
HIPAA Cloud Bursts: New Guidance Proves Cloud Services Are Business Associates

Posted on October 10, 2016 | Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
It’s over. New guidance from the federal Office for Civil Rights (OCR) confirms that cloud services that store patient information must comply with HIPAA.

Many cloud services and data centers have denied their obligations by claiming they are not HIPAA Business Associates because:

  1. They have no access to their customer’s electronic Protected Health Information (ePHI),
  2. Their customer’s ePHI is encrypted and they don’t have the encryption key,
  3. They never look at their customer’s ePHI,
  4. Their customers manage the access to their own ePHI in the cloud,
  5. Their terms and conditions prohibit the storage of ePHI, and
  6. They only store ePHI ‘temporarily’ and therefore must be exempt as a ‘conduit.’

Each of these excuses has been debunked in HIPAA Cloud Guidance released on October 7, 2016, by the Office for Civil Rights.

The new guidance clearly explains that any cloud vendor that stores ePHI must:

  1. Sign a HIPAA Business Associate Agreement,
  2. Conduct a HIPAA Security Risk Analysis,
  3. Comply with the HIPAA Privacy Rule,
  4. Implement HIPAA Security Rule safeguards to protect the ePHI and ensure its confidentiality, integrity, and availability, and
  5. Comply with the HIPAA Breach Reporting Rule by reporting any breaches of ePHI to its customers, and be directly liable for breaches it has caused.

The OCR provides examples of cloud services where clients manage access to their stored data. It discusses how a client can manage its users’ access to the stored data, while the cloud service manages the security of the technical infrastructure. Each needs to have a risk analysis that relates to its share of the responsibilities.
OCR also recently published guidance that cloud services cannot block or terminate a client’s access to ePHI, for example, if they are in a dispute with their customer or the customer hasn’t paid its bill.

As we have been saying for years, the 2013 HIPAA Omnibus Final Rule expanded the definition of HIPAA Business Associates to include anyone outside a HIPAA Covered Entity’s workforce that “creates, receives, maintains, or transmits PHI” on behalf of the Covered Entity. It defines subcontractors as anyone outside of a Business Associate’s workforce that “creates, receives, maintains, or transmits PHI on behalf of another Business Associate.”

‘Maintains’ means storing ePHI, and does not distinguish whether the ePHI is encrypted, whether the Business Associate looks at the ePHI, or even if its staff has physical access to the devices housing the ePHI (like servers stored in locked cabinets in a data center.)
A small medical clinic was fined $100,000 for using a free cloud mail service to communicate ePHI, and for using a free online calendar to schedule patient visits. Recently the OCR issued a $2.7 million penalty against Oregon Health & Science University (OHSU) partly for storing ePHI with a cloud service in the absence of a Business Associate Agreement.

“OHSU should have addressed the lack of a Business Associate Agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels.  “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

So what does this mean to you?

If you are a Covered Entity or a Business Associate…

  • A common myth is that all ePHI is in a structured system like an Electronic Health Record system. This is wrong because ePHI includes any information that identifies a patient, nursing home resident, or health plan member (there are many more identifiers than just a name) and relates to the treatment, diagnosis, or payment for health care.

    ePHI can be in many forms. It does not have to be in a formal system like an Electronic Health Record (EHR) system, but can be contained in an e-mail, document, spreadsheet, scanned or faxed image, medical images, photographs, and even voice files, like a patient leaving a message in your computerized phone system requesting a prescription refill. During our risk analyses we find ePHI everywhere: on servers, local devices, portable media, mobile devices, and on cloud services. Our clients are usually shocked when we show them where their ePHI is hiding.

  • Never store ePHI in any cloud service without first knowing that the service is compliant with HIPAA and will sign a HIPAA Business Associate Agreement.

    This automatically disqualifies:

    • The free texting that came with your cellular phone service;
    • Free e-mail services like Gmail, Yahoo!, Hotmail, etc.;
    • Free e-mail from your Internet service provider like Cox, Comcast, Time Warner, Charter, CenturyLink, Verizon, Frontier, etc.;
    • Free file sharing services from Dropbox, Google Drive, etc.;
    • Consumer-grade online backup services.


  • Another common myth is that if data is stored in the cloud, you don’t have to secure your local devices. This is wrong because if someone can compromise a local device they can gain access to your data in the cloud. Be sure the mobile devices and local devices you use to access the cloud are properly protected, including those on your office network, and at users’ homes. This means that all mobile devices like phones and tablets; PCs; and laptops should be secured to prevent unauthorized access. All devices should be constantly updated with security patches, and anti-virus/anti-malware software should be installed and current. If ePHI is stored on a local network, it must be a domain with logging turned on, and logs retained for six years.
  • Use an e-mail service that complies with HIPAA. Microsoft Office 365 and similar business-class services advertise that they provide secure communications and will sign a HIPAA Business Associate Agreement.
  • You may be using a vendor to remotely filter your e-mail before it arrives in your e‑mail system. These services often retain a copy of each message so it can be accessed in the event your mail server goes down. Make sure your spam filtering service secures your messages and will sign a HIPAA Business Associate Agreement.


  • Never send or text ePHI, even encrypted, to a caregiver or business associate at one of the free e-mail services.
  • Never use the free texting that came with your cell service to communicate with patients and other caregivers.
  • If you have sent text messages, e-mails, or stored documents containing ePHI using an unapproved service, delete those messages now, and talk with your compliance officer.
  • Review your HIPAA compliance program, to ensure it really meets all of HIPAA’s requirements under the Privacy, Security, and Data Breach Reporting rules. There are 176 auditable HIPAA items. You may also need to comply with other federal and state laws, plus contractual and insurance requirements.

If you are a cloud service, data center, or IT Managed Service Provider …

  • If you have been denying that you are a HIPAA Business Associate, read the new guidance document and re-evaluate your decisions.
  • If you do sign HIPAA Business Associate Agreements, you need to review your internal HIPAA compliance program to ensure that it meets all of the additional requirements in the HIPAA Privacy, Security, and Data Breach Reporting rules.
  • Also become familiar with state regulations that protect personally identifiable information, including driver’s license numbers, Social Security numbers, credit card and banking information. Know which states include protection of medical information, which will require breach reporting to the state attorney general in addition to the federal government. Know what states have more stringent reporting timeframes than HIPAA. You may have to deal with a large number of states with varying laws, depending on the data you house for customers.


  • Make sure your Service Level Agreements and Terms & Conditions are not in conflict with the new guidance about blocking access to ePHI. Compare your policies for non-payment with the new guidance prohibiting locking out access to ePHI.
  • Make sure your Service Level Agreements and Terms & Conditions include how you will handle a breach caused by your clients when they are using your service. Everyone should know what will happen, and who pays, if you get dragged into a client’s data breach investigation.
  • Make sure all of your subcontractors, and their subcontractors, comply with HIPAA. This includes the data centers you use to house and/or manage your infrastructure, programmers, help desk services, and backup vendors.
  • Learn about HIPAA. We see many cloud vendors that promote their HIPAA compliance but can seldom answer even the most basic questions about the compliance requirements. Some believe they are compliant because they sign Business Associate Agreements. That is just the first step in a complex process to properly secure data and comply with the multiple regulations that affect you. We have helped many cloud services build compliance programs that protected them against significant financial risks.
  • If you have administrative access to your client’s networks that contain ePHI, you are a Business Associate. Even if your clients have not signed, or refused to sign, Business Associate Agreements, you are still a Business Associate and must follow all of the HIPAA rules.
  • If you are reselling hosting services, co-location services, cloud storage, file sharing, online backup, Office 365/hosted Exchange, e-mail encryption, or spam filtering, you need to make sure your vendors are all compliant with HIPAA and that they will sign a Business Associate Agreement with you.
  • Look at all the services your regulated clients need. Include in your project and managed service proposals clear links between your clients’ needs and your services. For example, when installing replacement equipment, describe in detail the steps you will take to properly wipe and dispose of devices being replaced that have stored any ePHI. Link your managed services to your client’s needs and include reports that directly tie to your clients’ HIPAA requirements.

About Mike Semel
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or

The Variables that Need Adjusting to Make Health Data Sharing a Reality

Posted on October 7, 2016 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

During today’s #HITsm chat, John Trader offered this fascinating quote from Susannah Fox, CTO at HHS:

I quickly replied with the following:

This concept is definitely worth exploring. There are a lot of things in life that we want. However, that doesn’t mean we want them enough to actually do them. I want to be skinny and muscular. I don’t want it enough to stop eating the way I do and start working out in a way that would help me lose weight and become a chiseled specimen of a man. The problem is that there are different levels of “want.”

This applies so aptly to data sharing in healthcare. Most of us want the data sharing to happen. I’ve gone so far as to say that I think most patients think that the data sharing is already happening. Most patients probably don’t realize that it’s not happening. Most caregivers want the data shared as well. What doctor wants to see a patient with limited information? The more high quality information a doctor has, the better they can do their job. So, yes, they want to share patients’ data so they can help others (i.e., their patients).

The problem is that most patients and caregivers don’t want it enough. They’re ok with data sharing. They think that data sharing is beneficial. They might even think that data sharing is the right thing to do. However, they don’t want it enough to make it a reality.

It’s worth acknowledging that there’s a second part of this equation: Difficulty. If something is really difficult to do, then your level of “want” needs to be extremely high to overcome those difficulties. If something is really easy to do, then your level of want can be much lower.

For the programmer geeks out there:

If (Difficulty > Want) Then End

If (Difficulty < Want) Then ResultAchieved

When we talk about healthcare data sharing, it’s really difficult to do and people’s “want” is generally low. There are a few exceptions. Chronically ill patients have a much bigger “want” to solve the problem of health data sharing. So, some of them overcome the difficulty and are able to share the data. Relatively healthy patients don’t have a big desire to get and share their health data, so they don’t do anything to overcome the challenge of getting and sharing that data.

If we want health data sharing, we have to change the variables. We can either make health data sharing easier (something many are working to accomplish) or we can provide (or create the perception of) more value to patients and caregivers so that they “want” it more. Until that happens, we’re unlikely to see things change.

CommonWell and Healthcare Interoperability

Posted on October 6, 2016 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Healthcare Scene sat down with Scott Stuewe, Director at Cerner Network and Daniel Cane, CEO & Co-Founder at Modernizing Medicine, where we talked about Cerner’s participation in CommonWell and Modernizing Medicine’s announcement to join CommonWell. This was a great opportunity to learn more about the progress CommonWell has made.

During our discussion, we talk about where CommonWell is today and where it’s heading in the future. Plus, we look at some of the use cases where CommonWell works today and where they haven’t yet built out that capability. We also talk about how the CommonWell member companies are working together to make healthcare interoperability a reality. Plus, we talk a bit about the array of interoperability solutions that will be needed beyond CommonWell. Finally, we look at where healthcare interoperability is headed.

In the “After Party” video we continued our conversation with Scott and Daniel where we talked about the governance structure for CommonWell and how it made decisions. We also talked about the various healthcare standards that are available and where we’re at in the development of those standards. Plus, we talk about the potential business model for EHR vendors involved in CommonWell. Scott and Daniel finish off by talking about what we really need to know about CommonWell and where it’s heading.

CommonWell is a big part of many large EHR vendors’ interoperability plans. Being familiar with what they’re doing is going to be important to understand how healthcare data sharing will or won’t happen in the future.

A Look At Vendor IoT Security And Vulnerability Issues

Posted on October 5, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the time, when we discuss the Internet of Things, we’re looking at issues from an end-user perspective.  We talk about the potential for IoT options like mobile medical applications and wearable devices, and ponder how to connect smart devices to other nodes like the above to offer next-generation care. Though we’re only just beginning to explore such networking models, the possibilities seem nearly infinite.

That being said, most of the responsibility for enabling and securing these devices still lies with the manufacturers, as healthcare networks typically don’t integrate fully with IoT devices as of yet.

So I was intrigued to find a recent article in Dark Reading which lays out some security considerations manufacturers of IoT devices should keep in mind. Not only do the suggestions give you an idea of how vendors should be thinking about vulnerabilities, they also offer some useful insights for healthcare organizations.

Security researcher Lysa Myers offers IoT device-makers several recommendations to consider, including the following:

  • Notify users of any changes to device features. In fact, it may make sense to remind them repeatedly of significant changes, or they may simply ignore them out of habit.
  • Put a protocol in place for handling vulnerability reports, and display your vulnerability disclosure policy prominently on your website. Ideally, Myers notes, makers of IoT medical devices should send vulnerability reports to the FDA.
  • When determining how to handle a vulnerability issue, let the most qualified person decide what should happen. In the case of automated medical diagnosis, for example, the right person would probably be a doctor.
  • Make it quick and easy to update IoT device software when you find an error. Also, make it simple for customers to spot fraudulent updates.
  • Create an audit log for all devices, even those that might seem too mundane to interest criminals, as even the least important of devices can assist criminals in launching a DDoS attack or spamming.
  • See to it that users can tell when the changes made to an IoT device’s software are made by the authorized user or a designated representative rather than a cybercriminal or other inappropriate person.
  • Given that many IoT devices require cloud-based services to operate, it’s important to see that end users aren’t dropped abruptly with no cloud alternative. Manufacturers should give users time to transition their service if discontinuing a device, going out of business or otherwise ending support for their own cloud-based option.

If we take a high-level look at these recommendations, there are a few common themes to be considered:

Awareness:  Particularly in the case of IoT devices, it’s critical to raise awareness among both technical staffers and users of changes, both in features and security configurations.

Protection:  It’s becoming more important every day to protect IoT devices from attacks, and see to it that they are configured properly to avoid security and continuity failures. Also, see to it that these devices are protected from outages caused by vendor issues.

Monitoring:  Health IT leaders should find ways to integrate IoT devices into their monitoring routine, tracking their behavior, the state of security updates to their software and any suspicious user activity.

As the article suggests, IoT device-makers probably need to play a large role in helping healthcare organizations secure these devices. But clearly, healthcare organizations need to do their part if they hope to maintain these devices successfully as health IT models change.

What Do You Think Of Data Lakes?

Posted on October 4, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Being that I am not a high-end technologist, I’m not always up on the latest trends in database management – so the following may not be news to everyone who reads this. As for me, though, the notion of a “data lake” is a new one, and I think it a valuable idea which could hold a lot of promise for managing unruly healthcare data.

The following is a definition of the term appearing on a site called KDnuggets which focuses on data mining, analytics, big data and data science:

A data lake is a storage repository that holds a vast amount of raw data in its native format, including structured, semi-structured and unstructured data. The data structure and requirements are not defined until the data is needed.

According to article author Tamara Dull, while a data warehouse contains data which is structured, processed and expensive to store, relies on a fixed configuration and is used by business professionals, a data lake contains everything from raw to structured data, is designed for low-cost storage (made possible largely because it relies on the open source software Hadoop, which can be installed on cheaper commodity hardware), can be configured and reconfigured as needed and is typically used by data scientists. It’s no secret where she comes down as to which model is more exciting.

Perhaps the only downside she identifies as an issue with data lakes is that security may still be a concern, at least when compared to data warehouses. “Data warehouse technologies have been around for decades,” Dull notes. “Thus, the ability to secure data in a data warehouse is much more mature than securing data in a data lake.” But this issue is likely to receive in the near future, as the big data industry is focused tightly on security of late, and to her it’s not a question of if security will mature but when.

It doesn’t take much to envision how the data lake model might benefit healthcare organizations. After all, it may make sense to collect data for which we don’t yet have a well-developed idea of its use. Wearables data comes to mind, as does video from telemedicine consults, but there are probably many other examples you could supply.

On the other hand, one could always counter that there’s not much value in storing data for which you don’t have an immediate use, and which isn’t structured for handy analysis by business analysts on the fly. So even if data lake technology is less costly than data warehousing, it may or may not be worth the investment.

For what it’s worth, I’d come down on the side of the data-lake boosters. Given the growing volume of heterogenous data being generated by healthcare organizations, it’s worth asking whether deploying a healthcare data lake makes sense. With a data lake in place, healthcare leaders can at least catalog and store large volumes of un-normalized data, and that’s probably a good thing. After all, it seems inevitable that we will have to wring value out of such data at some point.

Apple’s Healthcare Data Plans Become Clearer

Posted on October 3, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Though it’s not without competitors, I’d argue that Apple’s HealthKit has stood out since its inception, in part because it was relatively early to the game (mining patient-centered data) and partly because Apple products have a sexy reputation. That being said, it hasn’t exactly transformed the health IT industry either.

Now, though, with the acquisition of Gliimpse, a startup which pulls data from disparate EMRs into a central database, it’s become clearer what Apple’s big-picture goals are for the healthcare market – and if its business model works out they could indeed change the health data industry.

According to a nifty analysis by Bloomberg’s Alex Webb, which quotes an Apple Health engineer, the technology giant hopes to see the health data business evolve along the lines of Apple’s music business, in which Apple started with a data management tool (the iPod) then built a big-bucks music platform on the device. And that sounds like an approach that could steal a move from many a competitor indeed.

Apple’s HealthKit splash
Apple made a big splash with the summer 2014 launch of HealthKit, a healthcare data integration platform whose features include connecting patient generated health data with traditional systems like the Epic EMR. It also attracted prominent partners like Cedars-Sinai Medical Center and Ochsner Health System within a year or so of its kickoff.

Still, the tech giant has been relatively quiet about its big-picture vision for healthcare, leaving observers like yours truly wondering what was up. After all, many of Apple’s health data moves have been incremental. For example, a few months ago I noted that Apple had begun allowing users to store their EMR data directly in its Health app, using the HL7 CCD standard. While interesting, this isn’t exactly an earth-shattering advance.

But in his analysis – which makes a great deal of sense to me – Bloomberg’s Webb argues that Apple’s next act is to take the data it’s been exchanging with wearables and put it to better use. Apple’s long-awaited big idea is to turn Apple’s HealthKit into a system that can improve diagnoses, sources told Bloomberg.

Also, Apple intends to integrate health records as closely with its proprietary devices as possible, offering not only data collection but suggestions for better health in a manner that can’t be easily duplicated on Android platforms. As Webb rightly points out, such a move could undermine Google’s larger healthcare plans, by locking consumers into Apple technology and discouraging a switch to the Google Fit health tracking software.

Big vision, big questions
As we know, even a company with the reputation, cash and proprietary user base enjoyed by Apple is far from a shoo-in for consumer health data dominance. (Consider the fate of Microsoft HealthVault and Google Health.) Its previous successes have come, as noted, by creating a channel then dominating that channel, but there’s no guarantee it can pull off such a trick this time.

For one thing, the wearables market is highly fragmented, and Apple is far from being the leader. (According to one set of stats, Fitbit had 25.4% of the global wearables market as of Q2 ’16, Xiaomi 14%, and Apple just 7%.) That doesn’t bode well for starting a health tracker-based revolution.

On the other hand, though, Apple did manage to create and dominate a channel in the music business, which is also quite resistant to change and dominated by extremely entrenched powers that be. If any upstart healthcare player could make this happen, it’s probably Apple. It will be interesting to see whether Apple can work its magic once again.

Validic Survey Raises Hopes of Merging Big Data Into Clinical Trials

Posted on September 30, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Validic has been integrating medical device data with electronic health records, patient portals, remote patient monitoring platforms, wellness challenges, and other health databases for years. On Monday, they highlighted a particularly crucial and interesting segment of their clientele by releasing a short report based on a survey of clinical researchers. And this report, although it doesn’t go into depth about how pharmaceutical companies and other researchers are using devices, reveals great promise in their use. It also opens up discussions of whether researchers could achieve even more by sharing this data.

The survey broadly shows two trends toward the productive use of device data:

  • Devices can report changes in a subject’s condition more quickly and accurately than conventional subject reports (which involve marking observations down by hand or coming into the researcher’s office). Of course, this practice raises questions about the device’s own accuracy. Researchers will probably splurge for professional or “clinical-grade” devices that are more reliable than consumer health wearables.

  • Devices can keep the subject connected to the research for months or even years after the end of the clinical trial. This connection can turn up long-range side effects or other impacts from the treatment.

Together these advances address two of the most vexing problems of clinical trials: their cost (and length) and their tendency to miss subtle effects. The cost and length of trials form the backbone of the current publicity campaign by pharma companies to justify price hikes that have recently brought them public embarrassment and opprobrium. Regardless of the relationship between the cost of trials and the cost of the resulting drugs, everyone would benefit if trials could demonstrate results more quickly. Meanwhile, longitudinal research with massive amounts of data can reveal the kinds of problems that led to the Vioxx scandal–but also new off-label uses for established medications.

So I’m excited to hear that two-thirds of the respondents are using “digital health technologies” (which covers mobile apps, clinical-grade devices, and wearables) in their trials, and that nearly all respondents plan to do so over the next five years. Big data benefits are not the only ones they envision. Some of the benefits have more to do with communication and convenience–and these are certainly commendable as well. For instance, if a subject can transmit data from her home instead of having to come to the office for a test, the subject will be much more likely to participate and provide accurate data.

Another trend hinted at by the survey was a closer connection between researchers and patient communities. Validic announced the report in a press release that is quite informative in its own right.

So over the next few years we may enter the age that health IT reformers have envisioned for some time: a merger of big data and clinical trials in a way to reap the benefits of both. Now we must ask the researchers to multiply the value of the data by a whole new dimension by sharing it. This can be done in two ways: de-identifying results and uploading them to public or industry-maintained databases, or providing identifying information along with the data to organizations approved by the subject who is identified. Although researchers are legally permitted to share de-identified information without subjects’ consent (depending on the agreements they signed when they began the trials), I would urge patient consent for all releases.

Pharma companies are already under intense pressure for hiding the results of trials–but even the new regulations cover only results, not the data that led to those results. Organizations such as Sage Bionetworks, which I have covered many times, are working closely with pharmaceutical companies and researchers to promote both the software tools and the organizational agreements that foster data sharing. Such efforts allow people in different research facilities and even on different continents to work on different aspects of a target and quickly share results. Even better, someone launching a new project can compare her data to a project run five years before by another company. Researchers will have millions of data points to work with instead of hundreds.

One disappointment in the Validic survey was that a minority of respondents saw a return on investment in their use of devices. With responsible data sharing, the next Validic survey may raise this response rate considerably.

Please, No More HIE “Coming Of Age” Stories

Posted on September 29, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Today I read a Modern Healthcare story suggesting that health information exchanges are “coming of age,” and after reading it, I swear my eyes almost rolled back into my head. (An ordinary eye roll wouldn’t do.)

The story leads with the assertion that a new health data sharing deal, in which Texas Health Resources agreed to share data via a third-party HIE, suggests that such HIEs are becoming sustainable.

Author Joseph Conn writes that the 14-hospital system is coming together with 32 other providers sending data to Healthcare Access San Antonio, an entity which supports roughly 2,400 HIE users and handles almost 2.2 million patient records. He notes that the San Antonio exchange is one of about 150 nationwide, hardly a massive number for a country the size of the U.S.

In partial proof of his assertion that HIEs are finding their footing, he notes that from 2010 to 2015, the number of HIEs in the U.S. fluctuated but saw a net gain of 41%, according to federal stats. And he attributes this growth to pressure on providers to improve care, lower costs and strengthen medical research, or risk getting Medicare or Medicaid pay cuts.

I don’t dispute that there is increased pressure on providers to meet some tough goals. Nor am I arguing that many healthcare organizations believe that healthcare data sharing via an HIE can help them meet these goals.

But I would argue that even given the admittedly growing pressure from federal regulators to achieve certain results, history suggests that an HIE probably isn’t the way to get this done, as we don’t seem to have found a business model for them that works over the long term.

As Conn himself notes, seven recipients of federal, state-wide HIE grants issued by the ONC — awarded in Connecticut, Illinois, Montana, Nevada, New Hampshire, Puerto Rico and Wyoming — went out of business after the federal grants dried up. So we’re not talking about HIEs’ ignoble history of sputtering out, we’re talking about fairly recent failures.

He also notes that a commercially-funded model, MetroChicago HIE, which connected more than 30 northeastern Illinois hospitals, went under earlier this year. This HIE failed because its most critical technology vendor suddenly went out of business with 2 million patient records in its hands.

As for HASA, the San Antonio exchange discussed above, it’s not just a traditional HIE. Conn’s piece notes that most of the hospitals in the Dallas-Fort Worth area have already implemented or plan to use an Epic EMR and share clinical messages using its information exchange capabilities. Depending on how robust the Epic data-sharing functions actually are, this might offer something of a solution.

But what seems apparent to me, after more than a decade of watching HIEs flounder, is that a data-sharing model relying on a third-party platform probably isn’t financially or competitively sustainable.

The truth is, a veteran editor like Mr. Conn (who apparently has 35 years of experience under his belt) must know that his reporting doesn’t sustain the assertion that HIEs are coming into some sort of golden era. A single deal undertaken by even a large player like Texas Health Resources doesn’t prove that HIEs are seeing a turnaround. It seems that some people think the broken clock that is the HIE model will be right at least once.

P.S. All of this being said, I admit that I’m intrigued by the notion of “public utility” HIE. Are any of you associated with such a project?

Is Your EHR Contributing to Physician Burnout?

Posted on September 28, 2016 | Written By

The following is a guest blog post by Sara Plampin, Senior Instructional Writer from The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
It’s finally come, the day you’ve been working toward for years – Go Live. Thousands (or even millions) of dollars, hundreds of hours planning and calculating and going back to the drawing board, and it’s about to pay off. You sit back and take a breath, proudly watching as your organization takes its first steps into the future.

And then the complaints start to trickle in. The Electronic Health Record (EHR) feels clunky, it doesn’t match current workflows, documentation takes too long, and the physicians refuse to use it.

Frustrations over EHR functionality and increased documentation time are a leading cause of burnout among medical workers. Physician practices, in particular, are showing a decrease in EHR use over time. Physicians say hefty documentation requirements take away valuable face-to-face time with patients, making them feel more like scribes than doctors.

The issue has led to physician groups reviving the ‘Quadruple Aim’ movement, in which physician wellness is more emphasized.


While many are quick to attribute this dissatisfaction to the EHR itself, it is more likely the result of a poor implementation plan that focused more on technological requirements and less on long-term adoption needs. There are three ways to ensure the needs of physicians and clinical staff are met and you have a successful EHR adoption.

Involve Clinical Staff from the Get-Go
One of the biggest mistakes you can make is failing to include clinical staff in the initial decision-making process. Before choosing an EHR vendor, assemble a team of representatives from all areas of your organization – not just physicians and nurses. Ancillary departments such as therapy, radiology, and pharmacy are often overlooked when it comes to EHR design and training. Each representative will be aware of the specific needs and workflows for their department; they can compile requests from their colleagues and help research different vendor options to determine which EHR is the ideal match for your organization.

Once the EHR is selected, clinical staff members become an integral part of the design team. Although vendor representatives can help identify best practice workflows, ultimately your employees are the experts on how the EHR will be used in their department. HIMSS physicians cited five factors that contribute to EHR usability issues: navigation, data entry, structured documentation, interoperability, and clinical decision support. Involving clinicians in the design and testing phases allows them to identify solutions to some of these common issues, making the EHR more intuitive for future users.

Including members from all areas of the organization not only ensures better EHR selection and design – it also improves morale. When staff feel like their voices are heard, the project becomes a joint initiative rather than a regulation from upper management. Representatives from the design team act as a go-between, communicating their peers’ requests to executives, while in turn reinforcing the importance of the transition and garnering excitement for go live and beyond.

Realistic, Time-Effective Training
Once the EHR design is solid, the next step is to make sure all staff are properly trained and comfortable using the application. While this may seem obvious, training is another area where many organizations fall short. It is not just the amount of training that matters, but also the type and timing of training. Full-day classroom training sessions can be ineffective for adult learners. Additionally, planning training days around complicated shift schedules is difficult, as is finding replacement staff. This is particularly an issue at small physician practices, where physicians may have to sacrifice patient time in order to complete training.

A more modern, time-effective approach to training is online simulation. Learning is chunked into modules based on small tasks users may complete throughout their day. Thus, learning can be spread over days or weeks, whenever the physician has a free moment. Simulations allow learners to practice using the EHR, giving them the chance to fail without repercussions and develop muscle memory for daily tasks. By go live, using the EHR should feel like second nature.

A lot of the frustrations users feel about navigation and documentation requirements result from their unfamiliarity with the application. When they receive the right training, they will feel confident using the EHR, thus reducing documentation time and increasing face-to-face time with patients.

Constant Feedback/Reevaluation
As with all large-scale projects, even the best laid plans are bound to hit a snag or two. If you’ve established a solid communication channel with all department representatives, you will be prepared to handle any complaints that come your way after go live. It is important that all staff have a clear path to communicate problems and suggestions, and that they are comfortable doing so. The best way to avoid dissatisfaction among your employees is to hear their complaints and proactively fix these issues.

If you’ve already implemented an EHR and are now dealing with the types of complaints outlined above, this is the place for you to start. Create testing and measurement procedures to determine how users are currently using the EHR, where they are getting stuck and where their actions deviate from prescribed workflows. Then, work with each department to determine where EHR functionality can be tweaked, workflows redesigned or a combination of both. Effective adoption requires a constant cycle of communication, design, training, evaluation, and redesign.

If you want to make sure your employees are happy with the EHR and physicians avoid burnout, go live is just the beginning.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

The Required Shift in How Patients View Wearables

Posted on September 27, 2016 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

We’ve all seen the explosive growth that’s occurred in the wearables market. The most extraordinary part of the wearables explosion is that the majority of wearables growth has been in the healthcare space. The problem we now see in healthcare is that most people don’t look at wearables as a disease management tool as much as they see them as lifestyle tools. This was described really well by Megan Williams on the Samsung Insights blog:

Perhaps the most challenging part of meeting that desire [Physician Access to Patients’ Lives and Health] is the fact that patients mostly view wearables as an aid in lifestyle improvement instead of disease management. The task of helping patients understand that wearables are about much more than weight loss will fall squarely on the shoulders of providers.

Patients have traditionally shown a preference for lifestyle apps including fitness, nutrition and heart rate aids, and have been much slower to adopt disease management tools, even as chronic disease remains a burden on healthcare as a whole. Encouraging the use of a broader range of wearables, digital tools and apps will be a challenge for any provider.

Changing habits and perceptions is always a challenge. However, it’s also a great opportunity.

No one would argue that today’s wearables are more than novelty items that may have some impact on your lifestyle (fitness, nutrition, etc). That’s largely because the initial wearables were designed around those retail areas of the market. It’s much easier to create a retail wearable device than to create a disease management focused healthcare device.

As the healthcare wearables market matures, so will patients’ expectations around the benefits they can receive from those wearables. I think there are two main keys to development of wearables as true healthcare devices: Depth of Tracking and Connection to Providers.

Depth of Tracking
I’ve argued for a while now that all the various fitness trackers were not clinically relevant. I still believe that today, but I also believe that wearables like the various fitness trackers will start tracking us in ways that are clinically relevant. That just takes a lot longer to develop.

Whether it’s new trackers that screen for sleep apnea or ECGs that monitor our heart, we’re seeing more and more wearable devices monitoring data that’s more clinically relevant than the number of steps you’ve taken. This trend will continue. As wearables more deeply track various parts of the human body, the opportunities to understand your health and improve your health will follow along with it. This will provide doctors the impetus to request access to your wearable data.

The deep data these wearables will provide will challenge the tried and true beliefs healthcare holds so dearly today. That can be scary for some, but is also very exciting.

Connection to Providers
While wearables will provide the data, we’ll still want to consult a healthcare provider to understand the data and to create a plan of action based on that data. At least in the foreseeable future, our health will depend on collaboration with healthcare providers as opposed to a replacement of healthcare providers. This will be particularly true as the type of data our wearables collect gets more complicated. Understanding your step chart is quite different than understanding your ECG.

In order to facilitate this collaboration, our wearables will have to be connected to our care providers. Note that I said care providers and not doctors. In some cases it might be our doctor, but in other cases it could be a nurse, care manager, social worker, or some other care provider. I’m hopeful that we eventually reach the point of a true care team that collaborates on our health. That’s a far cry from where most of our healthcare is today, but that is the hope.

If we can solve these two wearable challenges, Deeper Data and Connected Providers, then we’ll be well on our way to changing how patients view wearables. This shift won’t happen overnight, but I believe it will happen a lot quicker than most people imagine.

For more content like this, follow Samsung on Insights, Twitter, LinkedIn, YouTube and SlideShare.