Vendors lack funds for dedicated staff to build quality measures into their software, NQF vice president says.
The National Quality Forum(NQF) in December released a set of best practices for increased scientific acceptability in electronic health record (EHR) data quality. Produced by an expert panel, it identified the causes, nature, and extent of EHR data quality issues.
The final set of recommendations addresses development and adoption of healthcare performance measures that use EHR data, and a set of practices to mitigate concerns about such measures.
Recently, Sheri Winsper, RN, MSN, MHA, senior vice president, quality measurement at the National Quality Forum, spoke with HealthLeaders about the increasing practice of health systems relying upon EHR data to report quality measures.
HealthLeaders: To what degree can information already contained in EHRs automate or take the place of separately reported quality measures required by the federal government today?
Sheri Winsper: Commonly used structured data are readily available in most electronic health record (EHR) systems which enables automated extraction of data. For example, the United States Core Data for Interoperability (USCDI) is an Office of the National Coordinator for Health Information Technology (ONC) effort to standardized commonly exchanged data.
NQF has identified the ability of EHR systems to connect and exchange data as an important aspect of quality healthcare. Although much progress has been made, EHR systems generally do not yet consistently capture all data needed to enable fully automated data extraction for reporting quality measures. In November 2019, under a contract with Centers for Medicare & Medicaid Services (CMS), NQF convened a multistakeholder Technical Expert Panel (TEP) over a series of Web meetings to better understand the potential of improving quality measurement with the use of EHR data for clinical quality measures. This multistep effort was aimed at identifying challenges and a set of strategies for addressing issues hindering EHR data quality and also focused on how well EHR data can be used to support automated clinical quality measurement. Several opportunities are recommended by the TEP in our final report, including broadening the availability and access to electronic data, as well as more cross-agency interactions and potential federal initiatives around national testing collaborative and test bed efforts. TEP recommendations also address challenges during the NQF measure endorsement process and call for support to help vendors hire dedicated staff members to incorporate electronic clinical quality measures (eCQMs) and EHR-sourced measures into their products.
Sheri Winsper, RN, MSN, MHA, senior vice president, quality measurement, National Quality Forum (Photo courtesy NQF)
HL: What impact has the EHR had on the kind of healthcare performance measures in use today?
Winsper: Using EHRs as a source of data, eCQMs were designed to enable automated reporting of measures using structured data. With the use of structured data, eCQMs have the potential to provide timely and accurate information pertinent to clinical decision support and facilitate timely and regular monitoring of service utilization and health outcomes. Today, NQF has endorsed nearly 540 healthcare performance measures with only 34 of these being eCQMs. Although the number of endorsed eCQMs is relatively low, several measures in NQF’s portfolio are quality measures that rely on data stemming from an EHR, which NQF refers to as EHR-sourced measures. Measures that can be captured without undue burden by relying on data elements available in EHRs or other electronic sources have the potential to be more feasible in terms of implementation for performance measurement.
HL: What role do measures that align across multiple settings of care have in building impactful use cases to further enhance healthcare quality?
Winsper: With respect to EHRs, measures that align across multiple settings of care highlight gaps in structured data needed to measure as patients move through different settings and different stages of measured conditions. Measure alignment across multiple settings promotes continuity of care, communication between providers regarding a patient’s care, and a comprehensive patient record that includes all aspects of care.
HL: What are NQF’s plans to develop specific guidance for EHR-sourced measures?
Winsper: NQF is committed to establishing and communicating reasonable expectations to all stakeholders for EHR-sourced measures. In a new CMS-funded project, NQF will convene a multistakeholder committee to identify best practices to leverage EHR-sourced measures to improve care communication and coordination of quality measurement in an all-payer, cross-setting, fully electronic manner. Scientific acceptability is a critical and complex component of NQF’s measure evaluation criteria and the nuances of EHR-sourced measures are significant enough to warrant its own targeted guidance. Utilizing input from experts in EHR-sourced measures, NQF plans to revisit the need for guidance on how the measure evaluation criteria should be applied to EHR-sourced measures.
HL: What benefit would it bring for CMS to consider grants to fund resources at health IT vendors to understand and incorporate quality measurement into their products, in ways not provided by the meaningful use program?
Winsper: Increased funding, in general, can be a great asset in ensuring compatibility across vendors and healthcare providers. Grants could indeed provide additional incentives that would help bring the patients at the center of focus by reducing the burden of implementing EHR-sourced measures, which in turn could open the door for more providers to participate in federal programs that involve measure reporting. Ultimately, it would also increase the use of EHR- sourced measures in various care settings.
In its final report the TEP offers guidance and recommendations. Examples mentioned by the TEP include: grants that fund experts dedicated to providing support to specialty providers and vendors for implementing and incorporating EHR-sourced measures into EHR systems, or grants to fund dedicated full-time equivalents to provide support for vendors in understanding and incorporating measurement into their products in the post-acute care setting that were not supported under American Recovery and Reinvestment Act /Meaningful Use program funding.
Technology tools help unite remote workforce, while focus on telehealth and cybersecurity create new demands.
With a large percentage of its employees now working outside of their traditional workspace, and a million patient telehealth encounters during 2020, the COVID-19 pandemic presented new challenges for the Information Services Division at University of Pittsburgh Medical Center (UPMC).
The $21 billion nonprofit health system headquartered in Pittsburgh, is the largest nongovernment employer in Pennsylvania. Despite the COVID-19 pandemic, it reported positive financial results for the first nine months of 2020. It also operates UPMC Insurance Services Division, the largest medical insurer in western Pennsylvania, with 3.9 million members.
Ed McCallister is senior vice president and chief information officer of UPMC, a title he has held since 2014. He previously served for 15 years as a director and then vice president of the Insurance Services Division. At present, McCallister leads a team of more than 2,000 professionals in UPMC's Information Services Division.
As 2021 unfolds, HealthLeaders spoke with McCallister about lessons learned from 2020 and the road ahead. Following are excerpts from the interview, lightly edited for space and clarity.
HealthLeaders: What has this past year looked like from your vantage point at UPMC?
Ed McCallister: When we were instructed that folks were going to be working remote for the foreseeable future, it was a game changer. I think it changed the workforce forever. Because we [had] moved from 20 hospitals six years ago, to 40 hospitals, our footprint geographically had grown outside of the western Pennsylvania area. There was a need to have tools that could connect us with our teams that weren't necessarily right here in the Pittsburgh region. About two years prior to the pandemic, we were moving to Microsoft 365. It was extremely fortunate for us.
We were well positioned to meet the needs of sending people home. To give you an idea, we have 92,000 employees. And right now, we have enabled 78,000 to be able to work remotely. That's 85% of our workforce.
Another key stat is we have 66,000 active Teams users per month.
So it's changed big time, but I do feel fortunate that we were in a position where we were able to meet the challenge.
Ed McCallister, senior vice president and chief information officer, UPMC (Photo courtesy of UPMC)
HL: How has the mix you describe changed from one of people who didn't ever come to the facility, to one of people who may be spending some of their day at home?
McCallister: We had people that worked remote prior to the pandemic. It was a much smaller percentage. I had a meeting this morning and we discussed "hoteling" arrangements, [which involve shared workstations in the office]. I think this the future of what the workforce environment is going to be, [versus] having your cube or your office and you had a picture of the family and your dog on the desk. People are hesitant to move into different spaces, so we have the environment cleaned regularly, if a person is going to be onsite. We have to ensure that our workers feel safe when they're coming into the office.
Obviously, our frontline workers are here every day, tirelessly working toward taking care of our patients. I have technology folks, I have a lot of my PC support folks that are onsite, shoulder-to-shoulder with the docs around telemedicine. So it's a different group that is working together after the pandemic than prior to the pandemic. The same employees have been in very different roles and in very different work arrangements. Some those who were [formerly] in the office are now working remote. Some [who] potentially worked remote, like a PC support analyst, are now on site 24/7.
HL: Some people are more productive when they're at home and not being interrupted. I'm also sure that some people who spend all their day in Team meetings, Zoom or whatever, may feel less productive.
McCallister: We use some of the Microsoft tools as part of Office 365 and beyond to do the analytics around what does the workplace look like when somebody was working remote. Initially, I think people thought, "Well, that's kind of 'Big Brotherish.' But that's not what the tool is intended to do. The ability to track and improve the experience that we're not used to, which is a majority of the workforce at home, is extremely helpful. It tries to organize the time within your team.
HL: Early in the pandemic, one of the things we heard was, it's all hands on deck, and we're going to set innovation aside until the pandemic is over. Lately, I get more of a sense that people are trying to find innovations that will address some of the new challenges that we've had in the last year.
McCallister: The pandemic has accelerated innovation in a different way. A good example is telemedicine. In 2020, we did over 1 million ambulatory televisits, and we're averaging about 6,500 a day today, which is down a bit from the peak, which was in April and May. Our CMIO, Rob Bart, has been leading that effort for us and done a phenomenal job of educating doctors and bringing patients along.
HL: What about telemonitoring? Has the pandemic accelerated that as well?
McCallister: I would say not as much, only because the pandemic has created a distance between folks. Our health plan has been involved in some initiatives around home monitoring and wearable devices in being able to monitor weight and blood pressure through some of our wellness programs. With the pandemic, it becomes more challenging because there has to be access to people's homes and having the right arrangements in their home. So I think that telemedicine could absolutely be a launching point.
HL: What else keeps you up at night?
McCallister: A huge focus, and it hasn't gone away, is cybersecurity. That's obvious. The bad guys don't sleep, and guess what, the bad guys don't care about this pandemic. It's real, and we deal with it every day, and we have our cybersecurity team that, again, they don't sleep, so I can't sleep. So that's probably the thing that keeps me up most—the responsibility of securing UPMC patient and employee information.
Editor's note: This story has been updated to reflect that Microsoft 365 was deployed two years prior to the pandemic.
Effect of emergency authorizations, hasty insertion of UV cleaning devices, and remote operation of devices prompt the ECRI Institute to suggest remedies.
The COVID-19 pandemic continues to impact every aspect of healthcare, and a popular annual list of health technology hazards reflects this as well.
Complexity of managing medical devices with COVID-19 emergency use authorization (EUA) are the leading medical technology hazard for 2021, according to the ECRI Institute.
Other top concerns of ECRI's latest such report include reliance on consumer-grade products for important healthcare decisions and hasty deployment of UV disinfection devices, which can reduce effectiveness and increase exposure risks.
Here is the ECRI Institute's Top 10 list of health technology hazards for 2021.
1. Complexity of managing medical devices with COVID-19 emergency use authorization.
Responding to the surge in medical equipment need when the pandemic struck, the U. S. Food and Drug Administration (FDA) temporarily authorized use of hundreds of medical devices not previously approved for use. The ECRI report warns that EUA devices "may not be as safe or effective as devices have been through FDA's normal clearance process."
Healthcare facilities must also monitor each device's status daily to verify that the EUA remains active and unchanged, and leaders must figure out what to do with the devices once the EUA ends, ECRI notes.
2. Fatal medication errors can result when drug entry fields auto-complete after just a few letters
Many medication ordering, storage, and delivery systems let clinicians enter only a few letters of a drug's name before these systems populate the drug selection field with a list of drugs from which to select. With many similar-looking drug names presented as options, risk increases that the user will mistakenly choose an incorrect drug.
"The likelihood of such errors could be significantly reduced if systems are designed or configured to require entry of, at minimum, the first five letters of a drug name before populating search fields," ECRI's report states.
3. Rapid adoption of telehealth technologies can leave patients and data at risk
Rapid expansion of telehealth programs as a result of the pandemic can create problems and challenges. Programs may struggle to provide adequate user training, coordinated patient care, or assure equitable treatment across all populations.
"The solution may involve…modifying or ceasing the use of some of these technologies," ECRI's report states. Modifications could include technology assessment, including cybersecurity risks.
4. Imported N95 masks may fail to protect workers from infectious respiratory diseases
In particular, ECRI warns about some N95 masks imported from China. ECRI testing through December 2020 determined that, of the imported masks tested, more than 60% failed to filter airborne particles as well as claimed.
5. Relying on consumer-grade products can lead to inappropriate healthcare decisions
ECRI says most products such as consumer-grade finger-pulse oximeters, blood pressure cuffs, and glucose monitors have not been through the FDA's U medical device approval process. Users should not rely on these products to make healthcare decisions, as they cannot rely upon the accuracy or reliability of these non-FDA-approved devices, ECRI warns.
Within the healthcare environment, ECRI advises avoiding the use of consumer-grade devices whenever possible. "If such a device must be used, do so only for the time that's necessary and only on the condition that the clinical team knows how to use it and understands how its performance could differ from that of medical-grade equipment."
6. Rapid deployment of UV disinfection devices can reduce effectiveness and increase exposure risks
If not used properly, UV disinfection devices might not deliver a sufficient dosage of UV rays to subdue microorganisms, leaving people at risk of exposure to these microorganisms.
"Surfaces to be disinfected should be in a direct line of sight, and should first be cleaned of soil," the ECRI report states. "In addition, users must take appropriate safety precautions to protect themselves and others from UV light exposure."
7. Vulnerabilities in third-party software components present cybersecurity challenges
Third-party software components that become part of medical devices continue to pose unique cybersecurity challenges, ECRI's report states. Among these are difficulties identifying which devices include the affected software; delays in guidance from vendors auditing their product lines and providing software patches; and challenges applying mitigation to devices in continuous patient use.
8. Artificial intelligence (AI) applications for diagnostic imaging may misrepresent certain patient populations
Risk-benefit assessments of AI technology can help. "A key part of this process will involve verifying that the data used to train the algorithm is sufficiently representative of the organization's patient population," the ECRI report states.
9. Remote operation of medical devices designed for the bedside introduces insidious risks
When medical devices, such as ventilators and infusion pumps, are operated remotely to protect clinicians lacking adequate personal protective equipment, they can introduce persistent risks, ECRI says. Among these are less frequent visual assessment of patients, adverse effects on equipment due to longer tubing sets, tripping hazards when devices are placed in hallways, and greater chance of unauthorized device access or tampering.
ECRI recommends such remote operation only during public health emergencies, only for as long as necessary, and after assessing and mitigating risks.
10. Insufficient quality assurance of 3D-printed patient-specific medical devices
3D-printed patient-specific devices need to have appropriate clinical verification of the design, quality control, and validation of the final product, ECRI's report warns. The individual physician using the device plays a key role in the design process. Healthcare facilities need a written acceptance policy, including control of approval of 3D device use, before such devices are accepted for clinical use, ECRI's report states.
8 million healthcare records were exposed, and common computer security vulnerabilities grew by 6%.
Healthcare accounted for the largest share of publicly disclosed data breaches in 2020, according to a report recently released by cyber-security firm Tenable.
To reach the conclusion in its 2020 Threat Landscape Retrospective, Tenable analyzed public breach disclosures from January to October 2020 to identify trends in breach data.
In the first 10 months of 2020, Tenable found 730 breach events resulting in over 22 billion records exposed. Tenable divided the data between 11 industry categories to determine which sectors were most affected.
Healthcare and education accounted for the largest share of data breaches analyzed (25% and 13%, respectively). By themselves, healthcare breaches alone accounted for nearly 8 million records exposed. Other frequent targets included computer systems maintained by government (12.5%) and technology (15.5%) companies.
By far, the most popular attack vendor in 2020, especially in healthcare and education, was ransomware. Some 46% of the breaches in those sectors were caused by ransomware attacks. Other leading causes of breaches in healthcare included email compromise (24.6%), insider threats (7.3%), and application misconfiguration (5.6%).
Tenable's analysis found that by the first two weeks of April 2020, 41% of organizations had experienced at least one business-impacting cyberattack resulting from COVID-19 malware or phishing schemes.
Vulnerability analysis shows that 2020 saw an 6% increase in common vulnerabilities and exposures (CVEs), growing from 17,305 in 2019 to 18,358 in 2020.
"The SolarWinds advisory in mid-December may have been the most alarming of the alerts issued in 2020 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), but it was hardly the only one," stated the Tenable report. "CISA and other government entities, including the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), issued several advisories regarding malicious activity from foreign threat actors."
The report details specific CVEs by vendor and by type of exploit. Copies of the report may be downloaded at the Tenable website.
Carequality and RSNA pilot programs with early adopters will start by midyear.
Traditional electronic medical record sharing has not included images, but that is changing, according to officials at Carequality and the Radiological Society of North America (RSNA).
The catalyst, as so often is the case lately, is COVID-19. Survivors of COVID-19 may have long-term damage to their hearts and lungs. Radiological images, whether in the form of CT scans, MRIs, or images generated by ultrasound waves, offer important clues to properly manage the health of these patients.
Previously, image-sharing between different silos of healthcare information technologies was very much a hit-and-miss proposition.
"We want radiology data treated the same way all other healthcare data is," says David S. Mendelson, MD, professor of diagnostic, molecular and interventional radiology at Mount Sinai Health System in New York, and a member of the RSNA Radiology Informatics Committee.
RSNA Image Sharing Makes Compact Disc Shuffle Unnecessary
It’s not the first time technology was utilized to make image sharing easier. But the last such effort, starting in the early 2000s, produced not a common internet-based exchange, but millions of compact discs, generated by the leading radiological imaging software of the day with patients.
"That was regarded as a great replacement for duplicating film, which was very costly, bulky, and difficult to do," Mendelson says. "CDs still remain the primary way we exchange images outside your local office. If a patient needs to take an image somewhere else, [office staff] usually give you the CD."
And yet, staff members still had to produce those CDs, and transport them from the production site to the patient. Worse, many of those CDs came with proprietary viewing software, which had to be procured and installed by or for patients.
It was an improvement over film duplication, but "human nature being what it was, many complained," Mendelson says. "People in that era in our radiology informatics committee would sit around discussing, why can’t we do what people do with videos, photos, and music on the internet?"
HITECH Act Kicked Off RSNA Image Share via the Internet
Although isolated examples of radiological image downloading could be found among imaging vendors, the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 began to answer the question more broadly.
The National Institute of Biomedical Imaging and Bioengineering, part of the National Institutes of Health (NIH), sponsored what came to be known as the RSNA Image Share. Hosted by RSNA, RSNA Image Share enabled participating radiology sites to share imaging records with patients via secure online accounts.
NIH wanted Image Share to be based on industry standards, according to Mendelsohn. For that reason, RSNA chose standards from IHE International.
Mendelsohn, who also co-chairs IHE International, says RSNA Image Share allowed patients to have full control over their images in an image-enabled personal health record. "We’ve had tens of thousands of patients enrolled over a four-to-five-year period," he says. "We’ve matured this, and validated that it worked."
Patients surveyed who used Image Share told RSNA they appreciated the service and liked it "a lot better than CDs," Mendelsohn adds.
The initial NIH funding for Image Share came to an end, but to keep the initiative going, RSNA looked around for other interested partners, which is when it found Carequality.
Carequality, founded in 2014, has moved from its initial interop startup mode as an initiative of The Sequoia Project to its current status as a distinct corporation that executive director Dave Cassel likens to what the telecom industry has done with cell phone networks.
"You just expect to make phone calls, and not have to think about who the carriers are for anybody you’re calling," Cassel says. "It’s conceptually the same idea here. You still sign up with a carrier, whether that’s your EHR vendor, a regional HIE, or some sort of interoperability service provider, but then once you’ve done that, you are able to exchange with all of the other participants of all of the other networks and services."
In May 2020, Carequality announced that it had exchanged one billion total clinical documents since the first document exchange in July 2016.
Then came the COVID-19 pandemic. The two organizations just revealed that a Carequality pilot program with early adopters of the implementation guide that has completed initial connections in testing. These connections will go live soon and could aid in treatment of pandemic victims whose EHRs, until now, have not included sophisticated medical imaging such as DICOM. Because of Carequality's involvement, these connections will span multiple vendors’ EHRs.
"Our internal goal is to have the final version of the implementation guide supplement formally adopted by the Carequality steering committee for production use," Cassel says. It should be part of the Carequality framework by the end of June, he adds.
Mendelson says the pilot will provide two forms of image exchange transactions—one based on the DICOM image standard, and the other utilizing HL7 FHIR for more Web-based health IT software.
Software vendors are starting with DICOM because they know it so well, Mendelson says.
Cassel says while EHR vendors are planning to embrace this type of exchange as well, the initial wave of implementations more typically will be image‒centric vendors such as Life Image, Inc., Philips, Nuance Communications, Inc., and Ambra Health.
As the image‒centric vendors "go live, and as there is more of a critical mass of participation by the imaging systems, it’ll make more sense as an ancillary activity for the Epics, Cerners, MEDITECHs, and others of the world to find ways to integrate with the exchange that’s occurring between the core imaging systems, in a way that makes sense for EHR users," Cassel says.
Elective surgery backlog calculator and other new tools help University of Colorado Hospital.
Time was, that optimizing capacity management of operating rooms, hospital beds, and infusion stations required combing through EHR reports or spreadsheets built in Excel or visual analytics created in Tableau. Thanks to innovative advancements, that's no longer necessary. LeanTaaS employs predictive analytics technology to simplify such optimizations. Among the 300 U.S. hospitals that use its products are Dignity Health, Penn Medicine, and UCSF Health.
Recently, LeanTaaS founder and CEO Mohan Giridharadas and one of his customers, Jamie Nordhagen, MS, RN, NEA-BC, director of capacity management at the UCHealth University of Colorado Hospital, answered some questions about the challenge of better utilizing these resources.
HealthLeaders: How has your company leveraged technologies like artificial intelligence, machine learning, and predictive analytics to support customers during the pandemic?
Mohan Giridharadas: Our solutions ingest electronic healthcare record data and apply operational constraints (e.g., operating hours, number of operating rooms, special requirements such as robotic surgery, staffing) to derive the most efficient allocation of the resource under consideration. When it became apparent that COVID-19 was going to have a dramatic impact, we worked closely with our customers to introduce new constraints caused by the pandemic into the platform. We also rapidly developed tools such as an elective surgery backlog calculator, a staff survey template, and a nursing hours calculator that we made available at no cost to any hospital or health system. We also conducted several webinars to enable some of our leading customers to share best practices on responding to the crisis with hundreds of participants from across the country.
HL: Heading into 2021, how do you expect hospitals to lean on technology even more? What are some lessons learned from COVID-19 or predictions for the year ahead, when it comes to technology?
Giridharadas: Patient throughput and capacity management remain mission-critical initiatives for hospitals and health systems. What was viewed as a “nice to have” in terms of data-driven decision support tools is now imperative for providers large and small with the agility and resilience needed to meet the challenges of each new wave. In addition, as vaccines roll out over the next two years, hospitals and health systems will need help restoring their patient volumes as quickly and efficiently as possible.
HL: At a time when ICU capacity is strained to the limit, how is this technology helping to manage supply and demand of ICU beds?
Jamie Nordhagen: The LeanTaaS tool has been instrumental in automating patient flow through our Intensive Care Units and opening space for more critical COVID patients. Historically, our bed management system required nurses to manually enter when patients were "ready to move" after physicians wrote downgrade orders for transfer to lower level of care. LeanTaaS has allowed us to leverage a "pull" versus "push" strategy for lower acuity patients in our ICUs and offloaded some of the administrative burden for our bedside nurses.
HL: With so many systems deployed in hospitals (EHRs, ERPs, etc.), what does the single source of truth look like for managing and leveraging hospital resources?
Nordhagen: It has become our single source of truth across departments and clinical disciplines. We utilize the LeanTaaS tool and their predictive modeling to drive our patient flow operations. We have established triggers to open and close our surge areas, staff emergency department boarders, and open and close COVID-dedicated units.
CARES Act funds will boost public health and HIE ability to track adverse events and long-term health outcomes.
Nearly $20 million will be awarded by the Office of the National Coordinator (ONC) for Health Information Technology to support U.S. COVID-19 vaccination efforts.
The funds will increase data sharing between health information exchanges (HIEs) and information systems tracking immunizations.
Money for this comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) signed by President Trump on March 27, 2020.
ONC's Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange, or STAR HIE, will be expanded in this effort to further share vaccination-related data.
These partnerships help public health agencies who need to track and identify high-risk patients not yet vaccinated.
Other related collaboration will benefit from funds ONC awards to the Association of State and Territorial Health Officials, as well as the Colorado Regional Health Information Organization.
ONC officials said the CARES Act funds will better equip public health agencies and clinicians to better administer immunizations to at-risk patients. The funds also enhance their ability to document adverse events, and more effectively analyze long-term outcomes as vaccination numbers rise.
The ability to correlate each patient who has been vaccinated with their clinical data before and after vaccination may provide more detailed insight into possible adverse events and longer-term health outcomes.
The United States currently has 63 immunization information systems: one in each state, eight in territories, and five in cities. These systems are partially funded by the Centers for Disease Control and Prevention's National Center for Immunization and Respiratory Disease.
About 100 HIEs organizations in the U.S. reach 92% of the U.S. population, according to estimates from the Strategic Health Information Exchange Collaborative, a national trade organization for HIEs.
Pandemic drives the need for app-driven collaboration platforms that guard against breaches.
Last March 15, the U.S. Department of Health and Human Services (HHS) waived sanctions against hospitals that did not comply with five provisions of the HIPAA Privacy Rule during the COVID-19 pandemic. Those rules governed:
The requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care
The requirement to honor a request to opt out of the facility directory
The requirement to distribute a notice of privacy practices
The patient's right to request privacy restrictions
The patient's right to request confidential communications
Tim Tindle, chief information officer and chief information security officer for the clinical communications company Spok, spoke with HealthLeaders about the changed landscape for healthcare security and privacy in 2021. The following responses have been lightly edited for space and clarity.
HealthLeaders: What will likely impact HIPAA–compliant communications in the future?
Tim Tindle: As the pandemic enters our rearview mirror sometime in 2021, we can expect HHS to return to a pre-pandemic posture relative to the five provisions waived on March 15. We’ve seen a decade’s worth of change in just a few months. The pandemic drove our healthcare systems to embrace telehealth and demanded we find new ways to communicate between clinicians, patients, and families. While generic consumer communication applications might be a temporary solution for overwhelmed healthcare workers, they create additional privacy and security risks that will likely only escalate.
Beyond the ability to communicate securely with patients and families, COVID has reinforced the urgent need for health systems to have in place an end-to-end enterprise communication strategy that extends beyond secure messaging. If we are to ever achieve real engagement by patients in their own care, our strategies must include patients and families. The right solutions must facilitate workflows, teamwork, collaboration, and security. All the coming change related to communications will have a significant impact on future HIPAA regulations. Security and privacy controls must evolve as healthcare information, communications, and cyber threats evolve.
HL: How significant will cloud technology be, post-pandemic?
Tindle: We have seen a sudden cloud surge with the rush towards remote work, and this trend will continue long after the pandemic is over. Fortunately, the elastic nature of the cloud allows us to expand and contract based on the needs of teleworkers. We will also see an increase in demand for collaboration platforms, as the pandemic continues to prove how important it is to connect care teams with the people and information they need to make faster clinical decisions. It will be vital to understand how the technology is built, the company’s security practices, and the platform’s continued value stream. The cloud allows additional modern protection with serious reduction around potential ransomware attacks.
HL: What steps should hospitals take now to prepare for the event of a data breach at their organization?
Tindle: Start by assigning a strong cross-functional response team to take responsibility for creating and carrying out a customized response to a specific breach. Next, develop, document, and maintain an incident response plan. This plan should define how to detect a breach, what information to collect and how to do so, and who to notify under what circumstances. While data breaches may seem inevitable, a negative impact on your hospital doesn’t have to be.
HL: To what degree is secure communication in healthcare a given today? How much communication still flows through nonsecure means? What initiatives are underway to reduce or eliminate such communication gaps?
Tindle: As cyber attackers continue to become more and more sophisticated, having robust secure communication is essential for every healthcare system. Surprisingly, many communication channels such as faxes, phone lines, SMS text messages, and email still operate in nonsecure means. The move towards secure communications is essential, specifically solutions that are tailored and built for healthcare. But having a secure app isn’t enough. It’s important that the secure technology is as easy to use as the nonsecure means, like text messaging, and offers much more value to the user in the form of pro-active delivery of critical information the user can manage and act on.
The Sequoia Project kicks off group made of HIEs and health systems with focus on how healthcare interoperability can benefit public health.
Lessons learned from the ongoing COVID-19 pandemic will inform a new task force formed by The Sequoia Project, a nonprofit advocate for nationwide healthcare information interoperability.
Sequoia’s new Emergency Preparedness Information Workgroup will use these lessons to recommend appropriate steps for making information more available to support disaster preparations in the future.
State-related policy and regulatory issues, programmatic challenges, data privacy, funding, resources, and communications are some of the interoperability and health IT challenges where the new workgroup will focus.
The new workgroup will also serve as a forum for states and other stakeholders to share lessons learned and best practices. Ultimately, the workgroup will also suggest recommendations to improve interoperability for disaster prep.
“States and local agencies, such as public health agencies, have had to rapidly adapt to unforeseen circumstances caused by the current pandemic,” said Debbie Condrey, chief information officer of The Sequoia Project and facilitator of the workgroup.
“With this new workgroup, we’re aiming to apply the lessons learned to improve timely access to information to support emergency preparedness for the future,” Condrey said. “We look forward to working together to find solutions to the interoperability challenges facing states during these unprecedented times.”
The initial participants include representatives from California Emergency Medical Services Authority, the California Association of Health Information Exchanges, CommonSpirit, Florida HIE Services, Florida Health, the Georgia Health Information Network, the North Carolina Department of Health and Human Services, the Texas e-Health Alliance, and the Texas Health Services Authority. Several key federal partners will also participate, The Sequoia Project said in an announcement.
Beginning this month, the group will meet monthly. The work output of the group will include:
Lessons learned from response to the COVID-19 pandemic as it relates to health IT and interoperability
Prioritized opportunities to address issues that impede public health access to information for disaster response efforts
Community of practice where public health, Medicaid, and other state entities and federal partners can discuss innovations and blockers to those innovations
More information on The Sequoia Project’s Emergency Preparedness Information Workgroup can be found on the organization's website.
Cyber-security, regulatory change, and risk management top the priorities list.
Five areas top priorities for 2021 healthcare audit and compliance, according to a new report from consulting firm KPMG.
These five priorities are cyber-security risk, regulatory change, harnessing enterprise risk management (ERM) to better anticipate risk, internal controls and finance transformation, and third-party risk.
Ransomware, SolarWinds Orion malware, and malicious targeting of COVID-19 research are behind the recent surge in cyber threats, KPMG said. New tools and techniques are emerging daily to thwart these attacks, which also target the increasing value of data in medical records.
KPMG recommends taking a holistic approach to data governance, examining the processes and protocols overseeing the integrity, protection, availability, and use of data.
Healthcare providers will need to increase their vigilance around compliance activities, due to a recent announcement by the U.S. Department of Health and Human Services of the False Claims Working Group, in conjunction with the U.S. Department of Justice and the U.S. Department of Health and Human Services, Office of the Inspector General, the KPMG report says. Price transparency reporting requirements that started January 1 have significant implications and present risk around data integrity and possible payer dislocation, the report said.
Other regulatory activities in play during 2021 include CARES Act compliance and government auditing, value-based care, Medicare Disproportionate Share Hospital adjustments, the 340B Drug Pricing Program, clinical research billing, and whatever potential changes may emerge from the Biden administration, KPMG said.
Enterprises should continue to harness ERM to better manage and anticipate risk. New tools and techniques, such as data and analytics, artificial intelligence, and sensory repositories, are required to permit stress-testing of risk assessments, scenario testing, and crisis protocols, KPMG says.
Organizations can best prepare for possible unexpected events by detecting risks as they emerge, before they fully materialize. Big data can lead to knowledge gains on emerging issues, the report said.
The shift to remote working and virtual financial reporting processes increase the risk of internal control breakdowns, so KPMG recommends leveraging robotics and cloud technology to automate manual activities.
With the major supply chain disruption caused by the pandemic, KPMG suggests clarifying roles and responsibilities to identify and assess each risk type.