Heard at #AHIMACon17: Lessons Learned for HIM – HIM Scene

Posted on October 18, 2017 | Written By

The following is a HIM Scene guest blog post by Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President, Privacy, Compliance and HIM Policy, at MRO.

The American Health Information Management Association (AHIMA) held its annual convention and exhibit in Los Angeles last week. Beginning with preconvention meetings and symposia, this year’s event delivered a renewed focus on the profession’s stalwart responsibility to protect and govern patient information. Updates for privacy, security, interoperability and information governance were provided. Here is a quick overview of my lessons learned at AHIMACon17.

Privacy and Security Institute

The 11th anniversary of AHIMA’s Privacy and Security Institute didn’t disappoint. Speakers from the HHS Office for Civil Rights (OCR), Federal Bureau of Investigations (FBI) and HITRUST joined privacy and HIM consultants for an information-packed two-day symposium. The most important information for HIM professionals and privacy officers came from the nation’s capital.

Cutbacks underway—Recent defunding of the Chief Privacy Officer (CPO) position by ONC makes practical sense for the healthcare industry and the national budget. The position has been vacant for the past year, and during this time Deven McGraw successfully served as acting CPO and deputy director for health information privacy. Her imminent departure along with other cutbacks will have a trickle-down impact for privacy compliance in 2018.

Onsite audits cease—Yun-kyung (Peggy) Lee, Deputy Regional Manager, OCR, informed attendees that onsite HIPAA audits would no longer be conducted for covered entities or business associates due to staffing cutbacks in Washington, D.C. The concern here is that whatever doesn’t get regulatory attention may not get done.

To ensure a continued focus on privacy monitoring, HIM and privacy professionals must remain diligent at the organizational, regional, state and national levels to:

  • Maintain internal privacy audit activities
  • Review any patterns in privacy issues and address through corrective action
  • Use environmental scanning to assess resolution agreement results
  • Review published privacy complaints to determine how to handle similar situations
  • Compare your state of readiness to known complaints

Interoperability advances HIPAA—The national push for greater interoperability is an absolute necessity to improve healthcare delivery. However, 30 years of new technology and communication capabilities must be incorporated into HIPAA rules. Old guidelines block us from addressing new goals. We expect more fine-tuning of HIPAA in 2018 to achieve the greater good of patient access and health information exchange.

Luminary Healthcare Panel

Tuesday’s keynote session was the second most relevant discussion for my role as vice president of privacy, compliance and HIM policy at MRO. Panelists provided a glimpse into the future of healthcare while reiterating HIM’s destiny—data integrity and information governance.

HIM’s role extends beyond ensuring correctly coded data for revenue cycle performance. It also includes the provision of correct and complete data for the entire healthcare enterprise and patient care continuum under value-based reimbursement. The need for stronger data integrity and overall information governance was threaded through every conversation during this session.

Final Takeaway

Make no mistake about it! HIM’s role is expanding. We have the underlying knowledge of the importance of data and the information it yields. More technology leads to more data and an increased need for sophisticated health information management and governance. Our history of protecting patient information opens the door to our future in the healthcare industry.

About Rita Bowen
In her role as Vice President of Privacy, Compliance and HIM Policy for MRO, Bowen serves as the company’s Privacy and Compliance Officer (PCO), oversees the company’s compliance with HIPAA, and ensures new and existing client HIM policies and procedures are up to code. She has more than 40 years of experience in Health Information Management (HIM), holding a variety of HIM director and consulting roles. Prior to joining MRO, she was Senior Vice President and Privacy Officer for HealthPort, Inc., now known as CIOX Health. Bowen is an active member of the American Health Information Management Association (AHIMA), having served as its President and Board Chair, as a member of the Board of Directors, and of the Council on Certification. Additionally, Bowen is the chair for the AHIMA Foundation. She has been honored with AHIMA’s Triumph Award in the mentor category; she is also the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA). Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis. Bowen holds a Bachelor of Medical Science degree with a focus in medical record administration and a Master’s degree in Health Information/Informatics Management Technology.

MRO is a proud sponsor of HIM Scene. If you’d like to receive future HIM posts in your inbox, you can subscribe to future HIM Scene posts here.

Healthcare Analytics is a Big Privacy Issue

Posted on March 18, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Coming out of HIMSS, everyone said that healthcare analytics was a major discussion. I talked to someone from Allscripts today and they told me that something like 42% of their business is coming from population health (analytics, patient portal, and HIE) functionality. Today someone else told me that the future of healthcare IT is going to really be around analytics and how we use the data. When you think about future revenue streams, the data is likely going to be the center of most business models.

Analytics is going to play a major role in the future of health IT and I believe will lead to really important improvements in the care patients receive. My guess is that one day we’ll look back on the EHR of today and wonder how we saw patients with such limited data and intelligence built into the EHR.

However, Sheri Stoltenberg from Stoltenberg Consulting made a great comment to me at HIMSS which is the title of this blog post: Healthcare Analytics is a Big Privacy Issue.

While we love to talk about the benefits of big healthcare data and the value of healthcare analytics, it’s also got a lot of big privacy issues that I think we’re going to need to address. Many will argue that we already have HIPAA and that should be enough. Certainly it will provide the framework for privacy and security of healthcare data and analytics. However, that’s likely going to need to evolve as healthcare analytics evolves. I’m not sure we even know the issues that healthcare analytics will pose to privacy in 5 years. Unfortunately, I don’t see HIPAA being able to keep up with it.

If the healthcare IT industry were smart, it would start working together on appropriate privacy and security within healthcare analytics. If they don’t, be ready for the government to step in and impose it on them. We know how that usually works out.

Hopefully this blog post will be inspiration for every organization to consider the privacy and security issues associated with their healthcare analytics.

How Easy Are Hospitals Hacked?

Posted on July 31, 2013 | Written By

This is an interesting tweet. I find it interesting that a hospital is working with local hackers. I guess it’s even more interesting that an EMR vendor has enough clout to be able to get a local hospital to not install software. Although, knowing the industry like I do, it’s not that surprising. Should a hospital listen to some local hackers or someone they’ve invested hundreds of millions and sometimes billions of dollars in? (yes, an EHR purchase is an investment)

Of course, this tweet reminded me of a great story my best friend in college told me about when he hacked into the major hospital system where he went to high school. Turns out he used a mix of physical and technical hacks to breach the hospital system.

The key to him breaching the hospital system was that he got access to a computer on the hospital system and left a back door for him to access that computer remotely. All he did was put on a jacket, go to an office in the network, and say he was working for their IT department and was there to run some updates on the computer. They happily let him run the “update” on their computer. Instead, he created a back door through which he could get access to the hospital network from anywhere.

I’m sure that many reading this will think twice when someone comes in saying they need to update their computer now. It’s not like most people in the hospital know all the tech support people in their hospital.

Of course, this is a simple little hack. Certainly there are plenty of other ways that someone can hack into healthcare systems. The interesting thing is that most people don’t care about healthcare information. They want financial information. So, someone who does hack a healthcare system is unlikely to do much with the healthcare info. Yes, I’ve read the people who say a patient record is worth $50. I’m still waiting to see someone try to sell one at that price.

I should also mention that I think the tweet isn’t actually talking about this type of hacker. I think the tweet is talking about the Fred Trotter version of “hacker,” which just puts together a great solution to a problem (i.e., a hack). We need more great solutions in healthcare, so I hope that EMR vendors stop impeding local application hackers from working with hospitals.

Are Hospitals Ready for HIPAA Omnibus?

Posted on March 30, 2013 | Written By

I’ve been thinking quite a bit about the new HIPAA Omnibus rules ever since I interviewed Rita Bowen at HIMSS about the new HIPAA rules. While Rita highlights some other changes that came as part of HIPAA Omnibus, I still think that the biggest change is all of the new details around business associates.

There are a lot of changes when it comes to business associates, and the work to make sure everything is in place with business associates requires effort from both the healthcare institution and the business associates. Considering the HIPAA Omnibus rule went into effect on March 26th, there’s no time for an organization to delay this work. They’re already behind if they haven’t done this already.

Considering the lack of discussion I’ve seen from hospitals, I have a feeling that many of them haven’t dealt with this issue yet at all. In fact, I wouldn’t be surprised if many of them didn’t even really realize that they had to do anything. Instead, I expect that many just figured it was on the back of the business associate to change. That’s just not the case and the hospital should be consulting their HIPAA lawyer to make sure everything is in place.

I’d love to hear if others are having different experiences. Did you go through the HIPAA Omnibus rule? Did you have to make a lot of changes? Did you change how you work with business associates?

Hospitals, Health Systems Don’t Feel Prepared For Meaningful Use Stage 2

Posted on December 31, 2012 | Written By

Anne Zieger is veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A new survey by KPMG confirms what most of us would have guessed — that hospital and health system leaders aren’t that sure they’re ready to meet Meaningful Use Stage 2 requirements.

The study, which was conducted last month, found that 47 percent of hospital and health system business leaders surveyed were only somewhat confident in their readiness to meet Stage 2 requirements. Just over one-third (36 percent) said they were confident, and four percent weren’t confident at all, KPMG found. Another 11 percent said they didn’t know what their level of readiness was.

Respondents are also worried about meeting privacy and security standards included in both Stage 2 and HIPAA. Forty-seven percent of respondents were only somewhat comfortable with their organization’s ability to meet all parts of HIPAA, including the need for new annual risk assessments and protecting patient-identifiable information. Eight percent of respondents said they weren’t comfortable at all, 13 percent said they weren’t sure and 31 percent said they were comfortable, KPMG reported.

To help close the readiness gap, hospitals and health systems are bringing in outside help. Thirty percent of respondents said their organization had hired new or additional team members to help complete EMR deployment. And 22 percent said they’d hired outside contractors to get the job done.

So why are so many healthcare business leaders insecure about Stage 2? When asked to name the biggest challenge in complying with Stage 2 requirements, 29 percent cited training and change management issues.

Tied for second were lack of monitoring processes to ensure sustained demonstration of MU, and capturing relevant data as part of the clinical workflow, at 19 percent each. Twelve percent named lack of a dedicated Meaningful Use team, and 6 percent availability of appropriate certified vendor technology. Fourteen percent said “other.”

Adolescent Data Needs Stronger EMR Protections, Group Says

Posted on November 13, 2012 | Written By

The American Academy of Pediatrics is calling for changes to EMRs to protect the privacy of adolescent patients, who, it says, don’t currently get the same level of protection as adults.

According to the AAP, there are several reasons adolescents don’t enjoy the same privacy protections as adults.

For one thing, there are the legal issues. HIPAA doesn’t provide specific guidance on adolescent privacy, and the medical industry hasn’t put clear standards in place outlining when adults can access an adolescent’s health records either.

What’s more, states vary in how they handle this issue, according to the AAP report. State laws typically allow minors to consent for their healthcare on the basis of their status — for example, if they’re a pregnant or parenting teen — and on the basis of the services they seek — such as STI diagnosis and treatment or contraception. However, while state and federal laws provide protection of privacy when minors consent for their own care, privacy protections differ widely.

To make sure adolescent privacy is protected across all data platforms, the AAP is recommending a set of principles that it feels should ideally govern not only EMRs, but also PHRs and HIEs. These include:

* Creation of a set of criteria for EMRs that meet adolescent privacy standards

* Creating and implementing technology for EMRs which would allow determination of who has access to, or ability to control access to, any part of the adolescent medical record.

* Making it possible for adolescents to record consents and authorizations according to privacy laws using the HL-7 Child Health Profile DC.1.3.3 standard

* Flexibility within standards to allow for protection of privacy for diagnoses, associated lab tests, problem lists and any other documentation containing confidential data.

* EMR systems must be able to apply state and federal confidentiality rules when assembling aggregate data to prevent identification of individuals.

The AAP has a lot more to say, but in summary, it seems to be putting the burden for protecting adolescent privacy largely on EMR vendors, though I believe it’s hoping members will advocate for these changes as well.

Either way, it doesn’t work well if there’s a protected class (certain adolescents) whose rights simply can’t be protected adequately with today’s technology. Time to get on this issue, I’d say.

Healthcare Cloud Spending Slated For Major Growth

Posted on October 30, 2012 | Written By

Hospitals may still be ambivalent about using the cloud for clinical data transport, but attitudes are likely to undergo a major change over the next few years, according to research firm MarketsandMarkets. The firm projects that the healthcare cloud market will expand by about 20.5 percent per year over the next five years, hitting $5.4 billion by 2017.

Right now, healthcare cloud spending has hit roughly $1.8 billion, which represents penetration of four percent, MarketsandMarkets found. That’s just a drop in the bucket, particularly given the big competitors who are aiming their guns at the healthcare cloud market today. (Other estimates put healthcare cloud penetration at 16.5 percent of the marketplace, still a small number though meaningfully larger than MarketsandMarkets’ number.)

As our sister site EMRandHIPAA.com previously noted, Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. Verizon hopes to capture healthcare IT managers who are worried not only about HIPAA-secure clinical data transport, but also HIPAA-appropriate data protection on site, as it’s training hosting workers to be HIPAA-ready.

Another set of deep-pocketed healthcare cloud vendors are AT&T and IBM, who are partnering to capture what they deem to be a $14 billion healthcare cloud market. Under the terms of an agreement announced in early October, IBM will provide data storage facilities and services, while AT&T will provide the network.

What could possibly hold back the advance of such giants? Well, a number of issues, MarketsandMarkets notes. While vendors large and small may promise to be compliant with healthcare regs, healthcare data is challenging to manage, given that it requires special security, confidentiality, availability to authorized users, traceability of access, reversibility of data and long-term preservation.

My guess is that hospitals will respond to the efforts of vendors to attract cloud business, but that the market for public cloud services in particular won’t shoot upward as MarketsandMarkets predicts, as there are just too many things that worry CIOs. How about you, readers?

The Dawn Of “Compliance As A Service”?

Posted on October 5, 2012 | Written By

A few days ago, I posted a quick report on our EMRandHIPAA.com sister site discussing Verizon’s plans to offer a HIPAA-compliant cloud service.

Verizon, which has beefed up on security services over the past few years, seems to see its role as being compliance vendor rather than just a mere business associate. The carrier notes that not only does it offer super-secure data centers, it has trained staffers on HIPAA-specific data handling issues.

But Verizon obviously isn’t the only cloud vendor out there capable of offering HIPAA-compliant services. Could this be the dawn of CaaS (compliance as a service) for healthcare? (Other industries, like banking, are already well into this approach.)

According to reader Scott Gardner, who commented on the story, this concept has legs. “I’ve been pitching [Compliance As A Service] to cloud-based persistency vendors targeting mobility for some time,” writes Gardner, whose company Inyago focuses on private practice IT services via MacPractice. “Offering this service makes perfect sense, especially in private practice healthcare. And you get interoperability (core #14) right out of the box for all users on the platform.”

The burning question here, I suppose, is whether CIOs feel safe trusting outsiders with clinical data flow. Right now the answer seems to be “no.” As my colleague John noted in a related blog post, at present even those providers who are cloud users are more prone to access it for “commodity” services such as e-mail, file storage, videoconferencing and online learning, according to a CDW survey.

With providers needing interoperability under Meaningful Use Stage 2, the landscape may change, however. Whether or not they’re terribly comfortable with Verizon and its rivals, CIOs might find it easier to delegate compliance than cope with the difficulties of build-your-own-interoperability schemes. So perhaps CaaS really does have a chance at achieving rapid uptake — unless someone invents the insta-install HIE!

Smartphones Not Secure Enough For HIPAA Or MU

Posted on June 20, 2012 | Written By

Like it or not, smartphones have become an important part of clinicians’ professional lives, and that includes accessing secure hospital systems. Unfortunately, few of these devices meet even half of Meaningful Use or HIPAA requirements, according to ONCHIT.

While the BlackBerry and iPhone do a bit better, most mobile phones sold today meet no more than 40 percent of Meaningful Use Stage 2 or HIPAA standards, at least as they’re configured out of the box. When manually configured, iPhone and BlackBerry smartphones can reach only about 60 percent compliance, according to a piece in MobiHealthNews.

ONC has released these statistics ahead of planned guidance documents designed to help small- and mid-sized provider groups secure mobile devices on the healthcare grid. ONC plans to publish its guidance as a series of best practices documents next year.

This is positive news. After all, making best practice models available — such as how to handle “BYOD” situations — is quite necessary. That being said, why must providers wait until late this year? I’d argue that providers need best practices for smartphone use immediately, not in several months.

HIT administrators need guidance not only for how to configure the devices adequately, but also how to tailor data delivery to the device’s small brain, how to make the devices uncrackable even if lost and what kind of health data UI works on a smartphone. (Technically, the latter isn’t a security concern, but I think we can all safely assume that if the UI is ugly, physicians will try to “break” it to their use or simply switch to a less secure device.)

Readers, have you had any security concerns arise specifically due to smartphone use? Do you think smartphones are as big of a security threat as tablets and laptops?

AHA Slams MU Patient Portal Requirement, Pundits Slam AHA

Posted on May 7, 2012 | Written By

As readers know, CMS is now reviewing comments on the proposed rules for Stage 2 Meaningful Use. Not surprisingly, one of the reviewers who’s sent in a critique is the American Hospital Association (AHA), which a few days ago sent a 68-page barrage complaining about the burden imposed on hospitals by Stage 1 MU requirements.

Yesterday, the AHA made another MU move, this time slamming CMS’s Stage 2 proposal that hospitals be required to offer patients access to their protected health information via a portal. As I noted in the previous post on AHA, I’m surprised at how late to the game AHA is — trade groups like these aren’t known for their delicacy — and this notion has been in the air since well before CMS made it an official proposal.

Anyway, in its current letter to CMS on portals, the AHA has given them a big thumbs-down. “CMS’s plan is not supported by current technology, raises significant security issues, and goes beyond current technical capacity,” the group argues in its issue brief.

The AHA argues that with systems integration levels still dicey, hospitals are being asked to offer data in a way that may end up violating HIPAA. (Unspoken additional thought: “And then you’re going to blame us, aren’t ya, huh, you meanies!”)

Since AHA issued the statement, talking heads have popped up to bash the AHA’s position, arguing that the hospital group is dragging its feet just as the most important part of the work has begun, i.e. empowering patients to share, use and benefit from their own health information.

Well, yes and no. While I’m known for ridiculing the trade group talking heads in this business, I’d wait just a minute before we declare the AHA to be the bad guys here.

On the one hand, I can see where people are frustrated with hospitals picking this moment to complain about the task at hand. It’s not as though they’re hearing about it for the first time.

On the other hand, creating a really bulletproof portal is no joke, either, and there’s definitely some truth in the notion that making it everything it should be is very tough. Hey, there’s no point in denying it; creating a patient portal may remain a part of MU Stage 2 requirements, but it’s not going to be a walk in the garden for hospitals. Let’s not come down on them too hard if they flinch.