Archive for July, 2008
-
0 What Makes a Great Pediatric EHR?
Jul 31, 2008. Insight. A great pediatrician is caring, attentive, available and knowledgeable; a great pediatric office is full of people with these qualities; and a great pediatric EHR allows the doctor and staff to demonstrate what makes them great. Being able to express a caring persona by adding an alert to a child’s record (reminding to ask about Tigger, the family cat) may seem like fluff to the doctor, but the family sees this as a good quality. Let’s consider the remaining qualities of a great pediatrician: attentive, available, and knowledgeable.
-
2 Open and Closed Medicine
Jul 31, 2008. Insight. Medicine is practiced essentially the same way now as it was several hundred years ago. There are new techniques, equipment, tools, materials, etc. However, the way a patient interacts with his/her physician is essentially the same.
A patient goes to see his/her doctor. The doctor gives the patient an examination and a diagnosis, documents this examination and diagnosis in the patient’s chart, gives orders or a prescription that they expect will be adhered to, and the patient leaves.
This is essentially the same process that has been followed for well over a hundred years. Some of you may say, of course, it is a refined and hallowed method that has been proven repeatedly. However, this scenario describes a “closed” form of medicine. “Closed Medicine” describes a healthcare system that is unable to openly share health-related information electronically, and in a timely, private and cost-effective manner. “Open Medicine” describes a healthcare system with openly available electronic patient health information shared freely between patients and their healthcare providers in a timely, private and cost-effective manner. Open Medicine has the potential to improve healthcare delivery in a dramatic way. Closed Medicine perpetuates the old model of healthcare delivery.
-
0 Who’s Who – Vulnerabilities and Threats
Jul 21, 2008. Insight. As we saw last time, Section 164.308(a)(1) of HIPAA requires you to conduct a risk analysis. We covered some basic definitions to help you understand what a risk analysis is, and what it involves. This week, we cover some basic categories of vulnerabilities and threats, which you must identify as part of your risk analysis.
Identify potential vulnerabilities – Vulnerabilities are weaknesses in your computer systems, networking gear, your staff, and your office building.
Access Controls – Check all user accounts for strong passwords. Make sure your data is protected with file and sharing permissions. Make sure your staff has access based on the “need to know” concept.
Network Security – Make sure you have a firewall on each computer as well as between your network and the internet. Configure your firewall to deny all connections unless you explicitly approve them. Make sure your wireless network is protected with maximum strength encryption.
Malware Protection – Make sure your computers have anti-virus and anti-adware and spyware software. Make sure all your machines stay current with Windows updates.
Backups and Storage – Make sure you have local and offsite backups. They should be protected with encryption, file permissions, and other controls. Also consider purchasing battery backups for your computers and networking gear.
Physical Security – Make sure to secure your office against fire and theft by keeping your doors locked and installing security and sprinkler systems.
Staff Habits – Train your staff to be aware of fraudulent emails and instant messages, and never to give their password out to anyone.
Identify potential threats – Threats are forces that will exploit your vulnerabilities, and they can be difficult to determine. Threats can be broken down into four categories: natural, human, software, and environmental.
Natural – Natural threats are things like floods, earthquakes, tornados, and hurricanes. Unfortunately there is nothing you can do to prevent them. Adequate offsite backups will reduce the risk posed by these threats.
Human – Human threats are most commonly your own employees. They may accidentally delete your data or break your computer systems. Employees may also maliciously destroy or steal your data or computer systems. Ex-employees, hackers, patients, and pretty much anyone else could be a potential threat. Luckily fixing the vulnerabilities listed above will drastically reduce the risk posed by human threats.
Software – Software threats consist of viruses, worms, Trojan horses, adware, spyware, and any other malicious software. Adequate anti-virus, anti-spyware and strong firewalls will all but eliminate the risk posed by these threats.
Environmental – Environmental threats include fire and power outages. Like natural threats, there is little you can do to prevent these threats. Making sure your sprinklers, smoke detectors, and fire extinguishers work can help mitigate the risk. Consider also that most damage from a fire occurs from water sprinkler systems and the fire department. You may choose to cover your computers with tarps when the fire alarm goes off. Installing battery backups will help minimize the risk of data loss from power outages.
Identifying vulnerabilities and threats is key to performing a risk analysis, which you need to do periodically to comply with HIPAA. Vulnerabilities are the most important. They affect your computer systems, and luckily there are many controls you can use to fix them. Threats are almost always outside of your control, and they can be difficult to identify. Keep these basic vulnerability and threat categories in mind when you begin your risk analysis.
Join us next week for a basic how-to guide for conducting your risk analysis.
Ryan Ricks
Security Officer
www.xlemr.com
-
1 PHRs: The Next Big Thing?
Jul 14, 2008. Insight. Magazines and newspapers are spilling much ink over Personal Health Records (PHRs), the latest piece of IT that will fix healthcare. I asked my small-practice doctor a few weeks ago what he would do if a patient presented him with a PHR. Not much, he answered (first I had to explain what it is.) No insurer would pay him to populate the data and it isn’t integrated with his (limited) PPM system. The patient would be welcome to a copy of his medical records (for an exorbitant “handling & copying” fee) to populate the PHR himself, but good luck making out the doctor’s handwriting, medical abbreviations and terminology. If one had seen specialists, those separate records would need to be secured and entered as well.
The PHR hype is in full swing, and it will likely take a decade minimum for a majority of patients to have PHRs. I doubt most people will even look at their PHR even if they have one. Progressive insurers like Aetna offer members a pre-populated PHR based on claims data. In the long term, this will help Aetna improve care, reduce errors and lower costs. Follow the money and one will see the adoption path PHRs follow.
As with all technologies, the question of standards is arising with PHRs. AHIP has taken a good first step in creating a standard that is expected to be ready by December of ’08. The standard includes data set and portability requirements to take into consideration a person’s change in employers and health plans.
Some payors like Medical Mutual of Ohio and Anthem BCBS have PHRs that align with the AHIP standard. Time will tell how PHRs are accepted by consumers. Nationally, CCHIT, the Certification Commission for Health Information Technology, will be certifying personal health records (PHRs) next year. Criteria will be proposed in April, 2009, along with a comment period. Certification will officially start in July 2009.
CCHIT’s certification of EMRs met with mixed reactions early on, with smaller vendors crying foul over the $20,000 fee. Since then, it’s become a somewhat important stamp of approval in large enterprise purchasing decisions. This will likely happen with PHR certification as well.
Locally here in Massachusetts Blue Cross Blue Shield of Massachusetts partnered with Google Health to enable members to import their claims data into their Google Health profile. BCBSMA says that members with Google Health PHRs will be able to share data with healthcare providers who currently don’t have access to their data. Also, they can download medical records and prescription history from other connected providers.
By Shawn Whalen, SVP & Director, Healthcare IT Practice, Schwartz Communications
-
0 New Haven: Scanning the Environment to Capitalize on Emerging
Jul 12, 2008. Insight. In January 2007, New Haven, Conn. received a $3 million grant from the Center for Community Health Leadership to help the city create a community-wide health information exchange (HIE) to support the exchange of data with community physicians.
-
1 Security Risks- What’s the Rule?
Jul 10, 2008. Insight. The first step towards compliance with the HIPAA Security Rule is to perform a risk assessment on your system. You aren’t required to do this yourself (you may choose to hire a consultant), but you will be expected to understand the assessment findings. So what are ‘risks’, and how are they measured? Let’s start by defining some terms as they appear in the Rule.
Section 164.308(a)(1) requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.” In this statement:
“EPHI” stands for Electronic Personal Health Information. This includes all medical information related to patients in your care.
“Vulnerabilities” are weaknesses in the way your system handles information. This can mean anything from inadequate physical security at your office (such as locks and alarms), to employing out-of-date software, to failing to employ the security features included in your software (not creating passwords, etc.).
Threats are forces that will exploit vulnerabilities. This can mean people, such as disgruntled employees, burglars and hackers, or it can mean things like fires, floods, earthquakes and tornadoes.
“Risk”, therefore, is a calculation of two things: first, the probability that a given threat will exploit vulnerabilities in your system, and second, an estimate of how much damage would be caused by that exploitation. Risk is hard to assess; the factors involved are often subjective. Just because an event has a low probability level doesn’t mean it can’t or won’t happen, and highly probable events with risk assigned might not impact your system security at all.
For instance: a viral infection on a computer in your system is highly probable, but the likelihood that the infection would lead to a system failure or security breach is small, so it would be considered a low-risk scenario. If a burglar, however, were to break into your office and steal all of your equipment, there is a 100% chance that your data will become unavailable to you and a good chance it may end up in malicious hands. Even if the crime rate is low in your neighborhood, this would be considered a high-risk scenario.
No matter what your assessment finds, when you address the vulnerabilities of your system and (where possible) eliminate threats, you reduce your overall risk levels. This is the best way to ensure you’ll be in compliance with the Rule.
Join us next week for some tips on how to conduct your risk analysis.
Ryan Ricks
Security Officer
ryan.ricks@xlemr.com
www.xlemr.com -
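An added illustration, not part of the original posts: the risk calculation from the July 10 post applied to a small register built from the threat and vulnerability categories in the July 21 post. The 1-3 scales, the split of probability into threat frequency and exposure, the rating cut-offs and every register value are assumptions made for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    threat: str         # force outside your control (burglar, virus, outage)
    vulnerability: str  # weakness the threat would exploit
    frequency: int      # 1-3: how often the threat event is expected
    exposure: int       # 1-3: how open the weakness is (3 = no control)
    impact: int         # 1-3: damage to EPHI if the weakness is exploited

def score(s):
    # Probability side (frequency x exposure) times the damage estimate.
    return s.frequency * s.exposure * s.impact

def rating(value):
    # Assumed cut-offs on the 1..27 product; the Rule does not define them.
    if value >= 9:
        return "high"
    return "medium" if value >= 4 else "low"

def assess(scenarios, fixed=()):
    """Rank scenarios by score; `fixed` names vulnerabilities now controlled."""
    rows = []
    for s in scenarios:
        if s.vulnerability in fixed:
            # A control closes the weakness; the threat itself is unchanged.
            s = replace(s, exposure=1)
        rows.append((score(s), rating(score(s)), s.threat))
    return sorted(rows, reverse=True)

# Constructed register for a small practice; every value is illustrative.
REGISTER = [
    Scenario("virus infection", "malware on workstations", 3, 1, 1),
    Scenario("office burglary", "no offsite backup", 1, 3, 3),
    Scenario("power outage", "no battery backup", 2, 3, 2),
    Scenario("ex-employee login", "weak or shared passwords", 2, 3, 3),
]

if __name__ == "__main__":
    print("before:", assess(REGISTER))
    print("after: ", assess(REGISTER, fixed=("no offsite backup", "no battery backup")))
```

With these values the frequent virus infection rates low and the rare burglary rates high, and adding offsite backups and battery backups lowers two ratings while the password weakness stays at the top of the list.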
0 California health district deal would eliminate faxes
Jul 3, 2008. Government Initiatives, News.
Government HealthIT
The organization has tapped Novo Innovations, a vendor of health information exchange software, to improve data sharing with its physician practices. The San Diego-based health care delivery system will initially use the technology to deliver electronic results and reports, including admission/discharge/transfer data in the form of face sheets, transcriptions, and the results of radiology, pathology and lab tests. -
0 E-prescribing groups merge networks
Jul 1, 2008. News, ePrescribing.
The Standard
Two large electronic prescribing networks, one operated by retail pharmacists and the second by pharmacy benefit groups, have merged in an effort to push forward the use of e-prescriptions in the U.S., the networks announced Tuesday.






