Electronic Permanence: Changing records and releases

On September 22, 2011, I attended a webinar sponsored by the Business Operations for Behavioral Health Collaborative, a SAMHSA-funded joint venture of the National Council for Community Behavioral Healthcare, the National Association of Community Health Centers, NIATx, and the State Associations of Addictions Services (SAAS). The topic of the webinar was Health Information Exchange and Behavioral Health.

This is an area that has interested and concerned me for quite a while. As developers of software for behavioral health providers, SOS has for years been monitoring developments in the arena of Health Information Exchange (HIE). This is the method by which Electronic Medical Record (EMR) software will exchange information among providers and healthcare organizations. The HIE is both the process of exchanging information and any repository of that information for easy access by those with rights to the data.

This is the bugaboo that has always bothered me as well as my colleagues in the behavioral health software trade association to which we belong (Software and Technology Vendors Association). SATVA members are committed to assuring that our products share information only as the law allows and as consumers wish.

Work is currently in progress to assure that a universal method of acquiring patient permission for release of their information is part of any HIE. Such a method would undoubtedly allow a patient to specify providers to whom their treatment and diagnosis information can be released and any providers to whom it cannot be released. But what happens when a patient changes their mind?

Here’s a hypothetical example that jumps into the future by a few years, when all or most healthcare providers have EMRs and are connected into their regional HIEs.

John D. is admitted to the Emergency Room of a local hospital after a panic attack that he interprets as a heart attack. Among the papers that he signs is a release for the ER to access any information in the regional HIE about his health conditions. Since he is not thinking very clearly as he is sure he is dying from a heart attack, he signs everything put in front of him. After he is medicated, stabilized and sent home, he wonders about what he signed and which of his health information will now be available to whom. Does he really want his optometrist to know that he was treated with an anti-anxiety medication and prescribed an antidepressant (which he decided not to take)? Is it necessary for his urologist to have this information? What does he do to protect just that ER visit information and keep it from being sent on to other providers?

And what do our mental health and substance abuse patients do to secure their sensitive information?

This process concerns me because of my experience that once a piece of information has been entered into some large electronic database, getting it out may be near to impossible. Several years ago, I attended a conference in New Jersey. I rented a car, drove to the city in which the conference was held, returned the car and paid my bill in a timely fashion, and returned home.

The next time I needed to rent a car was three months after Katrina flooded New Orleans when my mother and I returned to check on her home and attend the funeral of one of my uncles. For some reason, the car was reserved in my mother’s name…the airline tickets were purchased with her card…even though I had placed my name on everything. The rental agency manager noticed something wrong when we picked up the car; there was a block on my account even though there was no balance. She overrode the block, gave me the keys to the car, and we were on our way. I did not give it another thought.

In several return visits to New Orleans, I again rented cars from the same company and always wound up with a car, not even knowing there continued to be a block on my account. Each time the agent or manager overrode the hold and gave me the keys. In November 2010, we arrived in New Orleans on a Sunday. The agent and assistant manager decided they did not have the authority to override the block on my account and there was no one they could contact to clear it. They refused to rent a car to me and offered no solution. They gave me a phone number I could call on Monday, but did not even offer my 90-year-old mother and me transportation to another agency. I cursed and swore I would never rent from their unprofessional agency again and called my brother to come pick us up. Fortunately, he was thinking clearly enough to suggest that we go across the highway to a different company and rent a car there.

I did call the company the next day and eventually got the written apology and clearance of my account that I requested. It took six years for this correction of an error to happen.

What processes will we insist be put in place to assure that patients can change their minds about release of information or correct errors or enter corrected information into their records? What kind of advocacy will be required? What do mental health and substance abuse providers need to do to assure that the privacy of their patients’ sensitive information will be handled as they choose?
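One way to model the change-of-mind problem raised above, as an added example that is not from the original post or from any HIE product. The ledger, its method names and the John D. timeline are all constructed for illustration; the point it shows is that a revocation can stop future releases but only identifies, and cannot recall, copies that already went out.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class Directive:
    at: datetime
    action: str      # "grant" or "revoke"
    provider: str
    encounter: str   # one encounter id, or "*" for the whole record

@dataclass
class ConsentLedger:                                  # hypothetical model
    directives: list = field(default_factory=list)   # append-only history
    disclosures: list = field(default_factory=list)  # (provider, encounter, at)

    def record(self, at, action, provider, encounter="*"):
        if action not in ("grant", "revoke"):
            raise ValueError(f"unknown action: {action}")
        self.directives.append(Directive(at, action, provider, encounter))

    def allowed(self, provider, encounter, at):
        """Default deny. An encounter-specific directive outranks a
        whole-record one; within the same scope the latest one wins."""
        hits = [d for d in self.directives
                if d.provider == provider and d.at <= at
                and d.encounter in (encounter, "*")]
        if not hits:
            return False
        best = max(hits, key=lambda d: (d.encounter != "*", d.at))
        return best.action == "grant"

    def release(self, provider, encounter, at):
        """Check consent at the moment of release and log what went out."""
        if not self.allowed(provider, encounter, at):
            return False
        self.disclosures.append((provider, encounter, at))
        return True

    def outstanding_copies(self, now):
        """Past releases that today's directives would refuse. Revocation
        cannot pull these back; each needs a recall request to the recipient."""
        return [d for d in self.disclosures
                if not self.allowed(d[0], d[1], now)]


def john_d_scenario():
    # Constructed timeline for the hypothetical John D. described above.
    t = lambda hour: datetime(2011, 9, 22, hour)
    ledger = ConsentLedger()
    ledger.record(t(1), "grant", "optometrist")
    ledger.record(t(1), "grant", "urologist")
    sent_before = ledger.release("optometrist", "er-visit", t(9))
    # John changes his mind, but only about the ER visit.
    ledger.record(t(12), "revoke", "optometrist", "er-visit")
    ledger.record(t(12), "revoke", "urologist", "er-visit")
    return {
        "sent_before": sent_before,
        "urologist_er": ledger.release("urologist", "er-visit", t(13)),
        "urologist_other": ledger.release("urologist", "office-visit", t(13)),
        "no_directive": ledger.release("dentist", "er-visit", t(13)),
        "outstanding": ledger.outstanding_copies(t(14)),
    }


if __name__ == "__main__":
    for key, value in john_d_scenario().items():
        print(key, value)
```

The `outstanding` entry is the optometrist's copy of the ER visit, released before the revocation: the ledger can name it for follow-up, but getting it removed depends on the recipient.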

Please share your thoughts about HIE and EMRs and where we are going with this process.

PHRs, EMRs, Data Security and Other News

Last week I asked you if you were using a Personal Health Record (PHR). I got only one response…from a college friend who is a technical writer. John is involved with a PHR company called medkaz. This company believes that all electronic medical records should be driven by and owned by the patient. Accordingly, they have developed a thumb-drive based product that the consumer will carry around with them. It is fully encrypted, so the privacy of the patient is guaranteed.

I believe the idea is that the patient will bring their personal record with them when they visit a doctor. The doctor can download relevant information of the patient’s choosing into their own electronic medical record (EMR) system. At the end of the visit with the patient, they will upload their note onto the patient’s thumb drive. The doctor can subscribe to this system themselves, but even if they do not, they will be able to use the patient’s information. This is one way to make sure that the people treating you have the most current medical information about you.

Over the course of the last few weeks, the reason for concern about what information health systems have and how they manage it again came into the public light. The Stanford Hospital in Palo Alto, CA reported that 20,000 records of emergency room patients had been revealed online by their collection agency…one of their Business Associates. The information had been posted on a web site for just short of one year. One of the affected patients saw the posting of the information and reported it to Stanford Hospital and Clinics.

According to IDExperts, there is good reason for concern about the security of medical data. The street value for a stolen medical identity is $50. Using that information, a Medicare or Medicaid or other insurance fraudster can file claims for services never provided…and often get paid.

In other news this week, the White House has proclaimed September 11-16, 2011 to be National Health Information Technology Week. The purpose of the proclamation is to call attention to and educate the citizenry about the benefits of and need for Health IT that will protect the privacy of the patient and involve patients in their health care.

Finally, the Office of the National Coordinator for Health Information Technology (ONC) has announced their new website, HealthIT.gov, designed to become the leading national resource on health IT for both consumers and health care professionals. The goal of the site appears to be to encourage personal responsibility for one’s health and health care through wise use of technology and coordinated efforts with one’s providers.

It was a busy week! Is there news you would like to share?


Psychologists and EMR: Movement forward

Last week I attended a continuing education workshop for psychologists at my local chapter of the Florida Psychological Association. Psychological Records: Basic Requirements and the (Forced?) Choice of EMRs was presented by Robert J. Porter, Ph.D., president of the Tampa Bay chapter and treasurer of Florida Psychological Association. Dr. Porter’s presentation was attended by about 30 psychologists and other mental health providers. The last FPA workshop on EMRs that I attended was over 10 years ago, and it was given by me. There were about five psychologists present at that workshop.

The difference in attendance speaks to multiple issues. First, Dr. Porter is an excellent presenter who talked broadly about EMRs. His years as a researcher and university professor combined with recent years in private practice give him great credibility. Secondly, the EMR landscape has changed hugely in the past decade with government requirements to migrate patient records to an EMR a distinct possibility.

The psychologists among my age peers who used an EMR loved computers and liked doing all their work there. Most of our age-mates would never have considered keeping records that could not be locked up in a file cabinet behind their locked office door. The younger psychologists who are now replacing us in the private practice community are not only willing to consider keeping their records electronically. . . they are willing to keep them online using a Software as a Service (SaaS) type product. The move from needing to hold the patient record in my hot little hands to allowing it to float out there in the cloud is a sea change.

While Dr. Porter presented a great deal of information in the two hours he spoke, there were several items I thought you might find interesting.

  1. The American Psychological Association published Record Keeping Guidelines in the December 2007 issue of the American Psychologist. If you are a psychologist and you keep records, you should read them. If you keep behavioral health records but are not a psychologist, you might take a look at them. Such Guidelines frequently become part of the standard of care in a professional community.
  2. The APA Guidelines recommend disclosure to the patient of your record keeping procedures, including the limitations of confidentiality of the records. Those limitations of confidentiality lead to a likely need to maintain a separate record of care for each person you treat, including for each individual member of a family or couple. (Guideline 4)
  3. Ofer Zur, Ph.D., a licensed psychologist in California, offers extensive information about and continuing education on record keeping and many other aspects of behavioral health practice. [Retrieved 4/19/2011 from http://www.zurinstitute.com/recordkeepingguidelines.html.]
  4. Dr. Zur points out that a treatment plan usually includes problems or symptoms, a diagnosis, goals of treatment, interventions to be used to achieve the goals, and the rationale for use of those interventions.


I would add a quick note about the possibility of a requirement to keep records of psychological care in an EMR. At present, the only behavioral health providers who are Eligible Providers (EP) for ARRA funding to purchase an EMR are psychiatrists and nurse practitioners. Psychologists, social workers, mental health counselors and addiction professionals do not qualify, nor do psychiatric hospitals. While this may change, there is currently no way for most mental health providers to obtain stimulus funds. At the same time, there is no requirement for them to move to an EMR, nor will they be penalized for not doing so (psychiatrists and nurse practitioners may be subjected to Medicare withholds). Fortunately, most of the products aimed at the private mental health practitioner are relatively inexpensive and can easily be obtained without resorting to government funding or a second mortgage on your house.

While an electronic medical record can be a powerful way to significantly increase the quality of the records maintained by you and your organization, you must know what you are required to maintain in the record. . . by the governmental jurisdictions and the professional guidelines to which you are subject.

How does your organization determine what goes in the client’s record? Who is responsible for those records? Are you using an EMR, a paper record, or some hybrid system?

Please share your thoughts on records in the Comments below.

Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eweek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims are PHI and are protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible to assure that this information is intact, safe from destruction, and secure from prying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location ready at a moment’s notice to replace data on your computer system, you are not even doing the most basic things necessary to provide protection to your patients. You could probably be demonstrated to be guilty of ‘willful neglect,’ the level of culpability that will generate the highest of fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those handheld devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection assures that your data are vulnerable? There is no built-in security in your telephone or tablet. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

Your Health Information: Where do you want it?

My extreme concern about data protection and privacy has made me wonder how effective the drive to electronic medical records (EMRs) will be, particularly in the behavioral health arena. My clearest recollections from the first day of my psychology internship at a community mental health center are all of the instructions related to protecting patient privacy. As a mental health software vendor, I have continued to have this strong drive to protect the data of any patient. Finally, HIPAA and HITECH have caught up with the concerns of those of us trained to put patient privacy protection ahead of most other concerns.

The rush to EMRs that can share information with one another (interoperability) has as its goal diminished costs and increased quality of health care. The need to keep that information secure and private is usually dealt with almost as a side issue. I have often heard statements like these: “Why, of course the data will be protected. Why are you so worried about keeping data private? Sharing it with other providers is much more important than privacy. Some compromises will need to be made . . . ”

The American Medical Association, in their discussion of patient confidentiality, briefly indicate their concerns about EMRs.

Electronic health information systems allow increased access and tranmission [sic] to health data.  Physicians in integrated delivery systems or networks now have access to the confidential information of all the patients within their system or network. Confidential information also is disseminated through clinical repositories and shared databases. Sharing this information allows patients to be treated more efficiently and safely. The challenge for physicians is to utilize this technology, while honoring and respecting patient confidentiality.

Sharing confidential information among treating professionals is only one aspect of this issue. Now we must consider the issue of sharing the electronic data with the patient.

According to John Fully on nextgov, patients want access to the information stored in the electronic records about them maintained by their physicians. 93% of patients have rarely or never asked their physicians for electronic copies of their data, but 70% say it is very important to them that doctors and hospitals provide those electronic records. 60% of patients and over half of physicians say sharing information from EMRs with patients will be a crucial measure of how successful health care reform and provision of stimulus dollars has been.

One potential method for sharing those electronic records is the Personal Health Record (PHR). After all, having an electronic copy of the physician’s record but having no way to store or to access it will not be a very beneficial state. As a result, provider organizations, payers, and even Medicare have begun to connect EMRs, claim histories, and PHRs as an effective way of tracking your health.

Even so, patients are hesitant.

. . . while the products use some of the same technology that banks use to secure financial data, some patients remain wary of putting health information online. Only about 4% of the online population uses Internet-based PHRs, according to Elizabeth W. Boehm, a principal analyst at Forrester Research Inc. in Cambridge, Mass. Many people don’t see the need, Ms. Boehm says, while others are nervous about putting confidential health information online.

That figure is telling. It is not that only 4% of patients use a PHR . . . only 4% of the online population uses one . . . only 4% of the people who use the Internet all the time utilize an online PHR.

I have registered for the PHR used by my insurer. The Privacy policy says all the right things. I have entered some information into it, but I am still hesitant to put everything there. The conventional wisdom is that these programs are secure. I’ll give you an example of why I am slow to completely adopt.

About 18 months ago, I noticed that one of my mother’s physician claims was rejected by her Medicare supplemental plan. When I looked at the EOB more carefully, I noticed that it had been filed on my insurance plan rather than on my mother’s Medicare supplement plan. Since we both have the same insurer, I telephoned, explained what had obviously happened and was assured that it would be corrected. When I checked my PHR today prior to writing this blog, I found that claim still sitting in my record.

I have never been a patient of the physician who filed the claim, so I know he did not file the claim with my insurance information. I am thirty years younger than my mother and my first name does not come close to hers. But the same last name and address resulted in this confusion that has not yet been corrected. I cannot help but wonder what other two bits of information might result in the confusion of something important in my file and that of some stranger. Since this payer automatically adds claim information to the PHR, their system now sees me as the patient of a cardiologist . . . something I have not yet become. I wonder what other data confusions I have in store.
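The kind of mix-up described above, as an added example that is not from the original post: the insurer's real matching logic is unknown, so the two-field rule here is an assumption, and the members, claim and function names are constructed. It contrasts attaching a claim on last name plus address with a rule that also requires first name and date of birth and holds anything ambiguous for a person to review.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Member:
    member_id: str
    first: str
    last: str
    dob: date
    address: str
    plan: str

def norm(text):
    """Lowercase and collapse punctuation so '12 Oak St.' equals '12 oak st'."""
    return re.sub(r"[^a-z0-9]+", " ", (text or "").lower()).strip()

def loose_candidates(claim, members):
    """Weak rule (assumed for illustration): last name + address only."""
    return [m for m in members
            if norm(m.last) == norm(claim.get("last"))
            and norm(m.address) == norm(claim.get("address"))]

def first_hit(claim, members):
    """Attach to whichever loose candidate comes first: the failure mode."""
    hits = loose_candidates(claim, members)
    return hits[0].member_id if hits else None

def strict_decision(claim, members):
    """Require first name and date of birth as well. Anything other than
    exactly one match is held for manual review, never auto-attached."""
    hits = [m for m in loose_candidates(claim, members)
            if norm(m.first) == norm(claim.get("first"))
            and claim.get("dob") is not None and m.dob == claim.get("dob")]
    if len(hits) == 1:
        return ("attach", hits[0].member_id)
    return ("manual_review", None)

# Constructed members: same surname and address, 30 years apart in age.
MEMBERS = [
    Member("M-001", "Ann", "Doe", date(1950, 5, 1), "12 Oak St.", "commercial"),
    Member("M-002", "Mary", "Doe", date(1920, 3, 9), "12 Oak St",
           "medicare-supplement"),
]
# Constructed claim filed by the mother's cardiologist.
CLAIM = {"first": "Mary", "last": "DOE", "dob": date(1920, 3, 9),
         "address": "12 oak st"}

if __name__ == "__main__":
    print("loose candidates:", [m.member_id for m in loose_candidates(CLAIM, MEMBERS)])
    print("first-hit attaches to:", first_hit(CLAIM, MEMBERS))
    print("strict rule:", strict_decision(CLAIM, MEMBERS))
```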

What is your take on PHRs? How do you see them affecting the behavioral health community? Please enter your comments below.