challenges of cost and security when transitioning to electronic health records
DESCRIPTION
TRANSCRIPT
Challenges of Cost and Security When Transitioning to Electronic Health Records
Jamie Jackson
Texas Woman’s University
Management of Health Service Organization 5003-30
Pat Driscoll
April 12th 2011
Table of content:
Introduction______________________Page 3
1 | P a g e
Purpose/Problem_________________Page 5
Methodology____________________Page 7
Data Collection__________________Page 8
Findings/Resolution_____________Page 14
Conclusion___________________Page 15
References___________________Page 16
Appendix____________________Page 18
2 | P a g e
Introduction:
The Health Information Management Systems Society defines Electronic Health Records
as
“The Electronic Health Record (EHR) is a longitudinal electronic record of patient health
information generated by one or more encounters in any care delivery setting. Included in
this information are patient demographics, progress notes, problems, medications, vital
signs, past medical history, immunizations, laboratory data and radiology reports. The
EHR automates and streamlines the clinician's workflow. The EHR has the ability to
generate a complete record of a clinical patient encounter - as well as supporting of EHR
care-related activities directly or indirectly via interface - including evidence-based
decision support, quality management, and outcomes reporting.”
The use of information and communication technologies, such as electronic health record
systems has become increasingly common in all health organizations. In addition the health care
reform passed in March (2010) requires all hospitals/physicians to adopt electronic health
records and track and report patient outcomes. To aid in the adoption of electronic health record
systems the HITECH Act, part of the 2009 economic stimulus package, American Recovery and
Reinvestment Act, passed by the US Congress promises maximum incentive payments for
Medicaid to those who adopt and use “certified EHRs” according to the meaningful use
standards set by the government of $63, 750 beginning 2011. Eligible medical professionals
must begin receiving payments by 2016 to qualify. For Medicare the maximum payments are
$44,000 over 5 years. Those who do not adopt an EHR by 2015 will be penalized 1% of
3 | P a g e
Medicare payments, increasing to 3% over 3 years (currently there are not any penalties for
Medicaid) (Bill, Hethcock, 2010). As a result, most healthcare organizations are transitioning to
an electronic health record.
The 1999 Institute of Medicine report, To Err is Human has also highlighted the fact that
44,000-98,000 people die in the US because of medical error. Most of these deaths happened
because of unreadable physician handwriting that could easily be prevented by electronic health
record. This, along with other benefits the electronic health records possess such as streamlining
clinical workflow and making patient data easier to access is causing federal and state
governments, insurance companies, and other large medical institution to heavily adoption of
electronic health record.
The key to delivering quality care and maximum profitability with EHR’s is by having
synergy achieved by effectively integrating Provider/Patient, Processes, and technology. If In
order to do this, a physician office or other healthcare organization needs to already have an
improved process so that the EHR implementation will have seamless interoperation. Lind Kloss,
Executive VP and CEO of the American Health Information Management Association define the
three essential capabilities of an EHR as follows: to capture data at the point of care, to integrate
data from multiple internal and external sources, and to support caregiver decision making. The
US IOM report, Key Capabilities of an EHR System identified a set of 8 core care delivery
functions that an EHR system should be capable of performing in order to promote greater
safety, quality, and efficiency in healthcare. Those 8 core capabilities are health information and
data, result management, order management, decision support, electronic communication and
connectivity, patient support, administrative processes, and reporting.
4 | P a g e
While adopting an EHR can provide many benefits such as linking healthcare providers
by electronic sharing of clinical information, improvement in patient safety/quality of care
because of better security and reduction in costs there are barriers as well. Some of these barriers
are technical (functionality of use, lack of integration), Financial (initial costs for
hardware/software, maintenance, and training), security, and incompatibility between systems
(the EHR systems and other billing/scheduling systems already in place). During the phases of
implementation—analysis, selection, procurement, installation, training, and maintenance—as
well as after, two main barriers tend to stand out: costs and security which ironically are
considered two of the benefits as well.
The following is an in-depth look at what Baylor medical city of Plano, Children Medical
Center, Medical Center of Lewisville, and Dallas dermatology clinic are doing to maintain the
security and reduced the cost in their organization.
Purpose:
Discuss the challenges of costs and security as they apply to implementing an electronic
health record in various sized healthcare organizations. The causes and effects of these
challenges along with their dual roles as benefits will be analyzed and probable solutions will be
presented.
Problem:
With the unrelenting increase of both cost and demand for electronic health record, the health
care system in the United States has been facing with many challenges. One of the most critical
factors underlying multiple challenges in the current health care arena revolves around cost and
security. The adoption of technologies such as Electronic Health Records is leading to an
increase in system complexity and is the enemy of security and compliance and therefore must
5 | P a g e
be minimized and adequately managed. To work more efficiently, electronic healthcare records
need to be readily available and stored on many devices in different locations including laptops,
removable storage, smart phones, servers and medical equipment. Unfortunately, having
information in various places creates serious information security risks and compliance gaps. In
addition a shared computer often creates an accountability issues related to security and
compliance. When a data security breach occurs on a shared system, it can be difficult to
determine who was involved.
Costs is another issue because when implementing electronic health records there are various
factors to consider—start up cost, software maintenance cost, and training cost. While it has been
pointed out that EHRs can possibly save the health system money, physicians—especially the
ones in small practices may not always benefit financially. EHR prices vary widely based on
what’s included, how robust the system is, and how many providers use it. According to an
online survey, 1/3 of organizations paid between $500 and $3,000 per physician, another third
paid between, $3,001 and $6, 000 per physician, and 33% paid more than $6,000 per physician.
In a 2006 survey lack of adequate funding was cited by 729 health care providers as the most
significant barrier to adopting electronic health records. During the American Health Information
Management Association conference in October 2006, panelists estimated that purchasing and
installing an EHR system will cost over $32,000 per physician and maintenance about $1,200.
Vendor costs account for 60-80% of these costs.
6 | P a g e
Methodology:
The preliminary study began by researching various internet resources and academic
journals to conclude the bases of our purpose, which were challenges of cost and security with
implementation of EMR. We then chose interview sources from six organizations: David
Collins, Director of Health Information Systems at Healthcare Information and Management
Society, Ashley McClellan, COO of Medical Center of Lewisville, Shirley Archambeault, IT
Administrator of Medical Center of Lewisville, Children’s Medical Center of Dallas Systems
Analyst, Bill Duke, Executive Director of Dallas Associated Dermatologist and Melissa Jones,
IT Resource Nurse at Baylor Plano. We chose to focus on the administrative and IT departments
because these two departments would be the most knowledgeable of the challenges pertaining to
cost and security. These various sources also allowed us to compare the challenges of a large
hospital, medium sized hospital, a smaller doctor’s office and a national healthcare organization.
Next, we formatted a questionnaire for the interviews that would permit us to receive the most
detailed answers. From our previous research we found examples of questionnaires, which were
7 | P a g e
formatted in closed ended questions. We felt that these types of examples were not in depth
enough to provide detailed information. The questionnaire focused on the effects on the
organizations stemming from the transition of paper health records to EMR. We then emailed the
questionnaire to those who weren’t available for a face to face interview and met those sources
who were available. When questionnaires were returned an analysis of the information was
performed, comparing each organization’s statements to conclude if the answers given were
similar or if any new data could be obtained.
Data Collection:
Data was collected through questionnaires that were sent out to hospital clinical and IT
administrators, doctors’ office business office managers, and the director from a national
healthcare organization. Healthcare journals and other resources were utilized as well.
Data:
To get a better understanding of electronic health records, David Collins, Director of Health
Information Systems at Healthcare Information and Management Systems Society was
interviewed. Upon speaking with him he states that most of the challenges are fundamental not
technical as many people believe. He says that implementing an electronic health record is more
about making healthcare more efficient versus any of the other benefits. Regarding challenges,
Collins states that financials are a main factor but incentive money from the government is
helping to make it less of a barrier. According to him, because hospitals stand to lose millions if
they don’t comply (especially in regards to Medicare patients) due to loss of incentive money
and decreases in reimbursements they are starting to see that the future benefits far outweigh the
start up costs, particularly in larger organizations. In regards to security, he feels that EHRs are
8 | P a g e
more secure than paper records you can govern access and monitor who is accessing them. He
feels that cost and security challenges can be offset with plenty of training and ensuring that you
have good leadership from the top down that embraces the goals of the organization. Speaking
with Collins enabled us to have a firm foundation of what to look for when interviewing our
other respondents.
Cost:
According to Bill Duke, Executive Director of Dallas Associated Dermatologist, while EHR’s
are much more effective and efficient the only challenge with them is that the cost is tremendous.
Cost has increased because of the new technology and the implementation but the increase in
efficiency can be seen as a tradeoff. Equipment, software, training, and duplication of efforts
(loading all previous paper information into the new software) are some of the causes of the cost
challenges when face with implementation. He also adds that vendors make cost more difficult
by charging for extras such as additional trainings, access to your data, and changing their prices
once they have begun the implementation prices.
9 | P a g e
A systems analyst at Children’s Medical Center was a little bit luckier because they are not a
small practice. Their EHR was purchased with the hospitals capital budget so individual
departments were not directly charged for the software. She stated that a lot of the cost comes
from the downtime as a result of having to pull nurses and physicians for 8 hours of offsite
training as well as using them to help plan, design, and test. One way that she saw that they are
saving money with electronic health records versus paper is that you don’t have to purchase
paper and the physical storage place to keep them because with electronic charts they are stored
on a very small server. They are also able to pull charts and reports quickly which also helps
save time and money. However while these things help save money, they do not offset the costs.
According to the health care quarterly Dallas business Journal Baylor Health Care
System will be spend more than $200 million by 2012 to put the first generation of its electronic
health records system in place. Baylor hopes to receive more than $45 million in federal stimulus
funds to offset the cost. Five hospitals in Dallas-based Baylor’s 26-hospital network are covered
by electronic health records, and installation of the system is under way at two more all of them
will be covered by the end of 2012. The system’s biggest challenge in implementing electronic
health records is connecting Baylor’s network to external organizations, such as public health
departments and the state’s immunization registry (Bill Hethock, 2010).
Speaking with Missy Jones, Informatics Research Nurse/EHR Physician Liaison at Baylor
Regional Medical Center at Plano she states that cost is the main con of EHR implementation
which is due to down time, constant need for upgrades, and the implementation itself. Baylor
Medical Center Plano also addressed implementing electronic health record is an expensive
project and there is constant need to update technology need for down time process.
10 | P a g e
Additionally buying hardware, application software, encryption software, maintaining the portal
access (and the VPN fobs that go with them), and keeping it all up to date is expensive. As they
continue to roll out with the system EHR, the IS (Information Security) support team will need to
continue to grow. Also because they utilize customized software they have a custom application
team that has to be trained to configure it. Maintaining the entire IS staff dedicated to EHR is
costly and expensive. The constraint of having enough equipment, enough people staffed,
enough support staffed, and the dread ‘what happens if it all crashes’ cost money and/or time.
She states that the benefits of an EHR are not seen on the front end but seen over time as patients
revisit and the communication channels between inpatient and outpatient channels are broadened
and optimized. After all she states “The point wasn’t to save money but to improve continuity
and communication in patient care by creating a more transparent record that makes caring for
the patient across the continuum easier and safer.”
Security:
In a March 2009 survey of 1,238 randomly selected adults, 59 percent of respondents didn't think
confidentiality of electronic medical records could be assured. A majority of respondents in the
survey thought it was important for providers to have electronic medical records, but 76 percent
thought it was likely that an unauthorized person would get access to medical records online. The
survey was from the Kaiser Family Foundation, the Harvard School of Public Health and
National Public Radio.
Bill Duke feels that security and cost in regards to implementation go hand in hand. He states
that the biggest concern about security when using EHR is cost because vendors gauge cost,
especially as it relates to security, because they know people have to have it. To help with their 11 | P a g e
security access is defined by security level and is designated by passwords and groups. They use
internal and external sources to maintain their security---internal people manage it and external
people handle it. Some of the security measures they use are passwords, groups, and log in ids—
especially since several people may use the same terminal. Duke states that most security issues
are caused by individual carelessness such as not following protocol, not shredding patient
documents, and sharing patient information in public. He feels that hopefully with the
implementation of an EHR system patient data will be more secure.
Systems analyst at Children’s Medical Center feel that the most significant impact on
reducing cost and maintaining security is that electronic records are easier to safeguard and audit
because employee names, departments, and roles can be extracted into a spreadsheet and
monitored and electronic health records require a password and tracks who has viewed what
whereas these things cannot be done with paper records. To further ensure security each clinical
department has an “EHR User Group” with the goal of ensuring appropriate and efficient use.
Main security concerns are protecting private patient information and ensuring each staff
member has appropriate access (not too much or too little). Security and access is determined by
role—i.e. all physicians have the same access, all nurses have the same access, etc. Also, staff is
held accountable for what happens under their name which makes employees have some
responsibility when it comes to security efforts. Children’s also has an information privacy and
security office that manages all security related issues. There are strict policies including and not
limited to appropriate and acceptable use, electronic communication, faxing health information,
information privacy and security, incidents and complaints, and email encryption. They also
have a strict policy requiring EHR training before a logon and password is even received. These
12 | P a g e
passwords have to be changed every 180 days, be 8 characters, and include upper and lower case
type.
Missy Jones, Baylor Regional Medical Center of Plano, states that fortunately most companies
that engage in work in the medical field are very familiar with HIPAA requirements and
regulations so making sure that vendors are HIPAA compliant security wise is a lesser worry.
One way that they have combated security is by customizing their EHR and having their own
enterprise employees being trained on configuring the system. Some security issues they
currently face are physicians not remembering their logins and having nursing staff log in for
them, having to constantly create and terminate logins for the residents that rotate through, and
user rights within the system. To combat this they emphasize the importance of learning the
system and using your on login information so that access can be tracked. Baylor Regional’s
EHR is maintained by their own security so in addition to password restrictions to the system,
there is a security team that is responsible for who has access to the EHR and what they can see
or do. There is also 28bit encryption software on every machine that is love on EHR. An
application that manages all access request called myID management is utilized as well.
Managers have to log in to this application and request staff access and these requests go to the
security team. She states that it is a yes and no answer when comparing the security of an EHR
system to paper records. With a paper chart, you have to physically be in its presence to see or
use it which is good because it limits access physically but bad because once you are within
proximity to a chart there is nothing to physically keep you out of it nor is there any way to track
who has looked at it. This is not so with electronic health records. You have to log in to view
patient information and this can all be tracked. All in all she feels that electronic health records
are a very secure medium for patient data.13 | P a g e
Michael Matthews, chief executive officer of health-information technology firm MedVirginia,
said security is on everyone's mind. "Many in the field will argue that data is actually more
secure in electronic format than paper," Matthews said. "There are audit trails left every time an
electronic health record is accessed, who accessed it, what results within the record have been
accessed. Whereas with paper records, you have no idea who has looked at it, who made copies,
what has been taken out of it."
Findings:
Through our research it was determined that there were no true monetary savings due to
the purchasing of new technology, software, hiring and ongoing training. Also, if any
savings are seen it is amongst larger institutions that already draw in enough revenue and
patients for the funding and offset of implementation of EHR systems. Furthermore,
while security is a top concern, it is far outweighed by cost no matter the size of the
practice or organization. Most security issues are due to carelessness among staff, lack of
training, and inadequate funding for security. While vendors are a necessity for
implementation, they will also take advantage of the EHR implementation requirements
by finding various methods to supplement their charges which can add unnecessary costs
to implement.
Resolution:
Some possible solutions that we devised that could possibly help organizations with cost and
security challenges of implementation are to make sure you have quality leadership that
14 | P a g e
embraces the goals of the organization as it relates to EHR, make sure you have quality training
and support during all phases of implementation, factor in all additional equipment and software
cost in addition to the EHR product, make sure your organization already has a good security
process in place as well as other departments like billing/scheduling, review and evaluate the
organization as well as several different products/vendors—utilize demos if possible, make sure
the EHR system chosen is already interoperable with the technology already being used, and
look into possible discounts or perks offered by insurers for EHR use.
Conclusion:
This project has provided an opportunity to understand the EHR technology system and
the challenges during implementation as it relates to cost and security. Understanding the
benefits of the technologies and the problems experienced by doctors who use the technologies
can help others make a better decision for their practice.
15 | P a g e
References
AHIMA – The American Health Information Management Association. (2006). “The State of HIPAA Privacy and Security Compliance,” last accessed on Nov. 2008
Aspden, P., Corrigan, J.M., Wolcott, J., and Erickson, S. M. (2003). Patient Safety: Achieving a New Standard for Care. Washington, DC: National Academies Press
Appari, A., and Johnson, M.E. (2009) “Information Security and Privacy in Healthcare: Current State of Research,” forthcoming in International Journal of Internet and Enterprise Management
Barlow, S. , Johnson, J., & Steck, J. . (2004). The economic effect of implementing an emr ioutpatient clinical setting . Journal of Healthcare Information Management , 18(1), Retrievedfromhttp://www.himssehra.org/docs/caseStudies/Allscripts_JHIM_Central%20Utah%20Clinic%2 0Case%20Study.pdf
Berkeyheiser, L. . (2010). Security and privacy challenges to ehr adoption. Advance for Health Information Professionals, Retrieved from http://health-
information.advanceweb.com/Article/Security-and-Privacy-Challenges-to-EHR-Adoption-2.aspx
Berndton, Chad. (2007). The challenge of electronic health records . CRN, Retrieved from http://www.crn.com/news/channel-programs/204200977/the-challenge-of-electronic-health-ecords.htm;jsessionid=3Lyr5ZiQfJj8gw9Dg-b1NQ**.ecappj02
Blair, Jeff. (2003). Ehr trends and challenges: mri's surveys finds workflow and record access among top it-manager concerns. Healthcare Informatics Online , Retrieved from http://www.providersedge.com/ehdocs/ehr_articles/EHR_Trends_and_Challenges.pdf
Boyd, A.D., Funk, E.A., Schwartz, S.M., Kaplam, B, & Keenan, G.M. . (2010). Top ehr challenges in light of the stimulus . Journal of Healthcare Information Management ,24(1), Retrieved from http://www.myhealthtechblog.com/2010/01/complex-challenges-for-ehr-implementations.html
Choi, Y.B., Capitan, K.E., Krause, J.S., and Streeper, M.M. 2006. “Challenges Associated with Privacy in Healthcare Industry: Implementation of HIPAA and Security Rules,”
Journal of Medical Systems, (30:1), pp57–64.
16 | P a g e
Levine, Alla . Electronic health record challenges & opportunities Retrieved from ftp://ftp.drivehq.com/CHCANYS_FTP/File%20Manager/HIT/PCHIC/EHR%20Presentation%20-%20Challenges%20%20Opportunities%20ALevine.pdf
NIST – National Institute of Standards and Technology. 2005. “An Introductory Resource Guide for Implementing the Health Information Portability and Accountability ACT (HIPAA) Security Rule,” NIST Special publication 800-66.
Ponemon Institute LLC, Initials. (2010, November 9). Dgs health law blog [Web log message]. Retrieved fromhttp://www.dgshealthlaw.com/uploads/file/Ponemon_Benchmark_Study_on_Patient_Privacy_and_Data_Security%5B1%5D%281%29.pdf
Ryzinski, T. . (2011). Security challenges of ehr adoption . HealthLeaders Media , Retrieved from http://www.healthleadersmedia.com/page-3/PHY-262449/Security-Challenges-of-E HR-Adoption
The road to ehr implementation is paved with incentives and challenges . (2010). Managed Care Outlook, 23(1), Retrieved from http://www.guidonps.com/ideas-and-resources/articles/healthcare/the-road-to-ehr-implementation-is-paved-with-incentives-and-challenges/
17 | P a g e
Appendix
Question asked of each Health System
1: Are you implementing or have you implemented an EHR system and if so when, what was the
driving force behind doing so, and what steps are or were taken?
2: What do you perceive to be the pros/cons of an EHR/EMR system?
3: s it difficult maintaining HIPAA compliance during implementation or finding vendors that
are HIPAA compliant?
4: Has your organization been following the meaningful use regulations? What are your thoughts
regarding those?
5: How much do you feel that transitioning to an EMR has saved you as far as costs, resources,
time?
6: What main challenges have you faced during implementation as it relates to vendor selection,
costs, security?
7: With the challenges faced, what do you believe caused them, what have been their effects, and
what have you done or are you doing to resolve them?
8: If you compare previously paper practice, how do you rate this new Technology? Is this
practice more effective and efficient?
9: What challenges are you dealing with to making sure this practice work effectively?
10: Is there any ongoing training for your employee?
11: Do you feel it has improved health care quality?
18 | P a g e
12: Can you tell us how quality assurance, performance improvement, patient’s care quality, and
patient safety have been affected?
13: How does the clinical staff (doctors, nurses, etc) feel regarding implementation of an
EHR/EMR?
14: Are they receptive or do they want things to stay the same? Does any particular group have
more opposition or reservations than another and if so why?
15: In what way have you seen the difference in cost?
16: How do vendors promise security with their services?
17: What were the cost challenges you faced when implementing EMR?
18: What concerned you most about the cost it would take to implement EMR in your
organization?
19: What concerned you most about security when using EMR?
20: What was the greatest cost you had when implementing EMR and using it?
21: From a technical point of view how do you track the security and who has access to the EMR
22: Do you believe it is more secure than paper records?
23: How can you compare the cost between paper records and electronic records?
24: What worries you most about the security to the access of these records by individual
working in the office and those outside the office?
25: How is security handle with in-house IT and vendors IT?
26: What types of security and procedures has IT put in place?
19 | P a g e