
Galaxy Will See You Now

Posted on May 27, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

We all know how dramatically our lives have changed thanks to technology. Many of us remember the impact a computer in every home had on our lives. Now we’re seeing that same transformation happening as we all start carrying a smartphone in our pocket. Each of these technologies has opened up new worlds of possibilities in our personal lives and also for healthcare. I think we’ll see a similar transformation with the introduction of voice recognition and AI (Artificial Intelligence).

When we start talking about AI, most of us probably think about the movies we’ve seen where AI was on display. Hollywood’s use of AI in movies often makes it so it doesn’t feel very real. However, if you have a smartphone, then you’ve probably used AI. I know my first real experience with AI was on my Samsung Galaxy S3. I remember my wife and I going on a date and we spent the majority of our date asking “Galaxy” various questions. We got surprisingly good answers including easy access to the show times for the movie we ended up seeing.

Most of us have had this type of experience with AI on our smartphone. It’s pretty magical, but I must admit that I didn’t use it that often when it was just on my phone. There were a few cases it was really useful like when I was driving and needed directions to a gas station. The hands-free access to information was extremely powerful, but it wasn’t part of my daily experience. However, that changed for me when I introduced an always on AI solution in my home. Now it’s become a daily part of me and my family’s life.

How does this apply to healthcare? It’s becoming very clear that the home is the healthcare hub of the future. Think about having always on tablets, smart TVs, and other devices positioned throughout your home where you can easily access your health information, medical knowledge, and healthcare providers. That’s powerful. Plus, those devices and attached sensors are starting to easily monitor you, your environment, and your health. This two way connection creates an extremely powerful combination that will change the way we view healthcare.

Certainly there are practical examples of home health services that exist today including monitoring recently discharged patients, monitoring seniors, connecting patients with doctors, and much more. We’re seeing all of these connected home health services happen more and more every day. Just what we’ve already begun to implement will improve the healthcare we provide dramatically. However, we’re just starting to explore what AI and new technologies can do for healthcare. The best is still to come.

How long will it be before we can sit at home and we can ask our tablet or smart TV “Galaxy, how’s my blood pressure doing today?” Or “Galaxy, can you schedule me a telemedicine visit with my doctor to discuss my prescription refill?” Not to mention Galaxy proactively reaching out to you to motivate healthy decision making.

What’s so incredible is that executing these ideas and many more isn’t that farfetched given the powerful technology that exists today. We still need to connect a few dots, but it’s all extremely doable from a technical perspective.

What’s going to be harder is the cultural shift and change of mindset. However, that’s happening already and it will accelerate over time. I’m sure my kids wouldn’t think twice about asking our TV or tablet for a doctor’s appointment and then having the doctor streamed right to the TV or their tablet. They probably wonder why it’s not already possible.

Even while we wait for this more automated AI future, there are still big home health things happening on smartphones and tablets. Each of those things is a building block to this exalted future. I’m ready for Galaxy to see me now. In fact, in some ways he already does. Are you ready?


Healthcare Execs Want To Collect More From Patients

Posted on May 26, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Every healthcare provider wants to get paid, of course. However, collecting the ever-growing portion of revenue that patients owe is tough, and getting tougher. That being said, the majority of providers recognize that they have a big problem and are working to boost the volume and speed of patient payments, a new study finds.

The study, which is sponsored by claims management and patient payments vendor Navicure in affiliation with Porter Research, connected with 300 professionals, including practice administrators (36%), C-suite executives (25%) and billing managers (35%). Forty-one percent of organizations had 1 to 10 providers, 31% had 11 to 50 providers, 12% had 51 to 100 providers and 17% had more than 100 providers.

In responding to the survey, 63% of survey respondents said that patient payment processes were a high priority for their leadership teams. Their challenges in collecting from patients included patients’ inability to pay (31%), difficulty educating patients about the financial responsibility (26%) and slow-paying patients (25%).

It’s not surprising that collecting patient payments is a priority for many organizations. The study found that patient payment revenue made up 11% to 20% of total revenue for almost a third of organizations that responded. Twenty percent of organizations said patient payments accounted for 21% to 30% of total revenue, and for 23%, patient payments accounted for more than 31% of total revenue.

More than half (57%) of respondents said they educate patients about their financial responsibility, but only 42% said they always estimate the patient’s cost at the time of service. What’s more, few have implemented steps that might streamline payment. Sixty-two percent do not offer credit card on file programs, 52% don’t have automated payment plans in place, and 57% don’t send electronic statements to patients.

To address these issues, Navicure recommends that providers make several changes in their patient payment processes. These include viewing patients’ eligibility information prior to or at the time of service, collecting copays and outstanding balances, creating care estimates and enrolling patients in any available payment plans.

While the survey doesn’t address this issue directly, it also doesn’t hurt to make bills more readable. I’ve read accounts of some hospital billing departments and medical office staffers spending hours on the phone with patients going over charges. Not only does this frustrate the patients, and undermine their relationship with your organization, it wastes a lot of time. Cleaning up bill formats can go a long way toward smoothing out routine payment issues.

On that note, it probably makes sense to roll out patient-friendly billing technologies. More than 70% of respondents who have replaced paper statements with online bill payment and e-statements would recommend this technology to a peer, and 42% of respondents using automated payment plans were very or completely satisfied.

Ultimately, however, collecting more from patients probably calls for changes in policy, the research suggests. While 35% ask for a partial deposit before service, and 26% collect all of what a patient owes before service, 18% of respondents said they didn’t collect anything prior to service, and 21% said they didn’t charge until claims were processed.

Can Healthcare Ransomware Be Stopped? Yes, It Can!

Posted on May 25, 2016 | Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  The HIPAA One® Security Risk analysis is a tool to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site for a client named “Care Health” (name changed to protect their identity). Care Health had invested in the highest level of our SRA (Security Risk Analysis) to cover all aspects of security and protection from Ransomware, malware, and the proverbial “sophisticated malware.”

The HIPAA One® HIPAA Security Risk Analysis and Compliance Interview process guided Care Health through a series of HIPAA citation-based questions and required users to upload documents to demonstrate compliance.  These questions directly addressed the organization’s security controls in place to protect against ransomware and cyber-threats.  You can see a sample of the citation-driven controls HIPAA One required for malware and malicious software below:

Technical Audit Controls 164.312(b)
HIPAA One® Requirement:  Upload screenshots of the systems configuration page(s) detecting malware network communications or ePHI/PII going out/in.
Client Controls:  End-user education on malware and phishing. Cisco IPS/IPS module active to block critical threats and WebSense Filter for deep-packet web-traffic inspection.

Administrative Protection from Malicious Software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Provide a document showing a list of all servers, workstations and other devices with updated AV Software versions.
Client Controls: BitDefender Enterprise deployed on all workstations and laptops.

Administrative Procedures to guard against malicious software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Please upload a list of each server and sample of PC devices containing server name, O/S version, Service pack and the most recent security updates as available by the software vendor.  Verify critical security patches are current.
Client Controls:  Microsoft Security Operations Center combined with an exhausting change-management process to test new patches prior to release.

HIPAA Citation:  Administrative Training program for workers and managers 164.308(a)(5)(i) for the HR Director role.
HIPAA One® Requirement: Please upload a screen capture of the HIPAA training system’s grades for individual employees and detail the training/grading system in notes section.  Go through training and verify it efficiently addresses organization’s Policies and Procedures with real-world threats.
Client Controls:  Training that is due and required before bonuses, pay-raises or schedule to work are awarded.  Workforce and IT Helpdesk are trained to forward any calls regarding suspicious activities to the HIPAA Security Officer (HSO).


Back to the Ransomware attack… One day during the project, two staff members in the Billing department were going about their daily tasks, which involved working with shared files in a network-mapped drive (e.g. N: drive).  One of them noticed new files were being spontaneously created and the file icons in the network folder were changing. Being attentive, she noticed one was named ransom.txt.

Acting quickly, she contacted the IT Helpdesk, who were trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer (HSO).  The HSO logged into the N: shared drive and found Care Health files were slowly being encrypted!

How do you stop a Ransomware attack?
The Security Officer ran Bitdefender full scans on the Billing department computers and found nothing.  He then installed and ran Windows Defender, which has the most current malicious software removal utilities, on Server 2012 and found Tescrypt.  Installing Windows Defender on the two desktops not only detected this, but also removed it.

This Ransomware variant had somehow infected the system and was encrypting these files.  The quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before patient data were compromised.  Backups were used to restore the few dozen encrypted files on the network drive. It was a close call, but Care Health was ready and the crisis was averted.

Upon a configuration review of all of Care Health’s security appliances, WebSense had been configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page.  This forced visitors to this website to download the executable virus from the banner ad and unknowingly install the Ransomware on their local computer.  When downloaded, the Ransomware would start encrypting files in high-lettered network drives first.
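
The warning signs in this incident (a ransom.txt file appearing and files on the N: share changing in bulk) can also be checked for automatically in file-server audit data. The following is an added example, not part of the original post or of HIPAA One's software; the event format, user names, thresholds and note-name pattern are assumptions, and the sample events are constructed.

```python
"""Flag ransomware-like activity in file-share audit events (illustrative)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (time, user, action, path); not from the incident.
SAMPLE_EVENTS = r"""
2016-05-02T09:14:58 asmith WRITE N:\Billing\claims_0412.xlsx
2016-05-02T09:15:01 bjones WRITE N:\Billing\batch_a\stmt_001.pdf
2016-05-02T09:15:03 bjones WRITE N:\Billing\batch_a\stmt_002.pdf
2016-05-02T09:15:05 bjones CREATE N:\Billing\batch_a\ransom.txt
2016-05-02T09:15:06 bjones WRITE N:\Billing\batch_a\stmt_003.pdf
2016-05-02T09:15:08 bjones WRITE N:\Billing\batch_a\stmt_004.pdf
2016-05-02T09:15:11 bjones WRITE N:\Billing\batch_a\stmt_005.pdf
2016-05-02T09:15:13 bjones WRITE N:\Billing\batch_a\stmt_006.pdf
2016-05-02T09:41:30 asmith WRITE N:\Billing\claims_0413.xlsx
"""

# Assumed heuristic for ransom-note file names. "ransom.txt" is the name seen
# in the post; the other keywords are generic guesses and can false-positive.
NOTE_NAME = re.compile(r"(ransom|decrypt|recover).*\.(txt|html?)$", re.IGNORECASE)


def parse_events(text):
    """Parse 'timestamp user action path' lines; skip malformed ones."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return alerts for ransom-note creation and per-user write bursts."""
    alerts = []
    recent = defaultdict(deque)   # user -> (time, path) of recent writes
    burst_reported = set()        # report each user's burst only once
    for ts, user, action, path in events:
        name = path.rsplit("\\", 1)[-1]
        if action == "CREATE" and NOTE_NAME.search(name):
            alerts.append(("ransom_note", user, ts, path))
        if action in ("WRITE", "RENAME"):
            q = recent[user]
            q.append((ts, path))
            # Drop writes that fell out of the sliding window.
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= threshold and user not in burst_reported:
                burst_reported.add(user)
                detail = f"{len(distinct)} files in {int(window.total_seconds())}s"
                alerts.append(("write_burst", user, ts, detail))
    return alerts


if __name__ == "__main__":
    for kind, user, ts, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {kind:12} {user:8} {detail}")
```

An alert like these would go to the same place the helpdesk call went in the story: straight to the security officer, so the affected workstation can be isolated while backups are checked.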

Lesson Learned
Ransomware is here to stay and attacks are rising.  Healthcare organizations need to have policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program.  The HIPAA One® software is one of the most secure ways to implement a HIPAA Security Compliance Program.  But a risk analysis is only one step… Ultimately, organizations must build top line end-user awareness and training programs so that, as at Care Health, employees know to quickly report suspicious activities to the designated security officer to defend against Ransomware, Phishing and “sophisticated malware attacks”.

To learn more about stopping Malware and using HIPAA One® as your HIPAA Security Risk Analysis accelerator, click to learn more, or call us at 801-770-1199.

HIPAA One® is a proud sponsor of EMR and HIPAA.

Steps In Integrating Patient-Generated Health Data

Posted on May 24, 2016 | Written By Anne Zieger

As the number of connected health devices in use has expanded, healthcare leaders have grappled with how to best leverage the data they generate. However, aside from a few largely experimental attempts, few providers are making active use of such data.

Part of the reason is that the connected health market is still maturing. With health tracking wearables, remote monitoring set-ups, mobile apps and more joining the chorus, it might be too soon to try and normalize all this data, much less harvest it for clinical use. Also, few healthcare organizations seem to have a mature strategy in place for digital health.

But technical issues may be the least of our problems. It’s important to note that providers have serious concerns around patient-generated health data (PGHD), ranging from questions about its validity to fears that such data will overwhelm them.

However, it’s possible to calm these fears, argues Christina Caraballo, senior healthcare strategist at Get Real Health.  Here’s her list of the top five concerns she’s heard from providers, with responses that may help put providers at ease:

  • Fear they’ll miss something in the flood of data. Add disclaimers, consent forms, video clips or easy-to-digest graphics clarifying what consumers can and can’t expect, explicitly limiting provider liability.
  • Worries over data privacy and security: Give consumers back some of the risk, by emphasizing that no medium is perfectly secure, including paper health records, and that they must determine whether the benefits of using digital health devices outweigh the risks.
  • Questions about data integrity and standardization: Emphasize that while the industry has made great progress on standardization, interoperability, authentication, data provenance, reliability, validity, clinical value and even workflow, the bottom line is that the data still comes from patients, who don’t always report everything regardless of how you collect the data.
  • Concerns about impact on workflow: Underscore that if the data is presented in the right framework, it will be digestible in much the same way as other electronic medical data.
  • Resistance to pressure from consumers: Don’t demand that providers leverage PGHD out of the gate; instead, move incrementally into the PGHD management by letting patients collect data electronically, and then incorporate data into clinical systems once all stakeholders are on board.

Now, I’m not totally uncritical of Ms. Caraballo’s article. In particular, I take issue with her assertion that providers who balk at using PGHD are “naysayers” who “simply don’t want to change.” While there are always a few folks fitting this description in any profession, the concerns she outlines aren’t trivial, and brushing them off with vague reassurances won’t work.

Truthfully, if I were a provider I doubt I would be comfortable relying on PGHD, especially biometric data. As Ingrid Oakley-Girvan of Medable notes, wearables giant Fitbit was hit with a lawsuit earlier this year alleging that its heart rate monitoring technology is inaccurate, and I wouldn’t be surprised if other such suits arise. Digital health trackers and apps have transitioned from novelty to quasi-official medical device very quickly, some might say too quickly, and being cautious about their output just makes sense.

Nonetheless, PGHD will play a role in patient care and management at some point in the future, and it makes sense to keep providers in the loop as these technologies progress. But rushing them into using such data would not be wise. Let’s make sure such technologies are vetted before they assume a routine role in care.

Healthcare Has Found the New World But Hasn’t Even Settled the 13 Colonies Yet

Posted on May 23, 2016 | Written By John Lynn

I was having a conversation recently about healthcare analytics. During that discussion I came up with what I think is the perfect analogy for where we are in the development of healthcare analytics solutions. I’d also include things like health sensors and genomics in this broad definition since the data from these efforts are all going to work to inform various healthcare analytics and clinical decision support solutions.

With that in mind, I think when it comes to these solutions for healthcare, it’s almost like Columbus has discovered a new world. A few other explorers have set foot on land in North or South America and so we know there’s a whole other world of discovery out there. However, from an exploration perspective we’ve barely landed. We know there’s a lot of possibility, but we don’t have any idea the full expanse of what’s still out there. Does this sound like healthcare analytics to you?

Continuing the analogy, we haven’t even settled the 13 colonies let alone discovered the midwest or even considered that the entire west is there with all of its unique possibilities. No, we’re just starting our exploration of what’s possible in healthcare now that we have so much more health data. We see a lot of promise and potential, but we still have to discover where there’s a gorgeous paradise and where there’s a worthless desert.

I love the analogy of explorers since there’s so much discovery that’s still possible in healthcare. All these new sensors and technology are like new boats that can take us new places that we would have never thought possible.

That said, this type of exploration is not for the faint of heart. Much like explorers, some are going to die searching for gold in the new world and die without ever finding it. However, those explorers that die trying lay the framework for all the others that come after. Their failures will help future healthcare explorers to avoid the challenges their predecessors faced.

In many ways, this is why I’m so excited about healthcare and the technology that’s going to facilitate all this new exploration. Some of the discoveries we’ll find are going to require as dramatic a culture shift as it was for the old world to believe Christopher Columbus when he said the world wasn’t flat. That’s going to be painful for many, but it’s going to happen.

Healthcare Data Standards Tweetstorm from Arien Malec

Posted on May 20, 2016 | Written By John Lynn

If you don’t follow Arien Malec on Twitter, you should. He’s got strong opinions and an inside perspective on the real challenges associated with healthcare data interoperability.

As proof, check out the following Healthcare Standards tweetstorm he posted (removed from the tweet for easy reading):

1/ Reminder: #MU & CEHRT include standards for terminology, content, security & transport. Covers eRx, lab, Transitions of Care.

2/ If you think we “don’t have interop” b/c no standards name, wrong.

3/ Standards could be ineffective, may be wrong, may not be implemented in practice, or other elts. missing

4/ But these are *different* problems from “gov’t didn’t name standards” & fixes are different too.

5/ e.g., “providers don’t want 60p CCDA documents” – data should be structured & incorporated.

6/ #actually both (structured data w/terminology & incorporate) are required by MU/certification.

7/ “but they don’t work” — OK, why? & what’s the fix?

8/ “Government should have invested in making the standards better”

9/ #actually did. NLM invested in terminology. @ONC_HealthIT invested in CCDA & LRU projects w/ @HL7, etc.

10/ “government shouldn’t have named standards unless they were known to work” — would have led to 0 named

11/ None of this is to say we don’t have silos, impediments to #interoperability, etc.

12/ but you can’t fix the problem unless you understand it first.

13/ & “gov’t didn’t name standards” isn’t the problem.

14/ So describe the problems, let’s work on fixing them, & abandon magical thinking & 🦄. The End.

Here was my immediate response to the tweetstorm:

I agree with much of what Arien says about there being standards and the government having named the standards. That isn’t the reason that exchange of health information isn’t happening. As he says in his 3rd tweet above, the standards might not be effective, they may be implemented poorly, the standards might be missing elements, etc. However, you can’t say there wasn’t a standard and that the government didn’t choose a standard.

Can we just all be honest with ourselves and admit that many people in healthcare don’t want health data to be shared? If they did, we’d have solved this problem.

The good news is that there are some signs that this is changing. However, changing someone from not wanting to share data is a hard thing and usually happens in steps. You don’t just overnight have a company or individual change their culture to one of open data sharing.

The Future of Healthcare Rests on the Backs of Our Ability to Influence Behavior

Posted on May 19, 2016 | Written By John Lynn

This morning I was pondering the future of our healthcare system and the constantly changing and shifting world of healthcare reimbursement. Some observations are undeniable. Our current system is flawed and not sustainable. Something has to change.

As I look at all the changes happening in healthcare, I came to one major realization. Every program to reduce the cost of healthcare rests on the back of our ability to influence patients’ choices.

The future of health insurance companies hinges on their ability to change patients’ behavior. Looking at ACOs and MACRA, doctors’ reimbursement is going to be tied directly to the choices their patients make (or don’t make). Employers that are looking to lower their healthcare costs are going to invest in programs and technologies that ensure their patients are making healthy choices.

While many healthcare IT companies fall short of this goal, we do see some that are going to play a major role in influencing patient behavior. Take something as simple as a patient portal. Can access to your medical records influence your behaviors? Can access to your doctor or a nurse through a patient portal help influence the decisions you make? Absolutely. Do they go far enough? Absolutely not, but they’re a start.

Take a look at telemedicine. Will easy access to a doctor change our behavior? Could telemedicine mean that we choose to be seen by a doctor earlier as opposed to delaying a visit to the doctor because it’s too painful to schedule an appointment and go into the doctor? Absolutely. Plus, telemedicine is just one simple example of how we’re making a visit easier. Online self scheduling could influence this as well. A whole new wave of messaging apps and provider communities are forming which allow us to get “health care” remotely.

As I’ve written before, my fear is that most healthcare IT companies don’t go deep enough into the behavior change and instead focus mostly on process optimization. Behavior change is a surprising byproduct for some, but is certainly not their intention. In fact, that’s true for most of the examples I describe above.

It becomes more and more clear to me every day that the real breakout companies in healthcare are going to be those who figure out how to influence patients’ behavior. That includes influencing them the 98% (or whatever the correct stat is) of time that patients spend outside of the exam room. Every reimbursement effort is going to be focused around it.

The real challenge for these companies is going to be tracking and quantifying the value they created. It’s hard to track attribution when it comes to a patient’s health. It’s so complex that it’s easy to incorrectly assess who or what is responsible for a patient’s improved health. Plus, it’s extremely hard to quantify the benefit of these behavior changes. A company focused on influencing patients’ behaviors is also going to have to get really good at tracking the benefit of that influence and attribution of what influenced the patient.

These are extremely challenging opportunities. Healthcare is full of them. I already see some companies heading down this path. I’m excited to see which ones really break through.

Can Using Simple Metrics Help Drive Long-Term EHR Adoption? – Breakaway Thinking

Posted on May 18, 2016 | Written By

The following is a guest blog post by Lauren Brown, Adoption Specialist at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Gaining clinical, financial, and operational value from Electronic Health Record (EHR) applications has become a top priority for most health organizations across the country. Gone are the days of simply focusing on implementation that, in many cases, led to dissatisfaction and low adoption rates by staff. Previously, dissatisfied customers began looking to switch applications in hopes of gaining better results. However, studies show that switching EHRs does not solve the dissatisfaction problem. In fact, only a reported 43% of physicians are glad they made the switch to a new application, and 49% reported lower productivity as a result of the switch.

Recently, there has been a shift towards optimizing these new technologies and focusing on how to get the most out of their chosen application. It is essential for organizations to establish an optimization plan in order to achieve long-term, measurable results. Utilizing a metric-driven optimization approach gives healthcare organizations the opportunity to maximize their EHR investment and uncover opportunities for adjustments that substantially bolster technology integration.

Metric-driven optimization analyzes performance data and uses this information to drive continuous performance improvement throughout the organization. The U.S. Department of Health and Human Services suggests focusing metrics on how the system performs, how it will affect the organization, and how users experience the system. The ultimate goal is to execute well-designed strategies to help organizations identify and reduce workflow inconsistency, maximize application performance, and improve patient care.

So what are the keys to a metric-driven optimization approach?

Incorporate metrics early

Initial training serves well in focusing on application basics. But adoption occurs at a varying pace, so it’s important to continually monitor training and create a plan for late adopters. During training, staff will likely remember only a small portion of the information they are taught; if optimization occurs too late in the process, users do not learn best-practice workflow. This can result in workaround habits that become difficult to change. The use of metrics early in the process will help to monitor EHR adoption and focus on areas of opportunity. Metrics allow you to identify individuals who are struggling with their education and intervene.

Utilize system data found through metrics

Often, healthcare organizations try to mimic processes and workflows from past applications or paper records. This method can get you through the initial implementation, but it is not sustainable for long-term adoption. Before implementation begins, it’s important to analyze and document best practice procedures. In order to get the most out of the system once it’s in place, you’ll want to examine staff performance and analyze key workflows. The insights you gain will help ensure that productivity and stability continue to increase over time.

Capturing the right data allows you to identify inconsistencies and application issues that would have otherwise gone unnoticed. Developing and reporting metrics shows the value of optimization efforts and helps support staff moving forward. Existing workflow issues, if not addressed, will become more visible with technology. Utilize the technology to eliminate redundant, time-consuming processes. Look at your EHR as the leverage you need to create change to promote consistency and transformation across the organization.

Metric-driven optimization is an ongoing process

Optimization is an ongoing effort – not a one-time event. Incorporating metrics into the long-term roadmap as a continuous project will allow you to respond to changes in a timely fashion. Comprehensive metrics regarding how end users will be able to reach proficiency in the EHR application are an important element in ensuring adoption success. The more metrics are shared, the more value an organization can gain from optimization efforts. Changes, including system upgrades and new employees, can continue to challenge optimization efforts that were previously made. They often require both functional and cultural changes in processes that impact many different groups across an organization. Data regarding these changes are key to ensuring those who will be impacted are aware and have the ability to adopt for the life of the application.

By taking a metric-driven optimization approach, healthcare organizations improve their use of technology and achieve long-term adoption. Instead of simply installing an EHR, the application is leveraged to enhance performance and push organizations to exceed expectations with patient care.

How has the use of metrics improved your organization’s technology adoption?

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Joint Commission Now Allows Texting Of Orders

Posted on May 17, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For a long time, it was common for clinicians to share private patient information with each other via standard text messages, despite the fact that the information was in the clear and could theoretically be intercepted and read (which, along with other factors, makes SMS texts a HIPAA violation in most cases). To my knowledge, there have been no major cases based on theft of clinically-oriented texts, but it certainly could’ve happened.

Over the past few years, however, a number of vendors have sprung up to provide HIPAA-compliant text messaging. And apparently, these vendors have evolved approaches which satisfy the stringent demands of The Joint Commission. The hospital accreditation group had previously prohibited hospitals from sanctioning the texting of orders for patient care, treatment or services, but has now given it the go-ahead under certain circumstances.

This represents an about-face from 2011, when the group had deemed the texting of orders “not acceptable.” At the time, the Joint Commission said, the technology available didn’t provide the safety and security necessary to adequately support the use of texted orders. But now that several HIPAA-compliant text-messaging apps are available, the game has changed, according to the accrediting body.

Prescribers may now text such orders to hospitals and other healthcare settings if they meet the Commission’s Medication Management Standard MM.04.01.01. In addition, the app prescribers use to text the orders must provide for a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamp, customized message retention time frames and a specified contact list for individuals authorized to receive and record orders.

I see this as a welcome development. After all, it’s better to guide and control key aspects of a process rather than letting it continue on underneath the surface. Also, the reality is that healthcare entities need to keep adapting to and building upon the way providers actually communicate. Failing to do so can only add layers to a system already fraught with inefficiencies.

That being said, treating provider-to-provider texts as official communications generates some technical issues that haven’t been addressed yet so far as I know.

Most particularly, if clinicians are going to be texting orders, as well as sharing PHI via text, with the full knowledge and consent of hospitals and other healthcare organizations, it’s time to look at what it takes to manage that information more efficiently. When used this way, texts go from informal communication to extensions of the medical record, and organizations should address that reality.

At the very least, healthcare players need to develop policies for saving and managing texts, and more importantly, for mining the data found within these texts. And that brings up many questions. For example, should texts be stored as a searchable file? Should they be appended to the medical records of the patients referenced, and if so, how should that be accomplished technically? How should texted information be integrated into a healthcare organization’s data mining efforts?

I don’t have the answers to all of these questions, but I’d argue that if texts are now vehicles for day-to-day clinical communication, we need to establish some best practices for text management. It just makes sense.

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely to be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 or more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by their business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that a number of major breaches have taken place because of an oversight by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes were stolen from the car of a Science Applications International Corp. employee, who was transporting the tapes on behalf of the military health program TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these groups, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because you weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.