While most providers agree that an Electronic Health Record will be an inevitable addition to their office environment, there is still considerable confusion over what key features to look for when choosing a product.
Much of the reason for this can be traced to the wide diversity of concerns individual providers rate as important in their unique environments. For example, a family practitioner may focus on issues related to providing quality service in an expeditious manner, while a pediatric specialist may want to focus on clinical guidelines. EHR vendors for the most part have not addressed these issues. Instead, they continue to respond to the medical provider community as a whole, which believes there is too little benefit (ROI) to justify the costs of overcoming perceived substantial implementation hurdles. Many of these issues have been widely publicized, including:
- Lack of standardization for documenting clinical episodes
- Lack of technology standards
- Considerable investment costs
- Perceived as more difficult to use than paper charts (i.e., gets in the way of providing care)
- Requires the clinician to change how care is provided (changed workflows)
- Requires learning new systems and processes
- Concerns about security (access) and privacy (disclosure)
These concerns are quite valid and should be given serious consideration. For example, just this past month a major health system in the northwest reported the theft of over 365,000 medical record charts from electronic files left unprotected in an automobile. The impact of such disclosures supports concerns that conversion to electronic charts may not be worth the potential costs.
Such reasoning ignores the potential benefits that can be gained by a well-planned EHR implementation. These include:
- Immediate access to the patient chart
- Consistency and standardization in the documentation and delivery of care
- Appropriateness of care, ensured by following clinical guidelines and decision support features
- Support for medical alerts such as drug interactions, allergies, and other potentially harmful treatments
- Reduction in errors, intelligent ordering, electronic prescribing, clearly legible notes
- Reduction in paper work
- Electronic claim, eligibility, referral processing, transcription
- Improved speed and quality of care by supporting office processes rather than interfering with them
Providers can reap secondary benefits as well, such as clinical data warehousing that can be analyzed for trends, improved care, or other commonalities. Ultimately, the electronic record can provide life-saving information for patients who are under treatment but are unable to supply information for themselves.
While support for the EHR is gaining momentum, vendors can assist by ensuring their systems include features that are deemed important by the greater majority of provider organizations. These would include:
- Office integration – The EHR should provide seamless integration with office functions such as scheduling, billing, and so on.
- Support rather than interfere with care delivery – The system should assist the provider in capturing and documenting the care episode. Features and functions should mix seamlessly with traditional processes while adding new or enhanced capabilities such as medical alerts, clinical guidelines, decision support or electronic prescribing.
- System should include capability to provide and support Prevention and Education programs, suggest care plans and support disease management programs.
- System should provide seamless integration with or incorporation of the Order Request function. System should also support the electronic acceptance and display of results. Result reporting should include visual cues for non-typical results.
- Provide a permanent Electronic Record – System should provide both immediate retrieval and long-term storage of patient information (e.g., archival capability).
- The system should incorporate and assist in the standardization of medical information, including medical terminology, coding, and transcription (e.g., ICD-9-CM, CPT, SNOMED, NDC, etc.). System should also include functions to update this information as it becomes available.
- System should support the communication of electronic data using required standards (e.g., HIPAA EDI, HL7, etc.)
- The system should meet all regulatory and legislated compliance standards (e.g., GLB, HIPAA, ADA and others)
- The system should provide a way to organize, group and report on records (e.g., by family, statistical outlier, clinical categories, date/time, etc.)
- The system should allow for future mobility and accessibility of the record (e.g., RHIOs, online healthcare, etc.)
- The system should ensure the privacy, accuracy, integrity and safety of the record by demonstrating well-formed technical architecture and security from inappropriate access.
- The system should include the ability to produce paper copies and reports from the electronic data.
Simply put, the system should provide a clear return on the investment. This is a critical element in gaining the ever-necessary support of the clinician. EHR implementation plans should clearly identify all implementation and operational costs while reasonably quantifying derived benefits.
Electronic Health Records Management
Although considerable attention has been placed on the adoption of Electronic Health Records within provider offices, very little press has been given to the management of those same health records. The American Health Information Management Association (AHIMA) defines Electronic Health Record Management as the process by which electronic or digitized health records are created, received and preserved for evidentiary purposes. The paradigm switch from the paper record to the electronic has created an entirely new environment for the capture and processing of clinical information. As such, a complete review of how, why, when and where this information is processed is in order. Controls around key or significant events need to be reviewed and possibly enhanced. For example, the simple act of ordering a blood test in the past may have consisted of the doctor checking a paper document and forwarding this to the appropriate location. Controls around this may have included safeguarding the integrity of this document and the provider’s signature. With automated order entry systems, new controls over who, when and possibly why a test was ordered must be designed and implemented. This becomes even more challenging as the order moves from one electronic system to another.
The goal of Health Information Management is to ensure the legitimate availability of clinical, administrative, demographic and financial data related to a patient as a pristine and legally binding document. This means tracking health information from inception to ultimate disposition with effective controls along the entire lifecycle. To do this, clear delineation of the roles and responsibilities of all parties that may access or impact the record must be assigned. In addition, controls backed by system security functionality must be implemented, not only to ensure appropriate access but also to provide traceability and logging of any event or action.
Are you prepared for the National Provider Identifier Standard?
Don’t look now, but we are rapidly advancing on the compliance date for the National Provider Identifier (NPI). NPI was added to the suite of HIPAA guidelines with the recording of the final rule on January 23, 2004. All healthcare entities must use the NPI in standard transactions by May 23, 2007 (small organizations have one additional year). The NPI is a ten-digit number that will be used in place of other provider IDs (such as UPIN, OSCAR or NSC). This number is assigned by the National Plan and Provider Enumeration System hosted by CMS. Providers looking to acquire their NPI can do so by contacting CMS. Use of the NPI will also require healthcare entities to evaluate and enhance their systems to house and process this number.
Lessons learned from SOX compliance
It has been a little over a year (1/2 year for companies under $75M capitalization) since the compliance deadlines of the Sarbanes-Oxley Act of 2002 forced US corporations to rethink their financial and business processes. Considered the most sweeping financial rule changes since the Securities Acts of the 1930s, SOX forces businesses to be accountable for the assessment and auditing of their internal financial controls. This information, along with external audits attesting to their validity, must then be reported to the SEC. Caught directly in the spotlight is the corporate Information Technology team, due to its direct management of the organization's data. Driving compliance with SOX were specific rules that directly hold the organization's executives responsible for the certification and accuracy of the audits. In turn, executives charged IT directors with the responsibility of evaluating and proving their processes. This included the review and, if necessary, the implementation of:
- Formal Processes to manage and audit financial records
- Traceability of access and authorization of any information updates
- Separation of Duties within both business and IT processes
- Security, confidentiality, integrity, and authentication
- Education of the organization on IT processes
What has been learned is that most organizations have been found lacking in one or more of the above areas. This has led to considerable investment in both time and money to rebuild business and IT processes to meet the standards. In fact, in a recent IBM survey of 900 senior finance executives, over half of the respondents complained that SOX efforts were bogging down organizational resources and causing missed opportunities for growth and profits. Further, many respondents report that SOX reporting efforts have done little to unlock information that can be used for business advantage. The survey also reports that much of the SOX work done so far has yet to be institutionalized and instead consisted of quick adjustments to meet compliance requirements.
Conversely, other surveys indicate that, although there is much work to be completed for the SOX adjustments to prove their benefits, most organization leaders believe that the new processes will provide a recognizable return on their investment. Through streamlined processes, reduced redundancy, and elimination of outdated or ambiguous workflows, benefits such as cost reductions and improved efficiency and flexibility will be realized.
Common Control Vulnerabilities within IT Organizations
Whether you are responsible for the management of a hospital electronic medical record application or a major sales organization's customer relationship management system, failure to provide effective controls over system and business processes can have catastrophic impacts. Poor SOX audit results, clinical impacts, compliance or decision support issues, lost opportunity, or simply inappropriate or improper disclosure are all potential outcomes of poor or nonexistent controls. Chief among these are:
- Invalid or ineffective security policies
- Inappropriate or ineffective separation of duties, roles and/or responsibilities
- Failure to provide for the logging/tracking/traceability of significant events
- Failure to provide effective auditing of significant events
- Failure to understand a system's key functions, features and integrations
- Failure to understand the impact of system changes
- Failure to maintain control of system and data changes
- Failure to maintain effective communication and education for employees on business processes and controls
To understand how your organization stands up to each of these issues, a periodic audit of controls needs to be performed, preferably by an outside organization or department that specializes in such audits.