Electronic Health Records: Boon or Boondoggle?


In 2009, the U.S. Congress passed the Healthcare Information Technology for Economic and Clinical Health (HITECH) Act, which requires doctors’ offices and hospitals to implement electronic health record (EHR) systems. Facilities face penalties if they do not implement EHR systems meeting certain standards by 2015. The idea of EHR systems is to improve the quality of care by enabling patient health record interchange among doctors, nurses, and other healthcare professionals, to coordinate care, reduce duplicate tests and conflicting medications and reduce errors. Hospital IT departments have been working hard to implement EHR systems, and, as is often the case with large-scale IT projects, the results so far are mixed. Although nurses and doctors using some EHR systems are satisfied, in many other cases they feel that the systems are ineffective and difficult to use.

What sets the successful EHR implementations apart from the rest? The answer is no different for EHR systems than it is for other IT projects, large and small: Get the requirements right, and involve the end users.


Get the Requirements Right

A successful EHR project starts with a complete, correct set of user-level requirements. Although the HITECH Act provides a high-level framework to work within, many of the details of how users are to interact with the system are left to the system designers and developers. Getting these details right means considering all of the end users of the system (such as doctors, nurses, and facility administrators), the processes that must be supported, and the working environments in which the users will use the system. For example, a general practitioner working at a desk will use the system in a very different manner from a nurse working in a hospital emergency room. This is a formidable task, especially in large facilities with many departments (and possibly multiple locations), each of which has its own special needs.

Get the End Users Involved

So how do the designers identify, document, and validate all of these detailed user requirements? The end users must be involved in every phase of the implementation. They have to be observed in their working environments, they have to be interviewed, they have to review and confirm the documented requirements and they have to help test the system.

Apart from ensuring a complete set of requirements and getting the bugs out of the system before it is rolled out, keeping the end users involved gives them a sense of ownership and empowerment. The alternative—deciding for them and cramming it down their throats—is a recipe for low morale, high turnover, and difficulty in attracting talented personnel, plus poor-quality care for the patients.

Without good requirements and end user involvement (plus good project management), you can implement an EHR system that meets the letter of the HITECH law, but is a complete disaster for practitioners and patients alike.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

The Proper Dose of Big Data


In the wired healthcare realm, it is common to hear the term “big data” tossed around. What does this term mean for the average patient and the average clinician?

The trouble with big data is that it is so big – both as a concept and in actuality. The data sets we are dealing with in big data are massive and complex, so traditional modes of analyzing and processing these data sets may not be up to snuff. Once security issues are added to the mix of difficulties of dealing with big data – how to capture, analyze, share and benefit from it – it is tempting to toss its use aside.

However, some clinicians are advocating for a more proactive approach to healthcare big data, even implying that neglecting careful analysis of big data could violate the Hippocratic oath. So what are the benefits for doctors and patients, and how do we make sense of big data in a digital world?

First Do No Harm?

Dr. Bob Wachter, a nationally-recognized hospitalist and advocate for doctors going digital, argues that big data is an absolute must for determining the best course of treatment for patients in need. While due diligence must be taken regarding treatment protocols and settings and the individual needs of each patient, there is another issue that many clinicians still ignore: the cost. Wachter argues that doctors must be more invested in determining the best way to treat patients without ignoring the important mission of controlling healthcare costs, and that not doing so is akin to “doing harm”:

“When we are profligate in our spending we don’t take advantage of the data we have to figure out the best way to treat patients, the best way to prevent bad things from happening, the cheapest way … to safely and effectively take care of a patient. Should that be in the hospital, should that be at home, should that be in a clinic? When we’re not doing that, I think we’re not following our Hippocratic Oath.”

Those are strong words, but Wachter makes a valid point. Snowballing healthcare costs in this country must be brought under greater control, and big data gives clinicians access to a huge amount of information that is useful for determining what treatment approach is best. When this data is ignored and costs are removed from the equation, we can end up with lives saved but ruined by financial crisis – on both a micro (individual patient) and macro (US healthcare system) level.

Where Do We Go from Here?

Wachter proposes a new equation for analyzing healthcare value: quality plus safety plus patient satisfaction divided by total treatment cost. Ignoring the cost factor is no longer feasible in the modern age. First, the economy will not allow it, and big data is available to help physicians determine what treatments will resolve health issues effectively and which are too costly and inefficient to bear. Along with addressing the huge hurdle of ineffectual healthcare security, new focus must also be given to how to better capture and apply big healthcare data. It is not only patients’ lives and wallets but also our nation’s economy that depend on it.

Written by Dean Van Dyke, Vice President, Business Process Optimization


To EHR Infinity and… Beyond?


The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provided hospitals and physicians with financial incentives to implement certified EHR technology and achieve “meaningful use.” To meet the requirements for financial incentives, healthcare providers must prove that they are meaningfully using the EHRs to record patient information, exchange care records, and meet other previously established thresholds for measurement.

Just last summer, the U.S. Department of Health and Human Services shared new data compiled by the Office of the National Coordinator for Health IT that showed “significant increases in the use of electronic health records.” So now what?


The Post-EHR Era?

Now that the vast majority of private practice physicians are using at least a basic EHR platform, and nearly half are using advanced functionality EHRs, is it safe to say that providers have met or surpassed the minimal requirements for meaningful use? If so, what happens now?

It’s exciting to see such broad and successful adoption of EHRs, but some prominent healthcare players are indicating that this is just the beginning. Adoption is a key first step, but to capture the full capabilities of EHRs and address major ongoing security concerns, it is important to acknowledge that the technology currently in place is but the first in a long series of steps. Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, was recently quoted as saying: “EHRs are bi-planes, not yet jet aircraft.”

What’s Next?

Putting EHRs in place was a monumental challenge, and the U.S. healthcare system seems to have risen to it rather successfully. But now that the basic infrastructure is there, it is time to take some crucial next steps:

  • Addressing serious security concerns
  • Improving compatibility, especially for rural or smaller critical access hospital systems
  • Increasing patient access to EHRs to compile a more accurate lifetime health timeline completely portable for the globalized world
  • Taking a broader IT approach to EHRs, including improving storage options to help organize and protect private patient data and imagery

With such major work still to be done, could it be that providers’ ongoing struggles to reach the thresholds required for establishing “meaningful use” have held back the process? It’s no secret that navigating through federal bureaucracy to establish certification is not exactly a walk in the park.

The Future

The future may hold an entirely different healthcare system in which the current iteration of EHRs plays only a small part. Imagine linking wearable health technology such as FitBits and even incorporating health monitoring information in an EHR “live stream” that may alert physicians to potential health troubles before the patient is even aware. Now that the meaningful use framework has been well established, the outlook is exciting for the future of EHRs and other healthcare technology – as long as major issues like security can be “meaningfully” addressed.

Written by Dean Van Dyke, Vice President, Business Process Optimization


Transparency in Payments Sheds New Light on Medical Funding


For the first time, the total of payments that doctors and teaching hospitals received from pharmaceutical companies and medical device makers was made public. The reported amount, $3.5 billion, reflects the final five months of 2013, and is the most extensive such data collection ever subjected to public scrutiny.

Breakdown on Payments

The payments not only included professional nods such as consulting and speaking fees with research grants, but also travel, meals, and entertainment, according to the Centers for Medicare and Medicaid Services (CMS). Although the names of the recipients of about 40 percent of payments were withheld due to data inconsistency concerns, approximately 546,000 providers and 1,360 teaching hospitals altogether received 4.4 million individual payments from healthcare companies amounting to $23 million per day.


Why Transparency Matters

As part of federal healthcare reform law enacted in 2010, any payment of over $10 must now be disclosed to CMS, including those sent immediately to charity. This aspect of the Affordable Care Act, called the Physician Payments Sunshine provision, received bipartisan support from both Democrat and Republican lawmakers in an effort to increase transparency. Years of research indicate that the majority of physicians (83 percent) receive gifts from drug or medical service companies, and 28 percent of providers receive payments for research or consulting.

Despite requests from physician groups, including the American Medical Association (AMA), the CMS would not delay the release of payment data. Physician groups complained about errors that had the potential to create an inaccurate representation of the medical industry, particularly the impact that such payments have on individual doctors.

Patients’ awareness of potential conflicts of interest that are financially based can cause them to question the reasons behind prescriptions or treatment recommendations. With increased financial transparency, doctors can know whether experts who recommended guidelines were paid for their opinions by parent companies that stand to benefit. Health insurers have voiced concerns that extensive industry payments cause physicians to overprescribe expensive drugs and medical devices out of financial motives.

Misaligned Incentives

The tenet of “First do no harm” should trump kickbacks and incentive payments, yet the pharmaceutical and medical device industry boasts deep pockets that may tempt physicians into making care decisions based on the wrong motivations.

Brendan Buck, the spokesman for America’s Health Insurance Plans, describes the payments as the “perfect symbol for the misaligned incentives in our healthcare system.” Unlike other healthcare stakeholders who work to lower costs, drug makers are invested in inflation-based pricing that benefits their profit margin instead.

Research shows no correlation between patient trust and industry payments, as patients may view the request to—for example—consult in return for an all-expenses-paid trip as a compliment to their physician’s expertise rather than a symbol of his or her corruption.

The new emphasis on increased transparency in medical funding serves as a reminder that financial involvement with the medical industry, while it can be beneficial, also needs to be conducted above-board rather than behind locked doors.

Written by Dean Van Dyke, Vice President, Business Process Optimization


Has the ICD-10 Delay Caused a Loss in Momentum?


The deadline extension for the ICD-10 conversion was originally intended to give healthcare providers, payers and vendors the chance to improve readiness before the switchover date. Instead, the delay in implementation seems to have had the opposite effect of promoting procrastination; momentum has apparently slowed down instead of picking up speed.

The Workgroup for Electronic Data Interchange (WEDI) conducted a survey in August 2014 to better gauge the progress of those within the healthcare industry as the October 1, 2015 deadline inches closer. Survey data that initially sounds encouraging—like that half of providers state that they’ve completed impact assessments—ends up not so hopeful when that’s the same percentage of providers who claimed readiness last year. Instead of taking advantage of the extra time, the ICD-10 conversion has slowed to a snail’s pace, particularly among smaller providers.


Providers vs. Payers vs. Vendors

When comparing states of conversion readiness among different segments within the healthcare industry, it’s clear that some are moving forward with a greater alacrity than others.

  • Among payers, nearly 75 percent say they’ve completed impact assessment while 17 percent more say they’re nearly there.
  • Compared to a similar 2013 survey, when only 25 percent of payers had begun external testing, the 2014 survey shows that over half of plans report that they’ve already started testing their ICD-10 tools.
  • Only 10 percent of vendors say that their development is less than halfway complete. One-third says they’re about 75 percent of the way there, and two-fifths say they’re ready to go.
  • About two-thirds of vendors report that their ICD-10 tools are already available, although about 25 percent say their products won’t be ready until 2015.

Essentially, when evaluating the state of overall readiness, payers and vendors are in much better shape than providers.

While roughly a third of providers report that they’ve begun external testing, responses from the 2013 survey indicated that a far greater percentage—approximately three-fifths—had expected to reach that stage of development by this time. In the most recent survey, over half of respondents said they’re not sure when testing will start, or won’t be able to begin until early 2015.

Evaluating the Next 12 Months

In a Sept. 24 letter to Burwell, WEDI Chair Jim Daley wrote that the survey results indicate “the delay has negatively impacted provider progress, causing two-thirds of provider respondents to slow down efforts or place them on hold.”

What does this imply for healthcare organizations trying to meet the ICD-10 conversion deadline? As Daley warns, “Unless all industry segments make a dedicated effort to continue to move forward with their implementation efforts, there will be significant disruption on October 1, 2015.”

Written by Dean Van Dyke, Vice President, Business Process Optimization


The Biggest Heartbleed Hack in History?


The buzz surrounding the Heartbleed vulnerability may have mostly died down, but does that mean the vulnerability itself is no longer a concern? Unfortunately not, judging from the recent cyber-attack on Community Health Systems Professional Services Corporation’s (CHSPSC) network. One of the largest disclosed data breaches with a reported 4.5 million personal patient records accessed, this incident serves as an excellent reminder for healthcare providers to take extra precautions for digital security.


Breach Details

The Heartbleed vulnerability was first revealed last spring, and involves a serious flaw in OpenSSL that allows an attacker to retrieve memory from the affected server and to steal OpenSSL private and secondary keys. With those keys, traffic between server and client can be decrypted.

CHSPSC issued a statement in August stating that they had been attacked at some point between April and June, although the breach was not discovered until July. The company, based in Tennessee, provides IT services (including management and consulting) to clinics and physicians. As for the breach itself, an unpatched network device was determined to be the exploited access point. Although CHSPSC has not publicly confirmed that the Heartbleed vulnerability specifically was responsible for the breach, some of the ports compromised are the same as those that have been accessed in other hacks that used Heartbleed.

The company said that, while payment and billing information remain secure, personal data stolen included specifics like patient names, addresses, phone numbers, birth dates, and social security numbers. This information may be used directly by the hackers, or sold to the highest bidder on the black market. In some cases, personal data can be even more valuable to hackers, as these types of files contain clues which can be used to break passwords and guess verifications required for primary banking or credit card accounts, abetting identity theft and insurance fraud.

Protecting Against Future Hacks

In this instance, CHSPSC determined that highly sophisticated malware technology was responsible for launching the attack, bypassing security measures to copy and transfer protected data. Moreover, CHSPSC isn’t the only victim; the FBI has warned that the same group has targeted other organizations within the healthcare industry to steal intellectual property related to medical research and development.

To protect your own company, take the extra time to go over security measures with a fine-toothed comb and address any potential weaknesses immediately. Although new hacks are constantly being developed, that doesn’t mean that older vulnerabilities like Heartbleed can’t still be just as easily exploited.

Written by Dean Van Dyke


Is New Focus Needed for EMRs?


The 2009 economic stimulus package, designed to help the US recover from a record financial downturn, included several smaller, targeted programs supporting projects in a variety of fields. In healthcare, federal grants for converting from paper medical records to electronic medical records (EMRs) provided clinic and office-based physicians with significant monetary incentives to accelerate their transition to a 21st century healthcare records system. While the shift to digital is a smart and necessary move for a planet struggling to stave off climate change by reducing waste, it doesn’t come without complications.


EMRs and Incompatibility

One large issue with EMRs is that, like iPhones and Androids, their proprietary software makes them unable to “talk” to EMRs created on a competitor’s system. If a hospital system uses EMR software from Acme Corporation, but your records are from a hospital in a neighboring state that signed a contract with Beta Industries, you may be in trouble when you show up at the Acme Corporation hospital without identifying information.

Part of the goal of the Affordable Care Act (“Obamacare”) was to make healthcare more portable, preventing job changes or unexpected unemployment from costing Americans their healthcare insurance. What the ACA doesn’t make more portable, however, is EMRs.

At this point in the EMR revolution, it’s time for the US to have a serious conversation about data portability. Hospital administrators should be very selective when choosing an EMR vendor and verify that data is formatted in a way that is compatible with other popular systems:

  • EMR data should be easily exportable; ease of data export should be a built-in feature of any software solution.
  • Data must be formatted in a non-proprietary fashion recognized by other popular software.
  • Be sure that data and databases are organized in a logical fashion. A standard import/export language and the ability to transfer data in a standard table or Excel file format will be of great value should a healthcare organization need to update or change EMR systems.

EMRs and Security: A Complex Proposition

Data breaches continue to stack up. As security experts come up with more creative ways to secure patients’ healthcare data, hackers and digital miscreants are rising to each new challenge and finding novel ways to access and capture private health data. Harsh penalties have not been enough to slay the security beast, and retroactive actions like offering identity theft insurance to affected patients aren’t enough.

Going digital shouldn’t mean danger. At this critical turning point in U.S. healthcare policy, as much or more attention should be focused on securing patient information and EMRs as is focused on insuring the uninsured and controlling rising costs.

Written by Dean Van Dyke


Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach


Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. The U.S. Department of Health and Human Services reported in August that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand. That is 30.1 million Americans to date who have had their personal health information (PHI) severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?


HIPAA

It’s dangerous to underestimate the crucial importance of the HIPAA privacy law because it brought a new national awareness to the importance of protecting patient data. The legislation was designed to secure sensitive health information such as test results and to prevent unauthorized disclosures of pre-existing conditions and diagnoses. Now that patients see HIPAA-related paperwork at every office visit, they at least have an investment in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks powered by the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposed security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke


Guilty Until Proven Innocent: A Paradigm Shift for Healthcare IT Security


With sensitive patient information like diagnoses, test results and financial data on the line, healthcare administrators must take a different approach to protecting patient privacy. While our judiciary system guarantees us all the assumption of innocence until proven guilty beyond a reasonable doubt, the same philosophy may be a dangerous proposition for patients’ personal health information (PHI).


We Built It; They Came

To prepare for a presentation titled “The New Security Reality: Assume the Breach and Reduce Your Risk” at September’s Privacy and Security Forum, Seattle Children’s Hospital chief information security officer Cris Ewell spoke with Healthcare IT News about this important shift in the way healthcare organizations approach security and why assumption of guilt may be a necessary evil:

“In today’s world, security controls just are not enough to protect an organization against the cyber threats that are out there, both internal and external, and if you solely rely on the very prescriptive controls, whether you believe in NIST, ISO, HIPAA or any of those things, it’s the wrong philosophy to take from a very strategic point…You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep people out, therefore change your philosophy to ‘they’re already inside.’ Now what would you do to protect that information?”

Wow. That sobering thought goes a long way to scare the pants off us and makes us wonder what might be gained from more organizations – and perhaps the largest organization of all, the federal government – making similar philosophical shifts. If most current efforts are focused on attempting to seal cracks in an already irreparably leaky dam, then why not abandon or reduce those efforts in favor of securing the waters from inside?

The Threat from Inside

We’ve examined how it’s healthcare employees themselves, not necessarily those foreign cybercriminals we might imagine, who may pose many of the largest threats to PHI. Greater efforts should be focused on reducing loss and theft of devices containing sensitive information. Performing regular, thorough audits of networks and systems is a good place to start. An even better jumping-off point is good old-fashioned encryption: not enough institutions encrypt their devices, and unencrypted devices are like red carpets upon which ill-intended information poachers may glide swiftly and silently into healthcare systems.

Again, the threat of insider breaches is alarming. But Ewell makes a larger point with great clarity: other threats – foreign, domestic, organized, amateur or otherwise – are already inside the proverbial house. What remains to be seen and decided is how smart, responsible organizations will detect and remove those threats with surgical skill while protecting the best interests of both the patients and the hospitals.

Written by Dean Van Dyke

Can Healthcare Employees Threaten Patient Privacy?

First, do no harm. This most basic of healthcare tenets is second nature for most physicians, but what happens when healthcare staff have their own self-interests in mind while handling sensitive medical data? It turns out that while most people believe hackers and other professional ne’er-do-wells are the biggest threats to private patient information, medical practices’ own staffers may also be likely to compromise patients’ personal health information (PHI).

New Cases

New criminal cases centering on unscrupulous medical office staff going rogue with personal data happen all the time. Just this week there is news of a Washington state woman employed at a physical therapy clinic who used her access to an elderly woman’s PHI to unlawfully transfer more than $13,000 out of the victim’s bank account. This summer, a University of Cincinnati Medical Center employee posted a screen shot of a patient’s medical record—complete with syphilis diagnosis—to Facebook. There is a lawsuit pending.

Accidentally Doing Harm?

While ill-intended staffers are one threat to private patient data and PHI, there may be an even greater threat from uninformed employees who misunderstand or unwittingly ignore key privacy policies. Regardless of the motivation – benign or nefarious – employees revealing patient information is a real threat. According to a 2013 report from the Healthcare Information and Management Systems Society (HIMSS), nearly four fifths of healthcare IT security experts believe employee “snooping” on private patient information is a top threat motivating security breaches.

Assessing the Threat

Whether these inside operators are functioning as lone wolves or as part of larger organized crime syndicates, the healthcare sector definitely has an employee snooping problem. The 2014 Verizon Data Breach Investigations report found that 15 percent of healthcare privacy and security breaches result from insider prying or misuse.

Smart organizations are conducting regular security audits to keep careful tabs on which employees have access to data and how they use the information. A clear chain of custody is vital for all PHI, and enterprise-level healthcare firms and small private practices must invest in careful auditing to eliminate the threat of insider abuse and misuse of private patient records.

With the numbers of these types of breaches on the rise and increasingly creative criminals prepared to do just about anything to steal money, healthcare information and identities, ethical organizations are battening down their collective hatches against further breaches while carefully monitoring their security procedures to minimize the threat.

Written by Dean Van Dyke
