May 12, 2008
Using an EMR for Business Intelligence (BI)
I just completed my very last class of my educational career (I’ll graduate with my Masters in IS on Saturday. Yeah Me!). My last class was a Business Intelligence class. While I wasn’t necessarily fond of this class or the teacher, I am definitely interested in business intelligence.
Business Intelligence to me is really just about being able to look at large amounts of data in really cool ways. EMR is basically synonymous with the concept of large amounts of data. Each and every day thousands of really interesting pieces of information are being entered into an EMR. Many times this data is organized in such a way that it can be easily accessed and reported on.
For my class, we’ve been using SQL Server 2005’s business intelligence components. While Microsoft may have its downfalls, they really have put some thought and effort into SQL Server 2005’s BI components. For my final project, I decided to extract some appointment data from my EMR (yes, I guess it’s really my PMS, except for things like the room for the appointment) and run some BI analysis on the EMR data.
I actually had to anonymize all the EMR data before using it, because I was working in a group where they weren’t allowed access to all the HIPAA related information. However, it wasn’t too big of a deal in the end. Although, it does lose some of the reporting ability when you do that.
Since we ended up only pulling out simple appointment data from the EMR database, we could only really run reports about appointments. Don’t get me wrong. There is some really cool stuff you can report on appointments. We reported on appointments by date (this includes day, month, quarter, year, etc), provider, gender, birthdate, ethnicity, etc. We also uploaded the room number that an appointment used so that we could measure the utilization of our exam rooms. Luckily our EMR stored all the information about exam rooms. We also pulled in the data that described when a patient arrived at the clinic, when the nurse started the intake and when the provider finally saw them. We haven’t actually built any reports on that time study data, but it would be really interesting.
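One way to prepare an appointment extract like the one described above before handing it to a group without access to patient information, as an added example (not the code or process used for the class project). The column names, the key and the sample rows are constructed assumptions; replacing the birthdate with an age band is also an assumption and illustrates the reporting detail that is lost.

```python
import hashlib
import hmac
from datetime import date

# Constructed key for this example. It stays with the clinic and is never
# shipped with the extract; without it the pseudonyms cannot be recomputed.
PSEUDONYM_KEY = b"constructed-example-key"

# Columns that identify a patient directly and must not leave the clinic.
# Column names are assumptions, not a real EMR schema.
DIRECT_IDENTIFIERS = {"patient_id", "name", "birthdate"}

# Constructed sample appointment rows.
APPOINTMENTS = [
    {"patient_id": 1001, "name": "Pat Example", "birthdate": date(1984, 3, 9),
     "gender": "F", "provider": "Dr. A", "room": "2", "appt_date": date(2008, 4, 1)},
    {"patient_id": 1001, "name": "Pat Example", "birthdate": date(1984, 3, 9),
     "gender": "F", "provider": "Dr. B", "room": "1", "appt_date": date(2008, 4, 22)},
    {"patient_id": 1002, "name": "Sam Sample", "birthdate": date(1990, 12, 25),
     "gender": "M", "provider": "Dr. A", "room": "2", "appt_date": date(2008, 4, 15)},
]


def pseudonym(patient_id, key=PSEUDONYM_KEY):
    """Keyed, stable replacement for the patient id (HMAC-SHA256, truncated)."""
    mac = hmac.new(key, str(patient_id).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def age_band(birthdate, on_date, width=10):
    """Generalize an exact birthdate to a coarse age range at the visit date."""
    had_birthday = (on_date.month, on_date.day) >= (birthdate.month, birthdate.day)
    age = on_date.year - birthdate.year - (0 if had_birthday else 1)
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(row, key=PSEUDONYM_KEY):
    """Drop direct identifiers, keep reportable columns, add pseudonym and age band."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_key"] = pseudonym(row["patient_id"], key)
    out["age_band"] = age_band(row["birthdate"], row["appt_date"])
    return out


def visits_per_patient(rows):
    """Per-patient reporting still works because the pseudonym is stable."""
    counts = {}
    for row in rows:
        counts[row["patient_key"]] = counts.get(row["patient_key"], 0) + 1
    return counts


if __name__ == "__main__":
    extract = [deidentify(r) for r in APPOINTMENTS]
    for r in extract:
        print(r)
    print(visits_per_patient(extract))
```

Because the pseudonym is keyed, someone holding only the extract cannot rebuild the mapping by hashing guessed patient numbers, while the clinic can still recompute it to trace a finding back to a chart.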
That’s really just the beginning of what we were able to do with the EMR data, but I think you get the point. The real question at this point is what other EMR data could benefit from some quality BI analysis? Here’s a few of my thoughts:
-Blood pressure - Depending on how this is stored will determine how easy it is to report. However, it would be really interesting to see trends in blood pressure across our entire population. Add in a few filters for certain medications and you could see some amazing results
-Average Charge per Patient - Could be interesting to look at this and identify which patients are the most profitable. Wait, doctors aren’t about profit are they?
-Average Number of Visits per Patient - Would be interesting to see this grouped too.
Those are just a few off the top of my head. I’m sure there are a hundred more that could be done with diagnosis, prescriptions, charges, procedures, referrals, etc etc etc. Which reports would you find interesting from the data in your EMR?
The best part of this all is that in the next couple weeks I have planned to upgrade my EMR from SQL Server 2000 to SQL Server 2005. That means that I could really easily use all the SQL Server BI tools to create the various BI reports with all the data in my EMR.
Has anyone else done this type of EMR reporting before?
Tags: BI • Business Intelligence • EMR • SQL Server 2005
March 24, 2008
EMR (or EHR) or HIPAA
I think that Google is confused about my blog. I don’t think it knows if it should categorize me as an EMR blog or as a HIPAA blog. In fact, sometimes it even thinks I’m an EHR blog which is perfectly fine by me. Right now I think that Google thinks that I’m a HIPAA blog, but quite honestly I think I’d rather be an EMR blog. Sure, I cover HIPAA and some of the various HIPAA related news on here. In fact, it’s kind of hard to cover EMR and not cover certain aspects of HIPAA. However, I think at the end of the day I’m more interested in EMR and EHR and I really don’t care about HIPAA. It’s a necessary evil.
I guess I’ll have to focus more of my posts on EMR and EHR and stop using that naughty H word since Google seems to like to classify with that H word when I want to show up for EMR and EHR. At the end of the day it doesn’t really matter too much, but as a tech person I always think it’s fun to see what the Google bots see in my content. It’s kind of a way to justify myself that the bots are happy and classify me as an authority on a subject.
Are you listening Google bots? I’m an EHR and EMR blog. Make sure I make it to the top of searches related to EMR and EHR. That’s really where I’m meant to be. I can feel it in my bones. Well, at least that’s who I want to be.
Tags: EHR • EMR • HIPAA
March 21, 2008
Discharge Summaries by Email from an EMR
Think about how wonderful it would be to send a discharge summary by email to a patient straight from your EMR. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.
Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough to make it encrypted. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than their regular mailbox. Either way, without the encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an Email containing for example a patient’s discharge. It would be going across the internet in basically plain text.
This situation actually happened in Australia a little while back in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.
I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that allows people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, even more serious of an issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.
We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.
It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.
Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.
The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.
Tags: EHR • email in health care • EMR and EHR • google health • health 2.0 • health care IT • HealthVault • open social • secure email
March 10, 2008
A Misplaced Box of HIPAA Information
Today I found a really interesting article in Utah’s local paper the Deseret Morning News. In the story, a box of medical charts was lost by UPS after being sent from a Hospital to somewhere in Las Vegas for a medicare audit. You can read the article for all the facts, but essentially the box somehow got misdirected and ended up being bought by a Utah school teacher purchasing some “scrap” paper.
I was kind of surprised by how long it took the hospital to get in touch with UPS after the box was lost. Ok, so I’m not really surprised that the hospital is not watching all of the HIPAA information they sent out to make sure that it arrives safely, but maybe it should. UPS has some pretty incredible tracking tools these days that really aren’t that hard to use.
The other interesting thing to consider is how these types of audits/information transfer happens in an electronic world. I know that we transfer eligibility lists to insurance companies using Secure FTP and that works quite well. We’ve worked with a scanning company who is scanning our old paper charts and when we need to access one of those old records, they send us an encrypted file through email. That works pretty smoothly.
Unfortunately, I think if a patient wants a record right now or if we needed to send some health information out for an audit (not sure why we would need to) then we’d have to pretty much just print out the electronic record like we do when a patient makes a . In fact, we’ve even made a request to our EMR software company to give us a one click method that will allow us to print the entire chart. It’s a pain to print out everything in the paper chart from what’s scanned in, to prescriptions, to lab results, to referrals, etc etc etc. Any EMR companies have a better way to do this?
Tags: EHR • EMR • HIPAA Audits • HIPAA disclosures • HIPAA violations
February 22, 2008
More Google Health Fodder - Cleveland Hospital Starting First
The AP had a story today that told about a pilot project using a Cleveland Hospital to test out the anticipated Google Health. Here’s an excerpt from the story:
The pilot project announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.
I’ve covered Google Health a number of times on this blog and I still wonder what Eric Schmidt is going to say at HIMSS next week. I can’t imagine him not speaking about Google Health at that time. The question is how much will he actually say.
Many people are afraid of what it means for Google to have our Health information. It looks like they won’t have to comply with HIPAA requirements at all. Other people are scared that Google Health will just help Google to offer targeted Viagra (or other drug) ads.
I’m not personally as concerned as most people with Google having health information. However, it is definitely something we’ll have to watch and see how the public accepts it. The AP article described the type of content Google Health will contain:
Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.
Too bad most doctors don’t care about Google Health and will probably never use it.
Tags: EHR • EMR • google health • HIMSS
February 5, 2008
Hosted Fax Applications vs Fax Servers in a Healthcare Environment
Today I got an email asking about whether someone should use a hosted HIPAA compliant fax application or get their own fax server. Here’s the full email (with names removed):
I’m setting up a web based application for administrative work at doctors offices. I want to be able to allow these offices to purchase an electronic fax service that is HIPAA compliant and integrated with my application from me. I have tried to research this and have only gotten more confused. What should I do?
* Should I use one of these internet fax providers through a partnership program where I can brand the product to my own? Are they HIPAA compliant? and how come some of them like smartfax.com charges only $12.95 for unlimited faxing, and someone like sfaxme.com who claims to be HIPAA compliant charges $99.00 for 1000 pages.
* Or should I use some sort of fax server.
Any help would be highly appreciated.
Best Regards,
Name Removed
Some very good questions. I will admit that I’m definitely not an expert on the hosted HIPAA compliant fax server market. I’d love for people to correct anything I’ve said which is wrong. Here’s what I wrote in response to the email:
I can understand your confusion. There are a lot of different options out there. I personally don’t know much about the fax service providers. I knew there were some out there, but I’ve never personally used one myself. I’m not sure I ever would use one at least for HIPAA related information. You’re probably ok if you have a business associates agreement, but here again I’m not a lawyer and laws may depend on which state you’re in.
As far as the pricing difference, I’m sure there are a number of factors, but it makes a lot of sense that a HIPAA compliant fax service would be more expensive than a non-HIPAA compliant service. Not necessarily because the technology is all that different, but because they “should” implement more safeguards to protect your data in order to be HIPAA compliant. Not to mention if a company can claim HIPAA compliant faxes, then they’ll probably charge more just because they can.
I personally prefer the fax server route. They are inexpensive (like $50 or less) and everything is stored in house. If you have a Windows Server 2003 server in your office, then the fax application to keep logs of all your faxes is also free. If you don’t have a server like that, then it will be a little more difficult but a good fax program only costs around $50-100 last I checked.
One thing you should know about a fax server (and probably the fax providers) is that you’ll need to have some sort of scanner to be able to scan things in order to fax them. Unless of course you’re planning to only fax things that are already electronic. Basically a fax server can fax anything you can print. If you can print it, you can fax it with a fax server.
Anything else that I left out about fax servers vs. hosted fax applications that people in healthcare should know?
Tags: fax server • healthcareit • sfaxme • smartfax
February 4, 2008
42 Questions HHS Might Ask in a HIPAA Audit
This information is a little bit dated, but it was sitting in my draft posts and I think that it’s still very relevant to those interested in HIPAA compliance. Computer World posted an article about Atlanta’s Piedmont hospital being the first organization to have a HIPAA audit by the HHS.
In the report they identified 42 questions that HHS reportedly asked Piedmont hospital during the HIPAA audit. Regardless of how accurate this is, I think that it’s interesting for all those in the healthcare industry to evaluate these questions and how they apply in their environment.
Here’s the list of questions:
1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Antivirus software.
23. Network remote access.
24. Computer patch management.
HHS also had a slew of other requests:
1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms used for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g. System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers, installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Since most of my interest is in ambulatory care, I wonder if an audit would be this extensive for ambulatory care. Talk about putting a company out of business. This would be an extensive report for a hospital but could be really detrimental to a small doctor’s office. Still interesting to think about.
I expect that no one is fully compliant with this list. Of course, that raises the question of what’s full compliance, but we’ll save that topic for another day.
Tags: HHS • HIPAA • HIPAA Audit
August 3, 2007
Determining Proper Electronic Check In Forms
- EHR
- EMR
- EMR Consultant
- EMR Consulting
- EMR Implementation
- EMR Technology
- HIPAA General
- HealthCare IT
- Patient Portal
As I pointed out in my previous post on patients filling out forms electronically, it is absolutely essential that your EMR software supports a robust set of preferences for determining which forms a patient should fill out.
Let’s take three example forms to illustrate most of the needed options: HIPAA privacy form, Health History form, Consent for Pap Smear. All of these forms need to be filled out in different intervals.
HIPAA Privacy Form
I think that in most cases, the HIPAA privacy form is something that just has to be filled out one time. Once I’ve filled it out, then I don’t want to have to ever see that form again. What does this mean for the EMR self check in kiosk? That means the computer has to check my account and know if that form has been filled out already or not. Easy enough, right? I check in for my appointment, the EMR checks to see if I’ve filled out a privacy form and presents the form to me if one doesn’t exist. No sweat…or is it?
Of course, you can’t forget about the case where the government decides to change HIPAA laws and so now you have to change your HIPAA privacy forms. Let’s assume you change this form on January 1, 2007. This now means that your EMR self check in kiosk needs to now provide the new HIPAA privacy form to anyone who has not filled one out since January 1, 2007. Can this be done? Of course, and it really isn’t that hard. However, it’s an important difference that must be planned for.
Health History Form
How often do you make your patients fill out a health history form? Some may only do it once and then never ask again. If that’s the case, then you can see my comments above on HIPAA privacy form. In our clinic (and I think most others), a health history form should be filled out every year [Emphasis Added]. My clinicians tell me it’s just good practice to get the history if it’s been more than a year, because you never know what else might have happened to them or their family in that time. Is this really possible with a paper chart? Not very easily. However, with a computer it’s no problem.
When a patient checks in for the appointment, the EMR self check in kiosk checks the patient’s notes for the last time they filled out the form called “Health History.” If the form is more than a year old, then the patient is prompted to fill out a new health history form. Of course, we’ve previously set a preference that the Health History form should be filled out every year. Again, it’s not rocket science, but an important difference from the HIPAA privacy form.
Consent for Pap Smear
This form is even more difficult. Unless of course your EMR is like ours and requires you to use specific appointment reasons when scheduling an appointment. When scheduling an appointment our front desk will choose appointment reasons like Pap Smear, Wart Removal, etc. This makes it easy for the EMR self check in kiosk to quickly check the reason for the patient visit and require patients to fill out forms like the Consent for Pap Smear.
A few other points of note:
Minors: I could easily see an EMR self check in kiosk determining a patient’s age and displaying special minor consent forms for those that are under 18. We’ve solved this problem using conditional questions on our forms which I think I’ll leave for a future post if people are interested. Minors is another good reason to capture the electronic signature as opposed to just using some sort of individually identified login for a signature.
The Unseen Procedure: Often you won’t know if a patient needs to fill out a consent for treatment form until after they’ve seen the doctor. This is obviously a problem since they can’t just fill this form out when they check in for their appointment. We’re still working through this problem, but we’re either going to go with scanning a paper form or possibly some sort of portable workstation with signature pad. I sure wish that UMPC’s were a little farther along. I’ll let you know how it turns out. This could also apply to forms like birth control and the unplanned pap smear.
One thing that’s important to understand is just because you could sign the form electronically doesn’t mean that it’s always beneficial. Does it really matter if you have your consent for treatment or HIPAA privacy form in your EMR immediately? It’s certainly nice, but it’s not like someone’s going to go looking for it in the EMR the next day to see what was done. The EMR notes contain the time sensitive information. As long as it’s eventually scanned into the EMR, then some forms can wait. Of course, don’t forget to weigh the cost of scanning to the cost of signing it electronically.
In the end, there are a bunch of business and operational decisions that are required to make using an EMR self check in kiosk work properly.
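The three form intervals described above (once unless the form was revised, yearly, and by appointment reason), plus the under-18 case, as an added example that is not the EMR vendor's code. The class names, the "Minor Consent" form name, the rule fields and the choice to require the Pap smear consent again on each such visit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class FormRule:
    name: str
    repeat_days: Optional[int] = None   # None: fill out once; N: again after N days
    revised_on: Optional[date] = None   # copies signed before this date no longer count
    reasons: frozenset = frozenset()    # empty: applies whatever the appointment reason
    under_age: Optional[int] = None     # only for patients younger than this


@dataclass
class Patient:
    birthdate: date
    signed: dict = field(default_factory=dict)  # form name -> date of latest signed copy


# Preferences matching the examples in the post; "Minor Consent" is hypothetical.
RULES = [
    FormRule("HIPAA Privacy", revised_on=date(2007, 1, 1)),
    FormRule("Health History", repeat_days=365),  # 365 days stands in for "a year"
    FormRule("Consent for Pap Smear", repeat_days=0, reasons=frozenset({"Pap Smear"})),
    FormRule("Minor Consent", under_age=18),
]


def age_on(birthdate, today):
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    return today.year - birthdate.year - (0 if had_birthday else 1)


def forms_due(patient, appointment_reason, today, rules=RULES):
    """Return the names of the forms the kiosk should present at check-in."""
    due = []
    age = age_on(patient.birthdate, today)
    for rule in rules:
        if rule.reasons and appointment_reason not in rule.reasons:
            continue  # form is tied to other appointment reasons
        if rule.under_age is not None and age >= rule.under_age:
            continue  # form is only for minors
        last = patient.signed.get(rule.name)
        if last is None:
            due.append(rule.name)  # never filled out
        elif rule.revised_on is not None and last < rule.revised_on:
            due.append(rule.name)  # signed copy predates the revised form
        elif rule.repeat_days is not None and (today - last).days > rule.repeat_days:
            due.append(rule.name)  # signed copy is older than the interval
    return due


if __name__ == "__main__":
    today = date(2007, 8, 3)
    returning = Patient(date(1980, 5, 5), {"HIPAA Privacy": date(2006, 6, 1),
                                           "Health History": date(2007, 2, 1)})
    print(forms_due(returning, "Pap Smear", today))
```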
March 23, 2007
A HIPAA Wiki
I’ve been seriously looking at a way to manage the HIPAA documentation for my clinic. I think that a wiki is going to be the way to go. I wonder if anyone else has thought of this idea.
It seems like the logical method. It would definitely have to be secured and password protected. However, the ability to have it accessible by the entire clinic and to be editable by anyone is great. Plus, it is great because you can dynamically add new pages on the fly. In fact, I plan on using it for all of our documented policies and procedures.
I found a really good article detailing the various wikis. I think that I’m going to try out the one that powers Wikipedia, MediaWiki. Anyone else have thoughts on how to do this?
November 18, 2006
Facial Recognition is the Best Biometric Solution
I don’t usually like to post blanket statements like the above, but I’ve really fallen in love with facial recognition. I absolutely love my facial recognition. I’ve been working lately with Sensible Vision, a vendor of facial recognition software, getting the single sign on to work with my EMR package called Medicat. It’s pretty impressive.
I brought in the director of the health center to take a look at the single sign on. I opened my EMR application and it pretty much goes straight into the application. The director of the health center pulled one of those “Ohhh!” because she was surprised at how quick it was.
I showed one of the front desk personnel and she said, “When do we get that?” As soon as possible was my answer.
I just can’t get over how smart it is. Continuous authentication is the best type of security you can have on your PC. Facial recognition constantly is looking for your face and making sure that you haven’t left. It’s the very best feature.
I only have one more thing I have to get working properly and we’ll be putting it into our clinical environment. We have to still make it so that two people can use the computer. Too bad our application isn’t browser based because then it wouldn’t be an issue at all. Unfortunately, my application is in VB and so there’s a little more programming to get the facial recognition software to logoff the application if someone forgot to do that.
I’ll let you know once I have it in the clinic.