Readers Write: Not Just Ransomware: Common EHR Threats You Need to Know

Not Just Ransomware: Common EHR Threats You Need to Know
By Robert Lord

It is no secret that data breaches are becoming more common and increasingly more expensive. New threats to patients’ electronic health records (EHRs) are constantly emerging, forcing healthcare organizations to be on the lookout for potential dangers so they can eliminate threats quickly. It is important for organizations to understand the array of potential threats to the EHR, allowing them to make decisions on how to best protect this sensitive data.

After talking with healthcare stakeholders inside hospital systems, the federal government, etc., and distilling themes that continually come up, I thought it would be useful share what I’ve learned.

Think Twice Before Opening That Email — Phishing and Social Engineering

Phishing scams represent a very real danger to EHRs, but they are often overlooked by healthcare organizations because they assume such threats cannot break through their security. Phishing scams are email or social engineering attacks that try to appear legitimate in order to get healthcare employees to release patients’ sensitive medical information. Such attacks often use email or website scams to either target patients’ information directly or to obtain an employee’s username and password, thereby gaining access to that organization’s entire EHR.

Just recently, a phishing email disguised as official OCR Audit communication about Phase 2 Audits went out to healthcare organizations. Thankfully, it was only a misguided attempt at marketing for a cybersecurity firm, but it could have been much worse. In December 2014, an employee of Seton Healthcare Family opened a scam email. The resulting breach released the medical record numbers, Social Security numbers, insurance information, demographic information, and clinical data of 39,000 patients.

Nevertheless, even if phishing attacks are not the cause of a breach, they can still represent a threat. After the massive breach of Anthem Inc., for example, affected patients began receiving scam emails that promised them free credit monitoring, thus demonstrating that phishing attacks remain a threat even in the wake of a data breach.

Star-Studded HIPAA Violations Can Be Costly — VIP Patient Privacy

The temptation to peek at the medical record of a celebrity or public figure represents a real threat to patient privacy. VIP patients deserve the same right to privacy as the general public, and steps need to be put in place to guarantee that their sensitive information is kept safe and the treating medical facilities out of the headlines.

In 2011, UCLA Health System came to a settlement with the federal government, agreeing to pay $865,000 after two unnamed celebrities alleged that UCLA employees had viewed their medical records without authorization. Two years before that, in 2009, California health regulators fined Kaiser Permanente $250,000 after some of its employees looked at the medical record of Nadya Suleman, the famous mother of octuplets. Unfortunately, there are many other examples of employees being fired or healthcare organizations being fined because they did not protect the privacy of their VIP patients.

The Family Doesn’t Need to Know Everything — Snooping Threat

The desire for relatives, friends, or even co-workers to snoop into patients’ records often result in messy – and costly – data breaches. In 2013, a nurse accessed the records of her nephew’s partner without authorization and saw that her nephew’s partner had given birth to a baby and put the child up for adoption five years earlier. The nurse then announced the news at a family funeral. After the victim sent a complaint to the hospital, the nurse was terminated and gave up her Florida nursing license.

A similar lawsuit involving Aspen Valley Hospital District and a former employee is currently ongoing. A former employee of the hospital, who was also a patient there, alleged that several employees of the hospital violated his privacy when they disclosed that he had HIV “as a piece of conversational gossip over drinks.” The unnamed patient is currently seeking an apology, compensatory damages, punitive damages, and attorney fees from the hospital. These are but two examples of how devastating these seemingly small breaches can be to the affected patients.

The Biggest Threat to Patient Privacy is Hiding in Plain Sight — Insider Threat

Some of the most dangerous threats to EHRs are criminal insiders. In this type of attack, an employee of a healthcare organization steals patient information from the inside, using his or her access to do so. Earlier this year, Jackson Healthcare Systems found out how dangerous these threats can be the hard way. In February, the health system reported that one of their employees had gone “rogue” and stolen the information of 24,000 patients over the course of five years. The stolen information included names, birth dates, home addresses, and Social Security numbers. As the Jackson Healthcare Systems example demonstrates, these breaches are so dangerous because they are so difficult to detect. In this case, it took five years before the organization was able to identify and eliminate the insider threat.

Business Associates and Contractors

Business associates and contractors within healthcare organizations represent a growing vulnerability for the EHR, especially in recent years. The US Health and Human Services (HHS) established the Omnibus Rule in 2013, which required the business associates of healthcare organizations to adhere to the HIPAA Rules. Unfortunately, there is still much work to be done to address this vulnerability.

In July of this year, Catholic Health Care Services, a business associate for six skilled nursing facilities, agreed to pay $650,000 for HIPAA violations after a mobile device was stolen. The data breach affected 412 patients. Moreover, this is not an isolated incident; according to a report from Protenus and DataBreaches.net, 30 percent of all data breaches in the first eight months of this year involved a business associate of a healthcare organization. In other words, 4.5 million patients have been affected by data breaches of third parties thus far in 2016.

Lost and Stolen Devices

One final threat to EHR is lost and stolen devices, including laptops and mobile devices. If the information on the lost device is not encrypted or the encryption is not working, all someone has to do is open the device and look at the information for a breach to occur. And if the device was stolen, the criminals do not even have to decrypt the information for them to be able to use it.

One example from this year involves Seim Johnson, an accounting and consulting services company. In February 2016, Seim Johnson reported to HHS that a laptop had been stolen. The encryption on the laptop malfunctioned, exposing the private information of almost 31,000 patients. And these types of breaches are becoming increasingly frequent, with Verizon’s 2015 Data Breach Investigation Report stating that 45 percent of all healthcare data breaches are the result of stolen devices.

Knowledge is Power

As more and more healthcare organizations make the switch from paper to electronic health records, it will become increasingly important for organizations to be able to protect their patient records. Of course, this also means that threats to EHR will become more varied and more sophisticated. Healthcare organizations must be well informed about the different types of threats that exist so they can put security measures in place to effectively combat them, and ultimately protect the privacy of their patients.

Robert Lord is co-founder and CEO of Protenus of Baltimore, MD.

Readers Write: 5 Common Clinical Information Blind Spots

5 Common Clinical Information Blind Spots
By Sandra Lillie

The growth rate of data moving into VNAs is exploding – expected to reach 1.4 billion objects by 2017 – and approximately 75 percent of these objects will be non-DICOM assets. To date, many hospitals don’t have a formal strategy addressing how to identify, import, and manage non-DICOM images and video as part of core image management and security efforts. This puts the organization at risk of exposing PHI (protected health information).

Moreover, these assets often aren’t included in or accessible from the EHR (electronic health record). These holes in the health record provide clinicians with an incomplete picture of the patient that can negatively impact diagnoses, treatment plans, and ultimately, outcomes.

With increased scrutiny being placed on the healthcare organizations to tighten up security efforts to protect patient data, and an industry-wide movement toward greater interoperability and patient-centered care, the need to establish centralized insight and control of non-DICOM assets has never been more important. However, this can be a significant challenge because of all the systems, devices, and media throughout an HDO (healthcare delivery organization) on which these images reside.

The departmental nature of care delivery in the past has created a plethora of locked and blocked silos that contain critical clinical images an organization may be unaware even exist. Identifying and consolidating these assets as part of an enterprise imaging strategy allows for the deployment of a more complete EHR while reducing costs locked in departmental system solutions. The key is to identify areas throughout the HDO where the largest numbers of unconnected and potentially valuable non-DICOM images are likely to reside. Bringing these images into the fold first can address some the biggest risk areas while adding the most clinically relevant patient information to the health record.

The following are five of the biggest sources of non-DICOM blind spots in hospitals and health systems.

1. Visible light images and video. This source is fairly convoluted because of all the areas of the hospital where visible light images and video are captured and stored. However, they are all important, whether they’re endoscopy or colonoscopy images from gastroenterology; ureteroscopy or cystoscopy images from urology; or laparoscopy images from OR/surgery. It’s vital to identify all of the producers of visible light images and video throughout the hospital and implement technology solutions that allow those assets to be captured and imported in their native formats from a wide range of video scope systems and processors.

2. Dermatology and plastic surgery. Many dermatology and plastic surgery departments have specialized imaging systems that capture high-definition (and sometimes 3D-rendered images) of everything from routine skin conditions to complex reconstructive surgery. These images are important pieces of the clinical narrative that are often missing from a patient’s electronic health record because of the isolated and proprietary nature of many of these systems.

3. Ophthalmology. Ophthalmology departments also routinely leverage specialty systems that capture images of the retina, cornea, and other features of the eye. A complete picture of a patient’s eye health can only be obtained by including images from these specialty systems in an overall enterprise imaging strategy.

4. Mobile devices. The healthcare industry today is increasingly mobile. Clinicians at the point of care (especially in emergency rooms) routinely capture images of wounds, allergic reactions, skin anomalies, and more in the exam room on their smartphones and tablet devices. Capturing, consolidating, and managing these photos as part of an enterprise imaging strategy can be challenging, particularly in healthcare environments that have adopted a BYOD (bring your own device) mobile policy. A technology that can be installed on mobile devices to encrypt and route medical images from these devices to a central PACS, VNA, or EHR while ensuring no image data is saved to the device camera roll is essential.

5. CD/DVD media. This is another convoluted source of non-DICOM (and potentially even DICOM) images and video. Practically any medical department that leverages imaging in some way, shape, or form has (at one point or another) stored old patient images on CDs or DVDs. These images are likely rarely, if ever, accessed by clinicians and are completely disconnected from the EHR. It is important that the pertinent historical imaging data contained on this media is imported into an enterprise imaging platform and reintroduced to the patient record.

These five sources of medical imaging clinical blind spots are just a sample of the areas to keep in mind in pursuing an end-to-end enterprise imaging strategy. As the industry moves further down the path toward delivering true personalized medicine, other emerging areas – such as pathology and genomics – will be important to consider in an effort to produce and maintain a comprehensive patient record for clinical use.

Furthermore, HDOs also sometimes forget that additional unstructured information (such as documents) exist within other departmental systems and provide another source of important clinical information. A well-articulated and focused enterprise imaging and healthcare content management (HCM) strategy with a reputable partner capable of delivering the necessary interoperability requirements can put an HDO on the path for delivering a truly comprehensive EHR.

Sandra Lillie is industry manager for enterprise imaging for Lexmark Healthcare.

Readers Write: The Next Phase for Recovery Audits

The Next Phase for Recovery Audits
By Nicole Smith

Healthcare providers have reveled in the abatement of audits by recovery auditor contractors that have been silent during the last two years of legal challenges and the procurement process resulting in a tremendous reduction — and in some instances, a pause — of recovery audits. During this down time, the Centers for Medicare and Medicaid (CMS) has been working tirelessly to procure new audit contracts – which they have now done — while dealing with post-award protests and growing concerns from the provider community about the administrative burden audits impose, as well as the methodology in which the contractors had been auditing.

CMS has said multiple times that it is committed to maintaining the integrity of the Medicare program, but its latest priority has been reducing provider burden. With contracts finally awarded to Cotiviti LLC, Performant Recovery, Inc. and HMS Federal Solutions performing post-payment audit reviews for Medicare Part A and Part B, CMS added a new fifth region that will be dedicated to identifying improper payments for durable medical equipment and home health and hospice providers. The fifth region was awarded to Performant Recovery, Inc.

Providers can expect to see some program enhancements that will improve the provider experience once the new contractors resume auditing. Providers should familiarize themselves with the upcoming changes and revise their workflow to efficiently handle Medicare audits.

While recovery audits can impose a tremendous administrative burden on a provider and can have a negative financial impact on a health organization, developing a plan to manage the audit process may prove to be beneficial for providers. For a process that has been largely paper-based up to this point, CMA implemented changes the past two years to streamline the audit submission process after contractors issued more than 2 million requests annually. Thus, CMS recognized the need to develop an electronic process so that providers and health systems could process their responses to audit contractors electronically without paper.

The Electronic Submission of Medical Documentation (esMD) program was developed as part of strategic plan to transform business operations and uphold their commitment to modernize business processes, streamline medical documentation submissions, and sustain enrollment gains in the Medicare program.

Providers have long since felt that the contingency fee basis in which recovery auditors were reimbursed encouraged auditors to target and deny a high volume of high-dollar claims, resulting in false denials and leaving the burden on the provider to appeal the decision – all while the monies paid were recouped. The appeals process can take years and tremendously impacts organizational revenue. CMS revised the way in which auditors will be reimbursed.

Now, recovery auditors will not receive their contingency fee until after the second level of appeal is completed. Additionally, auditors are required to maintain a 95 percent accuracy rate and an overturn rate of less than 10 percent at the first level of appeal. Failure to comply will result in corrective action for the recovery auditor. This is one of the most notable changes that directly addresses concerns of the provider community.

Further testament to CMS’s apparent commitment to minimize provider burden is the ability for providers to electronically file level one and level two appeals through a CMS Certified Health Information Handler (HIH) for esMD. These new esMD use cases alleviate providers from the overwhelming costs of printing, mailing, and tracking of supporting audit documentation while also helping to ensure timely filing, which historically has contributed to denials for providers as well.

Through the updated RAC contract, CMS also will require recovery auditors to provide detailed information about current recovery audit issues. This information is expected to be posted and reviewable on the auditor website for all the see, creating an added level of transparency for the entire process. Providers can proactively prepare for the identified issues by reviewing Medicare billing rules and making sure they are billing in compliance and have all the necessary support documentation in the event of an audit. If providers remain focused on compliance and timely filing recovery, audits should have little impact on the provider – at least that’s the hope.

In addition to the administrative burden of managing Medicare audits, providers have often felt that they had no direct line of communication with CMS regarding the audit process if they encountered an issue related to an audit. Frustration often grew quickly as providers tried in vain to contact someone at CMS while attempting to address any issues they may have had. From my experience with the program, providers often felt bounced around when trying to locate the appropriate person to speak with. To alleviate this problem, CMS created a new position, a provider relations coordinator, designated as the single point of contact for the provider community. The provider relations coordinator is meant to create a streamlined communication outlet for concerns with the recovery audit program.

With the return of the recovery audits on the horizon, providers should use this time to review their internal processes for handling audits and closely monitor regulatory requirements and changes in compliance policies and procedures to develop best practices for their audit program. The program, based on the developments spoken of here, are meant to ensure a more democratic, effective audit process for every party. It is my belief that the program will be less combative, less of a financially-driven attack on health systems by audit contractors, and more of a process designed to right any accidental billing wrongs and return legitimate overpayments to CMS, an equitable approach for all.

Based on the program updates, health systems will have a voice now and will be able to engage CMS directly, if needed, to mitigate any potential overzealousness the previous iteration of the program seemed to create. Perhaps now the audit process will more resemble the image of a negotiating table rather than one where an aggressive takeover seems to be occurring, as was an often-expressed sentiment of those working in the care space.

While program changes may continue, and with all signs indicating that the recovery audit program is here to stay, having a solid plan with proven best practices will minimize the administrative burden. Nevertheless, the news from Washington is good and likely portrays better things to come.

Nicole Smith is VP of operations and government services for Vyne of Dunwoody, GA.

The Election Lesson Learned is to be Healthily Skeptical of Analytics

The Election Lesson Learned is to be Healthily Skeptical of Analytics
By Mr. HIStalk

It was a divisive, ugly election more appropriate to a third-world country than the US, but maybe we can all have a Kumbaya-singing moment of unity in agreeing on just one thing – the highly paid and highly regarded pollsters and pundits had no idea what they were talking about. They weren’t any smarter than your brother-in-law whose political beliefs get simpler and louder after one beer too many. The analytics emperors, as we now know, had no clothes.

The experts told us that Donald Trump was not only going to get blown out, but he also would drag the down-ballot candidates with him and most likely destroy the Republican party. Hillary Clinton’s team of quant geeks had it all figured out, telling her to skip campaigning in sure-win states like Wisconsin and instead focus her energy on the swing states. The TV talking heads simultaneously parroted that Clinton had a zillion “pathways to 270” while Trump had just one, an impossible long shot. The actual voting results would be anticlimactic, no more necessary to watch than a football game involving a 28-point underdog.

The (previously) respected poll site 538 pegged Trump’s chances at 28 percent as the polls began to close. Within a handful of hours, they gave him an 84 percent chance of winning. Presumably by Wednesday morning their finely tuned analytics apparatus took into account that Clinton had conceded and raised his chances a bit more, plus or minus their sampling error.

This morning, President-Elect Trump is packing up for the White House and the Republicans still control the Senate. Meanwhile, political pollsters and statisticians are anxiously expunging their election-related activities from their resumes. They had one job to do and they failed spectacularly. Or perhaps more accurately, their faulty analytics were misinterpreted as reality by people who should have known better.

Apparently we didn’t learn anything from the Scottish referendum or Brexit voting. Toddling off to bed early in a statistics-comforted slumber can cause a rude next-day awakening. Those darned humans keep messing up otherwise impressive statistics-powered predictions.

We talk a lot in healthcare about analytics. Being scientists, we’re confident that we can predict and maybe even control the behavior of humans (patients, plan members, and providers) with medical history questionnaires, clinical studies, satisfaction surveys, and carefully constricted insurance risk pools. But the election provides some lessons learned about analytics-powered assumptions.

• It’s risky to apply even rigorous statistical methods to the inherently unpredictable behavior of free-will humans.
• Analytics can reduce a maddeningly complex situation into something that is more understandable even when it’s dead wrong.
• Surveyors and statisticians are often encouraged to deliver conclusions that are loftier than the available data supports. We humans like to please people, especially those paying us, and sometimes that means not speaking up even when we should. “I don’t know” is not only a valid conclusion, but often the correct one.
• Be wary of smoke-blowing pundits who suggest that they possess extra-special insight and expertise that allow them to draw lofty conclusions from a limited set of data that was assembled quickly and inexpensively.
• Sometimes going with your gut works better than developing a numbers-focused strategy, like it did for Donald Trump and for doctors who treat the patient rather than their ICD-10 code or or lab result.
• Confirmation bias is inevitable in research, where new evidence can be seen as proving what the researcher already believes. The most dangerous bias is the subconscious one since it can’t be statistically weeded out.
• A study’s design and its definition of a representative sample already contains some degree of uncertainty and bias.
• Sampling errors have a tremendous impact. We don’t know how many “hidden voters” the pollsters missed. We don’t know how well they selected their tiny sampling of Americans, each of whom represented thousands of us who weren’t surveyed. Not very, apparently.
• Response rates and method of outreach matter. Choosing respondents by landline, cell phone, email, or regular mail and even choosing when to contact them will skew the results in unknown ways. Most importantly, a majority of people refuse to participate entirely, making it likely whatever cohort they are part of leaves them unrepresented in the results.
• You can’t necessarily believe what poll respondents or patients tell you since they often subconsciously say what they think the pollster or society wants to hear. The people who vowed that they were voting for Clinton might also claim that they only watch PBS and on their doctor’s social history questionnaire declare their unfamiliarity with alcohol, drugs, domestic violence, and risky sexual behaviors.
• Not everybody who is surveyed shows up, and not everybody who shows up was surveyed. It’s the same problem as waiting to see who actually visits a medical practice or ED. Delivering good medical services does not necessarily mean effectively managing a population.
• Prediction is best compared with performance in fine-tuning assumptions. The experts saw a few states go against their predictions early Tuesday evening, and at that moment but too late, applied that newfound knowledge to create better predictions. Real-time analytics deliver better results, and even an incompetent meteorologist can predict a hurricane’s landfall right before it hits.

It’s tempting to hang our healthcare hat on piles of computers running analytics, artificial intelligence, and other binary systems that attempt to dispassionately impose comforting order on the cacophony of human behavior. It’s not so much that it can’t work, it’s that we shouldn’t become complacent about the accuracy and validity of what the computers and their handlers are telling us. We are often individually and collectively as predictable as the analytics experts tell us, but sometimes we’re not.

Readers Write: Don’t Get Stuck in the Readmissions Penalty Box

Don’t Get Stuck in the Readmissions Penalty Box
By Lisa Lyons

The Hospital Readmissions Reduction Program (HRRP) requires the Centers for Medicare and Medicaid Services (CMS) to reduce payments to inpatient hospitals with relatively high 30-day readmission rates. CMS applies up to a three percent reduction for “excess” readmissions using a risk-adjusted ratio that compares a hospital’s performance to the national average for sets of patients with specified conditions.

Payment adjustments for FY 2017 (based on performance from July 2012 through June 2015) will be applied to all Medicare discharges starting October 1 of this year and running through September 30, 2017. Payment reductions for FY 2017 will be posted on the Hospital Compare website this October.

Total HRRP penalties are expected to reach $528 million for FY 2017, up sharply from about $420 million in FY 2016, with more than half of the nation’s hospitals affected, according to a Kaiser Health News analysis. The average penalty will spike in similar fashion, from 0.61 percent in FY 2016 to 0.73 in FY 2017.

The situation calls for a thorough understanding of the readmissions penalty environment and a strategic mindset for taking action.

Prior to FY 2017, CMS measured excess readmissions by dividing a hospital’s number of “expected” 30-day readmissions for heart attack, heart failure, pneumonia, hip/knee replacement, and COPD by the number that would be expected, based on an average hospital with similar patients.

For FY 2017, CMS expanded the list of cohorts to include coronary artery bypass graft (CABG) procedures. The agency also added to the existing pneumonia cohort: the assignment criterion now includes cases where the principal diagnosis of non-severe sepsis includes secondary diagnosis of pneumonia and aspiration pneumonia. This creates a bigger set of patients from which a hospital could have readmissions — in fact, it may expand the pneumonia cohort by 50 percent in many hospitals.

Complicating matters, excess readmissions found in any of the six cohorts will result in an overall penalty. A hospital gets no credit for making readmissions improvements along the way.

At the same time, all hospitals are working on readmissions, so the average of excess readmissions is decreasing. That means it’s harder than ever for hospitals to stay under the penalty bar.

Also, due to HRRP’s reporting cycle, an excess readmission stays in CMS’s data for three years.

These factors make it hard for hospitals to know if they have passed the tipping point for readmissions penalties before notification from CMS — which typically happens just four months prior to penalties being imposed. In practical terms, there’s not enough time to impact results.

Further, analyzing CMS data is challenging for most hospitals because:

• CMS data is retrospective. CMS calculates fiscal year penalties by looking back at data over a range of two to five years. As such, current improvements to readmission reduction programs will not be seen right away.
• CMS data includes readmissions from “non-same” hospitals. Most hospitals can’t view cases where a patient initially admitted to their facility ended up being readmitted in another facility.
• CMS data only includes readmissions among the Medicare patient population. Many commercial payers have instituted pay-for-performance programs, which should also be analyzed. Limiting your view to the Medicare HRRP program will only reveal part of your overall readmissions.
• CMS’s Measure Methodology for Readmissions can’t be easily replicated. CMS risk-adjusts each qualifying patient using Medicare Part A and Part B data for a full year prior to admission, and 30 days post-discharge. Since hospitals don’t have access to this information, they can’t replicate the methodology to calculate their excess readmissions.

Fortunately, with the right data, there’s a way to emulate the CMS methodology to help estimate the volume of excess readmissions that will be attributed to your hospital. You can do so well before receiving your hospital-specific reports from CMS.

Here are four ways advanced analytics can help position hospitals to be more proactive in managing their readmissions:

1. Purchase de-identified Medicare Part A and B claims data from CMS. Advanced analytics makes it possible to match historic claims data with known patients in your hospital information systems. In this way you can see longitudinal care histories for the patients you are discharging today. Algorithms can also predict the rate of non-same hospitalization from current readmission data, effectively filling in the blanks on readmissions that occur outside your hospital. That may give you up to two years advance notice regarding which readmissions will be counted as excessive. With that knowledge, you can do something about readmissions before the end of the evaluation period.
2. Know how many readmissions will put you in jeopardy of incurring penalties. This is the previously mentioned tipping point. Surprisingly, for many hospitals, only a few excess readmissions per month can send them to the penalty box. Predictive analytics identify patients at greatest risk for unplanned readmissions. Look for algorithms with a high degree of accuracy in matching the CMS dataset to your own database to single out cases that were identified in the assignment criteria. Once you’re able to identify trends, you can fix the issues.
3. Since CMS measures readmission back to any hospital, partner with other hospitals in your region to which you commonly refer patients back and forth. Concentrate on areas of improvement in either coordination or quality of care.
4. Analyze clinical conditions across the board among your hospital’s patient population, not just within the six CMS-defined cohorts. Taking a broader view establishes more effective data patterning to help determine if a systemic problem exists. Dashboards and pre-formatted reports signal where to drill down for more detail (for example, whether you discharged the patient to home or a different care setting).

Government policy statements clearly indicate Medicare payments becoming more heavily weighted on quality or value measures, and HRRP will be part of that determination.

What’s more, CMS has proposed that the readmission measure itself be expanded to count excess days associated with readmissions — taking into account ED patients and those assigned to observation status — rather than singular readmission events for inpatients. Expect increased involvement of care management and quality teams in this area, and another layer of potential penalties.

Don’t wait to react to how these measures will impact your hospital’s operations and finances. Now’s the time to implement data analytics tools to intelligently manage your hospital’s readmission risk with a high degree of accuracy.

Lisa Lyons is director of advanced analytics and population health and interim VP of consulting at Xerox.

Readers Write: Address the Disruption in Provider Data Caused by Clinically Integrated Networks and Value-Based Care

Address the Disruption in Provider Data Caused by Clinically Integrated Networks and Value-Based Care
By Tom White

Hospitals that became health systems and are now morphing into clinically integrated networks (CINs) are facing increasing struggles managing their expanding patchwork of providers. These include credentialed and referring physicians, APRNs, nurses, other licensed professionals. Their provider count has often grown by five to 10 times.

Not only are there more providers, but also they are working in a wider variety of outpatient care settings. This has been a boon for consumers, as there are now many new retail healthcare locations on neighborhood street corners, but this poses an increasing challenge from a provider data perspective. Who is providing the service? What is their affiliation in the ACOs, next gen ACOs, CINs, or narrow networks? Are they sanctioned?

These problems rise from the emergence of the retail healthcare economy. The resultant growth in provider data is creating obvious and not-so-obvious consequences caused by disruptions in the provider data management process, affecting the accuracy of the provider data.

Poor provider data management tends to hurt healthcare organizations much more than they realize, especially in the context of today’s emerging retail healthcare economy and value-based reimbursement market. For hospitals and providers to succeed in these circumstances it is imperative to drive out unnecessary costs, and outdated or inaccurate provider data is a hidden source of significant costs.

As hospitals and health systems develop new alliances, it is critical to know what providers are included in a CIN, including their roles and affiliations. Efforts to collaborate over large patient populations and control value-based payments require in-depth and proprietary knowledge of provider affiliations, practice scope, and their economic models. This information is mission critical for success. Using a system that manages provider data in these areas should be a business imperative for every health system executive.

Licensed healthcare provider data management programs have historically been managed by numerous, fragmented systems across the healthcare ecosystem. Many healthcare leaders believe that electronic medical records (EMR) systems and their health information exchange (HIE) modules, credentialing, and other modern back-office IT systems have made provider data more accurate, secure, and accessible. Perhaps this is so with patient data, but this is not the case with provider data. These enterprise IT systems provide numerous benefits and may even provide a repository for some provider data, but they are not inherently designed for ongoing management of this business-critical data.

Let’s think for a minute about some specific areas in which provider data plays a vital role. Do CINs know who their providers are? How do they take these new provider networks and build the tools for consumers and providers to search and find them? Simple natural language searching (think Google searches) is how the entire world except for healthcare works. Having accurate provider data who are in-network with modern search tools should be a goal for all health systems and CINs.

Accurate provider data is critical to ensure that provider search tools can be the foundation of a successful referral management program. Potential patients that visit the hospital website and search for a local, in-network doctor or a specialist expect that the information they are presented with is accurate and current. If not, a bad customer experience could mean the loss of a patient, a loss of trust, and perhaps worst of all, a bad online review by the patient.

Physicians who use these search tools to identify specialists they can refer their patients to is a critical aspect of referral management. The range of critical data that is relied upon now goes beyond simple contact information and insurance plan participation. It might include physician communication preferences, licensing data, internal system IDs, exclusionary lists, and other sensitive internal information. This information changes frequently, but users don’t have time to ponder these facts. Inaccurate information wastes time and hurts patient satisfaction.

Inaccurate provider data causes billing delays that hurt cash flow and increases days A/R. Invoices sent to the wrong location or faxed to the wrong office are common in healthcare. Never mind issues stemming from inaccurate or incomplete address information.

Beyond clinical and financial performance gains from having more accurate information on providers is that this data can then be used in consumer and physician outreach programs across the health systems, whether part of a CIN or ACO. Hospitals are businesses, too. Historically many of their patients may be admitted through the ED, but increasingly are referred by in-network physicians or come through another outpatient service. The hospital’s marketing department may want to reach out to a network of physicians within a 200-mile radius to encourage referring patients to their facilities or simply promote a new piece of equipment or innovative procedure that’s now available at their facility. The marketing department might do searches to find these physicians and contact them. Having accurate provider ensures that these efforts are productive and efficient.

A tool is required that makes it easy for the appropriate teams in the health system to curate and update their health system provider data to create a single source of truth. This should include all credentialed and referring providers from across the entire healthcare organization, including acute, post-acute, outpatient, and long-term care environments.

While health systems can develop data governance models that require all departments to verify the accuracy of their provider data and to specify how it should be shared, this is seldom a success. Most organizations don’t know exactly who is in their pool of licensed providers and historically there has not been an IT system that can provide this comprehensive capability.

Healthcare leaders have to take a proactive approach to provider data management and can no longer afford to deny the critical role this information plays in today’s increasingly complex and challenging healthcare system. In a fee-for-service world where practitioners are paid for whatever work they perform, it may not be as critical to have accurate provider data. But in today’s value-based care market, accurate provider data is critical for running an efficient, competitive, and profitable healthcare system.

Thomas White is CEO of Phynd Technologies of Dallas, TX.

Readers Write: Ready or Not, ASC X12 275 Attachment EDI Transaction Is Coming

Ready or Not, ASC X12 275 Attachment EDI Transaction Is Coming
By Lindy Benton

As electronic as we are in many aspects of business – and life in general – oftentimes healthcare providers and payers are still using paper for claim attachment requests and responses. With the ASC X12 275 attachment electronic data interchange on the horizon, the need for utilizing secure, electronic transactions will soon be here.

Let’s look at the claim attachment process.

1. A claim attachment arises when a payer requests additional information from a provider to adjudicate a claim. This attachment is intended to provide additional information or answer additional questions or information not included in the original claim.
2. In many instances, the process for sending and receiving attachments is still largely done via a manual, paper-based format.
3. Paper-based transactions are slow, inefficient, and can bog down the revenue cycle. Additionally, paper transactions are prone to getting lost in transit and are difficult if not impossible to track.
4. The ASC X12 275 transaction has been proposed as a secure, electronic (EDI) method of managing the attachment request while making it uniform across all providers and payers.

The ASC X12 275 can be sent either solicited or unsolicited. When solicited, it will be when the claim is subjected to medical or utilization review during the adjudication process. The payer then requests specific information to supplement or support the providers request for payment of the services. The payer’s request for additional information may be service specific or apply to the entire claim, the 275 is used to transmit the request. The provider uses the 275 to respond to the previously mentioned request in the specified time from the payer.

Both HIPAA and the Affordable Care Act are driving the adoption of these secure, electronic transaction standards. HIPAA requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. In Section 1104(b)(2) of the ACA, Congress required the adoption of operating rules for the healthcare industry and directed the secretary of Health and Human Services to “adopt a single set of operating rules for each transaction” with the goal of creating as much uniformity in the implementation of the electronic standards as possible.

Providers and payers will be required to adopt these standards at some point and it will happen sooner rather than later, so it’s time to be prepared.

The final specifications and detail for the EDI 275 transaction were supposed to be finalized in January 2016, but that has yet to happen. Both the American Health Association and American Medical Association have urged the Department of Health and Human Services to finalize and adopt the latest 275 standard, so with that kind of backing, it’s only a matter of time until the 275 transaction standard gains momentum and comes to fruition.

EDI 275 is coming. The question is, will you be ready?

Lindy Benton is president and CEO of Vyne of Dunwoody, GA.

Readers Write: Exploring the EMR Debate: Onus On Analytics Companies to Deliver Insights

Exploring the EMR Debate: Onus On Analytics Companies to Deliver Insights
By Leonard D’Avolio, PhD

Late last month, a great op-ed published in The Wall Street Journal called “Turn Off the Computer and Listen to the Patient” brought a critical healthcare issue to the forefront of the national discussion. The physician authors, Caleb Gardner, MD and John Levinson, MD, describe the frustrations physicians experience with poor design, federal incentives, and the “one-size-fits-all rules for medical practice” implemented in today’s electronic medical records (EMRs).

From the start, the counter to any criticism of the EMR was that the collection of digital health data will finally make it possible to discover opportunities to improve the quality of care, prevent error, and steer resources to where they are needed most. This is, after all, the story of nearly every other industry post-digitization.

However, many organizations are learning the hard way that the business intelligence tools that were so successful in helping other industries learn from their quantified and reliable sales, inventory, and finance data can be limited in trying to make sense of healthcare’s unstructured, sparse, and often inaccurate clinical data.

Data warehouses and reporting tools — the foundation for understanding quantified and reliable sales, inventory, and finance data of other industries – are useful for required reporting of process measures for CMS, ACO, AQC, and who knows what mandates are next. However, it should be made clear that these multi-year, multi-million dollar investments are designed to address the concerns of fee-for-service care: what happened, to whom, and when. They will not begin to answer the questions most critical to value-based care: what is likely to happen, to whom, and what should be done about it.

Rapidly advancing analytic approaches are well suited for healthcare data and designed to answer the questions of value-based care. Unfortunately, journalists and vendors alike have done a terrible job in communicating the value, potential, and nature of these approaches.

Hidden beneath a veneer of buzzwords including artificial intelligence, big data, cognitive computing, data science, data mining, and machine learning is a set of methods that have proven capable of answering the “what’s next” questions of value-based care across clinical domains including cardiothoracic surgery, urology, orthopedic surgery, plastic surgery, otolaryngology, general surgery, transplant, trauma, and neurosurgery, cancer prediction and prognosis, and intensive care unit morbidity. Despite 20+ years of empirical evidence demonstrating superior predictive performance, these approaches have remained the nearly exclusive property of academics.

The rhetoric surrounding these methods is bimodal and not particularly helpful. Either big data will cure cancer in just a few years or clinicians proudly list the reasons they will not be replaced by virtual AI versions of themselves. Both are fun reads, but neither address the immediate opportunity to capitalize on the painstakingly entered data to deliver care more efficiently today.

More productive is a framing of machine learning as what it actually is — an emerging tool. Like all tools, machine learning has inherent pros and cons that should be considered.

In the pro column is the ability of these methods to consider many more data points than traditional risk score or rules-based approaches. Also important for medicine is the fact that machine learning-based approaches don’t require that data be well formatted or standardized in order to learn from it. Combined with natural language processing, machine learning can consider the free text impressions of clinicians or case managers in predicting which patient is most likely to benefit from attention sooner. Like clinical care, these approaches learn with new experience, allowing insights to evolve based on the ever-changing dynamics of care delivery.

To illustrate, the organization I work with was recently enlisted to identify members of a health plan most likely to dis-enroll after one year of membership. This is a particularly sensitive loss for organizations that take on the financial responsibility of delivering care, as considerable investments are made in Year 1 stabilizing and maintaining the health of the member.

Using software designed to employ these methods, we consumed 30 file types, from case management notes, to claims, to call center transcripts. Comparing all of the data of members that dis-enrolled after one year versus those that stayed in the plan, we learned the patterns that most highly correlate with disenrollment. Our partner uses these insights to proactively call members before they dis-enroll. As their call center employs strategies to reduce specific causes of dissatisfaction, members’ reasons for wanting to leave change. So, too do the patterns emerging from the software.

The result is greater member satisfaction, record low dis-enrollment rates, and a more proactive approach to addressing member concerns. It’s not the cure for cancer, but it is one of a growing number of questions that require addressing when the success of an organization is dependent on using resources efficiently.

The greatest limitation of machine learning to date has been inaccessibility. Like the mainframe before it, this new technology has remained the exclusive domain of experts. In most applications, each model is developed over the course of months using tools designed for data scientists. The results are delivered as recommendations, not HIPAA-compliant software ready to be plugged in when and where needed. Like the evolution of computing, all of that’s about to change.

Just hours after reading the Gardner and Levinson op-ed, I sat across from a primary care doc friend as she ended a long day of practice by charting out the last few patients. Her frustration was palpable as she fought her way through screen after screen of diabetes-related reporting requirements having “nothing to do with keeping [her] patients healthy.” Her thoughts on the benefits of using her organization’s industry-leading EMR were less measured than Drs. Gardner and Levinson: “I’d rather poke my eyes out.”

I agree fully with Drs. Gardner and Levinson. The answer isn’t abandoning electronic systems, but rather striking a balance between EMR usability and the valuable information that they provide. But I’ve been in healthcare long enough to know clinicians won’t be enjoying well-designed EMRs any time soon. In the meantime, it’s nice to know we don’t need to wait to begin generating returns from all their hard work.

Leonard D’Avolio, PhD is assistant professor at Harvard Medical School CEO and co-founder of Cyft of Cambridge, MA.

Readers Write: ECM for Healthcare Advances to HCM (Healthcare Content Management)

ECM for Healthcare Advances to HCM (Healthcare Content Management)
by Amie Teske

Industry analysts project healthy market growth for enterprise content management (ECM) solutions across all industry sectors. Gartner’s 2016 Hype Cycle for Real-Time Health System Technologies places ECM squarely along the “plateau of productivity” at the far, right-hand side of the hype cycle curve. This essentially means that ECM software has succeeded the breakthrough in the market and is being actively adopted by healthcare providers.

This is good news for ECM users and technology suppliers, but what’s next for ECM in healthcare? To remain competitive and leading edge, ECM solutions at the plateau must evolve for the sake of customers and the marketplace in order to maintain business success. There is more good news here in that ECM solutions are evolving to keep pace with healthcare changes and demands.

Up to 70 percent of the data needed for effective and comprehensive patient care management and decision-making exists in an unstructured format. This implies the existence of a large chasm between resources and effort expended by healthcare delivery organizations (HDOs) on EHR technology to manage discrete data and the work yet to be done to effectively automate and provide access to the remaining content. ECM solutions are evolving in a new direction that offers HDOs an opportunity to strategically build a bridge to this outstanding content.

Healthcare content management (HCM) is a new term that represents the evolution of ECM for healthcare providers. It is the modern, intelligent approach to managing all unstructured document and image content. The biggest obstacle we must overcome in this journey is the tendency to fall back on traditional thinking, which drives health IT purchases toward siloed, non-integrated systems. Traditional methods for managing patient content have a diminishing role in the future of healthcare. It’s time to set a new course.

An HCM Primer

• HCM = documents + medical images (photos and video. too).
• The 70 percent of patient content outside the EHR is primarily unstructured in nature, existing as objects that include not only DICOM (CT, MRI) but also tiff, pdf, mpg, etc.
• ECM has proven effective for managing tiff, pdf and a variety of other file formats. It is not, however, a technology built to handle DICOM images, which represent the largest and most numerous of the disconnected patient objects in question.
• Enterprise imaging (EI) technologies have traditionally been responsible for DICOM-based content. These include vendor neutral archives (VNA), enterprise/universal viewers, and worklist and connectivity solutions that are unique to medical image and video capture.
• Leveraging a single architecture to intentionally integrate ECM and EI technologies — enabling HDOs to effectively capture, manage, access and share all of this content within a common ecosystem — is referred to as healthcare content management or HCM.

Although the market is ready for HCM and many HDOs are already moving in this direction, it is important to know what to look for.

Critical Elements of HCM

Although it is the logical first step, HCM encompasses much more than simply unifying ECM and EI technologies together into a single architecture to enable shared storage and a single viewing experience for all unstructured content, DICOM and non-DICOM. Just as important is workflow and how all document and image content is orchestrated and handled prior to storage and access. This is essentially the secret sauce and the most difficult aspect of an HCM initiative.

ECM for healthcare workflow is geared to handle back office and clinical workflows associated with health information management, patient finance, accounts payable, and human resources, for example. The intricacies of these workflows must continue to cater to specific regulations around PHI, release of information, etc. All this to say that the workflow component of ECM is critical and must remain intact when converging ECM with EI technologies.

The same goes for workflows for enterprise imaging. EI workflow is optimized to handle image orchestration from many modalities to the core VNA or various PACS systems, medical image tag mapping/morphing to ensure image neutrality and downtime situations, for example.

These workflow features should not be taken lightly as health systems endeavor to establish a true HCM strategy. Do not overlook the need for these capabilities to ease the complexities inherently involved and to fully capitalize on any investment made.

Guidance for HCM Planning

Consider the following recommendations as you plan an HCM approach and evaluate prospective vendors:

• Be wary of an archive-only strategy. A clinical content management (CCM) approach is primarily an archive and access strategy. The critical element of workflow is fully or partly missing. A word of caution to diligent buyers to ask the right questions about workflow and governance of unstructured document and image content before, during, and after storage and access.
• Always require neutrality. Changing standards is a given in the healthcare industry. HCM should be in alignment with the new standards to ensure all document and image content can be captured, managed, accessed, shared, and migrated without additional cost due to proprietary antics by your vendor. An HCM framework must have a commitment to true neutrality and interoperability.
• Think strategically. A deliberate HCM framework offered by any healthcare IT vendor should be modular in nature but also able to be executed incrementally and with the end in mind. Beginning with the end in mind is slightly more difficult. The modularity of your HCM approach should allow you to attack your biggest pain points first, solving niche challenges while preserving your budget and showing incremental success in your journey toward the end state.
• Consider total cost of ownership (TCO). If a common architecture and its associated cost efficiencies are important in wrangling your outstanding 70 percent of disconnected patient content, you cannot afford to take a niche approach. It may seem easier and cheaper to select a group of products from multiple niche vendors to try and solve your most pervasive siloed document and image management problems. Take a careful look at the TCO over the life of these solutions. It is likely the TCO will be higher due to factors which include the number of unique skillsets and FTEs required for a niche strategy.
• Demand solution flexibility and options. Your HCM approach should provide extensive flexibility and a range of options and alternatives that are adaptable to your unique needs. Software functionality is important, but not the only criterion.

Your HCM approach for strategically managing all unstructured patient content should allow you to:

• Start small or go big, solving one challenge or many.
• Establish a common architecture with a unified content platform and viewing strategy for all document and imaging content.
• Enable unique ECM and EI workflows, not simply storage and access.
• Hold one technology partner responsible – “one throat to choke” – for easier overall performance management and administration.

Providers of all shapes and sizes must take a thoughtful and deliberate approach when evaluating document and image management solutions. There is much more involved than simply capture and access. Because this category of technology can enable up to 70 percent of your disconnected patient and business information, you cannot afford to make a decision without carefully considering the impact of HCM on your healthcare enterprise, immediately and over time.

Amie Teske is director of global healthcare industry and product marketing for Lexmark Healthcare.

Readers Write: Guaranteeing MACRA Compliance at the Point of Care

Guaranteeing MACRA Compliance at the Point of Care
By David Lareau

MACRA will affect every physician and every clinical encounter. Current systems have been designed to produce transactions to be billed. MACRA will require that clinical conditions have been addressed and documented in accordance with quality care guidelines. The only way to ensure that happens is to do it at the point of care.

The challenge is that physicians need to address all conditions, not just those covered by a MACRA requirement. One approach is to just add another set of things to do, slowing doctors down and getting in their way. This is the transactional approach — just another task.

Most current systems have different tabs that list problems, medications, labs, etc. Users must switch back and forth looking for data. The data cannot be organized by problem since the systems lack any method for correlating information based on clinical condition. Adding another set of disconnected information to satisfy quality measures will only make it worse for users.

A better approach is to integrate quality care requirements for any condition with all the other issues the physician needs to address for a specific patient and to work it into a physician’s typical workflow. A well-designed EHR should have a process running in the background that keeps track of all applicable quality measures and guidelines for the patient being seen. The status of all quality measures must be available at any point in the encounter in a format that ties all information together for any clinical issue.

This requires actionable, problem-oriented views of clinical data, where all information for any clinical issue is available instantly. Physicians need to be able to view, react to, and document clinical information for every problem or issue addressed with the patient. This includes history and physical documentation, review of results, clinical assessments, and treatment plans as well as compliance with quality measures.

Guaranteeing MACRA compliance at the point of care can be accomplished by using a clinical knowledge engine that presents all relevant information for any clinical issue so that MACRA quality measures are seamlessly included as part of the patient’s overall clinical picture, not as just another task to be added on to the already burdensome workflows of current systems.

David Lareau is CEO of Medicomp Systems of Chantilly, VA.

Readers Write: Telemedicine Is Just Medicine

Readers Write: Telemedicine Is Just Medicine
By Teri Thomas

Telemedicine. MHealth. Remote healthcare. What’s the best term for a given use case? A large portion of my job is focused on it, yet my answer is, “I don’t much care what term you use.” 

Well, I guess I care a little if I see confusion getting in the way of progress. Don’t get me wrong — I’m glad that nobody has been saying “mMedicine” yet (would that be like, “mmm…medicine” or “em-medicine?”) I don’t love “virtual health” as it makes me wonder if I watch lots of exercise shows and raw food infomercials, could I get virtually healthy? 

Defining telemedicine as a subset of telehealth related to direct care at a distance vs. provision of healthcare-related services at a distance, while correct—who cares? Consider if when indoor plumbing was new, people discussed “s-water” (out of a stream), vs. “i-water” (from in the home). I guess i-water would be better than p-water from pipes (it’s OK to giggle a little — be a middle-schooler for a minute). We care about perhaps three factors:

• Is it modified/sparkling/flavored?
• Do we have to pay for it (bottled water vs. tap water)?
• Is it clean enough to drink?

Medicine is medicine. Healthcare is healthcare. It’s care: good, bad, and a ton in the middle. Yet I hear murmurs like, “Telemedicine isn’t good quality healthcare.” That’s like saying tap water isn’t good enough to drink because you’ve spent time in Flint.

Good quality care isn’t determined by the location of the provider or patient. Care can be done very well without requiring the patient and the clinician to be in the same room. It can also be done very poorly. Probably the majority of it — just like when the doctor and patient are together in a room — is not perfect, not bad, and mostly OK. 

Not every type of visit is appropriate over video, but many types are. In dermatology, providers have been using photos for decades. Camera cost and image resolution have dramatically improved so that even inexpensive systems can provide more image detail than a physician with the sharpest of vision. Stethoscopes, lights, cameras, video connections, telephones—all are tools to help us practice medicine better.  Sometimes the tools work great and are helpful and sometimes not.

If the Internet connection is slow or the battery dies, quality is impacted. But think for a minute about the impact on quality of care for the physician who had an extra-complex first appointment and is running an hour or more behind. The patients are stacking up and getting upset about their wait times. The clinic day is lengthening. The pressure to catch up mounts. Finally, consider the patient taking off work, driving to a clinic, parking, sitting in a waiting room with Sally Pink Eye, feeling at bored at best and anxious and angry at worst about their wait times.

How high of quality will that encounter be compared to the patient connecting with the provider from home or work? The patient didn’t have to drive, and even if waiting, likely they were in a more comfortable environment with other things to do.

Keep in mind that if the patient were physically there in the dermatology office and the lights went out or the dermatologist’s glasses were suddenly broken, it would be very hard to provide a quality exam. For a remote derm visit, if you can ensure reliable “tool” quality (history from the patient and/or GP, high enough resolution video/images, clear audio), why should there be a care quality concern? Yet these kinds of “visits” — heavily image-focused encounters — are still traditionally accomplished by asking a patient come to the provider. 

Thank you to Kaiser and other telemedicine leaders for providing us with the validating data: remote visits can be done with high quality, lower costs, and positive quality care and patient satisfaction outcomes. On behalf of patients who are increasing expecting more convenient care, healthcare providers who are hesitant — please invest in video visit technology and seek opportunities to provide more convenient care for your patients. Payers, please recognize that this is in everyone’s best interest and start financially rewarding those providers.

Teri Thomas is director of innovation for an academic medical center.

Readers Write: What Hospitals Can Learn from the Insurance Industry About Privacy/Insider Threat Risk Mitigation

What Hospitals Can Learn from the Insurance Industry About Privacy/Insider Threat Risk Mitigation
By Robert B. Kuller

The drumbeat of hospital PHI breaches marches on. Every day there seems to be another news article on a hospital being hit with a ransomware attack. Hospital CEOs and bards are placing ever-increasing demands on their CIOs to pour technology and resources into preventing these perimeter attacks.

Who can blame them? They don’t want to have to appear before the media and explain why the attack wasn’t prevented given the current high threat environment, how many patients records were affected, and how they will deal with the aftermath of the breach.

Even though these perimeter attacks are no doubt high profile, there is a larger threat that is not being given high enough attention by CEOs or their boards and certainly not the same level of technology and resources to deal with it — privacy and insider-borne threats. According to a recent study by Clearswift, 58 percent of all security incidents can be attributed to insider threats (employees, ex-employees, and trusted partners).

The primary causative factors were identified as inadvertent human error and lack of awareness or understanding. Only 26 percent of organizations are confident they can accurately determine the source of the incident. There are plenty more statistics to throw around, but suffice to say, insider threat is a major problem and represents a large part of hospital breaches even though they do not routinely get the same level of media coverage.

Let’s take a quick review of what the hospital landscape looks like in terms of dealing with insider threat today. Most privacy staff are very small, usually about two people. They are charged with identifying potential breaches; investigating those identified potential breaches to determine actual breaches; interfacing with department heads; internal, and regulatory reporting on actual breaches; putting together a breach reaction plan; assisting with staff education; and preventing future breaches. With a typical 400-bed hospital exceeding five million EHR transactions per day — all of which need to be reviewed — any reasonable person would conclude that is a very high set of expectations for such a small staff.

The vast majority of hospitals continue to use inferior, outdated technology because of severe budget limitations that are applied to the privacy function, while tens of millions of dollars are spent on perimeter defenses. The capabilities of these systems are very limited and basically dump tens of thousands of audit logs entries into Excel spreadsheets that need to be reviewed by the privacy staff. Cutting edge, behaviorally-based systems with advanced search engines, deep insight visualization, and proactive monitoring capabilities are available, but not regularly adopted.

Privacy/insider threat is primarily viewed as a compliance issue. Many hospital CEOs and boards justify giving low priority and resources to this area by looking at the potential fines that OCR will levy if their hospital’s PHI is breached. In fact, the fines are relatively low; breaches have to break the 500-record threshold (although OCR recently announced an effort to delve into breaches below this threshold); you have to be found guilty of not doing reasonable due diligence; and you are given multiple chances at correcting bad practices prior to fines being assessed. Combine this with an overreliance on cyber risk insurance and you have a potential for disaster.

The actual risk profile should start first and foremost with loss of hospital reputation. A hospital brand takes years and millions of dollars to build. One privacy breach can leave it in ruins. The second risk is patient loss and the associated costs of replacing those patients. A recent poll by Transunion showed that nearly seven in 10 respondents would avoid healthcare providers that had a privacy breach. The third major risk is lawsuits, legal costs, and settlements. Settlement costs are large and juries generally rule against institutions and for the damaged plaintiff. Fourth would be compliance.

There also seems to be a misunderstanding of cyber risk insurance. Like other insurance, it will not reward bad practices or flawed due diligence on behalf of the policyholder. Insurers will do a pre-audit to make sure that the risk they are undertaking is understood, that proper prevention technologies are in place, and that best practices are being documented and followed. Once a breach has been claimed, they will generally send out another team of investigators to determine if the items mentioned above were in place and best efforts were maintained during the breach. If they weren’t, this could lead to a denial or at least a prolonged negotiating process. Premium costs will also be reflective of level of preparedness and payouts generally do not cover anywhere near the full costs of the breach.

Prior to coming back to the hospital industry, I spent six years in the disability insurance industry, where top management and Boards take both insider threat and the actual risk matrix of PHI breach very seriously. I believe the hospital industry can learn a valuable lesson from the disability industry. This lesson can be summarized as

1. Take the real risk matrix seriously.
2. Put the proper amount of technological and human resources in place in alignment with the actual risk profile.
3. Buy the best technology available, update it as frequently as possible, and get proactive rather than reactive.
4. Educate and remind your staff constantly of proper behavior and the consequences of improper behavior (up to and including being terminated).
5. Don’t overly rely on cyber risk insurance.
6. Review the CISO’s reporting structure (avoid natural conflicts of interest with the CIO) and have them report to the board for an independent assessment of privacy/insider threat status on a regular basis.

As difficult and expensive as hospital data security is, it is both mandatory to protect patients and part of the price of admission to the market. Although we are in a constant battle to stay one step ahead of the bad guy, we often find ourselves one step behind. That, I’m afraid, is the nature of the beast.

Let’s place privacy/insider threat on an equal footing with the real risks associated with it. It simply makes sense to do so, from the patient, risk, financial, and fiduciary perspectives.

Robert B. Kuller is chief commercial officer for Haystack Informatics of Philadelphia, PA.

Readers Write: The Surgeon General’s Rallying Cry Against the Opioid Epidemic Must Also Be a Call to Arms for Healthcare IT

The Surgeon General’s Rallying Cry Against the Opioid Epidemic Must Also Be a Call to Arms for Healthcare IT
By Thomas Sullivan, MD

In a rare open letter to the nation’s doctors, US Surgeon General Vivek Murthy, MD, MBA sounded a rallying cry to engage their greater participation in the opioid-abuse crisis afflicting our country. Missing from the USSG’s commendable call to arms, though, was mention of the role technology plays in reducing drug diversion and doctor shopping and providing ready access to services to support patients.

Those of us in healthcare IT know that we are critical to this cause. The USSG is talking to our customers, and we know our customers aren’t adopting as quickly as they could the substance abuse-fighting technologies that are widely available to them. This includes a variety of technology solutions such as:

• E-prescribing technology, particularly EPCS to support the electronic prescribing of controlled substances, which is key to helping providers more efficiently deploy and monitor prescription medicines being prescribed or over-prescribed across a practice.
• Medication adherence monitoring technology that lets providers gauge in real time, at the point of encounter, a patient’s level of compliance with drug therapy and provide patients with evidence-based support and services for self-management.
• Clinical decision support that helps doctors avoid adverse drug events and medication errors.
• State-run prescription drug monitoring programs (PDMPs) designed to help law enforcement track the use of controlled substances and help prescribers identify doctor shoppers and others seeking illicit access to controlled substances.

Specific to the opioid abuse epidemic, the most important next step is for physicians to be able to check PDMPs within their normal workflow. Simply said, the integration and availability of PDMP data within e-medication management solutions — e-prescribing, medication history services, medication adherence tools and the like — will result in the greatest use of PDMP data and the best one-two tech-assisted punch we have in the opioid battle.

Over the past two years, policymakers have begun to take action in using EPCS to address this crisis. This past March, New York State took a major step toward this goal when it began requiring e-prescriptions for all controlled substances as well as all non-controlled substances, frequently referred to as “legend drugs.” Known as I-STOP, the Internet System for Tracking Over-Prescribing act, originally passed in 2012, New York’s experience now serves as a case study for other states that wish to modernize their prescribing infrastructure and address opioid abuse.

Maine as well now will require opioid medications to be prescribed electronically via Drug Enforcement Agency-certified EPCS solutions beginning in July 2017. Several other states including Massachusetts, Missouri and Maryland are also considering or working to pass mandatory EPCS requirements for prescribers.

Unfortunately, neither New York nor Maine PDMP data is currently accessible to health IT vendors for integration into the prescribing workflow of providers.

E-prescribing – the direct digital transfer of patient prescriptions from provider to pharmacy – is broadly recognized as an important tool in helping promote patient safety, convenience, and overall efficiency for all stakeholders in the prescription process. E-prescribing is well understood to assist prescribers by allowing patients and doctors to better guard against medication errors, such as drug-to-drug interactions, reduce common errors inherent in paper-based prescribing — including illegible handwriting, misinterpreted abbreviations, and unclear dosages, — and provide critical decision support tools.

Despite the fact that, nationwide, more than 70 percent of doctors transmit most prescriptions electronically, the vast majority of these prescriptions are only for legend drugs. In comparison, less than 10 percent are using EPCS solutions to e-prescribe controlled substances. However, in New York, the I-STOP legislation has driven adoption of EPCS to over an estimated 70 percent. As such, all indications are that the laws passed in New York and Maine mandating use of EPCS and PDMPs will almost certainly prove helpful in curbing opioid abuse, fraud, and diversion and help prevent possible addiction down the line.

However, full adoption of PDMPs will likely never be achieved until the PDMP information is accessible in the doctor’s technology workflow. Ultimately, the opioid-abuse battle needs to be fought through states enabling their respective PDMP data to flow through doctors’ own workflows, as opposed to requiring that physicians and clinicians go outside their familiar software tool and interact with a separate portal in order to access their respective state PDMP databases.

In the case of New York State, the Medical Society of the State of New York conducted a survey that found a large percentage of prescribers believed that forcing mandatory compliance was placing an undue burden on their practices. No doubt, physicians feel overburdened with IT mandates. Improving integration between PDMPs and electronic health records will alleviate some of these burdens and allow for better compliance.

States must work more closely with the healthcare community to remove obstacles that will allow as close to 100 percent compliance as possible. Every state has the opportunity to learn from New York to smooth implementation and drive adoption to make a meaningful impact on the growing opioid abuse epidemic. Leadership in healthcare IT companies must be more vocal about our role and responsibilities in enabling doctors on the ground.

With the US Surgeon General weighing in, those of us in the healthcare IT community must rise up to make our voices heard. The importance of integrating e-medication management tools and EPCS solutions with PDMP data cannot be overestimated. It is the best path toward helping our customers — the doctors — make the right decision, at the right time, with the right data, on the right platforms.

Thomas Sullivan, MD is chief strategy and privacy officer of DrFirst of Rockville, MD.

Readers Write: The Electronic Health Record and The Golden Spike

The Electronic Health Record and The Golden Spike
By Frank D. Byrne, MD

On May 10, 1869, at a ceremony in Utah, Leland Stanford drove the final spike to join the first transcontinental railroad across the US. Considered one of the great technological feats of the 19th century, the railroad would become a revolutionary transportation network that changed the young country.

For the past few years, the healthcare industry and the patients in its care have experienced a similar “Golden Spike Era” through the deployment of the electronic health record (EHR). Others have used this analogy, including author Robert Wachter, MD at a recent excellent presentation at the American College of Healthcare Executives 2016 Congress on Healthcare Leadership.

Why is this comparison relevant? While the Utah ceremony marked the completion of a transcontinental railroad, it did not actually mark the completion of a seamless coast-to-coast rail network. Key gaps remained and a true coast-to-coast rail link was not achieved until more than a year later and required ongoing further improvements.

Similarly, while a recent study indicated that 96 percent of hospitals possessed a certified EHR technology and 84 percent had adopted at least a basic EHR system in 2015, there is still much more needed to achieve optimized deployment of the EHR to make healthcare better, safer, more efficient, and to improve the health of our communities.

Nonetheless, the EHR is one of the major advances in healthcare in my professional lifetime. It is an essential tool in progress toward the Institute for Healthcare Improvement’s “Triple Aim for Healthcare”– better patient experience, lower per-capita cost, and improved population health. We cannot achieve those laudable goals without mining and analyzing the data imbedded in the EHR to generate useful information to guide our actions. Advances in data science are enabling the development of meaningful predictive analytics, clinical decision support, and other tools that will advance quality, safety, and efficiency.

But there is much work to do. Christine Sinsky, MD, vice president of professional satisfaction for the American Medical Association, and others have written with concern about dissatisfied physicians, nurses, and other clinicians who feel the EHR is distracting them from patients care and meaningful interactions with their patients.

“Contemporary medical records are used for purposes that extend beyond supporting patient and caregiver … the primary purpose, i.e. the support of cognition and thoughtful, concise communication, has been crowded out,” Sinsky and co-author Stephen Martin, MD note in a recent article.

Perhaps you’ve also seen the sobering drawing by a seven-year-old girl depicting a doctor focused on the computer screen with his back to her, his patient.

Some of the EHR’s shortcomings may be the result of lack of end user input prior to implementation, possibly due to the implementing organization not incorporating the extensive research gathered by the EHR providers. Further, even if one gets end-user input prior to implementation, there’s always challenges prior to go-live, and it seems to me that optimization after implementation has been under-resourced. And let’s not look at temporary ”fixes” as the best and final answer. I was dismayed recently to see “hiring medical scribes” listed as one of the top 10 best practices in a recent Modern Healthcare poll.

Don’t get me wrong, to have a long game, you must have a successful plan to get through today, and if hiring scribes can mitigate physician dissatisfaction until the systems are improved, so be it. But scribes are a temporary work-around, not a system solution.

As an advisor to an early-stage venture capital fund, I’ve enjoyed listening to many interesting and inspiring pitches for new technology solutions. Initially, my algorithm used to rate these ideas was:

• Is it a novel idea?
• Will enough people or organizations pay for it?
• Do they have the right customer?
• Do they have the right revenue model?

Thanks to the input of physicians, nurses, therapists, and other clinicians, and the work of Dr. Sinsky and others, I quickly added a fifth, very important vital sign: Will it make the lives of those providing care better? Similarly, author, speaker and investor Dave Chase added a fourth element to the Triple Aim, caregiver experience, making it the Quadruple Aim.

When I was in training, we carried the “Washington Manual” and “Sanford’s Antimicrobial Guide” in the pockets of our white coats as references and thought we had most of the resources we needed to provide exceptional care. Now, caregivers suffer from information overload of both clinical data and academic knowledge. Some query Google right in front of their patients to find answers.

In healthcare today, we work within a community of diverse skills and backgrounds, including clinicians, non-clinicians, computer scientists, EHR providers, administrators, and others. To achieve our goal of improving health and healthcare for individuals and communities, we must work together to organize, structure, mine, and present the massive amounts of data accumulated in the EHR. To me, the concept of population health is meaningless unless you are improving health and outcomes for my family, my friends and me. Just as the placement of “The Golden Spike” was only the beginning of railroad transportation becoming a transformational force in American life, the fact that 96 percent of U.S. hospitals possess a certified EHR is just the beginning.

I have been accused of being a relentless optimist, but I firmly believe we can use the EHR to improve the caregiver and patient experience (I believe patients will and should have access to their entire medical record, for example), and fulfill the other necessary functions that Sinsky and Martin describe as distractions from the medical records’ primary purpose: “quality evaluations, practitioner monitoring, billing justification, audit defense, disability determinations, health insurance risk assessments, legal actions, and research.”

Lastly, there is one more similarity to “The Golden Spike.” In 1904 a new railroad route was built bypassing the Utah track segment that included that historic spot. It shortened the distance traveled by 43 miles and avoided curves and grades, rendering the segment obsolete. Already, many EHR tools, applications and companies have come and gone. Many of the tools we use now remain rudimentary compared with what we really need. We must use what we have to learn and continuously improve, and frankly, we need to pick up the pace. The patients, families and communities depending on us deserve no less.

Frank D. Byrne, MD is the former president of St. Mary’s Hospital and Parkview Hospital and a senior executive advisor to HealthX Ventures.

Readers Write: Moving Beyond the App: How to Improve Healthcare Through Technology Partnerships

Moving Beyond the App: How to Improve Healthcare Through Technology Partnerships
By Ralph C. Derrickson

As the pace of change in the US healthcare system increases, we are seeing inspiring progress in access and care delivery driven in part by the adoption of telemedicine and other technology-enabled care models. Health systems are embracing virtual medicine as a way to serve their patients and communities by meeting their budget and lifestyle needs. Health systems are trying to match the consumer experience of other Internet services by delivering new care models that give patients better care, save them time, are easier on their wallets, and keep them within the health systems they already know and trust.

While the prospects for technology are enormous, there are downsides that have to be avoided.

Healthcare isn’t an app. We all use apps to conduct business, purchase products, and get our entertainment fix from our favorite mobile games and streaming media services. The idea that we could put an app in a patient’s hand to diagnose or treat them is very appealing. When that app is offered as part of a comprehensive set of integrated treatment options, there are reasons to be very hopeful. But when it’s offered outside a local health system, it leads to fragmentation, excessive prescribing, and even worse, inappropriate treatment.

Simply aggregating providers using the Internet is bad medicine. App developers and their networks of doctors – who are paid on a per-visit basis – have used technology to bring out the worst of fee-for-service care. The data on telemedicine prescribing rates, visit durations, and management rates is in and it isn’t pretty. If the expectation is that the patient’s needs will be met with a telemedicine visit, it becomes a failure when the patient doesn’t get treatment or a prescription.

There’s no doubt the provider is doing their best to serve the patient, but without a place to send the patient for in-person care, they’re stuck trying their best to meet the patient’s needs. In fact, a study in JAMA Internal Medicine shows that the quality of urgent care treatment varies widely among commercial, direct-to-consumer virtual care companies. Their transactional models for medicine also offer no integrated next step for the patient and no connection to a broader spectrum of care.

Health systems need an approach that runs counter to telemedicine/app developer trends. An integrated virtual clinic enables health systems to extend the service offering in clinically appropriate situations and build on the trust they have earned from patients in years of service to their community. Payment models can come and go, but the patient’s reliance on a doctor in a time of need should never be compromised by the method of access or their payment system.

Health care is challenging. I’ve referred to it as the Three Hopes: I hope it’s not serious, I hope I can see my doctor, and I hope it’s paid for. Countless studies have shown that the proven, most cost-effective health care model is to have access to primary care doctors and great doctor-patient relationships, two qualities that are part and parcel of a strong health system. However, most app-centered telemedicine companies have no connection to a patient’s primary care provider, leading to care fragmentation instead of care continuity.

Through all of this, the greatest institutions of clinical excellence – our health systems – are losing the arms race for patients, especially as the healthcare market continues to consolidate and health systems face fierce competition from their peers to attract and retain patients. Health systems simply don’t have the marketing engines of app-centered telemedicine providers and pharmacies who are fighting tooth and nail for patient acquisition.

Many health systems have yet to figure out how to adapt to a consumer-directed model while continuing to provide quality care. The same patients who want convenience first and foremost are often unable to accurately judge the quality of care received through most telemedicine methods. For health systems and patients to succeed, virtual care must be part of a broader care continuum and tightly integrated within health systems.

Keeping patients within the systems they already know and trust provides an invaluable convenience and allows opportunities to refer patients to appropriate care when an ailment cannot be treated virtually. Those referrals offer a chance to reconnect patients to health systems rather than their using a high-cost option like an emergency department or a quick fix like an app-centered retail clinic.

This is especially important as the industry shifts to fee-for-value reimbursement.

An approach that integrates virtual care within health systems ensures patients get the same quality of care that they would receive from an in-person visit. Patients have a better chance of understanding their own health, as trusted physicians give patients the information they need to become educated healthcare consumers. For health systems, integrated virtual care puts them in the driver’s seat on how care is delivered and managed, whereas an app-centered approach might not meet metrics of quality nor the needs of the patients they already serve.

App-centered telemedicine has no place in our health care system. This approach to addressing the changes in healthcare is robbing patients of the type of care they deserve.

There is no reason for the Three Hopes of healthcare to be points of uncertainty or stress for patients. I see great promise among leading hospitals and health systems who are alleviating this uncertainty with integrated virtual care. They realize they know how best to treat a patient – apps do not. Virtual care that’s integrated into a provider network is best equipped to put quality at the center of care now and in the future.

Ralph C. Derrickson is president and CEO of Carena, Inc.

Readers Write: Moving and Sharing Clinical Information Across Boundaries

Moving and Sharing Clinical Information Across Boundaries
By Sandra Lillie

In Gartner’s recent depiction of the Hype Cycle for Healthcare Technology, Integrating the Healthcare Enterprise (IHE) XDS has now progressed well past early adopters and rapidly toward productivity and optimization. In many regions outside the United States, it is the de facto standard for content management, and within the US, it is receiving increasing consideration for adoption in use cases supporting specialty images, standards-based image sharing and the like.

XDS is a suitable foundation for integration of clinical systems, and as noted earlier, is more widely adopted in EMEA for this purpose. It is capable of moving and sharing clinical information within and between organizations and capable of creating a patient-centric record based on multiple document (types).

XDS centralizes registration of documents, reducing the problem of deciding which system holds “the truth.” Focusing on “standardizing the standards,” XDS supports the moving and sharing of clinical information across boundaries, both within and between enterprises. This is increasingly vitally important in delivering patient-centered care across the care continuum.

Today we also have XDS-I, also referred to as XDS.b for Imaging. It is built upon the XDS.b profile with one key difference – the actual DICOM imaging study stays put in its original location until requested for presentation. This is accomplished by registering the location of the imaging study in the XDS registry while using a vendor-neutral archive that is smart enough to serve as its own XDS-I repository.

DICOM is a standard format for the storage and communication of medical images, such as x-rays. Instead of publishing the document (which would be large in imaging) to the repository, however, the imaging document source (the VNA in this case) publishes a “manifest.” This manifest contains an index of all the images within a study, coupled with a path to the VNA where they can be retrieved. This reduces the amount of data that has to move around, allowing for more efficient image sharing while minimizing the complexity and costs of image storage.

What are the implications to healthcare organizations of using XDS?

• Documents retain their native format, allowing ready viewing by applications.
• Standards support interoperability and sharing of both documents and enterprise image studies.
• IHE conducts annual Connectathons in the United States and Europe to validate interoperability and enable widespread ability for vendors to act as sources and suppliers of content.

Major benefits include:

• XDS enables movement and sharing of clinical information across boundaries, both within and between enterprises. This capability is increasingly important in delivering patient-centered care across the continuum, supporting the organization of documents across time in a patient context, allowing clinicians to realize a more complete picture of the patient.
• XDS offers a lower-cost method for implementing care coordination through a solution that can easily respond to queries for patient-centered documents and enterprise images.
• Use of standards simplifies healthcare IT integrations, requiring less administrative overhead.

Now is the time for US healthcare providers to seriously consider the advantages of XDS. XDS profiles provide an effective alternative for managing clinical content exported from legacy (sunsetted) systems and for supporting healthcare information sharing.

Sandra Lillie is industry manager for enterprise imaging for Lexmark Healthcare.

Readers Write: Why Reverse Mentoring is Beneficial for HIT Employees

Why Reverse Mentoring is Beneficial for HIT Employees
By Frank Myeroff

Reverse mentoring is when seasoned HIT professionals are paired with and mentored by the younger Millennial generation for the reasons of being extremely tech savvy, fast to adopt new technology, and not afraid of trying new things. In addition, it helps to bridge the gap between generations.

Reverse mentoring was introduced in the 1990s by Jack Welch, chairman and CEO of General Electric at that time. While it’s not exactly new, it’s gaining popularity fast. More and more organizations are recognizing the value of reverse mentoring and are developing formalized programs to ensure best practices in order to yield success. They believe that Millennials are well suited as mentors to help maximize HIT use and adoption in order to move organizations forward in this digital age.

Additionally, with the ever-changing landscape of technology and tools used in the HIT field, reverse mentorship can be extremely beneficial:

• Young, fresh talent has a chance to share their skills, knowledge, and fresh perspectives with more senior employees. Hospitals and health systems often look for their HIT professionals to use technology to improve patient care, lower costs, and increase efficiency. This means that the latest technology is routinely sought. Organizations know that tech savvy younger generations will catch on to this quickly, presenting an opportunity for them to share their knowledge with a different generation. Not only HIT systems, but also technology and platforms such as social media could be unique topics for Millennials to share information and ideas on.
• Creates a way for separate generations to build working relationships with one another. Reverse mentorship can help junior HIT employees feel more needed, confident and comfortable communicating with higher-up employees working together on projects or even in meetings. Additionally, this could create more cohesion in the workplace and begin to break down perceived barriers and stereotypes of each generation.
• Gives junior employees a higher sense of purpose in the organization. Implementing a reverse mentorship program gives young HIT professionals a sense of empowerment and the idea that they are making an impactful contribution to the company. This in turn, could help increase retention and help to shape future leaders in the organization.
• Continues to provide ways for senior employees to share their knowledge as well. Although called reverse mentorship, this type of program offers a two-way street for employees of all ages to learn from one another. Experienced professionals in the HIT field are able to share their insights and knowledge, in addition to learning new things.

While reverse mentorship can be extremely beneficial in the HIT industry and especially any industry with a tech focus, there are several conditions this type of relationship depends upon:

• Trust. Each person needs to trust the other and put effort into bettering both careers.
• Open mindedness. In a reverse mentorship, both employees will act as a mentor and a mentee and need to show a willingness to teach, but also a willingness to learn.
• Expectations and rules. It will be important for both parties in the mentorship to communicate what they are looking to get from the relationship as well as staying committed to the process.

Reverse mentorship is an innovative way to bring together generations of employees to share knowledge. In addition, today’s Millennial mentors will be tomorrow’s chief healthcare officers. We will depend on them to lead the IT department and create strategies on how to handle the growing amount of digital data for healthcare workers and new ways to support technologically advanced patient care modalities.

Frank Myeroff is president of Direct Consulting Associates of Cleveland, OH.