
HIM Departments Need More Support

Posted on July 16, 2015 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As both a contributor to this blog, and an assertive, activist patient managing chronic conditions, I get to see both sides of professional health information management.  And I have to say that while health data management pros obviously do great things against great odds, support for their work doesn’t seem to have trickled down to the front lines.  I’m speaking most specifically about Medical Records (oops, I mean Health Information Management) departments in hospitals.

As I noted in a related blog post, I recently had a small run-in with the HIM department of a local hospital which seems emblematic of this problem. The snag occurred when I reached out to DC-based Sibley Memorial Hospital and tried to get a new log-in code for their implementation of Epic PHR MyChart. The clerk answering the phone for that department told me, quite inaccurately, that if I didn’t use the activation code provided on my discharge summary papers within two days, my chance to log in to the Johns Hopkins MyChart site was forever lost. (Sibley is part of the Johns Hopkins system.)

Being the pushy type that I am, I complained to management, who put me in touch with the MyChart tech support office. The very smart and helpful tech support staffer who reached out to me expressed surprise at what I’d been told as a) the code wasn’t yet expired and b) given that I supplied the right security information she’d have been able to supply me with a new one. The thing is, I never would have gotten to her if I hadn’t known not to take the HIM clerk’s word at face value.

Note: After writing the linked article, I was able to speak to the HIM department leader at Sibley, and she told me that she planned to address the issue of supporting MyChart questions with her entire staff. She seemed to agree completely that they had a vital role in the success of the PHR and patient empowerment generally, and I commend her for that.

Now, I realize that HIM departments are facing what may be the biggest changes in their history, and that Madame Clerk may have been an anomaly or even a temp. But assuming she was a regular hire, how much training would it have taken for the department managers to require her to simply give out the MyChart tech support number? Ten minutes?  Five? A priority e-mail demanding that PHR/digital medical record calls be routed this way would probably have done the trick.

My take on all of this is that HIM departments seem to have a lot of growing up to do. Responsible largely for pushing paper — very important paper but paper nonetheless — they’re now in the thick of the health data revolution without having a central role in it. They aren’t attached to the IT department, really, nor are they directly supporting physicians — they’re sort of a legacy department that hasn’t got as clearly defined a role as it did.

I’m not suggesting that HIM departments be wiped off the map, but it seems to me that some aggressive measures are in order to loop them in to today’s world.

Obviously, training on patient health data access is an issue. If HIM staffers know more about patient portals generally (and ideally, have hands-on experience with them), they’ll be in a better position to support such initiatives without needing to parrot facts blindly. In other words, they’ll do better if they have context.

HIM departments should also be well informed as to EMR and other health data system developments. Sure, the senior people in the department may already be looped in, but they should share that knowledge at brown bag lunches and staff update sessions freely and often. As I see it, this provides the team with a much-needed sense of participation in the broader HIT enterprise.

Also, HIM staff members should encourage patients who call to log in and leverage patient portals. Patients who call the hospital with only a vague sense that they can access their health data online will get routed to that department by the switchboard. HIM needs to be well prepared to support them.

These concerns should only become more important as Meaningful Use Stage 3 comes on deck. MU Stage 3 should provide the acid test as to whether hospital HIM departments are really ready to embrace change.

An Important Look at HIPAA Policies For BYOD

Posted on May 11, 2015 | Written By Anne Zieger

Today I stumbled across an article which I thought readers of this blog would find noteworthy. In the article, Art Gross, president and CEO at HIPAA Secure Now!, made an important point about BYOD policies. He notes that while much of today’s corporate computing is done on mobile devices such as smartphones, laptops and tablets — most of which access their enterprise’s e-mail, network and data — HIPAA offers no advice as to how to bring those devices into compliance.

Given that most of the spectacular HIPAA breaches in recent years have arisen from the theft of laptops, and are likely to proceed to theft of tablet and smartphone data, it seems strange that HHS has done nothing to update the rule to address increasing use of mobiles since it was drafted in 2003. As Gross rightly asks, “If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting how do organizations know what is required to protect these devices?”

Well, Gross’ peers have given the issue some thought, and here are some suggestions from law firm DLA Piper on how to dissect the issues involved. BYOD challenges under HIPAA, notes author Peter McLaughlin, include:

* Control: To maintain protection of PHI, providers need to control many layers of computing technology, including network configuration, operating systems, device security and transmissions outside the firewall. McLaughlin notes that Android OS-based devices pose a particular challenge, as the system is often modified to meet hardware needs. And in both iOS and Android environments, IT administrators must also manage users’ tendency to connect to their preferred cloud and download their own apps. Otherwise, a large volume of protected health data can end up outside the firewall.

* Compliance: Healthcare organizations and their business associates must take care to meet HIPAA mandates regardless of the technology they use. But securing even basic information, much less regulated data, can be far more difficult than when the company creates restrictive rules for its own devices.

* Privacy: When enterprises let employees use their own device to do company business, it’s highly likely that the employee will feel entitled to use the device as they see fit. However, in reality, McLaughlin suggests, employees don’t really have full, private control of their devices, in part because the company policy usually requires a remote wipe of all data when the device gets lost. Also, employees might find that their device’s data becomes discoverable if the data involved is relevant to litigation.

So, readers, tell us how you’re walking the tightrope between giving employees who BYOD some autonomy, and protecting private, HIPAA-protected information.  Are you comfortable with the policies you have in place?

Full Disclosure: HIPAA Secure Now! is an advertiser on this website.

Were Anthem, CHS Cyber Security Breaches Due to Negligence?

Posted on February 19, 2015 | Written By Anne Zieger

Not long ago, health insurance giant Anthem suffered a security breach of historic proportions, one which exposed personal data on as many as 80 million current and former customers. While Anthem is taking steps to repair the public relations damage, it’s beginning to look like even its $100 million cyber security insurance policy is ludicrously inadequate to address what could be an $8B to $16B problem. (That’s assuming, as many cyber security pros do, that it costs $100 to $200 per customer exposed to restore normalcy.)

But the full extent of the healthcare industry hack may be even greater than that. As information begins to filter out about what happened, a Forbes report suggests that the cyber security intrusion at Anthem may be linked to another security breach — exposing 4.5 million records — that took place less than six months ago at Community Health Systems:

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.
Brian Krebs, “Anthem Breach May Have Started in April, 2014”

Class action suits against CHS were filed last August, alleging negligence by the hospital giant. Anthem also faces class action suits alleging security negligence in Indiana, California, Alabama and Georgia. But the damage to both companies’ image has already been done, damage that can’t be repaired by even the most favorable legal outcome. (In fact, the longer these cases linger in court, the more time the public has to permanently brand the defendants as having been irresponsible.)

What makes these exploits particularly unfortunate is that they may have been quite preventable. Security experts say Anthem, along with CHS, may well have been hit by a well-known and frequently leveraged vulnerability in the OpenSSL cryptographic software library known as the Heartbleed Bug. Heartbleed was introduced in 2011, and a fix for it has been available since April of last year. Though outside experts haven’t drawn final conclusions, many have surmised that neither Anthem nor CHS made the necessary fix which would have protected them against Heartbleed.

Both companies have released defensive statements contending that these security breaches were due to tremendously sophisticated attacks — something they’d have to do even if a third-grade script kiddie hacked their infrastructure. But the truth is, note security analysts, the attacks almost certainly succeeded because of a serious lack of internal controls.

By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.
Ken Westin – Senior Security Analyst at Tripwire

As much as these companies would like to convince us that the cyber security breaches weren’t really their fault — that they were victims of exotic hacker gods with otherworldly skills — the bottom line is that this doesn’t seem to be true.

If Anthem and CHS are going to point fingers rather than stiffen up their cyber security protocols, I’d advise that they a) buy a lot more security breach insurance and b) hire a new PR firm. What they’re doing obviously isn’t working.

Wearables And Mobile Apps Pose New Data Security Risks

Posted on December 30, 2014 | Written By Anne Zieger

In the early days of mobile health apps and wearable medical devices, providers weren’t sure they could cope with yet another data stream. But as the uptake of these apps and devices has grown over the last two years, at a rate surpassing virtually everyone’s expectations, providers and payers both have had to plan for a day when wearable and smartphone app data become part of the standard dataflow. The potentially billion-dollar question is whether they can figure out when, where and how they need to secure such data.

To do that, providers are going to have to face up to new security risks that they haven’t faced before, as well as doing a good job of educating patients on when such data is HIPAA-protected and when it isn’t. While I am most assuredly not an attorney, wiser legal heads than mine have reported that once wearable/app data is used by providers, it’s protected by HIPAA safeguards, but in other situations — such as when it’s gathered by employers or payers — it may not be protected.

For an example of the gray areas that bedevil mobile health data security, consider the case of upstart health insurance provider Oscar Health, which recently offered free Misfit Flash bands to its members. The company’s leaders have promised members that use the bands that if their collected activity numbers look good, they’ll offer roughly $240 off their annual premium. And they’ve promised that the data will be used for diagnostics or any other medical purpose. This promise may be worthless, however, if they are still legally free to resell this data to, say, pharmaceutical companies.

Logical and physical security

Meanwhile, even if providers, payers and employers are very cautious about violating patients’ privacy, their careful policies will be worth little if they don’t take a look at managing the logical and physical security risks inherent in passing around so much data across multiple Wi-Fi, 4G and corporate networks.

While it’s not yet clear what the real vulnerabilities are in shipping such data from place to place, it’s clear that new security holes will pop up as smartphone and wearable health devices ramp up to sharing data on a massive scale. In an industry which is still struggling with BYOD security, corralling data that facilities already work with on a daily basis, it’s going to pose an even bigger challenge to protect and appropriately segregate connected health data.

After all, every time you begin to rely on a new network model which involves new data handoff patterns (in this case from wired medical device or wearable data streaming to smartphones across Wi-Fi networks, smartphones forwarding data to providers via 4G LTE cellular protocols and providers processing the data via corporate networks), there has to be a host of security issues we haven’t found yet.

Cybersecurity problems could lead to mHealth setbacks

Worst of all, hospitals’ and medical practices’ cyber security protocols are quite weak (as researcher after researcher has pointed out of late). Particularly given how valuable medical identity data has become, healthcare organizations need to work harder to protect their cyber assets and see to it that they’ve at least caught the obvious holes.

But to date, if our experiences with medical device security are any indication, not only are hospitals and practices vulnerable to standard cyber hacks on network assets, they’re also finding it difficult to protect the core medical devices needed to diagnose and treat patients, such as MRI machines, infusion pumps and even, in theory, personal gear like pacemakers and insulin pumps. It doesn’t inspire much confidence that the Conficker worm, which attacked medical devices across the world several years ago, is still alive and kicking, and in fact, accounted for 31% of the year’s top security threats.

If malevolent outsiders mount attacks on the flow of connected health data, and succeed at stealing it, not only is it a brand-new headache for healthcare IT administrators, it could create a crisis of confidence among mHealth shareholders. In other words, while patients, providers, payers, employers and even pharmaceutical companies seem comfortable with the idea of tapping digital health data, major hacks into that data could slow the progress of such solutions considerably. Let’s hope those who focus on health IT security take the threat to wearables and smartphone health app data seriously going into 2015.

Confusing HIPAA Compliance With Security

Posted on October 2, 2014 | Written By Anne Zieger

Most people who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is not only lagging behind other industries in terms of its hardware and software infrastructure, but also in the extent to which its executives give a care as to how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focus senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.

Eyes Wide Shut – Patient Engagement Pitfalls Prior to Meaningful Use Reporting Period

Posted on June 30, 2014 | Written By

Mandi Bishop is a hardcore health data geek with a Master's in English and a passion for big data analytics, which she brings to her role as Dell Health’s Analytics Solutions Lead. She fell in love with her PCjr at 9 when she learned to program in BASIC. Individual accountability zealot, patient engagement advocate, innovation lover and ceaseless dreamer. Relentless in pursuit of answers to the question: "How do we GET there from here?" More byte-sized commentary on Twitter: @MandiBPro.

July 1, 2015 – the start of the Meaningful Use Stage 1 Year 2 reporting period for the hospital facilities within this provider integrated delivery network (IDN). The day the 50% online access measure gets real. The day the inpatient summary CCDA MUST be made available online within 36 hours of discharge. The day we must overcome a steady 65% patient portal decline rate.

A quick recap for those who haven’t followed this series (and refresher for those who have): this IDN has multiple hospital facilities, primary care, and specialty practices, on disparate EMRs, all connecting to an HIE and one enterprise patient portal. There are 8 primary EMRs and more than 20 distinct patient identification (MRN) pools. And many entities within this IDN are attempting to attest to Meaningful Use Stage 2 this year.

For the purposes of this post, I’m ignoring CMS and the ONC’s new proposed rule that would, if adopted, allow entities to attest to Meaningful Use Stage 1 OR 2 measures, using 2011 OR 2014 CEHRT (or some combination thereof). Even if the proposed rule were sensible, it came too late for the hospitals which must start their reporting period in the third calendar quarter of 2014 in order to complete before the start of the fiscal year on October 1. For this IDN, the proposed rule isn’t changing anything.

Believe me, I would have welcomed change.

The purpose of the so-called “patient engagement” core measures is just that: engage patients in their healthcare, and liberate the data so that patients are empowered to have meaningful conversations with their providers, and to make informed health decisions. The intent is a good one. The result of releasing the EMR’s compilation of chart data to recently-discharged patients may not be.

I answered the phone on a Saturday, while standing in the middle of a shopping mall with my 12 year-old daughter, to discover a distraught man and one of my help desk representatives on the line. The man’s wife had been recently released from the hospital; they had been provided patient portal access to receive and review her records, and they were bewildered by the information given. The medications listed on the document were not the same as those his wife regularly takes, the lab section did not have any context provided for why the tests were ordered or what the results mean, there were a number of lab results missing that he knew had been performed, and the problems list did not seem to have any correlation to the diagnoses provided for the encounter.

Just the kind of call an IT geek wants to receive.

How do you explain to an 84 year-old man that his wife’s inpatient summary record contains only a snapshot of the information that was captured during that specific hospital encounter, by resources at each point in the patient experience, with widely-varied roles and educational backgrounds, with varied attention to detail, and only a vague awareness of how that information would then be pulled together and presented by technology that was built to meet the bare minimum standards for perfect-world test scenarios required by government mandates?

How do you tell him that the lab results are only what was available at time of discharge, not the pathology reports that had to be sent out for analysis and would not come back in time to meet the 36-hour deadline?

How do you tell him that the reasons there are so many discrepancies between what he sees on the document and what is available on the full chart are data entry errors, new workflow processes that have not yet been widely adopted by each member of the care team, and technical differences between EMRs in the interpretation of the IHE’s XML standards for how these CCDA documents were to be created?

EMR vendors have responded to that last question with, “If you use our tethered portal, you won’t have that problem. Our portal can present the data from our CCDA just fine.” But this doesn’t take into account the patient experience. As a consumer, I ask you: would you use online banking if you had to sign on to a different website, with a different username and password, for each account within the same bank? Why should it be acceptable for managing health information online to be less convenient than managing financial information?

How do hospital clinical and IT staff navigate this increasingly-frequent scenario that is occurring: explaining the data that patients now see?

I’m working hard to establish a clear delineation between answering technical and clinical questions, because I am not – by any stretch of the imagination – a clinician. I can explain deviations in the records presentation, I can explain the data that is and is not available – and why (which is NOT generally well-received), and I can explain the logical processes for patients to get their clinical questions answered.

Solving the other half of this equation – clinicians who understand the technical nuances which have become patient-facing, and who incorporate that knowledge into regular patient engagement to ensure patients understand the limitations of their newly-liberated data – proves more challenging. In order to engage patients in the way the CMS Meaningful Use program mandates, have we effectively created a new hybrid role requirement for our healthcare providers?

And what fresh new hell have we created for some patients who seek wisdom from all this information they’ve been given?

Caveat – if you’re reading this, it’s likely you’re not the kind of patient who needs much explaining. You’re likely to do your own research on the data that’s presented on your CCDA outputs, and you have the context of the entire Meaningful Use initiative to understand why information is presented the way it is. But think – can your grandma read it and understand it on HER own?

One Platform to Connect to All EHR Software

Posted on February 6, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve talked for years with people who want to solve the problem of connecting their non-EHR software to all the EHR vendors out there. Entrepreneur after entrepreneur has asked me how they can connect their product to ALL the EHR vendors. It usually ends up being a question like, “Isn’t there just one company we could connect to that will connect us to all the EHR vendors out there?”

I’ve dreamed about this as well. In fact, I recently wrote a post on Hospital EMR and EHR titled “Meaningful Use Drove the Data Gathering” where I suggest things like “EHR data is a treasure trove of opportunity.” and “In the future, EHR vendors will be differentiated more on the marketplace of third party applications they support than on their own in house developed apps.”

The problem is that even if every EHR vendor were to open up their application to third party applications, a startup company doesn’t want to have to integrate with all 300+ EHR vendors out there. Instead, they’d much rather integrate with one company who can connect them to all the other EHR vendors.

While a simple solution to connect to every EHR isn’t available yet, in a recent chat with Thanh Tran, Founder of Zoeticx, he showed me the closest thing to this vision that I’ve seen.

This slide shows what Zoeticx has built so far and a little bit of their vision for the future. When I saw this slide, it looked very much like what I described above.
[Slide: Zoeticx Data Platform]

As the slide shows, it only connects to 4 EHR vendors (5 EHR software) right now. So, they still have a lot of work to do to make this model work across all 300+ EHR vendors. However, it displays a vision of what’s possible if a company like Zoeticx builds the right middleware to connect EHR software to third party software.

After talking with Thanh Tran, you could tell that he lived, breathed, and loved the middleware space. He understood what it took to build a great middleware. For example, Zoeticx has a number of applications that leverage the middleware that they’re building. Some might argue that this makes Zoeticx a product company and not a middleware company. However, those that say this don’t understand what it takes to make great middleware.

By having some applications which leverage their middleware, Zoeticx accomplishes a couple of very important things. First, they are essentially “eating their own dog food” and get to see first hand the challenges of building an application that uses their middleware. This will improve the middleware product better than any other technique. Second, Zoeticx applications will serve as a set of demo applications which can be used to demonstrate what’s possible. Without these demo applications, it’s often hard for people to understand how an API like Zoeticx can be used.

Certainly it’s possible that the Zoeticx application business is so good that they don’t go after the middleware opportunity. However, knowing Thanh’s background makes me think that this is an unlikely possibility. He wants Zoeticx to be a middleware company.

Thanh Tran also said something really intriguing about the latest EHR that they connected to their universal patient clinical data model (Zoeticx Patient Clarity). He said that when they added the new EHR, they didn’t have to change the Zoeticx Patient Clarity side of the equation at all. I’ll be interested to see how this plays out as they connect to more and more EHR vendors.

In fact, I believe that’s the next key step for Zoeticx. They need to connect with the other EHR vendors. Although, my guess is that once they get enough momentum behind what they’re doing, then they can provide an API for EHR vendors and other software vendors to create a gateway to Zoeticx. Then, they’ll have something really powerful.

It’s still early for Zoeticx. We’ll see how they do at attracting third party applications to their platform. We’ll see how their gateways to EHR vendors go and how they’re able to scale up the number of EHR vendors they work with. However, their vision gave me some hope that we could have a simple model for entrepreneurs that want to connect their health IT software with multiple EHR software with one integration.

The Good News About Patient Portals …

Posted on January 14, 2014 | Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

I recently wrote that it’s not clear whether patient portals do much to improve health care.

Now a new study suggests they help in at least one area: medication adherence.

The research involved diabetic patients who were using cholesterol-lowering statin drugs and had registered for online portal access. Among those who started using the system’s online refill function as their only method of getting the medication, “nonadherence” dropped 6 percent.

LDL or “bad” cholesterol also decreased.

The researchers concluded that “wider adoption of online refills may improve adherence.” No decline in nonadherence was seen in patients who didn’t use the online refill function.

The Kaiser Permanente study was published in the journal Medical Care.

The study included plenty of subjects — 8,705 people who used online refills and 9,055 who didn’t. But if there’s a cause-effect relationship at work in this study, you have to wonder in which direction it might run. Might the people who tend to take their medicine as prescribed be more likely to sign up for online refills in the first place?

Still, the study is an intriguing hint that patient portals might be worth at least some of the attention they’re getting. Nonadherence to medication regimens is a huge issue for health care because of both the human toll it takes and the inefficiency it fosters in the system.

Typical nonadherence rates are in the 30-60 percent range, depending on the condition, the medication and other factors, according to Medscape. It’s especially easy to slack off when symptoms disappear.

The study builds on another piece of good news for health IT. Researchers recently found that EMRs can make diabetes care better by rendering care coordination more efficient, as Katherine Rourke wrote here at EMR and HIPAA.

Portals are, of course, experiencing tremendous popularity because they help health care providers to meet Meaningful Use Stage 2 patient-engagement requirements. But, as I wrote earlier, in a review of 46 studies related to portals, researchers didn’t find evidence for much in the way of patient benefits.

Physicians have a major job ahead of them if they’re to make full use of patient portals and receive the available federal incentives. Perhaps this study, modest as its results are, suggests that their efforts will have some benefit for the patients they serve.

 

ROI for EMR: Does It Even Make Sense Now?

Posted on December 20, 2013 I Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

There’s a new data point to add to the debate over EMR return on investment.

Norton Healthcare Inc. in Louisville, Ky., has experienced a $12 million increase in federal reimbursement since it started using Epic, Louisville Business First reported. The health system, which operates five hospitals and a network of outpatient sites, is three years into a five-year, $200 million implementation.

Sounds like the beginning of some pretty good ROI. Or does it?

It’s hard to say.

ROI for records systems is notoriously hard to pin down. The word is that many hospitals don’t even try. And they might be onto something.

A revenue boost is a good sign. It’s often a result of improved coding and lower claims denial rates, as Colin Konschak of health care consulting firm Divurgent and Garrett Blair of Norfolk, Va.-based health system Sentara Healthcare recently wrote. And of course, there are the federal incentives for using an EMR — for hospitals, as much as $11 million over four years.

There’s also the rise in productivity that EMRs are expected to cause. At first, an EMR can slow down clinicians’ workflow and cost them and their organization money. But in time, the system could increase productivity.

But revenue is only part of the equation. Cost savings are the more important — and harder to calculate — factor.

Here are a few ways, as described by Konschak and Blair, that EMRs can help hospitals to save:

  • Less need for transcription.

  • Reduced use of staff time for copying and filing.

  • Reduced — often by 50-70 percent — use of preprinted forms.

  • Potentially lower malpractice premiums because of more complete documentation.

Many other potential benefits are probably real but are even less straightforward to measure. Features such as clinical decision support and electronic medication administration records, for example, could lead to reductions in medical errors — the types of mistakes the federal government no longer pays for. But measuring the money you saved from the errors you didn’t make is fairly abstract.

Many hospitals do little if anything to measure the return on their EMR investment, according to a study released by Beacon Partners last year. Healthcare Scene’s John Lynn wrote a few months ago that CIOs likely view the systems as a “necessary requirement of being a hospital today,” somewhat like cleaning supplies. So they don’t see the need to measure ROI.

To me, the “investment” part of ROI suggests that you have a choice. You put money into something now with the hope — but no guarantee — of a payoff later.

Building an imaging center on the edge of town or buying a surgical robot would probably be considered investments. Maintaining your buildings or upgrading your phones would not.

Doing something the government is making you do is not an investment. Given the reimbursement penalties that will eventually kick in for organizations that stick with paper, it’s hard to imagine that many hospital executives see EMR adoption as a matter of choice.

The idea of ROI for EMR is probably outdated, a holdover from the days when having a system was optional. Hospital leaders are shopping for EMRs with an eye toward getting the best value for their money — just the way they shop for cleaning supplies, furniture or legal services.

You could say that as a society we’ve invested in the idea of EMRs and that we’re hoping for a payoff in terms of better outcomes and lower costs. But that doesn’t predict much about whether any particular hospital or doctor will see a dollars-and-cents ROI.

At Norton in Louisville, it sounds like they’re happy just to be recovering some of what they’re spending.

“It really does improve the continuity of care,” Norton’s chief medical officer, Dr. Steve Heilman, told Business First.

For now, it sounds like Norton is on track.

(Note: I work for Business First as a freelancer but didn’t write the story linked here.)

It’s Not The Health IT You Choose, But The Way You Talk About It

Posted on December 13, 2013 I Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

With system upgrades taking shape across the country, IT is no longer just another department in the hospital. More than ever, it’s integral to how healthcare organizations work and get paid.

But you don’t always see this shifting landscape reflected in hospitals’ leadership structures or practices.

That’s unfortunate. Getting the most out of the billions being spent on health IT will require clear vision and skillful communication at the top levels, according to a December article in the Journal of the American Health Information Management Association.

Doctors, nurses and other team members “must understand the nature of the changes—what the result of the changes will be, how their roles and work will be different, and why change is important,” author Tiankai Wang wrote.

Thoughtful language can go a long way toward minimizing staff resistance and making an implementation successful, explained Wang, a professor of health information management at Texas State University.

Leaders should practice “framing” by promoting the benefits of the technology, such as improved outcomes, lower costs and greater efficiency, Wang wrote. They should also practice “rhetorical crafting,” using stories, analogies and other devices to make their message resonate.

Rhetorical crafting, according to Wang, “leverages a ‘show, don’t tell’ approach to frame leaders’ message in a form that will connect more easily with staff and help them to embrace the possibilities of the coming change.”

He also advises using words such as “we” and “should” rather than “you” and “must” when talking about IT changes.

At a more fundamental level, though, IT leadership isn’t always valued in healthcare to the extent that other roles are. In 2013, average total cash compensation for chief information officers was eighth-highest of all hospital titles at about $316,000, Modern Healthcare reported.

And despite the growing importance of health IT, it’s also uncommon for hospital CIOs to be promoted to the roles of chief operating officer, president or CEO.

It does happen, though, as David Raths wrote in Healthcare Informatics. In perhaps the best-known example, Cincinnati-based Mercy Health, which operates several hospitals, earlier this year named Yousuf Ahmad, who had previously served as CIO, to the chief executive role. Ahmad had also held other management roles, including president of the system’s physician group.

It’s likely a sign of the front-and-center role that IT is now taking at healthcare organizations everywhere.