Challenges of cost and Security when Transition to Electronic Health Record Jamie Jackson Texas Womans University Management

of Health Service Organization Pat Driscoll April 12th 2011

Table of content:

Introduction______________________Page 3
1 |Page

Purpose/Problem_________________Page 5

Methodology____________________Page 7

Data Collection__________________Page 8

Findings/Resolution_____________Page 14

Conclusion___________________Page 15

References___________________Page 16

Appendix____________________Page 18

2 |Page

Introduction: The Health Information Management Systems Society defines Electronic Health Records as The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician's workflow. The EHR has the ability to generate a complete record of a clinical patient encounter - as well as supporting of EHR care-related activities directly or indirectly via interface - including evidence-based decision support, quality management, and outcomes reporting. The use of information and communication technologies, such as electronic health record systems has become increasingly common in all health organizations. In addition the health care reform passed in March (2010) requires all hospitals/physicians to adopt electronic health records and track and report patient outcomes. To aid in the adoption of electronic health record systems the HITECH Act, part of the 2009 economic stimulus package, American Recovery and Reinvestment Act, passed by the US Congress promises maximum incentive payments for Medicaid to those who adopt and use certified EHRs according to the meaningful use standards set by the government of $63, 750 beginning 2011. Eligible medical professionals must begin receiving payments by 2016 to qualify. For Medicare the maximum payments are $44,000 over 5 years. Those who do not adopt an EHR by 2015 will be penalized 1% of Medicare payments, increasing to 3% over 3 years (currently there are not any penalties for
3 |Page

Medicaid) (Bill, Hethcock, 2010). As a result, most healthcare organizations are transitioning to an electronic health record. The 1999 Institute of Medicine report, To Err is Human has also highlighted the fact that 44,000-98,000 people die in the US because of medical error. Most of these deaths happened because of unreadable physician handwriting that could easily be prevented by electronic health record. This, along with other benefits the electronic health records possess such as streamlining clinical workflow and making patient data easier to access is causing federal and state governments, insurance companies, and other large medical institution to heavily adoption of electronic health record. The key to delivering quality care and maximum profitability with EHRs is by having synergy achieved by effectively integrating Provider/Patient, Processes, and technology. If In order to do this, a physician office or other healthcare organization needs to already have an improved process so that the EHR implementation will have seamless interoperation. Lind Kloss, Executive VP and CEO of the American Health Information Management Association define the three essential capabilities of an EHR as follows: to capture data at the point of care, to integrate data from multiple internal and external sources, and to support caregiver decision making. The US IOM report, Key Capabilities of an EHR System identified a set of 8 core care delivery functions that an EHR system should be capable of performing in order to promote greater safety, quality, and efficiency in healthcare. Those 8 core capabilities are health information and data, result management, order management, decision support, electronic communication and connectivity, patient support, administrative processes, and reporting. While adopting an EHR can provide many benefits such as linking healthcare providers by electronic sharing of clinical information, improvement in patient safety/quality of care
4 |Page

because of better security and reduction in costs there are barriers as well. Some of these barriers are technical (functionality of use, lack of integration), Financial (initial costs for hardware/software, maintenance, and training), security, and incompatibility between systems (the EHR systems and other billing/scheduling systems already in place). During the phases of implementationanalysis, selection, procurement, installation, training, and maintenanceas well as after, two main barriers tend to stand out: costs and security which ironically are considered two of the benefits as well. The following is an in-depth look at what Baylor medical city of Plano, Children Medical Center, Medical Center of Lewisville, and Dallas dermatology clinic are doing to maintain the security and reduced the cost in their organization. Purpose: Discuss the challenges of costs and security as they apply to implementing an electronic health record in various sized healthcare organizations. The causes and effects of these challenges along with their dual roles as benefits will be analyzed and probable solutions will be presented. Problem: With the unrelenting increase of both cost and demand for electronic health record, the health care system in the United States has been facing with many challenges. One of the most critical factors underlying multiple challenges in the current health care arena revolves around cost and security. The adoption of technologies such as Electronic Health Records is leading to an increase in system complexity and is the enemy of security and compliance and therefore must be minimized and adequately managed. To work more efficiently, electronic healthcare records need to be readily available and stored on many devices in different locations including laptops,
5 |Page

removable storage, smart phones, servers and medical equipment. Unfortunately, having information in various places creates serious information security risks and compliance gaps. In addition a shared computer often creates an accountability issues related to security and compliance. When a data security breach occurs on a shared system, it can be difficult to determine who was involved. Costs is another issue because when implementing electronic health records there are various factors to considerstart up cost, software maintenance cost, and training cost. While it has been pointed out that EHRs can possibly save the health system money, physiciansespecially the ones in small practices may not always benefit financially. EHR prices vary widely based on whats included, how robust the system is, and how many providers use it. According to an online survey, 1/3 of organizations paid between $500 and $3,000 per physician, another third paid between, $3,001 and $6, 000 per physician, and 33% paid more than $6,000 per physician. In a 2006 survey lack of adequate funding was cited by 729 health care providers as the most significant barrier to adopting electronic health records. During the American Health Information Management Association conference in October 2006, panelists estimated that purchasing and installing an EHR system will cost over $32,000 per physician and maintenance about $1,200. Vendor costs account for 60-80% of these costs.

6 |Page

Methodology: The preliminary study began by researching various internet resources and academic journals to conclude the bases of our purpose, which were challenges of cost and security with implementation of EMR. We then chose interview sources from six organizations: David Collins, Director of Health Information Systems at Healthcare Information and Management Society, Ashley McClellan, COO of Medical Center of Lewisville, Shirley Archambeault, IT Administrator of Medical Center of Lewisville, Childrens Medical Center of Dallas Systems Analyst, Bill Duke, Executive Director of Dallas Associated Dermatologist and Melissa Jones, IT Resource Nurse at Baylor Plano. We chose to focus on the administrative and IT departments because these two departments would be the most knowledgeable of the challenges pertaining to cost and security. These various sources also allowed us to compare the challenges of a large hospital, medium sized hospital, a smaller doctors office and a national healthcare organization. Next, we formatted a questionnaire for the interviews that would permit us to receive the most detailed answers. From our previous research we found examples of questionnaires, which were formatted in closed ended questions. We felt that these types of examples were not in depth
7 |Page

enough to provide detailed information. The questionnaire focused on the effects on the organizations stemming from the transition of paper health records to EMR. We then emailed the questionnaire to those who werent available for a face to face interview and met those sources who were available. When questionnaires were returned an analysis of the information was performed, comparing each organizations statements to conclude if the answers given were similar or if any new data could be obtained. Data Collection: Data was collected through questionnaires that were sent out to hospital clinical and IT administrators, doctors office business office managers, and the director from a national healthcare organization. Healthcare journals and other resources were utilized as well. Data: To get a better understanding of electronic health records, David Collins, Director of Health Information Systems at Healthcare Information and Management Systems Society was interviewed. Upon speaking with him he states that most of the challenges are fundamental not technical as many people believe. He says that implementing an electronic health record is more about making healthcare more efficient versus any of the other benefits. Regarding challenges, Collins states that financials are a main factor but incentive money from the government is helping to make it less of a barrier. According to him, because hospitals stand to lose millions if they dont comply (especially in regards to Medicare patients) due to loss of incentive money and decreases in reimbursements they are starting to see that the future benefits far outweigh the start up costs, particularly in larger organizations. In regards to security, he feels that EHRs are more secure than paper records you can govern access and monitor who is accessing them. He
8 |Page

feels that cost and security challenges can be offset with plenty of training and ensuring that you have good leadership from the top down that embraces the goals of the organization. Speaking with Collins enabled us to have a firm foundation of what to look for when interviewing our other respondents. Cost: According to Bill Duke, Executive Director of Dallas Associated Dermatologist, while EHRs are much more effective and efficient the only challenge with them is that the cost is tremendous. Cost has increased because of the new technology and the implementation but the increase in efficiency can be seen as a tradeoff. Equipment, software, training, and duplication of efforts (loading all previous paper information into the new software) are some of the causes of the cost challenges when face with implementation. He also adds that vendors make cost more difficult by charging for extras such as additional trainings, access to your data, and changing their prices once they have begun the implementation prices.

9 |Page

A systems analyst at Childrens Medical Center was a little bit luckier because they are not a small practice. Their EHR was purchased with the hospitals capital budget so individual departments were not directly charged for the software. She stated that a lot of the cost comes from the downtime as a result of having to pull nurses and physicians for 8 hours of offsite training as well as using them to help plan, design, and test. One way that she saw that they are saving money with electronic health records versus paper is that you dont have to purchase paper and the physical storage place to keep them because with electronic charts they are stored on a very small server. They are also able to pull charts and reports quickly which also helps save time and money. However while these things help save money, they do not offset the costs. According to the health care quarterly Dallas business Journal Baylor Health Care System will be spend more than $200 million by 2012 to put the first generation of its electronic health records system in place. Baylor hopes to receive more than $45 million in federal stimulus funds to offset the cost. Five hospitals in Dallas-based Baylors 26-hospital network are covered by electronic health records, and installation of the system is under way at two more all of them will be covered by the end of 2012. The systems biggest challenge in implementing electronic health records is connecting Baylors network to external organizations, such as public health departments and the states immunization registry (Bill Hethock, 2010). Speaking with Missy Jones, Informatics Research Nurse/EHR Physician Liaison at Baylor Regional Medical Center at Plano she states that cost is the main con of EHR implementation which is due to down time, constant need for upgrades, and the implementation itself. Baylor Medical Center Plano also addressed implementing electronic health record is an expensive project and there is constant need to update technology need for down time process.
10 | P a g e

Additionally buying hardware, application software, encryption software, maintaining the portal access (and the VPN fobs that go with them), and keeping it all up to date is expensive. As they continue to roll out with the system EHR, the IS (Information Security) support team will need to continue to grow. Also because they utilize customized software they have a custom application team that has to be trained to configure it. Maintaining the entire IS staff dedicated to EHR is costly and expensive. The constraint of having enough equipment, enough people staffed, enough support staffed, and the dread what happens if it all crashes cost money and/or time. She states that the benefits of an EHR are not seen on the front end but seen over time as patients revisit and the communication channels between inpatient and outpatient channels are broadened and optimized. After all she states The point wasnt to save money but to improve continuity and communication in patient care by creating a more transparent record that makes caring for the patient across the continuum easier and safer. Security: In a March 2009 survey of 1,238 randomly selected adults, 59 percent of respondents didn't think confidentiality of electronic medical records could be assured. A majority of respondents in the survey thought it was important for providers to have electronic medical records, but 76 percent thought it was likely that an unauthorized person would get access to medical records online. The survey was from the Kaiser Family Foundation, the Harvard School of Public Health and National Public Radio.

Bill Duke feels that security and cost in regards to implementation go hand in hand. He states that the biggest concern about security when using EHR is cost because vendors gauge cost, especially as it relates to security, because they know people have to have it. To help with their
11 | P a g e

security access is defined by security level and is designated by passwords and groups. They use internal and external sources to maintain their security---internal people manage it and external people handle it. Some of the security measures they use are passwords, groups, and log in ids especially since several people may use the same terminal. Duke states that most security issues are caused by individual carelessness such as not following protocol, not shredding patient documents, and sharing patient information in public. He feels that hopefully with the implementation of an EHR system patient data will be more secure. Systems analyst at Childrens Medical Center feel that the most significant impact on reducing cost and maintaining security is that electronic records are easier to safeguard and audit because employee names, departments, and roles can be extracted into a spreadsheet and monitored and electronic health records require a password and tracks who has viewed what whereas these things cannot be done with paper records. To further ensure security each clinical department has an EHR User Group with the goal of ensuring appropriate and efficient use. Main security concerns are protecting private patient information and ensuring each staff member has appropriate access (not too much or too little). Security and access is determined by rolei.e. all physicians have the same access, all nurses have the same access, etc. Also, staff is held accountable for what happens under their name which makes employees have some responsibility when it comes to security efforts. Childrens also has an information privacy and security office that manages all security related issues. There are strict policies including and not limited to appropriate and acceptable use, electronic communication, faxing health information, information privacy and security, incidents and complaints, and email encryption. They also have a strict policy requiring EHR training before a logon and password is even received. These

12 | P a g e

passwords have to be changed every 180 days, be 8 characters, and include upper and lower case type. Missy Jones, Baylor Regional Medical Center of Plano, states that fortunately most companies that engage in work in the medical field are very familiar with HIPAA requirements and regulations so making sure that vendors are HIPAA compliant security wise is a lesser worry. One way that they have combated security is by customizing their EHR and having their own enterprise employees being trained on configuring the system. Some security issues they currently face are physicians not remembering their logins and having nursing staff log in for them, having to constantly create and terminate logins for the residents that rotate through, and user rights within the system. To combat this they emphasize the importance of learning the system and using your on login information so that access can be tracked. Baylor Regionals EHR is maintained by their own security so in addition to password restrictions to the system, there is a security team that is responsible for who has access to the EHR and what they can see or do. There is also 28bit encryption software on every machine that is love on EHR. An application that manages all access request called myID management is utilized as well. Managers have to log in to this application and request staff access and these requests go to the security team. She states that it is a yes and no answer when comparing the security of an EHR system to paper records. With a paper chart, you have to physically be in its presence to see or use it which is good because it limits access physically but bad because once you are within proximity to a chart there is nothing to physically keep you out of it nor is there any way to track who has looked at it. This is not so with electronic health records. You have to log in to view patient information and this can all be tracked. All in all she feels that electronic health records are a very secure medium for patient data.
13 | P a g e

Michael Matthews, chief executive officer of health-information technology firm MedVirginia, said security is on everyone's mind. "Many in the field will argue that data is actually more secure in electronic format than paper," Matthews said. "There are audit trails left every time an electronic health record is accessed, who accessed it, what results within the record have been accessed. Whereas with paper records, you have no idea who has looked at it, who made copies, what has been taken out of it."

Findings:

Through our research it was determined that there were no true monetary savings due to the purchasing of new technology, software, hiring and ongoing training. Also, if any savings are seen it is amongst larger institutions that already draw in enough revenue and patients for the funding and offset of implementation of EHR systems. Furthermore, while security is a top concern, it is far outweighed by cost no matter the size of the practice or organization. Most security issues are due to carelessness among staff, lack of training, and inadequate funding for security. While vendors are a necessity for implementation, they will also take advantage of the EHR implementation requirements by finding various methods to supplement their charges which can add unnecessary costs to implement.

Resolution:

Some possible solutions that we devised that could possibly help organizations with cost and security challenges of implementation are to make sure you have quality leadership that embraces the goals of the organization as it relates to EHR, make sure you have quality training
14 | P a g e

and support during all phases of implementation, factor in all additional equipment and software cost in addition to the EHR product, make sure your organization already has a good security process in place as well as other departments like billing/scheduling, review and evaluate the organization as well as several different products/vendorsutilize demos if possible, make sure the EHR system chosen is already interoperable with the technology already being used, and look into possible discounts or perks offered by insurers for EHR use.

Conclusion: This project has provided an opportunity to understand the EHR technology system and the challenges during implementation as it relates to cost and security. Understanding the benefits of the technologies and the problems experienced by doctors who use the technologies can help others make a better decision for their practice.

References
15 | P a g e

AHIMA The American Health Information Management Association. (2006). The State of HIPAA Privacy and Security Compliance, last accessed on Nov. 2008 Aspden, P., Corrigan, J.M., Wolcott, J., and Erickson, S. M. (2003). Patient Safety: Achieving a New Standard for Care. Washington, DC: National Academies Press Appari, A., and Johnson, M.E. (2009) Information Security and Privacy in Healthcare: Current State of Research, forthcoming in International Journal of Internet and Enterprise Management Barlow, S. , Johnson, J., & Steck, J. . (2004). The economic effect of implementing an emr i outpatient clinical setting . Journal of Healthcare Information Management , 18(1), Retrievedfromhttp://www.himssehra.org/docs/caseStudies/Allscripts_JHIM_Central%20 Utah%20Clinic%2 0Case%20Study.pdf Berkeyheiser, L. . (2010). Security and privacy challenges to ehr adoption. Advance for Health Information Professionals, Retrieved from http://healthinformation.advanceweb.com/Article/Security-and-Privacy-Challenges-to-EHRAdoption-2.aspx Berndton, Chad. (2007). The challenge of electronic health records . CRN, Retrieved from http://www.crn.com/news/channel-programs/204200977/the-challenge-of-electronichealth-ecords.htm;jsessionid=3Lyr5ZiQfJj8gw9Dg-b1NQ**.ecappj02

Blair, Jeff. (2003). Ehr trends and challenges: mri's surveys finds workflow and record access among top it-manager concerns. Healthcare Informatics Online , Retrieved from http://www.providersedge.com/ehdocs/ehr_articles/EHR_Trends_and_Challenges.pdf Boyd, A.D., Funk, E.A., Schwartz, S.M., Kaplam, B, & Keenan, G.M. . (2010). Top ehr challenges in light of the stimulus . Journal of Healthcare Information Management , 24(1), Retrieved from http://www.myhealthtechblog.com/2010/01/complex-challengesfor-ehr-implementations.html

Choi, Y.B., Capitan, K.E., Krause, J.S., and Streeper, M.M. 2006. Challenges Associated with Privacy in Healthcare Industry: Implementation of HIPAA and Security Rules, Journal of Medical Systems, (30:1), pp5764.

16 | P a g e

Levine, Alla . Electronic health record challenges & opportunities Retrieved from ftp://ftp.drivehq.com/CHCANYS_FTP/File%20Manager/HIT/PCHIC/EHR %20Presentation%20-%20Challenges%20%20Opportunities%20ALevine.pdf

NIST National Institute of Standards and Technology. 2005. An Introductory Resource Guide for Implementing the Health Information Portability and Accountability ACT (HIPAA) Security Rule, NIST Special publication 800-66.
Ponemon Institute LLC, Initials. (2010, November 9). Dgs health law blog [Web log message]. Retrieved fromhttp://www.dgshealthlaw.com/uploads/file/Ponemon_Benchmark_Study_o n_Patient_Privacy_and_Data_Security%5B1%5D%281%29.pdf

Ryzinski, T. . (2011). Security challenges of ehr adoption . HealthLeaders Media , Retrieved from http://www.healthleadersmedia.com/page-3/PHY-262449/Security-Challenges-of-E HR-Adoption

The road to ehr implementation is paved with incentives and challenges . (2010). Managed Care Outlook, 23(1), Retrieved from http://www.guidonps.com/ideas-andresources/articles/healthcare/the-road-to-ehr-implementation-is-paved-with-incentivesand-challenges/

17 | P a g e

Appendix Question asked of each Health System 1: Are you implementing or have you implemented an EHR system and if so when, what was the driving force behind doing so, and what steps are or were taken? 2: What do you perceive to be the pros/cons of an EHR/EMR system? 3: s it difficult maintaining HIPAA compliance during implementation or finding vendors that are HIPAA compliant? 4: Has your organization been following the meaningful use regulations? What are your thoughts regarding those?
5: How much do you feel that transitioning to an EMR has saved you as far as costs, resources,

time? 6: What main challenges have you faced during implementation as it relates to vendor selection, costs, security? 7: With the challenges faced, what do you believe caused them, what have been their effects, and what have you done or are you doing to resolve them?

18 | P a g e

8: If you compare previously paper practice, how do you rate this new Technology? Is this practice more effective and efficient? 9: What challenges are you dealing with to making sure this practice work effectively? 10: Is there any ongoing training for your employee? 11: Do you feel it has improved health care quality? 12: Can you tell us how quality assurance, performance improvement, patients care quality, and patient safety have been affected? 13: How does the clinical staff (doctors, nurses, etc) feel regarding implementation of an EHR/EMR? 14: Are they receptive or do they want things to stay the same? Does any particular group have more opposition or reservations than another and if so why? 15: In what way have you seen the difference in cost? 16: How do vendors promise security with their services? 17: What were the cost challenges you faced when implementing EMR? 18: What concerned you most about the cost it would take to implement EMR in your organization? 19: What concerned you most about security when using EMR? 20: What was the greatest cost you had when implementing EMR and using it?

19 | P a g e

21: From a technical point of view how do you track the security and who has access to the
EMR

22: Do you believe it is more secure than paper records? 23: How can you compare the cost between paper records and electronic records? 24: What worries you most about the security to the access of these records by individual working in the office and those outside the office? 25: How is security handle with in-house IT and vendors IT? 26: What types of security and procedures has IT put in place?

20 | P a g e