37 responses

  1. Robert Rowley, MD
    July 15, 2008

    There seem to be several concerns raised about free EMRs and potential personally-identifiable patient data leaking into the hands of marketers and vendors (e.g. pharmaceutical companies or insurance companies). Personally-identifiable health data is what is specifically protected by HIPAA – with Practice Fusion, as with any other EMR, individual personal data is protected and private. Period.

    What drives Practice Fusion advertising is more on the physician side – the frequency of making prescriptions, dealing with certain diagnoses, or even the declared physician’s specialty are the elements that will target context-appropriate ads to the physician.

    From the standpoint of a practicing physician, we are continuously bombarded on all sides by medical advertising – magazines, supplies, samples delivered by in-office sales reps. It is a fact of life. These sorts of ads in an EMR window is no different. Physicians have learned, through the experience of day-to-day professional life, how to judge such ads. Most are not bothered by them and willingly accept “freebies” every day, with ads and logos on them. Some physicians attempt to be “ad-free” and ban all forms of pharmaceutical ads in their offices – Practice Fusion offers an option to such physicians where they can pay a monthly subscription fee in lieu of ads, and their EMR window will thus have the ads suppressed.

    Practice Fusion recognizes that physician adoption of EMRs is at a low level in this country, and helping increase e-adoption by physicians is an important element for the health of everyone. The main barriers to adoption of EMRs have been (1) cost, and (2) disruption of workflows (and therefore revenue stream) due to adopting a new system. Practice Fusion has employed a radical new business model to try to break the logjam in EMR adoption by physicians – being free (subsidized by in-product ads) is an important step in that direction. Ease of implementation is another step actively addressed by Practice Fusion. “Live in Five” signifies that a practice can self-provision and start using the product almost-immediately. Of course, training in using the feature set is encouraged, and this can be done with videos found in the product, and by no cost webinars with training staff. If a practice can export a patient demographic list from their billing software, then Practice Fusion can upload that with same-day turnaround, and the new practice will have “charts” for each patient in the practice right away.

    Physicians will judge Practice Fusion vs other EMRs largely on ease-of-use of interface, and on feature set. Practice Fusion already has a robust feature set, and has a roadmap for development and release of all the features of established EMRs, so that feature-for-feature comparison will be something in Practice Fusion’s favor. Incremental roll-out of features as they are developed is the Practice Fusion approach, and is easily done by virtue of being web-based – there are new “upgrades” to install.

  2. EMR and HIPAA
    July 15, 2008

    I’m not too worried about patient’s personal information being leaked. At least not any more than any other EMR. However, that doesn’t mean that patients won’t still feel the impression that their information is being used inappropriately.

    I think it’s a great point that doctors are inundated with pharmaceutical advertising already. However, I think that there is a different feel when the ads are being shown at the specific time that a doctor is deciding which medications I should receive. Seems a bit different than a drug rep who is quickly forgotten when they leave.

    I think the benefits of a hosted EMR like Practice Fusion are clear. The benefits and challenges have been discussed at length many times, so I’ll leave that to other threads. Practice Fusion has certainly used the marketing angle well in an attempt to increase EMR adoption. I hope that they are successful and that thousands of more doctors are able to successfully able to implement an EMR because of their efforts. My goal is just to help doctors be aware of potential challenges they will face when choosing a free EMR. Hopefully pointing out these challenges will help doctors to not only implement an EMR, but prevent EMR implementation failures.

    Time will tell how Practice Fusion does as far as EMR features and business model. Be certain that I’ll be a most interested observer of Practice Fusion and its lofty goals.

  3. Adam
    October 15, 2008

    An important consideration when evaluating a “free” EMR is the company’s business model. I would be suspect of an advertiser-supported EMR but some companies might use limited features for free as part of their marketing strategy. For example, you can download VersaForm’s Electronic Medical Records Software for free, but you will be required to purchase a license in order to add features or to get upgrades.

  4. Dani
    November 20, 2008

    I think putting the medical information in hands of someone else where the medical professional does not any control with the data of its own patients poses great deal of problem to protect the privacy of patients.
    This type of information may fall into hands of pharmaceutical, insurance companies that may use it for their own interest.
    I believe the solution is to have a product that is affordable and must be running within the provider premises where the provider has a full control of the patients data.
    There are some software that offer full suite of medical practice and one of them is EzMedPro http://www.dsoftsystems.com. It provide mostly everything for less then $299.

  5. Bill Blaise
    September 15, 2009

    This and Google Apps do NOT meet the requirements laid out in HIPPA period.

  6. John
    September 15, 2009

    Bill,
    That’s kind of missing the point of the article. You’re right that Google Apps isn’t HIPAA compliant, but neither are 99% of email systems out there. That’s why you use some secure messaging system if you want to communicate with patients by email.

  7. Patrick
    September 16, 2009

    I tapped into this one from another article and would like to add the following to the thought process. If your data resides on a third party server it may not be as protected in a litigation event. There is already at least one case of a physician using hospital email with thier attorneys in a divorce proceding which have been discovered since the hospital owned the system and not the doctor. At the point of using the hospital email server the physican lost his atty client protection and the information was deemed public by the court. Think of a large hospital’s risk managemnt incident reporting residing outside on a 3rd party server which then becomes discoverable as public???

    Also I’d like you all’s input on the post I made to the other article as it would relate to preservation and production of this information from a company’s server that is not in your control and may not even be in business when the info is needed years down the road — as a benefit to an EHR EMR linked up with TXT and email is that by having the TXT messages and or email as an integral part of the EHR/EMR the integrity of the metadata for these media hopefully will be preserved eternally. This needs to be the case for patient interaction txts and emails as well as for interprovider txting and emails. Read up on the new rules for e-discovery based upon the Federal Rules of Civil Procedures modified in 2006-2007. Most states now have their own rules related to electronic discovery too. So think of now in a mulitstate hospital system or multistate physician practice having to comply with several different rules for e-discovery all in the midst of a contentious medical negligence case. Add to that the unfortunate position of finding out the medicine is irrelevant due to txt messages or emails not haivng been preserved properly. Simply by opening a document to read it at any point or even to copy it for your lawyer you most likely overwrite the metadata that establishes the evidentiary nature of the document itself. This is why it is so important to get all correspondence somewhere its integrity can not be questioned 3 to 5 years down the road in your own defense.

  8. John
    September 16, 2009

    Patrick,
    I’m not sure on the details of what you’re talking about. That’s why we pay for legal council at our clinic. We’ve actually begun some discussions similar to what you’re talking about. Basically, we’ve been asking if a student emails the doctor/counselor, then is that part of their medical record or not. Sounds like from what you said that it could be discoverable.

  9. Patrick
    September 16, 2009

    John your question is a good one and understand I am not a lawyer-but as an insurance guy who works in this field I can give you real life examples. The Plaintiff’s will want emails and your cell phone and your personal laptop and will get them as all forms of electronically stored information pertaining to any litigation are to be provided to the opposing side if they are reasonably accessible–backup tapes may be “reasonably” accessible or they may not depending on how they are stored and how they are used–a whole topic there unto itself. Once you suspect there is a “reasonable” –there is that word again— potential for litigation all the ESI must be preserved–no deleting txt messages or emails as well as things in your EHR/EMR.

    Treating a student and communicating by email or txt message skipping the HIPAA and HITECH and Red Flag rules –lets take this scenario –you treat this person and you do not maintain your txt messages or emails as you don’t consider them part of the medical record. He sues you for malpractice and produces his version of txt messages he claims you sent him -they are time and date stamped to the appropriate dates but they are not what you claim you said or did–without your version you cannot refute his version easily. The next step is to legally request his cell phone or laptop then hire a forensic guy to go in and see if they can prove the txt or emails were modified by the student—a very expensive proposition and if he is smart enough to have only a paper copy not electronic then–you missed your chance at the forensic investigation as paper copies hold no metadata and therefore cannot be analyzed for ESI. You may think this unfair and it is but the courts seem to look at it this way… you should have kept your records better.

    Google this article in ahima—E-Discovery: Preparing for the Coming Rise in Electronic Discovery Requests
    by Chris Dimick

  10. emr software
    February 22, 2010

    I went on a seminar and the speaker told us that all free websites leads to hacking whether secured or not. maybe it’s better to spend a lot for the real security than having your medical info out in public.

    -nj

  11. John
    February 22, 2010

    Don’t trust every speaker you hear. Even paid client software can be hacked. So, maybe you should not use software. Might as well not leave your house either since someone could be waiting outside to rob you.

  12. Patrick
    February 22, 2010

    Well thanks for the great info John -I think you missed her point which is when someone else hosts your data it can be problematic as the hacking is totally out of your control. For example, Google was hacked by nefarious Chinese hackers just recently -the bigger and more recognized the firm the more chances organized crime will hack it. Health information is so much more rich in its data not only do you get name address and social security but you get eye color, hair color, age, weight, next of kin, etc etc etc and as most healthcare facilities run credit reports you can get the results of that too. It is the type of ignorance exhibited in your response that has lead the healthcare field full steam ahead into the cyber crime world as the most fertile and least sophistcatedly protected data source out there.

  13. John
    February 22, 2010

    Patrick,
    I didn’t miss the point. I’m all too familiar with the various issues related to hacking. It’s an eternal argument that will have no answer. The larger web based EMR are bigger targets for hacking. Sure. However, you can also say that the smaller self hosted client installs are done by non technical people who don’t know how to secure the information properly and so they can more easily be hacked than the large web based installs who have professional IT people securing the systems.

    I’m not trying to downplay the need for security in healthcare IT either. It’s an important role, but the idea that free websites are the reason that healthcare gets hacked is the ignorance that you should be worried about.

    Interestingly, have we seen any incident where healthcare data was hacked and used for some nefarious purpose? Certainly, the financial data stored in healthcare systems has been compromised in a number of places and caused trouble. Hackers are more interested in that financial data than they are in someone’s medical history.

    Anyway, my point in my comment is more that security should not be a reason not to implement healthcare IT and in my opinion web based EMR systems are just as likely (although maybe less likely) than client based EMR systems to be hacked. Security of your EMR system is important and necessary in both types of installs, but shouldn’t be a reason not to implement.

  14. Patrick
    February 22, 2010

    Hey John thanks for the inteeligent reply and unfortunetly the answer is a resounding yes. There are actually plenty of stolen laptops and data breaches that have lead to whole clinics being set up by nefarious orgainzed crime units to bill medicare millions of dollars and then they simply disappear. No matter your politics we all must ask what impact does this have on all of us as we struggle with healthcare reform. Likewise if you google medical identity theft you will find plenty of horror stories too–now are they all hacks- no not necessarily the most notibly one down in FL was a result of a driver’s license stolen from her husbands car at a shopping center leading to a drug addicted mother delivered a baby using someone else’s identity. The perosn whose identity was stolen only found out when the departmen of social services showed up to take away all of her children since “her baby” tested positive for Methaphetamines. She fought the hospital for almost two years over the collections for the bills related to the delivery. Once it was known that it was identity theft the hospital refused to give her copies of her own medical records for fear of a hipaa violation since it contain the health information of someone else which is ironically also protected. For example from http://www.indentitytheft.info —According to the most recent official government statistics, approximately 250,000 people are victims of medical identity theft each year in the United States. Arguably, this number significantly understates the overall number of potential instances of medical identity theft. For example, in June of 2008 the University of Utah Hospital announced the personal information of 2.2 million patients had been stolen. Heathcare data is the target now so the worst is yet to come!

  15. Patrick
    February 22, 2010

    From:
    Are Healthcare Organizations Under Cyberattack?
    Ellen Messmer, Network World

    Feb 27, 2008 6:49 pm

    Healthcare organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information,” says Don Jackson, researcher at Atlanta-based security services firm SecureWorks.

    SecureWorks has recorded an 85% increase in the number of attempted attacks directed toward its healthcare clientele by Internet hackers, with these attempts jumping from 11,146 per healthcare client per day in the first half of 2007 to an average of 20,630 per day in the last half of last year through January of this year.

  16. John
    February 22, 2010

    Patrick,
    I’m not arguing that security isn’t an issue with these things. No doubt security will be a major problem and we’ll see more breaches as we go. Your quote in your second comment highlights my point that they want “financial” related information and not healthcare data. So, we need to make sure our focus of securing that data is correct.

    Also, I think our number one threat is not actually hackers, but internal people who have access to the information. We can spend billions on IT security only to find out that people behind that security are the ones who are most dangerous.

  17. Patrick
    February 22, 2010

    Totally agree but to tie it back to the original comment if you think internal personal at the hospital are potentially a bigger problem than I would say outsourcing the “server” to a third party only makes that much more difficult to control -does it not?

  18. John
    February 22, 2010

    I think it doesn’t change what the internal personelle will do at a hospital whether it’s hosted in house or off site by a third party.

    However, off site does require the third party to be responsible for protecting and securing the data. With the new HIPAA regs, they’re still responsible even as businesses associates. There’s no right answer here though, in house IT people could be as much of a risk as out house. The each have pros and cons and risks associated with them. It’s just about mitigating those risks in either situation.

    I think one of the points you’re trying to make and I agree with is that no IT system is invincible and impenetrable. There is always some risk that it could be compromised. It’s about mitigating those risks as much as possible as opposed to removing them completely.

  19. Patrick
    February 22, 2010

    Yes we do pretty much agree but I think from a liability standpoint here it is in a nutshell. Hospitals have trouble keeping thier own direct employees in line whether IT or just normal staff that have access. Most of these people will still be in the picture when the server is outsourced as well now a whole slew of non-employed people of the third party vendor. While they can be “responsible” under the business associate theory your facility is still ulitmately responsible if for no other reason the decision to use the third party vendor. So you have certainly increased your exposure numerically speaking and have less control over these non employees. So lets say the hospital terminates an employee for cause but the third party vendor doesn’t get around to lock them out of thier system for 24 hours–see how it can create new unexpected problems. As for trying to shift the liability even by a contractual hold harmless or indemnification agreement hopefully the vendor is still around 8 years from now when you are sued and they dont then simply declare bankruptcy or only have $1 Million dollars of insurance coverage versus the deep pocket that is the hospital. All this and we are not even discussing the potential discoverablity issues of data outside your system and able to be viewed by non hospital IT people at the third party vendor and the court’s perception that may make it public and discoverable! Add to that you vendor decides to upgrade and coverts data in the process erasing metadata needed to defend your facility and establish the EHR as evedentiary or there is a conversion error and mg/dl become mg/l or mg/ml its like squeezing jello the more you think about the ramifications of it all why would anyone in thier right mind want to be the first kid on the block with the new toy?

  20. John
    February 22, 2010

    Patrick,
    Good discussion. I should also point out that my comments are directed towards ambulatory EMR and not hospital EMR. There are so many similarities that it’s often hard to distinguish between the two. However, there are subtle differences.

    For example, in the ambulatory setting you’ll often find the doctor or one of their office staff doing the IT support. Compare that to an enterprise level IT staff at a respected EMR vendor. Certainly not fallible, but I’m willing to bet that the EMR vendor has better IT security procedures than most tech savvy doctors that support an in house EMR. There are exceptions, but just speaking generally.

    The upgrade and conversion stuff is true, but applies regardless of where the data is stored too.

    One other thing is true. There haven’t been that many court cases to establish precedence for many of the challenges you describe. So, until those court cases happen we won’t know for sure what the courts will do.

  21. kaushal k gupta
    February 28, 2010

    I just saw practice-fusion’s billing software charges 6%. is that not how they charge for product/service? I just need few referrals of EMR, which are cost-effective and suitable for not-so-computer-savvy small practice. can someone help?

  22. John
    February 28, 2010

    Kaushal,
    That’s one source of revenue, but they also make money in other way. First, they show ads to pay for the free service, they also have left open the option to selling the aggregate data I believe. They also offer a paid version for those that don’t want to have ads.

    It’s really hard for someone to just name a few EMR vendors for you. In fact, someone who does likely has some other interest. It’s just not right to list EMR vendors when we know nothing about your clinic or its needs.

    I can suggest you check out: http://www.emrconsultant.com/ It’s a free service that will analyze your clinic and give you some suggestions. It’s not perfect either, but a start.

    *Disclaimer: EMR consultant is an advertiser on this site, but you’ll find me recommending them even before they became an advertiser.

  23. K Patel
    April 5, 2011

    As far as data is concerned, practice fusion locks you in. They only let you take data you came over with, your documents and your demographics. Everything else they don’t let you take.

    So you have two options. You either continue to use it and not move over (their ideal scenario) or you use it to refer to past history for patients while using your new ehr.

  24. John
    April 5, 2011

    K Patel,
    I know I had this conversation with them before. Although, I’ve had the conversation with many EHR vendors about this subject so I can’t remember their policy on getting it out. I want to say they had a method to get your data out. You just had to give them some notice. I’ll have to ask them again.

  25. Jay
    July 11, 2011

    We are having a very difficult time getting PF to cooperate with laboratories. They are virtually strong-arming laboratories to promote their EMR/EHR. If they don’t agree to X number of lab interfaces, they will not interface with the lab at all.

  26. John
    July 15, 2011

    Jay,
    Interesting comment. So, what do they say when you ask if they work with your laboratory? How did you learn that they’re doing this?

    I imagine they will come and say that they just have to prioritize the lab interfaces and if a lab doesn’t have enough doctors, then it doesn’t become a priority to develop.

  27. Sam Bowen, MD
    August 29, 2011

    Dear John,

    OpenEMR 4.1 is now 100% ONC-ATB EHR Ambulatory EHR software. OpenEMR does not have any “gotchas”. It is free, no ads, no hidden anything. Come visit at http://www.oemr.org/ .

    Sam Bowen, MD
    oemr.org

  28. John
    August 29, 2011

    Sam,
    I wouldn’t agree that “OpenEMR does not have any “gotchas”.” It has one really big gotcha: you have to find your own support if something goes wrong. Of course, there’s a community you can lean on to some extent, but navigating that community is important if you choose the open source route.

  29. Bruce
    October 24, 2011

    Here’s something else to consider using a service like Practice Fusion: We relied on it, and over the months added thousands of records into our Practice Fusion account. All was well until we had to fire our office manager…who retaliated by changing our Practice Fusion account password, effectively denying us access. Citing the need for keeping our medical records “safe and secure”, Practice Fusion informed us they’ve suspended our account “indefinitely”, even after we met their demands of providing them with our business license and my medical license.

    All those long hours of entering records, wasted. And due to our own stupid reliance on Practice Fusion, we now have to make trips to our filing cabinets for something as simple as looking up a patient’s medical record number.

    I rue the day I ever heard of Practice Fusion.

  30. Christy
    March 9, 2012

    @ Bruce: Why did practice fusion suspend your account? Isnt the account registered to the provider? this is ridiculous, im not an advocate of practice fusion but it does seem a little far fetched or maybe there is more to it.

    @ topic: Excellent article John, it was very insightful and to be honest i also do not feel comfortable with the revenue stream of practice fusion, however they do allow you to purchase their services and not have to deal with the patient confidentiality issue but we are not talking about that here…because if you are paying for practice fusion you might aswell pay a little more and get something like curemd, which is quite affordable in comparison to other vendors. Practice fusion though now has the largest user community and its acting as gateway for doctors to experiment with emrs. I really wish they can re-consider their tactic, i know alot of doctors wont mind seeing just pharmaceutical or medical equipment ads as long as they know their patient data is secure.

  31. Bruce
    March 9, 2012

    Christy, there’s not much more to tell. Apparently before I joined the practice it was the office manager who set up the Practice Fusion account, so I guess Practice Fusion decided she took precedence over the physicians when it came to ownership of our medical records. I communicated with everyone up to the president of Practice Fusion, and as I noted, presented them with everything from our business and medical licenses, but we never were granted access back into our account. Rather than restore access to the physicians who made the records, they instead also blocked access by the office manager, so all those thousands of records are now accessible only by Practice Fusion employees. (At least, I hope…I have no way of verifying that they blocked the office manager’s access…for all I know, she could have transferred them to the new clinic she moved to). I reported Practice Fusion’s actions to the state medical board, but as of yet haven’t heard anything.

  32. Christy
    March 9, 2012

    hmmm…i really don’t know what to say. did you guys try to get in touch with the previous practice manager before approaching practice fusion? if she did not co-operate and this was stated to practice fusion. I think you should be proceeding with a litigation on both the manager and practice fusion. The office manager does not hold significance over the provider using the system and quite frankly i quite appalled with the stance practice fusion took over this matter.

  33. Bruce
    March 9, 2012

    Yes, “appalled” is a good word choice. We decided, however, to choose our battles, and not to pursue litigation over a “free service” (although obviously not “free” when you factor in man-hours).

    The office manager was not in a cooperative mood…changing our passwords to Practice Fusion was but one of the petulant actions she took.

    This is part of living in the future…if you store data “in the cloud”, there’s always the chance that either by technological failure, or in this case, human shortcomings, you can lose everything, as the users of MegaUpload and other cloud-storage services recently discovered.

    Had I been part of the original decision-making process, I’d have vetoed a service like this, especially since, as I learned after-the-fact, we had no local backups of our records.

  34. Michael
    January 26, 2013

    Practice Fusion receives “F” with the Better Business Bureau.
    Report your complaints at www. practicefusioncomplaints.com
    Together we can make things better!

Back to top
mobile desktop