In the past, I've highlighted candidates such as "analytics", "HIE", and "gamification" for the hottest technology concepts of the year, the "Plastics" of 2012. Recently, I've seen a new strong contender - "Computer Assisted Coding"
With ICD10 looming on the horizon, companies such as m-Modal, Dolbey, 3M, and Optum are offering applications that process the structured and unstructured data associated with an inpatient hospitalization or outpatient encounter into suggested ICD9 or ICD10 codes.
Using linguists, informaticians, natural language processing experts, and proprietary algorithms, each company promises to increase the efficiency of coders, provide a audit trail of the logic used to code each case (very useful if CMS/RAC asks for justification), and more accurately code case complexity. Better documentation with accurate coding may even lead to reimbursement increases because the severity of illness of the patient and the nature of the treatment rendered is more completely described.
We're speaking with each of the major vendors of computer assisted coding products to understand their interface requirements, the nature of the clinical data they require as inputs, and their integration into workflow.
Workflow is a tricky question.
Suppose that a patient visits an emergency department after a finger injury. Accurate ICD-10 coding requires laterality (left or right), open or closed fracture, simple or compound etc. If the provider dictates a note that contains the text "fracture of the index finger at the PIP joint" there may not be enough detail to accurately code the injury. Some computer assisted coding products intervene at the documentation point instructing the clinician what is needed to minimally specify the patient's condition or procedure. Others ingest all the inputs from documentation created by caregivers and recommend possible codes. Getting the data in right to begin with generates more accurate codes, but some clinicians will be fatigued by the alerts that prompt them during the documentation process.
I've studied some of the interoperability required to connect EHRs to Computer Assisted Coding products. Some ingest print dumps or PDFs of text documents. Others require HL7 2.x messages (ORU messages for structured data, MDM messages from unstructured data). None yet accept the CCD or Consolidated CDA, although the Meaningful Use 2014 edition will require that EHRs export clinical summaries using CDA standards, not HL7 2.x
ICD-10 has spooked the industry with tales of 50% loss in coder productivity. Computer Assisted Coding may just be the silver bullet.
More to come as we pilot it.
Rabu, 11 Juli 2012
Selasa, 10 Juli 2012
The BIDMC Mobile Device Security Initiative
For several years BIDMC has had an administrative policy requiring special security safeguards for mobile computing devices that connect to the data network. Many of these devices are locally administered or personally owned. Given state and federal regulatory changes, increased use of consumer devices to access/store data, and increased visibility of privacy related incidents, we believe that policy alone is inadequate to assure mobile devices have proper security safeguards.
As part of our Summer of Compliance activities, we are taking active technology and process steps to enhance mobile device security.
Here's an excerpt of what we'll be sending to all staff:
"Below are minimum requirements for mobile devices connecting to the BIDMC network. Rather than rely on policy alone, we will be installing these configurations on devices connecting to our data network. We have already begun phasing in some of these such as passwords on devices using Exchange Activesync and will continue until all mobile devices connecting to the BIDMC network are compliant.
Password protection – The device must require a password or equivalent security feature before it can be accessed.
Timeout – The device must be set to timeout and require re-entry of the password if not used for over 15 minutes.
Anti-Malware Protection – Laptops must have an up-to-date anti-virus software application installed. The device’s operating system and third party applications such as Adobe, Microsoft Office, Java, and others must be properly patched.
Unnecessary Software and Services – Wireless interfaces and applications such as Bluetooth must be disabled when not needed. [
Encryption – The data must be encrypted. Massachusetts law requires this if the device contains information protected under the State’s data privacy regulations. HIPAA provides safe harbor if the entire storage disk is encrypted and there is a pre-boot authentication. In a communication next week, I'll outline our aggressive mobile device encryption program.
Custody – The mobile device should be kept in your possession when traveling or in an uncontrolled environment such as a hotel room. Prevent unauthorized persons from accessing sensitive content stored on the device or using it to access the BIDMC network.
Backup Protection – Protected health information or other confidential BIDMC data should ONLY be backed up using BIDMC data storage resources, e.g. your home directory. Using public Internet cloud storage services to backup BIDMC sensitive information is prohibited. "
I welcome feedback on your experience implementing such policies and technologies. It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe.
As part of our Summer of Compliance activities, we are taking active technology and process steps to enhance mobile device security.
Here's an excerpt of what we'll be sending to all staff:
"Below are minimum requirements for mobile devices connecting to the BIDMC network. Rather than rely on policy alone, we will be installing these configurations on devices connecting to our data network. We have already begun phasing in some of these such as passwords on devices using Exchange Activesync and will continue until all mobile devices connecting to the BIDMC network are compliant.
Password protection – The device must require a password or equivalent security feature before it can be accessed.
Timeout – The device must be set to timeout and require re-entry of the password if not used for over 15 minutes.
Anti-Malware Protection – Laptops must have an up-to-date anti-virus software application installed. The device’s operating system and third party applications such as Adobe, Microsoft Office, Java, and others must be properly patched.
Unnecessary Software and Services – Wireless interfaces and applications such as Bluetooth must be disabled when not needed. [
Encryption – The data must be encrypted. Massachusetts law requires this if the device contains information protected under the State’s data privacy regulations. HIPAA provides safe harbor if the entire storage disk is encrypted and there is a pre-boot authentication. In a communication next week, I'll outline our aggressive mobile device encryption program.
Custody – The mobile device should be kept in your possession when traveling or in an uncontrolled environment such as a hotel room. Prevent unauthorized persons from accessing sensitive content stored on the device or using it to access the BIDMC network.
Backup Protection – Protected health information or other confidential BIDMC data should ONLY be backed up using BIDMC data storage resources, e.g. your home directory. Using public Internet cloud storage services to backup BIDMC sensitive information is prohibited. "
I welcome feedback on your experience implementing such policies and technologies. It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe.
Senin, 09 Juli 2012
The Blue Button Goes Viral
BIDMC does all 3 but its efforts over the past year have focused on universal viewing of records for providers and patients. (Next year will be the year of statewide pushing of structured data).
On July 5, UnitedHealthcare announced that its 26 million patients (of which 20 million already access personal health records at www.myuhc.com) will have access to view/download
their health data using the Blue Button approach - a PDF or text file containing information from various sources, such as claims data, health screenings and self-entry.
From the press release
"UnitedHealthcare’s support of the Blue Button initiative first began in September 2011, and in March 2012 the Blue Button went live on one website for 500,000 people enrolled in Health Plan of Nevada benefit plans. As UnitedHealthcare rapidly expands the use of the Blue Button, more than 12 million employer-sponsored plan participants will have access by the end of the year and by mid-2013 nearly all 26 million UnitedHealthcare enrollees will be able to access their PHR with the click of the Blue Button.
The Department of Veterans Affairs launched the Blue Button in 2010 to allow simple exchange of a patient’s personal health data in a standard, consistent format. Initially designed for use by veterans, the idea has taken off in the private sector and has been supported by at least one major care provider overseas. Veteran Affairs and Health and Human Services have encouraged the health industry to adopt the Blue Button, and UnitedHealthcare is pleased to do so."
It's clear to me that PHRs are finally approaching the tipping point where patients will expect to have their data available for viewing and download. Clinicians have not universally supported that notion but Meaningful Use 2014 edition is likely to require it as part of attestation. I recently visited my own primary care physician and he provided me a full summary of the visit, including labs, within a few days of the visit, apologizing for the delay.
With United's adoption of a PHR that includes viewing/download capability, it's fair to say that the technology has now gone viral and is unstoppable. My daughter (and her generation) will not experience the silos of data that my generation grew up with. We're making progress.
Jumat, 06 Juli 2012
Cool Technology of the Week
Continuing my series of farm related cool technologies, today's post is about solving a practical agricultural problem. How do you keep water flowing in the barn during the freezing temperatures of winter?
Of course, you could use electrically powered pipe heating tape but what if the power fails on a cold winter night?
For over a hundred years, farms have solved this problem by using a freeze-less yard hydrant such as the Woodford Model W34
The idea is simple.
In Massachusetts the frost line is between 30-35 inches.
At our farm, all water pipes are buried 4 feet or greater, ensuring they never freeze.
A yard hydrant connects to water sources below frost line. When the handle is opened, a 4 foot rod moves a gasket so that water can flow up the hydrant. When the handle is closed, a siphon below the frost line is opened, draining the hydrant. Thus, there is never standing water in the hydrant that can freeze.
Our hydrant has 27 inches above ground and 48 inches below ground. We also created a dry well around the hydrant and siphon to prevent any runoff from accumulating around the pipe.
A simple technology that uses the insulating properties of the ground instead of electricity to keep water flowing in the winter. That's cool!
By the way, a weather station on our barn provides detailed data for Sherborn, Massachusetts to most popular internet weather sites and the National Oceanic and Atmospheric Administration. This winter I'll be able to track the temperatures and ensure our animals and infrastructure are protected from the cold.
Of course, you could use electrically powered pipe heating tape but what if the power fails on a cold winter night?
For over a hundred years, farms have solved this problem by using a freeze-less yard hydrant such as the Woodford Model W34
The idea is simple.
In Massachusetts the frost line is between 30-35 inches.
At our farm, all water pipes are buried 4 feet or greater, ensuring they never freeze.
A yard hydrant connects to water sources below frost line. When the handle is opened, a 4 foot rod moves a gasket so that water can flow up the hydrant. When the handle is closed, a siphon below the frost line is opened, draining the hydrant. Thus, there is never standing water in the hydrant that can freeze.
Our hydrant has 27 inches above ground and 48 inches below ground. We also created a dry well around the hydrant and siphon to prevent any runoff from accumulating around the pipe.
A simple technology that uses the insulating properties of the ground instead of electricity to keep water flowing in the winter. That's cool!
By the way, a weather station on our barn provides detailed data for Sherborn, Massachusetts to most popular internet weather sites and the National Oceanic and Atmospheric Administration. This winter I'll be able to track the temperatures and ensure our animals and infrastructure are protected from the cold.
Kamis, 05 Juli 2012
Our Cancer Journey Week 28
In many ways, the cancer journey was a metaphor for our lives during the same period.
We made the decision to use the cancer diagnosis to fundamentally change our lifestyle. The many steps of that effort are also approaching completion.
In February we bought Unity Farm and prepared our Wellesley home for sale. Just as a cancer journey requires a team, a plan, and incremental progress, selling a home is a major project. We painted, refinished cabinets, and repaired every bit of infrastructure to ensure our 1930's cape was in perfect showing condition. Escrow closes on that sale at the end of July, just as cancer treatment is wrapping up.
To prepare for the transition from one home to another, we rented a storage space and filled it with all our books and Kathy's art supplies. We'll finish the move of its contents to Unity and close the storage space at the end of month.
Kathy examined her professional life and chose to consolidate her studio and art life with the activities of the farm. We packed up her studio and leased the space to another artist.
Kathy and her business partner also decided to close their South End gallery after 3 years in a challenging art market. We'll move the remaining contents of the gallery to Unity.
We're finishing the preparation of Kathy's father's house for an August listing, so he'll be fully moved to Unity just as cancer treatment ends.
Thus, our personal journey - buying/selling property, creating a multi-generational household, closing the studio/gallery, and enhancing the farm to accommodate chickens/guinea fowl, alapca/llama, and 5 tons of hay storage is approaching completion.
When I reflect on the combined medical and personal journeys of the past 6 months, I realized that we've traversed 4 out of 5 of the major live stresses:
*Serious illness (Cancer)
*Job change (Kathy's studio/gallery, my transition from part time Harvard CIO)
*Location change (suburban to farm)
*Move of parent/sale of their home and belongings
Luckily our marriage thrived during these events, so the 5th major stressor - relationship change - was not a factor. We celebrate our 28th wedding anniversary a few days after cancer treatment ends.
Although Kathy's fatigue and numbness continues, we're fast approaching a period of personal and collective recovery from the journey thus far. By August, 2012, our major life stressors will be behind us, the animals will be in place at the farm, and we'll be able to sit on the porch on hot summer nights, reflecting on where we've been over the past 6 months and where we're going. The future is looking very bright.
Selasa, 03 Juli 2012
The Office of Civil Rights Audit Protocol
Recently, the Office of Civil Rights (OCR) published their protocol for HIPAA audits. The scope includes
Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
Security Rule requirements for administrative, physical, and technical safeguards
Breach Notification Rule requirements
For example, there are 77 performance criteria and corresponding audit procedures for the Security rule. Most validate that appropriate processes and procedures are in place.
The OCR protocol provides a useful rubric for assessing the status of an organization's compliance. It's well done.
The protocol is not intended to tell organizations how to develop these policies. Luckily, NIST provides detailed implementation guides including standard practices and best practices.
As part of my Summer of Compliance work, we're using the NIST 800 framework as a means of benchmarking our policies and technologies. Since NIST 800 is exhaustive (everything from password management to IP phone configuration), we needed a focused subset.
NIST 800-66 provides guidance for implementing the HIPAA Security Rule and includes a crosswalk (Appendix D) of the Security Rule requirements against the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The NIST SP 800 publications that discuss those security controls in greater detail are also referenced including implementation specifications within the Administrative, Physical, and Technical Safeguards sections of the Security Rule.
Compliance is a journey. The OCR audit protocol plus a subset of NIST 800 implementation guides provide a roadmap for compliance success.
Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
Security Rule requirements for administrative, physical, and technical safeguards
Breach Notification Rule requirements
For example, there are 77 performance criteria and corresponding audit procedures for the Security rule. Most validate that appropriate processes and procedures are in place.
The OCR protocol provides a useful rubric for assessing the status of an organization's compliance. It's well done.
The protocol is not intended to tell organizations how to develop these policies. Luckily, NIST provides detailed implementation guides including standard practices and best practices.
As part of my Summer of Compliance work, we're using the NIST 800 framework as a means of benchmarking our policies and technologies. Since NIST 800 is exhaustive (everything from password management to IP phone configuration), we needed a focused subset.
NIST 800-66 provides guidance for implementing the HIPAA Security Rule and includes a crosswalk (Appendix D) of the Security Rule requirements against the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The NIST SP 800 publications that discuss those security controls in greater detail are also referenced including implementation specifications within the Administrative, Physical, and Technical Safeguards sections of the Security Rule.
Compliance is a journey. The OCR audit protocol plus a subset of NIST 800 implementation guides provide a roadmap for compliance success.
Senin, 02 Juli 2012
Leadership Lessons from Dancing Guy
Last week, a few members of the HIT Standards and Policy Committees were speaking about the future stages of meaningful use and the pace which stakeholders will tolerate.
As we discussed change management strategies, someone mentioned the You Tube video of the Dancing Guy as a model for how groups react to a new idea.
The thesis in this 3 minute is that the leader is not the catalyst for adoption, it's the first follower who validates the leader's ideas and creates a safe environment for others to join.
In college and medical school interviews, I was often asked "are you a leader or a follower"? My answer at the time was "both - it depends on the situation and context".
The Dancing Guy video postulates another answer - you can be a leader by being a follower.
In my experience, this first follower phenomenon rings true.
French historian Alexis de Tocqueville concluded that Americans are a country of joiners. Once a movement starts building, we do not want to be left out.
Early adopters of EHRs were informatics types experimenting with new technology. Once the tipping point (about 20% adoption) was reached, clinicians began demanding EHRs so that they would be seen as equals in the referral community.
Health Information Exchange is still in its infancy, but I'm beginning to see a tipping point there too. Massachusetts goes live with a statewide Direct-based exchange on October 15, 2012. Partners Healthcare, Children's Hospital Boston, Beth Israel Deaconess, Atrius and others have committed to be part of the "golden spike" events, exchanging data as the network is activated. All it took was one influential follower to validate the desirability of participating and immediately other institutions wanted to become early adopters - part of the "in" crowd"
Thanks to the Dancing Guy for giving us the secret for successful HIE adoption. Be a leader by being a follower and soon the entire community will join in.
As we discussed change management strategies, someone mentioned the You Tube video of the Dancing Guy as a model for how groups react to a new idea.
The thesis in this 3 minute is that the leader is not the catalyst for adoption, it's the first follower who validates the leader's ideas and creates a safe environment for others to join.
In college and medical school interviews, I was often asked "are you a leader or a follower"? My answer at the time was "both - it depends on the situation and context".
The Dancing Guy video postulates another answer - you can be a leader by being a follower.
In my experience, this first follower phenomenon rings true.
French historian Alexis de Tocqueville concluded that Americans are a country of joiners. Once a movement starts building, we do not want to be left out.
Early adopters of EHRs were informatics types experimenting with new technology. Once the tipping point (about 20% adoption) was reached, clinicians began demanding EHRs so that they would be seen as equals in the referral community.
Health Information Exchange is still in its infancy, but I'm beginning to see a tipping point there too. Massachusetts goes live with a statewide Direct-based exchange on October 15, 2012. Partners Healthcare, Children's Hospital Boston, Beth Israel Deaconess, Atrius and others have committed to be part of the "golden spike" events, exchanging data as the network is activated. All it took was one influential follower to validate the desirability of participating and immediately other institutions wanted to become early adopters - part of the "in" crowd"
Thanks to the Dancing Guy for giving us the secret for successful HIE adoption. Be a leader by being a follower and soon the entire community will join in.
Langganan:
Komentar (Atom)