
Does Your HIPAA Risk Analysis Tool Protect Your Practice?

Posted on December 15, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Fourth quarter signifies more than a countdown to the holidays: many healthcare organizations are met with the realization that it is time to complete a HIPAA risk analysis in order to comply with MACRA-MIPS. Of course, HIPAA risk analyses are nothing new; practices should be conducting them regularly, especially in light of the HIPAA Omnibus Rule, which gave teeth to the regulations and made an annual HIPAA risk analysis a requirement for every healthcare organization.

Recently, I was reading a blog post by HIPAA One called “Not All Risk Analysis Tools Created Equal” and it made me think about the requirements for a bona fide risk analysis. I realize that HIPAA One provides a risk analysis solution and therefore approaches the conversation as a vendor would; however, they are also deeply embedded in the HIPAA risk assessment world and have a unique understanding of what’s happening.

I’ve seen first-hand the principle they describe in the post with many medical practices. Most medical practices are so overwhelmed with the daily grind of dealing with staff issues, schedules, billing, supplies, etc., that it’s hard for them to distinguish between a high quality risk analysis tool and one that was built 3 years ago and hasn’t been updated since then.

In HIPAA One’s blog post they offered a list of what you should look for in a HIPAA risk analysis solution and I think this is a great starting point for any organization that needs a tool or is evaluating their existing tool:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines if your workplace meets each of the HIPAA requirements as selected in the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis – Bona fide security risk analysis which digs into any non-compliant areas along with a calculation tool that addresses which gaps are low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST 800-30 rev. 1 and NIST 800-53 rev. 4).
  5. Remediation Plan – This documented plan answers the questions: “Who will do what by when” in regards to remediating gaps in compliance.
  6. Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance by proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year take a new “snapshot” performing steps 2-6 on any changes that happened from the previous year.

The item on this list that I see fall short in many solutions and services on the market today is the remediation plan. It’s amazing how many tools only account for a risk analysis and do not provide any guidance on creating remediation plans for the risks you find. That’s a big deal and could leave you in trouble if your practice is ever audited and hasn’t remediated any of its security deficiencies.

The good news is that HIPAA risk analysis tools have come a long way over the years. Much like you need to make sure EHR vendors are updating and improving their systems to meet your needs and comply with changes in government regulations, the same is true of HIPAA risk analysis tools. Make sure you take the time needed to ensure the quality of the tools and services you’re using. Ignorance is not bliss when a HIPAA audit occurs.

Note: HIPAA One is a Healthcare Scene sponsor.

Make The Busy Patient’s Living Room Their Waiting Room

Posted on December 14, 2017 | Written By

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms


Patients are busier than ever before. Between the hours of eight and five, a majority have only limited availability to reach out to their healthcare providers. And after the day’s work is done, other responsibilities – such as their children’s after-school activities or errands – reign supreme. Providing easy-access avenues to securing care is the key to acquiring these patients’ loyalty.

In many ways, I’m the busy patient described above. And when I recently came down with a stubborn cough and began looking for an urgent care that could quickly see me, I experienced what I already knew: many healthcare organizations are unequipped to provide care that caters to digitally-minded patients. There were three key problems with my experience.

Problem: Limited Information Available Online
When initially searching for a local urgent care, I struggled to learn more about what a typical experience looked like at various locations. As a first-time, admittedly nervous urgent care patient, I wanted to make an informed decision about where to receive care. However, I found that many websites did not offer the insight I sought. Without more information to go off of, I made my decision based on the health system’s good reputation.

Solution: Beef Up Your Web Presence
Ensuring your website has information for all patient types – especially those who may be less familiar with what your unique experience may include – will provide greater peace of mind, set accurate expectations, and enhance patient satisfaction.

Problem: Inability to Reserve Estimated Treatment Time Online
For many, leaving work to sit in a waiting room isn’t a viable option. And without an easy way to reserve an estimated treatment time or insight regarding how long the wait time may be, making time to seek valuable care can be a challenging task. While I was able to leave work early and spend the afternoon at my chosen urgent care, many others don’t have the same flexibility in their positions.

Solution: Introduce Urgent Care Digital Check-In
Enabling patients to reserve their place in line from wherever they may be creates a more seamless patient experience, enhances their sense of access, and creates greater operational efficiency within your facility.

Problem: Forced to Wait in Waiting Room
Though I was lucky to be able to leave work early and wait for care at the facility, I would have much rather waited at home. Unfortunately, the urgent care only allowed patients to wait to be seen from within the waiting room, with little in the way of entertainment; leaving would forfeit the patient’s place in the queue. As someone who has been spoiled with this capability across numerous restaurant, veterinary, and mechanic experiences, I was disappointed to find this feature wasn’t readily provided by the healthcare facility.

Solution: Automatically Notify Patients When It’s Time to Be Seen
More patients than ever have access to convenient communication tools. By digitizing your check-in process, you can enable patients to wait from the comfort of their home and notify them when it’s nearly time to be seen via an automated text message or voice call.

In all, my urgent care experience took over two hours. Had the facility provided access to more information regarding what my experience could include, the ability to reserve an estimated treatment time online, and a convenient reminder when my time to be seen neared, I could have saved over an hour spent sitting in the waiting room. If I had access to these capabilities, I could have spent this time completing important work tasks while relaxing (and keeping my germs) at home.

To learn more about how busy, consumer-minded patients are driving the need for omnichannel experiences in the healthcare industry, check out our recent e-book, OmniWhat?!

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

What’s Keeping HealthIT From Soaring to the Cloud? – #HITsm Chat Topic

Posted on December 12, 2017 | Written By John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/15 at Noon ET (9 AM PT). This week’s chat will be hosted by David Fuller (@genkidave) on the topic of “What’s Keeping HealthIT From Soaring to the Cloud?”

Premise-based and private HealthIT architectures have ruled in healthcare and were unfortunately reinforced by the timing of ACA/HITECH. Infrastructure-as-a-Service, Platform-as-a-Service and other cloud-native approaches are revolutionizing all industries, and while, for some somewhat valid reasons, healthcare has been slow to adopt the Cloud, it’s now firmly ripe for transformation. So what are the forces keeping HealthIT from soaring to the Cloud? And how will cloud adoption in other industries, and also within certain sectors of the healthcare landscape such as pharma and insurance, give HealthIT the lift it needs to get off The Ground and into The Cloud?

Join us as we dive into this topic during this week’s #HITsm chat using the following questions.

Topics for This Week’s #HITsm Chat:

T1: How do premise and cloud-native HealthIT strategies differ? #HITsm

T2: What’s gained by moving HealthIT from premise-based designs to hosted, virtual and private cloud architectures? #HITsm

T3: What cyber-security concerns are keeping Cloud-native HealthIT from soaring? And how can these concerns be overcome? #HITsm

T4: Once HealthIT is truly in the Cloud what can HealthIT professionals see and do better than they can on ‘The Ground’? #HITsm

T5: What are the pros/cons of Cloud ‘dev-ops’ model and Ground ‘upgrade/migration’ IT deployment models? #HITsm

Bonus: How quickly will HealthIT professionals have to adopt pervasive Cloud-native HealthIT architectures? #HITsm

Upcoming #HITsm Chat Schedule
12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

E-Patient Update: Clinicians May Be Developing Strong EMR Preferences

Posted on December 8, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Not long ago, I wrote about a story from another publication, one which engaged in a bunch of happy talk about how EMR companies were improving their user interfaces. At the time, I expressed a great deal of skepticism about this claim, suggesting that the vendors had misled the reporter into believing that user aspects of EMRs were changing for the better across the industry.

While I stand by my original skepticism to some degree, I have to say that I got a surprise recently when I heard some nurses discussing two major EMR platforms. The one they were using, they said, was awful and awkward to use. Apparently, they missed the other terribly.

Now, at the time I was a patient in the emergency department, so I didn’t have a chance to ask them any questions about their preferences, but I was struck by the conversation because I knew which vendors they were discussing. However, they could have been talking about any enterprise EMR.

Clinicians developing preferences

I don’t mention this exchange to praise one EHR over another. I bring this up merely because this is the first time, having spent a lot of time in medical environments due to chronic illness, that I’d heard any front-line clinician express a preference for one enterprise EMR over the other.

In the early days of widespread EMR adoption, I could scarcely find a clinician who didn’t hate the system they were working with, much less one who truly liked it and wanted to use it. Eventually, I began to find that many clinicians thought the system they worked with was more or less okay, though I rarely found any screaming fans for any system in particular.

Now, I’m arguing that we may be at a new stage in clinician adoption of EMRs. The point I am making is that now, some of the clinicians with whom I’ve had contact are showing some enthusiasm about one EMR or another.

No big surprise: Experience breeds preference

The truth is, when you think about it, it’s not surprising that clinicians have finally developed preferences (rather than the lists of EMRs which they truly hate). After all, it’s been going on 10 years since the HITECH Act was passed and the money started to flow into EMR subsidies.

Since then, clinicians have had the opportunity to work with multiple EMR platforms at various facilities and, informally at least, develop a catalog of their strengths and weaknesses. Nurses and doctors know which interfaces they like, whether tech support tends to respond when they have a problem with a particular system, whether any analytics tools they provide are worth using, and so on.

Given this fact, it’s hardly surprising that they’ve figured out what they like and what they don’t, and which vendors seem to suit those needs. After this much time, why wouldn’t they?

As I see it, this is something of a turning point in the industry, a new moment in which clinical professionals have learned enough to know what they want from an EMR. I don’t know about you, but speaking as an e-patient, I think this is a very good thing. The more empowered clinicians feel, the better the work they will do.

The Benefits Of Creating Data Stewards

Posted on December 7, 2017 | Written By Anne Zieger

Maybe I’m behind the times, but until today I had never heard of the notion of a “data steward” for healthcare organizations. An article I read today from the Journal of AHIMA IGIQ blog has given me some ideas on the subject to ponder, however.

The blog author lays out a role which combines responsibility for data structure and consistent data type definitions — in other words, which sees that datatypes are compared on an apples-to-apples basis and that data categories make sense and relate to each other appropriately.

In the article, “Data Stewards Play an Important Role in the Future of Healthcare,” writer Neysa Noreen, MS, RHIA, notes that providers are already struggling to categorize and describe types of medical data, much less leverage and benefit from them. But while we need to impose such a level of discipline, it isn’t easy, she notes.

“[Creating a workable data structure] is a complex process with many challenges,” Noreen writes. “There are many data terms and concepts, roles and structures to decipher from information governance and data governance to data integrity,” which is why we need to put data stewards in place in many organizations, she suggests.

Though the idea of the data steward isn’t new, “emphasis on data comparison and quality has increased their necessity,” Noreen argues. “Data stewards are essential to ensure that standard data sets and definitions are implemented and used for data integrity and quality.”

The question then becomes what qualifications and skills a data steward should have. According to Noreen, data stewards aren’t necessarily IT experts. What they will need is to have a thorough understanding of the data itself and how to extract value from that data on the broadest level.

Data stewards will often turn out to be people who are already working with data in some other manner, which will allow them to know what the organization needs to do to resolve discrepancies between data definitions, according to Noreen. Such a past also gives them a head start in figuring out how data can be organized into classes and leveraged effectively.

Given their knowledge of data standards and definitions, as well as a history of working with the data sets the organization has, data stewards will be in a good position to make data use more efficient. For example, they will be able to review and compare data requests on an institutional level, identifying data redundancy and finding opportunities for cost-efficiencies.

Having given this some thought, I find it hard to argue that most healthcare organizations could benefit from having a data steward in place. Providers may begin by starting with a committee that handles this function, rather than creating one or more dedicated positions, but eventually, the scope of such efforts will call for specialized expertise. Expect to see these positions pop up often in the future.

The Future Of Telemedicine Doesn’t Depend On Health Plans Anymore

Posted on December 6, 2017 | Written By Anne Zieger

For as long as I can remember, the growth of telemedicine depended largely on overcoming two obstacles: bandwidth and reimbursement. Now, both are on the verge of melting away.

One, the availability of broadband, has largely been addressed, though there are certainly areas of the US where broadband is harder to get than it should be. Having lived through a time when the very idea of widely available consumer broadband blew our minds, it’s amazing to say this, but we’ve largely solved the problem in the United States.

The other, the willingness of insurers to pay for telemedicine services, is still something of an issue and will be for a while. However, it won’t stay that way for too much longer in my opinion.

Yes, over the short term it still matters whether a telemedicine visit is going to be funded by a payer – after all, if a clinician is going to deliver services, somebody has to pay for their time. But there are good reasons why this will not continue to be an issue.

For one thing, as the direct-to-consumer models have demonstrated, patients are increasingly willing to pay for telemedical care out-of-pocket. Customers of sites like HealthTap and Teladoc won’t pay top dollar for such services, but it seems apparent that they’re willing to engage with and stay interested in solving certain problems this way (such as, for example, getting a personal illness triaged and treated without having to skip work the next day).

Another way telemedicine services have changed, from what I can see, is that health systems and hospitals are beginning to integrate it with their other service lines as a routine part of delivering care. Virtual consults are no longer this “weird” thing they do on the side, but a standard approach to addressing common health problems, especially chronic illness.

Then, of course, there’s the most important factor taking control of telemedicine away from health plans: the need to use it to achieve population health management goals. While its use is still a little bit lopsided at present, as healthcare organizations aren’t sure how to optimize telehealth initiatives, eventually they’ll get the formula right, and that will include using it as a way of tying together a seamless value-based delivery network.

In fact, I’d go so far as to say that without the reach, flexibility and low cost of telehealth delivery, building out population health management schemes might be almost impossible in the future. Having specialists available to address urgent matters in, say, rural areas will be critical on the one hand, while on the other, making the specialists needed for chronic care (such as endocrinologists) accessible to unwell urban patients with travel concerns.

Despite the growing adoption of telemedicine by providers, it may be 5 to 10 years or so before it has its fullest impact, a period during which health plans gradually accept that the growth of this technology isn’t up to them anymore. But the day will without a doubt arrive soon enough when “telemedicine” is just known as medicine.

EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well – #HITsm Chat Topic

Posted on December 5, 2017 | Written By John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/8 at Noon ET (9 AM PT). This week’s chat will be hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from (@MyOpenNotes) on the topic of “EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well.”

There are now nearly 100 health systems across the United States using secure patient portals to share visit notes with more than 20 million of their patients. And as the saying goes, if you’ve seen one OpenNotes implementation, you’ve seen one OpenNotes implementation.

No two health systems approach OpenNotes in the same way, and much of the variation stems from human resistance to change. Change is hard, whether it involves assuring and supporting clinicians in their move toward sharing notes or surmounting technical challenges within the electronic health record.

We know the electronic health record is here to stay. We’re not going back to paper. And we know that when patients are offered online access to the medical information in their records, including access to notes, these patients continue to want that access and they share its benefits.

At their annual meeting in November 2017, the American Medical Informatics Association (AMIA) announced a formal collaboration with OpenNotes, stating, “The evidence-base is clear: providing patients access to their physician’s notes improves physician-patient communication and trust, patient safety, and perhaps even patient outcomes.”

So how do we bridge resistance to change? And as OpenNotes expands, how do we guide health systems to ensure the best possible patient experience?

Join us as we dive into this topic during this week’s #HITsm chat using the following questions. Homer Chin and Amy Fellows will be on hand to share key learnings from vendors and health IT teams that have been making OpenNotes work over the past few years.

Reference Materials:

Topics for This Week’s #HITsm Chat:

T1: What cultural barriers to OpenNotes adoption and use exist within the #healthcare IT profession vs. the clinical/medical community? #hitsm

T2: Given that OpenNotes is a movement and not a discrete software product, what are the technical challenges for implementing OpenNotes inside the patient portal? #hitsm

T3: If you’re currently implementing OpenNotes in your health system: What advice and/or caveats can you share with colleagues? #hitsm

T4: If you haven’t implemented OpenNotes at your health system: What’s holding you back? What do you believe are the key challenges impeding implementation? #hitsm

T5: What customization strategies and/or tips do you have for helping patients navigate healthcare portals to find their #medical record notes? #hitsm

BONUS: What type of “OpenNotes-related” functionality should #EHR vendors be including in their product(s) to serve both clinicians AND patients? #hitsm

Upcoming #HITsm Chat Schedule
12/15 – What’s Keeping HealthIT from Soaring to the Cloud?
Hosted by David Fuller (@genkidave)

12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team. We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity. Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches in which more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, which Cottage Health’s insurance company is trying to recover because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It’s not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AGs the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage Health generated over $746 million in revenue and had 3,120 employees. Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, or basic IT security like passwords and firewalls means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.

Healthcare Costs Video

Posted on December 1, 2017 | Written By John Lynn

In all the crazy discussions that are happening about healthcare, it’s always frustrating to me that so few of them talk about healthcare costs. Politicians are talking a lot about healthcare insurance and coverage. Those in healthcare IT talk about meaningful use, MACRA, and over-regulation. No doubt there are challenges associated with insurance coverage and with health IT regulation. However, none of them will move the needle on how much healthcare is costing this nation.

Sometimes it takes a little bit of humor to illustrate the point and that’s what this video from Adam Ruins Everything does with healthcare costs:

Not exactly a Fun Friday video like we usually do, but kind of. The saddest part of this video though is near the end when she asks what can be done to fix the problem and he says nothing. Rolling back healthcare costs is the real issue with healthcare today and there are a lot of entrenched interests that want nothing to do with it.

Machine Learning, Data Science, AI, Deep Learning, and Statistics – It’s All So Confusing

Posted on November 30, 2017 | Written By John Lynn

It seems like these days every healthcare IT company out there is saying they’re doing machine learning, AI, deep learning, etc. So many companies are using these terms that they’ve started to lose meaning. The problem is that people are using these labels regardless of whether they really apply. Plus, we all have different definitions for these terms.

As I searched to understand the differences myself, I found this great tweet from Ronald van Loon that looks at this world and tries to better define it:

In that tweet, Ronald also links to an article that looks at some of the differences. I liked this part he took from Quora:

  • AI (Artificial intelligence) is a subfield of computer science, that was created in the 1960s, and it was (is) concerned with solving tasks that are easy for humans, but hard for computers. In particular, a so-called Strong AI would be a system that can do anything a human can (perhaps without purely physical things). This is fairly generic, and includes all kinds of tasks, such as planning, moving around in the world, recognizing objects and sounds, speaking, translating, performing social or business transactions, creative work (making art or poetry), etc.
  • Machine learning is concerned with one aspect of this: given some AI problem that can be described in discrete terms (e.g. out of a particular set of actions, which one is the right one), and given a lot of information about the world, figure out what is the “correct” action, without having the programmer program it in. Typically some outside process is needed to judge whether the action was correct or not. In mathematical terms, it’s a function: you feed in some input, and you want it to produce the right output, so the whole problem is simply to build a model of this mathematical function in some automatic way. To draw a distinction with AI, if I can write a very clever program that has human-like behavior, it can be AI, but unless its parameters are automatically learned from data, it’s not machine learning.
  • Deep learning is one kind of machine learning that’s very popular now. It involves a particular kind of mathematical model that can be thought of as a composition of simple blocks (function composition) of a certain type, and where some of these blocks can be adjusted to better predict the final outcome.

Is that clear for you now? Would you suggest different definitions? Where do you see people using these terms correctly and where do you see them using them incorrectly?