Archive for the ‘ Health Related News ’ Category

AMA issues policy on social media

The AMA has released a policy to help physicians walk the fine line between maintaining an online presence and preserving the integrity of the patient-physician relationship.

The new policy encourages physicians to:

  • Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.
  • Routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others, is accurate and appropriate.
  • Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure patient privacy and confidentiality is maintained.
  • Consider separating personal and professional content online.
  • Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.

ER doctor uses iPhone to save patient

Dr. Kathy Corby, an emergency room doctor, treated an 8-year-old patient using her iPhone and 7 separate apps. The 8-year-old girl was having seizures and was not breathing. Dr. Corby reached for her iPhone and used the following applications to save the girl:

The child has a rare hereditary disease, and Corby needed to become an instant expert. So she began scanning a number of medical apps loaded onto her iPhone to access “everything you can’t remember on your own in the midst of something like this.”

The power of smartphones and medical apps is truly amazing. I think stories like this will be told again and again. Scanning through large textbooks or even going to a computer to do research will be replaced by reaching for a smartphone and instantly accessing information. And in an emergency situation the use of a smartphone could be even more important. As Dr. Corby said:

“I did all of this,” she said, “without taking my eyes off the child.”


Strange days indeed

You have to admit that now is a very interesting time to be in the healthcare field. This year we saw a $1 Trillion healthcare reform bill get passed. I don’t believe that anyone has a real understanding of the impact of the bill or its effects on medical practices. It seems more details of the bill are revealed every day. It will take years before we see the total impact.

Then you have the ARRA stimulus package, which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs. This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs. But along with the incentives come some significant obstacles. Medical practices have to use a certified EHR, but there is no definition of what that means or who the exact certifying bodies are. As of today you cannot purchase an EHR that is certified and will qualify for the stimulus funds. Practices not only have to implement certified EHRs but also have to use them in a way that shows “meaningful use”. Of course the exact rules for meaningful use are not known, and many argue that the rules being proposed are too rigid and the bar is too high for practices to actually show meaningful use. Taken altogether, you have a lot of medical practices that want to cash in on the ARRA stimulus incentives and implement an EHR, but uncertainty and obstacles are keeping them on the sideline. They are taking a wait-and-see approach. Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money. There is no way around it: EHRs are expensive. The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation adds up. Of course the hope would be that the costs would be offset by the ARRA stimulus incentives, but as I mentioned before, that is not guaranteed.

At the same time as all this uncertainty around healthcare reform and the ARRA stimulus, medical practices have to contend with two major economic issues. The first is the severe recession that we have been in since 2008. There is no way around it: when the economy is suffering, all businesses, including medical practices, suffer as well. I hear from my clients that patient visits are down and that waiting rooms are less filled. This has a significant and real impact on a medical practice’s cash flow and financial health. The second economic issue is the proposed cut of 21% in Medicare payments to physicians. For at least 6 months the looming threat of a 21% cut in Medicare payments has darkened the economic sky for medical practices. Congress has postponed the cuts several times but has not permanently addressed the situation. As of today, the 21% cut has been pushed back until November 30, 2010. Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November. Very few medical practices are rejoicing because in December 2010 they are looking at a 23% cut in Medicare payments followed by a 30% cut in January 2011. No one really knows what the final outcome will be or when it will come.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations. As I have written about often, the looming threat of HIPAA Security Audits is a real concern for medical practices. Implementing HIPAA Security usually requires skill sets that medical practices don’t have. IT security companies are needed to help with policies and procedures and with vulnerability and risk assessments, along with implementing new technologies such as email and laptop encryption. On top of HIPAA Security, medical practices face the “Red Flags Rule”, which requires that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Red Flags Rule has been postponed several times and was to go into effect June 1, 2010. As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association. Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address, from healthcare reform to Medicare reimbursement cuts, they don’t seem too bad. Each one taken separately allows a medical practice to address the issue and to make modifications to the way it runs its business. But unfortunately all of the issues are happening at the same time. A medical practice has to address all of the issues together, including major financial outlays, cuts in revenue caused by several factors, and staying abreast of and implementing the latest government regulations. All the time spent addressing these issues is time not spent on seeing and treating patients.

Have other industries gone through such dramatic change in such a short period of time? The changes provide opportunities along with real negative effects. Medical practices need to be flexible and to adjust to all of these changes. Some of the changes, such as the Red Flags Rule, may never occur. But either way a medical practice needs to be prepared, needs to be informed and needs to be ready to change its business model to adjust to such dramatic changes. Strange days indeed.


Parents welcome email access to doctors

A story over at FierceHealthcare discusses a survey where parents were asked if they used email regularly and if they would welcome being able to email their children’s doctors.

Out of the 229 parents surveyed, 75 percent (171) said they were “regular email users.” Ninety percent of those parents (154) indicated that they were open to using email to communicate with their child’s doctor, although African-American respondents and those making $30,000 or less annually were much less likely to agree.

Some doctors have concerns with opening email communication to patients.

Other doctors, like Scott Krugman, chairman of pediatrics at Franklin Square Hospital Center–which does not allow patients to email their doctors–have similar concerns. He worries that while some parents will try to email doctors about every little detail in their child’s life, others will try to send an email in an emergency situation. 

“If you send an email to someone who checks their email once a day, you could be in big trouble,” Krugman said. He also worries about doctors being uncompensated for their care. 

Whether doctors like it or not, I believe the push for email communication will only intensify. Almost every other service industry allows customer inquiries and communication via email. Doctors may be able to reject the push now, but I believe email communication with patients will eventually be the norm rather than the exception.

One issue that doctors will have to address is how to communicate with patients without violating any HIPAA regulations. Practices will have to start looking into email encryption such as ZixCorp, Voltage or the various other email encryption providers. The good news is that email encryption is not overly expensive and is fairly easy to implement.


Gmail Ditched By Major University

InformationWeek is reporting that the University of California-Davis has decided to stop using Google Gmail over privacy concerns. The University was engaged in a trial of the paid Gmail program for 30,000 of its faculty and staff members.

Some interesting quotes from the story:

  • Many faculty “expressed concerns that our campus’s commitment to protecting the privacy of their communications is not demonstrated by Google and that the appropriate safeguards are neither in place at this time nor planned for in the near future,” the letter said.
  • “Though there are different interpretations of these sections, the mere emergence of significant disagreement on these points undermines confidence in whether adopting Google’s Gmail service would be consistent with the policy,” the letter states.
  • The UC Davis IT leaders’ letter additionally stated that “outsourcing e-mail may not be in compliance with the University of California Electronic Communications Policy.” The policy forbids the university from disclosing or examining the contents of e-mails without the account holder’s consent, and from distributing e-mails to third parties.

This could have major ramifications for Google if other universities, medical practices, legal practices and other professional service companies reach the same conclusion regarding the lack of privacy with Gmail.


Encryption password written on CD cover

In a story that makes you scratch your head, a CD with over 300,000 names of New Yorkers with developmental and other health issues has been missing for almost a month.

“We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said. “At this point, we have no reason to believe they’ve left the building.”

The contents of the disk were encrypted but unfortunately the encryption password may have been written on the outside of the disk.

Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.

Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”

They have been searching for the missing disk all over the building but still have not found it.

Workers at the DOH first discovered the disc was missing around March 20 when they realized it wasn’t where it was supposed to be: in a locked cabinet inside a locked room, said Hutton, in response to a reporter’s inquiry.

The two CDs had been sent by overnight delivery service from New York City and were logged in at Corning Tower.

Once the DOH realized one of the discs was missing, security experts began a search, even instructing workers to sift through piles of papers and desk drawers.

Hutton said the disc may have been accidentally shredded or may still be somewhere in the building. She said the New York City DOH was notified last week.

They say there is no need to notify the patients of the breach, but the details seem sketchy.

She said the DOH won’t have to notify people whose names are on the disc because it doesn’t contain diagnoses or other medical information that would be covered by federal privacy laws.

Along with the names and addresses, the disc contains codes that relate to the services the individuals received, Hutton said.

The main point to consider in this case is that if you have a CD, USB drive or laptop that has encryption, DO NOT write the encryption password on the cover of the CD or place a sticky note on the drive or laptop. Encryption of data is considered secure and no breach notifications need to occur if the data is lost. But if you write the password on or near the encrypted data, you basically make the encryption useless. The data should then be treated as though there is no encryption at all.

You can implement all the technology and take all the precautions to protect data, but in the end you are still only as secure as your staff allows you to be. If your staff takes security seriously and makes a valid effort to perform their jobs in a way that protects patient data, you will have a very good chance of keeping patient data secure. On the other hand, if your staff does not take patient data security seriously and takes shortcuts around security (e.g., writing encryption passwords on CDs), there is a good chance you will face a patient data breach in the future.

PHRs likely used when doctors recommend them

An article over at the American Medical Association (AMA) states that patients are more likely to use Personal Health Records (PHRs) if the patient’s doctor recommends them.

The California HealthCare Foundation commissioned a study in which researchers talked to people who use PHRs as well as people who don’t. Nonusers made up 89% of the 1,864 respondents (the rest didn’t know or refused to answer). The report, “Consumers and Health Information Technology: A National Survey,” found that the biggest barrier to PHR use is privacy concerns, cited by 75% of non-PHR users. Many respondents expressed fears that their medical information could be used against them by insurers or employers, both of which are pushing for PHR adoption.

Meanwhile, 58% said they might be interested in a PHR from a hospital or physician with whom they already have a relationship. Fifty-two percent said they might be persuaded to use a PHR if a doctor said it was safe, while 50% said they would use a PHR if a friend or family member said it was safe.

Patients had a higher trust level for PHRs that came from their provider or their doctor.

What is interesting is that PHRs were defined in light of patient portals from physicians’ EMRs.

Although PHRs have been defined as electronic filing cabinets to store personal health information, they are evolving into larger patient portals tethered to a physician’s electronic medical record system and offering benefits beyond data storage. Integrated PHRs allow patients to look up lab and test results, communicate with physicians electronically and request prescription refills online, and offer other convenience features that patients increasingly are demanding.

Of respondents who use PHRs, 26% said they were using one offered by a physician. Another 51% said they were using one owned by their health plan. Only 4% used an employer-issued PHR.

There seems to be mistrust of PHRs that are offered by employers.

Colin Evans, CEO of Dossia, a PHR offered by a large employer consortium whose members include Wal-Mart Stores Inc., said he was not surprised that employer-sponsored PHRs were at the bottom of the list. “I think the question that tends to lead in people’s minds is who do they trust with their data,” he said.

With an adoption rate of only 7% of all users, PHRs have a long way to go. It will be interesting to see which PHRs do the best: physician patient portals, employer-sponsored PHRs, insurer-sponsored PHRs, or PHRs from Google, Microsoft, etc.


How NOT to address security

There is a lot of talk surrounding HIPAA security, especially as more and more practices implement EMRs. I have attempted to shed some light on the steps you need to perform to ensure your network and patient information are protected. So when I read a story in the Vancouver Sun, I figured I would point out how NOT to implement security. This is a classic example of how a medical institution totally ignored security.

The Vancouver Sun sheds light on the lax security at the Vancouver Coastal Health Authority.  Here are some highlights (low-lights) of the story.

“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”

“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”

“Almost all users have some access to confidential information about all clients in the database. Many clients’ full health information is accessible to a large number of users. Team memberships are not up to date, meaning that many unauthorized users could have access to client records that they should not have.”

“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”

Those are some pretty serious security risks. Basically they had no way of knowing if someone hacked into their network or what they may have accessed. Almost all users had access to the EMR no matter what their job function. They never disabled user accounts after employees or contractors stopped working. In addition, the terminated employees or contractors still had remote access to the network and could still access patient information even after they stopped working for Vancouver Coastal.

The security was so weak that the auditor of the Vancouver Coastal network delayed publishing his report for 6 months to give Vancouver Coastal time to correct the security problems. In all, the auditor made 127 recommendations for changes to the security procedures.

So if you are thinking about implementing the correct procedures to ensure that your network is secure, make sure you don’t follow Vancouver Coastal’s methodologies!


Survey: Patients May Lie if Electronic Medical Records Are Shared

There is an interesting article in the Wall Street Journal Health Blog. The article is based on a study from the California HealthCare Foundation. The study showed that patients were concerned about the privacy of their medical records:

Privacy concerns still hover around EMRs, with 68% of survey respondents reporting some degree of worry about what happens to their personal information once it’s stored in a doctor’s computer.

Note: 35% responded that they were very concerned and 33% responded that they were somewhat concerned.

15% of the 1,849 adults surveyed said they’d conceal information from a physician if “the doctor had an electronic medical record system” that could share that info with other groups. Another 33% would “consider hiding information.”

Note: The question made it clear that personal information including name, address, and other personal information would NOT be shared.

It is clear from the survey that there is still a long way to go before patients are comfortable with electronic records.


Small practices begin to adopt EMRs

A survey by NaviNet, the largest real-time healthcare communications network, shows some interesting trends in EMR adoption in medical practices with 10 or fewer physicians. It seems the reduction in administrative overhead and CMS mandates are spurring adoption more than ARRA stimulus incentives. Cost still remains the largest obstacle to adoption, but 33% of those surveyed said they plan on implementing in the next 12 months.

  • In August 2009, 9% of small physician practices projected that they would be implementing an EMR in 6 months. Six months later in 2010, 12% are currently implementing.
  • Reducing administrative overhead continues to be a key driver for IT adoption.
  • ARRA is becoming a more important driver of IT adoption – In 2010, 27% of small physician practices said ARRA incentives are impacting IT buying decisions while in 2009 that figure was 12%.
  • Only about one quarter of small physician practices said that they plan on following CMS’ guidelines for ‘Meaningful Use’ to qualify for incentive payments provided by ARRA.

 Drivers of IT Adoption

Cost still remains the largest obstacle for adoption

Barriers to EMR Adoption

The number of practices implementing EMRs has increased, and 33% of those surveyed planned on implementing in the next 12 months.

Timeline for EMR Adoption
