February 6, 2013
Imagine conducting a consultation with a patient, and instead of jotting down chart notes on a form attached to a clipboard, you instead jot down chart notes with a stylus pen on your tablet that is displaying an electronic version of your form. Or, instead of waiting to find out from insurance companies whether a patient is or is not actually covered, your staff could verify the patient’s current insurance eligibility & benefits with the touch of a button. These are just a couple of simple features every healthcare provider should come to expect from their electronic health records & practice management system.
However, many doctors hesitate to make the switch from pen & paper to touch-screen tablet or laptop due to fear of abandoning their familiar routine for a new one. Under federal law (HITECH Act of 2009), nearly all healthcare providers across the country must convert to a certified electronic health records system by the end of 2014, literally forcing many medical practices to go paperless, whether they want to or not. While making such a transition can be intimidating, healthcare providers should understand that EHR systems cannot be effective and one-size-fits-all at the same time. Rather, healthcare providers should seek out an EHR system that is customized to fit the way their practice already operates – patient intake, scheduling, clinician data, chart notes, ePrescriptions, coding, billing, accounting, and reporting.
But even with an EHR system that is customized to fit the existing workflow of your practice, the transition can still be a significant change. Medical practices should seek out EHR providers who offer hands-on training and transition support to ensure their entire staff is comfortable using the technology, ideally at no additional charge. Further, medical practices will inevitably have questions along the way, and their workflows will keep evolving. They should seek out EHR providers who are responsive to their questions and requests for further optimization – again, ideally at no additional charge. Why? The goal of the EHR provider should be the same as that of the medical practice – to enable the medical practice to successfully transition and continue to utilize the EHR system long-term.
Another issue to consider with the transition to an EHR system is how to leverage your existing data from your current billing software or EHR software. Medical practices should seek out EHR providers who have the skill to export your existing database and import it into their EHR system, so you can hit the ground running with your entire patient database in the new system.
Finally, don’t ignore data security as the costs of a medical record breach can be enormous. Medical practices should ensure they ask prospective EHR providers about their data security methods, and if they have completed a credible 3rd party validation of their network & data security architecture.
April 2, 2012
We would like to educate healthcare professionals about the realities of medical record security breaches, and eliminate the “it couldn’t happen to me” attitude. The fact is – it can, and it is, happening to medical practices just like yours, all across the United States, and with significant consequences!
The HHS “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) lists 400 reported medical record security breaches from September 2009 to March 2012, each involving more than 500 patients. The cumulative impact involves over 19 million patient records – about 6% of the U.S. population in just 2.5 years, from hospitals and medical practices, both large and small, encompassing nearly every specialty of medicine. The most common root causes of these actual medical record security breaches:
- Thefts (54%) such as stolen laptops with PHI stored on the local hard drive
- Unauthorized Access/Disclosure (22%) such as lost or stolen backup tapes, disks, etc.
- Lost/Improper Disposal (17%) such as papers with PHI that are lost or not properly destroyed
- Intentional Hacking (7%) including stolen passwords, exploiting inherent Windows® vulnerabilities, Trojan horses, exploiting defaults, Man in the Middle, wireless attacks, social engineering, etc.
In 2009, the laws changed such that medical record security breaches are now treated with the same force & effect as breaches of financial records. The HIPAA Breach Notification Rule defines a medical record breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” with exceptions related to inadvertent and unintentional disclosures where the information cannot be further used or disclosed.
In the event your medical practice has a medical record security breach, you are required to do the following:
- Notice to Individuals: Provide written notice to all affected patients following the discovery of a breach of unsecured PHI. This notification must include a description of the breach; the types of information that were involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what your medical practice is doing to investigate the breach, mitigate the harm, and prevent further breaches; as well as, contact information for the medical practice.
- Notice to Media (> 500 patients affected): Provide notice (e.g. press release) to prominent media outlets serving the affected region including television, newspapers, etc. This notification must include the same details as the Notice to Individuals above.
- Notice to Secretary of Health and Human Services (> 500 patients affected): Provide notice to the Secretary of Health and Human Services by filling out and electronically submitting a breach report form on the HHS.gov website. The details of the medical record security breach will be posted on the HHS “Wall of Shame”.
From there, you should expect that your practice will be thoroughly investigated and scrutinized by federal investigators and auditors who will determine how rigorous your practice was in attempting to secure PHI, and how negligent you were in allowing unauthorized use or disclosure of PHI. Based on these findings, civil and/or criminal penalties will be imposed.
Civil penalties established in Section 13410(d) of the HITECH Act of 2009 are based on a tiered strategy that reflects increasing levels of culpability, with correspondingly increasing penalty amounts:
- Tier 1: Violator had no knowledge of the violation, and by exercising reasonable diligence, would not have known of the violation. FINES: $100+ per identical violation (i.e. affected patients), not to exceed $25,000 in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 2: Violations due to reasonable cause. FINES: $1,000+ per violation (i.e. affected patients), not to exceed $100,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 3: Violations caused by “willful neglect” that were corrected. FINES: $10,000+ per violation (i.e. affected patients), not to exceed $250,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 4: Violations caused by “willful neglect” that were not corrected. FINES: $50,000+ per violation (i.e. affected patients), not to exceed $1.5 million for all identical violations in a calendar year.
Additionally, criminal penalties established in Section 13410(d) of the HITECH Act of 2009 may be imposed if PHI was knowingly obtained in violation of the law.
- Up to $50,000 and 1 year in prison for knowingly obtaining or disclosing PHI
- Up to $100,000 and 5 years in prison if the offenses are committed under false pretenses
- Up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
So what’s a medical practice to do? Protect yourself by using an EHR platform with industry-leading security, that addresses every mode of medical record security breach, so that you can confidently avoid civil (and criminal) penalties, the pain & distraction of a federal investigation, and the long-term impacts on the reputation of your medical practice.
The SiliconMesa® EHR platform virtually eliminates the top 4 root causes of actual medical record security breaches:
- Thefts (54%): With SiliconMesa® EHR, there is no PHI stored locally on your PC, laptop, tablet, or smartphone. All data is securely accessed “over the cloud” from the HIPAA-compliant SiliconMesa Data Center with 256-bit encryption of all data, both “at rest” and in-transit using our secure SSL tunnel.
- Unauthorized Access/Disclosure (22%): With SiliconMesa® EHR’s 2-factor authentication, every user is required to authenticate using their mobile phone (or land line) before ever entering a username and password. Also, SiliconMesa will back up all of your data, so there is no need to deal with lost or stolen backups.
- Lost/Improper Disposal (17%): With SiliconMesa® EHR, you can effectively eliminate the need for PHI records on paper – go paperless!
- Intentional Hacking (7%): The SiliconMesa® EHR platform is built upon Security Enhanced Linux (SELinux) – not Windows®. SELinux was co-developed by the U.S. National Security Agency to protect our country’s most sensitive defense and intelligence data. Also, the SiliconMesa Data Center keeps all firewalls, servers, and storage devices up-to-date with the latest security upgrades so you don’t have to worry about it.
Contact SiliconMesa today to set up your 30-day risk-free trial, and get the peace of mind you need to focus on doing what you do best – caring for your patients!
March 9, 2012
With a federal mandate and all the stimulus money, why is EHR adoption so slow among medical practices? Our market research shows most EHR vendors on the market have missed the concept of delivering real added value for small-medium sized practices.
Some EHR vendors target the needs of large provider networks & institutions (and their incentive money) with expensive customer-hosted software licenses requiring locally purchased servers & storage networks, managed by in-house IT staff.
Other EHR vendors target mass volume with “bare bones” EHR products that are often abandoned for a variety of reasons. Many are difficult to use; require significant changes to existing workflows; provide poor customer service and technical support; have hidden hardware & software costs; and have unknown security risks.
SiliconMesa offers a complete solution with no upfront cost, and no commitment. Our success = your success; our goal is for you to become proficient, tell your friends, and collect your referral bonus! :-)
February 17, 2012
SiliconMesa believes that the right EHR must deliver:
- An affordable path to “Meaningful Use”, and YOUR stimulus incentive money
- Charting YOUR WAY with customized forms & templates to fit your existing workflows, and efficient data input technology to reduce data entry time
- A user-friendly experience with an intuitive interface that bundles all EHR and Practice Management functions of the medical practice
- A highly secure and robust architecture, accessible anywhere & anytime, to avoid security breaches and the resulting fines & penalties
- Customer service excellence
SiliconMesa is committed to fulfilling these needs, with a complete EHR and Practice Management solution that fits YOU – not the other way around!
January 20, 2012
In 2009, President Obama signed into law the HITECH Act (Health Information Technology for Economic & Clinical Health) as part of the American Recovery & Reinvestment Act (ARRA) – also known as the “Stimulus Package”. The goal of this legislation was to reduce healthcare costs and improve patient care quality by driving all medical data in the form of Electronic Health Records (EHR) to become the national standard by the end of 2014.
The HITECH Act significantly widens the scope of HIPAA privacy & security rules, increases potential legal liability, reduces Medicare reimbursement payments for non-compliance, and provides mechanisms for periodic government audits & enforcement. However, the HITECH Act also provides significant financial incentives designed to accelerate adoption of EHR technology.
Eligible healthcare providers who demonstrate “Meaningful Use” of an ONC-ATCB Certified EHR technology can qualify for federal stimulus money.
- Up to $44,000 over 5 years for Medicare eligible providers
- Up to $63,750 over 6 years for Medicaid eligible providers
However, if you choose the right EHR product to fit your practice’s actual workflow, then additional benefits include:
- Efficiency and productivity improvements leading to lower operating costs, and increased patient volume (i.e. revenue)
- Improved patient care quality, fewer mistakes, and possibly lower malpractice insurance premiums; and
- Accurate charge capture and faster revenue cycle.