July 2007 — Volume 2, No. 7
In This Issue
- Point-Counter Point: Lessons Learned from the Field
- It’s Not Just About the Technology
- What Does “HIPAA Compliant” Really Mean?
- Tips and Tactics on Communicating with Practice Managers
- News Briefs
- Terms and Definitions
- CCHIT News
- Vendor Update
- Already There...Implemented Health IT
- HIT Dashboard
- Be A HIMSS Member
#
Terms and Definitions
HIMSS Privacy and Security Toolkit: The HIMSS Privacy & Security Toolkit content outlines general principles and provides best practice and examples of how health care providers should manage privacy and security. Sections of the Toolkit identify key activities to integrate into the process of managing information privacy and security. Access the Toolkit at no charge on the HIMSS Web site.
HIPAA Privacy Rule: The Department of Health and Human Services (HHS) issued the patient privacy protections pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The first and only comprehensive federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003.
Developed by HHS, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically.
HHS developed a new Web site in April 2007 with information on HIPAA privacy compliance. The enhanced Health Information Privacy Web site provides comprehensive information about the Privacy Rule. Visit the HIPAA Web site for more information on the act.
Visit the HIMSS Web site to learn more about the HIMSS position on HIPAA, legislative updates and more.
Sources: HHS and HIMSS
Privacy: 1. The right to have all records and information pertaining to healthcare treated as confidential. 2. Freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about the individual.
Security: Means to control access and protect information from accidental or intentional disclosure to unauthorized persons from alteration, destruction or loss.
Source: “Privacy” and “security” definitions from HIMSS Dictionary of Healthcare Information Technology Terms, Acronyms and Organizations, HIMSS, 2006
News Briefs
Keynote Address: Will Privacy and Security Concerns Impede HIT Initiatives? Identifying Issues and Practical Solutions
Bill Braithwaite, former US Department of Health and Human Services advisor, delivers this keynote address at the Fourteenth National HIPAA Summit, held in March 2007.
Salvatore Volpe, MD Rewarded for Quality Efforts
From left to right are: Theodore O. Will, CEO of IPRO; Salvatore Volpe, MD; and Alan Silver, MD.
Salvatore Volpe, MD, PC (Staten Island, NY) was named as a recipient of this year’s “Quality Award.” The Quality Awards, given annually by IPRO, New York State’s Medicare Quality Improvement Organization, recognize health care providers demonstrating a commitment to improving health care services in the state.
“Dr. Volpe has shown that a collaborative, focused effort can lead to real improvements in the quality of care delivered to New York’s Medicare beneficiaries,” says Clare B. Bradley MD, MPH, chief medical officer, IPRO. “Quality improvement is a complex and time-consuming process, and we thank Dr. Volpe for his commitment to the health of New Yorkers.”
In conferring the award at IPRO’s 23rd Annual Membership meeting in June, Dr. Bradley noted that Dr. Volpe received the award because of “his dedication to improving care for Medicare beneficiaries, as reflected in the work he has done to create a patient-focused environment within his practice, and his work as a physician champion in promoting the use of electronic health records and health information technology for quality improvement.”
“Recognition by IPRO is a true honor. I have benefited from the guidance and support of Dr. Alan Silver and Suzanne Columbus and look forward to continued work with IPRO as we continue to promote health information technology as means to improve the quality of care for patients,” said Dr. Volpe.
IPRO is an independent not-for-profit corporation and one of the largest health care quality improvement and evaluation entities in the United States. Visit www.ipro.org for more information.
Salvatore Volpe, MD, FAAP, FACP, CHCQM has 17 years of a primary care practice experience. He is one of the few physicians in the country to have successfully become board certified in pediatrics, internal medicine, geriatrics and quality assurance. He has served as a medical director or associate medical director for several national and regional managed care organizations. Visit www.svolpemd.com for more information.
CCHIT News
Certification Commission Restructures Work Groups
The Certification Commission for Healthcare Information Technology recently restructured its volunteer work groups to address a significantly expanded certification program for 2008.
Building on the success of the ambulatory (office-based) EHR certification program, the Commission is expanding its scope of work to begin addressing some medical specialties and specialized care settings. In addition, the inpatient (hospital-based) certification program will begin in August.
Under the new work group structure, there are two types of volunteer roles: membership in one of five sustaining work groups (Foundation; Ambulatory EHR; Inpatient EHR; Emergency Department EHR; and Networks); or serving on one of five new expert panels (Security; Interoperability; Privacy and Compliance; Child Health; and Cardiovascular Medicine). A roster of the 161 newly selected work group and expert panel members is available on www.cchit.org.
The work groups met July 10 in Chicago for a kick-off meeting. Their first order of business is to develop a survey, or environmental scan, of the industry in order to determine criteria recommendations, existing standards, marketplace availability and the scope of the work to be delivered by July 2008. The survey will be published shortly after the Sept. 10 Commission meeting with a 30-day public comment period to follow.
Call for Commissioners
The Certification Commission is seeking qualified candidates to serve as Commissioners for a two-year term beginning in October. The application period is open until July 31. The 21-member Board of Commissioners oversees and approves the development of certification criteria by the Commission’s work groups and supporting staff, and its composition is designed to ensure representation from a wide variety of stakeholders.
This year, six Commission positions are open, one from each of the following stakeholder groups: health care consumer organizations; health information exchanges; informatics experts; public health agencies; safety net providers; and ambulatory care providers. Candidates will be considered only in those stakeholder areas. Interested candidates should submit their resumes to candidates@cchit.org. The Board of Trustees will review all applications and announce appointments in September.
Inpatient CCHIT Certification Program to Begin
Companies with Inpatient EHR products that are interested in obtaining CCHIT CertifiedSM status will be able to apply for testing August 1, 2007.
In preparation for testing, it is highly recommended that product teams review the available materials, under Preparing for CCHIT Certification. The application period will remain open until August 14.
HIT Dashboard
Visit the HIT Dashboard for More Information on RHIOs/HIEs
Your peers belong.
Your mentors belong.
You belong in HIMSS.
Join or renew today
Point-Counter Point: Lessons Learned from the Field
The Digital Office introduces "Point-Counter Point: Lessons Learned from the Field,” a new feature where readers can share their opinions and lessons learned.
Just read the article, “A Physician Perspective on the E-H-R: It's Not Just about the Money,” by Dr. Steven Spady, DO, MMM that follows here.
If this is a topic you’re passionate about- or if have an opinion you want share - then click on the link at the end of the article, pen your response in under 300 words, and send it to digitaloffice@himss.org. Look for your comments, and others, in the August issue of the Digital Office.
Please note: Comments received will be considered for publication. Derogatory comments of any type, e.g., vendors, professional organizations, individuals, etc., will not be accepted.
A Physician Perspective on the E-H-R
It’s not just about the money
In an interview with Digital Office Editor Joyce Lofstrom, Dr. Steven Spady, DO, MMM, wondered who is finally going to ask the tough questions and what seems to be the barrier to implementing the EMR. His conclusion: it’s not just about the money.
A native of Everson, Wash., Dr. Steven Spady began his medical career with a BS in Nursing and subsequently, a Doctor of Osteopathy degree from the University of Health Sciences-Kansas City.
He was recruited to the Manchester, Ky. area following medical school for public health assistance pay back. He has continued to serve the surrounding counties for more than 23 years in family practice, emergency department medicine and multiple healthcare ventures. In 1998, he received a Masters of Medical Management degree from Carnegie Mellon University.
From a business perspective and in today’s digital world, Dr. Spady finds it interesting that only 12-18 percent of physician practices have adopted the EMR.
“Most providers that I know have many products at home and access numerous digital products for entertainment that are very sophisticated. Could it be that the EMR technology currently available is too complicated, and costly, for 80 percent of the documentation needs of clinical health care?” Dr. Spady also notes that a large percentage of the documentation of healthcare activity is still ‘lead, ink and paper.’
“I wonder what would happen if someone had an EMR product that would shift the paradigm from the physical to digital with an increase in productivity and ROI at the same time?”
He asks: What about a simple, cheap, and digital SOAP note? (A daily progress report in a patient's chart, the SOAP note acronym stands for subjective, objective, assessment, and plan.) “It is almost universally recognized as a starting point for clinical documentation and could be portable, easily interoperable, and consistent with all the traits we are looking for. Would the adoption rate change?”
According to Dr. Spady, “providers have felt for years they are being left out, left behind, and let down. Common logic would tell anyone that nothing positive comes out of a situation where the provider of health care gets less respect, less professional satisfaction, less ROI, and is asked to give more time, incurs more risk, has increasing demands to accept pay for performance and is expected to use EMR technology for less productivity.”
The other push back that he sees from providers adopting EMR technology is a basic human trait: “Who really has the power, control and money.”
When is there going to be honest discussions about these issues and how the US health care system can work through them?
After contemplating the above questions for years, Dr. Spady has realized that “the right data, to the right place, at the right time” will significantly alter how healthcare is delivered clinically and what the positive financial ramifications will be.
He has spent eight years conceptualizing this digital vision and three years as CEO of MedAccess Plus, an ASP modeled, agnostic, Web-based platform that will ultimately “de-silo” many aggregate data repositories. He has also prototyped a Federated XDS PIX/PDQ repository that will work in conjunction with the MedAccess Plus platform.
It is all about “increasing productivity and ROI” for the four integral groups of health care participants and how positively they can interact.
Payers, providers, employers and patients will always be at fiscal odds because of the “opposing stress of the buyer/seller relationship in business. But, if the ultimate goal is a healthy individual, there will have to be some give-and- take from all parties.
Again, who is going to be honest enough to admit that currently it really isn’t about the patient, says Dr. Spady. Instead, he says, “it is power, control and money.”
What do you think? Send your response to the Digital Office
It’s Not Just About the Technology
Organizational Redesign
Chuck Parker
Vice President
Chief Technology Officer/DOQ-IT
MassPro
Waltham, Mass.
Organizational redesign, along with resistance to change, tops the list of reasons why EMR implementations fail.
Not only is there is no better time to address improving efficiency in your practice than before you implement an EMR - if you don’t do it – you are risking project failure. Everyone hears the recommendation - if you automate a poor paper-based process, a poor automated process just happens faster. But, not everyone does something about it.
Before installation of the EMR, the following steps are both time-consuming – BUT essential – to getting the most benefit from your EMR. These steps are:
- Documenting current state workflows
- Evaluating them to remove steps or people from the process (for example), and then
- Defining new workflows that incorporate the use of an EMR
This can be done after the installation, but during this phase, projects tend to get stuck or fail.
Additionally, paper-based processes are filled with ‘paper triggers,’ which is the use of paper to communicate tasks and patient flow. With the elimination of paper charts and other paper forms, your ‘triggers’ are gone. If you haven’t analyzed your current processes and determined how to replace your paper triggers with electronic triggers, you will be in for some surprises – and potentially introduce inefficiencies in your practice.
We strongly suggest that you work with your staff to identify these ‘triggers’ and then, develop a common platform for addressing them. By including your staff, you may potentially learn of activity you didn’t know about.
Do you have to document and evaluate every single process? Probably not – but you should concentrate on five main areas:
- Patient Flow – i.e. the patient visit
- Point of Care Documentation – i.e. how and when you will document the visit (for example: using templates, free text, dictation, voice recognition – in the exam room, in the hallway, in the physician office, at a nursing station, etc.)
- In-office Communication – i.e. how different team members in the practice communicate with each other
- Document Management – i.e. managing paper that comes into the practice via fax, mail, with patients, etc.
- Chart Abstraction and Migration – i.e. how you will migrate from the paper chart to the EMR, and defining interim steps where necessary to move through this migration.
Optional Tools
There are two tools that we recommend for practices to use when doing their redesign work – lists and flowcharts. There are pros and cons with each method.
A simple list of every step in a process:
- Requires no special software or tools
- Is straightforward and easy to understand
- Allows counting of each step so that you can calculate your improvement.
It is not useful, however, when branching logic is necessary (which is often). A flowchart (or Visio diagram) is much more useful because it is easy to see where branching logic is necessary and it gives you a complete picture of the process.
What Does "HIPAA-Compliant" Really Mean?
Patricia A. Trites, MPA
By Patricia A. Trites, MPA
CEO, Healthcare Compliance Resources
The Health Insurance Portability and Accountability Act mandates that even small practices comply with the Privacy and Security Rules in an effort to protect the health information of patients in the electronic world. Unfortunately, HIPAA compliance has in some cases been non-existent, and in others, declining.
A 2006 American Health Information Management Association (AHIMA) survey found, “Three years after federal rules governing privacy of patients’ medical records went into effect, compliance seems to have declined.”1 Phoenix Health Group and HIMSS conduct semi-annual surveys to assess HIPAA compliance and have obtained similar data. Their summer 2006 survey revealed:
- Some 22 percent of providers had not implemented privacy standards.
- Those who did implement the standards still had significant gaps in their programs.
- Almost half of the providers surveyed had not implemented Security policies and procedures.2
For those practices that have the intention to comply, the ability to perform a simple audit of their computerized systems would be a significant step in monitoring both privacy and security compliance. The fact that their systems may not have the capability to (1) audit access or (2) make an audit report easily accessible should be a serious concern to any owner or manager of a practice, not to mention patients.
Electronic health record systems and any integrated components, such as a practice management or lab system, should have the ability to record and report access information (both read and write) that includes who, when, where, etc. This ability will contribute to the integrity of the records and support the compliance functions of the organization. Although practices are supposed to be already performing audits of their systems that contain protected health information, the systems are unable to provide the information.
Many practices believe that the term, “HIPAA compliant” means compliant with all of the regulations. However, in most cases, this description only means that the system has the ability to transmit information in HIPAA-compliant, standardized format. Unfortunately, many current EHR systems do not have the necessary capabilities to comply with the mandated HIPAA Security and Privacy Rules implementation specifications, so it appears that compliance will continue to be an issue for practices for some time to come.
1 Nancy Ferris, Published on April 19, 2006 Government Health IT http://govhealthit.com/article94120-04-19-06-Web
2 US Healthcare Industry HIPAA Compliance Survey Results, Summer 2006. Phoenix Health Systems, http://www.hipaadvisory.com/action/surveynew/results/summer2006.htm
Tips and Tactics on Communicating with Practice Managers
By Cynthia L. Dunn, RN, FACMPE
Senior Consultant
MGMA Health Care Consulting Group
What’s Your Training Plan?
The HIPAA Privacy Rule requires that privacy and security be built in to the policies and practices of health care providers. Despite the intent of the law's purpose and scope, there is a lack of widespread and consistent education for medical practice organizations.
Let’s take a minute and review privacy, confidentiality and security terminology. Jay Eisenberg MD offers these descriptions:
- Privacy is the right to be left alone and refers to individual control over the use and disclosure of information.
- Confidentiality is the status accorded to information that indicates it is sensitive and should be protected.
- Security refers to the administrative, technical and physical safeguards that protect a system and information against unauthorized disclosure.
Consumers are interested in maintaining patient privacy related to their own healthcare; however, many individuals are not knowledgeable on the HIPAA law. The National Consumer Health Privacy Survey 2005 results confirmed that 67 percent of Americans remain concerned about the privacy of their personal health information and are largely unaware of their rights.
The New York Times on Tuesday, July 3, 2007 reported that experts say that many health care providers misunderstand HIPAA, have not trained their staff to apply the law fairly, or are afraid of being fined or jailed, even though no medical provider has been penalized in four years for violating the rule. According to the Times, recent studies have found that some health care providers follow HIPAA regulations "overzealously, leaving family members, caretakers, public health and law enforcement authorities stymied in their efforts to get information."
HIPAA requires all covered health providers - and every other covered entity - to properly and adequately train all employees on policies and procedures regarding protected health information and the security measures necessary to protect the confidentiality, integrity and security of that information.
Do all your new and existing employees receive documented annual education about privacy and security? If not, take the time to establish a reasonable policy and enforce it. Today there are many practical resources available for training regardless of your practice size. Protect your patients, your employees, your practice and yourself. Take a minute and look on line, you will be surprised how easy and accessible training can be.
Cindy Dunn has 30 years of experience in health care, which includes 24 years in management, with 18 of those years as administrator of two private medical practices, and six years in nursing management for a hospital-owned physician practice. She has experience in special project management, executing and completing the construction of a medical office building and ambulatory surgery center, and strategic plan formation and implementation.
Vendor Update
EMR Helps 13-physician Practice Enhance Cash Flow
Next Gen EMR
Falls Family Practice, Cuyahoga, Ohio
Squeezed between rising costs and diminishing reimbursement, physician groups like Falls Family Practice, with 13 physicians in this Ohio practice, are continually looking for ways to reduce expenses and increase profitability. FFP found its solution in NextGen EMR, which it adopted in 2004. The practice has realized a positive cash flow “swing” of $1.2 million per year.
Several factors led FFP to select NextGen EMR. Leadership wanted to work with a financially stable vendor that commanded a significant portion of market share to ensure it would be around to provide long-term support and customize the system for future needs.
FFP physicians were impressed that the EMR system came equipped with a comprehensive menu of pre-built templates. However, physicians weren’t “shoehorned” into rigid workflow processes. The system was easy to customize to reflect work habits of individual physicians.
Return on Investment
FFP estimated that previous monthly expenses associated with paper charts exceeded $46,000:
- $4,000-$5,000 to create new charts
- $16,000 in transcription fees
- $24,000 for 10 staff members to pull and re-file paper charts
- $2,000 in office space to store medical records
Results following EMR adoption have been remarkable. The practice has saved $600,000 a year through staff reductions, elimination of transcription and decreased paper supplies – while increasing revenue another $600,000. In addition, FFP welcomed five new physicians, incurring only the costs of licensing and nursing support, but avoiding investment in front desk and billing personnel, office space or computer equipment.
Physician productivity is up 20 percent, thanks to increased efficiency and patient flow-through. Because care is documented electronically, FFP negotiated a 50 percent reduction in malpractice premiums. It generates supplementary income through participation in clinical research – which depends on integrity of data, achievable through an EMR – and pay-for-performance programs.
"We couldn’t be happier,” Dr. Hugh McLaughlin says. “The EMR has delivered outstanding financial results – and helps physicians deliver outstanding care.”
Already There...Implemented Health IT On Privacy and Security
Tom Landholt , MD
By Tom Landholt, MD
Since the days of the Hippocratic oath, it has been incumbent morally and ethically upon every physician to respect the privacy of patients and to ensure and safeguard their medical secrets.
Now we come to the age of HIPAA, legislation intended to guarantee by the government those same basic rights. Such action is warranted as there are now so many more players involved in the physician-patient relationship: third-party payers, medical suppliers, hospitals and, indeed, the government itself. The routine transfer of data and the diverse intentions of these various groups require an increase in vigilance in regards to an individual’s right to privacy and security.
At the same time, new tools in the form of electronic medical records, online submission of billing data and patient registries (among others) have created many new access points to medical data. The “secrets” of the patient are now contained in various databases and routinely transmitted by both paper and electronic means.
As medical technologies have penetrated into the fabric of the physician-patient relationship, we have seen safeguards intended by HIPAA built into these systems. Early on, in the adoption of the technologies, much feedback was needed from providers so that the implementation of HIPAA did not interfere with the practice of medicine.
Many of the changes prompted by HIPAA actually interfered with the safe practice of medicine and we providers were quick to object. But now, that work has almost been completed; most of the major medical information systems available today meet the standards intended by HIPAA without unduly interfering with the practice of medicine. The advent of national standards such as CCHIT provides a guide for products that have safety, security and usability.
In our two-provider primary care practice here in the Ozarks, we find that we still practice medicine with the concern and responsibility for privacy and security as always. The electronic tools we use in our clinic aid us well in the task. While future vigilance must always be maintained, seeing patients in the era of HIPAA and EMR is now a comfortable task.
Dr. Landholt is a practicing family physician in Springfield, Mo. and has been using EHR since 1995. He is also the Medical Director for HIT at MassPRO, a Massachusetts-based quality improvement organization (QIO).