
Are Hospitals Ready for HIPAA Omnibus?

I’ve been thinking quite a bit about the new HIPAA Omnibus rules ever since I interviewed Rita Bowen at HIMSS about the new HIPAA rules. While Rita highlights some other changes that came as part of HIPAA Omnibus, I still think that the biggest change is all of the new details around business associates.

There are a lot of changes when it comes to business associates, and the work to make sure everything is in place requires effort from both the healthcare institution and its business associates. Considering the HIPAA Omnibus rule went into effect on March 26th, there’s no time for an organization to delay this work. They’re already behind if they haven’t done this already.

Considering the lack of discussion I’ve seen from hospitals, I have a feeling that many of them haven’t dealt with this issue yet at all. In fact, I wouldn’t be surprised if many of them didn’t even really realize that they had to do anything. Instead, I expect that many just figured it was on the back of the business associate to change. That’s just not the case and the hospital should be consulting their HIPAA lawyer to make sure everything is in place.

I’d love to hear if others are having different experiences. Did you go through the HIPAA Omnibus rule? Did you have to make a lot of changes? Did you change how you work with business associates?

March 30, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

Hospitals, Health Systems Don’t Feel Prepared For Meaningful Use Stage 2

A new survey by KPMG confirms what most of us would have guessed — that hospital and health system leaders aren’t that sure they’re ready to meet Meaningful Use Stage 2 requirements.

The study, which was conducted last month, found that 47 percent of hospital and health system business leaders surveyed were only somewhat confident in their readiness to meet Stage 2 requirements. Just over one-third (36 percent) said they were confident, and four percent weren’t confident at all, KPMG found. Another 11 percent said they didn’t know what their level of readiness was.

Respondents are also worried about meeting privacy and security standards included in both Stage 2 and HIPAA. Forty-seven percent of respondents were only somewhat comfortable with their organization’s ability to meet all parts of HIPAA, including the need for new annual risk assessments and protecting patient-identifiable information. Eight percent of respondents said they weren’t comfortable at all, 13 percent said they weren’t sure and 31 percent said they were comfortable, KPMG reported.

To help close the readiness gap, hospitals and health systems are bringing in outside help. Thirty percent of respondents said their organization had hired new or additional team members to help complete EMR deployment. And 22 percent said they’d hired outside contractors to get the job done.

So why are so many healthcare business leaders insecure about Stage 2?  When asked to name the biggest challenge in complying with Stage 2 requirements, 29 percent cited training and change management issues.

Tied for second were lack of monitoring processes to ensure sustained demonstration of MU, and capturing relevant data as part of the clinical workflow, at 19 percent each. Twelve percent named lack of a dedicated Meaningful Use team, and 6 percent availability of appropriate certified vendor technology. Fourteen percent said “other.”

December 31, 2012 I Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies.

Hospitals Stepping Up Security Risk Analysis, While Practices Lag

As hospitals have implemented EMRs, they’ve created a tempting target for criminal hackers, as the goldmine of patient data they house can be very valuable on the black market.  At the same time, patient access to health data has expanded dramatically, expanding possible points of failure.

Aware of these issues, hospitals are almost all conducting an annual security risk analysis, but fewer medical practices are on the bandwagon, according to new research by HIMSS.

Since 2008, HIMSS has conducted an annual security survey of healthcare providers, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution. That first year, three-quarters of respondents (largely hospitals) said their organization had conducted an annual risk analysis.

For 2012, a total of 303 individuals completed the HIMSS survey, a self-selected Web-based survey. Those responding had to answer qualifying questions which verified that they were involved directly in working with security at their organization.

This year, a full 90 percent of hospitals reported conducting an annual risk analysis, while just 65 percent of physician practices said that they do so. (I’m actually surprised that so many physician groups are doing any kind of audit, but maybe the respondents came from larger practices.)

What’s really interesting, though, isn’t the mere fact that these organizations are taking their medicine and doing their risk surveys.  Some other highlights of the study:

* Twenty-two percent of respondents reported a security breach in the last year: While scary to contemplate, it’s nonetheless true that both hospitals and medical practices had a one-in-five chance of being breached this year. Most breaches affected fewer than 500 patients, but providers can’t count on that being the rule.

* Less than half of the hospitals and doctors had tested their data breach response plan:  Auditing your security arrangements is all well and good, but if you’re not sure your data breach plan will actually help you respond to breaches, it’s not worth the (digital) paper it’s written on.

As the pressure mounts to protect EMR data — across patient portals, mobile devices, laptops, desktops and more — let’s hope that physicians catch up with hospitals when it comes to security.  Otherwise, I think 2013 may be remembered as the year big ‘n ugly physician practice break-ins dominated the news.

December 14, 2012 I Written By

Anne Zieger

Healthcare Cloud Spending Slated For Major Growth

Hospitals may still be ambivalent about using the cloud for clinical data transport, but attitudes are likely to undergo a major change over the next few years, according to research firm MarketsandMarkets. The firm projects that the healthcare cloud market will expand by about 20.5 percent per year over the next five years, hitting $5.4 billion by 2017.

Right now, healthcare cloud spending has hit roughly $1.8 billion, which represents penetration of four percent, MarketsandMarkets found.  That’s just a drop in the bucket, particularly given the big competitors who are aiming their guns at the healthcare cloud market today. (Other estimates put healthcare cloud penetration at 16.5 percent of the marketplace, still a small number though meaningfully larger than MarketsandMarkets’ number.)

As our sister site EMRandHIPAA.com previously noted, Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. Verizon hopes to capture healthcare IT managers who are worried not only about HIPAA-secure clinical data transport, but also HIPAA-appropriate data protection on site, as it’s training hosting workers to be HIPAA-ready.

Another set of deep pocketed healthcare cloud vendors are AT&T and IBM, who are partnering to capture what they deem to be a $14 billion healthcare cloud market.  Under the terms of an agreement announced in early October, IBM will provide data storage facilities and services, while AT&T will provide the network.

What could possibly hold back the advance of such giants?  Well, a number of issues, MarketsandMarkets notes. While vendors large and small may promise to be compliant with healthcare regs, healthcare data is challenging to manage, given that it requires special security, confidentiality, availability to authorized users, traceability of access, reversibility of data and long-term preservation.

My guess is that hospitals will respond to the efforts of vendors to attract cloud business, but that the market for public cloud services in particular won’t shoot upward as MarketsandMarkets predicts, as there are just too many things that worry CIOs. How about you, readers?

October 30, 2012 I Written By

Anne Zieger

Health Management Associates Makes System-Wide Deal With athenahealth

Cloud-based EMR vendor athenahealth has struck a deal with hospital chain Health Management Associates that its vendor competitors would die for.

HMA has signed an agreement with athena under which the chain’s 1200+ employed physicians — cutting across 15 states and 300 locations — will now use the vendor’s practice management, EMR and patient communication services. HMA’s 10,000-odd independent physicians will also have access to the systems.

In the announcement, HMA and athena took pains to emphasize that the selection process was a fair and thorough one:

Health Management selected athenahealth after a twelve-month review and due diligence process that involved more than 350 clinical experts, including more than 200 physicians. The evaluation process included detailed questionnaires, onsite and virtual demonstrations, site visits, and clinical template shootouts.

Perhaps those details were included to convince observers that the deal didn’t include some kind of payola. I don’t think doctors are going to be too impressed by the IT talk. (If it were me I’d care about only one demonstration — how it worked for me on Day One.)

HMA may not be the country’s largest hospital chain, but it’s still a heavyweight, operating 66 hospitals spanning 10,330 licensed beds. Its hospitals span Alabama, Arkansas, Florida, Georgia, Kentucky, Mississippi, Missouri, North Carolina, Oklahoma, Pennsylvania, South Carolina, Tennessee, Texas, Washington, and West Virginia.

Particularly given its scale, this deal intrigues me for a few reasons. It raises what seem to me to be important questions:

* Is HMA expecting its independent physicians to dump whatever EMR they may already have in place and switch it out for athena?  Or adopt its practice management module instead of what they use now?  That seems, uh, a bit unrealistic?

* I don’t know what enterprise EMR system HMA uses (do you, readers?) but whatever it is, I doubt it will plug seamlessly into the athena cloud. How do the IT types at HMA plan to connect the whole schlemiel?

* If the independent physicians don’t want to adopt the athena package, what will HMA do? Club them like baby seals?  Or just accept that a large percentage of its docs aren’t connected?

September 21, 2012 I Written By

Anne Zieger

Is There Such A Thing As Too Much Patient Info Sharing?

Today, when I was skimming my tweetstream, I caught a message that stopped me dead in my tracks:

We spend a lot of time on these pages mulling over the best ways to get information from one provider to another, be it via the Direct Project approach, EMR integration across sites or HIEs. And all of this discussion is predicated on the notion that more sharing is largely a Very Good Thing.

And we have good reason to do so. For all of the bitterly skeptical things we can say about EMRs, in the rare cases where they’re humming like a fine ‘Vette they can improve care and avoid patient harm in a long list of ways.  They can also serve as a repository for data which can be manipulated, studied, and learned from for both commercial and public health purposes.

But I had never taken a moment to stop and think how ease of sharing patient records might come with downsides of its own. I’m not sure which ones Dr. Trainer had in mind, but my guesses would be:

-  HIPAA mistakes become much easier to make and much harder to fix, as data tends to stay where it’s sent.

-  Clicking one button and sending 600 pages of information may be easier for the sending provider, but it may be far more data than needed, which can actually distract from finding the right information.

While security is of course a top priority for the business, making it simple for doctors to send just what’s needed isn’t at the top of the charts for EMR vendors to my knowledge.  Maybe it should be.

July 12, 2012 I Written By

Anne Zieger

Healthcare Cloud “dos and don’ts”

While the cloud has become an increasingly important part of consumer computing — see Apple’s cloud product and Google’s plans to transform Documents into Google Drive — healthcare organizations are rightfully waiting just a bit before moving ahead.

If you’re wrestling with cloud issues, you might find some of the following cloud “dos and don’ts” tips to be of use. These are my favorite of the recommendations Mariano Maluf, CTO of Atlanta-based GNAX, shared with Healthcare IT News:

* Assess your environment and capabilities for short-term and long-term opportunities for cloud use, then prioritize. Which would you implement first?

* Be aware that there are some apps that probably shouldn’t be migrated to a private cloud initially, Maluf suggests. Hybrid models, secure multi-tenant public clouds and enterprise-grade cloud storage may be first-line choices.

* Don’t forget to look into the effects of cloud installations, such as architectural dependencies. Also analyze the impact of refresh cycles and application latency tolerance.

* Do develop an integrated cloud strategy, with a related roadmap, Maluf advises. “Focus on incremental value by emphasizing infrastructure delivery and management simplification,” he told HIN.

* Do benchmark your application performance today. Otherwise, it will be tough to know how the cloud has affected app performance, and then it will be tough to establish SLAs with vendors.

I really like these tips because they dig into application performance, rather than going off on a fishing expedition as to what security breaches could possibly happen. (Security is certainly important, but once you establish a security baseline the discussion must inevitably move on to performance.)

Do you have any other tips on cloud implementation to add?  Do you disagree that we should table security as the primary discussion around the cloud?  Is it too soon to do that yet?

June 28, 2012 I Written By

Anne Zieger

Smartphones Not Secure Enough For HIPAA Or MU

Like it or not, smartphones have become an important part of clinicians’ professional lives, and that includes accessing secure hospital systems.  Unfortunately, few of these devices meet even half of Meaningful Use or HIPAA requirements, according to ONCHIT.

While the BlackBerry and iPhone do a bit better, most mobile phones sold today meet no more than 40 percent of Meaningful Use Stage 2 or HIPAA standards, at least as they’re configured out of the box.  When manually configured, iPhone and BlackBerry smartphones can reach only about 60 percent compliance, according to a piece in MobiHealthNews.

ONC has released these statistics ahead of planned guidance documents designed to help small- and mid-sized provider groups secure mobile devices on the healthcare grid.  ONC plans to publish its guidance as a series of best practices documents next year.

This is positive news. After all, making best practice models available — such as how to handle “BYOD” situations — is quite necessary. That being said, why must providers wait until late this year? I’d argue that providers need best practices for smartphone use immediately, not in several months.

HIT administrators need guidance not only for how to configure the devices adequately, but also how to tailor data delivery to the device’s small brain, how to make the devices uncrackable even if lost and what kind of health data UI works on a smartphone. (Technically, the latter isn’t a security concern, but I think we can all safely assume that if the UI is ugly, physicians will try to “break” it to their use or simply switch to a less secure device.)

Readers, have you had any security concerns arise specifically due to smartphone use? Do you think smartphones are as big of a security threat as tablets and laptops?

June 20, 2012 I Written By

Anne Zieger

CPOE Acceptance Still Slowed Down By Workflow Changes

Computerized Physician Order Entry (CPOE) adoption rates have been very slow over the last few years, but now, driven by Meaningful Use pressure, more providers are adopting such technology.  That being said, a goodly number of providers still haven’t managed to speed adoption, largely due to doctors’ resistance to changes in workflow, according to a new survey.

The survey, in which vendor Imprivata looked at HIT trends, found that 45 percent of respondents were seeing success with CPOE adoption, with more than half their doctors placing orders using CPOE. This represents substantial progress from a few years ago, when I was seeing studies citing total adoption rates below 10 percent.

That being said, 38 percent of respondents said that less than 25 percent of doctors were using CPOE. What’s slowing things down? Sixty-three percent of respondents said that physician resistance to workflow changes was the hangup.

When asked what technologies could speed adoption of CPOE, respondents said single sign-on (74 percent), virtualized desktops (48 percent) and remote/mobile access (46 percent) were all effective ways to engage physicians in CPOE use. I’m not surprised to hear that single sign-on leads the pack; anything that reduces the hassle factor for users has got to be a winner.

By the way, these trends are fairly consistent with the previous year’s research, in which the vendor found that 82 percent of respondents considered single sign-on a key factor in CPOE adoption as well as meeting Meaningful Use goals. It’s worth remembering, when talking about SSO, that Imprivata is a security vendor, so take the prominence of that stat with a grain of salt. Still, I thought it was interesting and probably a valid observation.

By the way, Meditech’s solution ranked well at the top for preferred CPOE systems, with 24 percent using it in their facilities. Cerner and McKesson each had 14 percent of responding firms’ business, Siemens 10 percent and Epic 9 percent.

May 14, 2012 I Written By

Anne Zieger

AHA Slams MU Patient Portal Requirement, Pundits Slam AHA

As readers know, CMS is now reviewing comments on the proposed rules for Stage 2 Meaningful Use. Not surprisingly, one of the reviewers who’s sent in a critique is the American Hospital Association (AHA), which a few days ago sent a 68-page barrage complaining about the burden imposed on hospitals by Stage 1 MU requirements.

Yesterday, the AHA made another MU move, this time slamming CMS’s Stage 2 proposal that hospitals be required to offer patients access to their protected health information via a portal. As I noted in the previous post on AHA, I’m surprised at how late to the game AHA is — trade groups like these aren’t known for their delicacy — and this notion has been in the air since well before CMS made it an official proposal.

Anyway, in its current letter to CMS on portals, the AHA has given them a big thumbs-down. “CMS’s plan is not supported by current technology, raises significant security issues, and goes beyond current technical capacity,” the group argues in its issue brief.

The AHA argues that with systems integration levels still dicey, hospitals are being asked to offer data in a way that may end up violating HIPAA. (Unspoken additional thought: “And then you’re going to blame us, aren’t ya, huh, you meanies!”)

Since AHA issued the statement, talking heads have popped up to bash the AHA’s position, arguing that the hospital group is dragging its feet just as the most important part of the work has begun, i.e. empowering patients to share, use and benefit from their own health information.

Well, yes and no. While I’m known for ridiculing the trade group talking heads in this business, I’d wait just a minute before we declare the AHA to be the bad guys here.

On the one hand, I can see where people are frustrated with hospitals picking this moment to complain about the task at hand. It’s not as though they’re hearing about it for the first time.

On the other hand, creating a really bulletproof portal is no joke, either, and there’s definitely some truth in the notion that making it everything it should be is very tough.  Hey, there’s no point in denying it; creating a patient portal may remain a part of MU Stage 2 requirements, but it’s not going to be a walk in the garden for hospitals.  Let’s not come down on them too hard if they flinch.

May 7, 2012 I Written By

Anne Zieger