EMR Risks

Although the behavior of one EHR vendor was wrong, more serious problems are inflicted by government-run EHR certification criteria

This week eClinicalWorks resolved a lawsuit by agreeing to pay $155 million for falsely claiming it met Meaningful Use (MU) EHR certification criteria.   Although the alleged behavior of eClinicalWorks was wrong, we have much more serious problems inflicted by the government-run EHR certification criteria.  

The business of EHR vendors is to gain clients and earn profits.  Developing innovative tools that help physicians care for patients should be the primary focus of their business.  Instead, vendors are held hostage to government-run certification criteria that are constantly changing and sometimes ambiguous.  While I do not condone the apparent behavior of eClinicalWorks, I am much more concerned about the  certification processes that led to this situation.   

The certification process evolved out of the 2009 HITECH Act that promoted the use of EHR technologies by offering incentive payments to hospitals and physicians who successfully adopted and used EHRs.   This resulted in an unprecedented rush of business for EHR vendors.  While EHR vendors began ramping up resources to meet the demands of the sales cycle and EHR implementations, they were also hit with government-imposed EHR certification criteria--criteria that are still changing frequently and sometimes are ambiguous.  This exponential increase in EHR client demands along with rapidly changing certification criteria crushed EHR vendor resource availability.  This constraint on resources forced them to focus on developing and testing EHR products to meet the specific certification criteria required by the government.  In my opinion, the unintended consequence of overwhelmed EHR vendors is that they then did not have available resources to focus more on:

  1. Improving usability
  2. Identifying and managing patient safety risks inherent to EHR use
  3. Developing innovative tools and functions that actually improve how physicians care for patients 

As a result, EHRs were developed to meet MU EHR certification criteria, but failed to improve poor usability.  EHR products could meet certification criteria, yet fail to adequately address patient safety risks associated with implementation and use.  And the constraint on EHR vendor resource availability remains an impediment to the development of innovative tools and functionalities that EHR vendors really should be focusing on today.

Physicians do benefit from EHR certification by reducing risk during the EHR selection process.  That is why the Certification Commission for Health Information Technology (CCHIT) was created in 2006 as an independent, not-for-profit group.  CCHIT certification was based on a consensus of stakeholders who determined core functionalities that a basic EHR should provide.  I participated in that effort, albeit in a brief, very small way (providing some input on pediatric core criteria).  I recall we were careful to avoid requirements that could hinder EHR product innovation.  CCHIT ceased operations in 2014 after the government created the MU EHR Certification program.  

CCHIT certification was much less prescriptive than what the government imposes today.  Less prescriptive EHR certification was, in retrospect, the right approach to take.  And we did it without government involvement.  Government works at its own hindered pace, and that pace is much slower than what an unencumbered EHR market could accomplish.  I think the government needs to get out of the EHR certification business.   But whether government remains involved or not, the EHR certification process needs to learn from CCHIT and rely more heavily on building consensus of physician stakeholders.  We will do what is best for our patients.    

So, this week one vendor was called out by the government for false claims regarding EHR certification.  But that one vendor is really not the problem.  The real problem is that the development of all EHR products has been, and still is, impeded by the government's EHR certification program.  

Matt Murray, MD

Cook Children's Health Care System


Improved Physician Practice Preparedness To Recover from EMR Downtime and Other Technology Risks is Needed

It should not take 3 weeks to restore an EMR system.  

I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software--wind, fire, water, construction equipment, human error and cyber crimes to name a few.  It was the rest of his story that was so disheartening.  As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as that of "helpless resignation".   The complexities of technology had held him and his group hostage for three weeks.   At the time of our initial discussion he was still in the "grieving" stage, so I felt it to be too early to engage in a healthy discussion about IT risk management.   He needed to vent.   I needed to listen.  

And this story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs.   I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices that lack internal IT expertise.  Perhaps the recent rise in ransomware attacks will actually be beneficial.  A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.

Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained.   HIPAA stuff.   And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously.  But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored).  Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice.  It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office.  At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed.  This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.    

There are ways to reduce the threat of ransomware attacks and other health IT risks.  A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals.  Steps can then be taken to reduce the chances of being victimized.  Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.  

But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves.  Another obstacle is that security risk analyses tools are designed primarily for large healthcare systems and do not translate well onto a small physician practice.  That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to hone down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt.  For now physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.

Nevertheless, no system can be 100% "downtime-proofed".  So even if a physician practice adopts best practices for security risk management, they must be prepared for a disaster to strike at any time.  After a disaster strikes, maintaining the ability to effectively care for patients must be the first priority.  I have coined the term, "clinical continuity planning", to characterize this planning.  I base the term on a similar commonly used term, "business continuity planning", which is the plan businesses develop to maintain daily operations during technology downtimes and disasters.  A physician office certainly is a business and should have a business continuity plan to maintain economic viability during disasters.  But the life-and-death nature of patient care is so unique that I believe a clinical continuity plan should be developed by each practice and be considered as the first priority in disaster planning.  Business continuity is integrated with clinical continuity and is also vital to the physician practice, but it should be considered as a lower priority.  In the real world this means that when weaknesses in security and downtime planning are identified, clinical continuity weaknesses should be addressed before business continuity weaknesses are addressed.  
 
The most effective protection against a ransomware attack and other types of "downtime" is to have a complete backup of EMR data and an ability to quickly restore the EMR system.  If the practice can do that, they may not have to pay a ransom, and the impact on patient care can be minimized if the backup and restore tools/processes are effective.

With the rise of ransomware attacks I believe the primary focus of health IT risk management for physician practices should be to ensure an acceptable degree of clinical continuity can be maintained during EMR downtimes.  Secondarily, the practice should understand the tools and processes that are in place to back up and restore the EMR in the event of a disaster, and make sure they get tested.  The first time a physician discovers that it will take 3 weeks to restore their EMR should not be after a real disaster strikes.
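A minimal restore drill of the kind this post calls for, added here as an example and not code from the author or the TMA: it backs up a constructed sample data directory, restores it to a staging area, checks every file against a hash manifest recorded at backup time, and compares the elapsed time with an assumed recovery-time objective (RTO_SECONDS is a placeholder value).

```shell
#!/bin/sh
# Restore drill for a small practice: back up a sample data directory, restore it
# to a staging area, verify every file against a hash manifest, and compare the
# elapsed restore time with a recovery-time objective (RTO).
# Added example; sample data and the RTO value are constructed, not the author's.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/emr_data"          # stands in for the live EMR data store
BACKUP="$WORK/emr_backup.tar"
STAGE="$WORK/restore_stage"   # drill target; never restore over the live system
RTO_SECONDS=300               # hypothetical objective: five minutes, not three weeks

# Constructed sample data (no real patient information).
mkdir -p "$SRC/charts" "$SRC/schedule"
printf 'patient A, visit 2017-05-01\n' > "$SRC/charts/a.txt"
printf 'patient B, visit 2017-05-02\n' > "$SRC/charts/b.txt"
printf '09:00 A\n09:30 B\n' > "$SRC/schedule/today.txt"

hash_tree() {
  # SHA-256 of every file under $1, keyed by relative path, in a stable order.
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
    done )
}

take_backup() {
  # Archive the data and record the manifest at backup time.
  ( cd "$SRC" && tar -cf "$BACKUP" . )
  hash_tree "$SRC" > "$WORK/manifest.sha256"
}

verify_restore() {
  # 0 if every file in the manifest is present and unmodified under $STAGE.
  ( cd "$STAGE" && sha256sum -c --quiet "$WORK/manifest.sha256" ) >/dev/null 2>&1
}

restore_drill() {
  # 0 when the restore verifies and finishes within the RTO; 1 otherwise.
  start=$(date +%s)
  rm -rf "$STAGE" && mkdir -p "$STAGE"
  tar -xf "$BACKUP" -C "$STAGE"
  elapsed=$(( $(date +%s) - start ))
  if ! verify_restore; then
    echo "drill FAILED: restored data does not match the backup manifest"
    return 1
  fi
  if [ "$elapsed" -gt "$RTO_SECONDS" ]; then
    echo "drill FAILED: restore took ${elapsed}s, RTO is ${RTO_SECONDS}s"
    return 1
  fi
  echo "drill OK: restore verified in ${elapsed}s (RTO ${RTO_SECONDS}s)"
}
```

Run the drill on a schedule against the real backup set; a practice that cannot restore within its objective learns that here rather than after a disaster.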
 
 
Matt Murray

Cook Children's
 

Keys to Gain Value from EHR Implementation and Use

Many physicians who use an electronic health record (EHR) are having difficulty realizing value in their investment.   A recent KLAS survey found that more than one out of every four physician practices are so dissatisfied with their EHR that they are considering replacing it.    Although many physician practices have earned a financial award by using an EHR to achieve “meaningful use”,  data is lacking on whether or not such efforts actually improve patient outcomes.  

I believe, anecdotally, that I practice higher quality medicine when using an EHR.    But I am a pediatric emergency medicine physician using a hospital EHR to document patient encounters in a children's hospital's emergency department, not a physician in private practice.  On the other hand, my past experience as a Chief Medical Information Officer (CMIO) and Chief Information Officer (CIO) for my pediatric healthcare system provided opportunities to visit many private physician offices using a variety of ambulatory EHRs and to visit with many EHR vendors.  I met many physicians who were happy with their EHRs and saw value in them.  Others I met were unhappy and saw no value in their EHR.  Perhaps my most eye-opening experience came when I visited with a group of unhappy physicians who were using the same EHR as some happy physicians I had met one week earlier.   So what gives?

The answer is simple, but the explanation is complex.  

The simple answer is that the value gained from an EHR is dependent on how effectively it is implemented and used.   When well-implemented and well-used, an EHR provides clinical and financial value.   When poorly-implemented and poorly-used, EHRs detract from patient care and are a financial drain.  

The complex explanation might best be explained using examples.  So, based on my past visits with physicians who use various EHRs and on other personal research, I have created an outline of what I think are the key factors that allow physicians to gain value from their EHR.  I am in the process of writing a series of blogs with case studies to help explain each of these factors.  Stay tuned! 

Keys to Gain Value

 


Dr. Matt Murray

Cook Children's


Health IT-related patient safety risks should inspire Congress to create a national patient safety board

The idea’s time has come. The U.S. healthcare system needs a national, independent entity empowered by Congress to oversee health IT patient safety. Now.

In today's world a health IT-related patient safety issue that is identified by a physician practice or hospital is investigated and managed in a nontransparent manner by the individual provider and the EHR vendor.  

Although the issue may be escalated to a local accountable care organization (ACO) or patient safety organization (PSO) that providers are increasingly becoming associated with, neither the issue nor the results of the investigation are reported to a statewide or national oversight entity. The patient safety data is therefore not collected, aggregated and analyzed at a state or national level. Without such oversight we are missing out on the opportunity to identify known avoidable health IT risks to patient safety and failing to disseminate knowledge on how to manage those risks. For example, if an issue is resolved at the physician practice between the physicians and EHR vendor but is not addressed at other practices that use the same EHR, then patients at those other practices remain at risk. 

I have observed EHR vendors tune in to patient safety issues more keenly in the past decade and sometimes make more visible efforts to ensure identified issues are addressed with all customers and not just the ones who report issues. And let's be clear that a majority of EHR-related patient safety risks are related to how an EHR product is being used or implemented by its clients and not due to inherent technical flaws with the vendor's product. Nevertheless, patient safety should be viewed as a shared responsibility between the physicians, their practices or organizations and the health IT vendors. Identifying and managing patient safety risks is done most effectively when all cooperate in a team effort.

In Texas there had been discussions within the Texas Medical Association about establishing a central, statewide EHR patient safety entity to monitor and manage health IT-related patient safety issues. The data would be rolled up from hospitals, physician practices and patient safety organizations across the state for aggregation and analysis. However, it became evident during those discussions that it would be feasible and much more beneficial to establish governance at a national level.

So why does this need to be a new, independent national agency charged by Congress to oversee health IT patient safety? 

Today there are many government agencies and private entities that I believe could and should contribute to patient safety surveillance and improvements, but none have the expertise, assets and time that are necessary to coordinate a national effort. In addition to the complexity involved with collecting and analyzing data from hundreds of institutions and PSOs, there are hundreds of unrelated EHR vendor products being used. There is not yet any available registry of health IT products, many of which are subdivided into multiple versions that sometimes vary widely in their available functionality. As a result, I strongly agree with the observations and recommendations described in an article by Singh, Classen and Sittig (J Patient Saf, Dec 2011; 7(4): 169-174) calling for a national patient safety board that is an independent government agency structured similarly to the National Transportation Safety Board. This entity would be charged by Congress to oversee HIT patient safety and coordinate with other agencies who can contribute to improvement in patient safety such as the Office of the National Coordinator, the Federal Drug Administration, the National Institute of Standards and Technology, the Agency for Healthcare Research and Quality, the Center for Medicare and Medicaid Services, the National Quality Forum, local patient safety organizations, local healthcare organizations who collect patient safety data, other local EHR patient safety reporting entities and industrial (EHR and HIT) trade associations. All of these entities need to function in a cooperative fashion in order to effectively identify and manage health IT-related patient safety risks.

The recent health IT report from the Food and Drug Administration Safety Innovation Act (FDASIA Health IT Report) proposes a framework to improve health IT-related safety risks including a proposed National Patient Safety Center. 

I am concerned, however, that the proposal does not appear to provide this entity with enough authority to get the job done effectively. A national patient safety entity must have the authority to not only monitor activity and provide learning opportunities for vendors and providers, but also to regulate activities, investigate events, ensure issue resolution and require compliance. I do not see enough "teeth" given to the entity proposed by the FDASIA report. 

The primary focus of a national Health IT Patient Safety Center should be on the dedicated surveillance of HIT-related safety risks and to promote learning from identified issues, potential adverse events (“close calls”) and adverse events. But it must also have the authority to effectively manage identified risks and ensure compliance with best practices for health IT patient safety.


It is time for the U.S. to begin implementing health IT smartly

From a national policy perspective, ICD-11 is not found anywhere on the U.S. dial.   Not even a preliminary roadmap to ICD-11 has been proposed.   I believe this to be a serious risk to our nation’s health IT planning efforts, and this risk has been inherent to U.S. health IT planning for decades.   The recent ICD-10 delay magnifies this strategic flaw.   It is time for CMS to take a deep breath, re-evaluate our national strategy, address the unmitigated strategic risks and determine whether any mid-course corrections are needed before deciding on the new ICD-10 implementation date.  It is time for the U.S. to begin implementing health IT smartly.  

What I see right now is the U.S. planning to achieve a short-term tactical goal of getting off antiquated ICD-9 while the rest of the world is focusing on the long-term strategic goal of developing and adopting the new-century ICD-11.   Unless we take action now, we are destined to be in the same predicament in the 2020s when we will be struggling to get off of last century’s ICD-10.   

But the stakes will be much higher in the 2020s.  

Most physicians and hospitals will be using EHRs, health information exchange will be flourishing, SNOMED-CT will be the common vocabulary used by clinicians and big data analysis will be... well, big.  We will be stuck, though, with an ICD-10 taxonomy that was developed before the Internet came into common use.   We will be clamoring for ICD-11 because it was developed in alignment with SNOMED and for other reasons I and others have previously described.  Delays will likely be encountered.  And we will probably be amnesic about how we got into such a predicament.  

To avoid this we need a U.S. roadmap to ICD-11 before deciding when to implement ICD-10.   We need to determine our long-term goals and then align our short-term tactical plans to those goals.   What if ICD-10 is delayed another year?   Would it then be time to leapfrog to ICD-11?    What if the delay is 2 years?   How about 3 years?   Or maybe to meet our long-term goals it is actually time to leapfrog now.   But without establishing long-term goals and developing a proposed roadmap to ICD-11,  we cannot really make an informed decision. 

Yes, we have to get off ICD-9, but not at any and all costs.   I want the U.S. to change health IT planning efforts from one that risks derailment from ostrich-style decisions to one that smartly develops long-term strategic goals and aligns them to tactical plans.  I want us to be a country that leads the world in the use of health IT to improve quality of care and one that smartly plans to optimize health IT use each decade.


MM