Blog | EvriChart

EvriChart Compliance Brief
What Does The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule Mean For Medical Records Storage Vendors?

Overview
The federal government has published its long-awaited final regulations (Final Rule) implementing the “Health Information Technology for Economic and Clinical Health (HITECH) Act,” enacted as part of the “American Recovery and Reinvestment Act of 2009” (ARRA), described by the head of the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” In general, the new rules expand the obligations of health care providers to protect patients’ protected health information (PHI), extend these obligations to a host of other companies who, as “business associates,” have access to PHI, and increase the penalties for violations of any of these obligations. The following outlines the changes HIM Directors should consider as they evaluate their medical records storage vendor in anticipation of the September 23, 2013, compliance date.

Business Associates (BAs) and Business Associate Agreements (BAAs)
The Final Rule significantly modifies the definition of a business associate. Previously, BAs were limited to entities that “use or disclose” PHI in order to provide a service on behalf of a covered entity. Now the definition includes any organization that “creates, receives, maintains, or transmits” PHI for a function regulated by HIPAA. Under the expanded definition, every medical records storage company is a business associate. A storage company that has access to PHI (electronic or hardcopy) is a business associate even if it never views the information, or views it only on a random or infrequent basis, and it is now directly liable for complying with the applicable Security Rule and Privacy Rule provisions rather than liable only through the terms of its BAA.

Trigger For Breach Notification
The provision of the omnibus regulation that has generated the most discussion is the elimination of the “risk of harm” standard for breach notification. The notification requirements themselves (who is notified, how, and within what time) have not changed, but the trigger has changed substantially. The Final Rule removed the harm standard and replaced it with a risk assessment that focuses more objectively on whether the PHI has been compromised. Now an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the PHI has been compromised”, based on at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. That assessment must be documented, and if a low probability of compromise cannot be shown, notification is required. Encrypted PHI stays outside the notification requirement only when the encryption meets the HHS guidance (NIST-approved methods) and the decryption key was not compromised along with the data; a lost laptop whose key travels with it does not qualify. Failure to comply with the minimum necessary provision may also trigger the obligation to perform a risk assessment and possibly a breach notification.

Hybrid Entities
A hybrid entity is an organization that performs both covered functions and non-covered functions. For example, a document storage company that stores both medical records and corporate records can designate itself as a hybrid entity and define its covered functions, so that HIPAA does not apply to its corporate line of business. The Final Rule requires a hybrid entity that performs business associate functions to include those functions in its designated covered component. Within a hybrid entity, an improper disclosure of PHI from the covered component to the non-covered component is still a breach, possibly requiring notification.

Determination of Civil Monetary Penalties (CMPs)
Previously, CMPs were capped at $100 per violation, with the annual amount of penalties for all violations of an identical provision capped at $25,000. Now the CMP imposed is based on a case-by-case investigation according to the tiers in the table below. The terminology has also changed from “history of violations” to “previous indications of non-compliance”; the clear implication is that OCR can weigh indications of prior non-compliance even where there was no formal finding of a violation. Additionally, OCR must now open an investigation whenever a preliminary review indicates a possible violation due to willful neglect; before the Final Rule such investigations were discretionary.

CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE
Violation category (Section 1176(a)(1)) | Each violation | All such violations of an identical provision in a calendar year
(A) Did not know | $100 to $50,000 | $1,500,000
(B) Reasonable cause | $1,000 to $50,000 | $1,500,000
(C)(i) Willful neglect, corrected | $10,000 to $50,000 | $1,500,000
(C)(ii) Willful neglect, not corrected | $50,000 | $1,500,000


Timing
The Final Rule was published January 25, 2013, became effective March 26, 2013, and carries a compliance date of September 23, 2013, 180 days after the effective date.

About EvriChart
EvriChart specializes in secure, compliant medical records management. Today at our medical records centers we remain dedicated to managing only health information, and we now offer even more of the innovative medical records programs you’ve come to expect, and some that may surprise you. If you are seeking more efficient and compliant ways to manage your medical records, or to request and retrieve your existing paper records or electronic information, EvriChart may well be the solution. Contact us today for more information about our services.

“The reports of my death are greatly exaggerated.” – Mark Twain

We’ve all been told for years that paper medical records are going to be gone any day now, so get ready. In the meantime, hospitals and clinics across the country continue to produce paper records in record quantities. And until that magical day arrives, there seem to be ever fewer options for managing your paper records – the same paper on which your patients’ lives, and your revenue cycle, clearly still depend. Companies simply seem to have lost interest in this “non-glamorous” topic.

At the same time, requests for records have only increased and intensified in recent years, increasing the need for them to be available when you need them – accurately and safely. This is the core of EvriChart’s service line and why we created ACCESS.

Like Twain himself proclaimed his own death to be exaggerated, EvriChart believes that the demise of the paper medical record was exaggerated as well. Fortunately, we continued to refine our request and retrieval service and develop a few new services as well. All to help solve problems that need to be solved.

Please check back for an upcoming post analyzing the impact of the HIPAA Final Rule on medical records storage.

(Thanks to Lori King for her contribution of this article)

The intensity at which mandatory compliance with HIPAA and HITECH hit has left many HIM professionals feeling like firemen not knowing which flame to point the hose at first.

As the Journal of AHIMA recently reported of the period “…between July 8 and March 9”: “Theft, of both computers and paper records, was by far the most common type of breach.” In the past, what to do with inactive or old records was a nuisance and little more than an afterthought. Today, thinking this way is not a good option – not at all.

The issue is this: all those paper records, whether properly maintained or stored and neglected (the old out-of-sight, out-of-mind thing), are legally bound to comply with HIPAA, the HITECH Act and health care reform on a level never before conceived.

Couple HIPAA sections 164.310(a)(1) through 164.310(d)(1), the Security Rule’s physical safeguards for electronic PHI (facility access controls, workstation use and security, and device and media controls; paper records are covered instead by the Privacy Rule’s safeguards requirement at 164.530(c)), with HITECH’s breach notification requirements and you get the real possibility of endless and truly unforeseeable liability. This subject is not only perhaps the most crucial job, but the very foundation for a majority of the services we provide to hospitals, clinics, and physician practices all across the country.

The great mystery? The purging of medical records. There is no who, what, when, or where on this subject. I’m referring to the active charts that need thinning due to a desperate lack of space within the department, the paper records stored in a “cage” in the basement, or the overflowing boxes in the locked basement to which an unknown number of keys are floating around. Then there are the really ugly records: the ones in a less-than-desirable off-site storage building, or those squirreled away in places where (if we’re completely honest) they have no business being.

There are only vague references, and certainly no discussion within the industry, about “what are we supposed to do with all this paper, and what are my compliance issues with said paper?”

The total lack of any information on purging at first perplexed, then shocked, and finally left me with the realization that purging is the dirty job no one wants to do. You might find a blurb deep within the fine print of a web page or two, BUT the attitude is “…if we absolutely have to we will, but it’s gonna cost ya”. Most individuals, and even most companies I have encountered, think they know how to design and conduct a purge, but by the time they realize that they don’t, it’s too late. The mistakes build on themselves and soon become that proverbial snowball rolling down the mountain, growing out of control with every roll.

Believe me when I tell you this is more than just a significant problem; it is a huge problem… for every facility I walk into, no matter how EHR-forward or aggressive its actions may be in moving towards a paperless environment. In a perfect world, paper and hybrid records would no longer exist, or the philosophy “destroy the old and in with the new EHR” would prevail. Sadly, in my imperfect reality paper is everywhere and there is no guidance as to what to do with all of it.

My earlier words, that a purge is the foundation for everything that comes after, are a philosophy born of experience. Purging is a very exact and often complex task. The ripple effect of a professional purge, no matter what situation the records end up in, can be the difference between immediate access to a chart to save a life and producing information exonerating a hospital and physician in a malpractice suit. Both of which we’ve been able to do… solely because of the quality of the purge that was done. Each facility’s needs truly are as different as a human fingerprint. No two are even remotely the same, and therefore each requires the attention and expertise to extrapolate what a department needs in order to access stored records just as quickly and efficiently as the charts sitting on the shelf.

Bottom line? We clean up the messes nobody else wants to and build relationships with clients that enable us to return year after year. That first purge is always the hardest, but in establishing a plan and putting a system in place, every one after that is a cake walk.

We love what we do. There aren’t many jobs where the first thing you hear when you walk in is “We are so glad you are here,” even if they have never laid eyes on you before.

At a time when physicians and hospitals across the country are scrambling to purchase an EHR that will meet Stage 1 meaningful use criteria, a funny little quirk is lurking in the background. What could that be? You guessed it – a tax on the purchase of these EHRs everyone is clamoring to buy. This possibility is easily overlooked now, as the frenzy of hope, doubt and fear is pervasive, but the healthcare reform bill (remember that?) has a provision built in: a 2.3% tax on “medical devices”.

The verdict is still out on whether or not an EHR is technically a medical device, but the FDA would like for it to be. And if it turns out that EHRs fall into this category, there will be taxation; money that the government believes to be its own and which will ultimately be passed around and add to the cost for everyone. A few dollars here, a few more there, and nobody gets hurt. After all, the government brought this market to the people. Why, we should be grateful. Wrong.

This EHR movement would have happened independently of any government intrusion or stimulus money. And if it is the right time, then why are so many physicians and facilities opting out and willing to bear the penalties for non-participation? Compared with the metric tons of inherent waste within our nation’s healthcare system, stimulus money is paltry change. But let something become successful and “blammo” – tax it, it can afford it. Nausea. Now, NOW there is the distinct possibility that stimulus funds, offered as an incentive to ramp up an EHR, are themselves taxable!

At what point do we get to say “Uncle”?

Just how much do you trust someone – anyone? Seriously, do you really know fully what goes on in the hearts and minds of those you know and trust the best? Not to be cynical, but you really don’t, that is why we as humans have few close friends, one spouse (at a time) and still often trust our pets as the “one who truly loves me”. What does this have to do with HITECH privacy and security? A lot, when you consider the interim rule on breach notification known as the “harm threshold”.

The harm threshold comes from the Interim Final Rule (IFR) on breach notification that HHS issued under the HITECH Act in August 2009 (effective September 23, 2009), which in effect lets the covered entity (CE) or business associate (BA) make the final determination as to whether a potential breach is reported to HHS and to those potentially affected by it. As it currently reads, a provider, or any entity holding your PHI, must notify only if it determines that the breach poses a significant risk of financial, reputational, or other harm to the individual(s). If the answer is no, then no reporting of any kind is required. Now, regardless of where you fall in the political spectrum, this is problematic. We certainly don’t need to become deliberately more litigious in this country, nor unnecessarily scare people, but we also don’t need the potential offender making the determination that a particular lost laptop is secure enough, or the local dump is far enough out of the way. Some argue that there will be unwarranted fear spread by the lack of a harm threshold and ultimately the “boy who cried wolf” syndrome sets in. Perhaps.

Some interesting statistics on this topic do come to us from California, which operates with no harm threshold at the state level. The California Department of Public Health (CDPH) receives about 220 notifications of potential breaches each month. Since January 1, 2009, the CDPH has received 3,766 such notifications, 98.7% of which were found to be “substantiated medical breaches” by CDPH. To be sure, not all of these posed harm to patients, but how would you know if not given the opportunity to review for yourself, or having a second set of eyes for review?

Whether the harm threshold survives under HITECH to become a final rule remains to be seen. It is a tough decision with valid arguments on both sides. Perhaps a “run-in” period of reporting everything until we get some solid statistics and experience under our belts? If we can set dates to draw down troops from a foreign battlefield, we ought to be able to set one for removing the harm standard if it proves onerous.


Yes, the clock is indeed ticking for EMR adoption by healthcare providers of all sizes and shapes. Under the ARRA, stimulus money is available for those fortunate enough to have the funds, IT support, department synergy and expertise (and clairvoyance?) to purchase an EMR platform. If you are among this group, you make your purchase and begin plowing ahead, enjoying all of the wonderful things you can now do, estimating your savings, waiting for stimulus money. But what about the national goal of health information exchange? Are you interoperable? Can you send and/or receive results from, say, another EMR three states away? And, if so, are you sure you are sending exactly the right information to the right place in a compliant manner? Maybe you are. And then again, maybe we should put the brakes on a bit until we know for sure. Healthcare information isn’t analogous to banking information – not by a long shot.


At a time when the government claims to be doing all it can to lower healthcare costs, along comes a story. This is probably not of great interest beyond the walls of most providers, but it should speak to a larger audience. Here’s the skinny: RACs (Recovery Audit Contractors) are private entities contracted by CMS (Medicare) to audit Medicare payments to hospitals over the last several years. If a facility is found to have been overpaid for certain Medicare services, it must write a check to the government for the overage. If it is found to have been underpaid, then the government must pay the facility the balance of payment it should have received for the audited services. Sounds simple enough, right? Right? Well, hang on a minute, because it isn’t so simple, and the horror stories of horrendous difficulty dealing with the RACs are stacking up. Remember your last DMV phone call and read on…

I offer the following postulate: the government “reducing the cost” of anything is a laughable notion, no matter how simple the task or how justified the goal. Take the following from a facility in Indiana as an example: “We are having a terrible time with CGI’s ability to accept faxed documentation. Their fax machine is slow to receive and cannot handle the volume of incoming faxes, therefore most attempts result in ‘error’. One fax that we were able to get through took two hours to complete. Customer service has informed us that CGI is aware of the problem but there are no plans to increase fax input. I sent an e-mail in mid-March to the CMS RAC project officer and he forwarded it to CGI. A CGI representative emailed me and said she would follow up with me personally but I have heard nothing. This week I sent another e-mail to the CMS RAC project officer and CGI official, but have not received any correspondence in return. If CMS lists faxing as an allowable method to forward documentation to the RACs, then the RAC should be set up to accommodate the volume of incoming faxes.”

You think?!  It gets better.

“A second problem is the RAC’s delay in logging the receipt of records on the provider portal of their Web site. Regardless of the method we utilize to forward the documentation, we can’t tell if they received our records because they are always behind in logging the information. This results in extra phone calls to customer service to verify that the records were received. Right now our RAC is still requesting small volumes of records. If the workflow is behind now, what will happen when they are requesting up to 300 records?”

You know what will happen – resources will be sacrificed to call, email, fax or send smoke signals to verify that records have been received. And that’s just getting the records TO the RAC. Then comes the analysis and judgment and, you guessed it, the denial of the claim and request for payment. In the RAC three-year “demonstration” period, overpayments outpaced underpayments 96% to 4% respectively. Moreover, RACs are incentivized to find overpayments and even share in the spoils! Oh, my. Of course the facility can appeal the judgment, but there goes more time, effort and… expense. Who ultimately bears the load, covers the cost, picks up the tab? You and me. Ahh, sweet reform.

As with many acronyms and metaphorical references, “cloud computing” and SaaS (Software as a Service) are experiencing identity crises today. Let me state for the record, and early in this post, that the two terms are not synonymous. Renting storage or servers from a cloud provider for data hosting is infrastructure as a service, not software as a service, and a SaaS application does not have to run in a shared public cloud at all. In fact, with health information, shared-tenant cloud hosting is generally a bad idea and, absent a signed business associate agreement and safeguards you can actually verify, violates HIPAA and the new HITECH regulations now strengthening it.

Let’s say you choose to host protected health information (PHI) with a vendor operating in the cloud. Do you have a guarantee that the data is not accessible by anyone other than a party with a “right” to view the data? In most cases, the answer is “No”. Is the data vulnerable to attack due to being hosted on a shared server, side by side with other customers’ unrelated data? In many cases, the answer is “Yes”. In-house data centers, or vendors hosting only PHI under signed HIPAA privacy and security agreements, may also be vulnerable, but it isn’t hard to vet these vendors for full compliance with the established privacy and security regulations, which HITECH outlines pretty clearly. But that isn’t all that HITECH requires. Along with these standards comes a new, tiered penalty structure for privacy and security violations. In addition, all business associates are now required to have a formal breach notification plan and HIPAA policies and procedures, including employee training and the formal designation of a HIPAA Privacy Officer, among other things. Does “the cloud” reach this level of readiness, or does it even want to? The answer is, again, most likely “No”.

Lest I be criticized for raining on the cloud’s parade: it will find its way, and will most likely settle in over data not subject to such strict regulations, and that’s fine. In the meantime, in-house networks dedicated to hosting PHI will have a more vested interest in becoming HITECH compliant. Some will meet the regulations with effort and attention and others will decide to opt out of the PHI business. It will be interesting to watch. Managing health information is not for the faint of heart any longer. Let the cloud do what it does, and let those serious about security “to the letter of the law” assume your (and their) risk. That’s the smart play.

I am constantly amazed at the lengths some facilities will go to in an effort to become compliant in their handling of health information. Then I’m equally amazed at the priorities these same facilities set for choosing “what” PHI to protect and what to essentially ignore. Technology is intoxicating, and it seems that we are seduced at every turn by the newest and latest tech fix, particularly in health care.

In the meantime, HHS continues to add to, update and publish its list of breaches affecting 500 or more individuals and no technology in the world would prevent 95% of those listed.  “What would?”, you ask.  Common sense comes to mind right off the bat.  Records stolen from a dumpster?  Really?  Medical records stored in a common area under no better conditions than a farm tractor?  Really??  Unencrypted laptops simply walking away?  Granted, there is a little tech involved in encrypting a hard drive, but not so much…

Let’s get the basics right first, and I suspect that most data breaches will go away. Mitigating this liability isn’t really that hard. Vet your vendors. Get your paper in order. Convert, and then destroy, those paper-based medical records the law allows you to destroy. Stop faxing. Make your vendors prove they are HITECH compliant. Encrypt every laptop. Disable CD/DVD drives and USB ports. Set PCs and laptops to lock after a short idle time-out and require strong passwords to unlock. The path to less worry and less exposure isn’t embedded in a high-tech chip; it’s embedded in low-tech common sense.
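As an added example (not code from this post or from EvriChart), here is a PowerShell script that applies and then verifies three of the low-tech controls listed above on a Windows workstation: blocking USB mass storage and optical drives, locking the screen after a short idle period, and reporting whether the system drive is BitLocker-encrypted with protection on. The registry locations are the documented Windows service and policy keys; the ten-minute idle value is an assumed choice, the machine-wide inactivity limit applies only on Windows 8 / Server 2012 and later, and the driver start-type changes take effect after a reboot. Run it from an elevated prompt.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell
# session; reboot afterwards so the driver start-type changes take effect.
# Assumed policy value: lock the screen after 600 seconds of inactivity.
$IdleSeconds = 600

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Removable media: disable the USB mass-storage and CD-ROM class drivers
#    (Start = 4 means "disabled") and deny writes to removable disks through
#    the Removable Storage Access policy (GUID of the disk device class).
Set-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4 'DWord'
Set-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'   'Start' 4 'DWord'
$diskClass = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
Set-RegistryValue $diskClass 'Deny_Write' 1 'DWord'

# 2. Idle lock: machine-wide inactivity limit (Windows 8 / Server 2012 and
#    later) plus the password-protected screen saver policy in the current
#    user's policy hive, so the lock is enforced rather than user-selectable.
Set-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs' $IdleSeconds 'DWord'
$ssPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-RegistryValue $ssPath 'ScreenSaveActive'    '1' 'String'
Set-RegistryValue $ssPath 'ScreenSaverIsSecure' '1' 'String'
Set-RegistryValue $ssPath 'ScreenSaveTimeOut'   "$IdleSeconds" 'String'

# 3. Read the settings back and report full-disk encryption status, so the
#    "unencrypted laptop walked away" case is visible before it happens.
function Get-WorkstationHardeningReport {
    $report = [ordered]@{
        UsbStorageDisabled   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4
        CdRomDisabled        = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom').Start -eq 4
        IdleLockSeconds      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').InactivityTimeoutSecs
        SystemDriveEncrypted = $null   # stays $null where the BitLocker module is absent
    }
    # Get-BitLockerVolume exists only where the BitLocker feature/module is installed.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $report.SystemDriveEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
    }
    [pscustomobject]$report
}

$result = Get-WorkstationHardeningReport
$result | Format-List
if ($result.SystemDriveEncrypted -ne $true) {
    Write-Warning 'System drive is not fully encrypted with protection on; a lost laptop in this state would not qualify for the HIPAA encryption safe harbor.'
}
```

The verification step is the part worth keeping in a scheduled job: a setting that was applied once and silently reverted (a re-enabled driver, a screen-saver policy removed by a helpful technician) is exactly the condition that turns a lost laptop into a reportable breach.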

My day typically consists of waking up (which is always a plus) and going in to work at our medical records center.  We store, host or otherwise manage about 15 million medical records for hospitals, clinics and physicians from Oregon to Texas to Florida and New Jersey.  “Rubber meets the road” kind of management.  “What healthcare providers can do today in the e-environment” kind of management, you know?  A hospital without an EHR, much less an EMR, needing an H&P, an operative note, a discharge summary, that kind of thing.  Glamorous?  No.  Important and openly meeting the glaringly gaping holes in our slow and painful baby steps toward providing some semblance of secure, HITECH compliant HIE where it impacts patient care?  You bet.

No, EMRs are not at all where they should be.  They are more riddled with holes than the automobile holding the lifeless bodies of Bonnie and Clyde at the end of their lives.  Everyone agrees with that and pointing them out is, well, worthwhile I suppose as an academic exercise.  But we’re a long way from Kansas, Toto.  And by the way, Toto, you don’t mind if I don’t bring up stimulus treats until we get there do you?  Or at least get pointed in the right direction?

This blog will pull the focus back to the center, to the heartland if you will, of what we see and experience in our corner of the world. It may not be glamorous, but transferring critical HIE in a HITECH world, little bits at a time, at the right time, feels pretty darned good to us.


© 2013. All Rights Reserved | EvriChart | Privacy Policy | 200 Mountain Ave White Sulphur Springs, WV 24986 | (888) 801-2020