Strange days indeed

You have to admit that now is a very interesting time to be in the healthcare field.  This year we saw a $1 Trillion healthcare reform bill get passed.  I don’t believe that anyone has a real understanding of the impact of the bill or its effects on medical practices.  It seems that every day more details of the bill are revealed.  It will take years before we see the total impact.

Then you have the ARRA stimulus package, which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs.  This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs.  But along with the incentives come some significant obstacles.  Medical practices have to use a certified EHR, but there is no definition of what that means or who the exact certifying bodies are.  As of today you cannot purchase an EHR that is certified and will qualify for the stimulus funds.  Practices not only have to implement certified EHRs, they have to use them in a way that shows “meaningful use”.  Of course the exact rules for meaningful use are not known, and many argue that the rules being proposed are too rigid and the bar is too high for practices to actually show meaningful use.  Taken altogether, you have a lot of medical practices that want to cash in on the ARRA stimulus incentives and implement an EHR, but uncertainty and obstacles are keeping them on the sideline.  They are taking the wait-and-see approach.  Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money.  There is no way around it, EHRs are expensive.  The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation all add up.  Of course the hope would be that the costs would be offset by the ARRA stimulus incentives but that is not a guarantee as I mentioned before.

At the same time that you have all this uncertainty around healthcare reform and the ARRA stimulus, medical practices have to contend with two major economic issues.  The first is the severe recession that we have been in since 2008.  There is no way around it: when the economy is suffering, all businesses, including medical practices, suffer as well.  I hear from my clients that patient visits are down and that waiting rooms are less filled.  This has a significant and real impact on a medical practice’s cash flow and financial health.  The second economic issue is the proposed cut of 21% in Medicare payments to physicians.  For at least 6 months the looming threat of a 21% cut in Medicare payments has darkened the economic sky for medical practices.  Congress has postponed the cuts several times but has not permanently addressed the situation.  As of today, the 21% cut has been pushed back until November 30, 2010.  Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November.  Very few medical practices are rejoicing, because in December 2010 they are looking at a 23% cut in Medicare payments followed by a 30% cut in January 2011.  No one really knows what the final outcome will be or when it will come.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations.  As I have written about often, the looming threat of HIPAA Security Audits is a real concern for medical practices.  Implementing HIPAA Security usually requires skill sets that medical practices don’t have.  IT security companies are needed to help with policies and procedures, vulnerability and risk assessments, and implementing new technologies such as email and laptop encryption.  On top of HIPAA Security, medical practices face the “Red Flags Rule”, requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft.  The Red Flags Rule has been postponed several times and was to go into effect June 1, 2010.  As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association.  Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address, from healthcare reform to Medicare reimbursement cuts, they don’t seem too bad.  Each one taken separately allows a medical practice to address the issue and to make modifications to the way they run their business.  But unfortunately all of the issues are happening at the same time.  A medical practice has to address all of the issues together, including major financial outlays, cuts in revenue caused by several factors, and staying abreast of and implementing the latest government regulations.  All the time spent addressing these issues is time not spent on seeing and treating patients.

Have other industries gone through such dramatic change in such a short period of time?  The changes provide opportunities along with real negative effects.  Medical practices need to be flexible and to adjust to all of these changes.  Some of the changes, such as the Red Flags Rule, may never occur.  But either way a medical practice needs to be prepared, needs to be informed and needs to be ready to change its business model to adjust to such dramatic changes.  Strange days indeed.


The upcoming patient information security disaster

I have been thinking and posting a lot about HIPAA security lately.   In the meantime Entegration has been involved in a large scale EHR implementation for one of our clients.  The combination of the two activities has allowed me to come up with a theory that is downright scary.  I don’t claim to be Nostradamus and I can’t see the future but I will throw out my theory anyway.  I believe that the ongoing EHR gold rush will put a lot of patient information in electronic form and place it in the hands of inexperienced employees that have not been trained on proper security precautions.  In addition, health organizations will think about security after the EHR implementation and not properly plan security prior to an EHR implementation.  Together these events will lead to a huge amount of security breaches that will compromise patient information and could potentially derail the effort to modernize our health information systems.

As part of the ARRA stimulus package, many health organizations from hospitals to solo practices are pushing to implement EHRs to receive the full Medicare reimbursement per doctor.  There will be a big up-tick in the number of health organizations that go from paper charts to electronic health records.  There will also be a big push to start using existing EHRs to comply with the “meaningful use” standards, which will require more functions and modules to be turned on within existing EHRs.  In addition, more employees at health organizations will be required to utilize computers, tablets, laptops and other computing devices to perform their jobs.  Taking all of these events together will mean a lot more patient information will be in electronic form and a lot more people will have access to the electronic information.

Over the years Entegration has been involved in many EHR implementations.  There is a common theme that I have noticed throughout all of these implementations, and it is pretty consistent no matter who the EHR vendor is.  Employee training on the EHR is usually a quickly thrown together process where the EHR vendor sends a trainer onsite to teach a series of group classes on how to use the EHR.  These classes range from 1 hour to half of a day depending on the employee’s job function and responsibility.  After the class is over the employee is sent on their way to start using the EHR.  The training the employee receives is usually focused specifically on how to use the EHR: how to navigate screens, perform functions, etc.  Rarely have I seen training that includes a security overview discussing how to protect patient information on laptops, how to send patient information via email, password complexity, etc.

Furthermore, many health organizations that go from paper charts to EHRs also go from simple computer networks to much more complex networks that are required for the EHR.  In the process of implementing the EHR a large amount of computer equipment has to be purchased and installed including servers, desktops, tablets, printers, upgraded Internet connections and various other equipment.  Unfortunately most health organizations that go from paper charts to EHRs do not go through a formal security review prior to the implementation.  These organizations most likely will not concern themselves with the HIPAA Security Rule because before the EHR they don’t have a lot of electronic protected health information (EPHI).  So most likely the organization will have very few if any security policies and procedures. They will probably not go through a formal risk assessment and will not perform vulnerability scans on the newly created complex network.  Employees will not go through training sessions that discuss protecting newly formed EPHI.

What you will have is a lot of health organizations that start putting patient information into EHRs that are used by employees without proper security training.  You will have health organizations that have newly created complex networks without proper security policies and procedures.  These complex networks will not have had the proper vulnerability assessments.  Employees will not be trained on security best practices that cover protecting patient information on laptops and portable devices, sending EPHI via email, or the use of complex passwords.  The networks will not have the proper auditing in place that monitors the event logs to determine whether information has been accessed by unauthorized personnel, whether internal employees or external entities.  Data will most likely be backed up, but full Disaster Recovery technologies and procedures will probably not be in place.

We have seen a large number of security breaches so far in 2010.  It seems like every week we hear about more and more patient information that has been compromised.  This is happening already, even before the big push by a majority of health organizations to implement EHRs.  When all the forces come together, will we see the flood gates open, with patient information being compromised and data breaches occurring at an alarming rate?  If this does occur, will patients lose trust in their doctors and the use of EHRs?  I don’t know the answers to these questions, but if my theory is correct we will see a major occurrence of patient information data breaches that will put patients’ information in jeopardy and could potentially damage the effort to modernize our health information systems.


The realities of network security

There is a story over at FierceHealthIT that summarizes a healthcare security study commissioned by Kroll Fraud Solutions, Nashville, Tenn.  The study concluded that healthcare organizations take security seriously but may have a false sense of how secure their organization really is.

Reasons for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology–stolen laptops and back-up tapes, as well as improper document disposal.
 
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks–an average of 6 on a scale of 1 to 7–for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission’s “Red Flags” rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.

The first step to ensuring that your practice is secure is taking security seriously. It is important to write security policies and procedures. But security is not about going down a list of to-do items and checking each one off. Security is about ingraining best practices into your everyday workflow. Unfortunately security at times gets in the way of how we normally perform our jobs. Security requires a few extra steps at times. You might have to encrypt the file that you are working on before copying it to a USB drive, or you may have to send a patient an encrypted email rather than just a standard email. Each one of these actions requires a few extra steps, but in return you have made sure that the data is secure and protected.

Security also costs money. There is no way around it. In order to ensure that your data is protected and secure, and especially to comply with the HIPAA Security Rule, you have to invest in security technology. Patients want to communicate more and more by email, so you will eventually have to invest in email encryption to safely and securely communicate with patients. Data is more and more portable, and you have to put in the proper technology to protect it. Portable data can be on laptops, tablets, USB drives, smartphones, etc. Each one of these devices can leave your office and could potentially be lost or stolen. Implementing encryption technology is essential to protecting the data. Unfortunately you may have to implement one or more encryption technologies, each appropriate for a particular device.

Security costs money in ways you may not think about. Proper security requires that employees have unique user IDs and passwords and only have access to the information to which they have been granted access. But how do you know if someone is trying to access information that they are not allowed to access? How do you know if someone has hacked through your firewall and is accessing your EMR? Your servers should be set up to log important events that occur on them, such as logons, logoffs, invalid password attempts, successful data access, unsuccessful data access, etc. These server log files can become huge, and there is so much information that it is almost impossible to understand what is happening on the servers. You will either have to invest in technology that goes through the server logs and notifies you if a security event is occurring, or you will have to invest in an outside IT company to monitor your log files. Either way it is probably not an expense that you have considered.
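To make the log review described above concrete, here is an added example (not from the original post or any EMR vendor) that reads a constructed, simplified server event log and raises the three kinds of alerts the paragraph mentions: repeated invalid password attempts, logons at odd hours, and chart access by a user whose role should not have it. The log format, the role table and the thresholds are all assumptions made for the example.

```python
"""Toy event-log review for a small practice's EHR servers (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <event> key=value ...".
# Real servers write far more detail; this is the minimum needed to show the rules.
SAMPLE_LOG = """\
2010-06-14 08:02:11 LOGON_OK user=jsmith src=192.168.1.21
2010-06-14 08:05:40 CHART_READ user=jsmith patient=MRN-0001
2010-06-14 08:06:03 LOGON_FAIL user=bjones src=192.168.1.30
2010-06-14 08:06:09 LOGON_FAIL user=bjones src=192.168.1.30
2010-06-14 08:06:15 LOGON_FAIL user=bjones src=192.168.1.30
2010-06-14 08:06:21 LOGON_FAIL user=bjones src=192.168.1.30
2010-06-14 08:06:27 LOGON_FAIL user=bjones src=192.168.1.30
2010-06-14 08:06:33 LOGON_OK user=bjones src=192.168.1.30
2010-06-14 09:15:00 CHART_READ user=bjones patient=MRN-0042
2010-06-14 23:47:12 LOGON_OK user=rlee src=203.0.113.9
2010-06-14 23:48:30 CHART_READ user=rlee patient=MRN-0007
2010-06-15 07:59:59 LOGON_OK user=ahall src=192.168.1.44
"""

# Assumed role table: least privilege means only clinical roles open charts.
ROLES = {"jsmith": "physician", "rlee": "physician",
         "bjones": "billing", "ahall": "front_desk"}
CHART_ROLES = {"physician", "nurse"}

# Assumed thresholds for the example.
FAIL_THRESHOLD = 5                 # invalid passwords for one account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window raise an alert
BUSINESS_HOURS = (7, 19)           # 07:00-19:00 local; logons outside are flagged


def parse_line(line):
    """Split one log line into (timestamp, event name, dict of key=value fields)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    event = parts[2]
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, event, fields


def review_log(text):
    """Return a time-sorted list of (timestamp, rule, user) alerts for the log."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event, fields = parse_line(raw)
        user = fields.get("user", "?")
        if event == "LOGON_FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once when the bar is reached
                alerts.append((ts, "repeated_logon_failures", user))
        elif event == "LOGON_OK":
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append((ts, "after_hours_logon", user))
        elif event == "CHART_READ":
            if ROLES.get(user) not in CHART_ROLES:
                alerts.append((ts, "chart_access_outside_role", user))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, rule, user in review_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:28} {user}")
```

On the sample log this flags the five failed logons for bjones, the chart read by the billing user bjones, and the 23:47 logon by rlee; which of these is an incident and which is a forgotten password or an on-call physician is exactly the judgement the article says someone must be paid to make.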

Computer networks are constantly changing. There are new programs being added, program updates being applied and security patches being downloaded and applied. Every change to the network has the potential of opening up a hole that someone could find and exploit to access your data. A security best practice is to periodically have a network penetration and vulnerability scan performed on your network. These scans are usually done by outside IT consultants that are very familiar with network security. The network penetration scan tries to access your network from outside of your office. This could be through the Internet, phone lines, wireless access points, etc. The scan looks for holes in your network security that someone could access. The holes could be created by an improperly configured firewall or by having unnecessary services running on the network that could be accessed. Without the network penetration test you would probably have no idea that these security holes existed. The network vulnerability scan looks for security holes on your internal network. Vulnerabilities could be identified by your vendors such as Microsoft or your EMR vendor. The vendors put out security patches that address the security vulnerabilities. A vulnerability scan will check to make sure that the appropriate security patches for your network have been applied. The end result of both the network penetration and vulnerability scan should be a comprehensive report on any issues that have been identified and the recommended steps to address the issues. 

The other big piece of security is training your staff to perform their job functions in a safe and secure manner that protects patient data. It is important to go over the policies and procedures with employees, but it is even more important for them to understand the benefits of security. When you start implementing better network security you will be making changes that directly affect your employees. They need to understand why passwords need to be 8 characters and changed every 60 days (for example). They need to understand why data must be encrypted if it is leaving your network. The good news is that employees already understand security. They understand the need for safe transactions when they are buying something from amazon.com. Training should take what they already understand and apply it to patient information. The bad news is that network security means change. Many employees don’t like change, and they like doing things the way they are used to.

As you can see, security is a challenge for any medical practice. It requires a few extra steps to perform a job function in a secure manner. Security has costs that are both obvious and hidden. Security means change, and change can have a direct impact on your staff. The purpose of this article was not to scare you away from security but to shed some light on what you will be getting into as you implement better network security that protects your patients’ data.


Small practices begin to adopt EMRs

A survey by NaviNet, the largest real-time healthcare communications network, shows some interesting trends in EMR adoption in medical practices with 10 or fewer physicians.  It seems the reduction in administrative overhead and CMS mandates are spurring adoption more than ARRA stimulus incentives.  Cost still remains the largest obstacle to adoption, but 33% of those surveyed said they plan on implementing in the next 12 months.

  • In August 2009, 9% of small physician practices projected that they would be implementing an EMR in 6 months. Six months later in 2010, 12% are currently implementing.
  • Reducing administrative overhead continues to be a key driver for IT adoption.
  • ARRA is becoming a more important driver of IT adoption – In 2010, 27% of small physician practices said ARRA incentives are impacting IT buying decisions while in 2009 that figure was 12%.
  • Only about one quarter of small physician practices said that they plan on following CMS’ guidelines for ‘Meaningful Use’ to qualify for incentive payments provided by ARRA.

Chart: Drivers of IT Adoption

Cost still remains the largest obstacle for adoption

Chart: Barriers to EMR Adoption

The number of practices implementing EMRs has increased, and 33% of those surveyed planned on implementing in the next 12 months.

Chart: Timeline for EMR Adoption


HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan future articles that go into the HIPAA Security Rule much more in depth, but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.  A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.


Electronic registration savings are significant

The Medical Group Management Association (MGMA) has an interesting study on the benefits of electronic registration.  In January 2009 the MGMA launched an initiative called SwipeIT.

Project SwipeIT is an industry wide initiative launched by the Medical Group Management Association (MGMA) in January 2009 to advance the adoption of standardized patient health-insurance identification (ID) cards containing machine-readable information.

The concept is that the insurance providers will issue patient health-insurance ID cards that contain patient information including demographics, health plan information, co-pays, etc.  The cards will act and function like a credit card.  Each medical practice, hospital and clinic will need to have a card reader that can process the information on the card.  The card reader can then be linked to a practice’s EMR or practice management system, which will populate the patient demographic and insurance fields automatically.  The whole process is referred to as electronic registration.

The MGMA study takes a look at the costs of non-electronic registration and calculates the savings that can be realized by implementing electronic registration.  There are enough numbers and calculations in the study to make your head spin but I will highlight a few statistics that are eye opening.

Model Assumptions and Raw Input Values

Number of claims per year for physician professional services: 1,160,542,000
Hours saved per year during registration process by implementing electronic registration: 95,280,498
Dollars saved per year during registration process by implementing electronic registration: $1,931,753,287

Number of claims per year that must be resubmitted due to payer denial due to incorrect patient demographics from non-electronic registration: 57,168,299
Hours per year to resubmit claims denied due to payer denial due to incorrect patient demographics from non-electronic registration: 14,292,075
Dollars saved per year by not having to resubmit claims denied due to payer denial due to incorrect patient demographics from non-electronic registration: $289,762,993

Total savings due to implementing electronic registration (dollars per year): $2,221,516,280

The MGMA estimates that $2.2 billion per year can be saved by implementing electronic registration.  It should be noted that the study does not estimate the cost to implement electronic registration, including the cost to insurance providers to issue the card, to practices and hospitals to purchase and install card readers, to EMR and practice management vendors to modify their software to interface with the card readers, etc.  I suspect that a good part of the initial $2.2 billion in savings would go to the implementation costs.  The ongoing savings would still be significant.

The MGMA also studied the impact on a typical 6 FTE physician practice and published their results.  They took conservative and non-conservative estimates of the impact of electronic registration.  The difference between the estimates is described as:

A conservative estimate where only 10% of patients have their insurance cards copied, presumably because of changes in their information.

The non-conservative estimate is where:

(a practice) copies the patient’s insurance card on each visit. This practice may also have a much larger proportion of patients whose information needs updating.

The highlights of the study are listed below:

Conservative estimate
Time saved by swipe card: 7 h/day, 1820 h/year

Non-conservative estimate
Time saved by swipe card: 23 h 45 m/day, 6175 h/year

If these numbers are accurate, the need for front desk personnel could be reduced and savings could be realized at a practice.

Electronic registration is an industry wide initiative.  All stakeholders including insurance providers, EMR vendors, medical practices and hospitals would all need to be involved and implement the appropriate technologies.  Until then, the savings highlighted in these studies are only theoretical.


Hidden Costs of an EMR Implementation

There are literally hundreds of Electronic Medical Records (EMR) systems for sale.  Some have similar feature sets while others differ in their offerings.  There are many articles, blogs, and whitepapers on picking and implementing the best EMR for a practice.  Most of these seem to focus on the software selection, the workflow process, the implementation process and ongoing support of the EMR.  What seems to be missing is a focus on the actual network and computer system that the EMR will be running on.

As a practice goes from paper charts to a full blown EMR implementation, there will be a need to grow the practice’s computer network dramatically.   With the old paper chart model, there may be a couple of computers at the front desk for patient sign in and insurance information collection.  There may also be a few computers for billing and administration.  On the whole, a practice may have a very small or limited computer network. 

On the other hand, once a practice moves toward an EMR implementation the amount of technology required increases dramatically.  The front desk may need scanners to scan insurance cards, driver’s licenses, etc.  Additionally, the front desk may check on insurance coverage, which may require Internet connectivity.  Physicians will need tablet computers to enter patient information during a visit.  If a practice decides not to purchase tablet computers, then perhaps each exam room will need a computer, laptop or terminal to access the EMR system.  The billing department will need access to the EMR system as well as Internet connectivity to submit insurance claims.  Workgroup or network scanners may be needed to scan old patient records into the EMR or to scan patients’ new paper information, e.g. letters, referrals, etc.  Electronic fax servers may be required to send information out of an EMR to another physician’s office, or the fax server may be used to receive electronic faxes and attach them to patient records within the EMR.

In addition to the equipment mentioned above, there is the EMR itself.  The EMR may require a database server and database software such as Microsoft SQL Server.  There may be a need for a network domain controller, which stores the user names and network credentials for a practice’s employees.  The EMR database may be backed up to a tape backup unit or by a remote backup service that backs up the data securely over the Internet.  The reliance on the Internet becomes essential and requires a dependable and fast Internet connection.  These connections can be a T1 from a phone carrier (i.e. Verizon, AT&T, Qwest, etc.), DSL or a Cable Modem.  The Internet connection should be secured via a Firewall, which protects a practice’s network.

Once all of the above technology is purchased and deployed, a practice may want to roll out Email for both internal and external communication.  Email with patients may require additional email encryption technology.  With all the new computers and employees that now have access to the Internet, the potential for abuse may arise.  Technology to limit employees’ access to the Internet may need to be implemented.  Additional technology to provide Disaster Recovery of the EMR or network may also need to be purchased and implemented.  Remote Access to the EMR may be required, which may in turn require additional network technology.

As you can see, a practice may go from a handful of computers to a full-blown computer network with a lot of advanced technology.  The network will need to be maintained, which may include verifying data backups, security patch deployment, software upgrades, preventative maintenance, etc.  In addition, the HIPAA Security Rule and HITECH Act require that a network be secure and audited, and that access to patient information be available.  These requirements bring along the need for additional technology and network maintenance processes.

We will go into detail about a lot of these technologies in future updates.  A final thought for when a practice is evaluating EMRs – Don’t forget about the computer network!
