Bowtie Confidential: The Internal Security Threat 6/30/12

June 30, 2012

Despite the potential impact of negative publicity, penalties, fines, and lawsuits, healthcare organizations continue to breach patient information. The threat to privacy and security is not only external; it is also internal, including employees, temporary staff, and third parties.

Technology can be a culprit (it is easier to access and transfer data online), but it can also be part of a solution. Although it is impossible to prevent all insider attacks, you can leverage technology to minimize the risk.

Culture is also a culprit. Look at Facebook – people are becoming comfortable putting personal information online. There is a cultural “loosening” of privacy boundaries, which can affect an organization’s culture and therefore its security.

The following action steps should be part of your plan for reducing internal security threats:

  • Cultivate a leadership culture of respect for individual privacy regarding access to information
  • Include the “insider threat” plan in the organizational strategic plan
  • Create and assign the role of a chief information security / privacy officer
  • Develop enhanced human resource screening processes and interview techniques to seek out potential insider threats
  • Develop ongoing and consistent HIPAA (security and privacy) training and awareness programs that extend beyond orientation
  • Implement appropriate data and application access monitoring software
  • Establish clear policies and procedures to address identity, access management and overall data protection
  • Develop and implement a system and data access monitoring process that includes summary dashboard reports to leadership
  • Implement and schedule risk assessment audits

Internal threats are just as dangerous as external threats – or more. By creating and implementing a specific strategy to reduce and address insider threats, healthcare organizations can better manage their risk. Everyone is accountable for privacy and security. However, the message has to come from the top with policies, procedures, and monitoring to reinforce it.

Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.

News 6/28/12

June 27, 2012

From MGMA: the biggest challenges of running a group practice include managing finances with the uncertainty of Medicare reimbursement rates, preparation for reimbursement models that place greater financial risk on the practice, the ICD-10 transition, rising operating costs, and participation in the EHR MU program.


The 38-provider Mowery Clinic (KS) selects NextGen Ambulatory EHR/PM and Patient Portal.

Mitochon, a provider of free EHR, launches a free, integrated e-prescribing solution.


Atlanta Women’s Health Group (GA) contracts with VeriStor Systems to provide cloud services, data protection, and disaster recovery for its 30 locations.


Physicians have until July 6 to comment on NCQA standards for specialty practices wanting to become part of a PCMH “neighborhood.” NCQA’s specialty practice recognition program will be designed to recognize specialty practices that work with PCMHs to coordinate care, provide timely access, use IT to reduce test duplication, and work toward quality improvement.

The president of CVS Caremark’s MinuteClinics says the company plans to expand from today’s 565 retail walk-in clinics to 1,000 by 2016. He adds that the clinics support continuity of care by providing each patient a copy of their medical records at the end of each visit and by sending patients’ physicians a copy of the records either electronically or via fax.


Wal-Mart, by the way, has closed 33 of its retail walk-in clinics this year and currently has only 149, which is far less than the 2,000 the company had projected in 2007.

Medical billing and collections company Alleviant announces plans to open a facility in Vermillion, SD and hire 120 people by the end of 2013. Alleviant already employs about 240 workers in South Dakota.


In case you missed it, we had our first HIStalk Practice Advisory Panel post yesterday. We asked the provider participants to share impressions of their EMR and other office technologies. Participants offered feedback on eClinicalWorks, GE Centricity, Pulse, Cerner, and a few others and most responses were quite enlightening. Some highlights:

As we apply to be certified as a Patient Centered Medical Home, the EHR’s registry function is critical to our ability to manage registrations of patients with various demographic, clinical, or therapeutic criteria. Identifying all asthmatic patients, for example, who do not have a current Asthma Action Plan by a search of our registry allows proactive patient scheduling and improved care.

Our EHR has easily customizable templates to fit my workflow.

Our vendor’s technical support has historically and notoriously been abysmal. That could very well hold true for other EHR vendors.

Secure messaging has gotten pretty hot recently. I’d love to see it fully implemented at my facility.

We do use a nifty system for security which involves initial authentication with a card swipe, but then system security via a sensor on the door.

The vendor needs to stop making claims that are not true.

If you’d like to share your impressions of the Panel post or if you are a provider interested in participating, let me know.


E-mail Inga.

News 6/26/12

June 23, 2012


The Office of Inspector General finds that 57% of Medicare physicians used an EMR in 2011; 75% of those EMRs were certified to document E/M services. Allscripts, eClinicalWorks, and GE Healthcare were the vendors most widely used by physicians for documenting E/M services.

Gateway EDI completes its purchase of RCM provider National Healthcare Exchange Services (NHXS) for more than $8 million.


Physicians say their biggest practice management challenges are administrative tasks tied to payers and integrating EMR. The same survey found that only 39% of physicians believe EMRs will improve care, while 34% say it will cause care to deteriorate.


Health Nuts Media launches a Spanish-language version of its animated asthma education series Huff & Puff: An Asthma Tale. Health Nuts Media uses digital media to communicate health issues and HIStalk Practice’s own Dr. Gregg Alexander is the company’s chief medical officer.

EMR/PM provider Cloud-MDs acquires Doctors Network of America, a physician billing and consulting firm.


ChartLogic names Brenner Adams SVP of business development. Most recently Adams was director of business development for Microsoft’s X-Box Games Studio.

Humana is named the top payer among US health insurers in athenahealth’s PayerView Rankings, which measure the financial and administration performance of health insurers, as well as their transaction efficacy. For the first time since 2008, Payerview metrics dipped slightly from the previous year, likely due to disruptions associated with the ANSI 5010 transition.


Hackensack University Medical Center (NJ) expands its billing service contract with SPi Healthcare to include 300 providers in 55 practices.

Wayne County Health Clinic (IN) selects iSALUS Healthcare’s OfficeEMR solution.

Reminder: eligible providers and group practices participating in CMS’s eRx Group Practice Reporting Option must report on a minimum of 10 e-prescribing events before June 30, 2012 in order to avoid a 1.5% payment reduction on their 2013 Medicare Part B services.


E-mail Inga.


Physicians at 2,600 hospitals linked in new health care database
The project by the Premier alliance is part of wider efforts to get doctors to use EHR data to identify ways to improve medical practice.
http://www.elabs10.com/ct.html?rtr=on&s=x8pbgr,12ocp,2kdo,b0y4,c5bb,bbxn,fyg8

Healthcare Informatics 6/22/12

June 22, 2012

Healthcare Infrastructure Data Models
Option 2 — The Federated Model 

Option 1: The Centralized Repository is described in my previous post.

While this may evoke images of the United Federation of Planets for Star Trek fans, there is unfortunately no Starfleet here. Instead of pushing all the data to a single repository (option 1), this model lets the data sit wherever it is recorded. With this option, the desire by some institutions to keep patient health record data within their own walls is fulfilled. 

Although the data isn’t legally the property of healthcare providers, patients have entrusted them to maintain the data, mainly because we really wouldn’t know what to do with it anyway. Secondarily, we secretly hope they can do some cool visualization with it much like those that have been done for Facebook or make us all amateur epidemiologists much like Google has done. They haven’t yet, but here’s to hoping.

Given that all of the data is locked over a multitude of institutions, we need a sneaky way of coaxing it out. Therefore, to access the data, a query or request is sent to multiple locations asking if they have any patients that meet certain criteria. The system (i.e. an EHR at your local healthcare organization) then performs a subquery on its own system to find what the original query wants. For those that are SQL-minded, this is the same concept as a nested query. For those that are not SQL-minded, this is what children commonly refer to as a scavenger hunt. The end result is that each location responds with an aggregated number or numerator / denominator and all that is left is to total them up.  

On paper, this looks very fancy and is being carried out in some form on a limited basis with the HMO Research Network and potentially on a large-scale basis with Query Health. While this process is the modus operandi  of an actual bureaucratic federation ("You’ll have to fill out form 156B, then take it to the first floor department to get a stamp, then take it up to room 237 to copy it to form 198-2C…"), a computer scientist would tell you that messing about with subqueries is not the most efficient way of doing things.

In terms of record portability, this surely isn’t the most efficient process either. Sending out a mass query hoping to find information about one patient? That leads to the other looming problem: the issue of duplication and/or incomplete data. How can we be sure we aren’t counting some patients twice or missing some of their data if they travel around? We would need some unique identifier for every person in America (don’t say national patient identifier; 1% of the population will scream.)
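The federated count and its double-counting problem can be seen in a small Python example. This is an added illustration, not code from the original post, Query Health, or the HMO Research Network; the site names, record fields, and the shared `patient_key` are assumptions made up for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    patient_key: str       # hypothetical shared key; real sites have no common ID
    diagnosis: str
    has_action_plan: bool


@dataclass(frozen=True)
class Query:
    diagnosis: str         # denominator: patients with this diagnosis
                           # numerator: those of them without an action plan


# Constructed sample data: patient "p3" has been seen at both sites.
SITES = {
    "clinic_a": [
        Record("p1", "asthma", True),
        Record("p2", "asthma", False),
        Record("p3", "asthma", False),
    ],
    "clinic_b": [
        Record("p3", "asthma", False),
        Record("p4", "diabetes", False),
        Record("p5", "asthma", True),
    ],
}


def local_subquery(records, query):
    """Runs inside one site. Records stay put; only two integers leave."""
    denom = {r.patient_key for r in records if r.diagnosis == query.diagnosis}
    numer = {r.patient_key for r in records
             if r.diagnosis == query.diagnosis and not r.has_action_plan}
    return len(numer), len(denom)


def federated_count(sites, query):
    """Coordinator: fan the query out, then total the aggregate answers."""
    responses = {name: local_subquery(recs, query)
                 for name, recs in sites.items()}
    numer = sum(n for n, _ in responses.values())
    denom = sum(d for _, d in responses.values())
    return numer, denom, responses


def deduplicated_count(sites, query):
    """Reference answer. Only computable here because the demo holds every
    record and pretends a shared identifier exists."""
    with_dx, with_plan = set(), set()
    for recs in sites.values():
        for r in recs:
            if r.diagnosis == query.diagnosis:
                with_dx.add(r.patient_key)
                if r.has_action_plan:
                    with_plan.add(r.patient_key)
    return len(with_dx - with_plan), len(with_dx)


if __name__ == "__main__":
    q = Query("asthma")
    numer, denom, per_site = federated_count(SITES, q)
    print("per-site responses:", per_site)
    print("federated total   :", numer, "/", denom)
    print("deduplicated truth:", "%d / %d" % deduplicated_count(SITES, q))
```

The coordinator cannot detect the overlap from the aggregates alone, because the patient-level rows that would reveal it never leave the sites.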

We are also left with a struggle to analyze population data. The HMO Research Network has shown that this can be done, but each time a query goes out, there is an actual person at each location that manually looks over the query result and modifies it because “They know their data best.” 

On top of all of this, if the Query Health initiative takes hold (they want it to be part of Meaningful Use Stage 3), every healthcare provider will need to not only have an EHR, but have a secondary database used for querying and possibly someone manually taking a look at all of the results. Job creation and economic stimulus? Check. While this clearly isn’t the most efficient solution, it does get around some of the political problems that come along with acquiring and storing health information. However, what neither of the options so far has addressed is actually letting the patient get in on the action.

Aaron Berdofe is an independent health information technology contractor specializing in Meditech’s Medical and Practice Management Suite and EHR design and development.

HIStalk Practice Advisory Panel 6/27/12

June 21, 2012

The HIStalk Practice Advisory Panel is a group of physicians, ambulatory care professionals, and a few vendor executives who have volunteered to provide their thoughts on topical issues relevant to physician practices.  I’ll seek their input every month or so on an important news development and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a practice, you are welcome to join the panel. Many thanks to the HIStalk Practice Advisory Panel members for willingness to participate.

For this report, I asked panel members about their experiences with EMRs and other technologies. Their responses have been edited for brevity and to ensure their anonymity. Your comments are welcome.


What’s the one highly useful feature of your EMR that others may not have?

I use eClinicalWorks and the one highly useful feature that other EMRs may not have is “eclinisense” in which the EMR remembers every RX, procedure, diagnostic image, and written advice per diagnosis for every single note you have ever written. You don’t have to write any template for the diagnosis (called an “order set” in eCW). To use it, you just put in a diagnosis and then click one button and it will show you everything you have ever done for that diagnosis or everything another provider in your practice has done for that diagnosis. You can also suppress any entry to customize the results. The value in eclinisense is that while you might write templates for common diagnoses, eclinisense works behind the scenes for every diagnosis and does so without any work on your part.

The registry function, when it actually works! That and the integrated Provider2Provider and Patient Portal functionality (again, when it works). If you haven’t guessed it yet, our primary EHR is eClinicalworks.

GE Centricity. Honestly, there’s really nothing that special that I haven’t seen in other solutions. My facility hasn’t gotten to that high of a stage rollout, however.

eClinicalWorks: easily customizable templates to fit my workflow.

We use eClinicalWorks and I love the MAQ Dashboard, i.e. the Meaningful Use, Adoption, and Quality dashboard. It calculates all Meaningful Use measures that require a denominator and numerator. It’s offered at no additional cost and each provider can go straight to their dashboard when logged into the application. Sure, we’ve spent a fair bit of time QAing the calculations and working with eCW to resolve some issues, but it is a very nice tool.

We are on an older version of Centricity and unfortunately there are no features that it has that contemporary systems do not have.

It’s all about the jelly beans. Unintentionally, they have become the culture / trademark feature of eClinicalWorks. At a glance, you know immediately what workflow items you have outstanding to work on. The numbers in each of those jelly beans can be overwhelming. However, you at least know where you stand at all times. Click on one of those beans and the task list of items for that workflow pops up.

Cerner: one of my favorite features is called the ‘auto-complete’ (which is not unique to Cerner). But it means I can pull in relevant pieces of data into my note (e.g. the last five cholesterol profiles) and place them in the section where I document on high cholesterol. And when I see the patient the next time and copy forward my note, that section will update automatically with the updated cholesterol results.

We use eClinicalWorks. As we apply to be certified as a Patient Centered Medical Home, the eCW registry function is critical to our ability to manage registrations of patients with various demographic, clinical, or therapeutic criteria. Identifying all asthmatic patients, for example, who do not have a current Asthma Action Plan by a search of our registry allows proactive patient scheduling and improved care.

My EHR (Bond Clinician) has the Blausen Medical content, which is just great. 3D videos/slides/text and the ability to annotate make it a wonderful patient education tool.


If you could change one thing about your EMR or vendor, what would it be?

Improved customer support responsiveness and better trainers.

The service and support. They’ve made significant strides in improving it, but their technical support has historically and notoriously been abysmal. That could very well hold true for other EHR vendors. The biggest complaints we get from physicians are that engineers are difficult to understand (heavy accents), do not explain what was wrong and what was fixed, they always call back at the wrong times, and they hijack the physician’s computer to remotely troubleshoot and thus leaving the provider without a system to use during what often times is a lengthy period. Overall they are extremely poor at communication. They also don’t fix any bugs unless they impact safety or revenue, based on their judgment. I’m still not sure what process they follow to adjudicate bugs, but they certainly aren’t being addressed in a timely manner. We still have practices who are having eligibility checking issues related to the 5010 fixes.

Stop making claims that are not true. Our EMR (PureSafety’s Systoc) promised when we were evaluating them that their system fully supported voice recognition. Their big promised feature for the next release is that they will support voice recognition. Their product is a slow cumbersome dinosaur. We tell them about bugs in their program which they say they have fixed in the last release. The new release is usually worse than the last release with many new bugs. They have sent us releases which were then pulled back off the market because the updated version was crashing constantly. The update was never tested before release.

Pay the implementation folks more to keep the good folks around. The biggest challenge with EMRs is the track record of poor implementations. A great trainer will lay the foundation for a great client.  If you have a poor or below average trainer, the vendor will spend five times the money to try and turn the installation around. Occasionally they can, but by and large, that practice will struggle.

eCW uses a Clinical Decision Support System (CDSS) which was developed in concert with requirements by New York City, a major customer of the company. Unfortunately, it is not user customizable, and some of the items in their system either do not apply to our patient population or are not perfectly aligned with other nationally accepted recommendations (e.g., some immunizations). The system does prompt us to deliver many appropriate elements of primary care but the decision support function would be improved if the system allowed for some end-user customization.

Like many EMRs, data for my daily rounds is found in many disparate areas (Centricity). It would be nice to have a nice summary page for my patient that collates recent information that would allow me to finish my notes quickly. Ultimately, once we move to electronic physician documentation this will not be as necessary, but that’s not going to happen anytime soon for us.

Application change (eCW): need an easy way for providers in different practices in one database to communicate with each other. Technical change: LDAP awareness.

It is truly amazing that a company the size and stature of GE would in essence under-resource and then abandon a platform (Centricity) that could have been a winner. So the one thing I would change is their willingness to invest in their product to keep it competitive for longstanding customers.

Overcome the language and personal interaction cultural barriers that exist between eClinicalWorks support staff and their clients in the field. At their core, they truly wish to do the right things for their clients. However, a majority of the employees have very strong non-English accents that make communication and shared understanding very difficult to achieve without significant effort on both the part of eCW and the client. This is leading to a perception of poor customer service in their client base even though they are placing significant effort to improve this perception. Until the communication barriers are overcome, reorganizing their support structure and throwing more eCW employees into the service and support arena will not resolve a majority of their customer support complaints.

I would like it to run native on a Mac.

I’d change the sunsetting decision that the current owner of my EHR (Allscripts) made. It appears they chose to continue other product lines with far less technical sexiness and prowess, probably because they’re easier to support. They killed off a great system which still, even with no significant development for a while now, competes well with, and often beats, the capabilities of most systems currently available.

Needs to TRULY handle and display discrete data and conform to standards (eCW).

They’re really not a very good EMR (Pulse) with a pretty ugly interface. Allegedly I can meet MU with it. I’m a specialist with a lot of referrals, so I hope to import lots of granular data from the primary docs to fill out some of this stuff. My intention is to use Dragon dictation for the cognitive material, only entering data for the specialty-specific history that I think some non-psychotic person might actually want to use.

Better documentation tools (Cerner). Ideally they would figure out a way to merge the concept of ‘forms’ with the more regular note concept so that I could pull up a form from within any note and have the results of that form pull into the note easily. This would allow for a combination of benefits.


What unique or unusual technology are you using in your practice, or that you have seen that you are interested in using?

Our practice uses statistical process control (SPC) analysis to identify opportunities for improvement in the care delivered to registries of patients. Using frequent SPC chart feedback to the office and our practitioners has resulted in significant improvement in the care we provide. The data on which the charting is based is extracted from the registry noted above.

We are about to pilot some of the patient portal capabilities in eCW. We are hopeful that the efficiencies gained by using the patient portal are not lost by the added burden of supporting yet to be discovered needs in providing this service to our patients, e.g., locked patient accounts that self-service password resets will not resolve, multi-care giver access to a single patient’s records, parent / guardian access to minor patient records, etc.

I coded a bunch of VBA macros that do a lot of formatting and error correction of my documents, which have the virtue of being organized and actually readable at the same time.

Use of iPads/iPhones and smartphones, plus voice recognition software.

It’s not unique or unusual, but we are eagerly awaiting the eCW iPad app that should be available this summer/fall.

The more visually oriented EMRs look interesting, though they still work on templates which are always “one size fits none.”

Using a charge capture tool called Ingenious Med to better capture medical group physician charges that originate in the hospital and reduce leakage of charges.

Secure messaging has gotten pretty hot recently. I’d love to see it fully implemented at my facility. I’ve wondered how successful those vendors have been getting full adoption by all the physicians in a hospital setting – without that, it becomes much less useful.

I am using the Patient Portal (eCW) for communication paired with the Registry to send custom messages to a subset of patients based on categories such as diagnosis, Rx, last visit, lab value, or combinations of categories.

We do use a nifty system for security which involves initial authentication with a card swipe, but then system security via a sensor on the door. When the office door opens (e.g. a doctor entering or leaving), the computer goes into ‘secure’ mode, which then requires a card swipe (or manual password entry.) The result is that it becomes impossible for the patient to be alone in the room with access to the computer. Also, we use “fast user switching” so that a nurse or other user can’t mistakenly piggyback onto a doctor’s login.

Better analytics tools. Physician practices have typically operated in silos. In today’s market, groups have to be more efficient and need better and more streamlined processes (clinically and financially) to yield the same levels of income they did several years ago. Measuring and comparing practice results would allow savvy administrators to leverage the information to make better informed decisions for the practice/organization.

I’d love a technology that allows us to do plug-and-play integration / interfacing which is user (dummy) proof. One of our practices recently started using IMO integrated with ECW and that is “a trillion times better” than eCW’s built in ICD-9 coding module, and it’s ICD-10 ready!

I’m looking forward to checking out smart phone stethoscopes and an app I read about not long ago which can capture not only heart rate, but also rhythm, respiration, and blood oxygen level as accurately as clinical-grade monitors simply by capturing video of blood pulsing in patients’ fingers.
