EHR Risks

New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the Texas Medical Records Privacy Act. These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks. In the next month I know of two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300. Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online. Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   


Healthcare Industry's Triple Strand of DNA: health IT, payment reform and patient empowerment

Earlier this month I used a genetics analogy to describe the amazing progress with electronic health record (EHR) usage by physicians over the past two years (see Progress being made to splice information technology into the healthcare industry's genome in Texas). Facilitating this progress are the EHR Incentive Program and other federal health IT initiatives that the Office of the National Coordinator for Health IT (ONC) oversees.

Last Thursday the National Coordinator of ONC, Dr. Farzad Mostashari, took my genetics analogy one step further in his keynote speech at the HIMSS12 Annual Conference for health IT in Las Vegas. And I have to admit that he improved upon it. I guess that's why he's in Washington D.C. and I'm not.

Dr. Mostashari warned the 36,000 conference attendees that along with this continued progress there are two other societal trends to align health IT with. He advocated for "twisting health IT to create a triple strand of DNA" with payment reform and patient empowerment.

Health IT, payment reform and patient empowerment.  The triple strand of DNA to splice into the healthcare industry.  I like that. 

Payment reform is seriously needed to align incentives with the provision of quality care in an efficient manner. Right now I am basically paid to "encounter" patients and to do procedures. Although I am personally motivated to provide high quality care, the incentives are oddly there for physicians to "see more" and "do more" rather than to "see it done best". In addition, my documentation is based on meeting reimbursement rules to make sure I get paid rather than being based on communicating a clear picture of my findings and care plan. I absorb the extra time it takes to do both.

Consequently it is no surprise that for decades EHR vendors developed products based on episodic care. Physicians sought out products that would help them document and get paid for patient encounters. Documentation templates and charge capture functionalities were developed to maximize chances for reimbursement.

The potential for EHRs to improve quality and chronic disease management is just now starting to be realized.    The ONC's health IT initiatives enacted by CMS under the HITECH portion of the 2009 Recovery Act are providing the push.   But as payment reform proceeds, whether it be value-based purchasing, accountable care or some other program, EHR vendors will be incentivized even more to shift development efforts into chronic disease management and clinical decision support that are a basis for improving patient care. 

And the third strand of DNA to splice into the healthcare industry, patient empowerment, is indeed an active and growing societal influence.  But I will have to blog about that another day...

Health Information Exchanges and Physicians Share Accountability for Safe Patient Care

The $800 billion 2009 American Recovery and Reinvestment Act (ARRA) set aside $36 billion toward health information technology (health IT) initiatives, including over $500 million for the State HIE Cooperative Program. This federal program provides funds to each state for the successful planning and development of infrastructure that supports the exchange of electronic health data between physician electronic health records (EHRs), hospital EHRs, lab systems, radiology centers and other clinical IT systems. For example, in Texas we are using these funds to support the development of local health information exchange entities, called HIEs, across the state and to concurrently develop the policies, standards and infrastructure needed to safely and securely connect these HIEs to each other. The statewide HIE network will also be built to be compatible with national standards and efforts.

Each state's effort to develop a network of community HIEs and/or a statewide HIE will be more successful with physicians involved upfront with governance and policy development.   When working with local HIEs most physicians will generally understand and appreciate the importance of protecting the privacy and security of electronic patient health information.  Their inherent knowledge on this issue will help guide policies in the right direction.   A more complex issue for physicians to understand is the relationship between HIEs and patient care.   A heightened awareness of this issue will allow physicians to properly inform HIE policymakers about the need to establish an environment where local HIEs, HIE networks and physicians share accountability for safe patient care.   

To deepen physicians' understanding of this issue I encourage them and others to think about an HIE as a tool physicians use as a part of patient care, similar to a surgical tool. If a patient is harmed by a surgical tool that broke because the physician used it incorrectly, the physician is negligent. If the physician used the tool correctly but it still broke, and it has only broken 8 times in over 10,000 surgeries and the patient consent explains this remote risk of breakage, then no one is negligent. However, if it broke and the issue had been reported to the vendor by many physicians on a repetitive basis, but the vendor failed to investigate the issue and fix the problem, or failed to inform physicians and patients of the increased risk in the meantime, then the vendor is negligent.

This perspective will help physicians advocate for policies that lead to an environment where HIEs and physicians share accountability for safe patient care. Effective policies will lead to contracts and agreements which acknowledge that:

  1. HIEs and HIE infrastructure are tools used by physicians during the course of patient care
  2. HIEs are responsible for informing patients and doctors about the inherent risks of  the electronic health information exchange including changes in risks when issues are identified
  3. HIEs have a responsibility to continually monitor for and mitigate risks associated with their services that may impact quality of care provided by physicians

Texas Medical Association video provides in-depth look at meaningful use, how RECs can help physicians

This video does a good job of describing Meaningful Use, the electronic health record (EHR) incentive program and how the four regional extension centers (RECs) in Texas leverage federal grants to subsidize services for physicians that help them select/implement or upgrade an EHR, and then use their EHR to improve quality of care and meet the Meaningful Use requirements.  

The four RECs in Texas currently charge primary care physicians only $300 for consulting services valued at $5,000.  These services include:

  • Select and implement a certified EHR (or upgrade your current EHR to a certified version),
  • Optimize your practice workflow,
  • Achieve meaningful use,
  • Qualify for EHR incentives, and
  • Obtain CME credit hours


Community HIE decisions are best made in collaboration with local physicians who use EHRs

Physicians who use electronic health records (EHRs) in their offices are increasingly being called upon in their communities to participate in the development of local health information exchanges (HIEs). During the early stages of HIE planning there are important decisions that are best made in collaboration with local physicians. As with any health information technology usage, the anticipated benefits of exchanging electronic health data must be balanced against the inherent risks of the technology. Physicians who use EHRs already have valuable experience with some of the inherent risks associated with electronic health data usage, but may not have experience with the clinical risks associated with the exchange of electronic health data. The following case scenarios are intended to raise awareness and understanding of key patient safety risks associated with the clinical use of electronic personal health information (PHI) that could be obtained through a community-wide HIE.

Conflicting data scenario:  A nurse records a penicillin allergy in the hospital EHR when a patient experiences GI symptoms after receiving a penicillin injection.   The next day, the patient is seen by her primary care physician (PCP).   After reviewing the history, the PCP is convinced that the reported symptoms were unrelated to the penicillin injection.   She records “No Known Allergies” in her office EHR.   The local HIE retrieves “allergies” from both EHRs and displays this patient’s allergies as both “no known allergies” and “penicillin.”  

In such cases, the physician will have to reconcile the data by considering the sources, dates, and times of each and decide whether additional investigation is necessary.   

Segmented data scenario (this applies only if the HIE will allow patients to exclude some or all of their data as a part of the consent process): For privacy reasons an HIV patient decides to exclude his diagnoses from the HIE, so that the resulting problem list does not disclose his HIV status. He also excludes data from two sources: his psychiatrist and a psychiatric hospital. This patient had suffered an episode of neuroleptic malignant syndrome secondary to an antipsychotic medication a year ago while under the care of the psychiatrist at that hospital. Since records from the psychiatrist and hospital are excluded, the HIE will not contain this information. A physician viewing the patient’s information through the HIE will see no record of the patient’s susceptibility to a life-threatening event from a certain class of medications.

Informing the viewing physician that the patient has excluded some data from the Problem List and some data from both a physician and a hospital may prompt important additional questions and dialogue with the patient that could prevent an avoidable adverse event.  

Clinical Risk Management

Community-wide HIE initiatives are increasingly turning to local physicians who use EHRs to assist with assessments of both the benefits and risks associated with the clinical use of electronic health data shared across their community.  The clinical risks outlined in these scenarios can be managed through the following principles: 

  1. An HIE must provide physicians access to the source, date and time for all displayed data
  2. An HIE must alert clinicians when data or data sources are excluded
     • The alert should specify the type of data (“lab results”) or type of source (“hospitals”) that has been excluded from the HIE through the patient consent process
  3. An HIE must inform physicians about:
     • The patient consent policy used by the HIE (and policy changes when they occur)
     • A list of the specific types of data they are generally able to access through the HIE
     • A list of the specific sources of data that the HIE exchanges with
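The two scenarios and the three principles above, as an added Python example that is not from the original post: it assembles an HIE view for one patient from constructed sample records, attaches source, date and time to every displayed item, flags the conflicting-allergy case for reconciliation, and alerts on consent exclusions by type only, never by content. The record format, source registry and identifiers are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Record:
    """One data element a source system contributed to the HIE (constructed format)."""
    patient_id: str
    category: str       # "allergy", "problem", "adverse_reaction", ...
    value: str
    source_id: str      # contributing system; identifiers below are hypothetical
    recorded_at: datetime


@dataclass
class Consent:
    """What the patient opted out of sharing through the HIE consent process."""
    excluded_categories: Set[str] = field(default_factory=set)
    excluded_sources: Set[str] = field(default_factory=set)


@dataclass
class HieView:
    entries: List[dict]    # principle 1: every item carries source, date and time
    conflicts: List[str]   # contradictory values for one category from different sources
    alerts: List[str]      # principle 2: exclusions stated by type only, never by content


NKA = "no known allergies"

# Registry of sources the HIE exchanges with and their types (principle 3). Constructed.
SOURCES: Dict[str, str] = {
    "hosp-01": "hospital", "pcp-01": "physician",
    "psych-01": "physician", "psyhosp-01": "hospital",
}


def build_view(records: List[Record], consent: Consent, sources: Dict[str, str]) -> HieView:
    """Assemble what a viewing clinician sees for one patient under the patient's consent."""
    shown = [r for r in records
             if r.source_id not in consent.excluded_sources
             and r.category not in consent.excluded_categories]
    shown.sort(key=lambda r: r.recorded_at, reverse=True)   # most recent first
    entries = [{"category": r.category, "value": r.value, "source_id": r.source_id,
                "source_type": sources.get(r.source_id, "unknown"),
                "recorded_at": r.recorded_at.isoformat()} for r in shown]

    # Allergy conflict rule: "No Known Allergies" beside a named allergen from another
    # source contradicts rather than adds, so surface it for reconciliation, never merge it.
    conflicts = []
    allergies = [r for r in shown if r.category == "allergy"]
    if any(r.value.lower() == NKA for r in allergies) and any(r.value.lower() != NKA for r in allergies):
        detail = "; ".join(f"{r.value!r} from {r.source_id} at {r.recorded_at:%Y-%m-%d %H:%M}"
                           for r in allergies)
        conflicts.append(f"Allergy data conflict, reconcile before acting: {detail}")

    # Exclusion alerts name the type of data or source, not what was withheld.
    alerts = [f"Patient has excluded all '{c}' data from this HIE view."
              for c in sorted(consent.excluded_categories)]
    by_type = Counter(sources[s] for s in consent.excluded_sources if s in sources)
    alerts += [f"Patient has excluded {n} source(s) of type '{t}' from this HIE view."
               for t, n in sorted(by_type.items())]
    return HieView(entries, conflicts, alerts)


def demo_conflicting_data() -> HieView:
    """Conflicting data scenario: hospital records penicillin, PCP records NKA (constructed)."""
    records = [
        Record("pt-A", "allergy", "Penicillin", "hosp-01", datetime(2012, 3, 1, 10, 0)),
        Record("pt-A", "allergy", "No Known Allergies", "pcp-01", datetime(2012, 3, 2, 9, 30)),
    ]
    return build_view(records, Consent(), SOURCES)


def demo_segmented_data() -> HieView:
    """Segmented data scenario: problem list and two psychiatric sources excluded (constructed)."""
    records = [
        Record("pt-B", "problem", "HIV infection", "pcp-01", datetime(2012, 2, 10, 8, 0)),
        Record("pt-B", "allergy", "No Known Allergies", "pcp-01", datetime(2012, 2, 10, 8, 5)),
        Record("pt-B", "adverse_reaction", "Neuroleptic malignant syndrome (antipsychotic)",
               "psych-01", datetime(2011, 1, 20, 14, 0)),
        Record("pt-B", "adverse_reaction", "Neuroleptic malignant syndrome (antipsychotic)",
               "psyhosp-01", datetime(2011, 1, 21, 9, 0)),
    ]
    consent = Consent(excluded_categories={"problem"}, excluded_sources={"psych-01", "psyhosp-01"})
    return build_view(records, consent, SOURCES)
```

In the segmented case the view contains only the NKA entry, yet the three alerts tell the viewing physician that a data type and two source types were withheld, which is the cue for the follow-up conversation with the patient.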

Comparison of Web-based vs. Traditional EHRs For Physician Offices

An ambulatory electronic health record (EHR) can be provided to the physician practice through one of two different models:

  1. Web-based, also referred to as a "hosted EHR" or the "ASP model", where the physician accesses the EHR through an Internet connection
  2. Client-Server (C/S), the traditional model, where the EHR server may physically reside in the physician's office

Both models are considered to be acceptable, but each has inherent pros and cons to consider. The traditional model of choice has been the “client-server” model. In this model the EMR software is installed on a server that is typically located in the physician’s office. The physician and staff access the EMR through computer devices that are connected to the server through a local area network (LAN) set up in the office. The computers may be connected wirelessly to the network if desired. This model has a few similarities to loading Quicken on your home computer and then using Quicken to pay bills online:

  1. After loading Quicken onto your computer you will periodically be advised by Quicken to take "updates" to fix known "bugs" in the software. Similarly, you will load the EHR software onto the server in your office and physically download any updates to fix "bugs" that the vendor discovers and fixes.
  2. Microsoft periodically advises you to take security updates on your home computer.  Similarly, the EHR server will need to take periodic updates from Microsoft.
  3. You may later decide to upgrade Quicken to its latest version, and then purchase and install the Quicken upgrade on your computer.  Similarly, you will want to upgrade your EHR software periodically, usually every 12-18 months.
  4. You may decide in the future to purchase a new home computer that is faster;  you will have to then load the Quicken software onto that new computer and transfer all of your old Quicken data to the new computer.  Similarly, you will need to periodically replace the EHR server with a newer one that is faster, stronger and/or meets future recommended requirements of the EHR software.  And make sure your data gets transferred as well.

The web-based model is gaining popularity.  In this model the EHR software is located on a server at a remote location designated and hosted by the EHR vendor.  The physician and staff access the EHR through the Internet on computer devices in the office.  This is analogous to online banking that you access on your home computer and use to pay your bills online (instead of using Quicken).  Using this analogy: 

  1. You will not physically have to take updates because the bank will update the software themselves
  2. Microsoft will not ask you to take Microsoft security updates to the online banking server because the bank hosts the server and will do that themselves
  3. When there is an upgrade to the online banking software, you do not have to purchase and physically load that software on your computer because the bank does that on their server that you are simply accessing
  4. If the online banking server is too slow you will not have to purchase a new server; the bank will do that (if enough customers complain) and they will migrate your data over to that new server

Here is a comparison chart for these two EHR models:


Personally, the business side of me is strongly averse to allowing a 3rd party vendor to take care of the “heart and soul” of my practice (i.e. the revenue dollars and the clinical data). Hence, in private practice I would strongly favor keeping the server in-house. However, the clinic I currently work at is a small part of a large academic institution. For our ambulatory EMR I am leaning toward recommending a web-based model. The institutional IT Department's primary purpose is to support the education of thousands of students, not to understand and dedicate the resources needed to provide the high level of clinical IT support required by a clinician using an EHR. And I know who is most likely to get trumped down the road when conflicting priorities arise!

Why should primary care physicians enroll for Regional Extension Center services?

Why should primary care physicians sign up for REC services?   What are the unique selling points and assistance they will receive as compared to other consultant organizations?  

These are excellent questions I am hearing from physicians in Texas regarding the four RECs that cover our entire state.  The RECs are subsidized by the federal government through the Health Information Technology for Economic and Clinical Health (HITECH) Act which appropriated $640 million in REC grant funds to create 62 RECs across the nation, including the four in Texas. 

Primary care physicians in Texas should use REC services because they will receive a steep discount for high quality services that are provided through a trustworthy, physician-centric organization that was specifically created to meet the technological needs of physicians in their region.

In Texas the four RECs have collaborated to develop a shared business plan that leverages the federal subsidies to provide onsite technical consulting for a token fee of $300. For this $300 enrollment fee Texas physicians receive over $5,000 in consulting services which include:

  • EHR implementation and project management;
  • HIT education and training; 
  • Vendor selection and financial consultation; 
  • Practice and workflow redesign; 
  • Privacy and security compliance education; 
  • Meaningful use analysis, tracking, and monitoring; 
  • Assistance in meeting meaningful use requirements for CMS incentives; 
  • Collaboration with state and national health information exchange (HIE); 
  • Ongoing technical assistance; and 
  • Opportunities for CME credit hours

In addition to this steeply discounted enrollment fee, the Texas Medical Association (TMA) works closely with the RECs to help ensure that the RECs are physician-centric and focused on meeting physician needs.    Physicians hold 50% of the seats on each REC's governing board as a result of the TMA’s early efforts.

Another unique selling point is that the REC technical consultants are specifically focused on, and experienced with, the small physician practice. Other IT consultants naturally give priority to large practices or healthcare systems where they get large amounts of money from a small number of contracts. The REC consultants, on the other hand, only get a small amount of money per contract, but they get a large number of them. This business strategy allows them to become more experienced with and more focused on the small practice. The REC administrative staffs enable this strategy by facilitating the enrollment of a large number of physicians and by using the REC federal grant funds to offer physicians the steep discount.

The four RECs in Texas are:

North Texas Regional Extension Center's Successful Start and Current Activities

Today, while wearing my hat as the Board Chairman of the North Texas Regional Extension Center, I am writing a message primarily to my colleagues who practice medicine across North Texas.   I am sharing this message through my blog, however,  because others may be interested to see and hear what is happening at the grassroots level of local and regional health IT initiatives:

February 2, 2011

To my physician colleagues across North Texas,

On behalf of the volunteer physician board members of the North Texas Regional Extension Center (NTREC), I am writing to inform you that registration for the federal electronic health record (EHR) incentive program has begun and that the money is already flowing.   In January, for example, two Oklahoma physicians at the Gastorf Family Clinic of Durant, OK, received $21,250 each for having implemented a certified EHR.   If you are considering making the jump to an EHR, or if you already use one, you may become eligible for EHR incentives up to $44,000 under Medicare or $63,750 under Medicaid by meeting “meaningful use” requirements.

NTREC receives federal grant funds for providing on-site technical consulting to enrolled physicians who are selecting, implementing or using an EHR.   This federal subsidy allows NTREC to charge primary care physicians only $300 for consulting services valued at $5,000.  

NTREC is focused on helping you:

  • Select and implement a certified EHR (or upgrade your current EHR to a certified version),
  • Optimize your practice workflow,
  • Achieve meaningful use,
  • Qualify for EHR incentives, and
  • Obtain CME credit hours along the way

I am happy to report that NTREC services were successfully launched four months ago.   Since then, 289 physicians have enrolled for services and another 370 physicians have enrollment contracts in progress.   Our goal is to provide services to more than 1,500 physicians in North Texas by the end of 2011.   Our operational plans will enable us to scale physician services to even higher levels if needed to meet physician demand.  

The federal EHR incentive program and these discounted NTREC consulting services are unprecedented and genuine.   Please call NTREC to enroll and set an appointment for on-site consulting at (469) 648-5140 or by visiting   The NTREC’s dedicated team of experts will be considerate of your valuable time and show you how they can help you identify and meet your unique needs.

If you have questions, please don’t hesitate to contact me.

Matt Murray, M.D.
Brown Lupton Health Center
Texas Christian University


Enhance Safe Use of EHRs By Aligning Implementation To Quality Goals

Safe use of electronic medical records (EMRs) is enhanced when physicians focus their EMR implementation on quality of care improvements.  Effective communication among the staff about these key goals creates a positive environment that serves as a catalyst for successful use of the EMR.  In addition, large healthcare systems and small physician offices are both less likely to encounter patient safety issues when they align their health information technology (IT) strategies to quality of care goals.  

Case Study: Several years ago the leadership of an Accountable Care Organization (ACO) formed between a local healthcare system and a multi-specialty physician group began working collaboratively on a common vision for patient safety excellence. System-wide integration and use of medication reconciliation were top priorities. The EMR used by the hospitals has an ambulatory component that meets all of the critical requirements determined by the physician board members. If implemented, the ambulatory and hospital EMRs could be integrated and share the same master patient index, drug formulary, medication index, allergy index and set of clinical decision support rules. However, the physician board, influenced by several leading opinion-makers who favored an alternative EMR, convinced ACO leaders to allow the physicians to purchase their own ambulatory EMR and use system resources to purchase and develop a data repository that could send/receive (bi-directionally) and store data between multiple sources. The vendors involved promised they could provide the infrastructure and tools necessary to capture and manipulate the data. Two years later a patient suffers a severe anaphylactic reaction after receiving an antibiotic injection in one of the physician offices. An investigation reveals that although the EMR had properly displayed the allergy, the antibiotic order had not triggered an allergy alert. Further research reveals multiple ways for an allergy to be entered into their customized, bi-directional medication reconciliation tool that would successfully display the allergy in the ambulatory EMR, but not trigger an alert during the ordering process. Their conclusion is that the use of different EMRs with multiple drug formularies, multiple medication and allergy indices and different clinical decision support rules is more complex than anticipated. They suspended use of the medication reconciliation tool until they could determine whether they could more effectively execute their current strategy.

Key Points:  Effective organizational characteristics and a focus on quality of care are important catalysts for safe EMR use.

Cultivating a culture of safety, promoting transparent communications and alignment of strategic planning with prioritized goals to improve quality of care are examples of organizational characteristics that facilitate safe EMR use.  In this case the organization did well creating a shared vision with common goals/priorities regarding quality of care.   However, organizational alignment fell apart when the unbalanced interests from one part of the organization created the perceived need for an alternative strategy.   Although the new strategic plan was plausible, the organization did not have the resources or organizational discipline to effectively execute plans that were considerably more complex.   It will be paramount for ACOs to effectively manage such issues in the future.  Similarly, even the small, individual physician practice is more likely to be successful with an EMR implementation when they develop a strategy to improve quality of care through the implementation of an EMR.  

"Think Simple" When Developing Order Sets and Clinical Content Screens for EMRs

Physicians would prefer that an EMR computer screen emulate a tri-fold flow sheet that inspires a "gestalt feel" for the whole clinical situation.   Instead, data split among multiple screens with the need for numerous mouse clicks and excessive scrolling in order to see all the information tends to frustrate clinicians.  The frustration comes as a result of the fragmentation of our thought processes and patterns which have developed over time.    In addition, "user interface" issues can become a patient safety risk.  The following case study provides an example of such an issue.   

Case Study: A small practice had their EMR vendor develop a custom report called the Patient Summary that “pulls in” EMR data including lab and radiology results. This report is useful while on-call because they can remotely access it from home over the Internet. Over one weekend the on-call physician discovered that some of the lab results for one of his patients did not show up on the Patient Summary. He checked several other patients and found another example of missing results. He decided that this report was unreliable and that he would not use it until the issue was understood. The EMR vendor was notified on Monday. They quickly determined that the report was working normally and no data was missing. They suspected the doctor forgot that this report displays a little <+> symbol at the bottom of the screen if there are additional lab results that will not fit in the space provided. At that point the physician realized that he had used his new iPhone for the first time and that the small viewing display had made it very difficult for him to see the small <+> symbol.

Key Points:

  • Displaying medical data on a computer screen in a manner that meets the cognitive challenge at hand is difficult and can fragment a physician’s thought processes

Since tri-fold computer screens are not a practical solution today, physicians need to involve themselves in the development of the EMR content screens that they will be using on a day-to-day basis. For most EMR products these screens can be configured and used in various ways. In this case the small display inherent to smart phones was inadequate when viewing the report. But this is because it was not designed with the small viewing area and resolution of a smart phone in mind. If presenting this data on a smart phone is a requirement for this physician, a new report will have to be developed in order to meet that new need.

  • “Think simple” when developing EMR screens that clinicians interact with

Complexity makes EMR use even more difficult and less safe.   Most EMRs allow modifications to some EMR screens that physicians interact with such as documentation templates, reports, orders and order sets.   Good advice to those who develop these screens is to “think simple”.   For example, if six gastroenterologists decide to each create their own list of 25 order sets to accommodate personal preferences, their EMR order set screen will display 150 order sets.   Creating a screen that displays 125 choices for physicians has a pre-determined fate.  They would be better served by collaborating on 25 evidence-based order sets to share.   The result will be less frustration, less variation from evidence-based medicine and less work when annually reviewing the content of order sets.