Risk assessments limited breaches in 2012

A new report from IT security assessment provider Redspin reveals two ways to look at health data breaches that occurred last year. On one hand, the number of patient records compromised dropped significantly. However, there was a sizable increase in what were categorized as large data breaches.

The Redspin report examined 538 incidents affecting more than 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009. 

Although findings showed a 77 percent decline in the number of patient records compromised in breaches, the report also revealed a 21.5 percent increase in the number of large data breaches. According to Redspin, more than 2.4 million patients were affected by 146 breaches investigated by the Department of Health & Human Services in 2012.

"While the breach data shows improvement year-over-year, we caution against complacency," said Daniel W. Berger, president and CEO of Redspin, in a statement. "Clearly the increase in the number of health providers who conducted HIPAA security risk assessments in 2012 had a positive impact. But continuous and durable security requires continuing investment and effort -- it is an ongoing process of vigilance." 

Findings also suggested that the majority of breaches (57 percent) involved business associates (BAs). Moreover, report officials said business associates impacted more than five times as many patients as covered entities did in data breaches.

"The recently published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Berger. "This is a major regulatory change. But health providers should not just assume all BAs will comply -- they need to be proactive [and work] closely with their business partners to build a secure chain of PHI custody."

Additionally, according to the report, the lack of encryption on laptops and other portable electronic devices caused more than one-third of PHI breaches (38 percent).  

Redspin officials warned that personal health records are high-value targets for cybercriminals, as they can be exploited for identity theft, insurance fraud and falsified prescriptions. Although there has been a relatively low incident rate of hacking among all PHI breaches to date, Berger said last year's attack on the Utah Department of Health – where some 780,000 Medicaid and Children's Health Plan records were targeted – "may be the canary in the coal mine."