May 19, 2010
Fear of HIPAA Audits Despite 0.002% Chance
Written by: John
Anyone who has worked in healthcare has a palpable fear of the word HIPAA. Any time the word’s mentioned, I have this visceral emotion shoot through my body. I’m sure it’s the same for many people. HIPAA is like the nasty word that no one can argue with. Just say something is a HIPAA violation and no one can argue with you (assuming you’re right).
In the clinics I’ve worked in, there really is a desire to try and follow the HIPAA rules as best as possible. They all hate it, but they all try in good faith to follow the HIPAA rules. They likely do this because of fear of the dreaded HIPAA audit. Check out this interesting comment made on a previous post I did which puts the HIPAA audit in a new light:
Same goes for the HIPAA rules. We all spend so much effort and time to comply, yet the handful of cases arise when a disgruntled, recently fired employee becomes a whistleblower to screw their past boss and “tells all” to the feds who then pounce on the poor unsuspecting doctor to showcase their enforcement muscle. I’ve heard of anecdotal cases s.a. this, but I have never actually seen an office raided for a HIPAA violation or a major article on the subject in my medical journal reading. Considering that, if say, there are a dozen cases, then 12/780000 practicing doctors, my chances of a HIPAA audit are about 0.002%.
It’s a crazy world we live in. I agree that the risk of a HIPAA audit is pretty small and I think most people acknowledge this internally. Yet, people are afraid to say this publicly, because it sends a message that they don’t care about patient privacy. I think most clinics go through this amazing internal conflict. Basically, they want to support patient privacy, but they also don’t want HIPAA to get in the way of caring for patients and running their business.
The solution I believe most clinics employ: If I don’t talk or acknowledge it, then I don’t have to worry about it. Basically, ignorance is bliss. So, they address any privacy issues that come out and they try to maintain privacy generally, but few of them take it head on and make sure that they are HIPAA compliant. Should they? There’s only a 0.002% chance they’ll have a HIPAA audit.
Note 1: Hospitals are different from clinics. There are other issues related to HIPAA at hospitals.
Note 2: See, I do occasionally write about HIPAA. That’s why this website is named EMR and HIPAA. Every 6 months is about right, no?
Note 3: Patient Privacy is very important to me, so this post isn’t meant as an excuse for people to not protect their patients’ privacy. It is an attempt to discuss openly what I think is really happening with HIPAA in clinics.
Tags: HIPAA • HIPAA Audit • HIPAA Compliance • HIPAA Rules
April 29, 2010
Guest Post: Will Your New Smartphone Ruin Your Practice?
Written by: John
Guest Post: Hayden Hartland works at Spearstone, makers of Spearstone’s DiskAgent offering which provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser along with online backup for your business.
Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, phones such as the iPhone, Android, Blackberry, Windows Phone, Symbian, and Palm are beginning to rival, and in several areas (think GPS, camera and video) exceed the capabilities of laptops and desktops.
Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder then that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed that of laptops in the next five years. Analysts describe a future where smartphones that dock to keyboards and monitors make the laptop obsolete altogether.
The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops where some of the biggest risks lie in viruses, and the eventual failure of spinning hard drives, the biggest risk with a smartphone is the loss and exposure of the information you store on it.
More than 5,000 smartphones are lost or stolen each day. Most smartphones hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – yet there is little or no ability to prevent their compromise if your phone is lost or stolen. Many were carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.
Next time you notice a staff member, equipment rep, supply rep or any BAA using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone access them on the phone?” If you are a medical professional carrying a smartphone you need protection because odds are that eventually you will lose your phone. Furthermore, HIPAA, the FTC and state consumer organizations require notification of all patients of a data breach (not exactly good for any practice or healthcare business).
Current phones and typical user practices do a poor job of safeguarding your confidential information. While many smartphones can require a password or PIN to use them, few of us can tolerate the hassle of actually using one. We simply use our phones too frequently to put up with it. Yet without one, we’re completely exposed. And while a phone password may protect your information in the case of loss, it can’t stop someone with phone hacking skills who wants to access your information.
Here are some practical tips you can employ to reduce your risks:
- Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required after 4 or 8 hours, so that you only need to enter it once or twice a day. If your phone is stolen and locked the thief will either need to hack your phone or reset the phone to factory settings thereby removing all the data in the process.
- Create a splash screen when your phone is locked displaying a contact phone number or email address and reward value. Consider etching your name and contact information somewhere on the phone.
- Remove sensitive information from your phone as soon as possible.
- Write down your IMEI (International Mobile Equipment Identity) number. If your phone is stolen, call your carrier immediately and ask them to deactivate the IMEI number and the phone will be rendered inoperable for calling on all networks. This ensures the phone is unusable although it doesn’t protect any unencrypted information on your phone.
Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a Blackberry Enterprise Server and/or Exchange Mail Server and your users exclusively use the corresponding phones (Blackberries and Windows Mobile devices), you can remotely remove emails and some other sensitive information in the event of a loss or theft. Other alternatives are to deploy encryption software or use the expensive MobileMe services provided by Apple. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser.
Tags: Android • Blackberry • DiskAgent • Hayden Hartland • HIPAA • HIPAA violations • iPhone • Palm • Smartphone • Spearstone
February 7, 2010
Imagine an EMR World…
Written by: John
Imagine a world without HIPAA
Imagine a world without 100 zillion insurance companies (each with different policies)
Imagine a world where people didn’t shop for drugs
Imagine a world where patient care was the only reason for health care
Never going to happen. However, I can’t help but wonder the type of EMR software we could create if we didn’t have to worry about the above items.
Tags: EMR Software • HIPAA
October 2, 2009
ARRA Accounting for Disclosures
Written by: John
I’ve been reading some things about ARRA’s changes to HIPAA. I’ve heard a number of times the phrase that “ARRA has now given teeth to HIPAA.” I’ve also heard grumblings about a change in the HIPAA requirement that an EMR account for disclosures. I’ve been trying to get a number of experts on HIPAA to do a guest post on these various changes with no success, but I’ll keep trying.
However, I recently heard that the accounting for disclosures is even more stringent than I had thought. From what I’ve heard, the law will now require that you store, and are able to report on, the disclosure of a patient’s health information to both internal and external sources. Accounting for external disclosures is something we’ve done forever and is really not a problem. The challenge is accounting for the internal disclosure of the HIPAA-protected information. Not to mention displaying that information in a nice report.
Let’s say for example, a nurse pulls up a list of patients during a search for a patient by last name. Does the EMR need to know all of the people that were in that list that could have been seen by the nurse? Do you need to audit how long the nurse had that list open? I’m sure there are more situations like this that seem to be required by the new HIPAA laws.
I actually saw a demo of a hospital EMR that recorded this type of granular auditing. I have a feeling many EMR software packages aren’t even close to this type of tracking.
I’m also reminded of my post talking about the number of users who legitimately access a patient’s chart. In that post I talk about the number of people who can mess up the chart. Now let’s think about the audit logs that will be required for all of those people who are accessing each granular part of a patient’s record.
I’d love to hear people’s thoughts on this subject and any clarifications on things I’m misunderstanding. No doubt we’re going to hear more about this in the future.
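As an added illustration (not code from this post or from any EMR vendor), the sketch below records the granular events the post asks about: every patient whose name appeared in a search-result list, which chart was then opened, and how long the list stayed on screen, and it produces the per-patient disclosure report at the end. The patient table, user names, purposes and clock values are all constructed.

```python
"""Granular internal-disclosure audit for an EMR patient search (added example).

Assumptions not taken from the post: a tiny in-memory patient table, caller-supplied
epoch timestamps (so durations are deterministic), and audit records kept in a list.
A real EMR would write them to append-only storage the end user cannot edit.
"""
from datetime import datetime, timezone

# Constructed sample directory: (patient_id, last_name, first_name)
PATIENTS = [
    ("P001", "Smith", "Alice"),
    ("P002", "Smithson", "Bob"),
    ("P003", "Jones", "Carol"),
    ("P004", "Smith", "Dan"),
]

AUDIT_LOG = []  # one dict per event, in order of occurrence


def _log(event, when, **fields):
    """Append one audit record; 'when' is epoch seconds (UTC)."""
    entry = {"ts": datetime.fromtimestamp(when, timezone.utc).isoformat(),
             "event": event, **fields}
    AUDIT_LOG.append(entry)
    return entry


class PatientListView:
    """A search-result list. Every patient it shows is an internal disclosure to the
    viewing user, so each row is logged when the list opens, and the list's
    lifetime is logged when it closes."""

    def __init__(self, user, purpose, query, rows, opened_at):
        self.user, self.purpose, self.query = user, purpose, query
        self.rows, self.opened_at, self.closed = rows, opened_at, False
        for pid, _last, _first in rows:
            _log("list_view", opened_at, user=user, purpose=purpose, query=query,
                 patient_id=pid, fields_shown=["last_name", "first_name"])

    def open_chart(self, patient_id, when):
        """Drilling into one chart is a further, more detailed disclosure."""
        if patient_id not in {pid for pid, _, _ in self.rows}:
            raise ValueError("patient not in this result list")  # no view, nothing to log
        return _log("chart_open", when, user=self.user, purpose=self.purpose,
                    patient_id=patient_id)

    def close(self, when):
        """Record how long the list stayed open (the post's second question)."""
        if self.closed:
            return None
        self.closed = True
        return _log("list_close", when, user=self.user, query=self.query,
                    patients_shown=len(self.rows),
                    open_seconds=when - self.opened_at)


def search_by_last_name(user, purpose, prefix, when):
    """Case-insensitive last-name prefix search that returns an audited list view."""
    rows = [p for p in PATIENTS if p[1].lower().startswith(prefix.lower())]
    return PatientListView(user, purpose, prefix, rows, when)


def disclosures_for(patient_id):
    """Accounting-of-disclosures report for one patient: every event in which
    that patient's information was displayed, and to whom."""
    return [e for e in AUDIT_LOG if e.get("patient_id") == patient_id]


if __name__ == "__main__":
    t0 = 1254474000.0  # constructed: 2009-10-02 09:00 UTC
    view = search_by_last_name("nurse.jane", "treatment", "Smi", t0)
    view.open_chart("P001", t0 + 20)
    view.close(t0 + 45)
    for entry in disclosures_for("P002"):  # seen in the list, chart never opened
        print(entry)
```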
Tags: Accounting for Disclosures • ARRA • EHR Chart Access • EMR Auditing • EMR Chart Access • HIPAA
August 21, 2009
HIPAA Breach Notification Final Rule Released By HHS
Written by: John
Yes, this website is called EMR and HIPAA, but as you can tell from the content I’m much more interested in EMR than I am in HIPAA. Although there is certainly some correlation.
That said, I think there’s some interesting things happening with HIPAA that people need to be aware of. HHS released the Breach Notification Final Rule. Healthcare POV said the following about the rule:
The Department of Health and Human Services (HHS) has released a final rule on breach notification requirements for covered entities (CEs) and business associates (BAs). Published in the Federal Register, the rule dictates proper procedure for responding to a breach, including when notification is required, who to tell and how to dispense that information. The rule also reiterates and clarifies recommended methods of data encryption.
The announcement came 2 days after the Federal Trade Commission (FTC) released its breach notification final rule, which covers personal health record vendors and other non-HIPAA CEs. HHS consulted with FTC on requirements and asked the public for input through a request for information released earlier this year.
The link above has more analysis of these changes as well. I’ll admit that I’m not an expert in this area. Anyone else who cares to chime in on the impact of these changes, I’d love to hear about it in the comments or even a guest blog post if someone’s interested.
Tags: Breach Notification • HHS • HIPAA
June 15, 2009
Text Messages from An EMR
Written by: John
Text messages are becoming more and more popular in the US. It’s funny, because the US is about 5 or so years behind Europe when it comes to the use of text messages. Better late than never I guess. The addiction is especially true with high school children, but the college ranks are ravaged with students who are addicted to texting. I’ve heard some parents say that a text message is the only way they can communicate with their child (how sad is that?).
Considering text messages are getting so popular, I wonder if any EMR companies have integrated text messaging into their software. The most obvious use would be to send a text message reminder about the appointment. I think many patients would love this service. A text message reminder for an annual pap smear or other follow up appointment would be really beneficial as well.
This really wouldn’t be that hard to implement, since you can send an email to a carrier’s email-to-SMS gateway and it arrives as a text message. The only challenge is figuring out which mobile provider that person is on in order to send the email to the right place.
Is anyone doing text messages from their EMR? Certainly there are some HIPAA considerations here, but that should be covered by the agreement when they give you their cell number.
Tags: EMR Notifications • HIPAA • Text Messaging
May 5, 2009
8 Million Virginia Patient Records for $10 Million
Written by: John
I’m not sure how many of my readers have heard about the Virginia Prescription Monitoring Program being hacked yesterday. The Prescription Monitoring Program is used by pharmacists and others to discover prescription drug abuse. The story gets really interesting since it looks like the hackers encrypted over 8 million patient records and over 35 million prescriptions. Then, the hackers posted the following note on the Virginia Prescription Monitoring Program website (according to wikileaks):
“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”
The website has now been entirely disabled and just times out if you try to visit the site.
The Washington Post blog has reported the following:
Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, declined to discuss details of the hacker’s claims, and referred inquiries to the FBI.
“There is a criminal investigation under way by federal and state authorities, and we take the information security very serious,” she said.
A spokesman for the FBI declined to confirm or deny that the agency may be investigating.
Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.
“We do have some of systems restored, but we’re being very careful in working with experts and authorities to take essential steps as we proceed forward,” she said. “Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete.”
Seems interesting that 5 days after they discovered the intrusion the website is still not back online. Must have been a pretty serious hack job.
The Washington Post also explained that this is the second such extortion attack using patient health care data.
In October 2008, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.
Stories like this will set back any sort of RHIO or national HIE movement. Sure makes you think about the security of it all. What is interesting is that the patient data doesn’t seem to have much value outside of extortion. Otherwise, I’d think those who breached the system would have used it in some other way.
Tags: Express Scripts • Hackers • HIPAA • HIPAA Breach • Sandra Whitley Ryals • Virginia Department of Health Professionals • Virginia Prescription Monitoring Program
February 2, 2009
IM (Instant Messaging) EMR/EHR Integration
Written by: John
In my first post on IM in a clinical environment I discussed some of the benefits and options available by having an IM program rolled out in a doctor’s office. IM really is a killer application that can facilitate communication. We all know the benefits good communication can bring to a doctor’s office and the pains bad communication can cause.
I love the idea of IM being integrated into an EMR. In fact, so much so that I asked my vendor if they were going to integrate IM into their EMR when they told me that they were looking to integrate the whole Outlook like messaging and calendaring system into the EMR. The response to my IM question was that it wasn’t on their roadmap and that they weren’t sure they’d want an IM popping up while they were in the middle of a patient visit.
I haven’t thought through all the complexities of integrating IM into an EMR in a way that wouldn’t be obtrusive, but would still facilitate the needed communication. However, I’m confident that with a little thought it could be built so that the communication happens without leaving the doctor in an awkward position and while still protecting the privacy of the patient.
Matt Chase, of Medtuity (one of the more forward thinking EMR companies out there), offered some interesting insights into possible benefits of having IM integrated into an EMR. Here’s a quick summary of some of his thoughts on it with some of my own additions.
IM Direct Link to Patient Chart – If I’m sending a message about a patient to the doctor, then it’s very likely that the doctor will want to look at the patient chart. Certainly I could send the number or possibly the name, but if the IM is integrated into the EMR, then I could include a link in the IM which would take me directly to the patient chart. As I’m typing this, why not have the ability to embed a part of the patient’s chart right in the EMR? You could even direct link to a specific part of the chart or document that was uploaded that the doctor might need to see.
Patient’s Image Shown in Discussion – Assuming you’ve captured the patient’s image in your EMR for reference (and many do this), why not show the patient’s image in the IM message when someone mentions the patient? How much would having the picture of the patient help if you received an IM message that said, “John Doe from last week has an abnormal lab.” Most doctors are much better with faces than they are with names. In the name of HIPAA, they probably should be. Why not jog their memory of the patient by including a picture?
Click To Save to Patient’s Chart – Some IM discussions might be worth saving in a patient’s chart. Sure copy and paste works from other IM programs, but why not make it one click to save it to the patient chart. Of course, I suggest making it a one click add, but still let it be editable so that someone can format the IM before saving it completely.
EMR Access = IM Access – No one needs to know where you’re signed into EMR. As long as you’re accessing EMR, then you’ll get your message. This could be in a room, in your office, on your cell phone at the hospital, or in the Bahamas when you were checking your EMR because you missed it so much (hopefully not likely).
EMR Defined Groups – Built intelligently, the EMR could be built to know which staff was on duty. For example, we have a number of lab techs in our clinic. Either a flag in the EMR or just by the lab tech’s activity in EMR it could know who to send a lab message to. Look at it like a virtual IM account that the EMR intelligently knows who is available.
I’m sure there are many more features or benefits that would be only available by having IM integrated with EMR. Are there any others that I missed? Are there people using IM in their practice? Is it integrated with your EMR? I’d love to hear people’s thoughts and experiences with IM in health care.
Tags: EHR • EMR • EMRUpdate • HIPAA • IM • Instant Messaging • Matt Chase • Medtuity • MSN Messenger
February 1, 2009
IM (Instant Messaging) and EMR/EHR
Written by: John
I’ve been participating in a really interesting discussion going on over on EMRUpdate. The discussion revolves around the integration of IM into an EMR or EHR and the role of IM in a clinical environment.
One person suggested the use of a LAN only IM that he’s been using for a while. Looks like a pretty cool software and prevents your users from chatting it up with their best friend across town all day on work time.
My biggest problem with the LAN only IM software is that it’s just one more program that you have to manage. This is why in our clinic we’ve been using MSN Messenger. This comes installed by default on Windows and so it seemed like a logical choice. It also had some good upload features that allowed us to add our long list of users to a new person with little hassle. We have upgraded most of our computers to the latest MSN Messenger, but now it will just manage itself.
The other advantage of the commercial messengers is their advanced chatting and status features. You can add users to an existing discussion or start a discussion with a large group. The status of your messenger automatically updates as you’re away from your computer. I also loved messenger for when I was at home helping my wife who was sick. Just by going to their messenger, everyone in the clinic could see my status that I was at home taking care of my sick wife.
There are a whole host of other features that make the commercial version nice. One simple example is that it tells you when the person you’ve sent an IM to is typing or not. That way you can have at least some idea of whether you’re going to get a reply soon or not.
We only use IM in our individual offices, but I’ve heard of one person that has an IM user called “Room 1” that is signed into Room 1. That way when he’s in the room, he can IM from that room without a problem. Of course, if you’re carrying a laptop around this isn’t a problem. Also, I haven’t tested this yet, but the next version of MSN Messenger seems like it has the ability to be signed into 2 locations. Could be pretty cool.
Of course, I’m sure that everyone’s wondering about HIPAA. In our clinic we’ve decided to just not put information protected by HIPAA in IM. We might say, “Dr. Smith, Pt 12345’s labs are available now.” This makes it so IM doesn’t have to follow the security guidelines required by HIPAA. Some might argue that this isn’t failsafe. I’d respond that of course it’s not, but neither is someone sending an email with the same information. Neither is someone doing any countless number of things electronically. Therefore I treat it similar to how we treat email.
Despite the benefits we’ve seen from using IM in our clinic, it is really interesting to imagine what an IM program integrated with your EMR would look like. What new possibilities would it open up to you? Tomorrow I’ll discuss some of the cool integrations that could be created by a forward looking EMR company that integrates IM into their EMR.
Tags: EHR • EMR • EMRUpdate • HIPAA • IM • Instant Messaging • MSN Messenger
January 15, 2009
Self Service Patient Kiosks
Written by: John
I’ve previously written about using a patient kiosk for inputting information into an EHR. I still think this is a fantastic idea. So much so that I’ve actually implemented it in the clinic I work in for my full time job. This includes “Walmart” like signature pads where patients can sign their HIPAA form, financial agreement and other check in forms. We also require them to fill out their health history form electronically where it’s automatically available to the doctor in the EMR. There are some other major advantages to this method which I’ll save for another post.
Today I came across another interesting use for self service check in kiosks in a doctor’s office. Here’s a description of a different implementation of self service kiosks:
Two years ago, Galantino visited a trade-show booth staffed by Clearwave, a Marietta, Georgia-based company that is one of several check-in kiosk manufacturers. Similar to check-in kiosks found in airports, Clearwave kiosks ask patients to swipe their insurance card or type in the information from it.
The kiosk then recognizes the patient and populates the system with his or her personal and medical information. The kiosk also sends a Health Insurance Portability and Accountability Act 270 inquiry, regarding benefits eligibility and coverage, to the patient’s insurance company.
The insurance company, in turn, sends a HIPAA 271, which tells the practice everything it needs to know about the patient, including co-pay, co-insurance, deductible, and how much of the deductible has been met.
For a quarterly fee, Clearwave provides real-time updates of insurance company information.
The idea behind check-in kiosks is not only to increase the accuracy of patient records, but also to improve patient and staff satisfaction by decreasing tedious administrative tasks. Verifying eligibility status, for example, can be a time-consuming chore for an office administrator. The kiosks, on the other hand, connect directly to more than 1,000 insurance companies and provide an automated response in 10 seconds, according to Clearwave.
I love the integration of automatic insurance checking into the patient check in process. I can see how this would be very useful for most offices.
Reading through some of the other financial details in the article doesn’t make me see the financial benefit of the change (this might just need more analysis of the financial details), but I can agree completely that patients haven’t been averse to using the technology for check in at all. In fact, many prefer it.
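As an added example (not Clearwave’s code and not from the article), here is a minimal reading of the 271 figures the article lists, co-pay, co-insurance, deductible and how much of it has been met, plus the case where the payer rejects the inquiry with an AAA segment instead of returning benefits. Both sample transactions are constructed, and the EB/AAA element positions are my understanding of the X12 271 layout, not something the article states.

```python
"""Pull eligibility figures out of a HIPAA 271 response (added example).

Assumptions: '*' separates elements and '~' terminates segments; EB01 is the
benefit code (1 active, B co-pay, A co-insurance, C deductible), EB06 the time
period (23 calendar year, 29 remaining), EB07 a dollar amount and EB08 a
percentage as a decimal; AAA03 carries the payer's reject reason code.
Both transactions below are constructed and trimmed to the transaction set.
"""

SAMPLE_271 = (  # constructed payer response for one subscriber
    "ST*271*0001*005010X279A1~BHT*0022*11*REF001*20091015*0905~"
    "HL*1**20*1~NM1*PR*2*SAMPLE HEALTH PLAN*****PI*PAYERID~"
    "HL*2*1*21*1~NM1*1P*2*SAMPLE CLINIC*****XX*1234567890~"
    "HL*3*2*22*0~TRN*2*TRACE001*9CLINICID~NM1*IL*1*DOE*JANE****MI*MEMBER001~"
    "EB*1*IND*30**GOLD PLAN~"            # active coverage
    "EB*C*IND*30**GOLD PLAN*23*1500~"    # calendar-year deductible
    "EB*C*IND*30**GOLD PLAN*29*400~"     # deductible remaining
    "EB*B*IND*30***27*25~"               # co-pay per visit
    "EB*A*IND*30*****.2~"                # co-insurance 20%
    "SE*14*0001~"
)

SAMPLE_271_REJECT = (  # constructed: payer cannot find the member ID
    "ST*271*0002*005010X279A1~BHT*0022*11*REF002*20091015*0906~"
    "HL*1**20*1~NM1*PR*2*SAMPLE HEALTH PLAN*****PI*PAYERID~"
    "HL*2*1*21*1~NM1*1P*2*SAMPLE CLINIC*****XX*1234567890~"
    "HL*3*2*22*0~NM1*IL*1*DOE*JANE****MI*BADID~"
    "AAA*N**72*C~"                       # 72 = invalid/missing subscriber ID (assumed)
    "SE*9*0002~"
)


def parse_segments(edi, seg_term="~", elem_sep="*"):
    """Split raw X12 text into segments; each is a list whose index 0 is the ID."""
    return [s.split(elem_sep) for s in edi.strip().split(seg_term) if s.strip()]


def _elem(seg, i):
    """Element i of a segment, or '' when the segment is shorter than that."""
    return seg[i] if i < len(seg) else ""


def summarize_eligibility(edi):
    """Return the figures a front desk needs, or the reject reason if any."""
    info = {"active": False, "copay": None, "coinsurance_pct": None,
            "deductible": None, "deductible_remaining": None,
            "deductible_met": None, "reject_reason": None}
    for seg in parse_segments(edi):
        if seg[0] == "AAA":
            info["reject_reason"] = _elem(seg, 3)  # stop: figures would be meaningless
            return info
        if seg[0] != "EB":
            continue
        code, period = _elem(seg, 1), _elem(seg, 6)
        amount = float(_elem(seg, 7)) if _elem(seg, 7) else None
        pct = float(_elem(seg, 8)) if _elem(seg, 8) else None
        if code == "1":
            info["active"] = True
        elif code == "B" and amount is not None:
            info["copay"] = amount
        elif code == "A" and pct is not None:
            info["coinsurance_pct"] = round(pct * 100, 2)
        elif code == "C" and amount is not None:
            if period == "23":
                info["deductible"] = amount
            elif period == "29":
                info["deductible_remaining"] = amount
    if info["deductible"] is not None and info["deductible_remaining"] is not None:
        info["deductible_met"] = info["deductible"] - info["deductible_remaining"]
    return info


if __name__ == "__main__":
    print(summarize_eligibility(SAMPLE_271))
    print(summarize_eligibility(SAMPLE_271_REJECT))
```

The subscriber NM1 segment in either response carries the member’s name and ID, so a kiosk has to treat the stored 271 as PHI just like the chart it populates.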
Tags: EHR • Electronic Signatures • HIPAA • HIPAA 271 • Self Service Kiosks