What’s more important, your computer’s hardware or its software? You tell me: What’s more important, your heart or your lungs? Obviously, if you’re going to function, you need both. The same is true for electronic medical record (EMR) and electronic health record (EHR) software: Your hardware is mission-critical to the success of your electronic records, and this is not the place to compromise.
On-Site or Remote?
No matter how small your office, you will require more than one computer. These computers have to “talk” to one another through another computer, a server. A server is a physical hardware system (a computer) that “serves” the needs of and “has conversations” with other computers. It usually has a faster CPU, more memory and a large hard drive on which to store your data, and it can also store your EHR software. Servers may be housed locally or remotely. If you have more than one office site, some computers will, by necessity, be remote. These computers will likely be connected to your server through the Internet. There are literally hundreds of thousands of routers, modems and domain-name servers out there that provide access to the Web.
Like any good marriage, servers require maintenance, and someone is going to have to assume that responsibility. Some physicians have developed the skills to maintain hardware and can keep up with HIPAA regulations, but most of us don’t have a clue what to do—nor should we. Therefore, by necessity, you will likely need to delegate this responsibility to another business or to an employee if you are large enough to have your own IT staff. This is where decisions regarding your server maintenance and location become really important.
Like any good marriage, servers require maintenance, and someone is going to have to assume that responsibility.
Finding a Host
You may choose to house your server locally, feeling that your data and system are more secure. Just be aware that you will now be reliant on technicians to come to you for maintenance, emergency failures, upkeep of your backup systems and disaster recovery. The key to this decision is finding a business, not a single person, who can reliably provide these services. Individuals get sick, go on vacation and are certainly not available “24/7”—and please don’t delegate this responsibility to your local high school or college “techy.” Response times are crucial to your practice, and a 24-hour response time is not satisfactory with your EHR. You are now dependent on your EHR for providing patient care, so it is mission critical for your organization.
Alternately, you may feel more secure with your servers located remotely with a company that has on-site facilities and personnel trained to maintain your servers and protect them from risks such as viruses, fire and earthquakes. Ideally, the service provider you choose will have experience in the healthcare industry and will be familiar with its associated regulatory requirements. Don’t forget to choose a company that follows HIPAA regulations regarding EHRs and EMRs, is aware of their associated fines, and understands the increasing regulatory burdens of the Patient Protection and Affordable Care Act.
The Health Information Technology for Economic and Clinical Health (HITECH) Act altered the HIPAA regulations by mandating the protection of patient and personal information. The Act’s “Security Rule” is interpreted very broadly, which has resulted in stronger compliance mandates and enforcement powers. The HITECH Act now covers all “business associates” in addition to your organization. Jurisdiction and enforcement of these laws now comes through state attorneys general, the Centers for Medicare and Medicaid Services, the Department of Health and Human Services (HHS) Office of Civil Rights, the HHS Office of Inspector General and the Joint Commission. Noncompliance or breach of the new laws results in stiff fines: $50,000 per violation and up to $1,500,000 per calendar year. Obviously, a thorough vetting of your service vender is prudent. Any breach in confidentiality is likely to come through your service and not your office practice, so the company you choose must have experience in the highly regulated field of medicine.
If possible, hire a good consultant to help you through the process of selecting a server or server provider. Talk with other local physician groups about the support solutions that have worked for them. Find the names of local experts who support and maintain servers.
Don’t be afraid to ask for help in reviewing contracts and negotiating rates. As a general rule, never use a vendor’s template to draw up an IT outsourcing contract. These contracts, which are heavily slanted towards the vendor, are going to require a lot of modifying. You likely do not have the expertise to go “head to head” with their negotiators. Your consultant should know the best way to protect data and can outline the appropriate exit strategies if the vendor does not meet your expectations. The consultant should also be able to help you define a service-level agreement (SLA). Chances are, you wouldn’t know where to begin, and you might even get sucked into a SLA to-be-determined metric that will leave you and your organization in jeopardy. If the SLA is not associated with a penalty, then it is merely an objective without recourse. Penalties are necessary should you need to force the service provider to meet the expectations outlined in the contract. From my perspective, contract consultants are worth the money, because they can keep you and your organization out of trouble!
Next time, we will take a look at cloud computing as an alternative to your EMR/EHR needs.
Rodney Lusk, MD, is director of the Boys Town Ear, Nose and Throat Clinic and Cochlear Implant Center at Boys Town National Research Hospital in Omaha, Neb. He has been working with EMRs since 1996. He may be reached at email@example.com.