ClickCare Café

4 Gaps in EMRs & EHRs That Telemedicine Fixes

Posted by Lawrence Kerr on Wed, Mar 16, 2016 @ 07:30 AM

gapsinemrandehr

 

About 7 years ago, the Health Information Technology for Economic and Clinical Health (HITECH) Act was implemented, investing $30 billion in electronic health records.

The goal was pursuit of "meaningful use" of these EHRs and EMRs, not simply implementation. And there was a "triple aim" of affecting care experiences, population health, and per-capita costs.

A recent Commonwealth Fund report interviewed 47 national leaders and stakeholders and gathered some findings about the success of the HITECH Act. Specifically, they looked at the ways that the Act has and has not affected these triple-aim goals -- and what that means for healthcare moving forward.

Since our colleagues are so deeply affected by this act, and since telemedicine has been a key part of the way meaningful use is pursued at many institutions, we've put together some of the most crucial parts of the report.

Key findings about HITECH's EMR and EHR implementation, and the opportunity (and need) for telemedicine as a complement: 

1. EHR systems do not adequately meet most clinical or operational needs. There were high hopes for the implementation of EMRs and EHRs, but the truth is that they are good tools for storing patient information, but are not sufficient for supporting better or more efficient care. We see telemedicine as one key way to complement EMRs and EHRs and address those clinical and operational needs.

2. There needs to be better reward for the value, rather than the volume, of care. If anything, EMRs and EHRs do a great job recording how much happened, but not supporting high-value care. 

3. The "triple aim" has not been as successful as the dissemination of EMRs/EHRs.

4. EHRs can't really lower costs -- but telemedicine can. As the report summarizes, what is needed now are "clinical decision support systems that can encourage best practice, promote shared decision-making and reduce the variation of care provided." In other words, what we need now are some tools that support good healthcare collaboration. 

 

If you want to learn how hybrid store-and-forward telemedicine can support HITECH, telemedicine, and decreased costs, download our free ebook:

 

ClickCare Quick Guide to Hybrid Store-and-Forward

 

 

Tags: telemedicine, HITECH, healthcare collaboration, EMR

BYOD | Is Any Smartphone HIPAA Secure for Medical Providers?

Posted by Lawrence Kerr on Thu, Aug 14, 2014 @ 03:04 PM

iphonenew resized 600

When President Obama came into office, there was quite an uproar about whether he'd continue to be able to use a smartphone for his communications. Eventually, a lab was established where experts worked for months to create a secure smartphone for the president to use and he's now often seen typing away on his device -- called "Blackberry One."

Of course, the president's security needs are a little greater than the average person's. But with 67% of nurses using their smartphones to support clinical communications and workflow, many BYOD issues are arising for institutions, and many medical providers are using smartphones for telemedicine and other uses. So, many people have wondered:

If the president wasn't cleared to use an off-the-shelf iPhone, Android, or Blackberry, is any smartphone actually HIPAA secure for medical uses?

The short answer is yes, but only if you use the devices in certain ways. Using a smartphone, like an iPhone, to make a call or send text messages may not be secure. That's why the president couldn't use it. Further, as we know, email is never HIPAA secure, much less on a smartphone.

However, logging into an app like iClickCare on your smartphone, Android, or iPhone is actually HIPAA secure. You're absolutely HIPAA safe and protecting PHI (protected health information), including patient data, pictures and videos of the patient, and collaborations with other medical professionals, if: 

  1. Data is NOT stored locally on the device
  2. The company that makes the app promises HIPAA compliance and does rigorous and constant checking of that HIPAA compliance.

So, yes -- use technology to care for your patients. Just be smart about using the right technology for the right use.

Curious what everyone means when they talk about Hybrid Store and Forward Telemedicine as the best way to collaborate in a HIPAA safe way? Get our free guide here: 

ClickCare Quick Guide to Hybrid Store-and-Forward

Tags: telemedicine, HIPAA, HITECH, Personal Health Information, compliance

The 5 Worst Ways to Protect Patient Data in Medical Collaboration

Posted by Lawrence Kerr on Tue, Jul 08, 2014 @ 12:17 PM

mistake resized 600

Most of the time, we're astounded by our our fellow medical providers' ingenuity, insight, and and intelligence.

However, new technologies bring new challenges. And new challenges can bring, well, not-so-smart ideas. As we've talked to doctors, nurses, aides, administrators, and lawyers in the medical field, we've heard some truly terrible ideas about how to protect patient data, photos, and information in HIPAA secure ways.

In service of helping you avoid these HIPAA mistakes and misunderstandings, we bring you the 5 worst ways we've seen of protecting Protected Health Information (PHI) in the medical field:

  1. Do nothing. We've heard a lot of providers say that they can't worry about HIPAA because they're "taking care of patients," and a lot of organizations say that the EHR implementation is their first (read: only) priority. These justifications lead to an approach of denial and neglect, neither of which help the patient, or the provider. The patient comes first -- of course -- but part of caring for them is caring for their data.
  2. Wait for the EMR to incorporate pictures. We've been hearing people say they're waiting for the coming of the pictures for 10 years. Along with the chance that your EMR provider will never effectively incorporate pictures, the focus on this misses the point. Collaboration that only happens through EMRs precludes the inclusion of any provider, anywhere, as part of the team. That means that providers at different points in the spectrum of care, less traditional providers, or providers in other places or institutions can't be part of care -- which is inefficient and ineffective.
  3. Never do anything that's not interoperable. Interoperability is important, and it's a fantastic priority to work toward. However, many fantastic, interoperable systems need to start with some systems that aren't interoperable -- but are the best tools for the job. Then, gradually, the organization can find ways to weave those tools together based on how the providers use them and their effect on patient care. And don't forget we need to educate ourselves and others. Comparison over time and visual trends are invaluable not only for education, but for delivering care as well.
  4. Only allow devices approved by the institution. In the same way that smart companies give employees the discretion to spend money if it's in service of the customer, smart institutions ensure their providers have the right tools to care for patients. Sometimes it's best if all providers use the same tools and devices. Other times, it makes more sense for providers to BYOD (Bring Your Own Device) and for a culture of trust and standards to be developed around HIPAA. Policies that help providers make the best choice around technology are most respectful of providers' -- and patients' -- lives, work, and roles.
  5. Prohibit any pictures or photos.  We heard the General Counsel for a major health organization say that "no photos" was their HIPAA policy, and it is something we hear frequently. However, it's really impossible to turn back the tide of smartphones and digital cameras. The fact is that people, families, and providers will use photos for medical care. (And this data can be an incredible boon to progress, medical education, and collaboration.) The only question is how to provide the tools and support to make these photos safe for PHI, for patients, and for providers.
     
Curious whether a BYOD (Bring Your Own Device) policy is good or bad for HIPAA? Get our BYOD guide here: 
iClickCare IS BYOD Secure

Image courtesy of stereoscopy on Flickr, used under Creative Commons rights.

Tags: medical collaboration, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images

Can Athletic Trainers be Prosecuted Under HIPAA?

Posted by Lawrence Kerr on Wed, Apr 09, 2014 @ 08:39 AM

athletictrainer resized 600 2

Athletic Trainers are skillful folks who often work in in-between spaces: they're not a coach but they guide athletes; they're not physicians but they provide crucial medical care; they're not professors but they work in universities.

So when it comes to Patient Health Information (PHI), and the management of that information, Athletic Trainers have also existed in an in-between spot. These professionals are left with confusion as to whether HIPAA -- and its fearsome set of regulations and punishments -- apply to them. Can they email a picture of a patient's ankle to an Orthopedist? How do they need to save patient information at the right level of security? With whom -- The patient's family? The coach? A doctor? The patient's professor? -- can they share patient medical information?

It is certainly understandable that an Athletic Trainer might be confused, because this is a rapidly evolving field and set of rules with a knot of confusing laws. A college or university may be considered a "covered entity" or hybrid - with a health center being a covered entity and an academic department, not. "Covered entities", of course, do need to comply with HIPAA… but Athletic Trainers are not billing the patient, so it's possible that there is a loophole there.

Despite the confusion, some legal precedent is beginning to make it clear that Athletic Trainers must be aware of, and for the most part, adhere to HIPAA.

As summarized in HIPAA Solutions' Compliance Alert, "Court rulings, along with recent updates to Federal and state regulations reveal that, in fact, HIPAA has a broad reach in relation to health information associated with students."

In particular, another ruling, drills down into the exact HIPAA status of Athletic Trainers themselves: "a Federal District Court applied both HIPAA and FERPA to Penn State University, concluding that both statutes apply to athletic trainers."

Given the legal precedent and ramifications of not complying, here are our 3 tips for Athletic Trainers on staying in compliance with HIPAA:

  • Protect PHI. Especially given the legal precedent above, it's clear that PHI must be protected by Athletic trainers. That means protecting it from people that aren't allowed to access it, making sure it's stored securely, and making sure it's shared securely.
  • Consult an attorney if in doubt. Because there are some grey areas here, you'll certainly need to make the best decision you can, but don’t ignore it. Get the information that exists and then decide what makes sense in your unique situation. 
  • Stop using email to send pictures. When any PHI is sent by electronic means, it is protected under HIPAA. Email isn't HIPAA-secure, so if you want to collaborate with other providers, you'd need to use a telemedicine platofrm like ClickCare that promises HIPAA compliance. 

As Athletic Trainers, how has HIPAA come into your practice? What precautions do you take? Share your experiences in the comments below.

And if you're curious how telemedicine can help you come into HIPAA compliance as an Athletic Trainer, get our free quick guide here:
ClickCare Quick Guide to Telemedicine


Image courtesy of pennstatelive on Flickr, used under Creative Commons rights.

Tags: medical collaboration, HIPAA, HITECH, Telemedicine and HIPAA, athletic trainers

Are You Making HIPAA Mistakes in Sending Medical Photos Online?

Posted by Lawrence Kerr on Thu, Feb 13, 2014 @ 08:54 AM

babyemail resized 600

(Reviewed and updated May 18, 2016)

Recently, we've shared our suggestions on how to share patient files securely and the best ways to take medical photos. From those posts, an additional question came up from our readers who are using technology but still trying to stay HIPAA secure...

How do I send medical photos securely over the internet?

Good question! Many of the tactics for staying HIPAA-safe while sending medical photos over the internet came up in our recent posts, but there are a couple of specific things to keep in mind.

When sending medical photos on the internet, don't make these HIPAA mistakes:

  • Texting from your phone. As with texting patient information, you can't text photos unless you use a secure service. Merely texting from your smartphone definitely won't do the trick when it comes to HIPAA, even if it's just a patient photo (without their record.) 
  • Saving photos on your camera roll. Few people realize that the camera roll on your smartphone is not HIPAA-secure. ClickCare uses a HIPAA-secure camera roll for that very reason.
  • Sending photos via email. Email isn't HIPAA-secure, even "secure" email. If you're looking for the kind of sharing that email and photos can give you, consider doing medical collaboration with a hybrid store-and-forward telemedicine platform, which can let you share photos while not running afoul of HIPAA. 
  • Leaving them on your data card. A final thing to be careful of is the data card in your digital camera. If you store your data card in a place where people can get to it, or you're sharing your camera with other people, that data card is not HIPAA secure. The system we recommend is to erase the data card as soon as you've uploaded your photo to the secure sharing platform you're using. 
  • Saving them on your hard drive. As safe as it may seem, in most contexts it is not HIPAA-compliant to leave patient photos on your computer's hard drive. So use the same protocol as with a data card -- erase the photos as soon as they're uploaded to your telemedicine platform. Did you know your copier also has a hard drive - the old way may not be so safe either!

 

For an in-depth look at HIPAA mistakes you might not know about, get our guide:

 
New Call to action
 
 

Image courtesy of ben_grey on flickr.com, used under Creative Commons rights.

 

Tags: iPhone photography, Medical iPhone Photography, medical collaboration software, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images, mhealth, iPhone medical apps, medical photography

How Secure are Your Medical Photos on the iPhone?

Posted by Lawrence Kerr on Thu, Jan 16, 2014 @ 08:34 AM

iclickcare iphone visit pic 300dpi 2 copy copy

 

Increasingly, taking photos is a part of our lives. We snap photos when we're out at dinner or on a trip. And we certainly want to take a picture when we see an interesting case or need to remember or share something about a patient.

With the significant fines and punishments for HIPAA violations, however, medical photography on your iphone or smartphone brings up a several HIPAA compliance and security issues:

  • If your phone gets lost, all photos on your camera roll are insecure
  • Once a photo is on your phone, it is tempting to email or text it, both of which are in conflict with HIPAA.
  • Photos on your camera roll may be susceptible to access by apps that are not HIPAA compliant.

So what is a person to do? It seems ridiculous to choose not to use technology in service of patient care. Here is the good news: you can and should use your iPhone or other smartphone for medical photography. In fact, we think that medical photography is a simple, powerful way to improve how we care for patients and make our lives as providers a little easier.

So here is a checklist to make sure that your medical photos are secure and useful:

  • Understand HIPAA. You don't need to drive yourself crazy, but a little understanding of the fines and penalties goes a long way 
  • Never put patient photos into your regular camera roll. Sometimes smartphone apps (with the exception of iClickCare) pull from your camera roll-- even sharing pictures without your knowledge. And even if that doesn't happen, your camera roll only has one layer of security -- the login password on your smartphone. So when dealing with patient photos, we recommend using a secure app like iClickCare that doesn't ever save photos to your camera roll. You'll know your pictures are safe, and used only for your purposes. 
  • Use some overall security strategies so you don't have to worry. When your technology is more secure overall, your photos are more secure, too. 
  • Don't email photos. Email is never a secure way to collaborate. 
  • Use apps that are explicitly HIPAA-secure. When you do collaborate, only use collaboration platforms that explicitly promise HIPAA security.

 

Security issues aside, we all want our medical photos to be a little bit better. Get the first chapter of our book on iphone photography for free:

 

medical photography introductory chapter

Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, best medical apps, clinical photography, medical photography, clickcare, telemedicine law

Getting Started Simply: HIPAA for Dentists

Posted by Lawrence Kerr on Mon, Nov 04, 2013 @ 08:54 AM

 

HIPAA compliance represents society

 

We've heard from many of our dentist colleagues that there is increasing pressure to be HIPAA-compliant. Some dentists are choosing to hope for the best and keep using email to communicate about patients. Others are spending upwards of $100,000 to hire HIPAA consultants.

Forget secure email, that is not the answer to keeping you safe. You need to bring your entire office into compliance with HIPAA. 

Here is a brief summary and a tool for how to start the process immediately and quickly, without expensive and slow consultants. You will eventually need more, but this is a start. As you read this, please be aware that we are not lawyers, we do not represent the government, and that this post is merely a place to start. Because our iClickCare Hybrid Store-and-Forward collaboration service was developed from the onset with HIPAA in mind, we want to share some time-saving experience with you. At the end of this post is a link which will bring you to a more complete framework and a tool which reduces 492 compliance questions to only 32

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 Rule? Increasingly, understanding and adapting to these laws is the only way to care for our patients -- and protect ourselves.

What you need to know about the health privacy laws that affect you as a dentist:

  • HIPAA was passed in 1996. The internet bubble was expanding. The world wide web was born. What about our privacy? The Health Information Portability and Accountability Act came into being. It mandates electronic processes to protect health information. It controls everything from digital electronic information to paper charts to locks on doors and conversations.
  • HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009. It stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides penalties for not using them and markedly increases fines and jail terms for disclosure of health information.
  • Omnibus Rule 2013. In 2013, HIPAA was amended with the final rules that expand and detail the reach of the act -- these additional regulations are termed the "Omnibus Rule." The Office of Civil Rights of the Department of Health and Human Services summarized the over 500 pages of Omnibus Rule with four final rules that:
    • Make Business Associates of Covered Entities directly liable for compliance.
    • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    • Expand individuals' rights to receive electronic copies of their health information.
    • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    • Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
    • Adopt the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. 
    • Replace the breach notification rule's "harm" threshold with a more objective standard [Previously, a breach had to reported if there was a “risk of harm”. The Omnibus Rule requires any breach to be reported.]
    • Prohibit most health plans from using or disclosing genetic information for underwriting purposes.

A risk assessment of your practice is required. There are five components:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Safeguards
  • Policy and Procedures and Documentation Requirements

This assessment can be done by you. Of course, the findings of the assessment and the plan of action must be documented. The assessments need to be ongoing. In addition to the self-assessment below -- ClickCare's Quick Guide to HIPAA Toolkit -- here are a couple of other tools that might be useful:

 

For our free kit to bring your dental office into HIPAA compliance, click here:

Download Quick Guide HIPAA Toolkit 

 

And take a look at some dental cases that can be solved with telemedicine:

What would you do? Fun cases.

 

 

 

Tags: HIPAA, HITECH, HIPAA secure images, Omnibus Rule

HIPAA Final Rule Compliance Deadline: HIPAA and Telemedicine

Posted by Lawrence Kerr on Fri, Sep 13, 2013 @ 02:05 PM

An important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Monday was overall background; Wednesday was about steps to get in compliance; Today we're discussing HIPAA and telemedicine.

As we wrap up our week of posts addressing the final HIPAA rule deadline, we wanted help you understand how telemedicine fits in with the world of HIPAA.

So, a roundup of our most popoular posts on telemedicine and HIPAA: 

Now, what: 
We've created a tool that reduces the 492 official HIPAA compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

Click below for a quick-and-easy version of an assessment to help you come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance

HIPAA Final Rule Compliance Deadline: Easy Steps

Posted by Lawrence Kerr on Wed, Sep 11, 2013 @ 08:21 AM

HIPAA secure telemedicineAn important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Monday was overall background; Today we're talking about steps to get in compliance; Friday we're discussing HIPAA and telemedicine.

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 bill? 

  1. You are a health care professional.
  2. It’s the law (read: you'll pay if you don't "care.") 

The Office of Civil Rights of the Department of Health and Human Services summarized the 500+ pages of the Omnibus Rule as including the following final modifications:

  • Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to information by family members or others.
  • Increased and tiered civil money penalty structure provided by the HITECH Act.
  • Replacement of the breach notification rule's "harm" threshold with a more objective standard. [Our note: Previously, a breach had to reported if there was a “risk of harm." The Omnibus Rule requires any breach to be reported.]
  • Prohibition of most health plans using or disclosing genetic information for underwriting purposes.

In service of becoming compliant, a risk assessment of your practice is required. There are five safeguards that need to be assessed:

  • Administrative
  • Physical
  • Technical
  • Organizational
  • Policy and Procedures and Documentation Requirements

Now, what: 
This assessment can be done by you but the findings of the assessment and the plan of action must be documented and the assessments need to be ongoing. We've created a tool that reduces the 492 compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

 

Click below for a quick-and-easy version of the assessment and come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance

HIPAA Final Rule Compliance Deadline: Background

Posted by Lawrence Kerr on Mon, Sep 09, 2013 @ 10:56 AM

An important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Today is overall background; Wednesday we're talking about steps to get in compliance; Friday we're discussing HIPAA and telemedicine.

Healthcare providers have a way of focusing on the "now." There's always another patient to see -- and future deadlines can slip. Plus, truth be told, we get tired of the endless regulatory hoops to jump through.

That said, it's crucial to understand our regulatory context, and the time to avoid expensive andHIPAA secure telemedicine difficult violations penalties is now. After the background below, jump to the button at the end of the post to start the assessment process immediately and quickly, without expensive consultants. 

Some background on this September 23rd HIPAA deadline: 

HIPAA
In the mid-90s, the internet bubble was expanding and the world wide web was born. Amid all that connection, concerns about privacy and insurance arose, and in 1996, HIPAA was passed: the Health Information Portability and Accountability Act. In exchange for the ability to transfer, access to continuing health insurance, and healthcare fraud monitoring, the act mandates processes to protect health information. It controls more than digital electronic information, however: it controls paper charts, locks on doors and conversations as well.

HITECH
HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009 and stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides for penalties for not using them and increases fines and jail terms for disclosure of health information.

The 9/23 Deadline
Since the passing of HIPAA in 1996, rules and revisions have been added to clarify and add to the regulations. Most recently, in January of this year, the HIPAA "final rule" -- the 2013 Omnibus -- was released. Part of that release was a mandate that all healthcare providers covered under HIPAA must come into compliance -- typically involving an assessment. There are 492 questions that comprise the rule's components, though-- a daunting asessment for any practice.

The quick and easy way
We've created a tool that reduces the 492 compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

Click below for a quick-and-easy version of the assessment and come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance

Subscribe By Email

Recent Posts

Posts by Topic

see all