On a recent visit to observe physicians at a local ED, I watched two doctors with six decades of combined experience reduced to file clerking as they logged into and searched multiple EMR systems, made phone calls, and dug through 60-page faxes to find relevant medical history. If I had known clerks would make $250/hour, I certainly would have reassessed my career choices.

Healthcare costs are high for many reasons, and poor interoperability is definitely one of them. Let’s review:

• X12 EDI standards for insurance information exchange: originated in 1979
• HL7 standards for healthcare data exchange: begun in 1987, ANSI standard since 1994
• DICOM standards for radiology images: first published in 1985
• Bonus – Single Sign-On: has been evolving since the early 80s!

Interoperability standards have been around for decades…

I propose that all healthcare IT contracts and renewals contain a Bill of Rights that codifies industry best practices for interoperability and imposes stiff penalties (AKA market incentives) for noncompliance. Instead of waiting on the billions-of-dollars government incentives to drag the market forward, let’s improve patient outcomes right now. Come up with your own Bill of Rights, share it with other organizations, and let the vendors know that the level playing field of interoperability is where they must all compete.

Look around your doctor’s office, and ask yourself who among these people is protecting your private data. Is it:

• A) The doctor? I hope not! I hope my doctor spends all of her time learning to be the best doctor possible.
• B) The underpaid front desk clerk who just last week took a computer training course to get this job?
• C) The overworked PA or nurse who performs the bulk of routine care? Does he have time to look after your privacy?

The answer is:

• D) None of the Above.

Who is responsible for protecting my data?

The people responsible for your privacy are the ones you do not see because they are not there. Information security is a specific field of knowledge and skills that requires training  and constant practice for proficiency. Have a look here at sample exam topics for a basic certification. You don’t have time to learn all of this. Nor do you have the inclination, and neither do the people who practice and support medicine.

Privacy is expensive!

The bigger problem, though, is that most practices are not aware of the gap between what they know and what the law requires. So, they are not budgeting for or hiring those who have the knowledge to perform a security risk analysis, educate the staff, and secure the technical infrastructure like computers, networks, and mobile phones, and they are also not budgeting for:

• Ongoing training on privacy issues
• Ongoing maintenance of policies
• Ongoing maintenance of IT
• Monitoring for compliance and breaches

This assumes private practices have the funds for such hirings and the time to supervise them. Likely, most do not, and so we will see many more stories like this. As the market becomes aware of these issues through fines and negative publicity, we may see smaller practices decline as they roll up into hospitals or corporations in order to defray the costs of compliance.

• patients
• doctors, nurses, PAs, NPs, and other clinicians
• administrators
• hospitals, private practices, labs, and clinics
• health insurers
• healthcare vendors and manufacturers of drugs, equipment, supplies, software, and services
• investors in hospitals, health insurers, and healthcare vendors
• government
• employers

Each of these players can have radically different incentives, many of which are not primarily focused on patient care. Don’t get me wrong – I am not saying vendors or insurers or employers have evil intent, but the market pressure of increasing shareholder returns is very distracting, and the business of business is difficult, with 1/3 of all new companies failing to survive two years.

Add in patients gaming or abusing the system, government legislation and partisan politics, hospital administrators focused on auditing and compliance, indigent care, and dozens of other factors…

With this incredible diversity of participants and the difficulty of running a successful business in any industry, a better question is “how could healthcare not be complicated?”

They Care About Money

A lot of so-called healthcare companies are simply companies that happen to be in healthcare, and they are not focused on patients and clinicians but instead on taking the biggest slice of the pie in order to propel continuing shareholder returns.

Money is Good, Right?

Yes!

Then Why Complain About Making Money?

The issue is with incentives, the big piles of money in healthcare that drive greedy behavior and short-term profit taking. The best companies grow by creating value with products and services that solve a need in the market.

Before you make a capital investment in an EHR, make sure you know what your vendor’s priorities are: patient outcomes or shareholder wealth? If the answer is “improved patient outcomes that lead to increased revenue and increased shareholder wealth,” then you may have found a great vendor.

courtesy jjvaca/flickr

1. Software development is difficult!

Sure, it looks easy. Just hire a project manager and some developers. But before you write that check, search Google for software project failure, and look at the number of zeroes in the costs. Even the experts who develop software as their main business have trouble delivering projects on time with no major defects.

2. You don’t have enough resources to run a hospital AND manage a capital development project

There is no hospital anywhere that has spare time, so any project you begin at your hospital will take resources away from your primary mission: patient care. Don’t be deceived about development costs and timelines, either. According to the Software Development Cost Estimating Guidebook, “A realistic estimate is based upon a solid understanding of the software development process and the historical data…” – neither of which your organization has.

3. You can’t achieve economies of scale to cover your sunk costs and ongoing maintenance

Again, software is very expensive to develop and maintain and only makes financial sense if you can sell or license it to many customers. Can your hospital afford to increase its operating overhead? How will you measure return on investment for this project? Don’t forget to track patient outcomes, throughput (revenue), and employee satisfaction, both before and after your project. And you have to keep sunk costs and ongoing maintenance LOW because you can only amortize these expenses across your organization instead of a large customer base.

4. Captive users don’t give honest feedback

When you have a problem with vendor-provided software, the solution is simple and painless: pick up the phone! When you have a problem with internally developed software, there is a natural tendency to mute complaints for fear of job security. Will you get honest feedback from users if your multi-million-dollar project has poor usability? Nobody wants to be the person to tell the executive sponsor that their capital investment was wasted.

You are surrounded by air, and it is vital for life. It’s free and plentiful, but I’m going to ask you to breathe through a cocktail straw from now on.

That’s the problem doctors, nurses, and PAs face every day when they need to quickly send and receive vital patient information such as photographs, medical records, and laboratory results to consulting physicians. Even though they are completely surrounded by iPhones, Droids, and high-speed wireless networks, clinicians are forced to breathe through a tiny straw.

Big Problem: Restrictive Security Policies Without Supporting Tools

That tiny straw is your hospital’s communications policy and supporting IT infrastructure. You have a policy for two very good reasons: patient privacy is important, and it’s also mandated by federal law, which is backed by large fines and negative publicity. But doctors often need to work quickly, and that free, plentiful supply of life-savings communication is in their pockets: mobile phones.

Dr. McBride in the emergency department knows Dr. Owen in surgery and has his contact info in her iPhone. When she needs an emergency consult for a critical patient, she pulls out her phone and quickly types a text message with the patient’s name, chart number, and a brief history, including lab results indicating illicit drug ingestion. Dr. Owen receives the message on his phone, reviews the chart and results, and responds with a diagnosis, also via text.

Later that night at a bar, Dr. Owen loses his iPhone and thousands of patient records. Now you are in the news for a breach and a fine, the doctors have been fired, and you have an urgent situation to handle.

Whose fault is this and whose problem is it to fix? Is the doctor at fault for breathing in the plentiful supply of air when you gave her a tiny straw to use for this purpose?

Big Problem: High Incentive to Circumvent Policies

The big obstacle your policies and IT have to overcome is WORKFLOW.  Like water flowing downhill, people naturally flow to the easiest solutions. If your policies and IT services create enough obstacles, people will flow around them to readily available solutions until you ratchet up the penalties so high that all work comes to a halt. And it will come to halt because you didn’t do one critical thing: offer an effective alternative to that plentiful air supply.

Policies are easy to write, but providing effective technical solutions is very hard. We put the policies in place, and then we leave the users to deal with broken workflow resulting in decreasing patient outcomes, revenue, and employee satisfaction.

SMS text messages are especially hard to replace because they are so very, very easy to use – there has never been a more convenient method of instant communication to anyone anywhere, and every one of us has it on our pockets most of our waking lives.

The Hard Task: Think Long-Term

Are your users sipping air through a tiny straw? What effective tools do you have in place that meet your compliance goals but also facilitate efficient workflow?

You can meet your short-term compliance goals by checking the box that says, “Security Policy,” but if you don’t support user workflow, you will pay in the long term with decreasing quality of care, decreasing revenue, and increasing expenses.

Interact with your users to ensure their patient-care needs are met, and use meaningful metrics to measure efficiency before and after policy and IT changes. This sounds obvious in the C-suite, but I assure you it is frequently not happening on the ground. There is a disconnect – make sure it’s not in your organization.

1. 81% of healthcare providers use personal devices to send and receive PHI
2. Personal devices are lost or stolen ALL THE TIME, and most don’t even have basic PIN security enabled
3. All of the phone companies store information about text messages, and Verizon even stores the contents!

This is a big problem, and with so many doctors, PAs, and nurses using personal phones to send emails and texts about patients, we will definitely see major breaches in the news. A little more worrying, though, is that the mobile phone carriers are inadvertently sitting on a LOT of PHI all collected in one place.

This is a hard problem to solve because existing IT solutions simply can’t match the convenience of SMS. It’s a worldwide network in your pocket that can reach anyone at any time, and it takes just seconds to send and receive a message with attachments. Do you have an IT solution that provides this level of convenience?