June 21, 2009

Lost Laptop with Patient Names, Treatment Summaries and Other PHI

Written by: John

This story coming out of Oregon came across my feeds today. It tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.

This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out whether an EMR was involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if the laptop gets stolen, there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.

2. There’s some really cool technology that’s been coming out in recent laptops that allows you to remotely wipe the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down, kind of like they do with stolen cars (the same people, from what I understand).

Once the stolen laptop is connected to a network, it calls back to the main center and receives the command to wipe the laptop. It also reports where it was connected so that the police can possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.


May 9, 2009

Number of People Who Can Screw Up a Patient Chart

Written by: John

A company called FastCompany (most notable for famous Microsoft blogger Scoble having worked there. Yes, I’m showing my geek) wrote an article a while back on EMR and technology’s impact on healthcare. It’s an interesting read since it’s kind of an outsider/tech magazine look at healthcare.

One thing that really struck me in the article was the following quote:

In the meantime, Geisinger continues to compile success stories, including that of CEO Steele, who became patient No. 86 in the ProvenCare CABG program. “I was in and out of the hospital in two-and-a-half days,” he says. Casale, who was Steele’s surgeon, says the case opened his eyes to how complex a routine operation really is: “Two weeks after, the head of our IT group called me and said, ‘Al, I just looked through [Steele's] chart, and I want to send you a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’ There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”

113 people legitimately accessed the patient chart in an EMR. The most apparent item here is that that’s a lot of people who could screw up the patient chart. However, that’s not what interested me. What I find most interesting is that an EMR enables us to know that 113 people accessed the chart and exactly what each one did. Think about a paper chart. Any of those 113 people could have made a change and it would be difficult to know who.
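As an added example (not code from the article, Geisinger, or any EMR vendor), here is what that kind of audit-trail review looks like over a few constructed access-log lines in an assumed "timestamp key=value" format: it lists every user who touched one chart between the clinic visit and two weeks post-op, what each one did, and which of them is not on the documented care team. All user names, the care-team roster and the log format are assumptions.

```python
"""Audit-trail review over constructed EMR access-log lines.
Example code, not from the article or any vendor's EMR; the log format is assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp key=value ..." audit format.
SAMPLE_LOG = """\
2009-03-02T08:40:11 user=rlopez role=clinic_RN patient=86 action=view section=vitals
2009-03-02T09:05:42 user=acasale role=surgeon patient=86 action=view section=history
2009-03-02T09:07:03 user=acasale role=surgeon patient=86 action=update section=plan
2009-03-03T14:22:19 user=kpatel role=pharmacist patient=86 action=view section=meds
2009-03-03T14:25:00 user=kpatel role=pharmacist patient=86 action=update section=meds
2009-03-04T07:10:55 user=mwong role=billing patient=86 action=view section=demographics
2009-03-04T07:11:30 user=mwong role=billing patient=91 action=view section=demographics
2009-03-20T11:00:00 user=acasale role=surgeon patient=86 action=view section=labs
"""


def parse_line(line):
    """One audit line -> dict; the leading timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["patient"] = int(rec["patient"])
    return rec


def chart_accesses(log_text, patient, start, end):
    """Every access to one patient's chart between start and end (ISO dates, inclusive),
    grouped per user as {user: [(ts, action, section), ...]} in time order."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["patient"] == patient and start <= rec["ts"] <= end:
            per_user[rec["user"]].append((rec["ts"], rec["action"], rec["section"]))
    return {user: sorted(events) for user, events in per_user.items()}


def review_against_roster(accesses, care_team):
    """Users who touched the chart but are not on the documented care team:
    the entries a privacy officer would ask about first."""
    return sorted(set(accesses) - set(care_team))


if __name__ == "__main__":
    # Window: first clinic visit to two weeks post-op, as in the quoted review.
    acc = chart_accesses(SAMPLE_LOG, 86, "2009-03-02", "2009-03-16")
    print(f"{len(acc)} distinct users accessed chart 86")
    for user, events in acc.items():
        for ts, action, section in events:
            print(f"  {user:<8} {ts:%Y-%m-%d %H:%M} {action:<6} {section}")
    print("Not on care team:", review_against_roster(acc, ["rlopez", "acasale", "kpatel"]))
```

The "not on care team" list is a review queue, not a verdict: in the quoted case every one of the 113 turned out to have a legitimate reason, and the audit trail is what made checking that possible.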


May 5, 2009

8 Million Virginia Patient Records for $10 Million

Written by: John

I’m not sure how many of my readers have heard about the Virginia Prescription Monitoring Program being hacked yesterday. The Prescription Monitoring Program is used by pharmacists and others to discover prescription drug abuse. The story gets really interesting since it looks like the hackers encrypted over 8 million patient records and over 35 million prescriptions. Then, the hackers posted the following note on the Virginia Prescription Monitoring Program website (according to wikileaks):

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

The website has now been entirely disabled and just times out if you try to visit the site.

The Washington Post blog has reported the following:

Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, declined to discuss details of the hacker’s claims, and referred inquiries to the FBI.

“There is a criminal investigation under way by federal and state authorities, and we take the information security very serious,” she said.

A spokesman for the FBI declined to confirm or deny that the agency may be investigating.

Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.

“We do have some of systems restored, but we’re being very careful in working with experts and authorities to take essential steps as we proceed forward,” she said. “Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete.”

It seems interesting that 5 days after they discovered the intrusion the website is still not back online. It must have been a pretty serious hack job.

The Washington Post also explained that this is the second such extortion attack using patient health care data.

In October 2008, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

Stories like this will set back any sort of RHIO or national HIE movement. It sure makes you think about the security of it all. What is interesting is that the patient data doesn’t seem to have much value outside of extortion. Otherwise, I’d think those who breached the system would have used it in some other way.


January 19, 2009

Get EMR and HIPAA in Your Email or RSS Feed

Written by: John

I know that many of you are already subscribing to updates to EMR and HIPAA using the EMR and HIPAA RSS feed. Thanks for all those who subscribe. I appreciate your readership.

Recently, I just integrated an email subscription service for those who’d like to get updates to EMR and HIPAA in their email instead of by RSS or visiting the site. I know I use my email heavily and this feature is a really nice one.

All you have to do is click here to subscribe and enter your email address. Then, you’ll have to confirm it’s your email by clicking a link that gets sent to you. That’s to prevent spam. I hate spam and so do you. So, you can trust that I won’t be using your email for spam. It will just send out updates that happen on EMR and HIPAA.

Let me know if you have any questions and what you think of this new feature.


August 23, 2008

Open Source Software for Finding a Stolen Laptop

Written by: John

I’ve always been intrigued by the idea of software like LoJack that helps you find your laptop should it ever get stolen. The biggest problem of course is the cost associated with the software. Today I found an interesting open source system for tracking and recovering stolen laptops. I haven’t had time to try the software yet, but this is definitely going on my to-do list of software to try out.

How many times have we seen reports of a stolen laptop that held an entire database of personal or health information? Way too many. This could be an interesting and free solution. Even the best-coded EMR software usually leaves at least some traces of PHI on the laptop, in Windows temp files for example. A free way to recover the laptop would be very beneficial.


May 12, 2008

Using an EMR for Business Intelligence (BI)

Written by: John

I just completed my very last class of my educational career (I’ll graduate with my Masters in IS on Saturday. Yeah Me!). My last class was a Business Intelligence class. While I wasn’t necessarily fond of this class or the teacher, I am definitely interested in business intelligence.

Business Intelligence to me is really just about being able to look at large amounts of data in really cool ways. EMR is basically synonymous with the concept of large amounts of data. Each and every day thousands of really interesting pieces of information are being entered into an EMR. Many times this data is organized in such a way that it can be easily accessed and reported on.

For my class, we’ve been using SQL Server 2005’s business intelligence components. While Microsoft may have its downfalls, they really have put some thought and effort into SQL Server 2005’s BI components. For my final project, I decided to extract some appointment data from my EMR (yes, I guess it’s really my PMS, except for things like the room for the appointment) and run some BI analysis on the EMR data.

I actually had to anonymize all the EMR data before using it, because I was working in a group where the other members weren’t allowed access to all the HIPAA related information. However, it wasn’t too big of a deal in the end, although you do lose some of the reporting ability when you do that.

Since we ended up only pulling out simple appointment data from the EMR database, we could only really run reports about appointments. Don’t get me wrong. There is some really cool stuff you can report on appointments. We reported on appointments by date (this includes day, month, quarter, year, etc), provider, gender, birthdate, ethnicity, etc. We also uploaded the room number that an appointment used so that we could measure the utilization of our exam rooms. Luckily our EMR stored all the information about exam rooms. We also pulled in the data that described when a patient arrived at the clinic, when the nurse started the intake and when the provider finally saw them. We haven’t actually built any reports on that time study data, but it would be really interesting.

That’s really just the beginning of what we were able to do with the EMR data, but I think you get the point. The real question at this point is what other EMR data could benefit from some quality BI analysis? Here’s a few of my thoughts:

-Blood pressure – Depending on how this is stored will determine how easy it is to report. However, it would be really interesting to see trends in blood pressure across our entire population. Add in a few filters for certain medications and you could see some amazing results
-Average Charge per Patient – Could be interesting to look at this and identify which patients are the most profitable. Wait, doctors aren’t about profit are they?
-Average Number of Visits per Patient – Would be interesting to see this grouped too.

Those are just a few off the top of my head. I’m sure there are a hundred more that could be done with diagnosis, prescriptions, charges, procedures, referrals, etc etc etc. Which reports would you find interesting from the data in your EMR?

The best part of this all is that in the next couple of weeks I have planned to upgrade my EMR from SQL Server 2000 to SQL Server 2005. That means that I could really easily use all the SQL Server BI tools to create the various BI reports with all the data in my EMR.
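An added example, not the class project’s SQL Server 2005 work: it de-identifies a few constructed appointment rows the way the post describes (a keyed pseudonym in place of the patient id, an age band instead of the birthdate, the name dropped entirely) and then runs two of the reports mentioned above in SQLite, appointments by provider and quarter and the arrival-to-seen time study. The row layout, the rows themselves and the pseudonym key are assumptions.

```python
"""De-identified appointment extract plus two BI-style reports.
Example code: the rows and the pseudonym key are constructed, not EMR data."""
import hashlib
import hmac
import sqlite3

# Constructed EMR appointment rows (assumed layout):
# (patient_id, name, birthdate, gender, provider, room, appt_datetime, arrived, intake, seen)
RAW_APPOINTMENTS = [
    (1001, "Alice Example", "1962-05-14", "F", "Dr. Adams", 3, "2008-01-07 09:00", "08:52", "09:03", "09:20"),
    (1002, "Bob Example",   "1975-11-02", "M", "Dr. Adams", 4, "2008-01-07 09:30", "09:40", "09:48", "10:05"),
    (1001, "Alice Example", "1962-05-14", "F", "Dr. Baker", 3, "2008-02-11 14:00", "13:50", "14:02", "14:10"),
    (1003, "Cara Example",  "1990-07-30", "F", "Dr. Baker", 5, "2008-04-02 10:00", "10:15", "10:20", "10:45"),
    (1002, "Bob Example",   "1975-11-02", "M", "Dr. Adams", 4, "2008-05-19 11:00", "10:58", "11:05", "11:30"),
]
# Assumed secret; it stays with the clinic and is never shipped with the extract.
PSEUDONYM_KEY = b"constructed-secret-not-in-the-extract"


def pseudonym(patient_id):
    """Keyed hash: the same patient still links across rows, but the id cannot be recovered without the key."""
    return hmac.new(PSEUDONYM_KEY, str(patient_id).encode(), hashlib.sha256).hexdigest()[:12]


def age_band(birthdate, as_of_year=2008):
    """Generalise the birthdate to a ten-year band so 'by age' reports survive without an exact DOB."""
    low = (as_of_year - int(birthdate[:4])) // 10 * 10
    return f"{low}-{low + 9}"


def minutes(hhmm):
    """'09:20' -> 560, so waits can be averaged directly in SQL."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def build_extract(rows):
    """Load the de-identified rows into an in-memory SQLite table; the name column never makes it in."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE appt (pseudo TEXT, age_band TEXT, gender TEXT, provider TEXT,
                  room INTEGER, appt_date TEXT, arrived INTEGER, intake INTEGER, seen INTEGER)""")
    for pid, _name, dob, gender, prov, room, ts, arr, intake, seen in rows:
        db.execute("INSERT INTO appt VALUES (?,?,?,?,?,?,?,?,?)",
                   (pseudonym(pid), age_band(dob), gender, prov, room, ts[:10],
                    minutes(arr), minutes(intake), minutes(seen)))
    return db


def appointments_by_provider_quarter(db):
    """Appointment counts by provider and calendar quarter, the 'by date' report."""
    sql = """SELECT provider, (CAST(strftime('%m', appt_date) AS INTEGER) + 2) / 3 AS quarter, COUNT(*)
             FROM appt GROUP BY provider, quarter ORDER BY provider, quarter"""
    return db.execute(sql).fetchall()


def avg_wait_minutes(db):
    """Average minutes from arrival to being seen by the provider, per provider (the time study)."""
    sql = """SELECT provider, ROUND(AVG(seen - arrived), 1)
             FROM appt GROUP BY provider ORDER BY provider"""
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_extract(RAW_APPOINTMENTS)
    print(appointments_by_provider_quarter(db))
    print(avg_wait_minutes(db))
```

Exact birthdates and names are what the group members were not allowed to see; the pseudonym and age band keep the per-patient and by-age reports working, which is the reporting ability that a cruder anonymization would lose.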

Has anyone else done this type of EMR reporting before?


March 24, 2008

EMR (or EHR) or HIPAA

Written by: John

I think that Google is confused about my blog. I don’t think it knows if it should categorize me as an EMR blog or as a HIPAA blog. In fact, sometimes it even thinks I’m an EHR blog which is perfectly fine by me. Right now I think that Google thinks that I’m a HIPAA blog, but quite honestly I think I’d rather be an EMR blog. Sure, I cover HIPAA and some of the various HIPAA related news on here. In fact, it’s kind of hard to cover EMR and not cover certain aspects of HIPAA. However, I think at the end of the day I’m more interested in EMR and EHR and I really don’t care about HIPAA. It’s a necessary evil.

I guess I’ll have to focus more of my posts on EMR and EHR and stop using that naughty H word, since Google seems to like to classify me with that H word when I want to show up for EMR and EHR. At the end of the day it doesn’t really matter too much, but as a tech person I always think it’s fun to see what the Google bots see in my content. It’s kind of a way to reassure myself that the bots are happy and classify me as an authority on a subject.

Are you listening Google bots? I’m an EHR and EMR blog. Make sure I make it to the top of searches related to EMR and EHR. That’s really where I’m meant to be. I can feel it in my bones. Well, at least that’s who I want to be.


March 21, 2008

Discharge Summaries by Email from an EMR

Written by: John

Think about how wonderful it would be to send a discharge summary by email to a patient straight from your EMR. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.

Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough for that to be the norm. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than in their regular mailbox. Either way, without encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an email containing, for example, a patient’s discharge summary. It would be going across the internet in basically plain text.

This situation actually happened in Australia a little while back, in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.

I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that gives people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, an even more serious issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and for the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.

We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.

It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.

Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.

The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.


March 10, 2008

A Misplaced Box of HIPAA Information

Written by: John

Today I found a really interesting article in Utah’s local paper, the Deseret Morning News. In the story, a box of medical charts was lost by UPS after being sent from a hospital to somewhere in Las Vegas for a Medicare audit. You can read the article for all the facts, but essentially the box somehow got misdirected and ended up being bought by a Utah school teacher purchasing some “scrap” paper.

I was kind of surprised by how long it took the hospital to get in touch with UPS after the box was lost. Ok, so I’m not really surprised that the hospital is not watching all of the HIPAA information it sends out to make sure that it arrives safely, but maybe it should. UPS has some pretty incredible tracking tools these days that really aren’t that hard to use.

The other interesting thing to consider is how these types of audits and information transfers happen in an electronic world. I know that we transfer eligibility lists to insurance companies using Secure FTP and that works quite well. We’ve worked with a scanning company that is scanning our old paper charts, and when we need to access one of those old records, they send us an encrypted file by email. That works pretty smoothly.

Unfortunately, I think if a patient wants a record right now or if we needed to send some health information out for an audit (not sure why we would need to) then we’d have to pretty much just print out the electronic record like we do when a patient makes a . In fact, we’ve even made a request to our EMR software company to give us a one click method that will allow us to print the entire chart. It’s a pain to print out everything in the paper chart from what’s scanned in, to prescriptions, to lab results, to referrals, etc etc etc. Any EMR companies have a better way to do this?


February 22, 2008

More Google Health Fodder – Cleveland Hospital Starting First

Written by: John

The AP had a story today about a pilot project using a Cleveland hospital to test out the anticipated Google Health. Here’s an excerpt from the story:

The pilot project announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.

I’ve covered Google Health a number of times on this blog and I still wonder what Eric Schmidt is going to say at HIMSS next week. I can’t imagine him not speaking about Google Health at that time. The question is how much will he actually say.

Many people are afraid of what it means for Google to have our Health information. It looks like they won’t have to comply with HIPAA requirements at all. Other people are scared that Google Health will just help Google to offer targeted Viagra (or other drug) ads.

I’m not personally as concerned as most people with Google having health information. However, it is definitely something we’ll have to watch and see how the public accepts it. The AP article described the type of content Google Health will contain:

Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.

Too bad most doctors don’t care about Google Health and will probably never use it.
