Part two of a two-part series where Physicians Practice looks back at the top health IT issues of the year. More practices looked to the cloud in 2015.
Physicians Practice is looking back on the top five health IT issues that had a major effect on practices and healthcare providers in 2015. Part one focused on meaningful use and ICD-10. In part two, cloud and server-based EHRs; HIPAA; and secure messaging comes into focus.
Cloud vs. Server-Based EHRs
Despite some consolidation in the EHR market in 2015, there were more viable cloud-based EHR options from vendors such as CareCloud, Practice Fusion, and athenahealth. “Five years ago, there weren’t really cloud-based products out there, so no one was considering it” said Mark Anderson, CEO of consultancy AC Group Inc. in Montgomery, Texas. “Security was a big issue,” he said, “so was speed, but that has largely been resolved now.” One huge advantage for the cloud-based vendors, he said, is that upgrades are painless and by and large invisible to end-users, whereas they tend to be disruptive and cause interface headaches in the client/server world.
That was the experience of Tim Dudley, family physician of DTC Family Health in Greenwood Village, Colo. When their three-physician practice had a client/server-based EHR, “every time there was an upgrade it was fairly problematic,” Dudley said, noting that there are a lot of platforms that pull together “best of breed” applications. “Every time there is an upgrade the connections between those best of breed systems falls apart, and sometimes it is hours to get back up and sometimes days to get everything properly linked up. That was extremely frustrating.” DTC switched to a cloud-based platform four years ago where everything is hosted together on a single platform.
“I never have to worry about IT issues,” Dudley added. Working with this cloud-based EHR, the practice has never missed a meaningful use attestation. “If it looks like we are sketchy on any one indicator, they will proactively reach out to us and offer to help.”
Anderson said the cloud-based systems still appeal more to smaller practices that don’t need to customize as much. Plus, if you have a 50-physician practice, you have an IT staff in-house and it may be more expensive to let somebody else host the system for you. “These cloud-based systems are designed for practices that can’t afford their own IT staff,” he added.
HIPAA, Privacy and Security
Although there were no new significant federal privacy and security regulations rolled out in 2015, many practices continue to struggle with their responsibilities in terms of risk assessments and patient communications. In a survey of more than 1,000 practices sponsored by software vendor NueMD, only 58 percent of respondents said they had a HIPAA compliance plan, and only 45 percent said their practice has a formal policy for breach notifications. The most frequent data breach issue continues to be lost devices, especially laptops with large data files on board. (And remember, any loss of data must be presumed to be a breach unless the practice can show there is a low probability the information will be used improperly.)
Other issues practices grappled with, according to James Hook, director of consulting services for the Fox Group LLC in Upland, Calif., include lack of encryption of files and failure to do a risk assessment. The federal Health & Human Services Office for Civil Rights audit program did not really get off the ground in 2015 due to a lack of resources. But the signs are that 2016 could be different. The OCR audit tool examines every aspect of compliance with the Security Rule, looking for policies and procedures and evidence of training.
“OCR gives organizations a very short time frame to respond to requests for materials for desk audits,” Hook said. “If the request goes to the wrong person in the organization, the deadline may be missed and a more extensive audit initiated. Practices should make sure everyone knows who the privacy officer and security officer are, so a letter gets routed to the appropriate person.”
Robert Tennant, senior policy advisor of the Medical Group Management Association (MGMA), said the organization’s members still find HIPAA a bit challenging, “not so much on the privacy side. They can get their arms around that in terms of policies and procedures,” he said. “It is the security side that is more challenging for practices. It is getting into areas they are not comfortable with: encryption, virtual private networks, remote access, and portable devices. All those things are trouble areas in a practice.”
In 2015, there were challenges on several fronts for physicians regarding secure messaging: There was the Stage 2 of meaningful use requirement that 5 percent of patients send secure messages and there were growing pains in using Direct secure messaging with other providers in transitions of care.
Steven Waldren, a family physician and the director of the Alliance for eHealth Innovation at the American Academy of Family Physicians (AAFP), said providers with younger, urban professional patients find it easer to adopt secure messaging, whereas physicians in rural communities and those with elderly populations have more significant challenges. “We don’t have really good data yet as to what makes a practice successful or not,” he said.
But MGMA’s Tennant said practices that have found good portal software and embraced secure messaging have increased their effectiveness. The portal products, however, “range from reasonably good to extremely bad for both physicians and patients,” he said. You have to make it easy and secure, and that has been the challenge for the industry.”
Tennant called Direct secure messaging between clinicians “an elegant communication solution,” but it is not seeing quite enough uptake yet. “We have dozens of members who are Direct-enabled, but say they can’t find anybody in their area to take a Direct message. Give it two to three years and there will be a whole lot more folks using this system.”