Health IT to-do list: Timetable for maintenance and security tasks

Regular schedules for upkeep and updates can help practices get the most from a technology investment.

By Pamela Lewis Dolan — Posted May 31, 2010


Practices have tasks that need to be done regularly to ensure smooth operations. Health information technology adds a new set of recurring chores. These tasks generally are broken down as those needed for maintenance, those that help protect and secure patient data, and those that help the practice get the best return on investment, both from financial and quality standpoints.

Responsibility for these tasks varies, depending on the size, scope and structure of the practice. Here are some common tasks.

Assessing user concerns

What it entails: Performing regular check-ins with staff to determine the good, bad and ugly of each system. Some practices have lunch-and-learn sessions during which employees brainstorm and share user experiences. Others have a more informal process, with open lines of communication between users and those who can optimize, customize and tweak systems. Experts say this assessment should happen frequently right after implementation, and should continue on an ongoing basis.

Why it matters: Andres Jimenez, MD, CEO of ImplementHIT, an online provider of electronic medical record system training, said that with fewer players in the EMR market today, the systems aren't as intuitive for each specialty as they could be. Regular check-ins with staff will help practices configure the systems to meet their needs.

These regular check-ins also can help practices identify training gaps and adjust to changing environments. For example, Dr. Jimenez said, many practices set up protocols to deal with the outbreak of influenza A(H1N1). Or practices might realize that certain tests or medications are ordered frequently, so the system could create shortcuts to those orders.

What a physician has to do: If the physician is a "super user," he or she likely will be on the team in charge of acting on feedback. Physicians who don't use the system as much need to practice using it, thinking about ways the experience can be improved.

Taking care of system infrastructure

What it entails: Monitoring network connectivity to ensure that the practice stays online; monitoring for software or operating system upgrades; and monitoring database storage space.

Why it matters: According to Jeff Cunningham, chief technology officer for the Nashville, Tenn.-based vendor Informatics Corp. of America, these tasks ensure that your system remains in good working order. Good network connectivity, for example, will ensure that all computers in the practice are talking to one another. Software or operating system updates, which often are prompted by glitches reported by users of earlier versions, improve the user experience. Finally, databases that have run out of electronic storage space will prevent practices from storing and backing up files.

Losing this ability to properly store and back up files could hamper a practice's ability to operate smoothly and in a way compliant with regulations of the Health Insurance Portability and Accountability Act.

What a physician has to do: Physicians must ensure that whoever performs these tasks understands the system and the network and how they function, experts say. For many small practices without a large information technology budget, it might be worthwhile to outsource these tasks, or to go with a hosted system, meaning that the server hardware is located elsewhere. In that case, these tasks would be performed by the host.

Monitoring system access and managing passwords

What it entails: Creating unique log-in credentials for each user; ensuring that passwords are hard to guess and changed frequently; and deleting access for employees who leave the practice.

Why it matters: HIPAA laws require that each user of a health information technology system have a unique log-in and identifier. One reason is to restrict access to patient files. Unique credentials also make it possible to do audits of file access.

What a physician has to do: Michael Leonard, project manager for the IT team at Iron Mountain, an information management services company based in Boston, said physician partners need to set policies that define what an appropriate password is and set a schedule for when they are changed, normally every 90 days.

Experts say that although it shouldn't be up to physicians to serve as administrators who set and manage credentials, doctors need to know how to log in as an administrator to perform these tasks if the assigned administrator leaves the practice unexpectedly.

Performing security and HIPAA audits

What it entails: Regularly reviewing who has access to what systems and what patient health records might be exposed.

Why it matters: These audits will help practices mitigate the risk of data exposure. As roles change, as they often do in small practices, the data an employee needs to do his or her job also is likely to change. HIPAA security rules require that practices have administrative safeguards in place to protect all patient information.

What a physician has to do: Physicians need to set policy about how often audits should take place. System or practice administrators can perform these tasks, but physicians always should be told what those audits have found, experts say. Regular meetings or reports will help keep doctors informed.

Backing up files

What it entails: Instituting a regular backup schedule that occurs no less than several times a week; storing data either virtually or on portable devices.

Why it matters: HIPAA and security rules require practices to secure patient information. Backing up those files is among several best practices that physicians should adopt to ensure that a disaster, whether technical or natural, doesn't cause permanent loss of patient files.

What a physician has to do: If data are stored on portable devices, such as tapes or memory cards, a service should be contracted that will pick them up and store them off-site.

Lior Blik, president and CEO of Network Infrastructure Technologies, a New York-based IT solutions firm, said that when data are backed up virtually, most programs send alerts indicating that the backup was successful and detailing what was backed up. While someone else, such as a practice administrator, could actually send data to storage, the physician needs to be the one who receives the backup message.

"I would definitely make sure I get involved in that if I were a physician," Blik said. "That is a key you definitely don't want to lose, because this is your business."

Practices that use hosted systems most likely would have this done for them by the host, but the practice should learn how data are stored. Blik also suggests that physician partners run a data recovery test every few weeks to ensure that storage and recovery processes are working.

Analyzing financial and clinical performance

What it entails: Taking a measurement of how the system is affecting finances and clinical performance by comparing pre-implementation numbers with post-implementation measures. An analysis can run queries by demographics, diagnostic codes, labs, medications and vitals, or a combination of these, and on financial information.

Why it matters: Reviews will help a practice identify its return on investment for its system. The analysis will help the practice identify areas that need further improvement, and areas that an EMR already helped to improve. Reviews also will help a practice prove its case for bonuses or incentives under any insurance plan's program encouraging information technology use, including meaningful use under Medicare and Medicaid.

What a physician has to do: If the physician is not doing the actual queries, he or she needs to be aware of the results. "If you're not able to measure at all, you can't improve," said Chad Kerr, a health information technology consultant with Ingenix Consulting based in Eden Prairie, Minn.

Monitoring the changing health IT landscape

What it entails: Keeping an eye on emerging technologies to determine the ones your staff might try to incorporate into their work lives.

Why it matters: Kerr said that if practices don't know what up-and-coming technologies employees might be trying to use, employees might try technologies that won't be supported by the existing infrastructure. Wireless devices and personal computers are perfect examples, he said, as new tools are being introduced every six months.

What a physician has to do: Physicians need to stay on top of technology trends by reading technology news or blogs, and by talking to employees about new devices they may want to incorporate into the practice. Physicians also should talk with vendors or information technology staff to determine what devices or technology could be supported in a secure, HIPAA-compliant way.



What to do when

The scheduling of some tasks may vary from practice to practice, but industry experts shared an approximate schedule of when some of the most important work should be performed.

  • Backing up files: Several times per week
  • Monitoring system access: Monthly
  • Resetting passwords: Every 90 days
  • Performing disaster recovery checks: Every 90 days
  • Assessing user concerns: Quarterly
  • Analyzing financial performance measures: Annually
  • Analyzing clinical performance measures: As needed
  • Terminating access by former employees: When vacancies occur
  • Monitoring changing health IT landscape: Ongoing

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.
