An interesting report was released by the Consumer Health Information Corporation (CHIC) which looked into the use of smartphone apps. The report was based on a survey of 395 respondents and was conducted to gauge consumer interest in health apps and evaluate the likelihood of patient adherence to them.

According to the report

The CHIC survey shows that the availability of a better app (34.4%) and lack of user friendliness (32.6%) are the top reasons for discontinuation of smartphone apps.

Another data point that seems fairly obvious is:

In general, ease of navigation (90.9%) was the top feature that made apps favorable. In terms of interest in health apps, the majority of surveyed consumers stated that they would be most interested in using a health app to gain information (91.1%).

The one piece of information that I think is very useful is how patients would like to be reminded to perform a health related task. The overwhelming response (41%) was that they would like to receive a text reminder. Only 1.3% said they wanted to receive a phone call as a reminder.  Clearly people do not want phone calls as reminders.

So if you are calling patients to remind them of upcoming appointments, you may want to explore implementing a text reminder instead.

Other information from the study included:

Consumers were most likely to use a health app to find information about drugs (42.2%) or disease states (26.5%).

39.8% were willing to use such a health app several times a day.

National health organizations were the most trusted source of health information (51.8%).

The majority of consumers were either somewhat influenced by (55.8%) or very much influenced (32.2%) by consumer ratings of apps.

33.4% of consumers preferred health apps to be free but the majority were willing to pay, with 30.9% willing to pay $1.00-$5.99.

In terms of preference for health-related task reminders, consumers did not want phone calls, drug vials, or email reminders.  The majority of consumers preferred reminders through their mobile phones such as text messages (41.1%), smartphone apps (20.3%), or phone alarm (19.5%).

This is truly a very challenging time if you are a health care organization. There is a fundamental change occurring that will transform the way medicine is practiced in the next 20 years. Almost like the invention of electricity, the light bulb or the first gas powered engine, the change will have enormous impact to everyone that it touches.

At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.

The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.

Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?

Like all new technologies, electronic medical records offer incredible opportunities but along with opportunities are real risks that need to be addressed. We will look back in a few years and see that health care organizations made the move from the dark ages to a much more modern area. Unfortunately we will see lots of mistakes and security issues that could and should have been addressed.

Backup tapes have been stolen, from a van, that contained 1.7 million records of patients.  The tapes had patient history and electronic protected health information (ePHI) dating back 20 years.  The information on the tapes includes names, addresses, Social Security numbers and medical information.

This is a huge data breach affecting an enormous amount of people.  Each of the 1.7 million people could  be in danger of identify theft and other identity related crimes.  Stop for a second and think through the value on the black market that this data including Social Security numbers, patient health records, name and addresses would be worth.

The first question that MUST be asked is: why were these backup tapes not encrypted?  Let’s not glaze over this.  This is a crime to jeopardize this many people.  Encrypting backup tapes is not only cheap but it is very easy to do.  It is just a setting in the backup software.  It is just an encryption password.

The second question is: why is the HIPAA Security Rule not being enforced?  How can we watch as millions and millions of patients are having their social security numbers and health records being breached.  How can we ignore the government regulations that were put in place to protect patients?  How many patients must be victims of identity theft before we say enough is enough!?

Source: Apple

Have you ever looked over a doctor’s shoulder when they are using an EMR?  What you see is hard to describe. Picture a crowded screen with fields, data,  buttons and menus that fill up the entire screen.  Picture a screen so crowded that if you wanted to add another data field you would be hard pressed to find some real estate on the already crowded screen. But if you keep watching you would be even more amazed.  If a doctors wants to send an electronic prescription to a pharmacy for the patient she might have to click on 4 or 5 pages to accomplish the task. The amount of options and choices that the doctor has to navigate through is truly daunting. What I just described is not true for every EMR.  With over 300 EMRs on the market, and growing, some of the EMR vendors have figured out usability and design.  But unfortunately many of the vendors have not.

Up until about 5 months ago I have been a dedicated and devoted user of Windows based applications.  My time on Apple computers was very rare.  And I admit that I have engaged in the typical technology driven arguments that the Windows operating system was superior to the Apple operating system.  In fact, I always failed to understand the cult based Apple loving mindset.

Fast forward to the present and after purchasing an Apple iPad my perspective has changed.  I won’t go into details about the iPad because by now you would have to be living under a rock to not know about the smashing success that Apple has had with the iPad.  The one thing that I will point out is how good the interface and usability is on the iPad.  I am amazed that without a keyboard and with only one button on the front of the device, how easy it is to use and navigate iPad (iOS) applications.  And I totally understand your doubt if you have not used an iPad but I ask that you trust me on this one.

iPad EMRs

So can the usability of the iPad be leveraged for EMRs?  Clearly an iPad strategy is a must for most of the EMR vendors. Will they take their existing user interface and shoehorn it into the iPad or will they totally redesign the interface and focus on usability?

For more insight into how some of the EMR vendors have approached the iPad check out this post over at Software Advice.  They go into the booming demand for iPads and tablets as well as review some of the existing iPad EMRs and applications.

There is a very sad article out today about how a cancer researcher had a laptop stolen from her car that possibly had a cure for prostate cancer.  The researcher at Oklahoma University, Sook Shin, had her laptop stolen from her car while she was at a local restaurant.  When she came out of the restaurant she found her window smashed and the laptop gone.  What is worse is that the data was not backed up.   Her and her husband are offering up a $1,000 reward for the return of the laptop.

Sook said that some of the data could take 2 years to recreate but some of the data could never be replicated.  The loss of this data could push back a cure for prostate cancer.

As unfortunate as this story is, it is a very good example of the importance of protecting data on portable media including laptops and USB drives.  Many people don’t think about it until the laptop or drive is lost or stolen.  So whether it is your personal laptop with priceless pictures of your family or vacations, or whether it is a work related computer; make sure you protect the data.

For personal computers I found that services like Dropbox, Mozy or Carbonite work very well.  These low priced backup solutions are perfect for protecting your valuable data.

For business, I recommend the following:

• Laptops and portable media are very likely to be lost or stolen, as this story shows.  Make sure you encrypt any and all portable media devices to protect the contents of the data.
• Ensure that you are backing up your data to a network share that is included in the network backup routine.  (make sure your network administrator is encrypting the backup tapes or drives as well).
• Laptops that are transported from the office to home might contain data that has not been backed up since the last time it was in the office.  If you are going to save the data periodically at home, make sure you use an encrypted drive as well.

Finally, let’s hope that the researcher’s lost laptop is returned with it’s valuable data intact.

Putting a gun in an inexperienced person’s hands is a very bad idea.  Hand guns can be very safe if safety precautions are taken.  Experienced gun owners take the right steps to ensure that the gun does not cause harm.  Not storing a loaded gun, safety locks and ensuring that guns are stored in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time.  They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices.  These organizations are used to protecting patient’s information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and other general precautions to protect paper based records.

The switch to electronic medical records is a new adventure for some of these organizations.  They probably spent months evaluating, planning and implementing their new EMR.  The first weeks and months of an EMR implementation is usually a very hallowing experience.  New systems, new workflows, hardware and software issues all put a lot of stress and strain on an organization’s employees.  Doctors, nurses and the entire staff usually struggle in the beginning of an implementation.  In addition, the total amount of training that the EMR vendor provides is on an average 1-2 hours per employee (and that number may be high in some cases).  The training is usually focused on how to use the new EMR, how to login, how to enter progress notes, how to e-prescribe, etc.  Little or no training is provided on how to protect patients’ information.

The topics of securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, performing a risk assessment and other topics are usually not discussed in the EMR training.  Some may argue that the EMR vendor should address these topics but that is for another discussion.  The reality is that you have an organization that is struggling with learning and using a new EMR and have little or no knowledge on computer and patient data protection.  Is it any wonder why we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperience employees are very dangerous to the organization’s patients.  Just as dangerous as putting guns in an inexperienced person’s hands.

As 2010 draws to a close, a lot of people are starting to focus on the New Year.  New Year’s always brings new resolutions and one of them for many healthcare professionals is to get involved in social media.  By social media I am referring to blogging, facebook, LinkedIn, Twitter, etc.  You may be thinking about social media for your medical practice or using it for your own personal professional reasons.

It feels a little awkward writing a guide to social media when I am still a newbie to this whole thing.  I started posting to the Entegration Blog barely 10 months ago.  And I just starting using Twitter (@EntegrationBlog) 2 months ago.  So you can see I am clearly not an expert on the subject. With that said, I will offer up some advice from the perspective of a newbie.

OK, so you want to start using social media but are not quite sure where to begin.  Start with reading the AMA’s recently published guide to social media.

Sit and watch

The first thing I recommend you do is sit back and watch.  Find a few people to follow that you are interested in. I offer some recommendations below.  Read their blogs,analyze their writing style and read the comments that they get on their posts.  You will see that some topics trigger a lot of responses and other topics are ignored. Make mental notes about this activity. Also notice  that some comments are negative and others are positive. Ask yourself what you would do if you posted a topic and received some negative feedback.

The next step is to sign-up on Twitter.  Create a Twitter account and start following people that interest you. Again, sit back and observe.  Twitter is a lot different than blogs.  It is not as easy to get your point across in 140 characters.  But yet some people use Twitter with skill and precision.  I believe it takes a while to figure Twitter out but once you do you will see it is a great resource for information.

Facebook is another resource that you want to observe.  I recommend that you read this post on the doctor-patient relationship and facebook.

Questions that you should ask yourself regarding facebook are:

• Are you interested in setting up up a facebook page for your practice?
• Are you interested in setting up a personal facebook page?  If so, are you going to friend your patients or colleagues?

I decided early on that I would setup a facebook page that was purely for personal interaction.  I don’t friend clients, vendors or business associates.  I use my LinkedIn account for all business related interaction.  I find this works best for me.  In no way is this a recommendation.  You have to decide for yourself what works best for you.

Baby steps

Once you get comfortable observing how people are using blogs, Twitter, facebook, LinkedIn you are ready to make the next step. The next step is to get your “online voice”.  If you read a post on a blog that interests you, leave a comment.  Start to interact with the blogs that you are reading.  The first comment may be a little frightening.  I remember the first comment I left on a blog, I checked the spelling and grammar at least 10 times before hitting submit.  I also checked, over and over, to see if someone responded to my comment.  After the first comment the rest are easy.  As a blogger, I can tell you that getting comments and feedback is greatly welcomed.  Start interacting with the blogs that you read and start to get a feel of putting your thoughts and words out there for everyone to read.

Once you are comfortable with Twitter start to Tweet yourself.  If you read a blog or article that is interesting, Tweet about it.  Twitter is all about sharing information so go ahead and share.  You can also retweet other people’s post and pass it along to the people that are following you.  At first you may not have anyone following you but eventually as you tweet and retweet, people interested in your content will start to follow you.  You may have to follow a lot of people and tweet for a while before others are interested in you but trust me it will happen.

The same goes for facebook.  ”Like” other medical practices or friend other colleagues (if you decide that you are comfortable with that).  Observe how they utilize facebook.  Interact with these resources or simply observe the interaction until you are comfortable. You will decide what you want and do not want to do on facebook, which is extremely important if you decide to start your own facebook page or personal account.

Get involved in LinkedIn discussion groups.  Add your comments to on-going discussions or start a new discussion.  You will see that LinkedIn is a great resource for online conversation and sharing of ideas.

Dive in

Once you get a good understanding about how the whole social media works you may want to dive in. Some people choose to start their own blog to share their ideas.  Others use facebook, LinkedIn and Twitter to share ideas without blogging.  Some use all types of social media to get their message out.  There is no right or wrong answer.  Do what you are most comfortable with.

If you do decide to start a blog here are a few pointers:

• Identify who your audience is.  Who do you want to read your blog?  Write to that audience every time you post a blog.
• Don’t feel pressured to write a book each time you blog.  Keep it short and to the point.
• Coming up with ideas is not easy.  If you don’t have a good idea don’t force it.
• If you read someone else’s blog that you feel is interesting to both you and your audience share it. Summarize it or analyze it by adding your input to the blog.  Make sure you give credit to the author and provide a link or reference to the original post.

Once you start blogging make sure you share your blog posts via Twitter, LinkedIn and facebook.

I would like to point out that I have only mentioned blogging, Twitter, LinkedIn and facebook as sources of social media.  There are many other sources that you can utilize.  These are the only one’s that I use and feel comfortable discussing but do not limit yourself.

Final thoughts

Here are some final thoughts I have:

• Utilizing social media is not easy.  It takes a lot of time and work.
• At first you may feel like you are talking to yourself.  You will probably be correct.  It takes time to gain an audience.
• Post interesting material and utilize the various methods of sharing information and you will see the results.
• Enjoy yourself.  At first it may seem like additional work that you don’t have time for but hopefully you will start to enjoy it and look forward to blogging, twittering or facebooking.

Some people to follow:

• Kevin Pho M.D. – self proclaimed “Social media’s leading physician voice”.  His site provides excellent information and insight.
  • Blog: http://www.kevinmd.com/blog/
  • Twitter: @kevinmd
• Bryan Vartabedian –  aka Doctor_V.  His Twitter profile states “Dispatches from the frontline of social media and medicine”.  An excellent resource and someone who clearly gets the social media thing.
  • Blog: http://www.33charts.com
  • Twitter: @Doctor_V
• John Lynn – I find John’s stuff to be very interesting and informative.  He is on the front-line in terms of EHR implementations, HIPAA and general healthcare IT related topics.   His writes several blogs and utilizes Twitter with a couple of different accounts.
  • Blog: http://www.emrandhipaa.com/
  • Blog: http://www.emrandehr.com/
  • Twitter: @ehrandhit
• Mary Pat Whaley -her goal is to “provide medical practice managers a place to find resources and information”.  She does a great job at achieving her goal.
  • Blog: http://www.managemypractice.com/
  • Twitter: @mpwhaley

If rocket scientists can’t protect confidential data there is little hope that others could protect it either.  The Inspector General released a report that details how NASA sold old equipment without first  ensuring that the sensitive data was properly removed.  What is even worse is that this was not an isolated case for NASA.  The report stated that breaches were found at each of the 4 NASA locations that were audited.  There is clearly a breakdown in the disposal procedures at NASA.

Health organizations, like NASA, have to be concerned with disposal procedures.  Electronic protected health information (ePHI) needs to be properly deleted prior to disposing of any computer equipment that contains ePHI.  The HIPAA Security Rule states:

§ 164.310   Physical safeguards.

A covered entity must, in accordance with §164.306:

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Proper disposal of media containing ePHI or sensitive data includes utilizing a software and/or hardware that ensures that data is deleted and can not be accessed.  Proper disposal of media includes Degaussing (to demagnetize) the media or running a software product that complies with the US Department of Defense (DoD) standard 5220.22-M for data destruction.  If neither of these methods are feasible then the media needs to be destroyed so that the information can not be read.

It should be noted that if the media is going to be reused then the ePHI needs to be properly destroyed prior to reuse. An example would be sharing a USB drive with various employees or giving an older laptop that contains ePHI to another employee.

Keep in mind that a lot of copy machines have hard drives that store a copy of everything that is copied or printed on the machine.  Make sure you properly delete any data on the the copier before returning it to a vendor or disposing of it.

So the next time you are throwing out, recycling or donating an old piece of equipment be sure to following the below steps

1. Check to see if the equipment contains ePHI (or sensitive data)
2. Utilize a degaussing utility to destroy the data
3. If degaussing is not an option then utilize a software program that deletes the data in compliance with the DoD standard 5220.22-M for data destruction
4. If the media can not be degaussed or a utility to delete the data can not be run (i.e. the drive is no longer working) then the media must be destroyed (disintegrate, incinerate, pulverize, shred, or melt).

Make sure you incorporate the above steps in a documented procedure and ensure that it is utilized every time you dispose or reuse media.

The AMA has released a policy to help physicians walk the fine line between maintaining an online presence and preserving the integrity of the patient-physician relationship.

The new policy encourages physicians to:

Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.

Routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others, is accurate and appropriate.

Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure patient privacy and confidentiality is maintained.

Consider separating personal and professional content online.

Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.