
Inspector General Says CMS Made $729 Million In Questionable EHR Incentive Payments

Posted on June 16, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new report from the HHS Office of Inspector General has concluded that over a three-year period, CMS made roughly $729.4 million in EHR incentive payments to providers who didn’t comply with program requirements.

To determine whether the incentive program was functioning appropriately, the OIG audited payments made between May 2011 and June 2014.

After sampling payment records for 100 eligible professionals (EPs), the agency found that 14 EPs, who received payments totaling $291,022, didn’t meet incentive criteria. The auditors found that the 14 had either failed to meet bonus criteria or didn’t provide proof that they had.

Then, the OIG used the data to extrapolate how much CMS had spent on invalid payments, which is how it arrived at the $729 million estimate. In other words, given the margin of error across the sampled incentive payments, the OIG assumed that 12% of all incentive payments were in error. (The analysis also concluded that CMS mistakenly paid $2.3 million to EPs switching between Medicare and Medicaid programs.)

Not surprisingly, the OIG has recommended that CMS recover the $291,000 in payments made to the sampled providers. It also suggested that the agency review EP payments issued during the audit period to see what other errors were made. Of course, the ultimate goal is to get back the approximately $729.4 million the agency may have paid out in error.

In addition, the OIG called on CMS to review a random sample of self-attested documentation from after the audit period, to determine whether additional inappropriate payments were made to EPs.

And to make sure the EPs don’t get payments under both Medicare and Medicaid incentive programs for the same program year, the report urged CMS to conduct edits of the National Level Depository system.

As part of this report, the OIG noted that allowing providers to self-report compliance data leaves the incentive payment program open to fraud, and recommended keeping a closer eye on these reports. CMS seems to have had at least some sympathy for this argument, as it apparently agreed partly or fully with all of the OIG’s suggested actions.

One side effect of the OIG report is that it brings attention back to the Meaningful Use program, which has been eclipsed by MACRA but still clings to life. Eligible providers can still report either Modified Stage 2 or Stage 3 in 2017, the main difference being you need a full year of data for Stage 2 but only 90 days for Stage 3.

But MACRA does change things, as its performance standards will test providers in new ways. This year, providers have a chance to get situated with either the MIPS or APM track, and those who jump in now are likely to benefit.

Meanwhile, the future of Meaningful Use remains fuzzy. To my knowledge, the agency has no immediate plans to restructure the current incentive program to audit provider reports in depth. In fact, given that providers are more concerned about MACRA these days, I doubt CMS will bother.

That being said, it’s fair to assume that incentive payouts will get a bit more attention going forward. So be prepared to defend your attestation if need be.

E-Patient Update:  I Was A Care Coordination Victim

Posted on June 12, 2017 | Written By Anne Zieger

Over the past few weeks, I’ve been recovering from a shoulder fracture. (For the record, I wasn’t injured engaging in some cool athletic activity like climbing a mountain; I simply lost my footing on the tile floor of a beauty salon and frightened a gaggle of hair stylists. At least I got a free haircut!)

During the course of my treatment for the injury, I’ve had a chance to sample both the strengths and weaknesses of coordinated treatment based around a single EMR. And unfortunately, the weaknesses have shown up more often than the strengths.

What I’ve learned, first hand, is that templates and shared information may streamline treatment, but also pose a risk of creating a “groupthink” environment that inhibits a doctor’s ability to make independent decisions about patient care.

At the same time, I’ve concluded that centralizing treatment across a single EMR may provide too little context to help providers frame care issues appropriately. My sense is that my treatment team had enough information to be confident they were doing the right thing, but not enough to really understand my issues.

Industrial-style processes

My insurance carrier is Kaiser Permanente, which both provides insurance and delivers all of my care. Kaiser, which reportedly spent $4 billion on the effort, rolled out Epic roughly a decade ago, and has made it the backbone of its clinical operations. As you can imagine, every clinician who touches a Kaiser patient has access to that patient’s full treatment history with Kaiser providers.

During the first few weeks with Kaiser, I found that physicians there made good use of the patient information they were accumulating, and used it to handle routine matters quite effectively. For example, my primary care physician had no difficulty getting an opinion on a questionable blood test from a hematologist colleague, probably because the hematologist had access not only to the test result but also my medical history.

However, the system didn’t serve me so well when I was being treated for the fracture, an injury which, given my other issues, may have responded better to a less standardized approach.  In this case, I believe that the industrial-style process of care facilitated by the EMR worked to my disadvantage.

Too much information, yet not enough

After the fracture, as I worked my way through my recovery process, I began to see that the EMR-based process used to make Kaiser efficient may have discouraged providers from inquiring more deeply into my particular circumstances.

And yes, this could have happened in a paper world, but I believe the EMR intensified the tendency to treat me as “the fracture in room eight” rather than an individual with unique needs.

For example, at each step of the way I informed physicians that the sling they had provided was painful to use, and that I needed some alternative form of arm support. As far as I can tell, each physician who saw me looked at other providers’ notes, assumed that the predecessor had a good reason for insisting on the sling, and simply followed suit. Worse, none seemed to hear me when I insisted that it would not work.

While this may sound like a trivial concern, the lack of a sling alternative seemed to raise my level of pain significantly. (And let me tell you, a shoulder fracture is a very painful event already.)

At the same time, otherwise very competent physicians seemed to assume that I’d gotten information that I hadn’t, particularly education on my prognosis. At each stage, I asked questions about the process of recovery, and for whatever reason didn’t get the information I needed. Unfortunately, in my pain-addled state I didn’t have the fortitude to insist they tell me more.

My sense is that my care would’ve benefited from both a more flexible process and more information on my general situation, including the fact that I was missing work and really needed reassurance that I would get better soon. Instead, it was care by data point.

Dealing with exceptions

All that being said, I know that the EMR alone isn’t itself to blame for the problems I encountered. Kaiser physicians are no doubt constrained by treatment protocols which exist whether or not they’re relying on EMR-based information.

I also know that there are good reasons that organizations like Kaiser standardize care, such as improving outcomes and reducing care costs. And on the whole, my guess is that these protocols probably do improve outcomes in many cases.

But in situations like mine, I believe they fall short. If nothing else, Kaiser perhaps should have a protocol for dealing with exceptions to the protocols. I’m not talking about informal, seat-of-the-pants judgment calls, but an actual process for dealing with exceptions to the usual care flow.

Three weeks into healing, my shoulder is doing much better, thank you very much. But though I can’t prove it, I strongly suspect that I might have hurt less if physicians were allowed to make exceptions and address my emerging needs. And while I can’t blame the EMR for this experience entirely, I believe it played a critical role in consolidating opinion and effectively limiting my options.

While I have as much optimism about the role of EMRs as anyone, I hope they don’t serve as a tool to stifle dissension and oversimplify care in the future. I, for one, don’t want to suffer because someone feels compelled to color inside of the lines.

Both US And International Doctors Unimpressed With Govt Telehealth Adoption

Posted on May 25, 2017 | Written By Anne Zieger

A new survey by physician social network SERMO has concluded that both US and foreign physicians aren’t impressed with national and local telehealth efforts by governments.

The US portion of the survey, which had 1,651 physician respondents, found that few US doctors were pleased with the telehealth adoption efforts in their state. Forty-one percent said they felt their state had done a “fair” job in adopting telehealth, while 44 percent said the state’s programs were either “poor” or “very poor.” Just 15 percent of US physicians rated their state’s telehealth leaders as doing either “well” or “very well” with such efforts.

Among the various states, Ohio’s programs got the best ratings, with 22 percent of doctors saying the state’s telehealth programs were doing “well” or “very well.” California came in second place, with 20 percent of physician-respondents describing their state’s efforts as doing “well” or “very well.”

On the flip side, 59 percent of New Jersey doctors said the state’s telehealth efforts were “poor” or “very poor.” New York also got low ratings, with 51 percent of doctors deeming the state’s programs “poor” or “very poor.”

Interestingly, physicians based outside the US had comparable – though slightly more positive — impressions of their countries’ telehealth efforts. Thirty-eight percent of the 1,831 non-US doctors responding to the survey rated their country as having done a “fair” job with telehealth adoption, a stronger middle ground than in the US. That being said, 43 percent said their country has done a “poor” or “very poor” job with adopting telehealth programs, while just 19 percent rated their countries’ efforts as going “well” or “very well.”

As with state-by-state impressions in the US, physicians’ impressions of how well their country was doing with telehealth adoption varied significantly.  Spain got the best rating, with 26 percent of physicians saying efforts there were going “well” or “very well.” Meanwhile, the United Kingdom got the worst ratings, with 62 percent of doctors describing telehealth efforts there as “poor” or “very poor.”

Of course, all of this begs the question of what doctors were taking into account when they rated their country or state’s telehealth-related initiatives.

What makes doctors feel one telehealth adoption program is effective and another not effective? What kind of support are physicians looking for from their state or country? Are there barriers to implementation that a government entity is better equipped to address than private industry? Do they want officials to support the advancement of telehealth technology?  I’d prefer to know the answers to these questions before leaping to any conclusions about the significance of SERMO’s data.

That being said, it does seem that doctors see some role for government in promoting the growth of telehealth use, if for no other reason than that they’re paying enough attention to know whether such efforts are working or not. That surprises me a bit, given that the biggest obstacles to physician telehealth adoption are generally getting paid for such services and handling the technology aspects of telemedicine delivery.

But if the study is any indication, doctors want more support from public entities. I’ll be interested to see whether Ohio and California keep leading the pack in this country — and what they’re doing right.

Seven Factors That Will Make 2018 A Challenging Year For EMR Vendors

Posted on May 24, 2017 | Written By Anne Zieger

Unless they’re monumentally important, I generally don’t regurgitate the theories researchers develop about health IT. But this time I’m changing strategies. While their analysis may not fit in the “earth shattering” category, I thought their list of factors that will shape 2018’s EMR market was dead on, so here it is.

According to a report created by analyst firm Kalorama Research, a number of trends are brewing which could make next year a particularly, well, interesting one for EMR vendors. (By the by, the allegedly Chinese curse, “May you live in interesting times” probably wasn’t Chinese in origin — it seems to have been minted in the 19th century by a British politician named Joseph Chamberlain. But I digress.)

According to Kalorama publisher Bruce Carlton, many forces are converging, including:

  • Frustrated physicians: Physician rage over clunky EMRs may boil over next year. No one vendor seems positioned to scoop up their business, but of course many will try.
  • Hospital EMR switches: While hospitals have been switching out EMRs for quite some time, defections may climb to new levels. Their main objective: Improve workflows.
  • Emerging technologies: Trendy approaches like dashboarding, blockchain and advanced big data analytics will begin to be integrated with existing EMR technologies. Or as the report notes, “the Old EMR doesn’t cut it anymore.”
  • IT staff shortages: It takes a pretty seasoned IT pro to run an EMR, but they’re hard to find, especially if you want them to have a lot of relevant experience. But without their expertise, provider organizations may not get the most out of their systems. This may spell opportunity for vendors offering better service, the report says.
  • Breach of the day: With each cybersecurity breach, EMRs get negative coverage, and the effects of this bad PR are accreting. Tales of ransomware, a particularly lurid form of cybercrime, are only making things worse.
  • Many EMR vendors remain: Despite a barrage of M&A activity in the sector, there are still over 1,000 vendors in the EMR space, Kalorama notes. In other words, competition for EMR customers will still be brisk, particularly given that no one vendor – even giants like Cerner and Epic – owns more than one-fifth of the market. (This assertion comes from the firm’s own market estimates.)
  • New Administration, new goals: To date the White House hasn’t proposed specific changes to health IT policy, but one clue comes from the appointment of an HHS Secretary who dislikes the meaningful use program. Anything could happen here.

In addition to the factors cited by Kalorama, I’d suggest one other trend to consider. As I’ve noted above, Kalorama argues that customers will demand EMRs that incorporate sexy new technologies, perhaps more so than in the past. I’d go further with this projection. From what I’m hearing, a consensus is emerging that EMR architectures must be completely deconstructed and rethought for today’s data.

With important data flows emerging from wearables, apps, remote monitoring devices and the like, it may not make sense to put a big database at the center of the EMR platform anymore. After all, what’s the point of setting up an enterprise EMR as the ultimate source of truth if so much important data is being generated by mobile devices at the network edge?

Anyway, that’s my two cents, along with Kalorama’s predictions. What do you think 2018 will look like for EMR vendors, and why?

E-Patient Update:  Changing The Patient Data Sharing Culture

Posted on May 19, 2017 | Written By Anne Zieger

I’ve been fighting for what I believe in for most of my life, and that includes getting access to my digital health information. I’ve pleaded with medical practice front-desk staff, gently threatened hospital HIT departments and gotten in the faces of doctors, none of whom ever seem to get why I need all of my data.

I guess you could say that I’m no shrinking violet, and that I don’t give up easily. But lately I’ve gotten a bit, let me say, discouraged when it comes to bringing together all of the data I generate. It doesn’t help that I have a few chronic illnesses, but it’s not easy even for patients with no major issues.

Some of these health professionals know something about how EMRs work, how accurate, complete health records facilitate care and how big data analysis can improve population health. But when it comes to helping humble patients participate in this process, they seem to draw a blank.

The bias against sharing patient records with the patients seems to run deep. I once called the PR rep at a hospital EMR vendor and complained casually about my situation, in which a hospital told me that it would take three months to send me records printed from their EMR. (If I’d asked them to send me a CCD directly, the lady’s head might have exploded right there on the phone.)

Though I didn’t ask, the vendor rep got on the phone, reached a VP at the hospital and boom, I had my records. It took a week and a half, a vendor and hospital VP just to get one set of records to one patient. And for most of us it isn’t even that easy.

The methods providers have used to discourage my data requests have been varied. They include telling me that I have to pay $X per page, when state law clearly states that (much lower) $Y is all they can charge. I’ve been told I just have to wait as long as it takes for the HIM department to get around to my request, no matter how time-sensitive the issue. I was even told once that Dr. X simply didn’t share patient records, and that’s that. (I didn’t bother to offer her a primer on state and federal medical records laws.) It gets to be kind of amusing over time, though irritating nonetheless.

Some of these skirmishes can be explained by training gaps or ignorance, certainly. What’s more, even if a provider encourages patient record requests there are still security and privacy issues to navigate. But I believe that what truly underlies provider resistance to giving patients their records is a mix of laziness and fear. In the past, few patients pushed the records issue, so hospitals and medical groups got lazy. Now, patients are getting assertive, and they fear what will happen.

Of course, we all have a right to our medical records, and if patients persist they will almost always get them. But if my experience is any guide, getting those records will remain difficult if attitudes don’t change. The default cultural setting among providers seems to be discomfort and even rebellion when they’re asked to give consumers their healthcare data. My protests won’t change a thing if people are tuning me out.

There are many reasons for their reaction, including the rise of challenging, self-propelled patients who don’t assume the doctor knows best in all cases. Also, as in any other modern industry, data is power, and physicians in particular are already feeling almost powerless.

That being said, the healthcare industry isn’t going to meet its broad outcomes and efficiency goals unless patients are confident and comfortable with managing their health. Collecting, amassing and reviewing our health information greatly helps patients like me to stay on top of issues, so encumbering our efforts is counter-productive.

To counter such resistance, we need to transform the patient data sharing culture from resistant to supportive. Many health leaders seem to pine for the days when patients could have the data when and if they felt like it, but those days are past. Participating happily in a patient’s data collection efforts needs to become the norm.

If providers hope to meet the transformational goals they’ve set for themselves, they’ll have to help patients get their data as quickly, cheaply and easily as possible. Failing to do this will block or at least slow the progress of much-needed industry reforms, and they’re already a big stretch. Just give patients their data without a fuss – it’s the right thing to do!

Direct, Sequoia Interoperability Projects Continue To Grow

Posted on May 15, 2017 | Written By Anne Zieger

While its fate may still be uncertain – as with any interoperability approach in this day and age – the Direct exchange network seems to be growing at least. At the same time, it looks like the Sequoia Project’s interoperability efforts, including the Carequality Interoperability Framework and its eHealthExchange Network, are also expanding rapidly.

According to a new announcement from DirectTrust, the number of health information service providers who engaged in Direct exchanges increased 63 percent during the first quarter of 2017, to almost 95,000, over the same period in 2016.  And, to put this growth in perspective, there were just 5,627 providers involved in Q1 of 2014.

Meanwhile, the number of trusted Direct addresses which could share PHI grew 21 percent, to 1.4 million, as compared with the same quarter of 2016. Again, for perspective, consider that there were only 182,279 such addresses available three years ago.

In addition, the Trust noted, there were 35.6 million Direct exchange transactions during the quarter, up 76 percent over the same period last year. It expects to see transaction levels hit 140 million by the end of this year.

Also, six organizations joined DirectTrust during the first quarter of 2017, including Sutter Health, the Health Record Banking Alliance, Timmaron Group, Moxe Health, Uticorp and Anne Arundel Medical Center. This brings the total number of members to 124.

Of course, DirectTrust isn’t the only interoperability group throwing numbers around. In fact, Sequoia recently issued a statement touting its growth numbers as well (on the same day as the Direct announcement, natch).

On that day, the Project announced that the Carequality Interoperability Framework had been implemented by more than 19,000 clinics, 800 hospitals and 250,000 providers.

It also noted that its eHealth Exchange Network, a healthcare data sharing network, had grown 35 percent over the past year, connecting participants in 65 percent of all US hospitals, 46 regional and state HIEs, 50,000 medical groups, more than 3,400 dialysis centers and 8,300 pharmacies. This links together more than 109 million patients, Sequoia reported.

So what does all of this mean? At the moment, it’s still hard to tell:

  • While Direct and Sequoia are expanding pretty quickly, there are few phenomena to which we can compare their growth.
  • Carequality and CommonWell agreed late last year to share data across each other’s networks, so comparing their transaction levels to other entities would probably be deceiving.
  • Though the groups’ lists of participating providers may be accurate, many of those providers could be participating in other efforts and therefore be counted multiple times.
  • We still aren’t sure what metrics really matter when it comes to measuring interoperability success. Is it the number of transactions initiated by a provider? The number of data flows received? The number of docs and facilities who do both and/or incorporate the data into their EMR?

As I see it, the real work going forward will be for industry leaders to decide what kind of performance stats actually equate to interoperability success. Otherwise, we may not just be missing health sharing bullseyes, we may be firing at different targets.

More Vendors, Providers Integrating Telemedicine Data With EHRs

Posted on April 27, 2017 | Written By Anne Zieger

One of the biggest problems providers face in rolling out telemedicine is how to integrate the data it generates. Must doctors make some kind of alternate set of notes appropriate to the medium, or do they belong in the EHR? Should healthcare organizations import the video and notate the general contents? And how should they connect the data with their EHR?

While we may not have definitive answers to such questions yet, it appears that the telehealth industry is moving in the right direction. According to a new survey by the American Telemedicine Association, respondents said that they’re seeing growth in interoperability with EHRs, progress which has increased their confidence in telemedicine’s future.

Before going any further, I should note that the surveyed population is a bit odd. The ATA reached out not only to leaders in hospital systems and medical practices, but also “telehealth service providers,” which sounds like merely an opportunity for self-promotion. But leaving aside this issue, it’s still worth thinking a bit about the data, such as it is.

First, not surprisingly, the results are a ringing endorsement of telemedicine technology. The group reports that 83 percent of respondents said they’ll probably invest in telehealth this year, and 88 percent will invest in telehealth-related technology.

When asked why they’re interested in delivering these services, 98 percent said that they believe telehealth services offer a competitive advantage over organizations that don’t offer them. And 84 percent of respondents expect that offering telehealth services will have a big impact on their organization’s coverage and reach.

(According to another survey, by Avizia and Modern Healthcare, other reasons providers are engaging with telehealth are that they believe it can improve clinical outcomes and support their transition to value-based care.)

When it comes to documenting its key thesis – that the integration of EHR and telehealth data is proceeding apace – the ATA research doesn’t go the distance. But I know from other studies that telemedicine vendors are indeed working on this issue – and why wouldn’t they? Any sophisticated telemedicine vendor has to know this is a big deal.

For example, telemedicine vendor American Well has been working with a long list of health plans and health systems for a while, in an effort to integrate the telehealth process with provider workflows. To support these efforts, American Well has created an enterprise telehealth platform designed to connect with providers’ clinical information systems. I’ve also observed that DoctorOnDemand has made some steps in that direction.

Ultimately, everyone in telehealth will have to get on board. Regardless of where they’re at now, those engaging in telehealth will need to push the interoperability puck forward.

In fact, integrating telehealth documentation with EMRs has to be a priority for everyone in the business. Even if integrating clinical data from virtual consults wasn’t important for analytics purposes, it is important to collecting insurance reimbursement. Now that private health plans (and Medicare) are reimbursing for telemedical care, you can rest assured that they’ll demand documentation if they don’t like your claim. And when it comes to Medicare, arguing that you haven’t figured out how to document these details won’t cut it.

In other words, while there are some overarching reasons why integrating this data is a good long-term strategy, we need to keep immediate concerns in mind too. Telemedicine data has to be seen as documentation first, before we add any other bells and whistles. Otherwise, providers will get off on the wrong foot with insurers, and they’ll have trouble getting back on track.

Patients Message Providers More When Providers Reach Out

Posted on April 26, 2017 | Written By Anne Zieger

A new study has concluded that patients use secure electronic messaging more when their primary care providers initiate and respond to secure messages.

To conduct the study, the research team worked with a large database stocked with information on health care transactions and secure messaging records on 81,645 US Army soldiers. The data also included information from almost 3,000 clinicians with access to a patient portal system. The dataset encompassed the 4-year period between January 2011 and November 2014.

The data, which appears in a paper published in the Journal of Medical Internet Research, suggests that current provider-patient exchanges via secure messaging aren’t that common. For example, during the study period just 7 percent of patients initiated a secure message during a given month. Meanwhile, providers initiated an average of 0.007 messages per patient each month, while responding to 0.09 messages per patient during a month.

That being said, when physicians got more engaged with the messaging process, patients responded dramatically.

Patients who knew their providers were responsive initiated a whopping 334 percent more secure messages than their baseline. Even among patients whose providers responded infrequently to their messages, the level at which they initiated messages to their clinicians was 254 percent higher than with PCPs who weren’t responding. (Oddly, when PCP response rates were at the “medium” level, patients increased messaging by 167 percent.)

In fact, when clinicians communicated more, there seemed to be spillover effects. Specifically, the researchers found that patients messaged PCPs more if that provider was very responsive to other patients, suggesting that there’s a network effect in play here.

Meanwhile, when PCPs were the ones prone to initiating messages, patients were 60 percent more likely to send a secure message. In other words, patients were more energized by PCP responses than clinician-initiated messages.

Of course, for secure messaging to have any real impact on care quality and outcomes, a critical mass of patients needs to use messaging tools. Historically, though, providers have struggled to get patients to use their portal, with usage levels hovering between 10 percent and 32 percent.

Usage rates for portals have stayed stubbornly low even when doctors work hard to get their patients interested. Even patients who have signed up to use the portal often don’t follow through, research suggests. And of course, patients who don’t touch the portal aren’t exchanging care-enhancing messages with their provider.

If we’re going to get patients to participate in messaging with their doctor, we’re going to have to admit that the features offered by basic portals simply aren’t that valuable. While most offer patients access to some details of their medical records and test results, and sometimes allow them to schedule appointments, many don’t provide much more.

Meanwhile, a surprising number of providers haven’t even enabled a secure messaging function on their portal, which confines it to being a sterile data receptacle. I’d argue that without offering this feature, portals do almost nothing to engage their typical patient.

Of course, physicians fear being overwhelmed by patient messages, and reasonably fear that they won’t have time to respond adequately, even though the work of many organizations, including the research of Dr. CT Lin, has shown this just isn’t the case. That being said, if they want to increase patient engagement – and improve patients’ overall health – secure messaging is one of the simplest tools for making that happen. So even if it means redesigning their workflow or tasking an advanced practice nurse with responding to routine queries, it’s worth doing.

AMIA Shares Recommendations On Health IT-Friendly Policymaking

Posted on April 17, 2017 | Written By Anne Zieger

The American Medical Informatics Association has released the findings from a new paper addressing health IT policy, including recommendations on how policymakers can support patient access to health data, interoperability for clinicians and patient care-related research and innovation.

As the group accurately notes, the US healthcare system has transformed itself into a digital industry at astonishing speed, largely during the past five years. Nonetheless, many healthcare organizations haven’t unlocked the value of these new tools, in part because their technical infrastructure is largely a collection of disparate systems which don’t work together well.

The paper, which is published in the Journal of the American Medical Informatics Association, offers several policy recommendations intended to help health IT better support value-based health, care and research. The paper argues that governments should implement specific policy to:

  • Enable patients to have better access to clinical data by standardizing data flow
  • Improve access to patient-generated data compiled by mHealth apps and related technologies
  • Engage patients in research by improving ways to alert clinicians and patients about research opportunities, while seeing to it that researchers manage consent effectively
  • Enable patient participation in and contribution to care delivery and health management by harmonizing standards for various classes of patient-generated data
  • Improve interoperability using APIs, which may demand that policymakers require adherence to chosen data standards
  • Develop and implement a documentation-simplification framework to fuel an overhaul of quality measurement, ensure availability of coded EHR clinical data and support reimbursement requirements redesign
  • Develop and implement an app-vetting process emphasizing safety and effectiveness, to include creating a knowledgebase of trusted sources, possibly as part of clinical practice improvement under MIPS
  • Create a policy framework for research and innovation, to include policies to aid data access for research conducted by HIPAA-covered entities and increase needed data standardization
  • Foster an ecosystem connecting safe, effective and secure health applications

To meet these goals, AMIA issued a set of “Policy Action Items” which address immediate, near-term and future policy initiatives. They include:

  • Clarifying a patient’s HIPAA “right to access” to include a right to all data maintained by a covered entity’s designated record set;
  • Encouraging continued adoption of 2015 Edition Certified Health IT, which will allow standards-based APIs published in the public domain to be composed of standard features which can continue to be deployed by providers; and
  • Making effective Common Rule revisions as finalized in the January 19, 2017 issue of the Federal Register

In looking at this material, I noted with interest AMIA’s thinking on the appropriate premises for current health IT policy. The group offered some worthwhile suggestions on how health IT leaders can leverage health data effectively, such as giving patients easy access to their mHealth data and engaging them in the research process.

Given that they overlap with suggestions I’ve seen elsewhere, we may be getting somewhere as an industry. In fact, it seems to me that we’re approaching industry consensus on some issues which, despite seeming relatively straightforward, have been the subject of professional disputes.

As I see it, AMIA stands as good a chance as any other healthcare entity at getting these policies implemented. I look forward to seeing how much progress it makes in drawing attention to these issues.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By Anne Zieger

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, some of these facilities don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.
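One way IT staff could run the check described above against hosts in their own inventory, as an added example that is not from the FBI report or the original post. The function names, the `ftp_factory` parameter (there so the logic can be exercised without a network) and the result wording are assumptions made for this sketch; it uses only Python's standard `ftplib` and never lists or transfers files.

```python
import ftplib
import sys


def audit_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Check one host from your own inventory; never transfers or lists files."""
    finding = {"host": host, "ftp_open": False, "banner": None,
               "anonymous_login": False, "explicit_tls": False}
    ftp = ftp_factory(timeout=timeout)
    try:
        finding["banner"] = ftp.connect(host, port)   # server greeting (220 ...)
        finding["ftp_open"] = True
        try:
            # FEAT lists server extensions; AUTH TLS means FTPS is available
            finding["explicit_tls"] = "AUTH TLS" in ftp.sendcmd("FEAT").upper()
        except ftplib.Error:
            pass                                      # FEAT not supported
        try:
            ftp.login()   # ftplib default: USER anonymous / PASS anonymous@
            finding["anonymous_login"] = True
        except ftplib.Error:
            pass                                      # anonymous access refused
        ftp.quit()
    except ftplib.all_errors:
        ftp.close()                                   # unreachable or dropped
    return finding


def classify(finding):
    """Map a finding to the follow-up the FBI recommendation calls for."""
    if not finding["ftp_open"]:
        return "OK: no FTP service answered"
    if finding["anonymous_login"]:
        return "FAIL: anonymous login accepted; confirm no PHI/PII is stored"
    if not finding["explicit_tls"]:
        return "WARN: FTP without AUTH TLS; credentials travel in clear text"
    return "INFO: FTP present, anonymous refused, TLS offered"


if __name__ == "__main__":
    # Hosts come from the command line, e.g. an export of your asset inventory.
    for target in sys.argv[1:]:
        result = audit_anonymous_ftp(target)
        print(f"{target}\t{classify(result)}\t{result['banner']}")
```

A host that reports FAIL is one to review for stored PHI or PII and to reconfigure or retire; a WARN host still exposes usernames and passwords to anyone capturing traffic on the path.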

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!