
Hospitals Stumble When Asked To Share Medical Records With Patients

Posted on October 19, 2018 | Written by Anne Zieger

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

By this point, few would dispute that patients are unlikely to engage with their medical care if they don’t have free, unfettered access to their medical records. Unfortunately, research continues to suggest that providers are struggling to meet these goals, and from my point of view, it shows signs that they don’t take the entire process that seriously.

Most recently, a new study found that not only may hospitals be failing to meet state and federal rules on patient medical record sharing, they may not even be communicating about their own policies consistently. As a patient with complex medical needs, I found this troubling, though sadly, not so surprising given my past experiences.

The study, which appeared in JAMA Network Open, looked at the way in which 83 US hospitals handled medical record requests by patients. The research team conducted the requests between August 1 and December 7, 2017, tracking what medical information was made requestable, what formats of release were available, costs to receive the information and request processing times. Researchers reviewed hospital processes using medical record release authorization forms and telephone calls with medical records departments.

After analyzing their data, the researchers concluded at least some hospitals weren’t complying with regulations regarding medical information request processing times. Of the 81 hospitals that responded to the researchers with mean times of release for records, seven had ranges extending beyond state requirements before applying the single 30-day extension granted by HIPAA.

In addition, they found that patients obtained different information regarding medical records request processes when they filled out a form versus when they communicated directly with medical records departments. For example, just 53% of hospitals gave patients the option to request the entire medical record on their record request forms, while when the medical record department was contacted by phone, all the hospitals said they were able to release an entire medical record to patients.

Perhaps offering some insight into why patient portals aren’t as muscular as they could be, just 25% of hospital medical record departments said via phone that they were able to release records to online patient portals, and less than half (40%) shared this detail on their forms.

Another issue highlighted by the study was that the hospitals studied seemed to be vague about the costs patients faced in receiving records. Apparently, 22% of hospitals disclosed that they would charge patients for such records but did not specify the cost, and 43% didn’t specify whether there would be a fee at all.

Having inadvertently walked into a cost buzzsaw once or twice in my pre-HIT days, I can’t stress enough how disheartening unexpected records fees can be for patients. After all, in some cases patients don’t get the care they need if they don’t have up-to-date records, and until we have a completely universal interoperability scheme in place, patients are on the hook to make this happen.

Getting the records seems to have been pricey. All but one of the hospitals were able to quote the cost for receiving records on paper, at prices which began at zero but went as high as $541.50 for a 200-page record. On the digital side, 59% of the hospitals stated a cost of release above the federally-recommended $6.50 flat fee per page for electronically-maintained records.

As the study authors note, it would be helpful if federal regulators kept their eye on issues related to patient medical record access, which is more costly, confusing and time-consuming than it might appear at first glance. In the meantime, hospitals might consider doing a self-audit to see whether they are offering patients consistent information on the process when we ask for badly-needed medical data.


Rate Of Healthcare Ransomware Attacks Falls In First Half of 2018

Posted on July 12, 2018 | Written by Anne Zieger


Most research I’ve read lately suggests that the rate of healthcare cyberattacks is at an all-time high, and that ransomware is leading the parade.

But is that really true? Maybe not. A new security report has concluded that the rate of ransomware attacks on healthcare organizations actually fell during the first half of this year, and what’s more, that such attacks trended lower during the same period.

The study, which comes from security firm CryptoniteNXT, notes that cybercriminals target healthcare because they can fetch great prices for the data by reselling it on the dark web. Also, given the complexity of healthcare networks and the high number of vulnerabilities in those networks, thieves see providers as a fat and easy target.

However, when it comes to ransomware, the landscape may be changing. CryptoniteNXT found that the number of ransomware attacks impacting over 500 patient records dropped from 19 major data breaches in the first half of 2017 to 8 major breaches in the first half of 2018. That’s an impressive 57% decrease.

The biggest reported IT/hacker-driven breach hit LifeBridge Health, affecting 538,127 individuals. Other organizations targeted included academic medical centers, medical practices, ambulatory surgical centers, health plans and government agencies.

Meanwhile, the rate of ransomware attacks as a percentage of IT/hacking events has fallen substantially, from 30.16% during the first half of 2017 to 13.6% during the first half of this year.

On the other hand, the volume of patients affected has climbed. Roughly 1.9 million patient records were breached in the first half of this year, compared with 1.7 million records in the first half of 2017 and 1.8 million records in the second half of that year, the report concludes.

Also, the report notes that ransomware attackers are far from done with the industry. The authors say that ransomware will still pose a “formidable threat” to healthcare organizations and that new variants such as AI-based malware will pose a major threat to healthcare organizations for the next couple of years.

To fend off hacking attacks, CryptoniteNXT recommends adopting new best practices such as moving target cyber defense and network micro-segmentation, which can address the inherent weakness of TCP/IP networks.

Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 | Written by Anne Zieger


The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center. All told, the man had gotten access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point — and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”

Some Physicians Get Personally Identifiable Information Via Texts Every Day

Posted on June 22, 2018 | Written by Anne Zieger


A new survey has concluded that despite efforts to better protect patient data privacy, a substantial number of providers are still getting unsecured messages that contain patient information.

The survey, which was performed by Black Book Market Research, analyzed replies from 770 hospital-based users and 1,279 physician practices. Researchers looked at how care teams were maintaining secure communications.

The market research firm found that 30% of respondents received texts that included individually identifiable data every day. This result should curdle the blood of healthcare cybersecurity experts since I’m pretty sure most of these patients haven’t agreed to these unsecured texts.

However, both hospitals and physicians are pressing forward with platforms that protect patient data while linking teams together. The vast majority of respondents (94% of physicians and 90% of hospitals) told Black Book that mobile technology, in particular, could improve patient safety and outcomes.

The majority of respondents (85% of hospitals and 80% of physician practices) reported that they were committed to investing in secure communications platforms capable of tying together care teams, patients and families. And they’re in a hurry. In fact, 96% of hospitals expected to budget for or invest in comprehensive clinical communication platforms before the close of 2018.

That being said, 63% of study respondents said they were finding it difficult to get mobile technology buy-in from colleagues. Actually, that’s not too surprising. If you ask physicians to switch from an easy-to-use, effective tool like texting to an unknown communications platform, they’re likely to resist. They probably understand intellectually why using secure, collaboration-friendly software is a good idea, but the truth is that these platforms might disrupt physicians’ routines substantially.

Meanwhile, 90% of hospitals and 77% of physician practices that participated in the survey said they were using intrusion detection systems and secure email. However, this news isn’t that encouraging, as the majority of existing physician portals already offer secure email, and intrusion detection systems are pretty much a given by current standards.

The truth is, with healthcare data growing more valuable than ever and the threat landscape expanding rapidly, both hospitals and medical practices will need to step up their game substantially if they want to avoid security breaches. Investing in secure communications platforms is good, but it only addresses part of their security problems.

Over the long haul, both hospitals and doctors will have to get better at protecting both their mobile and enterprise data assets. There are good reasons to focus on secure mobile communications now, but providers can’t let it distract them from enterprise-wide security problems.


What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written by Anne Zieger


A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers posited that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of the problem, while others were substantive investments that met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

AHA Asks Congress To Reduce Health IT Regulations for Medicare Providers

Posted on September 22, 2017 | Written by Anne Zieger


The American Hospital Association has sent a letter to Congress asking members to reduce regulatory burdens for Medicare providers, including mandates affecting a wide range of health IT services.

The letter, which is addressed to the House Ways and Means Health subcommittee, notes that in 2016, CMS and other HHS agencies released 49 rules impacting hospitals and health systems, which make up nearly 24,000 pages of text.

“In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them,” says the letter, which was signed by Thomas Nickels, executive vice president of government relations and public policy for the AHA. The letter came with a list of specific changes AHA is proposing.

Proposals of potential interest to health IT leaders include the following. The AHA is asking Congress to:

  • Expand Medicare coverage of telehealth to patients outside of rural areas and expand the types of technology that can be used. It also suggests that CMS should automatically reimburse for Medicare-covered services when delivered via telehealth unless there’s an individual exception.
  • Remove HIPAA barriers to sharing patient medical information with providers that don’t have a direct relationship with that patient, in the interests of improving care coordination and outcomes in a clinically-integrated setting.
  • Cancel Stage 3 of the Meaningful Use program, institute a 90-day reporting period for future program years and eliminate the all-or-nothing approach to compliance.
  • Suspend eCQM reporting requirements, given how difficult it is at present to pull outside data into certified EHRs for quality reporting.
  • Remove requirements that hospitals attest that they have bought technology which supports health data interoperability, as well as that they responded quickly and in good faith to requests for exchange with others. At present, hospitals could face penalties for technical issues outside their control.
  • Refocus the ONC to address a narrower scope of issues, largely EMR standards and certification, including testing products to assure health data interoperability.

I am actually somewhat surprised to say that these proposals seem largely reasonable. Typically, when proposals are developed by trade groups, they tend to be stacked a bit too heavily in favor of that group’s own concerns. (By the way, I’m not taking a position on the rest of the regulatory ideas the AHA put forth.)

For example, expanding Medicare telehealth coverage seems prudent. Given their age, level of chronic illness and attendant mobility issues, telehealth could potentially do great things for Medicare beneficiaries.

Though it should be done carefully, tweaking HIPAA rules to address the realities of clinical integration could be a good thing. While no one is suggesting that we ought to throw the rulebook out the window, it probably makes sense to square it with today’s clinical realities.

Also, the idea of torquing down MU 3 makes some sense to me as well, given the uncertainties around the entirety of MU. I don’t know if limiting future reporting to 90-day intervals is wise, but I wouldn’t take it off of the table.

In other words, despite spending much of my career ripping apart trade groups’ legislative proposals, I find myself in the unusual position of supporting the majority of the ones I list above. I hope Congress gives these suggestions some serious consideration.

The Important Role of HIM in Healthcare Cybersecurity – HIM Scene

Posted on June 21, 2017 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts. If you’d like to receive future HIM posts in your inbox, you can subscribe to future HIM Scene posts here.

Healthcare organizations that rely on their CSO (Chief Security Officer) to handle cybersecurity in their organizations always annoy me. Cybersecurity requires everyone at the organization to be involved in the effort. One person can have a large influence, but your healthcare organization will never be secure if you don’t have everyone working their best to ensure your organization is secure.

A great example of a group that’s often forgotten in healthcare cybersecurity efforts is HIM professionals. Organizations that leave them out do so at their own peril. If you’re not involving your HIM professionals in your cybersecurity efforts, I exhort you to do so today.

One of the best reasons to involve HIM professionals in your security efforts is that they’re often experts on the patchwork of healthcare privacy and security laws. It’s not enough to just ensure you’re being HIPAA compliant. That’s essential, but not sufficient.

Healthcare privacy and security are so important that there are multiple layers of laws trying to protect your health information. Or maybe the laws just aren’t well planned and that’s why we have so many. I’ll let you decide. Either way, in your privacy and security efforts you’re going to need to know HIPAA, HITECH, MACRA, and of course don’t forget the state-specific privacy and security laws. No doubt there are more, and your HIM professionals are likely some of the people in your organization who know these laws best.

Beyond the fact that HIM professionals know the privacy and security laws, they are usually well versed in ensuring the right access to the right information in your systems. One of the biggest sources of breaches is internal breaches by people who were given the wrong permissions on your IT systems.

Making sure someone is auditing and monitoring these permissions is a very important part of your cybersecurity efforts. Plus, don’t forget to have a solid process for removing users when they leave your organization as well. Those zombie user accounts are a ticking time bomb in your security efforts. When departing employees check out with HIM to verify that their records are in order, that is a good time to remove their access.
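As an added illustration of the permission audit and offboarding check described above (example code, not from the post or any product it mentions), here is a Python reconciliation that compares an account export against an HR roster and flags accounts owned by departed or unknown staff, accounts holding permissions beyond their role's baseline, and dormant accounts. The roster, account list and role baselines are constructed sample data.

```python
"""Reconcile application accounts against an HR roster.

Added example, not part of the original post. The HR roster, the account
export and the per-role permission baselines below are constructed sample
data; a real check would pull them from the HR system, the EHR or identity
provider, and the access-control policy respectively.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    emp_id: str
    role: str
    separation_date: Optional[date] = None  # None means still employed


@dataclass
class Account:
    username: str
    emp_id: str
    permissions: frozenset
    last_login: date


@dataclass
class Finding:
    username: str
    issue: str          # "orphaned", "over-privileged" or "dormant"
    detail: str = ""


# Constructed role baselines: the maximum permission set each role should hold.
ROLE_BASELINE = {
    "him_analyst": frozenset({"chart.read", "chart.release", "audit.read"}),
    "nurse": frozenset({"chart.read", "chart.write", "orders.read"}),
    "billing": frozenset({"chart.read", "claims.write"}),
}


def audit_accounts(roster, accounts, as_of, dormant_days=90):
    """Return findings for accounts that should not exist or hold too much.

    - orphaned: the owner has a separation date on or before `as_of`, or has
      no roster entry at all (the "zombie account" case).
    - over-privileged: permissions exceed the owner's role baseline.
    - dormant: no login within `dormant_days`; a candidate for review.
    """
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            findings.append(Finding(acct.username, "orphaned", "no roster entry"))
            continue
        if emp.separation_date is not None and emp.separation_date <= as_of:
            findings.append(Finding(acct.username, "orphaned",
                                    "separated " + emp.separation_date.isoformat()))
            continue  # removal outranks every other finding for this account
        extra = acct.permissions - ROLE_BASELINE.get(emp.role, frozenset())
        if extra:
            findings.append(Finding(acct.username, "over-privileged",
                                    ", ".join(sorted(extra))))
        if (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username, "dormant",
                                    "last login " + acct.last_login.isoformat()))
    return findings


# Constructed sample data: one clean account, one departed nurse, one billing
# user with a write permission outside the baseline, and an unowned account.
SAMPLE_ROSTER = [
    Employee("E100", "him_analyst"),
    Employee("E200", "nurse", separation_date=date(2017, 5, 31)),
    Employee("E300", "billing"),
]
SAMPLE_ACCOUNTS = [
    Account("asmith", "E100", frozenset({"chart.read", "chart.release"}), date(2017, 6, 15)),
    Account("bjones", "E200", frozenset({"chart.read", "chart.write"}), date(2017, 5, 30)),
    Account("cdoe", "E300", frozenset({"chart.read", "claims.write", "chart.write"}), date(2017, 2, 1)),
    Account("svc_old", "E999", frozenset({"chart.read"}), date(2016, 1, 1)),
]


def sample_findings(as_of=date(2017, 6, 21)):
    """Run the audit over the constructed sample data."""
    return audit_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, as_of)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.username:10} {f.issue:16} {f.detail}")
```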

Another place HIM professionals can help with healthcare cybersecurity efforts is around information governance. More specifically, HIM can help you properly manage your health data and legacy systems. HIM can ensure that your legacy systems are properly managed until their end of life. No doubt this will be done in tandem with your IT professionals who have to keep these legacy systems secure (not always an easy task). However, an HIM professional can assist with your information governance efforts that impact cybersecurity.

In what other ways can HIM be involved in healthcare cybersecurity?

Cybersecurity is always going to be a team effort. That’s why it’s shocking to me when healthcare organizations don’t involve every part of their team. HIM professionals should step up and make the case for why they should be involved in healthcare’s cybersecurity efforts. However, when they don’t, a great leader will make sure HIM is involved just the same.


Healthcare Security is Scaring Hospital CIOs

Posted on November 16, 2016 | Written by John Lynn


This post is sponsored by Samsung Business. All thoughts and opinions are my own.

Coming out of the CHIME CIO Forum, I had a chance to mix and mingle with hundreds of hospital CIOs. There was one major theme at the conference: security. If you asked these hospital CIOs what was keeping them up at night, I’m sure that almost every one of them would say security. They see it as a major challenge and the job is never done.

I had more than one CIO tell me that breaches of their healthcare system are going to happen. That’s why it’s extremely important to have a two-pronged security strategy in healthcare that includes both creating security barriers and a mitigation and response strategy.

One of the most challenging pieces of security identified by these healthcare CIOs was the proliferation of endpoints. That includes the proliferation of devices, including mobile devices, and the increase in the number of users using these technologies. There was far less concern about the mobile devices themselves, since deeply embedded software and hardware security built into mobile devices, like Samsung’s Knox, has made mobile device security a lot easier to implement. The same can’t be said for the number of people using these devices. One hospital CIO described it as 21,000 points of vulnerability when he talked about the 21,000 people who worked at his organization. Sadly, there’s no single software solution that prevents human error.

This is why we see so much investment in security awareness programs and breach detection. Your own staff are often your biggest vulnerability. Training them is a good start and can prevent some disasters, but the malware has gotten so sophisticated that it’s really impossible to completely stop. That’s why you need great software that can detect when a breach has occurred so you can deal with it quickly.

On the one hand, it’s one of the most exciting times to be in healthcare IT. We have so much more data available to us that we can use to improve care. However, with all that data and technology comes an increased need to make sure that data and technology is kept secure. The good news is that many hospital boards have woken up to this fact and are finally funding security efforts as a priority for their organization. Is your organization prepared?


E-Patient Update: Hospitals Should Share Ransomware Updates

Posted on October 14, 2016 | Written by Anne Zieger


A few weeks ago, a California hospital quietly fended off a ransomware attack without paying a ransom to the attackers. According to Health Leaders Media, Keck Medical Center of USC was hit with a ransomware assault on servers at two hospitals, but managed to fix the problem and retrieve its data.

Employees at Keck Hospital of USC and Norris Comprehensive Cancer Care found ransomware on two servers on August 1, said Keck Hospitals CEO Rod Hanners in a statement on the matter. The attack encrypted files on the servers, which made their data unavailable to hospital employees. However, Hanners reported, the hospitals had no evidence of a breach of patient information.

Still, given that some sensitive information was contained in folders encrypted by the malware, USC notified patients about the breach, Health Leaders reports. Data that could (at least theoretically) have been accessed by the attackers included names and dates of birth, health information such as treatment and diagnosis information and some Social Security numbers.

If what I’ve read is accurate, the crew at Keck did a great job. They got things under control very quickly, and chose to do the right thing in notifying patients about the breach. (And in all truth, the attack might not have been much of a big deal — perhaps one launched by a script kiddie using Ransomware as a Service tools — which could explain why the hospitals seem to be relatively unruffled.) Still, my feeling is that they could have communicated more.

A patient’s perspective

As I ponder the events above, I do wonder whether the professionals managing this particular ransomware attack understand what it’s like to be on the receiving end of a ransomware episode. So here’s a few things to consider from a patient’s perspective:

  • Ransomware is scary: While I’m a healthcare technology writer and somewhat familiar with ransomware attacks, they are still new to most of the public. They may turn out to be just another infection vector for your network, but they come across as a dark force to consumers. Be prepared to educate and calm us.
  • People don’t know what to expect: I was due to have a cardiac procedure done by a doctor affiliated with Washington, D.C.-based MedStar Health a couple of weeks after it suffered a ransomware attack. While the news media made it clear that the hospital chain was paralyzed for a time, nobody bothered to tell me what the impact of this paralysis would be. It would have been better if MedStar facilities and doctors reached out to patients in immediate and near-term need of care to clarify.
  • We need progress reports: Clearly, the Keck attack didn’t amount to much, but other ransomware attacks, such as the MedStar incident, can’t be resolved overnight. As patients, we need to know roughly how long our providers may be at less than full capacity. Keep us updated or you’ll lose our trust.

With any luck, healthcare organizations will continue to improve their ability to fight off ransomware attacks, and in time, be prepared to treat them as little more than road bumps in their security efforts. But until then, it makes sense to pull out all the stops and keep patients extra well-informed.

HHS OIG Says Unplanned Hospital EMR Outages Are Fairly Common

Posted on August 24, 2016 | Written By Anne Zieger

More than half of the U.S. hospitals responding to a new survey reported having had unplanned EMR outages, caused by a variety of common but difficult-to-predict technical problems, according to a new report issued by the HHS Office of the Inspector General. Some of these outages were merely inconveniences, but some resulted in patient care problems, the OIG report said.

The agency said that it conducted this study as a follow-up to its prior research, which found that both natural disasters and cyberattacks were having a major impact on EMR availability. For example, it noted, hospitals faced substantial health IT availability challenges in the wake of Superstorm Sandy, including damage to HIT systems and problems with access to patient records.

According to the survey, 59% of the hospitals reported having unplanned EMR outages. One-quarter said that the outages created delays in patient care, and 15% said that the outage led to rerouted patient care. Only 1% of outages were caused by hacking or breaches.

The most common causes, in order, were hardware malfunctions, Internet connectivity problems, power failures and natural disasters. (For more detail on the root causes of outages, see this great post by my colleague John Lynn.)

It’s worth noting that these hospitals were selected for having their act together to some degree. To conduct the study, researchers spoke with 400 hospitals that were receiving Meaningful Use incentive payments for having a certified EMR system in place as of September 2014.

Nearly all of these hospitals reported having a HIPAA-required EMR contingency plan in place. Also, two-thirds of the hospitals addressed all four of the HIPAA requirements reviewed by OIG researchers. Eighty-three percent of surveyed hospitals reported having a data backup plan, 95% had an emergency mode operations plan, 95% said they had a disaster recovery plan and 73% said they had testing and revision procedures in place.

Not only that, most of the hospitals contacted for the study were implementing many ONC- and NIST-recommended practices for creating EMR contingency plans. Nearly all had implemented practices such as using paper records for backup and putting alternative power sources like generators in place.

Also, most hospitals said that they reviewed their EMR contingency plans regularly to stay current with system or organizational changes, and 88% said they’d reviewed such plans within the previous two years. Most responding hospitals said they regularly trained their staff on EMR outage contingency plans, though just 45% reported training staff through the recommended drills on how to handle EMR system downtime. And 40% of hospitals that activated contingency plans in the wake of an outage reported that they saw no disruption to patient care and no adverse events.

Still, the OIG’s take on this data is that it’s time to better monitor hospitals’ ability to handle EMR outages. Now more than ever, the agency would like to see the HHS Office for Civil Rights fully implement a permanent HIPAA compliance program, particularly given the mounting level of cyberattacks endured by the industry. The OIG acknowledged that HIPAA standards weren’t crafted specifically to address these types of outages, so it’s not clear such monitoring can solve the problem, but the agency would prefer to forge ahead with existing standards given the risks that are emerging.