Imagine a world without HIPAA
Imagine a world without 100 zillion insurance companies (each with different policies)
Imagine a world where people didn’t shop for drugs
Imagine a world where patient care was the only reason for health care

Never going to happen. However, I can’t help but wonder the type of EMR software we could create if we didn’t have to worry about the above items.

I’ve been reading some things about ARRA’s changes to HIPAA. I’ve heard a number of times the phrase that “ARRA has now given teeth to HIPAA.” I’ve also heard grumblings about a change in the HIPAA requirement that an EMR account for disclosures. I’ve been trying to get a number of experts on HIPAA to do a guest post on these various changes with no success, but I’ll keep trying.

However, I recently heard that the accounting for disclosures is even more stringent than I had thought about before. From what I’ve heard, the law will now require that you are storing and able to report on the disclosure of a patients health information to both internal and external sources. The external sources is something that we’ve done forever and is really not a problem. The challenge is accounting for the internal disclosure of the HIPAA information. Not to mention displaying that information in a nice report.

Let’s say for example, a nurse pulls up a list of patients during a search for a patient by last name. Does the EMR need to know all of the people that were in that list that could have been seen by the nurse? Do you need to audit how long the nurse had that list open? I’m sure there are more situations like this that seem to be required by the new HIPAA laws.

I actually saw a demo of a hospital EMR that recorded this type of granular auditing. I have a feeling many EMR software aren’t even close to this type of tracking.

I’m also reminded of my post talking about the number of users who legitimately access a patient’s chart. In that post I talk about the number of people who can mess up the chart. Now let’s think about the audit logs that will be required for all of those people who are accessing each granular part of a patient’s record.

I’d love to hear people’s thoughts on this subject and any clarifications on things I’m misunderstanding. No doubt we’re going to hear more about this in the future.

Yes, this website is called EMR and HIPAA, but as you can tell from the content I’m much more interested in EMR than I am in HIPAA. Although there is certainly some correlation.

That said, I think there’s some interesting things happening with HIPAA that people need to be aware of. HHS released the Breach Notification Final Rule. Healthcare POV said the following about the rule:

The Department of Health and Human Services (HHS) has released a final rule on breach notification requirements for covered entities (CEs) and business associates (BAs). Published in the Federal Register, the rule dictates proper procedure for responding to a breach, including when notification is required, who to tell and how to dispense that information. The rule also reiterates and clarifies recommended methods of data encryption.

The announcement came 2 days after the Federal Trade Commission (FTC) released its breach notification final rule, which covers personal health record vendors and other non-HIPAA CEs. HHS consulted with FTC on requirements and asked the public for input through a request for information released earlier this year.

The link above has more analysis of these changes as well. I’ll admit that I’m not an expert in this area. Anyone else who cares to chime in on the impact of these changes, I’d love to hear about it in the comments or even a guest blog post if someone’s interested.

Text messages are becoming more and more popular in the US. It’s funny, because the US is about 5 or so years behind Europe when it comes to the use of text messages. Better late than never I guess. The addiction is especially true with high school children, but the college ranks are ravaged with students who are addicted to texting. I’ve heard some parents say that a text message is the only way they can communicate with their child (how sad is that?).

Considering text messages are getting so popular, I wonder if any EMR companies have integrated text messaging into their software. The most obvious use would be to send a text message reminder about the appointment. I think many patients would love this service. A text message reminder for an annual pap smear or other follow up appointment would be really beneficial as well.

This really wouldn’t be that hard to implement since you can send an email which then goes to someone as a text message. The challenge is only figuring out which provider that person was on in order to send the email to the right place.

Is anyone doing text messages from their EMR? Certainly there are some HIPAA considerations here, but that should be covered by the agreement when they give you their cell number.

I’m not sure how many of my readers have heard about the Virginia Prescription Monitoring Program being hacked yesterday. The Prescription Monitoring Program is used by pharmacists and others to discover prescription drug abuse. The story gets really interesting since it looks like the hackers encrypted over 8 million patient records and over 35 million prescriptions. Then, the hackers posted the following note on the Virginia Prescription Monitoring Program website (according to wikileaks):

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh For $10 million, I will gladly send along the password.”

The website has now been entirely disabled and just times out if you try to visit the site.

The Washington Post blog has reported the following:

Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, declined to discuss details of the hacker’s claims, and referred inquires to the FBI.

“There is a criminal investigation under way by federal and state authorities, and we take the information security very serious,” she said.

A spokesman for the FBI declined to confirm or deny that the agency may be investigating.

Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.

“We do have some of systems restored, but we’re being very careful in working with experts and authorities to take essential steps as we proceed forward,” she said. “Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete.”

Seems interesting that 5 days after they discovered the intrusion the website is still not back online. Must have been a pretty serious hack job.

The Washington Post also explained that this is the second such extortion attack using patient health care data.

In October 2008, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

Stories like this will set back any sort of RHIO or national HIE movement. Sure makes you think about the security of it all. What is interesting is that the patient data doesn’t seem to have much value outside of extortion. Otherwise, I’d think those who breached the system would have used it in some other way.

In my first post on IM in a clinical environment I discussed some of the benefits and options available by having an IM program rolled out in a doctor’s office. IM really is a killer application that can facilitate communication. We all know the benefits good communication can bring to a doctor’s office and the pains bad communication can cause.

I love the idea of IM being integrated into an EMR. In fact, so much so that I asked my vendor if they were going to integrate IM into their EMR when they told me that they were looking to integrate the whole Outlook like messaging and calendaring system into the EMR. The response to my IM question was that it wasn’t on their roadmap and that they weren’t sure they’d want an IM popping up while they were in the middle of a patient visit.

I haven’t thought through all the complexities of integrating IM into an EMR in a way that wouldn’t be obtrusive, but would still facilitate the needed communication. However, I’m confident that with a little thought it could be built so that the communication happens without leaving the doctor in an awkward position and while still protecting the privacy of the patient.

Matt Chase, of Medtuity (one of the more forward thinking EMR companies out there), offered some interesting insights into possible benefits of having IM integrated into an EMR. Here’s a quick summary of some of his thoughts on it with some of my own additions.

IM Direct Link to Patient Chart – If I’m sending a message about a patient to the doctor, then it’s very likely that the doctor will want to look at the patient chart.  Certainly I could send the number or possibly the name, but if the IM is integrated into the EMR, then I could include a link in the IM which would take me directly to the patient chart.  As I’m typing this, why not have the ability to embed a part of the patient’s chart right in the EMR?  You could even direct link to a specific part of the chart or document that was uploaded that the doctor might need to see.

Patients Image Shown in Discussion – Assuming you’ve captured the patients image in your EMR for reference (and many do this), why not show the patient’s image in the IM message when someone mentions the patient.  How much would having the picture of the patient help if you received an IM message that said, “John Doe from last week has an abnormal lab.”  Most doctors are much better with faces than they are with names.  In the name of HIPAA, they probably should be.  Why not jog their memory of the patient by including a picture?

Click To Save to Patient’s Chart – Some IM discussions might be worth saving in a patient’s chart.  Sure copy and paste works from other IM programs, but why not make it one click to save it to the patient chart.  Of course, I suggest making it a one click add, but still let it be editable so that someone can format the IM before saving it completely.

EMR Access = IM Access – No one needs to know where you’re signed into EMR.  As long as you’re accessing EMR, then you’ll get your message.  This could be in a room, in your office, on your cell phone at the hospital, or in the Bahama’s when you were checking your EMR because you missed it so much (hopefully not likely).

EMR Defined Groups – Built intelligently, the EMR could be built to know which staff was on duty.  For example, we have a number of lab techs in our clinic.  Either a flag in the EMR or just by the lab tech’s activity in EMR it could know who to send a lab message to.  Look at it like a virtual IM account that the EMR intelligently knows who is available.

I’m sure there are many more features or benefits that would be only available by having IM integrated with EMR.  Are there any others that I missed?  Are there people using IM in their practice?  Is it integrated with your EMR?  I’d love to hear people’s thoughts and experiences with IM in health care.

I’ve been participating in a really interesting discussion going on over on EMRUpdate. The discussion revolves around the integration of IM into an EMR or EHR and the role of IM in a clinical environment.

One person suggested the use of a LAN only IM that he’s been using for a while. Looks like a pretty cool software and prevents your users from chatting it up with their best friend across town all day on work time.

My biggest problem with the LAN only IM software is that it’s just one more program that you have to manage. This is why in our clinic we’ve been using MSN Messenger. This comes installed by default on Windows and so it seemed like a logical choice. It also had some good upload features that allowed us to add our long list of users to a new person with little hassle. We have upgraded most of our computers to the latest MSN Messenger, but now it will just manage itself.

The other advantage of the commercial messengers is their advanced chatting and status features. You can add users to an existing discussion or start a discussion with a large group. The status of your messenger automatically updates as you’re away from your computer. I also loved messenger for when I was at home helping my wife who was sick. Just by going to their messenger, everyone in the clinic could see my status that I was at home taking care of my sick wife.

There are a whole host of other features that make the commercial version nice. One simple example is that it tells you when the person you’ve sent an IM to is typing or not. That way you can have at least some idea of whether you’re going to get a reply soon or not.

We only use IM in our individual offices, but I’ve heard of one person that has an IM user called “Room 1″ that is signed into Room 1. That way when he’s in the room, he can IM from that room without a problem. Of course, if you’re carrying a laptop around this isn’t a problem. Also, I haven’t tested this yet, but the next version of MSN Messenger seems like it has the ability to be signed into 2 locations. Could be pretty cool.

Of course, I’m sure that everyone’s wondering about HIPAA. In our clinic we’ve decided to just not put information protected by HIPAA in IM. We might say, Dr. Smith Pt 12345’s labs are available now. This makes it so IM doesn’t have to follow the security guidelines required by HIPAA. Some might argue that this isn’t failsafe. I’d respond that of course it’s not, but neither is someone sending an email with the same information. Neither is someone doing any countless number of things electronically. Therefore I treat it similar to how we treat email.

Despite the benefits we’ve seen from using IM in our clinic. It is really interesting to imagine what an IM program integrated with your EMR would look like. What new possibilities would it open up to you? Tomorrow I’ll discuss some of the cool integrations that could be created by a forward looking EMR company that integrates IM into their EMR.

I’ve previously written about using a patient kiosk for inputting information into an EHR. I still think this is a fantastic idea. So much so that I’ve actually implemented it in the clinic I work in for my full time job. This includes “Walmart” like signature pads where patients can sign their HIPAA form, financial agreement and other check in forms. We also require them to fill out their health history form electronically where it’s automatically available to the doctor in the EMR. There are some other major advantages to this method which I’ll save for another post.

Today I came across another interesting use for self service check in kiosks in a doctor’s office. Here’s a description of a different implementation of self service kiosks:

Two years ago, Galantino visited a trade-show booth staffed by Clearwave, a Marietta, Georgia-based company that is one of several check-in kiosk manufacturers. Similar to check-in kiosks found in airports, Clearwave kiosks ask patients to swipe their insurance card or type in the information from it.

The kiosk then recognizes the patient and populates the system with his or her personal and medical information. The kiosk also sends a Health Insurance Portability and Accountability Act 270 inquiry, regarding benefits eligibility and coverage, to the patient’s insurance company.

The insurance company, in turn, sends a HIPAA 271, which tells the practice everything it needs to know about the patient, including co-pay, co-insurance, deductible, and how much of the deductible has been met.

For a quarterly fee, Clearwave provides real-time updates of insurance company information.

The idea behind check-in kiosks is not only to increase the accuracy of patient records, but also to improve patient and staff satisfaction by decreasing tedious administrative tasks. Verifying eligibility status, for example, can be a time-consuming chore for an office administrator. The kiosks, on the other hand, connect directly to more than 1,000 insurance companies and provide an automated response in 10 seconds, according to Clearwave.

I love the integration of automatic insurance checking into the patient check in process. I can see how this would be very useful for most offices.

Reading through some of the other financial details in the article doesn’t make me see the financial benefit of the change (this might just need more analysis of the financial details), but I can agree completely that patients haven’t been averse to using the technology for check in at all. In fact, many prefer it.

I never thought when I started this blog that it would do so well. I mostly just started it as a labor of love. It still is a labor of love, but I was really happy when a number of advertisers were interested in advertising on EMR and HIPAA.

Thanks to Medical Software Associates and emrexperts for advertising on EMR and HIPAA. I really appreciate your financial support of this blog and my wife appreciates it even more.

If there are any other advertisers interested in advertising on EMR and HIPAA, please leave a comment on this post or email john [at] emrandhipaa {.} com Visitors to this site stay an average of 4 minutes and 40 seconds and visitors are almost exclusively interested in EMR and health care related topics. A very nice targeted market for EMR vendors, EHR vendors or I would think it would work really well for pharmaceutical companies too.

Today I was looking over some of the various statistics for this EMR and HIPAA blog. I can’t believe I started this blog about 2.5 years ago all in my quest to become an expert on EMR. I guess time will tell how much I really know about EMR. Either way, this blog has been a great way for me to learn about EMR and document some of the lessons I’ve learned.

As I was looking through the statistics for this blog, I decided to do a quick back of the napkin excel formula calculation of how much time people have spent reading my EMR and HIPAA articles. Here’s how I broke it down using statistics over the past year:

Number of Visits: 50,000
Average Time Spent on EMR and HIPAA: 2:04 minutes

Then, I took the above 2 numbers to calculate how many hours people have spent reading about EMR and HIPAA on this site and came up with the following:
1722 hours
or
71.75 days

Hopefully that was a well spent 71.75 days that helped improve a doctors use of EMR.