Hormazd Romer, Accellion
Productivity must go hand in hand with security
Today’s HIPAA laws place greater pressure on healthcare organizations to prevent negligence and protect sensitive information, which if not addressed can have a penalty of $1.5 million per incident. And many organizations require a quite a bit of improvement.
According to a recent Ponemon Institute survey study on data security in the healthcare industry, 94 percent of healthcare organizations suffered at least one data breach in 2011 and 2012, with nearly half experiencing more than five during that time. As a result, it’s no surprise that HIPAA laws are evolving to address these issues.
Compliance requirements now make secure file-sharing solutions mandatory when addressing patient record requests; yet many professionals are still in the dark about proper security requirements. When it comes to handling sensitive patient data, healthcare professionals must work smarter to ensure that value is being added to the organization’s workflow. If systems are in place to enhance productivity, but are not equipped with proper security features, then those productivity enhancements are doing the opposite of their intent by debilitating the organization and creating greater exposure to risk.
True productivity must go hand in hand with security. Each system set in place must not only enhance employee workflow, but also protect patient data and the organization's reputation.
It is important to identify the most effective and efficient ways to provide medical records directly to patients with secure enterprise technology, including solutions to protect the mobile device, applications and final content. Be aware of the risks associated with unsecure file sharing, and keep in mind that if a system isn’t entirely secure, it’s not truly enhancing productivity.
Patrick Ney, VP, Anton/Bauer MPS
When it comes to mobile systems, it’s all about power
One of the top criteria to achieve MU is a hospital’s ability to capture a patient’s health information electronically in a standardized format. In order to do so, hospitals depend on mobile electronic devices. This exchange of patient information at the bedside is critical, making it necessary to deploy the proper equipment and processes to ensure that no data is lost. Meanwhile, the hospital must evaluate the “business” behind the decisions they make. They must consider what devices should be deployed and how they constrain or support workflow. The power system (battery) component is typically overlooked during planning and frequently adds the greatest constraint to a caregiver’s workflow. Without the proper power system, nothing else matters; the mobile devices simply will not work.
It is imperative the chosen power supply system adequately provides for a hospital’s fleet of mobile devices while eliminating workflow constraints. The power supply vendor should evaluate a hospital’s technology and workflow requirements, recommend a system to fit budget goals, insist on proving the concept before deployment and then follow through with support to ensure the hospital is satisfied with its purchase.
Ruby Raley, director of healthcare solutions, Axway
MU Stage 2 means better patient portals
We all know patient communications are front and center in the requirements for MU Stage 2 (MUS2), and that the primary certification criterion for EHRs is to provide an “online means to view, download and transmit” certain data to patients. Requirements call for online tools for patients to improve communication with their physicians and access their health records. In other words, providers need to implement patient portals on a fundamental level.
After a patient sees a physician, that patient should be able to access his or her health records within 24-48 hours. Although some healthcare providers have reached this stage, it’s not even close to standard practice across the country. Among the many reasons for delay, providers face a number of technological hurdles when providing patients access to their records, such as proper credentialing, data protection and management, and hacker-proofing their networks.
Providers also need to keep the future in mind when building these portals. We’ve entered a new mobile era, and we must enable access from patients’ chosen devices. Instead of simply meeting the objective to gain incentive funds, we actually have an opportunity to embrace the future and improve patient engagement with mobile capabilities such as appointment scheduling, reminders, and health and wellness tips.
The bottom line? Every patient has the right to a healthier life. By building portals that meet MUS2 requirements, we can drive better patient engagement and communication, and ultimately achieve better patient outcomes.
Andrew Nieto, health IT strategist, DataMotion
Direct messaging can eliminate costly interfaces
In 2005, it was estimated that more than 80 percent of U.S. physicians documented a patient’s health, wellness and medical status on paper. Medical diagnostic and treatment technologies were advancing at fantastic rates. Yet, at this point in the 21st century, most physicians still chose to document the same way their forefathers did. Paper is a delicate tool subject to easy damage, loss and destruction. Modern EHR systems tried to address this, but adoption rates were limited.
In August 2005, Hurricane Katrina flooded New Orleans and an estimated 23,000 patients lost all documentation of their medical history. Demand for change rang loudly. That change came with the passage of the HITECH Act as part of the American Recovery and Reinvestment Act (ARRA) of 2009.
Phase 1 of the HITECH Act, or as it is otherwise known, MU Stage 1, was focused on physician adoption of EHR technology. Today, EHR use has flipped with more than 80 percent using a qualified EHR. MU and its associated ARRA funds represent the most effective catalyst for change the healthcare industry has ever experienced.
In its current incarnation, MU Stage 2 is focused on the exchange of information. The Direct Project is one example of this exchange. MUS2, however, does not go far enough to promote real adoption. For example, meaningful utilization of Direct messaging will occur when providers adopt Direct messages as a tool for open dialog about all facets of patient care and wellness. Limiting the measurement of MUS2 to transitions of care only scratches the surface of the capabilities and opportunities that this technology can offer. Direct messaging has the capacity to eliminate costly interfaces to external sources, facilitate dialog across the entire care team and connect healthcare practices with accountable care organizations (ACOs), health information exchange (HIEs) and patients.
Stacy Humphrey, Dimensional Insight
Making your MU data useful
Hospitals are now accumulating a growing reservoir of standardized, clinical data as a result of implementing systems and achieving MU to meet the requirements of the EHR Incentive Programs. As hospitals move to the next stage of MU, where the focus shifts to using EHRs to improve patient care, leveraging EHR data will become increasingly crucial to attaining goals and performance targets.
Tame the data. Stage 1 was an adventure for many providers as they struggled to understand where data resided in their EHRs and adapt their clinical workflows to capture new data. As Stage 2 requirements drive further increases in standardization and data quality, opportunities will arise to use data in more meaningful ways. Business intelligence and analytics solutions can help reduce the time spent on data manipulation processes and make relevant information more readily available for patient care, measurement and decision support.
Monitor and analyze continuously. If hospitals have already attested for MU Stage 1, they now have a baseline for establishing their next set of goals. Continuously monitoring performance of MU measures at both aggregate and detailed levels (by measure, physician, location or department) puts organizations in a position to identify performance improvement opportunities in time to act on them, while patients are still in the hospital.
Bring information to the frontline. Providers meeting MU requirements are well positioned to share helpful information with clinicians and staff. Visualization tools, such as dashboards, engage and communicate data in a meaningful context to frontline staff to help them understand current status, assess the impact of improvement initiatives, recognize best practices and make better data-driven care decisions.
Earl Reber, executive director, eProtex
Why many MU claims today are false
Many healthcare providers who have attested to MU may have done so falsely, even if that was not their intent. In that case, they risk losing MU funds as the federal government is now performing both pre- and post-payment audits. A common oversight is the likely culprit that could land providers in hot water with both MU and HIPAA enforcers.
I recently talked with a health system that received MU funds, but if auditors came knocking, the health system couldn’t tell them where all their ePHI (electronic protected health information) is located – a requirement of both MU attestation and the HIPAA Security Rule. The provider knew they hadn’t fulfilled that mandate and, in their words, had “a lot of heartburn” over it.
You see, ePHI, MU and the HIPAA Security Rule are fully intertwined. Compliance with one is impossible without addressing the others. Yet, the ePHI location mandate often goes unmet.
Why? Unlike traditional computers, which receive plenty of attention from the hospital’s IT department, medical devices are unconventional, FDA-regulated machines that fall outside IT’s capabilities, partly due to FDA restrictions. Meanwhile, a growing number of medical devices – from oximeters to CT scanners – are collecting, storing and transmitting ePHI through your hospital’s network. Leave them out of risk assessments to your own detriment, and false MU attestation – with damage to your reputation and finances – is the likely result.
Bottom line: Complete a thorough risk assessment that accounts for all ePHI residing in your network – including often-neglected medical devices.
Sanjiv Waghmare, VP and GM, Intuit Health
Next-gen patient portals drive patient engagement
MU Stage 2 mandates that organizations provide consumers with the ability to view, download and transmit data. These mandates offer great potential for patient portals that offer this advanced functionality. In community organizations, patient engagement can be increased through portals that allow patients to use a single sign-on to gather information from all providers, regardless of how many HIT systems are used in that community. These portals are akin to banking software used today that enables consumers to access and aggregate data from multiple financial institutions in one place. A portal successful at driving patient engagement would offer:
- A single access point for aggregated data from multiple sources;
- Ease of use and scalability;
- Functionality to simplify key tasks (i.e. appointment scheduling, bill paying and secure two-way provider communication);
- An open and EHR-agnostic platform;
- Patient education tools and resources; and
- The ability for third parties to easily integrate their solutions.
These functions would save patients time, provide valuable insight into their health and serve as a vital link to support stronger patient-provider relationships. Provider offices will also benefit from time-saving features by moving a variety of administrative transactions online. Through this approach, providers would also be able to meet meaningful-use requirements, improve patient satisfaction and support patient-centered care.
David Bickford, Melissa Memorial Hospital
From implementation to attestation
Implementing an EHR and attesting for MU can be challenging for a critical-access hospital because of limited staff and resources, as well as high clinical variability associated with the setting. Despite these challenges, Melissa Memorial Hospital – a 15-bed critical access hospital located in rural Colorado – attested for Stage 1 MU in December 2012, only three months after fully implementing its EHR from NextGen Healthcare’s hospital solutions division. Melissa Memorial is using NextGen Inpatient Clinicals to achieve MU.
Achieving this goal took careful planning and forethought. The organization worked on an MU attestation strategy in parallel with the EHR implementation, tracking MU criteria even before the EHR was fully in use. Before and during go-live, the hospital’s core team of users met twice per day to walk through virtual patient scenarios and handoffs. This fostered teamwork between users and strengthened processes to effectively meet MU criteria.
The organization also relied heavily on the work of a super user – a registered nurse who served as the point person for the attestation effort. The nurse reviewed the organization’s MU dashboard daily to identify opportunities for improvement. She then met with staff members to talk about ways to tweak their use of the EHR to better meet MU criteria. By embedding these conversations into the nurse’s daily workflow, Melissa Memorial Hospital was able to foster transparency about the MU process and make real-time compliance improvements.
To generate organization-wide enthusiasm for MU, Melissa Memorial Hospital’s board of directors developed an incentive program, passing a resolution in January 2012 guaranteeing each full-time employee $500 if the organization successfully attested for MU Stage 1 by the end of the calendar year. By making this tangible commitment, the board set the stage for the MU effort, reinforced its importance and got everyone working together to achieve success.
Marc Perlman, global VP, healthcare, life sciences, Oracle Healthcare
At the intersection of MU and patient engagement
There is little disagreement that the Stage 1 MU foundation is firmly in place, with CMS announcing that the federal government met its 2013 goal for participation in the EHR MU program. The next two stages will bring a new level of sophistication to the use of health information technology (HIT) to improve care.
We have seen several calls for pause as we approach the onset of Stage 2 requirements. First, CMS announced in March that it would not complete Stage 3 rulemaking in 2013 as anticipated, in order to assess the program’s success to date. In April, six Republican U.S. senators proposed reexamining current procedures put in place to safeguard and ensure MU of EHRs prior to forging ahead with Stages 2 and 3. In May, the College of Health Information Management Executives (CHIME) called for a one-year extension to MU Stage 2 to “maximize the opportunity of program success.”
Patient engagement is nearing a tipping point as three important developments converge – awareness of the need for action to reduce overall healthcare spend, HIT advances and HITECH Act funding. These events have the potential to position patient engagement to make a significant impact nationwide on treatment outcomes, help reduce costs and provide patients with a greater sense of empowerment around their care.
The MU program has moved the ball forward, but to achieve the vision requires a roadmap that clearly outlines the characteristics of the transformative system and how to measure progress. What might a potential MU delay mean for advances in patient engagement, and, more broadly, its impact on the pace of HIT innovation, especially in the area of mHealth? Time will tell.
Mike Zayed, Redwood Software
Automated document, report management key to MU
While there are many benefits to EMRs, simply digitizing your patient data doesn’t mean that you’ll meet the MU mandate. MU means that you’re using your digital records in a way that provides improved patient care – not just that you’ve moved from paper files to computer files. The best way to improve patient care is to make sure that your medical staff always has the right information at the right time. Automated document and report management are key components to achieving MU.
One major hospital system we work with, which processes over 175,000 raw reports in an average month, relies heavily on their document and report management solution to extract the information they need from those reports and convert it into other formats for distribution. Users throughout the healthcare system have access to exactly the information they need in the format that is most usable.
Many hospital systems have millions of mission-critical reports in their systems. For this digital information to be really useful, it has to be organized into meaningful parts and distributed securely. With streamlined, automated document storage and distribution you can capture documents from any platform or application. Then, you can break it into separate reports, bundle it together and securely deliver it wherever it’s needed.
For the best results, healthcare systems must connect records across departments, technologies and locations to generate meaningful and accurate reports quickly. Don’t just stop at digitizing data. It’s how you manage it that makes a meaningful difference.
Bruce Gnatowski, senior director, cybersecurity consulting, SecureInfo
As security improves, data breach premiums will decrease
MU is like the car dad promised when you turned 16. You got something for free in return for getting a license and insurance. But just as driver’s ed doesn’t prepare one for the harsh realities of the road, the information security mandates of HIPAA and HITECH’s MU won’t guarantee you’re protected from data breaches and loss. In fact, they only set a minimal floor for security. Often missing for organizations looking to drive the EHR highway are the nuts-and-bolts guidance on how to secure their technical systems and data. That’s exactly where the HITRUST Common Security Framework comes in. Devised by the HITRUST Alliance, a consortium of healthcare players and cyber security experts, it provides a cost-effective, best-practice set of security controls that fulfills both compliance and system hardening. It scales to the size and complexity whether you’re a hospital, insurer, cloud service provider or lab.
So, just as auto insurers charge teen drivers more costly premiums based on their novice status, information security will be made more meaningful in healthcare when there’s a rate that’s linked to security risks. Insurers are beginning to offer a variety of cyber coverages, which will only get more expensive as medical breaches escalate in frequency and severity. But as healthcare organizations improve their security posture, and demonstrate a higher Health Information Trust Alliance (HITRUST) Program Review for Information Security Management Assistance (PRISMA) score (based on the National Institute of Standards and Technology security measurement standard), they will see their data breach premiums go down. With those risk-cost metrics linked, we will then know we have more meaningful security in healthcare.