Farzad Mostashari recently said that 5 percent of the problem in healthcare now is people while the remaining 95 percent of the problem is systems and IT.
According the national health IT coordinator, as reported by Government Health IT, “It’s systems that let ordinary people do extraordinary things.”
However, the tools that allow us to do extraordinary things contribute to nearly all of the problems physicians and their practices face in healthcare. IT is to blame for healthcare’s problems; not lack of payment reform, overarching government intrusion, lack of research, the fact that doctors are only able to spend about eight minutes with each patient per visit, etc.
With the mandate of electronic health records (EHR) across the nation, hospitals and physicians are researching, evaluating and purchasing EHR Systems. These systems range in price from affordable with minimal investment to the Rolls Royce version.
Many hospitals are investing large capital dollars for EHR programs. Hospitals must choose a vendor that will meet the organization’s needs. Physicians may choose systems that are more narrowly focussed to the needs of their offices and their specialization. In other words, interoperability may be addressed for hospital EHR systems with their more diverse internal users and may not be a major consideration for a non-network physician. Even with anEHR system in place, they do not necessarily make information sharing easier since many of them do not have interoperability outside of their networks.
David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.
What issues do healthcare leaders face from a security perspective?
Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few. On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.
Why? What can they do about this?
Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.
How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?
HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.
How is/will meaningful use impact healthcare? Are there security issues?
While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.
How has the push toward EHRs changed the security of healthcare? In what ways?
As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.
In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?
Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.
What are some of the most overlooked security protocols?
First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.
Is the health IT market overly paranoid when it comes to security and breeches?
Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.
How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?
I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.
Here is what is irrelevant: 1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.
Anything else you’d like to mention that I haven’t asked?
First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.
The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC. Serving last as the EVP of Operations for Healthlink.
Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security. He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.
One thing recently became increasingly important to Metro Imaging and Radiology, an independent radiology practice with five locations throughout St. Louis, Missouri: meeting meaningful use.
In 2012, Metro Imaging added an electronic health record after having used NextGen’s billing system for several years. Along with the EHR, the chain added the Anoto digital pen.
With more than 100,000 annual patient visits, the practice sought a viable solution to help streamline the intake process and reduce some practice inefficiencies, like scanning and filing paper patient forms.
“We knew it was going to be difficult to reach meaningful use, and we needed something that was going to be very efficient,” said Christine Keefe, chief financial officer at Metro Imaging. “We couldn’t have anything that slows us down too much.”
The Anoto pens seemed like the best solution. The pen stays charged for 10 hours and can hold 200 pages filled out top to bottom.
The practice was sold on the pen because of its ability to capture the information being entered onto paper forms, especially the patient intake forms. According to Keefe, the pens were only considered based on a recommendation from it NextGen representative, but since implementing it, they have completely done away with any manual scanning of patient forms.
On top of that, the clinic has completely gotten rid of paper (except for the patient in take forms used at the front of house) and it no longer keeps papers files.
The first week following implementation was the most difficult, she said, but since everything has settled back to normal and there have been no hiccups. The EHR was probably a more significant change than adding the pens. After all, the patients rarely notice there’s something different about the slightly larger ball points.
The pen captures the data entered into the fields of the paper forms by the patient through a small camera on the pen. It snaps 70 images per second as a patient enters the required data, storing until the pen is docked on a charging station, at which point it downloads all of the information contained into the practice’s EHR through a USB port.
“A great thing about the pen is that you can dock it, ignore it and by the time you’re done doing other things, everything is downloaded and you can use it again,” Keefe said.
An immediate benefit, other than reducing the amount of manual input required of clinical staff is that the forms that are used by the practice are customized and capture data in a structured manner.
Staff that previously focused on transcription, scanning and filing now have had their resources reallocated to claims and billing administration and patient relations. For example, staff has more time to follow up with patients and address any billing and claims issues that come up.
The practice currently uses 25 pens; five per practice. Each costs $385 and there is a $1,000 license fee. Additionally, the practice pays a regular maintenance fee. The pens can be used for hours without re-charging and can capture multiple people’s records without needing to be docked.
The pens are also Bluetooth-enabled and can transmit information wirelessly back to a healthcare setting, making them appropriate for home health workers and others that work outside the four walls of the practice.
They are the ideal technology too, since today more than 80 percent of physicians still rely on traditional pen and paper to capture patient information. Finally, digital pens offers a simple, alternative way to capture data and transfer it into an EHR, especially for physicians concerned about a computer or tablet PC getting in the way of their patient’s experience.
“We like the flexibility the pens have created for us,” said Keefe, “anything to cut down on work at the front desk.”
Metro doesn’t use them in the clinical setting yet, Keefe said, but there has been some interest in bringing them into the exam room. If things continue to go as smoothly as they have, that decision would be like hand meeting glove.
On its face, the CommonWell Health Alliancee really seems to hit the mark. A collection of the top EHR vendors coming together, sharing a stage and shaking hands; smiling; snapping photos of smiling happy CEOs. All together for one cause, or so the story goes: healthcare data interoperability. According to the “organization’s” website, interoperability is the cornerstone of healthcare’s future.
“Interoperability helps improve quality, reduce costs, enable regulatory compliance and ensure better access to healthcare for millions of people,” and so on and so forth.
Finally, CommonWell’s call to action: moving the healthcare industry beyond just recognizing the importance of interoperability, but moving the industry forward. CommonWell is supposed to be the health IT superhero that moved this giant boulder up the hill and positions it so eloquently on the top.
For those of us who didn’t know this already, CommonWell sums it up: “It’s time for healthcare IT organizations to come together and commit to achieving interoperability for the common good,” and so on and so forth.
So glad it took the giants of the industry to tell us as much.
Okay, so admittedly, this is a step in the right direction. It’s like putting big money behind a good cause. For everyone who has ever worked in the nonprofit trenches who spend their days begging the haves for the have nots, this a dream come true.
Those in the spot light can move us forward to a point where we must be. Allowing private enterprise to bear this mantle means we might finally make the move forward instead of being held back by the shackles of the federal reform and imposition.
After all, wasn’t interoperability a staple of meaningful use; an “industry consortium to adopt common standards and protocols to provide sustainable, cost-effective, trusted access to patient data,” if you will?
Because of meaningful use, we were supposed to be singing in circles by now, discussing all of the advancements we’ve made; our coming together and our ascending to the precipice. Alas, little has been attained through federally funded meaningful use except implementation and wars of words.
We waited, didn’t we? Long enough? Perhaps, perhaps not; depends on who you ask. Farzad Mostashari says we should wait a bit longer for the results to role in. The boys at Allscripts, athenahealth, Cerner, Greenway, McKesson and Relay Health (imagine the feelings of all the other vendor’s CEOs who were left out of this pre-arranged agreement; I guess there’s mincing words anymore) decided private enterprise is the way for things to actually get done.
And while it’s an interesting experiment, I think I agree with some of the other more intelligent folks in the field. Until we see some sort of actual forward movement with this initiative and until there’s some proof of life, this is really nothing more than a stake in the ground. A happy public relations move designed to flex a little corporate muscle on the industry’s largest stage.
Guest post by Rick Little, vice president of Client Services, MedAptus.
Revenue cycle management. Right now you’re probably thinking this term sounds like some fancy business school jargon, so why should you care about it? Isn’t that an accounting issue? What does it have to do with healthcare IT?
Well, a lot actually. Applying health IT resources to revenue cycle management processes is a must-do now as the Affordable Care Act, Meaningful Use and the looming ICD-10 transition swing into full gear. In fact, now more than ever, technology solutions are needed to drive correct coding and billing compliance for an optimized revenue cycle. Without it, your organization will struggle into 2014 and beyond.
Here’s a quick look at how charge capture and management software helped The University of Texas MD Anderson Cancer Center prepare technologically and financially for all that the ACA, ICD-10 and other initiatives may bring.
More than eight years ago MD Anderson identified electronic charge capture as a technology capable of providing financial, administrative, and compliance improvements. MD Anderson Cancer Center is part of the University of Texas system and located in the heart of the Texas Medical Center. One of the largest employers in Houston, MD Anderson has more than 18,000 employees including more than 1,400 physicians, and served nearly 110,000 patients in 2011.
Back in 2004, when the organization identified improving its revenue cycle management as an initiative, here are some of the challenges it faced:
A huge sprawling campus
An in-house developed Electronic Health Record (EHR)
Old legacy systems for scheduling and billing
Limited use of order entry
Beyond automating and streamlining physician charge capture processes, MD Anderson also required its chosen software solution to integrate with its EHR, link together numerous legacy systems and drive reconciliation improvements across its many clinical areas.
MD Anderson began using charge capture and management technology from Boston-based MedAptus with 50 physicians piloting the company’s mobile Professional Charge Capture (Pro) in early 2005. After initial pilot results that demonstrated improved revenue and decreased charge lag, MD Anderson implemented MedAptus’ use across its entire enterprise. Today, more than 1,300 clinicians utilize Pro for their professional charge capture and management.
Since MD Anderson began using charge capture technology, many improvements have evolved out of their implementation. These include:
EHR Charge Entry
A vital component of the charge capture deployment at MD Anderson is integration with the hospital’s proprietary EHR, Clinic Station. Working together, MD Anderson and MedAptus created an interface directly within the EHR allowing providers to easily complete charging and charting tasks via a single sign-on and with the preservation of patient context between the two systems. This real-time, simultaneous entry has reduced errors, improved compliance, decreased time-to-billing and driven personal efficiencies.
Inpatient consultation charges
As MD Anderson evaluated areas for improvement within its revenue cycle processes, inpatient consultation charges stood out as an area for review. To improve capture here, a new interface from the consult scheduling system capable of creating consult visits within MedAptus was implemented. As a result, consult charge opportunities can now be consistently capitalized on by providers and MD Anderson is able to reconcile for anything that may have been missed for appropriate follow-up.
Reconciliation tools
In looking for help with charge reconciliation, MD Anderson needed a solution that provided support staff with full transparency of activity. In general, this staff consists of those tasked with reconciliation and those responsible for charge accuracy (typically coders). Regardless of organizational role, using MedAptus, staff are able to view the number of charges expected, submitted and missing at the provider, specialty and location level. They can also view the status of submitted charges as they are worked and approved by the coder group. Coders leverage the almost one million rules embedded within the MedAptus application which include Medicare edits, NCDs and LCDs as well as MedAptus proprietary and custom rules.
Once charges have been submitted for back-office review, the MedAptus configuration at MD Anderson allows charges to be “stamped” with specific data elements that are important to financial reporting across the MD Anderson enterprise. Prior to MedAptus, administrative staff needed to manually designate fields such as billing areas or revenue centers. Charge management automation has led to better staff productivity and increased accuracy of revenue reporting around this task.
Given all of the areas along the revenue cycle that charge capture and management technology can impact … still wondering why enhancing revenue cycle management processes is an IT challenge?
Rick Little is responsible for the implementation of software products and ongoing customer support services at MedAptus, including the implementation of MedAptus’ software solution at The University of Texas MD Anderson Cancer Center.
Guest post by Chris Giancola, principal consultant at CSC.
Looking into what’s ahead, 2013 will be another year of compliance activities dominating the healthcare landscape. Mandates on the industry, from both the ARRA and ACA, are fully underway and stretching the financial and intellectual resources of healthcare providers and insurers across the country. Here are three major compliance pressures facing the industry this year:
ICD-10 – Though the U.S. Office of Health and Human Services delayed the ICD-10 compliance deadline to October 2014, it did so back in August 2012. This early action by HHS acknowledges the enormous scope of the challenge facing providers, HIT vendors and insurers that stands to impact every administrative process and workflow. Far beyond simply recoding claims, any process involving a diagnosis will materially change because of the higher degree of clinical specificity described by the ICD-10 code set, such as obtaining referrals and lab tests for patients, providing clinical decision support and e-prescribing.
Insurers and providers also will face the challenge of understanding how the code changes may impact their bottom line by determining the financial neutrality of any potential change in diagnoses and payment for treatment of those conditions. Providers relying on vendors with fixed or appointment-style upgrade schedules should consider as early adoption as possible to reduce the potential negative impact of these changes. There also will also be a period of overlap where both ICD-9 and ICD-10 code sets will need to be supported by all participants involved, increasing the complexity of the problems looming on the horizon.
Organizations that are late on their remediation timelines will increasingly look for solutions, like selective outsourcing and alternative technical solutions that will allow them to minimize the implementation risk and operating costs of achieving necessary compliance. But, if the ANSI X12 4010 to 5010 conversion was any indicator, these alternative solutions will be offered at a premium price.
Meaningful Use Stage 2 – Stage 2 makes much of the optional menu set of objectives in Stage 1 a part of the mandatory core set, meaning that those providers who deferred as many of the optional objectives as possible now face challenges in Stage 2 they can no longer avoid. Also, in 2014, penalties for noncompliance with Stage 2 will begin to take effect, and so 2013 will be the year for many providers to buy or build new capabilities, such as web-based and device-accessible portals to satisfy patient engagement objectives and to change clinical workflows to meet Stage 2’s objectives and gather new mandated quality measures.
In Stage 2, Eligible Physicians (EPs) must complete 17 core and three of six menu objectives for a total of 20 objectives. Eligible Hospitals (EHs) and Critical Access Hospitals (CAHs) must complete 16 core and three of six menu objectives for a total of 19 objectives. Though Medicare or Medicaid incentive payments will offset some of the financial impact of implementing electronic health records, the impact to administrative and clinical staff, as well as to previously paper-based workflows, will be nontrivial.
Payment Reform – Many providers have already felt the financial impact of changes to their contracts with insurers that are implementing alternatives to the fee-for-service reimbursement models of the past. Bundled payments to providers for disease-state management will require higher degrees of care coordination and information sharing not only within delivery systems but across disparate organizations and affiliations.
Effectively managing referral networks will be a key success factor in the coming year. New payment contracts also typically require greater degrees of reporting to the insurer to ensure that quality of care is not being compromised, further increasing the burden on providers to gather, harmonize and report on clinical data previously written on paper or buried in unstructured text.
Compliance with these mandates, though not imposed by federal or state regulations, will grow to be a larger challenge as these new payment models mature and they represent a larger portion of providers’ revenue streams.
Chris Giancola is a principal consultant at technology consulting company CSC with a combination of technical skills, project and product management experience, business development successes, and healthcare domain expertise.
