42 Months post-Katrina: Where are health records?

I’m getting ready for a week of vacation in my hometown–New Orleans. As some of you who know me well may remember, my 89-year-old mother has been with us in Florida since Katrina-breached levees filled her New Orleans home with 8 feet of water. Our last visit was almost 22 months ago; it is definitely time for Mom to see family and friends who returned to LA after the storm.

Preparing for this trip in the midst of all the hubbub about EMRs and economic stimulus plans reminds me of those first few weeks after the storm. Mom was two months post MI when Katrina threatened and I was on my third post heart attack visit. When the mayor started talking about mandatory evacuation, we left Mom’s house with a change of clothes and her medications, and headed to my brother’s place in Louisville, MS. Three days later, when it became clear that we would not be returning to NOLA soon, we came here to Florida.

The first week post storm was spent buying a few clothes, shopping for doctors and getting prescriptions transferred to a local pharmacy. Fortunately, many pharmacies already shared data electronically in 2005, even when prescriptions were written by hand; but prescriptions were expiring and we needed a physician to write new ones. As we started going to appointments with a new primary care physician and a cardiologist, I was faced with the challenge of recreating 85 years of health history with my mother’s limited memory and my tangential recollections from a 600-mile distance. Mom was about halfway through a cardiac rehabilitation program at the hospital at which she had been treated. Our local hospital was willing to have her participate in their rehab program, but they decided not to charge her rather than try to deal with Medicare about incomplete services for which there were no records.

At the end of Mom’s fourth week with us, I headed to Washington, D.C. for a meeting of the Software and Technology Vendor Association (SATVA) and to attend the National Summit on Defining a Strategy for Behavioral Health Information Management and Its Role within the Nationwide Health Information Infrastructure (Summit) co-hosted by SATVA and SAMHSA. When Tom Trabin, Ph.D. (then SATVA Executive Director) and others came up with the idea of a Summit, the need was only an abstraction for me. Of course mental health providers needed to be involved in the gradual move toward EMRs. By the time of the Summit, I had concrete first-hand experience with the reason for the meeting. My 85-year-old mother and thousands of other New Orleans residents were completely without health records. Doctors’ offices and hospitals were flooded just as was her home. It was not even possible to reach her doctors, much less get information from them; they were displaced just as their patients were. The Summit pressed me to a concrete conclusion: behavioral health providers and consumers could not afford to be left out in the cold when catastrophe happens, and mental health could not let the general health field get too far ahead in the move to electronic medical records (EMRs).

After all, what physician or psychologist would be able to recreate a record from memory? And how many individuals carry an accurate health history in their head? The best anyone could do in 2005 was use health claim information from insurance carriers, Medicare and Medicaid. Frankly, for most physicians, it was too much trouble to attempt to obtain such information, even though a means of getting that data had been established. In some places that received large numbers of evacuees who had urgent healthcare needs and no family members with them, the network of access that was cobbled together from Medicare, Medicaid and VA claims databases allowed diagnosis and treatment of those with acute needs, but that took weeks to put in place. This destruction of health records became one of the most obvious reasons to press for a national system of electronic health records (EHRs), one that would not simply be washed away in eight feet of water.

So where are we 3 1/2 years later? If another Katrina-like catastrophe occurred tomorrow, would we be in any better position to treat evacuees based on information from an EMR or from a Personal Health Record (PHR)?

My guess is that we would be in just the same position we were in 2005. More physicians and hospitals are now using EMRs. The President and Congress have just appropriated 19 billion dollars for expanding the infrastructure and use of EHRs that we were discussing in 2005; but the reality is that we are nowhere near where we need to be to assure that continued care can be provided for general health or for mental health consumers. For the last 3 1/2 years there has been lots of activity, but today between 13% and 17% of provider organizations use EMRs; and there is still no system in place for sharing information among different organizations. Given a flood and no off-site backup of the electronic data, we would have exact duplication of the Katrina results.

Now that $19 billion has been made available for meaningful use of EMRs over the next few years, we can expect more frenzied activity and attempts to implement EMRs in more organizations. We can hope that a simultaneous effort will be made to assure that the information in those records will be protected from destruction and can be shared from one organization to another. Where will you be in this process? Is it time for your organization to start to consider implementation of a behavioral health EMR? Are you obtaining the necessary information to qualify for federal funding? How will your clinical records be handled 3 1/2 years from now?


Wal-Mart and Mental Health EMR: Unlikely

For the past week the health IT news world (NYTimes; Chicago Sun Times; MSN) and blogosphere (FierceHealthIT; Healthcare Informatics) have been abuzz with Wal-Mart’s announcement that they will begin selling electronic health record (EHR) software to doctors’ offices starting this Spring. They will do so in partnership with eClinicalWorks and Dell through their Sam’s Club stores.

Our initial reaction was panic. After all, if the world’s largest retailer decides to get into our market space, how can we possibly survive? And what does this mean for our customers?

Then we started reading the fine print. The cost for the first physician in the practice will be $25,000 plus $10,000 for each additional physician. The first year’s price includes hardware, installation, some training, technical support, and a variety of other odds and ends. And that is for software as a service. That means you do not own a license for the software; rather you connect into the company’s system and maintain your records there.  (This is the model that some people believe is the only viable one for a broad national system, but many dispute that.) After the first year, the cost per doctor is $500 per month.

John D. Halamka, M.D., CIO of the CareGroup Health System and Harvard Medical School among many other posts, is convinced that this pricing is fair and that Wal-Mart’s expertise in supply chain management and their own experience with IT systems in-house will make their coordination of this project a success. In fact, he says that it’s a “good deal”.

While this sort of price point might be cost effective and competitive for general and specialty medical physician practices, it is certainly not so for those in behavioral health practices. Most community-based behavioral health organizations are also not likely to find this pricing structure something they can build into their budget.

If this is the Sam’s Club bargain software, where does that leave mental health providers? While there are currently a few companies with very reasonably priced electronic medical records (EMRs) aimed at the behavioral health community, time will tell whether meeting the requirements for CCHIT certification and paying to acquire that certification will allow the products of this small cadre of companies to remain affordable.

What’s your take on the Wal-Mart announcement? Where do you see this search for the EMR going for you? 


 


ARRA’s New Privacy and Security Requirements

I was all set to write an article Monday morning on the expanded privacy and security requirements in the American Recovery & Reinvestment Act of 2009 (ARRA) when I remembered that I was registered for a webinar presented by FairWarning (a privacy surveillance company) Monday afternoon on just that subject. I am really glad I waited to write, because this webinar provided a wealth of information on the new requirements. [By the way, you will also see this section of ARRA (Title XIII) referred to as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Subtitle D contains the Privacy provisions.]

Many people and organizations have opined that EHRs will not take hold in general medical settings or in behavioral healthcare until consumers and providers trust that the EHR products and the means of transferring data are truly secure and protect the privacy of the patient. Webinar presenter Deven McGraw, of the Center for Democracy & Technology, most articulately presented the aspects of ARRA that will increase the privacy and security requirements that healthcare providers must follow. She indicated changes in four broad areas including substantive modifications to HIPAA statutory requirements, increased enforcement of HIPAA, provisions to address health information held by entities not covered by HIPAA, and a variety of administrative changes.

The new law incorporates and expands upon the HIPAA requirements.

  • There has been an attempt to more clearly define certain terms, like just what a “breach” of privacy is.
  • Previously, covered entities were the only ones required to report breaches of privacy; now the same requirement is placed upon Business Associates.
  • HITECH strengthens the individual’s right to restrict disclosures of health information to their insurance plan and even allows the individual to “opt out” of electronic recording and sharing of their information if they pay for their services privately and in advance. Mental health services are frequently cited as sensitive content that an individual may want left out of their electronic record.
  • The HIPAA mandate requiring that a provider not release psychotherapy notes to the insurer has been included in this act, and the Secretary of Health and Human Services (HHS) has been ordered to study whether psychological test data should be included in this exception.
  • ARRA improves upon the HIPAA “minimum necessary” standard requiring that only the minimum amount of patient information should be disclosed depending upon the specific request for information.
  • The legislation places requirements upon companies that provide Personal Health Records (PHR) for the security of the data in those records, and prohibits the sale of protected health information.
  • Most importantly, the law provides an ongoing process for setting privacy and security standards and evaluating their effectiveness. 

A brief summary of these changes written by the American Psychological Association was published by Behavioral Healthcare magazine in February.

Perhaps the most important thing behavioral health providers need to realize is that the move toward mental health EHRs is happening. How exactly those records will interface with the rest of the National Health Information Network and exactly what information will be shared with other healthcare providers remains to be seen, but this endeavor is irrevocably marching forward. Where will you be in this process?


Mental Health and e-Health News Bits

Running a mental health practice or community organization is a demanding endeavor and probably gets in the way of reading some of the huge volumes of info out there. I just thought I would share some quick bits and pieces of information you might find useful.

1. ICD-10 Update: Last October 31, I posted information about an October 2011 deadline for implementing the ICD-10. HHS has relented and set a new deadline of October 1, 2013 for adoption of the diagnosis and procedure system. The code sets are complete and available for your information at the HHS web site. An informational document will give you the scoop.

(Reported in Healthcare Informatics on January 16, 2009.)

2. Community Partnership of Southern Arizona has links on their website that many will find useful. They have collected state-by-state information on the following 19 items for all 50 states: Mental Health Authority, NAMI (National Alliance on Mental Illness), Mental Health America, Protection and Advocacy, 2-1-1 Human and Emergency Services, Employment Services, Vocational Rehabilitation Services, Medicaid Authority, Housing Authority, Homeless Information, Food Bank Locator, Food Stamp Program, Resources for Individuals with Disabilities, Psychiatric Advance Directives, Suicide Prevention, Civil Commitment Statutes, National Council: Providers, National Council: State Association, Child Welfare Information, and Department of Education.

3. Evidence Based Practice Toolkits are available from SAMHSA. Six toolkits are currently available for public use. If you have been considering implementation of EBP in your organization, these toolkits are a good place to begin.

(Reported in the January 15 NJAMHA Newswire.)

4. HIPAA: I have come upon a wonderful way to keep up with and understand all things HIPAA-related. Hipaa.com is a web site devoted to education about HIPAA and has some outstanding articles. You can subscribe to their blog and follow them on Twitter.

What would you like us to discuss in this space? Are there kinds of information that are more useful than others? Let us know which topics you find most important.


Are your passwords HIPAA secure?

Standard advice for securing computer systems is to require users to change passwords frequently. Something about this recommendation has always bothered me, but I never really thought it through. A current blog posting at Healthcare Informatics by Dale Sanders really hits the nail on the head. He points out that these change-passwords-frequently policies actually undercut password security rather than enhancing it, once you factor in human psychology. If you have to replace your password frequently, you will probably come up with something simplistic, or resort to a post-it note on the monitor, or maintain a paper list. It would be far more secure to create a single, strong password or passphrase and continue to use it for a much longer period.

To manage passwords used on the web, you can’t go wrong with Roboform. Create a strong master password (long, and using a combination of letters, numbers, and special characters), then let Robo’s password generator suggest strong passwords for individual web sites. Once you select and use a password on a web site, Robo will remember and “type” it in for you when you next visit that site. All you have to do is enter your master password once in each browser session; Robo uses that to unlock your password library and cleverly selects the right one whenever you hit a login window. There is even a version of Roboform that you can install on a USB “thumb” drive, so you can securely carry your passwords with you for use on multiple computers, or even public computers when traveling.

In the course of providing technical support on our billing and EMR software, I am exposed to the password selections of many of our users. It is amazing how rare it is to find anyone using serious passwords. Names, almost surely loved ones or pets, are the most common, but way too frequently I see passwords that are identical to user IDs, or non-passwords like “123” and “password”. Although we have optional rules in our products that would require strong password choices if enabled, they rarely are used.

Coming up with an easily remembered, secure, master password is not really all that hard. Just think up a short sentence that includes punctuation and some numbers. You can check the quality of your choice using Microsoft’s password checker.

Here’s an example: “Turning 60! soon.” This easily remembered phrase is actually more secure than “3-vO$aLKG7”, which conforms to all the standard password creation advice.

Maintaining medical privacy is serious business. Current HIPAA rules provide for serious penalties when medical information is not properly secured. Are you guilty of password negligence yourself?

Seth Krieger
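
The weak choices listed in the post above (a password equal to the user ID, names, “123”, “password”) and its two example passwords, run through a small policy check. This is an added example, not part of the original post or of the vendor's product; the function names and `MIN_LENGTH` are assumptions, and the bit count is a naive upper bound that treats every character as random, so it overstates phrases built from dictionary words.

```python
import math
import string

# Non-passwords named in the post; a real deployment would use a far larger list.
DENY_LIST = {"123", "password"}
MIN_LENGTH = 8  # assumed policy value, not taken from the post

def pool_size(password):
    """Size of the character pool implied by the classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 ASCII symbols plus space
    return size

def naive_bits(password):
    """Upper bound: length * log2(pool), assuming independent random characters."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0

def policy_violations(user_id, password, known_names=()):
    """Return the reasons a password is rejected (empty list means accepted)."""
    problems = []
    lowered = password.lower()
    if lowered == user_id.lower():
        problems.append("same as user ID")
    if lowered in DENY_LIST:
        problems.append("on deny list")
    if any(lowered == name.lower() for name in known_names):
        problems.append("is a personal name")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    return problems

if __name__ == "__main__":
    # Constructed sample accounts; the last two passwords are the post's examples.
    samples = [("jsmith", "jsmith"), ("mlee", "password"), ("akhan", "Rex"),
               ("user4", "Turning 60! soon."), ("user5", "3-vO$aLKG7")]
    for uid, pw in samples:
        reasons = policy_violations(uid, pw, known_names=["Rex"])
        print(f"{pw!r:22} bits<={naive_bits(pw):6.1f}  {reasons or 'accepted'}")
```
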
