By Ruth Carol, contributing writer
Office-based physician adoption of EHRs is up from 42% to 87% in the United States between 2008 and 2015, according to the Office of the National Coordinator for Health Information Technology. Similarly, according to the AAD’s 2016 Electronic Health Records Survey Final Report, three-fourths of all dermatologists have now adopted EHRs, noted Swapna Bhatia, MPH, the AAD’s manager of health technology and informatics. “The adoption of EHRs has increased tremendously because the advantages of having an EHR outweigh the advantages of using paper records,” she said. Those advantages include easier access to health care records with a more user-friendly system, less paper in the office/less storage, better clinical workflow and efficiency, and increased quality of care.
The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 kick-started EHR adoption, followed by the Meaningful Use (MU) incentive program that created incentives for EHR use and then penalties for non-EHR use. Although MU is phased out, most practices that adopted EHRs continue with them because it was replaced with the Merit-based Incentive Payment System (MIPS), stated Erin Gardner, MD, chair of the Academy’s EHR Task Force. In order to receive a portion of the points in the now-compulsory MIPS program, physicians must employ EHRs to provide patients access to their health care information and to electronically prescribe, Dr. Gardner said.
Maintaining EHRs
Physicians who have implemented EHRs need to maintain their systems. What that entails depends, in part, on whether the EHR is hosted in the cloud or hosted on servers in the medical office. In general, EHRs require regular updates to software, operating systems, cybersecurity measures, and antivirus software, among others. Most practices either have an outsourced information technology (IT) company or in-house IT personnel to perform maintenance tasks.
Server-based EHR systems require the additional task of server management, Dr. Gardner said. A practice should follow a server maintenance plan that may be designed by an IT service management company. The plan should include hard disk maintenance, network integrity checks, data backup execution, software installation, service pack patches, and security software updates, he said.
“Even if you are using a cloud-hosted system, you still need IT support to make sure your internal network, Wi-Fi, internet, and workstations are all functioning and supported to ensure connectivity to the cloud,” noted Morris Stemp, MBA, director of EHR Integration for Slingshot Health. Early EHRs were all locally hosted in the physicians’ office, but today the majority are in the cloud or hosted by large entities, such as very large physician practices or health systems. The switch is due, in part, to EHR vendors incentivizing cloud-based systems to avoid having to deal with their clients’ server issues, he added. “In the old days when a server went down, the office couldn’t function,” Stemp said. “Now if one workstation goes down, everyone else can still work.”
Updates vs. upgrades
When it comes to maintenance, there are updates, which may be included as part of the subscription service, and there are upgrades, which often require additional financial investment, Dr. Gardner noted.
EHR vendors publish patches and updates to the operating system for a few reasons, Stemp said. One is for providing optimal security protection because breaches can occur when the software and/or firmware is not patched. Another is for improving performance, making the system faster or better functioning. A third reason is for ensuring compatibility among the various programs after they are updated. Updates may also be installed to improve battery performance for handheld devices, Dr. Gardner said. He recommends instituting a regular check and/or installation of available updates as a best practice. IT professionals often recommend updates be performed on a quarterly basis.
Upgrades feature changes to system functionality or performance that are on a much larger scale than updates, Dr. Gardner noted. Software upgrades are typically new versions of a program. Operating system upgrades generate significant changes in system functionality or user interface. The latter may feature the use of a different operating system or inclusion of functionality that meets new regulations.
After approximately four years, a workstation’s performance begins to degrade, as parts start malfunctioning and slowing down, Stemp said, adding, “The new hardware is just so much faster.” Sometimes upgrades can’t be installed on older hardware, requiring the server and software to be updated. The latter is a large expense and another reason why cloud-based servers are preferred. “As EHR vendors make upgrades in the cloud, physician practices don’t have to make changes to their internal hardware, saving the practice money,” he said.
The most substantial upgrades often involve regulatory changes. For example, physicians who want to report for the 2019 MIPS performance year must use the 2015 Certified EHR Technology Edition. The 2014 Edition is no longer accepted.
Don’t break the bank!
Read more about what you should do before adopting new technology at staging.aad.org/dw/monthly/2018/january/dont-break-the-bank.
Cybersecurity and HIPAA
“Cybersecurity must be a high priority for practices,” Dr. Gardner said, “not only for the Health Insurance Portability and Accountability Act (HIPAA) purposes, but as an obligation to patient privacy.” Practices can enhance cybersecurity by performing regular updates on operating system software, maintaining firewall and antivirus system protection and updates, and educating staff about potential sources of breaches into the system. Cybersecurity is a never-ending challenge, he added.
Both HIPAA compliance and successful participation in MIPS require physicians to perform a security risk assessment, Dr. Gardner explained. Unfortunately, the same assessment cannot be used for both HIPAA and MIPS. Furthermore, a HIPAA risk assessment is not a one-time exercise. Assessments should be reviewed periodically and whenever new work practices are implemented, or when a new technology is introduced. The Department of Health and Human Services does not specify a frequency for such reviews other than to suggest that they may be conducted annually, depending on an organization’s circumstances, he said.
The importance of training staff to recognize and combat phishing and ransomware threats cannot be overstated, said Julie Dooling, director of practice excellence for the American Health Information Management Association (AHIMA). A common practice is for the IT vendor to send fake phishing emails to staff to determine which employees could cause a potential breach in the system. Staff also need to be trained regarding password management to ensure security, Stemp said. For example, they should be using complex passwords that include lower- and upper-case letters, numbers, and symbols. Change passwords every three months and do not reuse passwords. Enforcing password policies is easier on a cloud-based system, he noted.
Encryption is another important security issue that must be addressed under HIPAA. When physicians download protected health information (PHI) to their laptop, or make it easy to access the EHR from their laptop, the laptop must be encrypted to ensure that the PHI is protected if the laptop gets stolen, Stemp said. “If the laptop is not encrypted, having it stolen or lost would be considered a reportable security breach,” he noted.
Cyber-hacking in health care
Read more about cybersecurity at staging.aad.org/dw/monthly/2018/february/cyber-hacking-in-health-care.
Backup, contingency, and recovery plans
The two most important considerations for EHR use may be protecting the medical records and data as well as maintaining connections, Dr. Gardner said. Dermatologists must have a disaster recovery and contingency plan in place to address disruptions to the functioning of the EHR system, per the HIPAA Security Rule. It calls for the following:
- A data backup plan for creating and storing copies of electronic health information,
- A recovery plan to restore lost data,
- An emergency-mode operation plan that enables facilities to continue performing required operations (i.e., relying on paper records or a read-only version of the EHR that is based off site),
- An assessment of all applications that would be affected, including the impact of a widespread outage, and
- A protocol for testing and revising the contingency plan.
It is imperative to have accessible backup data on separate systems, Bhatia stated. The backup system should be tested routinely to make sure it is effective. “Make sure all staff knows what to do in an emergency, especially with the medical records and data,” she added. If the EHR is hosted in the cloud, the cloud vendor is responsible for all these critical activities.
The United States Computer Emergency Readiness Team recommends the 3-2-1 Rule for Backups: keep three copies of the data (one primary and two backups), keep them on two different media types to protect against different hazards, and store one copy off site. For an on-site server-based system the primary copy is on the server's hard drive; for a cloud-based EHR it is on the cloud vendor's server, Dr. Gardner said. For on-site server-based systems, consider using a cloud-based secure storage vendor for one of the backups and a removable storage medium, such as an external hard drive or solid-state drive, for the second backup, he said.
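As an added illustration (not from the article or any of the experts quoted in it), the following Python script checks a constructed backup inventory against the 3-2-1 rule and verifies by SHA-256 that each backup still matches the primary copy, which is one way to make the routine backup testing described above concrete. The inventory format, media labels and file names are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_321(copies):
    """Evaluate a backup inventory against the 3-2-1 rule.

    `copies` is a list of dicts with keys `path`, `media` and `offsite`
    (assumed format); the first entry is treated as the primary copy.
    Returns a findings dict; `mismatched` lists backups whose content no
    longer equals the primary, which a restore test would otherwise miss.
    """
    ref = sha256_of(Path(copies[0]["path"]))
    findings = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in copies),
        "mismatched": [c["path"] for c in copies[1:]
                       if sha256_of(Path(c["path"])) != ref],
    }
    findings["compliant"] = (findings["three_copies"] and findings["two_media"]
                             and findings["one_offsite"] and not findings["mismatched"])
    return findings


def demo():
    """Constructed sample: a primary export plus two backups, one of them stale."""
    d = Path(tempfile.mkdtemp())
    (d / "primary.db").write_bytes(b"patient-index-v2")
    (d / "nightly.db").write_bytes(b"patient-index-v2")  # external SSD, kept on site
    (d / "cloud.db").write_bytes(b"patient-index-v1")    # cloud vendor, off site, stale
    inventory = [
        {"path": str(d / "primary.db"), "media": "server-hdd", "offsite": False},
        {"path": str(d / "nightly.db"), "media": "external-ssd", "offsite": False},
        {"path": str(d / "cloud.db"), "media": "cloud-storage", "offsite": True},
    ]
    return check_321(inventory)


if __name__ == "__main__":
    print(demo())
```

The stale off-site copy satisfies the counting rules but fails the integrity check, so the inventory is reported as non-compliant until that backup is refreshed.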
A recovery plan to restore data is equally as important. Other devices that could be impacted by an interruption in EHR service should also be catalogued, and an emergency mode for continued functioning of operational processes and equipment during a shutdown should be designed and ready to be deployed, Dr. Gardner noted. Some EHR vendors offer a disaster recovery system that automatically shuts off if a major threat is detected, and a failover system that is initiated for use during the unexpected downtime, said Dooling — adding that AHIMA publishes a Disaster Planning and Recovery Toolkit that focuses on collecting and protecting health information. Practicing a disaster contingency plan, which should address both natural and man-made disasters, is essential, she emphasized. Not only do these plans have to be routinely tested, HIPAA requires written policies detailing the plans, Stemp added.
A contingency plan should also address such scenarios as a dermatologist retiring or leaving the practice unexpectedly. In both cases, the medical records must be transferred to an official custodian, which could be another physician practice or a commercial storage firm, Dr. Gardner said. Patients must be notified and given the opportunity to obtain a copy of their health records or transfer them prior to the office closing, Dooling added. Patients should be contacted via email, written letter, and electronic posting. In Missouri, where Dr. Gardner practices, he must notify patients going back seven years.
Closing time
For more information on what to do when retiring and closing a practice visit staging.aad.org/dw/monthly/2016/july/closing-time-what-to-do-when-its-time-to-move-out-and-move-on.
Custodianship and retention requirements for medical records vary by state, as well as by federal and accreditation agencies, Dooling said. Find out your state medical record custodian and retention requirements at www.healthit.gov/sites/default/files/appa7-1.pdf. A records destruction firm that can guarantee confidentiality — if, and when, the records are eventually destroyed — is a must, Dr. Gardner said.
Maintaining records during transitions
Whether transitioning from paper records to an EHR, or from one EHR system to another, PHI must be protected and properly converted. “Your data integrity in the new EHR system depends on a clean data conversion,” Dooling said. “It’s extremely important to get it right the first time.”
Dermatologists moving from paper records to an EHR must make sure that the paper records are easily accessible. In the past, the entire paper record was scanned into the EHR, a very time-consuming and laborious task. Today, physicians are selectively entering important patient history, medication, and allergy information into the new EHR while archiving the paper record, Dr. Gardner said. Another option gaining in popularity is point-of-service scanning, whereby the service vendor indexes the records and then prepares them to be put into the EHR, Dooling said. The documents are scanned on an on-site server and sent to a central repository that assigns the records to the right patient, she explained. The next generation of record scanning involves data mining of the unstructured medical documents to identify relationships and traits that match them to the correct patient, Dooling said. Amazon Comprehend Medical is an example of this emerging technology.
After the paper records are converted into the EHR, the paper version should only be used as a reference, Bhatia said. How long the paper records are maintained really depends on those using the converted data and how much they trust the EHR. Once staff members are confident that the transition was successful, it is safe to destroy all paper-based records that have been converted, she said. Stemp recommends that practices consider scanning just the last two years’ worth of paper records and then putting them into storage for seven years. Retaining and destroying records must be done in compliance with state and federal and accreditation agency requirements, Dooling added.
Two EHRs?
Ideally, when changing EHR systems, there would be a complete data migration or conversion from the old system to the new one, Dr. Gardner said. However, interoperability challenges continue to make an effective migration or transfer challenging, if not impossible. Consequently, transitioning to a new EHR may require maintaining the old system for a while after the new one has been implemented. Practices occasionally have to run a legacy system on the computer network or in the cloud, alongside the newly implemented EHR, allowing toggling between the two systems, he said.
How long it’s necessary to maintain both systems depends on what transition provisions are in the EHR contract, Bhatia said. It behooves dermatologists to negotiate specific transition rights and obligations in the contract to minimize the disruption and risks that may occur when switching vendors. It’s critical to have enough time to make the transition to the new EHR and options to renew service/support at reasonable prices for the old EHR. Another option is to negotiate caps on future price increases upfront, thus limiting the amount of money the vendor can charge for renewing the contract. Remember, the software is good only as long as the EHR vendor supports the system.
“If you convert all of the information over, and have verified that it’s all converted, there’s no reason to retain the old system for too long,” Stemp said. He recommends retaining it for two years to make sure there are no glitches with the new EHR system. It’s best to retain them both for seven years, but that can be quite costly, he noted. Another option is to move the PHI to a hosted environment, eliminating the need to maintain the old server. Hosting the data in a “terminal services environment” in the cloud could cost $300 to $400 a month, Stemp said, but at least the records will be accessible if needed and it’s cheaper than maintaining the old server. If converting from one cloud-based EHR vendor to another, HIPAA requires the vendor to maintain the data, although they will charge for a “read only” environment, he said.
Maintaining an EHR system does require some diligence and dollars (see sidebar), but with a qualified IT company or good in-house IT support, dermatologists can get the most out of their EHRs.