Marion K. Jenkins, PhD, FHIMSS

I have been in information technology (IT) and automation for over 30 years in a variety of industries, and in healthcare IT for the past decade. So I have seen my share of the good and bad in IT.

In most industries, IT has gained widespread adoption, revolutionized operations, and increased productivity and efficiency. Unit output per worker, and the quality of that output, is measurably better, even in the brick-and-mortar world. Checkout at the grocery or hardware store is so simple and automated that we can do it ourselves - which saves us both time and money. Bar code scanning and price databases have greatly eliminated errors and "Price check on register eight" episodes. When we go to the airport, airline counter kiosks speed us through the check-in process in record time, even though the number of passengers has more than doubled and the number of employees is about one-fourth of what it used to be. Most industries are on their fourth or fifth generation IT systems, wringing the next few percentage points of efficiencies out of their systems.

In healthcare, on the other hand, even five years after ARRA/HITECH promised unprecedented billions of dollars to upgrade EMRs to EHRs, there are still many pundits who argue whether IT even has a place in healthcare. They claim that healthcare is too complicated, too fragmented, and too full of disparate processes and data types to lend itself to digitization and automation. Most healthcare entities are on their first generation systems, and according to two reports from Health Information Management Systems Society (HIMSS) Analytics, fewer than 

 in the US have achieved the highest level of adoption, implementation, and optimization of EHR systems. 

So in consequence, when we go to the doctor's office we are still typically faced with the proverbial clipboard at the check-in desk, and then when we are referred to go to the lab or imaging center or another clinic, we have to manually recreate our health history from memory for the umpteenth time.

Many healthcare software vendors claim their systems reduce costs and improve patient care, and point to statistics and case studies that supposedly prove their point. Early adopters and clinicians from mature, well-run healthcare IT system implementations are featured at national healthcare conferences, with almost rock-star type status. Indeed, I have met many clinicians and staff who work for organizations that have overcome the "digital divide" and have become highly automated, and if you ask them if they would ever go back to paper, they scoff at the idea.


The literature is also full of negative news about IT and EHRs, with headlines and content - much of it anecdotal - about the negative effects of technology in healthcare. If you ask almost any physician if they have had a negative experience with their technology, or know someone who has, the answer will be yes at least 90 percent of the time. And at these same conferences featuring the healthcare technology believers, there is a persistent whisper in the audience of incredulous disbelief. And sometimes during a Q&A session, I've seen the whisper essentially erupt into a debate between believers and non-believers.

But much of this view has to be taken with a grain of salt, as the information is frequently taken out of context or without all the facts.

Indeed there was = an article a few years ago 

, with the primary culprit being lost revenue. But if you read the actual article, it was not based on experience, it was based on a survey of physicians who were 

 to see a drop in productivity. So although it was technically a statistical study, it was based on opinion, not on fact.

Clearly there is a self-fulfilling prophecy concept here. If you expect something to be bad, it probably will be.  

What is the source of the data supporting the naysayers? Are there data to back up the horror stories of physicians leaving in droves, or shutting down their practices, to either avoid going the IT route, or in response to an IT disaster?

It is a fact that there have been many well-publicized IT failures in healthcare. What is not widely appreciated is that across all industries, IT projects have a failure rate that some experts believe could be as well over 10 percent. (A failure in this context generally understood to mean that the implementation failed to meet expectations in all three areas: time, cost, and user requirements. In roughly another significant percentage of cases, the system implementations are not fully successful in one of these key areas, but at least the implementations were somehow rescued rather than abandoned.  

Here are many well-known examples in literature. The industry journal 

, costing companies like Hershey Foods and jeweler Shane Company millions, but none of them were in healthcare.

The literature is also full of root-cause analyses and case studies of these and many other failures, and essentially all of them point to improper executive and organizational buy-in, lack of proper planning, poor user training and implementation, failure to develop requirements and matching them with systems capabilities, and dealing with the impact of changes to the organization.

These are all major factors in healthcare, so for healthcare IT projects to have even half a chance to be successful, it needs executive and organizational buy-in to even start.

So, as a pro-technology, pro-EHR, pro-automation expert, my advice to reluctant physicians and practice executives who are considering an EHR is simple: 

. If you don't believe it will work, it won't work.

On the other hand, with proper buy-in, good user requirements matched with a good vendor product, proper budgeting, planning, and implementation, healthcare IT can be a real game-changer, and can definitely contribute positively to the three pillars of the 

Institute for Healthcare Improvement (IHI) triple aim

: lower costs; better outcomes; and improved health of patient populations.

Articles

The debate over pros and cons of health IT persist, but to find success in your medical practice you need one key element: buy-in from the key players.

Success with Health IT Requires Buy-in, Not Just Budget

The recent conference of the Health Information Management Systems Society (HIMSS) was held in Orlando from February 23-27. HIMSS is mostly comprised of healthcare IT executives and consultants working in and serving the "large market" segment of healthcare, which includes hospitals and large clinics, integrated delivery networks, independent physician associations, and accountable care organizations. HIMSS has about 55,000 members nationwide and over 40 state/regional chapters.

If you have not been to a HIMSS annual conference recently (or never), the numbers are staggering. This year, there were about 38,000 attendees, which was up about 10 percent over last year. There were more than 300 educational sessions, plus another hundred or so breakout sessions, luncheons, and breakfasts hosted by vendor partners as well as state HIMSS chapter organizations and other associated groups like nursing informatics and regulatory bodies.

If past conferences are a guide, the ratio of attendance from exhibitors and consulting companies is interesting - vendor attendees typically outnumber the attendance from provider organizations (i.e. hospitals, etc.) by about 3 to 2. That number is a bit misleading, however, as many of the vendors and consultants who attend are actually doing so on behalf of one or maybe several of their provider organization clients.

There were over 1,200 exhibitors (up about 7 percent over last year). If you spent just five minutes with each one, that would be over 100 hours, not counting walking the exhibit hall floor, which itself is about a mile long. Spending just one additional minute with each vendor would add another 20 hours to your trek. Exhibitors also occupied more space than last year, up by about 20 percent according to reports from HIMSS staff.

Needless to say, the only way to have a good HIMSS annual meeting experience is 1.) Wear comfortable walking shoes; and 2.) Map out your plan ahead of time so you aren’t wandering all over.

The "Best of HIMSS" List (arbitrary categories and selection by this author) 

• Best giveaway: Google Glass and GoPro cameras

• Biggest booth: Cerner, at 13,000 square feet. Cost? Priceless?

• Smallest booth: 10x10. (It’s still several thousand dollars, and many of those exhibitors looked like they were NOT getting their money’s worth…)

• Live attractions that had the absolute least connection to healthcare IT, but seemed to garner the most attention: Slight-of-hand magicians, carnival barkers, sand painters, speed artists, game show setups.

• Most handy attendee "creature comfort": The golf cart shuttles that would take you from one end of the exhibit hall to the other in about 10 minutes (on one ride, a guy "riding shotgun" would stop at various exhibitor booths along the center aisle, and get the rest of us riders the trade show swag of our choosing.)

• Loudest vendor party: Greenway Medical, at the Hard Rock CafÃ© at Universal Studios.

• Most outrageous cab fare: A $73 tab from Universal to the Orlando Airport. Highway robbery.

Under the primary conference theme of "Onward," the subthemes of HIMSS14 included "Innovation," "Impact," and "Outcomes." The focus of vendor exhibits and conference sessions seemed to be usability, optimization, and getting healthcare IT to work for clinicians and actually impacting patient care.

While all vendors certainly showed off their latest systems, devices, gadgets, and software, the underlying theme seemed more focused on making things work, rather than just the dazzle and buzz of the latest and greatest tech gear.

The vendor solutions presented ranged from the broadest-reaching possible, including all-encompassing software and consulting services designed to attempt to handle literally all IT issues across an entire healthcare organization, to extremely narrow niches, such as keyboards that could be used in a sterile environment, or high-performance battery packs for mobile devices.

I have been to many HIMSS conferences, and of course they always offer the latest and greatest. In fact at past conferences the sheer depth and breadth of "what’s new in IT" has seemed overwhelming, almost to the point of leading to technology shellshock among attendees, and gridlock among vendors.

This conference seemed different, at least to me and to several others I talked to. Attendees seemed to be intent on finding solutions, and vendors seemed intent on demonstrating the real-world value of their solutions, tying them into better patient outcomes and provider usability rather than simply the newest tech "bright shiny object."

Mobility, interoperability, security, Telehealth, measurable patient outcomes, etc., were some of the major underlying themes. Vendors who couldn’t somehow tie their solutions into the overall healthcare IT picture - and specifically to the Institute for Healthcare Improvement's Triple Aim of better population health, lower per capita cost, and better patient experience and outcomes - were not perceived as real players on the national healthcare IT stage.

Apparently even the two million square feet of exhibit space in the Orange County Convention Center in Orlando isn’t big enough for HIMSS15. Next year, the conference is moving to the McCormick Place in Chicago, which is about 30 percent bigger. The conference will also be moved from March to April, no doubt out of respect to the Polar Vortex.

Here's some observations from my walkabout with 38,000 of my closest friends in healthcare IT, better known as the HIMSS14 Conference recently held in Orlando.

HIMSS14: One Attendee's In-depth Look at All Things Health IT

 we discussed how "cloud" is ready for prime time in healthcare. That blog contained information on what cloud services are, how they work, and why they are part of most physicians' - and virtually all hospitals' - IT strategies going forward.

This month we address cloud myths and misnomers, concluding with a "cloud checklist" for practices.

Many ads, marketing materials, and salespeople make the cloud sound like it's magically foolproof, implying that going to the cloud makes all your IT troubles magically disappear. Many users don't think about the fact that cloud services contain all the IT hardware, software, and related complexity that is represented with any IT installation. In fact a cloud hosting facility contains massive servers, storage systems, and network gear. The main difference is that a properly designed cloud hosting facility has IT systems with much more computing horsepower, with systems that are designed to support thousands or even millions of users, and it is configured and managed by much more skilled technical resources.  Cloud is not automatically foolproof.

Many people have the opposite opinion than the one above, that cloud is risky. Cloud services can be risky, especially if they are not designed, configured, and maintained properly. And there have been many well-publicized cloud outages. In most cases if you look at the root causes of the major cloud outages, they are traceable to IT principles that were either ignored to begin with, or IT operations that were not followed over time. Properly designed and managed cloud services should be more reliable than onsite IT infrastructure.

Cloud can be cheap. In fact some cloud services are "free." But to borrow and slightly tweak a phrase from Homer’s Odyssey, “Beware of 

 bearing gifts,” you need to watch out for hidden costs.  Many times those free cloud services come with annoying ads and pop-ups, sometimes including spyware, which is designed to track your web browsing habits. If cloud services are free, there is always a catch.  If it is incredibly cheaper than other solutions (including your on-site servers) then something is missing.  Properly designed and configured cloud services can be less expensive, depending on the circumstances, but it's a significant difference then you likely don't have the whole story.

This is obviously the opposite of the myth above, so how can some people think cloud is cheaper while others think it is more expensive? In most cases we have seen, a properly designed cloud infrastructure is less costly than a comparable on-site client/server installation, especially over time. If you are looking at a comparison of the two solutions and cloud is significantly more expensive, you are probably not looking at an apples-to-apples comparison. Cloud services typically have real-time geographic replication, which means you not only have one installation of your servers and data, but a second site that is ideally located several states away. In case of disaster in one data center, you can be up and running within minutes (or less) in the other data center. To properly compare such dual-site cloud services, you have to account for that with an onsite model.  That almost always makes cloud a more attractive option economically.

5. If your EHR is hosted in the cloud, you are HIPAA compliant

There are many cloud hosted EHR solutions out there. Whether an EHR is hosted in the cloud or onsite, HIPAA compliance (with the EHR) is more or less a given. But what is critical to understand is that of the 700+ HIPAA breaches reported by HHS since 2009, not a single one of them involved an EHR. Instead those breaches involved data that had been exported out of an EHR in the form of documents and reports, and stored locally on a server, a workstation, a laptop, or a portable USB drive. So it's not the EHR that needs the benefit of a secure cloud hosting facility, it's all the other items like files, documents, spreadsheets, images, PDFs and the like. A proper healthcare cloud solution should include all elements of a clinic's functions - both clinical and business office.

6. Cloud providers should be "HIPAA-certified."

There is no such thing as a formal “HIPAA certification,” at least not yet.  Cloud providers who claim they are HIPAA certified (as a formal and specific designation) are stating something that's incorrect, and this may indicate their ignorance of the HIPAA Security Rule in general. As the checklist below indicates, a formal HIPAA compliance program is essential, along with the cloud provider's willingness to execute a Business Associate Agreement. 

1. Ask questions and get comfortable and make sure you understand what your are getting … you should be able to get the same comfort level with a cloud provider as  you would with an on-site or internal IT solution. Your cloud provider should be able to explain exactly what services are being provided - but more importantly - exactly how those services are going to be delivered. If they cannot explain the services at a level that you can understand, that is a giant red flag.

2. Insist that your cloud provider provide documentation of their HIPAA compliance program, and insist that they sign a Business Associate Agreement (BAA). If they will not, or if you don't get a comfort level of their understanding of and compliance with HIPAA, do not move forward. A simple outside audit or a claim that they are “HIPAA Certified” is a giant red flag.

3. Check references. This sounds simple but is often ignored. 

4. Find out how long the cloud provider has been offering these types of services. Many cloud providers have started up in the last few years and they do not have extensive history in healthcare IT. Here is nothing inherently wrong with a startup, but you need to understand how much history a cloud provider has with healthcare.

5. Don't assume that just because your EHR is hosted you are HIPAA compliant, and all your applications are covered. You need to have a solution for all business and clinical functions, many of which happen outside of your EHR. In fact there has not been a single breach due to an EHR, whether hosted or onsite. You need to address all documents and reports, such as Word and Excel files, as well as financial systems and e-mail. Speaking of e-mail, Internet service provider (ISP) e-mail such as Gmail, Hotmail, etc., is not - nor can it be made to be - HIPAA compliant.

There are many myths about cloud IT services. Here, we dispel the major ones and provide a checklist for those considering a trip to the cloud.

Cloud Myths and Misinformation Physicians Must Consider

Chances are, you've heard about cloud computing but may not know much about it and how it relates to HIPAA. Here, we answer a few key questions about cloud services.

Cloud hosting has many variants and goes by many names, but it generally refers to the IT model where a medical practice uses computer servers and data-storage systems located in a service provider's data center rather than onsite at the practice. Some people think that since the word "cloud" is used, there is somehow magically no more hardware issues to worry about. On the contrary, a typical cloud-hosting facility has massive amounts of hardware and software systems. 

Cloud is so new, is it right for healthcare?

Cloud hosting is actually not a new concept. In fact, versions of cloud hosting under different names have been around for nearly 30 years. In the early days of massive mainframes, such companies as Boeing Computer Services and Computer Science Corporation offered these services under the terms "timeshare" and "service bureau." Over the years many other labels have been used, including application service provider (ASP), software-as-a-service (SaaS),infrastructure as a service (IaaS), utility computing, and hosting. Finally about five years ago, the label "cloud" finally took hold, and although some of the terms above are still relevant in specialized circumstances, cloud hosting covers the overall concept.

What has made it an attractive solution for healthcare? 

Recent advances in several areas, including server and storage virtualization, and increased bandwidth of broadband services, have made cloud hosting much more attractive. In addition, server architecture - including both processing horsepower and processing (CPUs) - have become massively scalable. And improvements in management software have significantly added to both performance and reliability. These advances in technology have prompted significant changes in the way cloud services can be configured and delivered.

Cloud services are not automatically HPAA compliant. In fact,not only are many cloud providers not HIPAA compliant, they are wholly ignorant of HIPAA principles. The new HIPAA Omnibus rule released earlier in 2013 required all service providers to undergo a HIPAA compliance and remediation program by September 23, 2013. 

(If you are using a cloud provider, you should contact them and request a copy of their HIPAA compliance program documents, and also request that they sign a Business Associate Agreement. If they cannot produce them, or they are reluctant to execute a BAA, you have a major problem.) 

Cloud-hosting services can be made HIPAA compliant, provided proper HIPAA security is built into the platform, along with HIPAA-compliant processes and procedures for its operation. 

Note: There are some common "cloud services" that you may be familiar with or are already using that are definitely not HIPAA compliant.  These include common web mail services from many Internet Service Providers (ISPs) such as AOL, Gmail, Hotmail, etc. These are not - nor can they be made to be - HIPAA compliant. In addition, most of them specifically prohibit any kind of business use, so in using them in conjunction with a medical practice typically violates their "Terms of Use" policies. 

What are the big advantages of cloud over onsite servers, storage, etc.?

Perhaps the biggest advantages are in the ability to grow as the practice’s needs grow, and to avoid the costly and disruptive effects of repeated computer upgrades every few years. Most people understand that new computer systems are obsolete within a few months after they are installed.  So system designers have to anticipate future needs and buy more capacity than they really need, based on anticipated requirements of a few years down the road. Eventually the needs increase and even the "new" equipment becomes underpowered. So in a computer system "lifecycle," for the first few years there is too much capacity, and for the last few years there is too little capacity. Therefore for most of the time, the system is either too big or too small. 

Cloud services allow the computing horsepower - CPU, memory and hard drive space - to be "dialed-up" as needs increase, so it can keep pace with the needs of the practice. And generally that upgrade can be done without the downtime typically associated with a computer system "forklift upgrade."

And a good cloud provider is generally able to offer access to hardware and software tools that would be unaffordable to a typical practice. 

This is critical, and it is important to make sure you understand what is being provided to the practice by a cloud provider. With onsite servers and other infrastructure, you have to have staff (or contract with an IT provider) to maintain your servers and take care of things like data backups, operating system patches, etc.  With cloud hosting, those services are still necessary, and in most cases they can be provided more efficiently than with an onsite model. However not all cloud providers deliver those services automatically, so you need to check and make sure.

No, since there is still hardware, software - and people - involved, there is still the potential for outages and downtime, so you need to do your homework and make sure you understand the risks as well as the advantages.

does that mean I’m good to go as far as HIPAA is concerned?

Not at all. There has never been a reported HIPAA breach from an EHR - either hosted or onsite. The main culprits have been e-mail, files stored locally, and the theft of portable devices like laptops and USB drives. So you need to consider your non-EHR applications, and make sure they are properly secured. This is true whether those applications are running locally or with a cloud provider. One advantage of properly designed cloud services is that they tend to not allow healthcare data to be stored on local devices.

Next month: Cloud myths and misnomers, along with a healthcare cloud checklist

Recent technology advances make cloud hosting an attractive option for healthcare. But HIPAA compliance is not automatic.