Category Archives: Electronic Health Records

White House Cyber Security Plan Focuses on EHR Management

According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.” Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers.

According to Schmidt, “[o]ne-person physician offices have to be part of this system.  They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.”  The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs).   This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.

Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation.  Indeed, some have argued that one of the goals of the Act, i.e.,  the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.  

To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should apply a holistic approach to security and privacy grounded in general risk management principles. This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process. As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address). Several of the linked presentations address risk assessments and other security considerations of interest to providers and those who advise them.

OCR Website Posts List of Breaches As Required Under HITECH Act

On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office for Civil Rights (OCR) posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information, OCR has met the HITECH Act obligation requiring the Department of Health and Human Services (HHS) to make this information public on an HHS website. The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.

Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several mailings that contained protected information. As well, there were a number of hacking incidents, a few of which involved compromises of business associates.

It remains to be seen whether this public display will shame companies into not losing laptops or falling victim to theft. What is clear, however, is that having your name listed on a public site will expose you to greater potential litigation expense.

Still Looking for Guidance on EHR

Electronic health records (EHR) should be on the risk management fast track. First, the FTC promulgated regulations that will require most hospitals to implement a written ID theft prevention program by June 2010. California and a few other states have already started requiring that healthcare providers implement technical and physical safeguards to protect patient medical information. And now the implementing regulations for Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), are just starting to change the EHR landscape. Thankfully, the HITECH Act provides significant funding for the development of this nationwide health information technology infrastructure. Specifically, the law provides financial incentives through the Medicare program to encourage physicians and hospitals to adopt and use certified EHR technology.

The keys to the EHR kingdom turn on whether you are actually a “meaningful EHR user”. Although some guidance was provided by an HHS working committee in June 2009, and further guidance in the form of a proposed rule was provided on December 30, 2009, a final rule on the definition has yet to be delivered.

According to the HHS December 30, 2009 Press Release, “The proposed rule would define the term “meaningful EHR user” as an eligible professional or eligible hospital that, during the specified reporting period, demonstrates meaningful use of certified EHR technology in a form and manner consistent with certain objectives and measures presented in the regulation.  These objectives and measures would include use of certified EHR technology in a manner that improves quality, safety, and efficiency of health care delivery, reduces health care disparities, engages patients and families, improves care coordination, improves population and public health, and ensures adequate privacy and security protections for personal health information.”

What exactly does this nested and partially circular definition mean to someone looking for guidance? Not very much. Until the term “meaningful EHR user” is finalized, the question of just how far-reaching the HITECH Act will become remains open.