
The Important Role of HIM in Healthcare Cybersecurity – HIM Scene

Posted on June 21, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts.

Healthcare organizations that rely on their CSO (Chief Security Officer) to handle cybersecurity in their organizations always annoy me. Cybersecurity requires everyone at the organization to be involved in the effort. One person can have a large influence, but your healthcare organization will never be secure if you don’t have everyone working their best to ensure your organization is secure.

HIM (Health Information Management) professionals are a great example of people who are often forgotten in healthcare cybersecurity efforts. Organizations that forget them do so at their own peril. If you’re not involving your HIM professionals in your cybersecurity efforts, I exhort you to do so today.

One of the best reasons to involve HIM professionals in your security efforts is that they’re often experts on the patchwork of healthcare privacy and security laws. It’s not enough to just ensure you’re being HIPAA compliant. That’s essential, but not sufficient.

Healthcare privacy and security are so important that there are multiple layers of laws trying to protect your health information. Or maybe the laws just aren’t well planned and that’s why we have so many. I’ll let you decide. Either way, in your privacy and security efforts you’re going to need to know HIPAA, HITECH, MACRA, and of course don’t forget the state-specific privacy and security laws. No doubt there are more, and your HIM professionals are likely some of the people in your organization who know these laws best.

Beyond the fact that HIM professionals know the privacy and security laws, they are usually well versed in ensuring the right access to the right information in your system. One of the biggest forms of breach is the internal breach by people who were given the wrong permissions on your IT systems.

Making sure someone is auditing and monitoring these permissions is a very important part of your cybersecurity efforts. Plus, don’t forget to have a solid process for removing users when they leave your organization. Those zombie user accounts are a ticking time bomb in your security efforts. When departing employees verify with HIM that their records are in order, that might be a good time to remove their access.

Another place HIM professionals can help with healthcare cybersecurity efforts is around information governance. More specifically, HIM can help you properly manage your health data and legacy systems. HIM can ensure that your legacy systems are properly managed until their end of life. No doubt this will be done in tandem with your IT professionals who have to keep these legacy systems secure (not always an easy task). However, an HIM professional can assist with your information governance efforts that impact cybersecurity.

In what other ways can HIM be involved in healthcare cybersecurity?

Cybersecurity is always going to be a team effort. That’s why it’s shocking to me when healthcare organizations don’t involve every part of their team. HIM professionals should step up and make the case for why they should be involved in healthcare’s cybersecurity efforts. However, when they don’t, a great leader will make sure HIM is involved just the same.


Healthcare Security is Scaring Hospital CIOs

Posted on November 16, 2016 | Written By

John Lynn

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

Coming out of the CHIME CIO Forum, I had a chance to mix and mingle with hundreds of hospital CIOs. There was one major theme at the conference: security. If you asked these hospital CIOs what was keeping them up at night, I’m sure that almost every one of them would say security. They see it as a major challenge and the job is never done.

I had more than one CIO tell me that breaches of their healthcare system are going to happen. That’s why it’s extremely important to have a two-pronged security strategy in healthcare that includes both creating security barriers and a mitigation and response strategy.

One of the most challenging pieces of security identified by these healthcare CIOs was the proliferation of endpoints. That includes the proliferation of devices, including mobile devices, and the increase in the number of users using these technologies. There was far less concern about the mobile devices themselves, since deeply embedded software and hardware security features built into mobile devices, like Samsung’s Knox, have made mobile device security a lot easier to implement. The same can’t be said for the number of people using these devices. One hospital CIO described it as 21,000 points of vulnerability when he talked about the 21,000 people who worked at his organization. Sadly, there’s no one software solution to prevent human error.

This is why we see so much investment in security awareness programs and breach detection. Your own staff are often your biggest vulnerability. Training them is a good start and can prevent some disasters, but the malware has gotten so sophisticated that it’s really impossible to completely stop. That’s why you need great software that can detect when a breach has occurred so you can deal with it quickly.

On the one hand, it’s one of the most exciting times to be in healthcare IT. We have so much more data available to us that we can use to improve care. However, with all that data and technology comes an increased need to make sure that data and technology are kept secure. The good news is that many hospital boards have woken up to this fact and are finally funding security efforts as a priority for their organization. Is your organization prepared?


E-Patient Update: Hospitals Should Share Ransomware Updates

Posted on October 14, 2016 | Written By

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A few weeks ago, a California hospital quietly fended off a ransomware attack without paying a ransom to the attackers. According to Health Leaders Media, Keck Medical Center of USC was hit with a ransomware assault on servers at two hospitals, but managed to fix the problem and retrieve its data.

Employees at Keck Hospital of USC and Norris Comprehensive Cancer Care found ransomware on two servers on August 1, said Keck Hospitals CEO Rod Hanners in a statement on the matter. The attack encrypted files on the servers, which made their data unavailable to hospital employees. However, Hanners reported, the hospitals had no evidence of a breach of patient information.

Still, given that some sensitive information was contained in folders encrypted by the malware, USC notified patients about the breach, Health Leaders reports. Data that could (at least theoretically) have been accessed by the attackers included names and dates of birth, health information such as treatment and diagnosis information and some Social Security numbers.

If what I’ve read is accurate, the crew at Keck did a great job. They got things under control very quickly, and chose to do the right thing in notifying patients about the breach. (And in all truth, the attack might not have been much of a big deal — perhaps one launched by a script kiddie using Ransomware as a Service tools — which could explain why the hospitals seem to be relatively unruffled.) Still, my feeling is that they could have communicated more.

A patient’s perspective

As I ponder the events above, I do wonder whether the professionals managing this particular ransomware attack understand what it’s like to be on the receiving end of a ransomware episode. So here are a few things to consider from a patient’s perspective:

  • Ransomware is scary: While I’m a healthcare technology writer and somewhat familiar with ransomware attacks, they are still new to most of the public. They may turn out to be just another infection vector for your network, but they come across as a dark force to consumers. Be prepared to educate and calm us.
  • People don’t know what to expect: I was due to have a cardiac procedure done by a doctor affiliated with Washington, D.C.-based MedStar Health a couple of weeks after it suffered a ransomware attack. While the news media made it clear that the hospital chain was paralyzed for a time, nobody bothered to tell me what the impact of this paralysis would be. It would have been better if MedStar facilities and doctors reached out to patients in immediate and near-term need of care to clarify.
  • We need progress reports: Clearly, the Keck attack didn’t amount to much, but other ransomware attacks, such as the MedStar incident, can’t be resolved overnight. As patients, we need to know roughly how long our providers may be at less than full capacity. Keep us updated or you’ll lose our trust.

With any luck, healthcare organizations will continue to improve their ability to fight back against ransomware attacks, and in time, be prepared to treat them as little more than road bumps in their security efforts. But until then, it makes sense to pull out all the stops and keep patients extra well-informed.

HHS OIG Says Unplanned Hospital EMR Outages Are Fairly Common

Posted on August 24, 2016 | Written By

Anne Zieger

More than half of U.S. hospitals responding to a new survey reported having unplanned EMR outages, according to a new report issued by the HHS Office of the Inspector General, due to a variety of common but difficult-to-predict technical problems. Some of these outages have merely been inconveniences, but some resulted in patient care problems, the OIG report said.

The agency said that it conducted this study as a follow-up to its prior research, which found that both natural disasters and cyberattacks were having a major impact on EMR availability. For example, it noted, hospitals faced substantial health IT availability challenges in the wake of Superstorm Sandy, including damage to HIT systems and problems with access to patient records.

According to the survey, 59% of the hospitals reported having unplanned EMR outages. One-quarter said that the outages created delays in patient care and 15% said that the outage led to rerouted patient care. Only 1 percent of outages were caused by hacking or breaches.

The most common causes, in order, were topped by hardware malfunctions, followed by Internet connectivity problems, power failures and natural disasters. (For more detail on the root causes of outages, see this great post by my colleague John Lynn.)

It’s worth noting that these hospitals were selected for having their act together to some degree. To conduct the study, researchers spoke with 400 hospitals which were getting Meaningful Use incentive payments for using a certified EMR system in place as of September 2014.

Nearly all of these hospitals reported having a HIPAA-required EMR contingency plan in place. Also, two thirds of the hospitals addressed the four HIPAA requirements reviewed by OIG researchers. Eighty-three percent of surveyed hospitals reported having a data backup plan, 95% had an emergency mode operations plan, 95% said they had a disaster recovery plan and 73% said they had testing and revision procedures in place.

Not only that, most of the hospitals contacted by the study were implementing many ONC and NIST-recommended practices for creating EMR contingency plans. Nearly all had implemented practices such as using paper records for backup and putting alternative power sources like generators in place.

Also, most hospitals said that they reviewed their EMR contingency plans regularly to stay current with system or organizational changes, and 88% said they’d reviewed such plans within the previous two years. Most responding hospitals said they regularly trained their staff on EMR outage contingency plans, though just 45% reported training staff through recommended drills on how to address EMR system downtime. And 40% of hospitals that activated contingency plans in the wake of an outage reported that they saw no disruption to patient care or adverse events.

Still, the OIG’s take on this data is that it’s time to better monitor hospitals’ ability to address EMR outages. Now more than ever, the agency would like to see the HHS Office for Civil Rights fully implement a permanent HIPAA compliance program, particularly given the mounting level of cyberattacks endured by the industry. The OIG admitted that HIPAA standards aren’t crafted specifically to address these types of outages, so it’s not clear such monitoring can solve the problem, but the agency would prefer to forge ahead with existing standards given the risks that are emerging.

Managing Health Information to Ensure Patient Safety

Posted on August 17, 2016 | Written By

Erin Head is the Director of Health Information Management (HIM) and Quality for an acute care hospital in Titusville, FL. She is a renowned speaker on a variety of healthcare and social media topics and currently serves as CCHIIM Commissioner for AHIMA. She is heavily involved in many HIM and HIT initiatives such as information governance, health data analytics, and ICD-10 advocacy. She is active on social media on Twitter @ErinHead_HIM and LinkedIn.

This post is part of the HIM Series of blog posts.

Electronic Medical Records (EMRs) have been a great addition to healthcare organizations and I know many would agree that some tasks have been significantly improved from paper to electronic. Others may still be cautious with EMRs due to the potential patient safety concerns that EMRs bring to light.

The Joint Commission expects healthcare organizations to engage in the latest health information technologies but we must do so safely and appropriately. In 2008, The Joint Commission released Sentinel Event Alert Issue 42 which advised organizations to be mindful of the patient safety risks that can result from “converging technologies”.

The electronic technologies we use to gather patient data could pose potential threats and adverse events. Some of these threats include the use of computerized physician order entry (CPOE), information security, incorrect documentation, and clinical decision support (CDS).  Sentinel Event Alert Issue 54 in 2015 again addressed the safety risks of EMRs and the expectation that healthcare organizations will safely implement health information technology.

Having incorrect data in the EMR poses serious patient safety risks that are preventable which is why The Joint Commission has put this emphasis on safely using the technology. We will not be able to blame patient safety errors on the EMR when questioned by surveyors, especially when they could have been prevented.

Ensuring medical record integrity has always been the objective of HIM departments. HIM professionals’ role in preventing errors and adverse events has been apparent from the start of EMR implementations. HIM professionals should monitor and develop methods to prevent issues in the following areas, to name a few:

Copy and paste

Ensure policies are in place to address copy and paste. Records can contain repeated documentation from day to day which could have been documented in error or is no longer current. Preventing and governing the use of copy and paste will prevent many adverse issues with conflicting or erroneous documentation.

Dictation/Transcription errors

Dictation software tools are becoming more intelligent and many organizations are utilizing front end speech recognition to complete EMR documentation. With traditional transcription, we have seen anomalies remaining in the record due to poor dictation quality and uncorrected errors. With front end speech recognition, providers are expected to review and correct their own dictations which presents similar issues if incorrect documentation is left in the record.

Information Security

The data that is captured in the EMR must be kept secure and available when needed. We must ensure the data remains functional and accessible to the correct users and not accessible by those without the need to know. Cybersecurity breaches are a serious threat to electronic data including those within the EMR and surrounding applications.

Downtime

Organizations must be ready to function if there is a planned or unexpected downtime of systems. Proper planning includes maintaining a master list of forms and order-sets that will be called upon in the case of a downtime to ensure documentation is captured appropriately. Historical information should be maintained in a format that will allow access during a downtime making sure users are able to provide uninterrupted care for patients.

Ongoing EMR maintenance

As we continue to enhance and optimize EMRs, we must take into consideration all of the potential downstream effects of each change and how these changes will affect the integrity of the record. HIM professionals need prior notification of upcoming changes and adequate time to test the new functionality. No changes should be made to an EMR without all of the key stakeholders reviewing and approving the changes’ downstream implications. The Joint Commission claims, “as health IT adoption becomes more widespread, the potential for health IT-related patient harm may increase.”


The Cost of Encouraging Patient Engagement

Posted on June 15, 2016 | Written By

Erin Head

We all know that healthcare providers want to encourage patient engagement to ensure patients have the information they need to manage conditions and share information with other providers. There has been a longstanding push for the adoption and maintenance of personal health records for many years to give patients the power to share and disseminate information wherever it is needed. We have seen a remarkable new interest in this with Meaningful Use and population health initiatives. Since HIM professionals are charged with maintaining and producing legal copies of records, we are aware that the tasks surrounding these processes can be very expensive. This is especially true if any of the tasks are not handled properly and breaches of protected information occur.

My concern is that lately I have heard many discussions that are pushing for more access yet with fewer costs to patients to encourage patient engagement. Some are even pushing for patients to have “free” access to records, paper or electronic. Don’t get me wrong, I am a huge proponent of patients having copies of their records and I personally keep copies of my own records. The Office for Civil Rights (OCR) recently published further guidance on charging for records. In a nutshell, the OCR says: “copying fees should be reasonable. They may include the cost of labor for creating and delivering electronic or paper copies; the cost of supplies, including paper and portable media such as CDs or USB drives; and the cost of postage when copies of records are mailed to patients at their request.” The OCR actually has the authority to audit the costs of producing records if they feel your organization is violating this patient right and overcharging for release of information.

Living in a state such as Florida where the state law has allowed facilities to charge up to $1 per page means most facilities have charged $1 per page without blinking an eye. The latest OCR guidance has led to questioning if that amount is actually “reasonable” or true to cost. After all, HIM professionals must use expensive systems, supplies, and labor to produce these records. Many organizations have outsourced release of information functions (another cost) but it is still the responsibility of the custodian of records to oversee the processes for compliance.

That being said, it is beneficial for HIM departments to evaluate the expenses and methods used to produce records as technologies and laws change. Dr. Karen DeSalvo of the Office of the National Coordinator (ONC) strives to lead the EMR interoperability movement. At the top of the ONC’s list of commitments is consumer access to records. HIM professionals should continue to assist in the quest for interoperability and electronic data sharing at the notion of patient engagement. We must lead patients to use EMR patient portals and facilitate the efficient electronic data sharing among healthcare providers. We must be creative in lowering overhead costs to produce and maintain the records in order to ensure costs are affordable for healthcare consumers. There will always be costs associated with this important task, whether on the provider’s end or the patient’s end, just as costs are incurred with most services or products in every industry.


Making the Case for a Unique Patient Identifier – #MyHealthID

Posted on April 13, 2016 | Written By

Erin Head

Healthcare is a high priority for the US Government and as HIM professionals, we know the importance of keeping our fingers on the pulse of issues facing our nation. We must stay current with proposed regulatory changes and those that address the needs of the US healthcare system as they relate to HIM, privacy and security, and Health IT. One issue our nation has struggled with is secure universal identification for citizens. Social security numbers were not originally meant to be secure identifiers yet they have controversially been used as unique identifiers by Centers for Medicare and Medicaid Services (CMS) for many years.

In our line of work, we see all of the potential negative implications and the important role that patient identification plays in patient safety, HIPAA compliance, and health record accuracy. When patients are not appropriately identified throughout the continuum of care, many issues arise that can lead to misdiagnosing, incomplete information, unnecessary testing, and fraud to name a few. Duplicates and overlays are far too common due to issues matching patient names and dates of birth versus using a universal secure identifier. Sharing information through health information exchange is nearly impossible when patients are registered in multiple systems with different spellings or misidentification.

The HITECH Act of 2009 laid the groundwork for the Department of Health and Human Services (HHS) to standardize unique health identifiers, among other tasks, but we have yet to see any real progress on this subject due to federal budget barriers. In response, AHIMA, which sees this as a critical need, has started a petition to the White House to:

“Remove the federal budget ban that prohibits the U.S. Department of Health and Human Services (HHS) from participating in efforts to find a patient identification solution. We support a voluntary patient safety identifier. Accurate patient identification is critical in providing safe care, but the sharing of electronic health information is being compromised because of patient identification issues. Let’s start the conversation and find a solution.”

The campaign is called MyHealthID and looks to have 100,000 signatures on the petition to garner the attention of the US Government. HIM professionals recently took to Washington, DC to visit with Congressmen and Senators from each state to advocate for MyHealthID. The message that “there’s only one you,” hopes to resonate with politicians and make the case that a unique patient identifier is necessary and important to healthcare.

I encourage all healthcare professionals to sign this petition and assist the advocacy efforts toward a unique patient identifier. MyHealthID will not only help with HIM and Health IT initiatives; it will be in the best interest of healthcare consumers nationwide.


Medical Record Duplicates and Overlays Impact the HIM Workflow

Posted on February 10, 2016 | Written By

Erin Head

HIM professionals are responsible for many different tasks throughout the day and the highest priority is typically on ensuring the accuracy and integrity of the medical record. There are many obstacles that can threaten the integrity of medical records including accidentally creating duplicate medical record numbers or overlaying patient information in the Master Patient Index (MPI). These issues can be costly not only in productive man hours but in potential patient care delays and HIPAA violations. Monitoring these duplicates and overlays is something that must be done daily to keep records accurate and HIPAA compliant.

I was recently interviewed by John Trader for a podcast on this subject. We discussed the downstream effects of patient duplicates and overlays and how this impacts the HIM professionals’ daily workflow.

Check out this 1 minute clip from the podcast to get a taste of our discussion:

If you want to hear more, you can download the full podcast. Thanks John Trader for having me on your podcast.


Keeping Telehealth in Compliance

Posted on December 9, 2015 | Written By

Erin Head

Telehealth, or telemedicine, promises to create better opportunities for increased access to healthcare. It makes perfect sense to meet patients where they are instead of requiring them to travel sometimes long distances for adequate care. We know that some diagnoses and treatments will definitely require an office or hospital visit but staying healthy, keeping compliant with medications, and maintaining chronic diseases could easily be addressed with telehealth.

Technology and EHR advances are already making many healthcare tasks easier and more convenient such as remote coding and web-based training. Smart phones and secure texting are being used by interdisciplinary teams to conveniently reach members of the team for coordination of care. Telehealth fits right into the mix using technology to bridge the geographic distance and gaps in patients’ access to care.

As with all healthcare operations, we must remember the sensitive nature of the subject matter at hand. Many try to cite HIPAA compliance as a potential barrier to adopting new technology. In contrast, HIPAA laws are being updated in line with the technology changes and we are able to securely exchange information by following the rules and taking appropriate measures to safeguard protected health information.

In order to successfully use telehealth, providers must work with health information technology professionals to ensure the technical and physical safeguards are in place for transmitting information to and from patients. Information must be kept secure and private which will continue to challenge health IT and HIM professionals. Patients must feel comfortable trusting that their personal information will be protected in the telehealth format just as it is in other media formats.

Other key concerns with telehealth are payment and insurance coverage. While telehealth will reduce the costs of healthcare, there is still a need for reimbursement to cover the provider’s time and expertise provided through a telehealth “visit” and the technology needed. There are many new conversations going to Congress in the near future to address the need for funding for telehealth particularly in rural areas. One of these is a bill referred to as the Telehealth Innovation and Improvement Act introduced recently. Until the benefits, cost savings, and effectiveness of telehealth can be understood by the Federal Government, we will continue to see the slow adoption rate. Once these issues are addressed and Government funding becomes available, there will be explicit guidelines and criteria for providers to meet in order to be in compliance with the payment structures.

We continue to strive for the best possible methods of meeting the needs of healthcare consumers in today’s technology-driven society. We must marry the best of both worlds to provide convenient and cost-effective access to healthcare with secure and confidential methods of transferring protected health information. All of this will come with a price tag and will require the successful collaboration of health IT, HIM, and compliance professionals.

If you’d like to receive future HIM posts by Erin in your inbox, you can subscribe to future HIM Scene posts here.

Privacy and Nudity

Posted on October 2, 2015 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

MedX Privacy Panel - photo by Amy Berman

Last week I had the opportunity to attend the Stanford Medicine X conference – commonly referred to as #MedX. This was my first time attending #MedX in-person. In the prior two years I watched the conference via live-stream.

If you’ve never been to #MedX I would highly encourage you to go. It is one of the only conferences where physicians, administrators, policy makers, med students, healthIT people and patients rub shoulders. The break-time conversations alone are worth the price of admission.

There were many interesting sessions at #MedX and many speakers had tweetable quotes, but there was one statement that was by far the most memorable. On Day 2, there was a panel discussion on the nature of privacy in healthcare (whether it prevented harm or innovation). The all-star panel included: Colleen Young, Pam Ressler, Jodi Sperber, Wendy Sue Swanson MD and Susannah Fox. During the closing remarks, Wendy Sue Swanson made THE BEST statement:

“People’s attitudes towards privacy in healthcare is like our attitudes towards nudity. Some people are completely comfortable exposing everything. They aren’t concerned with letting it all hang out. Some are comfortable with a bikini, which still shows a lot, but not everything. Some prefer to be completely covered up.”

Comedic gold.

Wendy’s comment is spot on. Privacy and nudity have a lot in common. Both are topics that are rarely discussed openly (in some circles the topic is completely taboo) and in both cases being exposed unexpectedly is something no one wants. The attitude towards nudity is deeply personal and no amount of words or persuasive argument is likely to change it. Just imagine a nudist trying to convince an ultra-conservative to shed their clothes.

However, personal experience CAN change how we feel about nudity…I mean privacy. Consider this example. Say I became ill and was unable to obtain a diagnosis. In this situation I would openly share my symptoms and health data with a wide audience – family, friends, other health professionals and even my social network. At this point privacy would not be a primary concern for me. However, once I begin treatment, privacy would suddenly become more important. I wouldn’t want the world to know everything and I would want my data protected but shared with those that were involved with my recovery. After successful treatment, my attitude would likely change again. I would want a high degree of privacy so that my health issue was not easily accessible to insurance companies or my employer (though admittedly it’s probably easy for them to find out).

Kudos to this panel for a thought-provoking look at privacy and thanks to Wendy Sue Swanson for making an analogy that I’ll not soon forget.