The use of obsolete technology is costing hospitals billions of dollars each year by decreasing physician efficiency and complicating compliance with privacy laws, according to a new study conducted by the Ponemon Institute.
The institute's investigation showed that obsolete tools like pagers and fax machines impede productivity, costing U.S. hospitals $8.3 billion each year collectively. The cost to individual hospitals topped $1 million. The average physician wastes 45 minutes each day as a result of inefficient communication systems.
The study's findings are based on a survey of 577 clinicians, hospital administrators and IT staff. Respondents reported that the continued use of pagers, lack of wireless Internet and inadequacy of email were the main drivers of inefficient communication. These inefficiencies increase the time it takes to discharge patients by an average of 37 minutes, adding more than $3 billion in annual costs to the nation's hospitals.
"It was almost comical because it's gross inefficiency, but it's sad" said Larry Ponemon, chairman and founder of the Ponemon Institute. "Because of that inefficiency a lot of patients aren't getting treated."
A lot of hospitals likely continue to use pagers and faxes and other outdated technology because they are wary of potential security holes that may be introduced by new technology, Ponemon said. Hospitals try to live by the letter of the Health Insurance Portability and Accountability Act (HIPAA) regulations, which often causes them to install rigid security policies that aren't necessarily prescribed by the law. Hospitals typically have more flexibility than they realize, but they act with caution to avoid potential penalties for breaches.
Developing a deeper understanding of HIPAA's privacy and security regulations could enable hospitals to develop more flexible security policies. Until then, they are likely to be stuck with old technology that creates inefficiencies.
"There's a lot of time wasted and effort wasted on outdated technology, such as pagers; and communication methods that are becoming commonplace on the consumer side, we'd love to see them become commonplace in the healthcare sector," said Sean Kelly, M.D., chief medical officer at healthcare security company Imprivata, which sponsored the study.
Larry Ponemonchairman, Ponemon Institute
Kelly said clinicians increasingly are looking for ways to use their own smartphones to communicate with each other more efficiently. But this inevitably raises HIPAA compliance concerns. Sending protected health information (PHI) via text message or unsecure email could lead to violations. Solving this problem is a growing challenge for hospitals
Results from the study show that a majority of respondents view HIPAA compliance as a barrier to patient care. A total of 85% said the privacy law decreases the amount of time they can spend with their patients, 79% said it impedes electronic information access by patients, and 56% said it holds back electronic communication.
But the problem might not be with how HIPAA regulations are written. Inefficient security implementations often are the reason why clinicians view privacy regulations as barriers, Imprivata President and CEO Omar Hussain said. "Personal health information can be very private, and while the regulations get in the way in the sense of how they're implemented, without them I don't think the consumer will accept it," he said, referring to lax security.
IT staff are also dissatisfied with HIPAA compliance measures, but for reasons that differ from those of clinicians. According to the Ponemon study, 59% of respondents said the complexity of compliance and regulatory requirements is a barrier to achieving a strong IT security posture. The reason is that IT staff know what their organization needs, but HIPAA can drive their security efforts in a different direction, Ponemon said. For example, security professionals might feel their hospital needs stronger user authentication or security intelligence tools, but HIPAA stresses encryption.
"So, if you only have $300,000 for [your] security technology investment budget, you basically have to meet those HIPAA requirements and you may not be doing those other things that are really important to strengthening security," Ponemon said. Complying with the letter of the HIPAA laws may improve the security of hospitals with poor security, but it may interfere with efforts of those that already have strong security.
The disconnect between clinicians' displeasure with security measures and the need to guard PHI comes down to a tradeoff between security and accessibility, Imprivata's Kelly said. Hospitals need to find ways to allow appropriate access to data while still protecting it. Doctors don't necessarily want to violate privacy laws, he said, but providing them with inefficient means of communicating, such as pagers, forces them to find other ways. Giving clinicians better tools will make it easier for them to do the right thing.
"Their perception that this is an interference and a barrier is because the systems, in order to be secure, sacrifice efficiency to the point of being difficult to use," Kelly said. "So, the trick is just execution. It's not that things can't be secure and efficient; there's a balance."
Solutions to these problems are available to hospitals. A growing number of vendors are offering secure text messaging services that comply with all provisions of the HIPAA privacy and security rules. However, secure file sharing options are still relatively limited.