Safe EMR Use

January 10, 2013

Vendors Can Raise EHR Safety, Lower Business Risks Through Patient Safety Organizations

Physicians are disturbed when patient care is put at risk due to a problem caused by their use of an electronic health record (EHR).    Although they will generally tolerate the situation when their reported problem is effectively managed in a transparent manner, there are a number of situations that engender scorn for their vendor.   The most common scorn-generating situation is when they feel that the patient safety issue they reported has not received a high enough priority from their vendor.   These situations should, and often do, resolve when the doctor and vendor communicate a clear understanding of the problem and circumstances.  

But it is another situation that I think is much more frustrating.   A physician’s expectation is that EHR vendors respond to patient safety issues in the same manner physicians respond to adverse medical events.   Physicians engage in peer review activities to not only analyze and resolve a specific adverse event, but also determine a plan that reduces the risk of the adverse event happening again.  The most common peer review activities provide legal protections from discovery which promotes transparency and more effective management of the problem.  Physicians analogously expect EHR vendors to not only fix their problem, but also to transparently fix it for all other physicians using their product.   This puts EHR vendors in a quandary because the legal protections of peer review activities extended to physicians are not extended to EHR vendors.  

Resolving this problem will require assistance from the federal and state governments.    Along those lines the Office of the National Coordinator for Health Information Technology (ONC) published a Health IT Safety Plan on December 21, 2012, and is accepting public comments on it until February 4, 2013.   I believe the most important aspect of this plan is the development and use of patient safety organizations (PSOs) to identify, aggregate, and analyze health IT safety events and hazard reports.    

The aviation industry continually improves passenger safety by engaging pilots in self-reporting of errors and dangerous conditions through an offer of immunity from sanctions.   The federal Patient Safety Act of 2005 provides an analogous environment allowing physicians in the outpatient setting to voluntarily report and share quality and patient safety information to AHRQ-certified PSOs without fear of legal discovery.   Most physicians are familiar with the secure nature of communications when they are involved in hospital quality improvement activities.    The information, documents, discussions and committee reports generated under the hospital’s umbrella of quality programs are held confidential and privileged.   Privileged communications cannot be disclosed and used in medical litigation without consent.   PSOs offer an analogous umbrella of protection for physicians in the ambulatory setting.    Physicians may voluntarily report patient safety issues or quality data from their outpatient practices to a PSO on a privileged and confidential basis.    The PSO can aggregate and analyze information from multiple physicians and healthcare entities to help identify, prioritize and reduce hazards that impede quality care.

The legal protections offered to physicians through PSOs are not currently extended to EHR vendors. They should be, and I will endorse that change in my comments to ONC’s Health IT Safety Plan.   But even without this change there are ways for EHR vendors to safely engage with PSOs today.    Let’s consider one such scenario:

Fictional scenario:  Community physicians and several EHR vendors are associated with the same patient safety organization (PSO). Dr. X is one of the physician members and his EHR vendor, VendorZ, is an analytical contractor with the PSO. After entering a digoxin dose in his EHR’s Medication Reconciliation screen, Dr. X discovered that the dose displays with a misplaced decimal point on the Medication History screen. He reports this dangerous dosing error to his PSO as a patient safety issue. The PSO notifies VendorZ. VendorZ begins working with Dr. X’s office to resolve the issue. Because VendorZ is an analytical contractor with the PSO to which this patient safety issue was reported, the reported problem, analyses, results and recommendations are confidential and privileged. When a solution is identified, there is no legal threat that disincentivizes the PSO or VendorZ to withhold this known problem and solution from other physicians in the PSO who use the same EHR. The PSO notifies all of those physicians who are members of the PSO and proactive work is done to prevent this same problem from harming patients in other practices.

EHR vendors are not inclined to openly discuss EHR problems when there is the threat of litigation against them for doing so, similar to fears physicians have with discussions of their own medical errors.   But this fictional scenario exemplifies one plausible way for EHR vendors and physicians to collaborate on health IT risks today under the protective umbrella of PSOs.

As stewards of safe, quality care physicians should have a basic understanding of PSOs and carefully consider opportunities that arise to engage with a PSO on initiatives to improve outpatient care in their community.   EHR vendors should demonstrate a similar stewardship by helping educate physicians about PSOs and engaging with physicians through PSOs to improve the safety of their EHR products.

Posted at 09:00 AM in Current Affairs, EHR, EHR products, EHR Risks, Health Reform, Leadership, Legal/Compliance, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

June 01, 2012

New Texas Privacy Law Increases Physician Liability Including Heftier Enforcement Penalties

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blogs I am writing to illustrate how these stronger patient protections increase physicians' cyber liability.  Consider this case history:

An unencrypted USB drive used to store PHI could not be found in the office.   It contained data on 1,105 patients including names, diagnosis codes and Social Security numbers.   The physician subsequently notified all affected individuals and local media, added technical safeguards of encryption for all PHI stored on mobile devices, added physical safeguards by keeping new portable devices locked in a secure combination safe in doctor’s private office when not in use and added administrative safeguards including annual privacy training of staff. 

For breaches affecting >500 individuals HIPAA requires physicians to notify not only the affected individuals, but also local media outlets and the Department of Health and Human Services (HHS) who then posts breach information on their website.    However, if the PHI was encrypted, then it is not considered to be a violation and no notification is required.    The privacy violation in this case would have been avoided by either encrypting the thumb drive (a technology-based prevention strategy) or by not downloading PHI to a mobile device (an employee training-based prevention strategy).   

HB 300 privacy protections are enforced through penalties, disciplinary actions and audits that are intended to deter breaches.   Several factors are considered when determining the consequences of a breach including the seriousness of violation, compliance history, harm done to individuals and efforts made to correct violations.  Civil penalties may be assessed for each violation up to:

  • $5,000 if committed negligently
  • $25,000 if committed knowingly or intentionally
  • $250,000 if committed intentionally and PHI is used for financial gain
  • $1.5 million if a “pattern of practice” found

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

cook children

Posted at 07:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 23, 2012

Texas Privacy Laws Provide Patients Stronger Rights to Access Electronic Health Record Than HIPAA

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.  Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request as required by HIPAA. After the Office of Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage) with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails.  In Texas HB 300 combined with other state laws are more protective than HIPAA such as with a patient’s right to access their electronic health records (EHRs). HB 300 mandates physicians who use EHRs to provide patients the requested record in electronic form not later than 15 business days after receiving a written request unless there is an allowable exception.   The EHR may be provided in another format if the physician’s EHR is incapable of producing an electronic copy or if agreed upon by the patient in advance.  Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 16, 2012

New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   I am concerned that their may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions.  For example, one of the new requirements impacts employee privacy training policies for the physician practice.   As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area possibly after a cleaning crew had left the main door to the building open.   An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week.   Following the breach the practice notified all affected individuals, added technical safeguards of encryption for PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet of a locked storage room when not in use and required re-training of all employees on privacy and security policies including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy/security  and remain vigilant when managing PHI.    In Texas HB 300 protects not only PHI as defined by HIPAA, but also “sensitive personal information (SPI)” as defined by the Texas Identity Theft Protection Act.   HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI.    New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years.    A log must be maintained with employee signatures verifying their attendance.    Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 09, 2012

New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blogs I am writing to illustrate some of the new protections.   I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws.  Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised.  The breach involved PHI of 1.085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI.   This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI.   Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws.  Matters to address in a BAA include:   

  • Immediate notification to practice when BA discovers breach
  • Who notifies affected individuals?  Who bears the cost?
  • Contract termination for failure to comply with law or take "reasonable" steps to fix breach
  • BA ‘s compliance with performing security risk analysis at least annually
  • BA’s compliance with employee privacy training
  • Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 03, 2012

New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas.   Last year the Texas Legislature passed House Bill 300 (HB 300) heavily amending the state's Texas Medical Records Privacy Act.   These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012.    HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, are more protective of patients' privacy than HIPAA.  Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI.   But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks.   In the next month I know of  two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th.    Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300.   Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online.    Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   

cook childrens

Posted at 07:00 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

April 05, 2012

Keep the data collection cart behind the trailblazing horse

In today's Health IT News there is an article expressing dissappointment with the recently released proposed rules for Stage 2 of the Electronic Health Record (EHR) Incentive Program.   Some alarming viewpoints are evident in this article regarding the collection of data for use by the federal government to improve public health .

The proposed rule for Meaningful Use Stage 2 on page 13702-13703 specifically states that the purpose of Stage 2 Meaningful use is to "“encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible”.    No where in the rule does it state that the primary purpose of Stage 2 Meaningful Use is to collect data for use by the federal government as is suggested by concerns expressed in this article.   Let's keep the data collection cart behind the trailblazing horse so that it does not aimlessly roll down the steepest part of the hill instead of steering toward most beneficial path.   Stage 2 objectives draw a sensible roadmap to the next planned destination where we can finally begin realizing the maximum potential value of health IT and EHRs.   We currently have the horse trotting around potholes toward the widespread adoption and successful use of EHRs, the development of robust HIE networks, the maturation of EHR product functionalities and an improved understanding of safe EHR usage.   If we fail to align Stage 2 activities with Stage 2 goals by taking unplanned shortcuts to collect and use data in hopes of improving care now, I fear the cart will crash and cripple the momentum that Stage 1 has initiated.

Posted at 01:02 PM in ARRA/Stimulus Funds, Current Affairs, EHR, Health Information Exchange, Incentive Payments, Leadership, Meaningful Use, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

November 17, 2011

Health Information Exchanges and Physicians Share Accountability for Safe Patient Care

The $800 billion 2009 American Recovery and Reinvestment Act (ARRA) set aside $36 billion toward health information technology (health IT) initiatives, including over $500 million for the State HIE Cooperative Program.  This federal program provides funds to each state for the successful planning and development of infrastructure that supports the exchange of electronic health data between physician electronic health records (EHRs), hospital EHRs, lab systems, radiology centers and other clinical IT systems.    For example, in Texas we are using these funds to support the development of local health information exchange entities, called HIEs, across the state and to concurrently develop the policies, standards and infrastructure needed to safely/securely connect these HIEs to each other.     The statewide HIE network will also be built to be compatible with national standards and efforts.      

Each state's effort to develop a network of community HIEs and/or a statewide HIE will be more successful with physicians involved upfront with governance and policy development.   When working with local HIEs most physicians will generally understand and appreciate the importance of protecting the privacy and security of electronic patient health information.  Their inherent knowledge on this issue will help guide policies in the right direction.   A more complex issue for physicians to understand is the relationship between HIEs and patient care.   A heightened awareness of this issue will allow physicians to properly inform HIE policymakers about the need to establish an environment where local HIEs, HIE networks and physicians share accountability for safe patient care.   

To deepen physician's understanding of this issue I encourage them and others to think about an HIE as a tool physicians use as a part of patient care, similar to a surgical tool.   If a patient is harmed by a surgical tool that broke because the physician used it incorrectly, the physician is negligent.  If the physician used the tool correctly but it still broke, but it has only broken 8 times in over 10,000 surgeries and the patient consent explains this remote risk of breakage, then no one is negligent.  However, if it broke and the issue had been reported to the vendor by many physicians on a repetitive basis, but the vendor failed to investigate the issue and fix the problem, or failed to inform physicians and patients of the increased risk in the meantime, then the vendor is negligent. 

This perpsective will help physicians advocate for policies that lead to an environment where HIEs and physicians share accountability for safe patient care.   Effective policies will lead to contracts and agreements which acknowledge that:

  1. HIEs and HIE infrastructure are tools used by physicians during the course of patient care
  2. HIEs are responsible for informing patients and doctors about the inherent risks of  the electronic health information exchange including changes in risks when issues are identified
  3. HIEs have a responsibility to continually monitor for and mitigate risks associated with their services that may impact quality of care provided by physicians

 

Posted at 08:00 AM in ARRA/Stimulus Funds, Current Affairs, EHR, EHR Risks, Health Information Exchange, Leadership, Legal/Compliance, Meaningful Use, Safe EMR Use | | Comments (1) | TrackBack (0)

| | | | | |

February 14, 2011

Why should primary care physicians enroll for Regional Extension Center services?

Why should primary care physicians sign up for REC services?   What are the unique selling points and assistance they will receive as compared to other consultant organizations?  

These are excellent questions I am hearing from physicians in Texas regarding the four RECs that cover our entire state.  The RECs are subsidized by the federal government through the Health Information Technology for Economic and Clinical Health (HITECH) Act which appropriated $640 million in REC grant funds to create 62 RECs across the nation, including the four in Texas. 

Primary care physicians in Texas should use REC services because they will receive a steep discount for high quality services that are provided through a trustworthy, physician-centric organization that was specifically created to meet the technological needs of physicians in their region.

In Texas the four RECs have collaborated to develop a shared business plan that leverages the federal subsidies to provide onsite technical consulting for a token fee of $300.    For this $300 enrollment fee Texas physicians receive over $5,000 in consulting services which include:

  • EHR implementation and project management;
  • HIT education and training; 
  • Vendor selection and financial consultation; 
  • Practice and workflow redesign; 
  • Privacy and security compliance education; 
  • Meaningful use analysis, tracking, and monitoring; 
  • Assistance in meeting meaningful use requirements for CMS incentives; 
  • Collaboration with state and national health information exchange (HIE); 
  • Ongoing technical assistance; and 
  • Opportunities for CME credit hours

In addition to this steeply discounted enrollment fee, the Texas Medical Association (TMA) works closely with the RECs to help ensure that the RECs are physician-centric and focused on meeting physician needs.    Physicians hold 50% of the seats on each REC's governing board as a result of the TMA’s early efforts.

Another unique selling point is that the REC technical consultants are specifically focused on, and experienced with, the small physician practice.    Other IT consultants naturally give priority to large practices or healthcare systems where they get large amounts of money from a small number of contracts.    The REC consultants, on the other hand, only get a small amount of money per contract, but they get a large number of them.    This business strategy allows them to become more experienced with and more focused on the small practice.    The REC administrative staffs enable this strategy by facilitating the enrollment of a large number of physicians and by using the REC federal grant funds to offer physicians the steep discount.

The four RECs in Texas are:

Posted at 10:15 AM in ARRA/Stimulus Funds, Current Affairs, EHR, EHR implementation, EHR products, EHR Risks, EHR selection, Health Information Exchange, Incentive Payments, Meaningful Use, Physician Adoption, REC, Safe EMR Use, Work Flow | | Comments (1) | TrackBack (0)

| | | | | |

November 30, 2010

Physicians Use E-mail With Patients Safely By Avoiding Misuse, Mishandling and Medicolegal Issues

Effective communication is a hallmark of patient satisfaction with their physician as well as with quality outcomes.  It is not surprising that surveys reveal more than 90% of patients desire to e-mail their doctors.  Physicians, however, are tentative about moving forward. In a 2009 survey by the Texas Medical Association, only about 20% of physicians reported the use of e-mail with their patients.

Those of us who do successfully use e-mail with patients know that we must be attentive to the risks involved to use e-mail safely. We also recognize that in order to use this technology efficiently we have to think about our work flow and be smart about redesigning it.  The risks of using e-mail with patients can be categorized into misuse, mishandling and medicolegal issues.

Misuses of physician-patient e-mail include:

  • seeking or providing new diagnoses/treatments
  • using e-mail with new patients with no previous face-to-face encounter
  • communicating on sensitive matters such as HIV, sexually transmitted infections, genetics and mental health
  • using e-mail for urgent or emergent issues
  • writing long, complex messages
  • using e-mail attachments with formats that patient’s computers may not be able open and read
  • forwarding e-mails from patients without their consent
  • advertising or promoting goods and products through e-mail

Mishandling issues with physician-patient e-mail include:

  • problems with e-mail triage or distribution within the office such as failure to adhere to established protocols or meet expected turn-around times for actions/replies
  • physicians using their personal e-mail accounts to send e-mail to patients
  • misunderstandings by patients/office staff regarding over who actually received, sent or replied to messages (authorship issues)

Medicolegal, privacy and security issues include:

  • failure to properly identify patients and verify e-mail addresses
  • privacy breaches
  • security problems with the e-mail system or related computer systems
  • not getting e-mail communications into the patient’s medical record
  • repudiation issues (i.e. patient denies sending or receiving an e-mail)
  • accountability issues
  • legal e-discovery issues
  • medical liability associated with diagnoses/treatment
  • failure to follow Texas Medical Board rules, HIPAA regulations or other on privacy/security regulations

These issues are certainly not insurmountable.  With an awareness and understanding of the rules, regulations and guidelines published by one’s state medical board, HIPAA, professional societies and other professional organizations such as the AMA, a physician can develop a set of policies and procedures to safely and efficiently use e-mail with their patients.  The procedures should include oversight mechanisms, adequate training of staff, adherence to privacy and security regulations, appropriate identification and authentication of each patient who consents to the use of e-mail and patient education to clarify what the physician will allow e-mail to be used for.  Patients should also be educated on how the office will manage e-mail messages and on what the expected turn-around times for replies will be.

Posted at 10:31 PM in E-mail, Legal/Compliance, Safe EMR Use, Work Flow | | Comments (0) | TrackBack (0)

| | | | | |

Next »

Categories

Search

Recent Posts

Twitter Updates

    follow me on Twitter

    Archives

    More...

    Enter your email address:

    Delivered by FeedBurner

    Bookmark and Share

    *

    *

    *