Home  /  Thought Leadership  /  Social Media  /  Blogs  /  Perficient Healthcare IT Solutions Blog
Perficient Healtchare Solutions Blog

Healthcare

Subscribe via Email


 

Subscribe to RSS feed

RSS RSS Feed
Perficient Healthcare Business Solutions

Perficient Healthcare on Twitter

avatar

John Bradshaw

Posts by this author:

avatar

EHRs, Analytics, Utilization and Population Health

by on May 10th, 2012

Spurred on by Meaningful Use, there has been an explosion in the implementation of EHRs over the last several years.  This tidal wave has been sweeping through the healthcare community, sucking up much of the available bandwidth that organizations have to deal with change of this magnitude.  The effect is really no different than what other industries have been through over the last couple of decades beginning with the emergence of ERP systems in the late ’80s, early ‘90s.  The organizations setting up EHRs have the opportunity to look back at the experiences those industries and to glean lessons learned.  One of the biggest is that there will be a second wave, which we are already starting to see.  This second wave is driven by the desire for information and knowledge.  Folks realize that the instillation of technology to support operating standards, policies and business procedures via EHRs provides for a great source of transactional data.  Data that is just waiting to be warehoused, given meaning, aggregated, sliced, diced and analyzed.  The challenge here, and a trap that many fall into, is that the data can seem so close at hand, accessible and, on a small scale, manipulatable, that the cost and effort to deploy analytics solutions to get at the data aren’t that great.   Invariably, after much investment and frustration at the inability to get all of the data, many realize that what they initially focused on was just the tip of the iceberg and that the effort of managing and distributing a large amount of information and knowledge across a large organization requires a great deal planning, time, people and investment.  While not quite as invasive as the rollout of the EHR, the investment in analytics is substantial, must be planned and executed over a period of time.

Avoid the Trap

There are a couple of tell-tale signs that you’ve fallen into the trap.  The first is the 80/20 rule, where you end up spending 80% of your time collecting, cleaning, organizing and making data available, leaving only a small amount of time to analyze and act upon it.  The second sign is the executive dashboard, the situation where a large number of people spend a great deal of time every month, sourcing from the new EHR and other transactional platforms, aggregating, calculating and making available, with very little automation, to a select few (ie., the senior management team).  A dashboard that others in the organization don’t have access to, nor, due to its highly aggregated level, is it of much value to, although I’m sure it’s been a source of many “fire-drills.”   The “fire-drill” being painful in that the lengthy and manual manner, in which the particular dashboard measure is deduced, must be dissected in order to determine was there really an issue or is it related to the calculation and aggregation process.  Then, if there is an issue, where?  Typically, you’re already 45-90 days out from the occurrence of the negative event.

It’s Not Just About the Transactional System

What can health organizations do about this?  First, they must realize that the implementation of the EHR creates both a great source of data and a need within the organization to aggregate that data, combining with other information from across the organization and from third parties.  With this awareness, the EHR effort should be shadowed by one focused on developing a strategy, objectives and plans supported by milestones to deploy analytics in a controlled and deliberate manner.  To successfully do so, it will be quickly realized that there are dependencies that must be addressed.  Such as the need for data governance, inclusion of any master data management activities already underway and the need for an infrastructure that enables the transactional, analytical and other systems and devices to access and exchange data, whether an HL7 transaction, X12 out-going batch file, an EHR feeding the analytics store or a patient portal via SOA.  Third are awareness, education and training.  Analytics unleashed upon the employee population all at once can be analogous to drinking from the fire-hose.  The effective use of analytics is driven by the ability of the organization, department, teams and individuals to clearly articulate a specific need for information, putting into the context of the particular business process(es), activity(ies) and task(s).  Ideally, analytics are doing two things for us; 1) reinforcing that we’re meeting or exceeding the desired performance level, as we all need that periodic feedback that everything is ok and 2) an exception is occurring, which is where we’ve defined what it is to be operating normally and an event or occurrence has arisen that is outside the box, so the appropriate people must be alerted and have the ability to drill down into abnormal event to immediately begin identification and resolution of the issue.

What Does It Mean to Me?

How does all of this relate to Utilization and Population Health?  Over the last few months, there has been a noticeable increase in activity amongst health systems around the desire to understand more about the dynamics of the marketplace they do business in and the population they serve.  They are more aggressively pursuing sources of information outside the organization that can be combined with internal information to begin to paint a picture of not only the morbidity of the local population they serve, but the usage patterns the population is following in seeking out care.  Seeking care isn’t as consumer-friendly as many would hope and most health coverage leaves the choice of access to the consumer.  Health systems can begin to identify and track those patterns of utilization, situations of network leakage, repeat visits, begin to stratify the local population for risk, predict demand on facilities and impact to case-mix.  To the extent the health system is pursuing community outreach and educational programs; this information can be input into designing these programs as well as way to measure their impact.  The outreach and education can occur in conjunction with the PCPs and, potentially, the health insurance companies servicing that same membership.  The unspoken objective of all is to better understand and improve on the outcome of care.

Tags: , , , , , ,
Posted in News, Regulatory Compliance | 1 Comment »

avatar

ICD-10: What’s all the Fuss about?

by on March 15th, 2012

Several of the organizations that represent some of the many stakeholders in the healthcare delivery system have turned up the volume against ICD-10, yet again.  Some of the arguments against it are that there’s too much of a burden due to compliance work already being done on other directives and some have also exclaimed that the more fully defined code sets aren’t needed.  These positions seem to just be generalities and a reaction to the challenge of change.  What comes to mind when I hear such broad statements in support of maintaining the status quo is that the change is underway and we must stay the course.  Think of the old sayings, “It will get worse before it gets better,” “No pain, no gain,” and so on.  Any change, no matter how good the end result will be for us, always begins with difficulty and trepidation about the journey.  If we can get folks to look beyond the initial worries and focus on the opportunity, we will all be better off.

Moving forward

This is not only a time of great change, but I believe we are on the cusp of an evolutionary move forward.  The collective stakeholders will need to work together, contrary to stereotypes, to provide an environment in that will support, encourage and foster movement down this path of improvement.  Clearly, ICD-10 won’t be easy and it impacts each major stakeholder in different ways based upon where they are in the healthcare supply chain.  My greatest area of concern and nexus of ICD-10 is with the quality and quantity of clinical documentation.  Clinical documentation is the primary source for the generation of a bill or claim, amongst other things.  I’m aware of isolated testing efforts to create or “code” bills using the ICD-10 code set.  The results show that more than 40% of the bills cannot be created due to insufficient clinical documentation.  To be fair, the particular efforts referred to were in facility settings and involved both diagnosis and procedure codes.  I don’t know about you, but that’s disconcerting.  Not just about the potential lack of information to code claims, but what does this mean about the usability of the information that is recorded?  Does this mean that documentation standards are really driven by doing no more than is required to file a claim for payment?  Even then, to accomplish that requires a capable and experienced coder who’s familiar with the nuances of the caregivers in their organization.  With respect to usability, how can we meaningfully exchange information across the care delivery system and establish a robust patient record that’s a reference for future care?  While ICD-10 may put a spotlight on this issue, the two issues aren’t tied at the hop.  There’s no reason that improvements in the creation of clinical documentation cannot begin now.  If you look at the root of the generalities being made about ICD-10, it’s really about having to spend more time on creating good clinical documentation.

Collaborative approach

Beyond clinical documentation, the financial performance goals for organizations and individuals incent a focus on short-term, episodic treatment.  The processes and systems we put in place mimic and support that.  For the quality and cost of care to improve, and for Meaningful Use and ICD-10 to succeed, we need the stakeholders to work together and collaborate in a manner they haven’t before.  This collaboration needs to result in not only appropriate pay for current services today, but in the long-term as well.  The goal and focus really should be on the outcome of treatments from the perspective of the patient.  To facilitate this collaboration, which clearly includes the patient, Healthcare Reform has introduced an organizational construct called an Accountable Care Organization.  This can create a context in which it becomes mutually beneficial to all to provide both “reactionary” and preventive treatment and services.

If you haven’t begun thinking about ICD-10, I would suggest you start.  There are analytics solutions that enable you to understand where the biggest impact to your organization will be in the move from ICD-9 to ICD-10.  You can use that information to prioritize work on enhancing standards around clinical documentation for those specific protocols.

Tags: , , , , ,
Posted in News, Regulatory Compliance | No Comments »

avatar

The Importance of Being Earnest about Security in Healthcare, Part 2

by on February 14th, 2012

First, let me start with questions I asked at the close of Part 1.  How does your organization manage security and its risks?  Do you have a governance process in place, is it comprehensive, requirements driven, with the risks communicated, understood and mitigation plans developed and reviewed?  Can you adequately answer these questions?  If you can’t, please read on.  I’ll provide my thoughts and an approach to help you to answer them.

Establish a Baseline

Before you can begin improving and better managing your organization’s security, you must first understand where you are today.  Establishing a baseline enables you to compare your organization to industry standards, regulations and best practices.  It can be difficult to find documented best practices and standards.  In my efforts, I’ve found the work done by and for the federal government to be a good source, particularly in the case of healthcare.

Lay the Groundwork

For security to be effective, it must become part of your organization’s culture.  For many, this is still seen as the domain of IT, yet when you review the HIPAA Security Rule, compliance with the safeguards clearly requires the involvement of many from across your company.  To get started, you need to create awareness at the top.  I’ve found using actual occurrences as examples, such as the one I referred to in Part 1, good teaching aids.  When senior execs understand the size of the potential unplanned expenditures and fines, as well as unwelcomed notoriety, they are much more willing to take notice and action.  In seeking assistance with this educational process, I’ve found the legal, privacy and compliance folks a great help.

In conjunction with the awareness campaign, roll out a governance process led by the establishment of a steering committee comprised of key senior execs.  Make sure to provide them with a basic understanding of security, on-going expenditures to maintain the current state, planned expenditures and with known risks.  Known risks should be quantified, evaluated and have mitigation plans for those with the most exposure.  This enables the committee to better relate to, evaluate, prioritize and manage/accept the risks.  If you are unsure as to the risks and/or have not done a security assessment before, this is a great time to do your first one.

Best Practices

An initial assessment can take four to six weeks as there is a great deal of information gathering required to answer the many questions.  I would suggest using a third-party as they can bring objectivity and won’t be encumbered by any organizational biases.  Ideally the resource should be certified, such as a CISSP.  As to detail of the assessment, that depends on the maturity of your governance and experience conducting assessments.  Typically, confirming/understanding where you are, if there gaps between that and your benchmarks, what the costs are to fill the gaps and what your risk exposure is.  To not bite off too much at once I recommend a progressive approach.  Initially, focus on the HIPAA Administrative, Technical and Physical Safeguards.  You can use them as a benchmark and questionnaire.  As your confidence and compliance grows include the SANS Institutes 20 Critical Security Controls in the next or a future assessment.  They are an amalgamation of a number of the critical NIST SP 800-53, Rev 3, Controls.  Lastly, when you’re ready to take a leadership position in security, focus on the entire set of controls as presented in the NIST SP 800-53, current rev, Recommend Security Controls document.  It can take many years and assessment loops to get to the greatest detail.

Conduct the Assessment

A time limit should be set for each assessment.  The assessment itself should ideally involve your staff researching and answering the specific set of questions in concert with the third party.  They know where to get the detail and it will help that all is fresh in their mind when reviewing the results.  At the completion of the assessment, the third party will consolidate and review the findings, identifying the gaps and presenting their report.  You and your staff will then need to evaluate the risks and develop mitigation plans.  The risks should be prioritized, with the cost and effort to mitigate each defined.  The completed findings would be presented to the steering committee for review and a decision on which risks are acceptable and which must be remediated.  Remediation work would then proceed based upon the prioritization and exposure of the risk.

Ongoing

To keep from inadvertently introducing risk as change occurs, it is prudent to include a step to conduct a gap/impact analysis against your security baseline in any project that will result in changes being made to your organizations technology environment.  Establishing good security governance and practice can be straight forward.  There’s really no special recipe, with the approach being similar to and a subset of other technology governance practices.  Communication and awareness are paramount.  Nothing is perfect and technology is always in motion.  It’s critical that senior management understands the risks, potential outcomes and mitigation costs in order to manage your company’s exposure.

You’ll find links below for those items I’ve referenced above, along with some other items of interest.

Tags: , , ,
Posted in News, Regulatory Compliance | No Comments »

avatar

The Importance of Being Earnest about Security in Healthcare, Part 1

by on January 18th, 2012

In Healthcare, we talk about how important security is, all the while secretly hoping and assuming that, as an organization, we’re in compliance and have all the appropriate safeguards in place.  When discussing compliance, at the very least this refers to the baseline set by the HIPAA Security Rule and the many contractual obligations we have, including Business Associate Agreements (BAA), being a Covered Entity and confidentiality clauses.

Typically, the way security has evolved and grown up in organizations has been piecemeal and bottom-up.  As we deployed new components of our infrastructure, we would integrate them into the environment, adopting it to the standard the individuals doing the deployment understood.  We assumed this approach would ensure the continued safety and protection of our data, intellectual property and other assets.  The challenge with this approach is two-fold.  It assumes the existence of both an enterprise security plan, which all know and understand, and a process by which we periodically review our company’s environment for adherence to that plan.  To further complicate matters, the enterprise security plan should be based upon business, legal and regulatory requirements, published and generally accepted best practices and accepted risk.  The latter refers to management conversations that compare the cost of doing something and the potential future cost of not doing it and dealing with the issue if it arises.

To further illustrate the last point, with the enactment of the HITECH act and clarification of many things relating to both privacy and security, risk management has taken on a greater importance and should be a topic of interest for senior executives.  As an example, there was a recent article about a New England firm which experienced a breach.  An employee’s laptop was stolen from their car.  The laptop in question contained PHI.  The firm ended spending upwards of $300,000 in fees and hundreds of hours of staff time to address the breach.  If one breach is $300,000 plus staff time, how does that compare to the cost of encrypting and monitoring all devices that exist off-premise?

My question to you is how does your organization manage Security and its risks?  Do you have a governance process in place, is it comprehensive, requirements driven, with the risks communicated, understood and mitigation plans developed and reviewed?

In Part 2 of this blog, I’ll provide ideas and suggestions on how to improve the management and governance of Security, allowing it to come out of the closet and become better appreciated, understood and accepted by all.  A well governed and managed Security Plan can become an asset and differentiator when competing for new business, as well as retaining existing.

Tags: , , ,
Posted in News, Regulatory Compliance | 2 Comments »

avatar

When Containing Costs Contains Solutions

by on November 7th, 2011

Perficient has created this series, “Healthcare Analytics and Meaningful Use” to drive discussions around unlocking the true potential of EHRs with analytics. Stay tuned for this four-part series to be published throughout October and November.  We welcome your comments and questions below.

Henry Ford claimed that a good business rule of thumb is to “make the best quality of goods at the lowest cost possible”. In an industry that is experiencing record-breaking numbers of uninsured patients with little or no ability to pay, funding the changes necessary to comply with the HITECH Act and ICD-10 are a challenge.  Integrating systems, implementing EHRs, training and educating employees and developing analytics that serve healthcare organizations are time consuming and expensive feats.

To help soften this blow, the HITECH Act provides incentives and, in the final ruling, a relaxing of the Stage hurdles required to be met in order to qualify for the incentives. Organizations that qualify must keep in mind that in taking the incentives, they are attesting to already having made a good deal of progress down the path of utilizing certified-EHR technologies.  The resulting impact of both HITECH and ICD-10 are enterprise-wide.  Organizations can either react by doing only what is needed to comply or embrace the change and take advantage of the situation for process improvement.

Through deliberate and managed improvement, organizations can generate a Return-on-Investment (ROI).  The increases in efficiencies, efficacy of treatment, human resource utilization, reduction in waste and subsequent quality increases will reduce the cost to deliver.  Given the complexity of the overall effort, establishing a data integration backbone and analytics with a monitoring solution at the beginning will be critical.  With the provision of care never-ending and the complexity of the supporting technologies, the management of change will need to be incremental, a step, module and/or department at a time.  Being able to monitor closely the performance of the organization, with the ability to fine-tune or react quickly, will help to ensure the success of the move to the certified-EHR solutions. By adopting early on and encouraging the use of a common “dashboard” service covering Clinicals, Quality, Finance, Operations and Regulatory, organizations can help create an awareness and understanding that lasts beyond the needed change.

As organizations move beyond this time of change, ubiquitous and appropriate access to analytics for all will continue to drive cost down to a reasonable level and quality ever higher.

Want to learn more?  Register for our upcoming analytics webinar and you will be entered to win one of two Perficient client badges to the February HIMSS Conference in Las Vegas!

Tags: , , , ,
Posted in Business Intelligence, News, Regulatory Compliance | No Comments »