Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

What Would A Community Care Plan Look Like?

Posted on November 16, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Recently, I wrote an article about the benefits of a longitudinal patient record and community care plan to patient care. I picked up the idea from a piece by an Orion Health exec touting the benefits of these models. Interestingly, I couldn’t find a specific definition for a community care plan in the article — nor could I dig anything up after doing a Google search — but I think the idea is worth exploring nonetheless.

Presumably, if we had a community care plan in place for each patient, it would have interlocking patient-specific and population health-level elements to it. (To my knowledge, current population health models don’t do this.) Rather than simply handing patients off from one provider to another, in the hope that the rare patient-centered medical home could manage their care effectively on its own, it might set care goals for each patient as part of the larger community strategy.

With such a community care strategy, groups of providers would have a better idea where to allocate resources. It would simultaneously meet the goals of traditional medical referral patterns, in which clinicians consult with one another on strategy, and help them decide who to hire (such as a nurse-practitioner to serve patient clusters with higher levels of need).

As I envision it, a community care plan would raise the stakes for everyone involved in the care process. Right now, for example, if a primary care doctor refers a patient to a podiatrist, on a practical level the issue of whether the patient can walk pain-free is not the PCP’s problem. But in a community-based care plan, which help all of the individual actors be accountable, that podiatrist couldn’t just examine the patient, do whatever they did and punt. They might even be held to quantitative goals, if the they were appropriate to the situation.

I also envision a community care plan as involving a higher level of direct collaboration between providers. Sure, providers and specialists coordinate care across the community, minimally, but they rarely talk to each other, and unless they work for the same practice or health system virtually never collaborate beyond sharing care documentation. And to be fair, why should they? As the system exists today, they have little practical or even clinical incentive to get in the weeds with complex individual patients and look at their future. But if they had the right kind of community care plan in place for the population, this would become more necessary.

Of course, I’ve left the trickiest part of this for last. This system I’ve outlined, basically a slight twist on existing population health models, won’t work unless we develop new methods for sharing data collaboratively — and for reasons I be glad to go into elsewhere, I’m not bullish about anything I’ve seen. But as our understanding of what we need to get done evolves, perhaps the technology will follow. A girl can hope.

The Pain of Recording Patient Risk Factors as Illuminated by Apixio (Part 2 of 2)

Posted on October 28, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous section of this article introduced Apixio’s analytics for payers in the Medicare Advantage program. Now we’ll step through how Apixio extracts relevant diagnostic data.

The technology of PDF scraping
Providers usually submit SOAP notes to the Apixio web site in the form of PDFs. This comes to me as a surprise, after hearing about the extravagant efforts that have gone into new CCDs and other formats such as the Blue Button project launched by the VA. Normally provided in an XML format, these documents claim to adhere to standards and offer a relatively gentle face to a computer program. In contrast, a PDF is one of the most challenging formats to parse: words and other characters are reduced to graphical symbols, while layout bears little relation to the human meaning of the data.

Structured documents such as CCDs contain only about 20% of what CMS requires, and often are formatted in idiosyncratic ways so that even the best CCDs would be no more informative than a Word document or PDF. But the main barrier to getting information, according to Schneider, is that Medicare Advantage works through the payers, and providers can be reluctant to give payers direct access to their EHR data. This reluctance springs from a variety of reasons, including worries about security, the feeling of being deluged by requests from payers, and a belief that the providers’ IT infrastructure cannot handle the burden of data extraction. Their stance has nothing to do with protecting patient privacy, because HIPAA explicitly allows providers to share patient data for treatment, payment, and operations, and that is what they are doing giving sensitive data to Apixio in PDF form. Thus, Apixio had to master OCR and text processing to serve that market.

Processing a PDF requires several steps, integrated within Apixio’s platform:

  1. Optical character recognition to re-create the text from a photo of the PDF.

  2. Further structuring to recognize, for instance, when the PDF contains a table that needs to be broken up horizontally into columns, or constructs such the field name “Diagnosis” followed by the desired data.

  3. Natural language processing to find the grammatical patterns in the text. This processing naturally must understand medical terminology, common abbreviations such as CHF, and codings.

  4. Analytics that pull out the data relevant to risk and presents it in a usable format to a human coder.

Apixio can accept dozens of notes covering the patient’s history. It often turns up diagnoses that “fell through the cracks,” as Schneider puts it. The diagnostic information Apixio returns can be used by medical professionals to generate reports for Medicare, but it has other uses as well. Apixio tells providers when they are treating a patient for an illness that does not appear in their master database. Providers can use that information to deduce when patients are left out of key care programs that can help them. In this way, the information can improve patient care. One coder they followed could triple her rate of reviewing patient charts with Apixio’s service.

Caught between past and future
If the Apixio approach to culling risk factors appears round-about and overwrought, like bringing in a bulldozer to plant a rosebush, think back to the role of historical factors in health care. Given the ways doctors have been taught to record medical conditions, and available tools, Apixio does a small part in promoting the progressive role of accountable care.

Hopefully, changes to the health care field will permit more direct ways to deliver accountable care in the future. Medical schools will convey the requirements of accountable care to their students and teach them how to record data that satisfies these requirements. Technologies will make it easier to record risk factors the first time around. Quality measures and the data needed by policy-makers will be clarified. And most of all, the advantages of collaboration will lead providers and payers to form business agreements or even merge, at which point the EHR data will be opened to the payer. The contortions providers currently need to go through, in trying to achieve 21st-century quality, reminds us of where the field needs to go.

The Pain of Recording Patient Risk Factors as Illuminated by Apixio (Part 1 of 2)

Posted on October 27, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Many of us strain against the bonds of tradition in our workplace, harboring a secret dream that the industry could start afresh, streamlined and free of hampering traditions. But history weighs on nearly every field, including my own (publishing) and the one I cover in this blog (health care). Applying technology in such a field often involves the legerdemain of extracting new value from the imperfect records and processes with deep roots.

Along these lines, when Apixio aimed machine learning and data analytics at health care, they unveiled a business model based on measuring risk more accurately so that Medicare Advantage payments to health care payers and providers reflect their patient populations more appropriately. Apixio’s tools permit improvements to patient care, as we shall see. But the core of the platform they offer involves uploading SOAP notes, usually in PDF form, and extracting diagnostic codes that coders may have missed or that may not be supportable. Machine learning techniques extract the diagnostic codes for each patient over the entire history provided.

Many questions jostled in my mind as I talked to Apixio CTO John Schneider. Why are these particular notes so important to the Centers for Medicare & Medicaid Services (CMS)? Why don’t doctors keep track of relevant diagnoses as they go along in an easy-to-retrieve manner that could be pipelined straight to Medicare? Can’t modern EHRs, after seven years of Meaningful Use, provide better formats than PDFs? I asked him these things.

A mini-seminar ensued on the evolution of health care and its documentation. A combination of policy changes and persistent cultural habits have tangled up the various sources of information over many years. In the following sections, I’ll look at each aspect of the documentation bouillabaisse.

The financial role of diagnosis and risk
Accountable care, in varying degrees of sophistication, calculates the risk of patient populations in order to gradually replace fee-for-service with payments that reflect how adeptly the health care provider has treated the patient. Accountable care lay behind the Affordable Care Act and got an extra boost at the beginning of 2016 when CMS took on the “goal of tying 30 percent of traditional, or fee-for-service, Medicare payments to alternative payment models, such as ACOs, by the end of 2016 — and 50 percent by the end of 2018.

Although many accountable care contracts–like those of the much-maligned 1970s Managed Care era–ignore differences between patients, more thoughtful programs recognize that accurate and fair payments require measurement of how much risk the health care provider is taking on–that is, how sick their patients are. Thus, providers benefit from scrupulously complete documentation (having learned that upcoding and sloppiness will no longer be tolerated and will lead to significant fines, according to Schneider). And this would seem to provide an incentive for the provider to capture every nuance of a patient’s condition in a clearly code, structured way.

But this is not how doctors operate, according to Schneider. They rebel when presented with dozens of boxes to check off, as crude EHRs tend to present things. They stick to the free-text SOAP note (fields for subjective observations, objective observations, assessment, and plan) that has been taught for decades. It’s often up to post-processing tools to code exactly what’s wrong with the patient. Sometimes the SOAP notes don’t even distinguish the four parts in electronic form, but exist as free-flowing Word documents.

A number of key diagnoses come from doctors who have privileges at the hospital but come in only sporadically to do consultations, and who therefore don’t understand the layout of the EHR or make attempts to use what little structure it provides. Another reason codes get missed or don’t easily surface is that doctors are overwhelmed, so that accurately recording diagnostic information in a structured way is a significant extra burden, an essentially clerical function loaded onto these highly skilled healthcare professionals. Thus, extracting diagnostic information many times involves “reading between the lines,” as Schneider puts it.

For Medicare Advantage payments, CMS wants a precise delineation of properly coded diagnoses in order to discern the risk presented by each patient. This is where Apixio come in: by mining the free-text SOAP notes for information that can enhance such coding. We’ll see what they do in the next section of this article.

Will a Duo of AI and Machine Learning Catch Data Thieves Lurking in Hospital EHR Corridors?

Posted on September 19, 2016 I Written By

The following is a guest blog post by Santosh Varughese, President of Cognetyx, an organization devoted to using artificial intelligence and machine learning innovation to bring an end to the theft of patient medical data.
santosh-varughese-president-cognetyx
As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. They grab a hospital gown and the zombies fit right in.  While this is just a movie you can turn off, the real horror of patient data theft can follow you.

(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years).

Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries with serious data breaches and major attacks, along with government and manufacturers. Packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of which will remain valid for years, if not decades and fetch a high price on the black market.

Who Are The Hackers?
It is commonly believed attacks are from outside intruders looking to steal valuable patient data and 45 percent of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen, but privacy violations are insidious.

The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

For healthcare consultants, here is a great opportunity to not only help end this industry wide problem, but build up your client base by implementing some new technologies to help medical facilities bring an end to data theft.  With EHRs being more vulnerable than ever before, CIOs and CISOs are looking for new solutions.  These range from thwarting accidental and purposeful hackers by implementing physical security procedures to securing network hardware and storage media through measures like maintaining a visitor log and installing security cameras. Also limiting physical access to server rooms and restricting the ability to remove devices from secure areas.

Of course enterprise solutions for the entire hospital system using new innovations are the best way to cast a digital safety net over all IT operations and leaving administrators and patients with a sense of security and safety.

Growing Nightmare
Medical data theft is a growing national nightmare.  IDC’s Health Insights group predicts that 1 in 3 healthcare recipients will be the victim of a medical data breach in 2016.  Other surveys found that in the last two years, 89% of healthcare organizations reported at least one data breach, with 79% reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.

Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.

Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways
Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

Because Banner Health says its breach began with an attack on payment systems, it differentiates from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of by healthcare entities.

What also makes this breach more concerning is the question of how did hackers access healthcare systems after breaching payment systems at food/beverage facilities, when these networks should be completely separated from one another? Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure – even those that don’t necessarily have anything to do with systems handling and protected health information.

Who hasn’t heard of “ransomware”? The first reported attack was Hollywood Presbyterian Medical Center which had its EHR and clinical information systems shut down for more than week. The systems were restored after the hospital paid $17,000 in Bitcoins.

Will Data Thieves Also Rob Us of Advances in Healthcare Technology?
Is the data theft at MedStar Health, a major healthcare system in the DC region, a foreboding sign that an industry racing to digitize and interoperate EHRs is facing a new kind of security threat that it is ill-equipped to handle? Hospitals are focused on keeping patient data from falling into the wrong hands, but attacks at MedStar and other hospitals highlight an even more frightening downside of security breaches—as hospitals strive for IT interoperability. Is this goal now a concern?

As hospitals increasingly depend on EHRs and other IT systems to coordinate care, communicate critical health data and avoid medication errors, they could also be risking patients’ well-being when hackers strike. While chasing the latest medical innovations, healthcare facilities are rapidly learning that caring for patients also means protecting their medical records and technology systems against theft and privacy violations.

“We continue the struggle to integrate EHR systems,” says anesthesiologist Dr. Donald M. Voltz, Medical Director of the Main Operating Room at Aultman Hospital in Canton, OH, and an advocate and expert on EHR interoperability. “We can’t allow patient data theft and privacy violations to become an insurmountable problem and curtail the critical technology initiative of resolving health system interoperability. Billions have been pumped into this initiative and it can’t be risked.”

Taking Healthcare Security Seriously
Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Its doctors and nurses depend on data to perform time-sensitive and life-saving work.

Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%. Healthcare providers are averaging less than 6% of their information technology budget expenditures on security, according to a recent HIMSS survey. In contrast, the federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15%.

Meanwhile, the number of healthcare attacks over the last five years has increased 125%, as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $363 per record.

“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” says John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston. “You’re going to go where the money is and the safe is the easiest to open.”

Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cyber security budgets or kept them the same. While the healthcare industry has traditionally spent a small fraction of its budget on cyber defense, it has also not shored up its technical systems against hackers.

Disrupting the Healthcare Security Industry with Behavior Analysis   
Common defenses in trying to keep patient data safe have included firewalls and keeping the organization’s operating systems, software, anti-virus packages and other protective solutions up-to-date.  This task of constantly updating and patching security gaps or holes is ongoing and will invariably be less than 100% functional at any given time.  However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war. So it’s time for a disruption.

Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. By adding some leading innovation, behavior analysis can offer C-suite healthcare executives a cutting-edge, game-changing innovation.

The technology relies on the proven power of cloud technology to combine artificial intelligence with machine learning algorithms to create and deploy “digital fingerprints” using ambient cognitive cyber surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations while accessing EHRs and other applications with PHI that humans would miss and can not only augment current defenses against outside hackers and malicious insiders, but also flag problem employees who continually violate cyber security policy.

“Hospitals have been hit hard by data theft,” said Doug Brown, CEO, Black Book Research. “It is time for them to consider new IT security initiatives. Harnessing machine learning artificial intelligence is a smart way to sort through large amounts of data. When you unleash that technology collaboration, combined with existing cloud resources, the security parameters you build for detecting user pattern anomalies will be difficult to defeat.”

While the technology is advanced, the concept is simple. A pattern of user behavior is established and any actions that deviate from that behavior, such as logging in from a new location or accessing a part of the system the user normally doesn’t access are flagged.  Depending on the deviation, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate the issue.

The cost of this technology will be positively impacted by the continuing decline in the cost of storage and processing power from cloud computing giants such as Amazon Web Services, Microsoft and Alphabet.

The healthcare data security war can be won, but it will require action and commitment from the industry. In addition to allocating adequate human and monetary resources to information security and training employees on best practices, the industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems and the most powerful weapon the healthcare industry has in its war against cyber criminals.

Engaging Patients With Health Data Cuts Louisiana ED Overuse

Posted on September 15, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Maybe I’m misreading things, but it seems to me that few health IT pros really believe we can get patients to leverage their own health data successfully. And I understand why. After all, we don’t even have clear evidence that patient portals improve outcomes, and portals are probably the most successful engagement tool the industry has come up with to date.

And not to be a jerk about it, but I bet you’d be hard-pressed to find HIT gurus who believed the state of Louisiana would lead the way, as the achingly poor southern state isn’t exactly known for being a healthcare thought leader.  As it so happens, though, the state has actually succeeded where highfalutin’ health systems have failed.

Over one year, the state has managed to generate a 23% increase in health IT use among at-risk patients, and also, a 10.2% decrease in non-emergent use of emergency departments by Medicaid managed care organization members, thank you very much.

So how did Louisiana’s top healthcare brass accomplish this feat? Among other things, they launched a HIE-enabled ED data registry, along with a direct-to-consumer patient engagement campaign. These efforts were done in partnership with the Louisiana Health Care Quality Forum, which developed statewide marketing plans for the effort (See John’s interview with the Louisiana Health Care Quality Forum for more details).

They must have created some snazzy marketing copy. As Healthcare IT News noted, between August 2015 and May 2016, patient portal use shot up 31%, consumer EHR awareness rose 23% and opt-in to the state’s HIE grew by 3%, Quality Forum marketer Jamie Martin told HIN.

Not only that, the number of patients asking for access to or copies of electronic health data increased by 12%, and the number of patients with current copies of their health information grew by 9%, Martin said.

This is great news for those who want to see patients buy in to the digital health paradigm. Though it’s hard to tell whether the state will be able to maintain the benefits it gained in its initial effort, it clearly succeeded in getting a substantial number of patients to rethink how they manage their care.

But (and I’m sorry to be a bit of a Debbie Downer), I was a bit disappointed when I saw none of the gains cited related to changing health behaviors, such as, say, an increase in diabetics getting retinal exams.

I know that I should probably be focused on the project’s commendable successes, and believe it or not, I do find them to be exciting. I’m just not sure that these kinds of metrics can be used as proxies for health improvement measures, and let’s face it, that’s what we need, right?

Electronic Prescribing Of Controlled Substances Rates Spiking

Posted on September 1, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Back in the day, say a decade ago or so, when e-prescribing itself was a new and big deal, the feds – especially the DEA – didn’t think much of the e-prescribing of controlled drugs like opiates. But a few years later the agency eventually came around. In June of 2010, it released a rule which allowed providers to issue such prescriptions nd pharmacies to receive, dispense and archive these scripts electronically nationwide.

Since then, electronic prescribing of controlled substances (EPCS) has taken off, according to a story in Search HealthIT. In fact, EPCS has been growing rapidly, particularly during 2015, according to national pharmacy IT network Surescripts.

Specifically, the number of ECPS transactions shot up 600% last year, from 1.67 million to 12.8 million scripts issued, according to Surescripts’ 2015 National Progress Report. Part of the reason for this surge is that providers are getting on board at a brisk pace. The number of providers enabled to use EPCS grew 359% last year.

Among the interesting stats to be culled from the Surescripts report is that 32% of drugs prescribed were opioids. This statistic should draw a lot of interest from public officials and enforcement agencies trying to stem the tide of opioid overdoses which killed more than 28,000 Americans in 2014. That’s four times as many who died of this cause in 2010, according to Surescripts’ sources.

A Drop in the Bucket

It’s worth noting that the number of EPCS transactions still pales in contrast to the number of transactions hosted on the Surescripts network that year. The network handled 9.7 billion transactions in 2015, up 40% from the previous year, the company reported. That means the EPCS is still a drop in the bucket overall.

Also, levels of EPCS-enabled pharmacies and physicians vary across the U.S. For example, 91% of pharmacies are EPCS-enabled in New York, the top state for such pharmacies. (A New York State rule requiring every practitioner in the state to e-prescribe all medications went into effect in March.) Other top-ranked states for pharmacy penetration included Massachusetts, California and Texas. On the other hand, only 73% of pharmacies were EPCS-enabled in Georgia and Florida.

Still, with adoption levels seemingly evening out between states – and the gap small enough to close over the next few years – it seems like EPCS is becoming an established practice. Surescripts contends that this is for the best, and argues that EPCS reduces fraud and improper prescribing by making it easier to track such medications. And with states like New York mandating e-prescribing for all providers, the growth in EPCS is likely to stay healthy.

However, for every action there’s a reaction, and the other shoe may not have dropped where EPCS risks are concerned. It may take a few years to find out whether the confidence some have in this approach was merited.

Three Words That Health Care Should Stop Using: Insurance, Market, and Quality (Part 2 of 2)

Posted on August 23, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous part of this article ripped apart the use of the words “insurance” and “market” to characterize healthcare. Not let’s turn to another concept even more fundamental to our thinking about care.

Quality

The final element of this three-card Monte is the slippery notion of quality. Health care is often compared to the airlines (when we’re not being compared to the Cheesecake Factory), an exercise guaranteed to make health care look bad. Airlines and restaurants offer relatively homogeneous experiences to all their clients and can easily determine whether their service succeeded or failed. Even at a mechanical level, the airlines have been able to quantify safety.

Endless organizations such as the National Association for Healthcare Quality (NAHQ) and the Agency for Healthcare Research and Quality (AHRQ) collect quality measures, and CMS has tried strenuously to include quality measures in Meaningful Use and the new MACRA program. We actually have not a dearth of quality measures, but a surfeit. Doctors feel overwhelmed with these measures. They are difficult to collect, and we don’t know how to combine them to create easy reports that patients can act on. There is a difference between completing a successful surgery, caring for things such as pain and infection prevention after surgery, and creating a follow-up plan that minimizes the chance of readmission. All those things (and many more) are elements of quality.

Worst of all, despite efforts to rank patients by their conditions and risk, hospitals repeatedly warn that quality measures underestimate risky patients and therefore penalize the hospitals that do the most difficult and important work–caring for the sickest. Many hospitals are throwing away donor organs instead of doing transplants, because the organs are slightly inferior and therefore might contribute to lower quality ratings–even if the patients are desperate to give them a try.

The concept of quality in health care thus needs a fresh look, and probably a different term. The first, simple thing we can do is remove patient ratings from assessments of quality. The patient knows whether the nurse smiled at her or whether she was discharged promptly, but can’t tell how good the actual treatment was after the event. One nurse has suggested that staff turnover is a better indication of hospital quality than patient satisfaction surveys. Given our fascination with airline quality, it’s worth noting that the airline industry separates safety ratings from passenger experience. The health care industry can similarly leverage patient ratings to denote clients’ satisfaction, but that’s separate from quality.

As for the safety and effectiveness of treatment, we could try a fairer rating system, such as one that explicitly balances risk and reward. Agencies would have to take the effort to understand all the elements of differences in patients that contribute to risk, and make sure they are tallied. Perhaps we could learn how to assess the success of each treatment in relation to the condition in which the patient entered the office. Even better, we could try to assess longitudinal results instead evaluating each office visit or hospital admission in isolation.

These are complex activities, but we have lots of data and powerful tools to analyze it. Together with a focus on changing behavior and environments, we should be able to make a real difference in quality–and I mean quality of life. Is there anything an ordinary member of the health professions can do till then? Well, try issuing Bronx cheers and catcalls at any meeting or conference presentation where someone uses one of the three misleading terms.

Three Words That Health Care Should Stop Using: Insurance, Market, and Quality (Part 1 of 2)

Posted on August 22, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Reading the daily papers, I have gotten increasingly frustrated at the misunderstandings that journalists and the public bring to the debates of over health expansion, costs, and reform. But you can’t blame them–our own industry has created the confusion by misusing terms and concepts that work in other places but not in health. Worse still, the health care industry has let policy-makers embed the incorrect impressions into laws and regulations.

So in this article I’ll promote the long process of correcting the public’s impressions of health care–by purging three dangerous words from health care vocabulary.

Insurance

The health care insurance industry looks like no other insurance industry in the world. When we think of insurance, we think of paying semi-annually into a fund we hope we never need to use. But perhaps every twenty years or so, we suffer damage to our car, our house, or our business, and the insurance kicks in. That may have been true for health care 70 years ago, when you wouldn’t see the doctor unless you fell into a pit or came down with some illness they likely couldn’t cure anyway. The insurance model is totally unsuited for health care today.

The Affordable Care Act made some symbolic gestures toward a recognition that modern health care should embrace prevention and wellness. For instance, it eliminated copays for preventative visits. The insurance companies took that wording very literally: if you dare to bring up an actual medical problem during your preventative visit, they charge you a copay. Yet the “preventative” part of the visit usually consists of a lecture to stop smoking and go on the Mediterranean diet.

Effective wellness programs jettison the notion of insurance (although patients need separate insurance for catastrophic problems). They keep in regular contact with clients, provide coaching, and sometimes use intelligent digital interventions such as described by Dr. Joseph Kvedar in The Internet of Healthy Things (which I reviewed shortly after its release). There are scattered indications that these programs do their job. As they spread, the system set up to deal with catastrophic health events will have to adapt and take a modest role within a behavioral health model.

The term “insurance” is so widely applied to our healh funding model that we can’t make it go away. Perhaps we should put the word in quotation marks wherever it must be used.

Market

This term is less ubiquitous than “insurance” but may be even more harmful. Numerous commenters have pointed out the difference between health care and actual markets:

  • In a market, you can walk away and refuse to pay for a good that is too expensive. If the price of beef goes through the roof, you can switch to beans (and probably should, for your own health). So the best time to argue with someone who promotes a health care market may be right after he’s fallen from a ladder and is clutching at his leg in agony. Ask him, “Do you feel you can walk away from an offer of health care?” Cruel, but a lesson he won’t forget.

  • A market serves people who can afford it. It’s hard to find a stylish hair dresser in a poor neighborhood because no one can pay $200 for a cut. But here’s the rub: the people who need health care the most can’t afford it. Someone with serious mental or physical problems is less likely to find work or be able to attend a college with health insurance. Parents of seriously ill children have to take time off from work to care for them. And so on. It’s what economists–who have trouble discarding the market way of thinking–call a market failure.

  • In a market, you know what you’re going to pay for a service and what your options are. Enough said.

  • In a market, you can evaluate the quality of a service and judge (at least in retrospect) whether it was worth the cost. I’ll deal with quality in the next section.

The misconception of health care as a market came to a head in the implementation of the Affordable Care Act. Presumably, millions of “young invincibles” were avoiding health insurance because of the cost. The individual mandate, combined with affordable plans on health care exchanges, would bring them flooding into the insurance system, lowering costs for everyone and balancing the burden created by the many sick people who we knew would join. And yet now we have stubbornly rising health care rates, deductibles, and caps, along with new costs in the states where Medicaid expanded Where did this all fall apart?

Part of the problem is certainly the recession, which caused incomes to decline or stagnate and exacerbated people’s health care needs. Also, there was a pent-up need for treatment among people who had lacked health insurance and avoided treatment for some time. This comes through in a study of prescription medication use. Furthermore, people don’t change habits overnight: many continue to over-rely on the emergency room (perhaps because of a shortage of primary care providers).

But there’s another unanticipated factor: the “young invincibles” actually start using health care once they get access to it. An analysis showed that mental health needs among the young are much higher than expected. In particular, they suffer widely from depression and anxiety, which is entirely reasonable given the state of our world. (I know that these conditions are connected to genetics and biology, but environment must also play a role.)

Ultimately, until we get behavioral health in place for everybody, health care costs will continue to rise and we won’t realize the promise of near-universal coverage. Many health care activists–especially during the recent political primary season–call for a single-payer system, which certainly would introduce many efficiencies. But it doesn’t solve the problems of chronic conditions and unhealthy lifestyles–that will require policy action on levels ranging from improvements in air cleanliness to new opportunities for isolated individuals to socialize. Meanwhile, we still have to look at the notion of quality in tomorrow’s post.

E-Patient Update: Is It Appropriate to Trash “Dr. Google”?

Posted on August 1, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Apparently, a lot of professionals have gotten a bit defensive about working with Google-using customers. In fact, when I searched Google recently for the phrase “Don’t confuse your Google search with my” it returned results that finished the phrase with “law degree,” “veterinary degree,” “nursing degree” and even “library degree.” And as you might guess, it also included “medical degree” among its list of professions with a Google grudge.

I first ran across this anti-Dr.-Google sentiment about a year ago, when a physician posted a picture of a coffee mug bearing this slogan on LinkedIn. He defended having the mug on his desk as a joke. But honestly, doc, I don’t think it’s funny. Let me explain.

First, I want to concede a couple of points. Yes, humor means different things to different people, and a joke doesn’t necessarily define a doctor’s character. And to be as fair as possible, I’m sure there are patients who use Web-based materials as an excuse to second-guess medical judgment in ways which are counterproductive and even inappropriate. Knowledge is a good thing, but not everyone has good knowledge filters in place.

That being said, I have, hmmm, perhaps a few questions for clinicians who are amused by this “joke,” including:

  • Wouldn’t people’s health improve if they considered themselves responsible for learning as much as possible about health trends, wellness and/or any conditions they might have?
  • Don’t we want patients to be as engaged as possible when they are talking with their doctors (as well as other clinicians)? And doesn’t that mean being informed about key issues?
  • Does this slogan suggest that patients shouldn’t challenge physicians to explain discrepancies between what they read and what they’re being told?
  • Does this attitude bleed over to a dislike of all consumer-generated health data, even if it’s being generated by an FDA-approved device? If so, have you got a nuanced understanding of these technologies and a well-informed opinion on their merits?

Please understand, I am in no way anti-doctor. The truth is, I trust, admire and rely upon the clinicians who keep my chronic illnesses at bay. I have a sense of the pressures they confront, and have immense respect for their dedication and empathy.

That being said, I need clinicians to collaborate with me and help me learn what I need to know, not discourage and mock my efforts. And I need them to be open to the benefits of new technologies – be they the web-based medical content that didn’t exist when you were in med school, remote monitoring, wearables, sensor-laden t-shirts, mobile apps, artificial intelligence or flying cars.

So, I hope you understand now why I’m offended by that coffee mug. If a doctor dislikes something so elementary as a desire to learn, I doubt we’ll get along.

Attackers Try To Sell 600K Patient Records

Posted on July 22, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has concluded that attackers recently infiltrated U.S. healthcare institutions and stole at least 600,000 patient records, then attempted to sell more than 3 TB of associated data. The attacks, which were discovered by security firm InfoArmor, targeted not only hospitals, but also private clinics and vendors of medical equipment and supplies such as orthopedics, eWeek reports.

According to InfoArmor, the attacker gained access to the patient data by exploiting weak user credentials, and hacked Remote Desktop Protocol connections on some servers with static external IP addresses. The data thief also used a local privilege escalation exploit to access system files for added patching and backdooring, InfoArmor chief intelligence officer Andrew Komarov told eWeek.

And sadly, some healthcare institutions made it pretty easy for intruders. In some cases, data thieves were able to exfiltrate data stored in Microsoft Access desktop databases without any special user access segregation or rights control in place, Komarov told the magazine.

Future exploits may emerge through medical device connections, as many institutions aren’t paying enough attention to device security, he warns.”[Providers] think that the medical device is just a device for their specific function and sometimes they don’t [have] knowledge of misconfigured devices in their networks,” Komarov said.

So what will become of the data?  Many things, and none of them good. Some cyber criminals will sell Social Security numbers and other scammers will use to sell fraudulent healthcare services,. Cyber-grifters who steal a patient’s history of illness and their biography can use them to take advantage of consumers, he pointed out. And to sharpen their con, such criminals can even buy select data focused on geographic regions, Komarov noted in a follow-up chat with me.

To address exploits engineered by remote access sessions, one consulting firm is pitching technology allowing administrators to go over remote sessions with a fine-toothed comb.

Balazs Scheidler, CTO of security vendor BalaBit, notes that while remote access to internal IT resources is common, using protocols such as Microsoft Remote Desktop or Citrix ICA, IT managers don’t always have enough visibility into who’s accessing systems, when they are logging in and from where systems are being accessed. BalaBit is pitching a system which offers “CCTV-like” recording of user sessions, including screen contents, mouse movements, clicks and keystrokes.

But the truth is, regardless of what approach providers take, they simply have to step up security measures across the board. If attackers can access your data through a vulnerable Microsoft Access database, clearly something is out of order. And in fact many cases, it’s just that easy for attackers to get into your network.