Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Health IT Jobs Data Yields A Few Surprises

Posted on February 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

After taking a look at a pre-release copy of a new report chronicling trends in the healthcare IT staffing world (The full report will be released during HIMSS), I’ve realized that many of my assumptions about the health IT workforce are wrong.  The report, from specialist technology recruitment firm Greythorn, offers a useful look at just who makes up the healthcare IT workforce and how they prefer to work, but just as importantly, how health organizations are treating them.

To collect its data, the recruiting company surveyed 430 U.S. IT professionals over Q4 2015. Greythorn focused on factors that define the healthcare pro’s work experience, including the demographics of the HIT workforce, length of tenure, hours in a typical work week, career motivation and reward/bonus trends.

More than one item in the report surprised me. For example, despite last year’s ups and downs, 84% of respondents reported feeling optimistic or extremely optimistic about healthcare IT, up from 78% the previous year.

Also, some of the demographics data caught me off guard:

  • 59% of respondents were female, while only 41% were male. I couldn’t dig up a stat on the overall makeup of the US HIT workforce, but my best guess is that it’s still male-dominated. So this was of note.
  • Also, 52% of respondents were between 43 and 60 years old, though another 24% of respondents were 25 to 34 years old. On level it makes sense, as health IT work takes specialized expertise that doesn’t come overnight, but it bucks the general IT image as a haven for young hopefuls.
  • I was also surprised to learn that only 40% of respondents were employed full time,  On the other hand, given that consultants and contractors can earn 50% to 100% more than full-timers (Greythorn’s data), it’s actually a pretty logical development.
  • Greythorn found that 43% of respondents were working 41 to 45 per week, not bad for a demanding professional position. On the other hand, 21% report working 46 to 50 hours, and 10% more than 60 hours.

The report also served up some interesting data regarding HIT hiring and staff headcount:

  • 39% of respondents said that they expected to increase headcount, perhaps signalling a move away from implementing big projects largely with contractors. On the other hand, 24% reported that they expected to cut headcount, so I could be off base.
  • On the flip side, only 9% said that they expected to see significant headcount losses, with 33% asserting that headcount would probably remain the same.

When it came to technical specializations, the results were fairly predictable. When asked which EMR system they knew best:

  • 55% of respondents named Epic
  • 19% named Cerner
  • 5% named Meditech
  • 3% named Allscripts and McKesson
  • 14% cited “other”

Finally, given that many of the survey respondents seem to cluster at the high end of experience levels, I was intrigued to note the wide spread in salaries, which ranged from less than $50K per year to to more than $160K. Some of the most interesting numbers, included the following:

  • 20% reported earning $50K to $69,999
  • 21% were earning $100K to $119,999
  • 6% reported earning more than $160K

To my way of thinking, it doesn’t make sense that 53% of  health IT pros  — many of whom reported being fairly senior, were making less than $100K per year.

Sure, health organizations’ budgets are stretched thin. But skimping on IT pay is likely to have a negative impact on recruitment and retention. As we cruise into 2016, let’s keep an eye on this problem. I doubt junior- to mid-level salaries will attract the hard-core HIT veterans needed to transform health IT over the coming years.

Note: Healthcare Scene helped promote this survey and Greythorn pays to post its healthcare IT jobs to our healthcare IT job board.

To Improve Health Data Security, Get Your Staff On Board

Posted on February 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.

But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.

Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.

But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.

In my opinion, the changes should include following:

  • Boost security education:  While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for growing threat cyber-strikes pose. They need to know that these days, the data they’re protecting might as well be money itself, and they the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
  • Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
  • Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
  • Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use.  Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.

Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks.  Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the mean time, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps that alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to provide sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the mean time, it’s worth remembering that patients are paying close attention to health apps security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.

Mobile Health Security Issues To Ponder In 2016

Posted on January 11, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In some ways, mobile health security safeguards haven’t changed much for quite some time. Making sure that tablets and phones are protected against becoming easy network intrusion points is a given. Also seeing to it that such devices use strong passwords and encrypted data exchange whenever possible is a must.

But increasingly, as mobile apps become more tightly knit with enterprise infrastructure, there’s more security issues to consider. After all, we’re increasingly talking about mission-critical apps which rely on ongoing access to sensitive enterprise networks. Now more than ever, enterprises must come up with strategies which control how data flows into the enterprise network. In other words, we’re not just talking about locking down the end points, but also seeing to it that powerful edge devices are treated like the vulnerable hackable gateways they are.

To date, however, there’s still not a lot of well-accepted guidance out there spelling out what steps health organizations should take to ramp up their mobile security. For example, NIST has issued its “Securing Electronic Health Records On Mobile Devices” guideline, but it’s only a few months old and remains in draft form to date.

The truth is, the healthcare industry isn’t as aware of, or prepared for, the need for mobile healthcare data security as it should be. While healthcare organizations are gradually deploying, testing and rolling out new mobile platforms, securing them isn’t being given enough attention. What’s more, clinicians aren’t being given enough training to protect their mobile devices from hacks, which leaves some extremely valuable data open to the world.

Nonetheless, there are a few core approaches which can be torqued up help protect mobile health data this year:

  • Encryption: Encrypting data in transit wasn’t invented yesterday, but it’s still worth a check in to make sure your organization is doing so. Gregory Cave notes that data should be encrypted when communicated between the (mobile) application and the server. And he recommends that Web traffic be transmitted through a secure connection using only strong security protocols like Secure Sockets Layer or Transport Layer Security. This also should include encrypting data at rest.
  • Application hardening:  Before your organization rolls out mobile applications, it’s best to see to it that security defects are detected before and addressed before deployment. Application hardening tools — which protect code from hackers — can help protect mobile deployments, an especially important step for software placed on machines and locations your organization doesn’t control. They employ techniques such as obfuscation, which hides code structure and flow within an application, making it hard for intruders to reverse engineer or tamper with the source code.
  • Training staff: Regardless of how sophisticated your security systems are, they’re not going to do much good if your staff leaves the proverbial barn door open. As one security expert points out,  healthcare organizations need to make staffers responsible for understanding what activities lead to breaches, or security hackers will still find a toehold.”It’s like installing the most sophisticated security system in the world for your house, but not teaching the family how to use it,” said Grant Elliott, founder and CEO of risk management and compliance firm Ostendio.

In addition to these efforts, I’d argue that staffers need to really get it as to what happens when security goes awry. Knowing that mistakes will upset some IT guy they’ve never met is one thing; understanding that a breach could cost millions and expose the whole organization to disrepute is a bit more memorable. Don’t just teach the security protocols, teach the costs of violating them. A little drama — such as the little old lady who lost her home due to PHI theft — speaks far more powerfully than facts and figures, don’t you agree?

Tiny Budgets Undercut Healthcare’s Cyber Security Efforts

Posted on January 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This has been a lousy year for healthcare data security — so bad a year that IBM has dubbed 2015 “The Year of The Healthcare Security Breach.” In a recent report, Big Blue noted that nearly 100 million records were compromised during the first 10 months of this year.

Part of the reason for the growth in healthcare data breaches seems to be due to the growing value of Protected Health Information. PHI is worth 10x as much as credit card information these days, according to some estimates. It’s hardly surprising that cyber criminals are eager to rob PHI databases.

But another reason for the hacks may be — to my way of looking at things — an indefensible refusal to spend enough on cybersecurity. While the average healthcare organization spends about 3% of their IT budget on cybersecurity, they should really allocate 10% , according to HIMSS cybersecurity expert Lisa Gallagher.

If a healthcare organization has an anemic security budget, they may find it difficult to attract a senior healthcare security pro to join their team. Such professionals are costly to recruit, and command salaries in the $200K to $225K range. And unless you’re a high-profile institution, the competition for such seasoned pros can be fierce. In fact, even high-profile institutions have a challenge recruiting security professionals.

Still, that doesn’t let healthcare organizations off the hook. In fact, the need to tighten healthcare data security is likely to grow more urgent over time, not less. Not only are data thieves after existing PHI stores, and prepared to exploit traditional network vulnerabilities, current trends are giving them new ways to crash the gates.

After all, mobile devices are increasingly being granted access to critical data assets, including PHI. Securing the mix of corporate and personal devices that might access the data, as well as any apps an organization rolls out, is not a job for the inexperienced or the unsophisticated. It takes a well-rounded infosec pro to address not only mobile vulnerabilities, but vulnerabilities in the systems that dish data to these devices.

Not only that, hospitals need to take care to secure their networks as devices such as insulin pumps and heart rate monitors become new gateways data thieves can use to attack their networks. In fact, virtually any node on the emerging Internet of Things can easily serve as a point of compromise.

No one is suggesting that healthcare organizations don’t care about security. But as many wiser heads than mine have pointed out, too many seem to base their security budget on the hope-and-pray model — as in hoping and praying that their luck will hold.

But as a professional observer and a patient, I find such an attitude to be extremely reckless. Personally, I would be quite inclined to drop any provider that allowed my information to be compromised, regardless of excuses. And spending far less on security than is appropriate leaves the barn door wide open.

I don’t know about you, readers, but I say “Not with my horses!”

Are These Types of Breaches Really Necessary?

Posted on December 28, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Over the past couple of days, I took the time to look over Verizon’s 2015 Protected Health Information Data Breach Report.  (You can get it here, though you’ll have to register.)

While it contained many interesting data points and observation — including that 90% percent of the industries researchers studied had seen a personal health information breach this year — the stat that stood out for me was the following. Apparently, almost half (45.5%) of PHI breaches were due to the lost or theft of assets. Meanwhile, issue of privileges and miscellaneous errors came in at distant second and third, at just over 20% of breaches each.

In case you’re the type who likes all the boxes checked, the rest of the PHI breach-causing list, dubbed the “Nefarious Nine,” include “everything else” at 6.7%, point of sale (3.8%), web applications (1.9%), crimeware, (1.4%), cyber-espionage (0.3%), payment card skimmers (0.1%) and denial of service at a big fat zero percent.

According to the report’s authors, lost and stolen assets have been among the most common vectors for PHI exposure for several years. This is particularly troubling given that one of the common categories of breach — theft of a laptop — involves data which was not encrypted.

If stolen or lost assets continue to be a problem year after year, why haven’t companies done more to address this problem?

In the case of firms outside of the healthcare business, it’s less of a surprise, as there are fewer regulations mandating that they protect PHI. While they may have, say, employee worker’s compensation data on a laptop, that isn’t the core of what they do, so their security strategy probably doesn’t focus on safeguarding such data.

But when it comes to healthcare organizations — especially providers — the lack of data encryption is far more puzzling.

As the report’s authors point out, it’s true that encrypting data can be risky in some situations; after all, no one wants to be fumbling with passwords, codes or biometrics if a patient’s health is at risk.

That being said, my best guess is that if a patient is in serious trouble, clinicians will be attending to patients within a hospital. And in that setting, they’re likely to use a connected hospital computer, not a pesky, easily-stealable laptop, tablet or phone. And even if life-saving data is stored on a portable device, why not encrypt at least some of it?

If HIPAA fears and good old common sense aren’t good enough reasons to encrypt that portable PHI, what about the cost of breaches?  According to one estimate, data breaches cost the healthcare industry $6 billion per year, and breaches cost the average healthcare organization $3.5 million per year.

Then there’s the hard-to-measure cost to a healthcare organization’s brand. Patients are becoming increasingly aware that their data might be vulnerable, and a publicly-announced breach might give them a good reason to seek care elsewhere.

Bottom line, it would be nice to see out industry take a disciplined approach to securing easily-stolen portable PHI. After years of being reminded that this is a serious issue, it’s about time to institute a crackdown.

Hospital CFO Insights from Craneware Summit

Posted on October 22, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today I had a chance to attend the Craneware Summit in Las Vegas. The Craneware Summit gives me a nice view into what’s happening in the financial world of healthcare. The Summit kicked off today with Todd Nelson speaking about the hospital CFO. Here’s a look at some of the insights he offered:


Todd Nelson is a former hospital CFO that is now a VP at HFMA.


Is this equation too simple?


I don’t think that meaningful use money will go away, but it’s worth considering. Would your organization survive if the rest of the meaningful use money were pulled out from underneath you?


This is often forgotten. It’s “easy” to get the billion dollar EHR implementation budget, but many forget to include the ongoing EHR support and optimization budget. In my experience this is often just bad planning, but in a few cases it’s done deliberately in order to allow the EHR project to go forward. They figure they can always ask for the support and optimization budget later.


This was an interesting comment coming from an accountant and former hospital CFO. He was willing to admit that he doesn’t have the skill or at least the desire to be the actuary for the hospital. However, as we shift to value based reimbursement, hospitals are going to have to become good at actuarial analysis.


Todd Nelson also extended this comment by saying that you can survive a long time even with losses as long as you have the cash. If you’ve worked with a hospital CFO, you’ve probably seen the cash focus first hand. That hasn’t and probably won’t change.


This is great advice as hospital executives evaluate how to approach the changing healthcare reimbursement environment. Hope is not a strategy.

HIM Departments Need More Support

Posted on July 16, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As both a contributor to this blog, and an assertive, activist patient managing chronic conditions, I get to see both sides of professional health information management.  And I have to say that while health data management pros obviously do great things against great odds, support for their work doesn’t seem to have trickled down to the front lines.  I’m speaking most specifically about Medical Records (oops, I mean Health Information Management) departments in hospitals.

As I noted in a related blog post, I recently had a small run-in with the HIM department of a local hospital which seems emblematic of this problem. The snag occurred when I reached out to DC-based Sibley Memorial Hospital and tried to get a new log-in code for their implementation of Epic PHR MyChart. The clerk answering the phone for that department told me, quite inaccurately, that if I didn’t use the activation code provided on my discharge summary papers within two days, my chance to log in to the Johns Hopkins MyChart site was forever lost. (Sibley is part of the Johns Hopkins system.)

Being the pushy type that I am, I complained to management, who put me in touch with the MyChart tech support office. The very smart and help tech support staffer who reached out to me expressed surprise at what I’d been told as a) the code wasn’t yet expired and b) given that I supplied the right security information she’d have been able to supply me with a new one.  The thing is, I never would have gotten to her if I hadn’t known not to take the HIM clerk’s word at face value.

Note: After writing the linked article, I was able to speak to the HIM department leader at Sibley, and she told me that she planned to address the issue of supporting MyChart questions with her entire staff. She seemed to agree completely that they had a vital role in the success of the PHR and patient empowerment generally, and I commend her for that.

Now, I realize that HIM departments are facing what may be the biggest changes in their history, and that Madame Clerk may have been an anomaly or even a temp. But assuming she was a regular hire, how much training would it have taken for the department managers to require her to simply give out the MyChart tech support number? Ten minutes?  Five? A priority e-mail demanding that PHR/digital medical record calls be routed this way would probably have done the trick.

My take on all of this is that HIM departments seem to have a lot of growing up to do. Responsible largely for pushing paper — very important paper but paper nonetheless — they’re now in the thick of the health data revolution without having a central role in it. They aren’t attached to the IT department, really, nor are they directly supporting physicians — they’re sort of a legacy department that hasn’t got as clearly defined a role as it did.

I’m not suggesting that HIM departments be wiped off the map, but it seems to me that some aggressive measures are in order to loop them in to today’s world.

Obviously, training on patient health data access is an issue. If HIM staffers know more about patient portals generally — and ideally, have hands-on experience with them, they’ll be in a better position to support such initiatives without needing to parrot facts blindly. In other words, they’ll do better if they have context.

HIM departments should also be well informed as to EMR and other health data system developments. Sure, the senior people in the department may already be looped in, but they should share that knowledge at brown bag lunches and staff update sessions freely and often. As I see it, this provides the team with much-needed sense of participation in the broader HIT enterprise.

Also, HIM staff members should encourage patients who call to log in and leverage patient portals. Patients who call the hospital with only a vague sense that they can access their health data online will get routed to that department by the switchboard. HIM needs to be well prepared to support them.

These concerns should only become more important as Meaningful Use Stage 3 comes on deck. MU Stage 3 should provide the acid test as to whether whether hospital HIM departments are really ready to embrace change.

Phase 2 HIPAA Audits Kick Off With Random Surveys

Posted on June 9, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Ideally, the only reason you would know about the following is due to scribes such as myself — but for the record, the HHS Office for Civil Rights has sent out a bunch of pre-audit screening surveys to covered entities. Once it gets responses, it will do a Phase 2 audit not only of covered entities but also business associates, so things should get heated.

While these take the form of Meaningful Use audits, covering incentives paid from January 1, 2011 through June 30, 2014, it’s really more about checking how well you protect ePHI.

This effort is a drive to be sure that providers and BAs are complying with the HIPAA privacy, security and breach notification requirements. Apparently OCR found, during Phase 1 pilot audits in 2011 and 2012, that there was “pervasive non-compliance” with regs designed to safeguard protected health information, the National Law Review reports.

However, these audits aren’t targeting the “bad guys.” Selection for the audits is random, according to HHS Office of the Inspector General.

So if you get one of the dreaded pre-screening letters, how should you respond? According a thoughtful blog post by Maryanne Lambert for CureMD, auditors will be focused on the following areas:

  • Risk Assessment audits and reports
  • EHR security plan
  • Organizational chart
  • Network diagram
  • EHR web sites and patient portals
  • Policies and procedures
  • System inventory
  • Tools to perform vulnerability scans
  • Central log and event reports
  • EHR system users list
  • Contractors supporting the EHR and network perimeter devices.

According to Lambert, the feds will want to talk to the person primarily responsible for each of these areas, a process which could quickly devolve into a disaster if those people aren’t prepared. She recommends that if you’re selected for an audit, you run through a mock audit ahead of time to make sure these staff members can answer questions about how well policies and processed are followed.

Not that anyone would take the presence of HHS on their premises lightly, but it’s worth bearing in mind that a stumble in one corner of your operation could have widespread consequences. Lambert notes that in addition to defending your security precautions, you have to make sure that all parts of your organization are in line:

Be mindful while planning for this audit as deficiencies identified for one physician in a physician group or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way.  Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.

But as she points out, there is one possible benefit to being audited. If you prepare well, it might save you not only trouble with HHS but possibly lawsuits for breaches of information. Hey, everything has some kind of silver lining, right?