Technology and Addiction Services


It’s no secret that technology has become the fulcrum upon which much of society has been leveraged.

From printers to computers to the Internet to cellphones to answering machines to fax machines, and on and on.

* It’s highly likely that you got into this industry because you wanted to help people
* It’s highly likely that you didn’t get into this industry to have to deal with technology and its challenges
* But that’s where your industry went

We’re going to spend the next while taking a look at technology as it relates to the A&D field.

* What are some of the ways this transformation into technology immersion has:
  * Helped or facilitated your job?
  * Hindered it, created new challenges or frustrated you?

* The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009.
* Set meaningful use of interoperable EHR adoption in the health care system as a critical national goal and incentivized EHR adoption.
* Starting in 2015, hospitals and doctors will be subject to financial penalties under Medicare if they are not using electronic health records.
* The main components of Meaningful Use are:
  * The use of a certified EHR in a meaningful manner, such as e-prescribing.
  * The use of certified EHR technology for electronic exchange of health information to improve quality of health care.
  * The use of certified EHR technology to submit clinical quality and other measures.

Core Requirements:

* Use computerized order entry for medication orders.
* Implement drug-drug, drug-allergy checks.
* Generate and transmit permissible prescriptions electronically.
* Record demographics.
* Maintain an up-to-date problem list of current and active diagnoses.
* Maintain active medication list.
* Maintain active medication allergy list.
* Record and chart changes in vital signs.
* Record smoking status for patients 13 years old or older.
* Implement one clinical decision support rule.
* Report ambulatory quality measures to CMS or the States.
* Provide patients with an electronic copy of their health information upon request.
* Provide clinical summaries to patients for each office visit.
* Capability to exchange key clinical information electronically among providers and patient authorized entities.
* Protect electronic health information (privacy & security)

Menu Requirements:

* Implement drug-formulary checks.
* Incorporate clinical lab-test results into certified EHR as structured data.
* Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
* Send reminders to patients per patient preference for preventive/follow-up care
* Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies)
* Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.
* Perform medication reconciliation as relevant
* Provide summary care record for transitions in care or referrals.
* Capability to submit electronic data to immunization registries and actual submission.
* Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.

* Before texting, email became the most ubiquitous method of communication on the Internet—maybe even on the planet.
* It’s built into almost everything: phones, tablets, home appliances, and cars to name a few.
* Email addresses have become our IDs; it’s how we sign up for things, receive notices, and occasionally communicate with each other
* But it was not designed with any privacy or security in mind.
* It was not designed to be the center of our digital lives; it was designed when the Internet was a much smaller place to store and forward messaging between people using different kinds of computers.

* There are 4 basic places where your email can be compromised:
  * On your device(s)
  * On the network you’re using
  * On the server you’re using
  * On your recipient’s device(s)
* The first and last seem obvious in a variety of ways; networks offer a little tougher means of keeping people out, but if you’re sending email to someone who uses the same service as you, say Outlook.com, you are still easily compromised.
* If you send the email to someone on a different network, then where the two networks connect is the vulnerable point.
* Servers are where your email is stored. All of your email. As plain text.
* If a hacker gets in there, they’ve pretty much got everything, plus all attachments.

* Email is stored in multiple places around the Internet. It gets copied to:
  * Sender’s computer in the “Sent Mail” box
  * To the server that sends the email
  * To the server that receives the email
  * To the recipient’s computer when he/she downloads the email.
  * The backups to the email
    * Burned to CD
    * Backup servers

Encryption to the rescue! (Sort of…)

* Encryption basically scrambles the plain text into gobbledegook that is unscrambled at the other end.
  * Encrypting messages
  * Encrypting network connections
* While your text and attachments are scrambled, your header info (address, recipient address, subject, date, and more) is not. This still paints a pretty detailed description of the email
* While secure email can still be hacked, it provides much more protection than unsecured

HIPAA and Email

* HIPAA email security applies specifically to protected health information (PHI), not just personal information
* PHI is health information of an identifiable individual that is transmitted by electronic media, maintained by any electronic medium, or transmitted or maintained by any other form or medium.
* All administrative, financial and clinical information on a patient is considered PHI.
* Privacy key point: Controlling use/disclosure of oral, written and electronic PHI in any form
* Security key point: Controlling the access to electronic forms of protected health information
* It’s important to note that there are no policemen for HIPAA; the only way HIPAA gets policed is through litigation (and nobody wants that).
* One of the best ways to protect yourself/your agency is to have a good written Technology Plan

Encrypted email clients (Pro versions):

* Hushmail: PC only; $35/year per person
* VauntletMail / ShazzleMail: PC/Mac/Linux (both); Free / Negotiated
* Enigmail: Thunderbird plugin; Free
* CryptoHeaven: PC/Mac/Linux; varies by # of users
* SendINC: PC/Mac/Linux; varies by # of users

* Telephonic transmission of scanned printed material (both text and images), normally to a telephone number connected to a printer or other output device.

* The original document is scanned with a fax machine (or a telecopier), which processes the contents (text or images) as a single fixed graphic image, converting it into a bitmap, and then transmitting it through the telephone system in the form of audio-frequency tones.
* Since the 1980s most machines modulate the transmitted audio frequencies using a digital representation of the page which is compressed to quickly transmit areas which are all-white or all-black.
* In many business environments, freestanding fax machines have been replaced by fax servers and other computerized systems capable of receiving and storing incoming faxes electronically, and then routing them to users on paper or via an email.
* All forms of faxing must adhere to the same HIPAA PHI rules as email.

* Advantages of old-style faxing:
  * Speed of transfer and receipt
  * Sends as a PDF, so no viruses
  * Less vulnerable to interception
  * Sender gets notice of receipt
  * Receiver has a physical copy
  * Don’t need to know how to use a computer
* Disadvantages of old-style faxing:
  * Must have a fax machine and/or scanner
  * Fax machine maintenance costs
  * Lack of mobility
  * Need for paper

* Internet faxing, efax, or online faxing uses the Internet Protocol to send a fax, rather than using only phone networks with a fax machine.
* As modems came into wider use with personal computers, the computer was used to send faxes directly using faxing software. Instead of first printing a hard copy and then sending it via fax machine, the document can now be printed directly to the software fax and sent via the computer’s modem; receiving an efax is basically the same.
* Efaxing can also occur via VoIP, fax servers/gateways, and using email (although a newer fax machine is needed to receive an email-sent fax).

Advantages of Efaxing:

* Although Internet-delivered, the message is converted to a PDF file and so is less likely to harbor viruses.
* Faxes don’t get blocked by spam filters like email does.
* No busy signal with which to contend
* Faxes are natively encrypted and can’t be hacked or decoded. Emails on the other hand can be intercepted and read if not encrypted.
* Email and file attachments can be great for everyday communication but are not generally accepted for legal documentation because attached files do not provide a time-stamped image of a document.
* It’s easier to send large files through online fax than email because online fax does not fall under any file size caps put in place by email hosts.
* Paperless; can send multiple faxes simultaneously; no additional machine needed; can send and receive from anywhere with Internet access, with mobile phones and tablets.
* It goes to the email box of a computer, so it can get noticed faster.

Disadvantages of Efaxing:

* It has no inherent technology advantage over email, scanner, or graphic file formats.
* Scanner required to convert paper documents to digital.
* Computer of the receiver must be turned on.
* Document is no longer readable by computer applications.
* Monthly subscription fees to efaxing companies.
* Time-limited storage capacity.
* Switching from traditional fax machine to Internet fax machines can be problematic for some.

* Physicians, nurse practitioners, and others allowed to prescribe medications have traditionally used a pad to illegibly write out a person’s prescription. The person could then take it to a pharmacy to have it filled. Or lose it. Or copy it.
* The future seems to be Eprescribing, especially since the HITECH Act promotes adoption by defining eprescribing as one meaningful use of an Electronic Medical Record (EMR).
* Standards for transmitting, recording, and describing prescriptions have been developed by the National Council for Prescription Drug Programs, in particular the SCRIPT standard, which describes data formats.

* Adoption of e-prescribing technology has accelerated in the United States, in large part, due to the arrival of Stage 2 of meaningful use. One of the Stage 2 core measures is: "Generate and transmit permissible prescriptions electronically (e-Rx)."
* In order to meet this measure, practices must prescribe and transmit at least 50 percent of permissible prescriptions electronically.
* A June 2012 report from the National Coordinator for Health IT found that 48 percent of U.S. physicians use e-prescribing systems. National growth in e-prescribing over the period September 2008 through June 2012 increased over 40 percent, with individual states increasing adoption anywhere from 28 percent to 70 percent.

* The basic components of an electronic prescribing system are:
  * Prescriber - typically a physician
  * Transaction hub
  * Pharmacy with implemented electronic prescribing software
  * Pharmacy Benefit Manager (PBM)
* The PBM and transaction hub work closely together. The PBM works as an intermediate actor to ensure accuracy of information, although other models may not include this to streamline the communication process.

* A "qualified" e-prescribing system must be capable of performing all of the following functions:
  * Generating a complete active medication list incorporating electronic data received from applicable drug plan(s) if available
  * Selecting medications, printing prescriptions, electronically transmitting prescriptions, and conducting all safety checks using integrated decision support systems (safety checks include: automated prompts that offer information on the drug being prescribed, potential inappropriate dose or route of administration, drug-drug interactions, allergy concerns, or warnings of caution)
  * Providing information related to the availability of lower cost, therapeutically appropriate alternatives (if any)
  * Providing information on formulary or tiered formulary medications, patient eligibility, and authorization requirements received electronically from the patient's drug plan

* Review patients' current medication list and medication history information within the practice.
* Work with an existing medication within the practice; this can involve viewing details of a medication, removing a medication from the active medication list, changing the dose, etc., for a medication, or renewing one or more medications
* Prescribe or add new medication and select the pharmacy where the prescription will be filled.
* The information is then sent to the Transaction Hub, where information on the patient eligibility, formulary, and medication history/fill status is sent back to the prescriber.
* Patient-specific information capabilities (e.g., current patient medication list, access to patient historical data, patient identification)
* System integration capabilities (e.g., connection with various databases, connection with pharmacy and pharmacy benefit manager systems)
* Educational capabilities (e.g., patient education, provider feedback)

* E-prescribing offers clinicians a powerful tool for safely and efficiently managing their patient's medications. Compared to paper-based prescribing, e-prescribing can enhance patient safety and medication compliance, improve prescribing accuracy and efficiency, and reduce health care costs through averted adverse drug events and substitution of less expensive drug alternatives.
* This is of key importance because in 2000, the Institute of Medicine identified medication errors as the most common type of medical errors in health care.

* Benefits to Eprescribing:
  * Powerful tool for safely and efficiently managing their patient's medications.
  * Enhances patient safety and medication compliance
  * Improves patient safety and quality of care
  * Illegibility from handwritten prescriptions is eliminated, decreasing risk of med errors
  * Decreased time on clarifying phone calls
  * Reduced time faxing prescriptions to pharmacies
  * Automated renewal request and authorization
  * Increased patient convenience and med compliance
  * Better cost drug substitutions
  * Greater prescriber mobility
  * Improved drug surveillance/recall ability

* Limitations:
  * Costs associated with purchasing, implementing, supporting and maintaining such a system may be beyond the means of most small clinical practices, and noted to be one of the greatest implementation barriers.
  * Many underestimate the challenges pertaining to change management when transitioning from paper-based prescriptions to e-prescribing.
  * The inability to effectively use clinical decision support systems due to the erroneous triggering of pop-up alerts with ill-defined software.
  * Integrity of data input - accidental data entry errors.
  * Security and privacy errors/concerns
  * System downtime

‘I am not a case, and you are not my manager’

* If you’ve been doing addiction counseling for a while, you’re probably attempting to manage a fairly large caseload, and have spent more time than you like maintaining case files in a paper format.
* You go to the file drawer, look up the file (hoping you filed it alphabetically), and pull it out of the drawer.
* You open the file with a flick of the tab
* Do a quick review hoping you’re getting all the info you need for your next encounter with this person
* And BOOM! You’re off.
* You have to really hope that you’ve accessed everything you need, that you actually remembered to go back in and include the notes from the last encounter because you were too busy to last time, and that anyone else who has interacted with this person also included everything in the file.
* But this is the only way you’ve done it; it’s familiar…

* Imagine a complex puzzle. Imagine having to remember how each piece fits, over and over. And imagine that the solution to the puzzle is constantly changing. If you could feed all of that puzzle information into a computer program, you wouldn’t have to figure it out each time. Everyone who looks at the puzzle would know how to assemble it, the puzzle would be put together faster, and the chance for errors would be greatly decreased.

* Health history is like a complex puzzle. Every time you have to remember health information for doctors’ offices, insurers, emergency rooms, pharmacies, etc., it’s like trying to reconstruct a changing puzzle over and over again. Information that you have to repeatedly recall and write down is inherently inaccurate. No matter your age, your recall is not perfect.
* Take going to the doctor, for instance. The more doctors you see, the greater the chance of inaccuracy. With paper charts, each of your doctors may have slightly different information that they are basing your treatments on.

To quote one Harvard Medical School publication, "Such a structure [paper] is inherently costly to administer--the share of US expenditures devoted to administration is variously estimated at one-fourth to one-fifth of the health dollar."

* EMRs are changing the healthcare paradigm. Are you fighting the future?
* The successful implementation of an EMR allows a provider to operate on a new plateau. New-found efficiency includes:
  * Reduction of documentation time
  * Immediate access to patient data
  * Improved cash flow
  * Streamlined clinical work flow
  * Increased reimbursement
  * Detailed real-time aggregate reporting
* Inpatient facilities experience automated medication ordering and administration that drastically improve safety processes.
* Believe it or not, despite all the techno-garble, EMRs truly enhance quality of care and ultimately reduce the cost of care delivery.

* An EMR allows organizations to collect data only once. The impact of this on a once paper-based system is profound.
* A well-designed, EMR-based clinical work flow moves a patient through the preadmission, intake, treatment, and discharge processes without requiring data entry to be repeated.
* A major service to addiction treatment providers is group therapy: EMRs allow entry of group notes in a process that populates all group attendee notes with required documentation. Clinicians no longer are forced to hunt for all attendee charts or to open each chart to make the note.

* EMRs mitigate the risk of required or essential data being missing or buried within progress notes.
* EMRs require clinicians to collect important data elements prior to closing a document. This automated function allows for increased charting supervision without further human intervention, ensuring data will be complete and available when needed.
* The data can be used in standardized instruments to provide measurable outcomes.
* Clinicians ultimately view the EMR as a tool for their services, rather than as an obstacle.

Components of an excellent EMR:

Outpatient Front Desk Staff:

* Able to do fee collection, print receipt, and check in to group within one minute per client
* Check-in generates group roster and batch of auto-filled service notes for the clinician
* Easy scheduling function
* Able to quickly look up:
  * Client info by name, by client number, by health plan number
  * Client payer source
  * How much client owes, including co-pays
  * Dates of previous service episodes

Components of an excellent EMR (cont.):

Clinical Forms:

* Forms you use and/or State’s forms
* Easy to access and use
* Enforces the Golden Thread
* Information entered into the assessment automatically flows into the service plan, which feeds the service notes and discharge summary
* Automated documentation audit checks
* Documentation compliance reporting
* Automatic prompt for service plan and assessment updates
* Message sent to direct supervisor on non-compliant records (past due date, incomplete)

Components of an excellent EMR (cont.):

Clinical Audits:

* Able to easily call up files from a specific program and time period for internal audits
* Ease of access for county, state, federal, managed care, and CARF auditors
* Able to permission access to only those files auditors are allowed to see: permission by specific files, by program, by payer source, by time period.

Eprescribing:

* Integrated with the rest of the EHR
* Drug-to-drug interactions and allergy warnings

Components of an excellent EMR (cont.):

Billing and Revenue Management:

* Documentation linked to billing
* Eligibility verification
* Authorization management
* 837 Processing and 835 Remittance
* Billing suspense mechanism if billing does not meet standard criteria (billable diagnosis, exceeding pre-authorized limits, no service note, etc.)
* Able to talk with billing vendor
* Full billing reports by cost center, including aged accounts receivable report, 3rd party payments report

Components of an excellent EMR (cont.):

Reporting Capabilities:

* Utilization by program by month/year by payer source
* Outpatient Show/No Show by individual session, by group, by clinical contact, by clinician
* Length of stay
* Productivity report by clinician by month/year
* Productivity report by cost center by month/year
* Case load report by clinician and by program
* Referral source by program by month/year by payer source
* Reports linked to charting capability
* Able to easily create/write new reports

Components of an excellent EMR (cont.):

Scheduling:

* Outpatient:
  * View multiple schedules in the same window
  * Rapid scheduling of reoccurring events like groups
  * Color coding to easily see openings, appointments, and tentative schedules
* Residential/Detox:
  * Current clients admit, planned discharge date, actual discharge date
  * “White board” for scheduled clients, by payer group

Technology:

* Cloud based
* Certified as meeting meaningful use criteria

Components of an excellent EMR (cont.):

Cost Accounting:

* Cost Center
* Type of Staff
* Service Class
* Program
* Individual/Group
* Staff
* Type of Service
* Client
* Hourly, monthly, and annual

Components of an excellent EMR (cont.):

Implementation & Training:

* Includes structured training and implementation plan
* At least initial training and follow-up training for all staff
* Help desk functions: FAQ’s, tutorial, on-line training, monitored users group
* Training plan for new staff
* Plan for uploading current database

Expense:

* Initial Installation and Training Expense
* On-going charges
* Lost productivity
* Hardware costs
* Disruptions in billing

* Telemedicine is the use of telecommunication and information technologies to provide clinical health care at a distance.
* The definition sometimes includes all aspects of healthcare, including preventative care, while other definitions use it for clinical services only.
* Sometimes referred to as “telehealth” or “eHealth.”
* These technologies eliminate distance barriers and can improve access to services that might not otherwise be consistently available.
* Permits communications between patient/client and staff with both convenience and fidelity as well as allowing the transmission of medical, imaging, health informatics data from one site to another.
* A growing number of HIPAA-compliant technologies are available.

* The use of telemedicine can assist in reducing such barriers as:
  * Clinician shortages
  * Misdistribution of providers
  * Rural/urban underserved populations
  * Aging population
  * Travel time, cost, and hardship
  * Delayed treatment
  * Language barriers
  * Clinical education programs
  * Administrative meetings

* For the person receiving counseling services, this can mean:
  * Reducing barriers to access
  * Reducing delays in receiving services
  * Able to stay in touch briefly and frequently
  * Increase positive healthcare outcomes
  * Can take a more active role in their recovery
  * Able to attend online 12-step and other meetings

* For the A&D Professional, telemedicine can:
  * Make themselves more available to clients at different hours
  * Increase efficiency
  * Reduce delay in providing services
  * Increase the number of positive outcomes
  * Receive ongoing training and education
  * Allow counseling to multiple locations

* Potential barriers:
  * Telecommunication Costs
  * Telecommunications training
  * Clinicians not championing distance counseling
  * Clients not having proper equipment
  * Might not be convenient
  * Program sustainability
  * Interstate licensing
  * Potential PHI compromised via electronic storage and transmission

* Not only does your data fall under HIPAA regulations, it also falls under 42 CFR, Part 2, which we will cover in a session tomorrow. If it’s digitized, it also falls under 21 CFR, Part 11.
* 42 CFR, Part 2, covers records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any program or activity relating to drug abuse, alcoholism or alcohol abuse education that is conducted, regulated or assisted by the Federal government; these records must be confidential.
* 21 CFR, Part 11, covers the security and validation of a healthcare entity’s data system using and storing Personal Health Information (PHI).
* We will be covering 42 CFR, Part 2, in a session tomorrow, so let’s look at 21 CFR, Part 11.

* The FDA regulates 21 CFR, Part 11.
* In 2006, the FDA did about 4200 inspections worldwide and sent out 500 warning letters
* It sued many companies
* It was sued by many companies
* The FDA loses approximately 50% of all suits in which it engages concerning 21 CFR, Part 11, so it doesn’t necessarily like to go to court

What has been happening:

* Increased FDA inspections
* Increased use of electronic signatures
* Increased use of hybrid systems
* Confusion leading to too much/inappropriate validation
* Replacement of legacy systems
* System not in use today or not validated to today’s standards
* Increased security
* Industry standards for 21 CFR, Part 11, have evolved

You need to be aware of:

* Code of Federal Regulations (CFR)
  * Published by the Government Printing Office and in the Federal Register
  * They are equal to federal laws
  * They take a long time to create or change
* Court rulings
  * Interpretations change over time
* Guidance documents
  * Not binding
  * More specific than regulations
  * Do not specifically detail regulations
  * May actually differ from regulations

For an entity’s compliance:

* There needs to be SOPs
* Policies
* Work instructions
* All must be controlled documents
* Companies must adhere to their own documents even more than the federal regulations

What triggers an FDA inspection of an entity’s system:

* Part of a regularly scheduled inspection
* Insufficient validation documentation
* Failures
* Problems with similar systems at other companies
* Attitudes
* Complaints
* Use of electronic records, including hybrid systems
* Electronic submissions

Part 11 compliance has an excellent return on investment (ROI):

* Cost of compliance is low compared to costs for potential losses; Allows for Disaster Recovery
* Reduces labor costs by increasing employee efficiency and effectiveness
* Cost of compliance saves money by making the organization more productive
* Use of eRecords is less expensive than the use of paper records: creation, organization, searching, retention…
* Use of eSignatures is much more secure than handwritten signatures

* Electronic Records can be used in place of paper records provided they are trustworthy and reliable.
* All electronic data is an electronic record. “Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” Subpart A 11.3
* Part 11 applies to newly installed and existing legacy systems. There is no “grandfather” exemption.
* If it isn’t documented it didn’t happen!
* Interpretation is based on industry standards

Security: Current Concepts:

* Authentication: fraud - you are not who you said you are.
* Authorization: unauthorized access - you should not have access because you have not been granted access.
* Privacy: observation and snooping - someone can see what you are working on.
* Data Integrity: Alteration - someone has changed the data.

Security Threats:

* Natural disasters: hurricanes, floods, earthquakes, tornadoes, lightning…
* Environmental: long-term power outages, accidents, fire…
* Hacker-Cracker
* Terrorist
* Industrial espionage
* Insiders

Security Threats—Motivations:

* Unintended mistakes
* Challenge
* Ego
* Rebellion
* Monetary
* Revenge
* Blackmail
* Exploitation

Security Threats—Results:

* Destruction
* Improper Disclosure
* Alteration
* Regulatory
* Legal
* Negative publicity
* Highly expensive

Security:

* Access limited to authorized individuals (roles and privileges defined by data owners)
* No users with “God” role, no IT people with user system administrator role
* Password minimum length (8 characters)
* Password makeup requirements (no words in dictionary, alphanumeric)
* Password change frequency (90 days)
* Password reuse frequency (1 year)

Security (cont.):

* Passwords are not displayed when entered (shown as **)
* Passwords are not remembered by browsers and applications
* Password only known by individual user, not shared
* Password encryption (upon entry, storage)
* Password cannot be copied and pasted
* Passwords are not emailed or written down
* Temporary passwords are unique
* Temporary passwords must be changed at next login
* Temporary password expires (24 hours)

Security (cont.):

* User name appears on screen
* User name is unique
* User name identifies a person, not generic
* User name is not deleted, just inactivated. Therefore, it cannot be reused.
* Automatic logout after inactivity (10-20 min)
* OS screen saver with password (10-20 min)
* Auto lockout after too many failed login attempts; email notification to system administrator/security staff (3-5 attempts)
* Logging of all user access activity; login, logout, lockout
* When logging into a system from a second location both users are notified

Security (cont.):

* Auto lockout of inactive accounts (30 days)
* Last login displayed when logging in
* The network is secure with respect to user access, Internet access, malware protection, and physical security
* Removable media, including laptops and PDAs, have confidential data encrypted
* Device checks confirm that once data starts from a device, another device doesn’t take over

Data Transfer:

* Limited and controlled delete capabilities
* Data transferred outside of the intranet firewall is encrypted
* Data taken off site is encrypted (laptops, removable media)
* The system must include operational system checks to enforce correct sequencing of events and validity of input data
* Date format dd-MMM-yyyy (10-Jan-2015)

Audit Trails:

* Audit trail records the creation, modification, or deletion of electronic records
* Record user name, date, time, previous data, new data, and reason for change (if required by predicate rules)
* Users can access audit trail
* Indication of changed data is known to the user by on screen indication, not just in audit trail
* All computers must be synchronized to a standard time source
* Application aware that data integrity has been compromised; database encryption, record checksums, backend changes written to audit trail.
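
An added example, not part of the original presentation: a minimal Python audit trail that records the fields listed above and uses record checksums so the application can tell when an entry was changed behind its back. Chaining a keyed checksum (HMAC-SHA-256) from each entry to the next is a design choice made here; the class, field names, key and sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

ACTIONS = {"create", "modify", "delete"}


class AuditTrail:
    """Append-only audit trail; every entry carries a keyed checksum chained to the previous one."""

    def __init__(self, key: bytes):
        # Assumption: the key is kept outside the database (for example in a
        # secrets store), so someone editing rows directly cannot recompute checksums.
        self._key = key
        self.entries = []

    def _checksum(self, body: dict) -> str:
        # Canonical JSON so the same content always produces the same checksum.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, user, action, record_id, previous, new, reason=None, when=None):
        """Append one entry: user name, date/time, previous data, new data, reason."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if action != "create" and not reason:
            # Assumption: the predicate rule requires a reason for every change.
            raise ValueError("a reason for change is required for modify/delete")
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "user": user,
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "action": action,
            "record_id": record_id,
            "previous": previous,
            "new": new,
            "reason": reason,
            "prev_checksum": self.entries[-1]["checksum"] if self.entries else "",
        }
        entry = dict(body, checksum=self._checksum(body))
        self.entries.append(entry)
        return entry

    def first_bad_entry(self):
        """Return the position of the first entry that fails verification, or None."""
        prev = ""
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "checksum"}
            intact = (
                body.get("seq") == i                      # nothing removed or reordered
                and body.get("prev_checksum") == prev     # chain is unbroken
                and hmac.compare_digest(entry.get("checksum", ""), self._checksum(body))
            )
            if not intact:
                return i
            prev = entry["checksum"]
        return None


def demo():
    """Constructed sample: three entries, then a simulated backend edit of the second."""
    trail = AuditTrail(key=b"constructed-demo-key")
    t = datetime(2015, 1, 10, 14, 30, tzinfo=timezone.utc)
    trail.record("jsmith", "create", "note-17", None, {"status": "draft"}, when=t)
    trail.record("jsmith", "modify", "note-17", {"status": "draft"},
                 {"status": "signed"}, reason="clinician sign-off", when=t)
    trail.record("mlee", "delete", "note-17", {"status": "signed"}, None,
                 reason="duplicate record", when=t)
    before = trail.first_bad_entry()
    # Simulated change made directly in storage, bypassing record().
    trail.entries[1]["new"] = {"status": "draft"}
    return before, trail.first_bad_entry()


if __name__ == "__main__":
    print(demo())
```

The chain detects edits, removals and reordering of stored entries; removal of the most recent entries is only detectable if the latest checksum is also kept somewhere the database administrator cannot change.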
