It has only been about two generations since traveling medicine shows were common forums for medical information. Phony research and medical claims were used to back up the sale of all kinds of dubious medicines. Potential patients had no real method to determine what was true or false, let alone know what their real medical issues were.
Healthcare has come a long way since those times, but just as patients then did not know what was in their medical concoctions or what ailed them, today’s digital-age patients still don’t know what is in their medical records. They need transparency, not secret hospital-vendor contracts and data blocking, like the practices being questioned by the New York Times. One patient, Regina Holliday, resorts to using art to bring awareness to patients’ lack of access to their own medical records.
There are many reasons patients want access: second opinions, convenience, instant access in a medical emergency and right of ownership—I paid for them, I own them. Patients also need to view their records to check their accuracy and validity. Inaccurate record keeping has even caused the ECRI Institute to cite incorrect or missing data in EHRs and other health IT systems as the second highest safety concern in its annual survey outlining the Top Ten Safety Concerns for Healthcare Organizations in 2015.
Healthcare system executives, from CIOs to CEOs, are very aware of the increasing requirements from patients asking for their records and the various state and federal laws that come into play. However, they are also aware that by making it too easy for patients to access records, they risk liability and HIPAA issues. They also don’t want to provide documents that can easily enable cost comparisons or raise questions about charges.
Consumers Uniting
Riding the wave of interest in accessing personal medical records are organizations like GetMyHealthData.org. The organization was founded in June 2015 as a collaborative effort among leading consumer organizations, healthcare experts, former policy makers and technology organizations that believe consumer access to digital health information is an essential cornerstone for better health and better care. It is coordinated by the National Partnership for Women & Families, a non-profit consumer organization. On July 4 it launched #DataIndependenceDay to create awareness of the HIPAA law, which states that patients must be granted access to their health information with very few exceptions. An update to those laws that was finalized in 2013 extends these rights to electronic health records.
Despite the introduction of personal health records (PHRs), Blue Button technology and product introductions from blue chip technology leaders, such as Microsoft and Google, there has been no significant, unifying technology to ignite consumers’ pent-up demand for their medical records. This lackluster interest and ongoing interoperability issues might be the unifying force to drive many consumers to consider Personal Health Information Exchanges (PHIEs) as an alternative to EHRs and Health Information Exchanges (HIEs) that unnecessarily duplicate data and risk HIPAA violations.
Will PHIEs Ignite the Patient Record Access Movement?
Frost & Sullivan, in its research report “Moving beyond the Limitations of Fragmented Solutions Empowering Patients with Integrated, Mobile On-Demand Access to the Health Information Continuum,” identifies personal health information exchanges (PHIEs). They are described as providing individual patients, physicians, and the full spectrum of ancillary providers with immediate, real-time access to medical records regardless of where they are stored by using an open API.
The PHIE can provide access to the entirety of an individual patient record, regardless of the number of sources or EHR systems in which the patient data resides. This technology is made possible through fully interoperable integration servers that can access any EHR system with available APIs and portray the integrated data in a viewable, secure and encrypted format on a mobile device.
By leveraging the powerful simplicity of open APIs, PHIE technology can also access medical records in a way that is much more comprehensive than the closed EMR portals commonly used by doctors’ offices. Despite their pervasive use, these portals are cumbersome and expensive for patients to use. The portals also share the same lack of interoperability that plagues hospital EHR systems.
Guest post by Ryan Howard, CEO and founder, Practice Fusion.
How many doctors have you seen in your lifetime? Don’t know or remember? You’re not alone – the average American patient will see nearly 19 different doctors during their lifetime. Nineteen different offices. Nineteen different medical charts. Nineteen different phone numbers. Nineteen different calls to track down your records. Now, can you even remember your last five doctors?
The future: Imagine you visit your doctor – or any doctor for that matter – and they quickly pull up your medical history. Vaccinations when you were a child? Check. Currently on a hypertensive medication? Check. Predisposed to a medical condition? Yep, that’s in there, too. No more arriving 20 minutes early to the doctor’s office to fill out the industry-average seven pages of paper forms. Your records – past and present – are already being reviewed by your trusted provider.
Beyond the sheer convenience, the accuracy and completeness of having your entire medical history available at the fingertips of your provider can impact your well-being and scope of care. Can you accurately remember all procedures you’ve had? And when? Or all the medications you’ve ever taken? With dates? Imagine if you were a senior. Not just daunting, but nearly impossible. Instead of going over just snippets of what you actually remember, your doctor is empowered to holistically review your entire medical history with the potential to make more informed decisions about your health.
Seem like a pipedream? If you were to ask a mere decade ago, most would have agreed. As recently as 2007, 88 percent of physicians were still charting on paper. And those physicians on an EHR system – who were paying a premium – were almost exclusively using a localized, server-based platform with no connectivity. For cost perspective, according to HealthIT.gov, the average upfront cost of implementing an EHR is $33,000 per provider plus an ongoing fee of $4,000 yearly, a cost-prohibitive amount for most private practices.
Fast forward to 2009 and the passage of the HITECH Act, which provided billions of dollars of incentives for providers to implement an electronic health record. In addition to the incentives, new vendors appeared on the market who provided electronic health record platforms completely free of charge, allowing providers to reinvest the incentives in their practice as additional staff, new equipment, etc.
Guest post by Michael Simpson, CEO of Caradigm.
It’s been five years since the HITECH Act was enacted as part of ARRA, and while there’s still a lot of debate about the technical details, rules and timelines involved with electronic health record (EHR) adoption and meaningful use, it’s clear that the focus on EHRs – and incenting hospitals and professionals to use EHRs in a meaningful way – represents a critical, foundational step in transforming health care in this country.
After all, meaningful use targets the right goals – goals that every hospital, health system and healthcare professional supports, including improved quality, safety and efficiency of care; reduced disparities; more engaged patients and families as core members of the care team; improved care coordination and population health; and more secure patient health information.
More important, the stages of meaningful use drive a set of progressively more advanced capabilities that are fundamental to achieving those goals. Digitizing data was the first critical step, and the good news is that according to a recent HHS press release, about 60 percent of all hospitals have adopted an advanced EHR, leaving the paper world behind. The next steps are sharing that data – securely – among providers and patients, reporting on quality to understand and improve it, using clinical decision support at the point of care, and many other capabilities critical to transforming care and outcomes. If providers and professionals meet meaningful use requirements, we should see more transparency, greater efficiency, reduced waste and more healthy people in our communities over time.
Stage 2 Challenges
It’s a long and challenging journey, and while hospitals and health systems are making good progress against Stage 1 requirements, very few are prepared for Stage 2. In fact, according to survey data from the American Hospital Association, fewer than 6 percent of hospitals have met the criteria for Stage 2, and only 10 percent have met the requirement for patients to be able to view, download and transmit their health information online.
Why are providers getting stuck as they try to move to Stage 2? Because as the requirements become more demanding – e.g., using clinical decision support, generating patient lists, protecting patient health information, engaging patients – these organizations need a new set of technology capabilities to meet those requirements. These capabilities leverage and extend the functionality and benefits of the EHR.
Moreover, to reach the ultimate goals targeted by Meaningful Use — improved quality, efficiency, outcomes and population health — providers will need to aim even higher than meeting the requirements of meaningful use stages, strategically using data from EHRs and myriad other systems across the care continuum to enable a new level of capabilities.
NueMD, provider of cloud-based medical practice management software for small practices, in partnership with Porter Research and the Daniel Brown Law Group, surveyed practices and business associates about HIPAA compliance and how small practices and billing companies are coping. The survey of about 1,200 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act.
“Understanding HIPAA can be difficult for practices and billing companies, especially if they’re already scrambling to keep up with changes like ICD-10 and meaningful use,” said Caleb Clarke, sales and marketing director at NueMD, in a statement. “With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling.”
NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers.
In a nutshell, the survey found that:
66 percent of respondents were unaware of HIPAA audits (a staggering number)
35 percent of respondents said their business has conducted a HIPAA-required risk analysis
34 percent of owners, managers and practice administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
24 percent of managers, owners and practice administrators at medical practices reported that they’ve evaluated all of their business associate agreements
56 percent of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year
HIPAA is one of the primary and most comprehensive government regulations that affect the daily activities of every healthcare organization.
Signed into law in 1996, the law outlines policies to protect sensitive patient data and penalties for those who don’t comply. Recent updates under the HITECH Act introduced several changes that affect the responsibilities and liabilities of covered entities and business associates.
Enforcement of breaches is occurring at a more rapid pace. HITECH extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:
Widening the scope of the law, requiring health information exchanges to be business associates of healthcare entities, and applying HIPAA privacy and security requirements directly to the HIEs.
Greater penalties for noncompliance.
Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
Opening the way for enforcement by states’ attorneys general.
Also, the HITECH Act incentivizes a more aggressive pursuit of HIPAA, which means it’s more likely that healthcare organizations will now be audited more regularly.
Guest post by Reed Liggin, founder and president, RazorInsights.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals have been turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden is placed on these hospitals’ small IT departments to meet federally mandated deadlines such as meaningful use.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improve efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary restraints, rural hospitals typically have outdated technology and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily implemented across the network – even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won’t receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than a server-based solution. Less hardware means less opportunity for failure – thus, maintenance costs decrease drastically as the lifespan of a cloud-based system is much longer than a physical server solution.
Guest post by Barry P. Chaiken, MD, FHIMSS, chief medical information officer at Infor.
In many ways healthcare is like a symphony orchestra. Although information technology can enhance care planning, assist in medication administration and reduce duplicative testing, it cannot replace the people required to deliver care services to patients. Nurses are needed to administer medications, therapists are needed to provide treatments, and physicians are needed to diagnose illnesses and provide treatment plans. On average, hospitals devote close to 70 percent of their budget to labor costs. Until robots replace humans in the delivery of patient care, selection of the proper skill mix and number of professionals remains a significant factor that determines cost in provider organizations.
Although information technology cannot replace the staff delivering care to patients, it can assist organizations in choosing the best talent available, help develop that talent and determine the best way to utilize the skills of these professionals.
To identify the best talent, information technology tools allow the extraction of an employee’s “behavioral DNA” – the measurement of behavioral, cognitive and cultural traits. Organizations then compare this prospective employee’s “DNA” to the “DNA” of existing high performing employees within the organization in an effort to identify individuals who possess a high probability of excelling within the organization.
Guest post by Randy Hickel, manager of worldwide healthcare business development, Printing and Personal Systems Group of HP.
Mobility and BYOD trends in healthcare are a hot topic. With more healthcare businesses transitioning work processes to mobile platforms for increased collaboration and productivity, data security can be a major concern.
It’s clear that advanced mobile technologies allow healthcare employees – who are constantly on the move – to connect from anywhere, anytime; however, mobility can pose several challenges. By engaging with a health IT mobility expert, healthcare organizations can plan and build the appropriate infrastructure to manage various mobile devices, secure data and promote fluidity between paper and digital documents.
Prepare your IT infrastructure for BYOD
Personal devices in the workplace are quickly becoming the norm, rather than a trend, even in the healthcare industry. Administrative and medical staffs more frequently use personal devices, such as smartphones or tablets, to connect to work networks or enterprise systems. According to the Pew Research Center, in January 2014, 58 percent of American adults had smartphones and 42 percent had tablets. And for the first time ever, Americans used smartphone and tablet apps more than PCs to access the Internet.
Mobility-focused IT experts can help healthcare organizations develop a mobile printing strategy that manages the growing number and diversity of mobile devices in the workplace, ensuring that staff can print securely using their mobile devices.
Guest post by Kim Lennan, director of healthcare markets for Hexis Cyber Solutions.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, topping even that of the financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009, signs of increasing expenses are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare ranging from insider, nosey-neighbor snooping to external cyber threats such as malware, there is an obvious urgency for detection and remediation solutions that engage not only the hardened perimeter but also the soft center, spanning all the way out to the ancillary systems that once stood alone but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breach, as well as cybercrime in healthcare, begins with a motion to break down internal barriers. Organizations need technology and organization leaders who champion bridging the gap between the two influential and liable, yet often non-collaborating, service providers responsible for protecting these domains: privacy and compliance, and enterprise IT security.
Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the “Internet of Things,” those medical device end-points, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data. Let’s take a look at a couple of examples.