February 7, 2010
Imagine an EMR World…
Written by: John
Imagine a world without HIPAA
Imagine a world without 100 zillion insurance companies (each with different policies)
Imagine a world where people didn’t shop for drugs
Imagine a world where patient care was the only reason for health care
Never going to happen. However, I can’t help but wonder what type of EMR software we could create if we didn’t have to worry about the above items.
Tags: EMR Software • HIPAA
October 2, 2009
ARRA Accounting for Disclosures
Written by: John
I’ve been reading some things about ARRA’s changes to HIPAA. I’ve heard a number of times the phrase that “ARRA has now given teeth to HIPAA.” I’ve also heard grumblings about a change in the HIPAA requirement that an EMR account for disclosures. I’ve been trying to get a number of experts on HIPAA to do a guest post on these various changes with no success, but I’ll keep trying.
However, I recently heard that the accounting for disclosures is even more stringent than I had thought before. From what I’ve heard, the law will now require that you store and are able to report on the disclosure of a patient’s health information to both internal and external sources. Disclosure to external sources is something that we’ve done forever and is really not a problem. The challenge is accounting for the internal disclosure of the HIPAA information, not to mention displaying that information in a nice report.
Let’s say for example, a nurse pulls up a list of patients during a search for a patient by last name. Does the EMR need to know all of the people that were in that list that could have been seen by the nurse? Do you need to audit how long the nurse had that list open? I’m sure there are more situations like this that seem to be required by the new HIPAA laws.
I actually saw a demo of a hospital EMR that recorded this type of granular auditing. I have a feeling many EMR software packages aren’t even close to this type of tracking.
I’m also reminded of my post talking about the number of users who legitimately access a patient’s chart. In that post I talk about the number of people who can mess up the chart. Now let’s think about the audit logs that will be required for all of those people who are accessing each granular part of a patient’s record.
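One way to capture the internal disclosures discussed above, as an added example that is not from any EMR product or from this blog: a Python and SQLite sketch that logs every patient shown in a search list as well as each chart opened, plus how long the screen stayed open. The table, column and function names and the sample IDs are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema (an assumption, not taken from any EMR product): one row
# per patient record shown to a user, including rows that only appeared in a
# search-result list and were never clicked.
SCHEMA = """
CREATE TABLE access_audit (
    id         INTEGER PRIMARY KEY,
    user_id    TEXT NOT NULL,
    patient_id TEXT NOT NULL,
    context    TEXT NOT NULL,     -- 'search_list' or 'chart_open'
    view_id    TEXT NOT NULL,     -- groups rows shown on the same screen
    opened_at  INTEGER NOT NULL,  -- epoch seconds
    closed_at  INTEGER            -- NULL while the screen is still open
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def log_view(db, user_id, patient_ids, context, view_id, opened_at):
    """Record every patient whose data was on screen, not just the one clicked."""
    db.executemany(
        "INSERT INTO access_audit (user_id, patient_id, context, view_id, opened_at)"
        " VALUES (?, ?, ?, ?, ?)",
        [(user_id, p, context, view_id, opened_at) for p in patient_ids],
    )

def close_view(db, view_id, closed_at):
    """Stamp when the list or chart was closed so view duration can be reported."""
    db.execute(
        "UPDATE access_audit SET closed_at = ? WHERE view_id = ? AND closed_at IS NULL",
        (closed_at, view_id),
    )

def accounting_for_patient(db, patient_id):
    """Per-patient report: who saw the record, in what context, for how many seconds."""
    rows = db.execute(
        "SELECT user_id, context, opened_at, closed_at - opened_at"
        " FROM access_audit WHERE patient_id = ? ORDER BY opened_at, id",
        (patient_id,),
    )
    return rows.fetchall()

def build_sample():
    """Constructed sample: a nurse searches by last name, then opens one chart."""
    db = open_db()
    log_view(db, "nurse_a", ["P100", "P101", "P102"], "search_list", "v1", 1000)
    close_view(db, "v1", 1012)
    log_view(db, "nurse_a", ["P101"], "chart_open", "v2", 1012)
    close_view(db, "v2", 1300)
    return db
```

In this sample, patient P100 was never opened but still appears in the accounting, because the record was on screen in the nurse's search list for 12 seconds.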
I’d love to hear people’s thoughts on this subject and any clarifications on things I’m misunderstanding. No doubt we’re going to hear more about this in the future.
Tags: Accounting for Disclosures • ARRA • EHR Chart Access • EMR Auditing • EMR Chart Access • HIPAA
August 21, 2009
HIPAA Breach Notification Final Rule Released By HHS
Written by: John
Yes, this website is called EMR and HIPAA, but as you can tell from the content I’m much more interested in EMR than I am in HIPAA. Although there is certainly some correlation.
That said, I think there are some interesting things happening with HIPAA that people need to be aware of. HHS released the Breach Notification Final Rule. Healthcare POV said the following about the rule:
The Department of Health and Human Services (HHS) has released a final rule on breach notification requirements for covered entities (CEs) and business associates (BAs). Published in the Federal Register, the rule dictates proper procedure for responding to a breach, including when notification is required, who to tell and how to dispense that information. The rule also reiterates and clarifies recommended methods of data encryption.
The announcement came 2 days after the Federal Trade Commission (FTC) released its breach notification final rule, which covers personal health record vendors and other non-HIPAA CEs. HHS consulted with FTC on requirements and asked the public for input through a request for information released earlier this year.
The link above has more analysis of these changes as well. I’ll admit that I’m not an expert in this area. Anyone else who cares to chime in on the impact of these changes, I’d love to hear about it in the comments or even a guest blog post if someone’s interested.
Tags: Breach Notification • HHS • HIPAA
June 21, 2009
Lost Laptop with Patient Names, Treatment Summaries and Other PHI
Written by: John
This story coming out of Oregon came across my feeds today. It tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.
This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out if there was an EMR involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if it gets stolen there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.
2. There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down kind of like they do with stolen cars (same people from what I understand).
Once the stolen laptop is connected to the network, it will call back to the main center and receive the command to wipe out the laptop. Then, it will also give them information about where it was connected in order for police to possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.
Tags: EMR Remote Access • HIPAA violations • Lost Laptop • Oregon Health and Science University
May 9, 2009
Number of People Who Can Screw Up a Patient Chart
Written by: John
A company called FastCompany (most notable for famous Microsoft blogger Scoble having worked there. Yes, I’m showing my geek) wrote an article a while back on EMR and technology’s impact on healthcare. It’s an interesting read since it’s kind of an outsider/tech magazine look at healthcare.
One thing that really struck me in the article was the following quote:
In the meantime, Geisinger continues to compile success stories, including that of CEO Steele, who became patient No. 86 in the ProvenCare CABG program. “I was in and out of the hospital in two-and-a-half days,” he says. Casale, who was Steele’s surgeon, says the case opened his eyes to how complex a routine operation really is: “Two weeks after, the head of our IT group called me and said, ‘Al, I just looked through [Steele's] chart, and I want to send you a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’ There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”
113 people legitimately accessing the patient chart in an EMR. The most apparent item here is that it’s a lot of people that could screw up the patient chart. However, that’s not what interested me. What I find most interesting is that an EMR enables us to know that 113 people accessed the chart and exactly what each one did. Think about a paper chart. Any of those 113 people could have made a change and it would be difficult to know who.
Tags: EHR Chart Access • EMR Auditing • EMR Chart Access • FastCompany • Scoble
May 5, 2009
8 Million Virginia Patient Records for $10 Million
Written by: John
I’m not sure how many of my readers have heard about the Virginia Prescription Monitoring Program being hacked yesterday. The Prescription Monitoring Program is used by pharmacists and others to discover prescription drug abuse. The story gets really interesting since it looks like the hackers encrypted over 8 million patient records and over 35 million prescriptions. Then, the hackers posted the following note on the Virginia Prescription Monitoring Program website (according to WikiLeaks):
“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh
For $10 million, I will gladly send along the password.”
The website has now been entirely disabled and just times out if you try to visit the site.
The Washington Post blog has reported the following:
Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, declined to discuss details of the hacker’s claims, and referred inquiries to the FBI.
“There is a criminal investigation under way by federal and state authorities, and we take the information security very serious,” she said.
A spokesman for the FBI declined to confirm or deny that the agency may be investigating.
Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.
“We do have some of systems restored, but we’re being very careful in working with experts and authorities to take essential steps as we proceed forward,” she said. “Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete.”
Seems interesting that 5 days after they discovered the intrusion the website is still not back online. Must have been a pretty serious hack job.
The Washington Post also explained that this is the second such extortion attack using patient health care data.
In October 2008, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.
Stories like this will set back any sort of RHIO or national HIE movement. Sure makes you think about the security of it all. What is interesting is that the patient data doesn’t seem to have much value outside of extortion. Otherwise, I’d think those who breached the system would have used it in some other way.
Tags: Express Scripts • Hackers • HIPAA • HIPAA Breach • Sandra Whitley Ryals • Virgina Department of Health Professionals • Virginia Prescription Monitoring Program
January 19, 2009
Get EMR and HIPAA in Your Email or RSS Feed
Written by: John
I know that many of you are already subscribing to updates to EMR and HIPAA using the EMR and HIPAA RSS feed. Thanks to all those who subscribe. I appreciate your readership.
Recently, I just integrated an email subscription service for those who’d like to get updates to EMR and HIPAA in their email instead of by RSS or visiting the site. I know I use my email heavily and this feature is a really nice one.
All you have to do is click here to subscribe and enter your email address. Then, you’ll have to confirm it’s your email by clicking a link that gets sent to you. That’s to prevent spam. I hate spam and so do you. So, you can trust that I won’t be using your email for spam. It will just send out updates that happen on EMR and HIPAA.
Let me know if you have any questions and what you think of this new feature.
Tags: EMR and HIPAA
August 23, 2008
Open Source Software for Finding a Stolen Laptop
Written by: John
I’ve always been intrigued by the idea of software like Lo Jack that helps you find your laptop should it ever get stolen. The biggest problem of course is the cost associated with the software. Today I found an interesting Open Source system for tracking and recovering stolen laptops. I haven’t had time to try the software yet, but this is definitely going on my to-do list of software to try out.
How many times have we seen reports of a stolen laptop that had an entire database of personal or health information on it? Way too many. This could be an interesting and free solution. Even the best coded EMR software usually leaves at least some traces of PHI in Windows temp files, for example. A free way to recover the laptop would be very beneficial.
Tags: Adeona • EMR • Open Source • Stolen Laptops • Stolen Recovery Software
May 12, 2008
Using an EMR for Business Intelligence (BI)
Written by: John
I just completed my very last class of my educational career (I’ll graduate with my Masters in IS on Saturday. Yeah Me!). My last class was a Business Intelligence class. While I wasn’t necessarily fond of this class or the teacher, I am definitely interested in business intelligence.
Business Intelligence to me is really just about being able to look at large amounts of data in really cool ways. EMR is basically synonymous with the concept of large amounts of data. Each and every day thousands of really interesting pieces of information are being entered into an EMR. Many times this data is organized in such a way that it can be easily accessed and reported on.
For my class, we’ve been using SQL Server 2005’s business intelligence components. While Microsoft may have its downfalls, they really have put some thought and effort into SQL Server 2005’s BI components. For my final project, I decided to extract some appointment data from my EMR (yes, I guess it’s really my PMS, except for things like the room for the appointment) and run some BI analysis on the EMR data.
I actually had to anonymize all the EMR data before using it, because I was working in a group where they weren’t allowed access to all the HIPAA related information. However, it wasn’t too big of a deal in the end. Although, it does lose some of the reporting ability when you do that.
Since we ended up only pulling out simple appointment data from the EMR database, we could only really run reports about appointments. Don’t get me wrong. There is some really cool stuff you can report on appointments. We reported on appointments by date (this includes day, month, quarter, year, etc), provider, gender, birthdate, ethnicity, etc. We also uploaded the room number that an appointment used so that we could measure the utilization of our exam rooms. Luckily our EMR stored all the information about exam rooms. We also pulled in the data that described when a patient arrived at the clinic, when the nurse started the intake and when the provider finally saw them. We haven’t actually built any reports on that time study data, but it would be really interesting.
That’s really just the beginning of what we were able to do with the EMR data, but I think you get the point. The real question at this point is what other EMR data could benefit from some quality BI analysis? Here’s a few of my thoughts:
- Blood pressure – Depending on how this is stored will determine how easy it is to report. However, it would be really interesting to see trends in blood pressure across our entire population. Add in a few filters for certain medications and you could see some amazing results.
- Average Charge per Patient – Could be interesting to look at this and identify which patients are the most profitable. Wait, doctors aren’t about profit are they?
- Average Number of Visits per Patient – Would be interesting to see this grouped too.
Those are just a few off the top of my head. I’m sure there are a hundred more that could be done with diagnosis, prescriptions, charges, procedures, referrals, etc etc etc. Which reports would you find interesting from the data in your EMR?
The best part of this all is that in the next couple weeks I have planned to upgrade my EMR from SQL Server 2000 to SQL Server 2005. That means that I could really easily use all the SQL Server BI tools to create the various BI reports with all the data in my EMR.
Has anyone else done this type of EMR reporting before?
Tags: BI • Business Intelligence • EMR • SQL Server 2005
March 24, 2008
EMR (or EHR) or HIPAA
Written by: John
I think that Google is confused about my blog. I don’t think it knows if it should categorize me as an EMR blog or as a HIPAA blog. In fact, sometimes it even thinks I’m an EHR blog which is perfectly fine by me. Right now I think that Google thinks that I’m a HIPAA blog, but quite honestly I think I’d rather be an EMR blog. Sure, I cover HIPAA and some of the various HIPAA related news on here. In fact, it’s kind of hard to cover EMR and not cover certain aspects of HIPAA. However, I think at the end of the day I’m more interested in EMR and EHR and I really don’t care about HIPAA. It’s a necessary evil.
I guess I’ll have to focus more of my posts on EMR and EHR and stop using that naughty H word since Google seems to like to classify with that H word when I want to show up for EMR and EHR. At the end of the day it doesn’t really matter too much, but as a tech person I always think it’s fun to see what the Google bots see in my content. It’s kind of a way to justify myself that the bots are happy and classify me as an authority on a subject.
Are you listening Google bots? I’m an EHR and EMR blog. Make sure I make it to the top of searches related to EMR and EHR. That’s really where I’m meant to be. I can feel it in my bones. Well, at least that’s who I want to be.
Tags: EHR • EMR • HIPAA











