
Eyes Wide Shut – Managing Multi-EMR Meaningful Use Stage 2 Is Hard

Posted on October 2, 2013 I Written By

Mandi Bishop is a hardcore health data geek with a Master's in English and a passion for big data analytics, which she brings to her role as Dell Health’s Analytics Solutions Lead. She fell in love with her PCjr at 9 when she learned to program in BASIC. Individual accountability zealot, patient engagement advocate, innovation lover and ceaseless dreamer. Relentless in pursuit of answers to the question: "How do we GET there from here?" More byte-sized commentary on Twitter: @MandiBPro.

Most discussions on Meaningful Use (MU) seem to focus on a single healthcare provider organization (acute or ambulatory), with a single EMR, and a single Medical Record Number (MRN) pool generating unique patient identifiers. Even in that context, the complaints of the difficulties of successfully implementing the technology and obtaining the objectives are deafening. How daunting might those challenges seem, multiplied across a large integrated delivery network (IDN), attempting to make enterprise-wide technology and operational process decisions, in alignment with MU incentive objectives?

Imagine you are an IDN with 9 hospital facilities, sharing a single EMR. You also have 67 ambulatory practices, with 7 additional EMRs. You’ve made the progressive choice to implement a private health information exchange (HIE) to make clinical summary data available throughout the IDN, creating a patient-centric environment conducive to improved care coordination. To properly engage patients across the IDN and give them the best user experience possible, you’ve purchased an enterprise portal product that is not tethered to an EMR, and instead sources from the HIE. And because you’ve factored the MU incentive dollars into the budget which enabled these purchasing decisions, there is no choice but to achieve the core and select menu measures for 2014.

It is now October 2013. The first quarter you’ve chosen to gather Stage 2 attestation data starts on April 1, 2014. All your technology and process changes must be ready by the data capture start date, in order to have the best opportunity to achieve the objectives. Once data capture begins, you have 90 days to “check the box” for each MU measure.

Tech check: are all the EMRs in your IDN considered Certified Electronic Health Records Technology (CEHRT) for the 2014 measures?

Your acute EMR is currently 2 versions behind the newly-released MU 2014-certified version; it is scheduled to complete the upgrade in November 2013. Your highest-volume ambulatory EMR is also 2 versions behind the 2014-certified version, and it cannot be upgraded until March 2014 due to vendor resource constraints. Your cardiology EMR cannot be upgraded until June due to significant workflow differences between versions, impacting those providers still completing Stage 1 attestation. One of your EMRs cannot give you a certification date for its 2014 edition, and cannot provide an implementation date for the certified version. The enterprise portal product has been 2014-certified as a modular EMR, but the upgrade to the certified version is not available until February 2014.

Clearly, your timeline to successfully test and implement the multitude of EMR upgrades required prior to your attestation date is at risk.

Each EMR might be certified, but will it be able to meet the measures out of the box?

Once upgraded to the 2014 version, your acute EMR must generate Summary of Care C-CDA documents and transmit them to an external provider, via the Direct transfer protocol. Your ambulatory EMRs must generate Transition of Care C-CDA documents and use the same Direct protocol to transmit. But did you purchase the Direct module when you signed your EMR contract, or maintenance agreement?

Did you check to see whether the Direct module that has been certified with the EMR is also an accredited member of DirectTrust?

Did you know that some EMRs have Direct modules that can ONLY transmit data to DirectTrust-accredited modules?

You determine your acute EMR will only send to EMRs with DirectTrust-accredited modules, and that you only have a single ambulatory EMR meeting this criterion. That ambulatory EMR is not the primary target for post-acute care referral.

You have no control over the EMRs of providers outside the IDN, who represent more than 20% of your specialist referrals.

Your 10% electronic submission of Summary of Care C-CDA documents via Direct protocol measure is at risk.

Is your organization prepared to manage the changes required to support the 2014 measures?

This is a triple-legged stool consideration: people, process, and technology must all align for change to be effective. To identify the process changes required, and the people needed to support those processes, you must understand the technology that will be driving this change. Of all the EMRs in your organization, only 2 have provided product specifications, release notes, and user guides for their 2014-certified editions.

Requests for documentation about UI, data, or workflow changes in the 2014 versions are met with vague responses, “We will ask product management and get back to you on that.” Without information on the workflow changes, you cannot identify process changes. Without process change recognition, you cannot properly identify people required to execute the processes. You are left completely in the dark until such time as the vendors see fit to release not only the product, but the documentation supporting the product.

Clearly, your enterprise program for Meaningful Use Stage 2 health IT implementation and adoption is at risk.

What is the likelihood that your Meaningful Use Stage 2 attestation will be a successful endeavor for the enterprise?

As a program manager, I would put this effort in flaming red status, due to the multitude of risks and external dependencies over which the IDN organization has zero control. I’d apply that same stoplight scorecard rating to the MU Stage 2 initiative. There is simply too much risk and too many variables outside the provider’s control to execute this plan effectively, without incurring negative impacts to patient care.

The ONC never said Meaningful Use would be easy, but does it have to be this hard?

Domain Controlled Networks and Management Servers

Posted on July 8, 2010 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Trent Peters from Umbrella Medical Systems added an interesting comment on my previous post about Domain Controlled Networks and HIPAA that I thought really added to my original post. Plus, Trent goes into a nice list of other benefits of having a “Management” server in an office. It gets a little technical for some of my readers I’m sure, but is valuable if your office is embarking on this adventure.

Here’s Trent’s comment:

This is an interesting question and can be argued either way, but again it comes down to what’s “reasonable and appropriate”. A little background: my company is an IT Consultant group that works specifically in the healthcare arena offering services to medium-sized and small healthcare organizations, and we have plenty of EMR implementation experience. Over 95% of our clients are in a domain environment and we always push for an Active Directory environment if one is not present. However, in the small offices (1 – 2 providers) this can be difficult because of the initial cost and the fact it’s “server” based. Many small offices will choose a “hosted” EMR solution for the low up-front cost, and adding on the extra 5-7K is not a valid option as the cost outweighs the benefits (from their perspective). The other 5% simply do not have the same security and manageability as the domain environments.

Any network’s security solution is only as strong as the weakest link. While not having a domain controller doesn’t necessarily equate to not being HIPAA compliant, it sure helps secure the environment to IT best practices. We call the Domain / Active Directory server the “Management” server because it provides more functions than just AD. For instance, WSUS patch management to make sure all computers have the latest security patches and don’t have the updates that may conflict with the EMR (some EMR software is not compatible with IE8 or SQL 2005 SP3, etc.), centralized backup and client folder redirection for non-EMR critical data, a centralized monitoring platform for servers (hardware + software), workstations, UPS, networks, VPN, etc.; centralized AntiVirus protection is also important to notify the support team of malicious software and vulnerabilities. Group Policies are a big part of the overall security that can manage (if properly configured) all aspects of the network including password policies, computer and user permission rights, power settings, audit controls, etc. There are many benefits to a DC / Management server, and it is the choice to achieve IT best practices (I believe MS recommends 3+ computers to be on a domain environment, although this is aggressive).

It’s nice to be able to bundle server roles (such as SQL or FAX) in order to justify the management server, but generally it comes down to cost. We hold our HIT practices to the highest standard, so our rule is that if the organization has +5 computers, you must have a Domain Controller / Management Server in order to qualify for our full support program. We can’t justify the extra effort required to properly manage the environment without it. In those rare cases where a small organization chooses to not invest in a Domain Controller when we feel it’s required, then unfortunately we wish them the best of luck and turn down their business.

EMR Question and Answer: Domain Controlled Networks

Posted on June 22, 2010 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I got the following question from Brandon about the need to have a domain controlled network in order to comply with HIPAA.

I am currently trying to implement an EMR system in a small practice. I am trying to convince the parties involved that it is necessary to transition to a domain controlled network for security reasons even though this type of network is not required for our EMR system or its server. My understanding of HIPAA is that simply having a firewall does not qualify as a “secured network”. Am I right on this?

You are correct that just having a firewall does not likely qualify as a “secured network.” However, that doesn’t necessarily mean that you need to have a domain controlled network to meet the HIPAA security standards. You could still manually apply the domain security policies to individual computers and achieve the same level of security.

Of course, the key word in that statement is the word “manually.” If you have fewer than 10 computers, then this probably isn’t a huge deal and can be done manually. Once you pass 10 computers (or somewhere in that range) you probably want to consider using Active Directory to manage the security policies on your computers. It’s much easier to apply policies on a large number of computers using Active Directory. Plus, you can know that the policy was applied consistently across your network.

You also shouldn’t ignore the other benefits of a domain controlled network. I’ve written previously about the benefits of things like shared drives as a nice companion to an EMR. Active Directory makes adding these shared drives trivial. It’s also a nice benefit to have a universal login that’s managed by the domain and can work on every computer in the office.

Plus, if your EMR runs on SQL Server and you buy a nice but inexpensive server with Windows Small Business Server, then you already have the software for Active Directory. So, it’s really an easy decision to use it. I’ve implemented it at a site with 5 computers and it’s been a great thing to have even if it’s a bit of overkill.
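
When policies are applied by hand on non-domain PCs, the consistency that Active Directory gives for free has to be checked separately. The sketch below is an added example, not code from the original posts: it assumes each PC's local policy was exported with `secedit /export /cfg` and collected in one place, and the host names, sample exports and baseline thresholds are constructed for illustration (they are office choices, not HIPAA-mandated values).

```python
import configparser

# Assumed office baseline for keys in the [System Access] section of a secedit export.
BASELINE = {
    "MinimumPasswordLength": ("at least 12", lambda v: v >= 12),
    "PasswordComplexity": ("1 (enabled)", lambda v: v == 1),
    "MaximumPasswordAge": ("1 to 90 days", lambda v: 1 <= v <= 90),  # -1 = never expires
    "LockoutBadCount": ("1 to 10 attempts", lambda v: 1 <= v <= 10),  # 0 = no lockout
    "EnableGuestAccount": ("0 (disabled)", lambda v: v == 0),
}

def parse_system_access(inf_text):
    """Return the integer settings from [System Access] of an exported policy file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(inf_text)
    settings = {}
    if cp.has_section("System Access"):
        for key, value in cp.items("System Access"):
            try:
                settings[key] = int(value)
            except ValueError:
                pass  # quoted strings such as NewAdministratorName are not audited
    return settings

def audit(exports):
    """Return {host: [(setting, found, expected), ...]} for hosts that miss the baseline."""
    findings = {}
    for host, text in exports.items():
        found = parse_system_access(text)
        bad = [(key, found.get(key), want) for key, (want, ok) in BASELINE.items()
               if key not in found or not ok(found[key])]
        if bad:
            findings[host] = bad
    return findings

def _sample_inf(minlen, complexity, max_age, lockout, guest):
    # Constructed stand-in for one PC's export, not real captured output.
    return ("[Unicode]\nUnicode=yes\n[System Access]\n"
            f"MinimumPasswordLength = {minlen}\nPasswordComplexity = {complexity}\n"
            f"MaximumPasswordAge = {max_age}\nLockoutBadCount = {lockout}\n"
            f"EnableGuestAccount = {guest}\nNewAdministratorName = \"Administrator\"\n")

SAMPLE_EXPORTS = {  # hypothetical host names
    "FRONTDESK-01": _sample_inf(12, 1, 90, 5, 0),
    "EXAM-02": _sample_inf(0, 0, -1, 0, 0),   # policy never applied on this PC
    "BILLING-03": _sample_inf(12, 1, 90, 5, 1),  # Guest account left enabled
}

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_EXPORTS).items():
        for setting, value, want in problems:
            print(f"{host}: {setting} = {value}, expected {want}")
```

Real secedit exports are normally UTF-16 encoded, so decode each file with that encoding before passing its text to `parse_system_access`.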