David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.
What issues do healthcare leaders face from a security perspective?
Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few. On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.
Why? What can they do about this?
Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.
How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?
HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.
How is/will meaningful use impact healthcare? Are there security issues?
While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.
How has the push toward EHRs changed the security of healthcare? In what ways?
As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.
In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?
Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.
What are some of the most overlooked security protocols?
First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.
Is the health IT market overly paranoid when it comes to security and breeches?
Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.
How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?
I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.
Here is what is irrelevant: 1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.
Anything else you’d like to mention that I haven’t asked?
First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.
The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC. Serving last as the EVP of Operations for Healthlink.
Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security. He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.
Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire
In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules will took effect on March 26 and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?
First, it is important to note that the new rules are really just formalizing and strengthening many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach, as well as increases the penalties applied around non-compliance.
James D. Brown
Also, the biggest change that should be noted is that the regulations between business associates and subcontractors (for example a health information organization and its cloud service provider), are now assumed to be held to a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited liability should HHS come knocking. Under new regulations, it is clear that any healthcare provider that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.
Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shake out in the business associate companies – healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that actually will be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.
It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.
Here are the top five issues that organizations need to be aware of:
1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is in full scope now.
2. Lack of solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.
3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies need to complete a thorough risk assessment of the storage, processing and transition of ePHI data. This risk to data needs to be clearly defined and any controls that are in place need to be outlined.
4. Controlling the flow of ePHI data via mobile devices. While there is not a requirement within HIPAA that addresses mobile devices, iPads, iPhones, and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.
5. Encryption. There seems to be a lot of confusion around encryption as many people translate this addressable specification as being optional. Some organizations see “encryption” and after evaluating what it entails, decide that it costs too much money or translates as optional. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.
We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliance data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.
James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.
Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.
Guest post by Dan Tully, executive vice president, Conduit System.
IT is not a sink hole. IT is not a cost center. IT is not a fad. This is especially true when it comes to healthcare. In fact, carefully calculated IT investments can produce a range of strategic and operational benefits for healthcare/hospital administrators, practice managers and more, which include enabling advanced technology and accelerating innovation.
How you ask?
IT Investment Affects the Bottom Line
Strategic investment into IT operations is a foundation for building revenue. To understand how, one must look no further than your average mid-sized healthcare operation and how process can be improved:
Administration
Fluid output from nurses stations; simplified statistic, biometric and medication reporting; linking of disparate department systems
Human Resources
Streamlining the hiring processes; simplified expense report and vacation request procedures; compliance with complicated regulatory measures
Finance
Reliable monitoring of capital investments improved data and measurement capabilities; compliance with healthcare-related finance ruling
The up-front and hidden costs of downtime caused by unforeseen disaster can also be mitigated through proper investment in IT outsourcing. Organizations and practices operating on disk-to-disk backup are at a significant disadvantage compared to those employing more modern technology.
Implementing cloud-based solutions that combine local caches of files with full-time cloud backup boast advanced performance levels and functionality. It also allows for unlimited data growth, little to no network performance lags and true disaster recovery as the data can be pulled from the cloud and reconstituted anytime, anywhere.
Big Picture, Big Results
Average IT staffs are tasked with keeping the proverbial ship afloat on a daily basis. With an investment in managed IT services, on-site and high-level staff can focus on the above-mentioned projects that ultimately fuel growth and provide return on investment. If your operation needs to embark on a replacement/upgrade project that requires the complete attention of your IT staff, contract engineers and support teams can handle the daily minutiae. An added bonus? Relieving the burden can promote happiness, motivation and creativity among full-time employees.
Investment in IT Allows You to Focus on What You Do Best
Let’s face it – IT is a necessity. It’s essential no matter what part of the healthcare industry you belong. Overall investment in IT operations and support allows top officials to focus on what they do best: manage operations and improve patient outcomes. There’s certainly nothing trendy about that.
Increasing operational efficiency will be critical for healthcare providers this year in anticipation of the full implementation of the Affordable Care Act in 2014.
The law will mean thousands of previously uninsured patients will now have healthcare coverage, which is expected to sharp increases in visits to physician offices. This influx of patients will mean that physician offices will have to operate as efficiently as possible to control costs while handling the new demand.
Physicians and staff won’t have the time to search through paper files, which are inefficient in the best of times and will become only more so as the number of files grows along with the number of patients.
If a patient needs his or her records for a lab, hospital or another medical facility, referral to another physician or for some other reason, he wants to know to be able to have the records quickly and know that they are stored safely.
The growing files also mean storage issues for paper documents. Physical space isn’t an issue for electronic storage.
“Productivity has increased 100-fold,” since installing Digitech’s ImageSilo ECM says John Herndon, manager of IT, patient accounts at the University of Illinois at Chicago Medical Center. “We’re able to access information in almost real time. The reporting structure is excellent. I like the audit trail – especially in healthcare, that’s extremely important. The ability to follow the document allows us to stay in control.”
The inefficiencies of paper documents from a business perspective are essential from a business perspective of running a physician or medical practice. ECM is critical from a compliance standard as well for medical practitioners who want to take advantage of the government incentives offered for converting to electronic health records.
Medicare, Medicaid Considerations
To continue to participate in Medicare and Medicaid healthcare record (EHR) incentive programs, eligible medical professionals as well as eligible hospitals and critical access hospitals must meet the government’s “meaningful use” requirements.
Eligible professionals can receive up to $44,000 through the Medicare EHR Incentive Program and up to $63,750 through the Medicaid EHR Incentive Program “to implement, upgrade or demonstrate meaningful use of certified EHR technology,” according to the federal government’s Centers for Medicare and Medicaid Services.
Implementation of an ECM system enables a medical provider to achieve compliance for Stage 2 of meaningful use requirements and to be prepared for implementing Stage 3.
However, simply moving to electronic files is only part of the solution. Just as a physician and his or her staff don’t have them time to be shuffling through paper records, most also don’t have the technical expertise or the desire to install and maintain hardware and software.
Go to the Cloud
So the answer is an ECM system that is deployed via the cloud, using Software-as-a-Service. Such a deployment means that the medical office doesn’t need to install and additional hardware, and any software patches or other updates are handled by the supplier. This means that there are no capital expenditures (e.g., computer, server or additional storage capacity) to get started. The physician or medical office pays for the on-demand service on an as-you-go basis, meaning the user can deduct the cost as an operating expense as incurred for tax purposes, rather than capitalizing and depreciating expenses over several years.
Another important factor is that since a cloud-based solution isn’t housed on site, there’s no fear of losing data in the event of a natural disaster or a power outage. Make sure that the provider has redundant, geographically distributed data sites. This ensures that in the case of a regional disaster, like Hurricane Sandy that the records are still intact and easily retrievable through an Internet browser. Similarly, the provider should have sufficient capacity and systems to provide a 99.9 percent up time guarantee.
Other Considerations
In evaluating ECM solutions, it is also critical that a healthcare provider scrutinize some other elements of the offering. It should work seamlessly and integrate easily with other commonly used applications, like Microsoft Office. Similarly, it should enable the user to view hundreds of different types of files.
The solution should include encryption capabilities and multiple layers of security to ensure patient privacy and data integrity. Extensive audit trails, security controls and easy implementation of records retention of records retention and destruction capabilities are necessary to meet government and industry regulations.
Extensive, full-text search capabilities that support synonym, fuzzy logic, natural language and other functionality are critical to making the retrieval of records truly fast and efficient.
Conclusion
ECM is essential for medical providers to handle the flood of new patients expected from full implementation of the Affordable Care Act in 2014. By installing such a system in 2013, providers have the time to learn how to best benefit from the efficiencies of an electronic system before the onslaught of new patients comes in 2014. A cloud-based solution relieves the technical and capital expense complications and enables a medical provider to start using ECM immediately.
One thing recently became increasingly important to Metro Imaging and Radiology, an independent radiology practice with five locations throughout St. Louis, Missouri: meeting meaningful use.
In 2012, Metro Imaging added an electronic health record after having used NextGen’s billing system for several years. Along with the EHR, the chain added the Anoto digital pen.
With more than 100,000 annual patient visits, the practice sought a viable solution to help streamline the intake process and reduce some practice inefficiencies, like scanning and filing paper patient forms.
“We knew it was going to be difficult to reach meaningful use, and we needed something that was going to be very efficient,” said Christine Keefe, chief financial officer at Metro Imaging. “We couldn’t have anything that slows us down too much.”
The Anoto pens seemed like the best solution. The pen stays charged for 10 hours and can hold 200 pages filled out top to bottom.
The practice was sold on the pen because of its ability to capture the information being entered onto paper forms, especially the patient intake forms. According to Keefe, the pens were only considered based on a recommendation from it NextGen representative, but since implementing it, they have completely done away with any manual scanning of patient forms.
On top of that, the clinic has completely gotten rid of paper (except for the patient in take forms used at the front of house) and it no longer keeps papers files.
The first week following implementation was the most difficult, she said, but since everything has settled back to normal and there have been no hiccups. The EHR was probably a more significant change than adding the pens. After all, the patients rarely notice there’s something different about the slightly larger ball points.
The pen captures the data entered into the fields of the paper forms by the patient through a small camera on the pen. It snaps 70 images per second as a patient enters the required data, storing until the pen is docked on a charging station, at which point it downloads all of the information contained into the practice’s EHR through a USB port.
“A great thing about the pen is that you can dock it, ignore it and by the time you’re done doing other things, everything is downloaded and you can use it again,” Keefe said.
An immediate benefit, other than reducing the amount of manual input required of clinical staff is that the forms that are used by the practice are customized and capture data in a structured manner.
Staff that previously focused on transcription, scanning and filing now have had their resources reallocated to claims and billing administration and patient relations. For example, staff has more time to follow up with patients and address any billing and claims issues that come up.
The practice currently uses 25 pens; five per practice. Each costs $385 and there is a $1,000 license fee. Additionally, the practice pays a regular maintenance fee. The pens can be used for hours without re-charging and can capture multiple people’s records without needing to be docked.
The pens are also Bluetooth-enabled and can transmit information wirelessly back to a healthcare setting, making them appropriate for home health workers and others that work outside the four walls of the practice.
They are the ideal technology too, since today more than 80 percent of physicians still rely on traditional pen and paper to capture patient information. Finally, digital pens offers a simple, alternative way to capture data and transfer it into an EHR, especially for physicians concerned about a computer or tablet PC getting in the way of their patient’s experience.
“We like the flexibility the pens have created for us,” said Keefe, “anything to cut down on work at the front desk.”
Metro doesn’t use them in the clinical setting yet, Keefe said, but there has been some interest in bringing them into the exam room. If things continue to go as smoothly as they have, that decision would be like hand meeting glove.
Dr. Juergen Fritsch, co-founder and chief scientist of M*Modal Inc., discusses the company, how it is used in the care setting, the market trends and where it is going.
What is M*Modal?
M*Modal is a leading healthcare technology provider of advanced clinical documentation solutions, enabling hospitals and physicians to enrich the content of patient electronic health records (EHR) for improved healthcare and comprehensive billing integrity.
As the largest clinical transcription service provider in the U.S., with a global network of medical editors, M*Modal also provides advanced cloud-based speech understanding technology and data analytics that enable physicians and clinicians to capture and include the context of their patient narratives in a single step into electronic health records, further enhancing their productivity and the cost-saving efficiency and quality of patient care at the point of care.
Why is it disruptive and important to the community?
M*Modal’s technologies are disruptive because they empower physicians with the ability to make informed decisions at the point of care, one of the most critical factors in reducing healthcare costs and improving patient outcomes.
M*Modal’s solutions are important because they are designed for healthcare by healthcare experts. As such, the solutions understand multiple dialects, accents and cadences, pull from a repository of more than 200,000 physician voices in the cloud and are only medically focused.
What is its potential?
M*Modal has the potential to transform the way the entire healthcare industry leverages advanced clinical documentation technologies and services, ensuring that all stakeholders across the healthcare spectrum, from the patient to the coders on the back end, benefit from the advanced clinical documentation workflows available in today’s and tomorrow’s healthcare settings.
Who’s using it? Why? What is the ROI?
M*Modal provides hospitals and physicians with the healthcare industry’s most advanced clinical documentation solutions. These stakeholders use our solutions to enhance how healthcare professionals capture and manage clinical documentation for improved quality, cost savings, reimbursements, compliance and patient care. Examples include enriching electronic health records for patient care quality and comprehensive billing integrity.
In terms of ROI, our technologies can identify documentation deficiencies and address them via closed-loop workflows, which improve the quality of the clinical patient note and increase the efficiency of documentation processes. Our advanced clinical documentation tools drive adoption of electronic health record systems, saving providers time & expenses.
How did it start? What is it doing to advance?
M*Modal grew out of research performed at Carnegie Mellon University in the late ’90s. The company’s founders developed a radically new technology for understanding conversational human interactions on the telephone. The technology proved to be an even better match for dictated clinical notes as created by healthcare professionals throughout the United States and elsewhere. Today, M*Modal processes millions of hours of verbal healthcare documentation for more than 200,000 physicians each year.
To advance our impact we are also focused on forging partnerships. We just announced several new partnerships with major industry players such as 3M, Optum and Intermountain Healthcare and we have established partnerships with top providers of electronic health record systems, including Epic, Allscripts and Merge. We are constantly working with partners to develop and address industry challenges as they arise.
How is it used in the care setting?
Our advanced speech and natural language understanding technology is used in a wide variety of clinical and administrative healthcare workflows, for example enabling physicians to interact with their clinical systems via voice anytime, anywhere, using their preferred device. This enables instant access to critical information for patient care, allowing providers to spend more time with the stakeholder that matters most – patients.
Additionally, hospitals and practices are using our solutions to analyze vast amounts of unstructured clinical documentation, identify documentation deficiencies and close care gaps. Traditional electronic health record systems do not provide this level of insight and so our solutions fill a critical need that becomes more and more important as we progress from a fee-for-service to a value-based reimbursement and accountable care model.
Tell me something about transcription tools that nobody seems to know.
Our advanced speech and natural language understanding technology has made the process of turning dictated physician notes into structured clinical documents roughly twice as fast as a traditional transcription workflow. On top of that, transcription services are slowly but steadily evolving to also include data validation services. That trend will continue as hospitals seek to lower their cost and free-up physicians to spend more of their time caring for patients rather than dealing with technology.
Should patients care about speech recognition?
Many patients are already familiar with speech recognition technology through their use of off-the-shelf consumer products that some of them are using at home. In my view, it is less the speech recognition technology that they should care about, but the significant advances that we have made in the past few years around computers understanding natural human language. That technology together with the vast and ever growing amounts of “big data” that are being created in healthcare is allowing physicians and other care providers unprecedented insights into healthcare outcomes and ultimately will be a key driver of improved healthcare.
What do you see as the most important health IT trends currently affecting the market? Why?
The most important health IT trends that’s affecting the market today is the move toward a more outcome- and prevention-based reimbursement models. Rather than paying for services provided, the market will shift rapidly toward paying fixed budgets to manage different types of diseases, particularly the costly chronic ones such as heart disease, diabetes, etc. Healthcare information technology is adjusting to this and is developing new solutions that are focused on personalized medicine to prevent diseases rather than just supporting the treatment of them once they occur.
Where are we going as a market?
As I noted earlier with the new outcomes-based focus, I would say that we are rapidly moving toward a more sustainable healthcare cost model, with a much improved focus on disease prevention and personalized treatment plans.
What is the number one complaint you hear regularly from caregivers?
By far the number one complaint is that outdated, inefficient technology is bogging them down, requiring them to spend more time in front of the computer, leaving less time to take care of their patients. In part, this stems from the fact that many hospitals have bought into decades-old electronic health records systems with inefficient workflows that slow down physicians, particularly in today’s world of increasing data capture requirements. But there is also a generation of newer information technology on the market now — such as speech and natural language understanding technology — that actually help improve physician productivity while also providing better insights into their patient population. The bottom line is: physicians and hospitals need to closely follow the healthcare IT market to identify the tools that can drive their efficiencies and improve their outcomes.
What are caregivers most excited about?
Many care givers are excited about mobile devices — mostly about tablets like the iPad Mini. It allows them to do many of their tasks more efficiently while on the go, even sharing a lot of information effectively with their patients. Virtual assistant technology is also of great interest to many physicians, particularly in combination with mobile devices. You will see many new mobile apps hitting the market in the next few years that will allow care givers to verbally ask complex questions about their patients’ health record and get answers within seconds.
What piece of regulation would you like to see abandoned? Adopted?
I’d like to focus on pieces of regulation that I would like to see adopted more readily or more expediently. The key ones for me are interoperability standards and the respective regulation found in the ARRA HITECH Meaningful Use program. Almost every other industry has embraced interoperability. You can get cash at virtually any ATM in the world — but you can’t transfer your electronic patient health record from one EHR provider to the next (at least, not without major effort). We need to change that, and we need to do it quickly. Regulation can help with that.
Dr. Juergen Fritsch is co-founder and chief scientist of M*Modal Inc. where he leads research efforts in the fields of speech and natural language understanding for clinical documentation. His work focuses on building and improving a medical language understanding system that is based on standardized medical ontologies and vocabularies while employing statistical algorithms to learn from vast amounts of linguistic data. He has published more than 20 peer-reviewed papers and has been granted five patents on original speech recognition and natural language processing research. Juergen received his Ph.D. (1999) and M.Sc. (1996) degrees in computer science from the University of Karlsruhe, Germany.
In light of recent reports that nearly 220,000 hospitals, office-based physicians and other eligible professionals have received more than $12 billion in federal incentive payments, I thought I’d highlight the top questions as featured on CMS.gov’s FAQ section.
But, a little perspective first. According to Modern Healthcare, to this point, 3,757 hospitals, or 75 percent of the 5,011 U.S. hospitals that are eligible to receive federal funds under the program, have received an EHR incentive payment.
Also, “215,500 physicians and other EPs, or 41 percent, of the 527,200 total physicians and other professionals deemed eligible to participate, have been paid. Some 85 percent of hospitals and 70 percent of physicians/EPs are registered under the programs, the CMS reports.”
So, back to the original story: CMS.gov’s Frequently Asked Questions and the answers. If you’re not aware of the resource, it serves a broad base audience with a smattering of questions and responses. For example, there a variety of topics including billing, e-health, data navigation, EHR incentive programs, well, you get the point.
Here’s a short list of some questions and their answers:
How and when will incentive payments for the Medicare Electronic Health Record (EHR) Incentive Programs be made? For eligible professionals (EPs), incentive payments for the Medicare EHR Incentive Program will be made approximately eight to 12 weeks after an EP successfully attests that they have demonstrated meaningful use of certified EHR technology. However, EPs will not receive incentive payments within that timeframe if they have not yet met the threshold for allowed charges for covered professional services furnished by the EP during the year. Payments will be held until the EP meets the threshold in allowed charges for the calendar year ($24,000 in the EP’s first year) in order to maximize the amount of the EHR incentive payment they receive. Medicare EHR incentive payments are based on 75 percent of the estimated allowed charges for covered professional services furnished by the EP during the entire calendar year. If the EP has not met the threshold in allowed charges by the end of calendar year, CMS expects to issue an incentive payment for the EP in March of the following year (allowing two months after the end of the calendar year for all pending claims to be processed).
What is CMS? The Centers for Medicare & Medicaid Services (CMS) is a branch of the U.S. Department of Health and Human Services. CMS is the federal agency which administers Medicare, Medicaid, and the Children’s Health Insurance Program. Provides information for health professionals, regional governments, and consumers. Additional information regarding CMS and it’s programs is available at http://www.cms.hhs.gov/.
When eligible professionals work at more than one clinical site of practice, are they required to use data from all sites of practice to support their demonstration of meaningful use and the minimum patient volume thresholds for the Medicaid EHR Incentive Program? CMS considers these two separate, but related issues. Meaningful use: Any eligible professional demonstrating meaningful use must have at least 50% of their of their patient encounters during the EHR reporting period at a practice/location or practices/locations equipped with certified EHR technology capable of meeting all of the meaningful use objectives. Therefore, States should collect information on meaningful users’ practice locations in order to validate this requirement in an audit.
How do physicians join or leave a group? If both the physician and the group are already enrolled with the same carrier, the physician and the group together are required to complete a CMS 855R showing the date the physician joined the group and reassigned benefits to the group. If a physician leaves a group, the physician or the group should complete the CMS 855R, showing the date the physician left the group. When leaving the group, the CMS 855R does not need to be signed by both the physician and the group. If either the physician or the group have not enrolled with the carrier, they must first complete the appropriate CMS 855 for either an individual (CMS 855I) or group (CMS 855B) before the reassignment can be effective.
Your smartphone a medical device? There’s a possibility that this could happen as Washington and its players continue to evaluate whether in the Food and Drug Administration should regulate mobile apps technologies, including health-related apps.
Based on the interpretation of the current administration’s perspective of mobile health innovation and regulation and how those innovations benefit patients will likely determine whether regulation, and ultimately, taxes are assessed on them.
Mobile health apps can range from an iPhone app that monitors diet to mobile or wireless technologies used in hospitals and home-care settings.
Obviously, developers and those producing the apps want more clarification on the issue. As expected from a federal agency, the FDA has issued draft guidance in 2011 according to Modern Healthcare about how it plans to oversee mhealth apps, but nothing final has been released. So, what we’ve seen may not ultimately be what we get.
Some people believe health apps will help solve the overwhelming cost crisis in healthcare; thus, shackling them with additional oversight, taxes and regulation will stifle a burgeoning industry. As such, according to Modern Healthcare, there needs to be “’predictable, transparent and risk-based regulation,’ the value of interoperability, and reimbursement policy that aligns stakeholders.”
I couldn’t have said it better myself, and I agree with the fear that some lawmakers have about a concern that FDA regulation of smartphones, tablets and apps could mean those technologies are subject to the medical device excise tax, a 2.3 percent tax on the sales of certain devices that went into effect in January.
The tax is part of the Patient Protection and Affordable Care Act and is considered the device industry’s contribution to financing healthcare reform.
In a March 1 letter to FDA Commissioner Dr. Margaret Hamburg (PDF), the House committee leading testimony asked the FDA to clarify whether the smartphones and mobile health apps will be subject to the tax. No response as yet. Not surprising. Additionally, leadership also requested that the agency provide information about when it plans to issue final guidance on how it plans to oversee mobile medical apps.
“Most Americans have no idea that their smartphone, tablet or the mobile apps that have become part of their daily lives could be subject to added red tape or a new tax under Obamacare,” Energy and Commerce Committee Chairman Fred Upton (R-Mich.) said in a news release.
According to the Washington Post, “In 2012, Congress gave the FDA the green light to define which medical apps would require its attention. The agency has asked for comment on a proposal that would give it regulation authority over accessories to existing medical devices, such as apps that show MRI scans, as well as apps and accessories that transform mobile devices into regulated medical devices, such as attachments or apps that turn smartphones into heart monitors.”
For those with an interest at stake here, they should feel some level of concern, no matter the side of the isle they happen to sit. Further regulation, and definitely taxation (especially at the app user level), will destroy the momentum gained by these tools to the market since they’ve been developed.
In the very least, the seemingly unending and elusive patient engagement game that plays on may find itself put on pause as this has the potential to once again remove personal control of tools designed to help manage and improve one’s health and to regulate it.
In many ways this seems like a sin tax. High taxes are used to get people to quit bad behavior, like smoking. When the prices gets too high, they (ideally) quit.
