Healthcare providers -- especially doctors -- are not known as the most receptive, malleable folks. In fact, in the world of private pilots, it's commonly accepted that doctors are the most dangerous pilots because they have too much confidence in their own abilities. 

So it's no surprise that providers almost universally hate that they've been forced to use EMRs/EHRs. The widespread frustration with the technology would be practically a galvanizing force in the medical world, were it not for the complete impotence we have to actually reject EMRs.

That said, I've always struggled to understand why so many healthcare providers resist the implementation of tools like telemedicine or other telehealth advances. Many of these tools are beautifully designed, save huge amounts of time, and greatly advance care. And yet many providers resist them with a vehemence I find hard to fathom.

But some recent research brought these reasons clearly into focus for me...

Two recent studies look at the adoption of EMRs/EHRs and dig into the true reasons that healthcare providers resist the usage of technology in many contexts.

This study looks at why healthcare providers are so resistant to EMRs/EHRs. The researchers look at the institutional beliefs in the institution of medicine -- the profession, they say, is "based upon main values such as professional autonomy, status role and expertise." These are values that butt directly against the coercive implementation of difficult-to-use EMRs/EHRs in so many settings.

This piece, in turn, surveyed 199 physicians practicing at a large US hospital. They found that -- consistent with our life experience -- healthcare providers largely deeply dislike EMRs/EHRs and see them as infringing on their time with patients and inhibiting of their ability to practice as they wish. No surprises there. However, the researchers go on to summarize, "when faced with a decision between alternate IT systems [for instance, choosing between an EMR and paper records], individual users tend to select and make use of the technology or system that is most readily accessible."

In other words, the physicians were simply trying to navigate their overloaded days by choosing the system that felt most accessible or "easy" to them. The researchers found two dimensions to this perceived accessibility: logical and physical. The physical accessibility had to do with the placement of the computer in the office or exam room, how many computers the practice had, etc. The local accessibility had to do with how difficult it was to log into and use the EMR system. The study concludes, "Both dimensions of accessibility act as barriers to EMR use intentions through their indirect effect on physicians' perceptions of EMR usefulness and ease of use."

I found this particularly fascinating because these two dimensions are the two foundations that we built iClickCare on: 

• Physical accessibility: iClickCare works in a HIPAA compliant way on any iPhone, Android, or web browser. Which means that you can use it on the computer in your office, on your phone in the exam room, on your home computer, or on a floor down from your office in the hospital. This is huge for physician's perceptions of accessibility. (Not to mention making it practical to use in home-based or long term care settings.) 
• Logical accessibility: iClickCare is technology for people who hate technology. Getting a consult on iClickCare is as simple as posting a Facebook update. And the workflow integrates with any other technology or Health IT systems you may be using. 

So if you're exploring implementation of a Health IT system -- whether telemedicine for medical collaboration or something else -- we recommend considering these same dimensions:

• Physical accessiblity: will the system work on multiple hardware pieces (e.g., the "hardware" in everyone's pocket)? Does it require a hardware investment? 
• Logical accessibility: does the system work with providers' existing workflow? Does it make sense with providers' days? How well-designed is the user interface and how hard is it to use? Do providers need to change their schedules to use the system? Will they need to use hardware they are unfamiliar with?

A Bring Your Own Device (BYOD) policy, especially in combination with smart software, can open up the possibilities for technology implementation that providers will really use and really benefit from. We always recommend investing in software, not hardware and using that software on as many devices as providers use already. 

The determinants of technology adoption aren't complicated, but working in harmony with them can be transformative.

 

Download our full white paper on Bring-Your-Own-Device (BYOD) policies here:

Photo by Mia Baker on Unsplash

Healthcare providers tend to feel like they're being pulled in five directions at once.

We're supposed to improve patient satisfaction, use the new EMR/EHR more meaningfully (read: spend more time on the computer), connect deeply with each patient, and increase productivity.

No wonder most of us are burnt out.

Similarly, there are two dramatic trends that are pulling in opposite directions for healthcare -- and unless they use tools to reconcile them, providers are the ones who will feel, even more, torn apart.

I came across an article recently -- published by the consulting megalith McKinsey -- looking at how industries are beginning to change shape. The future, the article argues, will be made up of industries without borders, in which sectors and company lines become more fluid, and the organizations that collaborate best, win. 

I don't naturally apply learning from the business world directly to medicine because I believe medicine is unique. It's not an "industry" in the real sense of the word. It's an art, a calling, a science. 

But the business world is often the first to identify trends, as their profit motive drives them to identify changes before they are blindsided by them. And the changes predicted in the McKinsey piece seem to herald changes that are very much afoot in medicine as well. 

The general idea is that moving forward, organizations will need to collaborate more with each other, share data, and rethink how they draw the lines around what they do.

Current examples of this happening are like Amazon (sells consumer goods, providers digital content, and does logistics -- all in one company) or Apple. McKinsey argues that these blurry lines are just the beginning of what's to come. These shifts are in the works for a few reasons:

• Technology makes it easier for communication to happen.
• Customer (or patient) expectations have shifted. In the past, it was acceptable to tell a patient that you had no way to see their chart from another provider. In the future, this will become untenable.
• Regulatory shifts demand it. In medicine, shifts away from fee-for-service models mean that we can no longer just provide our narrow service and expect to survive. We're expected to manage costs, readmissions, length of stay, and ultimate outcomes from the work we do.

McKinsey says, "As the approaching contest plays out, we believe an increasing number of industries will converge under newer, broader, and more dynamic alignments: digital ecosystems... This new environment will play out by new rules, require different capabilities, and rely to an extraordinary extent upon data."

I believe that we will see a similar dynamic in medicine moving forward. The lines among functions, sectors, and hospital systems are blurring. That's why we see this demand for coordination. We're no longer in a fee-for-service world. Instead, care coordination is explicitly our job, we're held responsible for outcomes and results, and the teams we work on are becoming broader and more complex.

But hospital systems and healthcare providers are not equipped to handle these dynamics. In fact, healthcare has spent the last 20 years moving in the exact opposite direction. We've seen huge consolidation, in which insurance companies become more powerful, hospital systems grow larger, and the siloes we work in become evermore separate. We're asked to become piecework laborers, keeping our head down and performing the task for which we are specialized.

It is more necessary than ever to collaborate and coordinate care but it is also harder than ever because we are separated in the work that we do. That's why healthcare providers feel so torn and overworked; they are being tugged by both of these forces simultaneously. 

We believe that the only resolution of this dynamic is to use tools, like iClickCare to collaborate and communicate within the current medical structure. The demands on you to do healthcare collaboration (HIPAA securely of course) are only going to increase as the lines, among organizations and sectors within medicine, blur. But you won't necessarily be given the tools to do those things. That's why iClickCare is available at the enterprise level or at the individual level -- we believe that in any given organization, it may be the administration or it may be the individual providers that truly chart the course forward amidst these competing demands. 

As Bill Gates is quoted as saying, "I’m a great believer that any tool that enhances communication has profound effects in terms of how people can learn from each other, and how they can achieve the kind of freedoms that they’re interested in.”

It's an exciting time, for sure -- but only if we're equipped with the proper tools. 

 

We have all seen the movie scene:  

It is dark. The opposition is all around us; no one knows precisely where, how many, or how powerful. You are hunkered down.

It is silent. And then, a crack echoes out in the dark as one of your teammates steps on a branch.  Lights go on, flares fill the sky. We've unwittingly caused an attack.

Similarly, your data is encrypted. Your EHR requires two factor authentication. Your team is trying its best to get the work done. And then, crack! A well meaning provider sends a photo of a patient via text.

We're all too aware of what can happen when HIPAA is violated by something as simple as a doctor texting a picture of a patient. Fines for a single HIPAA violation have reached $5 million dollars. The Joint Commission completely rejects texting, even secure texting as safe for data. And the risks for individual providers as well as organizations are sky-high.

But our colleagues continue to text and email patient data and patient photos -- as if the rules (or the consequences) don't apply to them. Hospital administrators are taking dramatic and well-organized precautions against HIPAA breaches. But providers, many times, don't seem cognizant of the costs of their actions. 

So I was really appreciative of a well-researched study that came out recently, by the Ponemon Institute LLC, via their research sponsored by IBM Security. Their study looked at 419 companies in 13 country samples and measured the costs of data breaches. As the authors say, “We define a compromised record as one that identifies the natural person whose information has been lost or stolen in a data breach.” Their findings emphasize just how devastating a breach (including the kind caused by a doctor sending an "innocent" text about a patient) can be for an organization.

Their findings: the average cost of a data breach is $3.62 million. The US is, by far, the most expensive place to have a data breach. The costs are absolutely huge — almost twice the global average.

 

Further, the cost of a data breach in the Health sector is dramatically higher than it is (almost twice) in any other sector:

Of special interest to me is that the study used the data to predict the likelihood that an organization will have a data breach in the next 24 months. Based on the data set and the number of breaches that have occurred, the researchers find that organizations have a 27.7% chance of having a data breach in the next 24 months.

To me, that means that it's not a question of whether your organization will have a data breach -- but when it will have a data breach. And it's not a question of whether your texting of patient data can have a consequence, but simply when you will experience that consequence.

In fact, hackers and malicious attacks get a lot of press, but 28% of breaches are caused by human error.

 

We certainly understand that the day-to-day of medical practice can be overwhelming enough, without having to worry about patient data. But the evidence that this problem is urgent and (in large part) in our hands is too weighty to ignore. 

There is technology that will let you share patient information and patient photos in a secure, HIPAA compliant way. iClickCare is a simple tool to let you do that, using your own smartphone. It's affordable, and it's fast -- and the consequences of doing anything else are simply too large.

 

If you're concerned about HIPAA data breaches in your organization, get the information to keep you safe. Download a free HIPAA checklist and toolkit here:

 

 

 

 

 

 

 

 

 

Top photo by Mareks Steins on Unsplash. Graph photos used courtesy of the Ponemon Institute LLC, via their research sponsored by IBM Security.

"Healthcare is one of three industries facing the highest risk of a cyber-attack in 2017," reports Fierce Healthcare. In fact, every month the healthcare system already faces at least one cyber attack.

It's common for cyber security to feel like an almost insurmountable problem -- especially when even the government is struggling to keep us safe from hackers. Is there anything that a hospital administrator can do to keep its patients, records, and providers safe? We think there is -- and we believe the best place to start is with three fairly simple security tactics.

Nationwide, there are some big threats to cyber security in healthcare that may need a nationwide solution. In fact, it is one HHS's top challenges for 2017. Some of the biggest threats to healthcare cyber security include: ransom-ware, hacking, The Internet of Things, and internet use that just doesn't comply with security standards.

That said, there is significant "low hanging fruit" when it comes to shoring up a hospital's cyber security. In fact, some of the most common and costly issues are simple to prevent. They might not be flashy, or involve a 5-year plan, but they are likely the ways to keep your patients and providers safe from the most common threats they're likely to face. 

Three simple cyber security issues that should be first on every hospital's list to fix:

• BYOD for texting. The fact is, every healthcare provider has a smartphone in his/her pocket. So the question isn't whether a provider is effectively using a "Bring Your Own Device" (BYOD) policy -- it's whether she is doing it in a way that is HIPAA compliant. Texting isn't HIPAA compliant, using your phone's camera roll isn't HIPAA compliant, and storing data on the device is a huge breach. But there are ways to have a BYOD policy that is HIPAA secure.
• "Smart devices" that aren't that smart. 
  For instance, "smart devices" like blood pressure monitors, baby monitors, smart scales, etc. can be entry points for a cyber attack since their security is often much less sophisticated that security on a smartphone or computer. So that costly hardware acquisition plan can have some significant downsides if every single device isn't AS secure as the computers inside the hospital building. Our recommendation remains -- invest in updateable software, and use the (already secure) devices and hardware you have.
• Poor HIPAA compliance.
  The cost of a single HIPAA data breach is now $4M per incident. We still have so many colleagues that say "it's just easier to text or email" with colleagues about patients -- an approach that is obviously not HIPAA compliant and puts the individual provider at personal financial and professional risk. Supporting providers in being HIPAA-smart is probably the single biggest way to stay safe. 

Do we need a nationwide plan to stay safe from cyber attacks, especially when it comes to our healthcare system? Yes. But in the years that will take to form, it's crucial to protect your hospital from the most likely culprits, now.

We published a free whitepaper on using a BYOD while also keeping devices -- and your hospital -- secure. Download it here:

Photo from wocintechchat on Flickr, used under Creative Commons rights.

iClickCare has strong information security baked in, but what about the rest of your life? How are you handling your own desktop and mobile device?
The complex becomes simplified by the Federal Trade Commission in a recent Consumer Information post. We will summarize it here, but it is worth a look. First, the most feared situation is covered: how to recover if your email is hacked. Second, the FTC goes over three areas of personal online security with their extensive resources:

• Online Security
• Tips for Educators and Parents
• Videos and Games

The FTC's recommendations for online security are especially interestng for healthcare providers, as our personal and professional realms can sometimes mix in ways that we don't anticipate. The FTC suggests that you:

• Use security software that updates automatically.
• Remember that Personal information is more valuable than cash.
• Ignore phone calls that scare you by saying you have a virus or need technical repair.
• Make sure that a website is secure before you transmit any financial information. Look at the “S”; for example with iClickCare the address looks like this - https://iclickcare.com/ … Do you see the “S” at the end of “http” and before the “:” ?
• If you have a question about a company, then search for the company name and follow that with one of these words such as “review”, “complaint”, “scam”. Then look for contact information that seems credible and assess the risk.

And of course, always be backing up your files.

One important last note: let’s talk about your camera or smart phone. Back up those as well, but also realize that you may have information there that you may wish not to share. A hacker, kids' pictures, and kidnappers seem like bad elements in a disastrous recipe. Address books and notes are also sources of valuable information which could be abused.

What about clinical pictures? iClickCare separates them from your regular camera roll and they are protected inside the app. Beware that downloading patients photos to your desktop is also a HIPAA compliance risk unless you meet the extensive physical guidelines in the law such as a locked room, entry logs, separate servers, encrypted databases and the like.

But as we often say - take care of yourself. At first, the idea of personal IT security seems too hard. But some of these simple rules make it seem manageable enough to actually do.

If you're interested in taking secure photos in your medical practice, we put together a guide here:

There has been a lot of inspiring news about Olympic records this month, but one record was set recently without such a happy ending. 

We were saddened to read that a new record was set for a HIPAA fine by an individual entity.

Advocate Health Care was part of a $5.55 million settlement with the Office of Human Rights (OCR), which is the Federal agency responsible for the enforcement of HIPAA.

Advocate Health Care has been a leader, growing as an integrated health care system since 1995 -- about the same time as ClickCare was starting. In 2014, they developed a respected and widely used patient portal. They also developed an eICU program with the Arizona Telemedicine Program.

Three HIPAA breaches, self reported, between August 23 and November 1, 2013 -- a mere 9 weeks -- prompted the investigation.

The OCR announcement highlights the intent of this new $5.55 million record fine:

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

The previous HIPAA fine record was $4.8 million -- and here are the top 10 HIPAA fines before Advocate Health Care's.

We get saddened and frustrated when we hear news of these fines, because we know that the fine money could be spent on innovation, helping patients, and improving care. 

And we know that most HIPAA fines and breaches are completely avoidable. 

For instance, a stolen, institution-provided, iPhone resulted in even a well meaning charity being fined this summer. Catholic Health Care Services of the Archdiocese of Philadelphia was fined $650,000 because the ePHI of 412 nursing home residents was compromised. 

The truth is that iPhones can be safe for ePHI if the correct software is used. Photos of patients should never be saved on your phone's camera roll, but that doesn't mean you can't use your iPhone to securely take and share patient photos. 

The bottom line? Take HIPAA seriously. But don't do it by isolating yourself or giving up on care coordination or medical collaboration. Stay HIPAA compliant even as you do the things you went into medicine to do -- it doesn't have to mean a fine.

We put together a guide to staying HIPAA safe -- download it here:

Texting is one of the easiest ways to communicate. 

That's why so many of our colleagues know texting is in direct violation of HIPAA but text about (and with) patients, anyway. 

At different points in time, The Joint Commission on Hospital Accreditation has looked like it was in support of "secure texting" -- but a recent decision reverses that stance and makes any texting a violation.

Initially, texting was not approved for healthcare collaboration by the Joint Commission. They issued this statement in 2011: "[It] is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting... This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”

On May 1, 2016, the Joint Commission revised its position and stipulated components. It announced that health care organizations may allow orders to be transmitted with certain standards in place.

Then in June, it disallowed texting again, with a plan for more study. Standards will be developed by the Joint Commission and CMS.

To us, with the risks and consequences of running afoul of HIPAA, we believe that it's simply too risky to do any texting with Patient Health Information (PHI). 

When there are simple tools like iClickCare that meet criteria for electronic orders as well as healthcare collaboration -- and have never been disallowed -- it just doesn't make sense to risk it. iClickCare also uses texting, but only as a secure notification of a request for collaboration. The order follows once the collaboration is started.

As we have noted frequently, texting and emails are illegal. Secure texting helps to keep PHI secure, but does not help coordinate care or collaborate on behalf of he patient.

Be careful. HIPAA penalties don't take into account intentions -- only regulations. 

 

Our HIPAA checklist is free, and could help you protect yourself. Get it here:

 

You have been there. You look for a better way to collaborate with photos, videos, medical records and conversation. You decide the price is right. You look forward to making things more efficient and better. You will be glad to decrease readmissions and trips from Long Term Care Home and Skilled Nursing Facility and back again. You are eager to start.

Inurement: a word whispered in the back of your mind. You check with legal. The response: don’t help the patient, don’t help the institution, don’t help the provider. Better to look the other way while HIPAA laws are broken left and right.

An unintended consequence of legislation usually called the Stark Law, authored by Rep. Stark of California was to make sure that compensation could not be hidden and that competition was fare. The common case was low rent in exchange for exclusive admissions.

It is increasingly well documented, and increasingly being made obvious by various government entities, that value based healthcare requires sharing of revenue and risk. If a hospital or a physician buys iClickCare for its great advantage and gives it to non salaried by loyal referral sources -- suddenly these legal issues make that look like a "kickback."

Both the US Senate and the American Hospital Association see this interpretation as a big problem and have written about the need for improvement. We thank FierceHealthcare for bringing these recent statements to our attention. We are often frustrated by this as we work to empower providers to take care of patients.

Should you wait? We advise providers not to, because the costs related to poor care coordination and HIPAA compliance issues are just too high to not take action. As for Stark, we can support you in creating different arrangements to keep you legal from Stark and HIPAA -- at the same time.

 

 

 

Irrespective of ROI, irrespective of jail time, irrespective of public shaming, irrespective of patient rights and privacy, we often hear from our colleagues: “I am emailing and texting patient stuff. I asked the patient! After all, I am a medical professional and acting on their behalf."

When I hear this, I feel real fear for my colleagues -- and dismay. The HIPAA rules are clear and the law is being enforced. The fines are big, and a year in jail is not appealing.

That is why we were confused about reports surrounding the recent tragedy in Orlando. Orlando Mayor Buddy Dyer told television reporters that he had asked the White House to waive HIPAA.

We certainly applaud the motivation in terms of caring for people -- but the reality is that even a tragedy of that magnitude, and likely even a White House clearance, would not keep providers safe. We all know that the law has real teeth, not the least being that anyone in a chain of events is liable (the administrator for the doctor, the doctor for the administrator). So how could a waiver be granted? The law becomes both complex and obtuse about the release of patient information to family members and the media. We are very aware of cases where grown children with an admission for psychiatric disease are isolated and essentially jailed while the parents with whom they live are not allowed to learn and intervene. In a chaotic situation, the difficulties compound.

As the dust settled, we found out that indeed, there was no waiver. None have been granted since the Katrina disaster -- and that includes the 9/11 attacks. None was actually needed, as the U.S. Department of Health and Human Services Office of Civil Rights (OCR) outlines that professional discretion is allowed for 72 hours when there is an emergency situation.

Ultimately, it's appropriate that patients' privacy is protected, even in times of uncertainty and emergency -- as so much of medicine exists in.

HIPAA waivers can't -- and likely shouldn't ever -- be granted. Especially when there are legal ways to communicate and collaborate that are easy and fast. It can be simple to stay HIPAA compliant.

The waiver asked for was not necessary. However, it is clear that texting a consult, emailing a picture, and talking about a case in the elevator are all violations.

We understand the problem, we created a solution, and we are doing our best to make it available to everyone because that is truly “care on behalf of the patient”.

Learn more about your HIPAA rights and risks here: 

 

 

The early days of telemedicine and telehealth brought extensive discussion about images. When we started working with nurse practioners in school-based health setting, most people hadn't used a digital camera, much less thought about diagnosing something through a digital image.

To be fair, the quality of those early images was so dramatically far from the images we have now that some discussion was certainly justified. But most discussion was simply based on fear and knee-jerk reactions.

Even today, though, there are concerns about the quality of photos. As this study puts it, "Smartphone cameras are rapidly being introduced in medical practice, among other devices for image-based teleconsultation. Little is known, however, about the actual quality of the images taken."

The results of that study were clear, though.Three different platforms (Apple, Blackberry, Android) were compared to a Canon professional its a 35 mm lens. Assessment was by lay people and common pictures, thus reducing clinical bias. The iPhone exceeded the function of the professional camera. And when comparing digital cameras to in-person appearance, two conclusions were drawn:

• The camera did just as well as viewing with the naked eye; or,
• The camera was superior.

It's not hard to think about why this might be when you remember trying to see something in a squirming child or fidgety elder, for example. It is easier to have the subject “hold still” with a 1/100th of a second exposure and quiet unhurried study than struggling to pinpoint a small rash on a moving target.

Many studies documented the equivalency or superiority of digital images in the five years before and after the turn of the century. The obvious specialties were radiology (now exclusively digital), wound care, dermatology, plastic surgery and pathology.

Chase Jarvis said: “The best camera is the one with you." And we always say: The best camera is the one in your pocket. With the advent and advances of smartphones since 2010, we have made several design decisions. One of the major ones was the use of the iPhone and later, the iPad, as an input device -- for exactly this reason -- it is always with you and you already know how to use it.

Our one caveat is that you should never use the camera roll in your smartphone for medical photos. With iClickCare, the camera roll is within the application, password protected, and separate from the routine pictures of vacation and kids. And that, or something similar, is the only HIPAA secure way to take medical photos on a smartphone.

If you're using photos for medical collaboration or care coordination, you can get our ebook on medical iPhone photography here: