Good Advice: Three Things Practices Should Do After Buying An EMR

Here’s a handy little blog item from health IT consulting firm Entegration.  While many bloggers focus on big-picture issues, firm president Art Gross has offered three easy-to-understand, concrete suggestions on how medical practices should protect themselves when they’re first rolling out their EMR.

Gross suggests they consider the following steps:

*  HIPAA security:  Gross recommends hiring HIPAA security services to help train employees and implement protocols which will make sure protected patient information isn’t compromised.

* Off-site data backup:  Few medical practices do more than back up their existing files to tape, but as he notes, data gets corrupted, backups are sometimes overwritten by mistake and disasters (fire, floods and more) can destroy on-site archives.

* Disaster recovery:   To be prepared for all contingencies, practices must have more than one copy of current data available, methods for accessing that data and detailed procedures in place for accessing the duplicate data.

Sure, companies with big IT staffs would do these things as a matter of course, but many small physician practices don’t even have a single full-time IT employee, relying instead on consultants to do basic maintenance.  That drive-by consultant is unlikely to be evaluating the practice’s overall readiness to keep an EMR up and running securely.

Reminding doctors that they must be careful custodians of their new digital data is a good idea. Let’s hope more consultants (and vendors) dealing with small practices are preaching this gospel.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Katherine – thank you for the shout out, I appreciate it! I wrote the blog because many practices are overwhelmed when they first implement an EHR. They focus on how to use the new EHR and how to avoid losing productivity. Most practices are not thinking about the 3 items that I discussed. In addition, without the proper IT guidance most practices aren’t even aware of offsite backup and disaster recovery. They think “we have a backup tape so we are protected” until something serious happens and they find out the hard way that just backing up to tape is not enough.

    Hopefully my blog and yours will shine some light on this subject and get people thinking about adding the additional layers of protection for their EHR and their practice.

  • Katherine and Art: these are certainly three good items to keep in mind – for those people that have any mind left after going through an EMR implementation process. I would add to the HIPAA Security the need to perform and document a HIPAA Risk Assessment. It’s one of the 15 Core Meaningful Use objectives, but it is not a function of an EMR application, so you actually have to do it independently. Those who are interested can read more about it at
