Guest post by James Bindseil, president and CEO, Globalscape.
Health IT has reached a pivotal crossroad: On one end, consumers’ expectations for more timely care and instant access to health files and records continue to skyrocket; on the other, security and compliance risks are more complex and threatening than ever before.
This leaves health providers in a precarious position: should they prioritize security and compliance, or productivity and care?
In a perfect world, the answer would be all four. Unfortunately, today’s health IT landscape — which is going through a rapid and significant transformation to keep up with evolving compliance mandates, new demands around access to patient files, changing government policies, sophisticated security threats and new technologies — is far from perfect.
One of the most pressing issues lies within the policies and technologies provided by today’s IT teams. In fact, in many instances, the policies and tools implemented by IT to keep patient data safe and secure often end up having the opposite effect: they make it incredibly difficult for providers to deliver fast and efficient care in a secure, compliant manner.
For example, let’s imagine a day-in-the-life of a hospital care provider, who faces immense pressure to deliver top-notch care to as many people, and in as little time, as possible. On day one, an off-duty doctor is called at home to provide his take on the best care plan for a specific patient. How will he review the pertinent information while working remotely? In another scenario, the doctor is running from patient to patient, and is unable to take the necessary time to record his actions. Taking the work home on a USB drive seems like the best option. The next day, the hospital needs to quickly share files with the patients’ previous provider to care for an urgent medical issue.
What must be done before you walk out of the office for the last time before the stroke of midnight Jan. 1, 2015? It’s a simple question with many possible responses. Each healthcare organization, based on its needs and priorities, likely has a fix on what it needs to do, though perhaps those things are not necessarily what it wants to do. The final couple of weeks of the year are different for everyone, and practices are no different.
So, if you’re making a list and checking it twice, here are a few suggestions that you might want to add to it to be well prepared for the new year, based on your practice’s business needs, of course.
Review the ONC Federal Health IT Strategic Plan
At Health Data Consortium, we have three must-do items before we close the door to 2014. First, we urge the health IT community to review the recently released ONC Federal Health IT Strategic Plan 2015-2020. Public comments are open until February 6, but don’t let your response get lost in the start of the year flurry. Second, we are preparing for the arrival of the 114th Congress and the opportunity to share Health Data Consortium’s public policy platform for 2015. Our platform will have an emphasis on the key issues that affect data accessibility, data sharing and patient privacy – all critical to improving health outcomes and our healthcare system overall. Finally, on January 1 we’ll be only 150 days from Health Datapalooza 2015. We are kicking off the new year and the countdown to Health Datapalooza with keynote speakers and sessions confirmed on a daily basis. We’re already making the necessary preparations to gather the innovators who are igniting the open health data revolution. As 2014 comes to a close, we look forward to hitting the ground running in 2015.
Ideally, turn off not only your lights, but everything — I mean every piece of digital technology and every way digital technology can connect to your organization. That is the only way to assure there are no accidents, glitches, failures or breaches. Here are some other things you can do:
• Fill every open position you can. Have positions and people identified and include backups. The only thing worse than not having a position to fill is having one to fill and leaving it open.
• Address mobility, medical devices and patient engagement, and not just from a security perspective — this is everyone who provides access, information or uses these devices or systems.
• Address the culture and have a plan to include every individual in the organization, if the technology touches them, from BYOD to analytics to privacy to cloud storage.
IT, regardless of the industry, is ultimately about people. In healthcare, it is also about the data itself, which represents your patients. It has to be there, it has to work, it has to be secure.
— David Finn, CISA, CISM, CRISC, is a member of ISACA’s Professional Influence and Advocacy Committee, and the Health Information Technology Officer for Symantec
I remember when the Health Insurance Portability and Accountability Act (HIPAA) passed. I was working for a leading practice management software vendor. Everyone was overwhelmed by what was involved. We developed a huge amount of education and information for our customers. Some people wondered if the healthcare industry could make such a major change.
Today, HIPAA is ubiquitous. Many practices take it for granted. They are not concerned about a breach because they believe they have done everything they need to do. In a recent study by MedData Group of physicians’ top practice management priorities for 2015, HIPAA didn’t even make the list.
“We instigated HIPAA when it came out, and it is in place and second nature to us,” said Joann Lister, a provider at a family medicine practice in Texas. “We have all worked at the hospital so we had plenty of training on the rules. Our physical space and computers are confidential. Our practice management and EHR software, Kareo, always goes back to login when we are done in a room so the next patient does not see anything. We have limited personnel so it is easier to know that everyone honors the HIPAA rules.”
The question is: Have practices gotten too complacent with HIPAA? With the latest changes to HIPAA in 2014, have they followed through on making changes and updates? The data and experience of industry experts and consultants suggest that there may be a problem with HIPAA compliance.
“The last analysis we did for a practice had 41 pages of regulations that required implementation,” recalled practice management consultant Rochelle Glassman, CEO of United Physician Services. “Most practices do not know what the complete requirements are. They believe that if they have the patients sign the privacy form that is all they need to do. This year there were updates that included the new HITECH Act and the HIPAA Omnibus rule. I can guarantee that many practices have not updated their HIPAA program to include the changes because they do not even know they exist.”
It should come as little surprise to me that no matter the healthcare sector — long-term care, ambulatory or inpatient, for example – most of the worries faced are the same or very similar. Much the same level of attention is given to many of the highly complex usual suspects – interoperability, health information exchange, accountable care, HIPAA and even mandates like meaningful use. The murmurs of those working here are often similar, and there is a fairly deep collective holding of the breath in regard to advancements or developments in these areas and how these and other issues sway constituents throughout the marketplace.
The general sentiment of individuals, those leading large hospitals and multi-location care facilities, who express their opinions and concerns to organizations like HIMSS, to name one, is the same as the concerns voiced by many of the attendees at PointClickCare’s annual user meeting in Orlando Nov. 2-5, 2014. These same sentiments also are expressed at a variety of other meetings of the minds throughout the US in similar constituent groups or with vendor and other allegiances.
Educational and work sessions held at these gatherings always have the same look and feel; the same as those expressed at PointClickCare’s Summit 2014. Engagement, connection, care; ACOs, HIEs, and managing their relationships; EHRs, interoperability, and managing this relationship and the flow of information (or doing so when the information does begin to flow); and change management strategies that provide guidance and advice for … managing change.
The information exchanged in venues such as these and the sessions themselves are valuable, of course, and needed to fill an enormous information void. Most importantly, these healthcare education sessions draw together folks seeking guidance and those needing insight, as well as provide a dash of leadership at times when much seems to be lacking. Finally, these educational sessions – quick and concise as many of these sessions may be – alleviate fear during a scary and tumultuous time in healthcare.
Health IT pain points seem to be lingering long despite the never-ending promises and eternal hope that new technology innovation seems to offer. Every sector has its prickles, no doubt, and much is left to overcome in healthcare, but given the complexity and the copious amount of change and development here, it’s of little surprise that pain is being felt.
What may be surprising, though, is that like patient engagement, there seems to be a different type of pain, and severity of pain, depending on who you ask.
With that, for greater clarity, I decided to ask some health IT industry insiders what their pain points were and why. Their responses follow:
Dr. Trishan Panch, chief medical officer, Wellframe
One of the biggest pain points for hospitals that we’ve come across is a health system’s inability to scale care management resources. They are effective in improving outcomes when patients are engaged, but because of limitations around existing models (i.e. human interaction via phone or in-person) only a small proportion of the patient population can be engaged. That’s why organizations are turning to technology solutions to scale care management resources to reach more people.
One of the biggest pain points for physicians today is the lack of interconnectivity between different IT systems. Participation in the meaningful use program has helped create some common standards for communication but, for a variety of reasons, these have not yet led to widespread, effective clinical data sharing. Few physicians can operate in the ecosystem of a single electronic medical record, since they often work in systems that are different, from practice, various hospitals and other places of care.
Interoperability is a pain point in healthcare IT, particularly when it comes to transitions in senior care. Connecting the care delivery ecosystem to provide safer transitions of care is critical to long-term care. While some individuals may require short-term rehabilitative care, others may need home-based care, assisted living or long-term and hospice care. As seniors move through these different stages or between acute care and post-acute care, these transitions pose challenges for healthcare providers. Ideally, all the information that clinicians need to treat the individual will be available when he arrives at his new destination. However, this is not always the case. Healthcare providers, both long-term and acute, must invest in an infrastructure that supports seamless transitions of care; interoperability plays a vital role. Connecting healthcare providers across the care continuum will allow for better health outcomes, help reduce unnecessary hospital re-admissions, as well as keep healthcare costs down.
There are various statistics about the negative impact paperwork has upon providing healthcare. The AHA has estimated it adds at least 30 minutes to every hour of patient care provided. A main pain point continues to be the ability for IT to implement efficient EHR systems. At the core of any EHR system are its image capture capabilities. It must be simple to use throughout the workflow process. This includes image capture, editing, saving and sharing. The capture, or scanning, must be speedy. Editing features must be clear in how they are used. This minimizes learning curves at the start. It also optimizes the speed of processing documents during the life of its use. Easy saving to local or network locations should also enable simple and secure sharing. When one, some or all of these areas stall, it can cripple the realization of benefits from digital document management.
Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.
Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.
A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.
Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute of Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.
While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.
Prime allows users a way to make sure their friends, family and emergency contacts have access to their health by granting them full access at every hospital they visit. With Prime, users can stop worrying about keeping everyone up to date, and “tell the people that need to know, what they need to know.” Verifying that all HIPAA requirements are met, Prime secures information with bank-level security: All information is protected by state-of-the-art encryption. Access to the information is always monitored, and every member of the Prime team has been fully HIPAA trained.
Prime’s free mobile app helps patients aggregate their healthcare information from multiple sources into a single view on the go. Prime helps patients and their loved ones achieve a better healthcare experience by putting all their health information in one place.
Prime empowers people to take control of their personal health records on the go. Users can apply information from multiple sources into a single view giving them complete access to important data. The end result is individuals and their loved ones achieve a better healthcare experience. Prime is a free, HIPAA-compliant mobile app available for download in the Apple App Store. The company launched out of Techstars in 2014. We have helped users connect to more than 50,000 personal health records.
The recent theft of 4.5 million medical records by Chinese hackers coupled with the news that as-yet unidentified hackers were able to penetrate the U.S. government’s health care portal have ignited consumer concerns about the safety of health care records – and rightly so. No patient should have to worry that his or her protected health information (PHI) may fall into the hands of thieves.
The medical industry experiences more security breaches than any other U.S. industry today, serving to undermine public confidence in electronic health records and the industry at large. Last year alone, more than 7 million patient health records were breached, up 138 percent over the previous year, according to a February report by IT security consultant Redspin. Theft or loss of unencrypted portable computing devices (i.e., laptops) or digital media containing PHI was the leading cause of PHI data breach, impacting 83 percent of records breached. Unauthorized access and hacking incidents impacted less than 7 percent of records breached.
It’s reassuring to see the industry break new ground in studying security flaws and addressing vulnerabilities. For example, the Health Information Trust Alliance (HITRUST) teamed with the Department of Health and Human Services (DHHS) last spring to lead CyberRX, a series of no-cost, industry-wide exercises designed to simulate cyber attacks on participating health care organizations and help them identify weaknesses in preparedness. Two important findings emerged:
• Organizations that participate in cyber exercises are better prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
• More preparation exercises like CyberRX would benefit health organizations by helping them to evaluate their programs, refine policies and procedures, and develop and implement effective communications among internal departments, the industry at-large, and government.
HIMSS released the following infographic that summarizes the findings of 25 years of health IT from its annual leadership surveys. It’s a pretty good depiction of how health IT has changed in the last quarter century. Looking back on the past twenty-five years in healthcare, some things are fairly interesting. For example, physicians in 1993 said they would not adopt their use in healthcare until they became easier to use. The sentiment still remains, to a certain degree, especially in regard to systems like electronic health records.
Another interesting factoid is that in 1994, 14 percent predicted that digital patient information would be shared nationwide in one to three years.
Finally, the number of health IT priorities that has changed in the course of the last 25 years is either alarming or inspiring, based on the level of change in the space and how quickly things continue to change. However, the number of changes and their frequency remind me of a dog on a trail stalking down one scent after another without a real sense of purpose – Y2K, HIPAA, patient safety, reducing medical errors, financial survival, meaningful use, etc.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.