
Resource Search Results


Displaying records 121 through 132 of 132 found.

Breach Protection Overview Presentation for Health Centers: A HITEQ Privacy & Security Resource (2017). Resource Type: Publication. Description: Data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost. High-level breaches are increasingly occurring in a more targeted manner toward health centers. This presentation provides Health Center leadership and trainers with a template to use to build out their own organization-specific presentation on breach. This presentation template covers the following agenda: Quick Start Healthcare Privacy & Security Healthcare Privacy & Security Policies and Legislation Implications for Breach Management and Mitigation Strategies Questions and discussion More Details...

Understanding EHRs, Analytics, Data Warehouses and HIE Repositories: A HITEQ Center-Developed White Paper (2016). Resource Type: Publication. Description: The goal of this paper is to clarify the roles of several health care data technologies that are often confusing to people, including Electronic Health Record (EHR) Databases, Analytic Systems and Data Warehouses, and Health Information Exchange (HIE) Data Repositories. Health Centers entering the realms of Data-driven Performance Measurement and Quality Improvement may find themselves mired in a bewildering assortment of tools, products and terminologies. There are multiple ways in which Health Centers use information, and for better or worse, multiple technologies designed to most efficiently meet their needs. One of the leading sources of confusion emanates from the oft-used term “data aggregation”. We aggregate data because we want to improve our insights into the data and thereby make better and more timely decisions. Data aggregation, put simply, is the assembly of electronic information from multiple sources for these purposes. More Details...

Assessing the Value of Health Information Exchange (2016). Resource Type: Publication. Description: This issue brief provides an overview of the value of health information exchange, including determining ROI, categories of HIE benefits, and sources for additional information. Assessing the value of health information exchange (HIE) is important to health centers to support the case for using HIE and for increasing the use of HIE. HIE value can be financial value (cost savings, increased revenue) and clinical value (improved clinical processes and outcomes such as greater utilization of preventive care and fewer hospital readmissions). The value of HIE may not be the same across health centers, and some benefits may take longer to accrue than others. This document provides information to help health centers evaluate their return on the investment (ROI) in HIE — a measure of the efficiency of an investment. More Details...

Introductory Letter for EHR/ Health IT Vendor: For use in Health Center RFP process (2016). Resource Type: Publication. Description: A template for the introductory letter to EHR vendors participating in the health center RFP process. Use the following letter template (available for download below) to clearly communicate the importance of addressing your status as a health center to the EHR vendors that have been chosen to participate in your EHR procurement process. This letter template references the Health Center Profile in the Addendum; that template can be found here. For further guidance, this resource can help to guide your organization through the process of EHR procurement using a comprehensive tool such as the EHR Planning and Procurement Toolkit from the Massachusetts eHealth Institute (MEHI). More Details...

Health Center's guide to the MEHI EHR Planning and Procurement Toolkit (2016). Resource Type: Publication. Description: An introduction to creating an EHR RFP using the MEHI EHR Planning and Procurement Toolkit. This resource shows the user how to use a comprehensive tool such as the EHR Planning and Procurement Toolkit from the Massachusetts eHealth Institute (MEHI) to guide your organization through the process of EHR procurement. The process documented in the EHR Planning and Procurement Toolkit offers a field-tested and proven methodology for a health center that is procuring an EHR. The Toolkit offers a process that will lead an organization through readiness and preparation, vendor solicitation, evaluation and selection, and vendor relationship management. Embedded within the Toolkit at critical steps along the way are the tools needed to execute an effective procurement process.  More Details...

Health Center EHR RFP Addendum (2016). Resource Type: Publication. Description: This is an addendum template to be added to an EHR Request For Proposal (RFP) to help health centers further specify the EHR functionalities needed. You may also consider using the available template introductory letter for your RFP as well. For further guidance, this resource can help to guide your organization through the process of EHR procurement using a comprehensive tool such as the EHR Planning and Procurement Toolkit from the Massachusetts eHealth Institute (MEHI). This template is intended to be an addendum to the Request for Proposal (RFP) Template for Health Information Technology. This template can be used to add requirements specifically relating to the specialized requirements and operating environments of health centers. More Details...

Encrypting Data at Rest on Servers: Implications for Health Centers (2016). Resource Type: Publication. Description: It is common practice today to encrypt data at rest, that is, data stored on servers. This is especially applicable to health centers, who are less frequently actively transporting data across disparate networks. Like many smaller healthcare organizations, Federally Qualified Health Centers (FQHC) are particularly vulnerable to potential attack and infiltration by data hackers for several reasons: they tend to have fewer technical support staff, resource limitations make it harder to assess, implement, and maintain safe data practices, and organizational inertia limits preventive action when no threat is perceived. To build off an old adage, no one ever got fired for encrypting their data. But what protection does that really provide? Is just encrypting data enough? First, let’s distinguish between three methods for encrypting data at rest.
Full-disk encryption. Most modern operating systems like Linux or Windows Server provide the capability to encrypt their disks in their entirety. This is accomplished with symmetric encryption whereby there is a key or passphrase that a computer operator has to enter when the disks are encrypted and when the system boots to allow access to the data. Typically, the password must be manually entered on the physical server console, though some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation. With full-disk encryption, software installed on the server does not need to know or do anything special to operate normally: the operating system provides transparent access to the encrypted data as necessary with very little performance loss. But note that the initial encryption needs to be done on a new disk or set of disks, as an existing disk will be wiped clean in the process. So it’s easiest to do this during an initial deployment or migration to a new server.
File system encryption. Physical disks are typically divided into one or more file systems by the operating system. As an alternative to full-disk encryption, file system encryption allows administrators to encrypt only selected file systems or even just selected folders within file systems. This makes it possible to configure a server that can boot without a passphrase, and then require a passphrase only after the system is up and running and needs to access its encrypted file systems. Similar to full-disk encryption, the encryption is transparently provided to applications by the operating system. Unlike full-disk encryption, developers and administrators need to be careful not to store sensitive files on non-encrypted file systems.
Database encryption. Another way to encrypt data at rest is at the database level: the database software (Oracle, SQL Server) can provide application-level encryption. Like operating system level encryption, a key or passphrase is entered by an operator when the database starts up, after which all database operations access the encrypted data transparently (hence the name: both Oracle and Microsoft SQL Server call the feature “Transparent Data Encryption”). For servers that may store sensitive data in files outside the database, this provides less protection than encrypting the entire file system, but likely protects the most sensitive data on the system.
What kind of protection does encrypting data at rest really provide? Here are a few salient points:
Benefits of Encrypting Data at Rest
First and foremost, encrypting data at rest protects the organization from the physical theft of the file system storage devices, which is why end-user mobile devices from laptops to cell phones should always be encrypted. While this might sound unlikely, the physical disk devices are only as secure as the data center where they are located. While data center access control policy is usually quite strict, in practice it can be quite lax. Door entry can employ weak precautions like old push-button unlock devices, and the proliferation of easily-swappable modular disks for quick maintenance makes removing a disk quite easy.
Encrypting data at rest can protect the organization from unauthorized access to data when computer hardware is sent for repair or discarded.
Encrypting data at rest can help to satisfy information security or regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
In some deployments, the actual file system where data resides is somewhat disconnected from the server upon which applications are loaded, either through the use of a storage area network (SAN) or cloud-based storage. This introduces the possibility that an intruder could break in to the storage subsystem but not the rest of the system. Encrypting the storage subsystem can protect against such attacks.
Limitations of Encrypting Data at Rest
Encryption of data at rest provides little protection against intrusions in which a hacker gains remote privileged access to a running server in which the passphrase has already been entered. Even more so, if the applications that access the encrypted files or databases (web applications, query systems) are not themselves secured, a hacker who penetrates one of these applications gains access to the data, whether it is encrypted or not.
For database encryption, note that some database management systems only support data encryption in more advanced (read: more expensive) versions of the software.
When full-disk encryption is enabled on a physical (non-virtualized) server, remember that an operator – a human being – will need to type the passphrase into a console whenever the system starts up. For database-level encryption, the passphrase will need to be entered when the database starts up. While this intervention increases the level of protection, it is at the expense of convenience, as systems cannot reboot automatically without a passphrase or even without someone actually being in the server room, which can be especially inconvenient if the system manager is not collocated with the hardware. File system encryption can mitigate some of these startup issues.
And, of course, if that passphrase is ever lost, your data will be encrypted forever.
Special Considerations for Virtualized and Cloud-based Environments
As mentioned, some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation for full-disk encryption – but be aware that there is often a tradeoff between convenience and security with automated solutions. For example, if a cloud provider keeps your passphrase and automatically provides it to the operating system at boot time, the level of security offered by the full-disk encryption solution is largely dependent on how securely the cloud provider manages the passphrase.
While encrypting data at rest can be a useful component in a data security toolbox, it must be implemented with a full understanding of the protection it does and does not provide. Organizations should consult with their vendors, data security staff, system staff, and application staff to determine an appropriate set of actions to secure institutional data. More Details...

Access to Information about Database Structures: Issues and Suggestions for Contract Negotiations (2016). Resource Type: Publication. Description: This issue brief discusses a critical concern during a health center’s health IT contracting process – the need to have access to the underlying database structures of the health IT applications (e.g., EHR, reporting system… etc.). The lack of access to database structure will hinder the health center’s ability to access the data captured in the system, and risks vendor lock-in and having records trapped in data silos in the future. Electronic health record (EHR) system customers that can access their data have found that they also need information about the database structure used by the EHR technology developer in order to effectively use the data for custom reports or to even understand the customer’s own patient population and the unit costs of care. Some EHR technology developers are reportedly unwilling to provide data models or “data dictionaries” or are charging significant fees for information that helps the customer understand how the data is held in the EHR and may be efficiently extracted and used for other purposes. More Details...

Ability to Use Data Without Excessive Charges: Issues and Suggestions for Contract Negotiations (2016). Resource Type: Publication. Description: This issue brief discusses a critical concern during a health center’s EHR contracting process – the need to preserve the ability to use data without excessive charges, which had hindered many health centers’ ability to meet UDS and other reporting requirements. Electronic health record (EHR) systems and related technology are increasingly important as health centers face additional quality reporting requirements and are expected to bear more risk in accountable care organizations (ACOs) and other alternative payment models. Some health centers have found that their decision to use a hosted EHR (rather than operating the EHR on their own hardware) and the terms of data access in those arrangements are important factors in how well they can respond to these changing requirements. More Details...

Motivating Factors for Engaging in Health IT Enabled QI: Guidance for Health Center Leadership and Partners (2016). Resource Type: Publication. Description: This white paper explores what is bringing a health center to the world of Health IT Enabled QI and lays out some motivating factors and barriers as well as what skill areas may need further consideration in planning next steps. Health centers across the country have a high EHR adoption rate and most have been using an EHR for several years. However, we know that the proliferation of EHRs and their companion reports has not always led to accurate and robust data that can be used for quality improvement. Many challenges have been identified, including provider workflow and training issues, challenges with scalability, and limitations to data that can be extracted from various EHR systems. In response, a need has been identified for tools and resources that can guide health centers and those working with health centers through some key skill areas in the pursuit of Health IT Enabled QI. More Details...

Engaging the Data Creators: Involving Front-Line Staff in the Health IT Enabled QI Process (2016). Resource Type: Publication. Description: This brief discusses the importance of including frontline staff such as front desk, intake staff, and medical assistants in the Health IT Enabled QI process, as they are often the ‘data creators’ or the ones entering the information into the system. Real world examples as well as suggested approaches and further resources are included. The data that is generated within health centers through entry into the EHR or practice management system and used for myriad purposes such as decision support, reporting, and quality improvement is often input by front-line staff. This may include front desk staff who enter information on intake forms, medical assistants who enter height, weight, and vital signs, among others. Another way to look at it is that the information that health center leadership, providers, and payers are using to make decisions is often ‘created’ by entry level staff that may have less training and higher turnover. For these reasons, it is critically important to consider these ‘data creators’ in quality improvement activities that are undertaken. More Details...

Accessing your Data: Questions to Consider with your EHR Vendor (2016). Resource Type: Publication. Description: Intended to assist in ensuring full use and understanding of capabilities of current system and assessing the need for additional population health management or data integration tools, this checklist describes the steps health center quality improvement and IT staff can take to ensure they are maximizing the population health management and other capacity of current systems. This checklist describes the steps health center quality improvement and IT staff can take to ensure they are maximizing the population health management capacity of their current EHR system. It is intended to assist health centers in ensuring they are utilizing the full capabilities of the current system and assessing the need for additional population health management tools. Included are questions around the system itself, report generation, training, and resulting data, as well as considerations before and after you contact your vendor. It’s important to note that these questions are just meant for consideration. Not all of the features or aspects discussed will be relevant for your health center, and no system nor approach will check all the boxes. Use this to guide your thinking and discussions so you are able to get a robust understanding of what your EHR is capable of, and what you may need to find elsewhere or find other ways to address. Download the checklist below. More Details...

This project is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of an award totaling $6,625,000 with 0 percentage financed with non-governmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement, by HRSA, HHS, or the U.S. Government. For more information, please visit HRSA.gov.