June 6, 2010

A Look Back at Popular EMR and HIPAA Posts

Written by: John

I told you on the weekends I’d try to go through and highlight some of my previous 774 posts (but who’s counting?). Obviously, there’s a lot to choose from. So, this time I decided to hit the big red button on my stats program that said “Top Posts for All Time.” Yes, that’s crunching 2,636,682 pageviews to provide this data. That’s right. Over 2.6 million pageviews. I kind of shudder thinking about that. Plus, I didn’t implement this stats system (since it didn’t exist) until well into this blog, but I digress.

2 posts that I knew would be near the top are my Overwhelming List of EMR Companies post, which I did back on 2/21/06, and my EMR and EHR vendors page. The former just barely edged out the prior.

Man, a lot has changed since early 2006 with that list of EMR vendors. Kind of fun to look back at the state of EMR vendors in 2006. A lot more entrants. Also, I’ve mostly stopped updating that page, and instead have been linking to this EMR and EHR matrix wiki page. Although, I do generally update the EMR and EHR vendors page for those vendors that advertise on EMR and HIPAA.

Coming in close behind my list of EMR and EHR vendors were a couple of posts about the EMR stimulus package (imagine that). One was called, “Details of Obama’s EMR stimulus Package” that I posted on 1/24/09 and the other was titled, “Economic Stimulus Bill Simplified” that I posted February 17, 2009.

I kind of shudder going back and reading those initial posts. So much of the information was vague and we were doing our best to guess what the government process would produce. Needless to say, we know a lot more about it now than we did then. I’m also glad I updated those posts with a link to my EMR Stimulus presentation. It’s mostly right, but we just have a lot more information now about Meaningful Use and Certified EHR than we had when I gave that presentation. The sad part of course, is that we’re still missing a lot of necessary details.

Another one that’s pretty interesting was a post I did back on June 21, 2006 about HIPAA Violation Examples. Turns out, a lot of people search the web for examples of HIPAA violations. I guess it’s kind of like passing a car wreck. You just need to look. This post is also proof that at least at some point, I’ve written about HIPAA. Thus the name EMR and HIPAA. Ok, I admit it’s probably about 99.6% EMR posts and 0.4% HIPAA posts. When I started I thought HIPAA would be interesting. I was wrong (at least for a computer nerd like me).

Another popular post was one listing the Top 10 Open Source EMR projects. Make sure you read the comments. That’s where the real action happened in that post. I might have to contact Sam Bowen about the Open Source Medical Software’s move to get OpenEMR certified. I’m guessing they still want to, but are just waiting for HHS to get their ducks in a row first.

I still love open source. I’d love to hear more updates about these open source EMR projects. So, if you’re someone who uses or codes for these open source EMR projects, I’d love to get an update (hopefully one I can share on the site).

Ok, that’s enough for now. Let me know if you like these types of posts or not. I bet they’ll get better as I go down the list even more.


April 29, 2010

Guest Post: Will Your New Smartphone Ruin Your Practice?

Written by: John

Guest Post: Hayden Hartland works at Spearstone, makers of Spearstone’s DiskAgent offering which provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser along with online backup for your business.

Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, phones such as the iPhone, Android, Blackberry, Windows Phone, Symbian, and Palm are beginning to rival, and in several areas (think GPS, camera and video) exceed the capabilities of laptops and desktops.

Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder then that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed that of laptops in the next five years. Analysts describe a future where smartphones that dock to keyboards and monitors obsolesce the laptop altogether.

The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops where some of the biggest risks lie in viruses, and the eventual failure of spinning hard drives, the biggest risk with a smartphone is the loss and exposure of the information you store on it.

More than 5,000 smartphones are lost or stolen each day. Most smartphones hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – yet there is little or no ability to prevent their compromise if your phone is lost or stolen. Many were carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.

Next time you notice a staff member, equipment rep, supply rep or any BAA using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone access them on the phone?” If you are a medical professional carrying a smartphone, you need protection because odds are that eventually you will lose your phone. Furthermore, HIPAA, the FTC and state consumer organizations require notification of all patients of a data breach (not exactly good for any practice or healthcare business).

Current phones and typical user practices do a poor job of safeguarding your confidential information. While many smartphones can require a password or PIN number to use them, few of us can tolerate the hassle of actually using one. We simply use our phones too frequently to put up with it. Yet without one, we’re completely exposed. And while a phone password may protect your information in the case of loss, it can’t stop someone with phone hacking skills who wants to access your information.

Here are some practical tips you can employ to reduce your risks:

  1. Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required after 4 or 8 hours, so that you only need to enter it once or twice a day. If your phone is stolen and locked the thief will either need to hack your phone or reset the phone to factory settings thereby removing all the data in the process.
  2. Create a splash screen when your phone is locked displaying a contact phone number or email address and reward value. Consider etching your name and contact information somewhere on the phone.
  3. Remove sensitive information from your phone as soon as possible.
  4. Write down your IMEI (International Mobile Equipment Identity) number. If your phone is stolen, call your carrier immediately and ask them to deactivate the IMEI number and the phone will be rendered inoperable for calling on all networks. This ensures the phone is unusable although it doesn’t protect any unencrypted information on your phone.

Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a Blackberry Enterprise server and/or Exchange Mail Server and your users exclusively use the corresponding phones (Blackberries and Windows Mobile devices), you can remotely remove emails and some other sensitive information in the event of a loss or theft. Other alternatives are to deploy encryption software or use the expensive MobileMe services provided by Apple. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser.


June 21, 2009

Lost Laptop with Patient Names, Treatment Summaries and Other PHI

Written by: John

This story coming out of Oregon came across my feeds today which tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.

This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out if there was an EMR involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if it gets stolen there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.

2. There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down kind of like they do with stolen cars (same people from what I understand).

Once the stolen laptop is connected to the network, it will call back to the main center and receive the command to wipe out the laptop. Then, it will also give them information about where it was connected in order for police to possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.


March 10, 2008

A Misplaced Box of HIPAA Information

Written by: John

Today I found a really interesting article in Utah’s local paper the Deseret Morning News. In the story, a box of medical charts was lost by UPS after being sent from a hospital to somewhere in Las Vegas for a Medicare audit. You can read the article for all the facts, but essentially the box somehow got misdirected and ended up being bought by a Utah school teacher purchasing some “scrap” paper.

I was kind of surprised by how long it took the hospital to get in touch with UPS after the box was lost. Ok, so I’m not really surprised that the hospital is not watching all of the HIPAA information they sent out to make sure that it arrives safely, but maybe it should. UPS has some pretty incredible tracking tools these days that really aren’t that hard to use.

The other interesting thing to consider is how these types of audits/information transfer happens in an electronic world. I know that we transfer eligibility lists to insurance companies using Secure FTP and that works quite well. We’ve worked with a scanning company who is scanning our old paper charts and when we need to access one of those old records, they send us an encrypted file through email. That works pretty smoothly.

Unfortunately, I think if a patient wants a record right now or if we needed to send some health information out for an audit (not sure why we would need to) then we’d have to pretty much just print out the electronic record like we do when a patient makes a . In fact, we’ve even made a request to our EMR software company to give us a one click method that will allow us to print the entire chart. It’s a pain to print out everything in the paper chart from what’s scanned in, to prescriptions, to lab results, to referrals, etc etc etc. Any EMR companies have a better way to do this?
