Have you heard of the term “Big Data”? My guess is that for many orthodontists the term is likely a bit like the term “The Cloud.” They may have a general idea of the concept, but are not entirely sure how it is or will be important to them. In fact, there is a strong relationship between the two terms that I will discuss later in this article. First, however, let’s look at “Big Data” by itself. According to Wikipedia, “Big data is a blanket term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.”
In 2009 the United States Congress passed the American Recovery and Reinvestment Act (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH). [For a detailed summary of this legislation please see Kirt Simmons’ blog posting from July 9, 2012, “The Electronic Patient Record: How it Affects the Private Practitioner”]. One of the requirements of HITECH is that full implementation of electronic health records (EHRs) for all patients is required by 2016. The requirements of this act specifically pertain to healthcare providers who participate in the Medicare and Medicaid programs. That means that currently few dentists are covered by this mandate. However, this does not mean that we are not being affected. Since 2009 doctors and hospitals across the country have spent billions of dollars, with the help of government subsidies, converting paper-based systems to electronic, digitally based health records. These new digital systems are now collecting vast amounts of valuable data related to patient care. Much of this information was collected before the legislation, but in a paper, non-standardized format that was not easily aggregated and retrieved for meaningful analysis. The value of all of this collected digital data is only beginning to be fully understood. Big Data from all healthcare providers is being aggregated, and programs to analyze the data are being used to improve the quality, safety, and efficiency of patient care. Hospitals are examining treatment protocols and doctors are making better informed treatment decisions based on the previous care of thousands of similar patients.
As I stated earlier, the EHR requirement of HITECH does not specifically pertain to most orthodontists, so why is this important to us? Many orthodontists have converted, or are now in the process of converting, their practices to paperless systems (without the assistance of the government money). Several of the orthodontic-specific software vendors offer cloud-based systems, and here is where “Big Data” and “The Cloud” come together. The aggregation of data from hundreds or thousands of individual private orthodontic practices into cloud servers is beginning to open the door for data analysis (mining). Just think about how valuable that information can be to our patients and practices. Most of the research studies published in our journals today involve treatment samples of fewer than one hundred. The biannual Journal of Clinical Orthodontics Practice Study generally relies on the input from a few hundred survey responders (out of a possible pool of more than 8,000). Wouldn’t it be helpful for us to know the most efficient type of Class II corrector based on the actual metrics collected from the previous care of thousands of patients treated in practices all across the country or the globe? Wouldn’t the knowledge that your treatment times/appointments vary significantly from the national or regional averages be useful? There is little question that access to “Big Data” analytics will offer our profession the opportunity to improve treatment quality, safety and efficiency for our patients, just as it is beginning to do for the other fields of healthcare.
By Steve McEvoy, Technology Consultant
There is a new Virus threat spreading quickly across the Internet currently that is particularly wicked. It’s called CryptoLocker. I am writing this because I think there is some chance you could be at risk, either with your home PC or work computers. We had five people call us infected on the first day the virus was out. Please take a minute and read through this to the end where I suggest what you can do to help prevent getting infected.
The virus’s design has made it so that even current Antivirus products running in your firewall and antivirus software on your PCs aren’t detecting it until it’s too late, if at all. The antivirus companies are trying to respond, but the virus ‘morphs’ each time it replicates, so it’s slippery for them to detect and block or quarantine.
What does it do?
In short, the virus is a form of Ransomware. Once it gets into your PC, it ‘encrypts’ all your personal files and data, and then holds your data hostage for ransom. In this case they want $300 to provide you with the unlock code to decrypt your files and remove their application.
To motivate the affected user to quick action, they only give you 72 hours to act, then the data is lost forever.
Its design is such that if your IT person then tries to remove it, this will leave your files encrypted forever.
It gets worse. If your PC has external media like USB hard drives and USB keys attached, it encrypts those too. Imagine if your Backup drive was attached, it would be encrypted and unusable to restore your data from before the attack. Even worse, if your infected PC is connected to a network and you have connections to a Server, it reaches out and encrypts the data on the Server too. If you use a Cloud based storage like Dropbox or Google Drive, it will encrypt the data within those folders as well. If you use Internet Backup, the backup will pick up copies of the encrypted files. A giant mess.
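The paragraph above points out that a backup drive or Internet backup that was connected during the infection will contain encrypted copies of your files. One check an IT person can run before trusting such a backup is to measure how random each file’s bytes look: genuinely encrypted files are close to uniformly random, while notes, spreadsheets and documents are not. The script below is an added example, not code from the original post or from MME Consulting; the threshold, the minimum size and the sample “backup set” are constructed for the example.

```python
import math
import random
from collections import Counter

# Encrypted files are close to uniformly random, so their byte entropy sits near the
# 8-bit ceiling; office documents, notes and CSVs sit far below it.
ENTROPY_THRESHOLD = 7.5   # bits per byte; chosen for this example, not taken from the post
MIN_SIZE = 256            # tiny files give noisy entropy estimates, so they are not judged

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for pure repetition, about 8.0 for random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the content is large enough to judge and looks like ciphertext."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) > threshold

def triage_backup(files: dict) -> dict:
    """Map each file name to a verdict so you can see which copies are unusable for a restore."""
    return {name: ("looks encrypted" if looks_encrypted(content) else "looks intact")
            for name, content in files.items()}

def encrypted_fraction(files: dict) -> float:
    """Share of files that look encrypted; a sudden jump across a whole backup set is the red flag."""
    if not files:
        return 0.0
    return sum(looks_encrypted(c) for c in files.values()) / len(files)

# Constructed stand-ins for a backup set: no real patient data and no real CryptoLocker output.
_rng = random.Random(7)
SAMPLE_BACKUP = {
    "notes.txt": b"Patient arrived on time. Adjusted archwire, next visit in 6 weeks.\n" * 40,
    "ledger.csv": b"date,patient_id,amount\n2013-10-01,1001,150.00\n2013-10-02,1002,75.50\n" * 60,
    "notes.txt.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),   # ciphertext stand-in
    "empty.tmp": b"",
}

if __name__ == "__main__":
    for name, verdict in triage_backup(SAMPLE_BACKUP).items():
        print(f"{name:20s} {verdict}")
    print(f"encrypted fraction: {encrypted_fraction(SAMPLE_BACKUP):.2f}")
```

Run it against the restored copies rather than the live machine. One caveat: compressed formats (zip archives, JPEG photos, many PDFs) also have high entropy, so treat a hit on those as a prompt to open the file on a clean PC, not as proof; the useful signal is the fraction of ordinary documents that suddenly look random.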
What can you do if it happens to you?
If you get hit by this virus – make a note of the time you have left (in the 72 hours) and then SHUT OFF THE PC entirely! The longer it remains on, the more time it has to search and encrypt more files. It might be prudent to disconnect the network cable too if you are connected to an office network. Contact your IT person immediately for their assistance in recovery.
Our experiences so far indicate there is no way to simply clean it and recover like other spyware or viruses. If you have a backup that is safe somewhere (not connected to the infected PC), this is your best option for recovery, but don’t try to recover data to a machine infected with CryptoLocker; it will just destroy that precious backup. Backups come in many forms, so I can’t tell you exactly how to best use it, but your IT person can. It’s highly likely that you will need to reinstall Windows on your PC, and then restore your data to this clean PC (huge hassle). If your Server’s data got infected, you’ll need to restore that data as well.
Your very, very last option is to pay the ransom. In most Ransomware attacks, paying the ransom does not unlock your data (why would they?). We have seen reports that paying the ransom in this particular case has been unlocking the data as indicated. You are paying criminals, who will just use that money to do more evil things. Think hard about this before you consider it. Might it be better to lose the data you ‘sort of need but could reconstruct’ than to propagate this issue and reward a criminal?
How it’s getting in
I can’t tell you for certain how it’s been getting in (which is troubling). With its ability to slip through the Antivirus filters, it comes down to this: there is no defense (yet) other than using your smarts. Reports to date seem to indicate it gets in using one of two methods:
- As an attachment to an email message. Typically something claiming to be a shipping notice or receipt for your review. A common lure to get you to try and open the attachment to see what it is, and if you open that attachment the virus sets in.
- If your computer is already infected with some mild spyware (pop-ups, other nuisances), they have found a way to exploit the Spyware’s communication methods to slip in and get started that way. This doesn’t need a user’s interaction, and is crazy scary.
To Defend Yourself:
- Don’t open attachments that come with emails unless you are 100% certain of the validity of the attached file. Meaning you should know who is sending it to you, why they are sending it, and you should have been expecting it. Even an emailed attachment from someone you know could be a cleverly disguised virus, so be SURE before you open it. You can always pick up the phone and contact that person to be sure they sent you something. YOU CAN’T rely on your antivirus software to defend you at the moment. You have to use your own smarts and avoid things that will trigger it.
- If you suspect that your PC has Spyware in any other way (acting weird, slow, pop-ups), contact your IT person to address this immediately. When in doubt, turn off the PC until your IT person evaluates it.
- Keep your Antivirus program up to date on a daily (or more frequent) basis. (If you are an MME client running Symantec Endpoint Protection, this happens automatically several times per day without your interaction needed.)
Basically, responsible surfing is the best defense.
I wish I had better news, but I thought I would at least give you a heads up for now.
Please spread the word to others in your office.
If you have any questions or concerns, please let me know.
MME Consulting, Inc.
4714 Duckhorn Drive
Sacramento, CA 95834-2592
Toll Free: (866) 419-1102 (ext. 2008)
Fax: (916) 419-1103
By Steve McEvoy, Technology Consultant
Is Your UPS Connected Right?
If you have a ‘Server’ in your Practice (a computer that holds all your precious data), it’s probably protected by a device called an Uninterruptable Power Supply (UPS). The UPS’s job is to keep the Server running for a short period of time in the event of a power failure. They are essentially a small battery pack. Servers shouldn’t just be switched off in a power failure else you run the risk of corrupting data that was in use at the time (like your Management software that runs your Practice). You could even corrupt the entire Server operating system leaving it unusable. A properly installed and configured UPS is your protection against this corruption. I say ‘properly installed and configured’ because in many offices this is not the case.
In Part 1 of this article we covered watching out for Surge Only ports and linking the UPS to the Server with its Communication Cable properly. Here are the final few issues that you should check on for your Practice.
You Get What You Pay For
A UPS is designed to generate AC power (Alternating Current, the same as your building) when your power fails. It does this using batteries contained within the UPS. These batteries are like the battery in your car and they store DC (Direct Current) power. All UPS’s generate AC power from their DC reserves, and this is done with a DC-to-AC power converter (an inverter). The problem is that not all power converters are created equal, and lower quality units generate a ‘stepped’ or modified sine wave rather than the pure sine wave that your Server prefers/needs. They do this because it’s cheaper to make. A simulated stepped sine wave can cause all sorts of odd problems for your Server. I’ve seen Servers that don’t power up every time, or don’t run at all, when on UPS battery power, some that reboot randomly, and other power related issues. You may not even know you have this issue (yet – until the power goes out). All of these issues can result in corruption of your data. You should verify that your UPS is a true sine wave model by looking up the specifications online. If you need a new UPS, verify this prior to purchasing.
Figure 2 – Depiction of a Stepped Sine Wave DC to AC power conversion vs. a true Sine Wave
Figure 3 – Specifications of a UPS with a true Sine Wave output
Figure 4 – Specifications of a UPS with a Stepped Sine Wave. Note the listing of some Surge Only plugs
Batteries Wear Out
Just like your car battery, the batteries within a UPS have a limited lifespan. I expect them to last 3 to 5 years at the most. This means that they usually do not outlast the life of the Server. If your UPS is more than 3 years old it might not be providing the protection you think it is. In the worst cases, I’ve seen old batteries unable to keep the Server up for more than a handful of seconds, not enough time to allow an orderly shutdown. If this were the case, you could be risking data corruption. Many UPS’s have built-in periodic self-tests to watch for this problem, and typically will turn on some form of LED saying ‘replace battery’ if it needs servicing. Personally I recommend that you undertake a ‘calibration’ of the UPS once every six months. A calibration will simulate a power failure and time how long the battery will last prior to depletion. Since it’s an actual test, you can trust the result. If the UPS has insufficient runtime when on battery, it is time to do something about it. Most UPS’s have replaceable batteries, and I would say this is a good option to follow if your UPS is properly installed and configured already as noted above (why go through all that setup with a new UPS if you can just rejuvenate your old one?). The battery won’t be cheap, but it will be less than the price of replacing the UPS. Installing it is usually a fairly simple process, but be sure you do it with the Server OFF and follow the manufacturer’s instructions. Be sure to recycle that old battery.
Figure 5 – Typical UPS Replacement Battery
Pull the Plug
Once you think you have all these issues in order, you might consider a real life test to be absolutely sure you have it all configured right. Pull the plug (the main power cord to the UPS) to make the power fail, and watch ALL the results until the Server has shut down properly. Plug the cord back in and see if it all starts back up. Make sure that everything that ‘should’ happen actually does. Do this when the Practice is closed and shutting down the Server won’t be a disruption. Not the most exciting way to spend 20-30 minutes of your life, but taking the time now to be sure the entire system is working right can give you some peace of mind.
By Steve McEvoy, Technology Consultant
Is Your UPS Connected Right?
If you have a ‘Server’ in your Practice (a computer that holds all your precious data), it’s probably protected by a device called an Uninterruptable Power Supply (UPS). The UPS’s job is to keep the Server running for a short period of time in the event of a power failure. They are essentially a small battery pack. Servers shouldn’t just be switched off in a power failure else you run the risk of corrupting data that was in use at the time (like your Management software that runs your Practice). You could even corrupt the entire Server operating system leaving it unusable. A properly installed and configured UPS is your protection against this corruption. I say ‘properly installed and configured’ because in many offices this is not the case. Here are the issues that you should check on for your Practice.
Beware of Surge Only Ports
Some models of UPS’s have a combination of battery protected outlets and surge protected outlets, and this is where the problems arise. UPS’s are surge protectors as well as battery backups. In some units the manufacturers might provide 3 outlets on the back with full surge and battery protection, and then 3 additional ports with just surge protection (to use for less important peripherals such as a monitor). These ‘Surge Only’ ports are the problem I want to warn you of. It’s a simple enough mistake to not realize these ports don’t have the battery protection for your Server that you’d expect, and to accidentally plug your Server into one of them. In a power failure, your Server will slam off, risking the corruption you sought to avoid. The solution is simple: check to see if your UPS has a mix of ports, and if so, verify that your Server is plugged into one of the battery protected outlets. The manufacturer usually clearly labels the ports for you to see.
Figure 1 – Example of UPS with several Surge Only ports. Notice they are clearly labeled
Don’t Forget the Communication Cable
In the event of a power failure, the UPS can only keep the Server running for some small amount of time (usually 5 to 20 minutes). Larger UPS’s can run longer (perhaps an hour), but eventually they will run out of battery reserves and shut off. To avoid slamming off the Server, most UPS’s have a communication cable that can be hooked to the Server (typically via USB) and allow it to ‘tell’ the Server when it’s about to turn the power off. The Server typically has a small program from the manufacturer installed that is used to ‘hear’ this message from the UPS and, when it does, begin an ‘orderly shutdown’ of the Server, essentially the same process as you walking up to the Server and clicking on Shutdown. Some people think “I can just go shut down the Server myself if the power fails”, but what if the failure occurs at night, or while you are at lunch, etc.? I see setups all the time where the UPS is installed and the critical cable and/or software aren’t. Without them, you are just delaying the power failure for a few minutes and the corruption can still occur. Check that your UPS is set up to communicate with your Server properly.
To be continued …
In Part 2 of this article we’ll discuss two more important aspects of your UPS system that are essential to check.
Rio Rancho, NM – www.gregjorgensen.com
I recently watched the AAOIC’s Annual Risk Management DVD and took the quiz so that I could save 10% on my insurance premium. One of the new topics mentioned was cyber liability insurance. I had never heard of it. What is it and do you really need it?
According to InsureNewMedia, a company specializing in insurance solutions for technology, software, and Internet businesses, (http://www.insurenewmedia.com/pages/cyberliability.asp), if you have a website you are legally considered a publisher and are liable for all things associated with it. These include infringements of intellectual property, virus transmission, and email liabilities of all types.
Do you have legal rights to all of the pictures used on your website? How about the content found thereon? The InsureNewMedia story cited an example of a 1999 lawsuit in which a website was successfully sued for improperly displaying a sport celebrity’s name and photograph. The settlement for “fair market value” was $750,000. The legal area of cyber liability is in its infancy and there is no telling what will be included in future lawsuits.
In her article “6 Reasons You Should Have Cyber Liability Insurance,” (http://www.inc.com/minda-zetlin/6-reasons-you-should-have-cyber-liability-insurance.html) Minda Zetlin explains another common liability that faces small businesses: the breach of the data on our servers. Cyber liability insurance may cover the costs of notifying patients, income lost by the interruption of your business due to a malicious hack, the hiring of a PR firm to repair damage to your reputation, and even fines imposed for HIPAA violations. Zetlin also states that we are legally liable for patient data that is hosted “in the cloud.”
The AAO Insurance Company’s general liability policy excludes issues related to the Internet. If you want to be covered, you will need to invest in a separate cyber liability policy. For more information, call the AAOIC at (800) 622-0344.
By Dr. Greg Jorgensen
Rio Rancho, NM – www.gregjorgensen.com
I have exciting news. This will be my last blog post because I am retiring. This past week I received an email from South Africa notifying me that a distant cousin who was pretty high up in the government down there passed away without a will (I would have thought that most millionaires would have wills, but I’m not one to question). Anyway, turns out that I’m his closest living relative and I can lay claim to his entire twenty million dollar fortune just by emailing the trustee (who is an actual attorney) my name, address, social security number, bank account number and routing number, and $2,500 for legal fees. Once he gets that information, he’ll transfer the entire twenty million into my account and I can sell my practice and start traveling!
Obviously, none of us would fall for such a transparent scam as the one described above, and yet within the past month several of our AAO members turned over personal information in an online scam disguised as correspondence from the AAO. Thousands of AAO members received these emails from “email@example.com” notifying them that they had a security message and needed to access their online AAO profile to resolve the problem. Some very educated doctors innocently clicked the link provided in the email and entered their login information and personal data. The problem was that the AAO never sent that email. It just goes to show that it can happen to anyone.
Phishing is a type of online identity fraud in which criminals attempt to obtain personal information through misrepresentation. Pretending to be trusted businesses or organizations like banks, government, or online service providers (AOL, PayPal, etc.), criminals ask unsuspecting users to provide login names, passwords, and account numbers that can then be used to steal money and services. These requests might explain that there is a problem with your account and that you need to reset your password. They might tell you that they received your “recent order” and your account has been charged (BTW, if you didn’t place the order, you can just click on the link and enter all of your personal data to cancel it). They may notify you that your account has been placed on hold until you log in. They may just ask you to log in to your online account and verify the accuracy of the data. Regardless, there is always a hook that makes you think there is a problem, then a request for you to follow a link and give them personal information.
Here are some things you can do to avoid being duped:
- Is the email addressed specifically to you or is it generic? Is it to “Dear Dr. Jorgensen,” or is it to “Dear member”? Most phishing schemes involve millions of emails sent to random or collected email addresses where the name of the actual recipient is not known and therefore they are addressed to generic recipients.
- Do you even have an account with the bank or business? Many times the criminals will use random email generating algorithms that just happen to create your email address. If you’ve been contacted by the “Bank of America” about a problem but you don’t have an account with them, that is a dead giveaway!
- Does the email contain poor or incorrect spelling or grammar? Many phishing attempts originate in foreign countries. The probability of the AAO using bad grammar is decreasing all the time! (haha)
- Does the link actually point to the appropriate website? Hover your mouse pointer over (but DO NOT click on) the link provided in the email. Look at the status bar in your email window (usually the lower left hand corner) and see where the link will really take you. The link in the AAO email above read “Secure account log in,” but it pointed to “kikmfurniture.com/language/pdf_fonts-/www.aaomemebers.org/Association.html.” This is a way to see at a glance where the click would take you.
- Even if you think the email is legitimate, it is safest to go directly to the site yourself. Open a browser, log in to your account yourself without the aid of a link, and then see if the problem or request exists on the actual website.
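The hover test above can be automated for anyone who triages reported emails for a practice. The part that matters is the host the browser would actually connect to: in the AAO lure, the familiar-looking “www.aaomemebers.org” sits in the path of a kikmfurniture.com URL, so a check that merely searches the link for the expected domain name can be fooled. The script below is an added example, not code from the original post or from the AAO; the expected domain “aaomembers.org”, the second lure URL and the sample message body are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_host(href: str):
    """Host the browser would actually connect to, or None for non-web links (mailto: etc.)."""
    parsed = urlparse(href)
    if parsed.scheme == "":
        parsed = urlparse("http://" + href)   # links written as bare 'host/path', as in the post
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()

def host_matches(host: str, expected_domain: str) -> bool:
    """The expected domain itself or one of its subdomains; nothing else counts."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def naive_check(href: str, expected_domain: str) -> bool:
    """The mistake to avoid: a substring test passes when the real domain merely appears in the path."""
    return expected_domain.lower() in href.lower()

def suspicious_links(html_body: str, expected_domain: str) -> list:
    """Links whose real host is not the sender's domain, with the text that disguised them."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = link_host(href)
        if host is None:
            continue
        if not host_matches(host, expected_domain):
            findings.append({"text": text, "href": href, "host": host})
    return findings

# Constructed message body modelled on the lure in the post. The second link is invented
# to show why substring matching fails; the expected domain is assumed for the example.
EXPECTED_DOMAIN = "aaomembers.org"
SAMPLE_EMAIL = """
<p>Dear member, there is a security message on your profile.</p>
<p><a href="kikmfurniture.com/language/pdf_fonts-/www.aaomemebers.org/Association.html">Secure account log in</a></p>
<p><a href="http://evil.example/login/www.aaomembers.org/index.html">Verify your account</a></p>
<p><a href="https://www.aaomembers.org/">Visit the AAO site</a> or <a href="mailto:help@example.org">email us</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, EXPECTED_DOMAIN):
        print(f"'{finding['text']}' really goes to {finding['host']}  ({finding['href']})")
```

The design point is that `host_matches` is applied to the parsed hostname only; `naive_check` is kept in the block purely to show that the invented second link would pass a substring test while its real host is evil.example.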
These are just a few ideas for keeping private information safe. Scammers are trying to exploit every new technology and technique to make a buck. Be careful when you are online. Be equally careful when you receive an Internet link in an unsolicited email.
By Steve McEvoy, Technology Consultant
Is your password based on your name or one of your family members? How about some number related to your birthday? Your favorite Disney character? A pet’s name? The numbers to your home or office? I’ve seen all these approaches, and unfortunately so have the hackers.
In recent weeks hackers have stepped up their attacks on the Internet. One of their latest exploits includes using other infected computers as Robots (Bots) to attempt to login to computers connected to the Internet with RDP Remote Access enabled (see my other blog article on the details of this, and how to defend yourself from it). They can make a try every one or two seconds, easily more than 40,000 tries per day. They don’t get tired and they don’t give up easily. If you have a simple password, it increases the chances a hacker could get through. This is just one of many reasons to have a good password.
What makes up a good password?
The obvious answer is something that no one could guess or reasonably hack. Five or more years ago, it was generally accepted that a good password included:
- A mix of upper and lower case
- At least one number
- At least 7 characters in length
For example, ‘cowboy’ was a bad password, but ‘Cowboy7’ was a good one. But alas, in today’s more hostile environment Cowboy7 is now considered a weaker password.
S6&k#)Y3f^dT!a would be a great password, but incredibly difficult for you to remember.
Somewhere there needs to be a balance between security and functionality. This is even further compounded by the strong suggestion that you should NEVER use the same password in two places, meaning that you will need to remember multiple complex passwords. In my opinion, a stronger password today should include at least:
- One or more special characters such as !@#$%^&*()
- At least one number, preferably two or more
- A mix of upper and lower case
- At least 7 characters in length, more (10+) is better
- A non-dictionary word, ideally something totally random
I suggest inventing some algorithm in your mind to create your passwords. Start with some totally random thought like “The Quick Brown Fox Jumped Over the Lazy Dog” or “My Car is Blue”. Then take the first or last letter of each word, such as “TkBxJrLg”. Now blend in random numbers and syntax, and it might become “Tk5Bx@Jr&Lg”. Invent your own system in a way that you can remember it.
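To make the criteria in the list above and the mnemonic in this paragraph concrete, here is an added example (not code from the original post or from MME Consulting) that scores a password against each listed criterion, derives a password from a phrase the way the post describes, and generates a random one that satisfies every criterion. The dictionary stand-in, the “strong” cut-off of 10+ characters with two or more digits, and the reading that short lowercase words such as “the” and “is” are dropped from the phrase are assumptions made for the example.

```python
import re
import secrets
import string

SPECIALS = "!@#$%^&*()"          # the special characters the post lists
# Tiny stand-in for a dictionary; a real check would load a full word list (assumption).
COMMON_WORDS = {"cowboy", "password", "letmein", "welcome", "dragon", "monkey", "orthodontist"}

def password_findings(pw: str) -> list:
    """Which of the post's criteria the password fails; an empty list means it passes all of them."""
    failures = []
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mix of upper and lower case")
    if len(pw) < 7:
        failures.append("shorter than 7 characters")
    # Strip digits and symbols: 'Cowboy7' is still just the dictionary word 'cowboy' underneath.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in COMMON_WORDS:
        failures.append("built on a dictionary word")
    return failures

def strength_label(pw: str) -> str:
    """'weak' if any criterion fails; 'strong' once it is 10+ characters with two or more digits."""
    if password_findings(pw):
        return "weak"
    digits = sum(c.isdigit() for c in pw)
    return "strong" if len(pw) >= 10 and digits >= 2 else "ok"

def passphrase_to_password(phrase: str, fillers=("5", "@", "&")) -> str:
    """The post's mnemonic: alternate first and last letters of the words, then blend in fillers
    between each pair of letters. Short lowercase function words ('the', 'is') are dropped,
    which is our reading of the post's example, not a rule the post states."""
    words = [w for w in phrase.split() if not (w.islower() and len(w) <= 3)]
    letters = "".join(w[0] if i % 2 == 0 else w[-1] for i, w in enumerate(words))
    pairs = [letters[i:i + 2] for i in range(0, len(letters), 2)]
    out = pairs[0] if pairs else ""
    for j, pair in enumerate(pairs[1:]):
        out += fillers[j % len(fillers)] + pair
    return out

def generate_password(length: int = 14) -> str:
    """Random password from the OS CSPRNG that satisfies every criterion above."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    for _ in range(1000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_findings(candidate):
            return candidate
    raise RuntimeError("could not generate a compliant password")

if __name__ == "__main__":
    for pw in ("cowboy", "Cowboy7", "S6&k#)Y3f^dT!a"):
        print(f"{pw:16s} {strength_label(pw):7s} {password_findings(pw)}")
    print(passphrase_to_password("The Quick Brown Fox Jumped Over the Lazy Dog"))
    print(generate_password())
```

With the post’s own examples, ‘cowboy’ fails every criterion, ‘Cowboy7’ still fails two (no special character, and it is a dictionary word with a digit bolted on), and the phrase “The Quick Brown Fox Jumped Over the Lazy Dog” comes out as “Tk5Bx@Jr&Lg”, the post’s result.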
You should also change your passwords periodically. Microsoft suggests every 30-60 days. I don’t know about you, but my brain probably can’t hold that much change and complexity. I think at least once per year is a good start.
Some resources that you might find handy
Store your passwords in a safe place: Why try to remember them all when you can store them in a database? One of many free applications to store all your passwords in an encrypted database is called Password Safe. It has Windows and Android smartphone versions, so you can have your passwords with you wherever you are. Password Safe also has a nifty feature where it will generate a hard, random password automatically for you. If you write it down on paper (gasp), lock it in a safe (seriously). Don’t put it on a post-it note next to the computer or under the keyboard.
Random Password Generator: Not feeling creative, and want a computer to generate a really hard random password for you? One of several free ones available on the Internet is StrongPasswordGenerator.com. You tell it how long you want the password and if you want symbols, and it generates it for you. If you use this, remember to document the password somewhere in case you forget (and you will).
Want to learn what Microsoft thinks is a good online password, read it here.
Whatever your password is I hope this inspires you to review it and change it as needed. Think beyond just your own password, and review EVERY password on your practice network. Enlist the help of your IT person if needed.
An Electronic Dental Record (EDR) is simply the dental equivalent to the EMR, and describes what almost all dental professionals who are keeping “electronic records” are currently keeping. It contains the dental and treatment history of patients in one practice (although this may be a large group practice with multiple clinicians). It has the same problem as an EMR in that information in the EDR doesn’t travel easily out of the practice and in addition it typically does not integrate with other medical data.
An Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports (per the Healthcare Information and Management Systems Society- HIMSS). The EHR focuses on the total health of the patient in that it reaches out beyond the health organizations (clinicians’ offices or hospitals) that originally collect the information. They are “built” to share information with other health care providers and the information “moves” with the patient between health facilities/providers. In addition, EHRs are designed to be accessed by all persons involved in a patient’s care, including the patients themselves. Indeed, that is an explicit expectation in the Stage 1 definition of “meaningful use” of EHRs (“meaningful use” is a term developed by the ONC to describe use sufficient to apply for funds set aside to increase EHR adoption). An EHR would ideally include all dental, medical, pharmacy, chiropractic, etc. records in essentially “real time” and be “qualified” and “certified” as such.
A “qualified” EHR, per Section 3000, Definitions, of Subtitle A, Part 1, of Title XIII in the American Recovery and Reinvestment Act (ARRA) of 2009, includes:
“An electronic record of health-related information on an individual that-
(A) Includes patient demographic and clinical health information, such as medical history and problem lists
(B) Has the capacity—
(i) to provide clinical decision support
(ii) to support physician order entry
(iii) to capture and query information relevant to health care quality
(iv) to exchange electronic health information with, and integrate such information from other sources.”
Many advantages have been touted for EHRs. Among these are their ability to consolidate all dental, medical, pharmacy, chiropractic, etc. records in a single “location”; their ability to allow emergency departments to quickly be aware of any life threatening conditions, even if patient is unconscious; the ability of a patient to log on to their own record and see the trend of lab results over the last year for instance, which can help motivate them to take their medications and keep up with the lifestyle changes that have improved the numbers; ability of the EHR to be stored “off site” securely so it is not lost in disasters (i.e. Katrina, tornados, fires, etc.); lab results run last week are already in the record for a specialist to access without running duplicate tests; prescriptions, notes, and orders are legible; notes from a hospital stay can help inform discharge instructions and follow-up care, especially if the patient will be followed up in a different (more local) care setting; patients seeing new clinician / clinic do not have to enter their information or their child’s or carry paper copies with them; and public health officials and researchers can more readily be alerted to, respond to, and research illness trends (SARS, Swine Flu, influenza, etc.), treatment differences, outcomes differences, etc.
A Personal Health Record (PHR), sometimes called a Patient-Controlled Health Record (PCHR), is a patient created electronic record that conforms to certain interoperability standards (the same as EHRs). It can be drawn from multiple sources. It is managed, shared, and controlled by the individual patient. The patient may or may not choose to grant other entities access to it since it is controlled by the patient (unlike EHRs). The intent is to allow PHRs and EHRs to interact if desired and allowed by the patient.
There are many factors currently “driving” the change to EHRs: Congress, The American Recovery and Reinvestment Act (ARRA) of 2009 (including the Health Information Technology for Economic and Clinical Health Act [HITECH]), the President, third party payers (Medicaid, insurance companies, etc.), technology and software vendors, standards organizations (DICOM, HL7, etc.), public demand (in response to Hurricane Katrina, etc.), researchers, and public health organizations. One of the most prevalent of these “driving forces” is the HITECH Act. The objectives of the HITECH Act are to leverage health information technology (IT) so that health care providers will have: accurate and complete information about a patient’s health so they can give the best possible care, whether during a routine visit or a medical emergency; the ability to better coordinate the care they give (especially important if a patient has a serious medical condition); a way to securely share information with patients and their family caregivers over the Internet (for patients who opt for this convenience); and the chance to allow patients and their families to more fully take part in decisions about their health care. Per the framers of this legislation, this increased access to health information will help clinicians diagnose health problems sooner, reduce medical errors, and provide safer care at lower costs. This legislation also claims that widespread use of health IT can make our health care system more efficient, reduce paperwork for patients and doctors, expand access to affordable care, and build a healthier future for our nation.
The “overseer” of the EHR in the U.S. is the Office of the National Coordinator for Health Information Technology (ONC). This office was set up to support adoption of health IT and promotion of a nationwide health information exchange to improve health care. The ONC is part of the Office of the Secretary for the U.S. Department of Health and Human Services (HHS). It is headed by the National Coordinator; the office was created in 2004 through an Executive Order and was legislatively mandated in the HITECH Act of 2009. Dr. David Blumenthal is the current National Coordinator, but he is stepping down in the spring of 2011.
Some important issues are how the EPR will be accessed and where it will be stored. Individual PHRs will be kept by patients and stored by them (USB, CD, DVD, etc.). For EHRs there are several potential options that have been proposed, including the National Health Information Network (NHIN), an as yet unidentified national repository, or Health Information Exchanges (HIEs, which are specific regional/area/network repositories).
This has not yet been finalized as of this writing, but regardless of which option is chosen it will require standards for interoperable access to the data, whether in a single central repository or across multiple HIEs.
The NHIN was formed to create a common platform for health information exchange across diverse entities, within communities, and across the country. Its purpose was to promote a more effective marketplace, greater competition, and increased choice through accessibility to accurate information on health care costs, quality, and outcomes. In essence, this is what is generally thought of as the “ideal”: a single, national, all-inclusive database for all citizens. An HIE, on the other hand, is a state or regional program set up to ensure the development of health information exchange within and across its jurisdiction. These are currently being advanced as a more readily implemented means of meeting the aggressive EHR implementation timelines. Of course, in order for different HIEs to be able to interact and “play well” with each other they all need to be “speaking the same language,” and this requires accepted standards. The standards that are relevant for EHRs include the Digital Imaging and Communications in Medicine (DICOM) standard, which is the established standard for the exchange of digital information between medical imaging equipment (e.g. radiographs, photographs, digital models, cone beam computed tomographs, etc.) and other systems. Hospitals have long used the DICOM standard in their radiology departments, which allows any type of radiograph obtained at one hospital to be transported, accessed and used at any other hospital, regardless of its radiology software program. Another EHR standard in use is the Health Level 7 (HL7) standard, which is the established standard for data exchange, management and integration to support clinical patient care as well as the management, delivery and evaluation of healthcare services (e.g. billing, demographics, outcome measures, etc.).
What’s the timeline of the EHR? In his 2004 State of the Union address then President George W. Bush set as a goal for most Americans to have a universal EHR by the year 2014. In 2009 Congress passed the ARRA and HITECH legislation, which established further guidelines for the development, adoption and implementation of the EHR. Per this legislation, by 2010 the rules, definitions (especially for “Meaningful Use,” a term used in the legislation), certification process and certification bodies were identified and developed. In 2011 Stage 1 of the implementation process will be completed. Stage 1 consists of “Data Capture,” the electronic capture of health care information in a standardized format. In 2013 Stage 2, “Data Aggregation,” the electronic exchange of the collected health information, will occur in order to improve the quality of care. In 2015 Stage 3, “Data Use for Outcome Impact,” will occur as necessary to improve the quality, safety and efficiency of healthcare through clinical decision support (CDS) and patient management tools. By 2016 full implementation (i.e. all healthcare providers will be fully using EHRs and all persons will have one) will be completed. The legislation initially provides for financial incentives if healthcare providers/organizations “qualify,” but these quickly change to disincentives for those who do not comply. For instance, this year (2011) healthcare providers who do not begin e-prescribing drugs (i.e. “write” a certain percentage of their prescriptions electronically) will have their payments through Medicaid reduced.
This brings us to the Medicaid EHR Incentive Program legislated by the HITECH Act. This program provides incentive payments to eligible professionals and eligible hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology in their first year of participation and demonstrate meaningful use for up to five remaining participation years. There are minimum Medicaid patient volumes to be eligible, which differ by state. The program is voluntarily offered by individual states and territories and begins as early as 2011, depending on the state. Eligible professionals (including dentists) can receive up to $63,750 in funds over six years if they choose to participate in the program and meet all requirements. There are no payment adjustments under the Medicaid EHR Incentive Program. By contrast, just to be confusing, the Medicare EHR Incentive Program provides incentive payments to eligible professionals and eligible hospitals that demonstrate meaningful use of certified EHR technology. Participation in the Medicare Program can begin as early as 2011, with eligible professionals able to receive up to a maximum of $44,000 over five years under the Medicare EHR Incentive Program for treating patients that qualify under Medicare. In addition, if the eligible professionals provide services in a Health Professional Shortage Area (HPSA) they qualify for additional incentives above the $44,000 maximum under the Medicare EHR Incentive Program. For the maximum incentive payment, Medicare eligible professionals must begin participation by 2012. For 2015 and later, Medicare eligible professionals, etc. that do not successfully demonstrate meaningful use will have a “payment adjustment” (read: reduced payment or penalty) in their Medicare reimbursement. In order to qualify for either the Medicaid or the Medicare EHR Incentive Program, eligible healthcare providers must use a certified EHR program and demonstrate meaningful use of the program for their patients.
For dentistry, as of this writing (early 2011), there is only one dental EHR software product that meets the Federal guidelines and has been certified as such.
A reasonable question for most dentists might be “Who cares?” There is no federal deadline for adoption of EHRs by dentists who do not submit claims to Medicare, and since “I don’t mess with Medicare/Medicaid” it’s not going to affect me. Unfortunately, although you may not “mess” with the public payer programs, the legislation IS going to “mess” with you! Specifically, new privacy and security provisions (on top of current HIPAA requirements) and accessibility requirements are among the ARRA / HITECH legislation provisions. These include privacy and security provisions extended to “business associates” (for instance laboratories, etc.), breach notification requirements, health information privacy education requirements for your staff, a requirement to honor withholding of protected health information from a health plan when a patient pays for treatment “out of pocket,” a prohibition of the sale of protected health information, a requirement for patient authorization for marketing and fundraising-related activities, new accessibility requirements for patient information (i.e. patients may request an electronic copy of their record and it must be provided, and in a timely fashion), and finally it authorizes patients the right to request an “audit trail” of all access to their record (i.e. who accessed their record, when, and why, for any reason!). The “final rules” have not yet been established, but it behooves you to stay aware of these upcoming requirements and be prepared to meet them before they are enforced. Theoretically a “certified” EHR program takes these requirements and provisions into account, so if one purchases and implements such a program in their practice they will be able to meet many of these provisions. Unfortunately, for any “early adopter” dentists who wish to implement a certified EHR program for their practice, there is only one at this time.
Several companies, although not currently certified, have indicated they are aware of the situation and are planning to eventually introduce a certified program. So one should check with their practice management software company for updates or “modules” to meet these requirements, and insist they provide them if they indicate they are not considering these issues.
Since the Government will be promoting and advertising the EHR heavily in all provider settings, patients will quickly expect dental offices to be EHR compliant as this becomes commonplace in the other “healthcare” settings they are exposed to. According to the ONC, more than 21,000 providers had initiated registration for the EHR Incentive Programs during the first month it was available (January, 2011), and more than 45,000 additional providers had requested information or registration help from Regional Extension Centers during this same time. In addition, it is quickly becoming obvious that third party payers will require offices to interact with them in an EHR compliant fashion (since it will save them money/resources); due to potential legal implications many malpractice/liability insurers may require their clients to be EHR compliant; privacy/security regulations will essentially require it (for instance, each office must have a “Privacy & Security Officer,” per DHHS Guideline 45 CFR, Part 146); pharmacies/DEA will likely require it; and lastly new (or updates to) imaging hardware/software will require DICOM compatibility.
Lastly, on a personal note, if and when one is contemplating their own PHR options it is useful to take into account the findings of a “Roundtable on PHRs” the ONC conducted and published in their blog of Dec. 3rd, 2010. At the PHR Roundtable, four panels of experts and industry representatives explored the growth of PHRs, focusing on the nature and adequacy of privacy and security protections. The key message to come out of this roundtable was that PHRs grow in value when people find them useful and trustworthy. Their usefulness grows as they are able to readily pull information from EHRs and other sources of clinical information, as well as from monitoring devices and mobile applications. The usefulness increases even more as that information can be organized to help people with their particular health care concerns and inform clinical decision-making.