Challenges of Cost and Security When Transitioning to Electronic Health Records

Jamie Jackson

Texas Woman’s University

Management of Health Service Organization 5003-30

Pat Driscoll

April 12th 2011

Table of content:

Introduction______________________Page 3

1 | P a g e

Purpose/Problem_________________Page 5

Methodology____________________Page 7

Data Collection__________________Page 8

Findings/Resolution_____________Page 14

Conclusion___________________Page 15

References___________________Page 16

Appendix____________________Page 18

2 | P a g e

Introduction:

The Health Information Management Systems Society defines Electronic Health Records

as

“The Electronic Health Record (EHR) is a longitudinal electronic record of patient health

information generated by one or more encounters in any care delivery setting. Included in

this information are patient demographics, progress notes, problems, medications, vital

signs, past medical history, immunizations, laboratory data and radiology reports. The

EHR automates and streamlines the clinician's workflow. The EHR has the ability to

generate a complete record of a clinical patient encounter - as well as supporting of EHR

care-related activities directly or indirectly via interface - including evidence-based

decision support, quality management, and outcomes reporting.”

The use of information and communication technologies, such as electronic health record

systems has become increasingly common in all health organizations. In addition the health care

reform passed in March (2010) requires all hospitals/physicians to adopt electronic health

records and track and report patient outcomes. To aid in the adoption of electronic health record

systems the HITECH Act, part of the 2009 economic stimulus package, American Recovery and

Reinvestment Act, passed by the US Congress promises maximum incentive payments for

Medicaid to those who adopt and use “certified EHRs” according to the meaningful use

standards set by the government of $63, 750 beginning 2011. Eligible medical professionals

must begin receiving payments by 2016 to qualify. For Medicare the maximum payments are

$44,000 over 5 years. Those who do not adopt an EHR by 2015 will be penalized 1% of

3 | P a g e

Medicare payments, increasing to 3% over 3 years (currently there are not any penalties for

Medicaid) (Bill, Hethcock, 2010). As a result, most healthcare organizations are transitioning to

an electronic health record.

The 1999 Institute of Medicine report, To Err is Human has also highlighted the fact that

44,000-98,000 people die in the US because of medical error. Most of these deaths happened

because of unreadable physician handwriting that could easily be prevented by electronic health

record. This, along with other benefits the electronic health records possess such as streamlining

clinical workflow and making patient data easier to access is causing federal and state

governments, insurance companies, and other large medical institution to heavily adoption of

electronic health record.

The key to delivering quality care and maximum profitability with EHR’s is by having

synergy achieved by effectively integrating Provider/Patient, Processes, and technology. If In

order to do this, a physician office or other healthcare organization needs to already have an

improved process so that the EHR implementation will have seamless interoperation. Lind Kloss,

Executive VP and CEO of the American Health Information Management Association define the

three essential capabilities of an EHR as follows: to capture data at the point of care, to integrate

data from multiple internal and external sources, and to support caregiver decision making. The

US IOM report, Key Capabilities of an EHR System identified a set of 8 core care delivery

functions that an EHR system should be capable of performing in order to promote greater

safety, quality, and efficiency in healthcare. Those 8 core capabilities are health information and

data, result management, order management, decision support, electronic communication and

connectivity, patient support, administrative processes, and reporting.

4 | P a g e

While adopting an EHR can provide many benefits such as linking healthcare providers

by electronic sharing of clinical information, improvement in patient safety/quality of care

because of better security and reduction in costs there are barriers as well. Some of these barriers

are technical (functionality of use, lack of integration), Financial (initial costs for

hardware/software, maintenance, and training), security, and incompatibility between systems

(the EHR systems and other billing/scheduling systems already in place). During the phases of

implementation—analysis, selection, procurement, installation, training, and maintenance—as

well as after, two main barriers tend to stand out: costs and security which ironically are

considered two of the benefits as well.

The following is an in-depth look at what Baylor medical city of Plano, Children Medical

Center, Medical Center of Lewisville, and Dallas dermatology clinic are doing to maintain the

security and reduced the cost in their organization.

Purpose:

Discuss the challenges of costs and security as they apply to implementing an electronic

health record in various sized healthcare organizations. The causes and effects of these

challenges along with their dual roles as benefits will be analyzed and probable solutions will be

presented.

Problem:

With the unrelenting increase of both cost and demand for electronic health record, the health

care system in the United States has been facing with many challenges. One of the most critical

factors underlying multiple challenges in the current health care arena revolves around cost and

security. The adoption of technologies such as Electronic Health Records is leading to an

increase in system complexity and is the enemy of security and compliance and therefore must

5 | P a g e

be minimized and adequately managed. To work more efficiently, electronic healthcare records

need to be readily available and stored on many devices in different locations including laptops,

removable storage, smart phones, servers and medical equipment. Unfortunately, having

information in various places creates serious information security risks and compliance gaps. In

addition a shared computer often creates an accountability issues related to security and

compliance. When a data security breach occurs on a shared system, it can be difficult to

determine who was involved.

Costs is another issue because when implementing electronic health records there are various

factors to consider—start up cost, software maintenance cost, and training cost. While it has been

pointed out that EHRs can possibly save the health system money, physicians—especially the

ones in small practices may not always benefit financially. EHR prices vary widely based on

what’s included, how robust the system is, and how many providers use it. According to an

online survey, 1/3 of organizations paid between $500 and $3,000 per physician, another third

paid between, $3,001 and $6, 000 per physician, and 33% paid more than $6,000 per physician.

In a 2006 survey lack of adequate funding was cited by 729 health care providers as the most

significant barrier to adopting electronic health records. During the American Health Information

Management Association conference in October 2006, panelists estimated that purchasing and

installing an EHR system will cost over $32,000 per physician and maintenance about $1,200.

Vendor costs account for 60-80% of these costs.

6 | P a g e

Methodology:

The preliminary study began by researching various internet resources and academic

journals to conclude the bases of our purpose, which were challenges of cost and security with

implementation of EMR. We then chose interview sources from six organizations: David

Collins, Director of Health Information Systems at Healthcare Information and Management

Society, Ashley McClellan, COO of Medical Center of Lewisville, Shirley Archambeault, IT

Administrator of Medical Center of Lewisville, Children’s Medical Center of Dallas Systems

Analyst, Bill Duke, Executive Director of Dallas Associated Dermatologist and Melissa Jones,

IT Resource Nurse at Baylor Plano. We chose to focus on the administrative and IT departments

because these two departments would be the most knowledgeable of the challenges pertaining to

cost and security. These various sources also allowed us to compare the challenges of a large

hospital, medium sized hospital, a smaller doctor’s office and a national healthcare organization.

Next, we formatted a questionnaire for the interviews that would permit us to receive the most

detailed answers. From our previous research we found examples of questionnaires, which were

7 | P a g e

formatted in closed ended questions. We felt that these types of examples were not in depth

enough to provide detailed information. The questionnaire focused on the effects on the

organizations stemming from the transition of paper health records to EMR. We then emailed the

questionnaire to those who weren’t available for a face to face interview and met those sources

who were available. When questionnaires were returned an analysis of the information was

performed, comparing each organization’s statements to conclude if the answers given were

similar or if any new data could be obtained.

Data Collection:

Data was collected through questionnaires that were sent out to hospital clinical and IT

administrators, doctors’ office business office managers, and the director from a national

healthcare organization. Healthcare journals and other resources were utilized as well.

Data:

To get a better understanding of electronic health records, David Collins, Director of Health

Information Systems at Healthcare Information and Management Systems Society was

interviewed. Upon speaking with him he states that most of the challenges are fundamental not

technical as many people believe. He says that implementing an electronic health record is more

about making healthcare more efficient versus any of the other benefits. Regarding challenges,

Collins states that financials are a main factor but incentive money from the government is

helping to make it less of a barrier. According to him, because hospitals stand to lose millions if

they don’t comply (especially in regards to Medicare patients) due to loss of incentive money

and decreases in reimbursements they are starting to see that the future benefits far outweigh the

start up costs, particularly in larger organizations. In regards to security, he feels that EHRs are

8 | P a g e

more secure than paper records you can govern access and monitor who is accessing them. He

feels that cost and security challenges can be offset with plenty of training and ensuring that you

have good leadership from the top down that embraces the goals of the organization. Speaking

with Collins enabled us to have a firm foundation of what to look for when interviewing our

other respondents.

Cost:

According to Bill Duke, Executive Director of Dallas Associated Dermatologist, while EHR’s

are much more effective and efficient the only challenge with them is that the cost is tremendous.

Cost has increased because of the new technology and the implementation but the increase in

efficiency can be seen as a tradeoff. Equipment, software, training, and duplication of efforts

(loading all previous paper information into the new software) are some of the causes of the cost

challenges when face with implementation. He also adds that vendors make cost more difficult

by charging for extras such as additional trainings, access to your data, and changing their prices

once they have begun the implementation prices.

9 | P a g e

A systems analyst at Children’s Medical Center was a little bit luckier because they are not a

small practice. Their EHR was purchased with the hospitals capital budget so individual

departments were not directly charged for the software. She stated that a lot of the cost comes

from the downtime as a result of having to pull nurses and physicians for 8 hours of offsite

training as well as using them to help plan, design, and test. One way that she saw that they are

saving money with electronic health records versus paper is that you don’t have to purchase

paper and the physical storage place to keep them because with electronic charts they are stored

on a very small server. They are also able to pull charts and reports quickly which also helps

save time and money. However while these things help save money, they do not offset the costs.

According to the health care quarterly Dallas business Journal Baylor Health Care

System will be spend more than $200 million by 2012 to put the first generation of its electronic

health records system in place. Baylor hopes to receive more than $45 million in federal stimulus

funds to offset the cost. Five hospitals in Dallas-based Baylor’s 26-hospital network are covered

by electronic health records, and installation of the system is under way at two more all of them

will be covered by the end of 2012. The system’s biggest challenge in implementing electronic

health records is connecting Baylor’s network to external organizations, such as public health

departments and the state’s immunization registry (Bill Hethock, 2010).

Speaking with Missy Jones, Informatics Research Nurse/EHR Physician Liaison at Baylor

Regional Medical Center at Plano she states that cost is the main con of EHR implementation

which is due to down time, constant need for upgrades, and the implementation itself. Baylor

Medical Center Plano also addressed implementing electronic health record is an expensive

project and there is constant need to update technology need for down time process.

10 | P a g e

Additionally buying hardware, application software, encryption software, maintaining the portal

access (and the VPN fobs that go with them), and keeping it all up to date is expensive. As they

continue to roll out with the system EHR, the IS (Information Security) support team will need to

continue to grow. Also because they utilize customized software they have a custom application

team that has to be trained to configure it. Maintaining the entire IS staff dedicated to EHR is

costly and expensive. The constraint of having enough equipment, enough people staffed,

enough support staffed, and the dread ‘what happens if it all crashes’ cost money and/or time.

She states that the benefits of an EHR are not seen on the front end but seen over time as patients

revisit and the communication channels between inpatient and outpatient channels are broadened

and optimized. After all she states “The point wasn’t to save money but to improve continuity

and communication in patient care by creating a more transparent record that makes caring for

the patient across the continuum easier and safer.”

Security:

In a March 2009 survey of 1,238 randomly selected adults, 59 percent of respondents didn't think

confidentiality of electronic medical records could be assured. A majority of respondents in the

survey thought it was important for providers to have electronic medical records, but 76 percent

thought it was likely that an unauthorized person would get access to medical records online. The

survey was from the Kaiser Family Foundation, the Harvard School of Public Health and

National Public Radio.

Bill Duke feels that security and cost in regards to implementation go hand in hand. He states

that the biggest concern about security when using EHR is cost because vendors gauge cost,

especially as it relates to security, because they know people have to have it. To help with their 11 | P a g e

security access is defined by security level and is designated by passwords and groups. They use

internal and external sources to maintain their security---internal people manage it and external

people handle it. Some of the security measures they use are passwords, groups, and log in ids—

especially since several people may use the same terminal. Duke states that most security issues

are caused by individual carelessness such as not following protocol, not shredding patient

documents, and sharing patient information in public. He feels that hopefully with the

implementation of an EHR system patient data will be more secure.

Systems analyst at Children’s Medical Center feel that the most significant impact on

reducing cost and maintaining security is that electronic records are easier to safeguard and audit

because employee names, departments, and roles can be extracted into a spreadsheet and

monitored and electronic health records require a password and tracks who has viewed what

whereas these things cannot be done with paper records. To further ensure security each clinical

department has an “EHR User Group” with the goal of ensuring appropriate and efficient use.

Main security concerns are protecting private patient information and ensuring each staff

member has appropriate access (not too much or too little). Security and access is determined by

role—i.e. all physicians have the same access, all nurses have the same access, etc. Also, staff is

held accountable for what happens under their name which makes employees have some

responsibility when it comes to security efforts. Children’s also has an information privacy and

security office that manages all security related issues. There are strict policies including and not

limited to appropriate and acceptable use, electronic communication, faxing health information,

information privacy and security, incidents and complaints, and email encryption. They also

have a strict policy requiring EHR training before a logon and password is even received. These

12 | P a g e

passwords have to be changed every 180 days, be 8 characters, and include upper and lower case

type.

Missy Jones, Baylor Regional Medical Center of Plano, states that fortunately most companies

that engage in work in the medical field are very familiar with HIPAA requirements and

regulations so making sure that vendors are HIPAA compliant security wise is a lesser worry.

One way that they have combated security is by customizing their EHR and having their own

enterprise employees being trained on configuring the system. Some security issues they

currently face are physicians not remembering their logins and having nursing staff log in for

them, having to constantly create and terminate logins for the residents that rotate through, and

user rights within the system. To combat this they emphasize the importance of learning the

system and using your on login information so that access can be tracked. Baylor Regional’s

EHR is maintained by their own security so in addition to password restrictions to the system,

there is a security team that is responsible for who has access to the EHR and what they can see

or do. There is also 28bit encryption software on every machine that is love on EHR. An

application that manages all access request called myID management is utilized as well.

Managers have to log in to this application and request staff access and these requests go to the

security team. She states that it is a yes and no answer when comparing the security of an EHR

system to paper records. With a paper chart, you have to physically be in its presence to see or

use it which is good because it limits access physically but bad because once you are within

proximity to a chart there is nothing to physically keep you out of it nor is there any way to track

who has looked at it. This is not so with electronic health records. You have to log in to view

patient information and this can all be tracked. All in all she feels that electronic health records

are a very secure medium for patient data.13 | P a g e

Michael Matthews, chief executive officer of health-information technology firm MedVirginia,

said security is on everyone's mind. "Many in the field will argue that data is actually more

secure in electronic format than paper," Matthews said. "There are audit trails left every time an

electronic health record is accessed, who accessed it, what results within the record have been

accessed. Whereas with paper records, you have no idea who has looked at it, who made copies,

what has been taken out of it."

Findings:

Through our research it was determined that there were no true monetary savings due to

the purchasing of new technology, software, hiring and ongoing training. Also, if any

savings are seen it is amongst larger institutions that already draw in enough revenue and

patients for the funding and offset of implementation of EHR systems. Furthermore,

while security is a top concern, it is far outweighed by cost no matter the size of the

practice or organization. Most security issues are due to carelessness among staff, lack of

training, and inadequate funding for security. While vendors are a necessity for

implementation, they will also take advantage of the EHR implementation requirements

by finding various methods to supplement their charges which can add unnecessary costs

to implement.

Resolution:

Some possible solutions that we devised that could possibly help organizations with cost and

security challenges of implementation are to make sure you have quality leadership that

14 | P a g e

embraces the goals of the organization as it relates to EHR, make sure you have quality training

and support during all phases of implementation, factor in all additional equipment and software

cost in addition to the EHR product, make sure your organization already has a good security

process in place as well as other departments like billing/scheduling, review and evaluate the

organization as well as several different products/vendors—utilize demos if possible, make sure

the EHR system chosen is already interoperable with the technology already being used, and

look into possible discounts or perks offered by insurers for EHR use.

Conclusion:

This project has provided an opportunity to understand the EHR technology system and

the challenges during implementation as it relates to cost and security. Understanding the

benefits of the technologies and the problems experienced by doctors who use the technologies

can help others make a better decision for their practice.

15 | P a g e

References

AHIMA – The American Health Information Management Association. (2006). “The State of HIPAA Privacy and Security Compliance,” last accessed on Nov. 2008

Aspden, P., Corrigan, J.M., Wolcott, J., and Erickson, S. M. (2003). Patient Safety: Achieving a New Standard for Care. Washington, DC: National Academies Press

Appari, A., and Johnson, M.E. (2009) “Information Security and Privacy in Healthcare: Current State of Research,” forthcoming in International Journal of Internet and Enterprise Management

Barlow, S. , Johnson, J., & Steck, J. . (2004). The economic effect of implementing an emr ioutpatient clinical setting . Journal of Healthcare Information Management , 18(1), Retrievedfromhttp://www.himssehra.org/docs/caseStudies/Allscripts_JHIM_Central%20Utah%20Clinic%2 0Case%20Study.pdf

Berkeyheiser, L. . (2010). Security and privacy challenges to ehr adoption. Advance for Health Information Professionals, Retrieved from http://health-

information.advanceweb.com/Article/Security-and-Privacy-Challenges-to-EHR-Adoption-2.aspx

Berndton, Chad. (2007). The challenge of electronic health records . CRN, Retrieved from http://www.crn.com/news/channel-programs/204200977/the-challenge-of-electronic-health-ecords.htm;jsessionid=3Lyr5ZiQfJj8gw9Dg-b1NQ**.ecappj02

Blair, Jeff. (2003). Ehr trends and challenges: mri's surveys finds workflow and record access among top it-manager concerns. Healthcare Informatics Online , Retrieved from http://www.providersedge.com/ehdocs/ehr_articles/EHR_Trends_and_Challenges.pdf

Boyd, A.D., Funk, E.A., Schwartz, S.M., Kaplam, B, & Keenan, G.M. . (2010). Top ehr challenges in light of the stimulus . Journal of Healthcare Information Management ,24(1), Retrieved from http://www.myhealthtechblog.com/2010/01/complex-challenges-for-ehr-implementations.html

Choi, Y.B., Capitan, K.E., Krause, J.S., and Streeper, M.M. 2006. “Challenges Associated with Privacy in Healthcare Industry: Implementation of HIPAA and Security Rules,”

Journal of Medical Systems, (30:1), pp57–64.

16 | P a g e

Levine, Alla . Electronic health record challenges & opportunities Retrieved from ftp://ftp.drivehq.com/CHCANYS_FTP/File%20Manager/HIT/PCHIC/EHR%20Presentation%20-%20Challenges%20%20Opportunities%20ALevine.pdf

NIST – National Institute of Standards and Technology. 2005. “An Introductory Resource Guide for Implementing the Health Information Portability and Accountability ACT (HIPAA) Security Rule,” NIST Special publication 800-66.

Ponemon Institute LLC, Initials. (2010, November 9). Dgs health law blog [Web log message]. Retrieved fromhttp://www.dgshealthlaw.com/uploads/file/Ponemon_Benchmark_Study_on_Patient_Privacy_and_Data_Security%5B1%5D%281%29.pdf

Ryzinski, T. . (2011). Security challenges of ehr adoption . HealthLeaders Media , Retrieved from http://www.healthleadersmedia.com/page-3/PHY-262449/Security-Challenges-of-E HR-Adoption

The road to ehr implementation is paved with incentives and challenges . (2010). Managed Care Outlook, 23(1), Retrieved from http://www.guidonps.com/ideas-and-resources/articles/healthcare/the-road-to-ehr-implementation-is-paved-with-incentives-and-challenges/

17 | P a g e

Appendix

Question asked of each Health System

1: Are you implementing or have you implemented an EHR system and if so when, what was the

driving force behind doing so, and what steps are or were taken?

2: What do you perceive to be the pros/cons of an EHR/EMR system?

3: s it difficult maintaining HIPAA compliance during implementation or finding vendors that

are HIPAA compliant?

4: Has your organization been following the meaningful use regulations? What are your thoughts

regarding those?

5: How much do you feel that transitioning to an EMR has saved you as far as costs, resources,

time?

6: What main challenges have you faced during implementation as it relates to vendor selection,

costs, security?

7: With the challenges faced, what do you believe caused them, what have been their effects, and

what have you done or are you doing to resolve them?

8: If you compare previously paper practice, how do you rate this new Technology? Is this

practice more effective and efficient?

9: What challenges are you dealing with to making sure this practice work effectively?

10: Is there any ongoing training for your employee?

11: Do you feel it has improved health care quality?

18 | P a g e

12: Can you tell us how quality assurance, performance improvement, patient’s care quality, and

patient safety have been affected?

13: How does the clinical staff (doctors, nurses, etc) feel regarding implementation of an

EHR/EMR?

14: Are they receptive or do they want things to stay the same? Does any particular group have

more opposition or reservations than another and if so why?

15: In what way have you seen the difference in cost?

16: How do vendors promise security with their services?

17: What were the cost challenges you faced when implementing EMR?

18: What concerned you most about the cost it would take to implement EMR in your

organization?

19: What concerned you most about security when using EMR?

20: What was the greatest cost you had when implementing EMR and using it?

21: From a technical point of view how do you track the security and who has access to the EMR

22: Do you believe it is more secure than paper records?

23: How can you compare the cost between paper records and electronic records?

24: What worries you most about the security to the access of these records by individual

working in the office and those outside the office?

25: How is security handle with in-house IT and vendors IT?

26: What types of security and procedures has IT put in place?

19 | P a g e