It wasn’t long ago that I was having a “discussion” with somebody about the use of smart phones by physicians.

This discussion wasn’t that a smart phone is not a useful tool, but that in a medical office a smart phone is not a professional device.

First the easy answer…

You are out-and-about and get called on scene (away from your office/hospital) and need to look something up – smart phone to the rescue!

This is one of the perfect situations where a smart phone can help look up issues about drugs, or even pull up a patients records.

Yet in the office…

In the office it is a different situation entirely.

Yes, call me old fashioned, but to have my doc tapping away on a smartphone while I’m half dressed is not my idea of a quality visit.

• Is he texting?
• Is he checking his stocks?
• Is he checking the weather?
• Is he checking sport scores?
• Why is he smiling?

If my 14 year-old is texting while I am speaking to him, things get ugly.

“Oh Come On…

It really isn’t that big of deal.”

Maybe not, but the AMA did just have an article on this topic.

“Besides, computers are a part of medical offices now.”

I get it.

Yet, to me, a smart phone appears unprofessional while a PC or Tablet does not come across this way.

“This is Ridiculous…”

Maybe it is.

Maybe I’m out of touch (I’m not).

Maybe you have a completely realistic reason to be tapping away on your phone in front of a patient.

This may all be perfectly legitimate.

BUT – turn the tables for a moment and see how it feels.

How do you react when your child is texting at the dinner table or while you are speaking?

“But I have to Research…”

Before computers where everywhere, you did your research out of the view of a patient.

Maybe…just maybe, that is where it should go again…behind the curtain.

It comes as no surprise that the Health and Human Services (HHS) has announced a delay to the Meaningful Use (MU) Stage 2 requirements.

At Stage 1 created loads of confusion, the delay of Stage 2 seemed…expected.

Additionally, the HHS is clarifying that those who got their act together in 2011, wouldn’t be under a different timeline than those who still have not attested.

This isn’t really any different, though before this announcement, as the rules were written, those who attested for Stage 1 in 2011, would have to meet Stage 2 in 2013.

Now everyone has until 2014 to meet Stage 2 requirements.

The American Medical Association (AMA) has apparently  urges the HHS to make the proposed requirements less rigorous and burdensome.

Stage 1 requirements are not all the rigorous.  Especially if your EHR is worthwhile.

Many EHRs approach MU in such a way that makes use of the EHR in a “meaningful way” cumbersome.

Additionally, reporting from many EHRs for MU stage 1 is weak.

When an EHR becomes Meaningful Use certified, part of that certification should require EASY pulling of data for attestation.

This is not the case for most EHRs.

As I’ve preached before, if you are going to store PHI on a mobile device (laptop, external hard drive, etc), you better make sure that you encrypt the hard drive.

Typically, I am less concerned about desktop PC’s and servers as, you should have proper physical security systems in place.

The recent Sutter Medical Foundation breach affected about 5 million patients…and brings to light the further need to encrypt desktop computers.

The device stolen was a desktop PC.

So, should that computer have been encrypted?

From the standpoint of minimizing risk, I would say that either:

• This computer should have been encrypted, or
• The room that contained this computer should have a very high level of security.

The basic assumption that is typically made with a desktop pc/server is they are in a secure area.

Well, that may need to be revisited.

Again, if you have upwards of 5 million patient records on a computer, I’d say the best practice would be to not only encrypt the device, but also have a very secure work area.

What about your practice?  You may “only” have a few thousand patient records in your EHR database.

Should your server be encrypted?

The knee-jerk reaction is, OF COURSE you should encrypt your server!

The more realistic answer is: encrypting your server may not be necessary if you have your server in a locked room.

Remember, it is not unusual to have many non-staff members roaming your office.
The cleaning crew is my favorite example, as they are usually there after everyone else is gone.

If the device on which you store your PHI is not either in a locked room OR fully encrypted, you are in danger of having an ugly breach.

Take a look at a list of PHI breaches and there are a few items that stand out:

• Many are at the hands of a contractor
• Most are portable storage device losses or theft (this includes tapes, laptops, etc)
• Lots are at big government entities

One of the goals of HIPAA regulations is to give those that deal with PHI guidance on how to properly handle that PHI.

Specifically, follow the HIPAA regulations and you will greatly reduce the risk of a PHI breach.

The challenge of course, is the government can rarely explain anything clearly.

Add to that we are dealing with digital information – whether you use Windows, Macs, Linux or whatever operating system – managing your risk is a challenging.

Let me get back on topic…
If anyone should be able to follow the rules, it would seem like our government could.

Well, the aren’t so good at it.

Here’s the deal, IF you store PHI on any portable device THEN you better encrypt it OR you are setting yourself up for failure.

Hard drive encryption is not difficult nor expensive.

Additionally, IF you encrypt your PHI THEN you have safe harbor IF it is lost or stolen.

Believe me, you would rather deal with the prevention of a PHI breach that the after math of a PHI breach.

If you are a Centricity user you should now have received the official bad news.

The direct quote is:

GE Healthcare recently became aware of inaccuracies with reports in Centricity Practice Solution and Centricity Electronic Medical Record (EMR) that may affect customers who have attested or are currently planning to attest for Meaningful Use through the Medicare EHR Incentive Program.

Not good.

They go on to clarify that if you have already Attested (I’d love to hear how many actually have) that you should re-run your reports, once GE has fixed them and:

If your results are different from those used for attestation, you may need to evaluate if you have still cleared all applicable Meaningful Use thresholds for the original period or would meet the thresholds for all applicable measures.

Lovely.

A few things to note here:

• GE gives not expected date upon which those new reports should be ready
• This in no way affects Core Object 15 which requires you: “Ensure adequate privacy and security protections for personal health information”, in other words, conduct a HIPAA risk assessment…so go ahead and get this out of the way.

I’ve been dealing with a client on Centricity and we’ve raised many questions about the reports.

I’ve also been dealing with clients on other EHRs with similar report questions.

The over riding issue is this:

Your EHR may be Meaningful Use Able straight out of the box,
but NOT Meaningful Use Ready.

Yes, you have the capability to use your MU certified EHR in a “meaningful way”, but unless you have it properly configured you won’t be tracking that fact.

And really, the ability to track meaningful use is what you want.

You can operate in a meaningful way all day long, but unless you know exactly which check-boxes to mark, or the 2 locations you must annotate the vitals…your EHR may not properly track your meaningful use.

Note: If you run your reports and a number seems funny, you better look further into it.

Those of you that blindly run MU reports, and see all green, be aware that is would be smart to scrutinize those numbers a bit.