[ Tuesday, August 17, 2004 ]


A little late summer spring cleaning: I've got a bunch of stuff in my e-mail inbox that I've been holding until I got the chance to blog on it.

Electronic Medical Records: Here's an article from the NY Times on hospitals going paper-less. Obviously there are some benefits, such as reduction in errors and streamlining of information processing, making the same information available to all care providers across the enterprise, etc. Obviously there are some downfalls, such as the risk of a system crash taking all medical records off-line, greater privacy and security risks, etc. Not quite so obviously, there are some hurdles to making this type of thing work, not the least of which is physicians who are used to doing things on paper or their way, or those who have migrated to electronic records but using a different platform than the hospital. Hat tip: Alan Goldberg.

Risk Analysis: Here's a WEDI (Workgroup for Electronic Data Interchange) white paper on HIPAA Security Rule risk analysis, including examples of how some covered entities have approached the process. Hat tip: Gordon Apple.

HIPAA Security: As part of your risk analysis, you do need to figure out which of your systems need to be audited, and keep audit logs. In making those determinations, look at systems, look at applications, and look at data to determine what needs auditing. Make it realistic, based on what you think you can catch, what you can analyze and deal with, and what you really need to worry about. Don't try to look at everything, and definitely don't capture more information than you'll be able to review and deal with effectively. Don't make your logs so big you can't easily store them. And most importantly, don't make the auditing process negatively impact the delivery of care. It needs to be effective, but if it hinders care, or slows down the nurses or physicians, then you'll get push-back (and rightfully so).

Thinking about going wireless? First, identify your risks: is PHI stored on mobile devices, is it encrypted, and is access protected? Wireless systems don't come in HIPAA-compliant and non-compliant; compliance depends on your usage and protections. Secondly, train your staff. Make sure your tech people know that they must play by the rules, and make the rules simple and clean. And make sure you teach your doctors, and if they're likely to leave their PDAs sitting around, make sure there's some access protection built into the system. Encrypt if you need to. And document what you've done and why. If you make a bad choice but you can prove it was for a good reason, you're much less likely to find yourself in hot HIPAA water. Hat tip: Hospital Compliance Wire's e-mail service.

Jeff [10:56 PM]
