Cybersecurity is top issue for hospital IT professionals

HIMSS survey suggests focus on other IT priorities may lag; influence of security leaders may cause tension.

Cybersecurity, privacy, and security are creating such pressing issues for hospitals that other technology projects may be waylaid, and discord among IT leadership could occur if the emerging influence of security professionals is not handled properly, according to the 2019 HIMSS U.S. Leadership and Workforce Survey.

The annual study included feedback from 269 U.S. health information and technology leaders between November 2018 and January 2019. The 30th edition of the survey examines trends and provides insights into the rapidly changing market for healthcare and IT professionals.

Among the key takeaways for hospitals:

  • The emergence of information security leaders as the third influential member of hospital IT leadership teams—following CIOs and senior clinical IT leaders—may create tensions for some organizations.
  • The top issue for hospital IT leaders is cybersecurity, privacy, and security.
  • The focus on security is so predominant that authors of the study suggest other technological priorities may be put on the back burner.

Information about trends and issues for vendors and non-acute care facilities is also addressed in the full report.


The study examines employment trends for specific job titles and, in some cases, compares rates to the prior year. Information security leaders continue to expand their presence in hospitals.

While employment of CIOs and senior clinical IT leaders remains fairly steady, employment of senior information security leaders at hospitals rose by 14% between 2018 and 2019. The study also documents how many hospitals employ professionals for other emerging technology leadership roles, such as chief technology, innovation, and transformation officers, but does not provide comparisons to previous years.

Hospital employment of IT leaders in the following positions for 2019 includes:

  • Chief Information Officer 84% (-3% compared to 2018)
  • A senior clinical IT leader (CMIO, CNIO, CHIO) 68% (+1% compared to 2018) 
  • A senior information security leader (CISO) 56% (+14% compared to 2018)
  • Chief Technology Officer 36%*
  • Chief Innovation Officer 19%*
  • Chief Transformation Officer  7%*
  • None of the above  9%*

“The emergence of a third leader overseeing a hospital’s information and technology efforts is bound to result in internal tensions as competing interests and overlapping jurisdictions present themselves,” says Lorren Pettit, MS, MBA, vice president at HIMSS in a news release. “These challenges have the potential to stymy a hospital’s progression if hospital leaders are not careful to manage these hurdles effectively.”

The report further elaborates that unless roles and responsibilities are clearly delineated, the influence of security professionals could impede a hospital’s progression on information and technology priorities as leaders “work through internal territorial challenges.”


The survey gauges interest from IT professionals about 24 topics. While cybersecurity outranked all other responses, “improving quality outcomes” and “clinical informatics and clinician engagement” were also highly rated among hospital respondents. Telehealth ranked ninth; innovation took the twenty-first spot.

Survey participants ranked these topics on a scale of one (not a priority) to seven (essential priority). Following are the ranking and mean scores for hospital respondents:

  1. Cybersecurity, Privacy, and Security 5.81
  2. Improving Quality Outcomes Through Health Information and Technology 5.28
  3. Clinical Informatics and Clinician Engagement  5.24
  4. Process Improvement, Workflow, Change Management 5.03
  5. Culture of Care and Care Coordination 4.92
  6. Data Science/Analytics/Clinical and Business Intelligence 4.91
  7. Leadership, Governance, Strategic Planning 4.90
  8. User Experience, Usability and User-Centered Design  4.86
  9. Telehealth 4.82
  10. Consumer/Patient Engagement & Digital/Connected Health 4.80
  11. Population Health Management and Public Health 4.77
  12. Safe Info and Tech Practices for Patient Care 4.62
  13. HIE, Interoperability, Data Integration and Standards 4.62
  14. Public Policy, Reporting, and Risk Management 4.31
  15. Healthcare App and Tech Enabling Care Delivery  4.20
  16. Social, Psychosocial & Behavioral Determinants of Health 4.06
  17. Consumerization of Health 3.75
  18. Clinically Integrated Supply Chain 3.66
  19. Healthy Aging and Technology  3.60
  20. Health Informatics Education, Career Development & Diversity  3.53
  21. Innovation, Entrepreneurship and Venture Investment 3.47
  22. Precision Medicine/Genomics  3.47
  23. Disruptive Care Models 3.39
  24. Grand Societal Challenges 2.88


Study authors characterized the prioritization of cybersecurity, privacy, and security by providers as “remarkably higher” than the next highest priority. The focus is so predominant that the authors suggest other technological priorities may be put on the back burner.

“Of the array of priorities presented respondents, ‘cybersecurity, privacy, and security’ was one of the only ‘defensive’ business tactics respondents were asked to consider,” states the report. “That providers (especially hospital respondents) responded so passionately to this priority suggests a growing number of provider organizations realize the need to protect existing business practices before aggressively pursuing other information and technology issues. If true, then there are potential downstream implications for the market as other information and technology priorities considered in this study may be put on hold or ‘slow walked’ until the security concerns of organizations are settled.”

In addition to this survey, HIMSS also released a related report last week, the 2019 HIMSS Cybersecurity Survey, which sheds additional light on some of these issues. Among the highlights:

  • A pattern of cybersecurity threats and experiences is discernible across U.S. healthcare organizations. Significant security incidents are a near-universal experience, with many of them initiated by bad actors leveraging e-mail as a means to compromise the integrity of their targets.
  • Many positive advances are occurring in healthcare cybersecurity practices and healthcare organizations appear to be allocating more of their IT budgets to cybersecurity.
  • Complacency with cybersecurity practices can put cybersecurity programs at risk.
  • Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector.




How are hospitals complying with patient medical record requests? Not well, study finds


Most hospitals were found to be noncompliant with federal and state regulations when completing patient medical records requests, according to a study published in JAMA Network Open.

Through a simulated patient experience, researchers analyzed 83 U.S. hospitals across 29 states that maintained independent medical records request processes and medical records departments reachable by telephone. The hospitals were among the top 20 hospitals for each of the 16 adult specialties in the 2016-17 U.S. News & World Report Best Hospitals National Rankings.

Under HIPAA, patients have a right to access their protected health information. Federal law requires that medical record requests be fulfilled within 30 days of receipt, in the format the patient requests and for a fair cost to the patient.

Information on records request authorization forms differed from that obtained from patient telephone calls in terms of requestable information, formats of release and costs, according to the researchers. Additionally, 8 percent of hospitals were noncompliant with state requirements for processing times.

On telephone calls, all 83 hospitals said they were able to release entire medical records to patients, but on the forms, fewer than 9 hospitals (11 percent) provided the option of selecting one of the categories of requestable information, such as laboratory test results, medical history and discharge summaries, and only 44 hospitals’ forms (53 percent) gave patients the option to acquire the entire medical record.

There were also differences between the formats hospitals said they could use to release information. On telephone calls, 83 percent of hospitals stated they would allow the patient to pick up their records in person, compared with 48 percent of forms listing this option. Forty-seven percent of hospitals indicated they could email patients their records when patients asked on the telephone calls, while only 33 percent of hospitals’ forms listed email as an option.

The researchers also identified 48 hospitals that charged well above the federal government’s recommendation of $6.50 for electronic records — charging as much as $541.50 for a 200-page record.

“Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients,” the study reads. “As legislation, including the recent 21st Century Cures Act, and government-wide initiatives like MyHealthEData continue to stipulate improvements in patient access to medical records, attention to the most obvious barriers should be paramount.”



















Hospital ER worker fired for allegedly selling patient records


An employee at Kings County Hospital’s emergency room stole nearly 100 patients’ private information and sold it through an encrypted app on his phone, according to New York Daily News.

Orlando Jemmott, 52, has worked at the city-run Brooklyn hospital for more than 10 years, where he was in charge of charting patient demographic data into the hospital’s computer system. But between December 2014 and April 2015, he allegedly sold patient data to Ron Pruitt, 43, a buyer in Pennsylvania.

FBI agents arrested Mr. Jemmott in February after receiving a tip in June 2017. A tipster told the FBI she had learned two years earlier that Mr. Jemmott was stealing and selling health records.

Hospital officials told the publication that Mr. Jemmott sold the names of 98 patients, and he accessed the private health records of at least 88 of those patients.

Kings County fired Mr. Jemmott in April. He has been negotiating a plea deal with prosecutors since.

“We have zero tolerance for anyone who intentionally violates our patient privacy rules,” Kings County Hospital CEO Sheldon McLeod said in a written statement to the New York Daily News. “The privacy of patient information is an important foundation for the care we provide.”






What does cyber fraud look like for a hospital or a healthcare group? Where does it happen, and how can organizations protect themselves? As you assess the security of your organization, here are top trends, emerging threats and things to consider.

1. Don’t forget the basics

As complicated as cyber fraud may seem, don’t forget the basics. The scariest headlines for healthcare executives are about fraudsters using ransomware to shut down a system, as happened to the UK’s National Health Service in 2017. But a breach doesn’t require sophistication. “A lot of cyber fraud continues to be perpetrated via good old-fashioned phishing techniques,” says Charles Alston, Market Executive at Bank of America Merrill Lynch. “Fraudsters send an email that gets them into an organization. Then employees, oftentimes even though thoroughly trained, can make an error in judgment by clicking on a link or responding to a fraudulent email. That one action ends up pulling a thread that creates a system wide problem.”

2. Watch for wire fraud

In addition to straightforward check and ACH fraud, “Healthcare is just as susceptible as any other business to wire fraud,” Alston says. In a wire fraud, the fraudster sends an email to a treasury employee that appears to be from a top-level executive in the organization; often it will be sophisticated enough to mimic the executive’s writing style, or arrive when the exec is at a conference or on vacation and hard to reach. The message asks the recipient to wire funds to an account, again presenting it as an emergency or time-sensitive situation. The recipient is reluctant to turn down the request, since it’s coming from management. “People ask, ‘Why would a controller or treasury employee respond to an email like that?’” Alston says. “Well, it appears legitimate, and it’s a rare event; no one has likely seen something like that before.

“And once that transfer is executed, the money is gone, because employees hadn’t been trained, or regularly reminded about such types of fraud, and there wasn’t a process in place to handle such situations. These are the situations that training can help avoid.”

3. Monitor for ransomware

Criminals’ use of ransomware is a threat that organizations should consider carefully, and will handle best if well prepared. One of the most effective preparation tools is a tabletop exercise that can walk the organization through a simulated ransomware event.

Doing a simulation can help answer the key questions: Would we be able to identify a situation and stop it? Would we be able to trace where it came from? Do we have all the right disciplines at the table? What kind of communications do we need to let people know what’s happening? Can we get the system back up? Many executives may be tempted to invest in cryptocurrency like Bitcoin so they’re able to pay quickly in the event of a ransom demand, but they should carefully consider whether paying a ransom is the best solution. Lynn Wiatrowski, National Treasury Executive at Bank of America Merrill Lynch, suggests that healthcare providers, who often train for emergency medical events and natural disasters, can apply those learnings to handle a cyber fraud event.

4. Tighten provider-insurer connections

The connections between healthcare providers and insurance companies can create cracks where cyber fraud can flourish. “The structure of health insurance involves a lot of transactions and a slow process, a complicated architecture. And there is a lot of money fueling the system,” says Roger Boucher, Market Executive at Bank of America Merrill Lynch. “The process of reimbursement creates a back and forth interaction that the patient never sees; it can be weeks or months of submission, denial, resubmission, correction, denial (again), before the bills are processed. That lag creates a vulnerability. With so much data traveling back and forth, and such delays in payment, crooks find a way to insert themselves in the gap.” He says healthcare providers need to assess, and continually re-assess, the reimbursement process to double check that insurance companies are sending payments to the correct entity.

5. Protect patient data

Patient data needs to be protected in as many ways as possible. Not only do healthcare providers need to be cognizant of patient privacy and HIPAA rules, they need to continually remind themselves that patient data is currency for criminals. As patient records are migrated from paper to digital forms, organizations need to be vigilant in keeping track of older records and how they are handled, stored or disposed of. Policies need to be in place to ensure safety, for instance, when employees handle patient data while working at home. Similarly, to keep records safe and up to date, providers need to regularly back up the data contained in their computer systems. Organizations will complain that backing up the database for the entire system is too time-consuming, or creates too much downtime. A solution is to break the data into smaller pieces, backing up a department or a piece at a time.

6. Keep tabs on third parties

Whether it’s insurance companies, labs, doctors’ offices or other partners, an organization is only as protected as the third parties it works with and shares its computer connections and its data with. “A healthcare organization should be asking, ‘Where is all my data going, and who is keeping an eye on it?’” Boucher says.

A strong vendor management program should include regularly checking the data protection policies and cybersecurity procedures of vendors, third-party services and strategic partners to make sure everyone is on the same page. “When contracts are reviewed, there should be an opportunity to build on a security element as well as outline liability of loss, if those items do not already exist,” Alston says.

7. Secure new equipment

The industry has been buzzing about how new products in the internet of things and medical devices are offering new entry points into a healthcare system. “When a hospital is introducing the newest, most sophisticated piece of medical equipment, thoughts are on the difference this new technology will make in patients’ lives, rather than considering that the new technology may also be introducing a cyberthreat,” Wiatrowski says. “It is not second nature to think about who is on the other end of those pieces of equipment, and what entry points may be introduced.”

8. Stay alert for new threats

Finally, remember that the threat environment will continue to evolve. Stay updated on the newest forms of cyberattacks by reading trade publications, attending conferences and webinars to share information with your peers, and comparing notes with your own strategic partners about what they are seeing. Says Alston, “There is a lot more ground to protect if you are in a healthcare organization, and a lot more opportunity for fraud to occur. And it’s hard to stop something if you have never seen it before. That’s why ongoing education and training are so important.”



New York nonprofit healthcare organization hit with $200K HIPAA fine



The Arc of Erie County, a Buffalo, N.Y.-based nonprofit that serves people with developmental disabilities, agreed to pay a $200,000 penalty to the state of New York to resolve allegations it violated HIPAA in a yearslong data breach.

As part of the settlement, Arc of Erie County is required to conduct a thorough risk analysis of vulnerabilities of all electronic equipment and data systems, as well as review its policies and procedures. It must submit a report on its findings to the Attorney General’s Office within 180 days of the settlement.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers — and that comes with the responsibility to protect them and their sensitive personal information,” New York Attorney General Barbara Underwood said in a news release. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In early February 2018, Arc of Erie County learned clients’ personal information — including full names, Social Security numbers, gender, race, primary diagnosis codes, IQ scores, insurance information, addresses, phone numbers, dates of birth and ages — was exposed on its website.

An investigation determined the information had been publicly accessible in spreadsheets since July 2015 and 3,751 clients were affected. The webpage was intended only for internal use, but the investigation noted several unauthorized third parties accessed the datasets on numerous occasions. Officials said there is no evidence of malware on the system or ongoing communications with outside IP addresses.

The organization notified all affected individuals in March, and it offered them one year of free identity theft protection services.


Senators Consider Dueling Bills Over Texas Individual Mandate Litigation

Litigation in Texas over the constitutionality of the individual mandate and, with it, the entire Affordable Care Act (ACA) is receiving more and more attention in Congress. On August 23, 2018, Republican Senators released new legislation that they believe would help blunt the impact of a ruling for the plaintiffs in Texas v. United States. The stated aim of the bill is to “guarantee” equal access to health care coverage regardless of health status or preexisting conditions. However, in the event that the court agrees with the plaintiffs—or even just the Trump administration—the legislation leaves significant gaps.

At the same time, Democratic Senators had their efforts to potentially intervene in the litigation rebuffed during the debate over a recent appropriations bill for the Departments of Labor, Health and Human Services (HHS), Education, and Defense. With a hearing on Texas scheduled for September 5, 2018—the same time as hearings are set to begin in Congress over the confirmation of D.C. Circuit Judge Brett Kavanaugh to the Supreme Court—attention on the case is only likely to increase.

Brief Background On Texas

In Texas, 20 Republican state attorneys general and two individual plaintiffs challenge the constitutionality of the individual mandate, which was zeroed out by Congress beginning in 2019. Without the penalty, the plaintiffs argue that the mandate is unconstitutional. Because the mandate cannot be severed from the rest of the law, they believe the entire ACA should also be struck down.

In June, the Department of Justice (DOJ) declined to defend the constitutionality of the individual mandate alongside the ACA’s provisions on guaranteed issue (42 U.S.C. §§ 300gg-1, 300gg-4(a)), community rating (42 U.S.C. §§ 300gg(a)(1), 300gg-4(b)), and the ban on preexisting condition exclusions and discrimination based on health status (42 U.S.C. § 300gg-3). These provisions collectively ensure that individuals with preexisting conditions cannot be charged more for their coverage or denied coverage or benefits based on health status or other factors.

The plaintiffs have asked Judge Reed O’Connor of the federal district court in the Northern District of Texas to enjoin HHS and the Internal Revenue Service (IRS) from enforcing the ACA and its implementing regulations—or, at a minimum, to strike down the law’s guaranteed issue and community rating provisions alongside the mandate. Judge O’Connor is considering ruling on the merits of the case (instead of issuing a preliminary injunction) and has scheduled a hearing on the motion for a preliminary injunction for September 5.

As noted above, the hearing will coincide with confirmation hearings for Judge Kavanaugh. Texas will likely be a focal point in the Kavanaugh proceedings because of the possibility that the case will reach the Supreme Court and because previous decisions suggest that Judge Kavanaugh believes that a President can decline to enforce laws that he or she believes to be unconstitutional.

The New Republican Legislation

Recognizing the potential impact of the Texas lawsuit, 10 Republican Senators released new legislation on August 23. The bill is sponsored by Senators Thom Tillis (NC), Lamar Alexander (TN), Chuck Grassley (IA), Dean Heller (NV), Bill Cassidy (LA), Lisa Murkowski (AK), Joni Ernst (IA), Lindsey Graham (SC), John Barrasso (WY), and Roger Wicker (MS). It is tied directly to the Texas litigation: Press releases acknowledge the September 5 hearing and state that “protections for patients with pre-existing conditions could be eliminated” if Judge O’Connor rules in favor of the plaintiffs.

The legislation would amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although HIPAA offered significant new protections at the time it was passed, these protections were limited in terms of ensuring that people with preexisting conditions could access affordable, comprehensive coverage, particularly in the individual market. HIPAA established a minimum set of federal protections for certain consumers—for example, those who lost their group coverage—facing certain situations, such as job lock because of a new preexisting condition exclusion period. HIPAA also required guaranteed issue in the small group market and guaranteed renewability in the individual and group markets.

As mentioned, the DOJ has declined to defend the ACA’s provisions on guaranteed issue (42 U.S.C. §§ 300gg-1, 300gg-4(a)) and community rating (42 U.S.C. §§ 300gg(a)(1), 300gg-4(b)), and the ban on preexisting condition exclusions and discrimination based on health status (42 U.S.C. § 300gg-3). Thus, their position in the lawsuit implicates parts of four provisions of federal law: 42 U.S.C. §§ 300gg, 300gg-1, 300gg-3, and 300gg-4.

The legislation introduced by Republican Senators would restore only two of the four provisions that stand to be invalidated in Texas: 42 U.S.C. § 300gg-1 (guaranteed issue) and most of § 300gg-4 (guaranteed issue and rating based on health status). So the bill would prohibit the denial of coverage and rating based on health status, but it would not prohibit preexisting condition exclusions or rating based on other factors, such as age, gender, tobacco use, or occupation. This means that many individuals, including those with preexisting conditions, could still face higher premiums, higher out-of-pocket costs, and the denial of benefits because of a preexisting condition even after paying premiums for many months.


The protections offered by the restoration of the two provisions included in the Senate GOP bill, § 300gg-1 and most of § 300gg-4, are largely illusory without the other parts of the ACA—community rating and the ban on preexisting condition exclusions—that are at risk in the lawsuit. Assuming the at-risk provisions are struck down and the new legislation is adopted, consumers would still face significant gaps. For instance, a woman with a history of cancer could purchase a policy under the new bill, but she could be charged more based on her gender and age, potentially pricing her out of the market. In addition, her policy could have a preexisting condition exclusion, meaning that any recurrence of cancer—or any other health condition—might not be covered at all; this could lead to much higher out-of-pocket costs and far less financial protection.

If Congress were to enact this bill today, it would largely be duplicative of existing law (and would do nothing to disturb the ACA). If Congress were to enact this bill in response to the Texas litigation, its effect would depend on how (if at all) a court would invalidate the ACA provisions in Texas. Would a court strike the entire provisions, including what was adopted under HIPAA and other federal laws? Or would a court simply strike the amendments that were made by the ACA?

If the latter, the new legislation might do even less than its authors think, because much of the bill is, in fact, devoted to readopting existing federal law that may not be at issue in Texas. These provisions were adopted before the ACA and touch on, for instance, genetic information nondiscrimination and long-standing exceptions to guaranteed issue.

No Vote On Manchin Resolution To Potentially Intervene In Texas

In July, Democratic Senators led by Joe Manchin (WV) introduced a resolution with the goal of intervening in Texas to defend the ACA’s protections for people with preexisting conditions. The resolution would authorize the Senate Legal Counsel to move to intervene in the case on behalf of the Senate and defend the ACA. During last week’s debate over an HHS appropriations bill, Senate leadership blocked a vote on the amendment.



The Texas lawsuit could end some of the ACA’s protections for employer coverage


The Trump administration’s refusal to defend portions of the Affordable Care Act is shocking enough. Equally shocking is how little it seems to care what happens if it gets what it’s asking for.

One question in particular: what about legal protections for the 160 million people who get insurance through their employers? Will their insurance still cover their preexisting conditions, even if they switch jobs? I honestly have no idea.

In its brief, the Justice Department argues that the community rating and guaranteed issue provisions of the ACA must be invalidated. But it never mentions that those provisions apply not only to individual health plans, but also to employer plans.

So should those rules give way across the board? Or only for individual insurance plans?

Maybe it should be the latter. The mandate isn’t critical to securing the health of the employer market, so the ACA rules that protect employees aren’t inextricably linked to the mandate and shouldn’t be invalidated. But it could also plausibly be the former: if the rules governing community rating and guaranteed issue are inseverable, maybe the court shouldn’t do micro-surgery to save some subpart of those rules.

But guess what? In its brief, the Justice Department doesn’t say which approach it endorses.

Actually, it’s worse than that.  When the Justice Department identifies the rules governing community rating and guaranteed issue, it doesn’t cite the ACA itself (Public Law 111-948). Instead, it cites parts of the U.S. Code that codify portions of the ACA (e.g., 42 U.S.C. 300gg). The implication is that the Justice Department wants the court to enjoin those code provisions.

But the code provisions were on the books long before the ACA was adopted. Prior to the ACA, they listed protections for employer-sponsored plans that had been adopted in the Health Insurance Portability and Accountability Act. Among other things, HIPAA limited the circumstances under which an employer could refuse to cover an employee’s preexisting conditions. The protections weren’t perfect, but they were something. The ACA patched HIPAA’s gaps by amending those code provisions.

So if the U.S. Code provisions are enjoined altogether—which, again, is what the Justice Department appears to be asking for—some of the HIPAA-era protections would be wiped from the books too.* Is that really what the Justice Department wants? Because that’s the thrust of its brief.

The confusion may reflect a basic legal mistake, one that Tobias Dorsey highlighted in Some Reflections on Not Reading the Statutes: the U.S. Code is a codification of existing laws, but it’s not itself the law. That’s why code provisions shouldn’t themselves be the target of any injunction. Any injunction should run against the ACA itself. If that’s what the Justice Department really wants, then it has to clarify what it’s really asking for. Failing to do so could wreak havoc in the employer-sponsored market.

Even if the injunction only runs against portions of the ACA, however, that still wouldn’t resolve whether the ACA’s protections would still apply to employer-sponsored plans. If they don’t, that’s a big deal: HIPAA’s protections are porous.

So far, however, the Trump administration hasn’t said a word—leaving 160 million people in the lurch.


EMR v. EHR: Electronic Medical, Health Record Differences

The differences between EMR and EHR have largely eroded but speak to the maturation of health IT use among providers.

The terms electronic medical record (EMR) and electronic health record (EHR) have become widely synonymous, but they did not start that way, and some still argue that a distinction between them is necessary to restate.

Healthcare organizations and providers have a greater tendency to still use EMR when discussing the health IT system in use by clinicians in the treatment of patients, but many have gravitated toward saying EHR when describing this technology. And there is ample evidence to suggest that the shift is the byproduct of a nationwide effort to promote health data exchange and interoperability.

While EHR is common parlance nowadays, that was not always the case. With EMR usage waning for a large portion of the healthcare industry, an understanding of the EMR/EHR difference demonstrates how far the industry has come — and the progress still needed to be made.

What will become of MACRA, Obamacare, health IT? HIMSS boss weighs in (podcast)

The annual Healthcare Information and Management Systems Society (HIMSS) conference gets under way Monday in Orlando, Florida, with numerous preconference activities starting Sunday.

As more than 40,000 people descend on Central Florida for the grueling event, MedCity News talked to HIMSS CEO and President H. Stephen Lieber for what has become an annual ritual, at least for this reporter. As usual, it’s on tape.

HIMSS17 is the last HIMSS conference with Lieber in charge; he announced in December that he would retire at the end of 2017.

Lieber is preparing to depart at a time when health IT is at a crossroads.

Healthcare organizations in the U.S. have spent the better part of the last 10 years installing and now optimizing electronic health records, though they continue to lag when it comes to sharing data across systems. And they continue to gripe about EHR usability and Meaningful Use requirements.

Providers in recent years also have grappled with updates to HIPAA regulations and the conversion to ICD-10 coding. Now, they face some new regulations affecting health IT.

Notably, the 2016 Medicare Access and CHIP Reauthorization Act (MACRA) is coming into force for ambulatory care. The rise of accountable care is “certainly having an impact already in terms of how care is not only delivered,” as well as how payers calculate reimbursements, Lieber noted.

They also face the uncertainty that comes with a change in administration in Washington.

Still, some things do remain relatively constant in health IT.

“The ongoing challenge in dealing with security, there is going to be an even greater focus this year as we try to bring more attention, more focus on what it takes to make sure that we’re handling data in a secure way,” Lieber said.

Clinical analytics has become a normal course of business in the field as well, though it has changed from merely clinical decision support and retrospective analytics to predictive analytics and machine learning. “As the field evolves, we’re evolving the programming with it,” Lieber noted.

Policy seems to be where a lot of intrigue is right now. It’s easy to make assumptions about what the new Trump administration might do, but assumptions are just that.

Memorial Healthcare Systems to pay $5.5M over potential HIPAA violations

Dive Brief:

  • Memorial Healthcare Systems has paid HHS $5.5 million to settle potential HIPAA violations, HHS disclosed on Thursday.
  • The six-hospital nonprofit system disclosed to HHS’ OCR that 115,143 individuals’ protected health information (PHI) had been impermissibly accessed by employees and impermissibly disclosed to affiliated physician office staff.
  • The settlement comes weeks after Children’s Medical Center of Dallas was fined $3.2 million over HIPAA violations.

Memorial Healthcare System provided Healthcare Dive the following statement on the subject:

It’s important to put this settlement in perspective to the fact that this situation happened six years ago, and that Memorial Healthcare System proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the Department of Health and Human Services’ Office of Civil Rights (OCR). Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security. 

Memorial’s February 2017 settlement with the OCR resolves all allegations surrounding these breaches.  While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information. We will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards.