Accenture: Most Consumers Want Access to EHRs, but Don’t Have It

accenture logoAccenture released the following infographic that illustrates the key findings of its recent survey (also featured in a recent post: Patient Willing to Switch Doctors for Access to Electronic Health Records) that suggests that most consumers want access to EHRs, but don’t have it.

The Accenture Consumer Survey on Patient Engagement explores whether doctors are delivering on the growing patient demand for access to EHRs and other electronic capabilities.

According to the info below, more than half of global users would switch to a doctor using EHRs with Brazil, France, Singapore and Spain registering well more than 50 percent of all patients willing to switch. In the US, the number of switchers hoovers at around 41 percent.

Continue Reading

Office of the National Coordinator’s Needs More Planning; Until then Move On

I’m a cynic and I’m snarky. They are character traits earned from my days as a reporter at the newspaper. Constantly being pitched the greatest new thing meant to change the world when rarely these things lived up to their promise made me this way.

It takes a lot to impress me.

This, of course, won’t do it.

By “this” I mean the

The latest offering from the Office of the National Coordinator for Health Information Technology (ONC), the site is being billed as a place for public input to update the Federal Health IT Strategic Plan.

According to the site, the plan outlines goals and strategies for the nationwide shift to electronic health records and information exchange, and for creation and spread of new health information technologies. “On this site, you can learn about these issues and be part of the public discussion that will shape the new plan. Whether you’re a patient, consumer, provider, insurer or IT developer, you should have a voice in this process.”

The rest of the site focuses on a variety of topics in discussion board fashion (think late ‘90s comment-based webpage) where consumers, the general public and anyone else with an opinion of any kind can respond to the seeded ONC topic.

Some of the topics include:

The list goes on, with a few sparse comments to support the topics addressed, and some questions and responses.

The rest of the site features some meager announcements and a bit more info about

I’ve been a supporter of many of’s work and have featured it multiple times on this site for the availability of their information and the organization’s outreach to the public and the HIT community, but is a limp attempt at a public information movement.

I’ve got to hand it to ONC for trying to engage the public in an information and educational campaign, but this effort wreaks of propaganda. For the most part, the comments are thin and generic and the “conversation” here seems someone staged.

This sure seems to resemble the acts of a start up site looking to generate page views and buzz. Certainly, there are people interacting with the site, but it comes off as fluff; a bit too polished if you will.

Call it the cynic in me, but at present, this effort just isn’t enough to make me think it’s going to drive any real change. Perhaps as it grows and evolves it will be worth a lot more, but in its current, state, not so much.

HIT Thought Leader Highlight: David Finn, Symantec

HIT Thought Leader Highlight: David Finn, Symantec
David Finn

David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.

What issues do healthcare leaders face from a security perspective?

Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few.  On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.

Why? What can they do about this?

Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.

How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?

HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.

How is/will meaningful use impact healthcare? Are there security issues?

While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.

How has the push toward EHRs changed the security of healthcare? In what ways?

As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.

In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?

Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.

What are some of the most overlooked security protocols?

First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.

Is the health IT market overly paranoid when it comes to security and breeches?

Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.

How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?

I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.

Here is what is irrelevant:  1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.

Anything else you’d like to mention that I haven’t asked?

First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.

The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.

David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec.  Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States.  He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC.  Serving last as the EVP of Operations for Healthlink.

Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security.  He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.

HIPAA Risks Associated with Using Tools Like Skype During Patient Communication

Skype and unbridled communication between caregivers and their patients has opened a great many opportunities for care to be offered the world round, from a variety of locations within our own communities to remote and unconventional places in other areas of the world.

In a nutshell, Dr. DeShan spends several months in Russia each year leading an international medical mission where he serves some of Moscow’s most needy, as well as delivers care to some of the world’s remote people through journeys into the wilderness.

When he’s in Moscow serving patients, she’s able to stay connected to his practice in Midland Texas, where he’s a partner at a thriving OBGYN. Aside from relinquishing a few of his daily duties, such as delivering, he’s able to maintain a full patient load and he does that in part using the web and tools like Skype to maintain contact with them and with his practice.

Personally, I believe the work DeShan is doing is fascinating. He’s using his talent and skill to follow his passion and his calling in life. His practice and his patients are in support of his work and in no way does he keep it from them. Those patients that were not comfortable with interacting with him part time through the web were assigned to other practitioners.

However, I’ve always wondered if Skype is a tool that can be trusted for such work. Despite his good deeds, I always wondered he’s in HIPAA compliance.

According to a recent article in Medical Office Today, I’m not the only one. According to the article, “Notwithstanding the fact that Skype is ubiquitous, its use may be inappropriate for healthcare providers as web-based platforms raise a number of significant HIPAA privacy and security issues:

Also, according to the piece, HIPAA and its resulting regulations pertaining to privacy and security require covered entities such as healthcare providers to protect the confidentiality of protected health information and guard against unauthorized access, use, and disclosure of such information.

Among other things, the HIPAA rules require:

“The use of web-based platforms, especially those that are proprietary, makes it difficult for healthcare entities to meet many of their HIPAA obligations,” the article states. “As a consequence, telehealth providers carry a higher risk of potentially violating HIPAA rules when they use services such as Skype.

According to the Health Information and Trust Alliance, the organization recommends against the use of Skype and similar platforms for communications involving health information, concluding that web-based platforms are not secure, and are an inappropriate way by which to communicate with patients, especially when the communication involves health information. Their view was confirmed late last year when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure.

“All of this does not mean a healthcare professional should not use Skype to communicate to patients, only that they be aware of the increased risk of violating HIPAA and think long and hard prior to using such technology.”

However, should a provider insist on using Skype, there are some steps they should consider to better protect themselves from potential HIPAA liability (all good tips, according to the magazine):

Only HIPAA-compliant technologies can truly protect a physician and a patient. These steps may help. In the long run, though, as I’m sure Dr. DeShan would agree, don’t let the cost of the work keep you from doing it.

Implementing an Electronic Health Record Does Not Ensure Practice Productivity or Profitability

A new report suggests that the average physician lost just as much as would have been gained had he or she received the full meaningful use incentive payment for the last five years — $44,000 – by implementing an electronic health record, which basically makes the whole thing null and void.

There’s a caveat, though. The practice that has implemented and is using the EHR, needs to make a few changes to the way the practice runs or else the saving is lost. Somewhat of a no brainer, according to study that’s published in Health Affairs, only 27 percent of practices achieved a positive five-year return on investment by implementing the electronic systems.

The trouble, according to the survey, is that practices “failed to make operational changes to realize the benefits of EHRs such as doing away with paper records after implementation of the electronic systems, adoption, as well as dictation, billing services and positions or staff members who were performing services no longer required after EHR adoption.

A reduction in the required workforce at the practice after the implementation of an EHR is a common problem. I’ve spoken with several practice leaders who cited it as such, and in many cases, staff whose positions were eliminated because of the software have been re-assigned to other areas. There are only a few practices in which I’ve spoken where employees were laid off because of the systems. I expect this number to grow as more systems come online.

According to MedPage Today, which published the results of the study, the study sought “pre- and post-adoption financial cost/benefit data from practices such as total revenue, total operating costs and total labor costs. Researchers also asked for information on areas that were impacted by EHRs, such as the cost of paper medical records, dictation services, and billing services.”

Their results of the study showed that the average physician lost $43,743 over five years. Primary care practices fared better than specialists. Practices that saw a positive return on EHR investment increased revenue by more than $114,000 per physician over five years, results showed. In comparison, practices with a negative return on EHR investment saw revenue increase by an average of only $9,200 per physician in five years.

“Even when adding federal incentives to use EHRs, the majority of doctors would have lost money,” MedPage Today reports.

Other results from the study include:

This is a bit surprising: Practices with a practice management system prior to EHR implementation in place to help with billing functions benefited less on average.

Seems like some of the unexpected consequences of EHR use are finally working their way to the top and a bit of the actuality of the situation is coming out; just because a system is implemented, doesn’t mean everything is going to be great. “Wide usage of EHRs was supposed to help doctors increase revenue through improved billing and efficiency gains that would allow them to see more patients per day. However, doctors have complained that EHRs are cumbersome and cause physicians to spend more time documenting patient visits,” the magazine states.

Training Cited as Key Concern Regarding State of EHR Implementations in Healthcare Industry

A straightforward piece of news from TEKsystems Healthcare Services, a provider of workforce planning, human capital management and IT services to the healthcare industry, showing the following results a joint survey with HIMSS Analytics regarding health organizations’ readiness pertaining to the implementation of electronic health record (EHR) systems.

According to TEKsystems, the survey shows insights into the status of EHR implementations, the challenges healthcare organizations face and areas of improvement; TEKsystems and HIMSS Analytics surveyed 300 single and multi-hospital organizations and health professionals throughout the United States. Key findings include:

Current State of EHR Implementations

Achieving end user adoption

“Achieving meaningful use and truly improving the quality of patient care can only happen if end users fully adopt a new EHR system in an acceptable timeframe. Organizations expect their people to adapt quickly, yet many do not plan for end user training until late in the effort,” says , TEKsystems vice president of healthcare services. “Upfront training strategy development would allow for the identification of key competencies and performance indicators. As organizations transition from implementation to day-to-day operations, any deficiencies in the ability to meet the targets can be pinpointed to either a specific user group, department or globally as indicated by analytics and aligning remediation accordingly. Developing an effective adoption strategy is a critical step that needs to be detailed earlier in the process and carried throughout the life of the initiative. That includes finding the appropriate resources necessary for building, integrating and conducting the training.”

Bringing in the right people and skills

“The supply of HIT talent is not keeping pace with the demand –  from clinical trainers, builders and consultants to project and program managers. Finding the necessary resources can be a daunting task for many organizations, but one that is essential to achieving a successful EHR implementation,” continues Kriete. “That includes finding the right principal trainers and scaling to meet the overall training and adoption needs.

Conducting an impactful training experience for the end users

“The importance of effective training cannot be overlooked. To avoid these outcomes, organizations must proactively build a customized training program that is led by educators with clinical and technical EHR experience. The training cannot simply be ‘off-the-shelf.’ It should align with the overall organizational goals, workflows, technical requirements and end-user job roles” states Kriete. “One method for ensuring a training program is effective and builds confidence within an organization is to engage end users, those using the system on a day-to-day basis, in the development of the curriculum.”

“In addition to leveraging end users in this process, efforts should be taken to combine synchronous and asynchronous learning methods to foster a learning environment that meets the needs of the adult learner and their hectic schedules and a learning environment that is not bound by space or time” says Von Baker, TEKsystems healthcare practice director.

Including end users in the process

“This study shows the majority of executives and decision makers are engaged in the implementation process, but unfortunately, this is not the case with end users. Giving end users the opportunity to provide feedback during the development of and during the training boosts their sense of ownership and increases their confidence in the system post-implementation,” comments Baker.

Continuing to support end users after go-live

“The work does not stop once the implementation is complete. Providing post go-live support is critical to ensure the end users fully adopt the system. Best practice is to create performance support tools for end users to have ready access to how-to reference guides when the needs arise – self service.  The right blend of performance support tools depends on the organizations culture, internal drivers (i.e. varied workflows, varied specialties, and geographically dispersed facilities), and available technology. Underestimating the amount and degree of post go-live support can cause a decrease in productivity and performance and increase end-user frustration,” concludes Baker.

About TEKsystems Healthcare Services

TEKsystems Healthcare Services is dedicated to providing workforce planning, human capital management and IT services to the healthcare industry. Utilizing its suite of services, including EHR Implementation Support, ICD-10 Support and Data Services for BI, Reporting and Data Warehousing, they help healthcare organizations accomplish critical initiatives related to meaningful use, compliance, analytics, network transformation and revenue cycle management.

Better, Safer Healthcare Stories Are Inspired By Technology