Free Wired EMR Practice Newsletter Want to receive the latest updates on EMR from a Doctor's perspective sent straight to your email? Get all the latest EMR and EHR updates from a practicing doctor for FREE!

The Secure Texting Scam

I fondly remember going deer hunting with my father and grandfather in Pennsylvania where I grew up.  We hardly ever actually killed anything.  One deer hunting technique we never used was called “putting on a drive.”   You start with a group of hunters at each end of the woods.  The first group does the “driving” by walking through the woods making lots of noise.  The other group lies hidden at the other end.  The first group scares the deer towards the second group for an easy blindside kill.  Even if you like hunting it’s not very sportsmanlike.  The deer don’t stand a chance.

Recent developments in health information technology convince me that Washington politicians and health IT vendors are putting a drive on physicians. Together they coerce physicians into technology purchases that may be redundant and unnecessary.  One such example is all the noise health IT vendors make about secure texting.

In November 2011 JCAHO posted a notice deeming the use of texting to communicate physician orders as unacceptable.   This very short statement offered two supporting arguments:  1.  The sender’s identity could not be verified, and 2.  There is no way to preserve the text message for the medical record.  The statement did NOT mention any potential for hacking, eavesdropping or any other privacy / security issue.

The following April a small (5 physician) cardiology practice was fined $100,000 for a number of HIPAA violations.  The worst of these was putting appointment and surgical schedules on a publicly accessible online calendar.  Other violations included failure to appoint a privacy officer and failure to conduct a risk analysis.  The HHS press release for this settlement does not list texting protected health information (PHI) as one of the violations.  Nonetheless many secure texting vendors have cited this settlement as evidence that the Feds are prosecuting providers for texting PHI.  My inbox has been inundated with ads: “Don’t get caught texting PHI!  Buy our secure texting product today!”

Many providers have drunk the Kool-Aid, succumbing also to strong intuitive – but unverified – arguments regarding SMS texting.  It is widely accepted that every text has at least 3 copies:  the sender phone, the receiver phone, and one or more copies on the telecom servers involved in the transmission.  The first 2 clearly exist.  But has anyone verified current practices among telecom providers regarding server storage of text messages?  There is no credible source that clearly documents what those practices are.  Many providers and IT folks also intuitively believe that text messages can be easily monitored / intercepted remotely.

One secure text vendor I reviewed offers secure texting for the “bargain” price of $10 per user per month.  For our practice that totals $12,000 per year.   The app requires installation on both sending and receiving ends, so even after all that money is spent I can text “securely” only to employees inside my practice.  Too bad I don’t need secure communication inside my practice.  My EMR already does that.  So the product is both expensive and useless.  Most secure text products are structured similarly.

The argument for secure texting products fails in several ways:

  1. The November 2011 JCAHO directive regarding texting of physician orders does not mention privacy as an issue.  The two issues it does raise, identity verification and documentation in the medical record, are not solved by secure text products.  Furthermore, the JCAHO arguments should apply to voice conversations as well.  The voice of a caller cannot be objectively identified, and voice conversations are not preserved for the record either.   Telephone orders have been the standard of care for decades.  We have tolerated those “shortcomings” without difficulty.
  2. No federal agency has investigated anyone for texting PHI – although the secure texting vendors would like you to believe otherwise.
  3. There have been no documented PHI security breaches related to texting.
  4. The biggest security issue for texting is the smart phones themselves, where stored text messages are just waiting to be lost or stolen with the phone.  Secure text products don’t solve that problem either.  This is more appropriately handled by password protecting phones and remote-erasing technology for lost or stolen phones.  There are lots of other ways to address the problem, such as storing text messages in the cloud rather than on the phone.
  5. Physicians have been using text communications for almost 20 years, since the advent of text-enabled pagers.  This far predates SMS technology.  We contacted our answering service regarding the security of the text-pages that they send to our smart phones.  We were assured that their secure server adequately addresses the issue.  Really?  Don’t their messages pass through the same telecom servers as other texts to reach our smart phones?  Am I missing something?
  6. Smart phones can be eavesdropped for both voice conversations and text using the same methods.  If the eavesdropping argument is used to outlaw unsecured text, then voice communications should be treated similarly.
  7. How exactly do the wireless carriers handle text messages?   Why isn’t anyone grilling them about securing their servers?  Current practice across the IT community is that the owner of a database is responsible for its security.  Verizon Wireless, starting last April, has expressed great interest in health care and has declared its intention to establish a role in the management of chronic diseases.  How about something simpler and much more useful…like secure texting for health care providers?

The “logical” conclusion – ignoring common sense – is that PHI would be prohibited in all wireless communications.  Doctors would have to return to 1980’s era pagers that only emit a tone.  You call the answering service – on a landline – to get the message.  The privacy policies made necessary by the Information Age would force us back to the Stone Age.

Instead consider the following plan that would serve PHI privacy needs without all the hysteria and expense of add-on products:

-       Establish a set of practices for texting medical information that avoids or minimizes the creation of PHI.  This would include referring to patients by initials and avoiding the use of identity-establishing information.  I have done this for the past few months and it works well.  You can include all the medical information you want in a text, but if the patient is identified only by initials then it is not PHI.

-       Engage telecom providers to establish adequate security measures for its servers.  They should be doing this anyway.  There would be many users willing to pay a reasonable amount to cover the expense.  This would be much better than add-on products since it would be compatible across all users.

-       Aggressively implement protection for smart phones, starting with mandatory password protection and remote erasing, and implementing more sophisticated technologies as they become practical and widely available.

How do you get a marginal product to sell?  Either have the government make people buy it (Meaningful Use) or use marketing sleight of hand to create the illusion of a legal imperative.  Secure text marketing strategy works just like the deer drive.  The “drivers” are the secure texting vendors.  They leverage poorly written and randomly enforced government regulations to make lots of noise in an attempt to scare physicians.  At the other end of the forest lurks Secure Texting Snake Oil – products that only pretend to rescue doctors from prosecution and patients from identity theft.  Their only true effect is to raise health care costs without any improvement in quality of care or data security.

Post a Comment(8)
September 6, 2012 I Written By

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery. After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations. Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia. With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

Filed Under: EMR  government  HITECH  Meaningful use  mHealth  physician  texting  texting PHI
Tags:              

EMR Note Cloning is Scarier than I Thought

The health IT community is well aware of the dangers of cloning notes in an electronic medical record.  I include myself in that group.  Until recently I prided myself for doing a good job, both in our EMR design and in my own personal practice, of using just the right amount of automation in our documentation workflow.  Two recent events showed me that I still have some work to do.

The first event occurred a few weeks ago when I was reviewing some records.  One patient note documented an enlarged salivary gland containing a stone.  That would be fine except for one small detail – I had removed that gland one week prior to the date of the note!  My nurse had created that note.  A conversation with her revealed she thought she was doing the right thing by always clicking the “previous finding” button, which I had programmed myself.  My nurse is extremely bright; this was my fault for not training her on this issue.  I had also signed that note.  So it was my fault twice.  After a 30 second conversation with my nurse it has not happened since.

The second event was when an attorney interviewed me regarding one of my patients.  I was a treating physician in a malpractice case (I am not the defendant thankfully).  The attorney wanted to know if, in my opinion, the physician defendant had met the standard of care in treating the patient despite the adverse outcome.

This was a high-risk case for note cloning; the patient had multiple abnormal neurologic findings that were stable over time.  In reviewing my records I was satisfied that my notes were accurate, complete and original for every visit.  I avoided cloning those abnormal but stable findings by describing the same exam but using slightly different wording at each visit.  How else do you avoid cloning?  But the attorney pounced on my small changes in description, trying to establish a trend in my notes that the patient was getting worse.  I explained the cloning issue to him, and he understood…. I think.  Nonetheless I felt somewhat uncomfortable defending my documentation, and I was not even the defendant.  In trying to avoid cloning notes I had stepped right into another problem.

This issue is huge in my practice.  I have a large volume of head and neck cancer patients.  The essence of caring for them properly is to monitor them for changes in their abnormal – but stable – physical findings.  A recurrence of cancer might manifest as a subtle change in one of these findings.

How do you document that an examination is stable and unchanging, but change your wording enough to document that you actually examined the patient at every visit?  We do not yet have the cloning issue figured out.

Post a Comment(1)
June 15, 2012 I Written By

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery. After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations. Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia. With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

Filed Under: EHR  Electronic Health Record  Electronic Medical Record  electronic medical records  EMR  EMR note cloning  physician  workflow
Tags:              

The Nitty-Gritty of Meaningful Use – Part 2

This is the second in the series of how our practice is getting the work of MU done.  The first of the series can be found here.

Starting with Core Set Item #7:

7.   Record demographics as structured data.  We have been doing this for a long time but MU requires us to add race and “ethnicity.”  Isn’t ethnicity the same as race but more specific?  If you have the latter you don’t need the former.  Furthermore we have had patients push back on asking this question.  Some find this question offensive.  They shouldn’t; since many diseases are race / ethnicity – specific the question is medically appropriate.  Fortunately MU considers the term “undetermined” as acceptable for this data point.

8.  Record vital signs as structured data.  This conflicts with lower level CPT E/M coding with does not require vital signs.  Once again the left hand of government doesn’t know what the right is doing.  Nobody thought it through.

9.  Record smoking status.   No problem here.  Medically appropriate for all specialties.

10.  Quality measures.  These are poorly designed and confusing.  There are 2 redundant measures both dealing with tobacco use and cessation, and these are both redundant (but not identical) to core set #9.  Weight screening is reasonable enough but the follow-up requirements are ambiguous and burdensome.  Are we really supposed to bombard our local dietician with weight loss consultations?

11.  Decision support rule.  We will configure our EMR to prompt for hearing loss screenings in patients over 50 years old.  Fair enough.

12.  Provide an electronic copy of health information to the patient upon request.  Who are they kidding?  This should have been delayed to Phase two.  Qualified EMRs can do this easily enough but the product is exported to your remote server desktop; it is cumbersome to copy from there.  We have had few such requests from patients; I wonder if those few are asking just to prove a point.  I don’t know that for sure.

13.  Provide clinical visit summaries.  Again should have been delayed to Phase two.

14.  Exchange key clinical information between systems.  This one is unbelievable.  Fortunately, as I understand it, you only have to do it once.  You are supposed to upload all or part of someone’s chart (or perhaps a test chart or other hypothetical data) to portable media, go to someone else’s EMR and try to upload the data.  Doesn’t matter if you succeed or not.  Am I misunderstanding this one?  If anybody has a better handle on this one please leave a comment.

15.  HIPAA security risk analysis.  Although I hate paying for it I must admit that is a good idea.

 

The last installment will cover the Menu Set Measures.

Post a Comment(1)
September 18, 2011 I Written By

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery. After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations. Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia. With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

Filed Under: CPT  EHR  Electronic Health Record  Electronic Medical Record  electronic medical records  EMR  government  Meaningful use  Medicare  physician  workflow
Tags:              

Lessons Learned from Anesthesia EMRs

Several years ago one of the hospitals where I operate spent 6 figures on an anesthesia EMR system.  After several months and a huge amount of money the whole thing was scrapped because it was so cumbersome to use.  They have not tried again.

A few weeks ago the anesthesia group that covers our surgery center got an EMR.  The product is called Anescan and apparently has many successful installs.  It runs on Windows 7 tablets that communicate with a central server.  Needless to say I was curious to see how this system differed from the failed system I had seen years ago.  What I learned was very interesting.

Medical record keeping in anesthesia is different from all other medical specialties.  The job includes monitoring vital signs constantly and documenting them in the anesthesia record every few minutes.  It is a task that begs to be automated.  Such technology would presumably free the anesthesiologist from mundane repetitive documentation, allowing more efficient and effective monitoring of the patient.   The necessary technology has been available for years and was used in the failed hospital system from years ago.

I was surprised to learn that Anescan avoids that technology.  A conversation with the Anescan rep revealed that is was precisely that technology which caused earlier systems to fail.  It’s easy to measure blood pressure, heart rate, respiratory rate, and blood oxygen level and push that data to an EMR.  The problem is that the data are often riddled with artifact.  If an EKG lead or pulse oximeter comes loose, or if the surgeon leans on the arm-mounted blood pressure cuff, it is not unusual to get an automated pulse or blood pressure of zero.  The anesthesiologist / anesthetist can easily recognize what is happening, fix the monitors and record accurate vital signs.  This often happens several times during a case and is no big deal.

The automated system makes it much worse.  By the time the bad data are recognized the automated system has already pushed that zero pulse and BP to your EMR.  Now the anesthesiologist / anesthetist has to open some kind of editing function in the EMR and delete, edit, or explain away the false readings…AND at the same time troubleshoot the monitors that sent the bad data in the first place…AND by the way your patient is still asleep and you can’t stop watching him.  AND you only have a couple of minutes to get caught up before the monitors send the next the next set of (? bad) vital signs to the EMR.  The potential downward spiral is easy to see.

Anescan avoids this problem.  The tablet PC presents an image of a standard anesthesia paper record with the patient demographics and other data already in place as structured data.  Vital signs are recorded with “digital ink.”   Use the stylus to record vital signs on the form, on the tablet.  When the case is complete the form images are sent to the server for centralized record keeping and billing.   A paper copy is printed for the surgery center chart.  This is an elegant solution that automates only those parts of record keeping where it is practical.

Someday the artifact problem will be solved either through better monitors or better error recognition within the EMR.  But today this serves as yet another example of too much IT and automation in health care causing more problems than it solves.

Post a Comment(0)
July 24, 2011 I Written By

Dr. Michael J. Koriwchak received his medical degree from Duke University School of Medicine in 1988. He completed both his Internship in General Surgery and Residency in Otolaryngology-Head and Neck Surgery at Vanderbilt University Medical Center. Dr. Koriwchak continued at Vanderbilt for a fellowship in Laryngology and Care of the Professional Voice. He is board certified by the American Board of Otolaryngology-Head and Neck Surgery. After training Dr. Koriwchak moved to Atlanta in 1995 to become one of the original physicians in Ear, Nose and Throat of Georgia. He has built a thriving practice in Laryngology, Care of the Professional Voice, Thyroid/Parathyroid Surgery, Endoscopic Sinus Surgery and General Otolaryngology. A singer himself, many of his patients are people who depend on their voice for their careers, including some well-known entertainers. Dr. Koriwchak has also performed thousands of thyroid, parathyroid and head and neck cancer operations. Dr. Koriwchak has been working with information technology since 1977. While an undergraduate at Bucknell University he taught a computer-programming course. In medical school he wrote his own software for his laboratory research. In the 1990’s he adapted generic forms software to create one the first electronic prescription applications. Soon afterward he wrote his own chart note templates using visual BASIC script. In 2003 he became the physician champion for ENT of Georgia’s EMR implementation project. This included not only design and implementation strategy but also writing code. In 2008 the EMR implementation earned the e-Technology award from the Medical Association of Georgia. With 7 years EMR experience, 18 years in private medical practice and over 35 years of IT experience, Dr. Koriwchak seeks opportunities to merge the information technology and medical communities, bringing information technology to health care.

Filed Under: anesthesia EMR  CPT  EHR  Electronic Health Record  Electronic Medical Record  electronic medical records  EMR  tablet PC  workflow
Tags: