Guest post by Joe Cernik, vice president business development, eMedApps.
CMS and ONC recently announced an initiative (read: funding) to connect a variety of providers to health information exchanges, expanding the list of eligible providers to include long-term care, behavioral health and substance abuse treatment providers. Meant to increase the sustainability of HIEs and support improved access to the right patient data at the right time, the increased funding supports categories of providers that have been slow to adopt HIE technology.
The intent of increased funding for HIEs translates to better, more comprehensive access to patient data, improved patient care and reduced costs.
From a recent CMS blog post: ‘The great promise of technology is to bring information to our fingertips, connect us to one another, improve our productivity, and create a platform for the next generation of innovations. Technology, when widely distributed and available, enables providers to improve patient care by distributing information and best practices leading to better experiences of care for individuals in the health care system.” *
What does expanded funding for HIE connectivity mean for patients and providers?
One organization making the most of the initiative is the Massachusetts League of Community Health Centers, the statewide primary care association representing and serving the needs of the state’s 49 community health centers (CHCs). This organization partnered with eMedApps (infographic author below), to define a programmatic approach to onboarding CHCs to the IHE and extending the value of the funding increase.
Ellen Hafer, MTS, MBA executive vice president and chief operating officer for the Massachusetts League of Community Health Centers, shared her insight and experience connecting disparate providers to the Mass HiWay: “Health information exchange is critical as I envision it for quality of care in the short run now as well as the long run. Much of those benefits revolve around connecting disparate aspects of the care continuum at the community-health level. Community Health Centers (CHCs) are often independent organizations who serve as primary care providers, social support agencies and economic engines transforming their communities, one patient at a time. Many offer integrated care, but it’s across the spectrum of clinical specialties like behavioral health or oral health and not necessarily the full complexity of medical specialties. The information connection to behavioral health and substance abuse treatment in high risk populations extends the care continuum where it’s needed.”
Reports state that only 39 percent of physicians share data using a health information exchange (HIE). There is even a lower number of only 14 percent who electronically share data with ambulatory care providers or hospitals outside their organization. While these numbers may seem astounding to some with Stage 2 fast approaching — the reason is clear. Because even though providers want to share health information electronically they are hindered by EHRs that can’t communicate with one another, lack information-exchange infrastructure, and the high expense of setting up electronic interfaces and health information exchanges.
Below are the top reasons why EHR sharing remains low for adoption:
Lack of Interoperability. The majority of providers and physicians have acknowledged lack of EHR interoperability and exchange infrastructure as major barriers to health information exchange. They have also identified the cost of creating and maintaining interfaces and exchanges as a major barrier.
Lack of Advanced Technology. Over the last few years, various HIE systems have been developed, but many have failed for technological and organizational reasons. High-level issues must be addressed to implement an HIE successfully, including disparate EHR and HIS systems. Most previous HIE research focused on high-level issues and evaluating impact on healthcare delivery, ROI, Syndromic Surveillance, etc.
Lack of Security and Streamlining. Quantitative measures are crucial to the long-term sustainability of HIEs. Interoperability of patient data doesn’t effectively address concerns on privacy, productivity, workflow and costs. Streamlining HIE access through integration with electronic health records to minimize workflow interruption, and keeping costs reasonably low for providers, may increase participation.
Lack of Affordability and Productivity. The cost and loss of productivity are major barriers to HIE adoption. While there are many compliant products on the market, not all of them provide cost savings and lead to efficiency or increased productivity.
The purpose of EHR and HIE is to make patient specific information available at the point of care to improve the delivery and quality of care. Interoperability of patient data no doubt has many advantages, including improved care coordination, elimination of paperwork, reduction in duplicate tests and reduction of medical errors. It is imperative to develop a long-term plan for standards and interoperability that will support competing public and private-sector Interoperability efforts. We should also encourage clear regulation on compliance with federal privacy and security laws. There should also be national benchmarking to share best practices and lessons learned. There should be significant cooperation among primary-care providers, medical specialists, long term care providers and hospitals to outline common information sharing needs promoting a value-based care.
Guest post by Egor Kobelev, software delivery manager — healthcare, DataArt.
There are a lot of organizational and technical challenges health information exchanges (HIEs) struggle with while trying to deploy and maintain their platforms. One of the most complex organizational and administrative challenges is to achieve sustainability. While that is often an ultimate goal for HIEs, there is a huge amount of smaller technical challenges to meet, and the way those challenges are responded to often makes a difference for future HIE sustainability.
One of those typical tasks in the industry is a patient look up and mapping. There is a well-known issue when it comes to any sort of health data integration – the lack of a global unique patient identifier. Thousands of existing healthcare providers and payers use their own internal identifiers and there is no easy way to establish a relation between these. Social Security Numbers or similar national identifiers, while useful in some of scenarios, are not suitable for the purposes of healthcare record identification, primarily because of the risks of HIPAA rules violation.
The good part of the story is the amount of talks regarding a National Patient Identifier (NPI). For instance, HIMSS is proactively driving the initiative of introducing NPI, so that eventually patient mapping, which is currently a challenge, will be routine. However, the reality is that we are pretty far away from having NPI legislated and deployed in healthcare organizations nation-wide. At the same time, as many as 8 percent to 14 percent of patient records have errors caused by mismatching patient identifiers, which in turn causes hundreds of millions of dollars in spending to repair and reconcile the records. So, while we are waiting for NPI to come, what would be a solution which is HIPAA compliant, provides high accuracy, throughput, and minimizes manual interventions at the same time?
David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.
What issues do healthcare leaders face from a security perspective?
Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few. On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.
Why? What can they do about this?
Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.
How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?
HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.
How is/will meaningful use impact healthcare? Are there security issues?
While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.
How has the push toward EHRs changed the security of healthcare? In what ways?
As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.
In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?
Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.
What are some of the most overlooked security protocols?
First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.
Is the health IT market overly paranoid when it comes to security and breeches?
Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.
How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?
I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.
Here is what is irrelevant: 1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.
Anything else you’d like to mention that I haven’t asked?
First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.
The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC. Serving last as the EVP of Operations for Healthlink.
Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security. He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.
Lack of healthcare interoperability continues to throw its weight in the road of progress, stopping much traffic in its tracks.
But you know that already, don’t you; you work in healthcare IT. That electronic health records lack the ability to speak with their counterpart systems is no surprise to you. In fact, it’s probably caused you a great deal of frustration since the first days of your system implementation.
From my perspective, things are not going to change very soon. There’s not enough incentive for vendors to work together, though they can and in many cases are able to do so. The problem, though, is that vendors are not sure how to charge physicians, practices, hospitals and healthcare systems for the data that is transferred through their “HIE-like” portals that would connect each company’s technology.
The purpose of this piece is not to diverge into the HIE conversation; that’s a topic for another day. However, this is a piece about what have recently been listed as the biggest barriers physicians face when dealing with the concept of interoperability.
The magazine cites a study in which more than 70 percent of the physicians said that their EHR was unable to communicate electronically with other systems. This is the definition of a lack of interoperability that prevents electronic exchange of information, and ultimately will fuel health information exchanges.
It is notable that 30 percent of physicians said that their EHRs are interoperable with other systems. That makes me wonder if this is a verified fact or perception only verified by a marketing brochure.
Another barrier, according to the report, is the cost of setting up and maintaining interfaces and exchanges to share information. According to this statement, physicians are worried about the cost of being able to transmit data, too, which puts them in line with vendors, who, like I said, are worried about how they can monetize data transfer.
An interesting observation from the piece: “Making progress on interoperability will be essential as physicians move forward with different care delivery models such as the patient-centered medical home and the medical home neighborhood.”
What amazes me about this conversation is that given the purported advantage employees gain from the mobile device movement and how BYOD (bring your own device) seems to increase a staff’s productivity because it creates an always-on mentality. I don’t think it’s a stretch to think the same affect would be discovered if systems were connected and interoperable.
An interoperable landscape of all EHRs would allow physicians and healthcare systems to essentially create their own always on, always available information sharing system that would look a lot like what we see in daily lives with the devices in the palm of our hands.
Apparently, everyone wants and interoperable system; it’s just a matter of how it’s going to get paid for. And moving the data and the records freely from location to location opens up the health landscape like a mobile environment does.
Simply put, this is one issue that seems to resemble our current political landscape: a hot button issue that needs to be addressed but neither side wants to touch the issue because no one wants to or is able to pay for it.
One of the problems with this approach is that if we wait long enough, perhaps interoperability also will be mandated and we’ll all end up on its hook.
So, let’s take a lesson from the mobile deice world and allow for a greater opportunity to connect healthcare data to more care providers on behalf of the patients and their outcomes.
Some of the most concise, yet useful, information about health information exchanges must come from Medicity. In a “primer” page (that might be written for the HIE novice) there’s quite a nice bit of information about the importance of the technology.
Obviously, Medicity is biased, as HIE is what it does, but I admit that after reading some of the points Medicity makes about the importance of HIEs, I’m sold (though I already was).
Let’s dig in.
As we know, health information exchanges help connect healthcare providers with information they likely would not have through paper records, and in many cases, not even with electronic health records as the EHRs are often fragmented or don’t depict the entire health scenario of a patient.
As noted by Medicity, HIEs help create efficiencies in the care setting in many ways, primarily by helping make information available across many platforms and even across many care locations.
Additionally, and I’m paraphrasing here: HIEs help reduce duplicate testing of patients; help create a more complete picture of a patients’ care and prior treatment protocols; and they help eliminate costs and fees associated with redundancies.
The best case I can make for an HIE (probably for an EHR, as well) is a story from a former colleague. Her mother was diagnosed with an aggressive form of cancer. At best, she was given months to live. However, after multiple specialist visits, redundant tests, labs and scans delivered the same information as the previous test, the woman died just a few weeks after initial diagnosis.
Moral of the story is this: according to my colleague, for every specialist she and her late mother visited, each one requested the same tests as the previous doc because the doc didn’t have an accurate, or complete, record. To make matters worse, the records were paper. My former colleague said the task of trying to assemble a complete care record was beyond arduous, not to mention difficult to construct given the red tape each practice had in place as the gate keeper of the records it kept.
If only the information had been in a single repository, perhaps her mother wouldn’t have wasted so much time on taking the same tests and she could have received the care she needed, my colleague said. I agree.
So does Medicity, which operates on the belief that HIEs change all of that. Simply and clearly put, HIEs “break down silos and make information available” to providers at virtually any location that’s connected to the HIE when the information is needed and required.
HIEs, like EHRs I suppose, can change and possibly save lives. Interestingly enough, at least to me, is that HIE’s lag in favor or in the very least have a history of not being able to generate the support they need to thrive (perhaps survive?).
As the government continues to place more importance on the availability of health information through exchanges and electronic records, the market will find a way to monetize HIEs (probably the biggest hurdle vendors face when considering whether to develop technologies to support them).
There are now, though, several vendors with their own HIE-like devices that can function within their EHRs the same way their patient portals work. They are able to trasmit data to other users of their company’s specific technology.
As these vendors continue to develop their own HIEs, and try to sell them, it will be interesting to see which technology – private or public – will be adopted by the healthcare community.
Patient engagement will continue to become more popular as consumers take greater ownership of their care and begin to discover that their health information should actually be easier to access because of electronic health records and patient portals. However, patients must have reason to engage for this trend to become less of a trickle and more of a flood.
Healthcare technology is meant to allow more access to, and increase the availability of, patient’s health information. At least that’s one of the desired outcomes of the push (meaningful use and federal incentives) to lure physicians to adapt the systems.
Sterling Lanier, CEO of Tonic Health, succinctly sums up lack of patient engagement in a recent editorial published by For the Record magazine.
In it, he states that healthcare, like government, is filled with vernacular and jargon – HIEs, EHRs, ACOs, HIT, et al. – and the more these terms continue to be used, the less likely patient consumers are going to interact and engage with the healthcare community, and to take ownership of their own care outcomes.
As Lanier notes, and as I have often thought, to bring patients into the conversation, they have to be treated like consumers and they must have a reason to “buy” into the system. In this case, consumers must “buy” the information given to them. If they buy and own it, they’ll want more of it, or so goes the prevailing thought.
But simply speaking in terms the natives will understand isn’t enough. Consumers need to better understand how the technology they encounter at the doctor’s office helps produce better care outcomes. They may need some education and certainly they need some engagement once the systems are in place and being used during the visit.
Though patients will interact with the EHR less frequently than other technology they encounter, such as the patient portal (which they can actually use and interact with on their own), that doesn’t mean the EHR should be ignored during the interaction or treated as a foreign concept. In most cases, let’s remember, healthcare is actually behind many other consumer markets so consumers are actually more versed in the use and capabilities of similar systems outside their doctor’s office. Besides, we’re like children with devices and must test drive things like smart phones, televisions and computers as we learn to use them; we like to get our hands on the technology to try it out to satisfy our child-like need to see with our hands.
Even though patients can’t “touch” their EHRs, we can watch the information we provide our doctors being entered into the system; we can speak with our caregivers as they toggle and tab; and we can engage clinicians as they review our profiles and medical records. As a patient of a doctor with an EHR, I ask questions about the system: what it does, who makes it, why it was chosen and if it layout closely resembles the clinics’ past paper charts. I feel better about the little details and doing so makes me feel as though my doctor is listening to me during the visit.
Asking me these questions engages me more in my healthcare, and more than likely, engages my doctor in my care and outcomes.