Here's an overview of what business and IT pros need to know about EHRs (electronic health records), the standard in medical documentation. HIPAA, securing patients' data, and more topics are covered.
The days of messy folders stuffed with patients' charts and indecipherable doctors' scribbles are over: Electronic health records (EHRs) are now standard. You may not even realize that there was a transition to digital medical records, but if your doctor has ever been typing on a computer during your appointment, you've seen EHRs in action.
TechRepublic's cheat sheet about EHRs is an introduction to this relatively new standard in medical records. This article will be updated periodically as new laws about EHRs are passed, and software platforms are developed.
SEE: Electronic data retention policy (Tech Pro Research)
- What are EHRs? EHRs are digitized patient files that contain an individual's complete medical history; this digitization makes it possible for healthcare providers to instantly share patients' information. Several EHR platforms are available for doctors and other medical professionals to use.
- Why do EHRs matter? EHRs make life easier for medical care providers because the digital medical records eliminate the need for paper files. Also, since it's less likely to lose an EHR than a paper file, patient data is more secure when it's stored in EHRs.
- Who do EHRs affect? EHRs affect everyone who has ever seen a doctor. With over 90% adoption in the US as of the end of 2017, there's a good chance your medical records have already been digitized.
- What do IT professionals need to know about EHRs? Tech support professionals who deal with healthcare providers need to know how EHRs work, how to implement EHRs, how EHRs interface with medical devices, and more. EHR systems can be complicated, but with nearly all doctors and hospitals in the US using them it's a near certainty that you'll have to support them at some point.
- How can EHR patient data be protected? EHRs contain a treasure trove of personal data that make them top targets for cybercriminals. Responsibility for protecting that data isn't just on IT teams--it falls to healthcare professionals as well.
- When is the EHR transition happening? The US government mandated EHR adoption starting in 2011, and offered adoption incentives that ended in 2016.. As of 2018 the period to receive incentives has ended, and providers who haven't adopted EHR systems will be penalized with progressively larger medicare reimbursement reductions, though hardship deferments are possible.
- Who benefit from EHRs? EHRs don't just make medical providers' lives easier--they also simplify continuity and quality of care for patients. You might not even realize EHRs were the new standard in medical practice, but if your doctor has ever entered the room with a laptop instead of a folder, you've already experienced the change.
What are EHRs?
An electronic health record is a digital document containing (ideally all) information about a patient's medical and health history. It includes records of any interaction a patient has with their medical providers, including immunizations, diagnoses, medications prescribed, lab test results, and allergies.
Of the EHR platforms that medical professionals can choose from, each of the top five--eClinicalWorks, Epic, McKesson, Care360, and Allscripts--offer local installation options and cloud hosting. Many EHR systems operate from onsite servers, but nearly 90% of new EHR installations are cloud based.
A major advantage to using EHRs is instant sharing of patients' information. Paper records had to be hand carried or mailed between offices, but EHRs make the process of sharing patient data between healthcare providers much simpler. Healthcare providers can use health information exchanges (HIEs) to send EHRs back and forth.
There are three types of HIEs:
- Directed: Providers can send patients' records directly to other providers.
- Query-based: A provider can look up a patient's record in a database.
- Consumer mediated: The patient keeps, maintains, and shares their record.
- Five Steps to Successful EHR Adoption (HP white paper)
- Health information exchanges and health insurance exchanges make for complexity and excitement (TechRepublic)
- Four EHR Change-Management Mistakes (HP and Intel white paper)
Why do EHRs matter?
EHRs are maintained by all clinicians a patient comes into contact with. So if a patient visits multiple specialists, those doctors can look at the EHR and see what kinds of tests and procedures the patient's other doctors have done, or what medications they've prescribed. This is meant to cut down on redundant treatments and help providers collaborate with each other.
In the IT world EHRs matter because they contain highly sensitive personal data; therefore, security is of the utmost importance. All EHRs must be stored and maintained according to security rules outlined in the Health Insurance Portability and Accountability Act (HIPAA).
- 7 ways tech can help fix the US healthcare system (TechRepublic)
- Bedside manner in the days of EHR (ZDNet)
- Why healthcare is a prime target for hackers, and how to treat the problem (TechRepublic)
- Two deep dives into open source EHR (ZDNet)
Who do EHRs affect?
Patients and doctors are far from the only ones affected by EHRs: IT professional face a whole host of security and policy changes that affect the way they work and how they interact with medical clients.
IT teams are a key part of HIPAA compliance, which in turn is a key part of EHR meaningful use. Meaningful use is at the core of the US government's EHR push, and drilling even further down we find IT's fundamental role.
The government's EHR mandate includes financial incentives for medical professionals meeting meaningful use goals, with security being a key component. Take a look at any of the government pages on EHR adoption for long and you're likely to stumble upon the term "health IT" because that's what's happening: Healthcare is going completely digital.
- Key to HIPAA compliance is understanding your data center and cloud risks (TechRepublic)
- Health data in the cloud (ZDNet)
- EHR, the cloud, and your medlist (ZDNet)
- The state of the Industry Cloud in the healthcare sector (ZDNet)
What do IT professionals need to know about EHRs?
Electronic health records can be complicated--something I know first-hand. The time I spent working at a managed service provider (MSP) was mostly spent supporting medical practices, each with a different EHR platform that had its bugs, quirks, and unique features. That was several years ago, and EHRs have evolved since then, especially with nearly all new implementations being cloud-based.
That doesn't mean IT pros don't need to know a lot about EHR systems in order to support them.
Local installations of EHRs are far more complicated than those hosted in the cloud. In many cases, locally hosted EHR systems interface with medical devices, require secure connections between offices spread across geographic locations, and have to be set up with HIPAA considerations in mind from day one.
EHRs differ greatly, and knowing how one works isn't a guarantee of knowing anything about another. That also makes it difficult to say what specifically IT needs to know about EHRs as a whole.
IT professionals who are going to work in a medical facility will need to train on the specific software they support, and MSPs should plan to train staff whenever a new EHR platform enters their support network.
How can EHR patient data be protected from cybercriminals?
EHRs contain a lot of personally identifying information (PII) about patients: Birth dates, family relations, social security numbers, addresses, and more can all be invaluable to identity thieves and cybercriminals.
Healthcare-related websites, web apps, and other services have been hot targets for hackers for that very reason: PII is worth a lot of money to the right (or wrong) person and getting it can be as easy as phishing an unsuspecting healthcare professional.
Because of the sensitive nature of patient data, EHR security needs to be a primary focus for IT teams and the medical staff that use the systems. Typical cybersecurity best practices apply to EHRs, so IT teams should be sure systems are kept up to date, reliable antivirus software is installed, and that users have limited rights on machines running EHR software to avoid malware installation.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
Medical professionals should be primarily concerned with keeping an eye out for phishing attacks, which are one of the most popular ways to gain access to EHR databases. Healthcare providers should also be sure they're following HIPAA rules to the T, which can prevent unauthorized individuals from gaining access.
- How to keep EHRs secure and safe from cybercriminals (TechRepublic)
- Healthcare's $3 trillion question: Should the likes of Google and Facebook control this data? (ZDNet)
- Electronic health records: The new gold standard for cybercriminals (TechRepublic)
- Majority of criminal health care data breaches target point-of-sale, not EHR (ZDNet)
- Billing data in EHRs is attracting more unwanted attention from cybercriminals (ZDNet)
When is the EHR transition happening?
The Obama administration made EHR adoption mandatory starting in 2011. Three phases of adoption were planned, with the last running through 2016. As of 2018 the government-mandated transition period has ended, and those healthcare providers who are not yet compliant will be facing increasingly stiff penalties.
Penalties for non-compliance started in 2015 with a 1% reduction in Medicare reimbursements. The reduction will grow by 1% each year, ideally pushing providers to adopt EHRs quickly.
Healthcare providers who can show an EHR implementation hardship can defer penalties, but approved hardship conditions are few, and providers have to submit for deferment each year, and cannot defer for more than five years.
Adopting an EHR system takes months: IT has to plan infrastructure, records have to be digitized, staff have to be trained, and government paperwork has to be filled out. In some cases a total transition can take years, which is why the government had a five-year plan for implementation.
The bottom line: If you're a healthcare provider or an IT professional who has yet to transition, time has run out and penalties have begun.
- Philips wants to combine Fitbit data and medical records with new HealthSuite cloud data platform (TechRepublic)
- Five quick tips for successful EHR implementation (ZDNet)
- Healthcare's use of big data stumbles but isn't down for the count (TechRepublic)
How do healthcare providers, patients, and IT staff benefit from EHRs?
The benefits of EHR implementation happen behind the scenes and in most cases patients won't even realize a large-scale transition has occurred.
Providers don't just benefit from easier records access: there are also considerable financial benefits to EHR implementation. Unfortunately, many of the larger-scale payouts took place several years ago, though there are still benefits available for Medicaid providers who adopt EHR this year.
Patients benefit from EHR due to more health record transparency: most EHR platforms feature online portals where patients can log in, see their records, and contact their doctor in a secure, HIPAA-compliant system.
IT professionals don't necessarily benefit at all, though: EHR implementation simply means more work, more systems to learn, and more points of failure to keep track of.
- 4 vital elements in a robust healthcare IT security strategy (TechRepublic)
- Where is the internet of healthcare 'things'? (ZDNet)
- Healthcare IT's battle to keep sensitive data safe (TechRepublic)
- Meaningful use: ready and willing, but not sure how able (ZDNet)