The American Heart Association, Verily Life Sciences, and AstraZeneca have awarded their $75 million “One Brave Idea” research award to a single researcher, Calum MacRae, MD, chief of cardiovascular medicine at Brigham and Women’s Hospital (MA), who will work with MIT engineers to analyze data from the Framingham and Million Veterans studies to learn more about how heart disease begins.
The Surgeon General’s office confirms that hackers have stolen the personal information of its staff, including 6,600 medical professionals that report to the Surgeon General.
After increasing his stake in CHS, Chinese billionaire Tianqiao Chen says that the health systems recently enacted ‘poison pill’ defense is unnecessary. A spokesperson states “We believe it is important to reiterate our previously stated position of being a passive investor in the company. We have no intention to influence or control the company and have communicated this to the company on various occasions.”
Geisinger Health System has paid out $400,000 in reimbursements as part of a money-back guarantee to patients who say that their experiences were not met with kindness and compassion.
October 5, 2016Readers WriteComments Off on Readers Write: Guaranteeing MACRA Compliance at the Point of Care
Guaranteeing MACRA Compliance at the Point of Care By David Lareau
MACRA will affect every physician and every clinical encounter. Current systems have been designed to produce transactions to be billed. MACRA will require that clinical conditions have been addressed and documented in accordance with quality care guidelines. The only way to ensure that happens is to do it at the point of care.
The challenge is that physicians need to address all conditions, not just those covered by a MACRA requirement. One approach is to just add another set of things to do, slowing doctors down and getting in their way. This is the transactional approach — just another task.
Most current systems have different tabs that list problems, medications, labs, etc. Users must switch back and forth looking for data. The data cannot be organized by problem since the systems lack any method for correlating information based on clinical condition. Adding another set of disconnected information to satisfy quality measures will only make it worse for users.
A better approach is to integrate quality care requirements for any condition with all the other issues the physician needs to address for a specific patient and to work it into a physician’s typical workflow. A well-designed EHR should have a process running in the background that keeps track of all applicable quality measures and guidelines for the patient being seen. The status of all quality measures must be available at any point in the encounter in a format that ties all information together for any clinical issue.
This requires actionable, problem-oriented views of clinical data, where all information for any clinical issue is available instantly. Physicians need to be able to view, react to, and document clinical information for every problem or issue addressed with the patient. This includes history and physical documentation, review of results, clinical assessments, and treatment plans as well as compliance with quality measures.
Guaranteeing MACRA compliance at the point of care can be accomplished by using a clinical knowledge engine that presents all relevant information for any clinical issue so that MACRA quality measures are seamlessly included as part of the patient’s overall clinical picture, not as just another task to be added on to the already burdensome workflows of current systems.
Readers Write: Telemedicine Is Just Medicine By Teri Thomas
Telemedicine. MHealth. Remote healthcare. What’s the best term for a given use case? A large portion of my job is focused on it, yet my answer is, “I don’t much care what term you use.”
Well, I guess I care a little if I see confusion getting in the way of progress. Don’t get me wrong — I’m glad that nobody has been saying “mMedicine” yet (would that be like, “mmm…medicine” or “em-medicine?”) I don’t love “virtual health” as it makes me wonder if I watch lots of exercise shows and raw food infomercials, could I get virtually healthy?
Defining telemedicine as a subset of telehealth related to direct care at a distance vs. provision of healthcare-related services at a distance, while correct—who cares? Consider if when indoor plumbing was new, people discussed “s-water” (out of a stream), vs. “i-water” (from in the home). I guess i-water would be better than p-water from pipes (it’s OK to giggle a little — be a middle-schooler for a minute). We care about perhaps three factors:
Is it modified/sparkling/flavored?
Do we have to pay for it (bottled water vs. tap water)?
Is it clean enough to drink?
Medicine is medicine. Healthcare is healthcare. It’s care: good, bad, and a ton in the middle. Yet I hear murmurs like, “Telemedicine isn’t good quality healthcare.” That’s like saying tap water isn’t good enough to drink because you’ve spent time in Flint.
Good quality care isn’t determined by the location of the provider or patient. Care can be done very well without requiring the patient and the clinician to be in the same room. It can also be done very poorly. Probably the majority of it — just like when the doctor and patient are together in a room — is not perfect, not bad, and mostly OK.
Not every type of visit is appropriate over video, but many types are. In dermatology, providers have been using photos for decades. Camera cost and image resolution have dramatically improved so that even inexpensive systems can provide more image detail than a physician with the sharpest of vision. Stethoscopes, lights, cameras, video connections, telephones—all are tools to help us practice medicine better. Sometimes the tools work great and are helpful and sometimes not.
If the Internet connection is slow or the battery dies, quality is impacted. But think for a minute about the impact on quality of care for the physician who had an extra-complex first appointment and is running an hour or more behind. The patients are stacking up and getting upset about their wait times. The clinic day is lengthening. The pressure to catch up mounts. Finally, consider the patient taking off work, driving to a clinic, parking, sitting in a waiting room with Sally Pink Eye, feeling at bored at best and anxious and angry at worst about their wait times.
How high of quality will that encounter be compared to the patient connecting with the provider from home or work? The patient didn’t have to drive, and even if waiting, likely they were in a more comfortable environment with other things to do.
Keep in mind that if the patient were physically there in the dermatology office and the lights went out or the dermatologist’s glasses were suddenly broken, it would be very hard to provide a quality exam. For a remote derm visit, if you can ensure reliable “tool” quality (history from the patient and/or GP, high enough resolution video/images, clear audio), why should there be a care quality concern? Yet these kinds of “visits” — heavily image-focused encounters — are still traditionally accomplished by asking a patient come to the provider.
Thank you to Kaiser and other telemedicine leaders for providing us with the validating data: remote visits can be done with high quality, lower costs, and positive quality care and patient satisfaction outcomes. On behalf of patients who are increasing expecting more convenient care, healthcare providers who are hesitant — please invest in video visit technology and seek opportunities to provide more convenient care for your patients. Payers, please recognize that this is in everyone’s best interest and start financially rewarding those providers.
Teri Thomas is director of innovation for an academic medical center.
October 5, 2016Readers WriteComments Off on Readers Write: What Hospitals Can Learn from the Insurance Industry About Privacy/Insider Threat Risk Mitigation
What Hospitals Can Learn from the Insurance Industry About Privacy/Insider Threat Risk Mitigation By Robert B. Kuller
The drumbeat of hospital PHI breaches marches on. Every day there seems to be another news article on a hospital being hit with a ransomware attack. Hospital CEOs and bards are placing ever-increasing demands on their CIOs to pour technology and resources into preventing these perimeter attacks.
Who can blame them? They don’t want to have to appear before the media and explain why the attack wasn’t prevented given the current high threat environment, how many patients records were affected, and how they will deal with the aftermath of the breach.
Even though these perimeter attacks are no doubt high profile, there is a larger threat that is not being given high enough attention by CEOs or their boards and certainly not the same level of technology and resources to deal with it — privacy and insider-borne threats. According to a recent study by Clearswift, 58 percent of all security incidents can be attributed to insider threats (employees, ex-employees, and trusted partners).
The primary causative factors were identified as inadvertent human error and lack of awareness or understanding. Only 26 percent of organizations are confident they can accurately determine the source of the incident. There are plenty more statistics to throw around, but suffice to say, insider threat is a major problem and represents a large part of hospital breaches even though they do not routinely get the same level of media coverage.
Let’s take a quick review of what the hospital landscape looks like in terms of dealing with insider threat today. Most privacy staff are very small, usually about two people. They are charged with identifying potential breaches; investigating those identified potential breaches to determine actual breaches; interfacing with department heads; internal, and regulatory reporting on actual breaches; putting together a breach reaction plan; assisting with staff education; and preventing future breaches. With a typical 400-bed hospital exceeding five million EHR transactions per day — all of which need to be reviewed — any reasonable person would conclude that is a very high set of expectations for such a small staff.
The vast majority of hospitals continue to use inferior, outdated technology because of severe budget limitations that are applied to the privacy function, while tens of millions of dollars are spent on perimeter defenses. The capabilities of these systems are very limited and basically dump tens of thousands of audit logs entries into Excel spreadsheets that need to be reviewed by the privacy staff. Cutting edge, behaviorally-based systems with advanced search engines, deep insight visualization, and proactive monitoring capabilities are available, but not regularly adopted.
Privacy/insider threat is primarily viewed as a compliance issue. Many hospital CEOs and boards justify giving low priority and resources to this area by looking at the potential fines that OCR will levy if their hospital’s PHI is breached. In fact, the fines are relatively low; breaches have to break the 500-record threshold (although OCR recently announced an effort to delve into breaches below this threshold); you have to be found guilty of not doing reasonable due diligence; and you are given multiple chances at correcting bad practices prior to fines being assessed. Combine this with an overreliance on cyber risk insurance and you have a potential for disaster.
The actual risk profile should start first and foremost with loss of hospital reputation. A hospital brand takes years and millions of dollars to build. One privacy breach can leave it in ruins. The second risk is patient loss and the associated costs of replacing those patients. A recent poll by Transunion showed that nearly seven in 10 respondents would avoid healthcare providers that had a privacy breach. The third major risk is lawsuits, legal costs, and settlements. Settlement costs are large and juries generally rule against institutions and for the damaged plaintiff. Fourth would be compliance.
There also seems to be a misunderstanding of cyber risk insurance. Like other insurance, it will not reward bad practices or flawed due diligence on behalf of the policyholder. Insurers will do a pre-audit to make sure that the risk they are undertaking is understood, that proper prevention technologies are in place, and that best practices are being documented and followed. Once a breach has been claimed, they will generally send out another team of investigators to determine if the items mentioned above were in place and best efforts were maintained during the breach. If they weren’t, this could lead to a denial or at least a prolonged negotiating process. Premium costs will also be reflective of level of preparedness and payouts generally do not cover anywhere near the full costs of the breach.
Prior to coming back to the hospital industry, I spent six years in the disability insurance industry, where top management and Boards take both insider threat and the actual risk matrix of PHI breach very seriously. I believe the hospital industry can learn a valuable lesson from the disability industry. This lesson can be summarized as
Take the real risk matrix seriously.
Put the proper amount of technological and human resources in place in alignment with the actual risk profile.
Buy the best technology available, update it as frequently as possible, and get proactive rather than reactive.
Educate and remind your staff constantly of proper behavior and the consequences of improper behavior (up to and including being terminated).
Don’t overly rely on cyber risk insurance.
Review the CISO’s reporting structure (avoid natural conflicts of interest with the CIO) and have them report to the board for an independent assessment of privacy/insider threat status on a regular basis.
As difficult and expensive as hospital data security is, it is both mandatory to protect patients and part of the price of admission to the market. Although we are in a constant battle to stay one step ahead of the bad guy, we often find ourselves one step behind. That, I’m afraid, is the nature of the beast.
Let’s place privacy/insider threat on an equal footing with the real risks associated with it. It simply makes sense to do so, from the patient, risk, financial, and fiduciary perspectives.
Robert B. Kuller is chief commercial officer for Haystack Informatics of Philadelphia, PA.
Comments Off on Readers Write: What Hospitals Can Learn from the Insurance Industry About Privacy/Insider Threat Risk Mitigation
UK researchers working to capture MRI scans of the brains of 100,000 people and then combine the data along with detailed health questionnaires from each person have released an early data set from the first 5,000 subjects to participate in the study.
The World Health Organization is developing an app to guide less skilled clinicians through labor-related clinical emergencies in sub-Saharan Africa in an effort to reduce child and maternal death rates.
While campaigning for his wife, Bill Clinton drew immediate attention when he described the ACA as a “crazy system where all of a sudden 25 million more people have health care and then the people who are out there busting it, sometimes 60 hours a week, wind up with their premiums doubled and their coverage cut in half. It’s the craziest thing in the world.” He went on to reiterate that “the people that are getting killed in this deal are small businesspeople and individuals who make just a little too much to get any of these subsidies.”
Private equity firm Warburg Pincus will acquire Intelligent Medical Objects, according to an FTC pre-merger filing.
Reader Comments
From The Truth: “Re: lying on contracts. I know a major EMR vendor who does it.” Only one? However, allow me to take the other side of the argument: a client who rightly insists on a properly detailed set of terms and conditions with appropriate non-performance penalties makes vendor lying pointless. My experience is that while salespeople might on occasion embellish the truth, skate to where the puck is going in describing offerings that technically might not actually exist, and sometimes speak in soothing but non-binding generalities, wise customers include everything they expect in their contracts. Hospital people are often so exhausted by their product selection process and so loath to restart it that they subconsciously align themselves with their vendor in treating the contract as a relief-inducing ceremonial formality than what it really is – the only tangible manifestation of all that prep work and the sole protection against an undesirable future state. Don’t be that football player who spikes the ball and commences a showily choreographed celebratory dance before the ball has actually crossed the plane of the goal line.
From In the Know: “Re: eClinical Works. Has lost two huge customers in their own back yard that are switching to Epic – the physician networks of Boston Children’s Hospital and Mount Auburn Hospital.” Unverified.
From Twice Bitten: “Re: Streamline Health. Laid off half its financial management and scheduling team (the 13 year in a row KLAS winner).” Unverified. Streamline Health acquired patient scheduling system vendor Unibased Systems Architecture in early 2014. USA’s product has always ranked high in KLAS but is pretty low profile, both in terms of existing customers and in STRM’s promotional material.
From Freddie Kroger: “Re: [publication name omitted]. They just gave a big splash to their EHR satisfaction results. Note the small print: they received only 340 responses.” That didn’t stop them from running a bunch of brashly written articles that tried to sound authoritative but were embarrassing given the complete lack of statistically defensible methodology. They got even fewer responses than the 400 last year that fueled a ridiculous salvo of pointless articles and overly cute graphics. The survey also seems to confuse inpatient and ambulatory EHRs and fails to distinguish among multiple EHRs offered by a single vendor. It’s a worthless survey other than for fueling clickbait. I ended my critique of last year’s version by listing factors to ponder in deciding whether to trust a survey’s results:
How did you choose your pool of potential survey respondents? Was random sampling of a known population used?
How did you invite participation?
What was your survey’s sample size and response rate?
What were the characteristics of your survey’s non-respondents?
What is the motivation of those who responded? (unsatisfied people are more likely to respond in most cases).
What were the demographics of your respondents?
How did you prevent ballot box stuffing?
What did your survey instrument look like? Were your questions clear, unbiased, and appropriate for those surveyed? Did the sponsoring organization create bias (unintentional or otherwise) in the choice and wording of questions?
Does your survey report include raw data that prove its conclusions? What type of statistical methods did you apply in analyzing the responses?
Do your conclusions overreach the underlying data in trying to gain publicity with catchy headlines and graphics that aren’t supported? Do your published results state the limitations of the survey?
HIStalk Announcements and Requests
Thanks to Jenn for covering for me as I took a few days off. I’m happy nobody missed me so I could enjoy my little vacation without feeling too guilty. I love traveling with my Chromebook for instant-on connections with a fantastic keyboard instead of an on-screen one. It has fully replaced my tablet and laptop for traveling, other than using the tablet as a Kindle reader on planes.
I was unfortunately imprecise in last week’s poll question, where I was interested in learning how providers view the resumes of salespeople, but my poor wording suggested I was also cultivating the opinions of those in a sales hiring role. Nonetheless, I’ll go with the most important salesperson attributes as voted: (a) a lifetime career in health IT; (b) a healthcare professional degree; and (c) consulting experience. Since earning a non-healthcare graduate degree ranked low, nothing important on my list is easily undertaken by someone already in sales who wants to make a better LinkedIn first impression, which means that professionalism, honesty, and interpersonal skills rule the day. I’m an outlier in that military service ranks #1 on my list, especially if the person either graduated from one of the service academies, served as an officer, or deployed overseas.
New poll to your right or here: what speaker tendency annoys you the most when attending a conference session or webinar? Early returns suggest the same problems that we vigorously coach against when we help people make their planned webinar better.
Welcome to new HIStalk Platinum Sponsor Dimensional Insight. The Burlington, MA-based data analytics and business intelligence solutions vendor offers the award-winning (Best in KLAS in BI/Analytics for five years) Diver Platform, an end-to-end enterprise reporting and analytics system that provides actionable, role-based business intelligence. Capabilities include diabetes management, MU compliance, quality reporting, population health, payroll analysis, product line analysis, reimbursement management, asset utilization, EHR reporting, staffing requirements forecasting, and strategic planning. Specific solutions include Physician Performance Advisor, which brings all KPIs into a single application; Surgery Advisor for OR management; Meaningful Use Advisor that allows measuring, analyzing, and attesting from a single app; and GL Advisor for allowing finance departments to answer their own questions using data integrated from multiple systems such as accounting, payroll, and time and attendance. See the case studies. Thanks to Dimensional Insight for supporting HIStalk.
I found this just-published Dimensional Insight customer testimonial from Henry Mayo Hospital (CA) on YouTube.
Welcome to new HIStalk Gold Sponsor Kyruus. I like the company’s description of what it does as “precise demand-supply matching,” which advocates that as an alternative to standardizing medical practices into a one-size-fits-all model, we should instead “understand, measure, and embrace the heterogeneity” in identifying patient outliers and matching them with doctors who are best at managing their condition. I had marginally fond, acetone-fumed memories of organic chemistry classes in reading the origins of the company’s name, which is derived from the word “chiral” and features two U’s to represent using big data to unleash physician potential. The company’s ProviderMatch helps access centers and networks (and even patients themselves) connect patients with the right doctor, taking into account doctor expertise, insurance acceptance, locations, availability, demographics, and business rules to enable real-time provider search, scheduling, and referral instead of the creaky and nearly worthless “doctor finder” webpages offered by most hospitals. The company’s executive roster boasts folks with impressive backgrounds. Customers include Beaumont, Keck Medicine of USC, MedStar Health, MercyHealth, Partners HealthCare, Providence and Swedish. Thanks to Kyruus for not only supporting HIStalk, but for putting up an interesting and passionate website.
I found this Kyruus video called “The Patient Access Journey” on YouTube.
Listening: new from Metallica, which sounds just like Metallica. They aren’t the most musically amazing group and aren’t likely to extend their loyal fan base with this offering, but they stick to their Flying-V knitting nicely and remain intense on stage.
Webinars
October 13 (Thursday) 2:00 ET. “Glycemic Control During Therapeutic Hypothermia.” Sponsored by Monarch Medical Technologies. Presenter: Tracey Melhuish, RN, MSN, clinical practice specialist, Holy Cross Hospital (FL). Using therapeutic hypothermia (TH) as a method of care can present risks of hyperglycemia, hypoglycemia, and blood glucose variability. Maintaining safe glucose levels during the cooling and rewarming phases of TH reduces the risks of adverse events. Tracey Melhuish, author of “Linking Hypothermia and Hyperglycemia,” will share best practices for optimal glucose control during TH and the success Holy Cross Hospital sees while using a computerized glucose management software.
October 25 (Tuesday) 1:30 ET. “Data Privacy/Insider Threat Mitigation: What Hospitals Can Learn From Other Industries.” Sponsored by HIStalk. Presenters: Robert Kuller, chief commercial officer, Haystack Informatics; Mitchell Parker, CISSP, executive director of information security and compliance, Indiana University Health. Cybersecurity insurers believe that hospitals are too focused on perimeter threats, ransomware, and the threat of OCR audits instead of insider threats, which are far more common but less likely to earn media attention. Attendees will learn how behavior analytics is being used to profile insiders and detect unusual behaviors proactively and to place privacy/insider risk within the risk management matrix.
October 26 (Wednesday) 1:00 ET. “How to Create Healthcare Apps That Get Used and Maybe Even Loved.” Sponsored by MedData. Presenter: Jeff Harper, Founder and CEO, Duet Health. Patients, clinicians, and hospital employees are also consumers who manage many aspects of their non-medical lives on their mobile devices. Don’t crush their high technology expectations with poorly designed, seldom used apps that tarnish your carefully protected image. Your app represents your brand and carries high expectations on both sides. This webinar will describe how to build a mobile healthcare app that puts the user first, meets their needs (which are often different from their wants), creates "stickiness," and delivers the expected benefits to everyone involved.
Contact Lorre for webinar services. View previous webinars on our HIStalk webinars YouTube channel.
Acquisitions, Funding, Business, and Stock
Infor systems integrator Avaap acquires Falcon Consulting, which offers Epic consulting services that are ranked #1 in KLAS.
Consumer health site Sharecare, founded by TV huckster Dr. Oz, acquires BioLucid, which offers the You 3D human body simulator. The product might even accurately depict that portion of Dr. Oz’s anatomy from which his medical claims originate (it’s conveniently located right next to his wallet).
Wolters Kluwer will acquire patient engagement systems vendor Emmi Solutions for $170 million.
The innovations group of the ProMedica health system (OH) partners with app development technology vendor Kaonsoft to form Kapios health, which will apparently commercialize apps developed by ProMedica.
Cerner tells the Kansas City business paper that it will expand its revenue cycle management business “aggressively.”
Decisions
Cooperstown Medical Center (ND) will go live on Epic on November 2016 under the Community Connect program of Altru Health System.
Keefe Memorial Hospital (CO) went live on CPSI’s EHR and revenue cycle systems in June 2016, replacing systems from CPSI-acquired Healthland.
University Medical Center of Southern Nevada will replace McKesson Horizon with Epic in 2017.
These provider-reported updates are provided by Definitive Healthcare, which offers powerful intelligence on hospitals, physicians, and healthcare providers.
Spok hires Andrew Mellin, MD, MBA (RedBrick Health) as chief medical officer.
Announcements and Implementations
In Africa, the World Health Organization is completing development of a phone-based app that will help non-specialists manage pregnancies, hoping to reduce child and maternal death by applying the knowledge gleaned from the hospital records of 10,000 pregnant women in a “patients like me” model.
Varian Medical Systems releases its 360 Oncology care management platform that supports virtual tumor board meetings, care coordination, trials management, and patient engagement.
Providence Hospital North Houston (TX) goes live on Wellsoft’s EHR. It’s a micro-hospital, a small facility that offers full services but with only a handful of inpatient beds intended for short stay, often built by a large health system that can’t justify developing a full-sized hospital in an otherwise attractive geographic area. Advisory Board has a nice overview of the concept, which is pretty fascinating. That handful of beds might be enough even for larger areas if hospitals can ever be financially convinced to manage the health of the populations they claim to serve instead of feeding their never-ending edifice complex.
FormFast launches Connect, which guides patients through their healthcare experience by making sure they read and complete forms and checklists before and after each care event, such as for pre-admissions or post care follow up.
VMware adds smart glasses management features to AirWatch, the first unified endpoint management solution to extend into wearables.
Carevive Systems will offer a CME/CNE-accredited symposium on applying the IOM care management plan to patients with non-small cell lung cancer on October 26 in Philadelphia.
Government and Politics
Non-profit Maryland insurer Evergreen Health switches to a for-profit company as it brings in private equity investors to avoid its imminent shutdown, leaving intact only five of the 23 non-profit insurance co-ops funded by the Affordable Care Act. The insurer blames ACA’s risk adjustment program, which resulted in the company’s receiving a $23 million bill for not having as many expensive patients as other insurance companies. Its website (and perhaps its mission) might need an update since it continues to declare that, “for far too long, health insurance carriers have put profits ahead of people.”
Former President and would-be First Gentleman Bill Clinton, stumping on behalf of his wife, calls the Affordable Care Act “the craziest thing in the world” that has provided insurance for 25 million more people, but with premiums doubled and coverage halved because those individuals have no leverage with insurers since they aren’t part of a big risk pool. He advocates Hillary Clinton’s proposal to allow middle-class consumers who aren’t eligible for federal insurance subsidies to buy into Medicare and Medicaid.
Meanwhile, UnitedHealth Group’s startup Harken Health, which offered relationship-based, lower-cost ACA insurance plans and healthcare services, pulls all of its offerings from the marketplace and fires its founding CEO, citing huge losses due to – like even the less-hip insurance companies — unexpectedly older and sicker enrollees.
The DEA will require opiate drug manufacturers to decrease production by 25 percent next year, with the federal government trying yet again to impose a war on drugs by limiting the supply instead of the demand. The main result will be to drive up the street price and shift more addicts to impure street products that will in many cases kill them.
The US Surgeon General warns the 6,600 medical professionals of the Public Health Service that their information has been accessed by hackers.
An illegally operating medical marijuana dispensary in Canada exposes the identities of 500 of its customers when a now-fired employee uses CC: instead of BCC: in sending them a mass email.
Johnson & Johnson warns users of its Animas OneTouch Ping insulin pump, which the user controls via a Wi-Fi remote control, is susceptible to hacking, assuming the would-be hacker can get within 25 feet of it.
Innovation and Research
A UK-based project is studying 100,000 people in matching their brain imaging results to their demographic and medical history to identify early markers of age-related brain problems
Other
A fifth Texas man pleads guilty for his involvement in a scam in which the co-conspirators created a company called Cerner LLC and sold Summit Medical Center (OK) a new MRI machine. You might wonder how a surgery center’s due diligence could be insufficient to the point of not being aware that Cerner doesn’t sell MRI machines.
The mainstream press is amused that a hospital charged a father $39.95 to hold his newborn. They should be outraged that if he was a cash-paying customer, he would have been stuck with a $13,000 bill since he wouldn’t get the $5,600 discount extended to his insurance company.
In case you didn’t know, non-profit healthcare is a pretty big business.
Here’s some nicely dry wit from Acting CMS Administrator Andy Slavitt.
Medicomp Systems is hosting a sold-out training program in Bangkok, Thailand this week in which customers will learn how to integrate the company’s Quippe documentation tools into their EHRs.
Healthegy names Health Catalyst as its Digital Healthcare Innovator of the Year.
Optimum Healthcare IT launches a new website and branding.
Aprima will exhibit at the Patient-Centered Medical Home Congress October 7 in Chicago.
Audacious Inquiry releases a new video on “How to Reduce Hospital Readmissions.”
CompuGroup Medical releases a newly rewritten version of its Labdaq Teleios laboratory information system that includes best practices rules, an interactive performance dashboard, and an interface monitoring tool.
Bernoulli will exhibit at the American Association for Respiratory Care Congress 2016 October 15-18 in San Antonio.
Besler Consulting releases a new podcast, “Revenue recovery opportunities from class action settlements.”
CapsuleTech will exhibit at HIMSS Middle East October 12-13 in Riyadh, Saudi Arabia.
CTG’s Angela Rivera is featured in the San Diego Business Journal.
Cumberland Consulting Group Principal Taylor Ramsey speaks at the South Carolina HFMA Women’s Leadership Conference.
EClinicalWorks will exhibit at IPHCA’s 2016 Leadership Conference October 5-7 in St. Louis.
The Connecticut Technology Council and Marcum name Evariant to the Marcum Tech Top 40 list.
Two locations of Sutherland Healthcare Solutions earn URAC Credentials Verification Organization Accreditation, recognizing the company’s commitment to quality and best practices in the areas of credentialing, provider data management, claims administration, and population health solutions.
GE Healthcare creates a Centricity Partner Program.
A Journal of Diabetes Science and Technology study demonstrates Glytec’s superiority in meeting ADA guidelines.
HCS will exhibit at the NJ HFMA Annual Institute October 5-7 in Atlantic City.
Healthwise will exhibit at AdvancedMD Evo16 October 11-12 in Salt Lake City.
The last 43 hours has been some of the most agonizing time I’ve spent in the IT trenches in recent memory. I’ve been working with a client on a small CMIO augmentation project, mostly helping them get organized from a governance and change control standpoint. It’s a mid-sized medical group, roughly 80 physicians, but none of them want to take time away from patient care to handle the clinical informatics duties. I suspect that this is because they’re mostly subspecialists and there’s no way the group would be willing to compensate them for the time they would miss from their procedural pursuits.
Until I arrived on the scene, the IT resources would just build whatever the physicians wanted, regardless of whether it made sense for everyone. This in turn led to a whole host of issues that is impacting their ability to take the upgrades they need to continue participating in various federal and payer programs.
I’ve been spending eight hours a week or so with them, mostly on conference calls as they work through a change control process. Much of my work has been in soothing various ruffled feathers and in trying to achieve consensus on issues that have to happen regardless, but I hope to get them in a good place where they can be well positioned for the challenges of shifting to value-based care. Nothing at their site has been on fire from an operational standpoint, and other than telling the IT team to stop building whatever people ask for, I haven’t had much interaction with them.
I stayed up late Saturday night working on a craft project (curse you, Pinterest), so I was awake when they called me in the wee hours of Sunday morning. It was the IT director. I could immediately tell he was in a panic. It took several minutes to calm him down. I was able to figure out that something had gone very, very wrong with their ICD code update.
Hospitals and providers have to update their codes every October 1 to make sure they have valid codes that can actually be sent out to billers. Most cloud-based vendors do the updates themselves and push it out to their clients, while non-cloud vendors that I have worked with provide a utility that allows the client to update their systems. Usually it’s no big deal, except for the vendors who are habitually late sending out their update packages and whose clients are cringing on September 30.
This particular client is on a non-cloud format and had planned to run the utility on their own. Although they had a solid plan with a lead resource and a backup resource, they never really anticipated having to use the backup resource. On the evening of the 30th, the lead resource became seriously ill and wasn’t able to do his duties. They decided to wait it out a day since they weren’t open on the weekend and see if he could handle it later in the weekend. When he was admitted to the hospital with appendicitis, it was clear that they would have to engage Plan B.
Although the backup resource had gone through the documentation, he had never run the utility or even seen it run. Apparently there was some confusion with a downtime playbook. Users were supposed to be dropped from the system before the backup cycle started and then were to be allowed back on the system after the code update was complete.
Somehow the users weren’t forced to exit and ended up being on the system while the backups started. Once the analyst realized users were still on the system, he attempted to halt the backups, but instead, the ICD update was started. I’m not sure what happened next, but the bottom line is that the database became unresponsive and no one was sure what was going on. To make matters worse, the fail-over process failed and they couldn’t connect to secondary/backup database either.
A couple of analysts had tried to work on it for a while and couldn’t get things moving, so they tried to reach the IT director, who didn’t answer. I can’t blame him since it was now somewhere near 1:00 a.m. After working their way through the department phone list, somehow I got the call. I’m not a DBA or an infrastructure expert, but I’ve been through enough disaster recovery situations to know how to keep a cool head and to work through the steps to figure out what happened. Since crossing to the IT dark side, I’ve had more late night phone calls for database disasters than I’ve had for patient care issues, but the steps are surprisingly similar.
Things were a bit worse than I expected since they couldn’t tell if the transaction logs had been going to the secondary database since we couldn’t connect to it. Even worse, I looked at the log of users who were on the system when it crashed and the senior medical director had been in, potentially documenting patient visits for the day. It took me at least 20 minutes to talk people down and get them calm before we could make a plan. The next several hours were spent working through various steps trying to get access to the secondary database to preserve patient safety. It was starting to look like a network switch might also have given up the ghost.
What surprised me the most was that they really didn’t have a disaster recovery plan. There were bits and pieces that had clearly been thought through, but other parts of the process were a blank canvas. Although there are plenty of clinical informatics professionals who are highly technical, it’s never a good sign when the physician consultant is calling the shots on your disaster recovery.
We engaged multiple vendors throughout the early morning as we continued troubleshooting issues. The IT director finally responded to our messages around 8:00 a.m. I realize it was Sunday morning, but he was supposed to be on call for issues due to the ICD code update and he frankly didn’t respond.
By 4:00 p.m. things were under control, with both the primary and recovery systems up and appearing healthy. My client created a fresh backup and decided to go ahead with the ICD code update. We weren’t sure how much of it had actually run given the aborted process from the night before. It appeared to be running OK initially, but after a while, it appeared that the process was hung. By this point, the team was stressed out and at the end of their proverbial ropes and there wasn’t any additional bench to draw from.
I finally persuaded them to contact the EHR vendor, thinking they would have had resources available since this was the prime weekend for ICD code updates even though my client was now more than a day late. It took several hours to get a resource to contact us back and then we had to work through the various tiers of support. Eventually midnight rolled around again and things still weren’t ready, increasing the anxiety as the team knew they’d have billing office users trying to access the system starting at 5:00 a.m.
Once we arrived at the correct vendor support tier (aka, someone who knew something), the team was run through checklist after checklist trying to figure out what was going on and whether we should continue to let it run or whether we should try to stop it.
The IT director finally made the decision at 6:00 a.m. that the practices should start the day on downtime procedures, and thank goodness they had a solid plan for that part of the disaster recovery game. The practices were given access to the secondary database in a read-only capacity for patient safety purposes and each site was said to have a “lockbox” with downtime forms. The group subscribes to a downtime solution that creates patient schedules, so they were quickly printed in the patient care locations along with key data for the patients who were already on the books for the day. Anyone who presented as a walk-in could be accessed through the secondary database.
At least on downtime procedures, users weren’t assigning any ICD codes to the patient charts since the utility hadn’t completed yet. It was restarted a couple of times and finally got its act together, completing around 4:00 p.m. Monday. After an hour or so of testing, we were able to let users back in the primary system to start catching up on critical data entry and billing.
Most of the day, though, was extremely stressful, not only for the IT team, but for everyone in the patient care trenches. It was also stressful for the patients since the group has a high level of patient portal adoption and there is no backup patient portal. Anyone who sent messages or refill requests or tried to pay their bills today was simply out of luck.
When an event like this hits your organization, all you want to do is just get through it. That’s not the hard part, though – the challenge is just beginning with the post-event review and attempts to determine the root cause of various breakdowns. It usually takes at least a couple of days to untangle everything and the work is not yet over. I’m happy to report that the analyst with the appendicitis did well in surgery and was discharged home before the EHR system was back online. I’m not sure having the primary analyst would have made a difference in this situation. I hope he continues to make a speedy recovery.
You never know when something like this is going to happen in your organization, and if you haven’t prepared for it or practiced you plan, you need to do so soon if not today. Similar to the practice of medicine, sometimes the most routine events can have significant complications.
Are you ready for a downtime? Is your disaster recovery plan solid? Email me.
Community Health Systems (TN) has enacted a ‘poison pill’ stockholder protection agreement as Chinese billionaire and activist investor Tianqiao Chen increases his stake in the company to 9.9 percent.
Researchers from UCLA and Google’s Verily Life Sciences lab have miniaturized a microscope that can track biochemical reactions through the skin. Researchers see applications in remote patient monitoring and medication adherence.
Drew Harris, MD and director of health policy and population health at Thomas Jefferson University’s College of Population Health publishes an op-ed calling for an increased focus on analytics in medial, nursing, and health professional schools as providers continue to generate more data but struggle to generate meaningful intelligence from it.
Business Insider profiles Nat Turner and Zach Weinberg, founders of Flatiron Health, which secured a $130 million Google investment in its oncology clinical decision support software.
October 3, 2016InterviewsComments Off on HIStalk Interviews Michael Poling, SVP/GM, Infor Healthcare
Mike Poling is SVP/GM of healthcare for Infor of New York, NY.
Tell me about yourself and the company.
I’m general manager of healthcare at Infor. We’re a $3 billion software company. Healthcare is about $500 million of that. I came from Lawson Software and was previously at Siemens. My entire career has been in the healthcare IT industry.
As a vendor of an integration solution, what are the opportunities and challenges in an era where everybody wants interoperability?
In the world of acute care consolidation as well as extending care outside the walls of a hospital, data itself and the integration of data becomes mission critical in terms of analyzing patient outcomes married to cost. Everybody wants to understand what their cost is relative to delivering care as well as the satisfaction ratings that are wrapped around it. Data becomes the center of importance.
Does a new level of sophistication exist where health systems are aware of the incremental cost involved with delivering a particular service or a product?
Yes. There’s a need for healthcare to report on lines of business — both in terms of profitability, revenue as well as cost — because of where the industry is in terms of the switch from fee-for-service to more of a bundled fee for delivering care. It’s mission critical for my customers to understand where they’re making money and where they’re not. Line-of-business reporting has become mission critical for them.
What are the staffing, recruiting, and productivity challenges that health systems are dealing with given that a high percentage of their cost involves labor?
Going back to what I said before around the lines of business, you want to make sure that you’re focusing the right talent and the right job to perform the right service. That, married along with where a hospital can continue to remain profitable, is very important. It takes certain skills. If you take it to a specialty hospital, like a children’s hospital as an example, nurses and doctors who deal with children have a certain skill set, a certain mental approach, and a certain soft skill. That goes across the board, depending on what type of care that you’re delivering.
Specializing and understanding what certain behaviors are relative to delivering care and making sure that since 60 to 70 percent of the hospital’s expenses are related to labor, you want to make sure that you’re hiring the right people, that you’re onboarding them, that you’re keeping them for a long period of time to reduce those expenses.
Is the idea of clinical staffing based on patient acuity still controversial?
The industry is still hanging on to the idea. I would say that nobody’s mastered that. Having the right person at the right bedside with the right supplies and with the right skill, but also then maximizing your workforce productivity — that’s still nirvana or utopia.
There are products in the market that help with that, but getting to the point where you enter things in like seasonality as well as population health and population management to predict hospital inpatient stays as well as outpatient care delivery needs — that’s where we still need some assistance in the healthcare industry.
Floating nurses to cover other areas based on workload needs appeared to worsen patient outcomes because they weren’t as familiar with the workflows and relationships in those areas. Have hospitals improved that situation to give them more workforce flexibility?
It’s the reason that you’re seeing the world of the minute clinics and delivering care in mall settings as well as in the retail space. There’s a need to push those types of resources out to the population. That trend is going to continue, where you have more skilled labor outside of the acute care setting and putting them in those remote settings.
There’s a balance to that as well. You need to have people that continue to deliver family practice medicine, but specialize in some of the things that you’re talking about. The US is going to continue to have the need to push services out into the population. Balancing that with the costs that we’ve been talking about is the real challenge.
Do hospitals have the necessary expertise to run freestanding EDs, urgent care clinics, and population health management programs?
That’s a very good question. What I see is that there are more executives who are coming outside of healthcare into the healthcare world, as well as more physicians who are getting into IT-related services. The reason for that is that if you come from a manufacturing or retail world and understand things like distribution, workforce management, and the distribution channel, that’s different from somebody who has been in healthcare their entire career.
If you layer on top of that the care delivery path aspects that a doctor or nurse understands, that adds that layer of knowledge as well as flow to what needs to be delivered to remote locations that are delivering care.
How do hospitals use technology to help them continue to offer money-losing services by funding them from profitable lines of business?
There’s certainly a technology aspect to what you’re talking about. What I see is that there are more referral networks that are being built through affiliations, through relationships, through of course ownership and consolidation. You make decisions as a hospital what you can and you can’t do. Then you build affiliations around things that you need to deliver.
Labor and delivery is a good example of that. Heart would be another good example of that. If you have somebody who needs critical care related to a heart condition, you want to have an affiliation, a brother or sister hospital that you can send that person to given the time available to do that. I see that as driving the need for technology.
Building the referral network drives the need to then share information between those facilities to get integration. Certainly resource sharing as well as supply sharing. Twenty or 25 percent of a hospital’s expenses are supply related, so you have to make sure you’re maximizing those as well. The technology is needed to accomplish the things I talked about.
Some hospitals choked in the late 1990s and early 2000s by trying to implement SAP, which was then mostly known as an enterprise resource planning system for manufacturing. What’s the status of ERP in healthcare and how has that evolved from yesterday’s materials management systems?
I laughed when you said SAP. I had a couple of personal friends who left Lawson when I was there to go run the SAP healthcare practice. I know exactly what those challenges were.
What ERP is turning into for healthcare specifically is sitting adjacent to the electronic health record and enabling a healthcare institution to be able to capture the cost components that we’ve been talking about. Analyzing that and looking at lines of business reporting.
ERP has become the need to start to drive the analytic, which we believe starts right with setting up the general ledger and setting up how you’re going to look at the lines of business and then reporting from those. Controlling labor, controlling cost, as well as measuring the cost. ERP in healthcare has become a central strategy to being able to do those things.
The pendulum swung hard to the left to implement EHR systems in the past. It’s now swinging back to the right. Once those EHR systems are implemented, now you need to implement and maximize the other side, which is where an ERP system comes into play.
Do hospitals expect their EHR and ERP vendors to share information bi-directionally?
Absolutely. They’re looking for plug-in integration points. From my side, they want my system to immediately talk to Cerner, Epic, or Allscripts. Give me something that’s going to plug right in where I don’t have to build point-to-point integrations, because we know what integrations need to happen. We know where the data needs to reside and where it needs to get to. That’s what we’re being asked to do and what we’re delivering.
There’s a push for hospitals to implement customer relationship management systems for both business and population health management purposes. How are hospitals addressing that need?
Most of the time when we get into that conversation with a customer, we drop the “C” part of CRM and talk about relationship management, which seems to resonate. Their relationships with their patients …you immediately go there with population management, measuring customer satisfaction or patient satisfaction, making sure that you’re engaging the patient on an ongoing basis. Once they’re discharged, make sure that they’re following their instructions for their medications, those types of things. That relationship that you have with the patient certainly is important.
The other relationships that are important … I talked before about the referral network. The physician referral process and physician referral relationship is extremely important. One physician referring to another physician that’s in the network of the hospital that has built, either through acquisition or through affiliation, this network that they want to continue to feed. The relationships between the physicians become strategic and important as well to making sure that you’re keeping the patients inside of your health network.
We see those two huge needs as relationship management going forward. Of course then you can take the relationship management to the population health to that next step, being able to look at recurring patterns in your population for certain patients and patient outcomes via that relationship management.
Comments Off on HIStalk Interviews Michael Poling, SVP/GM, Infor Healthcare
National Coordinator for Health IT Vindell Washington, MD and his predecessor Karen DeSalvo publish an article in Health Affairs looking back on the health IT achievements that the last seven years have brought.
The president of 25-hospital Oschsner Health System (LA) discusses how EHRs and disease registries are being used to help the organization target and engage with at risk populations as it moves away from fee-for-service reimbursement.
NEJM announces a data analytics contest in which contestants are asked to analyzed a data set of clinical trials data in search of new scientific or clinical discovery.
Robin William’s wife publishes an article in the Journal of the American Academy of Neurology about Lewy body disease, the debilitating condition that led to her husband’s 2014 suicide.
Former and current National Coordinators Karen DeSalvo, MD and Vindell Washington, MD take to Health Affairs to detail the “health IT transformation” seen across the country since the HITECH Act was passed in 2009. A few stats:
96 percent of hospitals and 78 percent of physicians use certified EHRs.
84 percent of academic literature review studies showed that certified EHRs had a positive or mixed-positive effect on care quality, safety, and efficiency.
80 percent of hospitals electronically exchanged lab results, radiology reports, clinical care summaries, or medication lists with providers outside their organization in 2015.
84 percent of providers reported in 2015 that their EHR met or exceeded their expectations.
90 percent of hospitals had digital health data they needed from outside sources or providers available at the point of care – double the national average.
The duo, who both have fond memories of caring for patients in Louisiana, emphasize that continued transformation will require federally recognized standards, combating data blocking, and creating an ROI around interoperability.
Last Week’s Most Interesting News
Aetna announces plans to offer an Apple Watch subsidy through large employers and select individual customers to ramp up its wellness and care management programs.
InstaMed announces a $50 million investment from Carrick Capital Partners.
Former Tuomey Healthcare (SC) CEO Ralph Cox will personally pay a $1 million fine to settle Stark Law allegations that he illegally compensated doctors in exchange for unnecessary patient referrals to the hospital.
The FDA approves Medtronic’s artificial pancreas that automatically monitors a patient’s blood sugar levels and then administers the appropriate insulin dose.
Hilary Clinton outlines in NEJM her plans for improving healthcare, which includes improving ACA, working to “integrate our fragmented healthcare delivery systems,” and helping to increase research and innovation.
Webinars
October 13 (Thursday) 2:00 ET. “Glycemic Control During Therapeutic Hypothermia.” Sponsored by Monarch Medical Technologies. Presenter: Tracey Melhuish, RN, MSN, clinical practice specialist, Holy Cross Hospital (FL). Using therapeutic hypothermia (TH) as a method of care can present risks of hyperglycemia, hypoglycemia, and blood glucose variability. Maintaining safe glucose levels during the cooling and rewarming phases of TH reduces the risks of adverse events. Tracey Melhuish, author of “Linking Hypothermia and Hyperglycemia,” will share best practices for optimal glucose control during TH and the success Holy Cross Hospital sees while using a computerized glucose management software.
Contact Lorre for webinar services. View previous webinars on our HIStalk webinars YouTube channel.
Acquisitions, Funding, Business, and Stock
Safety Net Connect and private equity firm Gary Comer Inc. acquire Chicago-based patient engagement and care coordination technology company VCareConnect for an undisclosed sum.
Senior care services provider US CareNet forms a new company, HC360 Technologies, after purchasing the chronic care and transitional care management technology used in its NavCare care management division.
Announcements and Implementations
Miami Children’s Health System adds ambulatory business office services including RCM to its existing Millenium EHR partnership with Cerner.
Cohen Veterans Network (CT) selects Netsmart’s MyEvolv CareRecord to help it provide free mental healthcare to veterans and their families. The network, which launched in April, have opened five Steven A. Cohen Military Family Clinics across the country and plans to open 20 more over the next five years.
Community Health Partnership (CO) will implement ClientTrack case management software from Eccovia Solutions to better assist its membership of 25 organizations coordinate medical and behavioral healthcare.
Technology
Drchrono develops a “native” iPad and iPhone app for e-prescribing of controlled substances.
Government and Politics
The Dallas Morning News spotlights the refusal of the Texas Department of State Health Services to release data related to pregnancy and maternal death rates to reporters and other organizations looking to gain a better understanding of why the state’s death rates doubled between 2011 and 2012. The department has even refused – without explanation – to release a data record layout, akin to a table of contents that shows what data it collected and how it’s stored. “It’s ridiculous,” says Texas-based lawyer and open records expert Joe Larsen. “We have a clear public health problem, and the people really need to know what in the world is going on here, and they’re stymied by this," he said. "A record layout is not software. It’s not code. It’s not source code. Period. I liken it to the key of a map. It’s actually public information itself.”
Marin Medical Practices Concepts notifies 5,000 patients that their medical records were lost during a recovery process stemming from a ransomware attack in July. After patient files were held for 10 days, the California-based billing and EHR company decided to pay an undisclosed ransom amount, which successfully unlocked the files. MMPC attributes the lost files to a faulty backup, adding that the recovery was done during a system upgrade.
Urgent Care Clinic of Oxford (MS) notifies patients seen before August 2 of a likely ransomware attack initiated in early July, noting in their letter that, “The hackers held the server for ransom before turning control back over to the Urgent Care staff.” The clinic shut down their server’s remote access shortly thereafter, implying that the hackers (thought to be of the Russian variety) snuck in via remote desktop access.
Martin Army Community Hospital (GA) alerts patients of a possible HIPAA breach that took place at Fort Benning between January 2011 and December 2013. The breach stems from “criminal activity involving identity theft by an employee in the laboratory shipping section.” The employee, who was tried for the crime and is now serving time, apparently used information from discarded lab specimen labels to file fraudulent tax returns.
Other
Ochsner Health System (LA) SVP David Carmouche highlights EHRs, registries, and new compensation models as integral to its population health activities and overall move away from fee-for-service:
“We’re leveraging electronic health records, which connect all of our systems. We have created some 20 registries identifying groups of patients with certain diseases and conditions, and we’re reaching out to them proactively, to make sure they’re getting the care they need, when they need it. We’re realigning physician compensation for Ochsner-employed physicians, moving away from fee-for-service payment to higher payment for high-value, high-quality care. We’re looking at physician preference items, trying to consolidate down to one or two knee implants, or one or two cardiovascular implants, so that we can get better pricing from manufacturers. The best way to keep costs down will be to provide high quality care, so patients can go home quickly and recover fully.”
The system went live on Epic in 2011, and three years later became the first provider to integrate Epic with Apple’s HealthKit.
Scientific American takes a long-form look at the ways in which the FDA (and, increasingly, other federal agencies) manipulates the media, denying access and offering not-so-true findings to some news organizations, while enforcing restrictive rules like the “close-hold embargo” on others. “By using close-hold embargoes and other methods, the FDA, like other sources of scientific information, are gaining control of journalists who are supposed to keep an eye on those institutions,” writes Charles Seife. “The watchdogs are being turned into lapdogs.”
Sponsor Updates
Forward Health Group CEO Michael Barbouche is featured in a Wisconsin State Journal article on Wisconsin healthcare technology.
The HCI Group launches a new “Monday Morning Podcast” series.
Using NEJM as a podium, Hilary Clinton outlines her plans for improving healthcare, which includes improving ACA, working to “integrate our fragmented healthcare delivery systems,” and helping to increase research and innovation.
HHS announces the winner of its “A Bill You Can Understand” design challenge. The challenge awarded two prizes, one for the bill that is easiest to understand, and another for the design that best improves the overall approach to the medical billing system.
There has been a lot of chatter in the physician lounge recently about the “Pick your Pace” options for Medicare-related quality reporting next year. Of course, most of the chatter has been either from hospital administrators or from physician leaders of larger groups, since many smaller and independent physician groups may not even be aware of what is about to happen. I was part of a lively exchange this week around the fact that the program has to be budget neutral. To recap, the four options are: 1) Test the quality payment program (no penalty); 2) Report for part of the calendar year (small incentive); 3) Participate for the full year (modest incentive); and 4) Participate in an Advanced Alternative Payment Model (5-percent incentive). The devil may be in the details since it’s unclear how no penalty and small incentives can balance out to be budget neutral. Where is the incentive money going to come from?
It’s also not clear what the actual “test” process in option 1 is going to entail. Unless you’re just starting on your EHR journey, most organizations should be able to report for at least part of the year without significant difficulty. The data may not be of great quality, depending on how well you’re using your EHR, but you can still report it out. We’ll have to wait for the final rule, however, to see what the reporting requirements end up looking like. The partial-year option is going to be attractive to a great number of providers whose EHRs may not be ready for full-year reporting, so I expect to see the most questions on that option.
For providers that are in the thick of trying to comply with all the federal requirements, the 2015 Annual Quality Resource and Utilization Reports (QRURs) were released this week. The QRURs show what a provider’s payment adjustment will be for 2017 based on analysis of quality and cost domains. I attended the Medicare Learning Network call on the topic today. If I didn’t already know a considerable amount about the Value Modifier payment adjustment and the PQRS payment adjustment, I might be more confused after attending the call. The call began with a presenter essentially reading slides to the audience. There were constant references to the appendix, and fortunately the slides were available for download at the beginning of the call so that attendees could follow along.
I’m still mystified by the fact that it takes 21 months to analyze and release the data. We’re talking about using data from 2015 to determine how providers are paid in 2017. Although there was a Mid-Year QRUR that was released in the summer, it didn’t fully illustrate how payment adjustments might be applied. Regardless, the Mid-Year QRUR has little utility to encourage providers to modify their behavior in order to avoid adjustments, since it’s a look-back document. When trying to modify behavior, it’s most useful to provide real-time or at least fairly immediate feedback. Under the CMS construct, the feedback loop is delayed. Does it really take 21 months to aggregate and interpret the data? Or maybe the delay is intentional, as providers move deeper and deeper into a state of learned helplessness.
After about 15 minutes on the call, I felt my brain going numb as the presenter reviewed all the steps needed to access the QRUR. Providers or their designees have to go through the process of requesting an Enterprise Identity Management (EIDM) account which has multiple steps and sub-steps. The acronym soup became less savory as we learned about Provider Transaction Access Numbers (PTAN), which have to be obtained from the Medicare Administrative Contractor (MAC). Once you go through all the related steps and click your heels a couple of times, you can either view or download the presentation.
The presenter tagged-out to a second presenter who went through a table explaining the different sections of a “hypothetical” QRUR. Again, it was basically someone reading a slide to the audience – actually showing the various exhibits and sections while talking about them would have been useful. They did eventually go through some of the specifics, but I wonder how many attendees were following especially if this was the first time they were seeing this material. As the talk moved into discussion of the various quality and cost composite scores, and the need for a statistically significant deviation from the mean to be categorized as more (or less) than average, I wondered how many people attending the webinar understood those statistical terms.
Having spent my final two years at Big Medical Center working on a provider attribution project, I was eagerly awaiting the discussion of how Medicare beneficiaries were assigned to their respective Taxpayer Identification Numbers (TIN). This attribution drives the cost composite score found in the QRUR. Not only is CMS looking at spending per beneficiary, they are also looking at per capita costs for beneficiaries with various chronic conditions including diabetes, chronic obstructive pulmonary disease, coronary artery disease, and heart failure. They didn’t go into anywhere near the detail I expected for a provider to actually understand how the attribution was done. There are detailed elements involving whether a given TIN provided the majority of primary care services during the year, whether primary care services were received from subspecialists in the TIN, and more. None of that was covered.
Heading into the discussion of the “Informal Review Process” that providers can use to disagree with Value Modifier calculated for their TIN, the presenter became flustered due to a missing slide and rather than vamping her way through it, actually paused the presentation while they tried to sort it out. When she restarted, she actually re-read some scripted comments. I felt bad for her – we’ve all been on the downside of presentations that don’t go as planned. She then went into a discussion of various tables in the appendix, which again weren’t on the screen. Apparently, providers can download them in Excel and use them to analyze their own data, even de-identifying it by removing specific columns. It would have been good to see a screenshot of the data format to go along with the discussion.
Once she finally made it to the discussion of the review process, things were back on track. The review period began September 26 and is open for 60 days. The review has to be requested using the EIDM system and the process includes a Multi-Factor Authentication (MFA) step. Users have to remember to use the same MFA device type that they selected to use when they first created their accounts. Depending on how long ago one’s account was created, this may be a challenge. Users can then request the review, which leads to an additional three steps that weren’t shown in the webinar. Users can download a quick reference guide from the CMS website for more information on the reviews, although the link wasn’t shown in the webinar. As a side note, there were a couple of times at the beginning of the webinar where the speaker gave Web addresses verbally but with no link or text shown. Especially with a webinar platform, is there any reason why a link shouldn’t be shown on the screen and provided in the deck that was given to attendees? Another unusual statement (given by two different speakers) was that users should disable their popup blockers and should not connect wirelessly or via VPN but should connect via a wired connection. In this day of mobility and multi-platform device use, it felt like CMS is out of touch with how people use devices to receive information.
They opened the call to Questions and Answers and the first one seemed to challenge them, about whether the adjustment would be provided on a claim-by-claim basis or at the end of the year. Eventually they arrived at the per-claim answer. They answered the second question (about beneficiary attribution) by referring users to yet another website. I finally figured out why they wanted popup blockers disabled when a poll popped up asking how many people were viewing the session with me. There were also polling questions on whether I had difficulty accessing the webinar and whether I was satisfied with the webinar platform used. The questions continued, including one from a group who had discrepancies in the data from their QRUR. She was instructed to submit informal review for both QRUR and PQRS, and the latter has to be done through a different process that the group had difficulty explaining. They had to pause while they conferred, agreeing to look it up and provide it later.
That only served to underscore how complicated these programs are and how challenging it will be for provider groups of all sizes to try to keep up. Staying current with software and enforcing end-user behavior is hard enough, but this adds an entirely different layer of challenges for practice operations and management teams. I had to duck out for another call but am looking forward to seeing the rest of the Q&A in the transcript.
How is your organization coping with the QRUR? Email me.
Aetna announces plans to offer an Apple Watch subsidy through large employers and select individual customers to ramp up its wellness and care management programs, and will provide its own 50,000 employees Apple Watches free of charge.
HIStalk Announcements and Requests
This week on HIStalk Practice: Dr. Gregg pontificates on the proper way for vendors to apologize for unexpected downtime. Enjoin VP James Fee, MD describes how physician engagement efforts can improve clinical documentation. Malvern Family Medical Clinic Owner Shawn Purifoy, MD offers insight into the benefits of joining an ACO and the struggle to remain independent. Medecision William Gillespie, MD lists three population health must-haves for primary care. Midwest Nephrology Associates Owner Gary Singer, MD digs into the benefits of Carequality’s Interoperability Framework.
This week on HIStalk Connect: Sirono Chief Revenue Officer Peter Longo discusses the problem with hospital billing and keys to successful patient payments.
Webinars
October 13 (Thursday) 2:00 ET. “Glycemic Control During Therapeutic Hypothermia.” Sponsored by Monarch Medical Technologies. Presenter: Tracey Melhuish, RN, MSN, clinical practice specialist, Holy Cross Hospital (FL). Using therapeutic hypothermia (TH) as a method of care can present risks of hyperglycemia, hypoglycemia, and blood glucose variability. Maintaining safe glucose levels during the cooling and rewarming phases of TH reduces the risks of adverse events. Tracey Melhuish, author of “Linking Hypothermia and Hyperglycemia,” will share best practices for optimal glucose control during TH and the success Holy Cross Hospital sees while using a computerized glucose management software.
Contact Lorre for webinar services. View previous webinars on our HIStalk webinars YouTube channel.
Announcements and Implementations
Vidyo launches a clinical design service to help providers integrate telemedicine into their workflows.
PatientPing and Vermont Information Technology Leaders deem their care coordination technology collaboration a success at the six-month mark. Since going live, 400 provider locations in New England have been “pinged,” letting them know that their patients have been seen at local hospitals. PatientPing has recorded 62,000 notifications on 12,000 Vermont citizens.
UAB Medicine will replace its connectivity software with Orion Health’s Rhapsody Integration Engine – a project that will include rewriting 300 interfaces.
Cypress Creek ER (TX) selects Wellsoft’s EDIS for its third freestanding ER, set to open mid-October. Angleton ER (TX) will go live with Wellsoft technology when it opens in December.
NewCrop adds specialty medication prescribing software from AssistRx to its e-prescribing software.
Acquisitions, Funding, Business, and Stock
Former Tuomey Healthcare (SC) CEO Ralph Cox will personally pay a $1 million fine to settle Stark Law allegations that he illegally compensated doctors in exchange for unnecessary patient referrals to the hospital.
MedWand Digital Health secures a “major investment” from sensor technology-focused Maxim Ventures, which the Las Vegas-based startup will use to work towards anticipated 2017 FDA approval of its diagnostic device for virtual consults.
People
Wendy Deibert (The VirtualEngine) joins Vidyo as VP of clinical services.
Teladoc adds the new role of COO to CFO Mark Hirschhorn’s responsibilities.
Greg Alexander (Evolent Health) joins Lumeris as national VP of market operations.
The Chartis Group promotes Michael Topchik to head of the new Chartis Center for Rural Health.
Michael Bain, MD (Qualified Emergency Specialists) will head Cincinnati-based TriHealth’s new clinical informatics department as CMIO.
Technology
Dr. Oz lends his gravitas to San Francisco-based wearables startup IBeat, becoming an investor, partner, and advisor to the company as it launches its heart-monitoring smartwatch via an Indiegogo campaign. For a mere $5,000, buyers can purchase the “Meet Dr. Oz Special,” which includes VIP access to this show, a two-night hotel stay in New York City, two watches and monitoring services, plus a signed book and scrubs. Oz was not involved in last month’s seed funding round of $1.5 million.
Government and Politics
HHS and AARP announce the winners of their “A Bill You Can Understand” contest. Designs from Los Angeles-based RadNet, which won in the easiest-to-understand category, and San Francisco-based Sequence, which won in the overall approach category, will be tested or implemented in six healthcare facilities – including Cambia Health Solutions – across the country. (Jenn talked with CHS President and CEO Mark Ganz about the challenge as part of “The Hypocrisy of a Simpler Patient Bill.”)
Hillary Clinton takes to the New England Journal of Medicine to outline her vision for universal, quality, affordable healthcare. Her short op-ed hints at healthcare IT among her four goals: “I am also committed to expanding access to high-quality data on cost, care quality, and health delivery system performance to help patients and doctors make informed choices, and entrepreneurs build new products and services.” Donald Trump has thus far declined the same editorial opportunity.
ONC awards seven organizations $1.5 million to improve the flow of health data for patients and providers, particularly data related to medication management, laboratory data, and care coordination. The funding comes via the office’s High Impact Pilot and Standards Exploration Award programs.
HIMSS presents Acting Assistant Secretary for Health and former national coordinator Karen DeSalvo, MD with the Federal Health IT Leadership Award during its National Health IT Week festivities.
Privacy and Security
HITRUST connects and begins bi-directional sharing of cyber threat indicators with the Department of Homeland Security’s Automated Indicator Sharing Program. The information exchange corresponds with HITRUST’s new CyberAid program, which helps smaller organizations select security solutions and contribute to the exchange.
The New Jersey Spine Center notifies patients of a July 27 ransomware attack that resulted in the provider paying an unspecified dollar amount to unlock all of its digital patient records. Files were reinstated on August 1.
Royal Cornwall Hospitals Trust in England suffers multiple ransomware attacks over the past year.
Australia Health Minister Sussan Ley apologizes to physicians for the accidental leaking of Medicare data, discovered after University of Melbourne researchers attempted to decrypt some of the data, thus inadvertently revealing sensitive information.
Research and Innovation
The FDA approves Medtronic’s artificial pancreas that automatically monitors a patient’s blood sugar levels and then administers the appropriate insulin dose.
An American Telemedicine Association/Wego Health survey of 429 patients finds that just 22 percent have taken advantage of video visits in the last year, with the average patient engaging in between one and four virtual consults. Of that percentage, as many patients requested telemedicine services as their providers initially offered it. I’m not sure that “strong demand,” as tweeted above, is warranted with these results.
Other
Seems like #HIMSSanity has already begun.
British researchers have created a 3D-printed replica of the human body to help train surgeons, particularly when it comes to making that initial slice.
Sponsor Updates
Fortified Health Solutions will exhibit at the HIMSS Southern California Annual Privacy & Security Forum September 30 in Newport Beach.
Frost & Sullivan recognizes Orion Health with the 2016 European Frost & Sullivan Award for Product Leadership.
The FDA approves Medtronic’s artificial pancreas that automatically monitors a patient’s blood sugar levels and then administers the appropriate insulin dose.
Aetna announces plans to offer an Apple Watch subsidy through large employers and select individual customers to ramp up its wellness and care management programs, and will provide its own 50,000 employees Apple Watches free of charge.
An AMA survey of 1,300 physicians finds broad-based optimism for digital health innovations, but note that liability coverage, data privacy, workflow integration, and improved ease of use are all issues that need to be overcome before digital health tools will deliver at full capacity.
September 28, 2016NewsComments Off on Safeguarding Smartphones in an Era of Escalating Vulnerabilities
HIPAA-related security concerns mount as smartphones become more ubiquitous across enterprise healthcare environments. By @JennHIStalk
Ransomware headlines seem to reign supreme in healthcare news, and yet industry insiders know that the greater potential for cyberattack and financial loss resides in just about every person’s pocket (or pocketbook). Catholic Health Care Services of the Archdiocese of Philadelphia’s $650,000 settlement with OCR for HIPAA violations this summer is a prime example of the vulnerability of mobile smart devices. The settlement stemmed from the theft of a smartphone containing the PHI of 412 nursing home residents. Acting as a business associate, CHCS provided IT and management services to six SNFs, and was thus responsible for protecting resident PHI under HIPAA. OCR found that, in addition to a lack of encryption and password protection, CHCS also neglected to develop a risk analysis and accompanying plan for risk management.
While the organization’s lack of cyber safeguards and subsequent fine made headlines, it’s probably a safe bet to assume that other similar entities are operating without the appropriate security safety nets.
Getting on the MDM Hamster Wheel
Smartphone security “is a moving target,” says Alex Brown, director of strategy at healthcare communications company Voalte. “Today, there seems to be two layers of what people are looking into when it comes to smartphone security – applications on the device and the content of those applications. If your application has PHI sitting in it all the time, than you have a much higher risk than with an app that has PHI on it only when it’s connected to a server.
“Not every healthcare organization has the expertise to deploy security,” he adds, “which is why providers rely so much on vendors to make sure that they’re really keeping up to date with best practices around mobile device management.”
Brown finds that in today’s world of escalating cybersecurity concerns, constant dialogue with hospital customers about the importance of up-to-date MDM is a must. Hospitals are now faced with managing almost daily updates from Apple and Google, he explains, which, for many, has taken some getting used to.
“It’s an important piece that not a lot of sites think about,” Brown says. “It’s constantly moving. I like to refer to the smartphone space as a hamster wheel of updates. It can be a little daunting to get on it, and once you’re on it, you really have to keep up. If you don’t, that’s where you can introduce risk. The CHCS settlement was a gut check for other providers in the sense that they hopefully are now asking themselves, ‘Are we checking all the boxes constantly? Are there new boxes that we can now check?’”
Great Vendor Expectations
Parkview Medical Center (CO) CIO and Vice President of IT Steve Shirley has seen his fair share of cybersecurity practices, having spent 30 years in banking IT and nearly eight in healthcare. “In banking, we were mandated and audited on our vendor management programs. I routinely went onsite at vendor locations to audit their data centers, review their SaaS70 reports, and determine the overall security posture of the firm. We looked at their financials and did a significant amount of work to ensure the vendor was not only financially strong and stable, but secure, and that our data was safe.”
Shirley adds that security in the financial industry is at a higher level of maturation than in healthcare for obvious reasons. “They have to protect identities and money,” he explains. “Now that health data is under attack, we need to raise security to a higher standard. At Parkview, we’re heavy users of smartphones. The challenge is that in the BYOD world, other than our MDM strategy and provisioning, we don’t have a lot of control over what devices come in the door. And so we expect the highest level of security from our vendors. We include vendor management in our RFPs and require BA agreements for any vendor dialing into our system in any way. This is in addition to the standard requirement when the vendor has access to our data for things like analytical activity.
“When we implement new solutions,” he adds, “we collaborate with them to plan and design for security, whether at the mobile device level or system level. When we partnered with PatientSafe Solutions to roll out PatientTouch on the iPhone for services ranging from bedside medication verification to care team texting and communications, we brought in all of the vendors involved to develop a system that was not only reliable and functional, but also secure across all connections and access points. Six companies were involved: PatientSafe, their wireless vendor, our IT team and wireless vendor, Cisco, and Apple all participated in ensuring the system worked seamlessly and securely.”
Sticks Will Get the Cybersecurity Job Done
With regard to the CHCS breach, Shirley isn’t shy about sharing his opinion. “In the banking industry, I learned that we all mean to do good, but the movement of the day is so fast and furious that things tend to fall by the wayside,” he says. “And so the government stepped in with punitive measures for not meeting security or other standards. Y2K was a great example. The FDIC threatened to close banks if they didn’t have an appropriate Y2K strategy. I pray every day my hospital doesn’t get attacked and a breach occurs. As regretful and tough as the fine is, it’s a necessity because it creates an industry wakeup call for those who haven’t realized healthcare is under attack.
“It seems that while people understand that systems like servers, desktops, laptops, etc. are highly susceptible to attack if not properly protected, there’s a perception that smartphones are different,” he explains. “We, both industry and our consumers, need to get serious about understanding that a smartphone is a device that has access through the Internet and is thus vulnerable.”
Grace Hua, director of product management, clinical communications at PatientSafe, is of a like mind in her belief that hospitals should demand that vendors provide technology support and safeguards for clinician end users. “This should be a wakeup call not only for BAs, but for the industry as a whole,” she says in reference to the CHCS news. “BAs need to fully understand the importance of the data they are potentially putting at risk, and the implications of theft or security breach, as that data now has a dollar value tied to it. Hacking is now just as profitable in healthcare as other industries.”
Increasing Staff Awareness
When it comes to safeguarding smartphones and patient PHI, Shirley and his team are taking proactive measures to keep CHCS-type incidents at bay. Higher-level efforts include membership in security organizations like the SANS Institute and making sure that new technology deployments include a project milestone for evaluating and understanding potential security risks, and then developing a plan to mitigate them.
“This seems so intuitive,” he says, “but I think it is sometimes not the highest priority in the deployment of healthcare systems. Examples of this include installation of modalities for radiology that have communications facilities onboard, or even simple things like network printers.”
Shirley is especially excited about boots-on-the-ground efforts at Parkview. “We have a network security engineer who, in addition to his technical role, is responsible for security education. He regularly visits units during their daily huddles to give security tips like how to create strong passwords or how to validate that the person on the phone is authorized to receive information. Throughout the hospital, we use our digital wallboards to deliver security messages to everyone onsite. Our employee and physician newsletters have standing articles about safety. We’re also putting together a security video that will be required viewing for all employees. The effort has been huge in the last year to increase staff awareness.”
A Rising Tide Lifts All Cybersecurity Practices
Shirley is happy to report that his colleagues at neighboring institutions are paying just as much attention to securing mobile devices. “Two years ago, I would have said healthcare organizations are not paying enough attention to cybersecurity protection,” he says. “Now, I’m seeing new and extreme efforts every single day. Recently, a competitor healthcare system went to two-factor authentication for external access, and I think that’s awesome. At Parkview, we’ve implemented MDM for all of our devices. We don’t store data on laptops or mobile devices, and we don’t deploy any mobile hardware that hasn’t been encrypted. I think the industry understands healthcare is under threat and there are many points of potential vulnerability we need to address. It’s absolutely becoming more of a focus.”
Comments Off on Safeguarding Smartphones in an Era of Escalating Vulnerabilities
InstaMed announces a $50 million investment from Carrick Capital Partners, which it says will be used to “drive the growth of the InstaMed Network, accelerate go-to-market strategy, and drive further innovation in healthcare payments technology.” The new round brings InstaMed’s total funding to $126 million since its 2004 formation.
Former Tuomey Healthcare (SC) CEO Ralph Cox will personally pay a $1 million fine to settle Stark Law allegations that he illegally compensated doctors in exchange for unnecessary patient referrals to the hospital.
"most people just go to Epic" that's a problem because then EPIC becomes a monopoly in healthcare, if it isn't…