Tag: Behavioral health EMR

The Devil and Database Encryption

Posted on | by SOS Blog | Leave a Comment on The Devil and Database Encryption

Most every week I have a call from my credit card company’s security department to see if the recent activity on our account is actually ours. We used to get these calls maybe a couple of times a year, but now it is literally weekly.

A while back our credit card processor for SOS transactions notified us of new, stricter, security measures that we must follow or face the possibility of very substantial penalties. As a result, our customer credit card transactions now live in an encrypted database on a standalone computer that is not connected to our network or the Internet, and authorizes charges through a quaint dial-up modem connection directly to the processor’s system.

Arguably, financial data is a more tempting target for bad guys than most healthcare information, but there is little question that any data stored and moved around via electronic means is vulnerable. HIPAA requires that covered entities, and soon, business associates, take steps to determine the potential risk to the data that is in their systems, and to address the risk through a variety of security measures. These measures run the gamut from locked doors, user access passwords and workstation timeouts, through military-grade data encryption.

I have been thinking a good bit about the last of these: encryption. From CMS’s summary in HIPAA Security Series, Security Standards – Technical Safeguards (page 6-7):

4. ENCRYTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement a mechanism to encrypt and decrypt electronic protected health information.” (EPHI)

Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (i.e., type of procedure or formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text.

There are many different encryption methods and technologies to protect  data from being accessed and viewed by unauthorized users.

  • Sample questions for covered entities to consider:
    Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and  appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

Generally, the safeguards you are expected to implement scale proportionately to the risk and the size of your organization. Thinking about the data stored in your billing and EMR systems, you would have to judge the risk to your data as very high if you have the database installed on a notebook computer that is routinely carried around by a staff member. Likewise, data moved across a network over a wi-fi connection would have to be considered as high risk. Even a solo practitioner or two person practice in either of these scenarios would probably be seen as negligent if the data were not protected by available encryption technology.

In the case of the notebook computer, I would think that whole-disk encryption should be in force, as there are likely to be letters, emails, and other sensitive data on the system that would not be protected if just your practice management/EMR database were encrypted.  Microsoft includes its BitLocker encryption system in Windows Server 2008 and the high-end versions of Windows Vista and Windows 7, but there also are many third party disk encryption products that one could use.

Wi-Fi protection means that you should use the best possible wi-fi encryption technology, at this moment, WPA2, coupled with a truly random password. Doing so would prevent virtually anyone “eavesdropping” on your wireless traffic from extracting meaningful information.

The correct path is not so obvious when it comes to encryption of primary databases, especially in the offices of small providers without dedicated IT personnel. Encryption is seeded by a string of characters, similar to a password or passphrase, called an encryption key. It is analogous to the key to your home or office, except that you can’t just break a window or call a locksmith if you lose the key. Good encryption is, for all practical purposes, impossible to crack. So, although the conscientious provider or practice owner’s first impulse probably would be to strongly encrypt, the risk analysis should include the risk of losing the encryption key, and therefore access to all the data stored in the database! The end result would be the same as a catastrophic hard drive failure with no backup — complete data loss and a very serious HIPAA violation.

Database encryption is only workable, therefore, in the presence of a formal, well-considered, bullet-proof procedure for encryption key management. Google that last phrase (“encryption key management”) and you will see that there are government documents several hundred pages in length that describe the procedures that must be followed to assure that  keys are both secure, and also readily available to those who need them.

To encrypt or not to encrypt? Devil or deep blue sea? What do you think? There are simple, keyless encryption schemes that are not terribly secure. Do you use something like that? Do you have a proven procedure for key management that you would be willing to share? You could lock your server in a bank rated vault, but then what if you forget the combination? We are back where we started! Anyone have any answers? Please click the title of this entry and leave us your comments.

Alphabet Soup: HITSP, CCHIT, ONCHIT, SNOMED CT

Posted on | by SOS Blog | 4 Comments on Alphabet Soup: HITSP, CCHIT, ONCHIT, SNOMED CT

I try to keep informed about Electronic Medical records (EMRs), certification of those products, and funding for them provided through the economic stimulus bill (ARRA). After all, as a developer and vendor of a behavioral health EMR, I really should know some of this stuff. This week, I was struck by the number of acronyms that have come into common parlance in the past six months. I find the amount of information being generated about healthcare information technology (HIT) overwhelming. I am sure it feels even worse to someone who has not been trying to keep up with this information. After all, who can possibly know what all of these shorthands stand for and mean? 

So what would any good technology hound do? Well, of course, I googled ‘Health Information Technology acronyms‘ to see who out there has started to organize this information for the public. To my pleasant surprise, several documents attempt to do just that.

To start with, our federal department of Health and Human Services has a whole web site dedicated to HIT. On the left side of the page, there is a list of tabs. Under Resources there is a page called Acronyms. And that is just what it is. A list of the letters used as the shorthand referents for 112 terms ranging alphabetically from AHIC (American Health Information Community) to WW (Wounded Warrior). You can then cut and paste a name into the Search box on the top right of the page to find documents on the site that reference this “term”. When I do this for American Health Information Community, I get a list of 601 documents linked to this site that refer to AHIC in some fashion. If I do this same search on Google, I get about 129,000,000 hits. Be careful what you search for!

The Rural Health Resource Center, a not-for-profit located in Duluth, Minnesota has a document containing a list of 53 acronyms including brief definitions or descriptions of the terms or organizations listed as well as links to the sites of some of the organizations described.

Likewise, the Department of Health Services of the state of Wisconsin has published a list of acronyms and what they stand for. This list relates to eHealth rather than just health information technology, so it is bound to have some different entries.

A web site created by Pivotal Solution Group called HITECH Answers has their own list of acronyms and definitions. Pivotal Solution Group is a coaching and consultancy organization…a private group as opposed to the government sources listed above.

And finally, the Software and Technology Vendor Association (SATVA), a trade association of behavioral health software vendors to which we belong, has developed a section on their web site to monitor information regarding behavioral health EMR certification. Behavioral Health Certification Watch will be updated as new information is received. 

While some of you have probably clicked on the links above, I think it highly unlikely that you will spend much time reviewing this information. After all, who has the time to go looking into the masses of information that are being created about HIT, certification of products and paying for those products. Most behavioral health organizations are likely to just continue doing what they do until someone finally tells them they must move to an electronic medical record (EMR) by a certain date or they will not get paid for the services they provide. Oh wait, that is what has happened…at least, for Medicare and Medicaid payments.

Is that enough to start movement toward an EMR in your organization? Is your practice beginning to consider the possibilities? What do you believe it will take to move mental health providers into EMRs?

Death and EMRs: Disruptive events?

Posted on | by SOS Blog | Leave a Comment on Death and EMRs: Disruptive events?

The deaths of the past week have set me to thinking. The mother of a friend passed away early in the week followed by the wife of a family friend. Then, news of the death of cultural icon, Michael Jackson, was everywhere.

I come from a family and culture (New Orleans-based) where death is an intrinsic part of life. It very much affects those who are touched most directly by the loss, but it is also integrated into day-to-day life in such a fashion that life moves on with barely a ripple. The deceased is celebrated and mourned in one or multiple events ranging from wake to jazz funeral. Burial in above-ground graves and mausoleums (the water table in New Orleans is very high) caps off the events, and the cemeteries are daily reminders of the short-term nature of life. As with everything else in New Orleans, after death there is a party, but there is real disruption only for those immediately touched by the death. Life goes on.

I married into a family that shares the more traditional views of death held by most of American culture. It is not to be talked about too openly, lest it be invited to approach. And, as for most people in our culture, death is definitely considered to be a disruptive event, dislocating those related to the deceased from the ordinary course of life for an extended period of time. In fact, the disruption is frequently so severe that it is no surprise to those around the survivors that they are forever changed.

The term disruptive technology was introduced by Clayton M. Christensen in 1995 and together with his modification disruptive innovation has become a catch-phrase for technological change that is so radical that it dramatically alters the course of events that follow. If you read any articles about technology, you will come across the terms.

On the way to an event yesterday, we were listening to a podcast of The Week in Technology (TWIT) in which Twitter was discussed as a disruptive technology…disruptive to the field of journalism and to our whole way of communicating and thinking about news events. The techno-nerds who are the mainstay of TWIT are convinced that the immediacy of communication enabled by Twitter is and will continue to radically alter the way in which we receive information, likely becoming the jumping off point for even newer innovations in the realm of communication and information sharing.

I find myself wondering if Electronic Medical Records (EMRs) will not become the same kind of disruptive technology for our current healthcare system. Since EMRs have been around  for a while now, many would argue that they will certainly change healthcare, but do not reach the level of disruptive technology. But when I think about many of our customers in the behavioral health community and the radical changes to their organizations that will be required to move to EMRs and to use them in a meaningful way, I can imagine few more disruptive events.

Some would say that managed care had the potential to be just as disruptive…it certainly changed the way in which private mental health practices have conducted themselves over the last twenty years…but it did not intrinsically change the way in which the provider interacts with the recipient of healthcare services. The consumer may be seen less frequently and for a shorter total length of treatment, the managed care organization may refuse to pay for certain types of care (which the patient can then purchase with their own dollars), but the provider still sees the patient, assesses the problem at hand and provides treatment.

EMRs have the potential for changing that sequence of events. If used in a “meaningful” way, if decision support tools and treatment protocols that are based on scientifically assessed methods (evidence-based treatment) are incorporated into the EMR products and utilized by providers at the point of care in the way envisioned by the framers of HITECH, we will have a new healthcare system….or maybe not.

What do you think? Will widespread adoption of EMR systems be a disruptive innovation for healthcare? Do behavioral health EMRs have the potential to be disruptive technology for the mental health community?

Please add your comment by clicking on the title of this article and typing your thoughts in the comment box at the bottom of the page.

Decision Making 101

Posted on | by SOS Blog | Leave a Comment on Decision Making 101

Last week I mentioned the scholarly book,  The Rise of Homo Sapiens: The evolution of modern thinking, written by our friend Fred Coolidge and his colleague, Tom Wynn. This week’s read has been a popular book (also about the brain and cognition) titled How We Decide by Jonah Lehrer.  Both books focus on the executive functions of the brain. The Rise of Homo Sapiens explores how those functions may have developed and evolved and How We Decide focuses on how we utilize the Executive — both important issues in psychology and neuropsychology.

Not surprisingly, one of the most crucial responsibilities of the Executive is to decide not to behave, that is, to withhold or inhibit action. When I decide not to emit an expletive, even though I am angry, to avoid further inflaming a confrontation, I have utilized that part of the brain which makes me human…the one that keeps me from behaving purely on the basis of my emotions. The prefrontal cortex allows me to inhibit behaviors that might be destructive to me and to others.

On the other hand, when I am in a situation where it is perfectly safe to respond in a purely emotional fashion, that same Executive sometimes keeps me from doing so. Rather than taking a deep breath and enjoying a sensory experience, such as a bicycle ride, to its fullest, my prefrontal cortex questions how much pollen is in the air today and complains of the humidity that makes the air seem so heavy. Sometimes, we cannot do even the simplest of things without analyzing every aspect of, and all the implications for, that behavior.

It sometimes seems to me that our country is filled with people who have not learned how to moderate or inhibit behaviors. They see or hear the statement of some other person and cannot help but react. Their Executive does not kick in until they have already done their knee-jerk reaction. Then they either regret their comment or spend an inordinate amount of time analyzing or defending it so they can feel justified.

I used to think it was just pundits, bloggers, news analysts and elected officials who reacted without benefit of the Executive, but as I read the newspaper and see the comments of my neighbors to events in our community, I become more and more convinced that we have not effectively learned when it is best to behave on the basis of our emotions and when some logic would be more useful. We may have evolved the brain structures and capacities that allow us to behave in balanced fashion, but we seem as a nation to do a poor job of educating ourselves on how to utilize those abilities toward the general good. I usually don’t even read rants any more…and I’m doing my best to avoid reading pieces written by the Chicken Littles of the world. My own tendency toward negative emotions and thinking needs lots of logical balance plus the input of other folks who always see the glass as half full.

In the world of behavioral health services and practice, I sometimes see my colleagues and customers fail to utilize the executive functions of the brain to best advantage. Some impulsively rush to action taking a bit of information provided and implementing suggestions therein immediately. “The stimulus bill says we need to buy CCHIT certified EMRs, so we are doing so now! No, the ones we see are not designed for behavioral health. No, they are not particularly easy to use. But we will have a certified EMR.” Some behave in just the opposite fashion. They do not like the message they hear, so they avoid information about it. They withhold response to the extent that they do not inform themselves about the choices they will have to make in the future. “It will be ten years before anything actually happens. I’ll retire before that goes into effect. None of this pertains to me.” Somewhere in between lies a moderated response that may include ‘wait and see’, but informs itself in the time spend waiting and seeing. 

How We Decide is a good read. It might remind you of some of your own decision making strengths and weaknesses.

How do you decide to comment on this and other blog articles or not to do so? Let us hear what you have to say. Just click on the title of this article and enter your comment in the box at the bottom of the page. Your thoughts are always welcome, whether modulated by the Executive or not!

42 Months post-Katrina: Where are health records?

Posted on | by SOS Blog | Leave a Comment on 42 Months post-Katrina: Where are health records?

I’m getting ready for a week of vacation in my hometown–New Orleans. As some of you who know me well may remember, my 89-year-old mother has been with us in Florida since Katrina-breached levees filled her New Orleans home with 8 feet of water. Our last visit was almost 22 months ago; it is definitely time for Mom to see family and friends who returned to LA after the storm.

Preparing for this trip in the midst of all the hubbub about EMRs and economic stimulus plans reminds me of those first few weeks after the storm. Mom was two months post MI when Katrina threatened and I was on my third post heart attack visit. When the mayor started talking about mandatory evacuation, we left Mom’s house with a change of clothes and her medications, and headed to my brother’s place in Louisville, MS. Three days later, when it became clear that we would not be returning to NOLA soon, we came here to Florida.

The first week post storm was spent buying a few clothes, shopping for doctors and getting prescriptions transferred to a local pharmacy. Fortunately, many pharmacies already shared data electronically in 2005, even when prescriptions were written by hand; but prescriptions were expiring and we needed a physician to write new ones. As we started going to appointments with a new primary care physician and a cardiologist, I was faced with the challenge of recreating 85 years of health history with my mother’s limited memory and my tangential recollections from a 600 mile distance. Mom was about half way through a cardiac rehabilitation program at the hospital at which she had been treated. Our local hospital was willing to have her participate in their rehab program, but they decided not to charge her rather than try to deal with Medicare about incomplete services for which there were no records.

At the end of Mom’s fourth week with us, I headed to Washington, D.C. for a meeting of the Software and Technology Vendor Association (SATVA) and to attend the National Summit on Defining a Strategy for Behavioral Health Information Management and Its Role within the Nationwide Health Information Infrastructure (Summit) co-hosted by SATVA and SAMHSA . When Tom Trabin, Ph.D. (then SATVA Executive Director) and others came up with the idea of a Summit, the need was only an abstraction for me. Of course mental health providers needed to be involved in the gradual move toward EMRs. By the time of the Summit, I had concrete first-hand experience with the reason for the meeting. My 85 year old mother and thousands of other New Orleans residents were completely without health records. Doctors’ offices and hospitals were flooded just as was her home. It was not even possible to reach her doctors, much less get information from them; they were displaced just as their patients were. The Summit pressed me to a concrete conclusion: behavioral health providers and consumers could not afford to be left out in the cold when catastrophe happens, and mental health could not let the general health field get too far ahead in the move to electronic medical records (EMRs).

After all, what physician or psychologist would be able to recreate a record from memory? And how many individuals carry an accurate health history in their head? The best anyone could do in 2005 was use health claim information from insurance carriers, Medicare and Medicaid. Frankly, for most physicians, it was too much trouble to attempt to obtain such information, even though a means of getting that data had been established. In some places that received large numbers of evacuees who had urgent healthcare needs and no family members with them, the network of access that was cobbled together from Medicare, Medicaid and VA claims databases allowed diagnosis and treatment of those with acute needs, but that took weeks to put in place. This destruction of health records became one of the most obvious reasons to press for a national system of electronic health records (EHRs), one that would not simply be washed away in eight feet of water.

So where are we 3 1/2 years later? If another Katrina-like catastrophe occurred tomorrow, would we be in any better position to treat evacuees based on information from an EMR or from a Personal Health Record (PHR)?

My guess is that we would be in just the same position we were in 2005. More physicians and hospitals are now using EMRs. The President and Congress have just appropriated 19 billion dollars for expanding the infrastructure and use of EHRs that we were discussing in 2005; but the reality is that we are nowhere near where we need to be to assure that continued care can be provided for general health or for mental health consumers. For the last 3 1/2 years there has been lots of activity, but today between 13% and 17% of provider organizations use EMRs; and there is still no system in place for sharing information among different organizations. Given a flood and no off-site backup of the electronic data, we would have exact duplication of the Katrina results.

Now that $19 billion that has been made available for meaningful use of EMRs over the next few years, we can expect more frenzied activity and attempts to implement EMRs in more organizations. We can hope that a simultaneous effort will be made to assure that the information in those records will be protected from destruction and can be shared from one organization to another. Where will you be in this process? Is it time for your organization to start to consider implementation of a behavioral health EMR? Are you obtaining the necessary information to qualify for federal funding? How will your clinical records be handled 3 1/2 years from now?

To comment on the article, click on the title and enter your comment in the box at the bottom of the page.