
The Most Interesting Things in Healthcare Are At the Intersections

Posted on October 31, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today my mind is reeling from everything I’ve seen and heard over the past couple weeks as I’ve talked to literally hundreds of incredible people. I’m currently at the MGMA Annual conference in San Francisco and tomorrow I’ll head to the CHIME Fall Forum in Phoenix. This is the crazy fall health IT conference where I could go to a conference every day of the week and still not attend them all. They’re invigorating, but also overwhelming at times.

However, as I sit here processing everything I’ve heard, I’m reminded of something I once heard (sorry that I don’t remember who first said it) that seems even truer today:

The most interesting things in healthcare lie at the intersections.

It’s such a simple, but powerful idea. There are so many things happening in healthcare. Some improve the way an organization runs. Some improve the quality of the data we have in healthcare. Some make coders more efficient. Some provide new revenue streams. etc etc etc.

All of these are good things, but the most powerful thing is when technology and behavioral science or technology and new business models or technology and some other aspect of technology cross paths. In fact, some of the best innovations don’t even include technology, but the inclusion of technology in these lists is my own personal bias. The intersection of different fields is where the real magic is going to happen. It won’t be enough to just be technology.

With that in mind, where do you see the greatest intersections happening in healthcare? Where should they be happening more?

The Pain of Recording Patient Risk Factors as Illuminated by Apixio (Part 2 of 2)

Posted on October 28, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous section of this article introduced Apixio’s analytics for payers in the Medicare Advantage program. Now we’ll step through how Apixio extracts relevant diagnostic data.

The technology of PDF scraping
Providers usually submit SOAP notes to the Apixio web site in the form of PDFs. This comes to me as a surprise, after hearing about the extravagant efforts that have gone into new CCDs and other formats such as the Blue Button project launched by the VA. Normally provided in an XML format, these documents claim to adhere to standards and offer a relatively gentle face to a computer program. In contrast, a PDF is one of the most challenging formats to parse: words and other characters are reduced to graphical symbols, while layout bears little relation to the human meaning of the data.

Structured documents such as CCDs contain only about 20% of what CMS requires, and often are formatted in idiosyncratic ways so that even the best CCDs would be no more informative than a Word document or PDF. But the main barrier to getting information, according to Schneider, is that Medicare Advantage works through the payers, and providers can be reluctant to give payers direct access to their EHR data. This reluctance springs from a variety of reasons, including worries about security, the feeling of being deluged by requests from payers, and a belief that the providers’ IT infrastructure cannot handle the burden of data extraction. Their stance has nothing to do with protecting patient privacy, because HIPAA explicitly allows providers to share patient data for treatment, payment, and operations, and that is what they are doing when they give sensitive data to Apixio in PDF form. Thus, Apixio had to master OCR and text processing to serve that market.

Processing a PDF requires several steps, integrated within Apixio’s platform:

  1. Optical character recognition to re-create the text from a photo of the PDF.

  2. Further structuring to recognize, for instance, when the PDF contains a table that needs to be broken up horizontally into columns, or constructs such as the field name “Diagnosis” followed by the desired data.

  3. Natural language processing to find the grammatical patterns in the text. This processing naturally must understand medical terminology, common abbreviations such as CHF, and codings.

  4. Analytics that pull out the data relevant to risk and present it in a usable format to a human coder.

Apixio can accept dozens of notes covering the patient’s history. It often turns up diagnoses that “fell through the cracks,” as Schneider puts it. The diagnostic information Apixio returns can be used by medical professionals to generate reports for Medicare, but it has other uses as well. Apixio tells providers when they are treating a patient for an illness that does not appear in their master database. Providers can use that information to deduce when patients are left out of key care programs that can help them. In this way, the information can improve patient care. One coder they followed could triple her rate of reviewing patient charts with Apixio’s service.

Caught between past and future
If the Apixio approach to culling risk factors appears round-about and overwrought, like bringing in a bulldozer to plant a rosebush, think back to the role of historical factors in health care. Given the ways doctors have been taught to record medical conditions, and available tools, Apixio does a small part in promoting the progressive role of accountable care.

Hopefully, changes to the health care field will permit more direct ways to deliver accountable care in the future. Medical schools will convey the requirements of accountable care to their students and teach them how to record data that satisfies these requirements. Technologies will make it easier to record risk factors the first time around. Quality measures and the data needed by policy-makers will be clarified. And most of all, the advantages of collaboration will lead providers and payers to form business agreements or even merge, at which point the EHR data will be opened to the payer. The contortions providers currently need to go through, in trying to achieve 21st-century quality, remind us of where the field needs to go.

The Pain of Recording Patient Risk Factors as Illuminated by Apixio (Part 1 of 2)

Posted on October 27, 2016 I Written By

Andy Oram

Many of us strain against the bonds of tradition in our workplace, harboring a secret dream that the industry could start afresh, streamlined and free of hampering traditions. But history weighs on nearly every field, including my own (publishing) and the one I cover in this blog (health care). Applying technology in such a field often involves the legerdemain of extracting new value from the imperfect records and processes with deep roots.

Along these lines, when Apixio aimed machine learning and data analytics at health care, they unveiled a business model based on measuring risk more accurately so that Medicare Advantage payments to health care payers and providers reflect their patient populations more appropriately. Apixio’s tools permit improvements to patient care, as we shall see. But the core of the platform they offer involves uploading SOAP notes, usually in PDF form, and extracting diagnostic codes that coders may have missed or that may not be supportable. Machine learning techniques extract the diagnostic codes for each patient over the entire history provided.

Many questions jostled in my mind as I talked to Apixio CTO John Schneider. Why are these particular notes so important to the Centers for Medicare & Medicaid Services (CMS)? Why don’t doctors keep track of relevant diagnoses as they go along in an easy-to-retrieve manner that could be pipelined straight to Medicare? Can’t modern EHRs, after seven years of Meaningful Use, provide better formats than PDFs? I asked him these things.

A mini-seminar ensued on the evolution of health care and its documentation. A combination of policy changes and persistent cultural habits have tangled up the various sources of information over many years. In the following sections, I’ll look at each aspect of the documentation bouillabaisse.

The financial role of diagnosis and risk
Accountable care, in varying degrees of sophistication, calculates the risk of patient populations in order to gradually replace fee-for-service with payments that reflect how adeptly the health care provider has treated the patient. Accountable care lay behind the Affordable Care Act and got an extra boost at the beginning of 2016 when CMS took on the “goal of tying 30 percent of traditional, or fee-for-service, Medicare payments to alternative payment models, such as ACOs, by the end of 2016 — and 50 percent by the end of 2018.”

Although many accountable care contracts–like those of the much-maligned 1970s Managed Care era–ignore differences between patients, more thoughtful programs recognize that accurate and fair payments require measurement of how much risk the health care provider is taking on–that is, how sick their patients are. Thus, providers benefit from scrupulously complete documentation (having learned that upcoding and sloppiness will no longer be tolerated and will lead to significant fines, according to Schneider). And this would seem to provide an incentive for the provider to capture every nuance of a patient’s condition in a clearly coded, structured way.

But this is not how doctors operate, according to Schneider. They rebel when presented with dozens of boxes to check off, as crude EHRs tend to present things. They stick to the free-text SOAP note (fields for subjective observations, objective observations, assessment, and plan) that has been taught for decades. It’s often up to post-processing tools to code exactly what’s wrong with the patient. Sometimes the SOAP notes don’t even distinguish the four parts in electronic form, but exist as free-flowing Word documents.

A number of key diagnoses come from doctors who have privileges at the hospital but come in only sporadically to do consultations, and who therefore don’t understand the layout of the EHR or make attempts to use what little structure it provides. Another reason codes get missed or don’t easily surface is that doctors are overwhelmed, so that accurately recording diagnostic information in a structured way is a significant extra burden, an essentially clerical function loaded onto these highly skilled healthcare professionals. Thus, extracting diagnostic information many times involves “reading between the lines,” as Schneider puts it.

For Medicare Advantage payments, CMS wants a precise delineation of properly coded diagnoses in order to discern the risk presented by each patient. This is where Apixio comes in: by mining the free-text SOAP notes for information that can enhance such coding. We’ll see what they do in the next section of this article.

What to Expect When You are Expecting: The Challenges of Technology Adoption Across A Dispersed Organization – Breakaway Thinking

Posted on October 26, 2016 I Written By

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Imagine you have just installed your new clinical information system. Everyone has been waiting for months and excitement has peaked; the big day is right around the corner. Go live is coming and all the organizational sites are prepared for the new workflows and application. The application goes live and suddenly everyone needs help, support is inundated, and it becomes apparent that the expectations were not aligned to the reality of preparedness.

All too often this is a common scenario for organizations that are dispersed over large geographic areas. Adopting healthcare technology is difficult in a singular location, but certain challenges are uniquely amplified when an organization is dispersed. What challenges can you expect related to adoption and learning, and what can you do to ensure you are prepared?

Expect a greater emphasis on change management
As HIMSS reports, individual sites may fight the loss of autonomy as everyone is brought to a standard application or workflow. Each location has developed their own way of using the legacy application, and they must now learn new procedures and processes in addition to a new application. Multiple locations present multiple groups to manage at a distance, without the ability of physical project team members to be present at all locations throughout the adoption process.

Expect deviations from best practice and follow-up learning
Medical Economics recommends that learning continues beyond the initial go live. Staff will deviate from the best practice workflows as they forget less common tasks, and learn to navigate and use the application in different ways. Deviation from workflows introduces inefficiencies and dependency on support, and impedes the ability of staff to rotate between locations because the experience differs. Anticipate a need to provide follow-up learning that reinforces best practices and helps avoid poor use of the application.

Expect each location will need onsite support
During go live, staff will often forget where to start and need a source to turn to when they forget a step in the new application and workflow they are using. However, it is very expensive and likely impractical to have a project team available at each location. Instead, providing assistance through super users and clinical champions along with easily referenced education materials will provide accessible onsite support for most issues.

What can you do?

Bring local leadership into decision making
Regional and local leaders can clarify the unique needs and constraints of their site when selecting applications and designing workflows. Whether equipment varies at each site or there are different service offerings, there are multiple benefits of involving local leadership. It allows leadership to determine the appropriate level of standardization that still respects the unique needs of each site, consequently removing the necessity to deviate from the standard workflow. Involving local and regional leaders engages them, provides a sense of ownership and cooperation in the project, and will help reduce resistance to change. It is imperative leadership is aligned at all levels, engaged in the adoption process, and supportive of the approach if adoption is to succeed.

Implement and ensure metrics are utilized
Metrics serve as key indicators of progress, knowledge retention, and proficiency, but in dispersed locations metrics also stand in for what would otherwise be learned through in-person observation. Metrics show whether a location is developing poor workflow practices or struggling with the change; subsequently, metrics indicate whether a site needs additional support or learning. New metrics may be employed, such as surveys to gain feedback from multiple sites that could otherwise be obtained from a meeting or observation.

Follow up with each location often
Some sites will likely be more vocal in their need of support than others. It’s important to follow up with all sites and provide remedial education if metrics indicate a need to do so. Staff may need refresher training if inefficiencies arise, but there may be a root cause such as an educational or workflow gap that was previously unknown. Because adoption is a long-term commitment, it is important to provide continuous availability of learning while sustaining content to support changes to the application and learning needs.

Employ communication from leadership effectively
Effective communication goes a long way in reducing resistance to change. It also provides a channel for feedback and continuous collaboration. Communication should come from executive leaders to show their support of the adoption initiative, but also from local leaders. Staff can’t stop operations in a healthcare setting to join conference calls, and emails aren’t always read, but local leaders are able to directly communicate with staff. A comprehensive set of communications ensures an aligned message at all leadership levels and improves the ability of messages to reach staff.

While these suggestions may help, there is a proven methodology to comprehensively address challenges. At the Breakaway Group, we work with leadership to support engagement and change management at all levels while providing comprehensive sets of communication. Our experienced teams can provide workflow recommendations and develop education directly from the application that is sustained through the life of the partnership. Real-time data and metrics provide indicators of how each location is performing and undergoing change. Regardless of the organizational structure or of what to expect, we employ a methodology to help any organization achieve successful technology adoption and value realization.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Time To Treat Telemedicine as Just “Medicine”

Posted on October 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Over the last year or two, hospitals and clinics have shown a steadily growing interest in offering telemedicine services. Certainly, this is in part due to the fact that health plans are beginning to pay for telehealth consults, offering a new revenue stream that providers want to capture, but there’s more to consider here.

Until recently, much of the discussion around telehealth centered on how to get health insurance companies to pay for it. But now, as value-based purchasing becomes more the norm, providers will need to look at telemedicine as a key tool for managing patient health more effectively.

Evidence increasingly suggests that making providers available via telemedicine channels can help better manage chronic conditions and avert needless hospitalizations, both of which, under value-based payments, are more important than getting a few extra dollars for a consult.

Looked at another way, the days of telehealth being a boutique service for more-sophisticated consumers are ending. “It’s time to treat telemedicine as just ‘medicine,’” one physician consultant told me. “It’s no different than any other form of medicine.”

As reasons for treating telehealth as a core clinical service increase, barriers to sharing video and other telemedical records are falling, the consultant says. Telemedicine providers can already push the content of a video visit or other telehealth consult into an EMR using HL7, and soon information sharing should go both ways, he notes.

What’s more, breaking down another wall, major EMR vendors are offering providers the ability to conduct a telehealth visit using their platform. For example, Epic is offering telemedicine services to providers via its MyChart portal and Hyperspace platform, in collaboration with telehealth video provider Vidyo. Cerner, which operates some tele-ICUs, has gone even further, with senior exec John Glaser recently arguing that telehealth needs to be a central part of its population health strategy.

Admittedly, even if providers develop a high level of comfort delivering care through telehealth platforms, it’s probably too soon to rely on this medium as an agent of change. If nothing else, the industry must face up to the fact that telemedicine demand isn’t huge among their patients at present, though consumer plays like AmWell and DoctoronDemand are building awareness.

Also, while scheduling and conducting telemedicine consults need not be profoundly different than holding a face-to-face visit — other than offering both patient and doctor more flexibility — working in time to manage and document these cases can still pose a workflow challenge. Practical issues such as how, physically, a doctor documents a telehealth visit while staring at the screen must be resolved, issues of scheduling addressed and even questions of how to store and retrieve such visit records must be thought through.

However, I think it’s fair to say that we’re past wondering whether telemedicine should be part of the healthcare process, and whether it makes financial sense for hospitals and clinics to offer it. Now we just have to figure out where and when.

Don’t Worry About HIPAA – When Your License Is At-Risk!

Posted on October 24, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
Not long ago I was at an ambulance service for a HIPAA project when one of their paramedics asked what the odds were that his employer would get a HIPAA fine if he talked about one of his patients. I replied that the odds of a HIPAA penalty were very slim compared to him losing his state-issued paramedic license, which would cost him his job and his career. He could also be sued. He had never thought of these risks.

Doctors, dentists, lawyers, accountants, psychologists, nurses, EMTs, paramedics, social workers, mental health counselors, and pharmacists are just some of the professions that have to abide by confidentiality requirements to keep their licenses.

License and ethical requirements have required patient and client confidentiality long before HIPAA and other confidentiality laws went into effect.  HIPAA became effective in 2003, 26 years after I became a New York State certified Emergency Medical Technician (EMT). Way back in 1977, the very first EMT class I took talked about my responsibility to keep patient information confidential, or I would risk losing my certification.

While licensed professionals may not talk about an individual patient or client, weak cybersecurity controls could cause a breach of ALL of their patient and client information – instantly.
Most certified and licensed professionals will agree that they are careful not to talk about patients and clients, but how well do they secure their data? Are their laptops encrypted? Are security patches and updates current? Do they have a business-class firewall protecting their network? Do they have IT security professionals managing their technology?
Lawyers have been sanctioned for breaching confidentiality. Therapists have lost their licenses. In one well-publicized case a psychologist lost his license when a prostitute stole his laptop. In rare cases a confidentiality breach will result in a jail sentence, along with the loss of a license.

Cyber Security Ethics Requirements
Lawyers are bound by ethical rules that apply to confidentiality and competence. The competence requirements typically restrict lawyers from taking cases in unfamiliar areas of the law. However, the American Bar Association has published model guidance that attorneys not competent in the area of cyber security must hire professionals to help them secure their data.

The State Bar of North Dakota adopted technology amendments to its ethics rules in early 2016. The State Bar of Wisconsin has published a guide entitled Cybersecurity and SCR Rules of Professional Conduct. In 2014, The New York State Bar Association adopted Social Media Ethics Guidelines. Lawyers violating these ethical requirements can be sanctioned or disbarred.

A State Bar of Arizona ethics opinion said “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Some licensed professionals argue that their ethical and industry requirements mean they don’t have to comply with other requirements. Ethical obligations do not trump federal and state laws. Lawyers defending health care providers in malpractice cases are HIPAA Business Associates. Doctors that have to comply with HIPAA also must adhere to state data breach laws. Psychiatric counselors, substance abuse therapists, pharmacists, and HIV treatment providers have to comply with multiple federal and state confidentiality laws in addition to their license requirements.

There are some exemptions from confidentiality laws and license requirements when it comes to reporting child abuse, notifying law enforcement when a patient becomes a threat, and in some court proceedings.

While the odds of a federal penalty for a confidentiality breach are pretty slim, it is much more likely that someone will complain to your licensing board and kill your career. Don’t take the chance after all you have gone through to earn your license.

About Mike Semel
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

Getting the Right Information to Doctors and Patients at the Right Place and the Right Time

Posted on October 21, 2016 I Written By

John Lynn

On Tuesday, October 25, 2016 at 1:00 PM ET (10:00 AM PT) I’ll be hosting a live video interview with Denise Basow, MD, President and CEO of Clinical Effectiveness at Wolters Kluwer Health. We’ll be discussing how we can make sure that doctors and patients are getting the right information at the right place at the right time. This is an extremely big challenge, but this discussion should be particularly interesting thanks to Wolters Kluwer’s recent acquisition of Emmi.

The great part is that you can join my conversation live and even add your own comments to the discussion or ask your own questions. All you need to do to watch live is visit this blog post on Tuesday, October 25, 2016 at 1:00 PM ET (10:00 AM PT) and watch the video embed at the bottom of this post or you can watch on YouTube directly. The conversation will be recorded as well and available on this post after the interview.
We hope you’ll join us live using the video below or enjoy the recorded version of our conversation.



If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

E-Patient Update: The Patient Data Engagement Leader

Posted on October 20, 2016 I Written By

Anne Zieger

As healthcare delivery models shift responsibility for patient health to the patients themselves, it’s becoming more important to give them tools to help them get and stay healthy. Increasingly, digital health tools are filling the bill.

For example, portals are moving from largely billing and scheduling apps to exchanging patient data, holding two-way conversations between patient and doctor and even tracking key indicators like blood glucose levels. Wearables are slowly becoming capable of helping doctors improve diagnoses, and patterns revealed by big data should soon be used to create personalized treatment plans.

The ultimate goal of all this, of course, is to push as much data power as possible into the hands of consumers. After all, for patients to be engaged with their health, it helps to make them feel in control, and the more sophisticated information they get, the better choices they can make. Or at least that’s how the traditional script reads.

Now, as an e-patient, the above is certainly true for me. Every incremental improvement in the data I get brings me closer to taking on otherwise overwhelming health challenges. That’s true, in part, because I’m comfortable reading charts, extrapolating conclusions from data points and visualizing ways to make use of the information. But if you want less tech-friendly patients to get on board, they’re going to need help.

The patient engagement leader

And where will that help come from? I’d argue that hospitals and clinics need to create a new position dedicated to helping engage patients, including though not limited to helping them make their health data their own. This position would cut across several disciplines, ranging from patient health education to clinical medicine to data analytics.

The person owning this position would need to be current in patient engagement goals across the population and by disease/condition type, understand the preferred usage patterns established by the hospital, ACO, delivery network or clinic and understand trends in health behavior well enough to help steer patients in the right direction.

It also wouldn’t hurt if such a person had a healthy dose of marketing skills under their belt, as part of the patient engagement process is simply selling consumers on the idea that they can and should take more responsibility for their health outcomes. Speaking from personal experience, a good marketer can wheedle, nudge and empower people by turns, and this will be very necessary to boost your engagement.

While this could be a middle management position, it would at least need to have the full support of the C-suite. After all, you can’t promote population-wide improvements in health by nibbling around the edges of the problem. Such measures need to be comprehensive and strategic to the mission of the healthcare organization as a whole, and the person behind them needs to have the authority to see them through.

Patients in control

If things go right, establishing this position would lead to the creation of a better-educated, more-confident patient population with a greater sense of self-efficacy regarding their health. While specific goals would vary from one healthcare organization to another, such an initiative would ideally lead to improvements in key metrics such as A1c levels population-wide, drops in hospital admission and readmission rates and, simultaneously, lower spending on more intense modes of care.

Not only that, you could very well see patient satisfaction increase as well. After all, patients may not feel capable of making important health changes on their own, and if you help them do that it stands to reason that they’ll appreciate it.

Ultimately, engaging patients with their health calls for participation by everyone who touches the patient, from techs to the physician, nurses to the billing department. But if you put a patient engagement officer in place, it’s more likely that these efforts will have a focus.

Supply Of mHealth Apps Far Exceeds Demand

Posted on October 19, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

With demand relatively high and barriers to entry low, the supply of mHealth apps available on the two main marketplaces has exploded in recent years. And according to a new report from analyst firm Research 2 Guidance, the number of apps continues to mushroom despite lagging demand.

The report notes that nearly 100,000 mHealth apps have been added to the Google and Apple app marketplaces since the beginning of last year, bringing the total apps available to about 259,000. Also, 13,000 mHealth publishers entered the market since the start of 2015, bringing the total to 58,000, according to the study, which looked at global health app development.

To get a sense of trends, the group’s mHealth App Developer Economics 2016 report compared the number of available apps and publishers with the number of mHealth downloads.

During the past year, the total number of mHealth apps climbed a whopping 57%, boosted by the expanding number of health app publishers, the increased importance of publishing across both key app marketplaces and the increase in app portfolios by publishers, R2G found.

Multi-platform publishing seems to be particularly important. Currently, 75% of mHealth publishers are developing apps on both iOS and Android platforms. (An even higher percentage of HTML 5 and Windows Phone developers publish across each other’s platforms, but their numbers are small so they don’t contribute much to the overall market stats, the firm found.)

Meanwhile, the number of health app publishers on major app stores climbed 28% since the beginning of 2015, a torrent of entries that doesn’t seem to be slowing down, the analyst firm concluded. This includes not only veteran publishers but also ongoing entrances by new mHealth publishers.

The problem is, demand is nowhere near keeping up with supply, at least when measuring by the number of downloads. Statistics by the research firm indicate that while demand continued to grow by a solid 35% in 2015, growth in health app downloads is estimated to be only 7% in 2016.

Though such downloads are expected to reach a total of 3.2 billion in 2016, further massive growth seems unlikely, as the growth in use of capable devices that can use and download apps has slowed down in most Western countries, R2G notes.

Given the amount of noise in the mHealth app market, few publishers are likely to have the resources to stand out and grab significant download market share. As the analyst firm notes, only 14% of mHealth app publishers generated more than 100,000 downloads across their portfolio in one year, a number which has climbed only 3% since 2014.

States Strengthen Data Breach Laws & Regulations

Posted on October 18, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

If your cyber security and compliance program is focused on just one regulation, like HIPAA or banking laws, many steps you are taking are probably wrong.

Since 2015 a number of states have amended their data breach laws which can affect ALL BUSINESSES, even those out of state, that store information about their residents. The changes address issues identified in breach investigations, and public displeasure with the increasing number of data breaches that can result in identity theft.

Forty-seven states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, protect personally identifiable information, which includes a person’s name plus their Driver’s License number, Social Security Number, and the access information for bank and credit card accounts.

Many organizations mistakenly focus only on the data in their main business application, like an Electronic Health Record system or other database they use for patients or clients. They ignore the fact that e-mails, reports, letters, spreadsheets, scanned images, and other loose documents contain data that is also protected by laws and regulations. These documents can be anywhere – on servers, local PCs, portable laptops, tablets, mobile phones, thumb drives, CDs and DVDs, or somewhere up in the Cloud.

Some businesses also mistakenly believe that moving data to the cloud means that they do not have to have a secure office network. This is a fallacy because your cloud can be accessed by hackers if they can compromise the local devices you use to get to the cloud. In most cases there is local data even though the main business applications are in the cloud. Local computers should have business-class operating systems, with encryption, endpoint protection software, current security patches and updates, and strong physical security. Local networks need business-class firewalls with active intrusion prevention.

States are strengthening their breach laws to make up for weaknesses in HIPAA and other federal regulations. Between a state and federal law, whichever requirement is better for the consumer is what those storing data on that state’s residents (including out of state companies) must follow.

Some states have added to the types of information protected by their data breach reporting laws. Many states give their residents the right to sue organizations for not providing adequate cyber security protection. Many states have instituted faster reporting requirements than federal laws, meaning that an incident management plan based on federal requirements may cause you to miss a shorter state reporting deadline.

In 2014, California began requiring mandatory free identity theft prevention services even when harm cannot be proven. This year Connecticut adopted a similar standard. Tennessee eliminated the encryption safe harbor, meaning that the loss of encrypted data must be reported. Nebraska eliminated the encryption safe harbor if the encryption keys might have been compromised. Illinois is adding medical records to its list of protected information.

Massachusetts requires every business to implement a comprehensive data protection program including a written plan. Texas requires that all businesses that have medical information (not just health care providers and health plans) implement a staff training program.

REGULATIONS

Laws are not the only regulations that can affect businesses.

The New York State Department of Financial Services has proposed that “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” comply with new cyber security regulations. This includes banks, insurance companies, investment houses, charities, and even covers organizations like car dealers and mortgage companies who handle consumer financial information.

The new rule will require:

  • A risk analysis
  • An annual penetration test and quarterly vulnerability assessments
  • Implementation of a cyber event detection system
  • Appointing a Chief Information Security Officer (and maintaining compliance responsibility if outsourcing the function)
  • System logging and event management
  • A comprehensive security program including policies, procedures, and evidence of compliance

Any organization connected to the Texas Department of Health & Human Services must agree to its Data Use Agreement, which requires that a suspected breach of some of its information be reported within ONE HOUR of discovery.

MEDICAL RECORDS

People often assume that their medical records are protected by HIPAA wherever they are, and are surprised to find out this is not the case. HIPAA only covers organizations that bill electronically for health care services, validate coverage, or act as health plans (which also includes companies that self-fund their health plans).

  • Doctors that only accept cash do not have to comply with HIPAA.
  • Companies like fitness centers and massage therapists collect your medical information but are not covered by HIPAA because they do not bill health plans.
  • Health information in employment records is exempt from HIPAA, like letters from doctors excusing an employee after an injury or illness.
  • Workers Compensation records are exempt from HIPAA.

Some states protect medical information at every entity that may store it. This means that every business must protect the medical information it stores, and must report it if it is lost, stolen, or accessed by an unauthorized person.

  • Arkansas
  • California
  • Connecticut
  • Florida
  • Illinois (beginning January 1, 2017)
  • Massachusetts
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Puerto Rico
  • Rhode Island
  • Texas
  • Virginia
  • Wyoming

Most organizations are not aware that they are governed by so many laws and regulations. They don’t realize that information about their employees and other workforce members is covered. Charities don’t realize the risks they have protecting donor information, or the impact on donations a breach can cause when it becomes public.

We have worked with many healthcare and financial organizations, as well as charities and general businesses, to build cyber security programs that comply with federal and state laws, industry regulations, contractual obligations, and insurance policy requirements. We have been certified in our compliance with the federal NIST Cyber Security Framework (CSF) and have helped others adopt this security framework, which is gaining rapid acceptance.

About Mike Semel
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.