Posts Tagged technology

Tracking A Patient’s Every Move: HIPAA Compliance Risk

By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (“OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited to physician practices.

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why, after you search for a product on Google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology.

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure. 

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.” 

Covered entities that operate a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter into a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA-compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible.

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to seek a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: HIPAA, Legal Watch, Technology

What Are Some Common Challenges and Solutions for Medical Practices?

Regulatory compliance and technology are changing the landscape of the health care industry. New technologies, revenue cycles resolution and changes in leadership can all have a positive impact on your practice. Are you prepared to take on these new opportunities? In this article, Tammie Lunceford answers a few questions about how the landscape is changing and how facing these changes can help breathe new life into your practice.

Question: What are some of the common challenges you have seen in medical practices recently?

Answer: I often see revenue cycle problems. It is more difficult now than ever to get paid by the carriers and by the patient. As you know, we’ve had a shift from the carrier paying all of the health claims to now the patient has more responsibility over the costs, and it can be difficult to ask patients for money. Physicians are there to serve the patient and many feel uncomfortable asking the patient for money. I also see problems with adopting new technologies that are available, and problems where too much responsibility is on the front office…having them answer the phone and also deal face-to-face with the patient, which can be challenging. We also have seen a lot of highly qualified managers (Baby Boomers) leaving the market, which can lead to issues with changing leadership.

Question: Can you describe a couple of examples you’ve seen in medical practices where, with a few small changes, you saw a big impact.

Answer: I work with both large and small practices, and I have a couple of stories that I could share. One from this year was a Practice Assessment for a new client. The manager was overwhelmed because the practice had doubled in size over a four-year period. The physicians were overwhelmed because they were finding themselves making decisions for a large practice when they had been a small practice for so many years. Their revenue cycle manager, who had been very loyal to the practice, was not qualified to handle the new load, and they were having some financial issues. MACRA was approaching as a big project and they had no idea how to attempt that undertaking. Plus, throughout their growth, they had failed to build the appropriate infrastructure to adequately support the practice, like hiring a mid-level manager or supervisory staff to assist the manager in staying highly effective. So, after I identified these problems during the assessment, I worked closely with the group and over a short period of time we recruited and hired a revenue cycle manager who was effective and innovative. The practice’s profitability has increased, they relieved the front desk staff from answering the phones and allowed them to focus on the patients standing in front of them. Through coaching the group and the manager, they have been able to work more cohesively and make better decisions. They’ve identified some team leaders to lead other areas, and they are doing great. They are approaching projects more on their own now, but I’m still their advisor and have built a long-term relationship and I know we will continue working with that practice.

We also work with smaller practices. We received a call from a physician who was leaving a large practice and going out on her own to form a “boutique practice.” I assisted her early in her practice. She couldn’t afford a high-level manager to help her make decisions, so I became her advisor. I continued this over a five-year period and we have taken her from being too small to hire a manager to hiring a manager, to hiring to mid-level providers, and now we are about to hire a partner for her. I love forming these lasting relationships with managers and providers.

Question: What new changes are we seeing in healthcare as we move forward into the next few years?

Answer: Because we’ve seen a decline in reimbursement and collections over the last few years, it can be difficult for us to get physicians to invest in their practice because many are afraid. They want to hang on to their money rather than investing in their practice. They really don’t know where we are going in the future of healthcare, there are changes in the payment models, administrative burdens are at their highest, and manager and physician burnout is at its highest. There has never been a time where I’ve seen practices need advisory services more than now. I think with technology growing as quickly as it is, we will need to guide these physicians on what technologies they should incorporate and invest in to keep their practice vital.

Article contributed by Tammie Lunceford, Healthcare and Dental Consultant, Warren Averett Healthcare Consulting Group. Warren Averett is an official Gold Partner with the Medical Association.

Posted in: Management

You Can Help Improve Transparency in the Certified Health IT Market

Visit Open Forums in May to Inform a New Comparison Tool

Stop by to provide input at an upcoming open forum on the new EHR Reporting Program, which will provide publicly-available, no-cost, comparative information on certified health IT available on the market.

We are also providing a link for regional stakeholders to participate in the open forums virtually. Please note that the open forums are scheduled for two hours, but feel free to drop in when you’re available.

In the 21st Century Cures Act of 2016, Congress directed the US Department of Health and Human Services (HHS) to establish a new EHR Reporting Program, which the Office of the National Coordinator for Health IT (ONC) is currently developing. The goal of this program is to provide publicly-available, comparative information about certified health IT features related to security, usability, interoperability, conformance to certification testing, and other areas in order to improve the transparency of the market.

ONC has contracted with the Urban Institute and its subcontractor, HealthTech Solutions, to obtain stakeholder input on how to develop the EHR Reporting Program through public open forums across the country. Input from people like you will help determine:

  • What information should developers of certified health IT report? What information from users could be made available?
  • How that information is collected
  • How this information will be disseminated to the public (for example, would you prefer a product comparison website, data in a spreadsheet, or something else?)

Upcoming Open Forums

Public Health/AL Medicaid/AL Health Information Exchange
Monday, May 20, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/155156076

AL Primary Healthcare Assn (FQHC)/ Rural Health
Monday, May 20, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/432907928

AL Academy of Pediatrics/Primary Care
Monday, May 20, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/505593044

Health Systems/Hospitals
Tuesday, May 21, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/824124145

General Public Open Forum
Tuesday, May 21, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/806771227

General Public Open Forum
Tuesday, May 21, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/675043250

Can’t make any of these events? Watch for more events where stakeholders can make suggestions at: https://healthtechsolutions.com/EHR-reporting-program.

If you have any questions regarding the Open Forum, please contact Pam Zemaitis of HealthTech Solutions at Pam.Zemaitis@HealthTechSolutions.com.

Posted in: Technology

HHS Proposes New Rules to Improve Interoperability of EHI

Could new innovations in technology promote patient access and make no-cost health data exchange a reality for millions?

The U.S. Department of Health and Human Services (HHS) has proposed new rules to support seamless and secure access, exchange and use of electronic health information. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), would increase choice and competition while fostering innovation that promotes patient access to and control over their health information. The proposed ONC rule would require patient electronic access to this electronic health information (EHI) be made available at no cost.

“These proposed rules strive to bring the nation’s health care system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a health care system that pays for value rather than procedures, especially through empowering patients as consumers.”

CMS’ proposed changes to the health care delivery system support the MyHealthEData initiative and would increase the seamless flow of health information, reduce burden on patients and providers, and foster innovation by unleashing data for researchers and innovators. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. For the first time, CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information by 2020.

In support of patient-centered health care, CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. By ensuring patients have easy access to their information, and that information follows them on their health care journey, we can reduce burden and eliminate redundant procedures and testing, thus giving clinicians the time to focus on improving care coordination and, ultimately, health outcomes.

“Today’s announcement builds on CMS’ efforts to create a more interoperable healthcare system, which improves patient access, seamless data exchange, and enhanced care coordination,” said CMS Administrator Seema Verma. “By requiring health insurers to share their information in an accessible format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a health care future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” that is, practices that unreasonably limit the availability, disclosure, and use of electronic health information and undermine efforts to improve interoperability. Making this information publicly available may incentivize providers and clinicians to refrain from such practices.

ONC’s proposed rule promotes secure and more immediate access to health information for patients and their health care providers and new tools allowing for more choice in care and treatment. Specifically, the proposed rule calls on the health care industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. It also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. The proposed rule helps ensure patients can electronically access their electronic health information at no cost. The proposed rule also asks for comments on pricing information that could be included as part of their EHI and would help the public see the prices they are paying for their health care.

“By supporting secure access of electronic health information and strongly discouraging information blocking, the proposed rule supports the bi-partisan 21st Century Cures Act. The rule would support patients accessing and sharing their electronic health information while giving them the tools to shop for and coordinate their own health care,” said Don Rucker, M.D., National Coordinator for Health IT. “We encourage everyone – patients, patient advocates, health care providers, health IT developers, health information networks, application innovators, and anyone else interested in the interoperability and transparency of health information – to share their comments on the proposed rule.”

Policies in the proposed CMS and ONC rules align to advance interoperability in several important ways. CMS proposes that entities must conform to the same advanced API standards as those proposed for certified health IT in the ONC proposed rule, as well as including an aligned set of content and vocabulary standards for clinical data classes through the United States Core Data for Interoperability standard (USCDI). Together, these proposed rules address both technical and health care industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Aligning these requirements for payers, health care providers, and health IT developers will help to drive an interoperable health IT infrastructure across systems, ensuring providers and patients have access to health data when and where it is needed.

For a fact sheet on the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/newsroom/fact-sheets/cms-advances-interoperability-patient-access-health-data-through-new-proposals

For fact sheets on the ONC proposed rule, please visit: https://healthit.gov/nprm

To receive more information about CMS’s interoperability efforts, sign-up for listserv notifications, here: https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12443

To view the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/Center/Special-Topic/Interoperability-Center.html

Posted in: Technology

Plan While You Still Can

In our work with hundreds of medical practices, and in our Firm’s medical practice manager roundtable meetings, a common issue among medical practitioners is the uncertainty about the economic future of their medical practices.

Reimbursement levels may drop, many patients may choose medical coverage offered by a state-sponsored exchange, and the burden of changing technology is felt in many areas of practice. Since so many aspects of a medical practice are beyond the control of physicians, it is essential that doctors, in a private practice, exercise intentional control over the areas where they still can. This strategic planning is less daunting than many think, and can produce a more dynamic practice than you have experienced in years.

The process of strategic planning begins with an honest assessment of your practice’s current situation. Each physician’s candid opinions must be sought and considered in the development of an agenda for the group meeting. Since candor, among even the most collegial doctors in a given practice, may be difficult to elicit, consider having an outside facilitator conduct these interviews. Based on the content of each doctor’s concerns, build an agenda for the planning meeting. It is recommended that these meetings be held at a neutral site outside the office, but they can be held in the practice conference room as long as no physician is permitted to exert his or her authority by sitting in their “power” chair or heavy‐handedly controlling the agenda.

Prior to the actual retreat, the administrator and facilitator must assemble background information and construct schedules necessary to answer as many fact‐based questions as possible. The goal of these schedules is to lessen the likelihood that a decision is postponed for want of additional data or a projection of the impact of the decision. Physicians are among the worst at group decision making. Some are so accommodating of their partners that they permit everyone to have “veto power” over any issue. Others let one member of the group require that the matter be tabled until every conceivable question can be addressed. Some groups apply their appropriately cautious medical decision-making processes to business decisions, which are not nearly as lethal or consequential. Whatever the reason, these result in what we refer to as Decision Deficit Disorder in medical practices. This too is a reason to have an outside facilitator.

With an agenda built on the issues of concern to all members of the group and background material developed for each point, the meeting is a time to make strategic decisions and assign tactical responsibilities. Select one of the easier matters for first on the agenda to establish a quick tempo, gain a positive perspective and promote participation by the entire group. If painful issues must be addressed, these should be handled privately unless that avenue has been tried and failed.

A sufficient agenda would be five to seven decisions, depending on the magnitude of the topics. We have been involved in planning processes where more than ten issues were resolved, but a recent strategic process resolved five matters. In that instance, the group decided where to open a satellite office, determined to recruit two new physicians, renewed their commitment to reach out to referring physicians, decided to hire a marketing director for the practice and affirmed a plan to make their clinic days more accessible to patients. This proves that major things can happen when doctors focus on their own business needs.

Article contributed by Sae Evans, Maddox Casey and Jim Stroud, Members, Warren Averett Healthcare Consulting Group. Warren Averett is an official partner with the Medical Association.

Posted in: Leadership

Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, recent focus with regard to HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication to access your electronic system remotely? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in the May 2018 OCR Cyber Security Newsletter, the Office for Civil Rights (OCR) reminded providers that, in the midst of electronic security, appropriate physical security controls are also an important component. The HIPAA Security Rule requires that all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) accessing PHI must have physical safeguards in place to restrict access to authorized users.

According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy computer screens, cable locks, port and device locks (preventing access to USB ports or removable devices), positioning work screens in a manner in which they cannot be viewed, locking rooms that store electronic equipment, security cameras and security guards. Of course, which methods are appropriate for each provider will vary based on the provider’s risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Technology

Phishing Schemes Can Paralyze Your Medical Practice

“Phishing” occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also purport to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant impact on the health care industry.

What Is “Spear Phishing”?

Spear phishing is a specific kind of phishing that customizes its attack to specific individuals. For instance, the perpetrator may study an individual’s social media profiles and send them an email that appears to be from a co-worker or organization that they belong to. Just as with normal phishing exercises, the goal is for the target individual to click on a fraudulent link or attachment that will either provide the perpetrator with personal information or provide an opportunity to introduce malware into their computer system.

How Are Phishing Schemes Impacting Health Care Entities?

The threat of phishing activities to health care entities has steadily increased. Perpetrators are learning that the types of identifying information that health care entities obtain and maintain are the exact types of identifiers they need to participate in a wide range of fraudulent activity, from filing false tax returns to credit card fraud. These identifiers include data that health care professionals work with daily, like date of birth, social security numbers and health plan information.

When health care professionals fall victim to these phishing schemes it can threaten their entire organization. With the widespread use of Electronic Medical Records (EMRs), compliance professionals are seeing ransomware attacks on the rise as entity administrators attempt to recover their vital data.

Reduce Your Risk

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of an attack.

Identify Phishing Activity

  • Often these fraudulent emails will have email addresses or links that are misspelled. For example, instead of customerservice@regionsbank.com, it may have customerservic@reggionsbank.com. Those variations are small and often overlooked.
  • Be careful about the information that you share on social media. Try not to post personal information like your address, phone number and birth date.
  • Be suspicious about sites that attempt to redirect you to other similar looking websites.
  • If you think an email looks suspicious, contact your supervisor or HIPAA Security Officer so that it can be investigated properly.

Report Phishing Attempts

If you believe that you or someone that you know may have been the victim of a phishing attempt, there are a number of authorities that receive these reports and act to minimize their impact.

  • You may file a report with the Federal Trade Commission (FTC). Reports can be sent electronically at FTC.gov/complaint.
  • Reports can be made to APWG at reportphishing@apwg.org. This is an anti-phishing workgroup that analyzes and fights cybercrimes.
  • Always notify your IT support staff or your HIPAA Security Officer when you believe that you have received a fraudulent email so that they can investigate the email and take action to minimize the threat.

If you have questions regarding phishing and malware, or if you believe that it is time to update your entity’s policies and procedures, please consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.

Posted in: HIPAA

What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 highlighted how computer files could be held hostage in return for payment, while the Dyn denial-of-service attack in October 2016 highlighted how websites like Airbnb and Twitter could be made inaccessible. Cyber threats are on the rise within the health care industry, as the information gained as a result is lucrative. Thus, it is important that every physician practice take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in measures that will be most relevant to your practice. For instance, practices that host websites must preempt denial of service attacks, while those that hold private customer information electronically must prevent unauthorized access to their data. Of course, many practices will likely be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued, and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices in order to assess their security status relative to others. In addition, the website for the Office for Civil Rights, the government entity responsible for HIPAA compliance, contains guidance on various cybersecurity topics that may also prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should strive to use the most up-to-date software and avail themselves of periodic releases of software updates. Cyberattack methods constantly evolve, and older versions of software are more vulnerable to newer and more complex threats. For example, victims of the WannaCry ransomware attack were mainly those organizations that ran older versions of Windows operating software. Practices should also consider regularly backing up data and insulating that data from their computer network, segmenting their computer network, and monitoring network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often employ phishing scams by sending emails with attached malware to individuals who then promptly download the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.

Given that malicious emails are often sent by seemingly familiar senders, practices should teach employees how to spot subtle clues that indicate dangerous emails. For instance, employers should instruct employees to check whether the domain name of the originating account is a “near-miss” from what would be expected. For example, an employee who notices the difference between “dot com” and “dot co” could avoid hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take instructed precautions against phishing attacks, practices should send their employees emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but at least the chances of doing so may be reduced.

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official Bronze Partner with the Medical Association.

Posted in: Technology


Report: EMR Industry Must Reckon with Physician User Frustration


ROCKVILLE, MD – A new study by health care market researcher Kalorama Information has found that physician frustration over the use of EMR systems will be a trend for vendors to deal with. Previously, incentives paid to providers to buy and use electronic medical records were enough for a market boost, but now user frustration is driving vendor switches and contributing to implementation costs. Kalorama has covered EMR for a decade and has issued a new report: EMR Market 2017: Electronic Medical Records in an Era of Disruption.

Kalorama based its findings on attendance at the 2017 HIMSS conference, and from vendor and end-user consults.

“During the HIMSS 2017 conference, discussions revolved around physician dissatisfaction with EMRs,” said Mary Ann Crandall, author of the report. “Physicians still feel that vendors are missing the mark when addressing the needs of physicians.”

Physicians have repeatedly complained that EHRs are difficult to use. Many EHR interfaces are awkward and non-intuitive, creating more problems than solutions. Physicians are not convinced that EMRs will cut costs or help to provide better and safer care. One of the reasons for this may be that vendors do not seem to be in touch with what physicians need in their individual practices. Furthermore, EHRs often get in the way and slow users down because of the way they are configured or because they are not convenient to use. Most EHRs are not designed to help physicians juggle the simultaneous tasks they all face, like answering a question about one patient while in the middle of writing a prescription for another. The problems are compounded because most of the programs on the market were developed many years ago, before today’s sophisticated interface tools existed.

“Furthermore, physicians get tired of having to sign into multiple hospital systems to locate data on their patients. Smartphones, iPads and the Internet are so intuitive and well integrated that they make EHRs look even worse,” said Crandall in the report.

A survey of nearly 3,000 physicians reported that most physicians do not like the Affordable Care Act and many of them do not like EMRs. Only 30 percent of the physicians surveyed think that EMRs will have a positive effect on the quality of care. One big reason for the sour feeling is that Medicaid and Medicare reimbursement continues to fall, and Medicaid will cover many of the 32 million uninsured individuals targeted to be insured under the law. The survey also did not show a lot of support for accountable care organizations, which are an emerging payment model authorized in the reform bill.

Crandall said physicians feel that there needs to be a concentrated effort to focus on evidence, accuracy, how it is integrated with the physician’s EMR and how it is integrated within the practice. According to Michael Hodgkins, AMA CMIO, physicians are spending twice the amount of time on deskwork and EHR maintenance, including 38 hours a month spent on EHRs after work hours. This is creating dissatisfaction and contributing to burnout for physicians. Michael Hodgkins further stated that physicians just want to provide high-quality care, but EHR work seems to get in the way. At the same time, practice sustainability and changing reimbursement models that favor scale and shift risk to the providers are leading many practices to merge or sell out altogether. Simply, physicians are overwhelmed with platforms, apps, regulations and computer work.

Several vendors are listening to the physician complaints and are attempting to make changes. Kalorama reported in April that Allscripts is developing separate workflows for mobile devices and desktop computers, and will focus on touch speech recognition and other non-keyboard interfacing techniques that will help to improve physician perception.

Kalorama notes that while there are a few leaders in the EMR market, there isn’t much brand and mind share and there are few favorites among physician users. Greater detail on these trends is included in Kalorama Information’s report, EMR 2017: Electronic Medical Records in an Era of Disruption.

Posted in: Management


Between Doctors & Patients…Technology in the Treatment Room


Editor’s Note: This article was originally published in the Spring 2016 issue of Alabama Medicine magazine

Love them or hate them, electronic records are here to stay.

Electronic health records, or EHRs, are an evolution of the electronic medical records, or EMRs, that some medical practices use internally. EMRs are a digital version of the paper charts containing the medical and treatment history of the patients in one medical practice. EMRs have advantages over paper records in that they allow physicians to track patient data over time, identify which patients are due for preventive screenings and checkups, and monitor overall quality of care within the practice.

EMRs, however, are not built to travel easily outside the medical practice should the physician need to send the patient to another physician. This is where EHRs are intended to pick up and be more effective. EHRs are built to share patient information between medical practices, laboratories, hospitals and other health facilities. Should your patient be seen in the emergency room, EHRs are supposed to allow you to view those charts and results, including all the physician’s notes, labs and any films.

That’s how the system is supposed to operate. While the EHR systems work well for some, mostly larger practices and specialty physicians, they cause more problems than they solve for others, particularly smaller practices and family care physicians.

The surgeons with Alabama Orthopaedic Specialists, PA, in Montgomery, began looking for a solution to their charting issues in 2006, long before federal regulations started to trickle down concerning electronic records. Finding the best solution for the practice didn’t happen overnight. It was a process, according to practice manager Ron O’Neal.

“It took a little while for us to discover exactly what this would mean to the practice…the good and the bad…and it needed to be something everyone was on board with,” O’Neal explained. “It took time for us to come up with a checklist of everything we wanted and needed our EHR to do. It was important we found a system that would work for our practice instead of our practice working for that system, so we took our time.”

Michael Davis, M.D., a surgeon with Alabama Orthopaedic Specialists, helped lead the search to find the perfect EHR for the group and agreed with O’Neal that while the search for the best system may have seemed long, it was for a good reason.

“Historically we had paper charts. So, when a patient would be seen by one of our physicians yesterday and referred to me today didn’t really have any idea why they were seeing me and would expect me to know why they were here. It would take time for me to collect the paper chart, if everything was there, and sometimes re-interview the patient. That took a lot of time. If you don’t have to filter through all those notes to get to the bottom of the problem when someone else already has, you save a lot of time. You’re not duplicating tests and x-rays, and patients aren’t exposed to more tests or irradiated more than once just because you can’t get your hands on those results,” Dr. Davis said.

For Dr. Davis, having the EHR in hand can make explaining a complicated procedure a bit smoother when the tool can be used to illustrate the nuances of a surgical procedure by showing the patient his or her x-rays, MRIs, and other test results. But, the EHR is just that…a tool, which Dr. Davis is quite mindful of making sure doesn’t become an intrusive object in the treatment room.

Yet, Dr. Davis and O’Neal agreed EHRs work better for specialties than with family practices when considering the diagnostic possibilities family physicians face with their patients. What’s streamlined in a specialty is often wide ranging in family practice.

Maarten Wybenga, M.D., a family physician in Prattville, hasn’t made the switch from paper charts to EHRs and doesn’t have any plans to in the immediate future. For Dr. Wybenga, e-prescribing and electronic billing are sufficient to keep the federal mandates at bay.

“I’m always going to be ‘pro-the-patient.’ I never jump on the bandwagon when something new comes out. I want to read the research, see how it works first before I start using it with my patients. It’s the same with technology in the medical office,” Dr. Wybenga said. “I’ve wanted to stand back and watch it a little rather than jump right in. When things started getting interesting with electronic records, we talked about it. Should we do this, or should we wait and see what’s going to happen? Should we give it a year or two? As we watched the technology arena grow and grow, the software companies exploded. There were just too many offering too much. We keep watching, but I’m just not satisfied, and I haven’t made that decision. To this day, we’re still on handwritten medical records.”

According to Amy Wybenga, Dr. Wybenga’s practice manager and immediate past president of the Alliance to the Medical Association of the State of Alabama, the number of reasons against using EHRs in the practice simply outweighed the positive outcomes.

“No one could give us a good, sound reason of what benefit it would be to us or our patients if we changed over. For our practice, the negative reasons definitely outweigh the positive reasons,” Wybenga said. “We would have to cut down on the number of patients we could serve for at least a year because it could take up to that long for us to switch everything over, and it would slow us down too much. Being a family practice in a rural area, there’s just no way we can cut back on the number of patients we see. Those patients have to be seen. Why would we go to a system that would slow us down even more, something that we can’t share with anybody, would still have to print off information to fax or email to other doctors because it won’t communicate with other systems…where’s the benefit?”

One gastroenterologist who just started a new practice in January using paper charts, Bradley Rice, M.D., of Huntsville, who is also a member of the Association’s Board of Censors, is working to make the transition to EHRs a seamless one for his staff and patients.

“I actually try to use the computer a small amount of time while in the room with a patient. I talk with the patient and take notes on a sheet I have designed,” Dr. Rice noted. “I prefer to speak with the patient instead of talking to them while looking at a computer, so I wait until the end of the appointment to then work on the computer, then escort them up to the check-out area. My goal is to make sure the patient feels comfortable and understands that I am there to meet with them instead of focusing on the computer in the room.”

Dr. Rice and his staff have seen both sides of the EHR coin and agree with Dr. Davis and O’Neal that the initial setup of a system can be difficult and costly. It takes time to scan and input data into a new system, but once the system is online, it can help with documentation and accountability.

Interoperability was one of the initial selling points for EHRs from the Office of the National Coordinator for Health Information Technology. Fully functioning EHRs are designed to “talk” to other systems. However, many physicians are finding this may not be the case, and after years of voicing complaints through their medical societies and associations, their concerns seem to be getting through.

Department of Health and Human Services Secretary Sylvia Burwell recently announced the nation’s top five health care systems and companies, which provide EHRs covering more than 90 percent of hospital patients, have agreed to principles designed to improve patient access to health data and eliminate the practice of data blocking. These groups have also agreed to adopt federally recognized, national interoperability standards by 2018.

To unlock the data and make it useful to physicians, the companies have agreed to:

  • Implement application programming interface (API) technology so smartphone and tablet apps can be created, facilitating patient use and transfer of health care data.
  • Work so physicians can share health data with patients and other physicians whenever permitted by law, while not blocking such sharing either intentionally or unintentionally.
  • Use the federally recognized Fast Healthcare Interoperability Resources data standard.

In late 2015, the Medical Association led a coalition of nearly 40 Alabama specialty and county medical societies in asking the Alabama Congressional Delegation to support the Patient Access and Medicare Protection Act, which granted the Centers for Medicare & Medicaid Services the authority to expedite applications for hardship exemptions from Meaningful Use Stage 2 requirements for the 2015 calendar year. President Obama signed the bill.

Because CMS didn’t publish the MU Stage 2 final rule until Oct. 16, physicians weren’t informed of the requirement until fewer than the 90 required days remained in the calendar year, leaving most in a penalty-assured lurch. CMS extended the deadline for physicians to apply for MU hardship exemptions to the EHR incentive program. The new deadline is now July 1, 2016. The extension is being granted “so providers have sufficient time to submit their applications to avoid adjustments to their Medicare payments in 2017.” The new application forms and instructions to file a hardship exemption are on the CMS website.

For physicians contemplating switching from paper charts to EHRs, Dr. Rice and his office staff offer these tips:

  1. Always remember, “Treat the patient, not the computer.”
  2. Think about the big picture in terms of technology and how the flow and setup will affect the office. For example, how many screens, what type of computers, scanners, etc., should I choose? Who will be using these computers? Laptops vs. desktop computers in treatment rooms? A personal analysis needs to be conducted of what type of layout/format fits your practice.
  3. Choose a good program that has excellent technology support. Make sure to choose the correct computers and equipment necessary for the EHR program that is chosen for your practice.

Article by Lori M. Quiller, APR, director of communications and social media

Posted in: Uncategorized
