In part I of this CIO roundtable, five hospital and health system CIOs discuss the progress and difficulties in achieving interoperability, the most vexed aspects of meaningful use and the ongoing challenge of preserving information security.
Participants include:
Bobbie Byrne, MD, System Vice President and CIO of Edward Hospital (Naperville, Ill.) and Vice President and CIO of Edward-Elmhurst Healthcare (Naperville and Elmhurst, Ill.)
Susan Heichert, Senior Vice President and CIO of Allina Health (Minneapolis)
Maria Russo, Senior Vice President and CIO of Tanner Health System (Carrollton, Ga.)
Mary Anne Leach, Senior Vice President and CIO of Children's Hospital Colorado (Aurora)
Dave Garret, Senior Vice President and CIO of Novant Health (Winston-Salem, N.C.)
Interoperability
Question: What are your thoughts on the current state of interoperability in healthcare, and where do you see it going?
Dr. Bobbie Byrne: A lot of discussion on interoperability has focused on technical standards and actually getting one system to simply talk to another. On that front, I think things are going fine. In the last six months in our organization, we exchanged almost 30,000 messages through the Direct Protocol with about 85 percent going to other Epic hospitals.
However, I have two major concerns with current interoperability plans. The biggest concern is that we need to get far more sophisticated in the way that patient-specific information is shared, and it needs to be far more tailored to the specific physician. Secondly, we still do not have the financial models in place. Hospitals are paying for service where the benefits accrue to others, especially to insurance companies. Of course, this also gives better patient care, which is why we are enthusiastic participants, but this is not a good long-term model.
Susan Heichert: There has been a lot of focus on interoperability in the industry, and I think people are
looking at it from different angles because they have different needs within their organizations. Some have a lot of EHR systems within their organization and they're trying to create interoperability internally. Some organizations — like us — are working on interoperability with external organizations.
From an organizational perspective, in the future we need standards to continue to mature as incentives are put in place to continue sharing information. We must share information to be successful and provide the best care for the patient. The work is happening, but it won't happen overnight.
Maria Russo: I am so pleased with the progress made on interoperability in healthcare. Interoperability is opening up a new highway of information sharing and is really going mainstream. It will be imperative for healthcare to continue to embrace interoperability to keep pace with our patients' needs and demands. As meaningful use and other regulations mature, so will the need to share information across diverse platforms. Those healthcare organizations that embrace interoperability, deploy systems that take advantage of interoperability between one another and share data between organizations will be the long-term leaders of the industry. Interoperability will be the standard in the future.
Mary Anne Leach: I think we've come a long way on interoperability, but we still have quite a ways to go. I would say some EHR vendors are still playing catch-up and some HIE vendors are still maturing, but I think there are some driving forces now that will help us get over the hump — not just through meaningful use but because of the need to manage care more cost effectively. In the near term, I envision we’ll be ingesting discrete data from multiple HIE vendors, sources and organizations into our EHR, and we’ll be coordinating quality care more cost-effectively across our region.
Dave Garrett: There remains a considerable amount of variation and complexity in approaches to interoperability for health systems. Not only do we have a federal level health information exchange, there are state designated HIEs as well as numerous regional and local HIEs — including EMR companies and some health systems with their own private HIE.
Meaningful use requirements dictate we must share data with not only the vendor a health system uses but also a different vendor. ACOs place demand on the need to ingest data from other health systems and physician practices. In addition, the regulatory challenge is always there — legislation that leads to unintended challenges for a provider.
Several state-designated and local HIEs have failed over the last few years, and I suspect more will fail as they find it difficult to sustain a viable financial model. I anticipate more legislative action at the federal and state level forcing aspects of interoperability.
Information security
Q: What measures is your organization taking or planning to take to tighten security and prevent data breaches?
Dr. B.: In short, we are doing every reasonable idea we can think of to prevent a breach with a nice cross-functional team working together. It starts with staff education because that is always the biggest vulnerability. We have encrypted everything we can — not only laptops but also PCs and backup tapes, and the like. We have outside assessments (and surprise tests) of our vulnerability. We also have breach insurance in place. It has to be a big fear of every CIO.
S.H.: We continuously assess where our biggest risks are and we take steps to mitigate those risks. This process is ongoing. We put something in place, and then we have to come up with something new to defend against new threats. It's the same for all businesses.
We educate our employees to safeguard information, and we take steps when we see inappropriate access. We use external experts to test our defenses and recommend additional efforts. Security is strategically extremely important to our mission.
M.R.: There is a now famous line that states, "It is not if you will be breached, but when." Unfortunately, this statement represents the current cyber state we all find ourselves having to deal with today. With the ever increasing value placed on medical and patient health information and the increasingly savvy cybercriminal, Tanner's IT security team has upgraded to the next generation firewalls, put mobile device management in place and augmented antivirus software with software to detect types of traffic entering our environment. Our IT security team is constantly looking at tools to see how we can continually tighten security and thwart cyber criminals.
M.A.L.: We take security very seriously, and in children's health this matter is especially concerning to us. We have a very aggressive security posture, including a director of IT security and other staff in corporate compliance that design, maintain, and audit our security functions. We also have a really great security partner (consulting firm); they help us stay abreast of evolving security technologies, standards, and threats. And finally, we ask all of the vendors we work with to comply with the NIST 800-53a security standards.
CIOs across the industry take security very seriously. It's not just the privacy aspect, but the integrity of the brand and the organization that must be protected. Our consumers expect this, and we are very careful and diligent.
D.G.: The size and breadth of breaches in the financial sector continue to outweigh those in healthcare, yet the potential breaches in healthcare are disturbing. Novant Health takes the security and protection of our systems very seriously. We have adopted a framework supported by several national firms and standards organizations. This framework includes the training of team members across the organization. As important as tools and technology are, people and processes are just as important.
Meaningful use
Q: What are your thoughts on the difficulties experienced by so many health systems and hospitals to attest to meaningful use requirements and the subsequent Medicare reimbursement cuts?
Dr. B.: Like many CIOs who were big champions for MU, I believe it has gone off the rails. While we have been able to meet all our Stage 1 and Stage 2 meaningful use requirements on time, we had some unintended consequences.
For example, we had one service line (not primary care) that previously gave influenza immunizations for their patients as a convenience. When they saw the requirements for increased documentation around immunizations required for the registries, they stopped giving immunizations all together and claimed the exception under MU. I understand why this was done. These patients all have alternative mechanisms for influenza vaccination through their primary care doctors, and the increased documentation was onerous. I couldn’t help but believe that it was a decrease in service to the patient. I would also add that it is a huge compliance burden to gather and maintain all of this documentation. Changing systems has all sorts of other challenges. I hope this program ends after Stage 3.
S. H.: For the organizations that began their EHR journeys as the meaningful use program began, it's been difficult for them to focus resources exclusively on meaningful use. There are key stages you go through with a big project like EHR implementation that include implementation, stabilization and optimization. If you try to go through those at the same time you're trying to reach meaningful use objectives, it's very difficult.
It was a big effort to get through Stage 1, and when Stage 2 came along, the bar was raised so significantly it was like a leap up, not a step up. When you're focused on one area and then suddenly the rules and expectations change and it is unclear what counts and what doesn't, it makes achieving MU difficult. Also, it's unfortunate that the program is pass-fail. Some systems have done really good work, but even if they achieve 90 percent of the objectives, they still don't get recognition. I think we should be using incentives to create a "No Healthcare System Left Behind" project that can help hospitals and systems across the board identify issues and objectives together and ways to overcome them to make sure everyone gets to Stage 2.
M.R.: Tanner is extremely proud to have met meaningful use Stage 2. Our business community partnered with IT to collaborate on how to accomplish this critical milestone for the organization. Given the challenges that we encountered on our road to meaningful use Stage 2 and beyond, I completely understand why so many health systems experienced and are experiencing so many challenges in their quest for attesting for meaningful use. Many factors come into play for health systems as they attempt to meet the federal regulations mandated, such as the strength of the vendors chosen, the alignment and collaboration between clinicians, physicians, and the non-clinical hospital systems teams, and the effectiveness of the processes needed to support meaningful use.
Many health systems can find meeting meaningful use to be overwhelming, especially if they are struggling financially. Time, resources and money play an intricate role in the equation for meaningful use and, increasingly, health systems are running out of all these items. Meaningful use regulations challenged health systems to look at how efficient and effective they are in the delivery of patient care in preparation for the Medicare cuts to come. The Medicare reimbursement cuts will result in closures of many facilities that are struggling to hold on if they are not prepared to be profitable on these Medicare rates.
M.A.L: I think the penalties are really unfortunate. We are lucky we are a Medicaid hospital so we won't be penalized, but we are still participants in the meaningful use program and are pushing ourselves forward. Stage 2 has set a higher bar and some organizations are really struggling. We have achieved broad adoption of EHRs across the country and we are getting more use and value out of certain capabilities, but there are areas in which we cannot control all of the moving parts, such as getting our children and families to access and use their electronic health record.
Our federal programs should rethink the penalties so organizations are given a little more leeway in achieving the criteria. The meaningful use program is well intended, and is realizing many positive benefits, but it is having negative unintended consequences. If it's too difficult or expensive, organizations will just stop doing it. They will drop out of the program or invest fewer resources, and this won't help anyone. We should be making it easier for organizations to achieve the criteria and support them in doing that.
D.G.: First, Novant Health believes meaningful use is the right thing to do for our patients. The difficulty for many providers is the sheer number of changes going on in the industry. Meaningful use is one of them. Consider the extraordinary effort to complete the ICD-10 changes, only to have its implementation delayed. In several states, Medicaid expansion has not occurred as anticipated. Additional demand on the systems brought about by the ACA coupled with lower reimbursements forces many providers to refocus their resources. It is not surprising some aspects of meaningful are not moving as fast as many would like.
EHR implementation
Q: When did your hospital or health system implement its current EHR system? How has this affected interoperability and communication among providers in your network?
Dr. B.: We implemented Epic across the enterprise, starting with Edward ambulatory in 2012 and two of our hospitals (Edward and Linden Oaks) in 2013. We merged with Elmhurst Memorial also in 2013 and converted the ambulatory physicians to Epic in 2014. We are currently working on a plan to move Elmhurst Memorial to Epic.
The benefits to a single patient record are so wide and deep that it is almost hard to list them all. It is now a part of our culture and the expectation is that we have "everything" in Epic. At the beginning of course, change is hard but we took a surround and support model. We had many people to support clinicians not only at go-live but ongoing. This team carries phones 24 hours a day, 365 days a year so they are available immediately to a physician or clinician who needs help navigating Epic.
S.H.: We implemented Epic beginning in 2004 through 2007. We have 12 hospitals and 90+ clinics and home care, and all of those groups were part of our implementation. We've acquired new hospitals and clinics since then, so implementation never really ends. We also have 10 affiliate hospitals and clinics on Epic, hosted by Allina. We have pure interoperability with the affiliates because we all use a single database. From the perspective of improving outcomes, that's what everyone is trying to get to, but is obviously not realistic for all sites.
We are using Epic tools to exchange information with other systems with different vendors. Sometimes they are more or less prepared to send or receive information, and we often have trouble with other systems not following standards, but we will continue to be more and more interoperable across systems as vendors get better at following standards.
M.R.: Tanner implemented its current acute-based EHR in 1999 and its current ambulatory EHR in 2012.
Our EHR systems have improved interoperability within each area (acute and ambulatory) and I do believe that communication among providers has been positively impacted due to having these EHRs within our environment. With more impetus on electronic records, access to patient information has increased. The physician community is thirsty for their patient data to be available both within the walls of the organization and remotely. The more that we can provide this electronic information to the physician community, the more demand there will be.
M.A.L.: We've been on our journey with Epic since 1997. We implemented the last of computer physician order entry in 2007, and our providers just expect it now. For us, it's not a matter of adoption but of optimization and interoperability.
Now we're focusing on optimizing clinical workflow, including helping providers be more efficient, safer and provide higher quality care. We've received a lot of support from our providers, and our EHR has also fostered team communication both inside and outside the system.
Now, we really need to transform the way we care for patients and leverage all of the technology we have now — mobile, social and intelligent computing. It's time to think differently about how to automate those processes and redesign care.
D.G.: Novant Health completed our Epic ambulatory EHR implementation three years ahead of schedule in July 2013. We have completed three of five waves of our Epic acute EHR installation. The fourth wave will go live March 14.
The system has improved many aspects of care for our patients, including interoperability and communication between providers and patients. Our physicians and clinicians have adapted extremely well to the changes brought with a new EHR. They were significantly engaged before, during and after our implementation process, making adaption easier.