Category: Editorial

Please: Don’t Say Population Health Again

Joel Splan

Guest post by Joel Splan, chief executive officer, Galen Healthcare Solutions.

On the first day of HIMSS 2014 in Orlando, I stepped into a bewildering echo chamber. “We’re doing population health,” repeated everyone, be they physicians at a hospital whose EHR system my company implemented, the IT directors of other hospitals looking to update their EHR system or competing EHR experts. Everyone was interested in buying it, and everyone was interested in selling it. On one particular walk of the floor a colleague quipped, “Will there be a prize for the one millionth person to say ‘population health?’”

Despite this obsessive buzz, nobody seemed able to define what population health is. It’s the proverbial elephant described by touch rather than sight. Is it a concept of health or a study of the various factors that affect health? Is it a course of action for the treatment of the population in its entirety or individual patients only?

The Affordable Care Act, which cites population health as an essential component of its mandate, aims to expand access to the healthcare delivery system, improve the quality of care, enhance prevention, make healthcare providers responsible for outcomes, and promote disease prevention at the community level.

All of this is commendable, but, in the end, what is population health? What does it look like? Will we recognize it if we achieve it? A friend of mine on the payer side observes that vendors claim it’s everything and providers don’t know exactly what they want it to be. Put those together and the term becomes meaningless.

There are additional questions about population health that remain unanswered. Is it an outcome, as the ACA approach suggests, or is it a foundation built on big data, analytics, ACO tools, bundled payments, systems consolidations or something else? At every HIMSS booth, the answer to these questions was a resounding “Yes.”


Tips for Risk Assessment in Healthcare IT Security

Lysa Myers

Guest post by Lysa Myers, security researcher, ESET.

Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.

How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.

How to do an EHR risk assessment

There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.


Matt Hawkins, Greenway Medical President, Leaving the Organization

Matt Hawkins

According to a letter sent to clients and posted to HISTalk, Matt Hawkins, current Greenway Medical president, is leaving the organization to accept an “exciting new leadership opportunity” outside the company.

Details were not released in the letter as to whether Hawkins is staying with Vista Equity Partners, the parent organization of Greenway. Hawkins has been with Vista for several years, including stints leading Vitera Healthcare Solutions and SirsiDynix.

Tee Green, Greenway’s CEO, is expected to take the helm.

I’m not sure if Hawkins’ departure will be felt deeply at the company or if there will be any ripple effect at Greenway since the Vista leadership team pretty much manages daily operations of the organizations it owns. Perhaps the biggest effect this development could have for clients is possible changes in strategy related to the company’s legacy systems, like Intergy and Medical Manager.

Still, this is a pretty interesting development given that the purchase of Greenway and its merger with Vitera and Success EHS is still so current.

For the record, I reported to Hawkins while I worked at Vitera in its PR department (a Sage Healthcare transplant transitioned over during the Vista transaction), but I was among the 400 to 500 laid off in 2012 as Vista restructured the company into its portfolio.

UPDATE: Hawkins has been named president of Sunquest Information Systems.

Racing toward Meaningful Use: Using a 2014 Edition Certified Technology Vendor is Vital for MU Attestation

Christina Caraballo

Guest post by Christina Caraballo, MBA, Get Real Health.

Hospitals and eligible professionals that have yet to meet their meaningful use requirements are facing a good news/bad news scenario. First the bad news: The clock is ticking, as major deadlines loom. The good news: It’s not too late to hop aboard the MU train, although some running might be required. If you’re among those seeking MU attestation this year, here are key points you need to know.

2014 Certified?

Before you take one more step, make sure your technology vendor is 2014 certified. Regardless of whether you are attesting to meaningful use Stage 1 or Stage 2, all eligible professionals (EPs) and eligible hospitals (EHs)/Critical Access Hospitals (CAHs) are now required to use an ONC 2014 Edition Certified technology to successfully attest to both MU1 and MU2.

You might have been under the impression that Stage 1 corresponds with the 2011 Edition and Stage 2 corresponds to the 2014 Edition. This is not the case, but your confusion is understandable.

What happened? When meaningful use was first introduced, the Centers for Medicare and Medicaid Services (CMS) published MU Stage 1 and the Office of the National Coordinator for Health Information Technology (ONC) published the 2011 Edition Certification; then MU Stage 2 and the 2014 Edition Certification Criteria were released within days of one another.

Here’s a quick break-down of the new timetable:


Stolen Laptops Lead to HIPAA Settlements, HHS Announces

Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.

While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.


“Flight ICD-10 Has Been Delayed, No Further Information Is Available At This Time”

Jeff Rose

Guest post by Jeffrey Rose, M.D., CMIO, TriZetto Corporation.

With a flourish of congressional shenanigans lifted almost word for word from the teleplay of Netflix’s House of Cards, the HHS-mandated 2014 transition to use of the ICD-10 coding classification was brought to a screeching one-year “delay.” We are left, once again, with “at least” another year of collecting healthcare information via ICD-9, an awful but omnipresent healthcare coding system. And more concerning, we are left with the impression that diligent and expensive work to comply with rules in a host of other areas, such as meaningful use of electronic health records, could become abruptly irrelevant. The result of the delay is that not only do we have a significant number of long-time objectors to the change to ICD-10, but they are also joined by a surge of rightfully angry and dubious ‘compliers’ who put in time and investment dollars to meet the deadline. But there are also some additional considerations given the amount of time that has passed as we prepare to make the trip.

Is this trip still worth the aggravation and expense?

The major underlying rationale of moving to ICD-10 remains laudable: to provide greater clarity to our understanding of healthcare practices through the use of better industry-standard diagnosis codes. With more granular, relevant and precise core codes at the foundation, medical quality and effectiveness studies utilizing these codes for analysis and program development were to have benefitted dramatically.

Given our desire to advance healthcare value and improve outcomes through accountable care practices (‘fee-for-value’), we must acknowledge our dependence on much better information collection for analysis than is possible from ICD-9[1]. Significant questions remain, however, as to whether the move to ICD-10, using codes still predominantly entrenched to support fee-for-service billing processes, will get us where we want to go. While we can hope the enhanced and detailed nature of ICD-10 might yield greater insight into the real value of our activities, this remains a particularly frail hope in light of the way we use the codes as revenue cycle fuel.


Data Security: Securing Community Healthcare Data and Devices

David Reynolds

Guest post by David Reynolds, IT systems manager, Rhode Island Blood Center.

Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.

While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.

Data security is a key concern for the majority of healthcare organizations in the US.  And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.

My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.

While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.

Data at Risk

Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.


Why HIE is Frightening

Judy Chan

Guest post by Judy Chan, president, HealthPro Consulting.

Burgeoning EHR implementations nationwide attributable to the meaningful use incentive program have created a surge in HIO and electronic health information exchange (eHIE).

Having health information available for electronic exchange is generally accepted as beneficial to patients, providers and payers. Providers can access patient information from other providers when they need it, where they need it. Providers are able to avoid duplicating lab tests, scans and x-rays, which saves the payers dollars. Additionally, patients don’t need to remember what treatments were administered or drugs prescribed and can avoid unnecessary exposure to radiation.

In emergency situations, the benefits of having a patient’s health information available to emergency room staff are obvious. Patients who have experienced referrals in the course of diagnosis and treatment also readily see the advantage of not having to hand-carry all of their medical records from one doctor’s office to the next. The electronic exchange of health information among providers eliminates faxes, paper work and phone calls.

Patient’s perspective

What makes the exchange of health information frightening to patients?

1. Your health information is available to others who have a legitimate need.

2. Consent must be given by the patient to share their information.

3. You must trust the distributor of your information.

4. You should monitor your data on a regular basis and make corrections when necessary.

5. Information could be accidentally released without your permission.

6. Your consent is electronically recorded by multiple systems.

Do these risks sound familiar? They should, because they are not very different from the risks associated with credit rating agencies that have recorded your financial transactions for years.
