HIPAA’s Security Rule is as much about good business practices as it is about securing confidential patient information. Data integrity, one of the pillars of HIPAA’s Security Rule, contains overarching security themes that pose layered questions, such as, how does the system’s functionality allow you to know who has been in the system, what did the user do with the content after he or she accessed it, or did the system block a potential intruder who did not use the correct user ID and password?

When evaluating an EHR system, you want to ask how data validation functionalities work. So during the EHR due diligence, I would ask, “How does your EHR software enable the practitioner to generate quality measurement reports, (suggest you hold up the Meaningful Use Matrix), and how do we validate the data going into the system is accurate and placed in the correct fields?” As an EHR project manager, I request a data validation report on the third and fifth day of Go-Live week so that we can quickly catch and retrain data entry errors.

A sampling of questions to ask include:

1. Of my current health information exchange partners (labs, hospitals, pharmacies, imaging centers) where have you already built bi-direction interfaces with your EHR system?
2. Does your system send e-prescribing alerts based on the content in the patient’s medication history?
3. Does your system identify whether the drug is on the patient’s formulary?
4. Does your system gather data on our computer-generated orders?
5. Does your system generate a clinical summary?
6. Does your system capture billing codes and push them into our PM system?
7. Does your system identify patients with personal health records?
8. Does your system ensure data validation so I know my workforce is entering information worth reporting?

The physician’s responsibility is to ensure that the practice/organization has met more stringent HIPAA privacy and security safeguards and that the infrastructure, including encryption is in place to support secure exchange. Vendors cannot prepare policies and procedures for physicians; they’ll have their hands full building their own as covered entities. Meaningful use reporting is dependent on both physician and vendor meeting their responsibilities.

While my sister and brother battled terminal aggressive cancers, it was their caregiver who carried the pharmacological list of medications, nutritional supplements, allergies, adverse reactions, near fatal overdoses, sleep patterns, and vitals in a spiral-bound paper notebook. Between visits to oncologists, radiation oncologists, labs, and hospital rooms, the notebook became the hub of health information exchange. In 2006, my sister’s healthcare providers were part of a pilot site for health information exchange, but what had become “The Notebook” evolved into THE hard copy resource that her clinician’s relied on for subjective patient information. Even though each of the doctors could access her record electronically, they looked to the caregiver for the complete story, partly out of compassion, partly because they knew it was more complete than the picture they had, given the current state of health information exchange.

Content of your personal health record (PHRs) should include fields for the following: emergency contact information, payer information (subscriber, your relationship to the subscriber), name of primary care physician, allergies, medications (active and inactive), current medical history, current health concerns, family medical history, social habits such as drinking and smoking, surgeries. In a future posting, I’ll provide my list of favorite PHR companies, their cost, and what I like about them.

Privacy and Security in Disasters or Emergency Guidance

If the president declares an emergency or disaster and the secretary of HHS declares a public health emergency, the secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, as noted here:

» the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));

» the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));

» the requirement to distribute a notice of privacy practices (45 CFR 164.520);

» the patient’s right to request privacy restrictions (45 CFR 164.522(a)); and

» the patient’s right to request confidential communications (45 CFR 164.522(b)).

When and to what entities does the waiver apply?

If the secretary issues such a waiver, it only applies:

» in the emergency area and for the emergency period identified in the public health emergency declaration.

» to hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.

» for up to 72 hours from the time the hospital implements its disaster protocol.

When the presidential or secretarial declaration terminates, a hospital must then comply with all requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4). This guidance is available online at http://www.hhs.gov/ocr/hipaa/emergencyPPR.html.

Need help with Emergency Planning?

The following websites offer federally-developed planning tools.

1. Office for Civil Rights (OCR) the agency named to oversee privacy of confidential health information. This is HHS’s primary site for assisting you in emergency preparedness and disaster recovery planning and response. At its Web site, http://www.hhs.gov/ocr/hipaa/emergencyPPR.html, OCR provides links to its own planning documents and also provides links to other agencies inside and outside of HHS that have developed disaster recovery guidance tools (see number 2 in this list); other links will take you to the National Aging Network.

2. Agency for Healthcare Research and Quality. At AHRQ’s Web site, http://www.ahrq.gov/path/katrina.htm, you will find links to multiple tools and resources to assist in response and recovery efforts. Those that are most likely to affect a physician practice include

a. Personal protective equipment, decontamination, isolation/quarantine, and laboratory capacity

b. Computer staffing model for disaster preparedness response

c. Alternate site locator

d. Health Emergency Assistance Line and Triage Hub model

3. Decision tool to help you determine who, when, and how health information can be disclosed in emergencies. That tool is available at http://www.hhs.gov/ocr/hipaa/decisiontool/tool/source1.html.

Section 3012 of the Public Health Service Act (PHSA), as added by the HITECH Act, authorizes a Health Information Technology Extension Program to make assistance available to all providers, but with priority access to Health IT for the uninsured, underinsured, historically underserved and other special-needs populations, and use of that technology to achieve reduction in health disparities.

The major focus for the Centers’ work with most of the providers that they serve will be to help to select and successfully implement certified electronic health records (EHRs). Assistance is NOT limited to new users, but may also be provided to existing EHR users who need technical assistance to achieve “meaningful user” status.

Goals of the HITRC are to: encourage adoption of electronic health records by clinicians and hospitals; assist clinicians and hospitals to become meaningful users of electronic health records; and increase the probability that adopters of electronic health record systems will become meaningful users of the technology.

The centers shall offer to all providers in a designated region access to information and to some level of assistance. The regional centers will become, upon award, members of a consortium that will be coordinated and facilitated by the to-be-established Health Information Technology Research Center.

We expect that each HITRC will provide technical assistance within a defined geographic area, and that each defined geographic area will be served by only one center.

To apply to host a center, an entity may have to:

» Define the geographic region and the provider population within that region it proposes to serve.
» Describe proposed levels and approaches of support for prioritized and other providers to be served.
» Address how the applicant would structure its organization and staffing to enable providers served to have ready access to reasonably local health IT “extension agents” and provide training and on-going support for these critical workers.
» Demonstrate the capacity to facilitate and support cooperation among local providers, health systems, communities, and health information exchanges.
» Propose an efficient and feasible strategy to furnish deep specialized expertise broadly to all providers served and intensive, individualized, “local” presence from an interdisciplinary extension agent to smaller groups of providers assigned to individual agents.

Initially, HITRC would have to provide matching funds, but ONC proposes to exercise the option in the HITECH Act to not require matching funds for awards made in FY 2010. It anticipates providing $1 – $2 million per center, with the largest center receiving a maximum of $10 million.

Centers will begin to be awarded in the first quarter of fiscal year 2010 (October – December 2009), and awards will continue through the end of fiscal year 2010 (September 2010).

The comment period is open for two weeks, and must be received not later than 5 p.m., June 11, 2009. Electronic responses are preferred and should be addressed to HealthIT-comments@hhs.gov.

E9-12419 ONC Guidance on HITRC.pdf

Technology management and support helps determine the degree to which your clinic or practice can systematically and proactively manage technology assets. For example, you want to know the IT skill set of your staff, the current state of your organization’s technology infrastructure, your approach to technology planning, the existing technology management structures and technology project management capabilities. The technical assessment looks also at how well management and technology infrastructure can effectively support quality and operational goals.

A technical assessment can save thousands of dollars, simply by identifying what you have and what you need. High-level items in the technical assessment or checklist include completion of a security risk assessment and the processes and procedures you plan to implement to protect confidential health information, identifying interfaces, third-party software, networking and security needs, staff, IT support, clinic layouts, identification of hardware needs, tablet/notebook and licenses, wireless drops, phone jacks, and so forth.

Please contact us for a free copy of our IT Technical Infrastructure Checklist.

In the third of our readiness assessments or “environmental scans,” evaluate what kind of data you collect, how data are gathered, and where it is stored.  Old paper storage habits (a file here, another there) can easily translate into a messy and over-loaded server as well.

Start by knowing what data is collected? A typical list of health information in a medical record includes the following.

Clinical data:

» H & P’s
» Medication lists
» Encounter Notes
» Procedure reports
» Pathology reports
» Other labs reports
» Imaging results/reports
» Treatment Plans
» Diagnosis based documentation and treatment templates
» External Care (notes, reports, inpatient care)

Non-clinical Data:

» Demographics Sheet
» Insurance information
» Driver’s license
» Consent and authorization forms
» Emergency contacts

You are going to love how the EHR organizes all of these content fields for you. All of these content areas are housed in data fields so they are searchable. In EHR training, you learn how to put the right information in the right place so that the right person can access it at the right time. All of us develop storage habits while functioning in the paper world – most of them we don’t want to carry over into the EHR. In a data management assessment, look for the following:

How often does the same lab result get filed into the patient record?

How many times do you duplicate a patient record when you can’t find the original? And do you know which file is the original?

How often does health information get filed into the wrong folder?

As paper comes in to the practice, is it stored chronologically, or is it indexed?

The next assessment area is to know how you document the encounter.

How Do You Collect Data?

Paper records have been both a point of contention (Who has Mrs. Jones’ file?) as well as a comfort zone for physicians who are accustomed to writing. The traditional pen and paper process of capturing clinical notes does not have to be a major challenge for the staff and physicians during the transition.

Start by making a list of how your providers prefer to create content. Most likely this includes handwritten notes, typing, and dictation.

In an EHR, clinical information still goes into the medical record, but it now is captured electronically in one or more of the following ways:

» Point and click templates using drop down menus
» Free text (typing)
» Handwriting recognition (using a stylus)
» Medical imaging and graphics (drawings built in the software for markup with a stylus)
» Speech recognition using software
» Digital voice dictation using a transcriptionist

The physician leadership may say, “we’re all going to learn to type,” but to the typical visual learner, that means hunt and peck – head down focused on the keyboard rather than maintaining eye contact with the patient – lost productivity. Instead, start with where you are. For clinicians who want to continue dictation, consider voice recognition software or electronic dictation. Physicians who want to keep writing can learn how to use a stylus instead of a pen. Other physicians type the encounter into the EHR outside the exam room where you also may be generating lab orders and writing prescriptions.

Point and click and/or drop down templates and free text are standard in all EHRs, but handwriting, speech recognition and digital dictation require additional licensing fees for the software, well worth the cost to maintain the clinician’s productivity.

Of the many comments the FTC seeks is to identify entities that would fall under this ruling. We believe this rule will strengthen the trust consumers/patients have in sharing information in their PHRs with their health care providers. Major players entering the PHR market such as Google and Microsoft in March 2009 said HIPAA Privacy and Security Rules did not apply to them, but comments on the FTC’s NPRM may assist in helping the technology giants rethink compliance with privacy and security.  What do you think?

You can read the NPRM here.

Make comments to the NPRM here:

FTC Publishes Proposed Breach Notification Rule for Electronic Health Information

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. ARRA recognized new types of Web-based entities that collect or handle consumers’ sensitive health information. Some offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information, a real plus for patients managing chronic illnesses such as diabetes and heart conditions. Other online applications help consumers track and manage information in their personal health records, such as connecting a pedometer to computers and uploading miles traveled, heart rate, and other data. Patients with cancer can enter chemotherapy regimens, scheduled appointments, tumor staging, and recovery plans, a critical tool for cancer survivors. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

With respect to the scope of the proposed rule, the Commission seeks comment on (1) the nature of entities to which its proposed rule would apply; (2) the particular products and services they offer; (3) the extent to which vendors of personal health records, PHR related entities, and third party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities; (4) whether some vendors of personal health records may have a dual role as a business associate of a HIPAA-covered entity and a direct provider of personal health records to the public; and (5) circumstances in which such a dual role might lead to consumers’ receiving multiple breach notices or receiving breach notices from an unexpected entity, and whether and how the rule should address such circumstances.

We have had the pleasure of working with most of the DOQ-IT program leaders, building substantial friendships. We hope that their work will be a strong impetus to build on as physicians continue to select, implement and thrive in a health IT environment.

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties , including a provision that allows individuals to receive financial compensation for the violation.

If you are a business associate, your “To-Do” list looks similar to the list the covered entities complied with in 2004. These tasks include: appointing a Security Official; developing written policies and procedures, including physical safeguards, (such as locking computers that contain EPHI), and technical safeguards (such as encrypting emails); and training workforce on how to protect electronic protected health information (“EPHI”). Also, effective immediately:

» You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
» If you don’t have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
» For breaches involving more than 500 residents in one area, you must notify a “prominent media outlet.”
» You also must contact the Department of Health and Human Services. DHHS is establishing a website listing these breaches. There is an exception for certain unintentional breaches. Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or tasks assigned to the Security Official.

Penalties for ePHI Violations

The Office of Recovery Act Coordination, which reports to the Assistant Secretary for Resources and Technology (ASRT), will ensure that the Act’s requirements and OMB’s guidance are followed, including:

» Making sure that reporting due dates are met,
» Maintaining a repository of official HHS ARRA information,
» Establishing and tracking performance outcomes, mitigating risks, and
» Keeping the public constantly informed through the web and other means of communication.

This Office will coordinate and oversee all ARRA activities for the Department, and convene those involved in ARRA implementation to accomplish tasks in a timely manner. The Office will report to the Assistant Secretary for Resources and Technology (ASRT), since many of the Offices with which it needs to coordinate are within ASRT. Leadership will be provided by a new Deputy Assistant Secretary for Recovery Act Coordination. Most Recovery Act work will be completed by HHS Operating Divisions and the Office of the Secretary Staff Divisions, but this Office will have a dedicated staff to coordinate among the various organizations and prepare reports, updates, and compile official HHS Recovery Act material.

What to Do

Conduct a risk assessment to determine the practice’s security safeguards and vulnerabilities.

How to Do It

As you go through your risk assessment, assign a value from 1 to 5 for each risk/ Risks receiving a “1″ value indicate the risk is probably low, but still needs attention; a risk given a “5″ rating means the event, such as theft, breaking into the offices, fire, weather damage, has happened at least once, and is likely to happen again.

For those risks given a 3 or 4 rating, assign an owner or owners to manage those risks. For example, you’ve decided to purchase EHR software, and you’ll be purchasing new tablets for all the clinicians. Without even accessing a risk assessment, you can already build a list of potential problem areas, such as theft, malicious software, or damage from dropping. HIPAA’s physical safeguard standard, (45 CFR 164.310{b}) requires that you implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation that can access electronic protected health information.

You not only want to safeguard protected health information, you also want to safeguard your investment. The owners of this physical safeguard could be a lead physician, a nurse, and a lab technician.

If you are the Security Official and have any concerns about your responsibilities, or if you’d like a copy of our risk assessment, give us a call or send us an email. We’re here to help.

» Are you a healthcare provider that conducts transactions electronically?
» Are you a healthcare clearinghouse? (Do you process healthcare claims?)
» Are you a health plan? (insurance payer)

If you answered no to these questions, you are not a covered entity under HIPAA’s Privacy Rule. That said, you probably are more concerned about users sharing health information online that if stolen, could be used in identity theft.

Consumers (patients) often use social networking sites to keep friends and family members updated on health conditions. Or, using secure patient portals, patients (consumers) may create their own confidential and secure personal health records (PHR). These records typically contain information such as medications including dosages, allergies, health insurance plan, if applicable, emergency contact, current medical conditions – typically all the things you have to answer again and again on paper every time you see a doctor. Our nation is rapidly heading into an environment where consumers (patients) can store their health information on smart phones, online patient portals, or in portable devices, such as USB drives so that you can quickly provide information to an Emergency Room physician or your own doctor.

Patients are not covered entities, but they are responsible for creating, maintaining and sharing their own health information, a very smart thing to do, but it should be done on a secure PHR service, not on social networking sites. To find PHR companies, search online using keywords, “Personal Health Record software.”
Finally, we applaud social networking sites that demonstrate concern for their users privacy. With the rapid uptick in use, we recommend you put a notice on your site warning users to be cautious about providing identifiable information, such as date of birth (especially year), address, telephone number, or social security number.

If you are considering offering a patient portal service, first consult the services of a health law attorney.

Key words used by both House and Senate are “meaningful use” and “shovel ready”. In other words, everything is set in place ready to go, but just needs money to get it off the ground.  You’ve made a decision on your health IT system, you’ve completed your readiness assessments, and you’ve built a strategy to move forward. All you need now is money.  Where do you fit in the funding equation below?

» $18 billion through the Medicare and Medicaid reimbursement systems for hospitals and physicians who are “meaningful users” of HIT.

» $2 billion to the Office of the National Coordinator that must begin to be spent within 90 days of the legislation being signed into law on items such as the infrastructure necessary to allow for, and promote, the electronic exchange and use of health information for each individual in the United States; updating the Department of Health & Human Services’ technologies to allow for the electronic flow of information; integrating health IT education into the training of healthcare professionals; and, promoting interoperable clinical data repositories.

» $1 billion to be made available for renovation and repair of health centers and for the acquisition of health IT systems.

» $550 million for – among other things – the purchase of equipment and services including, but not limited to, health IT within Indian Health Service facilities.

» $400 million for comparative effectiveness research on how use of electronic data impacts healthcare treatments and strategies.

» $300 million to support regional and sub-national efforts towards health information exchange.

» $40 million to be used by the Social Security Administration to use EMRs to submit disability claims.

A good starting point is to complete a readiness and/or needs assessment. Several are available online, including one from the California Community Clinics EHR Assessment and Readiness Project.

Some specialties receive as much as 70 percent of health care information from outside sources, including information from hospitals, labs, diagnostic imaging centers, payers, referring physicians, patients and pharmacies.

The most common interfaces to manage that flow of patient information include:

» Practice management system
» In-house and outsourced Labs
» Medication management (in house pharmacy or e-prescribing)
» Pathology
» PACS (picture archiving and communication system)
» Inbound faxes (typically comes with the EMR)

Step 1 – Build an Interface Schedule

Lab interfaces take the most time to coordinate. Contact your lab representative at least 90 to 120 days before you plan to go live on the system.

The vendor’s e-prescribing component must be certified (such as by CCHIT or SureScripts/RxHub) for you to participate in CMS’ e-prescribing Reimbursement Incentive program. You may want to use the e-prescribing component early in your training.

Your EMR vendor will work with you to coordinate the interface with your PM system. Count on 60 days if they have interfaced with your PM system. Add 45 to 90 days if this is their first interface with your PM system.

Step 2 – Test the Interfaces

Fifteen to thirty days before training test the interfaces to see if you can:

» Order a lab test from the EMR to the Lab
» Receive results from the Lab into the EMR
» Produce a billable encounter into your PM system. Lab systems often push multiple bills for the same encounter. Do NOT skip this step.

Step 3 – Approve the Interfaces

Zero to fifteen days before training approve the interface and move it into production.

Step 4 – Move the Interface into Production

Your vendor will work with you to move your interfaces into production for training and go-live.

As part of your clearance procedures, determine which of the following you will do:

» Require a written application for employment.
» Require written proof of citizenship or resident alien status.
» Confirm prior employment history.
» Request professional/personal references and contact those references.
» Confirm educational history and practicing credentials.
» Verify licenses.
» Verify candidate’s compliance history with any regulatory or medical requirements relevant to employment.
» Conduct a criminal background check using a consulting service.
» Confirm application statements, as appropriate.
» Require up-to-date written documentation for Federal and state tax withholding and Social Security Numbers.

Document all assigned security clearances, such as passwords, building entrance pass, and office key to each workforce member, as appropriate. Expect workforce members to acknowledge in writing receipt of clearances and immediately inform the Security Official of any change in job responsibilities.

Authorize your Security Official to cancel immediately any clearances when notified that a member of the workforce’s employment has terminated for any reason.

Send the RFI to your top five vendors and ask them to respond within 30 days. Do NOT use this RFI to “kick the tires” with vendors. An RFI is your way of saying you are ready to do business.

Ask the vendor to explain costs for: licensing fees, ongoing service, technical support, maintenance fees, interface fees, training, and hardware costs. Your IT consultant can advise you on infrastructure enhancements you’ll need to make to your site.

Participate in online demonstrations, then narrow your selection to two vendors and invite them to come to your practice. During the visit, watch for the following:

Documentation Entry: How many clicks does it take to enter patient information? Does the documentation entry feel clumsy or does it seem logical? Does the system provide you with ample templates? Does the system support your documentation style–dictation, data entry (keyboarding), voice recognition, handwriting recognition?

Technical Support: Ask how often the company schedules an update (typically to fix a coding issue) or upgrade (usually because doctors have requested a new feature)? During the onsite demonstration, present the sales person with a situation you often see in your practice.

Interfaces: How many times has your EMR system interfaced with a practice management system used by gastroenterologists? How many times has your EMR interfaced with our laboratory information systems?

For more information on vendor selection, consult the Technical and Financial Guide to EHR Implementation, published by the American Medical Association.

The rule of thumb is based on the principle of threes. If there are three or fewer physicians in your practice, you should hire a part time consultant to coach an internal person through the implementation process. After your implementation, the consultant can hand off the day-to-day IT management to an internal person who also should participate in the vendor’s user groups, blogs or chats. Contract with a local IT group to assist with hardware updates, wired and wireless service and backup support.

Practices with four to nine physicians typically hire an IT consultant for a period of 18 months to help navigate the implementation process. This consultant is the physician advocate and holds the vendor accountable to contract terms, as well as to train an internal person to take over as part-time internal IT management. Practices with three or more specialties (OB-GYN, Cardiology, and Urology, for example) fit into this category.

Practices with ten or more physicians—or with more than one location—should hire a full-time IT person. We recommend you hire this person on a consulting basis first, and then bring them on full time if, after six months, you still want to work with this consultant.

When an event causes your server or the Internet to go down, your IT person or consultant will prove his or her worth times three. A good IT person will have a clinical or practice management background and understands clinical workflow in multiple specialties.