Archives for: September 2008
Simple human error made the private medical records of 45 patients at Grady Hospital in Atlanta, Georgia available on the internet. The hospital outsourced note transcription to a firm in Marietta, Georgia, who then outsourced it to a contractor in Nevada, who in turn outsourced it to a firm in India. Workers at the Indian firm allegedly caused the breach. Luckily, the exposed information did not include social security or credit card numbers. There was no evidence of theft, and it does not appear that the patients were harmed.
It is unlikely that smaller practices would be vulnerable to this kind of incident. Most practices probably do not have their own intranets, so it would be difficult for their patient records to be made available on the internet. However, some electronic medical records that use the Active Server Pages (ASP) model utilize a web-based interface. There is a risk that these EMR systems could be compromised. The vendors usually take every precaution to lock down their systems, so the risk is small.
The real lesson is to be wary of outsourcing work. While it is not always efficient to do everything in-house, practices should exercise caution when working with third parties. Make sure the contract stipulates that whomever you’re contracting with will perform the work themselves, and not outsource it to someone else. Not only is the recursive outsourcing seen in the Grady incident somewhat absurd, it’s also a huge security risk. Instead of one firm having access to protected health information, three firms and an unknown number of employees now have access.
The Importance of Offsite Backups
Have you ever thought about how your practice would survive after a disaster? What would happen if your office burned down, or burglars broke in and stole all your computers? Natural disasters, such as floods, hurricanes, and tornados, also pose a threat.
Many businesses fail after disasters because they do not plan ahead. Offsite backups are one of the easiest and best ways to protect your practice. If you still use paper charts, you face an even greater risk. Keeping an updated offsite copy of all your paper charts would be prohibitively expensive.
If you use an EMR, be sure to ask your vendor how they handle offsite backups. If you have a web-based EMR, it’s possible that your data is already stored offsite. In that case, be sure to verify they back up your data. If you have a client/server model or a custom system, you may be responsible for your own backups.
There are many companies that offer hosted offsite backup solutions. Their software runs in the background on your computer and uploads files to a remote server, usually in real time. This kind of service is generally easy to use, and great for when you only need to recover a few files at a time.
There are two main drawbacks to this architecture, however. It is usually subscription based, meaning you pay a monthly fee for the service. The other problem is recovery time. If you lose everything, it can take forever to download all of your data.
Hosted backup solutions can be expensive. They usually charge you by the gigabyte. Our average customer has about 130 GB of data, which could cost you as much as $345 per month. That equals $4140 per year, and about $20,700.00 over five years - about the cost of some EMR systems.
The second problem with hosted backups is download time. If you've ever downloaded large files from the internet, you know it can be time-consuming. Let’s imagine your practice has about 130 GB of data, which comes out to 133200 megabytes. If you lose everything, and have to download all of your data, you could be out of business for a long time. If you have a fast internet connection, such as Comcast, your download speed could be about 4.82 MB/s. With this speed it could take you about 19 days to download 130 GB of data.
Sadly, there aren’t many alternative solutions, aside from using backup tapes or external hard drives and taking them home with you every night. The best bet would be to use a custom solution that would allow you to back up offsite to your home, or another office. That way your recovery time would be limited by how long it takes you to drive home and retrieve your storage device.
Regardless of what system you go with, offsite backups are a vital part of your business continuity plan. The survival of your practice could depend on it.
Representative Pete Stark, Chairman of the House Ways and Means Subcommittee on Health, introduced the Health-e Information Technology Act of 2008 (H.R.6898) on September 15th. If passed, the act would codify certain offices and committees which would make recommendations on standards for interoperability, privacy and security, as well as maximizing the utility for health-related information technology. In addition to recommending standards, the group would also develop an EMR system based on open source technology. Finally, the bill would provide financial incentives to practices that adopt approved EMR systems and reduce Medicare payments for those without a system, or those using an unapproved EMR.
Whether or not this bill becomes law, it shows that Congress has an interest in EMRs and healthcare technology. We can expect more legislation along these lines, and it is very likely that Congress will pass a law requiring every practice to adopt an EMR. This is yet another reason to adopt an EMR. However, don’t just rush out and buy the first EMR you like. Although we don’t know what features will constitute an “approved” system under this or any future legislation, physicians should pick an EMR that can exchange data using the XML and HL7 formats. Physicians should also pick an EMR that has a history of working with the federal government. No one wants to invest thousands in an EMR that doesn’t meet government standards.
Investing in your Practice
Cost is the major barrier that prevents most practices from adopting an electronic medical record (EMR). Most people are uncomfortable purchasing something that costs more money than they have, which is reasonable. However, EMRs are investments that will give you a positive return over time. Today, we’ll look at five ways EMRs can bring you positive returns on your investment.
First, EMRs can reduce operating expenses. They streamline your practice, and help you operate more quickly and efficiently. You can even increase the number of patients you see with less staff. We’re not suggesting you fire anyone, just let natural attrition occur. With an EMR, your practice can easily handle the workload with less staff. You can save up to $45,000 per year with one less employee. That alone will cover the cost of most systems.
Second, EMRs can reduce costs associated with paper. Most practices spend a lot of money managing paper. Printer paper, ink cartridges, and toner all cost money. How many of these items do you buy each quarter? The real cost of paper is in labor. How much time does your staff spend dealing with paper each day? Include time spent copying, stapling, printing, faxing, filing charts, looking for missing charts or other documents, and entering paper-based data into the computer. You could spend around $6000 per year just managing paper. EMRs can eliminate this cost.
Third, EMRs can help you code at higher levels. Physicians usually do a lot of undocumented work. As far as CMS is concerned, if you didn’t document it, you didn’t do it. Documenting all your work can help you qualify for higher coding. A one-level increase is worth about $30. Multiply $30 by the number of encounters you have in a year, and you will see how EMRs can increase your revenue.
Fourth, EMRs can help you eliminate billing errors and reduce the number of rejected claims. Normal human error can cost you money – simply leaving off a zero on a bill could cost you a hundred or a thousand dollars. Aside from that, it takes time for employees to find and fix mistakes. You could spend over $1000 per year just fixing billing mistakes. EMRs can save you that money through automated data entry.
Fifth, the 2008 Economic Stimulus Act provides huge incentives for businesses to make large capital purchases. Section 179 of the act allows you to write off the full purchase price for items up to $250,000. It also offers 50% depreciation for items exceeding $250,000. Therefore, a $35,000 system would only cost you $22,750 after your deduction, assuming a 35% tax rate. The act expires at the end of this year though, so act fast.
As we’ve seen, EMRs can increase your revenue over time. Don’t think about them in terms of what they cost you now; think about how much money they will generate for you over time.
Security Made Simple – Using Passwords
Computer security can be complicated. There are lots of programs and technologies out there to protect your computers and networks. Today we’re going to talk about the most basic form of protection: passwords. Everyone is familiar with passwords; you probably have several for your personal email account, your credit card and bank accounts, and maybe one for a social networking site. Passwords are sometimes your only line of defense, so it makes sense to manage them carefully. Here are a few tips on creating passwords.
First, make sure you use a password. I have been to many medical practices that failed to protect their computers with passwords. Not only does this violate the HIPAA security rule, it also makes it extremely easy for anyone to snoop around on your computer. Remember that the greatest threat you face is from insiders: employees, patients, or even the janitor. Any of these people could snoop through your files, access protected health information, view your financial data, or even steal from you.
Most Windows computers boot to the administrator account when you turn them on for the first time. The absolute first thing you should do is create a new user account, preferably with your first and last name, and give it a strong password. Avoid the temptation to just use the computer as-is. Creating a user account only takes a few minutes, and it will come in handy if you need to use secure file sharing.
Second, you should choose a strong password. Passwords do not help much if they are easy to guess. You should avoid using someone’s name, your pet’s name, your phone number, address, your birth date, or any complete word in any language, including Latin. Password crackers can easily guess words.
The challenge is coming up with a strong password that is difficult to guess. The best way is to take bits and pieces of something you can remember. The last thing you want is a password you have to write down. Here are a few tricks to creating passwords. Some of these are stronger than others.
Swap letters with numbers and symbols. Take the word “password,” and exchange some of the characters like this: p455w0rd.
Interpose numbers between letters. This method is not as secure, but it is easy to remember. Instead of “password,” use p1a2s2s4w5o6r7d8.
Mix and match. Take some letters from your middle name, some letters from the town you grew up in, and some digits from your parents’ phone number. For instance, you could use Allmar426.
Now that you have a strong password, be sure not to write it down anywhere, and definitely do not share it with anyone else.
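A check that could be run on a proposed password before it is accepted, as an added example that is not part of the original post: it undoes the letter-swap and interposed-number tricks described above and compares what is left with a word list. The word list, the substitution map and the 8-character minimum are constructed assumptions for illustration.

```python
import re

# Constructed sample word list (assumption); a real check would load a large
# dictionary plus staff names, pet names and local place names.
WORDLIST = {"password", "welcome", "doctor", "atlanta", "grady"}

# Common digit/symbol-for-letter swaps (assumed map, not exhaustive).
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

def candidates(password):
    """Return the simplified forms of a password that a guessing tool also tries."""
    lower = password.lower()
    return {
        lower,
        lower.translate(LEET),                       # undo swaps: p455w0rd -> password
        re.sub(r"[^a-z]", "", lower),                # drop interposed digits and symbols
        re.sub(r"^[^a-z]+|[^a-z]+$", "", lower),     # drop leading/trailing digits
    }

def check_password(password, min_length=8):
    """Return the reasons to reject a password; an empty list means none were found."""
    if not password:
        return ["no password set"]
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    hits = sorted(candidates(password) & WORDLIST)
    if hits:
        problems.append("reduces to dictionary word: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    # The three example passwords from the tips above.
    for pw in ("p455w0rd", "p1a2s2s4w5o6r7d8", "Allmar426"):
        print(pw, "->", check_password(pw) or "no problems found")
```

An empty result only means the password survived these particular checks; it does not measure how hard the password is to guess by other means.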