Mary Pat Whaley over at Manage My Practice offers some useful tips for patient customer service.  This is a follow-up to her article on 50 Ways to Attract New Patients to Your Practice.

Some of her tips are easy common sense ideas such as:

Introduce yourself to patients. “Hi, I’m Jane and I am Dr. Smith’s assistant and I’ll be working with you today.”

Providers should always shake hands with patients and others in the exam room.  That first touch is so important!

Send your patients a birthday card.

I especially like some of her technology and social networking tips to improve customer service:

Have multiple ways for patients to complete their registration information – forms mailed to them, online completion, completion in the practice at a computer kiosk, completion at the practice with personal help, or pre-registration by phone.  

Invite patients to become a friend of the practice on Facebook and communicate regularly with your patients keeping them up-to-date on practice news, health news and local events. 

Send patients emails or letters and post on your website any information relating to hot topics in the news – vaccines, radiation exposure, etc.  

Have computers in the waiting area for patients to use. Have Wifi for patients to use their own computers while waiting.  Have instructions available for using the Internet to look up medical information and provide a written list of medical websites that your providers recommend.  Place this information on your website.  

Use your EMR or voice recognition to complete the patient’s medical record and print them a copy of it to take with them when they leave the exam room.  

Make your website a one-stop destination for practice information, health information, practice forms and secure messaging with the practice. 

In this article I discussed the network costs of an EMR implementation.  I would like to drill down further to discuss the broadband and wide area network (WAN) costs of a network for midsize and large medical practices.  The definition of midsize and large medical practices is vague but for illustration let’s assume a midsize medical practice has 4 or more physicians and 2 or more locations (offices).  For a large practice, let’s assume 10 or more physicians and 4 or more locations.

A typical EMR implementation in a practice with multiple locations has the EMR Server(s) in a central location in one of the offices.  The other offices access the EMR across the WAN.  For those that are not familiar with the terminology for WAN, it is simply the network that ties together each of the offices and make all the offices appear like they are on the same network.  Most carriers (Verizon, AT&T, Qwest, etc.) will implement a WAN with an MPLS network.  For simplicity lets say a MPLS network is a private network that no one else but the practice can access and allows 2 or more offices to communicate with each other.  The advantage of an MPLS network is that a 3^rd office can be added and then all 3 offices can communicate with each other.

In a minimal MPLS network implementation with 2 offices, both offices are connected to each other with 1.5 Mbps of bandwidth (the speed of a T-1).  For redundancy, each site has a DSL circuit that functions as a backup in case the primary MPLS circuit goes down.  Let’s take a rough look at the cost for this implementation.  I am only going to discuss the reoccurring monthly costs and not address the setup or equipment costs.

1.5 Mbps MPLS at office #1 (central office with the EMR) – $500-$600/mo

1.5 Mbps MPLS at office #2 – $500-$600/mo

1.5 Mbps DSL at office #1 – $75/mo

1.5 Mbps DSL at office #2  – $75/mo

All together, a practice is looking at approximately $1,250 per month ($15,000 annually) just for the network connectivity between the offices.

Before we move on to the cost of a large practice, let’s take the above example and add a 3^rd office to the practice.  When you add a 3^rd office you add not only another connection to the MPLS network but you add additional traffic on the MPLS network from the 3^rd site.  So now you have 2 offices that are accessing the EMR over the MPLS network.  When I say accessing the EMR I am also referring to scanning images (insurance cards, paper referrals, driver’s licenses, etc.), printing, sending electronic faxes (if implemented), etc.  In this case the requirements for the network start to increase.  A typical implementation would put more bandwidth at the central office with the EMR to accommodate the increased network traffic created by the 3^rd office.

3.0 Mbps MPLS at office #1 (central office with the EMR) – $1,000/mo

1.5 Mbps MPLS at office #2 – $500-$600/mo

1.5 Mbps MPLS at office #3 – $500-$600/mo

1.5 Mbps DSL at office #1 – $75/mo

1.5 Mbps DSL at office #2  – $75/mo

1.5 Mbps DSL at office #3  – $75/mo

The monthly cost is now approximately $2,150 per month ($25,800 per year).  Again, this doesn’t include any equipment or setup costs.

For the costs of a large practice let’s make the following assumptions: we have 4 offices and we need 6.0 Mbps at the central office with the EMR and 3.0Mbps at each of the other offices.

6.0 Mbps MPLS at office #1 (central office with the EMR) – $3,000/mo

3.0 Mbps MPLS at office #2 – $1,000/mo

3.0 Mbps MPLS at office #3 – $1,000/mo

3.0 Mbps MPLS at office #4 – $1,000/mo

1.5 Mbps DSL at office #1 – $75/mo

1.5 Mbps DSL at office #2  – $75/mo

1.5 Mbps DSL at office #3  – $75/mo

1.5 Mbps DSL at office #3  – $75/mo

The total monthly cost is $6,300/month ($75,600/year).

The network communications costs to tie each of the offices together for an EMR implementation can add up quickly.  I want to clarify this article by saying that what was discussed is only one way of implementing the network.  There are many other ways and if you discuss these with the carriers you will hear terminology such as point to point T1’s, site to site VPN, etc.  The backup circuits could be DSL, Cable Modem, T1, 3G wireless, etc.  The bandwidth and associated costs are estimates as well.  Additionally, it should be noted that different EMR systems may have different bandwidth requirements. 

For a multi-office practice, WAN costs can be the first financial hurdle a practice will encounter when planning an EMR implementation.  The WAN is the foundation of every multi-office computer network.   Costs can be substantial, but practices should not take the WAN planning lightly or attempt to cut corners.  A poorly implemented WAN, can lead to a failed EMR implementation.  Would you build your home on top of a cracked foundation and expect it to stand the test of time?

There is a very good article over at AIS’s Health Business Daily that discusses HIPAA and HITECH violations.  With the signing of the HITECH Act as part of the ARRA stimulus bill, the penalties for HIPAA violations have increased dramatically.  The HITECH Act has also increased the enforcement of HIPAA regulations.

A privacy breach due to “willful neglect” that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Where it gets really interesting is the description of “Willful Neglect”

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.”

If you think that just writing policies and procedures will help avoid willful neglect then read on.

“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

The take away from this article is that you need to have policies and procedures in place for both the HIPAA Privacy and Security rules.  These policies and procedures need to be enforced and communicated to all employees.  I would tend to guess that a lot of practices have policies and procedures in place for the Privacy rule.  Practices will need to develop policies and procedures that comply with the Security rule as well.  This is especially true as practices start to create electronic patient health information (ePHI) through the implementation of an EMR, digital x-rays, electronic lab results, billing information, scanned consent forms, etc. The increased use of technology such as laptops, remote access, email, portable disks and smartphones will also require the appropriate policies and procedures. 

Here is a final thought that might keep you up at night.  Imagine a spreadsheet with financial and demographic information of 250 patients that was saved unencrypted on a laptop.  The laptop was taken home by the billing manager and was stolen out of her car.  Did you have a policy and procedure which prevented her from taking the information?  Was it enforced?  Was it communicated to all employees?  Is this an unfortunate HIPAA violation or is this willful neglect? 

I get to have a lot of conversations with physicians, practice administrators and operations staff.  From a high level view it seems like most practices are at a stand still regarding new projects, EMR implementations, EMR conversions, and basically anything else but the status quo.  It is almost like practices are frozen like deer in the headlights.

When you take a step back and look at all the factors it is no wonder this situation exists.  Here are some themes, quotes, and thoughts that I have heard over the past few months.

We are not sure how the proposed cut in Medicare reimbursements of 21% is going to affect our revenue.

Reimbursements from private insurers have slowed down significantly and it is hurting our cash flow.

We are seeing a significant drop in patients and we believe it is recession related.

We have no confidence that we will see any money from the stimulus bill.  There is no definition of what meaningful use is or what a certified EMR is.

How can you do anything if you don’t know what the healthcare reform is going to look like or if it is even going to be passed?

We want to implement a new EMR but our data is locked in our old EMR.  There doesn’t seem to be any tools of getting the data out.

When you put it altogether you get a sense of uncertainty.  The political, economic and technology environments are covered in uncertainty.  Is it any wonder why medical practices are frozen like deer in the headlights?  I would love to hear about your practice, your concerns, and steps you are taking to address the uncertainty.

When I was a freshman at Penn State, I landed a summer internship at Merck & Co., Inc.  Within weeks of working there I knew I wanted to be the Chief Information Officer (CIO) of Merck.

A good definition of a CIO can be found at Answers.com.

A company executive who is responsible for the management, implementation and usability of information and computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business process and will then integrate a system to realize that benefit or improvement.

My view of a CIO is a person that is responsible for the overall Information Technology (IT) including:

• Hardware (desktops, laptops, network, wide area network, Internet, firewalls, etc.).
• Software (customer relationship management [CRM] systems, accounting systems, manufacturing systems, etc.).
• Security (policies, procedures and technology to implement and enforce security).
• Support of the entire Information Technology.

A CIO must be involved with the selection of new technologies, the implementation of new technologies and must ensure that any new technology is secure and supportable within the company.

Most of the time a CIO is associated with a large enterprise but as the title of this article states, it is my belief that every medical practice should have a CIO.  Just like in large organizations, a medical practice has information technology needs.  As I mentioned in this article, as a practice implements an EMR the size of their network will grow rapidly.

Whether it is a small, midsize or large medical practice, the need for a CIO exists.  The CIO should understand the details, the workflow and the requirements of the practice.  If the practice is at the point of trying to select an EMR, the CIO should be involved in the selection process.  The CIO should understand what the functional requirements of the EMR should be but should also be concerned with the network, security and support requirements.  In addition, the CIO should be involved with the implementation and coordination of the multiple vendors (software, network, training, Internet Service Provider [ISP], lab vendors, digital x-ray vendors, etc.) to successfully implement the EMR.

Once the EMR has been implemented, the CIO will need to ensure that the system is supportable, secure, and reliable.  The CIO will need to be involved if any of the components of the information technology need to be upgraded or new components need to be added.  The CIO must ensure that an upgrade of one component does not negatively impact the functionality of other components.  The CIO will also need to be involved if there is a problem with one of the IT components. The CIO must resolve the unavoidable vendor finger-pointing that occurs when multiple vendors are involved.

A practice will need to ensure that they are compliant with all government regulations including HIPAA and the HITECH Act.  The CIO should be responsible for ensuring that the policies, procedures and proper technologies are implemented for the practice to be in compliance.  The CIO should also be involved with the monitoring and adherence to the security polices and procedures.

After 16 years, I left Merck and eventually co-founded Entegration, Inc.  For over 10 years I have been the CIO of my client’s medical practices.  I have to admit that it is one of the most rewarding jobs I could have hoped for.

While healthcare providers and their associates–which include third-party administrators, claims processors, attorneys, accountants and software providers–have been required since September 2009 to report breaches of 500 medical records or more if the records include non-encrypted data, some states have been enacting tougher laws. Now, it looks as though the federal government will be upping fines–in some cases up to $1.5 million–related to the leak of personal information, as well.

Beginning in mid-February, penalty ranges now will correspond to what the violator did or did not know. Willful neglect, for example, will cost between $10,000 and $50,000 per violation. There are several other categories of neglect and knowledge.

Of late, there have been a number of large, publicized breaches, including 15,000 compromised records of Kaiser Permanente patients and 450,000 compromised records of Health Net of Connecticut patients.

Source

There are literally hundreds of Electronic Medical Records (EMR) systems for sale.  Some have similar feature sets while other differ in their offerings.  There are many articles, blogs, and whitepapers on picking and implementing the best EMR for a practice.  Most of these seem to focus on the software selection, the workflow process, the implementation process and ongoing support of the EMR.  What seems to be missing is the focus on the actual network and computer system that the EMR will be running on.

As a practice goes from paper charts to a full blown EMR implementation, there will be a need to grow the practice’s computer network dramatically.   With the old paper chart model, there may be a couple of computers at the front desk for patient sign in and insurance information collection.  There may also be a few computers for billing and administration.  On the whole, a practice may have a very small or limited computer network. 

On the other hand, once a practice moves toward an EMR implementation the amount of technology required increases dramatically.  The front desk will may need scanners to scan insurance cards, driver’s licenses, etc.    Additionally the front desk may check on insurance coverage which may require Internet connectivity.    Physicians will need tablet computers to enter patient information during a visit.  If a practice decides not to purchase tablet computers then perhaps each exam room will need a computer, laptop or terminal to access the EMR system.  The billing department will need access to the EMR system as well as Internet connectivity to submit insurance claims.  Workgroup or network scanners may be needed to scan old patient records into the EMR or to scan patient’s new paper information i.e. letters, referrals, etc.  Electronic fax servers may be required to send information out of an EMR to another physician’s office or the fax server may be used to receive electronic faxes and attach them to patient records within the EMR. 

In addition to the equipment mentioned above, there is the EMR itself.  The EMR may require a database server and database software such as Microsoft SQL Server.  There may be a need for a network domain controller which stores the user names and network credentials for a practice’s employees.  The EMR database may be backed up to a tape backup unit or by a remote backup service that backs up the data securely over the Internet.  The reliance on the Internet become essential and requires a dependable and fast Internet connection.  These connections can be a T1 from a phone carrier (i.e. Verizon, AT&T, Qwest, etc.), DSL or a Cable Modem.  The Internet connection should be secured via a Firewall which protects a practice’s network.

Once all of the above technology is purchased and deployed a practice may want to roll out Email for both internal and external communication.  Email with patients may require additional email encryption technology.  With all the new computers and employees that now have access to the Internet, the potential for abuse may arise.  Technology to limit employee’s access to the Internet may need to be implemented.  Additional technology to provide Disaster Recovery of the EMR or network may also need to be purchased and implemented.  Remote Access to the EMR may be required which may require additional network technology.

As you can see, a practice may go from a handful of computers to a full blow computer network with a lot of advanced technology.  The network will need to be maintained which may include verifying data backups, security patch deployment, software upgrades, preventative maintenance, etc.  In addition, the HIPAA Security Rule and HITECH Act requires that a network be secure, audited and access to patient information must be available.  These requirements bring along the need for additional technology and network maintenance processes.

We will go into detail about a lot of these technologies in future updates.  A final thought to think about when a practice is evaluating EMRs – Don’t forget about the computer network!