrators, it could create a crisis of confidence among mHealth shareholders. In other words, while patients, providers, payers, employers and even pharmaceutical companies seem comfortable with the idea of tapping digital health data, major hacks into that data could slow the progress of such solutions considerably. Let’s hope those who focus on health IT security take the threat to wearables and smartphone health app data seriously going into 2015.

Elder Care, EMR to Control Doctors, and EMR to Educate Med Students

Posted on December 28, 2014 | Written By John Lynn


I think the elder care market is going to be a great opportunity. However, I wonder if we’re currently ahead of the curve. You have to make so many compromises to really do well in the elder care market. 5-10 years from now you won’t have to make those compromises.


I can definitely see this. I think that EMR can also be used to hold people accountable. Your view on these depends on your position in healthcare and who’s using them to control you or hold you accountable.


I really love this concept and I love it paired with the previous tweet. EMR documentation templates can create a framework for med students to learn. Many worry that it will create robotic doctors, but I don’t think that is the case. Implemented properly, it can help med students be less robotic and more effective.

Meaningful Use Created A Big Need for Certified MAs

Posted on December 26, 2014 | Written By John Lynn

One of the changes that as best I can tell has come from meaningful use (if there are other forces at play, I’d love to hear them) is the push to use certified MAs. A whole cottage industry has sprung up around certifying MAs. In fact, I even know some EHR vendors who are certifying MAs because it’s such an important need.

Now when I say need, I use that word lightly. It’s a need because meaningful use requires that many of the MAs be certified in order for that MA to participate in many aspects of the meaningful use program. The EHR vendors that are doing it likely don’t want to be in this business at all. However, for their customers to be successful with meaningful use, they need their MAs to be certified.

Certainly there are ways for a doctor to attest to meaningful use without using certified MAs. For example, if you use RNs, then their RN certification is sufficient to meet the needs of meaningful use. Plus, you can have MAs do some tasks in the office that aren’t impacted by meaningful use. However, if you’re using an MA in your office and want to attest to meaningful use, you probably need to have that MA certified.

I’ll admit that I’m not an expert on the MA certification, but I can’t imagine that this new MA certification improves the quality of care that a patient receives in the office. I’d love to be proven wrong on this. Does your office provide better patient care because you now have a group of certified MAs as opposed to non-certified MAs? I just don’t see a short certification like the one that’s required making a huge difference.

Chalk this up to one more layer of bureaucracy and hoop jumping that’s required for a clinic. When will we start really focusing on the value of something? Is there a value to these certified MAs that I’m missing? If so, I’d love to hear about it.