Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Meaningful Use is Easy

Posted on July 15, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

My readers make some of the best comments. They’re definitely engaged in what’s happening in the EHR world and provide me amazing inspiration for future posts. In this case, John Brewer commented on my post about meaningful use forcing doctors into ACOs. Here’s a portion of his comment:

MU is actually easy…depending on your EHR. Much of MU is dependent on whether you EHR is able to pull the relevant data – Oh sure, you need to change your ways to ensure you get the required “counters”, and THIS is really where many docs get frustrated.

Add to the frustration that it generally takes clicking in 3 to 7 different places within an EHR to get ONE counter, and you can see why the frustration grows.

I really find it interesting that John Brewer says that meaningful use is easy, and then illustrates what makes it not easy. I think the point he’s making is that there’s nothing that’s a real challenge to accomplish in meaningful use. You can do any of the tasks really easily. However, just because something is easy doesn’t mean that it’s not time consuming. Meaningful use really is quite easy, but it can also be a real time suck.

When I think about the meaningful use time suck, I wonder if we’re creating a generation of doctors who hate their EHR because of the meaningful use time suck. I’ve written previously about the EHR physician revolt. If I dig a little deeper into this revolt, I see a revolt against the EHR time suck and not the technology itself.

Doctors don’t want to become data entry clerks. Unfortunately, the meaningful use requirements often have this affect on doctors. I fear that this will create a cohort of doctors who hate their EHR. Most doctors won’t be able to separate the technology from the regulations. For them it will always be the software’s fault.

Are we creating a generation of doctors who hate EHR?

Meaningful Use and HIPAA – The Risk Analysis

Posted on April 6, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis.  This may also be referred to by some as the Risk Assessment also.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions.  It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.

 

Meaningful Use and HIPAA – The Sanction Policy

Posted on March 16, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies.  Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate.  The computer policies are different than human resource company policies…actually, they are different, but enhance the HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff has signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?).  Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement.  As I expected, the feds are using Meaningful use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).

 

Guest Post: Meaningful Use and HIPAA

Posted on March 9, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.

Do they go together like peanut butter and jelly?  Cookies and milk?

Nothing quite as good as these…but they do go together…now.

HIPAA has been around for some time.  Many argue that HIPAA has no “teeth”.  Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?

In steps Meaningful Use.

Buried in the details of the Stage 1 Core Objectives is a single block that refers to the seemingly innocuous statement of “Conduct a risk analysis per 45CFR164.308(a)(1)”.

A risk analysis seem simple enough…right?

Dig a little deeper and you’ll see something a bit more unpleasant.  164.308(a)(1) requires the following:

  • Risk analysis – clear enough…
  • Risk management – with reference to 164.306(a) – Uh oh…
  • Sanction policy
  • Information System Activity Review

Whew…now it is starting to get ugly.  Where shall we start?

As usual, I like to go from easiest to most difficult.

The easiest thing to tackle here is the Information System Activity Review.

This is a mouth full, but your shiny new Meaningful Use certified EHR will have a report for this, which will cover most of this requirement.

In order for this report to show information that is useful, you need to ensure you have setup the users in your EHR in the correct way.

By this I mean:

  • Each user must have their own login,
  • Each user must only have access to the areas of the EHR that are appropriate for their position,
    • By this I mean, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.

Next time we’ll attack the Sanction Policy.

John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.