Note: the views and opinions expressed are those of the authors personally and are not necessarily representative of their current or former employers.
ONC Moves on Data at Rest
By Frank Poggio
ONC recently published the draft of the new Stage 2 certification criteria for data at rest — or as they call it, End User Device Encryption Test Procedure 170.314(d)(7). With the almost weekly stories about stolen notebooks, lost thumb drives, and missing data CDs while the new HIPAA audits get underway, these new criteria are no surprise. But as understandable as the ONC goals are, the implementation of 170.314(d)(7) may give system vendors fits.
Per the published ONC test script, there are two ways for a vendor to meet these criteria:
- If, while your Complete EHR or EHR Module is active, you allow data to be moved to external devices, then your system must do it using a FIPS 140-2 (AES 256) encryption algorithm. The data on the device must stay encrypted and only be allowed to be decrypted by authorized personnel. Encryption must be the default setting.
- Or, your system must prohibit any movement of PHI data to external devices.
To pass the new Device Encryption test procedure, you must have either one of the above capabilities embedded in your system.
Here are just a few possible problems you might encounter from a vendor’s perspective under Scenario 1.
If you are currently using a full system encryption tool such as BitLocker under Windows, this will not work for external devices, so you’ll have to move to other third-party products such as TrueCrypt or 7-Zip.
If within your application you support user-generated SQL searches and tools like Crystal Reports, then the reports that the user generates will only be allowed to be copied to external devices (thumb drives, notebooks, tablets, etc.) if the reports are properly encrypted. The same is true for images, care notes, instructions, etc.
It can get more complicated if you have a patient portal and allow me to download my personal info to my personal tablet. Will you encrypt the download? And then give me the key to allow me to view my information after I have signed off from your portal? Will my tablet support your encryption tool? If on the other hand you (the vendor) do not support downloads, yet I undertake that step on my own (e.g. use screen print), then per ONC the vendor is not responsible.
If all that seems too complicated to deal with, as noted earlier, you could go for Option 2 and prohibit any movement of PHI to external devices. You allow clients to see reports on screen but not move/copy them. No transfers to Excel or Crystal and no screen dumps. Already I can hear the roar of client complaints.
On a positive note, ONC does say that the vendor must supply the provider with this capability, but it is up to the provider to use it. These new criteria also state that if a provider manages to access your application data outside your application, you are not responsible.
Finally, included in the last set of Stage 2 test criteria there was another new one called ‘Safety Enhanced Design’ (170.314(g)(3)). I’ll cover that one next time. You can see all the new Stage 2 test criteria here.
Frank L. Poggio is president of The Kelzon Group.
RTLS Offers Value Beyond Asset Tracking to Healthcare Facilities of All Sizes
By Barry Cobbley
HIMSS Analytics Vice President John Hoyt was recently interviewed regarding Real-time Locating Systems (RTLS) for an article that appeared at mhimss.org and healthcareitnews.com. The premise of the article is true enough—that RTLS offers significant ROI as well as improvements to patient safety, yet adoption among hospitals is lower than it should be.
However, other assertions simply miss the mark.
First and foremost, RTLS is discussed primarily in terms of asset tracking. It’s a common use, but forward-thinking healthcare organizations use it for so much more. Mr. Hoyt does mention “patient tracking,” but only as a way to relay completed stages of a patient’s visit to family. The article even goes so far as to state that “RFID/RTLS has a lot to offer—but primarily only to hospitals—big ones, at that.”
This couldn’t be further from the truth. Large facilities like The Johns Hopkins Hospital will reap huge value from RTLS, but there’s plenty of evidence that small- and medium-size facilities benefit as well, and the value goes far beyond simple asset tracking.
What Mr. Hoyt seems to miss is that RTLS is not just about tracking. It’s about making healthcare more efficient through workflow automation. In this way, RTLS addresses a fundamental challenge that all healthcare organizations are facing: how to do more with less.
Large and small emergency departments, hospital operating rooms, outpatient clinics, ambulatory surgery centers (ASCs), long-term care facilities, and others successfully use RTLS to improve processes, giving providers more time with patients while increasing volume. They’ve reduced patient wait times and increased patient satisfaction. They’ve nearly eliminated phone calls and search times for patients, assets, and other staff members, allowing more time to focus on the patient. And in one of the most impressive use cases, they’ve automated EMRs, relieving skilled clinicians of tedious data entry.
I agree with Mr. Hoyt that the rate of RTLS adoption would certainly be higher in a healthcare landscape not focused on regulatory compliance. But the fact of the matter is that nearly one in five hospitals have already adopted this technology without a mandate. In other words, based strictly on merit. Those organizations that are truly internalizing the need to operate more efficiently are at the head of the adoption curve.
Take for example Memorial Hospital Miramar, a 178-bed facility in Florida, the first to automate Epic EMR with RTLS. Thanks to their work, RTLS was highlighted as a hot technology recently at Epic UGM. The integration automates the entry of important patient data normally typed manually into Epic (patient arrival, nurse/doc assignment, room/bed assignment, nurse/doc assessment complete, discharge time, etc.).
EMR automation is just one of several ways Memorial Miramar leverages RTLS. This community hospital is one of many who see the big picture of healthcare IT, where technology like RTLS improves efficiency and enhances patient care—far beyond finding assets.
Barry Cobbley is director of location solutions of Versus Technology of Traverse City, MI.
Strategies for Healthcare’s Successful Transition into the BYOD Era
By Brent Lang
Bring Your Own Device (BYOD) is a hot topic as companies across all industries are increasingly faced with allowing employees to use their own smartphones, tablets, and other mobile devices for work purposes. Within the healthcare industry, there continues to be a rise in the number of busy physicians, nurses, and other healthcare professionals who have consolidated their mobile devices to streamline the use for both work and personal into one. In fact, a recent survey of mobile device usage indicates that 84 percent of individuals across all industries use the same smartphone for personal and work issues.[i]
Despite this demand, security concerns have led hospitals and health systems to embrace BYOD in varying degrees. Some organizations permit employees within designated departments to use personal devices, while requiring other employees to use company devices designed specifically for unique healthcare settings. For instance, purpose-built devices or in-building wireless phones are relatively easy to manage, secure, and clean. Conversely, there can be great variation in employee personal devices and operating systems. This lack of uniformity will place an increased burden on IT departments as they seek to configure, manage, and implement both security and network changes on a plethora of devices.
Fortunately, various strategies exist to mitigate the risk caused by this rich diversity of mobile devices entering the healthcare work environment. One example is the use of Mobile Device Management (MDM) software, which can include password protection, software control, version management, remote wiping, inventory, and other security controls. MDM tools can also be used to create “enterprise partitions” in personal devices. This allows for an individual’s work-related applications and data to reside on a secured partition within the device, easily managed by the hospital or health system. Organizations may also consider storing patient information on a centralized enterprise server rather than on the individual device, or creating wireless local area networks (WLANs) specifically for personal devices to help limit network access.
Additionally, executives tasked with health IT purchasing decisions should only partner with healthcare communications vendors that make their applications “BYOD ready.” In certain circumstances, this will include encrypting all data while “at rest” and “in motion” and providing remote wipe capabilities. Vendors should also have the ability to monitor the security of their corporate data.
By and large, BYOD is having an impact on companies across all industries. Its evolution has unique meaning in healthcare, where a generation of Internet-savvy physicians, nurses, and other clinicians are bringing the promise of mobile technology to the bedside. To ensure the successful transition of the healthcare industry into the BYOD era, hospitals and health systems must carefully consider and adopt policy, software and infrastructure controls, and educational initiatives.
[i]Weber, M. (2012, August 14). BYOD Survey Results: Employees are not playing it safe with company data.
Brent Lang is president and COO of Vocera Communications of San Jose, CA.
ICD-10: Time to Act
By John Pitsikoulis
Now that the ICD-10 implementation deadline has been extended to October 1, 2014, time is ticking away as we move closer to the date. The extension was a reaction to intense pressure from the American Medical Association (AMA), hospitals, and others who reported that they need more time to implement the extensive changes. As the deadline loomed, many hospital leaders admitted that their organizations weren’t prepared for the ICD-10 transition.
Now that we have an extension, how can providers use the time wisely, especially as they are contending with other competing and conflicting priorities such as electronic health records projects, Meaningful Use deadlines, and IT system replacements that impact the abilities of organizations to stay on task with their ICD-10 activities? Now is the time for hospitals to go into overdrive and concentrate on their planning, strategic decisions and implementation activities.
Developing the ICD-10 project plan for complying with the deadline is the first step many organizations have accomplished. While there are some great resources for organizations to utilize for managing the assessment and implementation key remediation components, many organizations are relying on a “check the box” methodology for readiness and mitigating the risks associated with the conversion to ICD-10. While this is a good framework for project managing the global tasks associated with ICD-10 initiatives, this approach will not provide the organization with alternative strategic considerations or the content expertise that will complement the organization’s portfolio of strategic initiatives. The average organization’s resources are stretched so thin, they just do not have the bandwidth of personnel to manage all of the activities required to mitigate the risks.
Managing a multi-year enterprise-wide initiative is a monumental initiative that requires planning, preparation, collaboration, progress evaluations, and alternative decisions throughout the project’s life cycle. With any multi-year enterprise project, periodic evaluations of the plan, progress, and timelines are critical success factors for achieving the desired end goals. But how are you measuring the end goals?
For example, there is an industry shortage of medical record coders. The simple answer to meet the demands of the industry would be to train more coders. This might be a solution for the productivity issues associated with ICD-10, but how many CFOs would be comfortable with entry-level coders determining the organization’s reimbursement? Coding is more complex than simply assigning a code from a coding book – it takes years of education, training, and mentoring to be a seasoned coding resource. You may have met the goal of providing education and training, but do you have the confidence that after the coders, physicians, and other contributors are educated they will achieve the same level of proficiency they obtained with the ICD-9 system? Managing the clinical documentation specificity and coding quality requirements will be a continuous process that will require dedicated resources focused on clinical documentation improvement, operational process improvement, and financial analysis to ensure the organization is receiving the appropriate reimbursement under ICD-10.
How will your organization test for ICD-10? We know the testing focus for ICD-10 will be fundamentally different than 5010 testing. Even with the 5010 experience, the industry learned that validating the end result was not sufficient and a significant amount of content modification was required. ICD-10 will require changes to the IT infrastructure, which is the foundation for the organization’s business processes. More importantly, the content of the business transactions that are the core of the healthcare delivery, reimbursement, and data outcome models is being replaced with a new set of coding standards.
Standard testing for compliance with format and content will not be enough for a seamless transition. End-to-end testing with payors and trading partners will require a detailed inspection of the claims submission and adjudication transaction process, both from an internal and external methodology, to ensure that business intent and reimbursement requirements meet the anticipated results.
Testing functionality and content with payors will be a challenge that will be costly from a dollars and resources perspective. Close enough is not good enough when talking about revenue neutrality and compliance with billing guidelines. ICD-10 testing will certainly need to include end-to-end, cross-functional, bi-directional, internal and external testing activities. Additionally, ICD-10 will require coupling testing analytics with ICD-10 coding expertise to validate the results of the test transactions and expected revenue outcomes.
Hospitals must also take a hard look at their strategic approach when it comes to the ICD-10 transformation of the organization’s processes and technology. Emphasis must be placed on the tactical approach for education, clinical documentation improvement, testing, and data outcomes, etc. Organizations that focus on content and desired outcomes and not merely the steps to complete a task will achieve the benefits of a highly trained workforce and a strategic and comprehensive ICD-10 business transition that covers every major impact area.
John Pitsikoulis is ICD-10 practice leader for CTG Health Solutions of Buffalo, NY.
Seven Things Most Important to Top Performers
By Frank Myeroff
Can you relate?
Recently, a leading HR organization conducted a survey of top performing professionals at a wide variety of organizations in order to understand what they find most important to them on their jobs. Overall, top performers ranked the following seven as the most important things to them (industry or practice area did not matter):
- Challenging and meaningful work. Top performers want to be engaged and energized by their work and organization. In addition, people generally want to feel a sense of achievement, responsibility, and to know that what they’re doing on a daily basis has some purpose behind it.
- Compensation. Top performers want to make top dollar, and salaries that include bonuses and benefits ranked as very important. Also, regular performance reviews and salary reviews were included as part of compensation.
- Job security. While job security is hard to come by these days, it is important for workers to avoid layoffs and declining salaries. Therefore, top performers found it important to have up-to-date skills, follow industry trends, and keep pace with their industry in order to bolster their job security.
- Work-life balance. Top performers are looking for synergy between their personal and professional lives. The 8 a.m. to 5 p.m. schedule isn’t for everyone. They appreciate having a say over when they work and sometimes even where they work, including from home.
- Career development. Technology innovations and fast-changing trends in any field are hard to keep up with. That’s why top performers value ongoing career development and training. It enhances their capabilities and sharpens their skills.
- Leadership style. A manager’s leadership style is critical to a satisfactory work environment and production levels. To keep the best and brightest engaged in their jobs and performing at high levels, managers need to provide support, resources, and opportunities.
- Advancement. A promotion is viewed as important and desirable because of the impact it has on pay, authority, responsibility, and the ability to influence broader organizational decision making. In addition, a promotion raises the status of an employee because it is a visible sign of esteem from the employer.
Frank Myeroff is managing partner and VP of business development and operations of Direct Consulting Associates of Solon, OH.