Welcome to EMR and HIPAA

Think about how wonderful the ability to send a discharge summary by email to a patient straight from your EMR. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.

Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough to make it encrypted. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than their regular mailbox. Either way, without the encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an Email containing for example a patient’s discharge. It would be going across the internet in basically plain text.

This situation actually happened in Austrailia a little while back in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.

I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that allows people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, even more serious of an issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.

We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.

It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.

Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.

The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.

The day is fast approaching for me to present at the Pacific Coast College Health Association conference in Hawaii. In fact, I have less than a month to finish my preparations. I feel pretty good about my ability to present and also my knowledge of EMR, but presenting something always gets my nerves going. I think once I get started talking about EMR, then I won’t be able to stop. My real hope is that the people that attend my session will be interested in what I have to say, find it useful and ask good questions. Honestly, a part of me really wishes that I was a member of a panel where I just answered questions about EMR. I think that would be a lot of fun.

Since it’s not a panel, then I’d love to hear any feedback from people on things I should include in my presentation about “Lessons Learned from EMR Implementation.” I have a ton of things already planned about EMR implementation, but I’m sure there are some important things that I’ve missed. Time has a way of doing that to you.

Either way, I’ll be happy if one person in my session on EMR goes away saying they were better prepared to implement an EMR system, then I’ll be happy.

My previous post about Microsoft’s HealthVault was my initial reaction to the announcement of Microsoft entering the healthcare market. While I still haven’t personally had a chance to really review HealthVault in depth, I still think that this could be one of the biggest announcements in healthcare in a long time. Some people might say that says something about healthcare IT, but I think it is just the beginning of a lot of big players in the technology industry to take a serious look at healthcare IT.

Of course, that would make me happy, because I’m certain that EMR’s and EHR’s are the future of healthcare and competition is great for the consumer.

Well, here’s some other things I’ve found about Microsoft’s HealthVault. Most interesting is going to be watching the Microsoft HealthVault blog. Maybe that’s because I’m a crazy blog lover, but I love the idea of being in contact with the people that make it happen. Open communication is the best.

Also, here’s an interview with Peter Neupert talking about the significance of his group’s acquisitions of Azyxii and MedStory for clinicians and consumers and of course HealthVault.

It looks like my previous post about Digital Signatures in an EMR drew quite a bit of interest looking at the stats. Really this isn’t surprising. How long have we been signing things electronically at Walmart. Longer than I can remember honestly. Sure, Walmart is worth billions of dollars, but the technology isn’t that expensive. The real advantage that Walmart has is a great legal team.

Setting the legal items aside, the technology of a digital signature is not rocket science by any means. In fact, it’s the legal questions that are harder mostly because there just hasn’t been much case law that has dealt with it. Just as a thought, I would highly suggest that whoever reads about this talks with a good legal team before implementing it.

Of course, reading the comments from my previous post made me realize that what we’re doing is really quite innovative. I’m not just talking about digital signatures. For more than two years now we’ve been collecting patients health history form in our Health Center and intake questionnaire in our counseling center electronically. These forms don’t require the patient or client to leave a signature. It’s basically just capturing information. I think most people can see why it’s valuable to have a health history form captured electronically. In our case it makes all of the necessary clinical information available in one place without dealing with the time consuming and inaccurate scanning. Even more significant for us as a state institution was the ability to do aggregate reporting on the type of patients we were seeing. How many other people can find out things like 20% of your patients have a family history of heart disease (not our actual number)?

I know there are a number of EMR companies out there that have a whole patient portal where this kind of stuff is done, but I’ve never seen any that use a kiosk at the doctor’s office to collect this information. If you are an EMR vendor that has this feature, please leave a comment. I think we’d all love to know who else does it.

Looking at it now, capturing digital signatures for HIPAA privacy forms, consents, etc is just the next step in ridding ourselves of paper. In fact, this addition means that our patients can bypass the front desk completely. They check in on the computer, fill out their necessary forms and then are directed to have a seat. This notifies the nurse that they have arrived and they are ready to be seen. No face to face contact. Privacy at its best.

Well, I got a few questions and comments in my digital signature post that prompted this post. I’ll do my best to answer them here.

Chris Kozloski said, “I like the idea. A kiosk for registration that they could fill out the paperwork online and sign the blocks on the screen would be really neat.”

See my notes above. It’s not just an idea. We’ve been having them fill out the paperwork for two years now. We also have the technology to do the signatures. Just waiting for the other signature pads to arrive and we’ll be implementing it.

One thing I’m not sure most people think about is how the computer will know which forms need to be filled out by the patient. I think that’ll have to be the topic for my next post.

Craig Briars asked, “What software are you using to do this with?”

This is a good question. We are using Medicat EMR. It’s an EMR that is focused on the College Health community, but could be used in a general practice if needed. I’m not sure how it is in a general practice, but I know that they have a ton of features that make it a solid choice for College Health offices interested in EMR.

Medicat has integrated it’s software with topaz signature pads. Medicat uses the Topaz software to capture the signature. It’s actually quite neat how the signature is captured and stored in the database. We did find that the LCD signature pads with the back light were the best. The cheap $100 topaz signature pads just wouldn’t capture my signature if I did it quickly. Plus, if it isn’t LCD, then I don’t know which part of the signature it missed so that I can correct it.

I think there is a ton of misunderstanding about digital signatures. So, hopefully in this post I can clear up some of the confusion of the various types of digital signatures that can occur. It’s important to understand some of the intricacies since there are a number of choices out there. I’ve been working through some of this digital signature stuff for months now and in the next month we’re finally going to have all of the digital signatures implemented in our office.

The first method of digital signature is basically using your login to sign something. This is the most common digital signature in an EMR and many people don’t even realize that what they are doing is digitally signing their chart. Some EMR programs don’t even ask you to physically sign the chart. Instead, they leave the note open for a certain time period. After that time period, then the note will essentially be locked so that nothing can be changed. Why does this type of signature work? Basically it knows that you were the one that logged in and the EMR logs who enters what piece of data. Essentially, the program is leaving your virtual signature throughout the chart as you enter your information. Pretty neat as long as that EMR has a good audit program so you can see who entered what information on a patient.

The second method is similar to the first in that it uses your username. Often, it may use some of the same principles of the first method by keeping track of who entered what information. However, in this method each electronic note requires you to click a button to “digitally sign” the clinical note. This can also apply to lab or x-ray results. This is the type of digital signature that we use most in our clinic. Each note has a button that lets you sign the note electronically. After clicking the button it imprints your name, credentials and the date and the time of the signature. The date and time is especially useful on lab results so we can know when a doctor may have read the lab results.

The third method is what I call “electronic signature” because it literally takes your physical signature and captures is electronically. Everyone should be familiar with this if they have been to a grocery store or Walmart. Basically all of the major chains are accepting your credit card signature electronically now. I can’t say how much I appreciate the digital signature in stores when I’m holding a baby. Have you ever tried to sign a piece of paper while holding a baby in one arm. It’s nearly impossible, but I digress.

I honestly haven’t heard of many (if any) doctor’s offices that are using a signature pad like Walmart does. However, it really is something that is an essential feature of an EMR that wants to have patients fill our their information electronically. Ok, some larger practices can distribute logins to all their patients. However, even then you’d probably need a physical signature to give them the login. My clinic is currently implementing this technology. The signature pads aren’t cheap, but I think they are well worth the money. It basically allows us to make every patient form electronic. This was never possible before since so many required a signature. Capturing a digital signature is what we’re doing to capture this information.

I hope for the signature pads to all to go live in the middle to end of August so look for more information on this coming soon. Is there anyone else using digital signatures with their EMR?

I’ve been seriously looking at a way to manage the HIPAA documentation for my clinic. I think that a wiki is going to be the way to go. I wonder if anyone else has thought of this idea.

It seems like the logical method. It would definitely have to be secured and password protected. However, the ability to have it accessible by the entire clinic and to be editable by anyone is great. Plus, it is great because you can dynamically add new pages on the fly. In fact, I plan on using it for all of our documented policies and procedures.

I found a really good article detailing the various wikis. I think that I’m going to try out the one that powers Wikipedia, Media Wiki. Anyone else have thoughts on how to do this?

I don’t usually like to post blanket statements like the above, but I’ve really fallen in love with facial recognition. I absolutely love my facial recognition. I’ve been working lately with Sensible Vision a vendor of facial recognition software getting the single sign on to work with my EMR package called Medicat. It’s pretty impressive.

I brought in the director of the health center to take a look at the single sign on. I opened my EMR application and it pretty much goes straight into the application. The director of the health center pulled one of those “Ohhh!” because she was surprised at how quick it was.

I showed one of the front desk personnel and she said, “When do we get that?” As soon as possible was my answer.

I just can’t get over how smart it is. Continuous authentication is the best type of security you can have on your PC. Facial recognition constantly is looking for your face and making sure that you haven’t left. It’s the very best feature.

I only have one more thing I have to get working properly and we’ll be putting into our clinical environment. We have to still make it so that two people can use the computer. Too bad our application isn’t browser based because then it wouldn’t be an issue at all. Unfortunately, my application is in VB and so there’s a little more programming to get the facial recognition software to logoff the application if someone forgot to do that.

I’ll let you know once I have it in the clinic.

I’ve been working on some of our HIPAA policies and I started to create a list of things that should be done to all of our workstations to ensure HIPAA compliance. Here’s the list that I started. I’m sure I’m missing something, but take a look:

-Password enabled screen savers

-Disclosure Notice at Windows Login

-Logged off after 25 minutes

-Adware/Spyware

-Windows Update

-Updated virus software

· Weekly workstation scans of local hard drives;

· Daily checks for updates to their virus definition files.

Anyone have suggestions for things that I’m missing? I think there are a ton of other Windows options that I’d like to have done but aren’t necessarily HIPAA requirements. I just need some more time to do some more research into what you have to do to the workstation to make the Windows policies persist across users. In my counseling center I found the options for disabling the recycle bin and the automatic logoff also.

Also, does anyone have a good disclosure notice that they use when the computer starts up? Is it even necessary? They seem mostly useless, but all the HIPAA documents I’ve seen suggest it. Is it a legal requirement because they could argue you never told them not to use it?

I briefly mentioned Face Authentication in a previous post. As a result of that post the vendor from Sensible Vision contacted me and got me a demo model right away. I must admit that their service was impeccable. All the way up the scale I’ve been impressed with the company and all I did was a demo.

Today they issued pricing on their FastAccess product that is very reasonable compared to other biometric devices. I’ve attached the release below and here’s a short review of the product with certainly more details to come as I continue to use it.

Setup
Setting up the FastAccess was a piece of cake. I got the box with only 15 minutes before I had to be somewhere. I unboxed the product, read the instructions(yes I always feel I must read the instructions on new products) and installed it on my computer. In 15 minutes I had it recognize my face and automatically log me in. The other nice part is that the set was really nothing but plug the camera in and run the CD install file. On restart it starts learning who you are when you log in. Couldn’t have been simpler. I repeated this process on my laptop so I could show my wife and had it set up in 5 minutes(booting my computer took longer than setup).

Facial Recognition/Training
Training facial recognition is much different than other biometrics. Fingerprint biometrics requires you to “train” it to know your fingerprint. Facial recognition(at least with FastAccess) is continually updating every time you login. In fact, it stores 90-100 different biometric “faces” that identify you. The biggest fault with this model is that initially the recognition is poorer than fingerprint recognition. However, with time I’ve seen that it actually is more reliable and recognizes you quicker than fingerprint. Not to mention it recognizes you just coming into view. No need to reach and hold your finger or eye to something. The lazy part of me loves that.

Active Directory Integration
FastAccess has very nice integration with active directory. The best part is that they have two methods of implementing active directory integration. First, they can extend the active directory schema. While this is a common practice, it is difficult to convince my system administrator to do since it can’t be rolled back if we decide we don’t want to do it anymore. Second, FastAccess can be implemented using existing active directory fields. This means that you can test the active directory implementation without extending the schema. I plan on doing this in the near future and you can expect a review of it soon.

Strong Audit Controls
Looking over the audit logs they are pretty standard for what you would need to satisfy HIPAA. Having active directory manage this type of audit control would be key to me.

Continuous Security
The biggest advantage to facial recognition is that it is continuously verifying your access. My biggest problem with fingerprint biometrics had to do with not having a way to easily lock the workstation. Facial recognition biometrics is constantly monitoring to see you are the authorized person. If you leave then it locks the computer. This really changes the way you deal with authentication since it can create a true single sign on.

Security Screen Capture
This idea is inegnious. Since you have a camera you might as well capture a picture of the person that was signed on to a machine. Imagine them saying they didn’t log in and you can show them the picture taken when they did log in. Fantastic!! There is also talk of using this technology as a digital signature. I’d love that with my EMR.

Pictures and Twins
I tried to see what I could do to fool the camera and nothing really worked. I imagine this is theoretically possible, but it would have to be a picture in the exact same place as the biometric match. FastAccess tells me that they add in environmental variables(such as light) which makes it much more difficult to fool. So far so good. The idea of twins is addressed in the documentation. I’ll be testing it on my wife and her twin sister to see how that goes. Sometimes it freaks me out how much they look alike.

Accuracy
In an EMR or healthcare environment FastAccess has designed it properly. Sometimes it didn’t recognize me and so it required me to enter my password and then after logging in, it stores another biometric image. While this could be annoying to some doctors, I see this as an essential key to proper authentication.

Instant Desktop Switching
This seems like it is a somewhat new module being developed by Sensible Vision. The idea is that multiple people can log in to the same account and have a different desktop. This currently works espescially well with Internet Explorer and a few other selected applications. I imagine this list will grow over time. They offered to make it work for my favorite apps. One interesting note is that they have it working for Cerner’s EMR. I’ll be having them develop it for Medicat EMR(my EMR)

Random Points
Since FastAccess is constantly checking for facial recognition, when you answer the phone that changes what your face looks like. This isn’t really a problem since they store 90-100 different biometric “prints”. You just have to “train” it to know what you look like with a phone in hand.

One nice feature is that you can turn off continuous facial recognition when you have a presentation. It lets you disable the recognition for a specified period of time. It also recognizes any keyboard or mouse input and disables locking when it sees either.

Here’s the Press Release:
Sensible Vision Innovates Biometric Facial Recognition for Continuous Computer Access Control and Authentication

FastAccess Virtually Eliminates Passwords, Makes Computer Easier to Use and Ensures Privacy Compliance and Identity Management

Introductory Pricing of $99 per Desktop License

Covert, Michigan, April 3, 2006 – Sensible Vision, an innovator of continuous authentication solutions, today revolutionized computer access control and authentication by replacing a user’s password with their face. Sensible Vision’s FastAccess™ is a powerful yet simple solution that uses patent-pending biometric facial recognition to automatically and continuously authenticate user log-in and instantly secure the computer when the user leaves. This virtually eliminates login passwords, makes the computer significantly more secure and easier to use, and strengthens access control auditing for privacy and identity management policies.

“Because a person’s face is unique and always with them, it is ultimately the ideal password and the best way of continuously ensuring who is accessing the computer,” said George Brostoff, CEO of Sensible Vision. “This is a new paradigm for secure and simplified computer access that goes well beyond initial log-in and inactivity timers. FastAccess identifies and authenticates users in less time than it takes to enter a password and knows the second they leave their computers. These breakthroughs make it a simple, secure and low-cost approach for securing the computer and network.”

Read more…

Security
Biometrics Security is pretty impressive. We’ve joked a few times about what happens if you lose your finger (the situation at Wendy’s comes to mind). Let’s just say that the chances are good that this won’t be a problem. More importantly the biometrics people have really given you quite a few options on keeping it secure. One example is that with the biometrics you can also store a pin number that people can use. If I wasn’t so lazy in this moment I would pull out the part of HIPAA that says something about dual authentication methods. Your finger and a pin number sounds like dual to me. When you add in my previous article about False Acceptance Rate and False Reject Rate, then biometrics is a great option for securing EMR.

One other really nice feature with biometrics security is that you can choose to restrict people from using a password to get into certain programs. While this could be scary if something happens to the biometrics device it is an interesting concept. Since it is all managed by group policy in active directory I could train my end users on just using their fingerprints and never having them know their password(see below for password change policy). I would of course want to be able to use a password or biometrics, but there might be a few cases where you could literally restrict access to EMR to a fingerprint. Now that’s security!

Password Change Policy
One other impressive feature that I had never considered is how does biometrics handle the wonderful password change policies required by HIPAA? It’s not like your fingerprint can be changed. The units I’m testing can take care of this for you as part of the templates you create for each application. In fact, if you don’t want to have users know the password at all you can even have the biometrics software generate a password. I think this might be a little scary since then if the biometric device breaks or some other problem then you have no way of getting into your EMR program(or other application as desired).