Virtual Nurse Associate

Virtual Nurse Associate

What is a virtual nurse associate?  
A virtual associate is an independent contract worker who works remotely in support of clients nationally. Typical tasks include administrative, technical, and business support services. Legal Nurse Consultants are well suited to work in a similar capacity serving law firms who may need assistance on a regular or per diem basis. This allows firms to scale staffing to their immediate needs and “right-size” when/if workflow subsides.  

What does a virtual office assistant do?  
Virtual nurse associates do many things including records analysis, case summaries, chronologies, identifying missing records and/or gaps in care, as well as identifying experts. A virtual nurse can do almost anything an in-house nurse can do. A virtual nurse associate can easily maintain office hours consistent with their clients or work in an asynchronous fashion, whichever benefits the client the most.   

Skills Set of a Virtual Nurse Associate  

Working virtually can be a challenge and is not a good fit for everyone.   Some people find working remotely to be isolating and stressful and prefer to work in an office environment.  Nurses are adaptable and are well suited to virtual work.  Characteristics of most nurses include:  

  • Self-starter 
  • Ability to set and see goals through fruition. 
  • Able to manage multiple competing priorities. 
  • Problem-solving skills.  
  • Excellent oral and written communication skills  

Benefits of Working with a Virtual Nurse Associate  

Communication virtually with a nurse associate need not be a challenge. The nurse can adapt their online hours to match that of the client. Should short notice taskings arise the nurse is available, just as an in-house nurse would be.  

Working with a virtual nurse associate is cost-effective in that they can be used as much or as little as needed. No doubt this model increases profits for firms. For example, the nurse could be used for a working surge before trial. If a client needs to “right-size,” no-layoff will occur as the nurse is an independent contractor without any benefits typical of an employee. The Virtual Nurse Associate does not require other benefits from their clients such as sick time, paid time off, vacation time, health insurance, or retirement benefits.  

A virtual nurse is an excellent fit for a firm who is searching for their “best fit” but needs assistance in the interim. If a less experienced nurse is hired, a virtual nurse could also serve as a mentor to the new nurse. Should the new nurse turn out not to be the best fit, the virtual nurse continues to service the firm seamlessly.  

R&G Medical Legal Solutions, LLC has a virtual nurse program, and no job is too big or too small. R&G nurses have a wide variety of backgrounds to include medical-surgical, emergency department, critical care, and long-term care, just to name a few. This allows firms to take a variety of cases knowing R&G can match the virtual nurse to the background of the case. Please contact Pamela Showers, COO at 623-566-3333 for rates and any questions.  

Ransomware is getting worse

There has been another high-profile ransomware attack and this one could possibly be more significant that the ones before.  

We covered ransomware awhile back, on what it was and how it is a growing threat. You can read that blog here. 

Just last week, Colonial Pipeline, which accounts for 45% of the US East Coast’s fuel, was attacked by ransomware. It took down its systems and forced them to shut down operations.  

https://www.zdnet.com/article/colonial-pipeline-cyberattack-shuts-down-pipeline-that-supplies-45-of-east-coasts-fuel/

Also last week, Scripps Health, a very large hospital network with over 10,000 employees and 7,000 patients, got taken down by a cyberattack.

https://www.10news.com/news/local-news/scripps-health-ceo-addresses-cyberattack-in-an-internal-memo

and

https://healthitsecurity.com/news/scripps-health-ehr-patient-portal-still-down-after-ransomware-attack

both cover that news and the implications they are still dealing with.

In the past year there has been well over $215 million in damages from ransomware attacks around the world.  

With most of the workforce still working from home in 2021, due to the Covid-19 pandemic, its making cyberattacks and ransomware much easier to pull off. Where employees and their PCs were once safely behind the office firewall, are now at makeshift workstations in their home office, bedrooms, or kitchen, using all manner of cobbled-together technologies to get the job done. 

Companies now have a MUCH bigger attack surface. This is due to employees now on all different networks and at various locations. They are no longer working within their organization’s network and covered under its normally secure protection and firewall settings. Some are smart and using a secure VPN connection to stay within their office’s network protection, but most are not. ZDNet has a great article by Danny Palmer on this topic as well.  

If you suspect you or your company has been affected by Ransomware, I am sure your first thought is to shut down or reboot all the computers and server(s) in your office. This is something that you DO NOT want to do. Shutting down or rebooting may lead to restarting a crashed file-encryption process and potential loss of encryption keys stored in the memory.  

Experts instead recommend that victims just hibernate their computer(s) and disconnect it from their network. (Easiest way is to pull out the network cable from the back of it, if it is hardwired to the internet). If you suspect more than one machine is affected, disconnect the office network switch(s), and cut its connection to the internet to keep the infection from spreading further if possible. Once done, it is advised to reach out to a professional IT support firm for further steps. 

Victims should take note that there are two stages of ransomware recovery process they must go through. 

The first is finding the ransomware’s artifacts — such as processes and boot persistence mechanisms — and removing them from an infected host. 

Second is restoring the data if a backup mechanism is available. 

When companies miss or skip the first step, rebooting the computer often restarts the ransomware’s process and ends up encrypting the recently restored files, meaning victims will have to restart the data recovery process from scratch. 

In the case of enterprises, this increases downtime and costs the company operating profits. 

To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware’s first response guide on dealing with a ransomware attack. 

Above all please keep up with regular training and remind your employees and co-workers, not to click on any questionable links or download anything that they are not sure of. Stress that if they should ever question something, it is always best to just ask their IT department about it first. While it might create more work to make sure something is legit or safe for you to use, it will tremendously save the company in the long run from massive expenses incurred from getting infected by ransomware. 

Stay safe out there everyone. 

How Chronologies Can Assist the Client in Litigation

May 2021 

Chronologies provide an exact and easy to read timeline of medical events. They are an efficient means to parse out relevant data related to a case. When records are voluminous, or a precise and detailed identification of critical events are needed, a chronology may be warranted.  

There are many styles and formats for creating a chronology. Information such as the date, time, place, and provider of care are identified. Further customizable details such bates numbers, an explanation of medical terms/abbreviations, imbedding of pdf medical record pages, and comments regarding standard of care are sometimes included per client preference. Chronologies can be written in a partial verbatim format whereas the nurse utilizes exact words from the chart, or can a summary be written in the nurse’s own words as an interpretation of events. There is no one size fits all chronology. Sometimes a combination of verbatim and pertinent verbatim can be used to produce the most efficient work product.  Pertinent style may be used for events surrounding the alleged injury, while a summary is used for related but noncritical information. Headers within the chronology can be used to identify information such as the source document and author. 

Microsoft Word or Excel can be used as the foundation for a chronology.  The table format is Word is most common.  There is also specialized software to create work products however, given chronologies are sometimes shared, compatibility can be an issue. 

BATES DATE /TIME SOURCE COMMENT 
Pdf 00123 of 000150  Or  JDOE-WAVERLYMED-00010 03/23/2021  0700 Waverly Medical Center / Bill Smith, MD   23 yo presents to ER with cough x3 days & fever 103.2. SOB, unable to complete sentences without cough  SOB = shortness of breath 
Example of a Chron entry

Small, seemingly unrelated events are often a precursor to an injury. Non-medical staff may lack insight and real-world experience needed to understand the relevance to injury and thus, these details are often omitted from the work product. Nurse provided chronologies are a cost-effective way to obtain relevant case data. Through training and education, nurses have in-depth medical knowledge regarding standards of care and the ability to analyze data and link events to breaches in the standard of care, Missing and tampered records as well as gaps in medical care are easily identifiable to a nurse.  

R&G Medical Legal Solution’s nurses provide accurate chronologies and customizable work products. Please call 623-555-3333 today to find out more information about obtaining case related chronologies.  

What is a DICOM?

DICOM Images

What is DICOM? 

In a clinical environment dealing with any medical imaging, DICOM, short for Digital Imaging and Communications in Medicine, has become essential. The broad application of DICOM is not difficult to understand, given the need and usefulness of medical imaging in healthcare. It allows the storage, viewing, and sharing of medical images and related data on devices within and across medical facilities.  
  

The standard communications protocol used to capture, store, and transmit medical images and related information is DICOM. In medical imaging, DICOM acts as a blueprint for the information structures and procedures in medical imaging systems that control the input and output of data. Both the protocol itself and its corresponding file format are referred to by the term. All data acquired in the medical imaging process is stored in this format. Without it, it would be considerably more difficult to exchange information between various imaging devices.  

Differences between DICOM and PACS, RIS, and CIS 

In addition to DICOM, words such as PACS, RIS, and CIS are often discussed , especially when talking about the benefits that have been brought to healthcare by modern software technologies, standards, and protocols. With regard to what differentiates them, this may lead to some confusion, particularly when it comes to the difference between PACS and DICOM.  

Medical IT systems focused on networks of different devices are the former. DICOM is the common protocol and file format that defines the communication between these devices and allows many different systems to communicate equally.  

Now that that’s clear, here’s an overview of the most popular medical IT systems:  

  • PACS (Picture Archiving and Communication Systems) are medical imaging systems that provide multi-modality storage and access to images. Its key application is as a superior storage option that removes the need to store and retrieve data manually. 
  • RIS (Radiology Information System) – Another type of information system for storing and handling medical imaging data widely used in radiological practices is RIS (Radiology Information System). Radiologists typically use it for, among other purposes, scheduling patients, monitoring and interpreting exams, and billing. 
  • As they are applied to the same area and sometimes used in combination, the distinction between RIS and PACS can be a little vague. These are both systems for enabling the handling of patient information, but while PACS provides storage and a long-term patient data management solution, RIS streamlines procedures and enhances workflow by allowing real-time patient monitoring and providing medical records for patients from one central source.  
  • EHR (Electronic Health Record) – EHRs are digital versions of patients’ paper charts. They are digital archives of the entire medical care history of patients. It encompasses medical pictures. EHRs can work in combination with other medical information systems, much like the previously described patient data systems. They can come with a DICOM production, send, or customer, and can be integrated with PACS or RIS as well. 
  • CIS (Clinical Information System) is an information system that documents, stores and manipulates the clinical information of patients. How does this vary, you might ask, from EHRs? EHRs include a patient’s entire medical history and are therefore much more generalized. CIS manages very precise data, obtained directly from inputs from equipment and medical staff. 

In addition to offering countless advantages, such as enhancing workflow and performance, reducing costs and space requirements, these medical information systems allow practices to concentrate more on patient care efforts. In modern medical services, this has made them indispensable.  

To respond to the diverse demands of medical imaging systems, medical technology is continually evolving and diversifying. New kinds of DICOM-compliant applications are constantly being developed, and cloud-based DICOM image viewers have been one of the most important innovations to emerge from this.  

R&G Medical Legal Solutions, is excited to announce that we have developed our very own proprietary online DICOM viewer that is a part of our database management system and will make this service available in the very near future. This will allow our clients to view any records including radiology, 24-7. Please give us a call at 1-623-566-3333 or email us at marketing@rngmedical.com today for a demonstration.  

R&G Medical Legal Solutions, LLC is a highly regarded litigation support services firm.  R&G is a second-generation company headed by Brian Oldham, a retired, service disabled veteran of The United States Air Force.  

Historical Perspective for a Successful Legal Nurse Consulting Firm

R&G Staff 
January 2021 

R&G Medical Consultants, now R&G Medical Legal Solutions, was founded in February 1992 by Rosie Oldham, BS, RN, LNCC. Her background in nursing administration, risk management and quality improvement were extremely valuable in the startup of the firm. 

R&G’s first cases were personal injury and in December 1992, the firm began working on product liability cases (resulting in completion of over 750 cases). This led to staff expansion and rapid company growth. During this project R&G   implemented total quality management procedures. Peer review of work products led to a successful 100% deficiency free submission of claims. From 1994 to 1996, R&G processed over 450 toxic tort cases (water contamination) for the defendants.  In 1997, R&G began focusing on complex medical malpractice and personal injury cases.  

Fast forward to 2021. Use of and incorporation of technology is the foundation of R&G’s continued success to managing large scale projects.  Incorporation of nurse project directors and non-nurse project managers free clients from the administrative burden of coordinating many logistical areas of mass tort. Record retrieval combined with customizable nurse work products allow for one stop shopping for clients.  

Foundational services such as nurse work products that range from in-depth, pertinent verbatim to summaries of care remain a staple.  Hybrid products, such as a combination of pertinent verbatim of key events, combined with summaries of general that capture events in an efficient, cost effective manner are now offered.    

A new service related to radiology films, will be launched in the near future.  Clients will be able to view, manage, and share radiology data online in lieu of tracking and managing CDs.  Key features of the service include cinematographic (CINE) views, digital measuring tools and panning.  

All services at R&G are customizable to fit the needs of each client.  No project is too big or small.  If interested in R&G services please call Catherine Beasley, MS, BSN, LNCC at 623-566-3333 or email cbeasley@rngmedical.com .   

HIPAA Certification, To Do or Not To Do

Catherine Beasley, MS, BSN, LNCC 
Dec 2020 

Breaches of protected health information are becoming commonplace.  The US Department of Health and Human Services, Office for Civil rights now publishes a Breach Report Results which can be accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.   

Hospitals and health care organizations must report breaches affecting more than 500 people to the Department of Health and Human Recourses as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  A breach of more than 500 patients’ information may result in the organization’s name on the Department of Health and Human Resources website.  Simply stated, breaches of protected health information are bad for the business of health care organizations.  Patients are left to wonder about the ability of the organization to provide safe, effective care.  After all, if an organization can’t manage paper, how can they manage safe care?   
 
The Health Insurance Portability and Accountability Act (HIPAA) training is now available online by third party vendors.  Training can be done at the convenience of the trainee and both individual and corporate rates are provided.  Seminars ranging from one or two days are also offered nationwide and pricing varies by vendor.   

The Department of Health and Human Services is very clear in that breaches of protected health care information are unacceptable regardless of the number of victims impacted.  However, does having a HIPAA certification mean an organization is better able to secure the personal data of those they serve?  There are two schools of thought to consider.  First, the training and knowledge will support safe practice and thus decrease risk of any potential breaches.  Training will also increase the confidence level of staff in managing protected health information and recurring training allows the trainee access to up to date information regarding HIPAA.   

An opposing view is that the Department of Health and Human Services does not endorse or recognize HIPAA certifications regarding security rules and warns against misleading marketing claims.   

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as HIPAA compliant.” 

The HHS website goes on to reflect:  

“There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation. 

Given certification is not mandatory it is up to an organization to ensure compliance is achieved.  Investment in training, while not required, is an organization decision based on the level of comfort and ability to meet requirements.   

Breach Portal, (n.d.).  Retrieved 23 Nov 2020  from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 

HHS.gov. (n.d.).  Are we required to “certify” our organization’s compliance with the standard security rule?  Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html 

HHS.gov. (n.d.) What you should know about OCR HIPAA privacy rule guidance materials.  Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html 

Why hackers are going after healthcare records…

 

When data is stolen from a bank, it quickly becomes useless once the breach is discovered and passwords are changed. However, data from the healthcare industry, which includes both personal identities and medical histories, can live and affect people for a lifetime.

Cyberattacks will cost society more than $305 Billion over the next five years.   According to industry consultancy, Accenture, 1 in 13 patients will have their data compromised as a result.

chart

The healthcare sector is uniquely vulnerable to privacy breaches.  Recent government regulations have required healthcare providers to adopt electronic health records (EHR) under the Patient Protection and Affordable Care Act.  This has the potential to expose patient data to potential compromise unless providers make equal investments in the security of the systems used to house and manage that data.   To comply with legal requirements, healthcare organizations often store detailed medical information for many years. The probability of a breach and the potential severity of the consequences increases according to the amount of data store and the length of time it is stored.

To a hacker, healthcare records contain valuable information, including Social Security numbers, home addresses, and patient histories. Criminals can sell this data for a premium on the black market, providing incentive to focus attacks on the healthcare industry.

With the push toward integrated care, medical data is being shared with many different entities whose employees may have access to patient records. This extended access to medical records also increases the potential for privacy breaches.

In summary, as companies move to digital record-keeping, the industry is so focused on regulatory compliance, that cybersecurity has largely been a secondary thought. Companies with legacy systems are trying to connect to and integrate EHRs. Security is not always considered an integral part of that, and patching systems are always filled with issues.

Source:

https://www.accenture.com/t20150723T115443__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_19/Accenture-Provider-Cyber-Security-The-$300-Billion-Attack.pdf

‘Ransomware’ a growing threat

It is 6 a.m. and you’re drinking your favorite cup of coffee as you sit down at your computer to check your daily emails. You get a message from UPS with an attachment that says “track your shipment”.  “Hmm…” you wonder to yourself, “I don’t remember ordering anything. Maybe someone sent me gift or something?” You then proceed to click on the attachment to track your package. Suddenly your computer screen blinks and starts acting weird, a window pops up with a warning…

ransomware example

 

ransonware 2

You sit there in shock as you slowly come to realize you have just gotten infected with some kind of a virus.  You start to panic as you start checking your various files on your computer and are finding out that you cannot open them up as they are encrypted. “Oh no…” you whisper to yourself, “How could this have happened? All the photos of my kids growing up over the years, all my scanned banking statements, PDF copies of my Tax returns, my resume, my entire music library that I have spent the last 6 months ripping my music CD collection to…. All encrypted! I don’t have any backup copies anywhere!” you scream to yourself in horror.

That scenario could have very well happened to you. More and more people and businesses these days are falling victim to “ransomware”. Ransomware is a malicious code that locks up computer files and cybercriminals demand a ransom to free them.  “Ransomware” may have many various names and variants, but they all have one goal in mind. To hold every digital file you own on your computer as well as across your network, hostage until you pay their ransom fee, typically by paying an online currency, such as Bitcoin. Once paid, you might get a “key” and be able to unlock your files. However there have been several cases of this not happening at all, after a ransom is paid and files have been permanently lost.

Some of the more recent and known ransomware code names are “Petya”, “ Jigsaw”, “Crypto-locker”,  “CryptoWall”, “Rokku”, “KimcilWare”, “Coverton”, etc…  Usually ransomware will have you go buy a green dot money card from your local Walgreens or Walmart, and load up the specific dollar amount they are asking for. They will have you follow instructions to convert that amount into Bitcoin (which is currently untraceable) and send it to them over the “Dark-web” using a Tor browser or something similar.

Most ransomware is delivered via email. The typical overall themes are usually shipping notices from delivery companies or purchase orders. In the past year, we have seen the content of these emails being both near-perfect in local languages and also looking much more legitimate than previously. While the majority of ransomware attacks still happen opportunistically, you will often see them being ‘localized’ so they fit their targeted countries. Also, many attacks are being delivered by mass random emails. The intention is to infect as many as possible to maximize the chances of getting a result. Ransomware is also delivered via drive-by-download attacks on compromised websites. Although the problem is well known, avoiding infection is a bigger problem, as well as what to do when you are infected.

Because ransomware is able to encrypt files on mapped network drives, disconnect the mapping where possible if you are not using the drive. Organizations must make sure backups are not accessible from endpoints through disk mounts; otherwise those will be encrypted as well. Once the backups are done and stored securely, we recommend checking that the backups are working and that you can recover from them.

The best way to recover from an attack by ransomware relies largely on if a good backup policy is employed for your data and its entire system backups. Regular backups are the most reliable method for recovering infected systems, which makes it all the more important to prevent the initial infection. Rather than a simple backup, in order to be effective, a backup must be “dated”, with older versions of files available in case newer versions have been corrupted or encrypted. Also get into the habit of storing backups in an offline environment, because many ransomware variants will try to encrypt data on all connected network shared and removable drives. It’s imperative to always have known good and up-to-date backups that are as close to real time as possible. One thing to consider is making sure you don’t overwrite your backups with the compromised data, so that when you go to restore, you are able to. If backups are not an option, you may be able to use Windows’ own shadow copies to restore files, if the ransomware has not disabled its use.

Having a layered approach to security is one of the clichés of modern infrastructure, but for repelling ransomware, it should be taken very seriously.  The best way to protect against a virus is to have defenses set up to ensure you never receive any viruses in the first place. Deploying a layered approach, utilizing technologies such as anti-virus, web filtering and firewalls will help prevent this from happening to you. More modern consumer security software now contains personal firewalls and web filtering alongside the more traditional anti-malware.

Current ransomware will typically run an executable from the App Data or Local App Data folders, so it is best to restrict this ability either through user policy, Windows or by third-party prevention kits that are designed for this purpose. As well as adopting a layered approach, getting software patches installed and being up-to-date remain the best form of security.

The final piece of advice to protect against malware is to ensure your user privileges are locked down. Most organizations or people sharing a home computer are not watching or analyzing all their users’ activities. Cyber criminals will return to someone who paid, so payment to recover your files simply confirms that you will be a good target for future attacks and scams. Most malware will execute with the same privileges as the victim executing the payload. If the person getting compromised has local or global administrative privileges, the malicious code will have access to the same resources. In the instance of ransomware, this also means ransomware will have the capacity to encrypt data across network drives, shares and removable media.

Infection by ransomware does happen. There are free tools that exist from companies such as Kaspersky and Cisco that may work in removing them. There are websites such as www.bleepingcomputer.com  and www.thehackernews.com that have great tutorials on how to remove some of the more popular ones. The worst thing about a restore is the time it takes, but this is obviously less expensive than paying a ransom.

Of course, the biggest problem with paying ransoms is that you are dealing with criminals, and there is no guarantee that the victim will get their data back, or that the attacker will not leave other forms of malware running on the system. Like other scammers, cyber criminals will return to someone who paid, so payment to recover your files simply confirms that you will be a good target for future attacks and scams.

If you are a victim, then consider the sensitivity of your data, your profile and the sophistication of the attacker before you pay, because low sophistication in communication could mean low quality of encryption.

This is a modern problem in malware, combining both sophisticated and basic tactics, and people are still getting caught, despite the fact that there are fairly straightforward methods to avoid becoming a victim.

As ransomware gets more and more advanced, you will start hearing about it on the news more often.  You can almost guarantee that a lot of companies have been affected by it as well, but have elected to keep it under wraps. If word got out that their confidential data was affected, it could potentially ruin a business.

Here are a few recent news articles of events of ransomware that had happened…

http://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403

http://thehackernews.com/2016/02/ransomware-medical-record.html

http://thehackernews.com/2015/10/fbi-ransomware-malware.html

http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX

http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/

http://www.scmagazine.com/ransomware-and-pos-attackers-to-zero-in-on-small-businesses-retailers/article/466318/

http://www.cio.com/article/3055323/security/ransomware-world-war-business-and-the-post-modern-cio.html

How Copy-and-Paste Makes EMR & EHR Fraud Easy

Healthcare Data Privacy

Federal officials say the copy-and-paste features common to computers which are used to enter Electronic Medical Records (EMR) and Electronic Health Records (EHR) invite fraud.  Merely copying and pasting another patient’s clinical notes can be considered fraud. The Federal Government believes there is a need to reduce the healthcare provider’s ability to duplicate notes.

In a report dated December 2013, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) says: “Not All Recommended Safeguards Have Been Implemented in Hospital EHR Technology.”  The study was done by the OIG who sent out a questionnaire to 864 hospitals that received Medicare payments as of March 2012. The OIG also visited eight hospitals to see how the EHR & EMR systems were being used.  In addition to obtaining information from health care providers, the OIG surveyed four EHR vendors about the implementation of fraud safe guards in their software products.

According to the report: “Copy-pasting, also known as cloning, allows users to select information from one source and replicate it in another location. When doctors, nurses, or other clinicians copy-paste information but fail to update it or ensure accuracy, inaccurate information may enter the patient’s medical record and inappropriate charges may be billed to partients [sic] and third-party health care payers. Furthermore, inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.”

When the experts at Evidence Solutions, Inc. examine Electronic Medical Records, they may look for evidence of note cloning. The process is made difficult, however, by the fact that they rarely see more than one patient’s records.

HHS agencies have confirmed they are developing comprehensive rules and regulations to deter fraud and abuse involving EMRs / EHRs, including guidelines for cut-and-paste features. According to the OIG report, “Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud.”

“When a healthcare provider inappropriately clones sections of a medical record, he or she may be entering the crosshairs of CMS (Centers for Medicare and Medicaid Services),” so says Dr. Burton Bentley II*, an emergency physician with 21 years of clinical practice.  “When an EHR does not accurately reflect the clinical encounter, then the clinician’s documentation may be subject to federal scrutiny.”

While it may seem that copying and pasting information from similar patient records is benign, failure on the part of providers to review what has been copied can lead to significant discrepancies between what really was collected from the patient encounter and the notes recorded in the record.

A missed edit from “positive result” to “negative result” can have devastating effects on not only the patient’s record but on their treatment.

Regarding fraudulent claims, it is easy to understand how copy-and-paste make it too easy to bill for work which wasn’t actually performed. Especially when the copied text comes from a different patient’s record with a couple of keystrokes.

The study found that only about one quarter of the hospitals surveyed had policies in place that governed the use of Copy and Paste in EHR and EMR systems.

* Dr. Bentley is a practicing Emergency Medicine physician and Fellow of the American Academy of Emergency Medicine (EM).  He frequently consults nationally on medicolegal issues while enjoying a busy EM practice in southern Arizona.


About the Author:

For 30 years, Scott Greene has been helping owners, CEO’s, managers and IT departments understand data. Scott Collects, Analyzes and Explains Complex Electronic Evidence in Plain English.

In 2008 he created Evidence Solutions, Inc., a full service Computer, Technology & Digital Forensics firm, from the Technology Forensics department of Great Scott Enterprises.

Scott’s extensive knowledge draws clients to him from all over the United States as well as Internationally for consulting and expert witness services in the field of Computer, Technology & Digital Forensics. His extensive and diverse experience allows him to be an expert in many facets of computer & digital technology. He is a sought after speaker and educator and travels throughout the country presenting to local, regional, national and International organizations.

The Future of TELEHEALTH is NOW!

Doctor with stethoscope Reaches out of computer screen.

The idea that a health care provider could diagnose and treat a patient via teleconferencing technology was a concept more at home in the Star Trek™ realm than what is now an increasingly commonplace event.

Patient consultations currently take place via video conference, e-health including patient portals, remote monitoring of vital signs, sleep studies at home and cardiac monitoring during the patients’ work day are common.  While there are many other applications,  (ATA, 2015) “all are considered part of telemedicine and telehealth”.

There are a great many questions regarding reimbursement, regulations, infrastructure and access as well as provider and patient adoption and whether these will fall into a viable alternative to face-to-face health care.  There are a great number of barriers that need to be overcome for telehealth to enjoy parity with inpatient visits.

With the shortage of health care providers, particularly in primary care, congressional and media attention over the past year has increased dramatically.  According to a Georgia Public Policy Foundation study, without telehealth, patient access might be delayed, denied or otherwise not available.  (Bachman 2015) reflects patient savings in time and money and reduction of stress from delayed or denied face-to-face medical care.

Patient and Doctor Consult via TabletThe Affordable Care Act has brought millions of people into the healthcare system, and currently 44 states have telehealth legislation pending.  Bills are being debated in committees for eventual introduction in Congress. There is also greater media attention highlighted on network TV and radio news shows to include blogs within the online community of health care providers and patients.

There are concerns regarding whether or not patients will readily accept telehealth alternatives, but these are essentially unfounded.  Most of the population has grown along with online technology, which includes user friendly programs that assist with reliable practice.

Elderly senior citizens may face some challenges using digital tools, a Pew Research Study (Smith, 2013) found that, “Six in ten seniors – 59%- report using the Internet.”  This percentage has been increasing by 6% over a similar point annually.  In fact, the rate of adoption of social media among those age 60 and over is the fastest growing segment of the marketplace.

Concerns about reliability of data to inform the provider is mitigated by ongoing advances in the industry making telehealth technology the cutting edge of innovation.   Higher video and image resolution, efficient use of bandwidth has made connectivity more reliable with electronic health record systems facilitating the increased data exchange (iHealthBeat, 2013).  Real time IT-enabled transfer of patient monitoring has evolved sufficiently to support telemedicine platforms. (Darves, 2014)

Scientific studies in the area of telemedicine and quality of care “indicate that the use of telemedicine for such applications as monitoring of chronic care patients or allowing specialists to provide care to patients over a large region have resulted in significantly improved care.  For most telemedicine applications, studies have shown that there is no difference in the ability of the provider to obtain clinical information, make an accurate diagnosis, and develop a treatment plan that produces the same desired clinical outcomes as compared to in-person care when used appropriately”.  (2013 American Telemedicine Report, Telemedicine’s Impact on Healthcare Cost and Quality)

Doctor Consults Specialist and Discuss Readiology Image via ComputerThe same report found that the vast majority of the peer-reviewed research studies about the cost effectiveness of telemedicine (based on large sample sizes and following sound scientific rigor) are relatively new but are consistently concluding that telemedicine saves the patients, providers and payers money when compared with more traditional approaches to providing care.  An August 2014 study by global professional services company Towers Watson estimated telemedicine could potentially deliver more than $6 billion a year in health care savings to U. S. companies (Towers Watson, 2014).

Reimbursement has been a thorny issue in telehealth.  There is a wide discrepancy between how to pay in comparison to traditional in-office visits.  (U.S. Department of Health and Human Services Health Information Technology, 2014).

Health care provider regulatory bodies are just getting started in the process of interstate practice, NCSBN’s Nurse Licensure Compact (LNC) has been ahead of the curve since implementation in 2000.  The NLC allows RNs and LPNs/LVNs to have multistate licenses with ability to practice in their home state and other NLC states.  Currently there are 24 states in the NLC.  BONs (Boards of Nursing) have been actively involved in revising the NLC to ensure it reflects best practices and provides public protection and continued high standards.  Several organizations are actively involved in compiling state by state telehealth nursing licensure requirements similar to what is available for physician requirements.

Telehealth is a concept waiting for all of the factors influencing its acceptance as part of the health care delivery system to align.

References

American Telemedicine Association.  “What is Telemedicine?”

American Telemedicine Association. (2013) “Telemedicine’s impact on healthcare cost and quality.”

Bachman, R.E. (2015).  Telehealth & Patient-Centered Care. Georgia Puclic Policy Foundaiton, Atlanta

Darves, B. (2014). “Technology advances boosting Telehealth, but changes to widespread use remain.”

iHealthBeat (2013). “Health care providers leveraging advances in Telehealth technology.”

Smith, A. (2013). “Older adults and technology use: Attitudes, impacts, and barriers to adoption.”

Towers Watson. (2-14). “Current Telemedicine Technology Could Mean Big Savings. [News Release]

U.S. Department of Health and Human Services Health Information Technology. “What are the reimbursement issues for telehealth?”

Arizona State Board of Nursing Regulatory Journal, (2015), In Focus, Spring.