
The Senate is Promoting Healthcare Innovation – How Organizations Can Keep Pace – Breakaway Thinking

Posted on April 20, 2016 | Written By

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
On March 9, 2016 the Senate Committee on Health Education Labor and Pensions (HELP) approved S.1101, better known as the Medical Electronic Data Technology Enhancement for Consumers’ Health (MEDTECH) Act. As HIMSS reports, the bill aims to limit the regulatory oversight of “low-risk” medical device software, while simultaneously making a clear distinction of the FDA’s reach of authority.

But how do you define “low-risk” when it comes to a person’s health?

The answer might surprise you. These items are deemed low-risk by the MEDTECH act and will no longer require oversight:

  • administrative, operational, or financial records software used in healthcare settings
  • software for maintaining or encouraging a healthy lifestyle unrelated to medical treatment
  • electronic patient records, excluding software for interpreting or analyzing medical image data
  • software for clinical laboratory testing, excluding software for interpreting or analyzing test data
  • software that provides medical recommendations and the basis for those recommendations to healthcare professionals, excluding software for acquiring, processing, or analyzing medical images or signals

Regulations serve a purpose in ensuring that the devices used do not put patients at risk, and some fear that the loosening of these restrictions could be problematic. But the number of policies vendors were previously required to abide by was staggering. There is little value in subjecting vendors or healthcare leaders to such stringent policies with software and devices that are unlikely to lead to increased risk or an adverse event. Unnecessary regulation ultimately restricts patient access to the most current technology and impedes more successful clinical outcomes.

As HIMSS further clarified, the MEDTECH act still allows the FDA to oversee medical software if it considers the product “reasonably likely to cause serious adverse consequences.” The congressional summary goes on to note that the FDA may assess a software function for safety and effectiveness if the medical device has multiple functions. For example, mobile applications do not need supervision if integrated by a vendor unless they become linked to something of medium or high risk such as medication administration. In short, vendors get the freedom they need to explore new avenues, but the FDA doesn’t cede total control and retains an option that can be interpreted broadly enough to intervene when needed. In this sense, the MEDTECH act finds a middle ground using a risk-based approach to focus oversight where it’s needed most.

Key players in the industry have supported the bill; Health IT Now and the American Medical Informatics Association (AMIA) both praised the passage of the act, while major vendors including Athenahealth, IBM, and McKesson strongly supported the push to pass the bill. Undoubtedly, the passing of the MEDTECH act was great news for vendors.

The benefits to patients and vendors are clear, but what about healthcare providers and administrators?

CIOs and CMIOs already have their hands full in keeping pace with a seemingly endless set of transformations in health IT. Now the Senate is aiming to quicken innovation and promote shorter times for technology to reach the market, inevitably resulting in a faster rate at which organizations must adopt that technology. Some providers likely viewed the passage of the act with an exasperated palm to the face. The frustration is real; the move to ICD-10 occurred less than seven months ago, not to mention many organizations have implemented EHRs but are focusing on optimization to improve their ROI.

Simply put, there is no end in sight to new technologies arriving in healthcare, and there will not be a slowdown anytime soon. Healthcare organizations must proactively plan a long-term adoption strategy that accounts for continual enhancements in technology, with a focused ability to quickly bring staff to a high level of proficiency. Those that achieve such agility will be able to leverage the best technology to offer the highest standards of care.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps that alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to provide sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the meantime, it’s worth remembering that patients are paying close attention to health app security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.

Healthcare Faces Massive Cybersecurity Risks

Posted on December 27, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

When a consumer publication like The Washington Post — hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of such public cybertools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!)

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better. I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?

GINA, Runtastic, and The Future of Patient Engagement: Around HealthCare Scene

Posted on August 19, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.


Worried about HIPAA? Don’t Forget GINA

If remembering HIPAA regulations wasn’t hard enough when it comes to EMR security, a new factor is being brought to the table: GINA. GINA, which stands for Genetic Information Non-Discrimination Act, is primarily aimed at the workplace. The purpose of GINA is to prevent employers from requesting or obtaining any genetic information concerning an employee at any time. This post discusses GINA, and possible issues that may be related to it.

Hospital EMR and EHR

Medicare’s New Requirement for Evidence-based Order Sets

This is a guest post by Sean Benson, co-founder of ProVation Medical. He discusses the new changes to Medicare’s Conditions of Participation for hospitals that recently went into effect. These changes were small, but significant, and Benson clears up things that might be confusing, and clarifies the new requirements.

5 Mistakes Healthcare Vendors Make in Tracking Customer Satisfaction

The company, KATALUS Advisors, focuses quite a bit on helping healthcare vendors interact with their clients. Chris O’Neal, Managing Partner at KATALUS Advisors, recently created a list of the top 5 mistakes that he sees healthcare vendors make in tracking customer satisfaction. He mentions the importance of customer satisfaction, and how “savvy” vendors are finding ways to avoid these pitfalls.

Smart Phone Health Care

Runtastic Makes Tracking Exercise Easier and More Fun

As a follow up to a recent post about apps for runners, this post has a review of another great running app, Runtastic. The app has tons of features, including a 3D Google Earth view of completed workouts. The basic app is free to download, however, upgrades and exercise plans are available for a fee.

FDA Approves Voice Guided Epinephrine Injector: Auvi-Q

Many people are plagued with allergies, and at times, have to rely on an epinephrine injector to save their lives. However, when an allergic reaction happens, the victim may not be able to use the injector themselves. As a solution, the FDA has recently approved an epi pen, called the Auvi-Q, which provides step by step audio on how to use the injector and save a life.

EHR and EMR Videos

GetWellNetwork Unveils the Future of Patient Engagement Video

GetWellNetwork released a video recently which illustrates how innovations in IPC will improve outcomes for patients for hospitals by becoming a part of everyday life. IPC has been implemented in over 20,000 hospital beds across the US and GetWellNetwork has been leading the way for IPC.

New mHealth App Certification – The Next CCHIT Like Mistake

Posted on January 17, 2012 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I first heard about the new Secure, Branded App Store for Hospitals and Healthcare called Happtique in early December on Techcrunch. At its core, I think it’s an interesting idea to try and filter through what the article claims are “23,000 mobile health apps available for iOS and Android.” Helping physicians and hospital administrators filter through these apps could be valuable. Plus, most hospital administrators would love a way to have a phone that was limited on which apps it could download.

Well, it seems that the company has shifted gears a little bit. As Brian Dolan from Mobi Health News reported, Happtique is taking the first steps to setting up a certification for mobile health apps.

Happtique, a healthcare-focused appstore, announced plans to create a certification program that will help the medical community determine which of the tens of thousands of health-related mobile apps are clinically appropriate and technically sound. The company has tapped a multi-disciplinary team to develop the “bona fide mHealth app certification program” within the next six months. The program is open to all developers and will be funded by developer application fees.

It will certify apps intended to be used by both medical professionals and patients.

While I think that providing some way for people to filter through the large number of mobile apps could be valuable, I think certification is a terrible way to go about it. Many people know I’ve written many an article about CCHIT pre-EHR incentive money and how screwed up the CCHIT EHR certification was for the industry. I think it’s just as bad news for Happtique to create a certification for the mobile health industry.

Turns out that Happtique seems to have agreed with this idea back in October 2010 where they said in a MobiHealthNews interview, “We are not in the business of opining whether an app is ‘good’ or ‘bad’ though. That’s not our role. Apple doesn’t do that and others don’t either. If the FDA indicates that an app is a medical device and needs to be regulated, well, that’s a different situation and we can take it out of the store.” Seems they’ve seen a different business opportunity.

They have a couple recognizable names on their board to create their certification including Howard Luks and Dave deBronkart (better known as e-Patient Dave), but I believe they’re going to find that it’s an impossible task. First, because they won’t have the breadth of knowledge needed to create certification requirements for every type of mHealth app. Second, what value will the certification really provide? Third, how do you make the certification broad enough to apply to all 20,000+ apps while still providing meaning to those using a very specific mHealth app? Plus, I’m sure there are many other issues I haven’t thought of yet.

The problem with these certification ideas is that they start with great intentions, but always end up bad.

Top Health Industry Issues of 2011 – “Top 10” Health IT List Series

Posted on December 28, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Next up in our evaluation of the various end of 2011 Health IT lists series is one that takes a bit of a look back at 2011. In this list, PwC lists what they consider the Top Health Industry Issues of 2011. The list starts with an interesting comment about the health IT spending in 2011:

More than $88.6 billion was spent by providers in 2010 on developing and implementing electronic health records (EHRs), health information exchanges (HIEs) and other initiatives. This surge is a sign of technology’s critical place in health system improvement.

$88.6 billion is a lot of health IT spending and larger than most numbers I’ve seen. Although, most numbers I’ve seen are only the EMR and EHR market and don’t include HIE spending and other healthcare IT initiatives. It’s quite clear that the health IT spending is up, and up Big!

Their list of top Health issues isn’t that surprising, except possibly one of them:

Meaningful Use – This has to be topic number one for health IT in 2011. It’s had a transformative effect on healthcare IT and EMR and EHR as we know them. Pretty much every EHR vendor I’ve talked to basically had to take an entire software development life cycle to meet the meaningful use and certified EHR requirements. This is the dramatic effect of meaningful use on EHR development.

PwC actually focuses on how meaningful use will encourage patient participation in their healthcare or “shared medical decision-making.” To be honest, I’m not sure meaningful use has done much to help this goal, yet(?). Possibly meaningful use stage 2 and meaningful use stage 3 will help to further these goals. MU stage 1 has done little to encourage this. Regardless of the impact of meaningful use, shared medical decision-making is going forward fast and furious.

HIPAA 5010 and ICD-10 – The interesting issue for 5010 and ICD-10 is that they’ve basically been overwhelmed by meaningful use and EHR incentive money. Either of these changes alone would have been a reasonable challenge for a normal year. However, clinical organizations are battling through 5010, ICD-10 and meaningful use all at the same time. Are there any other IT projects going on that don’t involve these three things? I’d say probably very few.

Electronic medical device reporting (eMDR) – I found this point quite interesting. There’s been a lot of movement in 2011 in regards to what constitutes a medical device and who should take care of tracking and collecting the adverse events that occur on these devices. I don’t think we’ve come to a final conclusion on what will be considered a medical device and how we’re going to deal with reporting adverse events, but finally getting electronic reporting of adverse events is a good step in the right direction.

Be sure to read the rest of my Health IT Top 10 as they’re posted.

ePrescribing Controlled Substances

Posted on August 3, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Back on September 13, 2009 I wrote a post titled, “FDA Approves Pilot Electronic Prescribing of Controlled Substances.” I’d link to the post, but unfortunately the news got sent to me prematurely and so I had to take the post down. It was unfortunate, since there was and still is a lot of interest in being able to ePrescribe controlled substances. In fact, I’d say that not being able to prescribe controlled substances electronically is the current Achilles heel of ePrescribing.

Fast forward to DrFirst’s recent announcement of the Nationwide Launch of their ePrescribing Controlled Substances product. Their latest ePrescribing product for controlled substances is called EPCS Gold and is fully certified to meet the prescription processing requirements for Surescripts, the DEA’s requirements in the Interim final rule, and the Identity Proofing requirements set by NIST.

I’m really glad to see ePrescribing of controlled substances moving forward. This will make ePrescribing much more attractive to physicians. Especially physicians that regularly prescribe controlled substances like surgeons and pain doctors.

However, this controlled substance ePrescribing announcement does of course come with its limitations. I think they’re described well in this part of the press release:

Prescribers enrolling for EPCS Gold™ will be able to send controlled substance prescriptions electronically after a simple credentialing and identity-proofing process with DrFirst. After providers are certified, they can begin e-prescribing Schedule II-V drugs based on their individual state laws and the ability of the receiving pharmacy to meet the DEA’s requirements to process these prescriptions. To avoid any confusion and eliminate guesswork by providers, EPCS Gold™ automatically detects which substances can be sent electronically.

The two challenges are quite clear: state laws and pharmacy ability to meet the DEA’s requirements. I haven’t done any in depth research on either subject, but I have a feeling that both of these things will be major issues across the country. I’d like to think it won’t be, but knowing the pace of state legislation and pharmacy adoption of these standards I’m not hopeful that they’re ready to receive controlled substance prescriptions electronically.

However, the above step is an important one. You have to have all sides ready to handle the security required to make ePrescribing controlled substances a reality. This is the first step and a very good one.

EMR Safety Event Reporting

Posted on December 1, 2010 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The PDR Network in partnership with the iHealth Alliance has launched a new reporting system for adverse EHR events called EHRevent. Some of these adverse EMR events might include: software problems, inadequate user training, security breaches and near-misses. Here’s a short quote from the press release about the new website:

Using a standardized online format, EHRevent will collect reports from physicians and other health care providers who use EHRs, and create reports that medical societies, professional liability carriers and government agencies such as the U.S. Food and Drug Administration (FDA) will use to help educate providers on the potential challenges that EHR systems may bring.

The form breaks out the EHR safety events into 4 categories:
Incident: An EHR event that reached a patient, whether or not the patient was harmed.
Near Miss: An EHR event that is not believed to have impacted a patient.
Non-Patient Issue: An incident or near miss that impacted staff, employee(s), visitor(s).
Unsafe Condition: A circumstance that increases the probability of an EHR event.

I tried out their form and they had a lot of the EHR vendors listed, but there were a few missing. For example, it didn’t have the popular free open source EMR: OpenEMR. I wonder where they got their list. Especially since the list is changing so rapidly.

The form was relatively simple, but it did have like 9 screens that you had to answer. After the fifth I was feeling like it was a bit lengthy and I was just submitting a test. Although, when an adverse EHR event happens, users are usually pretty motivated to tell their story. At least they will be until they get to the page on the event reporting where they have to turn over all their personal information. I’m sure many will be turned off by that little detail.

One more quote about EHR and safety events from the press release:

Alan Lembitz, M.D., vice president of Patient Safety and Risk Management for COPIC Insurance Company, added “Our experience indicates that EHRs have the capacity either to induce or to reduce medical errors in very unique ways, and we have seen data that indicates that EHR adoption may reduce physician liability. It will be increasingly important to understand best practices to improve patient safety for EHRs and for their users, and EHRevent will help both.”

It’s going to be interesting to see how this evolves. Is this something that EMR vendors will support? It seems like e-MDs is on board since Michael Stearns, MD and CEO of e-MDs is quoted in the press release.

Over the years a lot of people have asked me where they could report a situation related to their EHR. This seems to be the best we have so far. As the press release points out, “Professional liability carriers who insure doctors against malpractice claims are among the strongest supporters of EHRevent.” Of course they are. The more information they can get the better they can do their job. We’ll see how many doctors and practices get on board and support this type of EHR reporting initiative.