
Patient Portals and Chronic Disease Management

Posted on January 16, 2018

The following is a guest blog by Monica Stout from MedicaSoft

Half of all U.S. adults, roughly 117 million people, have one or more chronic health conditions. 1 in 4 people have two or more chronic conditions. As a nation, we need some help addressing the chronic disease epidemic. Many patient portals today give patients access to pieces of their health information – lab results, for example – and some will flag upcoming appointments or refill a prescription, but where are the tools and the data in a portal to actually help patients manage chronic conditions, thereby improving their overall health and wellness? Sadly, many patient portals provide a very narrow view, with few opportunities to link data to actions to results in a way that closes the loop between patients and caregivers. Without a complete view of a patient’s health measures, wellness goals, and plans of action – and the tools to manage them – it is very difficult to connect health and wellness to address the whole patient.

Chronic disease management represents one of the best opportunities for a personal health record to link both wellness and healthcare together to affect positive health outcomes. What does it take to improve and maintain wellness? First, you need patient engagement. You need motivated patients who want to do a good job of actively tracking their conditions and working toward wellness goals. How do you convince a chronically ill patient to do this? Start by offering a tool that’s easy for them to track their data – complete with a workflow and user interface that makes it a breeze to enter and distill information at a glance and when they are on the go. Use technology similar to what patients use in their daily lives on their smart phones and laptops. Give patients tools to understand their health and take action based on how they are doing and what their health goals are! Provide a portal that allows the integration of popular wearable devices and lets the patient decide who should have access (Spouses? Caregivers?) to help them enter and manage their information.

Effectively managing chronic disease requires changing poor habits and forming good habits. Sometimes people need a gentle nudge or a push outside of the exam room. A platform that can send out reminders, gamify the experience, and even call a patient can go a long way in helping steer chronic disease patients in a more positive wellness direction. It’s not all about reminders, either. Texts and calls informing patients when they are doing a good job managing their daily wellness habits can also help.

Beyond helping patients, there’s an added benefit for providers in coupling wellness capabilities with a PHR: it can not only affect chronic disease factors, but also collect the data providers need to participate in the Quality Payment Program; the Merit-based Incentive Payment System (MIPS) and the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). To quickly review, the Quality Payment Program allows clinicians to be rewarded financially for providing high-quality and high-value care through Advanced Alternative Payment Models (APMs) or MIPS that are based on various measures. These measures can be integrated into the PHR, allowing physicians to track their patient populations, run reports, submit information to the Quality Payment Program, and receive merit payments.

What are your thoughts? Would you use a PHR to manage a chronic condition you are experiencing? Would you encourage your loved ones to use one? As a provider, how do you feel about a PHR making it easier for you to track MIPS/MACRA measures?

About Monica Stout
Monica is a HIT teleworker in Grand Rapids, Michigan by way of Washington, D.C., who has consulted at several government agencies, including the National Aeronautics and Space Administration (NASA) and the U.S. Department of Veterans Affairs (VA). She’s currently the Marketing Director at MedicaSoft. Monica can be found on Twitter @MI_turnaround or @MedicaSoftLLC.

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. MedicaSoft is a proud sponsor of Healthcare Scene. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Why Clinicians Need a 2015 Certified EHR

Posted on January 11, 2018

The following is a guest blog post by Lisa Eramo, a regular contributor to Kareo’s Go Practice Blog.

What does “2015 Certified EHR” mean to practicing clinicians? The once-flooded EHR market is now whittling down to those vendors equipped to respond to regulatory and industry changes. The Office of the National Coordinator (ONC) for Health Information Technology listed more than 4,000 EHRs with 2014 certification criteria, according to the most recent data from healthIT.gov. And to date, only about 200 EHRs have passed the rigorous 2015 certification criteria.

However, beyond the fact that 2015 is indeed the most recent certification criteria as issued by the HHS, why should medical practices care?  

When vendors certify their EHRs, physicians—and patients—are ultimately the beneficiaries, says Beth Onofri, EHR and industry advisor at Kareo, who led the 2015 Certification process for the Kareo Clinical EHR. Physicians benefit because the technology allows them to easily attest that they’ve met quality requirements specified in the Medicare Access and CHIP Reauthorization Act (MACRA). This includes Advancing Care Information (ACI)-related measures that help physicians boost their payments. ACI accounts for 25 percent of a physician’s performance score that dictates reimbursement under the Merit-based Incentive Payment System (MIPS). Patients benefit because they’re able to access and exchange their own health information more easily than ever before. It’s a win-win all around, says Onofri.

“The 2015 criteria require functionality supporting unprecedented patient engagement, care coordination, and information exchange, all of which bodes well for physicians striving to improve outcomes.”
—Beth Onofri, EHR and Industry Advisor at Kareo

Although using a certified EHR is important, implementing one that’s certified using only the 2015 criteria (not the 2014 criteria or a combination of the two) is a critical piece of the puzzle under MACRA, says Onofri. EHRs certified with the 2015 criteria help pave the way for physicians to receive a bonus in 2018. In addition, the 2015 criteria require functionality that supports unprecedented patient engagement, care coordination, and information exchange, all of which bodes well for physicians striving to improve outcomes.

Still, many physicians aren’t aware of how the 2015 certification criteria can help their practices, says Onofri.

Of the 60 different 2015 certification criteria, Onofri says these five are particularly helpful for practices seeking to improve the quality of the care they provide, ultimately fostering accurate payments under value-based payment reform:

1. View, download, and transmit health information to a third party

The 2015 criteria require a secure method of access (usually through a patient portal) as well as the ability to send information to an unsecured email address of the patient’s choice, says Onofri. The idea is that offering various access options improves overall patient engagement and outcomes.

She suggests creating a brochure that explains to patients how they can access and use the portal, including how to view, download, and transmit their health information. Another idea is to recruit a volunteer who can show patients how to use the portal while they wait in the waiting area. “There needs to be a strong advocate in each practice to make sure that these functionalities are implemented and used,” she adds. “Those practices with an advocate are the ones that will succeed.”

2. Secure messaging

This functionality allows physicians to send messages to—and receive messages from—patients in a secure manner, helping to improve engagement and communication. Practices must define how they’ll use secure messaging, including who will respond and what types of questions they’ll permit (e.g., fulfill appointment requests vs. answering clinical inquiries). “There are a small percentage of doctors who will want to answer their own messages, but there is a larger percentage of doctors who will want their staff to answer the emails and, if necessary, escalate to the provider,” says Onofri.

3. Patient health information capture

This functionality allows physicians to accept patient-generated health data into the EHR. For example, Onofri notes that the Kareo Clinical 2015 Edition EHR allows patients to record their health information at home to easily upload the information to their portal and transmit it securely to the physician for shared decision-making. The idea is that access to more comprehensive health data can help physicians prevent and manage disease—and it could be a game-changer in terms of population health management.

Start small when rolling out this functionality, she says. For instance, encourage patients with high blood pressure to upload their blood readings daily before engaging a second population (e.g., those with diabetes who upload their glucose levels).

4. Transitions of care

This functionality calls for interoperable documents that include key health data (e.g., name, date of birth, and medications) as well as a standardized format for exchange. A transition of care summary provides critical information as patients transfer between different physicians at different health organizations or even distinct levels of care within the same organization.

“It’s not uncommon for our providers to send the referral right as they are completing the note with the patient in the room,” says Onofri. “This obviously speeds the care coordination for patients in terms of seeing another doctor.” The only caveat is that practices must compile a list of direct email addresses for physicians to whom patients are frequently referred, she adds.

5. Application programming interfaces (APIs)

“This is one of those requirements that is the foundation of things to come,” says Onofri. “It’s the first step toward interoperability.” API functionality will eventually allow patients to aggregate data from multiple sources in a web or mobile application of their choice.

Physicians who take the time to explore each of these 2015 certification functionalities may be more likely to improve outcomes and reap financial rewards under MACRA, says Onofri. “The improved functionality is there—is your practice taking advantage of it?”

About Lisa Eramo
Lisa Eramo is a regular contributor to Kareo’s Go Practice Blog, as well as other healthcare publications, websites and blogs, including the AHIMA Journal. Her focus areas are medical coding, clinical documentation improvement and healthcare quality/efficiency. Kareo is a proud sponsor of Healthcare Scene.

Doctors, Data, Diagnoses, and Discussions: Achieving Successful and Sustainable Personalized/Precision Medicine

Posted on January 10, 2018

The following is a guest blog post by Drew Furst, M.D., Vice President Clinical Consultants at Elsevier Clinical Solutions.

Personalized/precision medicine is a growing field and that trend shows no sign of slowing down.

In fact, a 2016 Grand View Research report estimated the global personalized medicine market was worth $1,007.88 billion in 2014, with projected growth to reach $2,452.50 billion by 2022.

As these areas of medicine become more commonplace, understanding the interactions between biological factors with a range of personal, environmental and social impacts on health is a vital step towards achieving sustainable success.

A better understanding begins with answering important questions such as whether the focus should be precision population medicine (based on disease) or precision patient-specific medicine (based on the individual).

Specificity in terminology is needed. The traditional term of “personalized medicine” has evolved into the term “precision medicine,” but this new usage requires a more detailed look into the precise science of genetic, environmental and lifestyle factors that influence any approach to treatment.

Comprehending the interactions between biological factors with a range of personal, environmental, and social impacts on health can provide insights into success and we’ve learned that some areas of precision medicine are more effective than others.

Through pharmacogenomics – the study of understanding how a patient’s genetic make-up affects the response to a particular drug – we have identified key enzymes in cancer formation and cancer treatment, which aids in the customization of drugs.

Research shows us that drug-metabolizing enzyme activity is one of many factors that impact a patient’s response to medication. We also know that human cytochrome P450 (CYP) plays an important role in the metabolism of drugs and environmental chemicals.

Therapies that incorporate drug-specific pharmacogenomics are a boon to oncology treatments and a vast improvement over the “shotgun therapy” approach of the past. Today, treatments can be targeted to enzymes and receptors that vary from person to person.

In traditional chemotherapy, a drug developed to kill rapidly growing cancer cells will indiscriminately target other rapidly growing cells such as hair cells, hence the often-observed hair loss. However, a targeted drug and delivery method aimed at only the receptive cells can be a much more effective approach and treatment, while minimizing collateral damage.

Recently, the journal Nature published a study showing the promise this method holds. In the pilot study, scientists led by Dr. Catherine Wu of Dana-Farber Cancer Institute in Boston gave six melanoma patients an experimental, custom-made vaccine and, two years later, all were tumor-free following treatment.

Looking Beyond Genetics

Precision medicine needs to include more than just genetics.

Factors such as environment and socio-economic status also must be included when approaching disease states and we must undertake a comprehensive overview of a patient’s situation, including, but not limited to, family history.

Cultural dietary traditions can play into disease susceptibility. As an example, the frequent consumption of smoked fish in some Asian cultures increases their risk of gastric (stomach) cancers. Lower socioeconomic status can force acceptance of substandard and overcrowded housing, with increased risk of illnesses such as lead toxicity, asbestosis, and Hantavirus, to name just a few.

A patient with a genetic propensity for lung cancer who also smokes cigarettes and has high radon levels in their home is increasing the odds of developing disease due to these combined genetic, behavioral, and environmental factors.

Patient-derived Data and the Diagnosis

In addition to the information now available through state-of-the-art medical testing, patient-derived information from wearables, biometrics, and direct-to-consumer health testing kits presents patients and physicians alike with new opportunities and challenges.

Armed with newly discovered health data, patients may present it to their doctors with a request that it be included in their health record. Many patients expect an interpretation of that data when they visit their doctor and an explanation of what it means for their present (and future) healthcare.

Doctors can be overwhelmed when unfiltered information is thrown at them. Doctors are not prepared and research has yet to offer definitive support for interpretation of patient-derived data.

Studying hereditary traits can offer some insights from generation to generation. By delving into genomics of individual patients, we get a clearer picture of a person’s risk factor for a certain disease, but often this information provides no immediate solutions. Discovering a genetic indicator for Alzheimer’s may reflect a higher propensity for the disease, but symptoms may be decades away, if they appear at all.

Pitfalls and Possibilities

There are many concerns about genomic data collection, one of which is whether policies can keep pace with patient privacy and the related ethical questions that inevitably ensue. These questions are consistently surfacing and there is no clear direction on the best course of action.

Clearer policies are needed to delineate who has access to a patient’s genetic records and whether third parties, such as health or life insurance companies, can deny coverage or care based on genomics.

In addition, one cannot ignore the psychological burden associated with knowing your “potential” for a disease, based solely on your genetic testing, when it may never come to fruition. Not to mention, its effect on planning for one’s future decisions relative to career, residence, and relationship commitments.

Even some physicians are reticent to undergo genetic testing for fear of who might gain access to the information and the consequences thereof.

Physicians face an additional conundrum in dealing with patient-supplied information: How to counsel patients when, in some cases, the task should be the responsibility of a community resources representative? In addition, patients who request that certain information not be included in their personal health record present a problem for a physician justifying a test or a procedure to a payer.

The consumerization of healthcare and patient engagement strategies employed to deliver better outcomes are driving the healthcare industry to open conversations that elevate the level of care delivered to patients. In addition, physicians need to demand more direction and initiate more discussions on how to deal with the opportunities and challenges presented in the era of patient-derived and pharmacogenomics data.

While improving patient-physician communication should always be a priority, discussing how and when to use genetic and patient-derived information is still a work in progress.

Dr. Furst is Vice President Clinical Consultants at Elsevier Clinical Solutions.

6 Unique Anesthesiology Needs Where Traditional EHRs Fall Short

Posted on December 21, 2017

The following is a guest blog post by Douglas Keene, MD, Chief Medical Officer and Founder, Recordation Perioperative Information Management.

Anesthesiology has traditionally been thought of as a specialty profession limited to the operating room (OR). Over the past few years, however, a revolution has been underway as the industry pushes to provide higher quality care at lower costs, motivating anesthesiologists to expand their typical role. Private anesthesiology groups are becoming more involved in the overall operations of the OR to improve the quality of care delivered inside and outside the operating room as well as keep their businesses running.

On average, the OR contributes between 60-70 percent of overall hospital revenue, solidifying the need for more efficient processes within the OR. Fortunately, we live in a world full of valuable insights and methods to capture data that can provide a lens into what’s working and what isn’t when it comes to operations. By further understanding how the operating room is running through specific data capture sets, not only are anesthesiologists, surgeons and other OR providers able to understand how they are performing during each surgery, hospital executives are also able to see quantitatively how their OR operations are performing. To do this, however, anesthetists and hospital leaders need to identify software that can address both hospital and clinical needs to improve outcomes.

There are many challenges decision makers face when it comes to identifying the best platform or solution for their hospitals’ OR operational needs. With so many options available between software systems and EHRs, it can be difficult to identify the best one for your practice, especially when it comes to the OR specifically. Here are a few things to consider when looking to adopt a new solution in your OR:

  • Get Specific: Your software should be designed for the unique characteristics of administering anesthesia in a variety of settings and situations. Since anesthesiology is a very precise specialty where differences in factors like body weight, drug interactivity, cardiac output, age, metabolism, ventilation and timing can influence what type of anesthesia is administered and how, the ideal system must be able to capture all of this data accurately.
  • Interoperability: Anesthesiologists rely heavily on medical devices to help monitor and detect abnormalities in blood pressure, heart rate, oxygen levels, etc. The anesthesiology software being used should integrate along with the other devices in order to pull the crucial information onto one cohesive platform. This will help anesthesiologists focus more on the patient rather than trying to keep up with watching multiple monitors and capturing it all by hand.
  • Data Capture: Anesthesiologists regularly interact with a team of nurses and other physicians (in addition to the patient), so the perioperative suite needs to be able to seamlessly export and import data from other EMR platforms.
  • Up-to-Date Drug Usage: Because the anesthesiologist’s role is to monitor the amount of medications being administered, it’s imperative for there to be a robust alert system to notify the anesthesiologist of any potential adverse drug reactions or allergies prior to any operation.
  • Physician Burnout Reduction: It’s no secret today’s physicians are burnt out from the amount of added work brought on by poorly developed EHR systems. As you look to implement a digital system within your OR setting, be sure to identify a technology that will not create more work for the physician and, at the same time, allow them to put more focus on the patient currently being treated.
  • Program Design: When looking for an OR solution, consider the architecture of the system and whether it is cloud-based or on-site as that will affect the installation and maintenance of the program. Choosing a platform that integrates without hassle is far more likely to be widely accepted by not only anesthesiologists, but other clinicians within the hospital.

There is certainly no shortage of EHR solutions out there, some with or without anesthesiology-specific technology. For hospital decision-makers and anesthesiologists, it’s important to be confident the solution you choose can improve your clinicians and overall OR operations while focusing on patient care.

About Recordation
Recordation is a cutting-edge Healthcare Informatics company revolutionizing how clinicians report and access crucial patient information before, during and after a patient’s operation. Founded by a physician, board-certified in Anesthesiology, Pain Management and Clinical Informatics, Recordation is a by-providers-for-providers company that reduces time spent on data capture, allowing for deep dive analysis of both clinical and operational data. Recordation contributes to a safer OR environment for the patient. The company is headquartered in Wayland, Mass. To learn more about Recordation, please visit the company online at www.recordation.com.

PHRs at Work

Posted on December 20, 2017

The following is a guest blog by Monica Stout from MedicaSoft

We live in an age when our employers can offer a myriad of employee benefits – from pet insurance to wellness incentives. There is no shortage in what employers can offer as a benefit to their employees. Some employers, such as the U.S. Postal Service (USPS), are offering Personal Health Records (PHRs) to their employees as part of a package of health and wellness benefits.

Why offer a PHR to employees? PHRs can help people better gather all of their health information in one place – records from doctors and hospitals, lab results, data from personal devices (like FitBit) and apps, etc. They can help people understand what’s in their health records, manage their own health information, share it with people they trust, and plan for an emergency or for when future health needs arise.

All of this is done in one place that is completely under the employee’s control. Employee-owned PHRs can also allow patients to review their health information for accuracy and share information with trusted healthcare providers. Additionally, employer-hosted, patient-controlled PHRs can help employees or patients aggregate and consolidate the portals and health information they have spanning each doctor’s office, hospital, or health system they’ve visited so that all of their information resides in one place.

A common concern or barrier to employee adoption of PHRs is the fear that employers will look at an employee’s private health information. Fret not. Though it is natural to fear that your employer may look at your information, privacy safeguards are in place to prevent that from happening. PHRs like HealthCenter and USPS Health Connect let you control who sees your information, and provide monitoring to track all access.

What do you think? Would you like a PHR offered to you at work? How would it help you better manage your health or the health of your dependents or loved ones?

About Monica Stout
Monica is a HIT teleworker in Grand Rapids, Michigan by way of Washington, D.C., who has consulted at several government agencies, including the National Aeronautics and Space Administration (NASA) and the U.S. Department of Veterans Affairs (VA). She’s currently the Marketing Director at MedicaSoft. Monica can be found on Twitter @MI_turnaround or LinkedIn.

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. MedicaSoft is a proud sponsor of Healthcare Scene. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Make The Busy Patient’s Living Room Their Waiting Room

Posted on December 14, 2017

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms

Patients are busier than ever before. Between the hours of eight and five, a majority have only limited availability to reach out to their healthcare providers. And after the day’s work is done, other responsibilities – such as their children’s after-school activities or errands – reign supreme. Providing easy-access avenues to securing care is the key to acquiring these patients’ loyalty.

In many ways, I’m the busy patient described above. And when I recently came down with a stubborn cough and began looking for an urgent care that could quickly see me, I experienced what I already knew: many healthcare organizations are unequipped to provide care that caters to digitally-minded patients. There were three key problems with my experience.

Problem: Limited Information Available Online
When initially searching for a local urgent care, I struggled to learn more about what a typical experience looked like at various locations. As a first time, admittedly nervous urgent care patient, I wanted to make an informed decision about where to receive care. However, I found that many websites did not offer the insight I sought. Without more information to go off of, I made my decision based on the health system’s good reputation.

Solution: Beef Up Your Web Presence
Ensuring your website has information for all patient types – especially those who may be less familiar with what your unique experience may include – will provide greater peace of mind, set accurate expectations, and enhance patient satisfaction.

Problem: Inability to Reserve Estimated Treatment Time Online
For many, leaving work to sit in a waiting room isn’t a viable option. And without an easy way to reserve an estimated treatment time or insight regarding how long the wait time may be, making time to seek valuable care can be a challenging task. While I was able to leave work early and spend the afternoon at my chosen urgent care, many others don’t have the same flexibility in their positions.

Solution: Introduce Urgent Care Digital Check-In
Enabling patients to reserve their place in line from wherever they may be creates a more seamless patient experience, enhances their sense of access, and creates greater operational efficiency within your facility.

Problem: Forced to Wait in Waiting Room
Though I was lucky to be able to leave work early and wait for care at the facility, I would have much rather waited at home. Unfortunately, the urgent care only allowed patients to wait to be seen from within the waiting room with little in the way of entertainment; leaving would forfeit the patient’s place in the queue. As someone who has been spoiled with this capability across numerous restaurant, veterinary, and mechanic experiences, I was disappointed to find this feature wasn’t readily provided by the healthcare facility.

Solution: Automatically Notify Patients When It’s Time to Be Seen
More patients than ever have access to convenient communication tools. By digitizing your check-in process, you can enable patients to wait from the comfort of their home and notify them when it’s nearly time to be seen via an automated text message or voice call.

In all, my urgent care experience took over two hours. Had the facility provided access to more information regarding what my experience could include, the ability to reserve an estimated treatment time online, and a convenient reminder when my time to be seen neared, I could have saved over an hour spent sitting in the waiting room. If I had access to these capabilities, I could have spent this time completing important work tasks while relaxing (and keeping my germs) at home.

To learn more about how busy, consumer-minded patients are driving the need for omnichannel experiences in the healthcare industry, check out our recent e-book, OmniWhat?!

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

HIPAA May be the Least of Your Compliance Worries

Posted on November 21, 2017

The following is a guest blog post by Mike Semel from Semel Consulting. Check out all of Mike Semel’s EMR and HIPAA blog posts.

What requirements have you hidden away?

I visited a new healthcare client last week, and asked if anything in particular made them call us for help with their HIPAA compliance. They surprised me by saying that their insurance company had refused to sell them a cyber-liability/data breach insurance policy, after they saw the answers on our client’s application.

When was the last time you heard about an insurance company not selling a policy? That’s like McDonald’s looking you over, and then refusing to sell you a Big Mac.

Our client was scared that they would have to risk the full financial burden of a data breach, which, based on the number of medical records they have, could exceed $10 million.

Everyone knows that HIPAA is a compliance requirement. But it isn’t the only one you should focus on. Use my definition of Compliance, which is, simply, having to do things required by OTHERS.

We personally deal with compliance requirements all the time. We stop at traffic lights. We have our car inspected. We fasten our seat belts. We empty our pockets at airport security. We pay our bills on time. At work, we wear an ID badge, show up on time, and park in an approved space. At home, we take our dirty shoes off before walking on the carpet. There are risks associated with NOT doing each of these things.

It can be a big mistake to focus so much on HIPAA that you forget other compliance requirements, including:

  • Other Federal and State Laws
  • Industry Requirements
  • License Requirements
  • Contractual Obligations
  • Insurance Requirements
  • Lawsuits

You should not take the narrow HIPAA approach, like buying a policy manual, using an online ‘We Make HIPAA Easy’ service, or thinking that hiring out a Security Risk Analysis is going to make you compliant.

When we work with our clients, before we get started we help you identify all your compliance requirements.

OTHER FEDERAL REGULATIONS

Depending on the services you offer, you may be required to comply with other federal regulations, like Title 42, governing substance abuse treatment.

The Federal Trade Commission has come down hard on data breaches, including the controversial closure of a small medical lab. The FTC looks at patients as consumers, and considers a data breach to be an Unfair Business Practice because the organization losing the data failed to protect its consumers, and is in violation of its Notice of Privacy Practices.

STATE LAWS

Forty-eight states, plus DC and Puerto Rico, have data breach laws. Most states protect Personally Identifiable Information (PII), including driver’s license and Social Security numbers. Some states cover medical records, no matter who has them, while HIPAA only covers medical records held by certain types of organizations. Some of the state laws change the reporting requirements after a breach of patient records. For example, California requires patient notification within 15 days, instead of the 60-day maximum permitted by HIPAA.

Most states have separate laws requiring confidentiality of mental health, HIV, substance abuse, or STD treatment records. State attorneys general are willing to cross their state lines to protect the confidentiality of their voters.

We work with our clients to identify the states where your patients come from, not only where you are located. We build an Incident Management program that includes each applicable notification and reporting requirement.

INDUSTRY REQUIREMENTS

Industry requirements include PCI-DSS, the data security standards protecting credit card information. PCI stands for the Payment Card Industry. While not a law, if you don’t comply with PCI you can be prevented from accepting credit cards. What would that do to your bottom line and patient satisfaction?

LICENSING

Licensing requirements protecting patient confidentiality go back long before HIPAA, which became law in 1996. In 1977, 19 years before HIPAA, I became an Emergency Medical Technician (EMT). The first class I took was about maintaining confidentiality. After that, I knew that violating a patient’s confidentiality could cost me my license.

Think about your license, your certifications, even the Code of Ethics in your professional association. If I really wanted to get back at someone for violating my confidentiality, my first complaint would be to their licensing board, even before I submitted a complaint to their employer or the federal government. Losing your license may kill your career, and being investigated by your licensing board will certainly get your attention.

When you are justifying the costs related to Security and Compliance, be sure to quantify the effect on your income, lifestyle, and retirement, if you were to lose your license.

CONTRACTS

Many of our clients have signed contracts with other organizations that include cyber security requirements as a contractual obligation to do business together. These contracts are often reviewed by attorneys, signed by executives, and then filed away. The requirements are not always communicated to the people on the front lines.

In 2012, Omnicell, a drug cart manufacturer, breached the records of 68,000 patients when an employee’s unencrypted laptop was stolen. The health systems – clients of Omnicell – announced that Omnicell’s contract with them included a requirement that patient data would only be stored on encrypted devices. The loss of the laptop became a breach of contract discussion, not just a simple data breach.

My guess is that the contract was signed, and then just filed away. I don’t think Omnicell’s purchasing department was told it was supposed to order encrypted laptops for its field technicians. I don’t think its IT department knew it had a contractual obligation to install encryption on all laptops, and I doubt the field tech knew he was violating a contract when he transferred patient data to his unencrypted computer. Worse, no one who was aware of the contract requirements was auditing the company’s compliance.

During a recent client visit, I asked if our client had signed any contracts with their clients. She went through a list that included one of the top health systems in the country. I’m not a lawyer, but I asked to see the contract, because I knew the health system had included cyber security requirements as a contractual obligation with our other clients.

After a few minutes, she returned with the file folder containing the contract. I found the cyber security section, and read it to her. I asked if her company was meeting the requirements in the contract. She said no. I asked her what the future of her business would look like if they lost the business of one of the country’s leading health systems, because they breached their contract. She replied that her business probably would not survive.

We focused our project around meeting the specific requirements of their contract, not the vague and flexible requirements in HIPAA.

INSURANCE

Cyber Liability (also known as Data Breach) Insurance is a popular line of revenue for insurance companies. Unlike malpractice insurance, which assumes you will make a mistake, cyber insurance may only protect you if you are doing all the things you included on your insurance application. It may pay a claim only if you are doing everything correctly, and still suffer a breach. What you answer on the application may come back to haunt you.

In 2013, Cottage Health’s IT vendor accidentally published a file server to the Internet, exposing patient information. Patients Googling themselves got back their medical records. The patients filed a class action suit, so Cottage Health brought in Columbia Casualty, their cyber liability insurance provider, to provide legal representation, and settle the claim.

The lawsuit was settled for $4.1 million, which was paid by Columbia Casualty. Columbia told Cottage Health that, even though it was making the payment, it still reserved its rights and would continue investigating the case.

Columbia Casualty then sued its own client, Cottage Health, to get the $4.1 million back. It said it determined that Cottage Health had made misstatements when it answered questions on the original policy application, including that it regularly maintained security patches on its devices. Columbia also said it should be excluded from losses because Cottage Health failed to continuously maintain the level of security stated on its application.

The lawsuit said that it did not matter if Cottage Health was mistaken, or had intentionally lied on the application.

As part of our assessments, we review insurance applications. When we work with our clients, we help you implement consistent programs to maintain the level of security you claim on your application.

LAWSUITS

While you don’t comply with a lawsuit, watching court cases can help you understand your risks and how to protect your organization.

Many people think that a HIPAA Notice of Privacy Practices is just a basic brochure you have to include with new patient paperwork. A patient is suing her doctor for negligence after her information was shared without her authorization. She claimed that the practice did not follow its Notice of Privacy Practices, and the Connecticut Supreme Court upheld that HIPAA can be used as a Standard of Care in a negligence suit.

Walgreens lost $1.44 million in a lawsuit after a pharmacist breached a customer’s confidentiality. Walgreens proved its pharmacist had received HIPAA training and had signed a confidentiality agreement. The company said it had done everything possible to prevent the breach. The jury disagreed.

By looking at lawsuits, you can see that attorneys are using compliance requirements as the basis for claims. That can be scarier than the likelihood that the federal government will make the effort to go after you.

LESSONS LEARNED

It’s really easy to focus just on HIPAA and think you are compliant. It’s also a mistake.

HIPAA is vague. It is flexible, giving you a lot of freedom to choose how to comply with the regulation. The ‘HIPAA-in-a-Box’ solutions can give you a false sense of Security and Compliance, because they are so narrowly focused.

The Federal Trade Commission can assess stronger penalties than the OCR, the federal agency that enforces HIPAA. The FTC has put businesses on 20-year monitored compliance programs. When we work with our clients, we help you create written evidence that your security policies and procedures are working.

State laws can change your patient reporting requirements. They also protect confidential information you have for your workforce members. Your Incident Management program can’t just focus on HIPAA.

Industry requirements can be very serious. Can you risk not accepting credit cards? Contact the merchant service that processes your cards to make sure you are complying with PCI-DSS.

Verify the reporting requirements of the entities that license your staff. You may have an obligation to report a breach to them, instead of waiting for someone to file a complaint.

Review the contracts you have in your files for cyber security requirements, and note any in new contracts you are about to sign. Make sure everyone in your organization who must comply with the contract requirements knows about them.

You can’t buy insurance instead of doing the right things to protect data. However, if you do things right insurance may save you millions of dollars. You should review your policy application every quarter, and demand evidence from your IT department or vendor that you are in compliance with the policy requirements. Too much work? Would you rather have your insurance company fail to pay a multi-million-dollar claim?

Keep repeating to yourself, “Compliance isn’t just about HIPAA” and uncover the rest of your compliance requirements.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

The Power of Combining Clinical & Claims Data

Posted on November 16, 2017 | Written By

The following is a guest blog by Monica Stout from MedicaSoft

Whether the goal is to improve outcomes or increase efficiency, the healthcare industry finds itself searching for more and better data to support its efforts. Clinical data provides substantial details on patient encounters, but it is often difficult to assemble and integrate data from more than one healthcare provider. Claims data is better at following a patient across multiple care providers, but lacks information on patient health status and outcomes. Individually, both sets of data tell helpful stories, from chronicling the cost of care to reflecting how medicine is practiced. Together, clinical and claims data provide a fuller picture of a patient’s interactions with health care systems, the costs involved, and the results achieved. This larger picture provides the information that healthcare providers and insurers can use to guide their actions.

Assembling this data and making it available in a useful framework remains challenging. Data is not always available from providers and payers. When data is available, it is often not standardized (a particular issue with clinical data), making analysis difficult. So, how do organizations avoid investing time and money in efforts that fail to produce meaningful results? How do you make the data useful and improve patient satisfaction, care quality, and drive down system costs?

  1. Better data sharing agreements. Both providers and payers need more stringent data sharing agreements in place as well as insistence that they receive good data from plans.
  2. Address data quality issues head-on. Use real experts armed with specific tools to address any data quality issues within an organization.
  3. Use technology to help. Clinical data platforms can aggregate and integrate data into clinically relevant patient records, and claims data platforms extract relevant information from the complexity of the underlying claims data. Further, new advanced platforms help integrate clinical and claims data to support meaningful analytics.

Bringing together clinical data and claims data in a form that supports a variety of tools and analytics is key to the efforts of both healthcare providers and payers to improve outcomes, quality, and cost. This integrated data approach will yield better results than can be achieved with clinical or claims data alone. Stakeholders can and should leverage both policy and technology to develop solutions that produce meaningful results.

Are you combining clinical and claims data in your organization? What value have you gotten out of doing so? Why aren’t you doing it if you’re not?

About Monica Stout
Monica is a HIT teleworker in Grand Rapids, Michigan by way of Washington, D.C., who has consulted at several government agencies, including the National Aeronautics and Space Administration (NASA) and the U.S. Department of Veterans Affairs (VA). She’s currently the Marketing Director at MedicaSoft. Monica can be found on Twitter @MI_turnaround or LinkedIn.

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. MedicaSoft is a proud sponsor of Healthcare Scene. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Communication Strategies Must Include Caregivers, Too

Posted on November 9, 2017 | Written By

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms

Millions of healthcare-centric communications occur every day between providers, doctors, professionals, patients, and caregivers. These communications are often focused on the patient. This is a great thing, as the patient is the individual in need of care. Frequently, however, communication strategies are developed to meet patients’ needs and don’t truly consider how to best engage caregivers.

At one point or another, most of us will act as a caregiver for a child, spouse, or parent. We may even be responsible for coordinating multiple patient journeys at once. And should that responsibility come, we’ll likely find the best experiences with healthcare organizations that not only provide excellent patient care, but convenient communications.

According to the National Alliance for Caregiving and AARP, 48 percent of caregivers are 18 to 49 years old. And as this population ages and more young individuals step into the caregiver role, more caregivers will have been raised in homes with Internet access, smartphones, and more. In order to create caregiver-friendly experiences, healthcare organizations should ensure their communication strategies are mobile-optimized, technology-driven, and readily accessible.

Already, caregivers are seeking out ways to simplify communications with healthcare organizations. Instead of making a telephone call to schedule an appointment, many are opting to schedule appointments on behalf of patients online. By providing an easy-to-use online scheduling platform, healthcare organizations can not only ensure busy caregivers can quickly secure an appointment, they can help drive new patient acquisition.

Likewise, appointment reminders – especially those delivered via text message, which are read in the first three minutes by 90 percent of recipients – can be incredibly beneficial for both patients and healthcare organizations. By sending out a strategically timed reminder in a way caregivers are sure to see, healthcare organizations can decrease no-show rates. Here at Stericycle Communication Solutions, we’ve seen no-show rates drop by as much as 80 percent once our appointment reminder solution was implemented – a figure that impacted both the organization’s population and financial health.

A few other ways healthcare organizations can ensure they are ready to meet caregivers’ evolving needs include:

  • Implementing a website that is mobile-friendly and up-to-date
  • Communicating the same information no matter the tool, technology, department, or professional someone may interact with
  • Ensuring the entities listed above have access to the information they need to provide consistent, reliable experiences
  • Answering all phone calls with a live, friendly voice prepared to meet their every need

Caregivers and patients alike want predictable and repeatable experiences no matter the communication channel they choose to interact with. Dubbed “omnichannel” experiences across commercial sectors, healthcare organizations should implement communication strategies and infrastructure that can keep pace with evolving technology and communication preferences. Healthcare organizations that are readily able to introduce new communication channels will be best positioned to secure loyalty and success.

To learn more about how consumer-minded patients are driving the need for omnichannel experiences in the healthcare industry, check out our recent e-book, OmniWhat?!


HIT for HIEs

Posted on October 17, 2017 | Written By

The following is a guest blog by Mike O’Neill, CEO at MedicaSoft. This is the third blog in a three-part sponsored blog post series focused on new HIT for integration. Each month, a different MedicaSoft expert will share insights on new and innovative technology and its applications in healthcare.

Health Information Exchanges (HIEs) have been in the news lately, and for good reason. With major hurricanes devastating Texas, Florida, the British Virgin Islands, and Puerto Rico, accessibility of patient health information rapidly became a major concern. Electronic Health Record adoption has led to most patient data being in electronic form, but it hasn’t necessarily made that data available when and where care is delivered. HIEs can help make that data available; during the recent storms, two HIEs were able to spring to action to help clinicians provide care for patients. The ability of the Houston and San Antonio-area HIEs (Greater Houston Healthconnect (GHHC) and Healthcare Access San Antonio (HASA)) to exchange information allowed patient records to be accessed remotely – which was absolutely critical during this natural disaster.

If you were on the fence about “the cloud,” this is the perfect case study in its effectiveness. More than ever, HIEs are called upon to assist by making health records available during critical care encounters. HIEs need modern technology to best serve their communities in these instances, going beyond basic connectivity and interoperability to deliver tangible value using the wealth of data they collect –

  1. Organize the data into meaningful health records. HIEs often have access to years of raw data. They may need help organizing it into a clinical data repository, matching patients, and providing a health record that is clinically useful. This is one way we assist HIEs in using the data they’ve collected.
  2. Provide valuable alerts & notifications. These are useful, especially in a crisis, to locate patients, but they can also give patients notice on events they need to follow-up on. This is another layer we build onto HIEs’ data foundation.

Health records that are useful go a long way – beyond individual hospitals, and regions and state lines. To be useful, health records must go where the patients go, wherever that may be.

An emerging approach to meet this need is the Strategic Health Information Exchange Collaborative’s (SHIEC’s) Patient-Centered Data Home (PCDH) concept among HIEs. PCDH helps providers access real-time health information across regional and state lines, wherever the patient is seeking care. Regardless of where the clinical data originates, it becomes part of the patient’s longitudinal patient record – the PCDH – giving patients control of their data.

About Mike O’Neill
Mike is the CEO at MedicaSoft. He came to MedicaSoft from the U.S. Department of Veterans Affairs (VA) where he was a Senior Advisor and member of the founding team of the VA Center for Innovation. Mike serves as the Chairman of the Board of Directors of the Open Source Electronic Health Record Alliance (OSEHRA). Prior to VA, Mike was involved in the commercialization of new products and technology in startups and large companies. He is a die-hard Virginia Tech Hokie.  
