Re: Can we talk about EHR security and the big picture?

October 19, 2009

Craig,That's terrible. I read about that huge breach in BCBS patient information. I'm sorry to hear your name was in that mess.I agree with Graham. There should consequences applied to the offending company, BCBS. I think that offering free credit checks for a year is not enough. The consequences need to significant enough to change company behavior and lax policy. Heads need to roll on something like this. The company itself should be punished in some large way. Just think. What would happen if some doc was found to be violating some part of HIPAA? Actually does anyone know what does happens to the doc? Not that I"m planning some do some HIPAA violations. Jail? HIPAA jail? Flogging from the state licensing board?KathleenThe company should be fined ....On Mon, Oct 19, 2009 at 6:45 PM, Craig Ross <rossmd> wrote: An example of bad security:I just found out a Blue Cross employee downloaded provider information onto her personal computer so she could work on it at home. Her computer with all the un-encrypted, unprotected data was stolen. So now, some thief has my SSN.BCBS is paying for a year of credit monitoring but when will people realize they can't go walking around with unsecured personal information?UUUGGHHHHH!Craig> >>> >>> I'm hoping we can engage the subject of EHR security on this very > >>> smart listserv.> >>> I've been thinking about this a lot as a pre-IMP looking at > >>> various options for EHR (see below) but also as citizen patient > >>> who's data is swimming in the big pool. In fact the security and > >>> use of health care data looms large in my mind right now.> >>>> >>> Will 'meaningful use' be defined by whether or not and how use the > >>> patient information is to someone or something larger than, and > >>> outside of our practices? Is that a good thing?> >>>> >>> Clearly there is huge value in identifying best practices in > >>> medicine, tracking outcomes, data mining for research and evidence > >>> based medicine. But there is also huge value to those who would > >>> sell information, predicted to be a 5 billion dollar industry.> >>>> >>> Supposedly this information is scrubbed of individual identity, > >>> however researchers are suggesting perhaps we shouldn't get too > >>> comfortable.> >>> When I saw this piece in the NYT today, I was already primed to be > >>> very uncomfortable as I consider EHR for my someday IMP.> >>>> >>> Practice Fusion jumped right off the page at me, because I know > >>> some of us use it. Here is that paragraph followed by the link to > >>> the NYT article.> >>>> >>> "Big players like the Cerner Corporation, which maintains > >>> electronic health systems for 8,000 clients, including large > >>> hospitals and retail clinics, and smaller players like Practice > >>> Fusion, which offers its Web-based health record systems free to > >>> health care providers, say they make use of patient data collected > >>> from their clients."> >>> http://www.nytimes. com/2009/ 10/18/business/ 18stream. html?th= & > >>> adxnnl=1 & emc=th & adxnnlx= 1255881706- tlmUCp8B5BcqZQf2 Mr2XLA> >>>> >>> This is my primitive category of options for EHR:> >>>> >>> 1.Web based options where information is stored on distant servers > >>> of the host EHR company ( less expensive ) vs> >>>> >>> 2.a system housed in the office ( much more expensive )> >>>> >>> 3. Hybrid system hosted on servers housed in the central hospital > >>> for it's affiliated practices and hosp owned practices. A friend's > >>> practice has this. Caritas Org. Physician Network purchase > >>> eClinical for it's 400+ physicians.> >>>> >>> Can we talk about this?> >>>> >>> Kathleen> >>>> >>>> >>> >>> >>> >>> >>> >>> >>> >>> >> -- > >> Graham Chiu> >> http://www.synapsedirect.com> >> Synapse - the use from anywhere EMR.> >>> >>> >>> >>> >>> >>> >> -- > >> Graham Chiu> >> http://www.synapsedirect.com> >> Synapse - the use from anywhere EMR.> >>> >>> >> >> >> >> >> >> > -- > > Graham Chiu> > http://www.synapsedirect.com> > Synapse - the use from anywhere EMR.> >> >>-- Graham Chiuhttp://www.synapsedirect.comSynapse - the use from anywhere EMR.

October 19, 2009

Sometimes the links get messed up in Yahoo!Groups. Try

http://tinyurl.com/ykjw8nh

It's a good, thought-provoking article. Any EMR that sells or has plans to sell

'double-scrubbed' or 'de-identified' information should be off the short-list.

Every database is 'de-identified'. There is always one more datatable that will

connect all the protected information together. The question in my mind is what

will a software provider like Practice Fusion do when it is federally forbidden

to sell de-identified demographics? They will need to find revenue somewhere.

Security of our patient's PHI goes beyond what the EMR Software as a Service

provider might do with that information, to who controls it and how it is

secured. If there is a breach in their systems, you will be the one notifying

your patients. The only way to control this protected information is to have it

in-house and locked down with industry standard system architecture and

security; which is neither rocket science, nor financially beyond the reach of

sole practitioners.

McQuaid

Frisco, TX

> >

> > An example of bad security:

> >

> > I just found out a Blue Cross employee downloaded provider

> > information onto her personal computer so she could work on it at

> > home. Her computer with all the un-encrypted, unprotected data was

> > stolen. So now, some thief has my SSN.

> >

> > BCBS is paying for a year of credit monitoring but when will people

> > realize they can't go walking around with unsecured personal

> > information?

> >

> > UUUGGHHHHH!

> > Craig

October 19, 2009

,I agree that this is an important discussion to have. Thank you for your thoughts. As someone who has decided to go with Practice Fusion for my EMR, I disagree that it cannot be a reasonable choice for physicians. According to a Google search, you appear to own a company that provides computer and networking services to medical offices. If that is the case, wouldn't you have a financial interest in directing people away from a product such as Practice Fusion? I think it would be fair for you, and anyone commenting on products/services, to note any potential financial conflict or interest in any future posts. I have no financial interest in Practice Fusion or any EMR. SetoSouth Pasadena, CASometimes the links get messed up in Yahoo!Groups. Try http://tinyurl.com/ykjw8nhIt's a good, thought-provoking article. Any EMR that sells or has plans to sell 'double-scrubbed' or 'de-identified' information should be off the short-list. Every database is 'de-identified'. There is always one more datatable that will connect all the protected information together. The question in my mind is what will a software provider like Practice Fusion do when it is federally forbidden to sell de-identified demographics? They will need to find revenue somewhere.Security of our patient's PHI goes beyond what the EMR Software as a Service provider might do with that information, to who controls it and how it is secured. If there is a breach in their systems, you will be the one notifying your patients. The only way to control this protected information is to have it in-house and locked down with industry standard system architecture and security; which is neither rocket science, nor financially beyond the reach of sole practitioners. McQuaidFrisco, TX> >> > An example of bad security:> >> > I just found out a Blue Cross employee downloaded provider > > information onto her personal computer so she could work on it at > > home. Her computer with all the un-encrypted, unprotected data was > > stolen. So now, some thief has my SSN.> >> > BCBS is paying for a year of credit monitoring but when will people > > realize they can't go walking around with unsecured personal > > information?> >> > UUUGGHHHHH!> > Craig

October 19, 2009

As an e-MDs user, I have to respectfully

disagree with your statement that you need to have 3+ docs or 20+ patients/day

to make it worthwhile. We see about 12 on average per day and are a solo

provider office. We wouldn’t trade e-MDs for anything. We purchased it

almost 5 years ago and have been very happy users. I have also used eCW and

did not find it worthwhile.

JM2C,

Pratt

Office Manager

Oak Tree Internal Medicine P.C

www.prattmd.info

From: [mailto: ] On Behalf Of Dr Levin

Sent: Sunday, October 18, 2009

12:41 PM

To:

Subject: Re:

Can we talk about EHR security and the big picture?

3) There are next step up programs with added expense and

more fully integrated systems like eCW, eMDs that will allow you to " do

more " but you'll need to put more into them; if you're a relatively large

organization (3+ docs) or if you generate a sizable above average throughput of

pts (20+/day/doc), the govt " promised " rebate may be worth

it. The structure of such programs would probably be worth it too, but

only if you put alot of effort into usage and it improves your clinical work flow

within 6 months I'd say.

October 19, 2009

If you transmit billing information

electronically, then you do – and that includes if your biller does it

for you.

Pratt

Office Manager

Oak Tree Internal Medicine P.C

www.prattmd.info

From: [mailto: ] On Behalf Of Dr Levin

Sent: Sunday, October 18, 2009

7:13 PM

To:

Subject: Re:

Can we talk about EHR security and the big picture?

" Covered

Healthcare Providers—Any provider of medical or other health services, or

supplies, who transmits any health information in electronic form in connection

with a transaction for which the Department of Health and Human Services (DHHS)

has adopted a standard. "

I

don't " transmit " any information from my EMR. Why do I have to

do this?

Re:

Can we talk about EHR security and the big picture?

Note: In my previous post I wasn't looking for advice,

in particular for my choice of EMR, but more for a discussion of EMR security.

How all of us are faced with it and how can we handle it? or not?

I'm gonna need particular advice when it comes down to

the choosing in future. But right now, can we talk?

Thanks all,

K

I'm

hoping we can engage the subject of EHR security on this very smart

listserv.

I've been thinking about this a lot as a pre-IMP looking at various options for

EHR (see below) but also as citizen patient who's data is swimming in the big

pool. In fact the security and use of health care data looms large in my mind

right now.

Will 'meaningful use' be defined by whether or not and how use the patient

information is to someone or something larger than, and outside of our

practices? Is that a good thing?

Clearly there is huge value in identifying best practices in medicine, tracking

outcomes, data mining for research and evidence based medicine. But there is

also huge value to those who would sell information, predicted to be a 5

billion dollar industry.

Supposedly this information is scrubbed of individual identity, however

researchers are suggesting perhaps we shouldn't get too comfortable.

When I saw this piece in the NYT today, I was already primed to be very

uncomfortable as I consider EHR for my someday IMP.

Practice Fusion jumped right off the page at me, because I know some of us use

it. Here is that paragraph followed by the link to the NYT article.

" Big players like the Cerner Corporation, which maintains electronic

health systems for 8,000 clients, including large hospitals and retail clinics,

and smaller players like Practice Fusion, which offers its Web-based health

record systems free to health care providers, say they make use of patient data

collected from their clients. "

http://www.nytimes. com/2009/ 10/18/business/ 18stream.

html?th= & adxnnl=1 & emc=th & adxnnlx= 1255881706- tlmUCp8B5BcqZQf2

Mr2XLA

This is my primitive category of options for EHR:

1.Web based options where information is stored

on distant servers of the host EHR company ( less expensive ) vs

2.a system housed in the office ( much more expensive )

3. Hybrid system hosted on servers housed in the central hospital for it's

affiliated practices and hosp owned practices. A friend's practice has this.

Caritas Org. Physician Network purchase eClinical for it's 400+ physicians.

Can we talk about this?

Kathleen

--

Graham Chiu

http://www.synapsedirect.com

Synapse - the use from anywhere EMR.

--

Graham Chiu

http://www.synapsedirect.com

Synapse - the use from anywhere EMR.

October 19, 2009

et al:

I agree that disclosure is fair. My apologies if in being brief I appeared

covert.

Yes, for my company that would like to integrate emr into other physician

practices, Practice Fusion would not be one that I would push. For our

practice, that vendor's model also would not be the one I would choose. In my

opinion, information security must be a primary driver for any emr

implementation, and if you don't own the system, it cannot be controlled.

I did not mean to suggest that a particular EMR is an unreasonable choice for

your or any practice(but can see my choice of words may have stated that). I

should have said the product would not be on MY short-list.

I appreciate your longstanding contributions to this group. I have enjoyed the

exchange and variety of opinions and information.

Sincerely,

McQuaid

Frisco, TX

> > > >

> > > > An example of bad security:

> > > >

> > > > I just found out a Blue Cross employee downloaded provider

> > > > information onto her personal computer so she could work on it at

> > > > home. Her computer with all the un-encrypted, unprotected data was

> > > > stolen. So now, some thief has my SSN.

> > > >

> > > > BCBS is paying for a year of credit monitoring but when will

> > people

> > > > realize they can't go walking around with unsecured personal

> > > > information?

> > > >

> > > > UUUGGHHHHH!

> > > > Craig

> >

>

October 19, 2009

Sounds great. Tell us more.

What staff do you have?

nurse?

receptionist ?

full time office manager?

how is billing done?

full time, part time?

what is rent?

What is monthly cost of EMR?

What is insurance cost per year?

What is gross income for one doc?

I'd like to compare that with what would happen if I saw 12 per day in the southeast.

Neighbors, MD.

-----Original Message-----From: [mailto: ]On Behalf Of PrattSent: Monday, October 19, 2009 1:21 PMTo: Subject: RE: Can we talk about EHR security and the big picture?

As an e-MDs user, I have to respectfully disagree with your statement that you need to have 3+ docs or 20+ patients/day to make it worthwhile. We see about 12 on average per day and are a solo provider office. We wouldn’t trade e-MDs for anything. We purchased it almost 5 years ago and have been very happy users. I have also used eCW and did not find it worthwhile.

JM2C,

Pratt

Office Manager

Oak Tree Internal Medicine P.C

www.prattmd.info

From: [mailto: ] On Behalf Of Dr LevinSent: Sunday, October 18, 2009 12:41 PMTo: Subject: Re: Can we talk about EHR security and the big picture?

3) There are next step up programs with added expense and more fully integrated systems like eCW, eMDs that will allow you to "do more" but you'll need to put more into them; if you're a relatively large organization (3+ docs) or if you generate a sizable above average throughput of pts (20+/day/doc), the govt "promised" rebate may be worth it. The structure of such programs would probably be worth it too, but only if you put alot of effort into usage and it improves your clinical work flow within 6 months I'd say.

October 19, 2009

Thanks, , and no problem. We all have information we can learn from each other. I am happy to see open discussions with a variety of viewpoints. That is, besides the 30-40 people (including me) who seem to post the bulk of the messages here. After all, there are now over 830 (!) members of this listserve, and I always enjoy hearing some new perspectives from the people who don't post so often. SetoSouth Pasadena, CA et al:I agree that disclosure is fair. My apologies if in being brief I appeared covert. Yes, for my company that would like to integrate emr into other physician practices, Practice Fusion would not be one that I would push. For our practice, that vendor's model also would not be the one I would choose. In my opinion, information security must be a primary driver for any emr implementation, and if you don't own the system, it cannot be controlled.I did not mean to suggest that a particular EMR is an unreasonable choice for your or any practice(but can see my choice of words may have stated that). I should have said the product would not be on MY short-list.I appreciate your longstanding contributions to this group. I have enjoyed the exchange and variety of opinions and information.Sincerely, McQuaidFrisco, TX> > > >> > > > An example of bad security:> > > >> > > > I just found out a Blue Cross employee downloaded provider> > > > information onto her personal computer so she could work on it at> > > > home. Her computer with all the un-encrypted, unprotected data was> > > > stolen. So now, some thief has my SSN.> > > >> > > > BCBS is paying for a year of credit monitoring but when will > > people> > > > realize they can't go walking around with unsecured personal> > > > information?> > > >> > > > UUUGGHHHHH!> > > > Craig> >> >> >>

October 19, 2009

KathleenI'm not aware of any conviction anywhere under HIPAA.

Craig,That's terrible. I read about that huge breach in BCBS patient information. I'm sorry to hear your name was in that mess.I agree with Graham. There should consequences applied to the offending company, BCBS. I think that offering free credit checks for a year is not enough. The consequences need to significant enough to change company behavior and lax policy. Heads need to roll on something like this. The company itself should be punished in some large way.

Just think. What would happen if some doc was found to be violating some part of HIPAA? Actually does anyone know what does happens to the doc? Not that I " m planning some do some HIPAA violations. Jail? HIPAA jail? Flogging from the state licensing board?

Kathleen

The company should be fined ....On Mon, Oct 19, 2009 at 6:45 PM, Craig Ross wrote:

An example of bad security:

I just found out a Blue Cross employee downloaded provider information onto her personal computer so she could work on it at home. Her computer with all the un-encrypted, unprotected data was stolen. So now, some thief has my SSN.

BCBS is paying for a year of credit monitoring but when will people realize they can't go walking around with unsecured personal information?UUUGGHHHHH!Craig> >>> >>> I'm hoping we can engage the subject of EHR security on this very > >>> smart listserv.

> >>> I've been thinking about this a lot as a pre-IMP looking at > >>> various options for EHR (see below) but also as citizen patient > >>> who's data is swimming in the big pool. In fact the security and

> >>> use of health care data looms large in my mind right now.> >>>> >>> Will 'meaningful use' be defined by whether or not and how use the > >>> patient information is to someone or something larger than, and

> >>> outside of our practices? Is that a good thing?> >>>> >>> Clearly there is huge value in identifying best practices in > >>> medicine, tracking outcomes, data mining for research and evidence

> >>> based medicine. But there is also huge value to those who would > >>> sell information, predicted to be a 5 billion dollar industry.> >>>> >>> Supposedly this information is scrubbed of individual identity,

> >>> however researchers are suggesting perhaps we shouldn't get too > >>> comfortable.> >>> When I saw this piece in the NYT today, I was already primed to be

> >>> very uncomfortable as I consider EHR for my someday IMP.> >>>> >>> Practice Fusion jumped right off the page at me, because I know > >>> some of us use it. Here is that paragraph followed by the link to

> >>> the NYT article.> >>>> >>> " Big players like the Cerner Corporation, which maintains > >>> electronic health systems for 8,000 clients, including large

> >>> hospitals and retail clinics, and smaller players like Practice > >>> Fusion, which offers its Web-based health record systems free to > >>> health care providers, say they make use of patient data collected

> >>> from their clients. " > >>> http://www.nytimes. com/2009/ 10/18/business/ 18stream. html?th= &

> >>> adxnnl=1 & emc=th & adxnnlx= 1255881706- tlmUCp8B5BcqZQf2 Mr2XLA> >>>> >>> This is my primitive category of options for EHR:> >>>> >>> 1.Web based options where information is stored on distant servers

> >>> of the host EHR company ( less expensive ) vs> >>>> >>> 2.a system housed in the office ( much more expensive )> >>>> >>> 3. Hybrid system hosted on servers housed in the central hospital

> >>> for it's affiliated practices and hosp owned practices. A friend's > >>> practice has this. Caritas Org. Physician Network purchase > >>> eClinical for it's 400+ physicians.

> >>>> >>> Can we talk about this?> >>>> >>> Kathleen> >>>> >>>> >>> >>> >>> >>

> >>> >>> >>> >>> >> -- > >> Graham Chiu> >> http://www.synapsedirect.com

> >> Synapse - the use from anywhere EMR.> >>> >>> >>> >>> >>> >>> >> -- > >> Graham Chiu> >> http://www.synapsedirect.com

> >> Synapse - the use from anywhere EMR.> >>> >>> >> >> >> >> >> >> > -- > > Graham Chiu

> > http://www.synapsedirect.com> > Synapse - the use from anywhere EMR.> >> >

>-- Graham Chiuhttp://www.synapsedirect.com

Synapse - the use from anywhere EMR.

-- Graham Chiuhttp://www.synapsedirect.comSynapse - the use from anywhere EMR.

October 19, 2009

Damn You mean I can't go to HIPAA jail? I was hoping I woul d have food and shelter there as last resort.Yeah it is probably some draconian fine 25,000 per each sentence of each offense on each person in each family multiplied by the number of times you saw them inlcuding no shows.