December 3, 2014 1:31 PM
Posted by: adelvecchio
fax technology, HIPAA compliance
Guest post by Yvonne Li, co-founder of SurMD
As most healthcare practitioners and administrators know all too well, the use of fax machines is deeply engrained in the day-to-day information workflow across the healthcare system. In fact, the 2012 National Physicians Survey reported that the fax machine, based on decades-old technology, was a dominant method by which doctors communicate with colleagues, patients, insurance companies and pharmacists.
Using paper-based fax machines to transmit protected health information (PHI), and other sensitive data, can present serious security risks for healthcare providers and their patients. Faxing documents to the wrong number, having a fax machine located in a non-secure area, or theft of a fax machine hard drive are just some of the scenarios that have resulted in security breaches.
In addition to security concerns, traditional fax machines can be inefficient and unreliable. With the increase in EHR adoption, many practices are hiring extra employees just to receive and enter fax data into the EHR system. While the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 seeks to close both security and inefficiency gaps, among other ambitious goals, healthcare still has a long way to go before it can ditch the fax machine.
Given the long road ahead, one has to wonder if the fax machine will ever entirely disappear from healthcare. The short answer is yes.
To shed some light on this issue, let’s take a closer look at fax use in healthcare, why it continues to endure, and how Internet fax can help organizations evolve beyond traditional fax machines that still permeate the healthcare ecosystem.
Fax technology — then and now
Fax, short for facsimile, involves the transmission of scanned printed material over phone lines, typically to a telephone number connected to a printer or other device. Although fax reliance peaked in the 1980s, which is also when it took off in healthcare offices, its invention dates all the way back to 1843.
Yes, that machine you are using to transmit vital health information came into being in the mid-nineteenth century! Though to be fair, fax technology has evolved considerably since those early days, and continues to be modernized and reframed by digital technology and the Internet.
Today, healthcare professionals use fax to transmit radiology and pathology reports, prescriptions, doctor’s notes, insurance claims and billing information, just to name a few. Internet fax technology can even integrate with EHR systems now and form an avenue through which patient data can be sent to other physicians and patients, although these capabilities have yet to be widely implemented.
Old habits die hard
In talking to physicians and technology experts from a number of physicians’ offices, many of them don’t have the time or resources to redesign their information workflow and eliminate their use of the fax. It is so deeply engrained across the entire health system that wholesale changes would need to occur before fax usage can be significantly minimized or eradicated. For example, fax senders cannot yet eliminate faxing because the recipient may request fax-only delivery.
That’s not to say healthcare professionals are enamored with these machines. Although there may be a comfort level associated with their use, many of the typical complaints that plague fax machine dependence in other industries also surface in healthcare environments. These gripes range from unreliable transmissions that need constant verification, to unwieldy reams of paper in which important data commonly gets lost among less valuable information.
Fax use and HIPAA
Despite their dated roots and the myriad complaints, fax machines can be HIPAA-compliant as long as appropriate security safeguards are followed. In short, HIPAA regulations do not prevent covered entities (health providers, plans and clearinghouses that transmit health information electronically) from faxing PHI.
It’s the covered entity’s responsibility to ensure their fax practices comply with HIPAA privacy rules. These include the “minimum necessary” rule, which limits information in the fax to the minimum amount necessary in certain instances, as well as the implementation of administrative, technical, and physical security policies to protect PHI.
Unfortunately, these rules are not always followed. In a recent blog post, academic physician Sachin H. Jain, M.D., commented that fax machines sit open and accessible to a wide range of individuals in most healthcare settings, suspending any expectation of privacy and security.
For obvious reasons, fax machines must be located in secure, non-public areas to prevent unauthorized personnel from viewing faxes. Office staff should always verify the recipient’s fax number and use a cover sheet that does not include PHI.
Sending a fax to the wrong number is one of the most common errors, as evidenced by a number of reported breaches. Last year, Oakland, Calif.-based West Coast Children’s Clinic had to notify patients of a HIPAA breach after it faxed a patient’s PHI to an incorrect fax number. The data included the patient’s name, date of birth, developmental and psychological treatment history, family history, educational history, testing results and prescribed treatment.
What are the lessons to be learned? Make sure security safeguards are in place when using the fax machine to transmit PHI, and confirm your staff is properly trained in handling and transmitting patient information.
The move to Internet fax
Internet fax, which uses Internet Protocol rather than phone networks and replaces paper with digital transmissions, has emerged as a popular alternative to the traditional fax. Internet fax is typically provided as a hosted service, whereby health providers can subscribe to a third-party entity that converts emails and other content to faxes.
Typically no human interaction occurs, thereby eliminating forgotten, lost or misused faxes that might be lying around. This change in workflow reduces risk and offers added convenience and efficiency over traditional fax machines. For healthcare providers that aren’t ready to eliminate fax altogether, moving to secure Internet fax can be a valuable step toward mitigating the inefficiencies and security risks posed by traditional fax machines.
To comply with HIPAA privacy rules, the Internet fax service provider has to follow security measures and other factors pursuant to HIPAA regulations. Electronic PHI data, for example, needs to be encrypted during transport as well as when it is being stored.
The Internet fax service provider also needs to sign a business associate agreement, which authorizes them to become a business associate and create, receive, maintain or transmit electronic PHI on the covered entity’s behalf. Most agreements also hold fax service providers accountable to safeguard PHI, sharing the responsibility with the health provider.
Go beyond fax — look to the cloud
In addition to Internet fax capabilities, some healthcare data management products offer additional capabilities including cloud-based storage, retrieval and other forms of secure file transfer. Cloud-based solutions make data management and recovery far easier than on-site servers, enabling practices to scale as data volume grows, a key consideration as EHR adoption climbs.
Practices can leverage integrated data storage, retrieval and file transfer solutions to securely store, backup and instantly retrieve data whenever it is needed, while also choosing their method of transmitting files. With SurMD’s SurLink, users can send documents, medical images and other files either through a secure link with an email notification or through a fax number. The user receives notification after the file transmits successfully, with a log of all transmission activity automatically updated for tracking purposes. With digital fax, all activity can be tracked which adds the benefit of accountability.
If you are considering a cloud-based data management product, be sure to look for a HIPAA-compliant vendor and ask how to encrypt patient data. Despite its importance, encryption remains a sore spot for health providers. Data should always be encrypted both when it is being stored and when it is being transferred from provider to patient and from provider to provider.
Healthcare still has a long way to go before it stops using the fax machine. Eventually, the sun will set on this relic of the past, and it will go the way of the dinosaur. Until then, healthcare organizations can deploy integrated data management products with Internet fax to migrate from paper to digital fax. This move will provide added efficiencies and security protections when transferring sensitive patient information.
About the Author: Yvonne Li is a technologist and business development executive. She is an expert in cloud storage, healthcare data exchange, Internet business models, SaaS and content engagement platform design. She is the co-founder of SurMD, a cloud storage technology company, and has launched a line of HIPAA-compliant cloud services. Li currently serves as VP of Business Development at SurMD, and can be followed on Twitter at @mySurMD.
 “Frequently Asked Questions about HIPAA,” American Medical Association (Sept. 2013).
 Jain, “A Health Care Resolution for 2014: Let’s Retire the Fax Machine,” Forbes.com (April 12, 2014).
November 13, 2014 3:00 PM
Posted by: adelvecchio
Internet of Things, Patient engagement, patient privacy, Privacy and security
Guest post by Roberta Katz, director, healthcare solutions, EMC, @Roberta_Katz, @EMCHealthcare
Based on the amount of data currently being produced, the digital universe is projected to double in size every two years and multiply tenfold between 2013 and 2020 — from 4.4 trillion gigabytes to 44 trillion gigabytes. A recent IDC study, “The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things,” revealed how the emergence of wireless technologies, smart products, and software-defined businesses will play a central role in expanding the volume of data.
At a 48% annual growth rate, the healthcare “digital galaxy” is growing even faster than the overall “digital universe.” In fact, more healthcare data is being generated than ever before, coming from cloud, big data, mobile, social media and electronic medical record sources. Healthcare providers need to be able to harness the useful, high value data produced during a patient care episode to gain insight into their patients’ conditions. This is particularly important as the population — with its higher rate of chronic diseases — continues to age, and advanced tools such as medical imaging, tracking devices, and sensors are used to remotely monitor patient physiological measures.
Because privacy and security of patient information is so critical at the point of care, trust between patients and providers is integral as it intersects across IT, patient engagement, and safer patient care delivery. Along with other industries, healthcare providers are working to balance security and privacy while they more efficiently manage, analyze, and share patient data for coordinated care.
To gain further understanding of these issues, The 2014 EMC Privacy Index surveyed 15,000 people in 15 countries to measure the relationship between online privacy and convenience. The U.S. ranks tenth among these 15 countries in its willingness to sacrifice privacy in return for greater convenience online, with 40% of Americans ready to give up some privacy for greater convenience.
The privacy irony
The Privacy Index illustrates the complexity of the privacy debate, providing three examples of how respondents are conflicted when it comes to choosing privacy or convenience.
- We want it all paradox: Consumers say they want all conveniences and benefits of digital technology, yet say they are unwilling to sacrifice privacy to get them.
- Take no action paradox: Although privacy risks directly impact many consumers, most say they take virtually no special action to protect their privacy — instead placing the responsibility on those handling their information such as government, healthcare organizations, and businesses.
- Social sharing paradox: Users of social media sites claim they value privacy, yet they say they freely share large quantities of personal data — despite expressing a lack of confidence and trust in those institutions to protect their information.
These same conflicts are present in healthcare.
- We want it all paradox: A patient may like the convenience of telehealth, but may not always be open to allowing access to these services on their personal or home devices.
- Take no action paradox: Some patients endanger the privacy of their sensitive health information by using the same password for multiple sites and accounts, and sometimes leave important medical records out in the open.
- Social sharing paradox: How often has a patient shared a personal diagnosis or hospital experience on a social media site?
The Privacy Index dives even deeper into the healthcare privacy debate.
People value easier access to their medical records, but only 47% are willing to give up confidentiality. Patients see the value and benefits of technology and may be more open in a healthcare setting, but they remain hesitant.
What’s contributing to this reluctance? A MeriTalk report, “Rx: ITaaS + Trust,” found that in the last year, 61% of global healthcare organizations experienced a security-related event in the form of a security breach, data loss, or unplanned downtime at least once. U.S. hospitals with 100 or more beds have spent more than $1.6 billion annually as a result of security incidents.
A recent hacker breach of HealthCare.gov shows that healthcare organizations can be targets for criminals. While no patient information was stolen, the incident should give consumers and the industry pause as outside threats will only make security more difficult.
Despite growing awareness of security breaches, compared to the five other personas examined in the Privacy Index (social me, financial me, citizen me, employee me, and consumer me), the medical me collectively has the highest confidence in healthcare organizations’ ethics (61%) and the second highest confidence in skills (62%). And, only 28% expressed concerns about future privacy. Part of this is explained in a recent Journal of AHIMA article, “Trusted Health IT and IT-as-a-Service: A Prescription for Change.”
As IT is a key enabler in delivering safer patient care at lower cost, many healthcare organizations are beginning to implement hybrid cloud models and IT as a Service, preparing to become the IT service provider of choice within their own networks and beyond.
For patients, this means a better sense of security knowing their healthcare provider is building a trusted hybrid cloud framework for coordinated care, which helps ensure the right data goes to the right caregiver at the right time.
About the author:
Roberta Katz is director of healthcare solutions at EMC where she focuses on helping healthcare organizations move their IT strategies forward as they invest in EMR and advanced medical imaging initiatives, cloud-based platforms, trusted IT, and big data and analytics solutions. Roberta has more than 25 years of health IT industry expertise in developing solutions to help improve patient care delivery, at the point of care, leveraging IT technologies.
October 8, 2014 11:24 AM
Posted by: adelvecchio
EHR implementation, EHR selection
Guest post by Kathleen Myers, M.D., FACEP, founder and chief medical officer of Essia Health
Amid the many changes to the practice of medicine over the last 10 years, the most dramatic impact at the point of care has been integrating new information technologies and systems, especially the EHR. Introducing a new or upgraded EHR system is a major undertaking for any hospital, clinic or medical practice. A successful EHR implementation goes beyond selecting the right IT vendor and system. At-the-elbow physician support has become an essential component of successful EHR go-lives, ensuring physician engagement and satisfaction, and letting them focus on patient care while meeting the new technology requirements.
At-the-elbow support is in-person technical expertise provided by external EHR specialists to physicians at their place of work — be it their office, an examination room or even the operating room — before, during and after EHR go-live. EHR specialists embrace the way that physicians learn best, in real time.
There are three key reasons hospitals should consider externally sourced at-the-elbow support for EHR go-live: physician buy-in, patient satisfaction and productivity.
Physician buy-in: Training doesn’t equal support
It goes without saying that physician buy-in is crucial to successful EHR implementations and upgrades. Anecdotal information suggests go-lives that have minimal assigned provider support or support from internal staff are associated with significant provider frustration, challenges with implementation and, on rare occasion, failure.
Many health systems focus their time on selecting the right EHR software but don’t think about ensuring the effectiveness of the software by providing support to physicians — support that goes far beyond computer lab training. Most physicians don’t learn well from cookie-cutter classroom curriculum. It’s not their environment. They want to engage in conversation about the EHR when they’re in an actual patient care environment.
Without buy-in from physicians, the whole go-live — or even the profitability of the hospital or health system itself — can be affected. Surgeons, for example, are an important group from which to gain buy-in in the months leading up to a go-live, given the influence they have over where their patients have their surgeries. If orthopedic surgeons don’t feel involved in the process or adequately supported on the EHR itself, they can make every CEO’s worst nightmare come true and take their total hip, knee and other elective surgeries to another nearby hospital.
The process of gaining buy-in begins with thoughtfully looking at each subgroup of medical staff, and then helping them develop the content and tools they’ll need to care for patients. At-the-elbow support can help them develop these tools. It also includes asking them simple questions like, “What are you worried about?” and “How can we help you?”
Quality patient care: More support means less waiting
When physicians are learning to use an EHR, it means one thing for patients: waiting. Waiting to be admitted, waiting for medication and to be discharged, et cetera.
“I have not run ‘on time’ since we implemented our EHR,” is a common complaint among physicians. When physicians receive at-the-elbow support, they quickly become more comfortable and confident with the new EHR system. This means they can return to their pre-go-live baseline faster, so tasks don’t take longer than they used to before the EHR was implemented. Physicians that are not fumbling with the computer can better interact with their patients, enabling them to provide more focused care throughout the go-live and beyond.
Productivity: Keeping long term drop-off at bay
Though a short term drop-off in productivity is a natural consequence of an EHR go-live, with the right level of physician support, hospitals can make sure the drop isn’t a sustained one.
An orthopedic surgeon with a once-a-week operating room time block might have conducted five knee surgeries in eight hours before the go-live, but the hospital might suggest that the number of cases be scaled down to three to provide time to learn how to use the EHR system. With at-the-elbow support, surgeons can normally get back to their full case load in two to three weeks. Without it, they may never return to their pre-go-live baseline.
At-the-elbow support: The basics
At-the-elbow support begins after physicians complete basic computer lab or online EHR training. A key difference with at-the-elbow support versus training is that it is conducted in a patient care environment, instead of a training playground. In this environment, physicians can see how patient flow will work and what EHR tools they will need to be successful.
The process involves several one-on-one individual or small group meetings with an EHR specialist before the go-live, where workflows are reviewed and tools are developed. The orthopedic surgeon, for example, would build pre-op, intra-op, post-op and discharge note templates for every common case, as well as customize order sets, before the EHR goes live. These sessions also help them get faster on the EHR as they build their skills. When their first case is scheduled after go-live, an EHR specialist joins the surgeon in the operating room and will be there every step of the way, from the time the patient arrives for surgery until they’re in the post-anesthesia care unit recovering. The EHR specialist remains in close vicinity to the physician so assistance can be provided immediately.
Implementing an EHR is a big investment in time, money and human resources. Planning the right level of provider support is critical to realize a strong financial return on an EHR investment. Without provider support, an EHR system implementation may result in physician frustration, a long term drop-off in productivity and patient dissatisfaction. At-the-elbow support before, during and after an EHR go-live can optimize the provider and patient experience and help technology be an asset, not just a requirement.
Kathleen Myers, M.D., FACEP, is an emergency physician and founder/chief medical officer of Essia Health. She can be reached at Kathleen.email@example.com
September 25, 2014 11:39 AM
Posted by: adelvecchio
EHR integration, EHR systems, Google Glass, Google Health, wearable devices
Guest post by Zach Watson, content manager, TechnologyAdvice
Gathering reliable physiological data from patients has been one of the main targets of healthcare innovators for some time now. Now that EHRs are used by a majority of office-based physician practices, the foundation for such a data infrastructure is in place.
Two obstacles have historically blocked the implementation of patient-generated health data: lack of automation in processes and lack of patient adoption.
To acquire the necessary physiological data, providers need patients to adopt wearable health hardware on a widespread scale. In theory, wearable technology will record valuable health data such as blood pressure, heart rate, and glucose levels and deliver it into a patient’s record inside the EHR through a direct HIPAA-compliant protocol.
Until recently, wearable devices like Nike’s FuelBand and the Fitbit remained niche products used by fitness fanatics or early adopters — and not by the chronically ill population that providers need to collect data on. Additionally, these wearables weren’t able to directly integrate with electronic medical software systems. This meant a third-party application such as Microsoft’s HealthVault was needed in order to store and transfer the information.
If a process isn’t intuitive, users aren’t going to adopt it. This is true with wearable devices on the consumer side, and patient-generated data on the provider side. Just like a great deal of healthcare IT, the capabilities existed, but not in a scalable or connected fashion.
Major developments from Apple and Google, introduced in the last year or so, may finally make wearable devices the bridge to EHRs for which providers have been longing. Changes to payment models and a shift to quality-based reimbursement mean that device integration with EHRs is quickly becoming integral to truly preventive treatment plans.
Google Glass makes waves in the OR and exam room
Google tried and failed to create a bridge between patients and providers with Google Health. The release of Google Glass has quickly catapulted them back into the healthcare arena. While many fitness devices are strictly consumer-facing, Google Glass is gaining the most traction with providers, who are using it everywhere from the exam room to the operating room.
Outside of the operating room, Google Glass allows physicians to record an unprecedented amount of information during a patient exam. Glass’ software connects to databases via Bluetooth, so physicians can utilize the hardware to capture photos and record videos that can be streamed directly into the patient’s record.
Further, by recording simple procedures like changing dressing on a wound, physical therapy, or proper dosing for medications, providers can easily create rich educational content that can be shared through a patient portal. Several EHR providers, such as iPatientCare, Inc. and drchrono, have already developed, or are developing, apps that integrate with Google Glass.
Google Glass is also playing a larger role in the operating room as physicians use the hardware to apply information from a patient’s health record during surgical procedures. Homero Rivas, M.D., Stanford University’s director of innovative surgery, recently used a Glass app called MedicAR to overlay the anatomy of a human model with stills from magnetic resonance imaging (MRI) to increase his precision during the operation. If the MRIs are stored in the EHR, this makes another compelling case for the integration of wearable devices.
Google has even developed contact lenses that can measure a patient’s glucose levels through the moisture in their eyes. These lenses could be especially useful for diabetic patients that have a history of poorly managing their condition. If a patient’s blood glucose level becomes dangerous, providers would receive an alert through their EHR to contact and advise the patient.
Glass has more immediate potential for providers, but the contact lenses do foreshadow what wearable devices could look like in the not-too-distant-future.
Apple Health unifies disparate data sources
While Google Glass is finding a home in the operating room, Apple’s new Health app is being positioned as a unifying health data platform for patients. Health and its companion development platform HealthKit provide patients with a hub to integrate data from all their health applications, eliminating data fragmentation.
In terms of development, a number of major healthcare players seem to be buzzing about the possibilities of Health and HealthKit. The Cleveland Clinic is reportedly testing the Health beta and giving Apple feedback, while Kaiser Permanente is said to be quietly piloting several apps developed on the HealthKit platform. Apple is also in talks with EHR market leaders, including Allscripts Healthcare Solutions, Inc. Apple has already announced a partnership to integrate directly with Epic’s MyChart personal health record.
Of course, integrating with every EHR would be a lofty undertaking, but if Apple partners with some key players, Health could become a foundational communication element between wearable devices and EHRs. Peter McClennen, president of population health management at Allscripts, is clearly on board with wearable device integration.
“That technology wave, if you look at other industries, is very clear. Every watch, every phone, everything is connected. It’s about keeping people healthy in a more productive model of health delivery,” McClennen said in a Q&A with EHRintelligence.com.
But what about Apple’s hardware? The tech giant already has deals with Nike, and other prominent devices are likely to follow, though the hope is that the iPhone’s large user base will quickly come to view their phone as a hub for everything health-related.
Other, smaller organizations are innovating around EHR integration as well. Bay Area-based startup Augmedix is reportedly working on a Glass app for transcription purposes. No doubt others will follow on both Apple and Google platforms.
Integrating wearable devices with EHR software will create more than just a bridge between devices. It could bring the EHR, and therefore the healthcare provider, into an ecosystem of technology in which the patient is a central figure and active participant. Now that some technology behemoths are in the EHR integration game, the potential for healthcare seems huge.
About the author: Zach Watson is content manager at TechnologyAdvice. He covers healthcare IT, business intelligence software, and emerging technologies. Connect with him on Google+.
September 18, 2014 10:58 AM
Posted by: adelvecchio
secure messaging, secure text messaging
Guest post by Jose Barreau, M.D., CEO and co-founder of Doc Halo
As new technology erases many of the fears that providers had about data privacy, text messaging is growing as a form of communication in healthcare.
With a secure texting system such as the Doc Halo app, physicians exchange information about their patients while staying compliant with HIPAA and other regulations. That’s good news for providers and patients alike because it improves the quality and efficiency of healthcare, but it’s really only the beginning. Much more opportunity awaits.
Text messaging has become one of the most popular ways to communicate in nearly every walk of life. Over time, the medium will become central to many of the interactions that patients have with the healthcare system.
Here are a few emerging uses of texting in healthcare:
One key to excellent healthcare is open communication between providers, staff members, and patients. The brief moments they spend face-to-face in an exam room allow for only a snapshot of how the patient is doing and how well their treatment is working. Continuing dialogue outside of the clinic leads to more comprehensive care, but hectic schedules on both sides often make that difficult to achieve by phone call. Text messaging is a quick and convenient way for doctors and staff to answer questions, provide guidance and check patients’ progress. Recent analysis done by the University of Connecticut found that patients who texted with their providers were more apt to follow their medication routines. Current secure texting technology enables healthcare providers to take part in this type of exchange while avoiding the risk of a HIPAA violation.
Text messaging is not limited to one-on-one communication. Healthcare providers can use multi-recipient texting to help large groups of people at once. Such communication has the power to promote behavioral changes, such as guiding patients to choose healthier foods or avoid tobacco. A study published in the Journal of Adolescent Health found that texting may be a good way to reach teens with messages of violence prevention.
Texting as part of public health communication does not need to consist strictly of one-way exchanges. It can be geared toward back-and-forth discussion. That concept has led to a new spin on an old concept: the text crisis hotline. As the New York Times reported earlier this year, “Texting has become such a fundamental way to communicate, particularly among people under 20, that crisis groups have begun to adopt it as an alternative way of providing emergency services and counseling.” Advantages of text hotlines over telephone versions include privacy and the ability for users to save conversations to review later. Texting is being used by groups operating hotlines for depression, suicide and other issues.
One challenge of conducting clinical research trials is recruiting enough participants. Another is keeping them involved over the weeks, months or years it can take to complete the study. Text messaging can help in both cases. It’s an excellent way to reach out initially, and it allows researchers to unobtrusively keep in touch with patients and provide them reminders of what steps to take next or when to return to the clinic or lab.
Texting in healthcare is currently focused on providers communicating with each other. That’s an important use, but it represents only part of what texting will eventually mean for the industry and the people who depend on it.
The future of texting will be far broader as physicians and others use it to increase patients’ engagement with the healthcare system. Efforts now underway will unlock the medium’s potential to improve care.
About the author:
As chief executive officer of Doc Halo, Dr. Barreau leads Doc Halo’s development team and operations. He is one of the original founders of the ‘Doc Halo’ HIPAA-compliant, real-time secure text messaging communication system. The desire to exchange information quickly and securely with his healthcare colleagues led to the development of the Doc Halo app. Dr. Barreau is Board-Certified in internal medicine, hematology and medical oncology. He completed his fellowship in hematology – oncology at the University of Cincinnati in Cincinnati, Ohio and sub-specializes in breast cancer treatment. As the medical director of one of Cincinnati’s largest cancer centers, Dr. Barreau works to expand the use of multidisciplinary clinics, which will improve the quality of cancer care through better physician-to-physician communication. His many awards and recognitions include a ‘2013 Health Care Hero’ award presented by the Cincinnati Business Courier.
August 19, 2014 12:26 PM
Posted by: adelvecchio
Black Hat 2014, healthcare security, Medical devices
Guest post by Mac McMillan, CEO of CynergisTek, Inc.
I’ve recently read several blogs and other pieces in the press proffering the theme that the healthcare industry somehow dodged a bullet at this year’s hacker conferences. If you believe that then you don’t really understand the healthcare IT landscape.
I agree there did not seem to be much focus on medical device security compared to years past, when the hacks of implanted cardiac defibrillators and insulin pumps helped raise the visibility of patient safety. Still, there wasn’t much presented at Black Hat 2014 that won’t be an issue for healthcare. I would have liked for the folks at Black Hat to have kept pressure on medical device security because it is one issue that both providers and consumers need to see resolved.
Healthcare is an industry that is absolutely reliant on its systems and networks. Nearly all processes in hospitals today are automated or supported by some form of technology. More than 95% of patient information is digitized, and just like businesses in many other industries, healthcare providers’ operations hinge on complex interdependencies with supply chain vendors that rely on the Internet, software as a service, hosted services, cloud solutions and more. So, if you understand healthcare, you know that almost everything that went on at Black Hat applies to healthcare in some way. Let’s look at some of the highlights.
Researchers at this year’s Black Hat conference exposed weaknesses in Google Glass that could allow a hacker to capture passwords. Last time I checked we have physicians walking around some of our hospitals testing these newfangled spectacles to learn how they can be used to support care delivery. These glasses can capture patient information directly, presenting privacy and security challenges. Understanding any security issues associated with these devices is absolutely relevant to healthcare. As with any new device, we must fully explore how it can assist or improve the doctor-patient experience. We must also be sure to make any new technology safe to use by evaluating both its capabilities and associated risks.
Another session presented a new method of anonymously performing screen scraping of information with virtual desktop infrastructure (VDI) technology. Not relevant to healthcare? Think again. Many healthcare entities are turning to virtual solutions to reduce the risk of compromising patient information. Many have completed or are in the process of VDI implementations. So threats to VDI are absolutely relevant to healthcare. We are going to see more and more virtualization in the healthcare space as entities identify the risk of desktops. Again, understanding these risks is important and Black Hat provided — if nothing else — a reminder that any technology is exploitable. Presentations at the event also showed that hackers are still out there, and it’s important to be aware of their presence. VDI is no exception.
I can go on and on, and talk about the sessions that discussed compromising active directories through Kerberos, USB controller chip flaws, free cloud botnets, mobile device management solution weaknesses, or a host of other topics. But why bother, no one in healthcare uses these technologies. We’re still using cans and strings. This reminds me of a conversation I had with a CISO at a hospital this past week that highlighted how narrow some people’s vision is with respect to security issues. It dealt with medical device security and the fears that some healthcare professionals have — worries that most outside of the IT department totally miss.
As I said earlier, the headlines are always about devices and their potential for harming patients, because that’s what gets people’s attention. The real problem is with insecure medical devices, for instance those running a version of Windows XP susceptible to a zero-day hack, deployed by the hundreds in hospital networks today — the same networks that also hold EHR, radiology, laboratory and financial systems, etc. All of those would be at risk if a hacker were to work their way onto the network and launch an attack. This would harm the whole network and possibly put the hospital through the embarrassment of being used to hack others. Finally, it would inadvertently affect the patients connected to or relying on the hospitals’ devices.
So were the sessions presented at Black Hat this year relevant to healthcare? You bet they were, even if not directly relevant in some cases. Indirectly, they were a reminder that diligence in maintaining awareness and keeping up with what’s going on in the security world is important to understanding risk.
August 5, 2014 11:50 AM
Posted by: adelvecchio
cloud ehr, data exchange
Guest post by Zach Watson, content writer, TechnologyAdvice
Where providers once questioned the security of the cloud and its compliance with HIPAA standards, they’re now accepting the relief it provides by allowing vendors to handle the majority of the security infrastructure for data and applications. In 2011, around 41% of healthcare providers were using cloud computing in their practice or facility, according to the Centers for Disease Control and Prevention. Only a year later, MarketsandMarkets predicted that cloud computing would grow at a 20% rate in healthcare until 2017.
As a result of subsiding security concerns, cloud adoption has risen among electronic health record vendors as well. Vendors who offer providers an EHR platform deployed exclusively in the cloud have realized significant growth, as evidenced by Practice Fusion, Inc.’s rise to the top five in market share, and athenahealth Inc. penetrating the top 10.
As cloud-based EHRs become more prominent, it behooves providers to consider whether the cloud’s improved accessibility will ease interoperability between different EHR systems. Since many providers are attesting to stage 2 of the meaningful use program, interoperability should be top of mind. In order to qualify for these federal incentives, providers have to be able to share clinical data across “geographical, organizational, or vendor boundaries.”
The vendor boundary poses the greatest challenge. Many first-generation EHRs were deployed in a client/server model, which basically works in a closed network, where a server located in a physician’s office fulfills client requests on one network. Additionally, many of these on-premise EHRs store clinical information in disparate formats, making it difficult to transport data, though not impossible.
The disparate data formats employed by these systems have made it difficult to implement a standard for data transportation. The CMS admits that stage 2 interoperability includes data in many formats and exchange standards. Data standards are fundamental to interoperability, because providers exchanging data must have an understanding about the way clinical information will be structured in order to make sending and receiving an intuitive process.
Semantic differences and proprietary data storage have led to the rise of Health Level 7 (HL7), a text-based standard that client/server systems can use to communicate. It has been around since 1987 and works well with the majority of modern information infrastructure. However, clinical data must be converted into HL7, which still needs to happen at the organizational level, undermining the simplicity of the exchange.
It shouldn’t come as a surprise that the sharing of clinical summaries, i.e., text-based data, is more common among providers than the sharing of lab results. Even at the vendor level, HL7 adoption is not ubiquitous, which affects the transfer of data and software architecture.
Until recently, the EHR market was inundated with client/server systems; will the uptick in cloud-based adoption have a positive effect on interoperability?
Ostensibly, the answer should be yes. Cloud computing came to the fore in the business world as a method to store, share, and access data — making data democratization simpler than previous client/server deployments. However, cloud-based EHRs are still subject to the same data standards as on-premise systems. Sure, access and permissions can be granted more easily, but cloud-based systems would still use HL7 and other standards to exchange data, just like client/server models.
In fact, interoperability among different cloud computing applications remains a viable concern in industries outside of healthcare, albeit in a different manner. Outside of healthcare, businesses are more worried about vendor lock-in, or not being able to transfer their data from one cloud provider to another should they choose to switch. In healthcare, data transfer holds a greater implication: improving the quality of care delivered to patients through improved coordination among providers.
Certain cloud-based applications such as patient portals can provide patients with greater access to their healthcare records, though patient portals still necessitate oversight on the part of the patient. Effective interoperability would entail the automatic transfer of necessary information to the doctor a patient is referred to.
While interoperability can be achieved, it’s still mostly occurring on same-vendor systems. Certain cloud EHRs have made great strides in improving interoperability, but that is more often the result of focused collaboration between two entities rather than widespread acceptance of particular standards.
Other industries such as telecommunications, cable, and banking agreed upon a standard method for exchanging data because they saw a competitive benefit to doing so. Meaningful use stage 2 requirements attempt to create a competitive benefit by requiring clients of EHR vendors to share data across systems. Cloud-based EHRs may have an advantage because their systems are theoretically constructed with interoperability in mind, though they are still subject to the obstacles of exchange standards.
As it stands now, interoperability is slowly becoming more common. A cloud-based system alone is not enough to facilitate intuitive data transfer, though cloud vendors may be more capable of helping providers construct a plan for reaching that goal.
About the author:
Zach Watson is a content writer at TechnologyAdvice. He covers healthcare IT, business intelligence, and gamification. Connect with him on Google+.
July 17, 2014 11:22 AM
Posted by: adelvecchio
Coding and documentation, ICD-10 delay, ICD-10 migration planning, ICD-10 transition
Guest post by Minnette Terlep, vice president of business development and chief compliance officer, Amphion Medical Solutions
The one-year delay in the transition to ICD-10 is considered by some healthcare professionals to be a significant setback in the progress healthcare systems had made toward implementing the expanded code set. The ICD-10 delay will likely create a financial burden for those that heeded vows from the Centers for Medicare and Medicaid Services (CMS) that there would be no further delays. Many existing preparations were rendered largely useless because of the “use it or lose it” nature of the skills so carefully honed in ICD-10 training programs.
However, setting industry-wide disappointment aside, there are actually a number of ways in which healthcare organizations can use the delay to their advantage. For example, they can make use of the extra time to put together a detailed plan that will mitigate the anticipated effects on productivity and the data fog that will hover during the first few months after ICD-10 becomes the law of the land. The delay also allows providers that were behind schedule a chance to conduct critical gap analyses.
Perhaps the best way to make the most of the extra year is to conceptualize strategies to counter the delay’s effect on the coder shortage, which many industry experts place at 30% nationwide. The delay will likely worsen the problem because, in preparation for the expected 2014 transition date, most new coders were trained exclusively on ICD-10 codes — skills that don’t easily apply to ICD-9.
And it will get worse before it gets better.
The aging workforce has bumped the average age of today’s coder up to 58 and the largest segment of the Baby Boomer generation is rapidly approaching retirement age. Many older coders have indicated they will retire or choose other employment rather than invest time and effort into learning the new ICD-10 code set.
Hospitals can leverage the ICD-10 delay by identifying ways to mitigate the impact the shortage has on their ability to keep up with current and future coding needs. The American Health Information Management Association recommends a multi-faceted approach that combines some or all of the following steps to create a customized program.
- Retraining outpatient coders in ICD-9: Hiring quality inpatient coders is a far more difficult task than hiring their outpatient counterparts. Thus, hospitals have identified retraining their outpatient coders as a worthwhile investment.
- Transitioning transcriptionists to ICD-9 coders: Transcriptionists can readily be cross-trained as coders because of their familiarity with patient records and clinical terminology. This creates a valuable resource that can be tapped to manage fluctuations in volume and planned or unplanned staff shortages — particularly as demand for transcription service declines in the wake of speech recognition technology implementations.
- Retraining new graduates: Most new graduates are coming out of coder training programs ready to operate in an ICD-10 environment. The problem, for at least the next year, is that organizations are still coding under ICD-9. Incorporating ICD-9 training programs into recruitment efforts gives these new graduates the short-term skills they need until they can apply their ICD-10 knowledge and makes them more experienced for when ICD-10 is implemented.
- Outsourcing: Finding qualified coders can be a daunting task. Hospitals have to use good business sense to determine if recruitment and training is where they want to put their energy and resources. For this reason, outsourcing is an appealing option for many facilities that don’t have access to a pool of qualified coders.
While each hospital has different needs, they all share a common challenge: finding enough coders to support current ICD-9 and future ICD-10 needs. Healthcare organizations that take advantage of the extra time created by the ICD-10 deferment and implement strategies to minimize the impact the ongoing coder shortage has on their facilities will benefit in the long run.
Minnette Terlep, B.S., RHIT, is vice president of business development and chief compliance officer for Amphion Medical Solutions. She can be reached at Minnette.Terlep@amphionmedical.com.
July 9, 2014 1:55 PM
Posted by: adelvecchio
Accountable Care Organizations, HIPAA privacy rule
Guest post by Rebekah Johnson, senior compliance manager, West Corporation
Technology has become so woven into the fabric of our society that it often overshadows face-to-face communication. It’s so prevalent in healthcare that patients have come to expect their doctors to use technology to communicate with them between office visits, hence the rise of patient engagement technologies. In 2012, a Medical Group Management Association study reported that approximately 44% of healthcare practices were using notifications technology to automate appointment reminders. Today, mHealth is the fastest growing area in the health IT space. However, along with mass adoption of healthcare technology comes the necessary evil of compliance — which can be a crippling force that works against patient engagement.
When there are more pages of regulations for Medicare than in the Internal Revenue Service code, it’s no wonder healthcare professionals are struggling to keep up with regulations. Add HIPAA and its steep requirements for protecting sensitive patient data, and you’ve got a big case of compliance overload in the healthcare industry.
The compliance challenge makes it difficult for healthcare providers to maximize the technology investments they’ve made. There are thousands of healthcare providers that have automated appointment reminder systems in place. Most want to use that same technology platform to engage patients between doctor visits to drive improved health outcomes. When it comes to patient engagement, these same healthcare providers stop at simple appointment reminders because they don’t know what types of patient communications fall within the limits of HIPAA regulations.
The good news is, healthcare providers have a fairly open field when it comes to patient engagement technologies — they just need to understand the rules. For simplicity, compliance dos and don’ts should be considered in relation to messages that reach and engage patients and lead to better health outcomes.
Keep in touch with patients to reduce missed appointments
Today, it’s quite common for healthcare providers to reach out to patients with communications that remind them to make and keep appointments, or pay their bills. In fact, this strategy has resulted in a more than 30% reduction in missed appointments, industry-wide. It’s also been proven to reduce past-due accounts and increase monthly collections by more than 25%.
When this type of message is generic in content, privacy and security considerations are not a concern, and the patient communications can be delivered via interactive voice response, text, email or mobile applications.
The most common compliance culprit for these messages is including information about the purpose of the appointment, such as, “This message is to remind you of your appointment for a biopsy of your left breast on Friday, November 2, at 3:00 PM.” These messages are fine when it comes to engaging patients. However, when patient details are included, it’s important the message be delivered using a secure mobile application with features that protect the privacy of the patient. Alternatively, the healthcare provider can simply remove the test details. Patients are open to receiving this type of communication via SMS or email — in fact, that’s often exactly the type of communication they prefer to receive from their healthcare provider. In that instance, it’s simply a matter of getting the patient’s permission and documenting her preferences so you can communicate in this fashion while remaining compliant.
Engaging patients to increase accountability
While payers and providers are usually in the spotlight when it comes to accountable care, the most successful models will be the ones that place a strong focus on patient accountability, said Kevin Pho, M.D. “All patients across the care continuum need to be participants in their own care, and providers should be implementing strategies to encourage this accountability both at the point of care and, more importantly, once the patient goes home,” he wrote.
To achieve success, healthcare professionals need to go beyond reminding patients to keep appointments and pay their bills. Healthcare providers must communicate with patients between visits and offer information that will help them understand the state of their health, their personal role in becoming healthier, and hope that will help patients stick with treatment plans between appointments. This is precisely the level of support Americans are asking for from their healthcare providers.
The TeleVox Healthy World report titled, “Technology Beyond the Exam Room,” found that 85% of United States healthcare consumers feel that high-tech engagement, from sources such as email, text messages and voicemails, is as helpful, if not more helpful, than in-person or phone conversations with their healthcare provider. More than 35% of patients who don’t follow exact treatment plans say that they would be more likely to follow directions if they received reminders from their doctors via email, voicemail or text.
Moving from simple appointment reminders to engaging patients at this level is where healthcare providers begin to feel crippled by compliance. Fortunately, when taking patient engagement up a notch, a little knowledge goes a long way toward remaining compliant. In the case of HIPAA regulations, the most important thing for healthcare providers to remember is that the same rules apply regardless of whether the communication is a text message reminding the patient of an upcoming appointment or an email intended to educate the patient about his health and encourage him to follow his treatment plan.
Healthcare providers don’t need to worry about non-compliance with HIPAA privacy and security when communications contain generic information. However, messages that reveal past or present health conditions can cause compliance concerns. The workaround is being diligent about capturing, documenting and using patient engagement preferences and permissions. With diligence comes a policy that enables compliance officers, in many cases nurses, to quickly and easily approve and deliver patient engagement communications based on the patient’s unique preferences and permissions. A policy should provide communications guidelines that include clear examples of messages or pre-approved scripts by the healthcare professional. It also should include examples of messages that may require a closer compliance review prior to delivery.
It’s also a good idea to have a formal procedure for capturing and documenting patient engagement preferences. It could be as simple as having the patient complete an electronic questionnaire on a tablet while waiting to be greeted by the doctor. This intake form should ask patients to share their preferences for receiving various types of communications. The way patients prefer to receive communications from their provider will likely change based on the information being delivered. For example, patients often want their doctors to email educational tips or information that will help them live a more healthy life, but they may prefer to receive a phone call to remind them about an upcoming appointment.
[Activating positive patient behaviors requires that providers understand not only what information their patients require to stay on track, but also how their patients want that communication to be delivered — via voice, automated messages, text or email.]
Activating improved health outcomes
With the industry’s movement toward accountable care, it’s no longer enough to prescribe a treatment plan. It’s increasingly important for healthcare providers to focus on encouraging patients to follow treatment plans. This requires ongoing reminders and alerts to take medication, check blood sugars, eat right, and exercise. In fact, research shows patients welcome activation emails, text messages and voicemails from their healthcare providers that tell them to do something specific, such as take medication, schedule a routine medical screening, or get a flu shot. Almost half of American adults are currently treating a disease or chronic illness, such as a heart problem, diabetes or cancer. That’s more than 100 million opportunities for healthcare providers to deliver communications that drive patients to follow their treatment plans.
In the near future, two-way communication between patients and providers will be the norm. So, overcome the compliance challenge today by putting the power of preference in the hands of the patient.
This article is intended to provide general information about the subject matter covered. It is not intended to provide legal advice, opinions, or serve as a substitute for counsel by licensed legal professionals.
About the author: Rebekah Johnson, CIPP/US, is a senior compliance manager for West Corporation. In this role, she develops and maintains compliance operations concerning the privacy and security of client information, including personally identifiable information, PHI, sensitive and financial data. Rebekah’s experience also includes managing West Notification, Inc.’s U.S.-European Union Safe Harbor certification.
“2012 Performances and Practices of Successful Medical Groups,” Medical Group Management Association, 2012.
“Implementing Strategies to Encourage Patient Accountability,” www.kevinmd.com/blog, January 2012.
“Technology Beyond the Exam Room: How Digital Media is Helping Doctors Deliver the Highest Level of Care,” TeleVox Software, December 2012.
“Chronic Diseases: The Leading Causes of Death and Disability in the United States,” Centers for Disease Control and Prevention, 2012.