EHR

NEW! IMPROVED! WITH MORE PAPERWORK!


A recent study reveals that for every hour doctors spend caring for patients, they spend almost two hours documenting the care they gave those patients in the EHR.

Patients complain because medical staff spend more time focused on the medical record than on medical care, staring at computers instead of engaging in direct care.

Doctor, remember when you first began your medical studies? Hours upon hours spent studying pathophysiology, pharmacology, anatomy, histology, embryology, biochemistry, and more? All the classroom work, leading to the transition to the clinical education necessary for becoming a physician? And of course, that favorite of all courses, “Paperwork for Physicians?” You don’t recall it? I cannot either. That is too bad.

Many professions require proper documentation of the work done. Medicine is not different in this respect. For years, handwritten charts documented the care and progress of patients. Some practices transcribed the hastily scrawled notes using typewriters; these notes were typically brief, and to the point. Physicians did not spend time waxing eloquent while discussing facts considered irrelevant.

Financial pressures came to bear, requiring more documentation to justify higher pay. The office visit was associated with a tiered payment scale – more complex visits were logically paid at a higher rate. How could the paymasters know a visit was worth a higher payment? There are codes designating a higher level visit, and there evolved checklists intended to guide the coordination of the billing and the supporting documentation. A certain amount of time was associated with a certain level of care, and in that time, a certain number of systems must be examined and that exam documented to justify the time and expense.

Consider the perverse implication of this system. A doctor performs some incredible feat swiftly and effectively. A life is saved; a disease cured. Yet the reward is tied not so much to the performance, but to the documentation of the feat. Many physicians actually settle, even now, for lower pay, performing some calculus based on time spent documenting care versus rendering care, choosing to care more and write less – or, have more life, but get paid less. Insurance companies will never object to this!

The endless documentation requirements are the flaw that still fuels this system. The goal was, and remains, to render excellent care. Extensive documentation has become the hallmark of better care. Voluminous charts were superficially seen as indicative of better care, but appearances can be deceiving. Some practices realized that forms and templates could ease the burden. As these gained traction, early medical record software sought to bridge the gap, simplifying and streamlining record-keeping and generating the records so desired by payors and providers alike.

Everyone associated with the medical profession dreamed of a well-organized system of recording information that could easily communicate vital data between providers, improving care. No more time wasted reviewing hastily scrawled and often illegible medical records, with no need to replicate examinations or duplicate tests.

The promise of the early medical record software was somewhat hollow. Systems had steep learning curves, often requiring more time to complete even the simplest of patient encounters. Later systems made some progress, but often the difference was purely cosmetic. Records were more attractive – they looked better, they were consistently organized, so they must be better, right? With each iteration of the systems, the most noticeable improvements were often cosmetic. This cosmetic improvement was crucial – to the lay public, records that looked better were accepted as better, just as complex surgical procedures were often judged by the external scar rather than on the quality of the internal work.

These more attractive, consistent, well-organized records were much easier for paymasters, such as insurance companies and, of course, Medicare and Medicaid, to analyze. There is no doubt that the consistency and simplicity of these records could and did simplify the communication of vital information, which is a measure of the success of any such system.

Information is double-edged. As electronic records became ever more sophisticated, more information was captured. An encounter that once was documented in a paragraph or two soon became immortalized over two or three pages. One week spent in a hospital could generate hundreds and hundreds of pages of medical records – or more. Charts are often more difficult to review due to the enormous amount of information. Vital nuggets of information are sometimes overlooked.

No change is perfect. Yet in a time when we seek to improve care, one unfortunate fact remains: Doctors spend more time documenting the care they render than they spend rendering care.

That is the sad conclusion of a recent study published in the Annals of Internal Medicine. The researchers found that for every hour spent in direct patient care, almost two hours were spent documenting care during the clinic day. That unfortunate ratio does not include after-hours time spent on the same tasks. Even more disturbing is the way time is spent in the examination room. While slightly over half the direct contact time is spent in a “face-to-face” manner, over a third is spent on the electronic health record.

Too often we hear complaints from patients who are upset because their doctor seems to be staring at the computer rather than listening to their complaints or examining them. Doctors, nurses, and other medical staff likewise dislike the time spent pushing paper, even in the electronic form. This sad state of affairs is unlikely to change in the near future, but practitioners should aspire to maximize patient contact and minimize time spent massaging the EHR.

The Enemy Within - "Homegrown" HIPAA vulnerabilities

Just yesterday I briefly discussed the electronic vulnerabilities facing hospitals and health practitioners. Much of that note focused on hackers attacking the systems and holding them for ransom. It is a major problem confronting the healthcare sector, and will continue to be for a long time to come.

Other threats linger, and this week we learned about one of the potential hazards we must guard against – the hazard that we bring to the table ourselves. In short, we can be our own worst enemies. Such is the case at the University of Mississippi Medical Center and the Oregon Health & Science University.

At the University of Mississippi Medical Center (UMMC), staff allowed a party to “borrow” a hospital laptop while in the ICU. The borrowed laptop was not returned. While that fact is curious enough, this is when it gets really interesting.

The Mississippi hospital had secured its network, but on the laptop there was patient data that was protected with only the minimum of “generic” security safeguards. Apparently, no access tracking software was in place.

One wonders if the laptop itself had location software in place.  In other words, the equivalent of the “find my phone” application we all use (I know I do) to locate phones and tablets may not have been there.  Most of these tracking applications allow a user to wipe all data from a lost device – quite handy in the event a piece of hardware is lost. 

The folks at UMMC compounded the issue when they failed to notify patients whose data was breached of the potential exposure. We must ask – if they had no access tracking software in place, how do they know whose data was purloined and whose was not?

The OCR summarized UMMC's failures in its press release, stating that UMMC failed to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

The UMMC settled with the HHS Office for Civil Rights, paying a penalty of $2.75M while not admitting any liability. UMMC is working to overhaul its security standards as well. Read the entire HHS OCR press release here. You can read the actual text of the settlement here.

Oregon Health & Science University also felt the ire of the HHS OCR, paying a similar fine for breaches involving unsecured laptops and stolen USB thumb drives.  While OHSU self-reported, the OCR lamented OHSU's failure to respond appropriately to these breaches. 

This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.
— HHS OCR Director Jocelyn Samuels, discussing the OHSU settlement

The Oregon facility paid a fine of $2.7M and entered a three-year corrective action plan. Read the HHS OCR's press release here, and you can read the settlement text here.

These two actions underscore the aggressive stance of the OCR in the face of ever more common data breaches. They also demonstrate how we are often our own worst enemies.

And CEOs, Risk Managers, Compliance Officers, and IT professionals - please take these compliance matters seriously.  

For more on how to deal with these issues, contact the Spiers Group today. 

The Unintended Consequence of Your EHR

A secret agent slips into an office under the cover of night. Evading cleaning crews and the impressive security precautions, she identifies her target.  She cleverly hides her trap, then slips out the way she came. No one is the wiser until she triggers the trap later that week.

The stuff of Hollywood? No, the world of healthcare cyber espionage. The world that destroyed Iranian centrifuges with a piece of software surreptitiously slipped onto their network. The world where a seemingly innocuous email, or clinical photograph shared between colleagues, or even an email about an upcoming Continuing Medical Education event could harbor a tiny bit of code that will burrow its way into your electronic health record.

That is right – the electronic health record you are required to have leaves you open to cyber predators.  An article in Politico makes me ask "Aren’t you glad we have modernized?"  Today hospitals and medical practices loom as ripe targets for the same measures that governments use against each other, and that hackers use for their own enrichment.  And here is the scary bit of the equation – is your security as good as that of the Defense Department? The State Department? A major defense think tank?

I am just going to hazard a guess that the answer is no.

Cyber-attacks on medical facilities are increasing in frequency, and are ever more audacious. The anonymity of the internet makes it possible for an attack to go unnoticed until the attacker wants it known. Often, records are mined for data, which can be sold on the black market. Believe it or not, health records often are sold on the dark net for more than simple Social Security numbers. This is but one means of income for these offenders.

Even more audacious, and perhaps more devastating, are those attacks that threaten medical record systems through the use of ransomware. Hackers shut down a medical record system, then the real payday comes for them. “Pay us a certain amount of untraceable bitcoins by a certain date or we will erase your medical record. ALL OF THEM.”

But you have backups. “I can just restore my backup, and the ransomware will be gone, right?” Well, that might work, but chances are you don't have a backup from last year. Or the year before. And even if you did, you are losing years of data. The folks who use ransomware are patient. They may wait months or years to trigger the code that will hold your previous records hostage. So that backup from last week? Infected. Last month? The same. Last year? Maybe.

This dark world is treacherous. There is no quick fix. And what is frustrating for so many is that we are forced by regulation into the very arena where we are most susceptible. EHRs are here to stay. And let us not forget all of the gadgets at work in our hospitals that are potentially vulnerable to an attack.

The list of medical cyber susceptibilities does not begin nor does it end with electronic medical records. Ventilators, IV medication pumps, radiology equipment, and even implantable devices are all vulnerable to a cyber-attack. Ransoming a record could be devastating, but once in control of these other devices, the nefarious could ratchet up the stakes – “pay up or we kill someone…”

So how do we address this challenge? Some hospitals have already been attacked, and some admit paying the demanded ransom. Of course, there may be little to prevent the hackers from taking a second bite at the apple, locking down the system and demanding more money. We as a community are just not sure.

It is certain that the authorities and various regulators, from the DOJ to HHS, as well as segments of the cyber security industry are working to address the issue.  In an ironic twist, some have recognized that a good old-fashioned paper copy of their records is the best insurance they have.

Small practices should not stand idly by thinking this is a problem of scale. No one is too little. Indeed, the smaller the practice, arguably the more susceptible it is to an attack.

If you have an electronic health record, even if part of a closed system, you are vulnerable. 

Here you can read the HHS fact sheet regarding Ransomware. I suggest you download this and review its contents on a regular basis. 

Contact the Spiers Group to discuss measures you can take to protect yourself – or recover from an attack.