
Compromise Assessments & Penetration Testing in Healthcare

Posted on June 21, 2017 | Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident involving patient portals is any indication, then the answer is a resounding “yes.”

True Health Diagnostics, a Frisco, TX-based healthcare services company, recently became aware of a security flaw in its patient portal after an IT consultant logged in to view his own test results and accessed other patients’ records by accident. The investigation determined that because True Health used sequential numbers for its patient record PDF files, any user of the patient portal could alter a digit in the URL and view the medical information of other patients (a flaw also known as forceful browsing, or an insecure direct object reference).

This recent event should serve as both a reminder and a warning to healthcare organizations using patient portals: preventing a similar disclosure requires implementing (and testing!) safeguards. There are two different actions an organization can take, one to understand the scope of a breach that may already have happened and one to assess its level of security in order to prevent a disclosure.

Compromise Assessment: Due-Diligence Task

A compromise assessment is a due-diligence task used to verify that an organization hasn’t experienced a security breach. Essentially, it answers the question: “Have we been breached?”

Completed by a group of whitehat hackers or information security professionals, the goal is to examine an organization’s various systems, verify if and when they were compromised, and estimate the damage or exposure that has been, or could be, done to customer data. By understanding the extent of the breach, the organization can in turn create a plan to remedy the issue and notify the appropriate parties of the disclosure.
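As an added example (not code from the original post or from HIPAA One), the following Python models the portal flaw described above beside the authorization check that prevents it, and, for the compromise-assessment question of whether such browsing already happened, scans constructed access-log lines for one account walking consecutive report numbers. All record ids, user names and log lines are constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample data store: sequential record id -> (owning patient, report body).
# A real portal would hold these in a database; the ids mimic the sequential
# PDF numbering described in the incident above.
RECORDS = {
    1001: ("patA", "Lab report for patient A"),
    1002: ("patB", "Lab report for patient B"),
    1003: ("patC", "Lab report for patient C"),
}


class Forbidden(Exception):
    """Raised when a request must be refused (unknown record or not the caller's)."""


def vulnerable_fetch(session_user, record_id):
    """Flawed handler: being logged in is treated as permission to read any
    record. Changing the number in /reports/<id>.pdf returns another
    patient's report (forceful browsing / insecure direct object reference)."""
    _owner, body = RECORDS[record_id]
    return body


def hardened_fetch(session_user, record_id):
    """Hardened handler: the server checks that the requested record belongs
    to the authenticated user. Authentication is not authorization."""
    owner, body = RECORDS.get(record_id, (None, None))
    if owner is None or owner != session_user:
        # Same response for "does not exist" and "not yours", so the portal
        # does not confirm which record numbers are valid.
        raise Forbidden("no such report")
    return body


# Defence in depth: expose an opaque, unguessable handle in the URL instead of
# the sequential database key. The ownership check above is still applied,
# because an unguessable URL is not a substitute for authorization.
HANDLES = {}


def issue_handle(record_id):
    """Mint a random handle for a record, e.g. for a 'download' link."""
    handle = secrets.token_urlsafe(24)
    HANDLES[handle] = record_id
    return handle


def fetch_by_handle(session_user, handle):
    record_id = HANDLES.get(handle)
    if record_id is None:
        raise Forbidden("no such report")
    return hardened_fetch(session_user, record_id)


# Compromise-assessment side ("Have we been breached?"): scan portal access
# logs for one account walking consecutive report numbers, which is what the
# incident above would have looked like in the web server logs.
LOG_LINE = re.compile(r"^(?P<user>\S+) GET /reports/(?P<id>\d+)\.pdf (?P<status>\d{3})$")

# Constructed log excerpt: patB reads four consecutive reports, only one of
# which could be their own.
SAMPLE_LOG = """\
patA GET /reports/1001.pdf 200
patB GET /reports/1002.pdf 200
patB GET /reports/1003.pdf 200
patB GET /reports/1004.pdf 200
patB GET /reports/1005.pdf 200
patC GET /reports/1003.pdf 200
"""


def find_enumeration(log_text, min_run=3):
    """Return {user: longest run of consecutive report ids} for every user
    whose longest run is at least min_run. Only successful (2xx) downloads
    count, since those are the requests that actually disclosed data."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["status"].startswith("2"):
            per_user[m["user"]].append(int(m["id"]))
    flagged = {}
    for user, ids in per_user.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_fetch("patA", 1002))  # patient B's report leaks
    try:
        hardened_fetch("patA", 1002)
    except Forbidden as exc:
        print("hardened:", exc)
    print("enumeration suspects:", find_enumeration(SAMPLE_LOG))
```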

Penetration Testing: Proactive Approach

In simple terms, conducting a penetration test is a proactive approach to finding security deficiencies before a breach occurs or attackers find a way in. A penetration test answers the question “How secure are we?”

By performing an authorized simulated attack, organizations can gain a much greater understanding of their security infrastructure. Although penetration testing alone will not ensure a network is compliant or secure, it will identify gaps between existing threats and the controls an organization has in place.

Penetration testing has many other benefits, including:

  • Revealing where procedures may be failing – Especially if insecure services are being used for administration or if critical security patches are missing due to inadequate configuration and change management processes/procedures.
  • Exposing poor password policy – Including the use of default or weak passwords, password reuse and use of incremental passwords.
  • Justification to management – For approval of additional security technologies. For example: Showing upper management that penetration testers were able to hack into the system and email the entire customer database.
  • Acting as a “second set of eyes” – Critical when using an independent provider to host ePHI/PII.

Interested in more details on penetration testing? Check out HIPAA One’s penetration testing blog post.

About Steven Marco
Steven Marco is the President of HIPAA One®, a leading provider of HIPAA Risk Assessment software for practices of all sizes. HIPAA One is a proud sponsor of EMR and HIPAA and of the effort to make HIPAA compliance more accessible for all practices. Are you HIPAA compliant? Take HIPAA One’s 5-minute HIPAA security and compliance quiz to see if your organization is at risk, or learn more at HIPAAOne.com.

Jabba the Hutt EHRs Are Alive And Well

Posted on June 19, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

If you follow @ehrandhit on Twitter, then you might have noticed that we’ve set it up to tweet out links to articles from Healthcare Scene’s database of 11,000+ blog posts. Sometimes I see these tweets and I remember amazing posts like the one I saw today about Jabba the Hutt EMR.

Here’s the concept of the Jabba the Hutt EMR as I described it back in 2011:

Many long time readers of EMR and HIPAA will know I like to call big, bulky, old EMR software systems, Jabba the Hutt EMR. I think comparing these old legacy EMR software to Jabba the Hutt is a great comparison. For those that don’t know Star Wars that well (and I’m no expert), Jabba the Hutt was a very powerful figure. Although, over time he’d grown so big that he wasn’t very nimble (to say the least). So, despite his power and prestige, there was little to admire about him.

Does that sound a bit like some legacy EMR software? They’re big and powerful figures in the industry. However, their software has grown to the point that it’s clunky and not very nimble. Getting something changed on it is difficult and it’s built on a platform that makes it hard to add new features. Thus, they are Jabba the Hutt EMR.

I love that I had “long time readers” in 2011, but I digress. Does this still sound like a lot of the EHR vendors out there? The cynic might suggest it’s every EHR vendor. Good thing I’m not cynical.

In that post I went on to list things that might be characteristics you could look for to identify the Jabba the Hutt EMR software. It has some good ones, but I think it’s time to update the list. Here’s an updated list that you might find beneficial (and a little entertaining).

You might be a Jabba the Hutt EHR if…
you’re part of every interoperability organization, but not actually interoperable.

You might be a Jabba the Hutt EHR if…
it costs as much for consultants to implement your software as your software.

You might be a Jabba the Hutt EHR if…
you hard coded 16 RXNorm codes to pass certification.

You might be a Jabba the Hutt EHR if…
your EHR certification is your EHR innovation plan.

You might be a Jabba the Hutt EHR if…
your programmers have never spent time in a clinic or hospital observing users.

You might be a Jabba the Hutt EHR if…
you’re afraid to talk to the media.

You might be a Jabba the Hutt EHR if…
your patient portal is your patient engagement strategy.

You might be a Jabba the Hutt EHR if…
HL7 and FHIR are your API strategy.

You might be a Jabba the Hutt EHR if…
you put AI and machine learning in a press release after implementing basic slicing and dicing analytics.

As I said in 2011, the more of these your EHR has, the more likely they’re a Jabba the Hutt EHR. I’m sure many of you could add to the list. Please do so in the comments.

Inspector General Says CMS Made $729 Million In Questionable EHR Incentive Payments

Posted on June 16, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new report from the HHS Office of Inspector General has concluded that over a three-year period, CMS made roughly $729.4 million in EHR incentive payments to providers who didn’t comply with program requirements.

To determine whether the incentive program was functioning appropriately, the OIG audited payments made between May 2011 and June 2014.

After sampling payment records for 100 eligible professionals (EPs), the agency found 14 EPs who didn’t meet incentive criteria yet received payments totaling $291,022. The auditors found that the 14 had either failed to meet bonus criteria or didn’t provide proof that they had.

Then, the OIG used the data to extrapolate how much CMS had spent on invalid payments, which is how it arrived at the $729 million estimate. In other words, given the margin of error across the sampled incentive payments, the OIG assumed that 12% of all incentive payments were in error. (The analysis also concluded that CMS mistakenly paid $2.3 million to EPs switching between Medicare and Medicaid programs.)

Not surprisingly, the OIG has recommended that CMS recover the $291,000 in payments made to the sampled providers. It also suggested that the agency review EP payments issued during the audit period to see what other errors were made. Of course, the ultimate goal is to get back the approximately $729.4 million the agency may have paid out in error.

In addition, the OIG called on CMS to review a random sample of self-attested documentation from after the audit period, to determine whether additional inappropriate payments were made to EPs.

And to make sure that EPs don’t get payments under both the Medicare and Medicaid incentive programs for the same program year, the report urged CMS to conduct edits of the National Level Repository system.

As part of this report, the OIG noted that allowing providers to self-report compliance data leaves the incentive payment program open to fraud, and recommended keeping a closer eye on these reports. CMS seems to have had at least some sympathy for this argument, as it apparently agreed partly or fully with all of the OIG’s suggested actions.

One side effect of the OIG report is that it brings attention back to the Meaningful Use program, which has been eclipsed by MACRA but still clings to life. Eligible providers can still report either Modified Stage 2 or Stage 3 in 2017, the main difference being that you need a full year of data for Stage 2 but only 90 days for Stage 3.

But MACRA does change things, as its performance standards will test providers in new ways. This year, providers have a chance to get situated with either the MIPS or APM track, and those who jump in now are likely to benefit.

Meanwhile, the future of Meaningful Use remains fuzzy. To my knowledge, the agency has no immediate plans to restructure the current incentive program to audit provider reports in depth. In fact, given that providers are more concerned about MACRA these days, I doubt CMS will bother.

That being said, it’s fair to assume that incentive payouts will get a bit more attention going forward. So be prepared to defend your attestation if need be.

Hands-On Guidance for Data Integration in Health: The CancerLinQ Story

Posted on June 15, 2017 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Institutions throughout the health care field are talking about data sharing and integration. Everyone knows that improved care, cost controls, and expanded research require institutions that hold patient data to share it safely. The American Society of Clinical Oncology’s CancerLinQ, one of the leading projects applying data analysis to find new cures, has tackled data sharing with a large number of health providers and discovered just how labor-intensive it is.

CancerLinQ fosters deep relationships and collaborations with the clinicians from whom it takes data. The platform quickly turns around results from analyzing the data, giving clinicians insights they can put to immediate use to improve the care of cancer patients. Issues in collecting, storing, and transmitting data intertwine with other discussion items around cancer care. Currently, CancerLinQ isolates the data from each institution and de-identifies patient information so that it can be shared among participating clinicians. CancerLinQ LLC is a wholly-owned nonprofit subsidiary of ASCO, which has registered CancerLinQ as a trademark.


Help from Jitterbit

In 2015, CancerLinQ began collaborating with Jitterbit, a company devoted to integrating data from different sources. According to Michele Hazard, Director of Healthcare Solutions, and George Gallegos, CEO, their company can recognize data from 300 different sources, including electronic health records. At the beginning, the diversity and incompatibility of EHRs was a real barrier. It took them several months to figure out each of the first EHRs they tackled, but now they can integrate a new one quickly. Oncology care, the key data needed by CancerLinQ, is a Jitterbit specialty.


One of the barriers raised by EHRs is licensing. The vendor has to “bless” both direct access to the EHR and data imported from external sources. HIPAA and licensing agreements also make tight security a priority.

Another challenge to processing data is to find records in different institutions and accurately match data for the correct patient.

Although the health care industry is moving toward the FHIR standard, and a few EHRs already expose data through FHIR, others have idiosyncratic formats and support older HL7 standards in different ways. Many don’t even have an API yet. In some cases, Jitterbit has to export the EHR data to a file, transfer it, and unpack it to discover the patient data.

Lack of structure

Jitterbit has become accustomed to looking in different places in a database to find patient information, even when EHRs claim to support the same standard. One doctor may put key information under “diagnosis” while another enters it under “patient problems,” and doctors in the same practice may choose different locations.

Worse still, doctors often ignore the structured fields that were meant to hold important patient details and just dictate or type it into a free-text note. CancerLinQ anticipated this, unpacking the free text through optical character recognition (OCR) and natural language processing (NLP), a branch of artificial intelligence.

It’s understandable that a doctor would evade the use of structured fields. Just think of the position she is in, trying to keep a complex cancer case in mind while half a dozen other patients sit in the waiting room for their turn. In order to use the structured field dedicated to each item of information, she would have to first remember which field to use–and if she has privileges at several different institutions, that means keeping the different fields for each hospital in mind.

Then she has to get access to the right field, which may take several clicks and require movement through several screens. The exact information she wants to enter may or may not be available through a drop-down menu. The exact abbreviation or wording may differ from EHR to EHR as well. And to carry through a commitment to using structured fields, she would have to go through this thought process many times per patient. (CancerLinQ itself looks at 18 Quality eMeasures today, with the plan to release additional measures each year.)

Finally, what is the point of all this? Up until recently, the information would never come back in a useful form. To retrieve it, she would have to retrace the same steps she used to enter the structured data in the first place. Simpler to dump what she knows into a free-text note and move on.

It’s worth mentioning that this Babel of health care information imposes negative impacts on the billing and reimbursement process, even though EHRs were designed to support those very processes from the start. Insurers have to deal with the same unstructured data that CancerLinQ and Jitterbit have learned to read. The intensive manual process of extracting information adds to the cost of insurance, and ultimately to the entire health care system. The recent eClinicalWorks scandal, which resembles Volkswagen’s cheating on auto emissions and will probably spill out to other EHR vendors as well, highlights the failings of health data.

Making data useful

The key to unblocking this information logjam is deriving insights from data that clinicians can immediately see will improve their interventions with patients. This is what the CancerLinQ team has been doing. They run analytics that suggest what works for different categories of patients, then return the information to oncologists. The CancerLinQ platform also explains which items of data were input to these insights, and urges the doctors to be more disciplined about collecting and storing the data. This is a human-centered, labor-intensive process that can take six to twelve months to set up for each institution. Richard Ross, Chief Operating Officer of CancerLinQ, calls the process “trench warfare,” not because it’s contentious but because it is slow and requires determination.

Of the 18 measures currently requested by CancerLinQ, one of the most critical data elements driving the calculation of multiple measures is staging information: where the cancerous tumors are and how far the cancer has progressed. Family history, treatment plan, and treatment recommendations are other examples of measures gathered.

The data collection process has to start by determining how each practice defines a cancer patient. The CancerLinQ team builds this definition into its request for data. Sometimes they submit “pull” requests at regular intervals to the hospital or clinic, whereas other times the health care provider submits the data to them at a time of its choosing.

Some institutions enforce workflows more rigorously than others. So in some hospitals, CancerLinQ can persuade the doctors to record important information at a certain point during the patient’s visit. In other hospitals, doctors may enter data at times of their own choosing. But if they understand the value that comes from this data, they are more likely to make sure it gets entered, and that it conforms to standards. Many EHRs provide templates that make it easier to use structured fields properly.

When accepting information from each provider, the team goes through a series of steps and does a check-in with the provider at each step. The team evaluates the data in a different stage for each criterion: completeness, accuracy of coding, the number of patients reported, and so on. By providing quick feedback, they can help the practice improve its reporting.

The CancerLinQ/Jitterbit story reveals how difficult it is to apply analytics to health care data. Few organizations can afford the expertise they apply to extracting and curating patient data. On the other hand, CancerLinQ and Jitterbit show that effective data analysis can be done, even in the current messy conditions of electronic data storage. As the next wave of technology standards, such as FHIR, fall into place, more institutions should be able to carry out analytics that save lives.

E-Patient Update:  I Was A Care Coordination Victim

Posted on June 12, 2017 | Written By


Over the past few weeks, I’ve been recovering from a shoulder fracture. (For the record, I wasn’t injured engaging in some cool athletic activity like climbing a mountain; I simply lost my footing on the tile floor of a beauty salon and frightened a gaggle of hair stylists. At least I got a free haircut!)

During the course of my treatment for the injury, I’ve had a chance to sample both the strengths and weaknesses of coordinated treatment based around a single EMR. And unfortunately, the weaknesses have shown up more often than the strengths.

What I’ve learned, first hand, is that templates and shared information may streamline treatment, but also pose a risk of creating a “groupthink” environment that inhibits a doctor’s ability to make independent decisions about patient care.

At the same time, I’ve concluded that centralizing treatment across a single EMR may provide too little context to help providers frame care issues appropriately. My sense is that my treatment team had enough information to be confident they were doing the right thing, but not enough to really understand my issues.

Industrial-style processes

My insurance carrier is Kaiser Permanente, which both provides insurance and delivers all of my care. Kaiser, which reportedly spent $4 billion on the effort, rolled out Epic roughly a decade ago, and has made it the backbone of its clinical operations. As you can imagine, every clinician who touches a Kaiser patient has access to that patient’s full treatment history with Kaiser providers.

During the first few weeks with Kaiser, I found that physicians there made good use of the patient information they were accumulating, and used it to handle routine matters quite effectively. For example, my primary care physician had no difficulty getting an opinion on a questionable blood test from a hematologist colleague, probably because the hematologist had access not only to the test result but also my medical history.

However, the system didn’t serve me so well when I was being treated for the fracture, an injury which, given my other issues, may have responded better to a less standardized approach.  In this case, I believe that the industrial-style process of care facilitated by the EMR worked to my disadvantage.

Too much information, yet not enough

After the fracture, as I worked my way through my recovery process, I began to see that the EMR-based process used to make Kaiser efficient may have discouraged providers from inquiring more deeply into my particular circumstances.

And yes, this could have happened in a paper world, but I believe the EMR intensified the tendency to treat me as “the fracture in room eight” rather than an individual with unique needs.

For example, at each step of the way I informed physicians that the sling they had provided was painful to use, and that I needed some alternative form of arm support. As far as I can tell, each physician who saw me looked at other providers’ notes, assumed that the predecessor had a good reason for insisting on the sling, and simply followed suit. Worse, none seemed to hear me when I insisted that it would not work.

While this may sound like a trivial concern, the lack of a sling alternative seemed to raise my level of pain significantly. (And let me tell you, a shoulder fracture is a very painful event already.)

At the same time, otherwise very competent physicians seemed to assume that I’d gotten information that I hadn’t, particularly education on my prognosis. At each stage, I asked questions about the process of recovery, and for whatever reason didn’t get the information I needed. Unfortunately, in my pain-addled state I didn’t have the fortitude to insist they tell me more.

My sense is that my care would’ve benefited from both a more flexible process and more information on my general situation, including the fact that I was missing work and really needed reassurance that I would get better soon. Instead, it was care by data point.

Dealing with exceptions

All that being said, I know that the EMR alone isn’t itself to blame for the problems I encountered. Kaiser physicians are no doubt constrained by treatment protocols which exist whether or not they’re relying on EMR-based information.

I also know that there are good reasons that organizations like Kaiser standardize care, such as improving outcomes and reducing care costs. And on the whole, my guess is that these protocols probably do improve outcomes in many cases.

But in situations like mine, I believe they fall short. If nothing else, Kaiser perhaps should have a protocol for dealing with exceptions to the protocols. I’m not talking about an informal, seat-of-the-pants judgment call, but an actual process for dealing with exceptions to the usual care flow.

Three weeks into healing, my shoulder is doing much better, thank you very much. But though I can’t prove it, I strongly suspect that I might have hurt less if physicians were allowed to make exceptions and address my emerging needs. And while I can’t blame the EMR for this experience entirely, I believe it played a critical role in consolidating opinion and effectively limiting my options.

While I have as much optimism about the role of EMRs as anyone, I hope they don’t serve as a tool to stifle dissension and oversimplify care in the future. I, for one, don’t want to suffer because someone feels compelled to color inside of the lines.

Legal Ramifications of EHRs Selling Data

Posted on June 6, 2017 | Written By


Prompted by an exchange on Twitter with prominent healthcare lawyer Matt Fisher (@Matt_R_Fisher), Healthcare Scene decided to sit down with Matt to talk about the challenging topic of EHR vendors selling patient data. As a basis for the discussion, I suggested to Matt that EHR vendors were selling EHR data, so we should dive into the details of when they are legally allowed to sell EHR data and when they are not.

That’s exactly what we did in my video interview with Matt Fisher below. Turns out there are a lot of little nuances to when and how an EHR vendor can sell patient data and HIPAA is only one of them. Plus, Matt and I also talk a bit about how a doctor and a patient can try and find out when and where their patient data is being sold. Learn about all the details in this video:

Is there anything you would add to the discussion? Were there any details or questions you think we missed? Let us know in the comments and we’ll do our best to get the answers.

eCW (eClinicalWorks) Settles Whistleblower Lawsuit for $155 Million

Posted on May 31, 2017 | Written By


In many of my press panels and other discussions at the Healthcare IT Marketing and PR Conference, I’ve argued that there’s very little “Breaking News” when it comes to healthcare IT. Today is an example where this is not true. The news just broke that EHR vendor, eCW (eClinicalWorks), has settled a whistleblower lawsuit against them for $155 million.

The suit was filed against eClinicalWorks by Brendan Delaney, a software technician formerly employed by the New York City Division of Health Care Access and Improvement, through his law firm Phillips & Cohen LLP. eClinicalWorks and three of its founders (Chief Executive Officer Girish Navani, Chief Medical Officer Rajesh Dharampuriya, M.D., and Chief Operating Officer Mahesh Navani) are jointly liable for the payment of $154.92 million. Separately, Developer Jagan Vaithilingam will pay $50,000, and Project Managers Bryan Sequeira and Robert Lynes will each pay $15,000. As a whistleblower, Delaney stands to receive $30 million of the settlement.

Here’s the summary of the complaints against eCW from the Justice Department’s press release about the settlement:

In its complaint-in-intervention, the government contends that ECW falsely obtained that certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification. For example, in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by “hardcoding” only the drug codes required for testing. In other words, rather than programming the capability to retrieve any drug code from a complete database, ECW simply typed the 16 codes necessary for certification testing directly into its software. ECW’s software also did not accurately record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or perform drug interaction checks. In addition, ECW’s software failed to satisfy data portability requirements intended to permit healthcare providers to transfer patient data from ECW’s software to the software of other vendors. As a result of these and other deficiencies in its software, ECW caused the submission of false claims for federal incentive payments based on the use of ECW’s software.

Most people are writing about how eCW didn’t fully integrate the RxNorm codes, but instead hard coded the 16 codes that the certification process used. That’s embarrassing, so it’s not a surprise that so many people are sharing that part of the story. However, I think the bigger part of the violation is probably around the data portability requirements. I bet a lot of EHR vendors are sweating right now as they look at the way they implemented those requirements. Not to mention the EHR audit logs, which are poor in many EHRs. Plus, the scariest claim is eClinicalWorks’ inability to reliably record diagnostic imaging orders or perform drug interaction checks. Those are patient safety issues and exist in many EHR software products.

If you want to dig into the weeds like I did, then you can see the government complaint against eClinicalWorks that was filed May 12, 2017 and the final settlement agreement with eClinicalWorks. Even more insightful was looking at the original complaint from Delaney against eClinicalWorks. Comparing the original whistleblower complaint to the government complaint against eClinicalWorks is very interesting. You’ll see that the government didn’t grab on to everything that was originally filed by Delaney. I imagine that’s a standard legal practice to file as many areas as possible and see what the government decides to use. It seems like Phillips & Cohen have represented a number of whistleblowers so I’m sure they were expert at this.

Girish Navani, CEO and Co-Founder of eClinicalWorks, offered this statement about the settlement:

“Today’s settlement recognizes that we have addressed the issues raised, and have taken significant measures to promote compliance and transparency. We are pleased to put this matter behind us and concentrate all of our efforts on our customers and continued innovations to enhance patient care delivery.”

Looking at the bigger picture, I’m certain that every EHR vendor is going through their EHR certification process and looking at all the statements they’ve made to make sure they’re not going to be in a similar situation. Not to mention the anti-kick back laws that were mentioned in the settlement. I’m sure there are other EHR vendors that are in violation of both of these items just as much as eCW.

Former ONC National Coordinator Farzad Mostashari seems to agree with me. Farzad tweeted, “Wow!! I hope this changes the attitude of the EHR vendor space more broadly.” Then, he later tweeted, “Let me be plain-spoken. eClinicalWorks is not the only EHR vendor who flouted certification /misled customers Other vendors better clean up.”

Farzad then nailed it when he tweeted “There are a LOT of doctor’s office staff looking at their EHR today and wondering if there’s $30M worth of false promises hidden there”

I do wonder if Farzad Mostashari feels a little guilty about the role he played in this process, since he oversaw such a porous EHR certification process. I’ve been against EHR certification for a long time because I thought it provided so little value to providers. The fact that it can be gamed by 16 codes being hardcoded is a perfect example of why EHR Certification is a waste. Although one could argue that without EHR certification, this suit would have never happened and maybe eClinicalWorks could still be selling the same product today.

I do find this quote from the US Attorney’s Office for the District of Vermont press release a little over the top (which I think is common on these things):

“Electronic health records have the potential to improve the care provided to Medicare and Medicaid beneficiaries, but only if the information is accurate and accessible,” said Special Agent in Charge Phillip Coyne of HHS-OIG. “Those who engage in fraud that undermines the goals of EHR or puts patients at risk can expect a thorough investigation and strong remedial measures such as those in the novel and innovative Corporate Integrity Agreement in this case.”

Another topic I haven’t seen anyone else cover is the impact that this settlement will have on eCW’s customers that used eCW to attest to meaningful use. Technically it shows that eCW wasn’t appropriately certified, so that means that they weren’t using a certified EHR and therefore shouldn’t have been eligible for meaningful use incentives. I asked one friend about this and he suggested that CMS had previously said that it would not hold eligible providers and eligible hospitals responsible for EHRs that calculated the meaningful use measures the wrong way. So, we’ll probably see this same approach with eCW users that got EHR incentive money on what we now know was not appropriately certified.

I was also intrigued by the Corporate Integrity Agreement (CIA) that eClinicalWorks entered into with HHS-OIG. There are a lot of details and oversight that eCW will get from OIG, but it also required eClinicalWorks to “allow customers to obtain updated versions of their software free of charge and to give customers the option to have ECW transfer their data to another EHR software provider without penalties or service charges. [emphasis added]”

Free updates are pretty clear and ironic, since not wanting to update all their clients is one possible hypothesis for why they didn’t really push the proper upgrades. Hopefully all eCW users will do it now, or they might be facing their own violations for using outdated software that has known clinical issues. However, the kicker in the CIA detail above is that eClinicalWorks has to give customers the option to have eClinicalWorks transfer their data to another EHR without penalty or service charges. I wonder how many will take them up on this requirement and what the details will be. I still wish this was required of all EHR vendors, but that’s a story for another day.

How many EHR vendor marketing groups are putting together their eClinicalWorks Rescue Plan to take in the downtrodden eCW users? I’m not sure these will be as successful as other EHR switching marketing efforts like those we see when an EHR is being shut down.

I’m sorry to say that I think this is likely only the beginning of such lawsuits. In fact, it’s probably already woken up a lot of potential whistleblowers. Hopefully it’s woken up a lot of EHR vendors as well.

Health IT Usability Comic and a Little Rant – Fun Friday

Posted on May 26, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This comic reminds me of healthcare IT and EHR government regulations lately. See if you can relate to this great Dilbert comic.

For healthcare I might change the wording to say…

“Your certification and regulation requirements include four hundred features.”

“Do you realize that no doctor is able to use a product with that level of complexity?”

“Good point. How can I certify ‘Easy to use’?”

I’m reminded of the keynote I saw the US CIO give. He said that one of the biggest challenges is taking regulation off the books. I’d love to see HHS and ONC see how many regulations they could remove as opposed to continuing to create new regulations.

If they’re not sure where to start, let me give them an idea. If you’ve required the collection of data which you haven’t ever used, that regulation is gone. That should do away with 3/4 of the healthcare regulations.

P.S. Sorry to take a Fun Friday and make it not so fun. I couldn’t help myself.

Both US And International Doctors Unimpressed With Govt Telehealth Adoption

Posted on May 25, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new survey by physician social network SERMO has concluded that both US and foreign physicians aren’t impressed with national and local telehealth efforts by governments.

The US portion of the survey, which had 1,651 physician respondents, found that few US doctors were pleased with the telehealth adoption efforts in their state. Forty-one percent said they felt their state had done a “fair” job in adopting telehealth, while 44 percent said the state’s programs were either “poor” or “very poor.” Just 15 percent of US physicians rated their state’s telehealth leaders as doing either “well” or “very well” with such efforts.

Among the various states, Ohio’s programs got the best ratings, with 22 percent of doctors saying the state’s telehealth programs were doing “well” or “very well.” California came in second place, with 20 percent of physician respondents describing their state’s efforts as doing “well” or “very well.”

On the flip side, 59 percent of New Jersey doctors said the state’s telehealth efforts were “poor” or “very poor.” New York also got low ratings, with 51 percent of doctors deeming the state’s programs “poor” or “very poor.”

Interestingly, physicians based outside the US had comparable, though slightly more positive, impressions of their countries’ telehealth efforts. Thirty-eight percent of the 1,831 non-US doctors responding to the survey rated their country as having done a “fair” job with telehealth adoption, a stronger middle ground than in the US. That being said, 43 percent said their country has done a “poor” or “very poor” job with adopting telehealth programs, while just 19 percent rated their countries’ efforts as going “well” or “very well.”

As with state-by-state impressions in the US, physicians’ impressions of how well their country was doing with telehealth adoption varied significantly. Spain got the best rating, with 26 percent of physicians saying efforts there were going “well” or “very well.” Meanwhile, the United Kingdom got the worst ratings, with 62 percent of doctors describing telehealth efforts there as “poor” or “very poor.”

Of course, all of this raises the question of what doctors were taking into account when they rated their country’s or state’s telehealth-related initiatives.

What makes doctors feel one telehealth adoption program is effective and another not effective? What kind of support are physicians looking for from their state or country? Are there barriers to implementation that a government entity is better equipped to address than private industry? Do they want officials to support the advancement of telehealth technology? I’d prefer to know the answers to these questions before leaping to any conclusions about the significance of SERMO’s data.

That being said, it does seem that doctors see some role for government in promoting the growth of telehealth use, if for no other reason than that they’re paying enough attention to know whether such efforts are working or not. That surprises me a bit, given that the biggest obstacles to physician telehealth adoption are generally getting paid for such services and handling the technology aspects of telemedicine delivery.

But if the study is any indication, doctors want more support from public entities. I’ll be interested to see whether Ohio and California keep leading the pack in this country — and what they’re doing right.

Seven Factors That Will Make 2018 A Challenging Year For EMR Vendors

Posted on May 24, 2017 | Written By Anne Zieger

Unless they’re monumentally important, I generally don’t regurgitate the theories researchers develop about health IT. But this time I’m changing strategies. While their analysis may not fit in the “earth shattering” category, I thought their list of factors that will shape 2018’s EMR market was dead on, so here it is.

According to a report created by analyst firm Kalorama Research, a number of trends are brewing which could make next year a particularly, well, interesting one for EMR vendors. (By the by, the allegedly Chinese curse, “May you live in interesting times” probably wasn’t Chinese in origin — it seems to have been minted in the 19th century by a British politician named Joseph Chamberlain. But I digress.)

According to Kalorama publisher Bruce Carlton, many forces are converging, including:

  • Frustrated physicians: Physician rage over clunky EMRs may boil over next year. No one vendor seems positioned to scoop up their business, but of course many will try.
  • Hospital EMR switches: While hospitals have been switching out EMRs for quite some time, defections may climb to new levels. Their main objective: Improve workflows.
  • Emerging technologies: Trendy approaches like dashboarding, blockchain and advanced big data analytics will begin to be integrated with existing EMR technologies. Or as the report notes, “the Old EMR doesn’t cut it anymore.”
  • IT staff shortages: It takes a pretty seasoned IT pro to run an EMR, but they’re hard to find, especially if you want them to have a lot of relevant experience. But without their expertise, provider organizations may not get the most out of their systems. This may spell opportunity for vendors offering better service, the report says.
  • Breach of the day: With each cybersecurity breach, EMRs get negative coverage, and the effects of this bad PR are accreting. Tales of ransomware, a particularly lurid form of cybercrime, are only making things worse.
  • Many EMR vendors remain: Despite a barrage of M&A activity in the sector, there are still over 1,000 vendors in the EMR space, Kalorama notes. In other words, competition for EMR customers will still be brisk, particularly given that no one vendor – even giants like Cerner and Epic – owns more than one-fifth of the market. (This assertion comes from the firm’s own market estimates.)
  • New Administration, new goals: To date the White House hasn’t proposed specific changes to health IT policy, but one clue comes from the appointment of an HHS Secretary who dislikes the meaningful use program. Anything could happen here.

In addition to the factors cited by Kalorama, I’d suggest one other trend to consider. As I’ve noted above, Kalorama argues that customers will demand EMRs that incorporate sexy new technologies, perhaps more so than in the past. I’d go further with this projection. From what I’m hearing, a consensus is emerging that EMR architectures must be completely deconstructed and rethought for today’s data.

With important data flows emerging from wearables, apps, remote monitoring devices and the like, it may not make sense to put a big database at the center of the EMR platform anymore. After all, what’s the point of setting up an enterprise EMR as the ultimate source of truth if so much important data is being generated by mobile devices at the network edge?

Anyway, that’s my two cents, along with Kalorama’s predictions. What do you think 2018 will look like for EMR vendors, and why?