EMR Certification Picture Gets Enlarged

On March 2, the Office of the National Coordinator for Health Information Technology (ONC) announced a plan to approve organizations to certify electronic health record software programs. ModernHealthcare.com reported that ONC head Dr. David Blumenthal announced the plan at the big Health Information Management Systems Society (HIMSS) meeting taking place in Atlanta this week. The rule being developed will create a system for temporary testing and approval of products that meet the ARRA “meaningful use” criteria, as well as a permanent structure for such certification. In other words, this is a process for certifying the certifiers.

Since the passage of ARRA last year, there has been rampant speculation about whether the Certification Commission for Health Information Technology (CCHIT) would be the only certifying body approved by HHS. Many who have felt that CCHIT is too closely tied to the large players in the medical EMR community have believed that diversification in the certification community should be a given.

Currently, CCHIT is the only organization set up to certify EMRs. Prior to ARRA, certification was against a particular set of standards, features and functionalities that CCHIT decided were necessary for any electronic medical record program to call itself a player. In the past few months, CCHIT has added an ARRA certification to meet the requirements of “meaningful use” so that providers could qualify for ARRA funds. Unfortunately, the “meaningful use” definition is not yet finalized, and the cost of the ARRA certification is significant.

This cost of certification by CCHIT has been the primary concern for small software vendors. Those of us who have limited financial resources and small development staffs have been worried that the fees and methodology of CCHIT would prevent us from obtaining certification for our products. Dr. David Kibbe, senior advisor to the American Academy of Family Physicians Center for Health IT, is one of the critics. As reported by Neil Versel at FierceEMR, Dr. Kibbe believes that the cost and complicated nature of the CCHIT certification method stifles innovation and the development of new technologies.

This announcement by ONC may well open the playing field significantly. Whether the stimulus funds are worth the cost to achieve “meaningful use” is a separate issue that eligible providers will need to determine for themselves. Since these incentives are largely aimed at primary care providers, not many behavioral health organizations are likely to be impacted or even eligible for funds. But we must assume that the move toward EMRs in the general medical world will increase the pressure upon behavioral health providers to follow suit.

The Devil and Database Encryption

Almost every week I have a call from my credit card company’s security department to see if the recent activity on our account is actually ours. We used to get these calls maybe a couple of times a year, but now it is literally weekly.

A while back our credit card processor for SOS transactions notified us of new, stricter security measures that we must follow or face the possibility of very substantial penalties. As a result, our customer credit card transactions now live in an encrypted database on a standalone computer that is not connected to our network or the Internet, and authorizes charges through a quaint dial-up modem connection directly to the processor’s system.

Arguably, financial data is a more tempting target for bad guys than most healthcare information, but there is little question that any data stored and moved around via electronic means is vulnerable. HIPAA requires that covered entities, and soon, business associates, take steps to determine the potential risk to the data that is in their systems, and to address the risk through a variety of security measures. These measures run the gamut from locked doors, user access passwords and workstation timeouts, through military-grade data encryption.

I have been thinking a good bit about the last of these: encryption. From CMS’s summary in HIPAA Security Series, Security Standards – Technical Safeguards (pages 6-7):

4. ENCRYPTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement a mechanism to encrypt and decrypt electronic protected health information.” (EPHI)

Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (i.e., type of procedure or formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text.

There are many different encryption methods and technologies to protect data from being accessed and viewed by unauthorized users.

Sample questions for covered entities to consider:
  • Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

Generally, the safeguards you are expected to implement scale proportionately to the risk and the size of your organization. Thinking about the data stored in your billing and EMR systems, you would have to judge the risk to your data as very high if the database is installed on a notebook computer that is routinely carried around by a staff member. Likewise, data moved across a network over a wi-fi connection would have to be considered high risk. Even a solo practitioner or two-person practice in either of these scenarios would probably be seen as negligent if the data were not protected by available encryption technology.

In the case of the notebook computer, I would think that whole-disk encryption should be in force, as there are likely to be letters, emails, and other sensitive data on the system that would not be protected if just your practice management/EMR database were encrypted. Microsoft includes its BitLocker encryption system in Windows Server 2008 and the high-end versions of Windows Vista and Windows 7, but there are also many third-party disk encryption products that one could use.

Wi-Fi protection means that you should use the strongest available wi-fi encryption technology (at this moment, WPA2), coupled with a truly random password. Doing so would prevent virtually anyone “eavesdropping” on your wireless traffic from extracting meaningful information.

The correct path is not so obvious when it comes to encryption of primary databases, especially in the offices of small providers without dedicated IT personnel. Encryption is seeded by a string of characters, similar to a password or passphrase, called an encryption key. It is analogous to the key to your home or office, except that you can’t just break a window or call a locksmith if you lose the key. Good encryption is, for all practical purposes, impossible to crack. So, although the conscientious provider or practice owner’s first impulse probably would be to strongly encrypt, the risk analysis should include the risk of losing the encryption key, and therefore access to all the data stored in the database! The end result would be the same as a catastrophic hard drive failure with no backup — complete data loss and a very serious HIPAA violation.

Database encryption is only workable, therefore, in the presence of a formal, well-considered, bullet-proof procedure for encryption key management. Google that last phrase (“encryption key management”) and you will see that there are government documents several hundred pages in length describing the procedures that must be followed to assure that keys are both secure and readily available to those who need them.
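As an added illustration (not from this post, and not SOS Software’s own procedure), here is one way a small practice can keep a database key both secure and recoverable: split the key into shares with a threshold secret-sharing scheme, so that losing any one share does not lose the data, while no single share reveals the key. The code assumes a 32-byte data-encryption key and three hypothetical custodians (practice owner, office manager, off-site backup); the database cipher that actually uses the key is outside the example.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2**521 - 1, large enough to
# hold a 256-bit data-encryption key (DEK) as a single field element.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(dek, threshold, share_count):
    """Split a DEK into share_count shares; any `threshold` of them recover it."""
    secret = int.from_bytes(dek, "big")
    if not 1 <= threshold <= share_count or secret >= PRIME:
        raise ValueError("bad threshold/share count or key too large")
    # f(0) is the key; the other coefficients are random, so fewer than
    # `threshold` points reveal nothing about it.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]

def recover_key(shares, key_len):
    """Lagrange-interpolate f(0) from a threshold of shares. Returns None if the
    result cannot be a key_len-byte key, the usual sign of too few shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 256 ** key_len:
        return None
    return secret.to_bytes(key_len, "big")

def escrow_demo():
    """Constructed scenario (hypothetical roles): a 2-of-3 split among the
    practice owner, the office manager and an off-site backup custodian."""
    dek = secrets.token_bytes(32)
    owner, manager, offsite = split_key(dek, threshold=2, share_count=3)
    # The owner loses their share: the other two custodians still recover the
    # key. A single share on its own does not.
    return recover_key([manager, offsite], 32) == dek, recover_key([manager], 32) != dek
```

Each custodian's share should be stored as carefully as the key itself (for example, sealed and kept off-site), and the recovery procedure should be rehearsed before it is needed.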

To encrypt or not to encrypt? Devil or deep blue sea? What do you think? There are simple, keyless encryption schemes that are not terribly secure. Do you use something like that? Do you have a proven procedure for key management that you would be willing to share? You could lock your server in a bank-rated vault, but then what if you forget the combination? We are back where we started! Anyone have any answers? Please click the title of this entry and leave us your comments.

ARRA and Mental Health EHR Software

The American Recovery and Reinvestment Act of 2009 (ARRA) contains provisions for spending approximately $19 billion on health IT infrastructure and on Medicare and Medicaid incentives to press providers to use health IT, according to the NJAMHA Newswire, a publication of the NJ Association of Mental Health Associations. The National eHealth Collaborative, the replacement for AHIC (the American Health Information Community), is clearly relieved that this funding has been approved, assuring their continued existence. They tout the law’s determination to solicit “broad stakeholder input” and “full participation of stakeholders” in the process of recommending how to accelerate the adoption and use of health IT. The National Council for Community Behavioral Healthcare cheers its successful work to include community mental health centers as eligible entities for the available funding.

As a small company that provides mental health EHR software, mental health billing software and medical office billing software to small provider organizations, we are very concerned that the voices of those small providers will get lost in the shuffle. There is no question that hospital systems and the physicians who are part of those systems will adopt medical EMR software as well as other IT tools that will facilitate the deployment of health IT in the general medical arena. The size of those organizations will also make it easier for them to apply for some of the funding that will be available. But what about the solo mental health practitioner or the small group practice or even the large group practice?

While SOS Software has been involved to some extent in the development of a standard for a behavioral health EHR, we have been concerned from the start that the standard will make software too costly for the small provider to acquire. While our current product is very affordable, we do not yet know what the effect of requiring certification for EHRs will be on the cost of our products. We expect to raise this issue repeatedly in this space and other forums in which we participate over the next couple of years in hopes that some of you will be stimulated to get involved and to express your opinions about how far-reaching the requirements should be and what assistance you will need to adopt a mental health EHR in your practice.

Please let us know what you think and how you would like to be involved.

To submit a comment, click on the title of this article and enter your comment in the box at the bottom.