Healthcare Analytics is a Big Privacy Issue

Posted on March 18, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Coming out of HIMSS, everyone said that healthcare analytics was a major discussion. I talked to someone from Allscripts today and they quoted me that something like 42% of their business is coming from population health (analytics, patient portal, and HIE) functionality. Today someone else told me that the future of healthcare IT is going to really be around analytics and how we use the data. When you think about future revenue streams, the data is likely going to be the center of most business models.

Analytics is going to play a major role in the future of health IT, and I believe it will lead to really important improvements in the care patients receive. My guess is that one day we’ll look back on the EHR of today and wonder how we saw patients with such limited data and intelligence built into the EHR.

However, Sheri Stoltenberg from Stoltenberg Consulting made a great comment to me at HIMSS which is the title of this blog post: Healthcare Analytics is a Big Privacy Issue.

While we love to talk about the benefits of big healthcare data and the value of healthcare analytics, it also comes with a lot of big privacy issues that I think we’re going to need to address. Many will argue that we already have HIPAA and that should be enough. Certainly it will provide the framework for privacy and security of healthcare data and analytics. However, that framework is likely going to need to evolve as healthcare analytics evolves. I’m not sure we even know the issues that healthcare analytics will pose to privacy in 5 years. Unfortunately, I don’t see HIPAA being able to keep up with it.

If the healthcare IT industry were smart, it would start working together to build appropriate privacy and security into healthcare analytics. If it doesn’t, be ready for the government to step in and impose it on them. We know how that usually works out.

Hopefully this blog post will be inspiration for every organization to consider the privacy and security issues associated with their healthcare analytics.

How Easily Are Hospitals Hacked?

Posted on July 31, 2013 | Written By John Lynn

This is an interesting tweet. I find it interesting that a hospital is working with local hackers. I guess it’s even more interesting that an EMR vendor has enough clout to be able to get a local hospital to not install software. Although, knowing the industry like I do, it’s not that surprising. Should a hospital listen to some local hackers or someone they’ve invested hundreds of millions and sometimes billions of dollars in? (yes, an EHR purchase is an investment)

Of course, this tweet reminded me of a great story my best friend in college told me about when he hacked into the major hospital system where he went to high school. Turns out he used a mix of physical and technical hacks to breach the hospital system.

The key to him breaching the hospital system was that he got access to a computer on the hospital network and left a back door so he could access that computer remotely. All he did was put on a jacket, walk into an office on the network, and say he was working for their IT department and was there to run some updates on the computer. They happily let him run the “update” on their computer. Instead, he created a back door that gave him access to the hospital network from anywhere.

I’m sure that many reading this will think twice when someone comes in saying they need to update their computer now. It’s not like most people in the hospital know all the tech support people in their hospital.

Of course, this is a simple little hack. Certainly there are plenty of other ways that someone can hack into healthcare systems. The interesting thing is that most people don’t care about healthcare information. They want financial information. So, someone who does hack a healthcare system is unlikely to do much with the healthcare info. Yes, I’ve read the people who say a patient record is worth $50. I’m still waiting to see someone try to sell one at that price.

I should also mention that I think the tweet isn’t actually talking about this type of hacker. I think the tweet is talking about the Fred Trotter version of “hacker,” which just means someone who puts together a great solution to a problem (i.e., a hack). We need more great solutions in healthcare, so I hope that EMR vendors stop impeding local application hackers who want to work with hospitals.

Are Hospitals Ready for HIPAA Omnibus?

Posted on March 30, 2013 | Written By John Lynn

I’ve been thinking quite a bit about the new HIPAA Omnibus rules ever since I interviewed Rita Bowen at HIMSS about the new HIPAA rules. While Rita highlights some other changes that came as part of HIPAA Omnibus, I still think that the biggest change is all of the new details around business associates.

There are a lot of changes when it comes to business associates, and the work to make sure everything is in place with business associates requires effort from both the healthcare institution and the business associates. Considering the HIPAA Omnibus rule went into effect on March 26th, there’s no time for an organization to delay this work. They’re already behind if they haven’t done this already.

Considering the lack of discussion I’ve seen from hospitals, I have a feeling that many of them haven’t dealt with this issue yet at all. In fact, I wouldn’t be surprised if many of them didn’t even really realize that they had to do anything. Instead, I expect that many just figured it was on the back of the business associate to change. That’s just not the case and the hospital should be consulting their HIPAA lawyer to make sure everything is in place.

I’d love to hear if others are having different experiences. Did you go through the HIPAA Omnibus rule? Did you have to make a lot of changes? Did you change how you work with business associates?

Hospitals, Health Systems Don’t Feel Prepared For Meaningful Use Stage 2

Posted on December 31, 2012 | Written By

Anne Zieger is veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A new survey by KPMG confirms what most of us would have guessed — that hospital and health system leaders aren’t that sure they’re ready to meet Meaningful Use Stage 2 requirements.

The study, which was conducted last month, found that 47 percent of hospital and health system business leaders surveyed were only somewhat confident in their readiness to meet Stage 2 requirements. Just over one-third (36 percent) said they were confident, and four percent weren’t confident at all, KPMG found. Another 11 percent said they didn’t know what their level of readiness was.

Respondents are also worried about meeting privacy and security standards included in both Stage 2 and HIPAA. Forty-seven percent of respondents were only somewhat comfortable with their organization’s ability to meet all parts of HIPAA, including the need for new annual risk assessments and protecting patient-identifiable information. Eight percent of respondents said they weren’t comfortable at all, 13 percent said they weren’t sure and 31 percent said they were comfortable, KPMG reported.

To help close the readiness gap, hospitals and health systems are bringing in outside help. Thirty percent of respondents said their organization had hired new or additional team members to help complete EMR deployment. And 22 percent said they’d hired outside contractors to get the job done.

So why are so many healthcare business leaders insecure about Stage 2? When asked to name the biggest challenge in complying with Stage 2 requirements, 29 percent cited training and change management issues.

Tied for second were lack of monitoring processes to ensure sustained demonstration of MU, and capturing relevant data as part of the clinical workflow, at 19 percent each. Twelve percent named lack of a dedicated Meaningful Use team, and 6 percent availability of appropriate certified vendor technology. Fourteen percent said “other.”

Adolescent Data Needs Stronger EMR Protections, Group Says

Posted on November 13, 2012 | Written By Anne Zieger

The American Academy of Pediatrics is calling for changes to EMRs to protect the privacy of adolescent patients, who, it says, don’t currently get the same level of protection as adults.

According to the AAP, there are several reasons adolescents don’t enjoy the same privacy protections as adults.

For one thing, there are the legal issues. HIPAA doesn’t provide specific guidance on adolescent privacy, and the medical industry hasn’t put clear standards in place outlining when adults can access an adolescent’s health records either.

What’s more, states vary in how they handle this issue, according to the AAP report. State laws typically allow minors to consent for their healthcare on the basis of their status — for example, if they’re a pregnant or parenting teen — and on the basis of the services they seek — such as STI diagnosis and treatment or contraception. However, while state and federal laws provide protection of privacy when minors consent for their own care, privacy protections differ widely.

To make sure adolescent privacy is protected across all data platforms, the AAP is recommending a set of principles that it feels should ideally govern not only EMRs, but also PHRs and HIEs. These include:

* Creation of a set of criteria for EMRs that meet adolescent privacy standards

* Creating and implementing technology for EMRs which would allow determination of who has access to, or ability to control access to, any part of the adolescent medical record.

* Making it possible for adolescents to record consents and authorizations according to privacy laws using the HL-7 Child Health Profile DC.1.3.3 standard

* Flexibility within standards to allow for protection of privacy for diagnoses, associated lab tests, problem lists and any other documentation containing confidential data.

* EMR systems must be able to apply state and federal confidentiality rules when assembling aggregate data to prevent identification of individuals.

The AAP has a lot more to say, but in summary, it seems to be putting the burden for protecting adolescent privacy largely on EMR vendors, though I believe it’s hoping members will advocate for these changes as well.

Either way, it doesn’t work well if there’s a protected class (certain adolescents) whose rights simply can’t be protected adequately with today’s technology. Time to get on this issue, I’d say.

Healthcare Cloud Spending Slated For Major Growth

Posted on October 30, 2012 | Written By Anne Zieger

Hospitals may still be ambivalent about using the cloud for clinical data transport, but attitudes are likely to undergo a major change over the next few years, according to research firm MarketsandMarkets. The firm projects that the healthcare cloud market will expand by about 20.5 percent per year over the next five years, hitting $5.4 billion by 2017.

Right now, healthcare cloud spending has hit roughly $1.8 billion, which represents penetration of four percent, MarketsandMarkets found. That’s just a drop in the bucket, particularly given the big competitors who are aiming their guns at the healthcare cloud market today. (Other estimates put healthcare cloud penetration at 16.5 percent of the marketplace, still a small number though meaningfully larger than MarketsandMarkets’ number.)

As our sister site EMRandHIPAA.com previously noted, Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. Verizon hopes to capture healthcare IT managers who are worried not only about HIPAA-secure clinical data transport, but also HIPAA-appropriate data protection on site, as it’s training hosting workers to be HIPAA-ready.

Another set of deep-pocketed healthcare cloud vendors are AT&T and IBM, who are partnering to capture what they deem to be a $14 billion healthcare cloud market. Under the terms of an agreement announced in early October, IBM will provide data storage facilities and services, while AT&T will provide the network.

What could possibly hold back the advance of such giants? Well, a number of issues, MarketsandMarkets notes. While vendors large and small may promise to be compliant with healthcare regs, healthcare data is challenging to manage, given that it requires special security, confidentiality, availability to authorized users, traceability of access, reversibility of data and long-term preservation.

My guess is that hospitals will respond to the efforts of vendors to attract cloud business, but that the market for public cloud services in particular won’t shoot upward as MarketsandMarkets predicts, as there are just too many things that worry CIOs. How about you, readers?

The Dawn Of “Compliance As A Service”?

Posted on October 5, 2012 | Written By Anne Zieger

A few days ago, I posted a quick report on our EMRandHIPAA.com sister site discussing Verizon’s plans to offer a HIPAA-compliant cloud service.

Verizon, which has beefed up on security services over the past few years, seems to see its role as being a compliance vendor rather than just a mere business associate. The carrier notes that not only does it offer super-secure data centers, it has trained staffers on HIPAA-specific data handling issues.

But Verizon obviously isn’t the only cloud vendor out there capable of offering HIPAA-compliant services. Could this be the dawn of CaaS (compliance as a service) for healthcare? (Other industries, like banking, are already well into this approach.)

According to reader Scott Gardner, who commented on the story, this concept has legs. “I’ve been pitching [Compliance As A Service] to cloud-based persistency vendors targeting mobility for some time,” writes Gardner, whose company Inyago focuses on private practice IT services via MacPractice. “Offering this service makes perfect sense, especially in private practice healthcare. And you get interoperability (core #14) right out of the box for all users on the platform.”

The burning question here, I suppose, is whether CIOs feel safe trusting outsiders with clinical data flow. Right now the answer seems to be “no.” As my colleague John noted in a related blog post, at present even those providers who are cloud users are more prone to access it for “commodity” services such as e-mail, file storage, videoconferencing and online learning, according to a CDW survey.

With providers needing interoperability under Meaningful Use Stage 2, the landscape may change, however. Whether or not they’re terribly comfortable with Verizon and its rivals, CIOs might find it easier to delegate compliance than cope with the difficulties of build-your-own-interoperability schemes. So perhaps CaaS really does have a chance at achieving rapid uptake — unless someone invents the insta-install HIE!

Smartphones Not Secure Enough For HIPAA Or MU

Posted on June 20, 2012 | Written By Anne Zieger

Like it or not, smartphones have become an important part of clinicians’ professional lives, and that includes accessing secure hospital systems. Unfortunately, few of these devices meet even half of Meaningful Use or HIPAA requirements, according to ONCHIT.

While the BlackBerry and iPhone do a bit better, most mobile phones sold today meet no more than 40 percent of Meaningful Use Stage 2 or HIPAA standards, at least as they’re configured out of the box. When manually configured, iPhone and BlackBerry smartphones can reach only about 60 percent compliance, according to a piece in MobiHealthNews.

ONC has released these statistics ahead of planned guidance documents designed to help small- and mid-sized provider groups secure mobile devices on the healthcare grid. ONC plans to publish its guidance as a series of best practices documents next year.

This is positive news. After all, making best practice models available — such as how to handle “BYOD” situations — is quite necessary. That being said, why must providers wait until late this year? I’d argue that providers need best practices for smartphone use immediately, not in several months.

HIT administrators need guidance not only on how to configure the devices adequately, but also on how to tailor data delivery to the device’s small brain, how to make the devices uncrackable even if lost, and what kind of health data UI works on a smartphone. (Technically, the latter isn’t a security concern, but I think we can all safely assume that if the UI is ugly, physicians will try to “break” it to suit their use or simply switch to a less secure device.)

Readers, have you had any security concerns arise specifically due to smartphone use? Do you think smartphones are as big of a security threat as tablets and laptops?

AHA Slams MU Patient Portal Requirement, Pundits Slam AHA

Posted on May 7, 2012 | Written By Anne Zieger

As readers know, CMS is now reviewing comments on the proposed rules for Stage 2 Meaningful Use. Not surprisingly, one of the reviewers who’s sent in a critique is the American Hospital Association (AHA), which a few days ago sent a 68-page barrage complaining about the burden imposed on hospitals by Stage 1 MU requirements.

Yesterday, the AHA made another MU move, this time slamming CMS’s Stage 2 proposal that hospitals be required to offer patients access to their protected health information via a portal. As I noted in the previous post on AHA, I’m surprised at how late to the game AHA is — trade groups like these aren’t known for their delicacy — and this notion has been in the air since well before CMS made it an official proposal.

Anyway, in its current letter to CMS on portals, the AHA has given them a big thumbs-down. “CMS’s plan is not supported by current technology, raises significant security issues, and goes beyond current technical capacity,” the group argues in its issue brief.

The AHA argues that with systems integration levels still dicey, hospitals are being asked to offer data in a way that may end up violating HIPAA. (Unspoken additional thought: “And then you’re going to blame us, aren’t ya, huh, you meanies!”)

Since AHA issued the statement, talking heads have popped up to bash the AHA’s position, arguing that the hospital group is dragging its feet just as the most important part of the work has begun, i.e. empowering patients to share, use and benefit from their own health information.

Well, yes and no. While I’m known for ridiculing the trade group talking heads in this business, I’d wait just a minute before we declare the AHA to be the bad guys here.

On the one hand, I can see where people are frustrated with hospitals picking this moment to complain about the task at hand. It’s not as though they’re hearing about it for the first time.

On the other hand, creating a really bulletproof portal is no joke, either, and there’s definitely some truth in the notion that making it everything it should be is very tough. Hey, there’s no point in denying it; creating a patient portal may remain a part of MU Stage 2 requirements, but it’s not going to be a walk in the garden for hospitals. Let’s not come down on them too hard if they flinch.

Guest Post: iPad or Android? Maybe We Need Both

Posted on March 16, 2012 | Written By Anne Zieger

This post is written by Brian Martin, MD.

Brian Martin is a physician informaticist – a software engineer who went to medical school, spent most of his career designing clinical software, and now spends his time helping physicians select technologies that improve their personal lives, their clinical practice, and the health of their patients.

I was asked today about whether iPad or Android-based devices will become the device of choice for practicing physicians. My answer? It could be that both have their place.

The issue isn’t whether someone will create the perfect iPad or Android tablet. Technological barriers, security issues, hackers, HIPAA, encryption, voice recognition and handwriting recognition are all technology problems. They are easily solvable, especially with all the under-employed rocket scientists looking for work.

The hard work is to develop an elegant solution to the user experience that lies at the crossroads between technology and the physician’s workflow. And different situations may call for different devices.

If the doc is seeing patients in an outpatient setting or rounding on inpatients, then it’ll be the iPad. If the doc is away from the office or hospital, on personal time, then it’ll be the fits-in-your-pocket mobile device – an iPhone or Android device. It’s all about the user experience, how the technology fits into the doc’s workflow, and how the technology impacts the patient’s experience of the face-to-face physician visit.

For many, and perhaps the majority of physicians, being a doc isn’t a 40 hour-per-week job that you leave at the office. Not a chance. Clinical excellence is more than a full-time commitment, and for many, it’s a 24×7 commitment. Sure, you can go out to a nice restaurant, play a round of golf, a set of tennis, but…

When you are away from the office or hospital, and one of your patients needs your attention, do you really want to interrupt your personal life to drive to the office?

Or if you’re on a dinner date with your spouse/partner/date, and the lab calls to say that one of your patients has a wacked-out finding that you need to make an immediate treatment decision on, do you cancel your date and head back to the office? I wouldn’t want to. But if I’ve got 3,000 patients in my practice, I don’t have a choice, simply because I’m not going to rely on sheer memory power, no matter how highly I might think of myself (snicker if you will), to remember what diagnoses and allergies this patient has, what medications I’ve prescribed and why, and what the last test results were. Nope. No one’s that good.

But what if I could excuse myself for 5 minutes, step outside, pull this patient’s summary EMR up on my iPhone, make a diagnostic and treatment decision, select and submit one of my standard order sets, transmit a prescription to the pharmacy, then call the patient and tell him to stop taking one of his medications and go to his pharmacy to pick up the medications I just prescribed? Fantastic! I don’t cancel my date and ruin what was developing into a seriously romantic evening, my patient is properly managed, and life is good.

Have you ever seen a doctor walk into the doctor’s lounge in the hospital, then call the nursing station with his/her patient orders just to avoid entering data into the hospital’s EMR? I have. I’ve also watched my primary-care physician, who is not a touch typist, try to maintain eye contact with me while his eyes flitted rapidly between the keyboard and monitor.

And why can’t he maintain eye contact? Because his employer mandated that all physicians do their own clinical data entry, including progress notes, lab and medication orders, referrals, etc. Sure, that’ll get the employer to HIMSS Level 6, but at what cost? Or imagine a psychiatrist constantly switching his/her attention between the patient and a computer monitor during a psychotherapy session… And if that patient has paranoid/delusional traits?

I have yet to see an EMR with a keyboard/mouse/monitor (KMM) interface that does not interfere with the physician/patient experience. What we need is a technology that enhances the clinical experience FOR THE PATIENT. Docs know how to use traditional paper charts and pens for taking notes and looking up information during a face-to-face patient consultation, while keeping their focus on the patient. The iPad is the closest we have to a replacement for the pen and paper chart. Creating iPad, iPhone and Android interfaces to existing EMRs can be a first step.

So. If you are a C-level health systems exec who is being pitched to make a “me-too” decision to spend mega bucks on an enterprise-wide KMM-interface EMR built using 1960s-era software (MUMPS is the COBOL of medicine), spend some time walking around and visiting docs in your community who use EMRs. Ask them if they’ll let you watch how they interact with their patients and their EMR. Pay attention to the user experience, and ask them about some of the scenarios I’ve described above. Then watch a three-year-old use an iPad.