Tag Archives: Healthcare

Value-based care models hung up on lack of resources

A survey of more than 1,000 healthcare providers finds a lack of resources to be the biggest hurdle when shifting to a value-based care reimbursement model.

A value-based care model pays providers based on patient outcomes rather than the amount of services provided. The Centers for Medicare & Medicaid Services began promoting value-based care in 2008. Support for the initiative quickly followed with legislation, including the Affordable Care Act, which passed in 2010.

Despite the push, the shift to a value-based care rather than fee-for-service model has been slow — but steady. Indeed, data analytics company Definitive Healthcare LLC found that the number of U.S. states and territories with value-based care programs has risen from three in 2011 to 48 in 2018.

This year, the company surveyed more than 1,000 healthcare leaders to determine the state of value-based care, as well as what implementation will look like in 2020.

Value-based care: Barriers and accelerators

Kate Shamsuddin, senior vice president of strategy at Definitive Healthcare, said she was surprised that 25.3% of respondents pointed to lack of resources as the biggest barrier to implementing a value-based care model, given the initiative dates back to 2008.


“We would’ve anticipated that the number of resources required to support value-based care would’ve been increasing over time to support the success of these programs and initiatives,” she said. “So that was pretty surprising to see that at the top of the list as a barrier.”

Survey takers also pointed to “gaps in interoperability” and the “unpredictability of revenue stream” as barriers to implementing value-based care programs. “Changing regulations and policies” was another barrier identified by 16.2% of respondents.

Shamsuddin was struck by the “changing regulations and policies” barrier because of the amount of visibility the federal government has provided into policy implementation. Additionally, Shamsuddin said that while changing policies is listed as a barrier, 16.1% of respondents also selected it as a factor that is accelerating the adoption of value-based care.

Almost half, 44.8%, of survey respondents cited “appropriate provider compensation and incentives” as the biggest reason why adoption of a value-based care model moved forward within their organization. In a value-based care model, providers can receive bonuses for performing above-quality care standards. Yet they can also be penalized if their performance falls below those standards.

Shamsuddin said being able to adjust provider compensation and incentives is one way to ensure all stakeholders are “growing in the same direction” when implementing a value-based care program.

“That is one I think we’ll continue to see as an accelerator, especially with healthcare systems being a little bit more, let’s call it experimental, in how they’re willing to move away from the fee-for-service model,” she said.

What CIOs should pay attention to in 2020

As value-based care model implementation evolves in 2020, Shamsuddin said it will be important for healthcare CIOs to keep an eye on federal regulation and policy, which survey takers said was both a barrier and an accelerator.  

Additionally, one of the main areas that will cause change in value-based care program implementation is a growing understanding among providers of how accountable care organizations (ACOs) and bundled payment models such as the Medicare Shared Savings Program work, according to 31.1% of survey respondents.

ACOs and bundled payment models, or alternative payment models that require providers to take on risk and share in the losses and benefits of patient care, will “evolve and become easier to understand,” making it more likely for providers to transition to a value-based care model, according to the survey.

ACOs are associations of hospitals, providers and insurers that assume medical and financial responsibility for their patients; the Medicare Shared Savings Program is a voluntary program that encourages healthcare providers to come together as an ACO. The program provides different participation options to ACOs and allows them to take on varying levels of risk and responsibility for patients.

Consolidation within healthcare will also create what Shamsuddin called a “wild card” in how effective value-based programs will be. When two health systems are thinking about combining, Shamsuddin said it will require healthcare providers to be “open and strategic” around how they’re going to bring in value-based care initiatives during a merger.


ONC urged to slow down for the sake of patient data security

Seven healthcare leadership organizations have called for federal agencies to slow down their work on proposed interoperability and information blocking rules, which are expected to be finalized by the end of 2019. Their major concern is patient data security.

In a letter to the House Committee on Energy and Commerce, healthcare organizations including the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME) and the American Health Information Management Association (AHIMA) outlined their concerns with security of healthcare data apps and a lack of security guidelines enabling third-party access to patient data.

They also worry there will be confusion about exceptions to information blocking and are concerned about implementation timelines for regulation requirements.

In February, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed rules that would require healthcare organizations to use FHIR-enabled APIs to share data with healthcare apps. They also seek to define exceptions to information blocking, or unreasonably preventing patient data from being shared. The goal of the proposed rules is to foster greater data sharing and easier patient access to healthcare data.

“The use of APIs and third-party applications has the potential to improve patient and provider access to needed health information,” the letter said. “It also brings us into uncharted territory as patients leave the protections of HIPAA behind.”

The organizations stated that they support the work to improve information sharing through the use of APIs, but they noted it is “imperative that policies be put in place to prevent inappropriate disclosures to third-parties and resultant harm to patients.”

Letter underscores patient data security concern

It’s not the first time ONC has heard concerns about patient data security.

During a U.S. Senate Committee on Health, Education, Labor and Pensions meeting in May, committee chairman Sen. Lamar Alexander cautioned ONC to take interoperability slow and address issues such as privacy concerns when downloading patient data to healthcare apps.

The letter echoes that caution, suggesting that certified APIs should be required to have more security features and provide patients with privacy notices and transparency statements about whether data will be disclosed or sold.  Additionally, the letter notes a lack of security guidelines for providers as they bring third-party apps into their systems, and urges ONC to require API vendors to mitigate threats and security issues that could impact the provider connected to the API.

While healthcare apps and patient data security is the biggest sticking point, healthcare leaders also outlined other areas of concern such as “reasonable timelines” for implementing the final rules, and making exceptions to information blocking clearer. The healthcare leaders asked that ONC provide more examples of actions that would satisfy the exception requirements before the final rules are implemented.

‘Getting it right’

Healthcare leaders then requested ONC continue with the rulemaking process instead of finalizing the rules as they are now, and take more time to work through the issues outlined in the letter.

Lauren Riplinger, vice president of policy and government affairs at AHIMA, said the letter is a formal message to Congress to stress the importance of slowing down and “getting it right.”

She wants the community to “make sure we’re defining things properly, that the implementation periods make sense, and that it’s reflective of the environment and landscape in which we’re currently at as we work toward implementation of these final rules — whenever it gets finalized.”


In response to the letter, ONC prepared a statement that said the organization is “mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare.”

John Halamka, executive director of the health technology exploration center at Beth Israel Lahey Health in Boston, said when it comes to rulemaking, it’s better for ONC to ask for Mars and settle for the moon, which he said was the intended goal to begin with.

Because it’s part of the rulemaking process, federal agencies no doubt anticipated pushback from the healthcare community, Halamka said. Ultimately, he believes ONC is headed in the right direction, and the letter asking for the time necessary to work through the details is understandable. Fine tuning of the proposed rules, or sub-regulatory guidance, is crucial, he said. “They say Mars, and this letter says Hawaii,” Halamka said. “Eventually, everyone will say the moon. That’s where we’re headed.”


CIO talks lessons learned from Meditech Expanse upgrade

Healthcare organizations may no longer be shopping for EHRs the way they once were, but that doesn’t make implementation any easier.

It took three years of planning and budgeting before Beth Israel Deaconess Medical Center went live with electronic health record vendor Meditech’s latest product at three community hospitals.

Jeannette Currie, CIO of community hospitals at Beth Israel Deaconess Medical Center in Boston, led the initiative to upgrade to the latest version: Meditech Expanse, a web-based EHR designed for mobility. The effort took a year longer than expected.

At the recent Meditech Physician and CIO Forum in Boston, Currie detailed challenges she faced before and during the implementation at the Beth Israel Deaconess Medical Center (BIDMC) community hospitals — and some of the lessons she learned along the way. Her biggest goal was to create a unified IT culture across the three community hospitals which had, up until this point, operated independent IT shops.

For Maurice Abney, CIO at LifePoint Health in Brentwood, Tenn., who attended the forum, his biggest takeaway was how Currie’s budget changed significantly when planning for an EHR implementation, and how it’s better to plan for spending more rather than less.


“This was a confirmation that you need to budget it now so you won’t have to ask for it later,” Abney said.

Challenges with EHR implementation

In 2015, BIDMC decided to upgrade the Meditech EHR at three community hospitals and had an estimated go-live date of Oct. 1, 2017. BIDMC’s goal was to reduce the number of outpatient EHRs from multiple vendors used in its community hospitals by migrating the sites to a single EHR from a single vendor. The community hospitals also all used different versions of the Meditech EHR.

BIDMC, now part of Beth Israel Lahey Health following a merger earlier this year, is a healthcare system composed of academic medical centers, teaching hospitals, community hospitals and specialty hospitals that employs more than 4,000 physicians and 35,000 employees. It is now one of the largest health systems in Boston.

As she planned the EHR implementation project, Currie said delays occurred due to added project scope and additional software requirements that were missing from the original plans. Plus, while BIDMC initially planned to upgrade the community hospitals to the Meditech 6.1 platform, an earlier version of the Meditech EHR, the health system changed its mind and decided on Meditech Expanse, the latest EHR version.

Even with budgeting and planning, the go-live date was pushed back a year, and the project’s estimated budget nearly doubled from an estimated $14.7 million to an actual budget of $27.3 million.

Strategies for addressing challenges

As Currie prepared to unify the three hospitals onto one EHR, she encountered four major challenges: resistance to change and getting the hospitals past the idea that the new EHR implementation was a simple update to their existing Meditech EHRs, breaking down the hospitals’ history of separateness, consolidating IT staff and creating a clear pathway for decision-making involving all three entities.

Jeannette Currie, CIO of Community Hospitals at Beth Israel Deaconess Medical Center, speaks at the MEDITECH Physician and CIO Forum about leading a MEDITECH Expanse implementation at three community hospitals.

This wasn’t the community hospitals’ first Meditech EHR implementation, but upgrading to Meditech Expanse was complicated by the EHR’s added features and functions, according to Currie. The product introduced new workflows and an entirely new platform. Currie said getting the hospitals past that “upgrade mentality” was challenging.

To address the problem, Currie decided to brand the implementation CommunityONE. Her hope in using the word “community” was to steer the upgrade away from EHR tweaks toward a push to unify the IT culture between the three hospitals, something she said was crucial to the project’s success.

She set a mission statement for the project, which outlined what she was aiming to do and why. The mission statement, “to develop, implement and manage a single patient-focused BIDMC Community Hospital EHR using principles of best practice to support clinical excellence, fiscal accountability and a productive experience,” was repeated and promoted throughout the project.

Identifying the benefits of the Meditech Expanse product was also important, Currie said. The gains included a single patient clinical record accessible across the three hospitals, operational efficiency by having the same EHR available for clinicians working at all three hospitals, working with Meditech to house the hospitals’ data, and the creation of a single IT department for the three hospitals.

Consolidating IT staff was a major hurdle because of varying staffing levels, experience and pay scales, Currie said. She worked to fix pay discrepancies and to clearly define IT responsibilities, something the organization is still challenged with. Currie said employees were chosen from across the three sites to form the community hospitals IT department.  

Currie established guiding principles to lead the major organizational change. They included clear project governance structured to promote the project mission. She wanted to make sure to give an equal voice to each hospital, outline participation expectations and be transparent about decisions.

“We needed all the hospitals to participate in the process to create that future. That adds to the cultural aspect because then people feel ownership about what they’re creating and what their end product will be,” she said.

Decision making was the project’s biggest challenge and one of the biggest drivers behind the extended go-live date, Currie said. Each organization came to the table with “passion” for the way their hospital had operated, and they had to work through how they were going to make decisions as a unified IT culture. 

“We had to learn how to reach consensus,” she said.

Currie said she outlined a clear method for decision making, and built the culture through continuous face time and getting to know each other.

“It was a pain in the butt to drive from Plymouth or some of these other areas in Boston traffic to get together,” she said. “But we really found that that in-person time was what promoted respect … people on these teams became friends and that allowed them to work together and become willing to share this system and respect each other’s perspectives.” 

Lessons learned

On Oct. 1, 2018, Meditech Expanse went live at all three hospitals.

Currie said the launch’s success was due to a strong command structure including local command centers set up at each of the sites that were linked to help identify common issues. The IT team also had frequent huddles, identified emerging issues and had boots on the ground to provide support.

At the center of the success was communication, and keeping a consistent message between the three hospitals, she said.


CIOs express hope, concern for proposed interoperability rule

While CIOs applaud the efforts by federal agencies to make healthcare systems more interoperable, they also have significant concerns about patient data security.

The Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services proposed rules earlier this year that would further define information blocking, or unreasonably stopping a patient’s information from being shared, as well as outline requirements for healthcare organizations to share data such as using FHIR-based APIs so patients can download healthcare data onto mobile healthcare apps.

The proposed rules are part of an ongoing interoperability effort mandated by the 21st Century Cures Act, a healthcare bill that provides funding to modernize the U.S. healthcare system. Final versions of the proposed information blocking and interoperability rules are on track to be released in November.

“We all now have to realize we’ve got to play in the sandbox fairly and maybe we can cut some of this medical cost through interoperability,” said Martha Sullivan, CIO at Harrison Memorial Hospital in Cynthiana, Ky.

CIOs’ take on proposed interoperability rule

To Sullivan, interoperability brings the focus back to the patient — a focus she thinks has been lost over the years.

She commended ONC’s efforts to make patient access to health information easier, yet she has concerns about data stored in mobile healthcare apps. Harrison’s system is API-capable, but Sullivan said the organization will not recommend APIs to patients for liability reasons.

Healthcare CIOs at Meditech's 2019 Physician and CIO Forum shared their thoughts on proposed interoperability rules from ONC and CMS.
Physicians and CIOs at EHR vendor Meditech’s 2019 Physician and CIO Forum in Foxborough, Mass. Helen Waters, Meditech executive vice president, spoke at the event.

“The security concerns me because patient data is really important, and the privacy of that data is critical,” she said.

Harrison may not be the only organization reluctant to promote APIs to patients. A study published in the Journal of the American Medical Association of 12 U.S. health systems that used APIs for at least nine months found “little effort by healthcare systems or health information technology vendors to market this new capability to patients” and went on to say “there are not clear incentives for patients to adopt it.”

Jim Green, CIO at Boone County Hospital in Iowa, said ONC’s efforts with the interoperability rule are well-intentioned but overlook a significant pain point: physician adoption. He said more efforts should be made to create “a product that’s usable for the pace of life that a physician has.”

The product also needs to keep pace with technology, something Green described as being a “constant battle.”


Interoperability is often temporary, he said. When a system gets upgraded or a new version of software is released, it can throw the system’s ability to share data with another system out of whack.

“To say at a point in time, ‘We’re interoperable with such-and-such a product,’ it’s a point in time,” he said.

Interoperability remains “critically important” for healthcare, said Jeannette Currie, CIO of Community Hospitals at Beth Israel Deaconess Medical Center in Boston. But so is patient data security. That’s one of her main concerns with ONC’s efforts and the interoperability rule, something physicians and industry experts also expressed during the comment period for the proposed rules.

“When I look at the fact that a patient can come in and say, ‘I need you to interact with my app,’ and when I look at the HIPAA requirements I’m still beholden to, there are some nuances there that make me really nervous as a CIO,” she said.


Transition to value-based care requires planning, communication

Transitioning to value-based care can be a tough road for healthcare organizations, but creating a plan and focusing on communication with stakeholders can help drive the change.

Value-based care is a model that rewards the quality rather than the quantity of care given to patients. The model is a significant shift from how healthcare organizations have functioned, placing value on the results of care delivery rather than the number of tests and procedures performed. As such, it demands that healthcare CIOs be thoughtful and deliberate about how they approach the change, experts said during a recent webinar hosted by Definitive Healthcare.

Andrew Cousin, senior director of strategy at Mayo Clinic Laboratories, and Aaron Miri, CIO at the University of Texas at Austin Dell Medical School and UT Health Austin, talked about their strategies for transitioning to value-based care and focusing on patient outcomes.

Cousin said preparedness is crucial, as organizations can jump into a value-based care model, which relies heavily on analytics, without the institutional readiness needed to succeed.  

“Having that process in place and over-communicating with those who are going to be impacted by changes to workflow are some of the parts that are absolutely necessary to succeed in this space,” he said.

Mayo Clinic Labs’ steps to value-based care

Cousin said his primary focus as a director of strategy has been on delivering better care at a lower cost through the lens of laboratory medicine at Mayo Clinic Laboratories, which provides laboratory testing services to clinicians.


That lens includes thinking in terms of a mathematical equation: price per test multiplied by the number of tests ordered equals total spend for that activity. Today, much of a laboratory’s relationship with healthcare insurers is measured by the price per test ordered. Yet data shows that 20% to 30% of laboratory testing is ordered incorrectly, which inflates the number of tests ordered as well as the cost to the organization, and little is being done to address the issue, according to Cousin.

That was one of the reasons Mayo Clinic Laboratories decided to focus its value-based care efforts on reducing incorrect test ordering.

To mitigate the errors, Cousin said the lab created 2,000 evidence-based ordering rules, which will be integrated into a clinician’s workflow. There are more than 8,000 orderable tests, and the rules provide clinicians guidance at the start of the ordering process, Cousin said. The laboratory has also developed new datasets that “benchmark and quantify” the organization’s efforts.  

To date, Cousin said the lab has implemented about 250 of the 2,000 rules across the health system, and has identified about $5 million in potential savings.

Cousin said the lab crafted a five-point plan to begin the transition. The plan was based on its experience in adopting a value-based care model in other areas of the lab. The first three steps center on what Cousin called institutional readiness, or ensuring staff and clinicians have the training needed to execute the new model.

The plan’s first step is to assess the “competencies and gaps” of care delivery within the organization, benchmarking where the organization is today and where gaps in care could be closed, he said.

The second step is to communicate with stakeholders to explain what’s going to happen and why, what criteria they’ll be measured on and how, and how the disruption to their workflow will result in improving practice and financial reimbursement.

The third step is to provide education and guidance. “That’s us laying out the plans, training the team for the changes that are going to come about through the infusion of new algorithms and rules into their workflow, into the technology and into the way we’re going to measure that activity,” he said.

Cousin said it’s critical to accomplish the first three steps before moving on to the fourth step: launching a value-based care analytics program. For Mayo Clinic Laboratories, analytics are used to measure changes in laboratory test ordering and assess changes in the elimination of wasteful and unnecessary testing.

The fifth and final step focuses on alternative payments and collaboration with healthcare insurers, which Cousin described as one of the biggest challenges in value-based care. The new model requires a new kind of language that the payers may not yet speak.

Mayo Clinic Laboratories has attempted to address this challenge by taking its data and making it as understandable to payers as possible, essentially translating clinical data into claims data.     

Cousin gave the example of showing payers how much money was saved by intervening in over-ordering of tests. Presenting data as cost savings can be more valuable than documenting how many units of laboratory tests ordered it eliminated, he said.

How a healthcare CIO approaches value-based care

UT Health Austin’s Miri approaches value-based care from both the academic and the clinical side. UT Health Austin functions as the clinical side of Dell Medical School.


The transition to value-based care in the clinical setting started with a couple of elements. Miri said, first and foremost, healthcare CIOs will need buy-in at the top. They also will need to start simple. At UT Health Austin, simple meant introducing a new patient-reported outcomes program, which aims to collect data from patients about their personal health views.

UT Health Austin has partnered with Austin-based Ascension Healthcare to collect patient reported outcomes as well as social determinants of health, or a patient’s lifestyle data. Both patient reported outcomes and social determinants of health “make up the pillars of value-based care,” Miri said.  

The effort is already showing results, such as a 21% improvement in the hip disability and osteoarthritis outcome score and a 29% improvement in the knee injury and osteoarthritis outcome score. Miri said the organization is seeing improvement because the organization is being more proactive about patient outcomes both before and after discharge.  

For the program to work, Miri and his team need to make the right data available for seamless care coordination. That means making sure proper data use agreements are established between all UT campuses, as well as with other health systems in Austin.

Value-based care data enables UT Health Austin to “produce those outcomes in a ready way and demonstrate that back to the payers and the patients that they’re actually getting better,” he said.

In the academic setting at Dell Medical School, Miri said the next generations of providers are being prepared for a value-based care world.

“We offer a dual master’s track academically … to teach and integrate value-based care principles into the medical school curriculum,” Miri said. “So we are graduating students — future physicians, future surgeons, future clinicians — with value-based at the core of their basic medical school preparatory work.”


In light of MGH healthcare data breach, experts call for transparency

A recent healthcare data breach at Massachusetts General Hospital underscores the need for greater transparency when it comes to cybersecurity incidents.

Cybersecurity experts describe MGH’s statement on the breach as being light on details. In its announcement about the healthcare data breach, MGH stated that it is notifying nearly 10,000 individuals of a privacy incident that occurred in research programs within MGH’s department of neurology. The statement said that an unauthorized third party “had access to databases related to two computer applications used by researchers in the Department of Neurology for specific neurology research studies.”

The report provided no insight into how the breach occurred. David Holtzman, a health IT expert and an executive advisor for cybersecurity company CynergisTek Inc., other healthcare organizations that could have potentially learned from the incident.

“Healthcare organizations should consider how their experiences can benefit the larger healthcare industry through greater transparency and sharing of information if they suffer a cybersecurity incident,” he said.

A call for more transparency

MGH and its corporate parent, Partners HealthCare, have invested significantly in information security programs and cybersecurity defenses since 2011, according to Holtzman.


The effort was spurred by a settlement with the Department of Health & Human Services’ Office for Civil Rights related to a 2009 data loss incident. According to the resolution agreement, an MGH employee took home documents containing the protected health information of 192 individuals. The employee left the documents on a train when commuting to work on March 9, 2009. The documents were never recovered.

MGH was charged with a $1 million fine and committed to a corrective action plan to strengthen its information security programs.

It’s MGH’s investment in cybersecurity plus its “good reputation in the healthcare community” that should spur the organization to be more transparent when a cybersecurity incident occurs so that other organizations can learn from the incident and strengthen their own programs, Holtzman said.

He believes details such as whether MGH has evidence that the healthcare data breach was the result of an outside attack as well as the mode of attack would be helpful for other healthcare organizations.

“Was it the type of attack that overwhelmed or pretended to overwhelm the security of the enterprise information system? Was it accomplished through social engineering or an email phishing attack? Or is this the work of a malicious insider?” Holtzman questioned.


Israel Barak, CISO for Boston-based cybersecurity company Cybereason Inc., said MGH sets a high standard for cybersecurity across the healthcare industry, and if it can be breached, CIOs and other healthcare leaders should pay attention.

“This should be an indication to the healthcare industry as a whole that we really need to step up our game. Because if this is what’s happening in an organization that sets the high standard, then what can we expect from organizations that look up to Massachusetts General and try to improve based on their example?” he said.

He was also struck by how long it took for MGH to discover the breach in the first place.

According to MGH’s statement, the organization discovered the breach on June 24. Yet, an internal investigation revealed that between June 10 and June 16, the unauthorized third party “had access to databases containing research data used by certain neurology researchers,” two weeks before the breach was discovered.

Data breaches happen frequently in healthcare, but Barak said becoming aware that a breach occurred two weeks after it happened is “a standard we need to improve.”

Takeaways from MGH healthcare data breach

MGH’s statement said the affected research data could have included participants’ first and last names, some demographic information such as sex or race, date of birth, dates of study visits and tests, medical record number, type of study, research study identification numbers, diagnosis and medical history, biomarkers and genetic information, and types of assessments and results. The data didn’t include Social Security numbers, insurance or financial information and did not involve MGH’s medical records systems, according to the statement.

The MGH communications department has no further information on the healthcare data breach other than what’s contained in the statement, according to Michael Morrison, director of media relations at MGH.

CynergisTek’s Holtzman said all data that contains personally identifiable information should have “reasonable and appropriate safeguards to prevent the unauthorized use or disclosure of the information.” Any organization handling sensitive personal information should take a risk-based approach to assessing threats and vulnerabilities to enterprise information systems, he said.

“Take the results of the risk analysis and develop a plan to mitigate and identify threats and vulnerabilities to reduce the risk to sensitive information to a reasonable level,” he said.

Barak said it’s a given that healthcare security systems will get breached, “but the bigger question is, how quickly and how efficiently we can recover from something that happened. What is our cyber resiliency?”


Experts say there’s still a long road ahead for the FHIR standard

A major issue hindering interoperability in healthcare is a lack of data standardization, something federal regulators are trying to change by pushing adoption of the Fast Healthcare Interoperability Resources standard.

FHIR is an interoperability standard developed by Health Level Seven International (HL7) for the electronic exchange of health data. The FHIR standard has gone through multiple iterations and taken five years to develop. It sets a consistent description for healthcare data formats and application programming interfaces that healthcare organizations can use to exchange electronic health records.

In a set of proposed rules for interoperability from the Office of the National Coordinator (ONC) for Health IT and the Centers for Medicare and Medicaid Services (CMS), the agencies would require healthcare organizations to use FHIR-enabled healthcare APIs that would allow patients to download their standardized electronic health information into a healthcare app on their smartphones.

During a panel discussion on the future of interoperability at ONC’s 3rd Interoperability Forum in Washington, D.C., Thursday, panelists including Kisha Hawthorne, CIO of Children’s Hospital of Philadelphia, focused on the reality of using the FHIR standard, and whether the standard will help achieve interoperability in healthcare.

The reality of FHIR standard use today

Will the FHIR standard be a key facilitator of interoperability in healthcare? Panelists agreed that it will — in time. Right now, though, the standard still needs work in the implementation department.

Hawthorne said her team at Children’s Hospital of Philadelphia is looking to use the FHIR standard in the provider space to bridge the gaps between the different software vendors with which the organization works.

The hospital uses an Epic EHR, and Hawthorne said that while she thinks vendors like Epic are beginning to implement and use the FHIR standard, she hopes to see that work “fast forward” with Epic and other vendors to make it easier to gather and share, as well as use, data in the provider space. FHIR standard use is something that’s not quite there yet, she said.

“In the provider space, there’s a ways to go,” Hawthorne said. “But we’re excited and we think it will take hold.”

The potential of the FHIR standard is exciting and it will “open a lot of doors,” but the reality is that the standard is immature, said Kristen Valdes, CEO of personal health app b.well Connected Health.

Valdes said that although she thinks the FHIR standard will create a push toward interoperability in healthcare, challenges associated with implementation of the FHIR standard are hindering progress.

A significant number of providers and organizations aren’t “using a fraction” of the implementation guidelines that have been made available for the FHIR standard, she said. While organizations are thinking about the operational impacts of using FHIR on behalf of users, she said there continues to be debate about the proper HIPAA rules for giving consumers access to their own data, which also hinders its implementation.

“We really have to think about the operational workflows and how it’s going to affect the people who are expected to implement and deploy FHIR,” she said.

The problem with the FHIR standard isn’t the technical aspects of the standard, but the process and people implementing it, said Vik Kheterpal, principal of interoperability product vendor CareEvolution.

Kheterpal said that as a technology standard, FHIR makes sense and has already seen relative success in the launch of programs such as CMS’ Blue Button 2.0. Blue Button 2.0 uses the FHIR standard for beneficiary data, such as drug prescriptions, primary care cost and treatment. Yet, the problem with the rest of healthcare often lies in misinterpretation of policy when it comes to sharing patient data.

Anil Jain, chief health informatics officer at IBM Watson Health, said he thinks the value of the FHIR standard is real, and organizations already need to think about what’s next once the standard matures.

As use of the FHIR standard grows among healthcare organizations, Jain said it’s important to create business cases and models for sharing data that will work using the standard. Otherwise, providers and patients will continue to lack trust in the data, something a standard like FHIR alone won’t give healthcare.


Success of healthcare APIs hinges on data safety, patient awareness

The Office of the National Coordinator for Health IT is steadfast in fostering interoperability through healthcare APIs. But health IT leaders are asking for more nuance: specifically, how APIs can also keep patient data safe.

During ONC’s 3rd Interoperability Forum this week, Don Rucker, national coordinator for health IT, made it clear that the federal agency is dedicated to pursuing greater patient access to data through healthcare APIs, or code that enables software programs to talk to each other.

Earlier this year, ONC and the Centers for Medicare and Medicaid Services proposed new rules on interoperability and information blocking. The proposed rules would require healthcare organizations to use APIs, which ONC hopes will create a market for healthcare apps and inject competition into the mix.

“We are very serious in getting the American public to have the benefits of interoperability on their smartphone,” he said.

Rucker and ONC are focused on the interoperability rule and getting patient data access through apps, as well as keeping data secure. But during the forum, a panel of healthcare experts raised other issues that could affect the use of healthcare APIs.

Patient data safety

Based on more than 2,000 comments on the proposed rules from the healthcare community, ONC is taking a harder look at a growing concern: secondary uses of data when healthcare apps store medical records.

Indeed, concerns about patient data safety were voiced even before the comment period on the rules concluded. During a hearing in May held by the U.S. Senate Committee on Health, Education, Labor and Pensions, several Senate members questioned whether patient data would be safe in an app ecosystem.

The community’s worry has to do with end-user license agreements, which users are asked to sign off on when using an app. The agreements are often cumbersome, long and filled with small print that, in part, detail potential secondary uses of data, something a patient could overlook or accept blindly.

The agreements “don’t work in this modern world,” Rucker said, and the agency is working to find more transparent ways of getting patient consent.

Patient awareness

Healthcare organizations are not yet required to use APIs so that patients can download their electronic health information into healthcare apps — nor are they incentivized to make it known when they do. Indeed, another concern the panel raised had less to do with functionality and more to do with awareness.

Philip Parker, CEO at Boston-based Coral Health, said as a tech company with a healthcare app, he works closely with EHR vendors and provider organizations to connect to APIs they have available. One of the issues he sees is lack of patient awareness about the availability of healthcare APIs enabling them to download their data into an app.

“There’s a big gap there where patients aren’t asking for this yet because they don’t know about it, and it makes it difficult,” Parker said.

While ONC’s proposed rule requiring organizations to use healthcare APIs has not been finalized, early adopters have seen dismal results, according to new research in the “Journal of the American Medical Association.”

Researchers studied 12 U.S. health systems with at least nine months of experience using healthcare APIs. From March to December 2018, the study found that only 0.7% of patients who logged into their patient portal also used an API to download their health data into an app.

The study acknowledged that because the capability is new, few applications are able to access and use electronic health information. But it also stressed that there has been “little effort by healthcare systems or health information technology vendors to market this new capability to patients, and there are not clear incentives for patients to adopt it.”

While APIs will be a good way to share information once patients become more familiar with the capability, another challenge is the content, according to panelist Jim Barnett, director of strategic intelligence analysis at AARP. Clinical or claims data doesn’t always make sense to consumers and can be difficult to interpret, he said. “We need more work there,” he said.


No one likes waiting on the phone for a GP appointment. So why do we still do it?

The team behind the services are experts at healthcare, as they also run Patient.Info, one of the most popular medical websites in the UK. More than 100 million people logged on to the site in 2018 to read articles about healthcare, check symptoms and learn to live a healthier life, and more than 60% of GPs in England have access to it.

They also produce a newsletter that’s sent to 750,000 subscribers and around 2,000 leaflets on health conditions and 850 on medicines.

People can access Patient.Info 24 hours a day, seven days a week. It’s the same for Patient Access, but web traffic spikes every morning when people want to book appointments to see their GP. To handle that demand, Patient Access runs on Microsoft’s Azure cloud platform. The platform is reliable and stable, and all patient data is protected by a high level of security – Microsoft employs more than 3,500 dedicated cybersecurity professionals to help protect, detect and respond to threats, while segregated networks and integrated security controls add to the peace of mind.

“About 62% of GP practices use Patient Access,” says Sarah Jarvis MBE, the Clinical Director behind the service. “They’re using it to manage their services, manage appointments, take in repeat medications, consolidate a patient’s personal health record and even conduct video consultations.

“Just imagine your GP being able to conduct video consultations. If you’re aged 20 to 39 you might not want or need to have a relationship with a GP because you don’t need that continuity of care.

“But imagine you are elderly and housebound, and a district nurse visits you. They phone your GP and say: ‘Could you come and visit this patient’, but the GP is snowed under and can’t get there for a couple of hours. The district nurse is also very busy and must visit someone else.

“Now, with Patient Access, a Duty Doctor can look at someone’s medical record and do a video consultation in five minutes. If the patient needs to be referred, the GP can do it there and then from inside the system. The possibilities are endless, and older people, especially, have so much to gain from this.”

Author: Microsoft News Center

Discover how Microsoft 365 can help health providers adapt in an era of patient data protection and sharing

For years, patient data management meant one thing—secure the data. Now, healthcare leaders must protect and openly share the data with patients and with other healthcare organizations to support quality of care, patient safety, and cost reduction. As data flows more freely, following the patient, there’s less risk of redundant testing that increases cost and waste. Legacy infrastructure and cybersecurity concerns stand on the critical path to greater interoperability and patient record portability. Learn how Microsoft 365 can help.

Impact of regulatory changes and market forces

Regulatory changes are a big driver for this shift. Through regulations like the 21st Century Cures Act in the United States, healthcare organizations are required to improve their capabilities to protect and share patient data. The General Data Protection Regulation (GDPR) in the European Union expands the rights of data subjects over their data. Failing to share patient data in an effective, timely, and secure manner can result in significant penalties for providers and for healthcare payors.

Market forces are another driver of this shift as consumers’ expectations of omni-channel service and access spill over to healthcare. This augurs well for making the patient more central to data flows.

There are unintended consequences, however. The increasing need to openly share data creates new opportunities for hackers to explore, and new risks for health organizations to manage.

It’s more important than ever to have a data governance and proactive cybersecurity strategy that enables free data flow with an optimal security posture. In fact, government regulators will penalize healthcare organizations for non-compliance—and so will the marketplace.

How Microsoft 365 can prepare your organization for the journey ahead

Modernizing legacy systems and processes is a daunting, expensive task. Navigating a digitized but siloed information system is costly, impedes clinician workflow, and complicates patient safety goals.

To this end, Microsoft Teams enables the integration of electronic health record information and other health data, allowing care teams to communicate and collaborate about patient care in real-time. Leading interoperability partners continue to build the ability to integrate electronic health records into Teams through a FHIR interface. With Teams, clinical workers can securely access patient information, chat with other team members, and even have modern meeting experiences, all without having to switch between apps.

Incomplete data and documentation are among the biggest sources of provider and patient dissatisfaction. Clinicians value the ability to communicate with each other securely and swiftly to deliver the best informed care at point of care.

Teams now offers new secure messaging capabilities, including priority notifications and message delegation, as well as a smart camera with image annotation and secure sharing, so images stay in Teams and aren’t stored to the clinician’s device image gallery.

What about cybersecurity and patient data? As legacy infrastructure gives way to more seamless data flow, it’s important to protect against a favorite tactic of cyber criminals—phishing.

Phishing emails—weaponized emails that appear to come from a reputable source or person—are increasingly difficult to detect. As regulatory pressure mounts within healthcare organizations to not “block” access to data, the risk of falling for such phishing attacks is expected to increase. To help mitigate this trend, Office 365 Advanced Threat Protection (ATP) has a cloud-based email filtering service with sophisticated anti-phishing capabilities.

For example, Office 365 ATP provides real-time detonation capabilities to find and block unknown threats, including malicious links and attachments. Links in email are continuously evaluated for user safety. Similarly, any attachments in email are tested for malware and unsafe attachments are removed.

For data to flow freely, it’s important to apply the right governance and protection to sensitive data. And that is premised on appropriate data classification. Microsoft 365 helps organizations find and classify sensitive data across a variety of locations, including devices, apps, and cloud services with Microsoft Information Protection. Administrators need to know that sensitive data is accessed by authorized personnel only. Microsoft 365, through Azure Active Directory (Azure AD), enables capabilities like Multi-Factor Authentication (MFA) and conditional access policies to minimize the risk of unauthorized access to sensitive patient information.

For example, if a user or device sign-in is tagged as high-risk, Azure AD can automatically enforce conditional access policies that can limit or block access or require the user to re-authenticate via MFA. Benefitting from the integrated signals of the Microsoft Intelligent Security Graph, Microsoft 365 solutions look holistically at the user sign-in behavior over time to assess risk and investigate anomalies where needed.

When faced with the prospect of internal leaks, Supervision in Microsoft 365 can help organizations monitor employees’ communications channels to manage compliance and reduce reputational risk from policy violations. As patient data is shared, tracking its flow is essential. Audit logs and alerts in Microsoft 365 include several auditing and reporting features that customers can use to track certain activity, such as changes made to documents and other items.

Finally, as you conform with data governance regulatory obligations and audits, Microsoft 365 can assist you in responding to regulators. Advanced eDiscovery and Data Subject Requests (DSRs) capabilities offer the agility and efficiency you need when going through an audit, helping you find relevant patient data or respond to patient information requests.

Using the retention policies of Advanced Data Governance, you can retain core business records in unalterable, compliant formats. With records management capabilities, your core business records can be properly declared and stored with full audit visibility to meet regulatory obligations.

Learn more

Healthcare leaders must adapt quickly to market and regulatory expectations regarding data flows. Clinical and operations leaders depend on data flowing freely to make data-driven business and clinical decisions, to understand patterns in patient care and to constantly improve patient safety, quality of care, and cost management.

Microsoft 365 helps improve workflows through the integration power of Teams, moving the right data to the right place at the right time. Microsoft 365 also helps your security and compliance posture through advanced capabilities that help you manage and protect identity, data, and devices.

Microsoft 365 is the right cloud platform for you in this new era of patient data protection—and data sharing. Check out the Microsoft 365 for health page to learn more about how Microsoft 365 and Teams can empower your healthcare professionals in a modern workplace.

Author: Microsoft News Center