Welcome to EMR and HIPAA

I came across an interesting idea today from the Change Now 4 Health community where they are giving away $10k for the best healthcare idea. They are calling it Innovation xChange. Here’s a summary of what they’re trying to do:

Do you want to improve the U.S. health care system? Or at least be part of the much-needed dialogue?

If you have ideas or solutions to improve the system, submit your ideas through ChangeNow4Health’s Innovation xChange and you can win up to $10,000 or have your ideas published in the e-book, Tomorrow’s Health Care.

The Innovation xChange is looking for practical ideas and suggestions for improving the health care system. All participants in the system, from providers and health plans to consumers and government, are encouraged to join in the discussion.

$10k isn’t a ton of money, but for just submitting an idea it’s not too bad. It’ll be interesting to see what happens with the contest and what kind of creative ideas come out of it. I wonder if any EMR applications or EMR features will make it into the contest.

I just completed my very last class of my educational career (I’ll graduate with my Masters in IS on Saturday. Yeah Me!). My last class was a Business Intelligence class. While I wasn’t necessarily fond of this class or the teacher, I am definitely interested in business intelligence.

Business Intelligence to me is really just about being able to look at large amounts of data in really cool ways. EMR is basically synonymous with the concept of large amounts of data. Each and every day thousands of really interesting pieces of information are being entered into an EMR. Many times this data is organized in such a way that in can be easily accessed and reported on.

For my class, we’ve been using SQL Server 2005’s business intelligence components. While Microsoft may have its downfalls, they really have put some thought and effort into SQL Server 2005’s BI components. For my final project, I decided to extract some appointment data from my EMR (yes, I guess it’s really my PMS, except for things like the room for the appointment) and run some BI analysis on the EMR data.

I actually had to anonymize all the EMR data before using it, because I was working in a group where they weren’t allowed access to all the HIPAA related information. However, it wasn’t too big of a deal in the end. Although, it does lose some of the reporting ability when you do that.

Since we ended up only pulling out simple appointment data from the EMR database, we could only really run reports about appointments. Don’t get me wrong. There is some really cool stuff you can report on appointments. We reported on appointments by date (this includes day, month, quarter, year, etc), provider, gender, birthdate, ethnicity, etc. We also uploaded the room number that an appointment used so that we could measure the utilization of our exam rooms. Luckily our EMR stored all the information about exam rooms. We also pulled in the data that described when a patient arrived at the clinic, when the nurse started the intake and when the provider finally saw them. We haven’t actually built any reports on that time study data, but it would be really interesting.

That’s really just the beginning of what we were able to do with the EMR data, but I think you get the point. The real question at this point is what other EMR data could benefit from some quality BI analysis? Here’s a few of my thoughts:

-Blood pressure - Depending on how this is stored will determine how easy it is to report. However, it would be really interesting to see trends in blood pressure across our entire population. Add in a few filters for certain medications and you could see some amazing results
-Average Charge per Patient - Could be interesting to look at this and identify which patients are the most profitable. Wait, doctors aren’t about profit are they?
-Average Number of Visits per Patient - Would be interesting to see this grouped too.

Those are just a few off the top of my head. I’m sure there are a hundred more that could be done with diagnosis, prescriptions, charges, procedures, referrals, etc etc etc. Which reports would you find interesting from the data in your EMR?

The best part of this all is that in the next couple weeks I have planned to upgrade my EMR from SQL Server 2000 to SQL Server 2005. That means that I could really easily use all th SQL Server BI tools to create the various BI reports with all the data in my EMR.

Has anyone else done this type of EMR reporting before?

Recently I’ve been reading a fair amount about the movement that many are calling Health 2.0. I think the most simple description of Health 2.0 is applying many of the Web 2.0 concepts to health care. My question is whether EMR fits into Health 2.0. My personal feeling is that most of them don’t. Most Web 2.0 projects are consumer facing projects that allow people to interact, collaborate and participate in the process. EMR software is more about facilitating a doctor’s charting.

Certainly you could make a good case that a patient portal or EHR is more Health 2.0. In fact, that really seems to cut to the heart of Health 2.0. Creating a powerful interface between doctors and patients so that patients are a part of the process. However, I think that most EMR in their current state don’t benefit from this type of interaction.

Of course, this begs the question of whether an EMR should have this type of interaction. My short answer is that it should, but until the payment systems catch up with the technology that creates these interactions we won’t see broad Health 2.0 application to EMR software.

About a month ago I got an email that I just got around to reading today. Essentially it was someone announcing a new social network for prescription drug consumers. Here’s a part of the release that I was sent about the prescription drug social network:

I’d like to invite you to try out the eDrugSearch.com Community — a brand new social network for prescription drug consumers. To join, just go to www.edrugsearch.com/register and sign up; it takes only a couple of minutes.

Why a social network for drug consumers? At eDrugSearch.com, we believe that online communities will forever change the face of healthcare — by giving consumers the information and resources they need to ask better questions of caregivers, to support one another, and to save money on treatments and medications.

Prescription drug consumers, in particular, have shown a strong interest in social networks on general health sites, indicating an unmet demand for a niche community. U.S. drug consumers relish the opportunity to share their experiences — their discoveries, their frustrations, their solutions. These Americans are turning to each other rather than relying solely on pharmaceutical company advertising or rushed doctor’s appointments.

We want the eDrugSearch.com Community to be a place you can come for help, reassurance and advice.

Of course, this really begs the question of if we need a social network around prescription drugs. Of course, my gut reaction is that prescription drugs sounds like much to small of a category for a social network. I’m certain that a lot of niche social networks are going to do very well (in fact, I’m working on a sports one myself), but can prescription drug consumers support a social network.

Seriously, when I’m taking prescription drugs I want to get off them as soon as possible. Are people going to just visit the site for entertainment. Certainly there are people who have chronic illnesses that take drugs for a long time, but won’t they stop visiting the site after taking the same drug for so many years? I guess maybe they’re hoping for advancements or alternatives to that drug, but that still feels like a stretch.

The other part of me thinks that something like this might work. I’ve always felt like one of the advantages of my job is that I had access to not only a bunch of doctors, nurse practioners and PAs, but I also support a pharmacy. In the past three years, there have been a number of times where I make the rounds of doctors, APNs and the pharmacist to learn about the drugs that were prescribed to myself or my family. To me this illustrates the need for information that people have when they are prescribed a drug.

Of course, the biggest challenge of this all is can you trust the information that this prescription drug social network provides? How do you know when someone is qualified in the area or not? Not to mention I could see the drug companies really abusing this site with false information. I think we all have been to hotel sites where the ratings just sounded too good to be true. Sounds pretty easy for the drug companies to do the same thing.

Now, if they had a way to certify providers (MD, DO, APN, PA), then you could give some credibility to what was being said. In fact, a social network for these providers to discuss the various drugs is something that could be very strong and useful. That sounds pretty Health 2.0 to me.

Think about how wonderful the ability to send a discharge summary by email to a patient straight from your EMR. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.

Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough to make it encrypted. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than their regular mailbox. Either way, without the encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an Email containing for example a patient’s discharge. It would be going across the internet in basically plain text.

This situation actually happened in Austrailia a little while back in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.

I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that allows people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, even more serious of an issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.

We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.

It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.

Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.

The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.

Well, my prediction that Eric Schmidt would announce Google Health at the HIMSS08 conference were pretty close. From what I’ve read so far, that’s all he really talked about. I’m still waiting to see my contact that was able to attend HIMSS to see his thoughts on what was said. Sounds like he mostly reiterated what we already knew. A few interesting points:

-Google Health will not contain ads (although I bet that won’t stop them from using the information to target the ads it shows you other places)
-Eric Schmidt repeatedly said no data would be shared without the consumer’s consent (unless of course some hacker finds a way around Google’s security measures)
-1,370 volunteers at the Cleveland Clinic are beta testing the application
-Portability is the key (we heard that this was a form of CCR, but if it requires consent are people going to go to the effort to make it portable?)

Despite certain privacy questions and fears around Google Health I think that Eric Schmidt made a very good point about the way Google will protect your information from legal cases when he said:

“In the Google implementation, your personal health information will not be given to anyone without their explicit permission, which is not true completely for HIPAA-compliant systems. If we get a subpoena, we always check our judgment as to whether the subpoena is narrow enough. If we think it’s a fishing expedition, we will fight it in court. That has worked well for us so far.”

The battle of PHRs by Google Health and Microsoft HealthVault have begun. While I love to see the big players participating in healthcare, I’m not sure they’ve figured out the right motivational drivers that will make this a smashing success. It wouldn’t surprise me if in a few years we hear stories about a life being saved because of proper information and how even one saved life is worth it.

The biggest disappointment: No announcement about when we can get in and try it out ourselves.

UPDATE: Techcrunch think that whoever cracks the healthcare nut will have a huge new market. I don’t see it ever cracking. Marissa Mayer talks about Google Health on the Official Google Blog.

The AP had a story today that told about a pilot project using a Cleveland Hospital to test out the anticipated Google Health. Here’s an excerpt from the story:

The pilot project announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.

I’ve covered Google Health a number of times on this blog and I still wonder what Eric Schmidt is going to say at HIMSS next week. I can’t imagine him not speaking about Google Health at that time. The question is how much will he actually say.

Many people are afraid of what it means for Google to have our Health information. It looks like they won’t have to comply with HIPAA requirements at all. Other people are scared that Google Health will just help Google to offer targeted Viagra (or other drug) ads.

I’m not personally as concerned as most people with Google having health information. However, it is definitely something we’ll have to watch and see how the public accepts it. The AP article described the type of content Google Health will contain:

Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.

Too bad most doctors don’t care about Google Health and will probably never use it.

In a recent comment, Tom Hamilton from KnowBrainer software sent some interesting insights about using Dragon Naturally Speaking. His observation about more and more physicians using Dragon Naturally Speaking with their EMR or EHR is very true. I expect this trend to continue for quite a while. I don’t know how many times doctors have asked me for this ability. Unfortunately, it is like any software program and takes some getting use to, but those that do get use to it seem to really love it.

Here’s what Tom sent me. I hope it’s valuable for those looking at voice recognition with their EMR or EHR. I always welcome guest posters who want to post information like this to my blog. If you’re an expert at something related to EMR, EHR, or other Healthcare IT related topics, then let me know if you’re interested in being a guest blogger.

EMR Software and Dragon NaturallySpeaking are being utilized together in more practices and by more physicians every year. In light of that fact I would like to offer this information to the curious.

1. If you’re using Vista you should have 3-4 GB of RAM. For an XP platform you will require 2 GB of RAM. The software will run on less but won’t be very as effective.

NOTE: If you’re looking at buying a new computer to use with DNS I would consider looking at ASUS computers. Regardless of what system you by, you want a Core2 Duo 2 GHz or better CPU speed, 2 GB of RAM an XP platform (3 GB on Vista), 2 - 4 MB of L2 cache, a SATA hard drive of at least 100 GB although you may be able get 160 for about the same price. Your soundcard will be important so go with a mid to high end Soundblaster.

2. Unless you’re using a Soundblaster card don’t depend on the integrated soundcard in your computer as it is probably poorly shielded. Get yourself an external soundcard (USB Pod) and use a USB port on the back of your computer as opposed to the front.

3. Here is a copy of the manual we wrote for version 9. It’s designed as version 9.5 upgrade manual but if you are a new user to DNS you can download a full copy manual at KnowBrainer.com. KnowBrainer Manual

4. Here is a copy of the KnowBrainer Quick Tips which is PDF help file for day to day troubleshooting that is updated all the time from questions answered on our forum.

5. Here is a copy of our DNS 9 Review. I think you’ll find it pretty thorough.

6. For research feel free to use the KnowBrainer Speech Recognition Forum as it is by far the largest and most active of its kind.

7. I know there are quite a few users of NaturallySpeaking version 9 who don’t know about the Free upgrade to 9.5. Then there are some that do but don’t have time to find a path to it and worry about difficulty installing it. You should always use the most updated software especially when it’s free. Version 9.5 consolidates the code between version 9 and 9.1 and contains a few minor tweaks. The main purpose for the upgrade is for Vista compatibility. Here is your path and instructions - DNS 9.5 Update Guide

KnowBrainer, Inc. Support Staff – Tom Hamilton
Now Providing FREE (1st 5 min.) Tech Support 615-884-4558
A Nuance Gold Certified Endorsed Vendor
ALWAYS Ask If Your Speech Recognition Vendor Is Nuance Certified

Thanks Tom for the information. I think I’m going to have to “borrow” the dragon naturally speaking software one of my users cast aside and try it for myself.

Today I read an article about Misys leading healthcare into open source. I guess I can mostly agree with the idea of them leading into open source, but even Misys is taking baby steps into the open source realm. The article says that it’s going to “open source components of its proprietary Connect Healthcare solution”[emphasis added]. So, I don’t want to completely knock Misys for only making some components open source, but if we’re going to call them a leader in healthcare’s movement to open source then it needs to be more than just components. I think the real leader was VistaEMR (I think that’s it’s official name) was open sourced. Granted, I don’t think they had much choice, but that’s being a leader.

One thing that does look good for Misys is they have “hired Ryan Bloom, a founder of the Apache Portable Runtime project and a major contributor to the Apache HTTP 2.0 project.” I don’t know any specifics about Ryan Bloom, but I can tell you that the Apache open source project is a great one that I believe will power most of the web in the future.

This will be really interesting to watch as it evolves. Open source is now a pretty proven model in other software categories. Will it work for healthcare?

This information is a little bit dated, but it was sitting in my draft posts and I think that it’s still very relevant to those interested in HIPAA compliance. Computer World posted an article about Atlanta’s Piedmont hospital being the first organization to have a HIPAA audit by the HHS.

In the report they identified 42 questions that HHS reportedly asked Piedmont hospital during the HIPAA audit. Regardless of how accurate this is, I think that it’s interesting for all those in the healthcare industry to evaluate these questions and how they apply in their environment.

Here’s the list of questions:

1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Antivirus software.
23. Network remote access.
24. Computer patch management.

HHS also had a slew of other requests:

1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms use for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers, installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

Since most of my interest is in ambulatory care, I wonder if an audit would be this extensive for ambulatory care. Talk about putting a company out of business. This would be an extensive report for a hospital but could be really detrimental to a small doctor’s office. Still interesting to think about.

I expect that no one is fully compliant with this list. Of course, that raises the question of what’s full compliance, but we’ll save that topic for another day.