This article appears in the December 2012 issue of HealthLeaders magazine.
As adoption of EMRs and CPOE continues, an old debate heats up: How do providers strike a balance between standardizing order sets and customizing care for each patient?
The payoff for more standardized order sets is more reliable care, better outcomes, and greater physician satisfaction.
"Order sets are one of the first lines of clinical decision support within an electronic health record," says Howard Landa, MD, chief medical information officer of the Alameda County Medical Center, an Oakland, Calif.–based system with 475 licensed beds on three hospital campuses, and several ambulatory care centers.
"Order sets basically are groupings of orders used to standardize and expedite the ordering process for a common clinical scenario," says R. Dirk Stanley, MD, MPH, chief medical informatics officer at Cooley Dickinson Hospital, a 140-bed acute care facility based in Northampton, Mass. He has formed an ad hoc group of New England providers to try to share and standardize order set technology (see related story, page 45).
Landa says order sets represent the distillation of the science in evidence-based medicine into instructions that can be aligned with a given patient's conditions and history. But because electronic health records are also the new focus of doctor-patient interactions, the order set can be seen as a threat to the traditional supremacy of the doctor's opinion during the treatment of care.
"Clinical decision support is not alerts and reminders," Landa says. "Clinical decision support is the building of a system that facilitates the care of an individual patient based on their conditions and history."
Putting a list of questions together formed around evidence-based medicine isn't that difficult to do, Landa says. "Everyone knows you give antibiotics to people who have infections, and for this infection here are the best antibiotics."
Landa says the aggregation of order sets also adds other vital information: "What are the patient's allergies? What's the patient's kidney function? What has the patient responded to before? What do we have in our formulary? What is specific about our patients versus someone in another state? And then eventually we're going to get down to genomic data and say, 'Okay, this person has this particular genetic makeup, therefore they will respond much better to drug A than drug B.' And that's when we're going to be completely lost, because no one's going to be able to keep track of that stuff."
For some providers, achieving shared order sets requires a journey that gets doctors talking to each other about topics rarely broached.
"Docs don't talk to one another," says Marc Chasin, MD, MMM, CPE, system vice president and chief medical information officer at St. Luke's Health System in Boise, Idaho. "You could be in an office for 20 years with a partner and not really talk for those 20 years. You're just doing your thing."
Chasin arrived at St. Luke's, a nonprofit system that serves Idaho and eastern Oregon with six hospitals and other facilities, in 2010. "I looked at all the docs in the ambulatory environment and divided them up by specialty and by geography," Chasin says. "I started getting them together, with the sole topic of trying to come up with an order set for certain disorders. My intention was, it was a bit nice if I had an order set. But my greater intention was to get them talking, so they could figure out that they're more alike than they're different."
Most critically, Chasin says, "you have to get critical mass in engaging your clinicians. If it's done by the hospital, it's not going to work."
One hospital that tried that top-down approach was Maimonides Medical Center in Brooklyn, N.Y. In June 2010, the hospital changed EMRs from an older system to Allscripts Sunrise Clinical Manager and at that time built a host of admission order sets, says Zachary S. Lockerman, MD, MBA, FACG, director of clinical information technology and physician practice integration at Maimonides, a 711-bed nonprofit that had FY2010 total operating revenue of just under $1 billion.
"These order sets were very large, very cumbersome, and didn't really promote efficiency," Lockerman says. "Many are not used. There are a few generic admission order sets that are used, but the bulk of orders are probably placed outside of those order sets."
Compounding the problem, because they were designed as admission order sets, these order sets were not stackable, he says.
"If you have a patient who comes in with multiple diagnoses, you can only pick one order set," Lockerman says. "So our typical patient who comes in with pneumonia, CHF, a urinary infection from a nursing home, and a decubitus, you had to pick the one that covered most of the orders."
If instead the physician decided to use admission order sets for three conditions, there would be a lot of check boxes to uncheck, crippling efficiency, Lockerman says.
Lockerman would like to replace these order sets with a new tiered set, with admission-level order sets, floor-level order sets, and disease management order sets. "Those should be very small and very focused, and should only have best practices in them, not all the choices that we have now," he says.
The new tiered order sets will be easy to build and maintain, and will be stackable, Lockerman says. "If the patient has four diagnoses, you could pick each focused order set that will have just the things that they need or should always be done. A pneumonia order set would have community-acquired, hospital-acquired, penicillin-allergic, and nonpenicillin-allergic branches." The EMR "should actually pretty much pick them for you, and then what cultures and maybe one or two other things that are in there, that are required, but not have all the extraneous stuff in them."
Right now, planning for these new disease management order sets at Maimonides is "in the conceptual stage."
Part of the chicken-egg challenge of building these order sets is engaging physicians in the early use of some form of the order sets to garner meaningful feedback on needed improvements.
"We came to our clinical leaders, whether it was a division leader, department leader, or the residents in the trenches, and we asked them what they wanted in the order sets," Lockerman says. "Not having lived with this system, they couldn't answer the question. They thought they could, but not knowing how the system functions and really having a sense of how they were going to live and breathe within this system, they were not in a position to really answer the question."
Lockerman's advice is to respect the learning curve and gradually grow order sets and their adoption.
Another strategy, if the provider hasn't implemented an EMR yet, is to start with existing paper-based order sets, which can provide a gentler transition into EMRs than implementing new order sets at the same time as the EMR, says Alameda County Medical Center's Landa.
"We took a system that essentially took our paper order sets and 'electronified' them so the physicians would use an electronic system to create the orders, but at the end of the ordering session, it just drops them to paper," Landa says. "We handed that paper to the nurses the same way we did with paper order sets before, so it didn't really impact their processes dramatically, but it still allowed for us to use the electronic tools without necessitating all of the overhead."
Well-implemented order sets can also smooth the way for other meaningful use of electronic medical records by physicians. "Doctors are not really good at conforming," says Landa. "We like doing what we want to do. So by giving them real benefit—the tools actually speeded their process—they were willing to do the little bit of extra work that they knew they needed to do but didn't always get to. By having an order set that addressed everything they needed in one place, [physicians] went along and didn't buck against the decision support as physicians often do."
This article appears in the December 2012 issue of HealthLeaders magazine.
As the year comes to a close, I've got simplicity on my mind.
The data tsunami is just beginning to hit healthcare. As I wrote almost a year ago, just enough technology should be our goal. But we also need to identify just enough data. That will be a much more difficult goal to achieve.
Big data is everywhere we turn. But big data requires big technology to analyze and make actionable. As one vendor quipped, what we really need is small data, the data that matters most.
The clinical quality measures coming down in Meaningful Use Stage 2—and now out for public comment, Meaningful Use Stage 3—are healthcare's version of the Amazon wish list, and if we're not careful, they will overwhelm fledgling efforts to find that actionable data.
The end of the year is a great time to pause and ask ourselves whether we are trying to gather too much data too fast, without having a real action plan.
What are some of the things we need to do the most? Some of these things are so rudimentary; they are hardly being discussed at all.
Take just one example: Electronic medical records. Electronic health records. Are they one and the same?
Again and again I see these terms used interchangeably, casually. I quote providers every week using one, or the other, or sometimes both. HealthLeaders editor Bob Wertz pointed this out, and I had to pause.
Healthcare technology is a complicated beast. We make it more complicated if we're using two terms where one will do.
It turns out that the Department of Health and Human Services' Office of the National Coordinator decided on a single term nearly two years ago. In a nutshell, EMR is the older term, dating from a time that the technology often represented little more than scanned images of paper documents.
EHR, the newer and preferred ONC term, encompasses the total health of the patient represented in a digital format, at least according to the ONC.
But in a phone call I had just yesterday morning, a doctor, who I won't name here, used the two terms interchangeably within the first few minutes of our conversation. I made a mental note, then when we were done talking about something unrelated, I brought this to his attention.
His response was that when he's sitting in front of a computer, he usually refers to it as the EMR, but when away from the computer and discussing care issues, it's usually an EHR.
This might seem like the smallest of peccadilloes to you and me, but to the public, it is one more reason to be fearful and suspicious of technology. If the pros can't agree on what to call something, who can blame them?
As technology finally makes its way into healthcare, the next great challenge is to simplify its use and even how we talk about it. The science behind medicine is an incredibly rich collection of ideas and language. But while we pour money into the science and the technology, we must also make it understandable to the beneficiaries, especially if they are to become part of the care team, which they must.
Simplifying is never easy. The EMR vs. EHR conundrum may remain unsolved, for example.
"The way I see it, the EMR is a subset of the EHR," says Rasu B. Shrestha, MD, MBA, vice president of medical information technology at the University of Pittsburgh Medical Center.
"At UPMC, we have several EMRs (one for inpatient, one for outpatient, one for our affiliate physicians and yet another one for our oncologists). I generally refer to the individual systems as EMRs, and the composite of all of the EMRs, along with the systems associated with the EMRs (such as the imaging platforms, interoperability solutions, labs, registries, etc.), together can be referred to as the EHR."
Shrestha notes that this is similar to the definitions offered up by the ONC in January 2011, which in the midst of its pronouncements left the door open wide enough for the EMR term to live on for some time to come.
So simple, yet so complex.
Again and again, the words we use to describe healthcare and the technology being deployed are loaded—with ambiguity, double meanings, and potholes waiting to trip up the next set of policy makers.
In 2013, another such word will be "identity." There is an effort, much needed, to uniquely identify patients as the healthcare system moves from fee-for-service to population health and accountable care. But no one can agree on which set of unique identifiers should be used to determine that unique identification.
Should it be one factor or two? Biometric or token-based? Can someone be anonymous yet unique? Identity technology mavens talk about "relying parties." How can we translate tech talk like that into something that doctors and patients can understand?
Do you own your identity, or is it something that someone else is entrusted with? It depends on how you define the word identity.
It's the adoption of health IT that allows caregivers and patients to become better owners of their data. But our headlong rush to adopt this technology is about to run into some profound hurdles that will make EMR vs. EHR look like a child's game.
Whether you rely on the Pareto principle (a.k.a. the 80/20 rule) or just KISS, we need to always remember what problem we're trying to solve.
Can the hospital quickly identify all the patients who are bedridden, or all the pregnant moms? If not, why not? We need to demand simplicity and power from our technology, not more complexity. We have to identify where the worst practices are happening. If our IT systems can't do that, how good are they really?
The challenge of simplifying all technology, including the crucial analytics technology featured in our December roundtable highlights, is the challenge of 2013. "We have to figure out ways to make this easier," says Joe Kimura, MD, MPH, medical director of analytics and reporting systems at Atrius Health.
Over the past year, I've spent hours listening to the recorded meetings of the ONC Health IT Policy and Standards Committees and various subcommittees and tiger teams. One such meeting happened on June 7, the Quality Measures Workgroup Clinical Quality Public Hearing.
Speaker after speaker, including Kimura, sounded a clarion call for simplicity amidst the technology tsunami. It is recommended listening, and since there's also a transcript, recommended reading as well.
In our annual HealthLeaders 20, we profile individuals who are changing healthcare for the better. Some are longtime industry fixtures; others would clearly be considered outsiders. Some are revered; others would not win many popularity contests. All of them are playing a crucial role in making the healthcare industry better. This is the story of Richard Merkin, MD.
This profile was published in the December, 2012 issue of HealthLeaders magazine.
"We noticed that when we identify high-risk patients, we could intercede and prevent a lot of unnecessary care... and hopefully reallocate some of those healthcare care dollars into cure dollars."
If you're trying to solve complex problems in medicine today, it doesn't seem like the thing to do would be to assemble a community of math whizzes who've never met each other, and ask them to team up, compete with each other, and outguess the medical community. But that's just what Richard Merkin, MD, CEO of the Heritage Health Prize, is doing.
Start with cash: The $3 million Heritage Health Prize, a data-mining, predictive-modeling competition to reduce avoidable hospital visits, launched in April of last year. Add a tech-powered online community that, this past September, included more than 1,500 participants assembled into 1,300 teams that had submitted more than 22,000 entries.
"We noticed that when we identify high-risk patients, we could intercede and prevent a lot of unnecessary care," Merkin says. "It became obvious that if we could identify with greater specificity and sensitivity, then we could really transform healthcare in the world, particularly starting in the United States, and hopefully reallocate some of those healthcare care dollars into cure dollars."
Using historical claims data, competitors predict which patients will be admitted to a hospital within the next year. They can tweak their algorithms once a day, and accuracy rankings are displayed on the leaderboard at www.heritagehealthprize.com.
Unnecessary care, like beauty, is sometimes in the eye of the beholder. To Merkin, telltale signs include patients who skip medications, or those living alone, who might end up going to an emergency room on the weekend, where the ED physicians might not have those patients' medical history, and if overly cautious, might run extra tests and admit patients for overnight observation.
The more such inefficient care can be found, the more healthcare providers can reallocate resources to call those patients on a daily or weekly basis and preclude some of that unnecessary care.
"Sometimes we have what we call high-risk physicians, who might only have 100 or 150 patients in their practice," Merkin says. "These would be all either complicated medically, socially, or suffering from mental illness." Such physicians could reach out to the patients, even giving patients their home number or a cell phone and saying to call any time. "It's almost like a concierge type of medicine, and just by having access to a doctor more often, and the doctor being more part of that person's life, we've noticed that hospitalizations, which is the most expensive portion of healthcare today in America, have come down considerably."
Insurance companies have tried to figure out how to predict readmissions for years, but "they haven't necessarily included mathematicians and sophisticated data miners," Merkin says. "They may be able to identify a very small percentage of high-risk patients."
Even with the expansion of the care team to include social workers and dietitians, the patterns that predict readmission continue to elude caregivers, Merkin says. With the Heritage Health Prize, "the same kind of people that put us on the moon, the same kind of people that put Curiosity's rover on Mars, those are the kinds of people that are now working on these kinds of problems."
The history of prize-based scientific breakthroughs stretches back long before the prize Charles Lindbergh won by flying nonstop between New York and Paris in 1927. In many cases, the winners of such prizes are building new industries, Merkin says.
Every six months, to encourage contestants, Heritage Health Prize awards some intermediate progress prize money. This also serves as a way of introducing contestants to each other and helping build the healthcare problem-solver community, Merkin says.
One of the perils of big data is the potential that data, having had its personally identifying elements stripped away, can be analyzed such that it becomes again attributable to individuals, threatening their privacy. With HIPAA concerns in mind, Merkin contacted experts who had helped Netflix overcome such concerns during its own data-mining competition. "Our No. 1 issue was keeping the privacy concern at the forefront," he says.
Any science or technology has potentially good and bad uses. When the final prize is awarded in April 2013, the science developed in its service will be made available to research institutions. "We want to make sure that people do not use it for any adverse purposes, so we were concerned initially that anyone could use it not for the betterment of mankind."
This won't be the last time Merkin takes the plunge into such initiatives. He brainstorms with agencies such as the National Institutes of Health and visionaries such as Craig Venter on new challenges. One puzzle: How to store the genomic data of all 7 billion human beings on the planet. "I think that's equivalent to 25% of all the data that's ever been stored, so now they need new storage devices," he says.
Merkin's even talking to the Centers for Medicare & Medicaid Services, the Food and Drug Administration, and National Institutes of Health about additional opportunities that would help the agencies and regulatory processes perform more efficiently.
Merkin's interests may extend beyond healthcare, but they still train on the tough challenges. Sitting on the Jet Propulsion committee of CalTech's Jet Propulsion Lab, he was one of those experts who signed off on the sky-hook scheme that safely landed Curiosity on Mars. "A lot of the experts said that would never work."
Merkin delights in proving the experts wrong.
"Who would have thought that two bicycle mechanics would have flown over Kitty Hawk?" he says. "There's so much talent out there, and particularly now with technology and the Internet, there's going to be a billion people that didn't have access to education that are going to be able to solve problems and change the world."
In our annual HealthLeaders 20, we profile individuals who are changing healthcare for the better. Some are longtime industry fixtures; others would clearly be considered outsiders. Some are revered; others would not win many popularity contests. All of them are playing a crucial role in making the healthcare industry better. This is the story of Aurelia Boyer, RN, MBA.
This profile was published in the December, 2012 issue of HealthLeaders magazine.
"I try to find the right doctor or nurse or administrator—to partner with them—to make those kinds of things really happen, and I think it energizes the IT staff, because they're pushed closer to the actual hospital business than they would otherwise."
The demands keep coming: Decrease length of stay. Reduce admissions. Produce good quality measures for all to see, even as an industry struggles to agree upon which quality measures are most important.
But given a visionary CIO with a passion for data accuracy, accompanied by some physician champions, progress is possible. At New York-Presbyterian Hospital, astute use of data aggregation cut the number of deep-vein thrombosis (DVTs) resulting from venous thromboembolisms (VTEs) by nearly 50% in a 12-month period.
"It's not as simple as you think it's going to be when you start," says senior vice president and CIO Aurelia Boyer, RN, MBA. "How are we going to decide who's at risk for DVTs? With a great advocate in a particular physician, we started looking at those things using Amalga."
Amalga, created by Microsoft and now offered through Caradigm, the company's joint venture with GE Healthcare, supports patient-centric analytics, a unified view of data across disparate systems, and perspectives both from the individual patient and across a population of patients.
Among the surprises: more upper-extremity DVTs than expected. Another analysis with a different group of physicians dealing with congestive heart failure resulted in a savings of $1.5 million, Boyer says.
"We were trying to prove that Amalga could do something for us in real time," she says. Typical analysis of quality measures was more retrospective. The secret to moving the needle on DVT was to catch problems before the patients left the hospital, she says.
"It's a multistep problem," says Boyer. "We had to find advocates who really wanted to say, 'What's in the EHR? How do we collect that data? Do we have the exact right data? Once we have the exact right data, do we make sure all the users fill it out perfectly?' "
Another quality improvement effort looked at external wound infections. "You wanted to look at chest tube drainage," Boyer says. "What became very clear, the nursing notes had to be very well filled out in order to have the right data. So if you said it was this kind of chest tube, everybody had to use the exact same words and the exact same criteria, and then we had to show the doctors the data every week, all the time."
So even when a physician documents a patient as being not at high risk for complications, if the data shows otherwise, the mandate is to "do something about that right now, today, not after the patient's discharged," such as being placed on an anticoagulant, Boyer says.
A physician or a service line administrator can champion the change in thinking, but one option not available is to put another layer of people on the problem, Boyer says. "We're working very hard to make it part of your everyday work, so that you do it right the first time, and we don't have to do this collecting of data later," she says.
"It is a culture change to say we can manage these things, and I think we are," Boyer says. It's the same thinking behind New York-Presbyterian's aspirations to be a Level 3 patient-centered medical home. Using a combination of EHR data and analytics, the hospital is targeting diabetes patients and several other diagnosis groups to reduce readmissions and emergency department visits.
As a registered nurse, Boyer has moved up through the management hierarchy of New York-Presbyterian during her 18 years at the institution. "Whether it's as a director of nursing and being administrator on call and having more and more responsibility, I have a fairly process-oriented view of the hospital," she says. "And I actually do this job really to have that impact."
Boyer also represents the kind of CIO who moves more into traditional CMIO roles than usual. "I may be more clinically focused," says Boyer. "I really interact with my IT team about patient care all the time. I'm doing some great desktop work with the guys, asking, 'Do you really understand how the clinicians use this desktop?' Then I try to find the right doctor or nurse or administrator—to partner with them—to make those kinds of things really happen, and I think it energizes the IT staff, because they're pushed closer to the actual hospital business than they would otherwise."
This article appears in the November 2012 issue of HealthLeaders magazine.
Securing the healthcare enterprise is a many-layered endeavor. Electronic locks on doors keep out intruders and help track who is coming and going. Network access control technology acts as the locks on the computer networks behind the doors. Firewalls and anti-malware technology keep at bay the vandalism of the wild public Internet. But like some 1960s spy movie, one of the biggest threats comes from the ordinary comings and goings of authorized personnel, and the information they carry.
To address this risk, healthcare leaders turn to a layer known as data-loss prevention, or DLP.
"For what it's doing for our organization, the cost of DLP is really minimal, as compared to the benefits," says Shane Molacek, CIO of Valley County Health System, which operates a 16-bed critical access hospital located in the north central town of Ord, Neb., some 180 miles from Lincoln.
Molacek uses technology that scans each email being sent from Valley County for protected health information, which under HIPAA must be protected from unauthorized disclosure.
"IT's job is to make sure that the doors stay open and that we don't have either breaches in content or information that shouldn't be getting out of here," Molacek says.
When Molacek arrived at Valley County about three years ago, it was building a $27 million facility to replace a critical access hospital built in the 1970s. DLP was on a list of to-dos that started with implementing a disaster recovery strategy. "The fact that we hadn't suffered any kind of PHI loss or any HIPAA breach to any level really was caused more by dumb luck than by anything we had put in place," he says.
Drawing upon previous experience performing risk assessments, Molacek acquired backup appliances and an offsite disaster recovery service provider. Flash drives became read-only thanks to software acquired from GFI EndPoint Security, Molacek says.
For DLP, he chose a combination encryption and monitoring solution from ZixCorp, which Molacek and others characterize as providing an increasingly common platform among healthcare providers.
That commonality matters. From its origins in the Internet more than 30 years ago, the basic email in use does not bring along an agreed-upon layer of security present in every computer and device that creates and reads email.
Instead, software such as Zix works by encrypting sensitive email, then sending a recipient a pointer to a secure Web portal where he or she can open that email securely.
It's a necessary inconvenience to these recipients, and as electronic medical records proliferate, more and more patients are familiar with the ritual of visiting secure email portals. But if the emails are flowing from provider to provider, or provider to payer, and so on, the inconvenience becomes a nightmare. ZixCorp and others who would provide secure email are able to offer their customers an alternative, provided that sender and recipient share the same DLP security layer. Each system can recognize that the other is using similar security technology and arrange it so the emails in question flow straight into the recipient's mailbox, rather than being sent to a separate portal.
ZixCorp has added so many partners, "it makes that process easier; the likelihood is that we're going to have a partner that just delivers end to end, mailbox to mailbox," Molacek says. Currently Zix boasts more than 32 million members in its ZixDirectory, which the company bills as "the world's only shared email encryption community."
So far, electronic medical record software being rapidly adopted by providers does not offer this provider-to-provider capability, Molacek says.
Data-loss prevention offers some set-and-forget features. But even at Valley County, Molacek has a HIPAA compliance officer who scrutinizes information and sets policy for any data exchange that would break PHI, HIPAA, or Payment Card Industry guidelines.
Email and computers' data ports used to be the primary concern of DLP managers, but the advent of cloud computing put emphasis on the potential for new services to be a source of data breach. One strategy employed at many institutions is to simply block newer cloud-based data exchange services such as Dropbox. "We do not feel comfortable at this time to allow access to any online storage," says Hussein Syed, director of IT security at Barnabas Health in Livingston, N.J. "We have no relationship with those entities."
Employing DLP technology from Symantec, Syed is able to set custom policies as needed. The software can scan for medical record numbers that fit a particular profile: so many digits, with leading characters such as "MR." But that can be just the start of a process as his staff works to educate others at the health system about proper handling of PHI or PII (personally identifiable information) not just during transmission, but also as the data is made available for any number of analytical tasks.
Barnabas Health has nearly 18,500 employees, 4,700 of whom are physicians. "We continuously sit down with the business units and try to talk to them and say, 'Look, we're watching all this happening. Do you really have a need for a Social Security number to be moved around in this manner? Do you really need date of birth or address or insurance information of a patient if you're doing all this analysis,'" Syed says.
"In many cases they just decide when they get the data from the system, they redact it in a form that it's not identifiable data. If they really need it for financial reasons, like a lot of collections and billing, then we just tell them you can't put it on your local computer. It has to be on a locked-down file share, where it's protected," he says.
That sort of policy can also reduce data breach exposure in one of the most common breach categories today: the theft or loss of a laptop.
"You can't just install a product and let it do all the tricks," Syed says. "Somebody has to be assigned to it on a part-time or full-time basis, to continually look at the data and see what decisions need to be made in terms of data at rest or data in motion."
Syed estimates that DLP tools perform 40% of what needs to be done to enforce HIPAA regulations. "The other 60% is really policy, education, and perseverance in making sure it keeps working."
At Barnabas, software known as the Symantec Endpoint Agent sits on each staffer's PC. If it's an independent physician who is affiliated with Barnabas and is using his or her own PC, that physician would access PHI through a virtual Citrix software session, which would handle the DLP duties, Syed says.
Part of DLP's configurability can also cut down on alert fatigue, already a concern with electronic medical records. Different thresholds can be set and adjusted so the DLP only triggers an alert when a predetermined amount of sensitive information is moving, Syed says.
A broad theme among DLP users is to get staff to think before they share. For instance, at Texas Health Resources, providers are advised to include the word "secure" in the email subject line, and that email will be encrypted and sent securely, says Chief Security Officer Ron Mehring.
If they don't put that word in the subject line, and the DLP technology detects PHI in the message, the provider is notified that he or she has violated the policy, Mehring says. "They now have to interact with the privacy and security offices to resolve that issue, and now that becomes somewhat of a distraction for them," he says.
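The rules described above (a medical record number profile, an alert threshold, and the "secure" subject-line keyword) can be combined into a single outbound-mail check. The sketch below is an added example, not Symantec's product logic or either health system's configuration; the seven-digit MRN format, the threshold of three, the action names and all sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: the MRN profile is the prefix "MR", an optional space or
# hyphen, then exactly 7 digits. The article only says "so many digits".
MRN_RE = re.compile(r"\bMR[- ]?(\d{7})\b")
# US Social Security number in dashed form, excluding ranges never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")


@dataclass(frozen=True)
class Policy:
    min_identifiers: int = 3        # ASSUMPTION: alert threshold
    secure_keyword: str = "secure"  # subject-line keyword from the article


@dataclass(frozen=True)
class Verdict:
    action: str     # ENCRYPT | NOTIFY_VIOLATION | ALLOW_LOGGED | ALLOW
    findings: dict  # identifier kind -> sorted, masked values


def mask(value):
    """Keep only the last two characters so the DLP log holds no usable PHI."""
    return "*" * (len(value) - 2) + value[-2:]


def find_identifiers(text):
    """Return distinct identifiers; a value repeated in a reply chain counts once."""
    return {
        "mrn": {m.group(1) for m in MRN_RE.finditer(text)},
        "ssn": {"".join(m.groups()) for m in SSN_RE.finditer(text)},
    }


def evaluate(subject, body, policy=Policy()):
    """Apply the three rules in order: keyword, detection, threshold."""
    # Whole-word match, so "insecure" does not count as the keyword.
    keyword = re.compile(rf"\b{re.escape(policy.secure_keyword)}\b", re.IGNORECASE)
    if keyword.search(subject):
        return Verdict("ENCRYPT", {})

    found = find_identifiers(subject + "\n" + body)
    total = sum(len(values) for values in found.values())
    if total == 0:
        return Verdict("ALLOW", {})

    masked = {kind: sorted(mask(v) for v in values)
              for kind, values in found.items() if values}
    if total >= policy.min_identifiers:
        return Verdict("NOTIFY_VIOLATION", masked)
    # Below the threshold: deliver, but keep a masked record for review.
    return Verdict("ALLOW_LOGGED", masked)


# Constructed sample messages (not real patient data).
SAMPLES = [
    ("Secure: discharge summary", "Patient MR1234567 discharged today."),
    ("billing batch", "MR1234567, MR-7654321, SSN 123-45-6789"),
    ("Re: follow-up", "MR1234567 labs attached.\n> MR1234567 labs attached.\n"
                      ">> MR 1234567 please review"),
    ("insecure wifi in clinic", "Ticket MR12345678 is still open."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        verdict = evaluate(subject, body)
        print(f"{subject!r:32} -> {verdict.action} {verdict.findings}")
```

Setting `Policy(min_identifiers=1)` reproduces the stricter behavior in which any detected identifier without the keyword produces a notification.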
Texas Health Resources serves a geographic area of north Texas larger than the state of Maryland. The system includes 25 hospitals (17 of which are acute care), more than 21,100 employees, 5,500 physicians with staff privileges, and 3,800 licensed hospital beds. "We have pretty good service management processes in place where they interact with our overall set of IT processes to resolve those issues, and we try to resolve them pretty quickly so escalation works, but you've got to have a structure around it. DLP can't exist in a vacuum. It's got to integrate real cleanly into your overall IT service management practices."
Don't let technology dictate your goals, Mehring says. "I can't imagine a single shortcut when it comes to DLP," he says. "It's a tough solution. You've got to have the dedicated staff for it. You've got to have the talent, and you've got to have the support."
Smaller organizations can take fewer steps, he says. "Encrypt everything," he says. "Make sure users know not to keep data on devices."
Mehring also challenges the coalescence of DLP standards around vendor-specific solutions. "My challenge to vendors is, 'Why are you making me do that?'" he says. "When vendors do that to us they put us in a box, and it's not appropriate."
A vendor-independent solution is transport-layer security standards, and they are emerging now. "How do I get a transaction from Point A to Point B in a secure manner, and how do I ensure it's going to the right person?" Mehring asks.
Auto-negotiation of transport-layer security, irrespective of vendor or service provider, is something Texas Health is able to achieve today, with some exceptions. "The underlying protocol does that, so my email servers are set up to auto-negotiate transport-layer security," he says. "As long as the other system has that ability to do the same and configure the same, it'll negotiate that secure transport.
"Every once in a while we get a health system that pops up where they're using a different system in a different configuration, and we have to take a kind of a one-off approach in how we're going to get data to them securely," Mehring says.
Data-loss prevention's next hurdle is fast approaching, however, as providers widely embrace health information exchanges.
"Our data-loss prevention systems are really kind of a very internal function," Mehring says, adding that "health information exchanges imply the sharing of information. Just moving DLP into that environment will be extremely difficult.
"We're going to be relying on a lot of nontechnical ways to control information in those environments. If we're using vendors to provide the health information exchange capabilities, they're building in robust technologies to control information as it sits in the exchanges. I think we're going to be relying on a lot of that," Mehring says. "Of course you are passing out information to folks that really kind of goes beyond the trust boundary and trust negotiated through participation agreements and things like that, which are all very nontechnical approaches."
Those nontechnical approaches include strong information security and privacy policies, standards, procedures, and training, built using a risk-management approach, Mehring says.
And the DLP technology solution, as good as it is, also has to evolve to cope with the evolution of the cloud-based services the network providers use. Providers can bring their own devices to Texas Health, and may have data network access through a carrier's 4G network rather than the internal healthcare network, bypassing network policy blocking Dropbox and its ilk.
"If they really wanted to, staff could go ahead and screen-capture that data and things like that, where we might not have full control of that device to control that interaction," Mehring says. "That happens quite often. I think most health systems are struggling with that today, on how much authoritative control they can take over these personal devices, which we do in many cases. When they're accessing data definitely they have the ability to potentially move that data onto their device. We'll take active control of that through our security solutions.
"But of course there's always the devices that kind of come and go. They come in, they access data, and then they go away, but they never really became a formal part of the actual infrastructure. We try to get in the middle of that interaction in all cases through our internal DLP solution and interrogate that transaction before it leaves, but like I said, there's always things like shadow IT or the shadow transaction, right? Everyone struggles with that, I think."
Reprint HLR1112-7
This article appears in the November 2012 issue of HealthLeaders magazine.
What are we to make of recent allegations that technology may be facilitating an uptick in Medicare fraud?
As the fiscal cliff looms, Medicare can ill afford a crisis. But that's just what CBS News' 60 Minutes December 2 broadcast set out to document.
The report opened with an estimate, derived from a 2009 Institute of Medicine statistic, that $210 billion per year—10% of all health expenditures—goes towards unnecessary tests and treatments, much of it paid out via Medicare and Medicaid.
In the report, former physicians working for Health Management Associates, which is the fourth-largest for-profit hospital chain in the U.S., accuse the corporation of systematically setting quotas for its doctors to admit more and more patients regardless of medical condition.
With 70 hospitals in 15 states, HMA has thrived by buying small, struggling hospitals in non-urban centers. Under fee-for-service reimbursements, the more empty beds hospitals fill, the more revenue they generate.
Scott Rankin, MD, interviewed by 60 Minutes, worked in the emergency department of the Carlisle Regional Medical Center in Carlisle, Pa. "In a relatively rural, limited resource community hospital, your admission rate out of the emergency department is somewhere in the neighborhood of 10%," Rankin told interviewer Steve Kroft. "And they wanted 20."
According to more than 100 people interviewed by 60 Minutes over the course of a year-long investigation, HMA institutionalized these corporate goals through computer software that HMA had installed in every emergency room. According to Jeffrey Hamby, a former emergency room doctor at HMA's Summit Medical Center in Van Buren, Ark., this software had been customized by HMA to order a battery of predetermined tests once a patient's chief complaint and age were recorded. Rankin said these tests were ordered even before the patient was seen by the treating physician.
When doctors decided to send an emergency room patient home, the computer would often intervene, Hamby said. "The minute I hit home, it says 'qualcheck,' and then it comes up with a warning. This patient meets criteria for admission. Do you want to override?" The ex-employees also allege that the software generated printed reports, some of which 60 Minutes displayed, evaluating each doctor's performance and productivity. Doctors who hit corporate admission goals received praise from company managers, and those who didn't "knew it," said Kroft.
The broadcast also quoted Paul Meyer, former director of compliance for HMA and a 30-year veteran of the FBI, accusing HMA of Medicare fraud based on his audit of four hospitals in Texas, Florida, and Oklahoma.
Even before the broadcast aired, HMA took the offensive, holding a November 30 webcast for analysts. In short, the company denies allegations of requiring emergency room physicians to meet any admission quotas. HMA further says that 60 Minutes did not produce a single patient who it could say was admitted unnecessarily.
So what does this ruckus mean for Medicare? I want to make several points.
First, the authorities, including the Justice Department, will have the final judgment on this matter. I have no doubt that HMA has the resources to keep this dispute unresolved for years, if they so choose.
Second, it seems unlikely that upward of 100 employees would speak to 60 Minutes just because of their general unhappiness with the company or its technology. Some doctors do chafe at having software trying to override their judgment, but in a world of evidence-based medicine and team-based care, a certain amount of that won't be denied. The challenge is determining which of HMA's software algorithms, if any, were business-driven rather than in the best interest of patients.
Third, this episode brings to mind accusations of voter fraud caused by voting machines that lack a paper trail. HMA was able to argue that the documents produced by 60 Minutes were not HMA documents. Much like a voting machine that produces no paper record, many electronic medical records may not produce a sufficiently protected audit trail. Stories of pop-ups on screens urging admission of patients can be plausibly denied.
One would hope that the end result of all this won't be an overly cumbersome and costly new set of government regulations. After all, the days of fee-for-service medicine are numbered. Once the financial incentive to admit disappears, this avenue of fraud is scheduled to be shut off. That's a good thing, because the thought of generating a paper trail for all EHR transactions is mind-boggling.
But since fee-for-service isn't exactly going away tomorrow, how much taxpayer and insurance money is at risk of being wasted before that day arrives? What interim steps need to be taken to minimize that waste?
Whatever the merits of the 60 Minutes report, bringing these allegations to light is appropriate. During a conference call held last week by the Patient-Centered Primary Care Collaborative, Paul Grundy, the organization's president, commented that "There's just so much data now that's becoming available that it's going to be increasingly hard to do the kinds of things that you saw on 60 Minutes. If there's one thing I could say to hospital systems like that, you're either part of the problem or you're part of the solution, and increasingly, if you want to insist on being part of the problem, you're going to get caught. You're going to go out of business. It's criminal."
HMA says its admission rates show no spike from industry averages. While time and the courts will weigh in on that matter, I think it remains to be seen if the data now out there is sufficient to catch fraud. My experience with software over the past three decades says that there are lots of devious ways to engineer fraud into a system. The question is whether CMS and the Justice Department have sufficient resources to smoke it out.
Farzad Mostashari, the national coordinator for health information technology at the Department of Health and Human Services, recently weighed in on allegations of upcoding, i.e., billing for care that wasn't delivered. "It doesn't matter if you do it on paper, if you do it through voice, whether you do it through transcription service, or you do it through an electronic health record. That's fraud and we take that very seriously," Mostashari said at a policy meeting of the Office of the National Coordinator.
But when fraud has the potential to be perpetrated on such a massive scale, aided and abetted by technology, can the regulators keep up?
Editor's Note: A prior version of this article attributed certain comments to Paul Grundy, MD, president of the Patient-Centered Primary Care Collaborative. His actual remarks were made about hospital systems generally and were not specific to HMA or any particular hospital system. IBM confirms that HMA hospitals continue to be available for use by its employees under its health plans.
HIMSS' mHealth Summit began yesterday in Washington, D.C., and runs through tomorrow. Because it's in the capital, government policymakers are likely to be dazzled by slick vendor presentations and lofty statements about what mobile health technology can do now and will be doing soon.
Meanwhile, outside the Beltway, healthcare providers ponder all the promise and peril of putting sensitive patient information on an ever-proliferating array of gadgets, the vast majority of which merely have garden-variety security, authorization, and authentication controls. After the petabytes of data breached by lost or stolen laptops are subtracted, the good news is that so far, mHealth doesn't seem to account for very many scary stories of health data exposure. But that could change.
Looking over the mHealth Summit agenda, I was struck by the fact that the elephant in the room—government regulation—has no session devoted to it.
There is a clue, however. Another session is titled, "Pushing the Limits of Mobile Health—Can We Have Health and Healthcare Without Doctors?"
Two answers. First, of course we had health, ill health, and healthcare before there were doctors. I'm pretty sure no one wants to go back to that.
But more to the point, I'm sure mHealth will provide, and probably already has, examples of disease diagnosis and treatment that do not involve doctors. There are laws against practicing medicine without a license, of course. Lack of enforcement of these laws is due to the fact that no one apparently is being harmed by these apps.
The question has to be: Will the mHealth apps of the future be accused of enabling medical practice without a license? Will someone suffer serious bodily harm or die because of an app?
I wish I could say with confidence that that day will never come. However, apps are getting smarter every month. I wish I could say the same about people, but despite the knowledge-spreading effect of social networks, there are too many examples of bogus science being spread that way to expect social networks alone to help the average patient to keep up with what's medically proven and what is quackery.
In other words, it's probably not a question of if healthcare apps will be regulated, but when, and which ones, and how much.
Drugs and medical devices go through rigorous discovery, testing, and clinical trial phases before doctors can begin prescribing them. The healthcare IT system must police itself or the same kind of requirements will be imposed, at some point, on some or all of the technology rushing to market. I do not hold out faith that the free market alone will be sufficient to do all the necessary policing.
Healthcare regulators are becoming technology regulators
If an adverse event happens, that free market could contract suddenly, and some of it could even go underground. Ironically, recent changes in the way technology gets distributed could make it easier for the FDA or other agencies to take action, but could also encourage that underground.
Windows 8, now shipping, has joined Apple's iOS and Google's Android in a new model of software distribution. These platforms' app stores make it easy for centralized control to be exercised over what apps run on these devices. If an app is shown to be the cause of an adverse event, we may witness the spectacle of the FDA ordering the removal of that app from the app store, and that would be that.
But would consumers try to jailbreak their phones to run banned healthcare apps? Stranger things have happened.
Now you may be shaking your head at this point, given that most healthcare apps are read-only or accept only a limited amount of input. If a patient or caregiver incorrectly enters a blood pressure or blood sugar reading into an app, the problem lies with them, and not with the app.
But that's today's apps. Tomorrow's apps will talk to an array of devices and sensors, some possibly inside the human body. Will all those devices and sensors be FDA-approved? Should they be? Many of them will require regular recalibration. Who will be managing that? Human beings are fallible. Can the technology be made self-calibrating? Or will the burden fall upon healthcare providers, who may find that their ACO status requires them to keep home health care devices in tune?
Then there's the dilemma of the regulators, if they suddenly find themselves charged with regulating 1s and 0s instead of just drugs and devices. To some extent, though, they already are in the software business.
Software technology is so malleable that it's unlikely that the clinical trial methodology we've used for drugs and devices could easily be adapted, or scaled, to regulate something like an app. Human factors often determine whether or not an app gets used correctly.
Perhaps, in the end, we'll just trust the technology as we do in so many other areas of life. Think of how modern jetliners couldn't fly without complex software systems managing the details. Self-driving cars have been sighted in my neighborhood in California. An amazingly tricky landing on Mars seemed like a piece of cake thanks to technology. Why shouldn't we trust more and more apps to manage our health?
Probably because nothing is more personal than one's health and well-being. While the average app won't have the scientific might of the Jet Propulsion Laboratory behind it, we're going to be scrutinizing these apps even more closely. The trials are under way. They're just not happening in the clinic.
I'm here to say that healthcare should be thankful it has come late to part of the technology party.
Why? Because healthcare doesn't have to play by the so-called rules that existed a few years ago. Healthcare can challenge the assumptions that drove decisions a short while ago and take advantage of cloud computing technology that overturns the conventional wisdom—and price structure—of IT services.
Want an example? Recently, I spoke to QualSight, a healthcare provider you probably haven't heard of, even though it serves more than 75 million health plan members.
Chicago-based QualSight launched eight years ago to connect independent ophthalmologists to healthcare plan sponsors to provide their members laser vision correction services. Today, the ophthalmologists operating out of 800 locations let QualSight boast of being the nation's largest Lasik services manager.
Surprise number one: The main third-party vendor QualSight uses to process credit cards for payments is PayPal, the eBay subsidiary.
That's right, PayPal is big business now.
Like others who deal with credit card information, PayPal requires QualSight to comply with the Payment Card Industry (PCI) standard. With 800 practices, QualSight could have implemented its own virtual private network (VPN). But instead, QualSight is using a cloud-based, HIPAA-compliant VPN and database server to securely serve transactions through the cloud. Instead of going with the usual Oracle or MySQL database, QualSight uses open-source PostgreSQL.
The key to making all this work, apparently, is to find just the right cloud hosting vendor, which in QualSight's case is FireHost. "We've been with FireHost for probably a year and a half by now, and I've been very happy," says Carlos Navarro, manager of IT at QualSight.
In January 2010, QualSight was running its own instance of the database from its offices. Such on-premise operation is another assumption of many healthcare providers today.
Then came the hackers.
"Nobody was here in the office," Navarro says. "There was an attempt to hack us from China. We determined that later, there were 15,000 attempts, and they successfully did penetrate. However, no damage was done."
[Editor's note: The hacking attempts did not actually penetrate or compromise QualSight's network in any way.]
The intrusion made QualSight consider the possibility of perhaps hosting its database elsewhere.
Before the evaluation was complete, fate intervened one more time. A major power outage in Chicago took QualSight's services offline for six hours.
"We lost a lot of data, and at this point, the company decided we need to select a cloud vendor very quickly," Navarro says.
FireHost's security stood out. Navarro hasn't regretted the decision.
"The applications ... are shared between 800 practices, and most of the information that they're entering is completely HIPAA," he says. "We're talking about patients. We're talking about patient social security numbers. We're talking about outcomes of surgeries. We're talking information that's very delicate."
The switch over to the cloud was accomplished in a single weekend. "There were some changes that were required on our end, programming changes, just to make it compatible, but we did this over a weekend, so the practices never noticed anything," Navarro says.
Like other providers I've talked to about the cloud, Navarro takes solace in the kind of penetration testing that a cloud provider such as FireHost can attempt on a monthly basis—testing that a healthcare provider can hardly claim as a core competency. "This is all part of the service," he says.
The average healthcare executive can be forgiven for forgetting that the software powering today's systems is a patchwork quilt of updates, security fixes, and bug workarounds. The CIOs reading this, however, know all too well that it becomes less practical every day for this cost to be shouldered entirely by your average hospital or healthcare provider.
Remember this when you're watching IT assumptions from the past decade crash and burn all around us: Every organization that's switched to the cloud seems to have its own version of the hackers-from-China story or the power outage story.
Remember this when you have to hire outside consultants to test your firewall's open ports, and then wonder how long it's been since the last test. Three months? Six months? Would your auditors be happy? Is not doing this testing often enough meeting the spirit and letter of the HIPAA law?
A lot of CIOs tell me they don't like the lack of transparency of cloud services. There's a reason they call it the cloud. What goes on inside there is, well, cloudy.
That doesn't dissuade Navarro. "I am not sure about all the details inside that makes the cloud tick," he says. "We get a report on a daily basis ... where we can see at any time and go historically back, I think three months or so, any intrusions or attempts of intrusions, which is phenomenal. We can see our backups. We can see reports on our vulnerability tests. We can see basically any information, anything that's eventually protecting our data."
Cloud vendors have to be very, very good at managing and applying all these fixes, or they'll be out of business in a real hurry.
Maybe, in a few years, this wheel will turn again and the pendulum will swing away from hosted applications. But I doubt it. Cloud technology just makes sense. Obviously, your mileage may vary. But as long as the cloud vendors say what they mean and mean what they say, the cloud will proliferate.
How are healthcare CIOs preparing for the possibility of the federal government going over the fiscal cliff? I spoke last week with Bruce Smith, CIO of Advocate Health Care, the largest integrated healthcare system in Illinois, about the post-election landscape.
"We've got strong cost management processes in place," he says. "Actually, we put those in place regardless of the fiscal cliff. We're making the assumption going down the road—if you look at where Washington's at and what's coming out there—there are going to be reductions in healthcare spending, so we know there's a good possibility that we are going to be under more economic pressure."
Chicago-based Advocate is big, with more than 250 sites of care, 10 acute-care hospitals, and a children's hospital with two campuses. In the grand scheme of things, the recent election was barely a blip on a six-year-old mission to build electronic medical records and digitize as much clinical information as possible to make it available anywhere, anytime.
"There were probably a few things that we altered in terms of the quality indicators," Smith says. "We changed some processes to collect that information, and maybe a couple of other access things, but for the most part I think we were pretty much on track with what came out of Meaningful Use."
Not that Smith ignores what's going on in Washington—far from it. "Probably the big things that will impact us coming up in the next couple of years will be the development and the maturity of the ACO process, and then of course what's going to happen when the [health insurance] exchanges come into play," he says.
One year into Advocate's ACO agreement with Blue Cross Blue Shield of Illinois, "We saw costs go down, so it benefitted both Blue Cross and Advocate, and I think there's further discussion now about how to make that product and that process even more effective in the coming years," Smith says. Advocate also joined the Medicare Shared Savings Program in May.
All inpatient hospitals run Cerner electronic medical record software out of a data center based in Kansas City. For outpatients, the Advocate Medical Group runs Allscripts. Advocate Physician Partners, which coordinates care between Advocate Health Care and more than 2,000 physicians on the medical staffs of Advocate hospitals, is deploying eClinicalWorks. That's right—three EMRs.
"I know you might ask the question, Why would you do that?" Smith says. "What it does is it gives our independent physicians the option of staying independent. They select if they use the software [and] they work with the vendor. If they choose to leave Advocate Physician Partners, they can do so and take the data with them. It remains under their control, as opposed to the Medical Group, in which everything is in one shared database."
Advocate is also producing a Web layer over those three record systems. "Our Web layer product pulls the three of them together and displays the information to make it look like one common record," he says.
When I mention Meaningful Use Stage 2, Smith seems confident Advocate can hit the Meaningful Use Stage 2 adoption deadlines set by CMS for 2014, despite talk around the healthcare IT industry of vendors being unable to make it happen.
"We have some concern, although a lot of it's not necessarily the vendor, either. It's our own internal processes," Smith says. "It's like most things we do: If you plan it and you work hard at it, you can make it happen. So far, I will say our vendors have been very good. I think Cerner's been particularly good to work with. They've delivered on everything we've needed. The stuff they've delivered on has been good quality, so I'm pretty confident in that area.
"I probably have a little bit more concern about Allscripts. So we're just going to have to kind of see how that works out. But overall, we think we're positioned pretty well. When we look at what Washington's trying to do, which is trying to get the industry to get with the times and automate, I think it's very worthwhile, and we certainly appreciate all the money that we've gotten and what we're going to get through the Meaningful Use process."
Outsourcing its data center to another company saved Advocate $15 to $20 million in capital expense, and offered "significant savings both in capital and operating expense" over the ten-year period of the agreement, Smith says.
Smith saves his choicest words for ICD-10.
"It's a little bit like being a zebra in the herd that's being circled by lions," he says. "You know somebody's going to get eaten. You just hope it's not you. I guess that's kind of how we all look at ICD-10. It's something that probably needs to be done. Nobody wants to do it. The cost of doing it is extremely high. My guess is it's going to take the deadline to really flush the whole thing out. We do have processes in place now that are doing the planning for it.
"The big deal is going to be, How do you get your physician population educated enough to use the new coding. I think that really is where the real challenge is. If they delay it another year, that would be fine with me. If they don't and it's the law, then we're going to comply with it."
Smith foresees a "consultant frenzy" nearer to the ICD-10 conversion date, one that will rival similar scrambles during the Y2K and HIPAA transitions.
The impact of technology reaches all the way into the executive level at Advocate. "If you look at the members of the C-suite, I think probably they'd prefer to talk about building new hospitals and new wings and new buildings, because that's kind of what they've always done," he says. "But I think you're seeing more and more the understanding of the importance and the significance of the technology investments, so there's no question it gets much more attention at a much higher level than it ever did before."
Lest anyone get the wrong idea, social media can do harm as well as good. Social media's power is awesome, but as the brilliant superhero Spider-Man says, with great power comes great responsibility.
If you read my column last week, you know that clinicians and patients, speaking in their authentic voices, can trump formulaic marketing materials. But the need to employ a metric ton of common sense and discretion is greater than ever.
The challenge for health leaders is to instill that common sense and discretion into every employee, since social media is nonhierarchical by its nature, and tweets, blogs and Facebook posts don't work if they need to be preapproved (and they won't scale either).
The wake-up call for social media in healthcare probably occurred five years ago in Boston. Ivy League-educated pediatrician Robert P. Lindeman, MD, on the witness stand, confessed that he was also a blogger known as Flea. Lindeman was defending himself in a malpractice suit involving the death of a patient.
Incredibly, Lindeman had been blogging details of the case under the online identity of Flea, and that revelation cost him dearly, according to the Boston Globe, which reported that Lindeman ended up paying a substantial settlement in the case.
According to Bryan Vartabedian, MD, news of this prompted medical bloggers online at the time to shut down their online activities. "Even the ones who were doing everything just right, wiped their presence, did a scorched earth policy and took themselves right off" the Web.
Vartabedian spoke at the same Association of American Medical Colleges meeting where the Mayo Clinic's Farris Timimi, MD, spoke and informed my column last week. Vartabedian is assistant professor of pediatrics at the Baylor College of Medicine, and an attending physician at Texas Children's Hospital. He's also been present in the health blogosphere since 2006, and writes about the intersection of medicine, social media, and technology at 33charts.com.
Physicians "are being completely redefined" by a number of forces, social media being one of them, Vartabedian says.
"Patients are changing dramatically, and they in turn are changing us," Vartabedian told the AAMC crowd. "The encounter with the physician is slowly emerging as a smaller and smaller piece of a patient's quest to get better."
Instead of patients going to doctors who then find information, information is now finding patients, who then take that to doctors, Vartabedian says. And now, technology that patients carry with them is generating more information. In the next two years, patients' very behavior will increasingly be recorded and fed to big data systems for analysis, he says.
I can relate. Last month, as part of a competition at the Health 2.0 conference in San Francisco, I and three other journalists received FitBits, which we wore for the next three days, in a competition for charity.
The FitBit has become the newest executive accessory of choice in Silicon Valley, and has effectively become the iPod of the quantified self movement, in terms of ubiquity. It clips onto a belt or other part of your clothing and passively records the daily number of steps taken and floors climbed. From that and other information about you, it can calculate the number of calories burned.
So at a time when we marvel at the power of the phones we carry around, even smaller devices are starting to accompany us, and social media lets us share our most personal data with whomever we wish.
A survey last year by the American College of Surgeons showed that 20 percent of surgeons were using Twitter. "Half of those surgeons were using it only rarely, which you and I know means they weren't using it at all," Vartabedian says. But what the survey didn't reveal is what the active surgeon-Tweeps are using it for: doctor-to-doctor dialogues? Doctor-to-patient? Telling jokes? In any event, more of them are using their real names than before.
Several social media networks exist for doctor-to-doctor communications: QuantiaMD, Doximity, and Sermo. Then there are what Vartabedian calls "doctors in the wild" using Twitter and Facebook.
"It is increasingly becoming difficult to separate your personal and professional lives online, despite how you may try," Vartabedian says. But we all must realize that anything we post on Facebook, no matter how limited its scope to a restricted set of friends, "lives on at the pleasure of the person who receives it."
Vartabedian also points out that clinicians "are still way worse in the elevator than we are online" about revealing PHI, and remember that anything overheard there is Twitter fodder.
Speaking to the great responsibility point, Vartabedian contends physicians are complicit in the controversy surrounding the unproven, but social media-fueled association between the MMR vaccine and autism. "There are 65,000 pediatricians in the American Academy of Pediatrics," he says.
"If all of us just once a year had created a small piece of content, be it a blog post, even a comment, we would have ruled the search engines, and none of this really ever would have happened."
"When we think about social media, and when your institution talks to you about social media, almost invariably it will be viewed from the perspective of risk. All we see is the risk associated with it, and all your orientation and your programs, everything will center on risk and nothing will center on opportunity."
As a way forward, Vartabedian is working with the AAMC in the early stages of developing a toolkit to improve social media training in medical schools. If you are interested in helping him, please contact the AAMC.