Advisory Panel: Surprise Projects for 2013

April 29, 2013 Advisory Panel No Comments

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

The question this time: What "surprise" IT or informatics projects have come up recently that you didn’t expect to have to deal with in 2013?


We’re about four months away from a pretty big EHR rip-and-replace go-live. The surprise for me has been the steady drumbeat of “business as usual” requests: a new POC lab system, new offices, clinics and moves, interfaces to the legacy system that will be replaced 30 days after go-live, etc. I guess I shouldn’t be surprised — just a little freaked out.


When we began the fiscal year in October, we had not planned on applying for a CMS Shared Savings ACO. The learning curve was steep on this, and now that we were awarded one in January, we are being cautious to make the right decision on an IT platform to support the ACO.


Not sure that it’s a surprise, but the increased focus on meeting regulatory demands has shifted the focus of IS. Even though the organization focuses well on our EHR and Meaningful Use progress, it is difficult to find the funds to refresh our infrastructure and deliver the smaller application needs of the organization (food management and employee health are recent examples that come to mind). Our average age of infrastructure continues to creep upwards while our MU efforts monopolize most of the IS capital. On top of that, there is renewed focus on patient access and experience that have impact to the IS "pot o’ gold" (and for my organization it’s not really much of a pot to begin with – maybe a cup is more accurate). I have had to redirect money away from the non-regulatory projects and leave organizational needs unmet. Old equipment and unhappy customers create uncomfortable CIOs. Not a complaint really, just a reality of the job. These demands on capital make it more critical for IS to be able to tell the story on how we are going to decrease costs, increase revenues, avoid penalties, etc.


The surprise projects are currently getting planned for 2014 in our organization. Many of them are focused on Meaningful Use – both for 2014 Stage 1 and Stage 2. From our organization’s perspective, it will probably be late 2014 or 2015 before we can focus on any significant IT project that isn’t driven by a regulation or a dependency for a project that is.


Multiple instances in my organization where a doctor or department had spent time and money to build out an application for their use and want to now commercialize it. Who knew there would be so much entrepreneurial spirit going on under our hood? Begs the question – should we better create an atmosphere and infrastructure to support these projects, and what is the best way to support them moving forward (e.g. do we help to spin them off into new companies to help create a way to sustain them?) And of course we have to work through the IP issues as well.


A couple of large HR system and outpatient business analytics projects competing for resources with ICD-10 and Meaningful Use Stage 2 prep projects.


Replace our software for calculating month end reserves. Replacing software for electronic claims submission.


I’m not sure I would call these a complete surprise, but what has surprised me is the volume of good, value-added ideas that are coming up related to using our EMR to further improve quality, safety, efficiency. Multiple IT-enabled optimizations using our EMR and analytic tools to help further reduce readmissions, provide an early warning on septic patients, reduce catheter-associated urinary tract infections, and the like. In addition to ensuring readiness for Stage 2 Meaningful Use, we are spending much effort and energy on optimizing our EMR.


No real surprise projects. What is creating unrest is BI, ACO support, and keeping up after we cut our staff by 20 percent.


Interestingly, most surprises here are due to our operational need to jettison existing partners, in my case, in rad onc and imaging. This was primarily due to the relationships going south fairly quickly. Standing up linear accelerators et al, as well as a new PACS, was definitely not even on the radar. Both are significant projects.


HIMSS Healthcare Transformation Project.


Major modifications to our revenue cycle system and the interfaces to our insurance companies, based upon changes to reimbursement policies, particularly capitated payments. Still reeling.


We have a solid strategic plan that’s updated each year. We also have an engaged IT Governance group. I can’t think of any surprises, but we are only halfway through the fiscal year. My mindset is that IS should expect them and not overreact. This is where you can see what your team is made of. Also, surprises provide teaching and growth opportunities.


We have to go through three major code upgrades before February 2014, rather than just two. And we have to implement our EHR vendor’s HIM module upgrade, to our surprise, because none of the vendor’s new functionality works with our current HIM module. That turns out to be a major project, and a prerequisite that has set several other projects (such as physician documentation) back by nearly a year. Lastly, our pharmacy had been trying to "skate by" the MU Stage 2 regs by only implementing bar-coding for IV meds, but we realized after some calculations and CMS FAQs that still wouldn’t hit our required 10 percent. We’re going to have to do a full medication barcode implementation under very tight time frames.


Most surprises have been in the realm of infrastructure upgrades (additional storage and additional wireless capability). Under the heading of wireless capability, the organization chose many years ago to implement a guest wireless network. Our administration wanted to bring their own devices — they balked at having to give permission to sign on to the guest network even with something as simple as an acknowledgement. Because of this, our guest network is regularly exceeding its connection limit. We are working to create a third network for employees and their devices.


New hospital process reengineering projects that will have IT implications.


There is a possibility of squeezing in (at least the beginnings of) more inpatient EHR implementations during the latter part of the year than anticipated as we get ever closer to Stage 2 requirements kicking in.


Not a total surprise, but our physicians and our key ambulatory vendor are very rapidly moving toward multiple mobile solutions as well as patient centric solutions. More quickly than we had anticipated, we are learning to support the iPad EMR version, iPhone  apps, and patient portal.  The vendor is providing new cloud computing solutions and we’re learning how to implement and support these very rapidly.



Advisory Panel: Companies That Stood Out at the HIMSS Conference

April 22, 2013 Advisory Panel 5 Comments

The question this time: If you attended the HIMSS conference, what companies or products stood out?


Honestly? Nothing really stood out. The exhibit hall was pretty much the same as last year, which was pretty much the same as the year before, which was … you get the idea. It’s a long, grueling march with limited reward for the effort. The value-to-cost ratio for the annual HIMSS meeting has been decreasing for some time, at least for me.


Did not attend HIMSS this year. I try to make it every other year or so. Like many others, I’ve become somewhat disappointed with the quality of the education sessions and prefer to focus my time on the vendor floor. 


Nuance – the breadth of offerings.


Explorys continues to impress me with their product. 


From the resources here that did attend HIMSS (I did not this year) vendor products and services around data analytics and population health were in large numbers. Integration and interoperability themes and vendor solutions were pervasive.


I did not find any one product that stood out. However, I was pleased that the industry is getting more play and attention on business intelligence. What a difference a year makes.


Health Catalyst, Healthagen, Epic.


I was mainly focused on ACO solutions, since that is something that I think we are all going to have to figure out. How do I do real time analytics and clinical decision support across disparate systems? The HIE products don’t cut it because they are mostly retrospective and have poor or no analytics. The company in this space that stuck out to me the most is Aetna. I think they had done some thoughtful acquisitions of the necessary pieces of technology needed to truly manage an ACO from the provider perspective. I’ll be taking a closer look at them soon.


I was unable to attend, but I have spoken to many people who did attend. There were a few very common themes. New Orleans needs to either improve their infrastructure or stop hosting big events (i.e. boil order during HIMSS, taxi shortages with long lines at HIMSS and Super Bowl, electricity malfunction during Super Bowl), the lack of focus from the staff at the majority of booths (i.e. cell phone usage, talking to their team members and ignoring attendees) and the lack of follow-up or very poor, generic follow-up from the vendors. In a way, I regret not being able to go, but in another way, I am glad that I was not able to go – my patience levels are not what they used to be!


I think cloud-based delivery of software (SaaS) is here to stay. I haven’t seen a great deal of innovation in the EHR space other than that. There were a number of vendors selling "analytics" tools that just looked like pretty dashboards — I didn’t see anything groundbreaking.


I really liked the ReadyDock product. I also liked Health Catalyst. I’ve known many of the key folks involved with that company for a long time, so I know they have great people and it looks like their product is also very good.


Did not attend. Not finding much value as a CIO.


I did attend HIMSS, but had little time in the vendor hall this year. Some of the companies that I did spend time with this year included Cisco (looking at their telehealth offerings), Aventura (impressed with their solutions), AirStrip (primarily looking at their future product line, as we currently use their OB and CV solutions), and Ideal Life (looking at their in-home monitoring – they were somewhat obscurely sharing space with Verizon).


Health Catalyst stood out as a cool new data analytics platform; but I noted that they are not yet fully prepared for population health as their current data model does not have the ability to accept CMS claims data.



Advisory Panel: Data Breaches

April 15, 2013 Advisory Panel No Comments

The question this time: Has your facility learned lessons from an attempted or actual data breach? Describe your major concerns and what actions you’ve taken.


Some of our breaches have been the result of thefts of computers and storage media that contained unencrypted PHI. We have since encrypted everything we can identify that contains PHI and have instituted mandatory training for protection of PHI as well as incident response. While we continue to suffer equipment losses from theft, we are losing encrypted equipment that does not entail a breach of PHI.

We have been lucky as we have not had an attempted or actual breach. My biggest concern is the "innocent" breach — the resident who manages to copy PHI to a jump drive or cloud drive like Dropbox. We’ve either encrypted or virtualized all of our laptops, so the USB ports can’t be used for this purpose. But clever people can always find a way to defeat our measures. One resident with a smartphone and an Evernote account can do lots of damage.


We lost a home care worker’s tablet (stolen from her car even though the policy is to keep it with you at all times) and we were concerned about the status of the encryption on this department’s devices. The tablet was retrieved quickly and we did determine that the encryption was on and that no PHI was accessed. We then did a complete inventory of our mobile devices and added a new encryption product to ensure we did not have an issue in any of our settings.


Our facility has not identified any major data breaches. We have had violations where individuals have inappropriately accessed protected PHI. On the one hand, I find it frustrating that some people still take a casual attitude towards HIPAA privacy and security when they should know better. On the other hand, it shows me that we still have much education to do.


We’ve worked through a couple of breach scenarios – including what thankfully turned out to be a drill.  Some of our key responses included:

  • Escalating the priority and completing a system-wide encryption process
  • Updating our BAA to ensure our business associates are taking encryption steps
  • Changing policies for how consultants and vendors work with our data (like for conversions and analysis we need)
  • Overall our focus has been how can we eliminate the risk – so when/if a device is lost/stolen it’s not a breach.
  • Require our business associates to assume all liability for a PHI breach they cause – this can be an interesting negotiation point. I find myself regularly pointing out that as an organization we don’t see it as an effective partnership for us to be legally required to have unlimited liability related to the breach and the vendor partner who caused the issue to have a contractual cap to their liability.

As we work with vendors, it becomes obvious who has either been through a breach or seriously thought through the scenarios. Some of them apparently don’t understand how big of a deal a breach can be from a PR or monetary issue.

I’m somewhat hopeful the new HIPAA guidelines will help address vendor awareness and accountability for a breach they cause.


We have not had traditional breaches. The much bigger issue has been from legitimate employees doing illegal things, like calling in narcotic or other prescriptions for themselves or their friends. Not surprisingly, they are more likely to do this via phone call than via ePrescribing due to both tracking mechanisms and the current inability to send narcotics that way. It still boggles my mind that a pharmacy will accept a narcotic Rx via voice mail from anyone claiming to be a doctor’s assistant, but won’t accept an authorized eRx! If the FDA wants to minimize illegal narcotic prescriptions, they should ban printed and voice prescriptions and insist they should ONLY be done electronically – they literally have it backwards!


We had a potential breach. On investigation, we found no PHI was compromised. However, we were just lucky. The cell phone number of a new physician’s assistant was entered incorrectly into a call list and non-secure text messages were sent to the incorrect number. Luckily no PHI was included and the recipient notified us pretty quickly. We have subsequently identified a secure messaging platform and will be offering it to all community providers at no cost to the providers and requiring all employed providers to use it. In addition, we have used this as a specific example of the problems with insecure messaging in general to raise awareness.


While a secure perimeter is still important, you have to accept that bad guys are eventually going to get past it. One example is that we have seen a sharp rise in “spear” phishing attacks. Each month we are receiving thousands of phishing messages that are becoming more polished and sophisticated. It only takes one slipping through to potentially create a breach. As a result and as a lesson learned, we are focusing more on monitoring internal data traffic and, importantly, patterns. The idea being that if our network is compromised, we want to identify it and take corrective action as quickly as possible. 


Not from any actual event here. However, we have an annual white-hat audit/hack to expose where we are weak in order to stay ahead of potential breaches. I am pretty confident you cannot prevent all of them, but need to perform diligence against what is known and do this on at least an annual basis. We may switch to twice a year due to the security threats ever changing, which our Board and Audit team likes.


No data breach (thankfully) :)


No one ever — I mean ever — reports a laptop as stolen to the police. I think it’s the untold rule of HIT right now. You don’t want to be in the paper, so don’t file a public police report. It’s not like any government entity knew you owned that laptop and it is no longer in inventory. Even if you use encryption on the laptops, it’s still just better to not have the press.

Other major concerns. The default database usernames and passwords for many of the McKesson Horizon products are still out there in production. Ccdev is normally still the same password and what was said in 2009 is still true — changing the defaults makes for a whole hell of a mess to fix. Also, database fields that aren’t encrypted for personal identifying information. Allscripts Enterprise. No use of encrypted fields at least not in how it’s implemented by their contractors. Same for McKesson — you get the database, you get the data, and there are some pretty easy Oracle exploits out there if you are going for HCI. You’d have to do a ton of research to know the server names, but most places don’t block people from plugging into their physical LAN via Network Access Control or other means, so it’s possible. The article this week about HIT’s security situation is coming reminded me of all the easy ways to exploit system databases and installs.


Yes, have a pre-packaged response plan and practice it regularly. The plan needs to cover your organizational reaction, your public response, as well as your technical response and forensics. Establish relations with an identity protection service. Establish relations with a hardcore forensics analysis service that can also provide "white hat" attacks against your system, as a broader threat assessment service. For the sake of optics, provide NAC background checks on all employees that could reasonably present a risk as an insider threat. And for God’s sakes, encrypt every hard drive — desktop and laptop. Also, provide password-protected, encrypted thumb drives to employees. Put them in the cafeteria and hand them out like mints.


The only breaches that we have had are ones that would not have been preventable by any technology or policy prevention efforts. One was a paper breach by someone who was taking records for her defense in a lawsuit and the other was someone who compiled an Excel spreadsheet of research patients and sent it to an unsecured Gmail account. Both were actions by internal ‘bad actors’, so that is my biggest concern. We encrypt most everything possible here, even thumb drives, so the chances of a breach due to theft or negligence are pretty small.


A few years ago we had a virus of the keystroke variety. It basically infects the device, captures keystroke information, and sends data to China. The server in China attempts to create identity information from the keystroke data. Through some quick action by staff, we closed the perimeter before any packets of information were sent. At this time, I wasn’t too concerned since we looked up the type of virus on our virus protection vendor’s website and it said "minimal risk" to corporate users. What I failed to understand is that "minimal" meant minimal chance of getting the virus. Once you were infected, then risk went to "high."

The fun began at that moment. Luckily, the users were unaware of the virus since all applications were not affected. It was basically IS vs. Virus. By the time we started our remediation efforts, this bug had infected approximately 1,000 devices. Our virus protection vendor did not have a patch for this variant, so we were on our own for a while. We collected the packets created by the virus and sent them to the vendor. They quickly realized the nastiness of this virus and dispatched an engineer to assist in remediation efforts. He arrived the following day. In the meantime, the virus was able to deduce that it was being thwarted by our efforts and immediately phoned home for instructions.

At this point, the virus mutated and we were now fighting two strains. We closed off the virus’s command and control link (port 80 for you geeks) and continued to remediate. After 24 hours, the vendor programmed the patch and eradication efforts accelerated. We realized at this point many of our newer PCs were not managed by the host virus protection software hub. They had virus protection, but it was out of date and could not be updated remotely. These devices (approximately 1,000 devices or 20 percent of total inventory) had to be identified, knocked off the network, and manually remediated. It took 20 minutes per device, so you can do the math.  We also had to contact all laptop users since many of those devices could have outdated virus protection. We set up a depot for laptop users to drop off and pick up. It was a very manual process. 

It took us a couple of weeks of concerted effort before we were out of the woods. I was up for 42 hours straight at one point and totally forgot what day it was and many of the names of my team. Fortunately, I didn’t have to drive home. One of our team members had just started that week (of course we blamed him). I found out later that during a break, he walked around the building, phoned his wife, and told her not to sell the house. Fortunately for us, she did, and he now oversees our infrastructure team. We heard a few weeks later that another healthcare facility contracted the same virus but did not discover it for a week. It took them over a month to eradicate the bug and they ended up in breach notification land.

From a lessons learned perspective, we started with our virus protection. We made sure that every device was being managed by the central server and updates going out daily to all devices. We also deployed Malwarebytes to all devices as a secondary precaution. We accelerated our recruitment of a CISO and centralized our security team dedicated to protecting our assets. As of today we have implemented many of the technologies needed in a strong security program. Under the leadership of the CISO, we have encrypted all mobile devices, e-mail, and flash media. We have implemented a Security Information and Event Manager (SIEM) tool, Data Loss Protection (DLP), and soon will have an Intrusion Detection System (IDS). We have a top notch security company on retainer. They also perform audits, safe harbor workshops, penetration testing, assist in remediation efforts, staff education, and assist us in staying up to date on any HITECH security updates. Besides a solid security program, we assume a breach is inevitable and have prepared in advance.

For my colleagues, I understand the cost associated with this type of program can be daunting both in capital and operating. Outsourcing should be considered for some of the areas (e.g. SIEM) to reduce cost. One of the reasons we are seeing so many breaches is based on the costs associated with implementing a solid security program, especially at smaller organizations. It’s tough to get the program through the budget process. It’s akin to waiting to see how many accidents you have at an intersection before a traffic light is installed. Usually it takes a fatal one. My suggestion to colleagues is to walk leadership through a mock breach event using real examples. I used an article from a local newspaper in California. The hospital explained the breach and what they were doing about it. In the article comment section, a reader wrote, "How can you take good care of me when you can’t take care of my health information?" Ouch! Also, besides the fine and ending up on HHS website, the CEO typically apologizes to the community. That usually gets his or her attention.

Sorry for the long-winded response, but it is an area of interest and fascination for me.


Two stories. Our clinic system, located at the vendor’s data center, would automatically forward reports to key individuals on a daily basis. These were primarily statistical reports. Using the same approach, reports were designed to include patient information (today’s schedule, etc.) While this was "known," what wasn’t known was that the e-mail path from the data center to the clinics changed e-mail domains, which meant that the reports were being sent unencrypted across the public domain. The resolution was fairly simple, but it came as a fairly big surprise to us.

Confidential data (a little of which was PHI) being on a phone that a disgruntled employee was slow in returning. Exposure was unknown (likely known), but it caused a change in our approach on how personal phones (vs. vendor provided) should be used.


We have not yet experienced a data breach. We did, however, experience a recent virus attack. First one of any significance for this organization. Lots of lessons learned in terms of adequacy of backups and response plan. Overall not a bad experience, though we have many things to correct.


To date, we have not experienced a data breach, but have been trying to learn from the lessons of other healthcare organizations that have in order to avoid their mistakes. Toward that end, we have had improvements in physical security and made strong efforts to assure device and portable media encryption.



Advisory Panel: Job Advice

February 11, 2013 Advisory Panel 1 Comment

The question this time: As you look back on the education, experience, and effort that led you to your current position, what advice would you offer to others who aspire to a similar role?


My role is CIO and CMIO, and I used to think my path was pretty unique. But I had lunch last week with another doc trained in the same specialty who is now doing the same thing, so we’re starting a club. If we get another member, we’ll make it a professional society. As for advice, I think my path has much more to do with leadership ability than it does with specific IT training. Obviously, one has to have relevant knowledge and skills, but running an IT department isn’t that different from running an ICU.


Director of IT. Three pieces of advice. Best advice — education and experience outside of IT and/or outside of healthcare are invaluable. I have degrees in political science and foreign studies and graduate coursework in international relations. I went to work during summer break for a mortgage banking software company. Learned technology from the ground up, worked in basically every department, and eventually moved to a larger firm in manufacturing (pet care products), focusing on continuous improvement and project management.

I found my current position volunteering for the hospital and was pulled in by the CEO. I remember facing a huge roadblock in the first group interview when they were concerned that I didn’t have a background specifically in healthcare IT. I had grown up in a family of nurses, so I spoke healthcare pretty well. But my response was, "I didn’t know how to make dog food until I went to work for Purina, either." The point I made, and which eventually got me the job, was that interpersonal skills and a solid understanding of information technology are completely transferable. Bringing to the table the knowledge of how other industries manage IT and its challenges can be a huge strength. Political science is essentially understanding how people work together (or not) in a group. I use every bit of that every day in my current role. 

Second piece of advice — stay connected, keep learning. There’s not a day that goes by that I am not exploring something new, even if it doesn’t seem to directly connect to healthcare IT (yet). Eventually, everything does. I’ve developed expertise in HVAC, low voltage systems, change management, public speaking, and many more areas that I’m sure all of my counterparts are also familiar with. 

Third piece of advice – love what you do. Find that place you can put your heart and soul into and do it. You and your employer will be well rewarded.


In a CTO role with a vendor organization, I’ve found it beneficial to have worked outside of healthcare previously and experience how technology and data systems are deployed and used in other industries. But in the transition to healthcare, do not underestimate the subtlety of relationships in HIS data. Ensure that healthcare data systems can remain healthy and recover when poor or unexpected data is encountered.


I am sure that coming from hospital clinical operations was the best and most significant experience that has led me to the role of the highest ranking IS professional in the hospital. The CIO, or IS director if there is no CIO title, must first know the business. Not being a clinician, but having an in-depth knowledge of clinical process and challenges was key, then learning the applications and helping adapt them to the workload has been critical to my success. Learning the business side is the second most important.

Spending time with Managed Care, Finance, and Coding was the next most important step. IT knowledge is important, but as my CEO has always said, the further up the chain you get, the less important the technical is and the more important the relationships get.


I chose healthcare as an industry after working in financial services and realizing that the organization’s mission matters to me. I serve as a CIO for an integrated delivery organization with 1,200 ambulatory physicians in 60+ clinics and four hospitals. Best education choice I made was to go for an MBA after getting my foot in the IT world. I applied business skills and knowledge to practical IT issues and communicated better with finance people. I’ve been laid off and otherwise dismissed twice and both times the moves to new positions, while scary and a bit challenging, turned out way better than staying in a situation lacking a solid fit. I’ve quit a couple of positions that didn’t fit to move to other, more challenging situations. I value the breadth of industry experience these changes have provided me. 


I’m a CIO and spend a disproportionate time on contracts and talking to lawyers. This time commitment has increased over the years. I’d strongly recommend a business law class or two. I came up on the application side of the IT department, as opposed to the technology side. I think the ability to explain and understand applications to C-suite, physicians, housekeepers, etc. will serve you better than the ability to explain or understand the underlying technology of a Caché data structure vs. a SQL Server database.


I’m a managing director with an advisory company (an HIStalk sponsor, of course!)

Like it or not, credentials and degrees help, but they only open doors, not land the position. A varied but productive track record helps immensely. I think I am much more attractive having done a fair amount in multiple entirely different situations than if I had plugged away in the exact same position for the entire time. Plus, it lets me tell stories and derive lessons from several different backgrounds. Cross-pollination, connecting dots, etc. can often be the extra value that you can give to a prospective employer.

You create your own opportunities. It’s impossible to know what efforts will pay off. Will a meeting/conference be a waste of time or will you happen to meet that one critical contact? Get out there and find out. Sorta like investing: sometimes you lose, but you may very well win big. If you do the job you’re told to do and do it well, you’ll continue to do that job. Identify a need (ideally your boss’s pain points) and do that job and you’ll see your stock go up much higher.

Read, read, read. What’s going on in the industry? If you were introduced to a group at a conference, could you jump right into their conversation about the latest developments, chat about where things are headed, etc.? If not, get up to speed. Even if you feel it’s hard to know where to start, keep at it long enough and you’ll accumulate that background before you know it. 


I’m one of the minority of CMIOs with formal medical informatics training (master’s degree from a very academic NLM Fellowship program), but perhaps my best education came from the school of hard knocks working for a major consulting firm. Boy, did I learn a lot that they don’t teach you in the ivory tower — project management, change management, managing up and down, working on a team, presentations, client relationships, how big organizations function, etc. It was a tough couple of years, but it was like a mini-MBA. There are plenty of ways to achieve a CMIO role, but it helps to either have solid preparation in a real-world informatics environment, or to be the right person at the right place at the right time (i.e., be the anointed physician champion during the CPOE implementation and get a battlefield promotion).


Role: CIO. Today’s healthcare CIO needs a combination of technical, administrative, and business skills. It is more important to have an understanding of healthcare and the rapidly changing role of information systems than an in-depth knowledge of a single vendor’s system. The CIO should be seen as understanding the overall mission of the organization and how IT can contribute to and support that mission. Vendor and contract management, astute use of financial resources, and quality of care are all primary aspects of the job. Being an enabler rather than a naysayer is a trait the organization expects.


As a CIO, I would ask someone aspiring to this role the following (with long pauses at the commas): "What, exactly, are you thinking?" In general, I give career advice by first referencing a quote attributed to Dwight D. Eisenhower: "Plans are nothing; planning is everything." The process of figuring out what you want to do, what you want to become, and what you are willing to give up is vital in pursuing a career that you’ll find rewarding. But, you need to continuously reevaluate that plan as new opportunities arise and your life changes.

Some of the best career decisions I’ve made came from opportunities I did not have in my plan. I reevaluated and adjusted as I went. It’s good to focus on end goals and priorities, but there are many different paths you can take to reach that goal. On top of that, your priorities change over time, which affects the balance you need in your life between career, personal, and family time.


I entered the CMIO role about nine years ago after 25 years of clinical practice. In my opinion, the best way to get here is to keep your ears open and learn everything that is put in front of you. I was very attentive to all of the IT presentations while I was in practice and had a good basis when I assumed this role. The other asset that this position requires is the ability to get along with everyone; you have to get used to physicians taking their frustrations out on you, even though it isn’t personal.

In my role as CMIO and medical director of performance improvement, I have the privilege of being on the front line of both technology and quality for our organization. This is truly the sweet spot of HIT. Blending the power of data with the power of information has the potential to provide great potential for improvement in near real time. I would encourage others to pursue educational and practical experience opportunities in wide reaching areas of both technology and quality. Focus on how to tie all your efforts back to the care of the individual patient.  In addition, study and apply Lean Six Sigma techniques in the myriad of processes you will encounter along your journey. 


My role is CTO. Recommended experience — multiple industries. I was in both banking and government before healthcare. Each industry has different priorities and different levels of IS maturity. Taking the best from each industry or not doing the things you see that don’t work allow you to help make your department or division more productive which in turn helps you progress your career.

Education. For healthcare, especially now, classes like finance or even something softer than that like management or marketing are key. Anyone can learn hard core technical skills, the ones who move forward are the ones who understand the business, how IS fits in it, and can interact with others.

Don’t be afraid of hard work or long hours. Remember IS is 7x24x forever. Be available, be involved, and most of all have fun with it.


As an academic attending physician with an interest in informatics, I would suggest getting the strongest possible clinical training as well as a formal solid foundation in the core areas of informatics, including a good understanding of clinical information systems, decision support, usability and interface design, human-computer interaction, computer databases, project management, and organizational behavior. It’s possible to learn about EHRs on the fly, through practical experience and by apprenticeship, especially with a strong background in clinical practice and in the use of technology. But formal training in each is a huge advantage. 

I benefitted a great deal from attending top programs for my clinical and informatics training due to the quality of the education, but also the people who I met and the lifelong connections that I made. Networking through professional organizations and meetings can be a big plus, as is staying up to date by reading great prose such as HIStalk.  :-)


I am the CIO/security officer of our organization. My path has been unique in that I started out as a nurses’ aide/unit clerk. I’ve spent over 30 years in hospitals and a couple of years on the vendor side. Knowing the business of my customers first hand has given me a perspective and credibility that CIOs coming from the technology side struggle to achieve. Advice to those striving for a similar role — know the business of the organization front to back. There isn’t any work process that is too insignificant for you to understand. Also, I believe that an MHA or MBA is more valuable than an advanced degree in technology.

Just like mileage on a car, your actual results will vary. With that said, I think there are a few steps aspiring CIOs would want to consider. First, a mental health evaluation would be in order, as this job is not for everyone and it is rife with risk, stress, and the potential to develop bad habits one does not have currently.

More seriously, a graduate level degree is almost a requirement. PMP certification would be a nice add-on, as would Six Sigma or Lean certification at some level. Clinical experience is a plus, and for more and more organizations, those with a significant clinical background that have come over to IT have a leg up on the rest of us. Working as a consultant can help as it teaches you skills you would not get otherwise, from presentation and report writing (communications) to exposure to many more situations than if you stayed with a single employer (experience). Work in more than one of the IT disciplines also is helpful. 

You will have to move into a leadership role at some point or have already done this in your past. There is no substitute for this. Don’t be afraid to move for an opportunity or travel for a while,  but make sure your family, spouse, partner understand what this means as it is a big step. Have a career mentor if you can find one — I wish I had one in the past and serve as one today. Finally, you need to have a little luck. Sure, part of this is creating your own luck or maybe recognizing an opportunity when it presents itself and having the courage to act on it. But sometimes things line up just right and you have to act. 

Finally, humility is very important. Remember that nobody achieves success without help from others. I owe much of my success to those that I have worked with and dare say "led." I would be nothing professionally without investing in the people that really get the work done and the results that go with them. I cannot possibly overstate how important this last point is.


To be a successful CIO, you need to pay your dues. I started as a computer operator in a data center. I continued my education while looking for opportunities to move up. I volunteered for everything, even if it was outside of IT. I learned the business of healthcare, not just the business of healthcare IT. I became a supervisor then a manager then a director over a 10-year period. I can definitely empathize with my staff and leadership since I have held or managed most of their positions.

The leap from director/VP to CIO is a little tougher. A director’s/VP’s job is 80 percent operational and 20 percent strategy. A CIO’s job is just the opposite. Strategic thinking and operational thinking are two very different disciplines. The healthcare IT field is littered with the remains of excellent directors/VPs who should have stayed as directors/VPs instead of reaching for the CIO brass ring. Assuming you make it to a director/VP level position, think long and hard before applying for the CIO position. Understand your strengths and weaknesses. Ending your career as a successful director/VP is more preferable than ending it as a failed CIO. Lastly, above all, BE NICE!


As a non-traditional CIO in an academic environment, I find my clinical, financial, and operational background in healthcare that occurred before my turn to the technical to be invaluable. I use it every day. I can converse fluently with just about anyone in any part of the organization regarding what they do on a daily basis. Understanding the business of healthcare, the issues that it is facing both now and in the foreseeable future, and how technology can both facilitate and support the changes that are occurring brings incredible value to my organization and to the senior management team that I am a part of.


My best advice — it is always about customer support. The best system in the world will be an implementation nightmare if the support is bad. The worst system in the world can still work if the support is superb. People will understand software shortfalls, hardware interruptions if they know you are behind them and will be there for them. Folks will accept that you don’t know if you will tell them you will find out and get back to them in a realistic timeframe. But then you have to follow up every time. I guess what it boils down to is accountability and the relationships that you build. Always remember, it is all centered around the patient.


Head of a business unit within a HIT company. I think my diverse experience in HIT has prepared me in a unique way for my current role. I started my career as a phone support person helping clients with issues from technical problems to how-to questions. From there I moved on to training, implementation, sales, operations, and business development. Along the way I was promoted into various management roles and my responsibilities increased accordingly. I say all this because most of us work in very complex organizations with many functions across the span of control.

In my opinion, you will be better prepared to lead if you have had experience, or maybe exposure, across a broad set of functions. This is why many companies move their management through a number of different areas as they rise through the organization. Embrace those opportunities and take roles in departments that take you out of your comfort zone. Also, pursuing my master’s degree really helped me in two ways. First it gave me confidence in the knowledge that I already had and filled in the gaps in areas that I didn’t have the necessary skills. Secondly, it made me more marketable for executive roles.


I am the CMIO, but effectively am the chief clinical Information system officer. My advice for new or aspiring CMIOs/CCIOs/CNIOs is to establish your core clinical competence first, so that you never feel like you are a hostage to keeping your informatics job (i.e., you have something to fall back to if it gets so bad that you have to quit.) Study the quality literature — Deming, Juran, others — and apply Deming’s 14 points as much as possible. Make sure that there is a single person responsible, directly or indirectly, for all aspects of clinical informatics at your organization. Make sure that you have clinical leaders and a boss (preferably not the CIO) who understands the importance of what you do.

Get some business background so that you have a good understanding of strategic planning, budgets, and accounting. Contribute to the national dialogue on HIT and try to help bring Washington to its senses. Examples include contributing comments on Meaningful Use through your state or national professional societies, supporting the movement for physicians to use SNOMED for coding instead of ICD-10 (which is outdated and bloated), and belonging to AMDIS (the listserv and Ojai meeting are wonderful things).

Read HIStalk regularly. My knowledge of HIT issues went up immensely when I became a regular reader. You are a national treasure.


Get to know all the different stakeholders (internal and external) in healthcare for they are your constituents. Learn and understand their professional and personal challenges in the work they do. Caring for others is the culture of healthcare. Be sincere, humble, and transparent to establish and maintain trust. Once you lose trust and/or credibility in healthcare, your chances for success on individual projects / tasks and your career are very limited. Establish a personal goal or mantra of what you would like to accomplish in your healthcare career; not for your personal benefit, but for the benefit of the constituents you serve in healthcare. (i.e. patients, nurses, physicians, etc.)


I am an HL7 interface analyst with clinical experience. I have a long history of working with computers prior to going to nursing school. Coming out of nursing school, I knew I didn’t want to be a clinician. So while working as a nurse, I immediately returned to school and got my master’s in management information systems. I worked as a nurse, hoping that this experience would make me a better computer person. After a year of nursing and some very rude remarks from a thoracic surgeon, I left bedside nursing for a posting of clinical systems analyst that I found on our hospital job board.

As a clinical systems analyst, I observed the integration team in all their glory. Ours were all-powerful divas who drove the rest of the department crazy, so I made a note to self to try to remain kind and real. I went to my boss and asked her to send me to school for our HL7 engine. She said that she would if there were enough money in the budget, and in a happy coincidence (I had been partially responsible for the budget that year), we had plenty of money for education. She sent me to the vendor-led class. Meanwhile, the divas had all left and been replaced by a single consultant.

Later that same year, our hospital system joined a larger consortium and they created an integration team from those who were qualified and I applied. For the past 12 years I have enjoyed being the only clinician on the HL7 team for them and then a subsequent hospital that wanted to pay me what I was worth. I really enjoy working with clinical systems integration because I feel that I bring unique qualities to each project. When people ask me how I got here, I tell them to grab the brass ring and don’t let go. You need to see the future, make a step-by-step plan, and go for it. Hold yourself accountable and make it happen. Ignore everyone who tells you that you can’t. I encountered several of those, and most are still doing what they were doing when I started. Read inspiring books. My favorite was Why Good Girls Don’t Get Ahead, But Gutsy Girls Do. Watch inspiring movies — my favorite was “Working Girl.” You can do this!


Role: IT manager. First years of my career were in nursing, and have an MSN. Also had teaching and supervisory experience. Always loved the software application stuff, though. Started volunteering for testing/other IT projects whenever nursing input was needed. Became the IT liaison, working with them on any software upgrades/issues. When ambulatory EMRs started being introduced, found a position with an organization who was looking for someone with nursing expertise and some basic software skills. Now the ambulatory EMR world is red-hot — jobs all over the place. It’s a good time to get into this field. So volunteer, work with IT, learn the language, the testing, and the processes needed to be successful in IT. Then look for that great job — they are out there now.


Professor: (but also corporate researcher in the past). Try to get an internship or at least try to see how people doing the job you aspire to, actually work on a day-to-day basis.


My role now is jokingly referred to as the garbage pail. If you don’t know what else to do with it, give it to me, and I’ll figure out who should take care of it. Any given day, I could be working on a security risk assessment, a patient data report, Medicare medical necessity, and administrative strategic planning. I don’t do hardware work or OS troubleshooting as much any more, but that is mostly because it has been a long time since I’ve needed to, and both have become more specialized over the years. I’ve done everything from cleaning out printers to educational presentations at international conferences. 

Education-wise, I have a college degree that bears no relationship to what I do (social sciences, with an emphasis in geography & history). Its only purpose is to prove that I could stick it out and get the degree. I am living proof (or was 20+ years ago) that it was possible to be on academic probation and still graduate college.

The effort? Never be afraid to accept a new challenge. I "do HIPAA" because my boss in 2001 was looking for something to get me re-engaged and not lose me to another job. I’m glad I did, because it has given me a lot of opportunities I wouldn’t have had otherwise.

Don’t be afraid of "tall poppy syndrome." Be willing to go above & beyond, even though you may risk alienating people who don’t want to expend the effort. Give your best. Develop your writing & speaking skills. All the technical skills in the world can’t help you if you can’t communicate the information. A major piece of the failure of the space shuttle Challenger goes back to an inability of the engineers to make everyone else understand what was wrong. An extreme example, but it can be no less vital in healthcare. Lives may be on the line if you can’t make yourself understood.

I love what I do, and I can’t imagine doing anything else. Every day, I get to have an impact on the direction the industry we work in is moving. I can help people who have lives in their hands get the information they need to make those lives better. How many people outside of healthcare get to say that?


Do what you love, love what you do — there are no absolutes. For example, I am a physician in HIT who still very much enjoys seeing patients part-time because I love doing that and because it helps me with my job. But if you don’t love seeing patients, or your job simply is too all-consuming for patient care, then it does not make you a bad CMIO if you can’t do it. With that said, there are some things you don’t know unless you try them, and to be a truly great CMIO, I do think you need to have at least 5-10 years of clinical experience to understand how you really feel about it and to see enough to have both the credibility and experience to speak and represent on the topics of clinical IT.


I am currently an interim Corporate CIO for a multi-hospital system. I spent 10+ years as a CIO prior to this interim contract. As a healthcare CIO, I think it is very important to develop a business acumen and understand the healthcare industry as well as the healthcare IT industry. My career path began in operations and then as an analyst/DBA/web developer.

Once I moved into IT management, my technical skills were diminished. The first CIO position I interviewed for was difficult as I knew that I would be giving up all of my technical skills if I was hired. Not only did I transition to a business leadership position, but I had to learn how to work with clinicians and understand their needs. In my opinion, if a CIO is not a clinician, they should partner with one (or more) to be successful. That is the strategy that has been most successful for me.


My career always progresses best when I help the careers of those around me first. 

Success = Q x P x V, where Q = quality of your work,  P = the productivity levels of your work, and V = the visibility of your work. Someone has to see and appreciate the work that you perform, and they have to attribute that work to you. If any one of these three variables — QPV –  falls to zero, so does your professional success. 

The Power of Pure Motives

The only two metrics that really matter are employee satisfaction and customer satisfaction. Every other metric is a means to those ends. And employee satisfaction must come first.


February 11, 2013 Advisory Panel 1 Comment

HIStalk Advisory Panel: HIPAA Concerns and Priorities

January 30, 2013 Advisory Panel 4 Comments

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

The question this time: When you think of potential HIPAA issues, what parts of your health system’s operation give you the most concern? What are your top HIPAA-related priorities?


Our top HIPAA concerns relate to the use of personal devices such as smartphones to transmit pictures and unsecured text. While we can and do provide secure alternatives, there is really nothing we can do to prevent a medical student from snapping a picture of a patient or patient data and sending it to several hundred of his closest friends.


HIPAA is an interesting concept. How do you balance providing sufficient access to critical information that can impact a patient’s health and still protect their privacy? It’s not easy. For many of the children we care for, privacy is not just a regulation to follow, it’s life and death – for children in custody disputes and victims of violence. The most significant challenges we face involve the fact that both the rules and technology are changing at an ever-increasing pace. The people writing the rules aren’t always the ones with the most knowledge about how (and even if it’s possible) to implement.

It’s ironic that we are both demanding healthcare costs go down and simultaneously creating new and unfunded mandates that require enormous amounts of time and money to implement. The two things I worry about most: mobility of devices and data  and staying current on vastly complex laws. Small hospitals outside of a larger system are still required to adhere to the same rules and regulations even if they have a fraction of the resources with which to do so.


Top HIPAA-related priorities and concerns for us center around secure communication between our staff with clients and providers. Ensuring that the proper processes and technologies are used to secure communications via e-mail, instant message, or any channel is paramount.


When it comes to protecting PHI, my biggest concern is the data that goes to our physicians’ offices for billing. There are many concerns, but how the practice and the billing services treat this data is my greatest. We have no way to audit how this data is used and disposed of. Practice adherence to HIPAA security and privacy is very minimal, as an independent practice has little knowledge or resources to dedicate to this requirement. 


HIPAA security requires complete control of PHI storage. There is so much distributed data acquisition going on that it’s difficult to ensure complete control. Example: digital photos taken in the clinic stored on memory cards. Clinical staff don’t see these cards as containing PHI, but they do. Thieves see the cameras as easy-to-pawn theft targets. When stolen, we have a privacy breach on our hands. In retrospect, we learned we lack procedures to wipe the cards of data once the images are stored in the EHR. These novel data stores continue to pop up and represent control risks.


I lie awake at night thinking about unencrypted laptops. With all the other projects, this one keeps sliding down the priority list. The CFO all but refuses to fund this. We have a policy against keeping PHI on the PC, but I know no one follows this policy.


I’m glad you’re running my comments anonymously because I don’t want to advertise how many potential HIPAA vulnerabilities we have in our organization, ranging from PHI routinely sent via insecure text messages (and the Web-based paging system), workstations that are visible to the outside world that don’t secure properly, shared common Windows passwords, shared common remote login passwords, EHR printouts that aren’t shredded in a timely manner, etc. I’ll stop now before I trigger a subpoena coming your way.


Mobile device security and BYOD are probably our biggest concerns. We have a number of clinicians using their own devices, communicating and coordinating patient care. We are putting in place a comprehensive mobile device management system that will provide secure communications options. We are in the process of encrypting laptops and securing USB ports.


General staff knowledge and awareness would be the first thing that comes to mind. We can write policy and implement all the controls we want, but people will find ways to circumvent if they don’t understand the whys. Our top priorities in the coming year include establishing ongoing staff education, conducting annual policy review, creating mobile device management strategies, and evaluating data loss prevention solutions.


We do a good job of educating our employees on HIPAA. We don’t see too many concerns with patients. We do get the occasional employee who looks at a relative’s records. Our greater concern is office staff of independent providers who have access to our patient database by necessity. We rely on the physicians in their office to provide initial and ongoing HIPAA training and this breaks down. We also have the issue of those employees leaving employment in the physician office and the office not informing us to cancel their access. We do a manual audit every 90 days.


There are really four classes of data we are charged with protecting. First, our current data, which may be stored locally or remotely. Second, the data we push out to others (patients, providers and organizations). Third, the data we receive from others and is received in various formats. Fourth, our archived data which might be scanned, paper, or legacy digital formats. The diversity of data itself poses its own challenges.

We often think of securing data through protection from security breaches such as device theft or hackers. Encryption has become the standard in this regard. However, the more common occurrence would be in the form of end user error — leaving devices without logging out or the dreaded exposed password. While much of our effort has to be on prevention of the "big event," we must still focus on end user HIPAA training and routine auditing as the first line deterrent to loss of PHI.


My biggest technical concerns are with mobile devices. We are pushing quite a bit of data to them in e-mail alone, and even with security policy in place, it is still a huge exposure. While internal threats like staff inappropriately accessing someone’s records may be larger, technical solutions to a threat like that are harder to address. Our privacy officer gets to lose sleep over those.


The inability to control what disgruntled employees can do with sensitive health information. Overly curious individuals are also a problem in terms of celebrities or people they know, but they typically would not compromise the sizable amounts of information that could be breached by someone with a grudge and/or desire to sell information for money. Carelessness is also a major problem when people are working with large data sets or spreadsheets as part of their job and leaving it on laptops or sending it in unencrypted files via e-mail. 

The use of workarounds to data security initiatives. The tighter the security lockdown, the greater the impingement on ordinary work and productivity, especially in comparison to what people are used to doing in other realms of life. Rather than helping with data security, the workarounds just seem to make matters a whole lot worse because then people exchange info surreptitiously by cell phone images, Gmail, and the like.

Since I’m not in management, my top priority is making sure that I keep the data of my own patients secure. Another goal is to educate residents and medical students about the importance of patient privacy. I also advocate for more enlightened approaches at a local and national level for protecting confidential information and for giving patients more say in the way their sensitive information is stored and shared with others.


Where to start? My biggest concern is not knowing what I don’t know. Our customers are doing all kinds of things that I can’t control. I’m sure that data is leaking like crazy and we’re doing all we can to contain it. I am hopeful that in the next 60 days we will have a much better understanding of what is occurring and that we will have better control. Our biggest HIPAA priorities are data loss protection and then preparing for the inevitable audits.


With the increasing use of clinical and other data (read PHI), our concerns are growing around mobility and continued violations of our use policies. We are moving to our second mobile security platform/tool, but are not convinced that even after best efforts that we are "safe." There will always be threats and we have to continuously evaluate what those threats are and how to prioritize the work to protect our data.

Our organization has finally realized we are not impervious to breaches or attacks and is supporting new efforts to ensure we are doing what is appropriate to secure the environment. In addition, we are trying to play more "hard ball" with violators of policy on data use and access. I am afraid a few examples will have to occur before the majority of our users realize we are serious about this as an organization.


The biggest HIPAA issue would be a breach > 500, which triggers a multitude of bad events. We do take the approach of "when" not "if" so we are prepared, but we are implementing technology and procedures to reduce the risk of occurrence. The biggest risk is related to PHI leaving the organization. That can happen in many ways (e.g. mobile devices, mobile media, viruses and e-mail). We have implemented encryption in these areas to reduce this risk. We also have virus protection and a SIEM tool to monitor network attacks.

Our next effort is implementation of a data loss protection (DLP) tool. This tool maps the location of all PHI in your domain. Strict rules can then be applied to govern the movement of that PHI. Besides encryption, my feeling is that DLP will have the biggest impact in protecting an organization from a breach.


We had two significant reportable breaks last year, but neither was related to the electronic medical record or other electronic systems here. The first was a physician who e-mailed an Excel spreadsheet which contained PHI to an external unsecured e-mail server. The other was a resident who took home paper copies of patient records for the purposes of a lawsuit they were gathering potential evidence for. In neither case was the patient information actually exposed, but they were reportable breaches nonetheless.

We are in the process of implementing a new clinical platform, so my focus is creating one balancing the new robust functionality with the safeguards that are needed to protect the information. Not an easy task.


Laptops. No matter what we do or what we say, folks will still copy and paste information and manage to store PHI on their laptops. We lock down the laptop as much as possible, train, and continuously educate and inform, but the laptop is still our weakest link in the chain.

New phones. With new phones and applications for them, I believe there is more opportunity to access PHI. If you can clone someone’s phone by walking by them and picking up their information, what happens if someone is sending them e-mails, updates, or questions via e-mail, etc.?  I am not very informed in this area, but very concerned.


Top concerns: access controls within older non-core EHR systems, such as radiology, lab, and custom systems that we have developed. Providing appropriate levels of adolescent confidentiality. Opening access to psychiatric care visit information as much as legally possible. 

Top priorities: dealing with the above. Getting lawyers and others to understand that data-sharing across legal entities for ongoing and potential future care is the same as "treatment" and therefore allowed by HIPAA. Physicians who are members of different legal entities who practice together (e.g., in an ACO) often need to use the same EMR database and that having two or more separate records in a system for a single patient (which is their idea how to do this) is just dangerous.


Vulnerabilities that are rooted in human behavior or misbehavior concern me the most: apathy, naiveté, curiosity, theft, and vengeance. Continual education and empowering employees and physicians with scenario techniques on how to appropriately deal with common situations is helpful. Not intending to scare or intimidate people into compliance, we share media stories of fines and prosecutions of healthcare systems who have had incidents of security or privacy breaches.


The proliferation of personal devices where clinical information can be accessed (smartphones, tablets). We’re working on how to best encourage provider access / patient engagement while still ensuring appropriate security and privacy. 

Many vendors, including our eClinicalWorks vendor, are increasingly utilizing cloud technology. We’re working to be able to make best use of the new products while managing security.


The people. Information technology systems are relatively easy to secure, but people have this aggravating habit of not doing what you tell them or expect them to do. I’m functionally the assistant security officer, although my title doesn’t reflect it.  I did about half of the facility education in 2003 for the Privacy Rule implementation and it still amazes me how many people don’t make basic information security and patient privacy a part of their day-to-day existence in healthcare.

In 2003, there were three groups of people: those who lived privacy, those who had heard of privacy but for whom it was an add-on to their daily life, and those who had never heard of privacy or the Privacy Rule. In 10 years, we’ve pretty much stamped out the "never heard of it" problem, but there are a lot of people who still treat patient privacy as something to think about when everything else is done. A text message to a friend here, a social media message to a friend there (even a private one) and you have opened yourself up to serious problems. Somehow we still have to convert those folks over to people whose lives include patient privacy. I’m still working on how.


Not misspelling HIPAA :)  

The use of HIPAA as a way to make life harder for physicians, such as CIOs and lawyers creating inane password policies or medical record clerks denying access to results of a study I ordered without a written consent "because of HIPAA."

Stupid mistakes (e.g. having patient info on an unprotected medium which gets stolen). Interestingly, while this may result in embarrassment and financial penalties, it rarely actually compromises a patient’s medical information.

The reality is that HIPAA is simply a mandate of common sense (i.e. only share patient info with someone who should be able to see it for obvious clinical, operations, or payment reasons), and yet ironically it actually winds up making people lose their common sense in how to deal with data and potentially hurts the quality of care by denying access to data needed by caregivers.


Downloading PHI to personal laptops or other mobile storage devices that are not encrypted and not secured with a strong password. All of our corporate laptops and portable storage devices (e.g., thumb drives) are encrypted and password protected, but that’s not the case with personal laptops which inevitably are used by employees for work-related tasks. I’m also constantly concerned about insiders and trusted agents who engage in for-profit identity theft.


In our organization, a chief privacy officer has virtually shut down all research in the name of HIPAA and patient privacy. She has even begun to question the utility of quality improvement efforts and their need to review patient records.

Our health system is most vulnerable with the new culture of real-time information, which means that caregivers are texting, e-mailing, taking photos, etc. as part of the normal practice of patient care. Our EMS and cardiology service line had a great process in place to get information to cardiologist on the patient prior to arrival by using a smartphone to take a picture of the EKG and text it to the physician. Great idea, but not vetted for patient privacy and security.

It is up to us to stay in front of this new culture and put the appropriate privacy and security measures into place. Our health system is developing its updated security program now and I’m concerned that some of these things are going on without our knowledge or preparation.


January 30, 2013 Advisory Panel 4 Comments

HIStalk Advisory Panel: Vendors at the HIMSS Conference

December 26, 2012 Advisory Panel 2 Comments


This question: Vendors are finalizing their preparations for the HIMSS conference. What are some things they should and shouldn’t do to get decision-makers into their booths and then present their company and products effectively?


Pricing is a touchy topic and I understand the sales logic that you don’t want to share the dollars too soon. However, I may need to understand ballpark pricing to even know if it’s worth my time to talk with you. We’ve all been talking about reimbursement cuts. Those cuts directly impact how much we can spend for essential and cool tools. If I go to pricing early in the conversation, I’m probably trying to determine if it’s worth my time and your time to continue the discussion. At a recent conference, we encountered a vendor with a unique solution to a challenge we were facing. However, my enthusiasm to continue discussions was notably less after multiple conversations that led to a summary of, "It’s really hard to give you an idea of how much it will cost" and "My price will be less than whatever you currently pay." Instead of being on the top of my follow-up pile, this vendor is a much lower priority, in part because I don’t know if my work will all be for naught because the price is more than we consider reasonable.


Coffee works. I don’t care what you say, at every trade show and conference I attend, the longest line is always where the espresso machine is. Cisco usually has a magic show — that makes me leery. Have ample seating available — people are tired of walking around all day. I think that pre-conference mail-outs have minimal success. When I know I am going to a show, I tend to pay more attention to e-mail, but not any more attention to traditional mail.

They should avoid e-mail spam, phone call spam, and otherwise being overly aggressive prior to the conference. I personally tend to avoid those who pre-annoy me like the plague. Likewise, avoid post-conference harassment. The key is to be accessible without nagging or arm twisting. There is no such thing as successful nagging or successful arm twisting – attendees might passively pay attention or pay lip service in response to such tactics, but they have zero chance of landing a "sale" or cementing a meaningful relationship.

Having and being generous with high quality giveaways never hurts. Often these may be collected by attendees to distribute to team members who cannot attend, so it’s almost like viral marketing in terms of who ends up with these and who sees them. Having edible or drinkable enticements to visit a booth is also not a bad idea, but don’t be cheap or stingy with the stuff (it is far better to have nothing than to appear cheap or to be stingy with this type of thing). Throw nice meal meetings and parties – breakfast, lunch, dinner, snack, after dinner, whatever (be creative). The quality with these events is of paramount importance, though. Going cheap on such an event delivers an obvious and lasting message of how important the attendees are to the vendor and reflect also on what an attendee can expect from the vendor’s customer service and support. Also, realize you are competing against places, restaurants, etc. the attendee might want to experience in the host city. Don’t make them feel like they wasted an opportunity to enjoy something else by giving you their time. A memorable positive experience will always create a favorable impression and build some relationship capital. Put yourself on HIStalk’s Bingo or "recommended" list – people pay attention even if they don’t overtly participate.


Don’t monopolize my time with long meetings. I go to HIMSS to get a "broad brush" on available products and technologies for later investigation. Instead, give me the "elevator speech" (what can you tell me while I’m trapped in the elevator with you), answer my questions, and plan to follow up with me later.


Have a crisp, compelling elevator pitch that all of your salespeople know. Tell us why we should invest our time to see you. Make it simple, clear, and easy to understand.


Quite frankly, HIMSS is so large that my senses are on overload when I hit the vendor booth area. They see CIO on your badge and you become raw meat. I have two official titles. One year I tried to have HIMSS put non-CIO title on badge. They refused. I schedule meetings with vendors weeks in advance so as to use my time more efficiently. I also try to visit the major vendors we have contracts with. Lastly, there is a vendor booth that is an actual bar. It’s a must stop.


Focus on the power of three and stories. Everybody in the booth needs to have a library of stories that show the impact of their solutions. Have the customers in the booth if possible. Secondly, everyone in the booth needs to know the three reasons to spend five minutes in the booth, the three reasons why their product has an impact, the three reasons why they are better than competitor, the three reasons customers buy from them.


I cynically assume that whatever I see on the floor is vapor-ware and do not use it in the decision making process. I am able to get 3-6 months of meetings with my current vendors into 1-2 days, which is a great time saver.


Skip the expensive direct mail pieces – most wind up in the trash.  I can’t think of any vendor who has done anything memorable… I suppose that tells a lot of the story.


Don’t send me postcards with the same old prose ("Find out why we are the best / fastest / cheapest / lightest / prettiest… at booth #4321"). Do send me something that is tailored to my role (e.g. physician, nurse, pharmacist, IT professional, executive) and tell me how what you do can make life easier for my role or bring real value to my organization (e.g. how does it decrease cost or increase revenue while maintaining or increasing quality). And of course let me know if you are an HIStalk sponsor, and about any cool giveaways!


The only thing that has worked with me in the past is a special invitation from someone who had researched me and my position and offered a good proposition and a quiet audience. Made me feel special and above the clamoring crowds. Didn’t use the product, but they were in the running.


Send info that is not gimmicky ahead of time. I rarely just pop into a booth, but I will if it looks like something we are interested in. Last year, I was looking for Humedica and had a booth number. When I got there, it was Allscripts and I did not see anything for Humedica. Colocation for a vendor can be a big mistake. I felt like a dolt going all the way around the booth looking for anything with the company name and even asked a booth zombie, but they had no clue. As it turned out, they were there, but not everyone knew it at the booth. Odd and not to be repeated, I hope. On the other hand, I went to the SAS booth, and what made it a great visit is that I had access to all of the right people right away. I was to the point of what I wanted to learn and so were they. Not sales-y at all.


Vendors should bring decision makers to HIMSS. Feedback I am consistently hearing from CIOs and other organizational decision makers is that HIMSS is turning into too much of a sales pitch. Customers don’t feel like they can have meaningful conversations with the vendors. Make sure those people are there. The sales personnel are important to build relationships, heck many of them can have these meaningful conversations, but make sure that you have the right resources available to engage in these conversations, along with the correct non-threatening environment to encourage such conversation. For goodness sake, don’t hire professional talent to deliver a scripted pitch – have the thought leaders in the organization that understand the topic give the presentations and engage their audience in a conversation. It should be two way — listen, challenge, exchange ideas.


HIStalk Advisory Panel: Working with Startups

December 19, 2012 Advisory Panel 1 Comment


This question: Let’s say you are mentoring the founder of a startup that has developed a creative software application for hospitals. What advice would you give that founder about developing a working relationship with a hospital to validate and improve their product to make it marketable?


First, it is important to develop a beneficial relationship with a hospital to, ideally, test out the application in the trenches and provide feedback for improvement. There’s huge value of working with a hospital as a beta user to run the application through the day-to-day uses. It’s important to establish a relationship with the key managers and staff in the area to provide the best feedback. It’s valuable to determine the right relationship scope so that the hospital staff are motivated and willing to provide feedback, in addition to their usual daily tasks.


[from a vendor employee] The main thing is the solution needs to provide enough value for hospital that they would even want to use and collaborate with the vendor.  Assuming it’s a great concept and the founder has gained access to hospital decision-makers who are interested in the solution (I think we’ve touched base on this before on the Advisory Panel), the next step is positioning the partnership in a way that’s mutually beneficial for both organizations. 

In our early stages, we honed our solution by offering discounted “beta” prices to multiple key sites in exchange for collaborative feedback and a tolerance for a beta product in development. This really was an invaluable process for us to hone both the solution as well as the company for widespread market expansion later. These need to be win-win partnerships to really work. The beta site got a groundbreaking solution that improved their organizations and a vendor relationship that allowed them to play a significant role in its development to fit their own needs. We obviously got early clients, market traction, and an awesome cauldron for rapid improvement of the solution. One drawback is that once a site thinks it’s a beta site and a beta product with beta prices, you’ll have a much harder time moving things to non-beta mentality and normal retail pricing. It was worth it to us, however.

I’ve seen other startups invite early clients to be part of their boards or to actively participate as advisors. Many startups get offered funding by potential hospital clients – I’m torn on whether that’s a good or bad thing. We never did it. It really depends on the hospital client, the deal, and where the startup is financially. 


All vendors started somewhere. I like what Voalte did. They consulted with several CIO/CTOs in the industry. They found a local hospital that needed that product and worked with them until they got their product fully tested and implemented. Since then, they have gone on to be successful.


To create a strong working relationship with a hospital like this, the startup should expect to shoulder all associated costs unless they are offering an equity stake (and obviously, shouldering the costs by the startup is the better financial option for the startup). Subsequent to getting that relationship off the ground, the quality of support provided, and responsiveness to hospital feedback on the part of the startup will dictate the quality of the relationship they build and maintain.


We have done this a couple of times. There needs to be a symbiotic relationship. The hospital cannot just take the free or reduced cost software or services. They need to give back in terms of recognition that what is developed must be flexible enough for the marketplace and not driven strictly by the way the individual organization would like it to work. The CIO, clinical leadership, and others need to be ready to be partners through reference calls, site visits, demonstrations etc. The vendor needs to recognize that the hospital is looking for a return on their investment (of time and resources) and also recognize that the relationship needs some form of "cost recovery" be it free or reduced price software and support, site visit credits to use with other products, or other.


[from a vendor employee] GET EVERYTHING IN WRITING!!! Finding a hospital champion is already difficult, much less finding one that wants to partner. Find a facility close to your company’s office that you think would be willing to work with you. Look at the background of the person you are trying to work with. Did they work for a vendor in the past or have they done consulting? Are they a consultant on the side? Are they a programmer by trade? Is the facility outsourced and your contact works for the vendor? You need to find someone that understands the entrepreneurial spirit and wants to be a part of building something from the beginning.


Be careful of your selection. Some hospitals will tell you they use mobile products, but I haven’t seen very many do it very well. Clinicians are not always as ready to commit their time as they say they are. They need to make the commitment time very definite up front.


Make an offer they can’t refuse. Most of the offers I hear are weak and not worth my time investment.


Risk-sharing. Don’t charge me an arm and a leg for a pilot. Put your system in for low or no cost if you are confident of its efficacy. The positive reference for a startup is more important than making money on the first sale.

[from a vendor employee] I would take a three-pronged approach. First, make sure my top-level executive/CEO/founder can create a connection with someone at CxO level of hospital. Their focus should not be on technology, but on business issues, pain points, what is getting in the way of the provider hitting their numbers, growing, delivering high quality care, attracting employees. Second, have developers/product management people sit shoulder to shoulder with end users inside the hospital to see the workflow with their own eyes. Roam the halls if possible, interact with employees. Third, have the sales/account manager develop a relationship so that when prospects call or visit, the salespeople have a relationship with key people inside the hospital.


One thing I appreciated about Voalte was the ability for all end users to send text messages to the company. These included use questions and, more importantly, suggestions for product improvement, which were actually implemented quickly. Their service model of putting a rep on site and roaming the halls every week has been a big hit as well. Other vendors haven’t reacted too well to these ideas when I suggested they do the same.


Work with the CIO, CMIO and Quality in combination so that you’ve got all the players you need to get started. Find a physician champion who is committed, not overly “salesish.”


Find a physician champion, start small – pilot in one area, and then work on spreading it. Be prepared to answer the usual bureaucratic/legal questions about HIPAA, server info, etc. If it’s the first customer, consider making them a partner (e.g. give it for free/cheap, and give equity) rather than trying to extract a little money — will align both sides better to win long term.


It needs to be an inside job. The current buzzwords are "champion" and "executive sponsor." Someone in the organization, as opposed to someone knocking on the door, has to be so excited by your product that they push for adoption of your software solution. How to get that champion? Bribes with money or sex will probably backfire eventually; specialty society meetings (physicians) and introductions by a friend of a friend (CIO) would seem the best bet. E-mail, snail mail, cold calls probably aren’t worth the time. Professional publications would be good, but they would have to have actual scientific validity.


We are actually in the middle of that situation. The company made connections with our for-profit arm and we are an investor. We continue to work with them to help with the development. My advice would be to create a very strong value proposition and it has to be pitched to the right C-level person first. I would suggest into the CIO / CTO as the idea would have the best chance that route if it is a good idea. The first few are the hardest as many places won’t take the risk if they are first, even if it is free. But if there is real potential, I am happy to take some risk to get to something that is good.


[from a vendor employee] I’m fortunate to have been able to participate in a startup as well as live in a startup mode for many years as we both developed the products, but also the market in which we serve. One of the most important lessons that I learned is that people buy from people. This, of course, can touch many aspects of how to be successful. One of the most important is clearly in how we listen to our customers, focus on developing the relationship with our customers, but don’t just blindly listen – challenge, make sure you understand why it is important then work together on how it will be delivered.

I’d also strongly contend that this relationship building isn’t just something a startup should focus on. This should be at the foundation or core values of any company that wants to be successful in delivering products, especially healthcare products. Develop relationships, listen to your customers, challenge each other with new ideas, and deliver great solutions!


In a hospital there are several constituencies and you have to go after one.  You have to sell it to the doc, the nurses, IT, or one of the other areas that would find it useful. If it is a timesaver for the physician or nursing, sell it to them and they will pull IT into it. If it is an IT sell, then you can try the senior folks if you have connections. If not, try to find at least a project manager or primary support person for the area that will benefit most from your product. The CIO is bombarded with the latest gadget sales and the latest sales brochures. If you can find a way to market it from inside the organization, you will be more likely to get CIO time.



HIStalk Advisory Panel: Use of Mobile Devices

December 17, 2012 Advisory Panel No Comments


This month’s question: What interesting uses of mobile devices are you seeing by hospital employees and physicians?


We have very limited use of mobile devices in our organization due to security-driven policies. We are hoping that once we complete a virtual desktop infrastructure install we’ll be able to be more flexible.


Jordan Hospital in Plymouth, MA has a terrific mobility approach. They had a serious noise problem on the patient floors. They decided to implement a "quiet hospital" program. They banned the use of the PA system for any reason on penalty of being fired. They bought a large number of iPhone 4s (at a great discount since the 5s have debuted).  They disabled their cellular functionality, making them usable only on a WiFi network (the hospital’s). At the beginning of each shift, the nursing staff picks up a phone from a large charging bay. He or she types in a code and that phone automatically rings to his or her personal extension during the shift. In addition, when the nurse logs in, he or she has immediate access to all of the patient EHRs (Meditech) that have been assigned to him or her for that shift. The charge nurses can assign patients individually or take a single nurse’s entire patient load and assign it to another nurse on the next shift with only a few keystrokes. Patient calls to the nursing station are automatically forwarded to the iPhone of that patient’s nurse. If the nurse doesn’t respond in 15 seconds, the call is automatically forwarded to the charge nurse. Doctors affiliated with the hospital also get iPhones, but theirs have their cellular functionality left intact, so he or she can be reached whether or not they are in the hospital. Individual extensions never change, and the on-call physicians in each specialty can be dialed or texted with a single keystroke. Jordan has not lost a single iPhone since the nurses’ units don’t work outside the four walls of the hospital. They were very surprised when they analyzed what functionality was being used by the nurses most frequently. It turned out to be texting, which was not expected since the average nurse’s age is 54. Within two weeks of implementation of the program, patient satisfaction scores went from the low 70s to the mid 90s.


We are using Clinical Expert to do some clinical surveillance relative to sepsis. These alerts are sent to response team via iTouch and iPad app.


[from a vendor employee] We’re definitely seeing increased uses of mobile devices by the people we connect with in revenue cycle, finance, and department heads. They’re relying on their mobile devices to have up-to-date information, dashboards, and reports on the overall financial status of their facility or system. These reports range from AR, productivity, and charge capture for revenue cycle. Department heads are moving toward utilizing mobile devices for up-to-date reports on physician performance and relative ranking within their department. Upper management likes to have this information "at their fingertips" during meetings or ad-hoc discussions. Properly designing these reports and dashboards for viewing and interaction on mobile devices hits the spot.


On the positive side, many hospital employees and clinicians continue to use their mobile devices as a reference tool to assure they properly understand diagnoses, medications, etc. We continue to see good use of these devices for continuing education and various other apps in that regard. One tremendous use of mobile devices done by our IT staff recently was to utilize FaceTime to allow a seriously ill patient to virtually attend their daughter’s wedding. On the dark side, hopefully everyone in the industry is aware that unsecure, unencrypted texting between staff and clinicians continues to be a risk that will not be eliminated without a secure texting solution. The lure of convenient, asynchronous communication is considerable and individuals will disregard policy and use available means to do so if we are not providing them with an appropriate and approved tool.


Nothing out of the ordinary. They are proving to be great for quick communications and coordination. Many providers are very HIPAA security aware and asking that we provide secure messaging apps. We do see responsiveness and coordination to be better than using pagers or other means for contacting individuals.


[from a vendor employee] At a recent visit to see a family member in the hospital, I noticed that all of the staff had a phone that they had clipped to their pockets. It wasn’t the size of a cell phone, but was a little smaller than a cordless phone you would have at home (back when people had home phones). I asked one of the nurses what they used them for and she said, "I don’t know, but I hate it." Another nurse said that she loved it because it gave her all of the "notifications" she needed without having them broadcast over the intercom. She did say, however, that it was very heavy and that it pulls on her clothes (scrubs aren’t stiff enough to hold it). I noticed the staff checking these phones constantly – like my teenager does when he’s texting his girlfriend.


Nothing good. Right now I’m fighting the battle of nurses using their personal cell phones to take pictures of EKG strips (PHI is blacked out) and sending them via unencrypted text to the physician. Evaluating our options right now.


Secure e-mail/calendar access. Texting between providers.


[from a vendor employee] I talk a lot about how the market niche we serve (enterprise clinical content management) has become much more than about how data is managed through its lifetime but rather now how data is accessed within a patient context. I believe the unprecedented demand for clinical data drives a greater need for data liquidity across healthcare IT applications. That said, as we continue to achieve a higher level of data liquidity, we will see clinical content accessed through many mobile devices. Heck, I’d argue that the platform becomes unimportant, data should just be available. Therefore we should be able to access the internal EMR, external EHR, even the HIE, through any device. On top of this, these devices are becoming the portal to multiple types of high definition content – be it pictures, movies, or other Internet-delivered content – why can’t clinical content be just as rich? As we move towards what I like to refer to as the High Definition EMR, I believe all clinical content will be accessed through any device, including mobile devices – especially by hospital employees and physicians.


We have rolled out Epic’s Haiku and Canto for our clinicians using iPhones/droids and iPads. The early response has been very positive. It’s read-only, but we will be adding Dragon functionality soon. We also have over 300 wireless mobile carts roaming the units using virtual desktop (VDI), thin clients, and Imprivata single sign-on with proximity access. Also a big satisfier.


Airstrip OB for fetal heart monitoring. Residents and younger attendings are using lots of apps for providing care instead of textbooks.


Communication! They are doing it now with all sorts of devices, so we are exploring a way to make it (1) integrated with the EMR (e.g. choose from a patient list), (2) more secure, but easy to use, and (3) widely adopted, but we recognize there may be more than one use case scenario (e.g. one use case might be about confirming orders, another about relaying a lab value, another about sending a photo, and another about getting a quick consult). We’ll see if one solution can solve all, or if more than one is needed.


Naturally, mobile devices on the public WiFi (as opposed to the hospital firewall) are not censored like the hospital intranet. So when you can’t get to the breast cancer walk site (because the hospital thinks it might be porn), you whip out your portable device. Same for ESPN.


While we use UpToDate Mobile and Epic’s Haiku and Canto, the cool thing we use today we developed and patients use is called WebAhead. Allows access to our urgent care locations and clinics and you can pick your appointment time on the fly… we call it WebAhead. There may be others being used by staff, but we don’t control the mobile apps nor are we pushing any right now as we are coming our Epic install.


Not seeing a lot. We are throwing new laptops and Dragon with PowerMics at our docs and for most of them that is plenty of technology at one time. We have also upgraded their desktops if they were very old. We have had a couple of requests for the iPhone app for our EMR, but since interest is low key, we will add it later.

December 17, 2012 Advisory Panel No Comments

HIStalk Advisory Panel: Recent Vendor Experiences 11/12/12

November 12, 2012 Advisory Panel 5 Comments

This month’s question: Have you had notably good or bad experiences with a vendor lately or worked successfully with a small or little-known vendor that deserves exposure?


Allscripts

Notably bad experience: we do pay considerable software and maintenance fees to Allscripts. Typically, software and maintenance fees include either "free upgrades" or minimal costs. We’ve just been told by Allscripts that to move from their MU product (11.2) to MU stage 2/ICD10 functionality (11.4), the cost for the upgrade will be six figures! Not sure if any other vendor in the ambulatory space is priced like this, but it seems pretty steep!


Aspen Advisors

Aspen Advisors is not a household name in HIT consulting and has also done great work for us. Outstanding practice leadership, strategic advice, senior PMs and analysts, and high integrity. Not a body shop.


The Breakaway Group

The Breakaway Group. They have come in and provided a very measurable training methodology that focuses on end user adoption.


Cerner

Cerner deserves enormous credit for working creatively with me to reduce our Cerner TCO, as well as modifying their products to meet some very unique aspects of care in our environment. In the eight years that I’ve worked with Cerner across two different organizations, Cerner has dramatically improved their culture of customer support and commitment. At one time, I thought my Epic customer service would never be surpassed, but in the last three years, Cerner met it and blew right past it, especially in terms of willingness to help optimize our current products and co-develop new functionality that was critical to my environment.

I’ve been working with Cerner for a few years now, and it’s looking like the competition from Judy has forced them to up their game quite a bit. They are headed in the right direction, albeit slowly and expensively.

My primary experience lately has been with our hospital’s EHR vendor, which is Cerner. On the software side, the product is still poorly designed and clunky with some clear flaws that impact safety and clinical decision making. But those things have been fairly constant for years so not really notable. However, I assume that "notably good or bad experiences" refers to the relationship to the vendor’s personnel and not to the experience with the product per se. The vendor sales group, mid-level and high-level liaisons have been very attentive recently. Our high-level administrators (as well as the entire clinical staff) were quite distressed with the vendor a few months ago when the remote hosting service had several lengthy unanticipated downtimes. Also, the vendor has been working with our administration on developing a rather significant ($$$) new contract. Based on past experience, I suspect that the level of attention will revert to baseline as the ink dries on the contract and the memory of the downtime disaster becomes distant.


Computers Unlimited

Had a nice experience on disputed after hours extra charges with the small vendor Computers Unlimited, related to their CPR+ product in the home medical, durable medical equipment space. We are starting to look more and more at vendors that want to charge extra to do support or maintenance work ‘after hours’, since in the healthcare systems, this should be the norm and not the exception for change management windows.


Craneware

The folks at Craneware produce an awesome suite of revenue cycle management products for a very reasonable price, backed by a great culture. They are quietly one of the best software vendors I’ve ever worked with and will become an increasingly important product line on the CIO’s radar screen as the industry transitions into P4P and value based purchasing.


DFB Consulting

We recently contracted with a firm called DFB Consulting to convert clinical data out of Allscripts Enterprise into Epic. They have quite a cottage industry in this area with so many customers switching. They did an outstanding job of something I thought was going to be a nightmare. 


Elekta

We have had a very difficult time with our medical oncology vendor Elekta recently. As a niche vendor in this space, there was hope that they would provide a strong clinician-focused product. However, they show a lack of change control that results in upgrades being very painful with many session crashes and system response time problems.


Emdat

Emdat, who I noticed recently became a sponsor. I’d give them a thumbs up even though we didn’t go with them. We decided it was too disruptive of a change for the physicians with everything else we’ve thrown at them recently.


Epic

We went live recently with Epic. They delivered what they promised and more, which I found refreshing and unique when compared to past experiences with Cerner, Allscripts, and Meditech.


Explorys

Explorys. We are in the implementation phase, but so far, wow. Best vendor experience I have ever had during an implementation.


Hielix

One vendor that I worked with and I have grown to love and respect as they have never steered me wrong is Hielix. They have a plethora of experience under their belt and they like to think of themselves as "the healthcare aggregator!" They deserve your attention and maybe even an interview.


iSirona

MModal and iSirona are two companies we’ve been working with lately. Both have been very positive experiences.


Make Solutions, Inc.

Make Solutions Inc. They supply tools and services geared to improve the transitions that end users go through with each new implementation. The tools assist with process-based testing and role-based curricula development.


MModal

MModal and iSirona are two companies we’ve been working with lately. Both have been very positive experiences.


Phreesia

I have used Phreesia as a consumer/patient in my MD’s office. They put Phreesia on the front end in the waiting room on top of their Allscripts system. They hand you an iPad and a stylus and you zip through updating any new info, demographic, insurance info, medical changes, etc. As I walked up to the front desk to hand the front desk clerk my iPad, the door opened to the back and the nurse called me. I literally sat in the chair only for the time it took me to tap away on the iPad, probably 5 minutes, and then I was in the back getting my physical. Very easy to use, quick, and great integration to the EMR.


SAIC/Vitalize

Vitalize (now SAIC) supplied 20 Epic-experienced physicians mostly from Allina for at-the-elbow support for two weeks round the clock at our hospitals’ big bang. Wasn’t inexpensive, but the white glove treatment was well worth the investment.


Sayers

We’ve had some pretty positive interactions over the past few years with the company Sayers which would likely qualify as a "little known vendor." We have utilized their services to assist in our tech refresh for end user devices and a few other areas. They seem to provide a high value (low cost vs. services rendered) and their management has always been extremely responsive with rapid and satisfactory resolution to even the smallest of issues brought to their attention. I have particularly had positive experiences with John Kasser, Chris Martinez, and Joe Martinez at the management level in their organization.


Siemens

Siemens has shown great flexibility and willingness to work together, nice surprise.


Siemens MobileMD

We are extremely impressed with MobileMD. First rate and affordable private HIE. They are highly ranked in KLAS and now that they have Siemens behind them the future looks even better.


TheraDoc

TheraDoc has continued to deliver for our infection control staff. Our organization has continued to exceed goals in the reduction of healthcare-acquired conditions. At some point we see this potentially moving to our overall EMR vendor suite, but TheraDoc continues to work very well and is a very mature solution compared to the enterprise vendor in this particular area.


Virtual Procurement Services

The only small and little known vendor that I’ve been so impressed with is the one I mentioned above who helps me with our maintenance and other purchasing negotiations, Virtual Procurement Services.



Vitera

We are in the process of evaluating ambulatory EHR vendors for primary care clinics owned and operated by our organization. Vitera has been slow to respond throughout the entire process. I’ve expressed my disappointment in their lack of response but haven’t seen much change. They have a number of existing implementations in this area and the customers I’ve spoken with have expressed a decrease in service levels over the last year. They are obviously experiencing management issues, either from the surge of sales due to MU payments or integration issues from their string of acquisitions (or a combination I guess). Either way, I’m concerned about their ability to keep up with the rest of the pack.


Zynx Health

After a somewhat rocky initial relationship, Zynx has really stepped up to the plate. They’ve taken a hands-on approach to getting our order set maintenance process back on track, committing a lot of consulting hours gratis to help compensate for our own lack of resources. We’ve been impressed with their willingness to go the extra mile on our behalf as they become more of a business partner rather than just a purveyor of content.



HIStalk Advisory Panel: Reducing Annual Maintenance Fees for Software

November 7, 2012 Advisory Panel 6 Comments

This month’s question: Are you feeling pressure to reduce your software maintenance fees?


  • Yes. We are talking to our large vendors about reducing or limiting increases. Many have stayed flat, which is helpful. In addition, we are looking at utilization of niche products and determining if we can turn them off.
  • Overall, yes. As we increase products and functionality to meet Meaningful Use, IS is under pressure to control our operating spend. We’re trying to smooth out our maintenance fees by either negotiating fixed fees for a time period, evaluating longer support contracts (when appropriate) to get further reduced pricing, or taking advantage of timing opportunities where both new product licensing and support renewal agreements are all on the table. I have three situations where our support contracts are up for renewal with vendors that have capital projects in consideration for next year. Not surprisingly, they seem to be more malleable in price discussions.
  • Haven’t been asked yet. We’re a revenue department with MU. We’re getting most of what we want right now.
  • I have been asked to assess what applications can go to time and materials vs. annual maintenance. Which is a problem, as most software vendors do not offer T&M for software. In addition, I have negotiated lower maintenance fees.
  • (from a vendor employee) We are being asked by 90 percent of our customers to reduce our software maintenance fees due to increased pressure on their end from administration.
  • All of the management team has been asked to push back on our vendors. We cannot continue to see expenses grow as revenues decline. There is no formula mandated, but we have looked at eliminating contracts that we feel we can get by without, and I have continued to negotiate on maintenance more than ever before. In addition to maintenance, I have looked at the many clinical support services like UpToDate and Micromedex. Utilization of these is high, but so is the price. These subscription vendors also need to stop the skyrocketing increases in their renewals or we will need to move to lower cost providers of clinical content.
  • No particular pressure, but we certainly are looking harder at them to determine if we are getting value for our investment.
  • There will always be pressure and it is our responsibility to maintain or reduce cost run rates for same store application support and maintenance. Cost creep is unacceptable.
  • Yes, though pressure is not coming from our organization, but rather simply as we look to align the value of the solutions — what we’re paying and incremental value we obtain each year as we continue to pay maintenance. Essentially we repurchase the software every five years or so given maintenance dollars, but the most value to the organization came upon initial installation, the "first" time we purchased the solution. Continue to reduce our maintenance amounts through standard term renewals, additional purchases and scope expansions, maintenance holidays on new purchases, etc.
  • Yes, we are feeling pressure to reduce our software maintenance fees. We are handling this in two ways:  consolidating functionality where possible on our large vendor systems if the module they offer satisfies our requirements. Additionally, we are working to take advantage of any discounts offered by the vendors where possible.
  • No pressure thus far.
  • Yes, and we have become quite successful in doing that. I also use a third-party negotiator to help to secure better deals. I’ve actually saved about $2 million on maintenance and equipment purchases since changing my approach and doing this. (That’s over and above our initial discounts.)
  • Not per se. We are replacing our best-of-breed platform with an enterprise vendor and will actually have about a $2M reduction in my operating expense in maintenance. Of course I hope to keep those savings in IT because I need it for other things. We are a ridiculously low 2 percent of the operating budget and most academics are about 3.5 percent.
  • (from a vendor employee) We are not feeling this pressure, but I think that is because we have a pretty satisfied client base and have been able to show the value and return of our service. 
  • Yes. However, the pressure is coming from me rather than outside of IT. I am aware of the organization’s finances, so I’m always looking for ways to positively impact the bottom line. I’m aware that there are duplications of coverage in our applications. I’m also aware that some of our applications are not being used to provide the maximum benefit to the organization, and in some cases, barely at all.  One of my personal goals over the next 18 months is to reduce our costs by identifying and targeting those applications for removal.
  • We are trying to reduce maintenance fees by reducing the number of niche vendors and getting to a core vendor strategy.
  • Between Medicare and Medicaid reductions (about $20M) the pressure on IT was about $2M, so yes, we asked long-time vendor partners for stated fee reductions, which they conceded in return for commitments to act in their behalf with new sales opportunities and existing customers. This is something new. It will be interesting to see how they use us (me and my CEO).
  • A huge initiative for us is application rationalization. We are enforcing selection of standard systems and partner vendors for each functional area to drive out variation and have assessed our portfolio of applications for those we are developing active retirement and decommission plans. We are also actively negotiating with existing strategic partner vendors to freeze maintenance increases or actually reduce future maintenance costs – not an easy task with vendors such as McKesson, however we have had some success.
  • This has been a very very big deal for us over the past five years. We are becoming aggressive negotiators (and we are re-negotiating contracts) to ensure we get lower-than-market maintenance fees. I am somewhat suspect that it’s a “zero sum game,” and if we push the balloon at one spot, it will bulge elsewhere. My CFO doesn’t agree. He remains focused on reducing maintenance and support fees independent of the impact it may cause on other costs or relationships.
  • No one on our executive team or board is asking me to cut software maintenance fees, so I’m not necessarily feeling any pressure. I’m taking on that responsibility myself and welcome the chance to squeeze our vendors for price reductions. Having been a vendor, I totally understand the need for vendors to make a decent living and stay financially viable themselves, so I don’t squeeze harshly or unfairly. The reality is, it’s the right thing to do because, speaking from first-hand experience, vendors need to feel the pressure of price reductions or they will never be motivated to be internally efficient or innovative themselves. Also, every dollar overspent on IT is one dollar less that we can pay a nurse, hospice, pharmacist, respiratory tech, or savings passed to patients and employers. I handled this by simply adding up the total cost of ownership for my major software products (including internal costs of labor), shared those details and numbers openly with my vendors, and asked, "What are you going to do to help me reduce these numbers?" If vendors push back, I ask them to "show me your numbers" and be transparent, too. If they still don’t open up the books, I re-compete their contracts. At the end of this process, we will reduce our IT TCO by 25-30 percent over three years without any reductions in service levels, and in some areas, our service levels and capacity will actually improve.
  • The pressure is to develop a long-term support model that delivers increased value and innovation at an affordable cost while continuously improving price/performance. Not just software maintenance — everything we do.
  • We pay outrageous software maintenance fees that seem to escalate regularly for no good reason. However, it’s the CIO currently paying most of the bills, not me, and I’m not hearing about any specific pressure to reduce them (as opposed to just cost-cutting pressure in general).
  • We are under enormous pressure to "get to break-even with Medicare rates." We are looking at cutting back on systems and renegotiating fees with vendors. We have not stopped paying fees.
  • Yes, resisting where we can. So far our cuts have been more on the hardware side, where we’re able to use third parties.
  • We are under pressure to reduce all costs. Software maintenance fees seem to be less emphasized in discussion than the fees for new software modules and features (even when needed for Meaningful Use or for enhancing the workflow and efficiencies for clinicians) and the need for ongoing personnel for production support, which is always under-budgeted. Clinical informatics resources are another group of personnel who are absolutely essential to maintaining a usable software product for a large hospital but they are also underestimated in their value and need for sufficient manpower. [Disclaimer: I am not a member of hospital IT or clinical informatics and am not even paid by our hospital -- just a front-line doc and academician.]
  • Yes, we are working on this in addition to our Supply Chain department working non-software expense reduction. Overall, we are working to reduce spend by 5 percent across IT (to the degree possible). We are focused on the elimination of the annual increases in maintenance and hosting fees for next year (generally 3-4 percent average increase across vendors). Back in 2008/2009 we made a pass at maintenance reduction and had some success. With our major contracts, we were not able to reduce existing contractually committed fees, but several big vendors did waive their annual fee increases, which in total saved significantly more than $200K. We are making a pass at doing that again, not sure if we will get it again, but worth trying for. Also, we are extending the refresh life cycle of some of our hardware and networking components. Instead of purchasing maintenance on hardware (Kronos time clocks), we are buying replacement hardware and becoming our own depot (estimated $75K savings). We are going off-contract for Microsoft support for some technology and going to time and materials support calls (estimated $100K savings).

HIStalk Advisory Panel: How Do You Use Information from KLAS?

November 4, 2012 Advisory Panel 2 Comments

This month’s question: How do you use KLAS reports or scores to choose and monitor your vendors?



Generally Negative Comments

  • I place almost no value in the KLAS scores. Years ago I took a class on research methods and the professor used them as an example of bad methodology. What is great about them is they know all the products from all the vendors, so when I’m looking for that niche departmental system, I can go to them for a list of vendors.
  • (from a vendor employee) I believe that KLAS has a very flawed system, which has been brought to their attention time and time again with no changes. There is inaccurate information, and when brought to their attention, no changes are made. We are a vendor, and the information they continue to have on us is actually so inaccurate that it’s ridiculous. They list us as "small volumes" and every company but two on the list that is ranked (we are not because of this "small volumes" designation) is much smaller than we are. They will not correct it, so we have decided that it is not worth the hassle to continue to correct them, only to have them continue on as previous. On speaking with customers, we have been told that they have run into the same things in all categories and no longer give any weight to the rankings. A few even think that it is possible to pay for your ranking and rating.
  • We use KLAS reports (if available) to supplement MAJOR capital purchases. Most of the reports are too expensive to justify unless the expected purchase is one in which we have no experience and is a major capital purchase.
  • I review KLAS reports, but I do not have a clear sense of the validity of their review or ethics of their process.
  • Sometimes KLAS is helpful for decision makers who know nothing about the vendor/product landscape. Otherwise, I never use it.
  • I rarely if ever use it.



Generally Positive Comments

  • We use KLAS as a data point in selecting a new vendor, but it is not the primary driver unless there are a significant number of negative comments or scores. We also monitor our current vendors to ensure they are keeping up with the market.
  • I am using KLAS with a grain of salt and not as a gospel. For lack of a better reference frame, we all go to it, but I would not make decisions on KLAS alone. It is pretty much like the board certification for physicians: we all know that it may not reflect the best quality in a physician, but we all look it up and diligently go and take it to stay current.
  • I view KLAS as just being one gauge on a dashboard when evaluating vendors.  For new vendor selections, KLAS is used to populate the initial list of potential vendors. Through the selection process, their rankings are used as a single data point, primarily as a reflection of market penetration, customer service, and overall satisfaction. I have to admit that I rarely refer to KLAS for vendor products we’ve implemented unless we’re experiencing issues or entertaining a product switch.
  • I have used KLAS as a data point when evaluating vendors. For me, it represents a general standing in the marketplace and the comments are valuable in identifying areas to question.
  • I view KLAS as a consolidated reference check. I provide feedback to KLAS on products and services once or twice a year and I know that how I reply can vary depending upon the most recent encounter with the vendor in question. As with any reference check, you get a good picture of how one or many are currently viewing the company. KLAS will never be the final word, but is a good place to go to get a consolidated view of how customers are feeling about the vendor.
  • We use the KLAS scores as a starting place. We also use them as a resource to understand what other hospitals are doing. Adam Gale and his team are great about answering questions. They obviously have a great network of contacts and can often point us to other organizations who have addressed similar challenges.
  • When private physician practices contact me for advice on EMR vendors that they are reviewing, I share with them the publicly available KLAS reports as well as other industry reports on EMR metrics. I also use these reports to see if there is correlation between what is being reported and what is said in private and on HIStalk about the vendors.
  • We incorporate the results as part of our customer communication and status updates. Specifically, we ask the leaders of our IS teams over each area (e.g., surgical services) to routinely incorporate market feedback from KLAS during their standing customer meetings. This is typically only done twice per year, not at each monthly discussion. It also helps us confirm/deny trends that we may or may not be seeing locally at our organization.
  • I’ve used KLAS to identify competing products in a space if we are looking to meet a need. We’ve referenced some of the reports when going through vendor selection, but it has not been the deciding factor. I’ve also found the reports to be an encouragement that we’re in the same boat as others.
  • I routinely review KLAS reports on all current vendors and ones we are looking at. It’s helpful to get updated information. Because I participate in KLAS reviews, I am able to get detailed reports related to vendors and trends. I’m usually looking for details on satisfaction with implementation and ongoing support. Love their question: would you buy from this vendor again?
  • I review KLAS findings and typically drill down into the individual comments from other users to find information or concerns that I use with the vendors in order to get more specific information. For example, if a number of users complain about some aspect, then I may spend more time than I might otherwise have done drilling the vendor about that aspect. I can also occasionally find out what the vendor has problems with, and if I’m convinced it won’t be a problem for us (and that we want to go forward with them), I can occasionally use that to negotiate a better deal.
  • I use KLAS primarily in the selection process for software and services and in that regard I find them very valuable, especially the user comments both pro and con. They give me some good direction in terms of things I make sure I follow up on in the selection process. Recently they have also created some additional functionality around the creation of affinity groups and other functionality that gives me a platform to share directly with other organizations who have similar products or are similar to me in structure (academic, for example) that I have found some good utility in.
  • (from a vendor employee) As a vendor, we do yearly, in-depth, anonymous, customer surveys to see how we truly stand in all areas of our solution, service, and support. That said, KLAS is incredibly helpful for us to get even further information on our performance. I find KLAS gets better executive level feedback than we get on our own (our surveys usually get more responses from managers/directors/end-users). It’s a great way for vendors to see objectively where they’re doing well and where they might have opportunities for improvement. I always tell folks, I love hearing all the great stuff about our company and solution but I’d much rather hear the “tough” stuff as that’s the gold that helps you become better and better.
  • I use the KLAS reports to come up with a short list of vendors before the application/service search. The reports provide information that I use to educate my customers as to what is available, what others use in similar markets (e.g. practice EMR pool is different for 1-6 providers as compared to a practice of over 100 providers), as well as what applications others are moving from (always good to show there are no perfect vendors). I do peruse the vendor alerts as they come in but to this point I’ve not seen anything that was news to me.
  • I use KLAS for independent ambulatory physicians who are looking for a system — it is excellent for them and they often do not know it exists. I also use it to go to battle when an operations person wants to buy a niche vendor system that I don’t want. (of course that only works if the KLAS scores are bad). Occasionally use it for our own purchases that I am trying to investigate, but unfortunately many of the systems we are looking to buy are not rated in KLAS (population health, analytics etc.)
  • Used as one of the tools as part of vendor and system selection or standardization efforts. Also use Gartner info such as magic quadrant and we now ask IT vendors to register on VendorMate and pull reports on financial and sanction info from that resource and use Gartner for contract negotiation market analysis.
  • I use KLAS infrequently, but it has served as a way to educate and inform our leadership about specific vendor offerings and their comparative value to the market. 
  • KLAS scores and reports are critically important to me in my decision making process. They are my single most influential source of external advice and insight, followed by The Advisory Board and Gartner. KLAS’s integrity is unshakeable and their influence on the industry is invaluable.
  • I review KLAS to identify top vendors meriting consideration and to yield additional insights into strengths and weaknesses when selecting vendors.
  • Flawed, but extremely valuable given there are no better alternatives in many cases. We used it a year ago to help determine whether we should go with a particular vendor on the outpatient side (we didn’t as their product was rated in the bottom of the rankings). The one area where KLAS is lacking is in specialty-specific EMR evaluations, as the niche products that are great don’t show up on the KLAS radar because of lower volumes.
  • I participate in KLAS surveys because the lady who calls used to work for me and I like her style and that of the company. I find the reports insightful and they help confirm our assessments and sometimes point out weaknesses. I am aware of some of the criticisms of KLAS and certainly recognize their limitations. It is also helpful in working with the senior team, who may see only the glitz. It helps when I show our own vendor’s ratings, with which they usually agree, as a means to establish a level of credibility in KLAS reports.
  • I don’t have real decision-making power (e.g., authority, monetary control) over HIT purchases. However, as a physician end-user and member of our institutional EHR committees, I have used the KLAS reports as a "reality check" when my personal impression of a particular product is dramatically different from the party line that’s being perpetuated by our hospital IT group and C-suite. They say "This software’s perfectly reasonable, but the doctors are being resistant." It’s nice to be able to say, "I don’t think it’s just our doctors who view this software as having problems…." I would say that the KLAS reports are helpful in encouraging greater honesty and reality checking when too many folks are drinking a LOT of Kool-Aid.
  • Use it on a limited basis for specialty systems and needs. Good reference point to check and confirm which vendors we should consider for a selection



Key Themes

  • KLAS uses questionable and non-transparent methodology.
  • KLAS is far from perfect, but has little competition.
  • The negative comments and scores are more meaningful than the positive ones.
  • It’s good for a quick check on what customers think.
  • KLAS reports can help determine if a trend you’re seeing locally is broad.
  • It’s a good starting point for researching a vendor or product type, but is not the deciding factor.
  • New service to allow members to contact each other is useful.
  • Use KLAS reports to identify available products of a particular type.
  • Review the scores of IT-recommended systems to make sure they are being considered on merit and not IT department convenience.
  • Use the reports to educate and influence users involved in selection.
  • Show negative reports to users who are convinced that they want a particular system or to remind users that all systems have negatives and that implementing them is hard work.
November 4, 2012 Advisory Panel 2 Comments

HIStalk Advisory Panel: Increasing Physician Involvement

September 24, 2012 Advisory Panel 1 Comment

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

This month’s question: What successful actions have you taken to improve the involvement and satisfaction of physicians with IT projects and services?


  • We ask physicians what kind of IT solutions they believe would be beneficial to our service, quality, and affordability objectives. Physicians help us evaluate proposed solutions. Project teams are partly staffed by physicians, and in some roles, we pay them for their subject matter expertise. CIO meets directly with CMIO to ensure alignment on priorities and clarity regarding improvement opportunities.
  • We strive to find ways to use HIT to make it easy for our physicians to do the right thing. We obsess over how many clicks each action takes, and whether someone else on the team should be doing it instead of the doctor. We are not perfect, but we’ve stumbled into a few things based on these principles which are unique ways to use our EMR, but which result in improved efficiency and quality.
  • We formed a physician group called the PIT (Physician Information Technology) group that meets every other week. We do this so frequently because we are in the middle of a large EMR project. We run all decisions impacting docs through this group, from order sets to clinical notes design. Another thing we have done is launched a physician portal that has a blog manned by our CMIO and CIO, but I will have to tell you it does not get much traffic.
  • The single most important tool for physician engagement has been shoe leather (OK, shoe rubber?) Getting out and making face-to-face contact with them in the hospital and in the clinics. Asking what works and what we can do better. Optimizing the EMR is an ongoing task and the first step is to convince them that we’re committed to it. Also, recognizing that one size does not fit all, whether it is the interface or the device or the software tools, has been critically important. Be flexible wherever possible about the tools we provide.
  • I think this follows the classical thought process today: First, have a physician in a key leadership area seen as the owner of the project. I like to have a VPMA or Medical Director leading the charge depending on the scope of the project. (IMO, depending on this role’s relationships with physicians and the physician model of the organization, this may or may not have any impact on the project.) Another key is having the right type of person in a Physician/IT role (CMIO, Med Dir of Informatics, etc.) Someone that can earn the trust and respect of the other Docs, translate clinical needs between IT and business workflow, and "prep the battlefield" for major decisions by meeting with groups or individuals off-line. Having key physician champions attend discussions with other clinical areas is a must. This is where workflows overlapping various areas (physicians and nursing, for example) come to a head. For ongoing support, maintenance, and optimization, having IT topics on MEC, division meetings, physician steering/champion groups, etc. is a key strategy. And as a last resort, free meals are always appreciated.
  • We’ve taken a new approach to engaging physicians with our EMR via an online collaboration / community. Our "MyEMR" secure intranet site is unique and now has almost 500 physician members. Physician IT champions moderate discussion forums, answer questions for their peers. Education ‘tips and tricks’ videos. Design drafts are posted for review on new content and development items. New information (e.g., Stage 2 Meaningful Use information) also posted for review and education. Project status documents posted so that all can see progress on important efforts. This site was conceived by our physicians and now co-managed with them.
  • Defining specific roles for physicians and using physicians to recruit other physicians has been a successful approach that I have used. Whether it is software implementation work or ICD-10 implementation or anything in between, physicians need to have clarity on the expectations and time commitments that they will be signing up for.
  • We created a steering committee for them that reports to the medical staff executive committee. The only person from the hospital who is there routinely is the IT director (no CIO here). It is their chance to blow off steam about issues, and they do. If they gripe to the hospital administration about IT, they’re told that they have a channel for those complaints, and they are asked to use it. Once they recognized that we do listen and that within the strictures of the software and legalities, we’ll accommodate them if we know there are problems, they started using the committee. Now, it is more about moving forward than about fighting the battles of the last 20 years.
  • With any change, you need executive leadership support (administration and physician), evidence-based metrics, peer-to-peer pressure, and a system’s level continuous process improvement culture that is combined with a comprehensive, multi-pronged communication plan that reaches all levels of your organization. You have to include physicians (champions and high-volume user representatives) at the table from the very beginning and recognize that they are key stakeholders, and not just barriers to IT implementation. Physicians, like us all, are slow to adopt new, disruptive technologies. Active involvement and an active communication plan are critical to getting them involved. If they feel like they are part of the solution, then it will work. The solutions themselves also have to be designed for the user (the physician). They need to hear "what is in it for them." Perhaps it is a reduction in time, errors, callbacks, etc. The more specific the better.
  • We created a CITAC (Clinical Informatics Technology Advisory Council) made up of physicians representing most of the sections of the hospital(s) and we take them all of the new things we look at, get their input, get advice as to how to communicate with the entire medical staff, or to introduce new systems or technologies, etc. They also bring us suggestions from their respective sections on order sets, CPOE screens, prompts, core measure attributes to build in, etc. It’s really been helpful. In addition to the docs, we also include some nursing staff, my IT clinical informatics staff, and our vendor representative. We air some dirty laundry, and deal with some turf issues, some of which can be awkward but the end result is pretty positive. In addition to this, we have made trips to each of the major provider clinics to meet with those physicians to discuss issues and desires related to CPOE screens, prompts, processes, etc. But, one of the biggest things that I feel contributes to better adoption of new technologies, is that we use a lot of hospitalists in our organization, and once we get them to use technology and make some changes based on their feedback, we’re finding the other physicians are more prone to try it (since they see the hospitalists using it).
  • We’ve worked very hard to partner with and develop Physician Champions. Physicians in this role are more in tune with current projects and services, and enjoy being involved in the decision making process. For many of our physician champions, we have regularly scheduled meetings with them and their Practice Administrators to prioritize projects and discuss options, which is beneficial for all of us. We are expecting to roll out a full Physician Governance program this next year.
  • Physician IT committee, physician champion for certain projects, specific physician IT ‘helpline’ to facilitate quick resolution of their issues.
  • The key to physician satisfaction and engagement in health IT efforts is definitely having them involved. It is not enough for them to just be invited to receive information about the project. They need a seat at the decision making table and a voice that is heard and listened to. The level of their involvement in decision making and governance can vary depending on the project/program at hand, but having as many thought and action leaders from the medical staff in active roles in the project/program as feasible pays dividends with the entire medical staff. The opposite situation (zero physician involvement) yields highly negative results in terms of medical staff satisfaction, engagement, and adoption. However, it is also absolutely vital to choose wisely those physicians that are selected for involvement. We naturally want to involve those who have "connectedness" with their peers and thus high influence, but we also must select for traits such as "collaborativeness", ability to understand and explain the "vision" and rationale of what we are doing to peers, and flexibility (as plans necessarily change while in progress more often than not).
  • Most success has been to not just involve the docs, but have them lead initiatives. For example, we have three MDs that have had tasks and expanding roles in our Epic project. In addition, when you can have the docs be decision makers in projects, and those docs have the respect of most of the medical staff, per se, then things seem to go better. Having docs sit on a committee and updating them or asking for opinion is clearly not enough. They have to be like the pig at a breakfast of bacon, sausage, and eggs. Not like the chicken. 
  • When we went through the process of choosing an EMR we intentionally set up a steering committee made up largely of our physicians. We had representatives from all of our clinic types and almost one from each clinic. These docs were an integral part of the process. Once our selection process was down to three, we did demonstrations of several days with each vendor and asked all of our clinicians docs and staff to sit in. We required a survey upon exiting even if it was just a check mark on a few basic questions. After demos, site visits, and analysis was completed, the only folks who voted were the physicians. We have tweaked the system we purchased to make it as useful to the docs as we can. When we have a live date planned, we make sure the physician has someone within hearing distance to answer all questions and concerns. It is all about the support.
  • This is a long story, but something for which we are proud. Many years ago (1993, in fact) we created a Clinical Systems Advisory Committee. It came to be because there was significant dissatisfaction among members of the user agreement. It started as a very small group of physicians who would meet with us weekly, then ultimately bi-weekly, to discuss our work. We provided dinner and (cheap) wine. We would always meet in the evening; we would always make it a comfortable, and somewhat informal meeting. Over the years, it grew, and grew, and grew. And now, we meet monthly. The room is full with doctors, nurses and IT professionals. There are often more than 50 people in the room. Sometimes there are 75 or 80 people in the room. It is open to anyone who wishes to attend, although there is a membership list. Lots of great folks participate, and we all genuinely look forward to the meeting. It’s a social event as well as a work event. Lots of time to network and catch up. The meeting typically lasts for about two hours, but many folks stick around late into the evening. We serve great dessert. We have learned so much, made important decisions, and used the output as a way to advise our executive team. It has been a real joy. Additionally, now that we have embraced Epic as our enterprise-wide solution, we have added a Physician Council and a Nursing Council. In this case, we have ensured that we have a representative from every department or division. It is equally effective, equally active, much more focused and a bit more formal.
  • Use of "Tech Rounds" at one of our hospitals, conducted by the local CMIO; done monthly and showing latest technology applications, use of system, etc.
  • We have a mature CPOE implementation and a lot of community docs and contracted hospitalists (in many disciplines). It has been challenging to maintain physician involvement and enthusiasm for continuous improvement of order sets, decision support, etc. On the satisfaction front, hiring a CMIO (me) has been very helpful, and having a crew of dedicated physician educators / support specialists has been essential. Most of our physicians don’t bother with the IT Help Desk any more.
  • Lots of one on one discussion; open conversations with physicians in various meeting formats, informal lunches, working  to provide prebuilt documentation screens by specialty, demonstrating the improvements in outcomes using computer associated protocols agreed to by provider groups.
  • As part of our Epic implementation, we formed a Physician Advisory Group chaired by our CMIO consisting of physicians representing every discipline across our health system. This group has been key to driving significantly increased engagement by physicians in the requirements, design, implementation, testing, training, go-live, and ongoing improvement of our new EMR. The core advisory group has been meeting weekly for a year and has been very successful. We also invite other physicians, outside the core group, to participate in requirements and design sessions when needed, which extends our reach further into the community. These, and other supporting, actions have been effective in improving involvement and satisfaction of our physicians with IT projects and services. 