Archive for October, 2010

3 reasons for slow EMR performance

System performance is one of the biggest issues that I have seen in implementing an EMR.  It seems that almost immediately after “going live” with an EMR implementation a sudden swell of enthusiasm is stopped in its tracks due to system performance.  From my experience there are 3 main reasons an EMR may experience performance problems along with many less prominent reasons.

The three main reasons for EMR performance issues are:

  1. Underpowered EMR database server – I am not sure why EMR vendors don’t beef up their minimal system requirements.  The requirements are, as they say, “minimal” and will give you just that: “minimal” performance.  I guess the truth is, the faster the server the more expensive it is, and EMR vendors try to minimize the expense to implement their product.  My recommendation is to push back on the EMR vendor and keep asking them if the recommended server will provide good performance today and for the next 3 years.  My gut feeling is they will be very non-committal on the server lasting 3 years but may push you to a more powerful server to hedge their bet.  It is cheaper to spend the money upfront than to rip and replace in 2 years.  Additional memory and processors can significantly improve performance.
  2. Slow disks or not enough disks in the EMR database server – An EMR database server is constantly hit with reads and writes, most of them small and random rather than large and sequential.  A slow set of disks or too few disks can cripple the server and significantly impact performance.  Without getting into too many technical details, it is safe to say that you should put as many disks as you can into your database server and spread the load across them.  You should also buy the fastest disks you can (15K RPM).  A significant number of fast disks can add considerable expense to a database server, especially if you are looking at an external cage of fast disks, but the performance gains can be significant.
  3. System performance across a wide area network connection – the third main reason for EMR performance issues is trying to run an EMR application across a network connection between 2 or more locations (Wide Area Network – WAN).  The amount of data that is sent back and forth between the EMR client and the EMR server can be significant.  In a scenario where the clients and the server are in the same building (Local Area Network) there may not be any performance impact.  That is because there is a lot of bandwidth between the clients and the server (usually 100Mbps and up to 1000Mbps).  But when the client is in one location and the server is in another location (separate building) there can be significant delay and performance problems.  A typical T-1 has a bandwidth of 1.5Mbps, which is significantly slower than LAN connections (again 100Mbps up to 1000Mbps), and the WAN also adds latency to every round trip a chatty client makes to the database.  Increased bandwidth between locations can help but the expense can be significant.  A better solution is to implement Citrix or Terminal Services to run the EMR client at the remote locations.  Citrix requires 1 or more additional servers located next to the EMR server (on the same network subnet) but requires very little bandwidth between offices, because only screen updates and keystrokes cross the WAN.  Citrix performance can be as good as running the EMR client and server in the same location.  In almost every implementation we have done, Citrix provided the best performance running an EMR across a WAN.  The additional expense is well worth it.  One note: if your EMR is web based and utilizes a browser to run the program then the bandwidth requirements would be very minimal and not require Citrix.  Whichever approach you take, the traffic crossing the WAN carries patient data and should be encrypted (for example over a site-to-site VPN).

The takeaway from this is that in order to ensure you have good performance from your EMR, it is essential to purchase the right EMR database server.  In addition, a Citrix solution for remote offices/locations should be explored.


A look into tomorrow’s cloud

My last post discussed a hybrid strategy for utilizing local and cloud based IT services.  I concluded the post by stating that I didn’t think we were ready for all cloud based IT services.  Let’s fast forward a few years and assume that businesses can run a majority of their IT services in the cloud.  Let’s assume that reliability, security and accessibility have all matured to the point that a total cloud based IT infrastructure is possible.  A key component would be that Internet access will mature to the point that it is as reliable and scalable as other utilities such as electric, natural gas, etc.  High speed Internet access would be ubiquitous and reliable no matter whether you are utilizing wired or wireless connections.  Connecting to the cloud would be as reliable as turning on a light switch in a home or office.

What does a total cloud based IT infrastructure look like?  Let’s take some of the typical IT services that businesses utilize today and compare them to what would be offered by competing cloud based services.

IT Services

  1. User Authentication – basic ability to log into your network and use those credentials to access other services
  2. File Services – ability to access files (documents, spreadsheets, presentations, etc).  Ability to restrict access based on defined user access lists (e.g. only the marketing department can access the marketing network share)
  3. Print Services – ability to print to various printers.  Queue multiple print jobs that require the same printer.
  4. Email Services
  5. Database Services
  6. Firewall Services – protection of a network from outside access
  7. Anti-virus / Anti-malware Services
  8. Line of Business Applications – EMR, ERP, Accounting, etc.
  9. Document Creation – ability to create documents, spreadsheets, presentations (e.g. Microsoft Office)
  10. Remote Access Services – ability to gain access to other services when you are outside your network (e.g. home, traveling or at another location)

There are many other IT Services that businesses utilize but let’s just limit the conversation to these 10.

At this point I started having trouble wrapping my mind around what a total cloud based network would look like.  I decided to take the approach that the network is fundamentally the same as it is today, just moved into the cloud.  I think this is the easiest approach, although it is an interesting exercise to try to figure out how the network of the future, one that ties together all the other cloud based services, would look.  For more details on how it may possibly work, take a look at Dave Winer’s excellent post.

Let’s take our list of 10 typical IT Services and move them to the cloud

Cloud based IT Services

  1. User Authentication – these services would function basically the same except that the servers you authenticate against would be running virtually in the cloud.  Amazon, Rackspace and other companies currently offer these services.  For this mind exercise we are going to assume that you can now take these validated credentials and use them to access other cloud based services.  This would be very similar to how both Google and Microsoft use a single account to access multiple services.
  2. File Services – files would be stored on other cloud based services.  Access to the files would still be restricted to user access lists.
  3. Print Services – ability to print to various local printers.
  4. Email Services – ability to send and receive emails would be another function provided by a cloud based solution.  The solution would include anti-malware, anti-SPAM, email encryption and other services that are now usually added onto existing Email Services.
  5. Database Services – SQL Server, Oracle, MySQL databases that would be hosted in the cloud.
  6. Firewall Services – protecting a network from outside access will have a much more diminished role.  Local networks would no longer contain data that needed to be protected, although the workstations and the credentials they hold would still need protecting.  The role of Firewall Services would be much simpler and less complex.
  7. Anti-virus / Anti-malware Services – currently these are separate services that are applied to other services such as protecting files, email, etc.  These services would be seamlessly integrated into the other cloud based services and would no longer be a separate function.  Cloud based providers would be responsible for integrating and managing these services.
  8. Line of Business Applications – EMR, ERP, Accounting, etc.  Again these services would be provided in the cloud and most likely the individual vendor of the application would provide it as a cloud based service.
  9. Document Creation – documents would be created using cloud based utilities such as Google Docs or Microsoft Office Web Apps.
  10. Remote Access Services – the concept of Remote Access would totally shift.  EVERYTHING would now be remotely accessible from the cloud.  This would no longer be a separate service.

A typical office would now consist of just low cost workstations, laptops, tablets, thin clients and printers.  There would be no servers and no data stored locally in the office.  There would be no data to be backed up and the cloud providers would be responsible for data backups (contractually, since a medical practice remains the covered entity accountable for its patient data).  The IT support requirements would be minimal and the network complexity would be drastically reduced.

Companies whose function is to implement and support local IT services would have a greatly diminished role.  With local IT services all moved to the cloud there will no longer be a need for a lot of local IT support, although the functions that today’s IT companies provide would still be needed.  User accounts will still need to be set up and maintained, printers set up, email accounts set up, etc.  These functions would not require a lot of technical skill, though, and may be able to be performed by non-technical staff.

A business that moves their IT services into the cloud would no longer have to worry about local IT support.  They would no longer be faced with the constant workstation and server upgrades, software upgrades and the monthly expense of supporting the network. All of these functions would be pushed onto the cloud based providers.  The cloud based providers would now take on these responsibilities and factor the associated expenses into the monthly fee that they charge.

All in all, a cloudy future looks pretty good.  We are not there today but we can make steps in that direction.  Some of the benefits can be realized today.  And as the cloud becomes more reliable, secure and accessible, more benefits can be realized in the future.


Cloud schizophrenia

Regular readers of this blog have heard me discuss cloud computing in the past.  I have pointed out the potential problems of cloud computing as well as discussed incredible things you can do utilizing the cloud.  So I may sound like I am all over the board regarding cloud computing.  I thought I would discuss the cloud a little more and try to clear up my stance.

Cloud computing offers businesses an opportunity to utilize computing resources and services that in the past may have been too expensive or too complex to set up.  This is especially true for the small to mid-size market (medical practices included).  I find it amazing that businesses can utilize full blown accounting systems, electronic medical records (EMR), disaster recovery services, etc. all from the cloud.  There is no local infrastructure to set up, no maintenance and support of servers and software, no capacity planning, etc.  In theory it is a dream come true for many businesses.  Usually the pricing model on cloud based services is reasonable, and it provides a fixed cost and the ability to accurately budget for IT services.  What’s not to like?

As long as all goes well, cloud based services are a good thing.  But if things don’t go well then the real issues with the cloud become apparent very quickly.  Single points of failure can completely stop an organization from accessing critical IT services.  A failure in communications links (e.g. T-1, FIOS, cable, etc.) could prevent access to the cloud.  Cloud based services do fail, as we have seen in recent months.  These failures can leave an organization without access to critical IT services for hours or even days.  You can’t mention cloud computing without the discussion of security.  The truth is, your data is now sitting in servers and storage outside your organization.  You no longer know the individuals that have access to the data.  You don’t have control over the backups and really don’t know how or when they occur.  Your data is commingled with data of other organizations.  The cloud is usually publicly accessible and you don’t have control over how the data is protected from unauthorized access.

All of the above issues are true but in reality they are no different than if you had the infrastructure, programs and data local.  Most businesses (aside from large Enterprise organizations) have many single points of failure which could produce similar problems to cloud based services.  Security in many small to mid-size organizations is usually much worse than you will find in the cloud.  Data backup and disaster recovery is usually very sketchy for many businesses.  Anyone who has faced the situation where critical data had to be restored from backup tape can attest to the level of praying required that the data on the backup tape is valid and can be restored.

So by now you may be saying to yourself that my cloud schizophrenia is clearly apparent again.  Let me lay out a framework for businesses that want to utilize cloud based services.

  1. Start moving all non-essential services into the cloud.  If you are a medical organization your main business is treating patients. Your main IT related services are storing and retrieving patient information to assist with treatment.  Computer virus protection, Internet content filtering, email SPAM filtering, email encryption, and accounting services are not essential IT services that directly help you with your primary focus which is treating patients.  Don’t get me wrong, these are very important services but these are the type of services that are well suited for the cloud.  If you don’t have access to your cloud based accounting system but still have access to a local EMR there is minimal impact on the treatment of patients.
  2. Utilize the cloud for services that are far too complex or expensive to implement locally.  Businesses with single offices or minimal IT resources have a difficult time implementing costly and complex disaster recovery services or off-site data backup.  As I mentioned in this article, disaster recovery utilizing cloud based services can be set up for a couple hundred dollars a month.  This is far less costly than implementing redundant infrastructure in another location.  Again these are services that are important but not critical to a business’ essential services.
  3. Keep essential services local to the organization.  Services that support the main focus of your business (EMR, manufacturing systems, etc.) should be kept local.  Moving non-essential services into the cloud will make your infrastructure much simpler and easier to support, and you will be amazed at the reduction in complexity, in the number of servers needed and in the amount of operational support needed.  You can then focus on ensuring that you have a stable and reliable infrastructure to run the critical IT services that support the main focus of your business: that the appropriate capacity is in place for the core IT services, and that local infrastructure redundancies are in place for them.  Moving non-essential services to the cloud and keeping essential services local will allow a business to focus on ensuring that critical IT services are designed and supported properly.

By taking a hybrid approach to local and cloud based services, organizations can get the best of both worlds.  Cloud based services are extremely useful and provide efficiencies and features that are difficult and costly to set up locally.  Local IT services for critical functions provide access and security.  One day everything may be in the cloud and businesses may just focus on their business and have little or no thoughts of local IT services.  I don’t believe we are at this point yet.  So for now I say, keep your head (and non-essential services) in the cloud but keep your feet (and essential services) local to your business.


Reasons to get HIPAA compliant

I read an article over at KevinMD.com called Business reasons to get compliant with HIPAA that had me nodding my head in agreement throughout the whole article. The author, Rosemarie Nelson, discusses the HIPAA Security Rule and gives some good insight.  I suggest you read the full article but some highlights include:

Most covered entities had two full years — until April 21, 2005 — to comply with these standards.

The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.

From what I have seen this statement is very true.  Medical providers have done a lot to implement the HIPAA Privacy Rule but not the HIPAA Security Rule.  And maybe this is the reason why:

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!

To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.

The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

Rosemarie goes on to give the cold, hard facts:

HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

When OCR starts doing HIPAA compliance audits on medical providers you can’t say you haven’t been warned.  It is coming and I suspect we will see some high profile audits in the beginning of 2011.

Her advice, which I 100% agree with, is:

What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.

She goes on to give more insight into the Risk Assessment process and some of the fines for not complying with the HIPAA Security Rule.  Very good article and a must read for all medical practices.


Missing my BlackBerry

As I wrote in this open letter to Research in Motion, I have recently switched to a Motorola Droid 2 from a BlackBerry Tour.  I had various BlackBerry devices for 10 years prior to switching.  First off I want to say that there are many things that I truly love about the Droid 2 including:

  • Incredible searching capabilities (would you expect anything less from Google?)
  • Speech to text works amazingly well.  The ability to speak and search works great and I have composed long emails and texts by just talking into the phone.  The accuracy is very good.
  • The turn by turn navigation is incredible.  Add in the ability to speak and search for a destination and you will understand why my TomTom GPS is never used anymore.
  • Some great Apps including Tasker (to totally automate so many different tasks), Google Sky Map, ShopSavvy, Live Scores and Zillow to name a few.
  • The Browser is great.  It is so nice to have a truly functional and fast Browser and be able to access any website that I want.
  • WiFi Hotspot – the ability to turn the Droid 2 into a WiFi hotspot for my iPad, laptop and my son’s iPod Touch is very useful.  I am not that happy having to pay Verizon $20/mo extra for that feature but that is another story.

Unfortunately there are some things that I truly dislike about the Droid 2 and Android OS including:

  • Truly awful email client.  The standard email client is awful against an Exchange Server (I have a conspiracy theory that Google purposely made the email client to under perform with Exchange to highlight their Gmail product but I will leave it at that).  When you contrast the standard email client on the Droid 2 with the standard email client on the iPhone there is absolutely no comparison. I have purchased the Touchdown for Android email client and it is much better than the standard client but is not without its faults.   Which brings up the first reason why I miss my BlackBerry.  There is no better email experience than on the BlackBerry in my opinion.  Although the iPhone/iPad email client is very good.
  • The Droid 2 keyboard.  The keyboard is not awful but it is inferior to the BlackBerry Tour keyboard.  Sending and receiving email is vital to me throughout the day.  I actually use the speech to text because it is easier than typing on the Droid 2 (ok, that is a positive and a negative for the Droid 2).  And maybe I am stuck in my ways but touch typing is just not the same as having a keyboard.
  • Battery life.  I live in constant fear of my battery dying.  It is impossible to make it through the day on a single overnight charge.  I have to shut the screen off every time I am done looking at it to preserve the battery.  I turn the WiFi off immediately when leaving my house or office.  And don’t even think about the GPS unless it is plugged into my car charger (speaking of GPS, you can almost fry an egg on the Droid 2 it gets so hot with the GPS on).  I charge it throughout the day if I know I will need it at night.  All in all it is a pain to babysit the battery.
  • Force Close – having to force an application to close when it stops responding.  It seems to happen more and more lately.  And having to resort to actually restarting the Droid to get it to function correctly (not that frequently, but it does happen).  Although I have to say the time it takes to boot up the Droid 2 is very quick, especially compared to what seemed like 2 hours for the BlackBerry reboot.

All in all I do like the Droid 2 and the Android OS.  The power of the phone is incredible and the ability to access websites and run useful Apps is great.  So why do I miss my BlackBerry?  Here are a few reasons:

  • The email experience.  As I said I believe the BlackBerry has the best email client and email experience.
  • The keyboard.  I miss the speed in which I could type emails on the BlackBerry.
  • The battery life – not having to worry about making it through the day was very nice.  Not worrying about turning off the screen when I was done using it was very nice.
  • The weight.  The Droid 2 is heavier and more awkward to hold than the BlackBerry.

But don’t get me wrong.  For the things that I miss with the BlackBerry there are so many more positive things that I love about the Droid 2.  I can’t see myself going back to the BlackBerry.  I will stick with the Droid 2 for now, but maybe a different phone such as the Droid Pro that is coming out or a future model will be a better fit.  Or maybe the Windows Phone 7 is worth a look.  But for now the Droid 2 and I are married at the hip.


Disaster Recovery for everyone

Disaster Recovery is usually reserved for enterprise or large businesses.  Disaster Recovery (DR) has historically been too complex and too expensive for small to mid size businesses and medical practices.  In the past, if you had multiple servers for different functions like database, email, file services, etc. you would need physical servers at another (backup) site that duplicated those functions.  In addition, you would need to replicate the data between the primary servers and the DR servers at the backup site.  Replicating data meant that you needed complicated software and high speed communication links between the two sites.  So between the duplicate physical servers and the data replication requirements you can see how the expense and complexity can be a deterrent to small to midsize businesses.

Virtual Servers

Over the past few years some of the costs have been lowered through the use of Virtual Servers.  Virtual Server technology from VMware, Microsoft and Citrix allows a physical server to run multiple Virtual Servers.  So one physical server can be configured with enough memory, processors and hard drives to run multiple servers.  For example, one physical server can run a database, email and file server.  In addition, the cost of hardware, including servers, has dropped, which further contributes to reduced costs.  Virtual Servers are a perfect technology for a DR infrastructure.

Double-Take and XOsoft Replication Software

In addition to Virtual Servers and falling hardware costs, modern replication technology from Double-Take and CA XOsoft has greatly reduced the complexity of replicating information from primary servers to DR servers.  The replication software has simplified setting up DR environments but adds significant cost.  The replication software is licensed per server and can run between $2,500 and $3,500 per server.  Taking the example of 3 physical primary servers and 1 backup server running Virtual Servers, the replication software can cost around $12,000-$15,000.  Add in hardware and other licensing costs and you are looking at $20,000 or more in DR implementation costs.  At that price point it is still elusive to many small to mid-size businesses.

Utilize Cloud Computing

The next step to making DR more affordable to all companies is to take advantage of Cloud computing.  Amazon’s EC2 infrastructure lets companies run Virtual Servers in the Amazon cloud, utilizing the massive amount of computing infrastructure that Amazon has built.  Companies can run Virtual Servers for just pennies an hour.  This Virtual Server environment in the Amazon EC2 cloud is a perfect fit for DR.  It enables companies to set up their DR infrastructure without any hardware expenses.

DR for everyone

Double-Take Software has partnered with Amazon to develop a product / service called Double-Take Cloud.  This service allows companies to rent the Double-Take software on a monthly basis for under $100 per server.  Factor in the computing costs for utilizing the Amazon infrastructure and a company’s DR costs for the 3 physical server DR environment can be set up for around $350/month.  This monthly expense requires no upfront hardware or software expenses.  At this price point Disaster Recovery is now affordable to all companies.  As with any cloud service that will hold patient data, confirm how the replicated data is protected in transit and at rest before you sign up.

If you don’t have a Disaster Recovery plan in place for your business or medical practice, you should seriously consider looking into it.


Healthcare industry lack of IT staffing

A crisis: that is the message I get from an article written by Anthony Guerra over at healthsystemCIO.com.  Anthony refers to a study by CHIME that states 51% of CIOs said IT staffing deficiencies will possibly affect their chances to implement an EHR and receive stimulus funding.  Anthony’s article addresses the lack of IT staffing in hospitals and I will extrapolate the findings to say it is even worse for medical practices.

As more and more medical practices are rushing to grab a piece of the stimulus funding by implementing and achieving Meaningful Use of an EHR, the lack of IT resources will have a huge impact.  Here are some of the areas I think will be impacted the most.

Implementation

Entegration has been supporting medical practices for 10 years.  This experience has given us insight into what works and what doesn’t work with an EHR implementation.  Many practices will rely on the EHR vendor to help them plan the implementation.  From experience this is not always a good thing.  A lot of EHR vendors try to cookie-cutter the EHR implementation based on best practices from previous implementations.  While in theory this sounds good, the lack of specific knowledge about a practice’s processes and workflow, and the lack of knowledge about the staff’s IT skills, can lead to major problems after the implementation.  I don’t specifically blame EHR vendors because they are doing what they can without detailed knowledge of the practice.  The practice has no choice but to take the EHR vendor’s recommendations because they usually don’t have dedicated IT staff, and if they do, the staff probably has not been through too many EHR implementations.  And on top of that, many EHR vendors lack resources with experience assisting in EHR implementations.  I believe the industry-wide lack of IT resources and skills is a major factor in the high rate of EHR failures.

Support

Supporting medical practices is not easy.  I can honestly say that from years of experience.  Medical practices are very demanding and tend to have complex networks.  On the surface you would think medical practices would have simpler networks consisting of the EHR, email, and file services.  But when you add in the integration of other pieces of technology, including lab interfaces, outsourced billing, digital x-rays, heavy use of digital scanning, ultrasound machines, multiple offices, and mobile physicians, you start to understand the complexity.  Many practices outsource the support of their network to IT consultants.  From what I have seen, the lack of detailed knowledge regarding medical practices is a major issue in providing a high level of support.  Supporting a medical practice is much different than supporting a car dealership or other small businesses.  Without a specialized focus on medical practice support, it is very difficult to understand the unique IT needs and requirements of medical practices.  As more and more practices move to EHRs, the lack of IT staff both in-house and at IT consulting companies will have a major negative impact on the use of EHRs at medical practices.

Privacy and Security

Many medical practices put in new EHRs with little thought of privacy and security.  This is not to say they are not concerned about privacy and security.  Privacy, and specifically security, is an area in which a practice has minimal past knowledge.  They don’t know what they don’t know.  Without a security focus and without proper guidance, practices tend to make bad decisions regarding security.  Look at the number of data breaches due to unencrypted laptops and portable storage devices.  Full-disk encryption of laptops and portable storage devices would have kept the patient data in most of these breaches unreadable, but a lack of knowledge regarding encryption, and a lack of proper guidance from IT consultants, leads many practices to ignore this technology.  In addition, the lack of compliance with HIPAA security, and specifically the lack of detailed policies and procedures, risk assessments and training for the entire staff, will lead to more and more data breaches.  Again the lack of available IT resources that understand privacy and security and can provide these services to medical practices will have a negative impact on protecting patients’ privacy.
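The unencrypted-laptop breaches mentioned above are the easiest ones to check for.  The following script is an added example, not code from the original post or from any vendor it names: it lists every fixed volume on a Windows machine that is not fully BitLocker-encrypted with protection turned on, which is the state a lost laptop must already be in for its patient data to stay unreadable.  It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the function and variable names are my own.

```powershell
# Added example (not from the original post). Reports fixed volumes that are
# not fully BitLocker-encrypted with protection on. Assumes the BitLocker
# module (Windows 8 / Server 2012 and later) and an elevated prompt, which
# Get-BitLockerVolume requires. Function and variable names are assumptions.
function Get-UnprotectedVolumes {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume |
        # OS and data volumes only; removable drives plugged in at scan time
        # show up as Data volumes and are checked too.
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        # "Fully encrypted" alone is not enough: a suspended volume has its
        # key stored in the clear, so ProtectionStatus must also be On.
        Where-Object {
            $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                MountPoint       = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus
                ProtectionStatus = $_.ProtectionStatus
                EncryptionMethod = $_.EncryptionMethod
                # Recovery keys must be escrowed (Active Directory, a password
                # manager) or an encrypted laptop becomes an unrecoverable one.
                KeyProtectors    = ($_.KeyProtector |
                    ForEach-Object { $_.KeyProtectorType }) -join ', '
            }
        }
}

# Run the check and fail the script if anything is left unprotected, so it
# can be scheduled or run from a login script and the exit code acted on.
$findings = Get-UnprotectedVolumes
if ($findings) {
    Write-Warning "Volumes without full encryption and active protection:"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "All fixed volumes on $env:COMPUTERNAME are fully encrypted with protection on."
```

Running this across a practice’s laptops gives the kind of evidence a risk assessment asks for: not a policy saying devices are encrypted, but a per-machine list of which ones actually are.  A volume that shows FullyEncrypted with protection Off (a suspended volume) is the case worth watching, because it looks encrypted but boots without a key.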

The lack of IT resources is an industry-wide problem.  The problem will only get worse as more and more healthcare organizations from large hospitals to small medical practices rush to implement and use EHRs.  The results will show up in failed EHR implementations, organizations not realizing the full benefits of EHRs and privacy and security issues with patient health information.  It is almost like an accident happening in slow motion.  You see it coming but there is nothing you can do to prevent it.


Security implications of MU for healthcare providers

The North Carolina Healthcare Information and Communications Alliance (NCHICA) published a very in-depth whitepaper (pdf) on the privacy and security implications of Meaningful Use for healthcare providers.  Some of the key points of the paper include:

Recommendations for Health Care Providers:  Achieving Privacy and Security Compliance in Meaningful Use Criteria
  1. Review existing governance of privacy and security programs.
  2. Implement effective security governance processes.
  3. Include privacy and security as primary components of the organization’s strategic planning process.
  4. Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations).
  5. Conduct regular evaluations and audits of compliance with HIPAA and new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising).  Understand the gaps and prioritize improvement efforts.
  6. Develop an ongoing and documented process for evaluating the privacy and security programs.  This is not a one-time process, but rather a regular recurring assessment to consider changes in the environment and regulatory requirements.
  7. Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes.
  8. Develop new and enhanced training programs in privacy and security for management, board, staff, and all those considered to be part of the organization’s workforce (e.g., medical students, residents, fellows, volunteers, contractors, etc.).

Key points from above are on-going risk assessments, an on-going process for evaluating your privacy and security programs and on-going training of your staff.  Unfortunately this is not a one-and-done process but rather a recurring process that keeps integrating privacy and security deeper and deeper into every aspect of your practice.

The paper goes on to discuss the importance of the Privacy and Security Officers.

Privacy and Security Officers need clearly defined roles and responsibilities.  They should be viewed as key participants in the provider’s governance processes, with regular, ongoing reporting of privacy and security program progress and issues to senior leaders and the Board.
The roles and responsibilities of Privacy and Security Officers should be clearly delineated and serve as a check/balance to protect the organization against possible privacy and security issues that can increase risk and jeopardize the AMC missions related to patient care, research, and education.

I found their phased approach to privacy and security very interesting.  I tend to agree with the phased approach much like learning to walk before running.  Each iteration drives privacy and security deeper and further into an organization.
