A “Meaningful” Act (Pt. 2)

by Ruby Raley
Director, Healthcare Solutions

(To read the first part of this blog post, click here.)

The body continues to be an apt metaphor in this post.

One of the other areas I find that people have neglected in their plans is the “nervous system.” So, you’re going to put this new eMR system in, you have to have all of these data breach protections, you have to have encryption, you have to be able to notify people promptly if data is lost. You need a nervous system that knows when any blood vessel is cut, when there is a leakage of information, which would be equivalent to internal bleeding—perhaps not obvious to anyone but going on nonetheless—and a significant impact on your patient’s health, possibly even a cause of death if left untreated.

How are you going to know that there is internal bleeding of data? Are you really going to go through log files and every system you have and verify that every transmission went through? Wouldn’t you rather just have a dashboard where you could quickly see the stats, find anomalous situations, immediately be alerted if something goes astray, and take action promptly and resolve the problem before there is internal bleeding and the “patient” is in critical care? I really think that some of those additional ways of thinking about the HITECH Act are critical to the success of the providers.

It’s just too hard to try to do everything inside your eMR system. You can’t stop people from sending attachments, needing to communicate with third parties, and needing to get data in and out of your enterprise. It’s just a fact of life, so why not put a plan together for it?

People who think that they don’t need a nervous system, that all they have to do is search through log files to find out what happened, I find, have either had better luck in life than I have or aren’t IT people on the front lines, because what I’ve seen over and over again is log files get erased every time there is an upgrade.

If you had an outage on Friday, and you had a system upgrade going in on Saturday, your log files might not be where you can find them on Monday. Maybe they were saved before the upgrade went in. Maybe the tapes didn’t work right. How do you know? In order to do the diagnosis, you have to look at the sending and receiving system, line up the time, look at the messages and try to figure out whether the darn messages were delivered.

To me, thinking that log files sufficiently satisfy the data breach and HIPAA security rule—I don’t quite get that. One of the things that I recommend to providers is that they do a mock exercise. How would they find the data breach? How would they convene their SWAT team? How would they actually plan through and respond to a real-life data breach? It’s much like having a patient flatline on the ER table—mitigating action needs to be taken immediately.

What they’re going to find is that, first of all, they have to include many more departments than they might have thought. When is the last time an IT outage or a service disruption required that the compliance officer, corporate marketing and PR people got called? Did you have to call the CEO when the system last went down? Do you know the criteria that need to be satisfied before you notify people? You have to make sure that a large number of people understand what the process is, because with a data breach, the legal ramifications of not taking due diligence, of exhibiting willful neglect, or of not following your own processes are severe.

And you never had to do that before. Who cared if a file didn’t get received by the insurance company on the other end? They’d call you and you’d resend it. Before, you never called the CEO or CSO to say that a file went astray and you didn’t know it had happened. You’re going to discover department people who aren’t aware, too. You’re going to discover people in the IT organization, people who might not have been exposed to the HITECH Act before, who need training so that they understand the circumstances under which to act. If you don’t have all of this preplanned, then it’s going to be fairly random and it’s not going to come together for you. Can you prove to the HHS and the auditors that your process, as written, was followed in these events? Can you afford the excessive fines and penalties that will follow if you can’t prove that your process, as written, was followed?

Leave a comment

No comments yet.

Comments RSS TrackBack Identifier URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s