PHRs: The Next Big Thing?

July 14, 2008

Magazines and newspapers are spilling much ink over Personal Health Records (PHRs), the latest piece of IT that will fix healthcare. I asked my small-practice doctor a few weeks ago what he would do if a patient presented him with a PHR. Not much, he answered (first I had to explain what it was). No insurer would pay him to populate the data, and it isn’t integrated with his (limited) PPM system. The patient would be welcome to a copy of his medical records (for an exorbitant “handling & copying” fee) to populate the PHR himself, but good luck making out the doctor’s handwriting, medical abbreviations and terminology. If the patient had seen specialists, those separate records would need to be obtained and entered as well.

The PHR hype is in full swing, and it will likely take at least a decade for a majority of patients to have PHRs. I doubt most people will even look at their PHR if they have one. Progressive insurers like Aetna offer members a pre-populated PHR based on claims data. In the long term, this will help Aetna improve care, reduce errors and lower costs. Follow the money and one will see the adoption path PHRs follow.

As with all technologies, the question of standards is arising with PHRs. AHIP has taken a good first step in creating a standard that is expected to be ready by December of ’08. The standard includes data set and portability requirements that take into account a person’s change of employer and health plan.

Some payors, like Medical Mutual of Ohio and Anthem BCBS, have PHRs that align with the AHIP standard. Time will tell how PHRs are accepted by consumers. Nationally, CCHIT, the Certification Commission for Health Information Technology, will be certifying personal health records (PHRs) next year. Criteria will be proposed in April 2009, along with a comment period. Certification will officially start in July 2009.

CCHIT’s certification of EMRs met with mixed reactions early on, with smaller vendors crying foul over the $20,000 fee. Since then, it’s become a somewhat important stamp of approval in large enterprise purchasing decisions. This will likely happen with PHR certification as well.

Locally, here in Massachusetts, Blue Cross Blue Shield of Massachusetts has partnered with Google Health to enable members to import their claims data into their Google Health profile. BCBSMA says that members with Google Health PHRs will be able to share data with healthcare providers who currently don’t have access to it. They can also download medical records and prescription history from other connected providers.
_________________________________________________________________________________________________

By Shawn Whalen, SVP & Director, Healthcare IT Practice, Schwartz Communications

New Haven: Scanning the Environment to Capitalize on Emerging

July 12, 2008

In January 2007, New Haven, Conn. received a $3 million grant from the Center for Community Health Leadership to help the city create a community-wide health information exchange (HIE) to support the exchange of data with community physicians.

Security Risks: What’s the Rule?

July 10, 2008

The first step towards compliance with the HIPAA Security Rule is to perform a risk assessment on your system. You aren’t required to do this yourself (you may choose to hire a consultant), but you will be expected to understand the assessment findings. So what are ‘risks’, and how are they measured? Let’s start by defining some terms as they appear in the Rule.

Section 164.308(a)(1) requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.” In this statement:

“EPHI” stands for Electronic Personal Health Information. This includes all medical information related to patients in your care.

“Vulnerabilities” are weaknesses in the way your system handles information. This can mean anything from inadequate physical security at your office (such as locks and alarms), to employing out-of-date software, to failing to employ the security features included in your software (not creating passwords, etc.).

“Threats” are forces that will exploit vulnerabilities. This can mean people, such as disgruntled employees, burglars and hackers, or it can mean things like fires, floods, earthquakes and tornadoes.

“Risk”, therefore, is a calculation of two things: first, the probability that a given threat will exploit vulnerabilities in your system, and second, an estimate of how much damage would be caused by that exploitation. Risk is hard to assess; the factors involved are often subjective. Just because an event has a low probability doesn’t mean it can’t or won’t happen, and a highly probable event, even one with a risk rating assigned, might not impact your system security at all.

For instance: a viral infection on a computer in your system is highly probable, but the likelihood that the infection would lead to a system failure or security breach is small; therefore it would be considered a low-risk scenario. If a burglar, however, were to break into your office and steal all of your equipment, there is a 100% chance that your data will become unavailable to you and a good chance it may end up in malicious hands. Even if the crime rate is low in your neighborhood, this would be considered a high-risk scenario.

No matter what your assessment finds, when you address the vulnerabilities of your system and (where possible) eliminate threats, you reduce your overall risk levels; this is the best way to ensure you’ll be in compliance with the Rule.
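As an added illustration (not part of Ryan Ricks’s post), the Python below scores the virus and burglary scenarios described above as expected annual loss (probability the threat occurs, times the probability it actually harms the EPHI, times the estimated damage) and then shows how addressing a vulnerability lowers the score. Every probability, dollar figure and rating threshold is a constructed assumption for a small practice, not a value from the Rule.

```python
# Added example, not from the original post: a tiny HIPAA-style risk register.
# risk = P(threat occurs per year) * P(harm to EPHI | threat) * estimated damage.
# All probabilities, dollar amounts and thresholds are constructed assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    p_threat: float     # probability the threat occurs in a year
    p_damage: float     # probability the event actually harms EPHI C/I/A
    damage_usd: float   # estimated cost (downtime, re-creation, notification)

    def risk(self) -> float:
        """Expected annual loss in dollars."""
        return self.p_threat * self.p_damage * self.damage_usd

    def rating(self) -> str:
        """Map the dollar figure onto the low/medium/high bands (assumed cut-offs)."""
        r = self.risk()
        return "high" if r >= 5_000 else "medium" if r >= 1_000 else "low"


# Constructed register: a virus is very likely but rarely causes a breach; a
# burglary is rare but guarantees loss of availability and probably disclosure.
VIRUS = Scenario("virus on a workstation", p_threat=0.90, p_damage=0.05, damage_usd=5_000)
BURGLARY = Scenario("burglar steals all equipment", p_threat=0.05, p_damage=1.00, damage_usd=200_000)


def rank(scenarios):
    """Highest expected loss first: the order in which to address findings."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def apply_control(scenario: Scenario, **changes) -> Scenario:
    """A control lowers one factor: an alarm cuts p_threat, backups and
    disk encryption cut damage_usd (the records stay available and unreadable)."""
    return replace(scenario, **changes)


if __name__ == "__main__":
    for s in rank([VIRUS, BURGLARY]):
        print(f"{s.name:32} ${s.risk():>9,.0f}/yr  {s.rating()}")
    # Off-site backups plus encryption: the burglar still takes the hardware,
    # but the estimated damage drops from $200,000 to an assumed $30,000.
    mitigated = apply_control(BURGLARY, damage_usd=30_000)
    print(f"{'burglary, with controls':32} ${mitigated.risk():>9,.0f}/yr  {mitigated.rating()}")
```

The same arithmetic shows why the burglary outranks the virus despite its lower probability: the certainty and size of the damage dominate the score.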

Join us next week for some tips on how to conduct your risk analysis. 

Ryan Ricks
Security Officer
ryan.ricks@xlemr.com
www.xlemr.com