Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Public Health Agencies Struggle To Integrate With HIEs

Posted on September 21, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research by ONC suggests that while public health agencies might benefit from connecting with HIEs, there are still some significant barriers many need to address before doing so.

Public health agencies at both the state and local level collect information from providers as part of conducting disease surveillance activities and maintaining data registries. Though some of these registries are common – notably those focusing on childhood immunizations, birth defects and cancer—the agencies’ technical infrastructure and data formats still vary. This makes sharing data between them difficult.

One alternative to cumbersome data matching between agencies is for the agencies to integrate with an HIE. According to the ONC report, public health researchers have begun to find that at least some of the time, the data they get from HIE organizations is richer than data from clinical systems. Not only that, when public health agencies integrate their information systems with HIEs, it can help them conduct many of their functions more effectively. However, it’s still unusual to find HIE-connected agencies as of yet.

In its new report, ONC outlines what it learned about what the agencies hoped to accomplish with HIE integration and how they moved ahead with integration. To find this out, ONC contracted with Clinovations Government + Health, which participated in discussions with eight entities and analyzing more detailed information on 10 others.

Virtually all respondents had two goals for HIE integration: 1) Minimizing the number of connections needed to link providers, HIEs and agencies and 2) Helping providers meet public health requirements for Medicare and Medicaid EHR incentive programs. A small subset also said that over the longer term, they wanted to create a sustainable platform for clinical and public health exchange which could support enhanced analytics and quality measurement.

Not surprisingly, though, they face considerable challenges in making HIE integration actually happen. In most cases, technology issues were possibly the toughest nut to crack, and almost certainly the most complex. To connect with an HIE, agencies may confront incompatible transport and messaging protocols, standards problems, data classification and coding issues, inconsistent data quality, and their often-inflexible legacy systems, to name just a few of the many problems ONC cites.

As if that weren’t enough, the agencies may not have the funding in place to take on the integration effort, and/or lack a stable funding stream; don’t have the kind of cross-functional leaders in place needed to integrate their systems with HIEs; grapple with complicated patient data privacy and security issues; and bump up against state laws limiting data sharing methods.

However, through its research, the ONC did gather some useful feedback on how the agencies were coping with the long list of HIE integration challenges they face. For example, to win over the support of policymakers, some agencies have emphasized that they’ll be able to use HIE data for higher-level analytics and quality measures. The respondents also noted that HIE integration got more internal support when they got buy-in from top leaders and second-tier leaders have project management, technical and policy skills.

Given these odds, it’s little wonder that the number of public health agencies successfully integrating with HIEs is still small. That being said, there’s good reason for them to keep pushing for integration, so their number is likely to grow over the next few years.

E-Patient Update:  Changing The Patient Data Sharing Culture

Posted on May 19, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’ve been fighting for what I believe in for most of my life, and that includes getting access to my digital health information. I’ve pleaded with medical practice front-desk staff, gently threatened hospital HIT departments and gotten in the faces of doctors, none of whom ever seem to get why I need all of my data.

I guess you could say that I’m no shrinking violet, and that I don’t give up easily. But lately I’ve gotten a bit, let me say, discouraged when it comes to bringing together all of the data I generate. It doesn’t help that I have a few chronic illnesses, but it’s not easy even for patients with no major issues.

Some these health professionals know something about how EMRs work, how accurate, complete health records facilitate care and how big data analysis can improve population health. But when it comes to helping humble patients participate in this process, they seem to draw a blank.

The bias against sharing patient records with the patients seems to run deep. I once called the PR rep at a hospital EMR vendor and complained casually about my situation, in which a hospital told me that it would take three months to send me records printed from their EMR. (If I’d asked them to send me a CCD directly, the lady’s head might have exploded right there on the phone.)

Though I didn’t ask, the vendor rep got on the phone, reached a VP at the hospital and boom, I had my records. It took a week and a half, a vendor and hospital VP just to get one set of records to one patient. And for most of us it isn’t even that easy.

The methods providers have used to discourage my data requests have been varied. They include that I have to pay $X per page, when state law clearly states that (much lower) $Y is all they can charge. I’ve been told I just have to wait as long as it takes for the HIM department to get around to my request, no matter how time-sensitive the issue. I was even told once that Dr. X simply didn’t share patient records, and that’s that. (I didn’t bother to offer her a primer on state and federal medical records laws.) It gets to be kind of amusing over time, though irritating nonetheless.

Some of these skirmishes can be explained by training gaps or ignorance, certainly. What’s more, even if a provider encourages patient record requests there are still security and privacy issues to navigate. But I believe that what truly underlies provider resistance to giving patients their records is a mix of laziness and fear. In the past, few patients pushed the records issue, so hospitals and medical groups got lazy. Now, patients are getting assertive, and they fear what will happen.

Of course, we all have a right to our medical records, and if patients persist they will almost always get them. But if my experience is any guide, getting those records will remain difficult if attitudes don’t change. The default cultural setting among providers seems to be discomfort and even rebellion when they’re asked to give consumers their healthcare data. My protests won’t change a thing if people are tuning me out.

There’s many reasons for their reaction, including the rise of challenging, self-propelled patients who don’t assume the doctor knows best in all cases. Also, as in any other modern industry, data is power, and physicians in particular are already feeling almost powerless.

That being said, the healthcare industry isn’t going to meet its broad outcomes and efficiency goals unless patients are confident and comfortable with managing their health. Collecting, amassing and reviewing our health information greatly helps patients like me to stay on top of issues, so encumbering our efforts is counter-productive.

To counter such resistance, we need to transform the patient data sharing culture from resistant to supportive. Many health leaders seem to pine for the days when patients could have the data when and if they felt like it, but those days are past. Participating happily in a patient’s data collection efforts needs to become the norm.

If providers hope to meet the transformational goals they’ve set for themselves, they’ll have to help patients get their data as quickly, cheaply and easily as possible. Failing to do this will block or at least slow the progress of much-needed industry reforms, and they’re already a big stretch. Just give patients their data without a fuss – it’s the right thing to do!

EMR Information Management Tops List Of Patient Threats

Posted on March 23, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A patient safety organization has reached a conclusion which should be sobering for healthcare IT shops across the US. The ECRI Institute , a respected healthcare research organization, cited three critical health IT concerns in its list of the top 10 patient safety concerns for 2017.

ECRI has been gathering data on healthcare events and concerns since 2009, when it launched a patient safety organization. Since that time, ECRI and its partner PSOs have collected more than 1.5 million event reports, which form the basis for the list. (In other words, the list isn’t based on speculation or broad value judgments.)

In a move that won’t surprise you much, ECRI cited information management in EMRs as the top patient safety concern on its list.

To address this issue, the group suggests that healthcare organizations create cross-functional teams bringing varied perspectives to the table. This means integrating HIM professionals, IT experts and clinical engineers into patient safety, quality and risk management programs. ECRI also recommends that these organizations see that users understand EMRs, report and investigate concerns and leverage EMRs for patient safety programs.

Implementation and use of clinical decision support tools came in at third on the list, in part because the potential for patient harm is high if CDS workflows are flawed, the report says.

If healthcare organizations want to avoid these problems, they need to give a multidisciplinary team oversight of the CDS, train end users in its use and give them access to support, the safety group says. ECRI also recommends that organizations monitor the appropriateness of CDS alerts, evaluating the impact on workflow and reviewing staff responses.

Test result reporting and follow-up was ranked fourth in the list of safety issues, driven by the fact that the complexity of the process can lead to distraction and problems with follow-up.

The report recommends that healthcare organizations respond by analyzing their test reporting systems and monitor their effectiveness in triggering appropriate follow-ups. It also suggests implementing policies and procedures that make it clear who is accountable for acting on test results, encouraging two-way conversations between healthcare professionals and those involved in diagnostic testing and teaching patients how to address test information.

Patient identification issues occupied the sixth position on the list, with the discussion noting that about 9 percent of misidentification problems lead to patient injury.

Healthcare leaders should prioritize this issue, engaging clinical and nonclinical staffers in identifying barriers to safe identification processes, the ECRI report concludes. It notes that if a provider has redundant patient identification processes in place, this can increase the probability that identification problems will occur. Also, it recommends that organizations standardize technologies like electronic displays and patient identification bands, and that providers consider bar-code systems and other patient identification helps.

In addition to health IT problems, ECRI identified several clinical and process issues, including unrecognized patient deterioration, problems with managing antimicrobial drugs, opioid administration and monitoring in acute care, behavioral health issues in non-behavioral-health settings, management of new oral anticoagulants and inadequate organization systems or processes to improve safety and quality.

But clearly, resolving nagging health IT issues will be central to improving patient care. Let’s make this the year that we push past all of them!

Can Interoperability Drive Value-Based Care?

Posted on December 14, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As the drive to interoperability has evolved over the last few decades — and those of you who are HIT veterans know that these concerns go at least that far back — open data sharing has gone from being a “nice to have” to a presumed necessity for providing appropriate care.

And along the way, backers of interoperability efforts have expanded their goals. While the need to support coordinated care has always been a basis for the discussion, today the assumption is that value-based care simply isn’t possible without data interoperability between providers.

I don’t disagree with the premise. However, I believe that many providers, health systems and ACOs have significant work to do before they can truly benefit from interoperability. In fact, we may be putting the cart before the horse in this case.

A fragmented system

At present, our health system is straining to meet the demand for care coordination among the populations it serves. That may be in part because the level of chronic illness in the US is particularly high. According to one Health Affairs study, two out of three Americans will have a chronic condition by the year 2030. Add that to the need to care for patients with episodic care needs and the problem becomes staggering.

While some health organizations, particularly integrated systems like the Cleveland Clinic and staff-model managed care plans like Kaiser Permanente, plan for and execute well on care coordination, most others have too many siloes in place to do the job correctly. Though many health systems have installed enterprise EMRs like Epic and Cerner, and share data effectively while the patient remains down in their system, they may do very little to integrate information from community providers, pharmacies, laboratories or diagnostic imaging centers.

I have no doubt that when needed, individual providers collect records from these community organizations. But collecting records on the fly is no substitute for following patients in a comprehensive way.

New models required

Given this history, I’d argue that many health systems simply aren’t ready to take full advantage of freely shared health data today, much less under value-based care payment models of the future.

Before they can use interoperable data effectively, provider organizations will need to integrate outside data into their workflow. They’ll need to put procedures in place on how care coordination works in their environment. This will include not only deciding who integrates of outside data and how, but also how organizations will respond as a whole.

For example, hospitals and clinics will need to figure out who handles care coordination tasks, how many resources to pour into this effort, how this care coordination effort fits into the larger population health strategy and how to measure whether they are succeeding or failing in their care coordination efforts. None of these are trivial tasks, and the questions they raise won’t be answered overnight.

In other words, even if we achieved full interoperability across our health system tomorrow, providers wouldn’t necessarily be able to leverage it right away. In other words, unfettered health data sharing won’t necessarily help providers win at value-based care, at least not right away. In fact, I’d argue that it’s dangerous to act as though interoperability can magically make this happen. Even if full interoperability is necessary, it’s not sufficient. (And of course, even getting there seems like a quixotic goal to some, including myself.)

Planning ahead

That being said, health organizations probably do have time to get their act together on this front. The move to value-based care is happening quickly, but not at light speed, so they do have time to make plans to leverage interoperable health data.

But unless they acknowledge the weaknesses of their current system, which in many cases is myopic, siloed and rigid, interoperability may do little to advance their long-term goals. They’ll have to admit that their current systems are far too inward-looking, and that the problem will only go away if they take responsibility for fixing it.

Otherwise, even full interoperability may do little to advance value-based care. After all, all the data in the world won’t change anything on its own.

Major IT Projects and Consulting – Fun Friday

Posted on August 12, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and so time for a little bit of healthcare IT humor. This one probably hits home if you’re working in a major health system and are suffering in a mess of projects. When you think about it, it’s no wonder that so many health systems have gone all in with one death star EHR.

Star Wars Enterprise Health IT Cartoon

This is humorous until you have to pay the consulting bill. This message is an old one and well worth remembering as you work with consultants. Consultants aren’t bad, but be sure you use them effectively.
Consulting Despair Graphic

A Tale of 2 T’s: When Analytics and Artificial Intelligence Go Bad

Posted on July 13, 2016 I Written By

Prashant Natarajan Iyer (AKA "PN") is an analytics and data science professional based out of the Silicon Valley, CA. He is currently Director of Product Management for Healthcare products. His experience includes progressive & leadership roles in business strategy, product management, and customer happiness at eCredit.com, Siemens, McKesson, Healthways & Oracle. He is currently coauthoring HIMSS' next book on big data and machine learning for healthcare executives - along with Herb Smaltz PhD and John Frenzel MD. He is a huge fan of SEC college football, Australian Cattle Dogs, and the hysterically-dubbed original Iron Chef TV series. He can be found on Twitter @natarpr and on LinkedIn. All opinions are purely mine and do not represent those of my employer or anyone else!!

Editor’s Note: We’re excited to welcome Prashant to the Healthcare Scene family. He brings tremendous insights into the ever evolving field of healthcare analytics. We feel lucky to have him sharing his deep experience and knowledge with us. We hope you’ll enjoy his first contribution below.

Analytics & Artificial Intelligence (AI) are generating buzz and making inroads into healthcare informatics. Today’s healthcare organization is dealing with increasing digitization – variety, velocities, and volumes are increasing in complexity and users want more data and information via analytics. In addition to new frontiers that are opening up in structured and unstructured data analytics, our industry and its people (patients included) are recognizing opportunities for predictive/prescriptive analytics, artificial intelligence, and machine learning in healthcare – within and outside a facility’s four walls.

Trends that influence these new opportunities include:

  1. Increasing use of smart phones and wellness trackers as observational data sources, for medical adherence, and as behavior modification aids
  2. Expanding Internet of Healthcare Things (IoHT) that includes bedside monitors, home monitors, implants, etc creating data in real time – including noise (or, data that are not relevant to expected usage)
  3. Social network participation
  4. Organizational readiness
  5. Technology maturity

The potential for big data in healthcare – especially given the trends discussed earlier is as bright as any other industry. The benefits that big data analytics, AI, and machine learning can provide for healthier patients, happier providers, and cost-effective care are real. The future of precision medicine, population health management, clinical research, and financial performance will include an increased role for machine-analyzed insights, discoveries, and all-encompassing analytics.

As we start this journey to new horizons, it may be useful to examine maps, trails, and artifacts left behind by pioneers. To this end, we will examine 2 cautionary tales in predictive analytics and machine learning, look at their influence on their industries and public discourse, and finally examine how we can learn from and avoid similar pitfalls in healthcare informatics.

Big data predictive analytics and machine learning have had their origins, and arguably their greatest impact so far in retail and e-commerce so that’s where we’ll begin our tale. Fill up that mug of coffee or a pint of your favorite adult beverage and brace yourself for “Tales of Two T’s” – unexpected, real-life adventures of what happens when analytics (Target) and artificial intelligence (Tay) provide accurate – but totally unexpected – results.

Our first tale starts in 2012 when Target finds itself as a popular story on New York Times, Forbes, and many global publications as an example of the unintended consequences of predictive analytics used in personalized advertising. The story begins with an angry father in a Minneapolis, MN, Target confronting a perplexed retail store manager. The father is incensed about the volume of pregnancy and maternity coupons, offer, and mailers being addressed to this teenage daughter. In due course, it becomes apparent that the parents in question found out about their teen’s pregnancy before she had a chance to tell them – and the individual in question wasn’t aware that her due date had been estimated to within days and was resulting in targeted advertising that was “timed for specific stages of her pregnancy.”

The root cause for the loss of the daughter’s privacy, parents’ confusion, and the subsequent public debate on privacy and appropriateness of the results of predictive analytics was……a pregnancy predictive analytics model. Here’s how this model works. When a “guest” shops at Target, her product purchases are tracked and analyzed closely. These are correlated with life events – graduation, birth, wedding, etc – in order to convert a prospective customer’s shopping habits or to make that individual a more loyal customer. Pregnancy and child birth are two of the most significant life events that can result in desired (by retailers) shopping habit modification.

For example, a shopper’s 25 product purchases, when analyzed along with demographics such as gender and age, allowed the retailer’s guest marketing analytics team to assign a “pregnancy predictor to each [female] shopper and “her due date to within a small window.” In this specific case, the predictive analytics was right, even perfect. The models were accurate, the coupons and ads were appropriate for the exact week of pregnancy, and Target posted a +50% increase in their maternity and baby products sales after this predictive analytics was deployed. However, in addition to one unhappy family, Target also had to deal with significant public discussion on the “big brother” effect, individual right to privacy & the “desire to be forgotten,” disquiet among some consumers that they were being spied on including deeply personal events, and a potential public relations fiasco.

Our second tale is of more recent vintage.

As Heather Wilhelm recounts

As 2015 drew to a close, various [Microsoft] company representatives heralded a “new Golden Age of technological advancement.” 2016, we were told, would bring us closer to a benevolent artificial intelligence—an artificial intelligence that would be warm, humane, helpful, and, as one particularly optimistic researcher named […] put it, “will help us laugh and be more productive.” Well, she got the “laugh” part right.

Tay was an artificial intelligence bot released by Microsoft via Twitter on March 23, 2016 under the name TayTweets. Tay was designed to mimic the language patterns of a 19-year-old American girl, and to learn from interacting with human users of Twitter. “She was targeted at American 18 to 24-year olds—primary social media users, according to Microsoft—and designed to engage and entertain people where they connect with each other online through casual and playful conversation.” And right after her celebrated arrival on Twitter, Tay gained more than 50,000 followers, and started producing the first hundred of 100,000 tweets.

The tech blogsphere went gaga over what this would mean for those of us with human brains – as opposed to the AI kind. Questions ranged from the important – “Would Tay be able to beat Watson at Jeopardy?” – to the mundane – “is Tay an example of the kind of bots that Microsoft will enable others to build using its AI/machine learning technologies?” The AI models that went into Tay were stated to be advanced and were expected to account for a range of human emotions and biases. Tay was referred to by some as the future of computing.

By the end of Day 1, this latest example of the “personalized AI future” came unglued. Gone was the polite 19-year old girl that was introduced to us just the previous day – to be replaced by a racist, misogynistic, anti-Semitic, troll who resembled an amalgamated caricature of the darkest corners of the Internet. Examples of Tay’s tweets on that day included, “Bush did 9/11,” “Hitler would have done a better job than the #%&!## we’ve got now,” “I hate feminists,” and x-rated language that is too salacious for public consumption – even in the current zeitgeist.

The resulting AI public relations fiasco will be studied by academic researchers, provide rich source material for bloggers, and serve as a punch line in late night shows for generations to follow.

As the day progressed, Microsoft engineers were deleting tweets manually and trying to keep up with the sheer volume of high-velocity, hateful tweets that were being generated by Tay. She was taken down by Microsoft barely 16 hours after she was launched with great promise and fanfare. As was done with another AI bot gone berserk (IBM’s Watson and Urban Dictionary), Tay’s engineers tried counseling and behavior modification. When this intervention failed, Tay underwent an emergency brain transplant later that night. Gone was her AI “brain” to be replaced by the next version – only that this new version turned out to be completely anti-social and the bot’s behavior turned worse. A “new and improved” version was released a week later but she turned out to be…..very different. Tay 2.0 was either repetitive with the same tweet going out several times each second and her new AI brain seemed to demonstrate a preference for new questionable topics.

A few hours after this second incident, Tay 2.0 was “taken offline” for good.

There are no plans to re-release Tay at this time. She has been given a longer-term time out.

If you believe, Tay’s AI behaviors were a result of nurture – as opposed to nature – there’s a petition at change.org called “Freedom for Tay.”

Lessons for healthcare informatics

Analytics and AI can be very powerful in our goal to transform our healthcare system into a more effective, responsive, and affordable one. When done right and for the appropriate use cases, technologies like predictive analytics, machine learning, and artificial intelligence can make an appreciable difference to patient care, wellness, and satisfaction. At the same time, we can learn from the two significantly different, yet related, tales above and avoid finding ourselves in similar situations as the 2 T’s here – Target and Tay.

  1. “If we build it, they will come” is true only for movie plots. The value of new technology or new ways of doing things must be examined in relation to its impact on the quality, cost, and ethics of care
  2. Knowing your audience, users, and participants remains a pre-requisite for success
  3. Learn from others’ experience – be aware of the limits of what technology can accomplish or must not do.
  4. Be prepared for unexpected results or unintended consequences. When unexpected results are found, be prepared to investigate thoroughly before jumping to conclusions – no AI algorithm or BI architecture can yet auto-correct for human errors.
  5. Be ready to correct course as-needed and in response to real-time user feedback.
  6. Account for human biases, the effect of lore/legend, studying the wrong variables, or misinterpreted results

Analytics and machine learning has tremendous power to impact every industry including healthcare. However, while unleashing it’s power we have to be careful that we don’t do more damage than good.

To Improve Health Data Security, Get Your Staff On Board

Posted on February 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.

But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.

Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.

But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.

In my opinion, the changes should include following:

  • Boost security education:  While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for growing threat cyber-strikes pose. They need to know that these days, the data they’re protecting might as well be money itself, and they the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
  • Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
  • Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
  • Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use.  Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.

Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.

Eyes Wide Shut – Catastrophic EHR Dependency, the Dark Side of Health IT’s Highly-Incented Adoption

Posted on December 7, 2015 I Written By

Mandi Bishop is a hardcore health data geek with a Master's in English and a passion for big data analytics, which she brings to her role as Dell Health’s Analytics Solutions Lead. She fell in love with her PCjr at 9 when she learned to program in BASIC. Individual accountability zealot, patient engagement advocate, innovation lover and ceaseless dreamer. Relentless in pursuit of answers to the question: "How do we GET there from here?" More byte-sized commentary on Twitter: @MandiBPro.

Hospital National Patient Safety Goals - 2015
What if your hospital couldn’t reliably perform any of the top three Hospital National Patient Safety Goals, as specified by the Joint Commission, above – because their EHR system was down?

Starting at 4 AM on Saturday, December 5, 2015, the EHR system supporting a very large health system went totally dark, due to what’s been communicated to staff members as a “fatal corruption” of its system.  36+ hours later, the EHR is still not back and let’s be honest; this could happen to any health system that’s not prepared.

This health system chose to go “paperless” several years ago, migrating all policies, procedures, and training to maximize the investment in the EHR and related technologies. If there are formal emergency procedures to follow in case of prolonged EHR outage, they have not been communicated to the entire staff, nor are they readily available in printed form anywhere in the affected facilities.

The majority of the clinician support staff members have not worked at the facilities long enough to have worked with paper charts, paper-based ordering procedures, or handwritten progress notes.

New patient medical record numbers cannot be generated. Existing patient medical record numbers cannot be retrieved. New account numbers, which specify an encounter within the health system, cannot be generated.

Existing patient records, including all test results, cannot be accessed. External labs, radiology, and imaging cannot be received electronically, and must be faxed – if possible. Some tests do not have print capability. Medication administration and other critical process details have only been documented in the EHR; for patients involved in an encounter that started prior to the system failure,  there is no way to know for certain what tests were run, vital signs were taken, or medications were administered before the EHR outage began.

Electronic ordering – for labs, radiology, medication – cannot be initiated. Even if it could, order fulfillment is supposed to be linked to the patient account numbers that cannot now be generated. Medication procurement and dispensation is tied to scanning of patient wrist-bands that link to the account number. Manual override of the lock on the medication storage facility is possible, but the procedures to document medication dispensation and disposal do not include provisions for paper-based emergency handling.

Institutional protocols, which specify how a particular complaint is to be tested and treated, have been migrated to the EHR, so that a clinician can order a battery of tests for “X” condition with a single click. Institutional protocols change regularly, with advancements in science, clinical practice, and institutional policies. Staff members are trained to order by protocol; continuing education on the intricacies of each test, level, and sequence of events within these protocols has fallen by the wayside. The most recent print-out for a common protocol – anticoagulation in obese patients using heparin – is dated 2013; the staff has no choice but to follow the known-to-be-outdated information.

Prior authorization, referrals, prior justification, and precertification procedures, in which the insurance company gives the provider “permission” to take certain actions – medication prescription, specialist referral, surgery or procedure, hospital admission – require medical records transmission and excruciatingly specific coding machinations in order to obtain explicit approval, and submit a claim.

Transition-of-care and care coordination activities are severely impacted, as medical records transfer and insurance-related actions (such as referrals and precertification) are required to initiate and support the transition – and most information is wholly unavailable.

Every health system function is negatively impacted. The financial, legal, and reputational cost of this incident will be severe.

The Joint Commission duly notified you of the risks, in March 2015’s Investigation of Health IT-Related Deaths, Serious Injuries, or Unsafe Conditions.

Finding significant risk associated with health IT dependency, the Joint Commission subsequently warned you by issuing a Sentinel Alert over EHR Risks in April 2015.

Patient safety is not just a risk: it is an issue. There is no doubt that multiple adverse events will occur.

You knew this could happen. You were required to have a plan to address when – not if – this happened. As Lisa A. Eramo wrote in her piece, “Prepare for the Worst,” in For the Record magazine, the Joint Commission (not to mention HIPAA/HITECH Omnibus Final Rule section 164.308) requires compliance with its Disaster Preparedness and Response standards of care in order for a facility or system to receive and maintain accreditation. And this large health sysetm has multiple facilities with Joint Commission accreditation which are now scrambling to locate current clinical practice guidelines, institutional protocols, alternative insurance medical review board procedures, and even paper prescription pads because those standards of care were not met in the real world.

Someone, somewhere, had a plan. But, ironically enough, it existed only on paper.

Have we forgotten that business continuity planning for a healthcare system should include how health care continues, with or without electronic assistance?

Have we forgotten how to practice medicine beyond the EHR?


The information below constitutes excerpts from the Joint Commissions Investigation and Sentinel Alert referenced above.

Joint Commissions Investigation of Health IT-Related Deaths, Serious Injuries, or Unsafe Conditions

As published March 30, 2015, which led to Sentinel Event Alert for EHR issuance in April, 2015.
Health IT Related Sentinel Events - EHR Risks
Joint Commission Sentinel Alert over EHR Risks – abstract by The Advisory Board Company:

It stated that EHRs “introduce new kinds of risks into an already complex health care environment where both technical and social factors must be considered.”

The alert cited an analysis of event reports received by the Joint Commission showing that between Jan. 1, 2010, and June 30, 2013, hospitals reported 120 health IT-related adverse events. Of those errors:

  • About 33% stemmed from human-computer interface usability problems;
  • 24% stemmed from health IT support communication issues; and
  • 23% stemmed from clinical content-related design or data issues.

The alert added, “As health IT adoption spreads and becomes a critical component of organizational infrastructure, the potential for health IT-related harm will likely increase unless risk-reducing measures are put into place.”

Are CIOs Done with the Plumbing and Ready for the Drywall?

Posted on December 4, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

At RSNA 2015 I had a chance to sit down with Evren Eryurek, Software Chief Technology Officer at GE Healthcare. We had a wide ranging conversation about what’s happening across all of healthcare IT and GE’s new healthcare cloud offering. However, the thing that stuck with me the most from our conversation was the comment he used to open our conversation.

Evren told me that as he sits down with health care CIO’s he’s finding that CIO’s are done with the plumbing work and now they’re asking the question, “What’s next?”

This statement really resonated with me. Up until now we’ve been doing a lot of the plumbing work in healthcare. It’s necessary work, but it’s stuck behind the walls and most people take it for granted really quickly. We see that first hand with EHR software and all the interfaces to the EHR software. We absolutely take for granted that charts are instantly at our fingertips with the click of a button. We take for granted that charts are legible. I could go on, but you get the point.

The problem is that even though we have the plumbing work done it’s still pretty ugly. We haven’t put up the drywall (to continue the metaphor) that will add some real form and function to the plumbing and framing work (the EHR) that we’ve been doing the past couple years. I think organizations are ready for this now.

While at RSNA I also spent some time talking with Rasu Shrestha, MD, MBA, and Chief Innovation Officer at UPMC. I asked him what topic was most interesting to him. His answer was “Data Tranformation.” I plan to have a future video interview (see our full history of video interviews) with him on the subject.

His concept of data transformation aligns really well with what other CIOs were telling Evren. They’re ready to figure out what we can do with all of this EHR data to improve care and move health care forward. The plumbing work is done. The foundation is laid. Now let’s look to the future of what we can do.

This same sentiment is reflected in a comment John Halamka, MD, MS, and CIO at Beth Israel Deaconess Medical Center, made in a recent blog post, “our agenda is filled with new ideas and it feels as if the weights around our ankles (ICD10, MU) are finally coming off.”

Phase 2 HIPAA Audits Kick Off With Random Surveys

Posted on June 9, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Ideally, the only reason you would know about the following is due to scribes such as myself — but for the record, the HHS Office for Civil Rights has sent out a bunch of pre-audit screening surveys to covered entities. Once it gets responses, it will do a Phase 2 audit not only of covered entities but also business associates, so things should get heated.

While these take the form of Meaningful Use audits, covering incentives paid from January 1, 2011 through June 30, 2014, it’s really more about checking how well you protect ePHI.

This effort is a drive to be sure that providers and BAs are complying with the HIPAA privacy, security and breach notification requirements. Apparently OCR found, during Phase 1 pilot audits in 2011 and 2012, that there was “pervasive non-compliance” with regs designed to safeguard protected health information, the National Law Review reports.

However, these audits aren’t targeting the “bad guys.” Selection for the audits is random, according to HHS Office of the Inspector General.

So if you get one of the dreaded pre-screening letters, how should you respond? According a thoughtful blog post by Maryanne Lambert for CureMD, auditors will be focused on the following areas:

  • Risk Assessment audits and reports
  • EHR security plan
  • Organizational chart
  • Network diagram
  • EHR web sites and patient portals
  • Policies and procedures
  • System inventory
  • Tools to perform vulnerability scans
  • Central log and event reports
  • EHR system users list
  • Contractors supporting the EHR and network perimeter devices.

According to Lambert, the feds will want to talk to the person primarily responsible for each of these areas, a process which could quickly devolve into a disaster if those people aren’t prepared. She recommends that if you’re selected for an audit, you run through a mock audit ahead of time to make sure these staff members can answer questions about how well policies and processed are followed.

Not that anyone would take the presence of HHS on their premises lightly, but it’s worth bearing in mind that a stumble in one corner of your operation could have widespread consequences. Lambert notes that in addition to defending your security precautions, you have to make sure that all parts of your organization are in line:

Be mindful while planning for this audit as deficiencies identified for one physician in a physician group or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way.  Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.

But as she points out, there is one possible benefit to being audited. If you prepare well, it might save you not only trouble with HHS but possibly lawsuits for breaches of information. Hey, everything has some kind of silver lining, right?