Blog | EvriChart

(Thanks to Lori King for her contribution of this article)

The intensity at which mandatory compliance with HIPAA and HITECH hit has left many HIM professionals feeling like firemen not knowing which flame to point the hose at first.

As reported recently in the Journal of AHIMA “…between July 8 and March 9. “Theft, of both computers and paper records, was by far the most common type of breach.” In the past, what to do with inactive or old records was a nuisance and little more than an afterthought. Today, thinking this way is not a good option – not at all.

 The issue is this: all those paper records whether properly maintained or stored and neglected (the old out of sight out of mind thing) are legally bound to comply with HIPAA, the HITECH Act and health care reform on a level never before conceived.

Couple HIPAA sections 164.310(a)(1) – 164.310(d)(1), which mandate the physical and environmental security of medical records, with HITECH’s breach notification requirements and you get the real possibility for endless and truly unforeseeable liability issues. This subject is not only perhaps the most crucial job, but the very foundation for a majority of the services we provide to hospitals, clinics, and physician practices all across the country.

The great mystery? The purging of medical records. There is no who, what, when, or where on this subject. I’m referring to the active charts that are in need of thinning due to a desperate lack of space within the department, the paper records stored in a “cage” in the basement, or the overflowing boxes in the locked basement to which there are an unknown number of keys floating around. Then there are the really ugly records; the ones in a less-than-desirable off-site storage building or those squirreled away in places where (if we’re completely honest) they have no business being.

Only vague references and certainly no discussion within the industry about “what are we supposed to do with all this paper and what are my compliance issues with said paper?”

 The total lack of any information on purging at first perplexed, then shocked and finally left me with the realization that in reality, purging is the dirty job no one wants to do. You might find a blurb deep within the fine print of a web page or two BUT the attitude is “…if we absolutely have to we will, but it’s gonna cost ya”. Most individuals and even most companies I have encountered, think they know how to design and conduct a purge but by the time they realize that they don’t, it’s too late. The mistakes build on themselves and soon become that proverbial snowball rolling down the mountain growing out of control with every roll.

 Believe me when I tell you this is more than just a significant problem; it is a huge problem…. for every facility I walk into, no matter how EHR forward or aggressive their actions may be in moving towards a paperless environment. In a perfect world, paper and hybrid records would no longer exist or the philosophy “destroy the old and in with the new EHR” would prevail. Sadly in my imperfect reality paper is everywhere and there is no guidance as to what to do with all of it.

 My earlier words that a purge is the foundation for everything that comes after, is a philosophy born out of experience. Purging is a very exact and often complex task. The ripple effect, no matter what situation the records end up in, of a professional purge can be the difference between immediate access to a chart to save a life to producing information exonerating a hospital and physician in a malpractice suit. Both of which we’ve been able to do…. solely because of the quality of purge that was done. Each facility’s needs truly are as different as a human fingerprint. No two are even remotely the same and therefore require the attention and expertise in extrapolating what a department needs in order to access stored records just as quickly and efficiently as the charts sitting on the shelf.

 Bottom line? We clean up the messes nobody else wants to and build relationships with clients that enable us to return year after year. That first purge is always the hardest but in establishing a plan and putting a system in place every one after that is a cake walk.

 We love what we do. There aren’t many jobs where the first thing you hear when you walk in is “We are so glad you are here” even if they have never laid eyes on you before.

At a time when physicians and hospitals across the country are scrambling to purchase an EHR that will meet Phase 1 meaningful use criteria, a funny little quirk is lurking in the background. What could that be? You guessed it – a tax on the purchase of these EHRs everyone is so clamoring to buy. This possibility is easily overlooked now as the frenzy of hope, doubt and fear are pervasive, but the healthcare reform bill (remember that?) has a provision, a tax, built in of 2.3% on “medical devices”.

The verdict is still out on whether or not an EHR is technically a medical device, but the FDA would like for it to be. And if it turns out that EHRs fall into this category, there will be taxation; money that the government believes to be its own and which will ultimately be passed around and add to the cost for everyone. A few dollars here, a few more there, and nobody gets hurt. After all, the government brought this market to the people. Why, we should be grateful. Wrong.

This EHR movement would have happened independently of any government intrusion or stimulus money. And if it is the right time, then why are so many physicians and facilities opting out and willing to bear the penalties for non-participation? With the metric tons of inherent waste within our nation’s healthcare system, stimulus money is paltry change by comparison. But let something become successful and “blammo” – tax it, it can afford it. Nausea. Now, NOW there is the distinct possibility that stimulus funds, offered as incentive to ramp up an EHR, are themselves taxable!

At what point do we get to say “Uncle”?

Just how much do you trust someone – anyone? Seriously, do you really know fully what goes on in the hearts and minds of those you know and trust the best? Not to be cynical, but you really don’t, that is why we as humans have few close friends, one spouse (at a time) and still often trust our pets as the “one who truly loves me”. What does this have to do with HITECH privacy and security? A lot, when you consider the interim rule on breach notification known as the “harm threshold”.

The harm threshold is an Interim Final Rule (IFR) that the Office for Civil Rights (OCR) placed in the HITECH Act in September, 2009 which basically says that a covered entity (CE), or business associate (BA), makes the final determination as to whether or not a potential breach is reported to HHS, and to those potentially affected by it. As it currently reads, providers or any entity holding your PHI, must determine that a breach of this information poses harm to the individual(s). If the answer is no, then no reporting of any kind is required. Now, regardless of where you fall in the political spectrum, this is problematic. We certainly don’t need to become deliberately more litigious in this country, nor unnecessarily scare people, but we also don’t need the potential offender making the determination that a particular lost laptop is secure enough, or the local dump is far enough out of the way. Some argue that there will be unwarranted fear spread by the lack of a harm threshold and ultimately the “boy who cried wolf” syndrome sets in. Perhaps.

Some interesting statistics on this topic do come to us from California, which operates with no harm threshold at the state level. The California Department of Public Health (CDPH) receives about 220 notifications of potential breaches each month. Since January 1, 2009, the CDPH has received 3,766 such notifications, 98.7% of which were found to be “substantiated medical breaches” by CDPH. To be sure, not all of these posed harm to patients, but how would you know if not given the opportunity to review for yourself, or having a second set of eyes for review?

Whether the harm threshold survives under HITECH to become a final rule remains to be seen. It is a tough decision with valid arguments on both sides. Perhaps a “run-in” period of reporting everything until we get some solid statistics and experience under our belts? If we can set dates to draw down troops from a foreign battlefield, we ought to be able to set one for removing the harm standard if it proves onerous.


Yes, the clock is indeed ticking for EMR adoption by healthcare providers of all sizes and shapes.  Under the ARRA, stimulus money is available for those fortunate enough to have the available funds, IT support and department synergy and expertise (and clairvoyance?) to purchase an EMR platform.  If you are among this group, you make your purchase and you begin plowing ahead, enjoying all of the wonderful things you can now do, estimating your savings, waiting for stimulus money.  But what about the national goal of health information exchange?  Are you interoperable?  Can you send and/or receive results from, say, another EMR three states away?  And, if so, are you sure you are sending exactly the right information to the right place in a compliant manner?  Maybe you are.  And then again, maybe we should put the brakes on a bit until we know for sure.  Healthcare information isn’t analogous to banking information – not by a long shot.


At a time when the government claims to be doing all it can to lower healthcare costs, along comes a story. This is probably not of great interest beyond the walls of most providers, but it should speak to a larger audience. Here’s the skinny: RACs (Recovery Audit Contractors) are private entities contracted by CMS (Medicare) to audit Medicare payments to hospitals over the last several years. If a facility is found to have been overpaid for certain Medicare services, it must write a check to the government for the overage. If it is found to have been underpaid, then the government must pay the facility the balance of payment it should have received for the audited services. Sounds simple enough, right? Right? Well, hang on a minute because it isn’t so simple, and the horror stories of horrendous difficulty dealing with the RACs are stacking up. Remember your last DMV phone call and read on…

I offer the following postulate: The government “reducing the cost” of anything is a laughable notion, no matter how simple the task, or how justified the goal.  Take the following from a facility in Indiana as an example: We are having a terrible time with CGI’s ability to accept faxed documentation. Their fax machine is slow to receive and cannot handle the volume of incoming faxes, therefore most attempts result in “error”. One fax that we were able to get through took two hours to complete. Customer service has informed us that CGI is aware of the problem but there are no plans to increase fax input. I sent an e-mail in mid-March to the CMS RAC project officer and he forwarded it to CGI. A CGI representative emailed me and said she would follow up with me personally but I have heard nothing. This week I sent another e-mail to the CMS RAC project officer and CGI official, but have not received any correspondence in return. If CMS lists faxing as an allowable method to forward documentation to the RACs, then the RAC should be set up to accommodate the volume of incoming faxes. 

You think?!  It gets better.

A second problem is the RAC’s delay in logging the receipt of records on the provider portal of their Web site. Regardless of the method we utilize to forward the documentation, we can’t tell if they received our records because they are always behind in logging the information. This results in extra phone calls to customer service to verify that the records were received. Right now our RAC is still requesting small volumes of records. If the workflow is behind now, what will happen when they are requesting up to 300 records? 

You know what will happen – resources will be sacrificed to call, email, fax or send smoke signals to verify that records have been received.  And that’s just getting the records TO the RAC.  Then comes the analysis and judgement and, you guessed it, the denial of the claim and request for payment.  In the RAC three year “demonstration” period, overpayments outpaced underpayments 96% to 4% respectively.  Moreover, RACs are incentivized to find overpayments and even share in the spoils!  Oh, my.  Of course the facility can appeal the judgement, but there goes more time, effort and….expense.  Who ultimately bears the load, covers the cost, picks up the tab?  You and me.  Ahh, sweet reform.

As with many acronyms and metaphorical references, “cloud computing” and SaaS (Software as a Service) are experiencing identity crises today.  Let me state for the record, and early in this post, that the two terms are not synonymous.  While utilizing the cloud for computer services such as data hosting is technically SaaS, SaaS does not necessarily exist in the cloud.  In fact, with health information, cloud computing is generally a bad idea and often violates HIPAA laws and the new HITECH regulations now strengthening HIPAA.

Let’s say you choose to host protected health information (PHI) with a vendor operating in the cloud. Do you have a guarantee that the data is not accessible by anyone other than a party with a “right” to view the data? In most cases, the answer is “No”. Is the data vulnerable to attack due to being hosted on a shared server, meaning side-by-side with other, non-related data? In many cases, the answer is “Yes”. While in-house data centers, or vendors hosting only PHI with signed HIPAA privacy and security agreements may also be vulnerable, it isn’t hard to vet these vendors for full compliance with established privacy and security regulations. HITECH outlines these pretty clearly here. But that isn’t all that HITECH requires. Along with these standards comes a new, highly energized and tiered penalty structure for privacy and security violations. In addition, all business associates are now required to have a formal Breach Notification Plan and HIPAA policies and procedures including employee training and formal designation of a HIPAA Privacy Officer, among other things. Does “the cloud” reach this level of readiness, or does it even want to reach it? The answer is, again, most likely “No”.

Lest I be criticized for raining on the cloud’s parade, it will find its way and will most likely settle in over data not subject to such strict regulations, and that’s fine.  In the meantime, in-house networks dedicated to hosting PHI will have a more vested interest in becoming HITECH compliant.  Some will meet the regulations with effort and attention and others will decide to opt out of the PHI business.  It will be interesting to watch.  Managing health information is not for the faint of heart any longer.  Let the cloud do what it does, and let those serious about security “to the letter of the law”, assume your (and their) risk.  That’s the smart play….

I am constantly amazed at the lengths some facilities will go to in an effort to become compliant with health information.  Then I’m equally amazed at the priorities established by these same facilities for choosing “what” PHI to protect and what to essentially ignore. Technology is intoxicating and it seems that we are seduced at every turn by the newest and latest tech-fix, particularly in health care. 

In the meantime, HHS continues to add to, update and publish its list of breaches affecting 500 or more individuals and no technology in the world would prevent 95% of those listed.  “What would?”, you ask.  Common sense comes to mind right off the bat.  Records stolen from a dumpster?  Really?  Medical records stored in a common area under no better conditions than a farm tractor?  Really??  Unencrypted laptops simply walking away?  Granted, there is a little tech involved in encrypting a hard drive, but not so much…

Let’s get the basics right first and I suspect that most data breaches will go away. Mitigation of this liability isn’t really that hard. Vet your vendors. Get your paper in order. Convert and destroy those paper-based medical records allowed by law. Stop faxing. Make your vendors prove they are HITECH compliant. Disable CD/DVD drives and USB ports. Re-set PCs and laptops to strong, short time-out passwords. The path to less worry and less exposure isn’t embedded in a high-tech chip, it’s embedded in low-tech common sense.

My day typically consists of waking up (which is always a plus) and going in to work at our medical records center.  We store, host or otherwise manage about 15 million medical records for hospitals, clinics and physicians from Oregon to Texas to Florida and New Jersey.  “Rubber meets the road” kind of management.  “What healthcare providers can do today in the e-environment” kind of management, you know?  A hospital without an EHR, much less an EMR, needing an H&P, an operative note, a discharge summary, that kind of thing.  Glamorous?  No.  Important and openly meeting the glaringly gaping holes in our slow and painful baby steps toward providing some semblance of secure, HITECH compliant HIE where it impacts patient care?  You bet.

No, EMRs are not at all where they should be.  They are more riddled with holes than the automobile holding the lifeless bodies of Bonnie and Clyde at the end of their lives.  Everyone agrees with that and pointing them out is, well, worthwhile I suppose as an academic exercise.  But we’re a long way from Kansas, Toto.  And by the way, Toto, you don’t mind if I don’t bring up stimulus treats until we get there do you?  Or at least get pointed in the right direction?

This blog will pull the focus back to the center, to the heartland if you will, of what we see and experience in our corner of the world.  It may not be glamorous, but transferring critical HIE in a HITECH world, little bits at a time, at the right time, feels pretty darned good to us….

Take a look at the latest security measure that EvriChart, Inc. has implemented. This is a Caterpillar Standby Emergency Generator. It is powered by a Ford V10 engine that runs on propane. We can run our entire facility off of this generator for approximately 72-80 hours. Just last week, a power line went down in town due to high winds, and we were in the dark for less than 10 seconds! Production was back up and running and, most importantly, requests never stopped being filled.

EvriChart has just purchased a new microfilm/microfiche scanner for ClientPortal. This new reader actually scans and uploads digital images directly from your film into your ClientPortal account, which eliminates the need to print and scan charts. The image enhancement feature ensures that the best possible image will be provided – all without the need for paper.

This is especially important when you consider that there are years of medical records stored in this format. Couple this with the fact that film reading and printing equipment at most facilities is aging, and in many cases nearly impossible to service, and you have a dire situation.

This scanner enables EvriChart to bridge the gap between the 20th and 21st century’s technology.


© 2011. All Rights Reserved | EvriChart | Privacy Policy | 200 Mountain Ave White Sulphur Springs, WV 24986 | (888) 801-2020