2017 Winter Conference – Technology: Balancing Profit, Lifestyle & Patient Care

By Dr. Doug Depew

The 2017 AAO Winter Conference is quickly approaching. Our theme of this year’s meeting Technology: Balancing Profit, Lifestyle and Patient Care.  It promises to be a meeting filled with information for both newer and established practices to help make those tough decisions on what technology is important to use in our practices and when we may wish to invest in it.

The meeting will begin with keynote speaker Jack Shaw.   Mr. Shaw is a world- renowned technology futurist who will be discussing how cutting edge and disrupting technologies will change the way we do business and run our practices in the coming years.

IT guru Steve McEvoy will be answering some of those pesky questions we all have about computer hardware, effective and cost-efficient data backup, and security.   In the ever changing world of computers, what you hear at this meeting will certainly be different than what Mr. McEvoy would have talked about even a couple of years ago.

On Friday afternoon we’ll have a lively discussion by Drs. Greg Jorgensen and Neil Kravitz regarding building our practices through social media, websites, and Internet marketing. Their success in these areas has been paramount in growing their thriving practices.

Saturday morning will begin with Dr. Aaron Molen sharing his experience and thoughts on bringing emerging technology into our practices to help create more efficient and more comfortable patient care.

We’re excited to have Drs. Ed Lin and Christian Groth discussing how to integrate some of the latest technology hardware into our orthodontic practices. This includes workflows for using CBCT, Scanners and 3D Printing.

The conference will conclude with Chris Bentson and Charles Loretto with a discussion on how technology can affect the value and profitability in our practices. This should help answer the question about at what stage of practice a doctor might consider investing in advanced technology.

The location for the meeting is at the gorgeous Marriott Harbor Beach Resort and Spa in Ft. Lauderdale, Florida. The dates are February 10-11, 2017. The schedule is organized in a way to allow some time for afternoon recreation.

There will be plenty of time allotted for attendees to ask questions of the speakers to be sure all bases are covered.   To learn more and to register, visit https://www.aaoinfo.org/meetings/2017-winter-conference-technology-balancing-profit-lifestyle-patient-care

Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you have if you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  1. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  1. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).

CryptoWall Virus Affecting Practices

By Steve McEvoy, Technology Consultant

steveMWe are seeing a fast spreading outbreak of a new virus called CryptoWall affecting many practices.   Similar to the Cryptolocker virus that emerged last year, this virus seeks to encrypt all your precious data on your computer, and hold it for ransom (asking you to send them $500 USD in Bitcoin to get the decryption key).

What makes this virus so alarming is that as of a few days ago ZERO out of nearly 50 antivirus programs were able to detect it. None.

How to protect yourself

Eventually the Antivirus programs will catch up and learn how to detect it, but at this point in time you need to rely on your own wits and acting responsibly.

So far the virus has been arriving as an attachment to an email message (usually a ZIP or PDF file). We’ve seen it claiming to be airline ticket confirmations, monthly statements from the power company, shipping receipts, etc. Avoid ANY email with attachments that you are not 100% expecting. If you receive an email that you are unsure of – DON’T OPEN IT – and contact the sender by other means and confirm that they did send it to you.   Reading the email doesn’t infect your PC, only opening the attachment will.

Signs that you are infected

2The virus needs time to tackle the encryption.   The longer it goes undetected, the more of your data it can encrypt.   You will notice the PC running much slower than normal (since it is using the computers processing power to encrypt your files). You may see files named DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML on the desktop, documents, pictures, mapped drives or any location where you have data saved.


What to do if you suspect an infection

Open the DECRYPT_INSTRUCTION.HTML file and note the time remaining to decrypt your data (they only allow you a short period of time to send them the money before they destroy the data permanently). Once you have that information TURN OFF THE PC. The longer it remains online the more data it can encrypt. Do not attempt to run scans and clean the system, this only buys it more time to encrypt data. Do not connect any external drives to restore backups of data as it will attempt to encrypt your backups when it sees the drives. Contact your IT person IMMEDIATELY for their assistance in recovery.

A License is Required to Show Movies in Your Office

Recently, a number of AAO members have received a letter from the Motion Picture Licensing Corporation (MPLC) regarding the alleged improper showing of movies in waiting rooms or other areas of the members’ orthodontic offices. The most common letter received is a strongly worded offer to enter into a licensing agreement with the MPLC in order to avoid paying a hefty penalty for future violations.

The AAO has explored the possibility of a group purchasing discount that would cover all AAO members with the MPLC, but has not yet reached an agreement.  Concomitantly, the AAO is exploring other arrangements that would allow members to offer certain videos at a much lower cost than a typical licensing agreement with the MPLC, which costs approximately $340 per year.

Below are some frequently asked questions and answers regarding the MPLC and the display of movies in orthodontic offices:

Q. Is the MPLC a legitimate organization?  Its letter seems like a scam attempt.  
A. The MPLC is a legitimate organization and is at least one of the licensing companies for a number of large media companies, including Disney. It is not a governmental body. It has been known to use tactics that could be described as aggressive with potential customers.

Q. Can I show DVDs of movies in my office?
A. Yes, but you have to have a license to do so. The MPLC and other similar vendors offer umbrella licenses for a set yearly fee. Any showing of a movie that is intended for an audience larger than family or friends, without such a license, constitutes a public performance in violation of the US Copyright Act.

Q. I received a letter from MPLC stating that I am in violation of the law for showing movies without a license, but I don’t even have a TV in my office. Where did they get their information?  
A. A number of orthodontic offices have reported that they have received the letter, but are puzzled because they do not have TVs in their offices. It is unknown how the MPLC gathers its information relative to which offices show such movies without a license.

Q. I have been showing movies. What are my options?
A. You need to either stop showing the movies or buy a license.  Continuing to show the movies without a license puts you at substantial risk for a large penalty—anywhere from $750 to $150,000. Willing infringement, or continuing to show the videos after you have been notified that you are in violation, carries the highest penalties.

Q. Does the MPLC license cover every movie?
A. No. If you buy a license from MPLC or one of its competitors, you should verify with the company which videos you are allowed to show in your office.

Q. Can I simply put my TV on cable/satellite and broadcast CNN, Nickelodeon, the Disney Channel, etc.?
A. You need to check the contract you have with your cable/satellite TV provider to make sure you have the proper service.  Service listed as “residential” typically restricts public performances—i.e., showings for an audience larger than family or friends.

Q. Can I stream movies or TV shows from Netflix or a similar provider?
A. No. Netflix and its competitors restrict usage to personal use.

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

Screen Shot 2014-08-22 at 3.44.15 PMThe August 2014 complimentary lecture of the month is now online.  Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?  presented by Dr. J. Martin Palomo.


Do You Need Cyber Liability Insurance?

By Dr. Greg Jorgensen
Rio Rancho, NM – www.gregjorgensen.com

I recently watched the AAOIC’s Annual Risk Management DVD and took the quiz so that I could save 10% on my insurance premium. One of the new topics mentioned was cyber liability insurance. I had never heard of it. What is it and do you really need it?

According to InsureNewMedia, a company specializing in insurance solutions for technology, software, and Internet businesses, (http://www.insurenewmedia.com/pages/cyberliability.asp), if you have a website you are legally considered a publisher and are liable for all things associated with it. These include infringements of intellectual property, virus transmission, and email liabilities of all types.

Do you have legal rights to all of the pictures used on your website? How about the content found thereon? The InsureNewMedia story cited an example of a 1999 lawsuit in which a website was successfully sued for improperly displaying a sport celebrity’s name and photograph. The settlement for “fair market value” was $750,000. The legal area of cyber liability is in its infancy and there is no telling what will be included in future lawsuits.

In her article “6 Reasons You Should Have Cyber Liability Insurance,” (http://www.inc.com/minda-zetlin/6-reasons-you-should-have-cyber-liability-insurance.html) Minda Zetlin explains another common liability that faces small businesses: the breach of the data on our servers. Cyber liability insurance may cover the costs of notifying patients, income lost by the interruption of your business due to a malicious hack, the hiring of a PR firm to repair damage to your reputation, and even fines imposed for HIPAA violations. Zetlin also states that we are legally liable for patient data that is hosted “in the cloud.”

The AAO Insurance Company’s general liability policy excludes issues related to the Internet. If you want to be covered, you will need to invest in a separate cyber liability policy. For more information, call the AAOIC at (800) 622-0344.

Is That a HIPAA in Your Hip Pocket?

By Kirt E. Simmons D.D.S., Ph.D.

In this day and age it is “hip” to be connected everywhere and very easy given the nearly universal presence of powerful “smart” phones and tablets connected to the Internet.  My iPhone is in essence a much more powerful computer than my first Mac I bought in 1986 and able to communicate to others via text messaging, E-mail, internet blogs or forums, web sites (Facebook, Twitter, etc.), and voice.  In this day and age it is easily possible to access one’s patient records on such a device or a tablet, copy any of the information and relay it via any of the aforementioned methods.  It is also very easy to get high quality photographs with these devices, including of patients or any of their records.  Any of your patients with such devices can also easily capture photos of themselves or others in your treatment areas.

“Great!” You say, but beware of potential HIPAA violations with these devices.  Many health care workers and organizations in other environments (mostly medical to date) have run afoul of HIPAA in this regard and paid heavy fines, been personally sued, lost their jobs and/or lost public credibility/trust.  The classic example is the health care worker who “tweets” or posts on other social media sites about celebrities they have seen/treated in their facility (without the patient’s consent/knowledge of course!).  Even non-celebrities but extreme or “shocking” cases, easily identifiable without “naming names”, have been the subject of these illegal disclosures and resultant negative consequences.

As a health care provider, and especially if you are the owner or proprietor of your practice, you are responsible for any breaches of patient confidentiality by yourself or any of your employees and you are also responsible for that confidentiality in your facility.  For this reason many medical offices now require patients to turn off any cell phones, computers, tablet computers, or cameras while in treatment areas or leave them outside treatment areas.  The HIPAA regulations also require that ALL transmission of personal health information (PHI) be “protected”.  Common E-mail, text messaging, social media sites, etc. are not “secure and protected”.  So even if the sharing of PHI is allowed between two entities (say yourself and the patient’s general dentist), doing so by the above means is NOT allowed (but IS required to be noted and tracked by yourself!).  The ADA has some excellent resources discussing the proper sharing of PHI I encourage you to follow (ADA Technical Reports No. 1048, Attachment of DICOM Dataset Using Email, and No. 1060, Secure Exchange and Utilization of Digital Images in Dentistry, are available for download purchase from the ADA Catalog at www.adacatalog.org or by calling 1-800-947-4746).

What Makes a Good Password?

By Steve McEvoy, Technology Consultant

Is your password based on your name or one of your family members?  How about some number related to your birthday?  Your favorite Disney character?  A pet’s name?  The numbers to your home or office?  I’ve seen all these approaches, and unfortunately so have the hackers.

In recent weeks hackers have stepped up their attacks on the Internet.  One of their latest exploits includes using other infected computers as Robots (Bots) to attempt to login to computers connected to the Internet with RDP Remote Access enabled (see my other blog article on the details of this, and how to defend yourself from it).  They can make a try every one or two seconds, easily more than 40,000 tries per day.  They don’t get tired and they don’t give up easily.  If you have a simple password, it increases the chances a hacker could get through.  This is just one of many reasons to have a good password.

What makes up a good password?
The obvious answer is something that no one could guess or reasonably hack.  Five or more years ago, it was generally accepted that a good password included:

  • A mix of upper and lower case
  • At least one number
  • At least 7 characters in length

For example, ‘cowboy’ was a bad password, but ‘Cowboy7’ was a good one.  But alas, in today’s more hostile environment Cowboy7 is now considered a weaker password.
S6&k#)Y3f^dT!a would be a great password, but incredibly difficult for you to remember. 

Somewhere there needs to be a balance between security and functionality.  This is even further compounded by the strong suggestion you should NEVER use the same password in two places, meaning that you will need to remember multiple complex passwords.In my opinion, a stronger password today should include at least:

  • One or more special characters such as !@#$%^&*()
  • At least one number, preferably two or more
  • A mix of upper and lower case
  • At least 7 characters in length, more (10+) is better
  • A non-dictionary word, ideally something totally random 

I suggest inventing some algorithm in your mind to create your passwords.  Start with some totally random thought like “The Quick Brown Fox Jumped Over the Lazy Dog” or “My Car is Blue”.  Then take the first or last letter of each word, such as “TkBxJrLg”.  Now blend in random numbers and syntax, and it might become “Tk5Bx@Jr&Lg”.  Invent your own system in a way that you can remember it.

You should also change your passwords periodically.  Microsoft suggests every 30-60 days.  I don’t know about you, but my brain probably can’t hold that much change and complexity.  I think at least once per year is a good start.

Some resources that you might find handy
Store your passwords in a safe place:  Why try and remember them all when you can store them in a database?  One of many free application to store all your passwords in an encrypted database is called Password Safe.   They have a Windows and Android Smart Phone versions, so you can have your passwords with you wherever you are.  Password Safe also has a nifty feature where it will also generate a hard, random password automatically for you.  If you write it down on paper (gasp), lock it in a safe (seriously).  Don’t put it on a post-it note next to the computer or under the keyboard.

Random Password Generator:  Not feeling creative, and want a computer to generate a really hard random password for you?  One of several free ones available on the Internet is StrongPasswordGenerator.com. You tell it how long you want the password and if you want symbols, and it generates it for you.   If you use this, remember to document the password somewhere in case you forget (and you will).

Want to learn what Microsoft thinks is a good online password, read it here.

Whatever your password is I hope this inspires you to review it and change it as needed.   Think beyond just your own password, and review EVERY password on your practice network.  Enlist the help of your IT person if needed.

Read more from this author…

The Electronic Patient Record: How it Affects the Private Practitioner

By Kirt E. Simmons D.D.S., Ph.D.
Prior to engaging in a discussion of this topic it is imperative to provide some definitions, as there are some common discrepancies in the terms associated with the electronic patient record.  An “electronic patient record” is simply an electronic or digital form of a health record.  This includes the following examples and their abbreviations/acronyms:  electronic medical record (EMR), electronic dental record (EDR), electronic health record (EHR), and personal health record (PHR).  A word about acronyms is appropriate now, since the US Federal Government Agencies, including the Office of the National Coordinator for Health Information Technology (ONC), are enamored with acronyms and even use acronyms in their definitions of other acronyms and even as part of other acronyms.  On the ONC website, for instance, there are five web pages of Health Information Technology (HIT) acronyms (see www.healthit.hhs.gov).What are the different forms of electronic patient records?  An Electronic Medical Record (EMR) is simply an electronic form of the paper medical charts classically used in a clinician’s office.  An EMR contains the medical and treatment history of the patients in a single practice. It allows clinicians to track clinical/financial/other data over time, it easily identifies patients due for preventive screenings or checkups, and it allows the clinician to check certain patient parameters—such as blood pressure readings or vaccinations, and to potentially monitor and improve the overall quality of care within that practice.  The major problem with an EMR is that the information in an EMR does not travel easily out of the practice.

An Electronic Dental Record (EDR) is simply the dental equivalent to the EMR, and describes what almost all dental professionals who are keeping “electronic records” are currently keeping.  It contains the dental and treatment history of patients in one practice (although this may be a large group practice with multiple clinicians).  It has the same problem as an EMR in that information in the EDR doesn’t travel easily out of the practice and in addition it typically does not integrate with other medical data.

An Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting.  Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports (per the Healthcare Information and Management Systems Society- HIMSS).  The EHR focuses on the total health of the patient in that it reaches out beyond the health organizations (clinicians’ offices or hospitals) that originally collect the information. They are “built” to share information with other health care providers and the information “moves” with the patient between health facilities/providers.  In addition, EHRs are designed to be accessed by all persons involved in a patient’s care, including the patients themselves.  Indeed, that is an explicit expectation in the Stage 1 definition of “meaningful use” of EHRs (“meaningful use” is a term developed by the ONC to describe use sufficient to apply for funds set aside to increase EHR adoption).  An EHR would ideally include all dental, medical, pharmacy, chiropractic, etc. records in essentially “real time” and be “qualified” and “certified” as such.

A “qualified” EHR, per Section 3000, Definitions, of Subtitle A, Part 1, of Title XIII in the American Recovery and Reinvestment Act (ARRA) of 2009,includes:
“An electronic record of health-related information on an individual that-
(A) Includes patient demographic and clinical health information, such as medical history and problem lists
(B) Has the capacity—
(i) to provide clinical decision support
(ii) to support physician order entry
(iii) to capture and query information relevant to health care quality
(iv) to exchange electronic health information with, and integrate such information from other sources.”

Many advantages have been touted for EHRs.  Among these are their ability to consolidate all dental, medical, pharmacy, chiropractic, etc. records in a single “location”; their ability to allow emergency departments to quickly be aware of any life threatening conditions, even if patient is unconscious; the ability of a patient to log on to their own record and see the trend of lab results over the last year for instance, which can help motivate them to take their medications and keep up with the lifestyle changes that have improved the numbers; ability of the EHR to be stored “off site” securely so it is not lost in disasters (i.e. Katrina, tornados, fires, etc.); lab results run last week are already in the record for a specialist to access without running duplicate tests; prescriptions, notes, and orders are legible; notes from a hospital stay can help inform discharge instructions and follow-up care, especially if the patient will be followed up in a different (more local) care setting; patients seeing new clinician / clinic do not have to enter their information or their child’s or carry paper copies with them; and public health officials and researchers can more readily be alerted to, respond to, and research illness trends (SARS, Swine Flu, influenza, etc.), treatment differences, outcomes differences, etc.

A Personal Health Record (PHR), sometimes called a Patient-Controlled Health Record (PCHR), is a patient created electronic record that conforms to certain interoperability standards (the same as EHRs).  It can be drawn from multiple sources.  It is managed, shared, and controlled by the individual patient.  The patient may or may not choose to grant other entities access to it since it is controlled by the patient (unlike EHRs).  The intent is to allow PHRs and EHRs to interact if desired and allowed by the patient.

There are many factors currently “driving” the change to EHRs: Congress, The American Recovery and Reinvestment Act (ARRA) 2009 (including the Health Information Technology for Economic and Clinical Health Act [HITECH]), the President, Third Party Payers (Medicaid, insurance companies, etc.), technology and software vendors, Standards Organizations – DICOM, HL7, etc., public demand (in response to Hurricane Katrina, etc.), researchers, and Public Health organizations.  One of the most prevalent of these “driving forces” is the HITECH Act.  The objectives of the HITECH Act are to leverage health information technology (IT), so health care providers will have: accurate and complete information about a patient’s health so they can give the best possible care, whether during a routine visit or a medical emergency; the ability to better coordinate the care they give (especially important if a patient has a serious medical condition); a way to securely share information with patients and their family caregivers over the Internet (for patients who opt for this convenience); the chance to allow patients and their families to more fully take part in decisions about their health care. Per the framers of this legislation, this increased access to health information will help clinicians diagnose health problems sooner, reduce medical errors, and provide safer care at lower costs.  This legislation also claims widespread use of health IT can make our health care system more efficient, reduce paperwork for patients and doctors, expand access to affordable care, and build a healthier future for our nation.

The “overseer” of the EHR in the U.S. is the Office of the National Coordinator for Health Information Technology (ONC).  This office was set up to support adoption of health IT and promotion of a nationwide health information exchange to improve health care. The ONC is part of the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).  It is directed by the position of National Coordinator of the ONC and was created in 2004, through an Executive Order and legislatively mandated in the HITECH Act of 2009.  Dr. David Blumenthal is the current National Coordinator but he is stepping down in the spring of 2011.

Some important issues are how the EPR will be accessed and where it will be stored.  Individual PHRs will be kept by patients and stored by them (USB, CD, DVD, etc.).  For EHRs there are several potential options that have been proposed, including the National Health Information Network (NHIN), an as yet unidentified national repository, or within Health Information Exchanges (HIEs – which are specific regional/area/network repositories).

This has not yet been finalized as of this time but regardless it will require standards for interaccessibility of the data whether a single, central repository or multiple HIEs.

The NHIN was formed to create a common platform for health information exchange across diverse entities, within communities, and across the country.  Its purpose was to promote a more effective marketplace, greater competition, and increased choice through accessibility to accurate information on health care costs, quality, and outcomes.  In essence, this is what is generally thought of as the “ideal”- a single, national, all-inclusive database for all citizens.  An HIE on the other hand, is a state or regional program set up to ensure the development of health information exchange within and across their jurisdictions.  These are currently being advanced as a more readily implemented means of meeting the aggressive EHR implementation timelines.  Of course, in order for different HIE’s to be able to interact and “play well” with each other they all need to be “speaking the same language” and this requires accepted standards.  The standards that are relevant for EHRs include the Digital Imaging and Communication in Medicine (DICOM) standard which is the established standard for the exchange of digital information between medical imaging equipment (i.e. radiographs, photographs, digital models, cone beam computed tomographs, etc.) and other systems.  Hospitals have long used the DICOM standard in their radiology departments which allows any type of radiograph obtained at one hospital to be transported, accessed and used at any other hospital, regardless of their radiologic software program.  Another EHR standard in use is the Health Level 7 (HL7) standard, which is the established standard for data exchange, management and integration to support clinical patient care as well as the management, delivery and evaluation of healthcare service (ie billing, demographics, outcome measures, etc.).

What’s the timeline of the EHR?  In his 2004 State of the Union address then President George W. Bush set as a goal for most Americans to have a universal EHR by the year 2014.  In 2009 the Congress passed the ARRA and HITECH legislation, which established further guidelines for the development, adoption and implementation of the EHR.  Per this legislation by 2010 the Rules, definitions (especially for “Meaningful Use”– a term used in the legislation), certification process and certification bodies were identified and developed.  In 2011 Stage 1 of the implementation process will be completed.  Stage 1 consists of “Data Capture” – the electronic capture of health care information in a standardized format.   In 2013 Stage 2, “Data Aggregation” – electronic exchange of the collected health information will occur in order to improve the quality of care.  In 2015 Stage 3, “Data Use for Outcome Impact” will occur as necessary to improve the quality, safety and efficiency of healthcare through clinical decision support (CDS) and patient management tools.  By 2016 full implementation (ie all healthcare providers will be fully using and all persons will have an EHR) will be completed.  The legislation initially provides for financial incentives if healthcare providers/organizations “qualify” but these quickly change to disincentives for those who do not comply.  For instance this year (2011) for healthcare providers who do not begin (ie “write” a certain percentage of their prescriptions) e-prescribing drugs their payments through Medicaid will be reduced.

This brings us to the Medicaid EHR Incentive Program legislated by the HITECH Act.  This program provides incentive payments to eligible professionals and eligible hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology in their first year of participation and demonstrate meaningful use for up to five remaining participation years.  There are minimum Medicaid patient volumes to be eligible, which differs by state.  The program is voluntarily offered by individual states and territories and begins as early as 2011, depending on state.  Eligible professionals (including dentists) can receive up to $63,750 in funds over six years if they choose to participate in the program and meet all requirements.  There are no payment adjustments under the Medicaid EHR Incentive Program.  By contrast, just to be confusing, the Medicare EHR Incentive Program provides incentive payments to eligible professionals and eligible hospitals that demonstrate meaningful use of certified EHR technology.  Participation in the Medicare Program can begin as early as 2011 with eligible professionals able to receive up to a maximum of $44,000 over five years under the Medicare EHR Incentive Program for treating patients that qualify under Medicare.  In addition, if the eligible professionals provide services in a Health Professional Shortage Area (HSPA) they qualify for additional incentives above the $44,000 maximum under the Medicare EHR Incentive Program.  For maximum incentive payment, Medicare eligible professionals must begin participation by 2012.  For 2015 and later, Medicare eligible professionals, etc. that do not successfully demonstrate meaningful use will have a “payment adjustment” (read reduced payment or penalty) in their Medicare reimbursement.  In order to qualify for these Medicaid / Medicare EHR Incentive Program eligible healthcare providers must use a certified EHR program and demonstrate meaningful use of the program for their patients.  For dentistry, as of this writing (early 2011), there is only one EHR dental software that meets the Federal guidelines and has been certified as such.

A reasonable question for most dentists might be “Who cares?”  There is no federal deadline for adoption of EHRs by dentists who do not submit claims to Medicare and since “I don’t mess with Medicare/Medicaid” it’s not going to effect me.  Unfortunately, although you may not “mess” with the public payer programs the legislation IS going to “mess” with you!  Specifically, new privacy and security provisions (on top of current HIPPA requirements) and accessibility requirements are among the ARRA / HITECH legislation provisions.  These include privacy and security provisions extended to “business associates” (for instance laboratories, etc.), breach notification requirements, health information privacy education requirements for your staff, a requirement to honor withholding of protected health information from a health plan when a patient pays for treatment “out of pocket”, a prohibition of the sale of protected health information, a requirement for patient authorization for marketing and fundraising-related activities, new accessibility requirements (to patient information- i.e. patients may request an electronic copy of their record and it must be provided and in a timely fashion), and finally it authorizes patients the right to request an “audit trail” of all access to their record (i.e. who, when, why anyone accessed their record for any reason!).  The “final rules” have not yet been established but it behooves you to stay aware of these upcoming requirements and be prepared to meet them before they are enforced.  Theoretically a “certified” EHR program takes these requirements and provisions into account so if one purchases and implements these programs in their practice they will be able to meet many of these provisions.  Unfortunately, for any “early adopter” dentists who wish to implement a certified EHR program for their practice, there is only one at this time.  Several companies, although not currently certified, have indicated they were aware of the situation and were planning to eventually introduce a certified program. So one should check with their practice management software company for updates or “modules” to meet these requirements and insist they provide them if they indicate they are not considering these issues.

There are some other implications of this push for EHR adoption for dentistry.  These include e-Prescribing (submitting prescriptions digitally online) ability and monitoring, the adoption of the Systematized Nomenclature of Dentistry (SNODENT- designed by the ADA for use in the electronic health and dental records environment it is essentially a single accepted “dictionary” of dental terms in order to standardize/digitize everything “dental”), a requirement of Diagnosis Codes for payment (long common in Medicine, the ADA is currently updating claim forms to include up to four diagnosis codes since some large dental insurers are adding diagnosis codes to claim requirements), and requirements by insurers, Dental Boards, etc. that all images, notes, models, letters, billing, etc. be provided in a standardized digital format.It is also wise to remember some of the other intents of an EHR according to the Government are their supposed ability to “decrease costs”, potentially due to their intended ability to monitor “quality measures” and adjust healthcare practices “appropriately” (through further legislation, payment adjustments, fees, etc.).  They will also provide for “Lifetime” radiation exposure monitoring since certified EHRs will have the capability of recording radiation exposure data and reporting it.  This could potentially be a big “issue” for those dentists taking or prescribing cone beam computed tomographs (CBCTs) since the Federal Department of Agriculture (FDA- under which the HHS resides), per their  “Initiative to Reduce Unnecessary Radiation Exposure from Medical Imaging” issued in February of 2010, is looking closely at “CT”’s.  Per this publication approximately 89% of the yearly exposure of the U.S. population is due to “CT”’s despite the fact they account for only 26% of the total of all imaging procedures.  Although “Medical” Imaging is used by the FDA in the title dentistry is definitely included as evidenced by the fact Table 1 of this publication specifically includes “Dental X-ray”.  Of particular interest to orthodontists and pedodontists is the point the publication stresses the deleterious impact of ionizing radiation on younger individuals is greater than that for adults.

Since the Government will be promoting and advertising the EHR heavily in all provider settings patients will quickly expect dental offices to be EHR compliant as this becomes commonplace in the other “healthcare” settings they are exposed to.  According to the ONC more than 21,000 providers had initiated registration for the EHR Incentive Programs during the first month it was available (January, 2011) and more than 45,000 additional providers had requested information or registration help from Regional Extension Centers during this same time.  In addition, it is quickly becoming obvious that third party payers will require offices to interact with them in an EHR compliant fashion (since it will save them money/resources), due to potential legal implications many malpractice/liability insurers may require their clients to be EHR compliant, privacy/security regulations will essentially require it (for instance each office must have a “Privacy & Security Officer”- per DHHS Guideline 45 CFR, Part 146), pharmacies/DEA will likely require, and lastly new (or updates to) imaging hardware/software will require DICOM compatibility.

Lastly, on a personal note, if and when one is contemplating their own PHR options it is useful to take into account the findings of a “Roundtable on PHRs” the ONC conducted and published in their blog of Dec. 3rd, 2010.  At the PHR Roundtable, four panels of experts and industry representatives explored the growth of PHRs, focusing on the nature and adequacy of privacy and security protections.  The key message to come out of this roundtable was that PHRs grow in value when people find them useful and trustworthy.  A key message from the Roundtable was that PHRs grow in value when people find them useful and trustworthy. Their usefulness grows as they are able to readily pull information from EHRs and other sources of clinical information, as well as from monitoring devices and mobile applications. The usefulness increases even more as that information can be organized to help people with their particular health care concerns and inform clinical decision-making.