Safe EMR Use

New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.  In a series of weekly blogs I am illustrating some of the new protections.  I think the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws.  Consider this case history:

A physician practice was notified by one of its business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA's server was compromised.  The breach involved the PHI of 1,085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and that all online traces of the breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI.  This means that BAs of physician practices are subject to HB 300 protections as well as HIPAA unless they have no contact with PHI.  Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws.  Matters to address in a BAA include:

  • Immediate notification to practice when BA discovers breach
  • Who notifies affected individuals?  Who bears the cost?
  • Contract termination for failure to comply with law or take "reasonable" steps to fix breach
  • BA's compliance with performing a security risk analysis at least annually
  • BA's compliance with employee privacy training
  • Encryption of PHI stored on the BA's mobile devices or exchanged online, and in other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas.  Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the state's Texas Medical Records Privacy Act.  These amendments increase protection of electronic protected health information (PHI) and become effective on September 1, 2012.  HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA.  Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI.   But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks.   In the next month I know of  two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th.    Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300.  Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting PHI stored on mobile devices; and encrypting PHI transmitted online.  Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   


Keep the data collection cart behind the trailblazing horse

In today's Health IT News there is an article expressing disappointment with the recently released proposed rules for Stage 2 of the Electronic Health Record (EHR) Incentive Program.  Some alarming viewpoints are evident in this article regarding the collection of data for use by the federal government to improve public health.

The proposed rule for Meaningful Use Stage 2, on pages 13702-13703, specifically states that the purpose of Stage 2 Meaningful Use is to "encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible".  Nowhere in the rule does it state that the primary purpose of Stage 2 Meaningful Use is to collect data for use by the federal government, as is suggested by the concerns expressed in this article.  Let's keep the data collection cart behind the trailblazing horse so that it does not aimlessly roll down the steepest part of the hill instead of steering toward the most beneficial path.  Stage 2 objectives draw a sensible roadmap to the next planned destination, where we can finally begin realizing the maximum potential value of health IT and EHRs.  We currently have the horse trotting around potholes toward the widespread adoption and successful use of EHRs, the development of robust HIE networks, the maturation of EHR product functionalities and an improved understanding of safe EHR usage.  If we fail to align Stage 2 activities with Stage 2 goals by taking unplanned shortcuts to collect and use data in hopes of improving care now, I fear the cart will crash and cripple the momentum that Stage 1 has initiated.

Health Information Exchanges and Physicians Share Accountability for Safe Patient Care

The $800 billion 2009 American Recovery and Reinvestment Act (ARRA) set aside $36 billion toward health information technology (health IT) initiatives, including over $500 million for the State HIE Cooperative Program.  This federal program provides funds to each state for the planning and development of infrastructure that supports the exchange of electronic health data between physician electronic health records (EHRs), hospital EHRs, lab systems, radiology centers and other clinical IT systems.  For example, in Texas we are using these funds to support the development of local health information exchange entities, called HIEs, across the state and to concurrently develop the policies, standards and infrastructure needed to safely and securely connect these HIEs to each other.  The statewide HIE network will also be built to be compatible with national standards and efforts.

Each state's effort to develop a network of community HIEs and/or a statewide HIE will be more successful with physicians involved upfront with governance and policy development.   When working with local HIEs most physicians will generally understand and appreciate the importance of protecting the privacy and security of electronic patient health information.  Their inherent knowledge on this issue will help guide policies in the right direction.   A more complex issue for physicians to understand is the relationship between HIEs and patient care.   A heightened awareness of this issue will allow physicians to properly inform HIE policymakers about the need to establish an environment where local HIEs, HIE networks and physicians share accountability for safe patient care.   

To deepen physicians' understanding of this issue I encourage them and others to think about an HIE as a tool physicians use as part of patient care, similar to a surgical tool.  If a patient is harmed by a surgical tool that broke because the physician used it incorrectly, the physician is negligent.  If the physician used the tool correctly but it still broke, yet it has only broken 8 times in over 10,000 surgeries and the patient consent explains this remote risk of breakage, then no one is negligent.  However, if it broke and the issue had been reported to the vendor by many physicians on a repetitive basis, but the vendor failed to investigate the issue and fix the problem, or failed to inform physicians and patients of the increased risk in the meantime, then the vendor is negligent.

This perspective will help physicians advocate for policies that lead to an environment where HIEs and physicians share accountability for safe patient care.  Effective policies will lead to contracts and agreements which acknowledge that:

  1. HIEs and HIE infrastructure are tools used by physicians during the course of patient care
  2. HIEs are responsible for informing patients and doctors about the inherent risks of  the electronic health information exchange including changes in risks when issues are identified
  3. HIEs have a responsibility to continually monitor for and mitigate risks associated with their services that may impact quality of care provided by physicians


Why should primary care physicians enroll for Regional Extension Center services?

Why should primary care physicians sign up for REC services?   What are the unique selling points and assistance they will receive as compared to other consultant organizations?  

These are excellent questions I am hearing from physicians in Texas regarding the four RECs that cover our entire state.  The RECs are subsidized by the federal government through the Health Information Technology for Economic and Clinical Health (HITECH) Act which appropriated $640 million in REC grant funds to create 62 RECs across the nation, including the four in Texas. 

Primary care physicians in Texas should use REC services because they will receive a steep discount for high quality services that are provided through a trustworthy, physician-centric organization that was specifically created to meet the technological needs of physicians in their region.

In Texas the four RECs have collaborated to develop a shared business plan that leverages the federal subsidies to provide onsite technical consulting for a token fee of $300.    For this $300 enrollment fee Texas physicians receive over $5,000 in consulting services which include:

  • EHR implementation and project management;
  • HIT education and training; 
  • Vendor selection and financial consultation; 
  • Practice and workflow redesign; 
  • Privacy and security compliance education; 
  • Meaningful use analysis, tracking, and monitoring; 
  • Assistance in meeting meaningful use requirements for CMS incentives; 
  • Collaboration with state and national health information exchange (HIE); 
  • Ongoing technical assistance; and 
  • Opportunities for CME credit hours

In addition to this steeply discounted enrollment fee, the Texas Medical Association (TMA) works closely with the RECs to help ensure that the RECs are physician-centric and focused on meeting physician needs.    Physicians hold 50% of the seats on each REC's governing board as a result of the TMA’s early efforts.

Another unique selling point is that the REC technical consultants are specifically focused on, and experienced with, the small physician practice.    Other IT consultants naturally give priority to large practices or healthcare systems where they get large amounts of money from a small number of contracts.    The REC consultants, on the other hand, only get a small amount of money per contract, but they get a large number of them.    This business strategy allows them to become more experienced with and more focused on the small practice.    The REC administrative staffs enable this strategy by facilitating the enrollment of a large number of physicians and by using the REC federal grant funds to offer physicians the steep discount.

The four RECs in Texas are:

Physicians Use E-mail With Patients Safely By Avoiding Misuse, Mishandling and Medicolegal Issues

Effective communication is a hallmark of patient satisfaction with their physician and is associated with quality outcomes.  It is not surprising that surveys reveal more than 90% of patients want to e-mail their doctors.  Physicians, however, are tentative about moving forward.  In a 2009 survey by the Texas Medical Association, only about 20% of physicians reported using e-mail with their patients.

Those of us who do successfully use e-mail with patients know that we must be attentive to the risks involved to use e-mail safely. We also recognize that in order to use this technology efficiently we have to think about our work flow and be smart about redesigning it.  The risks of using e-mail with patients can be categorized into misuse, mishandling and medicolegal issues.

Misuses of physician-patient e-mail include:

  • seeking or providing new diagnoses/treatments
  • using e-mail with new patients with no previous face-to-face encounter
  • communicating on sensitive matters such as HIV, sexually transmitted infections, genetics and mental health
  • using e-mail for urgent or emergent issues
  • writing long, complex messages
  • using e-mail attachments in formats that patients' computers may not be able to open and read
  • forwarding e-mails from patients without their consent
  • advertising or promoting goods and products through e-mail

Mishandling issues with physician-patient e-mail include:

  • problems with e-mail triage or distribution within the office such as failure to adhere to established protocols or meet expected turn-around times for actions/replies
  • physicians using their personal e-mail accounts to send e-mail to patients
  • misunderstandings by patients or office staff regarding who actually received, sent or replied to messages (authorship issues)

Medicolegal, privacy and security issues include:

  • failure to properly identify patients and verify e-mail addresses
  • privacy breaches
  • security problems with the e-mail system or related computer systems
  • not getting e-mail communications into the patient’s medical record
  • repudiation issues (i.e. patient denies sending or receiving an e-mail)
  • accountability issues
  • legal e-discovery issues
  • medical liability associated with diagnoses/treatment
  • failure to follow Texas Medical Board rules, HIPAA regulations or other privacy/security regulations

These issues are certainly not insurmountable.  With an awareness and understanding of the rules, regulations and guidelines published by one’s state medical board, HIPAA, professional societies and other professional organizations such as the AMA, a physician can develop a set of policies and procedures to safely and efficiently use e-mail with their patients.  The procedures should include oversight mechanisms, adequate training of staff, adherence to privacy and security regulations, appropriate identification and authentication of each patient who consents to the use of e-mail and patient education to clarify what the physician will allow e-mail to be used for.  Patients should also be educated on how the office will manage e-mail messages and on what the expected turn-around times for replies will be.

Enhance Safe Use of EHRs By Aligning Implementation To Quality Goals

Safe use of electronic medical records (EMRs) is enhanced when physicians focus their EMR implementation on quality of care improvements.  Effective communication among the staff about these key goals creates a positive environment that serves as a catalyst for successful use of the EMR.  In addition, large healthcare systems and small physician offices are both less likely to encounter patient safety issues when they align their health information technology (IT) strategies to quality of care goals.  

Case Study:  Several years ago the leadership of an Accountable Care Organization (ACO) formed between a local healthcare system and a multi-specialty physician group began working collaboratively on a common vision for patient safety excellence.  System-wide integration and use of medication reconciliation were top priorities.  The EMR used by the hospitals has an ambulatory component that meets all of the critical requirements determined by the physician board members.  If implemented, the ambulatory and hospital EMRs could be integrated and share the same master patient index, drug formulary, medication index, allergy index and set of clinical decision support rules.  However, the physician board, influenced by several leading opinion-makers who favored an alternative EMR, convinced ACO leaders to allow the physicians to purchase their own ambulatory EMR and to use system resources to purchase and develop a data repository that could send, receive (bi-directionally) and store data between multiple sources.  The vendors involved promised they could provide the infrastructure and tools necessary to capture and manipulate the data.  Two years later a patient suffered a severe anaphylactic reaction after receiving an antibiotic injection in one of the physician offices.  An investigation revealed that although the EMR had properly displayed the allergy, the antibiotic order had not triggered an allergy alert.  Further research revealed multiple ways for an allergy to be entered into their customized, bi-directional medication reconciliation tool that would successfully display the allergy in the ambulatory EMR but not trigger an alert during the ordering process.  Their conclusion was that the use of different EMRs with multiple drug formularies, multiple medication and allergy indices and different clinical decision support rules is more complex than anticipated.  They suspended use of the medication reconciliation tool until they could determine whether they could more effectively execute their current strategy.

Key Points:  Effective organizational characteristics and a focus on quality of care are important catalysts for safe EMR use.

Cultivating a culture of safety, promoting transparent communications and alignment of strategic planning with prioritized goals to improve quality of care are examples of organizational characteristics that facilitate safe EMR use.  In this case the organization did well creating a shared vision with common goals/priorities regarding quality of care.   However, organizational alignment fell apart when the unbalanced interests from one part of the organization created the perceived need for an alternative strategy.   Although the new strategic plan was plausible, the organization did not have the resources or organizational discipline to effectively execute plans that were considerably more complex.   It will be paramount for ACOs to effectively manage such issues in the future.  Similarly, even the small, individual physician practice is more likely to be successful with an EMR implementation when they develop a strategy to improve quality of care through the implementation of an EMR.  

"Think Simple" When Developing Order Sets and Clinical Content Screens for EMRs

Physicians would prefer that an EMR computer screen emulate a tri-fold flow sheet that inspires a "gestalt feel" for the whole clinical situation.   Instead, data split among multiple screens with the need for numerous mouse clicks and excessive scrolling in order to see all the information tends to frustrate clinicians.  The frustration comes as a result of the fragmentation of our thought processes and patterns which have developed over time.    In addition, "user interface" issues can become a patient safety risk.  The following case study provides an example of such an issue.   

Case Study:  A small practice had their EMR vendor develop a custom report called the Patient Summary that "pulls in" EMR data including lab and radiology results.  This report is useful while on call because physicians can remotely access it from home over the Internet.  One weekend the on-call physician discovered that some of the lab results for one of his patients did not show up on the Patient Summary.  He checked several other patients and found another example of missing results.  He decided that this report was unreliable and that he would not use it until the issue was understood.  The EMR vendor was notified on Monday.  They quickly determined that the report was working normally and no data was missing.  They suspected the doctor had forgotten that this report displays a little <+> symbol at the bottom of the screen if there are additional lab results that will not fit in the space provided.  At that point the physician realized that he had used his new iPhone for the first time and that the small display had made it very difficult for him to see the small <+> symbol.


Key Points:

  • Displaying medical data on a computer screen in a manner that meets the cognitive challenge at hand is difficult and can fragment a physician’s thought processes

 Since tri-fold computer screens are not a practical solution today, physicians need to involve themselves in the development of the EMR content screens that they will be using on a day-to-day basis.  For most EMR products these screens can be configured and used in various ways.  In this case the small display inherent to smart phones was inadequate when viewing the report.   But this is because it was not designed with the small viewing area and resolution of a smart phone in mind.  If presenting this data on a smart phone is a requirement for this physician, a new report will have to be developed in order to meet that new need.  

  • “Think simple” when developing EMR screens that clinicians interact with

Complexity makes EMR use even more difficult and less safe.  Most EMRs allow modifications to some of the screens that physicians interact with, such as documentation templates, reports, orders and order sets.  Good advice to those who develop these screens is to "think simple".  For example, if six gastroenterologists each decide to create their own list of 25 order sets to accommodate personal preferences, their EMR order set screen will display 150 order sets.  A screen that presents physicians with 150 choices has a pre-determined fate.  They would be better served by collaborating on 25 evidence-based order sets to share.  The result will be less frustration, less variation from evidence-based medicine and less work when annually reviewing the content of the order sets.

Successful Training Strategy for Staff, Clinicians Facilitates Safe Use of EMRs

Inadequate training of staff and clinicians is a common problem encountered when an electronic medical record (EMR) is implemented.  The following case study illustrates how poor training can impede the operations of the physician's office and even lead to patient safety issues.   A successful training strategy will avoid these types of problems by ensuring the staff and clinicians are knowledgeable about proper EMR use and that the staff who are responsible for configuring and maintaining the EMR are skilled and working as a team.    

Case Study:  A multi-office practice has used an EMR for 18 months.  Mary, an office manager with project management and IT experience, is the primary caretaker of the EMR.  She has struggled with two other office managers who want to have the same access she has to configure the EMR.  Their argument is that they know what's best for their offices and that Mary is too busy to meet their needs.  Mary argues that she is not too busy, but that it takes time to properly test and manage changes made to the EMR.  Their arguments are taken to the physicians' EMR oversight group, who ask Mary to just "let it go" and provide the access those office managers need.

One week later Mary was suddenly inundated with trouble calls.  Physicians were unable to enter diagnosis codes and their staff were unable to work claims.  Mary called the two office managers, who swore they had not done anything wrong.  One of them, whose office was having no problems, admitted that she had added several diagnosis codes to a template because her doctor wanted them.  Mary subsequently discovered that this office manager had failed to link all of the other physicians to the new template, which is why her office was the only one with no problems.  Mary fixed this issue, but then decided to run an audit to see if any other changes had been made to the EMR without communication or notice.  She indeed discovered a change the other office manager had made to a parameter called "Allergy Severity Default", with the default answer changed from "Severe" to "Mild".  Mary knew about a "quirk" with this EMR whereby it fails to trigger an allergy alert if the allergy is entered as "Mild".  She had previously taken the issue to the physician oversight group, who determined that the answer in this field must default to "Severe" when physicians enter an allergy.  They felt it was a patient safety risk if every time a physician entered an allergy they also had to actively change the default answer to "Severe".

When Mary explained this, the office manager replied that her physician claimed a “Severe” allergy is one where anaphylactic shock occurs and that he was tired of always changing the answer from “Severe” to “Mild”.   Mary changed the default answer back to “Severe”, asked the EMR physician oversight group to re-educate the physicians and began working with the EMR vendor to completely remove “Mild” as an available answer.  The vendor complied promptly.

Key Points:

• The most common source of problems with using EMRs is inadequate training

Case studies of EMR implementations, whether successful or failed, consistently list “training” as a key factor for success.   Ongoing educational reminders, especially for “work-arounds” and unique issues as exemplified in this case, are often useful.

• Be wary of "work-arounds"

“Work-arounds” are encountered because people creatively develop ways, especially manual ones, to work around technology when it obstructs them from doing something.   Be wary of EMR work-arounds and make sure they are the best solution to the problem. In retrospect, completely removing “Mild” as an option in this case would have been a better initial solution instead of the work-around that was developed.

• Resolving EMR-related patient safety issues is a shared responsibility between the physician and EMR vendor

Work collaboratively with the EMR vendor and prioritize issues for them.  If ten issues are reported but only one of them is a patient safety issue, prioritization will focus the vendor’s resources on the important issue.   Mary immediately notified and educated the vendor about the patient safety issue in this case.

• Proactive management of EMR changes will reduce the number of EMR-related problems

There are standardized “change management” practices that minimize the risk of unexpected EMR problems.  These proactive practices ensure that each change is adequately tested, approved and communicated in advance.  Advance communication of an EMR change should indicate who, what, where, when and why changes are being made. This provides an opportunity for critical feedback.

• Effective communication is essential for safe patient care

Poor interpersonal relationships and the lack of effective communication among staff directly contributed to the problems in this case.  Discussion of the proposed changes would have allowed Mary or others to intervene and avoid the problems entirely.

Safe and Meaningful EMR Use Requires Control and Oversight of Clinical Content and Vocabulary


Case Study:  During the failed resuscitation attempt of a premature newborn in a neonatal intensive care unit (NICU), a nurse discovered the child was receiving 100 times the proper dose of heparin.  An immediate review of all 35 NICU patients revealed three others had heparin IV overdoses running.  These were stopped and those patients suffered no adverse effects.  An immediate investigation by the hospital's Sentinel Event Rapid Response Team discovered a series of missteps that unfortunately aligned despite the presence of multiple preventive systems and processes, including computerized physician order entry (CPOE).  The critical error turned out to be an erroneous heparin overdose order in a "Neonatal Admissions" order set.  Order sets that include medication orders at this hospital must be approved by the Pharmacy and Therapeutics Committee (P&T).  P&T had previously approved the order set, but on the morning of the incident the Medical Director of the NICU had called IT and requested that several non-pharmacy orders immediately be added to the order set.  The purpose of these new orders was to capture additional data needed for a monthly neonatology quality report that is electronically sent to a national database and used for quality benchmarking.  The clinical IT analyst did not think the order set needed to go back to P&T because there were no new pharmacy orders.  However, this EMR requires the analyst to re-enter the entire order set when making any changes.  The analyst made a decimal point error when keying in the heparin order.  No other clinician reviewed, tested or approved the change.


Key Points:


  • Inaccurate or inconsistent clinical content in an EMR is a risk to patient safety and automation can propagate such errors to multiple patients before being discovered and corrected

Physicians and their staff will develop or customize clinical content for parts of their EMR such as order sets, documentation templates, physician orders and discharge instructions.  This case serves as a brutal reminder for the need to be very attentive to the accuracy of clinical content in an EMR.  The tragic outcome in this case was initiated by a type of human error (a “typo”) that can be anticipated and prevented by oversight processes.  
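The oversight process this case calls for, and the configuration audit Mary ran in the earlier training case study (the "Allergy Severity Default" that had been silently changed from "Severe" to "Mild"), can both be backed by an automated gate that runs before changed content goes live.  The following Python script is an added example written for this page; it is not code from the hospital, the practice or any EMR vendor.  It compares a proposed order set with its P&T-approved baseline and flags every difference in a medication order (even when the author only meant to add data-capture orders, since re-keying the whole set can alter lines that were not supposed to change), checks weight-based doses against a plausibility window to catch decimal-point errors, and reports safety-critical parameters that have drifted from the value the physician oversight group pinned.  The order names, dose windows, parameter names and sample data are all assumptions constructed for illustration, not clinical guidance.

```python
"""Pre-activation review gate for EMR clinical content changes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    """One line of an order set. `category` is 'medication' or 'data'."""
    name: str
    category: str
    dose: Optional[float] = None
    unit: str = ""


# Assumed plausibility windows for weight-based neonatal infusion doses. They exist
# only to catch order-of-magnitude keying errors and are NOT clinical guidance.
DOSE_RANGES: Dict[Tuple[str, str], Tuple[float, float]] = {
    ("heparin", "units/kg/h"): (0.1, 5.0),
}

# Parameters pinned by the physician oversight group (assumed names and values).
LOCKED_PARAMETERS: Dict[str, str] = {
    "Allergy Severity Default": "Severe",
}


def review_order_set(approved: Dict[str, Order], proposed: Dict[str, Order]) -> List[str]:
    """Return findings that should block activation of `proposed` until reviewed.

    Any added, removed or altered medication order needs P&T approval; non-pharmacy
    (data) orders may change freely. Doses are also checked against DOSE_RANGES.
    """
    findings: List[str] = []
    for name, order in proposed.items():
        if order.category != "medication":
            continue
        prior = approved.get(name)
        if prior is None:
            findings.append(f"new medication order '{name}': requires P&T approval")
        elif prior != order:
            findings.append(
                f"medication order '{name}' changed from {prior.dose} {prior.unit} "
                f"to {order.dose} {order.unit}: requires P&T approval"
            )
        window = DOSE_RANGES.get((name.lower(), order.unit))
        if window and order.dose is not None and not window[0] <= order.dose <= window[1]:
            findings.append(
                f"dose for '{name}' ({order.dose} {order.unit}) is outside the plausible "
                f"window {window}: possible decimal-point error"
            )
    for name, prior in approved.items():
        if prior.category == "medication" and name not in proposed:
            findings.append(f"medication order '{name}' removed: requires P&T approval")
    return findings


def review_parameters(current: Dict[str, str]) -> List[str]:
    """Flag safety-critical EMR parameters that no longer hold their pinned value."""
    return [
        f"parameter '{key}' is '{current.get(key)}', expected '{expected}': revert and investigate"
        for key, expected in LOCKED_PARAMETERS.items()
        if current.get(key) != expected
    ]


# Constructed sample data (not real order sets or settings).
APPROVED_NEONATAL_ADMISSION: Dict[str, Order] = {
    "heparin": Order("heparin", "medication", 0.5, "units/kg/h"),
    "Admission weight": Order("Admission weight", "data"),
}
# The re-keyed version adds a data order and carries a misplaced decimal point.
PROPOSED_NEONATAL_ADMISSION: Dict[str, Order] = {
    "heparin": Order("heparin", "medication", 50.0, "units/kg/h"),
    "Admission weight": Order("Admission weight", "data"),
    "Gestational Age": Order("Gestational Age", "data"),
}
CURRENT_PARAMETERS: Dict[str, str] = {"Allergy Severity Default": "Mild"}

if __name__ == "__main__":
    for finding in review_order_set(APPROVED_NEONATAL_ADMISSION, PROPOSED_NEONATAL_ADMISSION):
        print("BLOCK:", finding)
    for finding in review_parameters(CURRENT_PARAMETERS):
        print("BLOCK:", finding)
```

Run against the sample data, the order-set review produces two blocking findings for the heparin line (the change from the approved dose and the implausible 100x value) and ignores the added "Gestational Age" data order, while the parameter audit reports the drifted allergy default.  The baseline the gate compares against should be the version P&T actually signed off on, kept outside the EMR's own editable configuration, so that a re-keyed copy cannot become its own reference.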


  • Physicians should oversee the processes used to manage and monitor the development of clinical content

Physicians will usually be called on to be the “authors” of EMR clinical content for items they are most knowledgeable about such as the documentation templates and order sets they will use.  Ideally the physician will develop content that is evidence-based and collaborate with others in the practice to avoid conflicting content and to reduce variations in care.  But physicians should also oversee the processes used to manage and monitor the development of other clinical content as well.  Similar to the hospital P&T committee, a physician or physician group should review and approve new or changed content before it is put into their EMR.  Content should also be reviewed by the authors at least annually to keep it up-to-date.


  • Physicians should work with their EMR vendor to assure that the clinical content in their EMR meets the emerging state and federal vocabulary standards for content

Vocabulary standards define how an EMR “encodes” clinical data which facilitates the ability of EMRs to reliably exchange that data with other systems.  In other words, if two EMRs use the same definition of “Gestational Age” and encode that measurement in the same way, those EMRs will be able to exchange that data (“talk” with each other) reliably.  In this case the neonatologists were adding an order to capture “Gestational Age” in the EMR to meet a new vocabulary standard determined by their specialty’s national quality benchmarking entity.  Some state and federal vocabulary standards exist, but more are forthcoming with the HITECH “meaningful use” requirements driving them forward.