Readers Write: Naked Cybersecurity

Naked Cybersecurity
By John Gomez

John Gomez is CEO of Sensato of Asbury Park, NJ.

Although the observations in this article are based on my direct experiences over the past four years working with healthcare organizations to secure their systems. I am sure that most of what I am going to share is wrong. I also will apologize upfront for presenting a viewpoint that I am sure is one-sided, and although I believe it to be reflective of the reality of cybersecurity in healthcare, it is probably wrong.

I also want to clarify who I hope will read this article, because it is certainly not meant for everyone. If you are of the belief that academic cybersecurity approaches, checkmark mentality, or putting your faith in things like commercial “trusted” security and privacy frameworks or national cybersecurity information sharing groups is a good idea, then this article is not for you. Reading it will be a total waste of your time.

In fact, if you think that what you have been doing in cybersecurity is right and spot on, this article will just annoy you. And yes, you guessed it, it will be a waste of your time.

On the other hand, if you stay up at night freaked out that despite your best efforts you are losing the battle against a well-armed and informed enemy, then brothers and sisters, you probably will find this article of interest. Yet I warn you — this is more about my opinion (as unqualified as that may be) than any academic, certified, highly-trusted approach you may find in the world of healthcare cybersecurity.

For those who are still reading along, let me drop (in the vernacular of our youth) a truth bomb. A truth bomb that I suspect anyone still reading will not find surprising, but is akin to that small child who once said, “But the emperor has no clothes.” The truth I share with you is that we are losing the cybersecurity war and losing badly. 

There, I said it. And yes, it is rather cathartic to be able to state that in public. Try it with me — I promise you will feel better and empowered. We are losing the cybersecurity war.

Despite our best efforts, despite the beliefs in fancy risk and security frameworks and the latest hyperbole regarding threat intelligence, advanced defenses, and the latest snake oil being peddled by cybersecurity vendors, we are losing ground by leaps and bounds.

If you ever wanted to know what it felt like to be on the receiving end of General Patton’s surge across Europe, just take a job in the world of healthcare cybersecurity. We have some great, passionate, talented people among our ranks, but regardless of how fast they are pedaling, the attacks are overrunning them and taking ground.

In 2016, per a PWC cybersecurity survey, organizations across industries increased their spending on cybersecurity by 20 percent. Yet despite deploying more frameworks, more technology, employing some cool AI stuff, expanding their staffs, and embracing the best practice of the day, we also learned that there was a 38 percent increase in cybersecurity attacks. The cost to remediate an attack rose by 23 percent over 2015.

Talk about a lousy return on investment. You increase spending by 20 percent, and yet you are finding your efforts to not even be closing the gap. In fact, on a cross-industry basis, we are seeing double-digit negative returns on cybersecurity investments.

Years ago, an experiment was conducted where a monkey threw a dart at a list of stocks. The goal was to see if random selection of stocks ended up worst or better than what was selected by professional and well-trained brokers. If I recall, the monkey’s picks fared better. Sadly, for those of us protecting healthcare organizations from attackers, we are seeing similar results. There is no — not one — strategy or best practice that will definitively prevent attackers from gaining access to your systems.

Speaking of attackers, just how painful has life become for their side of the seesaw? I mean, everyone is spending more money; cybersecurity is now a board-level issue; and per HIPAA, it is required that the CEO be intimate with the protection of patient data as it relates to security and privacy. Certainly all this increase in spending, resources, and attention must be making life so very hard for the cyberattacker.

Well, in 2016, the average cost of a highly-sophisticated exploit kit was $1,367, a 44 percent decrease over 2015. Thanks to easy and cheap access to cloud computing (I am looking at you, Microsoft and Amazon), the cost of an attack has dropped 40 percent over 2015. We now have attacker market that include RAS (ransomware as a service), EAS (espionage as a service), and DDoSasS (Distributed Denial of Service as a service). You can contract for any of these attack services from the comfort of your home recliner. We also have learned that the average length of time to successfully execute a breach is now less than 24 hours, a 72 percent decrease over 2015.

Net-net, attackers are winning and probably chilling out, sharing bottles of wine, nibbling on cheese, and laughing their butts off. Yet for those in the trenches, those who get up day to day fighting the good fight, none of this is new. I suspect that the front-line defenders know all of this, yet don’t have the data or podium to yell out, “The emperor has no clothes.”

Ultimately, I believe we all are united (vendors, defenders, management) in understanding that our current approaches are not working over the long term. I also suspect some will have counterarguments, point out that things aren’t that bad, and claim their solution is fault proof. As someone who works with attackers, I can tell you that you would be foolish to believe that your current approaches can thwart attackers. Especially if your approaches date back to 2010, are based on complicated frameworks and tools, and require you to subscribe to checkmark practices.

Here is a final statistical truth bomb that you may find entertaining. About a decade ago, we could detect an attacker in our networks within hours. Over time time-to-detection has evolved from hours to the current average of 265 days. If the attackers keep evolving, soon it will be over a year on average before we can detect an attacker despite our increased spending and advanced defense capabilities.

We can attribute this to advanced persistent threats (even though most attacks are not all that advanced), higher complexity of networks, and technology we defend as among the reasons attackers succeed. I am sure there is some truth in all those reasons, but you don’t win wars by pointing out what you are doing. You win wars by gearing up, toughening up, and figuring out how to fight better and more effectively than your enemy.

I guess the foundational question this article will pose is, is this a lost cause? Should we just wave the white flag and throw up our arms? That is one approach, but I have greater faith in all of you. You who stay awake at night wondering what else you can do to fight the good fight. You who take on your boards, push back against the egotistical physician, and fight to be heard for funding and attention — all to make it a little bit tougher for the attacker. I have tremendous faith for all of you who insist, “Not on my watch.”

I believe there is a lot we can do to turn the tide on the attackers. Right now, we are in a ground war, one that can benefit from technology, but that also requires us to really reconsider our core tactics and principles. One major piece of advice I would give you comes from Luke Cage of Marvel Comics — “…sometimes you have to throw out the science.”

A key approach that should be considered, debated, and tested is simplification. Rather than embrace the false of sense of security that complexity may bring, we should focus on tactics that rely on low-tech solutions that work consistently. You should be establishing last lines of defense that are based on securing high-value targets. It is critical that you take an attacker-centric viewpoint and truly understand attacker motivations. Much of this advice comes from my personal experiences in cybersecurity and in training special operation teams to take the fight to the enemy.

Simply stated, you need to embrace an assertive posture related to your cybersecurity. This is not 2010. It is 2017, and we are now dealing with attackers employing 2020 approaches. We have just seen the release of MedJack 3.0, which bypasses antivirus. We are seeing malware that is polymorphic. We are seeing attackers embrace analytics and machine learning. The answer is not a framework that recommends changing your password every 90 days? A signature-based system is not going to keep an attacker out of your network.

We need to stop putting our faith in those solutions and approaches that are complex and increase complexity. Regardless of the technical solution or tactic, your goal should be to embrace simplicity, reduce excuses, and eliminate barriers to security.

Want to practically eliminate phishing attacks? Invest in a solution that adds the word “External:” to the subject line of any e-mail that comes from outside your organization. You would be surprised how this little low-tech investment dramatically drops the success of phishing attacks. Want to reduce the length of time an attacker is in your network? Learn what scares them most and target their fears (if you don’t know that answer, e-mail me). Turn the tables, get practical, fight back.

Practical real-world security doesn’t require huge expense or complicated approaches. The most critical first step is to become like a child. Open your eyes and realize that the emperor which is healthcare cybersecurity is in the buff.

Readers Write: It’s Time to Bring Back the Noise

It’s Time to Bring Back the Noise
By Andrew Mellin, MD

A very memorable moment for me at one of the first go-lives for a hospital EHR was when I stood on the unit and realized there was an eerie silence. While the beeps of the monitors and the drone of the overhead pages continued, the buzz of the caregivers talking to each other was gone as everyone was staring intently at a computer monitor.

As an implementation team, we quickly learned we needed to frequently remind the caregivers to keep talking to each other as part of our go-live training for future sites. But years later, it is clear the EHR has fundamentally changed the dynamics of how providers and care teams communicate.

The impact of this dynamic is well recognized. The change in communication patterns, sometimes called the "illusion of communication," is identified as one of the key unintended consequences of implementing an EHR. With today’s EHRs, we now have all the information we need at our fingertips, yet the ability for care teams to collaborate in an ongoing, continuous dialogue is not well supported by the systems’ encounter, inbox, and order-based models.

We still have noisy hospitals, but now we hear the wrong kind of noise: the sounds that keep patients awake and require caregivers to respond to beeps emitted from devices in stationary locations that make it difficult to find a real signal that requires action.

It’s time to bring the right kind of noise back to patient care. Not the auditory noise that we hear, but the cognitive buzz that is generated when high-functioning teams are communicating in an effortless, asynchronous manner.

Think of how communication models like iMessage, WhatsApp, and SMS have changed the way we communicate in our personal lives. There’s very low effort required to initiate a simple message. We have the ability to share rich information — such as images, videos, or voice — as well as expressive notifications. We even have an ongoing transcript of the conversation and acknowledgement of message receipt.

Healthcare communications benefit from the same communications models, but require HIPAA compliance, message traceability, integration to other initiators of messages (e.g., the hospital operator), and EHR integration.

The actual messaging app, however, is simply the user window into communications technologies that not only improve care team collaboration, but more importantly, drive improved care team efficacy and patient outcomes.

For example, physicians work in shifts that are largely defined by an on-call schedule. When I worked as a hospitalist on weekends when the staff frequently changed, I needed to find an on-call schedule to determine which specialist would see my patient that day (usually I just asked the nurse or HUC to page a person for me because it was too hard to figure out who was on call.)

To solve this problem, a healthcare communications platform needs to support messaging to a role that resolves to their correct on-call individual. And secure mobile messaging is not only about person-to-person communications — rather it is a way to notify an individual of any important piece of information about a patient, whether it is generated by a machine or a human.

For example, when a CDS alert in an EHR is triggered to indicate that a patient may be becoming septic, a rapid response team can be automatically and immediately notified. When a device triggers an alarm, instead of a loud beep that has to be interpreted, the specific, detailed message with patient context is sent to the right person’s device with the appropriate sense of urgency.

All technologies have limited value unless directly leveraged to improve organizational goals, and communication tools are often an underrepresented element of process improvement initiatives due to the limited modes that exist without a modern communication infrastructure. I’ve seen dramatic operational and clinical improvements achieved when these tools are embraced, such as 30-minute reduction in admission times from the ED and material improvement in HCAHPS scores.

These tools do not eliminate the phone call that is essential in a complex situation or the need to document the care plan in the EHR. Rather, these tools augment the EHR and elevate the quality and cohesiveness of the care team collaboration. The magnitude of the value of healthcare communications is under-appreciated: One large academic medical center sends over 150,000 messages to the caregivers and support staff in their organization every week.

It’s time to give caregivers the communications tools they need to improve the patient’s care experiences and outcomes and care team efficacy while eliminating the auditory noise where care is delivered. And it’s time to bring in the kind of high-value noise where caregivers are rapidly interpreting and responding to targeted messages on the go on their mobile device.

Andrew Mellin, MD, MBA is chief medical officer of Spok of Springfield, VA.

Readers Write: Growing Contingent Workforce Benefits Both Healthcare Organizations and HIT Professionals

Growing Contingent Workforce Benefits Both Healthcare Organizations and HIT Professionals
By Frank Myeroff

There’s high growth when it comes to temporary workers, contractors, independent consultants, and freelancers within healthcare IT. New technologies, cost factors, and a whole new generation of HIT professionals wanting to work in a gig economy are fueling this growth. The rise and growth of the contingent workforce is only expected to accelerate over the next few years into 2020.

This dynamic shift to a contingent workforce makes sense for healthcare organizations and the benefits are well worth it. With a contingent workforce, healthcare organizations experience a big efficiency boost, risk mitigation, and derive a substantial cost savings in these ways:

• The rise of managed service providers (MSP) enable health systems to acquire and manage a contingent workforce. As contingent labor programs continue to grow, these partnerships will be one of the most important workforce solutions that a health system can adopt to effectively manage risk and decrease healthcare hiring.
• The use of vendor management systems (VMS) is a fast way to source and hire contingent labor. These systems make it easy to submit requisitions to multiple staffing suppliers.
• Outsourced expertise will be able to assist healthcare facilities in meeting the January 2018 EHR system requirements. In addition, they often have the extensive knowledge needed when it comes to medical coding. For example, according to the AMA, 2017 ICD-10-CM changes will include 2,305 new codes, 212 deleted ones, and 553 revised ones.
• Healthcare organizations can dial up or dial down staffing as needed without having to pay FTE benefits.
• Improved visibility and the provider stays in control through the use of structured reporting, governance processes, and dashboards.
• Internal resources are freed-up to focus on higher-priority, clinical-facing initiatives such as workflow optimization.

For HIT professionals, contingency work in the HIT space is attractive since opportunities are plentiful, the remuneration is desirable, and the work is rewarding. In addition, work is becoming more knowledge- and project-based and therefore is causing healthcare organizations to become increasingly reliant on their specialized HIT skills and expertise. According to Black Book Rankings Healthcare, this reliance will help to fuel the growth of the global HIT outsourcing market, which should hit $50.4 billion by 2018.

However, making the change from an employee to a contingent worker takes thought and preparation before just jumping in. Here are a few suggestions:

• Identify the niche where you have skills and expertise. Know your passion. Also, pinpoint what type of HIT services and advice you can offer that healthcare organizations are willing to pay for.
• Obtain the required certifications. Getting certified is a surefire way to advance your career in the IT industry. Research IT certification guidesto identify which ones you will need in the areas of security, storage, project management, cloud computing, computer forensics, and more.
• Build your network and brand yourself. It’s important to start building your network once you’ve decided to be a consultant. A strong contact base will help you connect with the resources needed in order to find work. Also, position yourself as an expert, someone that an organization cannot do without. Now combine both a professional network and social network to help you spread with word faster.
• Target your market and location. Determine what type of facility or organization you want to work with, and once decided, think about location. Do you want to work remotely or on site? Are you open to relocation or a commute via airline to and from work?
• Decide whether to go solo or engage with a consulting and staffing firm. If you have the entrepreneurial spirit and want to approach a specific organization directly for a long-term gig, you might want to go solo. However, if you’re open to both short-term and long-term opportunities in various locations, a consultant staffing firm might be the answer.

The rise of a contingent workforce and gig economy will only continue to grow, and with it, much opportunity. A consultant or contractor has more freedom than a regular employee to circulate within their professional community and to take more jobs in more challenging environments. For healthcare facilities, a contingent workforce means acquiring the right HIT skills and expertise needed without the overhead costs associated with payroll benefits and administration. No doubt, a win-win situation for both.

Frank Myeroff is president of Direct Consulting Associates of Cleveland, OH.

Readers Write: Automate Infrastructure to Avoid HIPAA Violations

Automate Infrastructure to Avoid HIPAA Violations
By Stephanie Tayengco

Every other week, news of HIPAA violations comes to light, bringing attention to the challenges of maintaining privacy in the ordinary course of doing business and providing care.

Take, for example, a recent HIPAA violation settlement. Illinois-based healthcare system Advocate Health Care agreed to pay a $5.5 million OCR HIPAA settlement in August after it was found that the company failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI. Earlier this summer, The Catholic Health Care Services of the Archdiocese of Philadelphia agreed to pay $650,000 for failing to implement appropriate security measures and address the integrity and availability of ePHI in its systems.

It is unclear in both cases whether infrastructure configurations were directly to blame. However, addressing the infrastructure-related elements of HIPAA and HITECH take considerable time and effort, time that could be spent addressing the critical application and mobile device-level security standards that result in the vast majority of violations. To refocus engineers away from time-consuming infrastructure compliance, the practices of infrastructure automation and continuous compliance are the key.

Reduce the chance for human error

The foundation for compliant IT infrastructure is implementing strong standards and having guardrails in place to protect against changes that are inconsistent with those standards at the server, operating system, and application level. This is the next evolution of compliance — building a system that can self-correct errors or malicious changes and maintain continuous compliance.

In a recent survey, IT decision-makers shared that 43 percent of their companies’ cloud applications and infrastructure are automated, highlighting that while companies already recognize the tremendous value of system automation, they can do even more.

The road to automation must begin with an IT-wide perception shift — that manual work introduces risk. Any time an engineer is going into a single piece of hardware to perform a custom change, error is possible and system-wide conformity is threatened. This does not mean replacing engineers with robots. It means tasking engineers with creating the control systems. This is an equally challenging (but far less boring) technical task for engineers, but it creates more value.

Part of this control system will be configuration management at the infrastructure level and for application deployment automation. Equally important is the operational shift to train engineers not to make isolated changes to individual machines  and instead to use the control system in place and implement changes as code. Code can be easily changed and tested in non-production environments. Code can be versioned and rolled back. Software deployment tools provide an audit trail of changes and approvals that can be easily read by auditors.

Invest in transparency

One of the main causes that can lead to non-compliance is a lack of transparency, usually in one or both of two key areas:

• Lack of transparency into where critical data resides
• Lack of transparency into current state of system configurations (i.e., how/where data is encrypted, who has access to that data, how privileges are maintained, etc.)

Many companies rely on manual processes and spreadsheets to track the configuration of their systems. In a cloud environment that changes frequently, this can be a real headache.

The single biggest change to make today is to improve the visibility of data criticality and system configurations is to implement configuration management. Rather than rely on manual documentation after the fact when changes are made, configuration management tools allow describing a desired state and creating and enforcing it across the infrastructure. Ideal configurations are coded in a single place, providing the current state of all systems at any time. This is a huge leap forward and it is applicable for operating either on bare metal or in the public cloud. Making long-term investments in operational transparency can help avoid HIPAA headaches.

Focus on mission-critical apps, not infrastructure

As healthcare companies improve IT operations, they should be focused on developing or delivering great patient-centered applications and services, not infrastructure maintenance and compliance.

Migrating to the cloud is the first step. Migrating to a public cloud platform like Amazon Web Services (AWS) provides the benefits of a government-grade data center facility that has already been audited for HIPAA and HITECH compliance. Signing a BAA with Amazon means that a portion of the physical security standards is taken care of (note: regular assessments are still required). That is a huge reduction in risk and cost burden right off the bat.

In addition, the cost of change is significantly reduced in the cloud. Adding, removing, or changing infrastructure can mean a few days of work, not months. That means systems engineers can focus on improving software delivery and the configuration management system, not on manually configuring hardware.

Just one word of caution. Beware of any cloud vendor or service provider that describes the cloud as “no maintenance.” It is true that cloud systems are more efficient to maintain, but maintenance is still necessary. The IT team will focus more of their time on maintenance tasks that are more critical to the business, like building a new testing ground for an application development team or refining the code deployment process, not on undifferentiated data center tasks.

It is only a matter of time before the industry witnesses its next HIPAA violation. Automating infrastructure can significantly reduce the cost and effort of maintaining infrastructure compliance, and can refocus IT on higher-impact areas such as device security.

As health IT evolves, expect to see these two key of technologies — cloud and automation — driving the next wave of efficiencies in health IT.

Stephanie Tayengco is SVP of operations of Logicworks of New York, NY.

Readers Write: The Patient Experience Is Clinical

The Patient Experience Is Clinical
By Mark Crockett, MD

As quickly as healthcare began to focus on patient experience, the law of unintended consequences kicked in. While well received as a tool to help improve care, this situation unintentionally gave rise to a consumer culture around patient treatment. Today’s value-based care arrangements call for providers to take a fresh look at patient experience.

While patients certainly deserve to be treated with dignity and listened to carefully, the top patient experience expectation is receiving safe, quality care. “Patient experience [is] not about making patients happy over quality,” says James Merlino, MD of the Association for Patient Experience. “It’s about safe care first, high-quality care, and then satisfaction.”

The best way to deliver on this expectation is for providers to view these issues of safety, risk, and compliance as a cohesive whole, thus enabling patients to receive the safe, quality care they expect, in the caring and supportive environment they deserve.

The Beryl Group defines patient experience as “the sum of all interactions, shaped by an organization’s culture, that influences patient perceptions across the continuum of care.”

That’s a big job. Most providers lack the tools to make that happen. Where to start?

It begins with developing provider/patient and provider/organization relationships that encourage collaboration.

In 2013, a British Medical Journal review of 55 studies found that patient experience is “positively associated with clinical effectiveness and patient safety, and supports the case for the inclusion of patient experience as one of the central pillars of quality in healthcare. Clinicians should resist sidelining patient experience as too subjective or mood-oriented, divorced from the ‘real’ clinical work of measuring safety and effectiveness.”

What the BMJ study revealed, and my own anecdotal evidence bears out, is that if a patient experience is positive, the patient feels empowered and can enter into a therapeutic “alliance” with the provider. Patients are motivated to follow treatment plans and are less likely to withhold information if they don’t feel intimidated—or worse, ignored—by their provider and the hospital where treatment was rendered. This supports swifter diagnoses and improved clinical decision-making and leads to fewer unnecessary referrals or diagnostic tests.

Many hospital CFOs don’t need the BMJ study to know a positive patient experience is a clinical indicator that ties to financial outcomes. As outlined in the chart (Figure 1), patient experience is directly associated with a hospital’s Star Rating and patient outcomes:

Creating a positive patient experience, and better clinical outcomes, begins with an understanding of what patients expect from providers. The primary expectation of any patient is, first and foremost, safety. To the unfamiliar, hospitals are scary places. Patients no doubt have read or heard stories (or watched doctor shows on TV) of medical errors and medication mix-ups or of being treated by an unqualified caregiver. Hospitals and other healthcare settings must communicate clearly that theirs is a safe place where patients can trust their caregivers.

If patients believe they are in a safe, trusted environment, their next expectation is, of course, to get better. To be healed. This requires consistent excellence across a wide variety of performance areas. Finally, patients expect to be treated with courtesy and respect.

How do we establish patient experience as one of the pillars of quality healthcare? Not surprisingly, it’s a judicious combination of technology, effective communication, and employee engagement and physician alignment.

Most patients assume all clinicians are highly qualified and fully credentialed. A robust credentialing platform helps providers deliver on that assumption. Other examples of technology impacting patient experience is the ease of electronically submitting information to a Patient Safety Organization. Participating in a PSO not only enables federal protection under the Patient Safety and Quality Improvement Act (PSQIA) but enables the organization to share and learn from peers as it relates to patient safety initiatives that most certainly impact patient experience.

Effective communication improves not just patient satisfaction, but also physician satisfaction. It boosts patient adherence and compliance and reduces medical errors and malpractice claims. The benefits of a culture that encourages open, honest, and direct communication among patients, providers, and staff go directly to the heart of patient experience.

There is a tremendous benefit to incorporating digital rounding (levering mobile technology to gather information in real-time during the rounding process) into a health system’s employee engagement strategy to generate information from patient rounding, safety rounding, and leader rounding. There is much to be learned from the voices of providers, patients, and employees.

For example, although nurses and physicians generate an equal number of complaints, nurses are three times more likely to have positive reports as compared to MDs. However, physician complaints have higher severity and fewer resolutions.

Patient feedback gathered through a rounding process identifies critical focus areas including peer review events, compliance events (particularly in infection control), and patient and employee safety issues.

For one healthcare system, more than 50 percent of all peer review cases at its 30 facilities actually began in patient relations. In addition, validation audits from compliance organizations (specifically CMS) often stem from a patient complaint. Another reason to centralize data gathered from the feedback of patients, providers, and employees is to identify patterns that allow organizations to transform risk management from a reactive process to a proactive component of healthcare delivery.

Patient experience is clinical. It matters to value-based care and has direct impact on an institution’s long-term financial survival. Organizations that sideline patient experience, or simply meet the minimum standards required, do so at their peril.

Mark Crockett, MD is CEO of  Verge Health of Charleston, SC.

Readers Write: No Easy Answers For Scheduling Physician On-Call Coverage

No Easy Answers For Scheduling Physician On-Call Coverage
By Suvas Vajracharya, PhD

Recent criticism of on-call scheduling practices in the retail sector means that it may be time for healthcare operations leaders to review on-call scheduling practices for their physician teams.

In recent weeks, the retail sector has experienced close scrutiny for on-call arrangements with their staff. According to Reuters, New York Attorney General Eric Schneiderman and “his counterparts in seven states, including California and Illinois, have sent letters to a number of companies in the last year requesting information about their scheduling practices.” In response, employers like Aeropostale and Walt Disney have begun discontinuing the practice of keeping hourly workers on call for last-minute shift changes to avoid further legal disputes.

In healthcare, on-call coverage is regulated under the Emergency Medical Treatment and Active Labor Act (EMTALA). Most medical institutions choose to pay on-call physicians to ensure appropriate coverage under these rules. According to a 2012 SullivanCotter report, nearly two-thirds of healthcare organizations provided call pay to at least some physicians, up from 54 percent in 2010. However, the EMTALA regulations are excessively vague and “in a manner that best meets the needs for the hospital’s patients” can be interpreted in ways that leave physicians feeling like they’re receiving an unfair deal.

“In the MGMA’s 2013 Medical Directorship and On-Call Compensation Survey, primary care physicians reported a median on-call rate of $100 to $150 per day,” according to an article in Medical Economics.

From the physician perspective, these rates may not fairly balance the sacrifices they are making to provide on-call coverage during their days off — if they are receiving compensation at all. For retail employees, state officials concluded workers can be harmed by “unpredictable” schedules that can increase stress, strain family life, and make it harder to arrange child care or pursue an education. Fundamentally, to be on call as either a retail employee or a physician requires foregoing activities and flexibility with free time.

With physician burnout on the rise, heavy variation in the frequency of calls and a wide range in the number of physicians participating in call rotation, health leaders should invest proactively in finding fair on-call strategies to ensure the hospital’s access to physicians and to prevent turnover. How do we fairly compensate a physician for remaining in close proximity to the hospital and being physically and mentally capable of providing direct patient care at a moment’s notice? How do we weigh the difficulty of taking calls on holidays or weekends or being on primary call versus backup call?

Providing adequate on-call coverage remains a constant challenge for most healthcare institutions. Making it a program that is seen as fair and respectful of physician staff can be a crucial first step. Using scheduling technology instead of a manual process not only removes the sense that personal bias may be influencing how on-call hours are assigned, but also provides transparency across teams and flexibility for swaps. Scheduling technology with advanced algorithms based on artificial intelligence can also ensure that on-call schedule enforces work patterns in harmony with circadian rhythm of physicians who need to work at any hour.

Healthcare operations leaders should want to follow the lead of companies like Gap, who proactively change their policies to stay ahead of on-call criticism. Small policy changes can dramatically reduce risk for healthcare operations and improve physicians’ professional satisfaction.

Suvas Vajracharya, PhD is founder and CEO of Lightning Bolt Solutions of South San Francisco, CA.

Readers Write: Future Health Solution

Future Health Solution
By Toby Samo, MD

Health information technology (HIT) has made significant advances over the last two decades. While adoption is not necessarily a good marker for successful EHR usage, adoption of office-based physicians with EHR has gone from about 20 percent to over 80 percent and more that 95 percent of all non-federal acute care hospitals possess certified health IT. HIT implementation has led to improvements in quality and patient safety.

However, many of the goals of increased HIT implementation have been stymied by social and technical roadblocks. A “one type fits all” approach may help reduce training and configuration costs, but there are many approaches to patient care and unique workflows between specialties and among individual users.

Most EHRs are burdened with three major legacy issues:

1. Technology. Present EHR systems are mostly built on what would now be considered old technology. Some of the ambulatory products and small acute care products have moved onto cloud-based architecture, but most are client-server. While hosting instances of a product reduces the technical expertise needed by the client and can lead to better standardization of implementation, it does not necessarily deliver the advantages of a native, cloud-based architecture.
2. Encounter-based. EHRs have been built on the concept that interactions with patients (or members or clients) are associated with a specific encounter. This functions well for face-to-face visits and for specific events, but is limiting where longitudinal care is required.
3. User experience. The user experience has for the most part taken a back seat to functionality in HIT software development. A quick view of most HIT systems shows the interface to be cluttered and does not draw the user’s attention to the areas that need the most attention. Most users access only a small percentage of the functionality that is present within the system, but vendors continue to add functionality rather than clean up the interface.

Platforms have revolutionized the way business is conducted in many industries. Numerous examples have made household names out of companies like Airbnb, Uber, Facebook, YouTube, Amazon and many more. A platform is not just a technology, but also “a new business model that uses technology to connect people, organization, and resources in an interactive ecosystem.”

There is a need for a HIT platform that would support the multitude of components necessary to move the delivery of HIT into the next generation. The future health solution needs to use contemporary technology that will have the flexibility to adapt to ever-changing requirements and use cases of modern healthcare. Some of the characteristics of the future health solution are:

• Open. One of the biggest complaints of users and regulators is the closed nature of many HIT systems. The future health solution needs to be built as a platform that is able to share and access not only data, but also workflows and functionality through APIs
• Apps and modules. A modular structure will enable components to be reused in different workflows and encourage innovation and specialization.
• True, cloud-based architecture. Cloud computing delivers high performance, scalability, and accessibility. Upfront costs are reduced or eliminated and minimizes the technical resources needed by the client. Management, administration, and upgrading of solutions can be centralized and standardized.
• Multi-platform. Users expect access to workflows on their smartphones and tablets. Any solution must develop primary workflows for the mobile worker and ensure that the user interface supports these devices
• Scalable (up and down). To meet the needs of small and large organizations, the future health solutin will need to scale to accommodate changes in client volumes.
• Analytics, reporting, and big data. HIT systems have collected massive amount of data. The challenge is not just mining that data, but presenting the information in a way that can be quickly absorbed by the individual user.
• Searchable at the point of use. All the data that is being collected needs to be readily accessible. Using universal search capabilities and the ability to filter and sort on the fly will facilitate the easy access to information at the point of care.
• Privacy and security. The core platform will need to be primarily responsible for the security and privacy of the data. The other modules built on the platform will need to comply to the platform security and privacy practices, but will not need to primarily manage these issues.
• Interoperable. Need to adopt all present and future (FHIR) standards of data sharing. The open nature of the platform will facilitate access to data.
• Internationalization and localization. Internationalization ensures that the system is structured in such a way that supports different languages, keyboards, alphabets, and data entry requirements. Localization uses these technical underpinnings to ensure that the cultural and scientific regional differences are addressed to help with implementation and adoption.
• Workflow engine. Best practices can change and can be affected by national and regional differences. An easy-to-use workflow engine will be a necessity to help make changes to the workflow as needed by the clients.
• Task management. Every user has tasks that need to be identified, prioritized, and addressed. Therefore, a task management tool that extends beyond a single module or workflow will be needed.
• Clinical decision support. Increasingly sophisticated decision support needs to be supported, including CDS, artificial intelligence, and diagnostic decision support. These capabilities need to be embraced by the platform, allowing external decision support engines to interface easily with the other modules.
• Adaptable on the fly by the end user. Allowing the end user with proper security to make changes to templates and workflows would help improve adoption.
• User experience. Probably the most significant barrier to adoption of HIT is the user experience. Other industries are way ahead of healthcare in the adoption of clean, easy-to-use interfaces. It is vital that a team of user experience experts be integrally involved in the development process. All user-facing interactions, screens, and workflows need to be evaluated by user experience experts who can recommend innovative ways the user interacts with the system and how information is displayed.

The HIT industry has hit a wall that is preventing it from developing innovative products that use the newest technology and have an exemplary user experience. A new platform has the potential to support a robust, flexible, and innovative series of products that can adapt to meet the needs of the various healthcare markets globally. Such a project would have to build slowly over time, as does any disruptive technology. The legacy systems and other HIT systems that exist do not have to be excluded, but rather can be integrated into this new platform.

Identifying technology that, at its core, has the privacy, security, data management, and open structure could lead to the next generation of healthcare management systems. While some of these characteristics are obvious to developers and users alike, it is the sum of the parts that is important. Integrating most if not all of these characteristics into a single model is what can lead to enhancing the value of HIT and the delivery of care.

Toby Samo, MD is chief medical officer of Excelicare of Raleigh, NC.

Readers Write: Are You Ready for the Quality Payment Program?

Are You Ready for the Quality Payment Program?
By Kory Mertz

With the start of the New Year, the first performance period for the Quality Payment Program (QPP) has officially started. The QPP, part of the MACRA legislation, was passed with strong bipartisan support in Congress and sends a clear signal of the federal government’s accelerating effort to move to value-based payments.

QPP creates two new tracks for Eligible Clinicians (ECs), as program participants are called: the Merit-based Incentive Payment System (MIPS) and the Alternative Payment Models Incentive Program.

MIPS

MIPS consolidates and sunsets three programs focused on ambulatory providers: the Physician Quality Reporting Program, the Value-Based Payment Modifier, and the Medicare EHR Incentive Program for eligible professionals. In 2017, ECs can receive a maximum payment adjustment of plus or minus 4 percent based on their performance in four categories. ECs who are new to Medicare or who bill less than $30,000 or see fewer than 100 Medicare beneficiaries during a year will be exempt from MIPS.

In response to significant feedback from the provider community, the Centers for Medicare and Medicaid Services (CMS) has simplified the requirements and made 2017 a transition year to help ECs get used to participating in MIPS. Providers have three general approaches they can take:

Alternative Payment Models Incentive Program

The second track of QPP is focused on increasing EC participation in Alternative Payment Models (APM) (i.e. Accountable Care Organizations, bundled payments, etc.) by offering a 5 percent bonus and exemption from MIPS for ECs who participate in an Advanced APM and meet certain participation thresholds. In 2017, ECs must have at least 25 percent of their Medicare payments or 20 percent of their Medicare patient panel in a CMS Advanced APM to receive the bonus and MIPS exemption. ECs who meet lower payment or patient thresholds have the option to be exempt from MIPS. CMS maintains the list of qualifying Advanced APMs here.

Moving Forward

The overarching framework created in the legislation and initial rulemaking completed by the Obama Administration will continue unchanged in 2017. The Trump Administration will have a chance to put its own twist on the QPP in 2017 by filling in the program implementation details through sub-regulatory guidance (much like CMS has done with the Meaningful Use program) and in 2018 and beyond through rulemaking to establish future program requirements. If Representative Tom Price is confirmed as the Secretary of the Department of Health and Human Services, he may accelerate efforts to reduce provider burden and simplify the QPP.

As providers prepare to participate in the first year of QPP and HIOs prepare to support providers’ success, they should keep the following in mind.

• While APMs have gained significant attention in recent years, CMS anticipates that the vast majority of providers will participate in MIPS in the early years of the QPP.
• Providers just beginning to think about the QPP requirements should  generate reports to determine which providers are likely to be an EC during the performance period and which will fall under the low volume exclusion; map out the existing TIN/NPI structure of the organization to help support decision making around group versus individual reporting; and undertake a scan across the organization to determine existing Advanced APM participation by ECs. If an organization participates in an Advanced APM, a report should be generated based on all participating providers to determine if participants will qualify for a bonus and MIPS exemption under the APM track.

HIOs have the opportunity to position themselves to support providers’ success in QPP. HIOs should ensure they have functionality that aligns with program requirements, including:

• Implement certified tools to collect and submit electronic quality measures to CMS to support ECs and help them achieve bonus points for the quality performance category.
• Support ECs success with a variety of ACI measures including HIE (send and receive); view, download and transmit; and submitting information to public health and clinical data registries. A key consideration in determining which measures to support include the existing exchange environment the HIO operates in, if certified technology is required to meet the measure, whether the HIO’s technology meets the requirements (i.e. providing machine readable C-CDAs), and the ability to provide ECs necessary audit documentation.
• Support improvement activities. For example, “Ensure that there is bilateral exchange of necessary patient information to guide patient care that could include one or more of the following: Participate in a Health Information Exchange if available; and/or use structured referral notes.” A key consideration for supporting improvement activities is whether the HIO has the ability to provide ECs with necessary audit documentation.

Kory Mertz is senior manager of Audacious Inquiry of Baltimore, MD.

Readers Write: Integrating EHRs and PDMPs: A Trend for 2017

Integrating EHRs and PDMPs: A Trend for 2017
By Connie Sinclair, RPh

The opioid epidemic will continue to be a big story in 2017 and the statistics get grimmer by the minute. We just learned from the government that more than 33,000 people died from opioid overdoses in 2015, making it the deadliest year ever.

In response, states will continue to enact legislation to mandate prescribers to use the Prescription Drug Monitoring Program (PDMP) and will encourage making electronic health records (EHRs) more interoperable with PDMPs by integrating access into prescriber workflows. For example, Massachusetts and Ohio are subsidizing statewide projects to facilitate the integration of the state PDMP into EHR solutions used by providers. PDMP usage has been associated with fewer overdose deaths and lack of integration into prescriber workflow has been shown to be a barrier to utilization, so we anticipate more states will follow suit.

While PDMP and EHR integration is an important policy goal, making it a reality has been easier said than done. PDMPs are independent, state-run databases of controlled substance prescriptions that have been reported from pharmacy dispensers. They are operational in all states except Missouri. Because PDMP systems have evolved outside the health IT ecosystem, significant barriers to interoperability have resulted. In contrast to electronic prescribing, for example, there is not a standard method to exchange and integrate the prescription drug data available in PDMPs into EHRs.

That is changing. In 2013, the Office of the National Coordinator (ONC) created a pilot initiative to bring together the PDMP and health IT system communities. The goal was to standardize the data format, transport, and security protocols to exchange controlled substance history information between PDMPs and EHRs as well as pharmacy systems. 

These actions are beginning to bear fruit. These pilots have recently concluded and seven of 10 participating vendors are now moving PDMP functionality into production, leveraging the pilot’s final implementation guide. Appriss has indicated that many EHRs are indeed integrating to their PDMP gateway. 

It is clear that 2017 will see increased legislative movement to require EHRs to integrate with PDMPs and prescriber workflows. The ONC pilots have shown a technical path forward. Now is the time for forward-thinking EHRs to capitalize on that progress and get ahead of the legislative curve. It will create competitive advantage, serve as a tremendous value-add to prescribers, act as a proactive means to improve patient care, and potentially save lives.

Connie Sinclair, RPh is director of the Regulatory Resource Center of  Point-of-Care Partners of Coral Springs, FL.

Readers Write: Seven HIT Talent Trends to Watch in 2017

Seven HIT Talent Trends to Watch in 2017
By Frank Myeroff

Here are seven talent trends that are shaping the HIT workforce.

1. C-level title of chief robotics officer rises. Expect more than half of healthcare organizations to have a chief robotics officer (CRO) by 2025. Since healthcare is an industry where robotics and automation play a significant role, the CRO will have a similar status to that of the CIO today within the next few years. The CRO and their team will manage the new set of challenges that comes with Robotics and Intelligent Operational Systems (RIOS). They will translate how to use this technology and how it is linked to customer-facing activities, and ultimately, to organizational performance.
2. Talent raids to acquire HIT leaders. Top-tier HIT talent is a core factor in the success of any healthcare organization. Yet there is an insufficient talent pool from which to acquire IT leadership. This labor shortage is causing those on the front lines to talent poach from other healthcare organizations. Right now, the competition for highly qualified and experienced leaders is at an all-time high due to several factors including an underinvestment in leadership development and tighter operating margins that influence workforce strategies.
3. Videoconferencing for telehealth grows in popularity and jobs. While not exactly new, videoconferencing is gaining popularity in healthcare due to the advances in HIT infrastructure and communication as well as the need to serve the aging population and those residing in remote areas. Healthcare practitioners are increasingly adopting these interactive video applications to offer better access to healthcare as well as deliver improved patient care at reduced prices. Additionally, patients are finding benefits to using this real-time, two-way interaction since it enables healthcare providers to extend their reach of patient monitoring, consultation, and counseling. The most popular HIT professionals sought after in videoconferencing are implementation specialists and telehealth directors.
4. Burgeoning cybersecurity job market. Healthcare organizations of all sizes are in the hunt for skilled cybersecurity professionals. Just about every day there’s a story regarding a data breach incident within the healthcare industry. Many of these incidents could be attributed to unfilled cybersecurity jobs. Since the current demand is greater than the supply, a career in this sector can mean a six-figure salary, job security, and upward mobility. The cybersecurity industry as a whole is expected to grow from $75 billion in 2015 to $170 billion by 2020, according to Forbes.com. In addition, the demand for the cybersecurity workforce is expected to rise to 6 million by 2019 with a projected shortfall of 1.5 million.
5. Working remotely fully takes off. Working from anywhere and at any time will become a normal every day thing. By 2020, it is expected that 50 percent of workers in the US will be working either from home or another remote location. Having virtual employees is not only a way to get things done round the clock, without commuting, and with hard-to-find skill sets, but is also a way to meet the needs of employees who don’t live near the organization.
6. Boomerang employees more common. Boomerang employees are employees who leave an organization only to return back to that same employer sometime later. Rehiring these former workers are on the rise. With HIT talent at a premium, it only makes sense. HIT Managers know that hiring back someone they know is easier than recruiting new blood plus it saves money on training and development. In addition, there’s an immediate ROI.
7. 3D technology careers wide open. Everyone is talking about 3D printing these days. It is expected to be the top medical innovation in 2017 for the reason that it could change everything for transplants and prosthetics through customization. As the 3D industry continues to evolve in 2017, the job market is wide open. In fact, jobs are appearing faster than candidates can be recruited. Young HIT professionals, especially software developers, should see this market as having huge potential for beginning a new career.

Frank Myeroff is president of Direct Consulting Associates of Cleveland, OH.

Readers Write: The Six Bedrocks in a Post-Trump Healthcare Landscape

The Six Bedrocks in a Post-Trump Healthcare Landscape
By Steve Levin

With a Trump administration and Republican-led Congress on the horizon, a shift in the direction of national healthcare policy is a near certainty. But the exact nature and timing of that change might be, unfortunately, less clear. Based on the principles outlined by Trump’s team themselves, the history of appointees, and conversations with clients and industry pundits, it feels as if there are some bedrock themes to orient efforts while Washington turns over and argues its way forward.

1. Expect more creativity from payers. Multiple factors are at play here. Moving the locus of health insurance requirements from federal levels to the individual state organizations will promote flexibility. The pullback on the individual mandate means that the days of Bronze, Silver, Gold, and Platinum plans will go the way of the floppy disk drive. Couple this with increased incentives for consumers to set up HSAs and take control of their health insurance purchase means that payers can let loose their product design teams for new solutions to meet the range of consumer challenges.
2. Consumers will end up paying for a larger share of their healthcare. There is simply no money left in the checking accounts of government—federal, state, or city – or employers to fund the growth in healthcare costs. Add on more plan innovations, the disappearance of the individual mandate, and Medicaid expansion being reined in and the future for the consumer is pretty clear. If we have insurance, we are going to be paying more in the form of co-payments, co-insurance, and deductibles. More procedures will go from covered to un-covered. Many consumers will end up on the far end of the insured continuum —namely, uninsured.
3. Bundles and risk-based reimbursement will march forward. Over the past several years there have been pilots, tests, and more pilots and tests comparing and contrasting fee-for-service to something along the lines of pay-for-value. CMS has led the charge. While the incoming leadership has historically been less bullish on all the pilots and innovations, the results to date do suggest bundles can create positive care integration and control total costs. Readmission penalties, while still rough, are raising an issue that organizations know they need to tackle. Certainly the current risk programs are not polished and perfect, but they are driving integration around the patient and toward higher value at an overall lower cost. So build out those teams of contract modeling talents; continue the march toward building your own insurance solution; and figure out how you can process those contracts amid clinical workflows and revenue cycle in volume.
4. Time to become patient relationship experts. Combine items 1, 2, and 3 and a fourth bedrock principle emerges—specifically, figuring out how providers manage the patient relationship both clinically and financially before, during, and after treatment. This relationship will become of paramount importance. Moving forward, the patient is going to control a great deal of our cost structure and cash flow. Providers need to be proactive to shape patient decisions.
5. Extracting more value from every budget dollar will be table stakes. Every scenario comes back to the same operational mandate— lower operating costs and improve the impact of every activity. Eliminate the 20 to 30 percent of processing work that is predictably of no value or impact. The double whammy in my reading of the future is that every activity is more expensive when the counter party is the patient themselves and not a commercial or government payer. It is simply more expensive to manage patients than a large business partner. So regardless of how Washington reshuffles ACA, healthcare processes need to be more efficient at every turn.
6. Time to get more ROI from those EHR investments. Organizations spent millions on big-iron electronic health records and went through the agony of stabilizing processes. Now it is time to actually optimize those platforms using the higher quality information at hand. Using predictive analytics to reduce low and no-value efforts (see point five), optimizing insourcing and outsourcing logic, and targeting high-cost patient engagement processes are just examples of how these bedrock systems can begin to finally drive financial improvement.

Only time will tell what Washington actually decides and when those decisions truly have bearing on the thousands of hospitals and millions of patients. However, while the exact policies and processes are TBD, the six bedrock items listed here are most likely enabling and contributing regardless of the final rules and regulations.

Steve Levine is CEO of Connance.

Readers Write: How Trumpcare Could Win Big

How Trumpcare Could Win Big
By E. Todd Bennett

Government involvement in the healthcare industry has increased under HITECH, the Affordable Care Act (ACA), and now MACRA. The phrase, “large-scale change happens when customers demand it, suppliers agree on it, or the government mandates it,” certainly applies to healthcare and has played out in these legislative acts. These federal government initiatives, except MACRA (since the quasi-final rule was only recently published), have failed to improve quality and bend the cost curve in a broad and dramatic way to put the United States healthcare system unequivocally in a worldwide leadership position.

On the cusp of a new administration, it’s important to understand why these legislative acts aren’t dramatically improving healthcare quality and reducing costs.

Overall, incentives seem misdirected with the healthcare industry goals related to cost and quality. In fact, the definitions of the goals seem too fuzzy or missing altogether. For instance, we do not know the specific cost and quality goals to target for a total knee replacement or the defined cost and quality outcomes related to lifestyle-related chronic disease.

Instead of incenting attainment of specific cost and quality outcomes, existing regulation has incented the intermediate activities, behaviors, and organizational structures that some legislators and industry leaders believe will aid in reaching the outcomes. Even when the intermediate actions seem productive, the lack of compelling results leads to a conclusion that the actions are, at best, incomplete. The right combination of processes to achieve the desired cost and quality outcomes is not always clear, and in the absence of evidence-based clarity, practitioners need maximum flexibility to act in accordance with their training and experience.

By shifting to incentives based on optimal quality and cost outcomes, the Trump administration has an opportunity to reduce administrative burden from government agencies, reduce the compliance burden from healthcare organizations and practitioners, and create a competitive and innovative environment that is truly driven to achieve world-leading healthcare quality and cost-of-care goals.

Let me explain with some examples.

HITECH

While a digitized and connected ecosystem and at least aspects of electronic health records (EHRs) are surely part of the long-term solution to higher quality and lower costs, incenting adoption of EHRs and telling providers what stepwise features constitute Meaningfully Use is an industry-wide micro-management mandate. This movement to automate so many processes may be ineffective, inefficient, or both. The EHR is a tool— a complicated and expensive one – and like other tools available to providers, it has the potential to enhance certain clinical and administrative activities and/or become a source of frustration and waste.

Shifting incentives from Meaningful Use of EHRs to attainment of a desired combination of higher quality outcomes for care and lower cost gives providers the option to select and de-select the technologies that impact cost and outcomes the most. Providers who use EHRs or certain features may have a clear advantage, and if so, competition among providers would spur increased adoption of those features. In this scenario, the government defines the optimal quality/cost outcome at population and/or episode levels along with incentives for attainment and foregoes defining which EHR functionality is most important; the market will decide which technological features should be meaningfully used to help them achieve the goal.

ACA

Take the ACA’s formulation of Accountable Care Organizations (ACOs). ACOs use incentives and penalties to drive a more coordinated care delivery environment with the potential to reduce unnecessary care, increase patient safety, and lead to higher quality outcomes. An ACO has the best opportunity to impact quality and cost when patients get their care within the ACO network, but when patients go outside the ACO network of practitioners, care coordination wanes, reducing the opportunity to optimize quality and cost.

Unless incentives to coordinate care extend to every doctor who cares for a given member and not only to doctors who participate in the constrained provider organization, ACOs will continue to have blind spots that prevent their impact to the degree desired. The structure of the ACO and the incentives to coordinate care are not the ultimate goals, and even brilliantly coordinated care in the absence of other behaviors will fail to produce higher quality and lower cost. If healthcare providers are convinced of the benefits of coordinating care, they will facilitate care coordination regardless of whether the patient sees an in- or out-of-network provider and using whatever technology they deem appropriate. Once again, this reduces government involvement in managing care, reduces administrative and technical complexity for providers to what the provider deems appropriate, and creates a competitive and innovative environment where reaching the ultimate goal is rewarded.

MACRA

Incenting practitioners who treat Medicare patients with a potential bonus valued at less than a tenth of their total reimbursement from Medicare, using quality metrics reported two years prior to the incentive payment, and thinking that it will change practitioner behavior seems aspirational. Incentivizing process metrics and clinical practice improvement activities seems to have merit, but clinicians seem better positioned to define the process metrics and improvement activities themselves and incent their care delivery teams to operationalize them. Meanwhile, the federal government seems best suited to craft a measurement system for an optimal combination of quality and cost outcomes and a timely incentive program to reinforce those behaviors.

Resetting legislation and the associated rules to motivate our nationwide healthcare system to be the world-recognized leader requires understanding of granular outcome goals, prescribing fewer actions around how provider organizations function to give room for innovation, and aligning incentives that facilitate competition and reward successful attainment of the ultimate cost and quality goals.

If Trumpcare — whether a revision of Obamacare or something wholly different — can shift the role of the federal government to defining targets and driving the healthcare industry with incentives to reach them, American ingenuity, resourcefulness, and competitiveness will take over like never before and attainment of quality and cost containment goals will follow.

E. Todd Bennett is healthcare market leader for LexisNexis Risk Solutions.

Readers Write: Not Just Ransomware: Common EHR Threats You Need to Know

Not Just Ransomware: Common EHR Threats You Need to Know
By Robert Lord

It is no secret that data breaches are becoming more common and increasingly more expensive. New threats to patients’ electronic health records (EHRs) are constantly emerging, forcing healthcare organizations to be on the lookout for potential dangers so they can eliminate threats quickly. It is important for organizations to understand the array of potential threats to the EHR, allowing them to make decisions on how to best protect this sensitive data.

After talking with healthcare stakeholders inside hospital systems, the federal government, etc., and distilling themes that continually come up, I thought it would be useful share what I’ve learned.

Think Twice Before Opening That Email — Phishing and Social Engineering

Phishing scams represent a very real danger to EHRs, but they are often overlooked by healthcare organizations because they assume such threats cannot break through their security. Phishing scams are email or social engineering attacks that try to appear legitimate in order to get healthcare employees to release patients’ sensitive medical information. Such attacks often use email or website scams to either target patients’ information directly or to obtain an employee’s username and password, thereby gaining access to that organization’s entire EHR.

Just recently, a phishing email disguised as official OCR Audit communication about Phase 2 Audits went out to healthcare organizations. Thankfully, it was only a misguided attempt at marketing for a cybersecurity firm, but it could have been much worse. In December 2014, an employee of Seton Healthcare Family opened a scam email. The resulting breach released the medical record numbers, Social Security numbers, insurance information, demographic information, and clinical data of 39,000 patients.

Nevertheless, even if phishing attacks are not the cause of a breach, they can still represent a threat. After the massive breach of Anthem Inc., for example, affected patients began receiving scam emails that promised them free credit monitoring, thus demonstrating that phishing attacks remain a threat even in the wake of a data breach.

Star-Studded HIPAA Violations Can Be Costly — VIP Patient Privacy

The temptation to peek at the medical record of a celebrity or public figure represents a real threat to patient privacy. VIP patients deserve the same right to privacy as the general public, and steps need to be put in place to guarantee that their sensitive information is kept safe and the treating medical facilities out of the headlines.

In 2011, UCLA Health System came to a settlement with the federal government, agreeing to pay $865,000 after two unnamed celebrities alleged that UCLA employees had viewed their medical records without authorization. Two years before that, in 2009, California health regulators fined Kaiser Permanente $250,000 after some of its employees looked at the medical record of Nadya Suleman, the famous mother of octuplets. Unfortunately, there are many other examples of employees being fired or healthcare organizations being fined because they did not protect the privacy of their VIP patients.

The Family Doesn’t Need to Know Everything — Snooping Threat

The desire for relatives, friends, or even co-workers to snoop into patients’ records often result in messy – and costly – data breaches. In 2013, a nurse accessed the records of her nephew’s partner without authorization and saw that her nephew’s partner had given birth to a baby and put the child up for adoption five years earlier. The nurse then announced the news at a family funeral. After the victim sent a complaint to the hospital, the nurse was terminated and gave up her Florida nursing license.

A similar lawsuit involving Aspen Valley Hospital District and a former employee is currently ongoing. A former employee of the hospital, who was also a patient there, alleged that several employees of the hospital violated his privacy when they disclosed that he had HIV “as a piece of conversational gossip over drinks.” The unnamed patient is currently seeking an apology, compensatory damages, punitive damages, and attorney fees from the hospital. These are but two examples of how devastating these seemingly small breaches can be to the affected patients.

The Biggest Threat to Patient Privacy is Hiding in Plain Sight — Insider Threat

Some of the most dangerous threats to EHRs are criminal insiders. In this type of attack, an employee of a healthcare organization steals patient information from the inside, using his or her access to do so. Earlier this year, Jackson Healthcare Systems found out how dangerous these threats can be the hard way. In February, the health system reported that one of their employees had gone “rogue” and stolen the information of 24,000 patients over the course of five years. The stolen information included names, birth dates, home addresses, and Social Security numbers. As the Jackson Healthcare Systems example demonstrates, these breaches are so dangerous because they are so difficult to detect. In this case, it took five years before the organization was able to identify and eliminate the insider threat.

Business Associates and Contractors

Business associates and contractors within healthcare organizations represent a growing vulnerability for the EHR, especially in recent years. The US Health and Human Services (HHS) established the Omnibus Rule in 2013, which required the business associates of healthcare organizations to adhere to the HIPAA Rules. Unfortunately, there is still much work to be done to address this vulnerability.

In July of this year, Catholic Health Care Services, a business associate for six skilled nursing facilities, agreed to pay $650,000 for HIPAA violations after a mobile device was stolen. The data breach affected 412 patients. Moreover, this is not an isolated incident; according to a report from Protenus and DataBreaches.net, 30 percent of all data breaches in the first eight months of this year involved a business associate of a healthcare organization. In other words, 4.5 million patients have been affected by data breaches of third parties thus far in 2016.

Lost and Stolen Devices

One final threat to EHR is lost and stolen devices, including laptops and mobile devices. If the information on the lost device is not encrypted or the encryption is not working, all someone has to do is open the device and look at the information for a breach to occur. And if the device was stolen, the criminals do not even have to decrypt the information for them to be able to use it.

One example from this year involves Seim Johnson, an accounting and consulting services company. In February 2016, Seim Johnson reported to HHS that a laptop had been stolen. The encryption on the laptop malfunctioned, exposing the private information of almost 31,000 patients. And these types of breaches are becoming increasingly frequent, with Verizon’s 2015 Data Breach Investigation Report stating that 45 percent of all healthcare data breaches are the result of stolen devices.

Knowledge is Power

As more and more healthcare organizations make the switch from paper to electronic health records, it will become increasingly important for organizations to be able to protect their patient records. Of course, this also means that threats to EHR will become more varied and more sophisticated. Healthcare organizations must be well informed about the different types of threats that exist so they can put security measures in place to effectively combat them, and ultimately protect the privacy of their patients.

Robert Lord is co-founder and CEO of Protenus of Baltimore, MD.

Readers Write: 5 Common Clinical Information Blind Spots

5 Common Clinical Information Blind Spots
By Sandra Lillie

The growth rate of data moving into VNAs is exploding – expected to reach 1.4 billion objects by 2017 – and approximately 75 percent of these objects will be non-DICOM assets. To date, many hospitals don’t have a formal strategy addressing how to identify, import, and manage non-DICOM images and video as part of core image management and security efforts. This puts the organization at risk of exposing PHI (protected health information).

Moreover, these assets often aren’t included in or accessible from the EHR (electronic health record). These holes in the health record provide clinicians with an incomplete picture of the patient that can negatively impact diagnoses, treatment plans, and ultimately, outcomes.

With increased scrutiny being placed on the healthcare organizations to tighten up security efforts to protect patient data, and an industry-wide movement toward greater interoperability and patient-centered care, the need to establish centralized insight and control of non-DICOM assets has never been more important. However, this can be a significant challenge because of all the systems, devices, and media throughout an HDO (healthcare delivery organization) on which these images reside.

The departmental nature of care delivery in the past has created a plethora of locked and blocked silos that contain critical clinical images an organization may be unaware even exist. Identifying and consolidating these assets as part of an enterprise imaging strategy allows for the deployment of a more complete EHR while reducing costs locked in departmental system solutions. The key is to identify areas throughout the HDO where the largest numbers of unconnected and potentially valuable non-DICOM images are likely to reside. Bringing these images into the fold first can address some the biggest risk areas while adding the most clinically relevant patient information to the health record.

The following are five of the biggest sources of non-DICOM blind spots in hospitals and health systems.

1. Visible light images and video. This source is fairly convoluted because of all the areas of the hospital where visible light images and video are captured and stored. However, they are all important, whether they’re endoscopy or colonoscopy images from gastroenterology; ureteroscopy or cystoscopy images from urology; or laparoscopy images from OR/surgery. It’s vital to identify all of the producers of visible light images and video throughout the hospital and implement technology solutions that allow those assets to be captured and imported in their native formats from a wide range of video scope systems and processors.

2. Dermatology and plastic surgery. Many dermatology and plastic surgery departments have specialized imaging systems that capture high-definition (and sometimes 3D-rendered images) of everything from routine skin conditions to complex reconstructive surgery. These images are important pieces of the clinical narrative that are often missing from a patient’s electronic health record because of the isolated and proprietary nature of many of these systems.

3. Ophthalmology. Ophthalmology departments also routinely leverage specialty systems that capture images of the retina, cornea, and other features of the eye. A complete picture of a patient’s eye health can only be obtained by including images from these specialty systems in an overall enterprise imaging strategy.

4. Mobile devices. The healthcare industry today is increasingly mobile. Clinicians at the point of care (especially in emergency rooms) routinely capture images of wounds, allergic reactions, skin anomalies, and more in the exam room on their smartphones and tablet devices. Capturing, consolidating, and managing these photos as part of an enterprise imaging strategy can be challenging, particularly in healthcare environments that have adopted a BYOD (bring your own device) mobile policy. A technology that can be installed on mobile devices to encrypt and route medical images from these devices to a central PACS, VNA, or EHR while ensuring no image data is saved to the device camera roll is essential.

5. CD/DVD media. This is another convoluted source of non-DICOM (and potentially even DICOM) images and video. Practically any medical department that leverages imaging in some way, shape, or form has (at one point or another) stored old patient images on CDs or DVDs. These images are likely rarely, if ever, accessed by clinicians and are completely disconnected from the EHR. It is important that the pertinent historical imaging data contained on this media is imported into an enterprise imaging platform and reintroduced to the patient record.

These five sources of medical imaging clinical blind spots are just a sample of the areas to keep in mind in pursuing an end-to-end enterprise imaging strategy. As the industry moves further down the path toward delivering true personalized medicine, other emerging areas – such as pathology and genomics – will be important to consider in an effort to produce and maintain a comprehensive patient record for clinical use.

Furthermore, HDOs also sometimes forget that additional unstructured information (such as documents) exist within other departmental systems and provide another source of important clinical information. A well-articulated and focused enterprise imaging and healthcare content management (HCM) strategy with a reputable partner capable of delivering the necessary interoperability requirements can put an HDO on the path for delivering a truly comprehensive EHR.

Sandra Lillie is industry manager for enterprise imaging for Lexmark Healthcare.

Readers Write: The Next Phase for Recovery Audits

The Next Phase for Recovery Audits
By Nicole Smith

Healthcare providers have reveled in the abatement of audits by recovery auditor contractors that have been silent during the last two years of legal challenges and the procurement process resulting in a tremendous reduction — and in some instances, a pause — of recovery audits. During this down time, the Centers for Medicare and Medicaid (CMS) has been working tirelessly to procure new audit contracts – which they have now done — while dealing with post-award protests and growing concerns from the provider community about the administrative burden audits impose, as well as the methodology in which the contractors had been auditing.

CMS has said multiple times that it is committed to maintaining the integrity of the Medicare program, but its latest priority has been reducing provider burden. With contracts finally awarded to Cotiviti LLC, Performant Recovery, Inc. and HMS Federal Solutions performing post-payment audit reviews for Medicare Part A and Part B, CMS added a new fifth region that will be dedicated to identifying improper payments for durable medical equipment and home health and hospice providers. The fifth region was awarded to Performant Recovery, Inc.

Providers can expect to see some program enhancements that will improve the provider experience once the new contractors resume auditing. Providers should familiarize themselves with the upcoming changes and revise their workflow to efficiently handle Medicare audits.

While recovery audits can impose a tremendous administrative burden on a provider and can have a negative financial impact on a health organization, developing a plan to manage the audit process may prove to be beneficial for providers. For a process that has been largely paper-based up to this point, CMA implemented changes the past two years to streamline the audit submission process after contractors issued more than 2 million requests annually. Thus, CMS recognized the need to develop an electronic process so that providers and health systems could process their responses to audit contractors electronically without paper.

The Electronic Submission of Medical Documentation (esMD) program was developed as part of strategic plan to transform business operations and uphold their commitment to modernize business processes, streamline medical documentation submissions, and sustain enrollment gains in the Medicare program.

Providers have long since felt that the contingency fee basis in which recovery auditors were reimbursed encouraged auditors to target and deny a high volume of high-dollar claims, resulting in false denials and leaving the burden on the provider to appeal the decision – all while the monies paid were recouped. The appeals process can take years and tremendously impacts organizational revenue. CMS revised the way in which auditors will be reimbursed.

Now, recovery auditors will not receive their contingency fee until after the second level of appeal is completed. Additionally, auditors are required to maintain a 95 percent accuracy rate and an overturn rate of less than 10 percent at the first level of appeal. Failure to comply will result in corrective action for the recovery auditor. This is one of the most notable changes that directly addresses concerns of the provider community.

Further testament to CMS’s apparent commitment to minimize provider burden is the ability for providers to electronically file level one and level two appeals through a CMS Certified Health Information Handler (HIH) for esMD. These new esMD use cases alleviate providers from the overwhelming costs of printing, mailing, and tracking of supporting audit documentation while also helping to ensure timely filing, which historically has contributed to denials for providers as well.

Through the updated RAC contract, CMS also will require recovery auditors to provide detailed information about current recovery audit issues. This information is expected to be posted and reviewable on the auditor website for all the see, creating an added level of transparency for the entire process. Providers can proactively prepare for the identified issues by reviewing Medicare billing rules and making sure they are billing in compliance and have all the necessary support documentation in the event of an audit. If providers remain focused on compliance and timely filing recovery, audits should have little impact on the provider – at least that’s the hope.

In addition to the administrative burden of managing Medicare audits, providers have often felt that they had no direct line of communication with CMS regarding the audit process if they encountered an issue related to an audit. Frustration often grew quickly as providers tried in vain to contact someone at CMS while attempting to address any issues they may have had. From my experience with the program, providers often felt bounced around when trying to locate the appropriate person to speak with. To alleviate this problem, CMS created a new position, a provider relations coordinator, designated as the single point of contact for the provider community. The provider relations coordinator is meant to create a streamlined communication outlet for concerns with the recovery audit program.

With the return of the recovery audits on the horizon, providers should use this time to review their internal processes for handling audits and closely monitor regulatory requirements and changes in compliance policies and procedures to develop best practices for their audit program. The program, based on the developments spoken of here, are meant to ensure a more democratic, effective audit process for every party. It is my belief that the program will be less combative, less of a financially-driven attack on health systems by audit contractors, and more of a process designed to right any accidental billing wrongs and return legitimate overpayments to CMS, an equitable approach for all.

Based on the program updates, health systems will have a voice now and will be able to engage CMS directly, if needed, to mitigate any potential overzealousness the previous iteration of the program seemed to create. Perhaps now the audit process will more resemble the image of a negotiating table rather than one where an aggressive takeover seems to be occurring, as was an often-expressed sentiment of those working in the care space.

While program changes may continue, and with all signs indicating that the recovery audit program is here to stay, having a solid plan with proven best practices will minimize the administrative burden. Nevertheless, the news from Washington is good and likely portrays better things to come.

Nicole Smith is VP of operations and government services for Vyne of Dunwoody, GA.

The Election Lesson Learned is to be Healthily Skeptical of Analytics

The Election Lesson Learned is to be Healthily Skeptical of Analytics
By Mr. HIStalk

It was a divisive, ugly election more appropriate to a third-world country than the US, but maybe we can all have a Kumbaya-singing moment of unity in agreeing on just one thing – the highly paid and highly regarded pollsters and pundits had no idea what they were talking about. They weren’t any smarter than your brother-in-law whose political beliefs get simpler and louder after one beer too many. The analytics emperors, as we now know, had no clothes.

The experts told us that Donald Trump was not only going to get blown out, but he also would drag the down-ballot candidates with him and most likely destroy the Republican party. Hillary Clinton’s team of quant geeks had it all figured out, telling her to skip campaigning in sure-win states like Wisconsin and instead focus her energy on the swing states. The TV talking heads simultaneously parroted that Clinton had a zillion “pathways to 270” while Trump had just one, an impossible long shot. The actual voting results would be anticlimactic, no more necessary to watch than a football game involving a 28-point underdog.

The (previously) respected poll site 538 pegged Trump’s chances at 28 percent as the polls began to close. Within a handful of hours, they gave him an 84 percent chance of winning. Presumably by Wednesday morning their finely tuned analytics apparatus took into account that Clinton had conceded and raised his chances a bit more, plus or minus their sampling error.

This morning, President-Elect Trump is packing up for the White House and the Republicans still control the Senate. Meanwhile, political pollsters and statisticians are anxiously expunging their election-related activities from their resumes. They had one job to do and they failed spectacularly. Or perhaps more accurately, their faulty analytics were misinterpreted as reality by people who should have known better.

Apparently we didn’t learn anything from the Scottish referendum or Brexit voting. Toddling off to bed early in a statistics-comforted slumber can cause a rude next-day awakening. Those darned humans keep messing up otherwise impressive statistics-powered predictions.

We talk a lot in healthcare about analytics. Being scientists, we’re confident that we can predict and maybe even control the behavior of humans (patients, plan members, and providers) with medical history questionnaires, clinical studies, satisfaction surveys, and carefully constricted insurance risk pools. But the election provides some lessons learned about analytics-powered assumptions.

• It’s risky to apply even rigorous statistical methods to the inherently unpredictable behavior of free-will humans.
• Analytics can reduce a maddeningly complex situation into something that is more understandable even when it’s dead wrong.
• Surveyors and statisticians are often encouraged to deliver conclusions that are loftier than the available data supports. We humans like to please people, especially those paying us, and sometimes that means not speaking up even when we should. “I don’t know” is not only a valid conclusion, but often the correct one.
• Be wary of smoke-blowing pundits who suggest that they possess extra-special insight and expertise that allow them to draw lofty conclusions from a limited set of data that was assembled quickly and inexpensively.
• Sometimes going with your gut works better than developing a numbers-focused strategy, like it did for Donald Trump and for doctors who treat the patient rather than their ICD-10 code or or lab result.
• Confirmation bias is inevitable in research, where new evidence can be seen as proving what the researcher already believes. The most dangerous bias is the subconscious one since it can’t be statistically weeded out.
• A study’s design and its definition of a representative sample already contains some degree of uncertainty and bias.
• Sampling errors have a tremendous impact. We don’t know how many “hidden voters” the pollsters missed. We don’t know how well they selected their tiny sampling of Americans, each of whom represented thousands of us who weren’t surveyed. Not very, apparently.
• Response rates and method of outreach matter. Choosing respondents by landline, cell phone, email, or regular mail and even choosing when to contact them will skew the results in unknown ways. Most importantly, a majority of people refuse to participate entirely, making it likely whatever cohort they are part of leaves them unrepresented in the results.
• You can’t necessarily believe what poll respondents or patients tell you since they often subconsciously say what they think the pollster or society wants to hear. The people who vowed that they were voting for Clinton might also claim that they only watch PBS and on their doctor’s social history questionnaire declare their unfamiliarity with alcohol, drugs, domestic violence, and risky sexual behaviors.
• Not everybody who is surveyed shows up, and not everybody who shows up was surveyed. It’s the same problem as waiting to see who actually visits a medical practice or ED. Delivering good medical services does not necessarily mean effectively managing a population.
• Prediction is best compared with performance in fine-tuning assumptions. The experts saw a few states go against their predictions early Tuesday evening, and at that moment but too late, applied that newfound knowledge to create better predictions. Real-time analytics deliver better results, and even an incompetent meteorologist can predict a hurricane’s landfall right before it hits.

It’s tempting to hang our healthcare hat on piles of computers running analytics, artificial intelligence, and other binary systems that attempt to dispassionately impose comforting order on the cacophony of human behavior. It’s not so much that it can’t work, it’s that we shouldn’t become complacent about the accuracy and validity of what the computers and their handlers are telling us. We are often individually and collectively as predictable as the analytics experts tell us, but sometimes we’re not.

Readers Write: Don’t Get Stuck in the Readmissions Penalty Box

Don’t Get Stuck in the Readmissions Penalty Box
By Lisa Lyons

The Hospital Readmissions Reduction Program (HRRP) requires the Centers for Medicare and Medicaid Services (CMS) to reduce payments to inpatient hospitals with relatively high 30-day readmission rates. CMS applies up to a three percent reduction for “excess” readmissions using a risk-adjusted ratio that compares a hospital’s performance to the national average for sets of patients with specified conditions.

Payment adjustments for FY 2017 (based on performance from July 2012 through June 2015) will be applied to all Medicare discharges starting October 1 of this year and running through September 30, 2017. Payment reductions for FY 2017 will be posted on the Hospital Compare website this October.

Total HRRP penalties are expected to reach $528 million for FY 2017, up sharply from about $420 million in FY 2016, with more than half of the nation’s hospitals affected, according to a Kaiser Health News analysis. The average penalty will spike in similar fashion, from 0.61 percent in FY 2016 to 0.73 in FY 2017.

The situation calls for a thorough understanding of the readmissions penalty environment and a strategic mindset for taking action.

Prior to FY 2017, CMS measured excess readmissions by dividing a hospital’s number of “expected” 30-day readmissions for heart attack, heart failure, pneumonia, hip/knee replacement, and COPD by the number that would be expected, based on an average hospital with similar patients.

For FY 2017, CMS expanded the list of cohorts to include coronary artery bypass graft (CABG) procedures. The agency also added to the existing pneumonia cohort: the assignment criterion now includes cases where the principal diagnosis of non-severe sepsis includes secondary diagnosis of pneumonia and aspiration pneumonia. This creates a bigger set of patients from which a hospital could have readmissions — in fact, it may expand the pneumonia cohort by 50 percent in many hospitals.

Complicating matters, excess readmissions found in any of the six cohorts will result in an overall penalty. A hospital gets no credit for making readmissions improvements along the way.

At the same time, all hospitals are working on readmissions, so the average of excess readmissions is decreasing. That means it’s harder than ever for hospitals to stay under the penalty bar.

Also, due to HRRP’s reporting cycle, an excess readmission stays in CMS’s data for three years.

These factors make it hard for hospitals to know if they have passed the tipping point for readmissions penalties before notification from CMS — which typically happens just four months prior to penalties being imposed. In practical terms, there’s not enough time to impact results.

Further, analyzing CMS data is challenging for most hospitals because:

• CMS data is retrospective. CMS calculates fiscal year penalties by looking back at data over a range of two to five years. As such, current improvements to readmission reduction programs will not be seen right away.
• CMS data includes readmissions from “non-same” hospitals. Most hospitals can’t view cases where a patient initially admitted to their facility ended up being readmitted in another facility.
• CMS data only includes readmissions among the Medicare patient population. Many commercial payers have instituted pay-for-performance programs, which should also be analyzed. Limiting your view to the Medicare HRRP program will only reveal part of your overall readmissions.
• CMS’s Measure Methodology for Readmissions can’t be easily replicated. CMS risk-adjusts each qualifying patient using Medicare Part A and Part B data for a full year prior to admission, and 30 days post-discharge. Since hospitals don’t have access to this information, they can’t replicate the methodology to calculate their excess readmissions.

Fortunately, with the right data, there’s a way to emulate the CMS methodology to help estimate the volume of excess readmissions that will be attributed to your hospital. You can do so well before receiving your hospital-specific reports from CMS.

Here are four ways advanced analytics can help position hospitals to be more proactive in managing their readmissions:

1. Purchase de-identified Medicare Part A and B claims data from CMS. Advanced analytics makes it possible to match historic claims data with known patients in your hospital information systems. In this way you can see longitudinal care histories for the patients you are discharging today. Algorithms can also predict the rate of non-same hospitalization from current readmission data, effectively filling in the blanks on readmissions that occur outside your hospital. That may give you up to two years advance notice regarding which readmissions will be counted as excessive. With that knowledge, you can do something about readmissions before the end of the evaluation period.
2. Know how many readmissions will put you in jeopardy of incurring penalties. This is the previously mentioned tipping point. Surprisingly, for many hospitals, only a few excess readmissions per month can send them to the penalty box. Predictive analytics identify patients at greatest risk for unplanned readmissions. Look for algorithms with a high degree of accuracy in matching the CMS dataset to your own database to single out cases that were identified in the assignment criteria. Once you’re able to identify trends, you can fix the issues.
3. Since CMS measures readmission back to any hospital, partner with other hospitals in your region to which you commonly refer patients back and forth. Concentrate on areas of improvement in either coordination or quality of care.
4. Analyze clinical conditions across the board among your hospital’s patient population, not just within the six CMS-defined cohorts. Taking a broader view establishes more effective data patterning to help determine if a systemic problem exists. Dashboards and pre-formatted reports signal where to drill down for more detail (for example, whether you discharged the patient to home or a different care setting).

Government policy statements clearly indicate Medicare payments becoming more heavily weighted on quality or value measures, and HRRP will be part of that determination.

What’s more, CMS has proposed that the readmission measure itself be expanded to count excess days associated with readmissions — taking into account ED patients and those assigned to observation status — rather than singular readmission events for inpatients. Expect increased involvement of care management and quality teams in this area, and another layer of potential penalties.

Don’t wait to react to how these measures will impact your hospital’s operations and finances. Now’s the time to implement data analytics tools to intelligently manage your hospital’s readmission risk with a high degree of accuracy.

Lisa Lyons is director of advanced analytics and population health and interim VP of consulting at Xerox.