Posts Tagged EMR

Don’t Forget Your Risk Assessments!

Don’t Forget Your Risk Assessments!

Many medical practices are planning their Security Risk Assessments for the new year. Whether to better qualify for the 2019 Merit-based Incentive Payment System (MIPS) or to fulfill obligations to comply with the HIPAA Security Rule, a strong strategy now will reap benefits later. It’s a good time to remember what is required when conducting a Security Risk Assessment, as there tends to be confusion around what the Risk Assessment should include.

Here are some helpful reminders as we move through the first quarter of the year:

It’s Not Just a Checklist. A proper Security Risk Assessment is a thorough process where a covered entity under HIPAA should identify, prioritize and estimate the risks to practice operations resulting from the use of or implementation of a specific technology. Once the risks are identified, a plan of mitigation should be created that provides a roadmap for ongoing risk management.

Don’t Just Focus on EMR. While your EMR system, and the safeguards in place to protect EMR data, should absolutely be part of the Risk Assessment process, time should also be spent analyzing and assessing the risk to protected data that sits outside the EMR system. Identify the ePHI in the practice that resides outside the EMR application (e.g. files stored on users’ personal computers, data stored in ancillary systems, copiers and scanners, etc.) and assess the risk associated with this data as part of the assessment.

No Specific Methodology Required. While OCR has provided practices with guidance regarding the Security Risk Assessment Requirement, there is no mandatory process or method by which a practice must follow to comply with the requirement. However, most security professionals recommend following accepted industry frameworks, such as those provided by the National Institute of Standards and Technology (NIST).

Revisit Previous Risk Assessments to Show Progress. When conducting a new Security Risk Assessment, review past analysis and make an effort to document progress made with regards to risk mitigation. As the spirit of the Security Rule has always been to encourage covered entities to use the Risk Assessment as a starting point for ongoing Risk Management, documenting progress made will show the practice doesn’t simply consider the Assessment a rote exercise but a vital part of managing and mitigating risk on an ongoing basis.

You Don’t Have to Outsource Your Security Risk Assessment. OCR is very quick to point out there is no requirement, neither in the Security Rule nor under MIPS, for covered-entities to outsource their Security Risk Assessment. In fact, OCR has published a free, downloadable tool that practices can use to help with efforts to fulfill requirements (https://www.healthit.gov/topic/security-risk-assessment-tool). However, OCR does go out of its way to explain the time commitment and skillset required to adequately evaluate and utilize the tool, and encourages all covered-entities to seek professional assistance when considering using these resources to self-perform the Security Risk Assessment.

A thorough Security Risk Assessment must stand up to an auditor or investigator, especially in the event of a security incident. A lack of proper Risk Analysis is cited in many investigative findings that have also carried large financial penalties. Take the time to consider how your practice will approach the Security Risk Assessment in 2019, and consider it as an opportunity to genuinely look at where you might be vulnerable and how the Assessment can be used as a springboard for true Risk Management.

References:

https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool

https://www.cms.gov/Medicare/Quality-Payment-Program/Resource-Library/2018-Cost-Performance-Category-Fact-Sheet.pdf

https://www.healthit.gov/topic/privacy-security/top-10-myths-security-risk-analysis

Nic Cofield is Director of Client Services with Jackson Thornton Technologies LLC (JTT). JTT is one of the Southeast’s leading providers of managed IT services, cybersecurity services/consulting and IT Risk Assessments to health care providers. JTT is wholly owned by Jackson Thornton CPAs & Consultants, which is a partner with the Medical Association.

Posted in: Management

Leave a Comment (0) →

After EMR Implementation, Surgeons Spend Less Time Interacting with Patients

After EMR Implementation, Surgeons Spend Less Time Interacting with Patients

Implementing an electronic medical records (EMR) system at an orthopaedic clinic may have unanticipated effects on clinic efficiency and productivity – including a temporary increase in labor costs and a lasting reduction in time spent interacting with patients, reports a study in September 19, 2018, issue of The Journal of Bone & Joint Surgery. The journal is published in the Lippincott portfolio in partnership with Wolters Kluwer.

Even after an initial learning period, introducing a new EMR system may affect several aspects of clinic workflow, according to the paper by Daniel J. Scott, MD, MBA, of Duke University, Durham, N.C., and colleagues. They write, “Healthcare systems and policymakers should be aware that the length of the implementation period is approximately six months and that implementation may alter the time that providers spend with patients.”

Introducing EMRs Could Have ‘Negative Trade-Off’ for Patient Care

The researchers used time-driven activity-based costing methods to evaluate how a new EMR system affected costs and productivity at two outpatient orthopaedic arthroplasty (joint replacement) clinics. The analysis included detailed observations of 143 patient visits before implementation of the EMR system, and again at two months, six months, and two years after implementation.

At two months after EMR implementation, total labor costs had increased significantly, from $36.88 to $46.04 per patient visit. The cost increase was related to increases in the time that attending surgeons spent per patient, from 9.38 to 10.97 minutes, and in the time that certified medical assistants spent on patient assessment, from 3.4 to 9.1 minutes. For surgeons and medical assistants combined, the time spent documenting patient encounters more than doubled: from 3.3 to 7.6 minutes.

By six months after implementation of the EMR system, total labor costs were similar to costs in the pre-implementation period. From six months to two years, labor costs remained stable. Average weekly patient volume decreased for one of the surgeons studied, but remained stable for the other surgeon.

However, the increases in time spent on documentation persisted, even after the initial learning period. This was accompanied by a significant reduction in time spent interacting with patients, from 14.65 to 10.03 minutes.

Electronic medical records systems are rapidly being adopted throughout the US healthcare system, in part due to increased regulation. “EMR implementation can be costly and typically requires workflow redesign,” Dr. Scott and coauthors write. The study is the first to assess the impact of EMR systems in orthopaedic practice.

“This could suggest that providers ultimately were able to spend less time with patients as documentation requirements increased,” Dr. Scott and coauthors write. “If so, this could represent a negative trade-off for patient care and leave patients less satisfied, a trend worthy of further study.”

Posted in: Advocacy

Leave a Comment (0) →

Phishing Schemes Can Paralyze Your Medical Practice

Phishing Schemes Can Paralyze Your Medical Practice

“Phishing” occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant impact on the health care industry.

What Is “Spear Phishing”?

Spear phishing is a specific kind of phishing that customizes its attack to specific individuals. For instance, the perpetrator may study an individual’s social media profiles and send them an email that appears to be from a co-worker or organization that they belong to. Just as with normal phishing exercises, the goal is for the target individual to click on a fraudulent link or attachment that will either provide the perpetrator with personal information or provide an opportunity to introduce malware into their computer system.

How Are Phishing Schemes Impacting Health Care Entities?

The threat of phishing activities to health care entities has steadily increased. Perpetrators are learning that the types of identifying information that health care entities attain and maintain are the exact types of identifiers they need to participate in a wide range of fraudulent activity from filing false tax returns to credit card fraud. These identifiers include data that health care professionals work with daily, like date of birth, social security numbers and health plan information.

When health care professionals fall victim to these phishing schemes it can threaten their entire organization. With the widespread use of Electronic Medical Records (EMRs), compliance professionals are seeing ransomware attacks on the rise as entity administrators attempt to recover their vital data.

Reduce Your Risk

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of an attack.

Identify Phishing Activity

  • Often these fraudulent emails will have email links that are misspelled. For example, instead of customerservice@regionsbank.com, it may have customerservic@reggionsbank.com.  Those variations are small and often overlooked.
  • Be careful about the information that you share on social media. Try not to post personal information like your address, phone number and birth date.
  • Be suspicious about sites that attempt to redirect you to other similar looking websites.
  • If you think an email looks suspicious, contact your supervisor or HIPAA Security Officer so that it can be investigated properly.

Report Phishing Attempts

If you believe that you or someone that you know may have been the victim of a phishing attempt, there are a number of authorities that receive these reports and act to minimize their impact.

  • You may file a report with the Federal Trade Commission (FTC). Reports can be sent electronically at FTC.gov/complaint.
  • Reports can be made to APWG at reportphishing@apwg.org. This is an anti-phishing workgroup that analyzes and fights cybercrimes.
  • Always notify your IT support staff or your HIPAA Security Officer when you believe that you have received a fraudulent email so that they can investigate the email and take action to minimize the threat.

If you have questions regarding phishing and malware, or if you believe that it is time to update your entity’s policies and procedures, please consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA

Leave a Comment (0) →

Report: EMR Industry Must Reckon with Physician User Frustration

Report: EMR Industry Must Reckon with Physician User Frustration

ROCKVILLE, MD – A new study by health care market researcher Kalorama Information has found that physician frustration over the use of EMR systems will be a trend for vendors to deal with. Previously, incentives paid to providers to buy and use electronic medical records were enough for a market boost, but now user frustration is driving vendor switches and contributing to implementation costs. Kalorama has covered EMR for a decade and has issued a new report: EMR Market 2017: Electronic Medical Records in an Era of Disruption.

Kalorama based its findings on attendance at the 2017 HIMSS conference, and from vendor and end-user consults.

“During the HIMSS 2017 conference, discussions revolved around physician dissatisfaction with EMRs,” said Mary Ann Crandall, author of the report. “Physicians still feel that vendors are missing the mark when addressing the needs of physicians.”

Physicians have repeatedly complained that EHRs are difficult to use. Many EHR interfaces are awkward and non-intuitive creating more problems than solutions. Physicians are not convinced that EMRs will cut costs or help to provide better and safer care. One of the reasons for this may be that vendors do not seem to be in touch with what physicians need in their individual practices. Furthermore, EHRs often get in the way and slow users down because of the way they are configured or are not convenient to use. Most EHRs are not designed to help physicians juggle the simultaneous tasks they all face, like answering a question about one patient while in the middle of writing a prescription for another. In addition, because most of the programs that are on the market were developed many years ago before today’s sophisticated interface tools were developed, it compounds the problems.

“Furthermore, physicians get tired of having to sign into multiple hospital systems to locate data on their patients. Smartphones, iPads and the Internet are so intuitive and well integrated that they make EHRs look even worse,” said Crandall in the report.

A survey of nearly 3,000 physicians reported that most physicians do not like the Affordable Care Act and many of them do not like EMRs. Only 30 percent of the physicians surveyed think that EMRs will have a positive effect on the quality of care. One big reason for the sour feeling it that  Medicaid and Medicare reimbursement continues to fall, and Medicaid will cover many of the 32 million uninsured individuals targeted to be insured under the law. The survey also did not show a lot of support for accountable care organizations, which is an emerging payment model authorized in the reform bill.

Crandall said physicians feel that there needs to be a concentrated effort to focus on evidence, accuracy, how it is integrated with the physician’s EMR and how it is integrated within the practice. According to Michael Hodgkins, AMA CMIO, physicians are spending twice the amount of time on deskwork and EHR maintenance, including 38 hours a month spent on EHRs after work hours. This is creating dissatisfaction and contributing to burnout for physicians. Michael Hodgkins further stated that physicians just want to provide high-quality care, but EHR work seems to get in the way. At the same time, practice sustainability and changing reimbursement models that favor scale and shift risk to the providers is leading many practices to merge or sell out altogether.  Simply, physicians are overwhelmed with platforms, apps, regulations and computer work.

Several vendors are listening to the physician complaints and are attempting to make changes. Kalorama reported in April that Allscripts is developing separate workflows for mobile devices and desktop computers, and will focus on touch speech recognition and other non-keyboard interfacing techniques that will help to improve physician perception.

Kalorama notes that while there are a few leaders in the EMR market, there isn’t much brand and mind share and few favorites among physician users. Greater detail on these trends are included in Kalorama Information’s report, EMR 2017: Electronic Medical Records in an Era of Disruption.

Posted in: Management

Leave a Comment (0) →

Between Doctors & Patients…Technology in the Treatment Room

techintreatmentroom_banner

Editor’s Note: This article was originally published in the Spring 2016 issue of Alabama Medicine magazine

Love them or hate them, electronic records are here to stay.

Electronic health records, or EHRs, are an evolution of the electronic medical records, or EMRs, that some medical practices use internally. EMRs are a digital version of the paper charts containing the medical and treatment history of the patients in one medical practice. EMRs have advantages over paper records in that they allow physicians to track patient data over time, identify which patients are due for preventive screenings and check ups, and monitor overall quality of care within the practice.

EMRs, however, are not built to travel easily outside the medical practice should the physician need to send the patient to another physician. This is where EHRs are intended to pick up and be more effective. EHRs are built to share patient information between medical practices, laboratories, hospitals and other health facilities. Should your patient be seen in the emergency room, EHRs are supposed to allow you to view those charts and results, including all the physician’s notes, labs and any films.

That’s how the system is supposed to operate. While the EHR systems work well for some, mostly larger practices and specialty physicians, they cause more problems than they solve for others, particularly smaller practices and family care physicians.

The surgeons with Alabama Orthopaedic Specialists, PA, in Montgomery, began looking for a solution to their charting issues in 2006, long before federal regulations started to trickle down concerning electronic records. Finding the best solution for the practice didn’t happen
overnight. It was a process, according to practice manager Ron O’Neal.“It took a little while for us to discover exactly what this would mean to the practice…the good and the bad…and it needed to be something everyone was on board with,” O’Neal explained. “It took time for us to come up with a checklist of everything we wanted and needed our EHR to do. It was important we found a system that would work for our practice instead of our practice working for that system, so we took our time.”

“It took a little while for us to discover exactly what this would mean to the practice…the good and the bad…and it needed to be something everyone was on board with,” O’Neal explained. “It took time for us to come up with a checklist of everything we wanted and needed our EHR to do. It was important we found a system that would work for our practice instead of our practice working for that system, so we took our time.”

Michael Davis, M.D., a surgeon with Alabama Orthopaedic Specialists, helped lead the search to find the perfect EHR for the group and agreed with O’Neal that while the search for the best system may have seemed long, it was for a good reason.“Historically we had paper charts. So, when a patient would be seen by one of our physicians yesterday and referred to me today didn’t really have any idea why they were seeing me and would expect me to know why they were here. It would take time for me to collect the paper chart, if everything was there, and sometimes re-interview the patient. That took a lot of time. If you don’t have to filter through all those notes to get to the bottom of the problem when someone else already has, you save a lot of time. You’re not duplicating tests and x-rays, and patients aren’t exposed to more tests or irradiated more than once just because you can’t get your hands on those results,” Dr. Davis said.

“Historically we had paper charts. So, when a patient would be seen by one of our physicians yesterday and referred to me today didn’t really have any idea why they were seeing me and would expect me to know why they were here. It would take time for me to collect the paper chart, if everything was there, and sometimes re-interview the patient. That took a lot of time. If you don’t have to filter through all those notes to get to the bottom of the problem when someone else already has, you save a lot of time. You’re not duplicating tests and x-rays, and patients aren’t exposed to more tests or irradiated more than once just because you can’t get your hands on those results,” Dr. Davis said.For Dr. Davis, having the EHR in hand can make explaining a complicated procedure a bit smoother when the tool can be used to illustrate the nuances of a surgical procedure by showing the patient his or her x-rays, MRIs, and other test results. But, the EHR is just that…a tool, which Dr. Davis is quite mindful of making sure doesn’t become an intrusive object in the treatment room.

For Dr. Davis, having the EHR in hand can make explaining a complicated procedure a bit smoother when the tool can be used to illustrate the nuances of a surgical procedure by showing the patient his or her x-rays, MRIs, and other test results. But, the EHR is just that…a tool, which Dr. Davis is quite mindful of making sure doesn’t become an intrusive object in the treatment room.

Yet, Dr. Davis and O’Neal agreed EHRs work better for specialties than with family practices when considering the diagnostic possibilities family physicians face with their patients. What’s streamlined in a specialty is often wide ranging in family practice.

Maarten Wybenga, M.D., a family physician in Prattville, hasn’t made the switch from paper charts to EHRs and doesn’t have any plans to in the immediate future. For Dr. Wybenga, e-prescribing and electronic billing are sufficient to keep the federal mandates at bay.

“I’m always going to be ‘pro-the-patient.’ I never jump on the bandwagon when something new comes out. I want to read the research, see how it works first before I start using it with my patients. It’s the same with technology in the medical office,” Dr. Wybenga said. “I’ve wanted to stand back and watch it a little rather than jump right in. When things started getting interesting with electronic records, we talked about it. Should we do this, or should we wait and see what’s going to happen? Should we give it a year or two? As we watched the technology arena grow and grow, the software companies exploded. There were just too many offering too much. We keep watching, but I’m just not satisfied, and I haven’t made that decision. To this day, we’re still on handwritten medical records.”

According to Amy Wybenga, Dr. Wybenga’s practice manager and immediate past president of the Alliance to the Medical Association of the State of Alabama, the number of reasons against using EHRs in the practice simply outweighed the positive outcomes.“No one could give us a good, sound reason of what benefit it would be to us or our patients if we changed over. For our practice, the negative reasons definitely outweigh the positive reasons,” Wybenga said. “We would have to cut down on the number of patients we could serve for at least a year because it could take up to that long for us to switch everything over, and it would slow us down too much. Being a family practice in a rural area, there’s just no way we can cut back on the number of patients we see. Those patients have to be seen. Why would we go to a system that would slow us down even more, something that we can’t share with anybody, would still have to print off information to fax or email to other doctors because it won’t communicate with other systems…where’s the benefit?”

“No one could give us a good, sound reason of what benefit it would be to us or our patients if we changed over. For our practice, the negative reasons definitely outweigh the positive reasons,” Wybenga said. “We would have to cut down on the number of patients we could serve for at least a year because it could take up to that long for us to switch everything over, and it would slow us down too much. Being a family practice in a rural area, there’s just no way we can cut back on the number of patients we see. Those patients have to be seen. Why would we go to a system that would slow us down even more, something that we can’t share with anybody, would still have to print off information to fax or email to other doctors because it won’t communicate with other systems…where’s the benefit?”

For one gastroenterologist who just started a new practice in January using paper charts, Bradley Rice, M.D., of Huntsville, who is also a member of the Association’s Board of Censors, is working to make the transition to EHRs a seamless one for his staff and patients. “I actually try to use the computer a small amount of time while in the room with a patient. I talk with the patient and take notes on a sheet I have designed,” Dr. Rice noted. “I prefer to speak with the patient instead of talking to them while looking at a computer, so I wait until the end of the appointment to then work on the computer, then escort them up to the check-out area. My goal is to make sure the patient feels comfortable and understands that I am there to meet with them instead of focusing on the computer in the room.”

“I actually try to use the computer a small amount of time while in the room with a patient. I talk with the patient and take notes on a sheet I have designed,” Dr. Rice noted. “I prefer to speak with the patient instead of talking to them while looking at a computer, so I wait until the end of the appointment to then work on the computer, then escort them up to the check-out area. My goal is to make sure the patient feels comfortable and understands that I am there to meet with them instead of focusing on the computer in the room.”

Dr. Rice and his staff have seen both sides of the EHR coin and agree with Dr. Davis and O’Neal that the initial setup of a system can be difficult and costly. It takes time to scan and input data into a new system, but once the system is online, it can help with documentation and accountability.

Interoperability was one of the initial selling points for EHRs from the Office of the National Coordinator for Health Information Technology. Fully functioning EHRs are designed to “talk” to other systems. However, many physicians are finding this may not be the case, and after years of voicing complaints through their medical societies and associations, their concerns seem to be getting through.

Department of Health and Human Services Secretary Sylvia Burwell recently announced the nation’s top five health care systems and companies, which provide EHRs covering more than 90 percent of hospital patients, have agreed to principles designed to improve patient access to health data and eliminate the practice of data blocking. These groups have also agreed to adopt federally recognized, national interoperability standards by 2018.

To unlock the data and make it useful to physicians, the companies have agreed to:

  • Implement application programming interface (API) technology so smartphone and tablet apps can be created, facilitating patient use and transfer of health care data.
  • Work so physicians can share health data with patients and other physicians whenever permitted by law, while not blocking such sharing either intentionally or unintentionally.
  • Use the federally recognized Fast Healthcare Interoperability Resources data standard.

In late 2015, the Medical Association led a coalition of nearly 40 Alabama specialty and county medical societies in asking to the Alabama Congressional Delegation to support the Patient Access and Medicare Protection Act, which granted the Centers for Medicare & Medicaid Services the authority to expedite applications for hardship exemptions from Meaningful Use Stage 2 requirements for the 2015 calendar year. President Obama signed the bill. Because CMS didn’t publish the MU Stage 2 final rule until Oct. 16, physicians weren’t informed of the requirement until fewer than the 90 required days remained in the calendar year, leaving most in a penalty-assured lurch. CMS extended the deadline for physicians to apply for MU hardship exemptions to EHR incentive program. The new deadline is now July 1, 2016. The extension is being granted “so providers have sufficient time to submit their applications to avoid adjustments to their Medicare payments in 2017.” The new application forms and instructions to file a hardship exemption are on the CMS website.

Because CMS didn’t publish the MU Stage 2 final rule until Oct. 16, physicians weren’t informed of the requirement until fewer than the 90 required days remained in the calendar year, leaving most in a penalty-assured lurch. CMS extended the deadline for physicians to apply for MU hardship exemptions to EHR incentive program. The new deadline is now July 1, 2016. The extension is being granted “so providers have sufficient time to submit their applications to avoid adjustments to their Medicare payments in 2017.” The new application forms and instructions to file a hardship exemption are on the CMS website.

For physicians contemplating switching from paper charts to EHRs, Dr. Rice and his office staff offer these tips:

  1. Always remember, “Treat the patient, not the computer”
  2. Think about the big picture in terms of technology and how the flow and setup will affect the office. For example, how many screens, what type of computers, scanners, etc., should I choose? Who will be using these computers? Laptops vs. desktop computers in treatment rooms? A personal analysis needs to be conducted of what type of layout/format fits your practice.
  3. Choose a good program that has excellent technology support. Make sure to choose the correct computers and equipment necessary for the EHR program that is chosen for your practice.

Article by Lori M. Quiller, APR, director of communications and social media

Posted in: Uncategorized

Leave a Comment (0) →