6 Tips to Navigate the Population Health Jungle at HIMSS16

Guest post by Linda Lockwood, solutions director and service line owner, health solutions, CTG.

Linda Lockwood, RN, MBA, PCMH CCE
Linda Lockwood

With HIMSS 2016 fast approaching, the hunt for the perfect Population Health tool will be underway. Whether you’re a HIMSS veteran or a first-time attendee, expect to be caught in a jungle of vendors, each promising the latest and greatest Population Health tools.

HIMSS seems to grow each year, and with so many vendors, solutions and offerings, and the buzz happening during the event, it can be a challenge to carefully evaluate Population Health tools to help inform a decision.

HIMSS can make you excited for the future of your organization, but can also be overwhelming with so many Population Health options to consider. These six tips can help you separate fact from fiction and select a tool that best meets the population health needs of your organization:

Identify organizational goals for population health and match your tool choice to those goals: It’s important to understand what your organizational goals are, as they will drive the selection of tools. If you have not entered into risk bearing agreements, but want to be prepared, perhaps you may want to start off with a tool that supports development of registries and profiles physician performance. You will also want to identify your high risk, high cost patients, and be sure you have the ability to track this performance over time. This information may be available from your financial systems, but you also will need to have the ability to drill down to the device, and supply level—as well as use of medications and supplies including blood products—to identify opportunities for improvement.

How does joining an ACO impact your decision? If you have plans to join an ACO, your needs may include the ability to perform Care Management and Care Coordination and Patient Engagement. You will want to be sure that there is interoperability between the hospital, physician offices and care managers as well as the payers. Reporting becomes critical with an ACO as certain metrics must be reported on a regular basis. As you evaluate tools, ask if they have pre-build reports that include some of the standard measures that a MSSP requires, as well as CMS.

Think about mergers and acquisitions: If you are in the process of a merger or acquiring physicians, you must ensure whatever tool you include has the ability to aggregate data from multiple EHRs and formulate a plan to support interoperability for sharing and exchanging key data. If you are self insured, your organization will have access to data about your population. If you are focusing on wellness and prevention, you will want tools to support patient engagement, health and wellness. Alternately, if have high risk patients, you require Population Health tools to support care coordination, outreach, pharmacy and lab adherence and wellness reminders.

Make data quality a priority: The ability to have accurate, reliable data is crucial with any Population Health or reporting tool. If a data governance system is in place, it’s important to understand what source data you will need to populate the tool. Be sure you know where key data is entered in the system and the common values for that data. In tandem with this, the organization should identify data stewards and business owners. Data governance must have organization-wide commitment, and business owners who are actively engaged.

Continue Reading

HIT Thought Leader Highlight: David Finn, Symantec

HIT Thought Leader Highlight: David Finn, Symantec
David Finn

David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.

What issues do healthcare leaders face from a security perspective?

Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few.  On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.

Why? What can they do about this?

Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.

How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?

HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.

How is/will meaningful use impact healthcare? Are there security issues?

While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.

How has the push toward EHRs changed the security of healthcare? In what ways?

As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.

In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?

Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.

What are some of the most overlooked security protocols?

First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.

Is the health IT market overly paranoid when it comes to security and breeches?

Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.

How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?

I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.

Here is what is irrelevant:  1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.

Anything else you’d like to mention that I haven’t asked?

First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.

The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.

David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec.  Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States.  He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC.  Serving last as the EVP of Operations for Healthlink.

Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security.  He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.

Though Much of the 2013 Transformation is Fueled by Government Initiatives, Healthcare is at a Tipping Point


Office of the National Coordinator for Health IT

Guest post by: Lauren Fifield, senior health policy advisor, Practice Fusion

Many HIT vendors will be largely focused on major development efforts to meet 2014 edition certification requirements for meaningful use.  However, as Stage 2 measures aim at improving patient engagement, quality and interoperability, we may be surprised by the new technologies that existing and new companies develop to meet the requirements:

We’ll also see new industry movement toward improved patient safety through provider training, reporting and other efforts.  Thanks to the successful collaboration between vendors and the agencies that help providers achieve meaningful use, we expect the Food and Drug Administration to work with the Office of the National Coordinator for Health IT (ONC) and the Federal Communications Commission (FCC) to engage key stakeholders by addressing the 18-month study mandated in the FDA Safety and Innovation Act of June 2012.

Given the continued and ever-growing provider outcry to address the broken payment system, the Department of Health and Human Services (HHS) may finally develop plans to move to a reimbursement system that relies on quality and outcomes.  With the recent announcement of more than 106 new ACO contracts, growing provider participation in new payment models, and the new possibilities opened up by technology vendors, it may at last be time to put this broken system behind us.

Though much of the 2013 transformation is fueled by government initiatives, the healthcare industry is at a tipping point regardless of any push on Uncle Sam’s part. Patients will soon be expected to pay for more of their care, making consumer health tools, telehealth and personalized medicine more appealing and important. Providers tired of the payment system will partner with technologists and private payers to try alternative models and cash-based business.  And big data might just find a home amid all these new patient, provider and health system innovations.