A recent survey conducted by SERMO indicated that more than one-half of U.S. physicians believe that an EHR outage or malfunction has jeopardized the health or safety of a patient (the remaining 43% believe these outages do not impact safety). SERMO is a social network for physicians that includes 600,000 verified and credentialed physicians worldwide.

According to the Office of the National Coordinator for Health Information Technology (ONC), EHR downtime impacts documented in the medical literature include higher medication error rates, unavailability of radiology images, and cancelled appointments. An effective HIPAA Security Risk Analysis (SRA) will identify and quantify these impacts. Once they are documented, best practice in risk management is to present these risks to senior management, which has the spending authority to mitigate, transfer or accept these patient safety risks.


Image courtesy of Health Data Management

Unfortunately, the HIPAA Security Risk Analysis process is too often confined to the information technology department or compliance staff. Without sufficient input from clinical staff, who can articulate the impacts of downtime and other EHR malfunctions, potential patient safety impacts are neither quantified nor documented. To be useful, the risk analysis should quantify impacts in dollar terms, in patient safety terms, and/or in terms of the impact on the organization’s reputation.

A useful resource for the assessment process is the ONC’s SAFER guide collection. This resource consists of nine guides that identify recommended practices to optimize the safety and safe use of EHRs. These guides can be used as part of the SRA process. The SRA should further specify recommended strategies for prevention and/or mitigation. As an example, one of the SAFER guides suggests, as a prevention strategy, deploying backup systems with automatic failover. Another example is a mitigation strategy: maintain a backup system that provides read-only access to the EHR data, combined with a set of paper forms for use during downtime.

A further flaw in the risk management process is that the SRA is often not presented to senior management. Most healthcare organizations conduct annual SRAs because the report is required for Meaningful Use and/or MIPS Advancing Care Information. However, all too often the SRA is simply a “checklist” item completed for the purposes of compliance and/or to maximize Medicare reimbursement. The risk analysis is prepared and filed without serious thought or mitigation action.

Senior leadership in most healthcare organizations places a high priority on patient safety. To serve the organization well, those preparing the risk analysis are advised to include safety impacts in the SRA and to present the SRA to senior leadership. When patient safety risks and impacts are presented, senior leadership will likely be appreciative of the information.

About Gary Pritts

President, Gary Pritts

Gary consults in the areas of physician practice management, medical information systems, HIPAA compliance, health and productivity management and general business management. Gary serves on the board of Lakewood Hospital, one of the Cleveland Clinic Regional Hospitals, is a founder and past president of eHealth Ohio, and is active with numerous professional organizations. He served as product development manager for the EDI clearinghouse division of Quadax, a regional clearinghouse, and understands provider organizations from his 6 years as President and owner of Premier Rehab, a Medicare Certified Rehab agency with two Cleveland locations. His computer background includes 15 years in various computer and computer service organizations. He has a B.S. in Computer Science from Purdue University and an M.B.A. from Harvard Business School.
