<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DSC Secure Networking &#187; EMR</title>
	<atom:link href="http://dscnetworking.com/category/emr/feed/" rel="self" type="application/rss+xml" />
	<link>http://dscnetworking.com</link>
	<description>Better Hardware, Better Support, at a Better Price!</description>
	<lastBuildDate>Thu, 18 Feb 2010 13:52:32 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>A View from the Clouds.  So what is computing in the clouds anyway?</title>
		<link>http://dscnetworking.com/a-view-from-the-clouds-so-what-is-computing-in-the-clouds-anyway/</link>
		<comments>http://dscnetworking.com/a-view-from-the-clouds-so-what-is-computing-in-the-clouds-anyway/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 02:42:22 +0000</pubDate>
		<dc:creator>Adam</dc:creator>
				<category><![CDATA[EMR]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://dscnetworking.com/?p=159</guid>
		<description><![CDATA[Well, it's 2010 and one of the biggest buzzwords this year will be Computing In The Clouds. What is it, and what can it do for me, you may ask. In this article I will try to give you the pros and cons as I see them. First let us [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family: sans serif; color: black; font-size: small;">Well, it&#8217;s 2010 and one of the biggest buzzwords this year will be <strong><em>Computing In The Clouds</em></strong>. What is it, and what can it do for me, you may ask. In this article I will try to give you the pros and cons as I see them.<span id="more-159"></span> First let us try to pin down what the concept is all about. Computing in the clouds is something most of us do already; the best example is web-based email. You don&#8217;t have to purchase an email server application or a server computer to host it. Your data and the application are hosted by someone like Google, Hotmail or even AOL. So you log on to your PC, open up Internet Explorer, log on to your webmail site, and bingo, you have mail. The new craze is all about making your business applications work in the same way. So what are the disadvantages and advantages of this, you ask? Below I have listed as many pros and cons as I could think of.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: x-small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;">Pros</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Lower hardware cost due to the fact you  won&#8217;t need a server on site.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Lower PC system  requirements.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Lower on-site costs, because all of the support is on the hosted server side.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> The vendor is responsible for all upgrades  to the software and hardware.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;">Cons</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> You never really own the software; you rent it.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Application service contracts will start low to entice new users, but I expect them to soar after a time, as this format becomes more mainstream.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> It will be very difficult to change from  this platform once you go down this path.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> The internet is very unreliable in our region, which means that when your internet connection goes down, so will your system (it is hard to process customers without a working computer these days; give it a try). You can add a second internet connection from a different ISP to help prevent this problem, if the outage is caused just by your ISP being down and not the main trunk lines.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Some vendors have you install an emergency  server on your site that will cache transactions locally at your site if  their servers are down or the internet connection fails. When it comes back  online it will sync the two. Looks like we have lost one of the Pros with this  option as you now are buying a server and software anyway.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Hosted applications will have a recurring monthly or yearly fee along with the initial startup costs.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> This is one I would like everyone to think about for a real long time. If your vendor&#8217;s business fails for any reason, and they do all the time, how would you get your data back from them, and in the event of a bankruptcy could you ever get it back at all? If companies as large as banks and car manufacturers can fail, small software companies in comparison can and do fail as well. </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> Many vendors, as we all know, may not call you back for hours or sometimes days, and now your only IT support will be located in some other state. There will not be an option to call someone locally to help get you back online.</span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;"> The safety and integrity of your data has always been a key concern; now you would be leaving it up to someone else. It is not unheard of for even the largest of the cloud computing companies, like Microsoft, AOL, Google and Yahoo, to lose data for a time or even permanently, as has been reported on the news from time to time. Google Danger, the creator of the Sidekick smartphone. They just lost a load of customer data. </span></p>
<p><span style="font-family: sans serif; color: black; font-size: small;">Hopefully this will help you make a smarter decision on whether or not cloud computing is a smart choice for your business.<br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://dscnetworking.com/a-view-from-the-clouds-so-what-is-computing-in-the-clouds-anyway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upcoming HIPAA Regulations (Medical Offices)</title>
		<link>http://dscnetworking.com/upcoming-hipaa-regulations-medical-offices/</link>
		<comments>http://dscnetworking.com/upcoming-hipaa-regulations-medical-offices/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 17:06:38 +0000</pubDate>
		<dc:creator>Therese</dc:creator>
				<category><![CDATA[EMR]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://dscnetworking.com/?p=7</guid>
		<description><![CDATA[Are you looking for a one stop shop IT company that can guide you through the process of the upcoming HIPAA regulations? EMR is right around the corner. Do you know what funds your office is entitled to? Do you know the deadlines? Are you aware of the penalties your office may face if you [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Are you looking for a one stop shop IT company that can guide you through the process of the upcoming HIPAA regulations? EMR is right around the corner. Do you know what funds your office is entitled to? Do you know the deadlines? Are you aware of the penalties your office may face if you are not compliant?</strong></p>
<p><strong>DSC Secure Networking is a one stop shop IT company that can help you choose your EMR software, implement your hardware requirements, and support your system. Below is an article informing you of money that you are entitled to from the government, deadlines, and penalties.</strong></p>
<p><span id="more-7"></span></p>
<p><strong>HIPAA EMR security and the stimulus plan</strong><br />
Written by Patricia King, JD</p>
<p>The American Recovery and Reinvestment Act (the ARRA, commonly known as the stimulus bill) included $19 billion in funding for adoption of electronic medical records (EMRs). Proponents of health information technology believe that widespread adoption of EMRs will help control health care costs and enhance quality, especially as providers begin to share patient information electronically. However, privacy advocates worry that as more and more patient information is kept electronically, we will see more instances of patient information getting into the wrong hands. While the security of paper records can be far from perfect[1], most large-scale security incidents in recent years involved electronic records (such as lost laptops containing unencrypted protected health information (PHI), and PHI improperly secured in web-based applications and exposed online). So as the stimulus bill, with its incentives for EHR adoption, moved through Congress, privacy advocates sought to strengthen security protections for electronic PHI.[2] They succeeded &#8211; and as a result, practices will need to dust off their Health Information Portability and Accountability Act (HIPAA) privacy and security manuals, and strengthen protections for electronic PHI.</p>
<p><strong>What to do first about HIPAA security</strong><br />
The practice&#8217;s first priority should be to review and update HIPAA security procedures. The ARRA provides for greatly increased penalties for security breaches involving electronic PHI, and these are in effect now.</p>
<p>Under the HIPAA enforcement rule published in 2006[3], providers who violated HIPAA could be assessed a maximum civil monetary penalty of $100 per violation, up to $25,000 during a calendar year for identical violations. Under the ARRA, there will be a three-tier system for determining the penalty. The previous rate of $100 per violation/$25,000 per year will apply for innocent mistakes (if the provider did not know, and would not have known if exercising reasonable diligence, that the violation occurred). If it was not an innocent mistake, but the provider was not guilty of willful neglect, the penalty goes up to $1,000 per violation, not to exceed $100,000 per year. For violations due to willful neglect, the penalty can be as much as $50,000 per violation, not to exceed $1.5 million per year.</p>
<p>Suppose a laptop with unencrypted information on ten patients is lost. Under the previous HIPAA enforcement rule, the maximum penalty would have been $1,000. Under current law, the maximum will be either $10,000 or $500,000, depending on whether the loss of the laptop was considered &#8220;willful neglect&#8221;. This is a significant liability that is likely not covered under the practice&#8217;s insurance.</p>
<p>There is another change in enforcement that may increase the likelihood that health care providers will encounter these penalties. While enforcement of HIPAA was previously the exclusive domain of HHS, the ARRA now allows state attorneys general to bring enforcement actions. HHS had been criticized for alleged lax enforcement of HIPAA, because the agency had not conducted regular security audits of providers but had focused on responding to patient complaints.</p>
<p>In addition to the substantial increase in penalties for HIPAA violations, the ARRA introduces a requirement to notify the Secretary of Health and Human Services and affected patients, if there is a breach of unsecured PHI. PHI is considered unsecured if it is not secured through use of a technology that renders the information unusable, unreadable or indecipherable to unauthorized persons. Some states have had a security breach requirement for years, but in most cases, this applied only if the information disclosed was the type that could be used for identity theft (such as the social security number). The notification requirement under the ARRA is much broader, since it applies to improper disclosure of any PHI. This requirement will apply to business associates as well as covered entities (providers, health plans and clearinghouses). The security breach notification requirement will come into effect when HHS has published regulations, but no later than September 15, 2009.</p>
<p>If there has been an inappropriate disclosure of unsecured PHI, the provider must notify the patient by mail. If the disclosure affected more than 500 persons in a state, a notice must be published in a local newspaper, and will also be published on the HHS website. This would be, of course, a public relations nightmare for a practice that has to notify patients that their private information has been disclosed.</p>
<p>If you haven&#8217;t reviewed your HIPAA policies since they were first adopted, now is the time to revisit them, especially in light of problems encountered by other providers. Here are a couple of suggestions:</p>
<p>Make sure any PHI contained on laptops, PDAs or other portable devices is encrypted or password-secured.<br />
If any web-based services are used to transmit PHI (for example, some types of electronic billing), make sure the service uses secure encryption technology and follows state-of-the-art security practices.<br />
See &#8220;Computer security for physicians.&#8221;</p>
<p><strong>Next steps: revising HIPAA policies</strong><br />
The next task for practices should be to revise HIPAA policies, in light of some new patient rights provided under the ARRA. Under HIPAA, providers were permitted to disclose PHI for purposes of patient treatment, payment, or health care operations. Patients had the right to request restrictions on such disclosures, but the provider was not obligated to grant the patient&#8217;s request. Under the ARRA, patients will now have the right to prohibit disclosure of information to the payor, if the patient pays out-of-pocket for a service. This provision will take effect February 17, 2010. In the intervening months, practices should revise their HIPAA and medical record policies to specify how, if a patient makes this request, information on a procedure paid out-of-pocket can be flagged or segregated so it is not inadvertently disclosed to a payor auditing the record for other reasons.</p>
<p><strong>Future developments in HIPAA regulations</strong><br />
The ARRA provides for other enhancements to patient rights, but allows some lead time for HHS to develop regulations, and for developers of electronic medical records to build into their systems the capability to comply. HIPAA currently gives patients the right to request an accounting of disclosures of their PHI, but there are several exceptions. Currently, health care providers do not have to include disclosures for treatment, payment or health care operations in the accounting. The ARRA will now require providers with EMRs to produce an accounting that does include these disclosures. Because the EMR itself will probably have to be modified to capture this information, the effective date is delayed. Providers that already have an EMR must be able to produce an accounting covering disclosures for treatment, payment and health care operations made after January 1, 2014. This date may be extended by HHS, but to no later than 2016. Providers that acquire an EMR after January 1, 2009 must provide an accounting of disclosures after the later of the acquisition date, or January 1, 2011. Again, the law permits HHS to extend this deadline, but no later than 2013.</p>
<p>The ARRA also changes the definition of &#8220;health care operations&#8221; to remove some disclosures for marketing and fund-raising purposes. Since under HIPAA, disclosures for health care operations did not require the patient&#8217;s authorization, the effect is that greater restrictions are imposed on these disclosures.</p>
<p>The ARRA also prohibits the sale of PHI without the patient&#8217;s authorization, with certain exceptions, such as research. Privacy rights advocates were concerned that providers were selling patient data to pharmaceutical companies and other commercial interests. HHS will develop regulations to implement this restriction by no later than February 17, 2010.</p>
<p><strong>HIPAA Expansion</strong><br />
Finally, the ARRA greatly expands the reach of HIPAA. Previously, HIPAA applied only to &#8220;covered entities&#8221;: health plans, clearinghouses, and health care providers that used electronic transactions. HIPAA will now apply directly to business associates of covered entities, such as billing companies, record storage companies, and other firms that handle PHI.</p>
<p>While vendors of personal health records will not be covered under HIPAA, they will be required to notify individuals of a security breach affecting their personal information. The Federal Trade Commission will be responsible for enforcement of this requirement.</p>
<p>Patient privacy issues clearly have Congress&#8217;s attention. They will likely be a focus of regulatory interest for HHS in coming years.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>Footnotes </strong><br />
[1] A significant recent enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) was the $2.25 million penalty recovered from CVS Pharmacy, Inc. CVS was found to have disposed of patient information, such as old prescription labels, in unsecured dumpsters.</p>
<p>[2] Many of the privacy and security provisions adopted in the ARRA were originally proposed in a bill introduced in the last Congress, known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).</p>
<p>[3] 71 Fed. Reg. 8389 (Feb. 16, 2006).</p>
<p><strong>About the Author</strong><br />
Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (http://www.digitalagemd.com/).</p>
<p>Link to article: http://www.netdoc.com/Physician-Practice-Articles/General-Medical-Practice/HIPAA-EMR-security-and-the-stimulus-plan/</p>
]]></content:encoded>
			<wfw:commentRss>http://dscnetworking.com/upcoming-hipaa-regulations-medical-offices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
