Oct
07
2014

As I sit in my home office with the security icon blinking on the screen of my company-issued laptop, it dawns on me how much nearly every profession relies on remote communication.

From banking, to education, and even to matchmaking, people use technology to communicate with others near and far, often making life changing decisions at a distance. The benefits of remote communication include overall efficiency, time savings, money savings, and widespread information accessibility, all of which are desirable factors in the provision of healthcare services. In fact, such benefits are magnified in the context of healthcare, where patients are often unable to travel due to a fragile physical state, and are greatly concerned about costs with what seems to be a flood of medical bills.

So, at a time when remote communication has become an indispensable part of the way our society operates, why is the healthcare industry so slow to adopt telemedicine?

Part of the reason for slow adoption may be that patients are reluctant to make critical health decisions without having an in-person examination by a professional. However, I think the true reason for slow adoption is all about: “Regulation, Regulation, Regulation.” I make the triple incantation in the same way my realtor does when she says “Location! Location! Location!” to emphasize the importance of regulation in the adoption of telemedicine. The three major barriers to adoption at this time are: (1) physician licensure (2) the definition of telemedicine (3) Reimbursement for telemedicine services.

Let’s tackle them one at a time.

Physician Licensure

To begin, it’s important to understand that the regulation of telemedicine services depends on the state where the patient is physically located, not where the healthcare provider is originally licensed. For example, if the world’s leading kidney transplant surgeon is licensed to practice medicine in Utah, and wants to perform a video consultation for a patient who lives in California, the surgeon would be unable to do so without first obtaining a California medical license. Although telemedicine regulations are created to protect patients, they often have the opposite effect by creating barriers to the delivery of high-quality care.

Here’s a look at a few state variances in licensure requirements:

  • California and Florida—require a physician to hold a full-unrestricted license to provide telemedicine services to patients within their state
  • Minnesota, Texas, and Alabama—created unique, shorter, and less expensive telemedicine licensing processes

In an effort to promote communication and unity among states, the Federation of State Medical Boards (FSMB), who I like to refer to as my “Superheroes,” (for their tremendous contributions in the telemedicine world) published their Interstate Medical Licensure Compact on May 5, 2014.The proposal envisions an interstate compact for telemedicine, which would establish an abbreviated licensing process for physicians in participating states who have held a full-unrestricted license for at least five years, without any disciplinary or legal action on their record. Such a compact would be immensely helpful in removing the hurdles that providers face in delivering their services outside of their home state.

Defining Telemedicine

Developing a clear definition of telemedicine is critical for identifying the types of services and reimbursements that are available to patients. Yet telemedicine definitions vary substantially from state to state, making it difficult for providers to track state variances. But worry not my mHealth minions, the Superheroes have come up with a plan to address this aspect of telemedicine too.

On April 26, 2014, the FSMB published their Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine. The Model Policy is a guiding document for states in the creation of their own telemedicine laws. According to the Model Policy:

“…telemedicine is not an audio-only telephone conversation, e-mail/instant messaging conversation, or fax. It typically involves the application of secure videoconferencing or store and forward technology to provide or support healthcare delivery by replicating the interaction of a traditional, encounter in person between a provider and a patient.” ii

Limited to specific technology—The definition excludes audio-only, phone, and e-mail consultations, which doesn’t account for people who don’t own computers, or who own computers without video capabilities. It also doesn’t definitively take into account technology such as e-prescribing and secure messaging.

Ambiguous in its discussion of care delivery methods—The definition accepts both real time and store and forward technology for care delivery, but doesn’t emphasize the importance of making both options available to patients and healthcare providers.

As to the second point, there are still certain regulatory bodies that limit the definition of telemedicine to real time-only communications. Even the Medicaid.gov website states that telemedicine is the “two-way, real time interactive communication between the patient, and the physician or practitioner at the distant site.”

So what exactly is store and forward technology, and why should states require its acceptance?

Store and forward technology temporarily stores data in an intermediary location until the receiving party is ready to view the stored message, at which time the transmission is retrieved and the data (audio, photo or video) is displayed.

As telemedicine becomes more widespread, secure messaging will play a role in connecting primary care physicians, specialists, and patients. Imagine developing an embarrassing rash on your face in your 9 a.m. meeting in Maryland, taking a photo with your phone, sending the photo to your dermatologist in Virginia through a secure messaging application such as Akario Backline, the doctor viewing the photograph through the application, and the doctor quickly issuing and sending an electronic prescription for a topical cream to your local pharmacy—just in time for your lunch break! Phew!

In this scenario, and countless others, store and forward technology is much more convenient than having to schedule a real time consultation. Of course, doctors are still responsible for gathering all of the necessary information to treat the patient to the best of their ability. If a photograph or video is unclear, the doctor can still ask for a real time video consultation, or even ask to have the patient come to their office in person. Telemedicine should be defined clearly, and cover all existing and potential future technologies that could benefit patients, and doctors.

Reimbursement for Telemedicine Services

The process of defining telemedicine is closely linked to another sticky subject…money. In the words of the legendary Pink Floyd, “money, so they say, is the root of all evil today.” In this case, I wouldn’t say that it is the root of “all evil” per se, but reimbursement regulations do create challenges for patients and doctors.

There are states that prohibit federal reimbursement of services administered through telemedicine, other states that allow for limited reimbursement, and a handful of states that require telemedicine services to be reimbursed in the same manner as services provided in person. The following examples demonstrate the differences between neighboring state reimbursement laws:

  • Idaho—Reimbursement is available only for mental health and developmental disabilities services. A state like Idaho, which is not populated with much other than potatoes, needs to expand its very limited scope for reimbursement of telemedicine services to provide care to people in rural areas
  • Washington—The law in Washington does not require private insurers to cover telemedicine services at this time
  • Montana—Telemedicine services are treated like all other services for purposes of reimbursement since January 1, 2014iii
  • Oregon—Private insurers must pay for services delivered telemedically the same way they would if the service was delivered in personiv

Preferably all states would follow Montana and Oregon’s examples, but some are not ready to fully commit. One such state is Arizona which has taken a step in the right direction but has not fully committed to the idea of telemedicine.

  • In 2013 Arizona passed a law that requires private health insurers to cover health care services provided through telemedicine, but only in rural areas, and for a small scope of issues, including trauma, burns, cardiology, infectious diseases, mental health disorders, neurological diseases including strokes, and dermatologyv

The barriers that I’ve examined in this post can be remedied through state cooperation and acceptance of real world patient care needs. The antiquated idea that telemedicine is merely a way to bring medical services to rural communities should be discarded. Telemedicine along with the various technologies that have been developed to deploy it, are powerful tools that should be used to benefit patients and doctors.

More importantly, state regulatory bodies must realize that any protections their laws afford by forbidding or limiting telemedicine services, are outweighed by the expertise and level of care patients can access when their potential pool of healthcare providers is exponentially expanded through telemedicine. As with any service, when the consumer has easy access to different sources of information, and more options to choose from, the competitive environment between service providers facilitates a higher overall level of the provision of that service. In the healthcare world this translates to better patient outcomes through the more efficient information exchange between patients and providers, as well as between providers and their colleagues.

So, next time telemedicine calls to say hello, accept the call and embrace the possibilities!


ihttp://cms.fsmb.org/Media/Default/PDF/Advocacy/Interstate%20Compact%20DRAFT%20%28May%205%202014%29.pdf

iihttp://www.healthandwelfare.idaho.gov/Portals/0/Providers/Medicaid/TelehealthPolicy.pdf

iiihttp://leg.mt.gov/bills/2013/sb0299/SB0270_1.pdf

ivhttp://www.ortelehealth.org/content/oregon-private-payer-reimbursement

vhttp://www.azleg.gov//FormatDocument.asp?inDoc=/legtext/51leg/1r/bills/sb1353h.htm&Session_ID=110 

About Vlada Barlow:

Currently serving as Associate General Counsel, Ms. Barlow has been with DrFirst since 2012. A graduate of the George Mason University School of Law, Ms. Barlow practices in the areas of technology and healthcare law, with a focus in healthcare regulation, business development support, risk management, and contract negotiation. Ms. Barlow is a member of the Association of Corporate Counsel, as well as the American Health Lawyers Association, and enjoys attending various tech start-up events in the Washington, DC metro area.

Find all posts by Vlada Barlow

Add a comment
Oct
03
2014

Mandatory Electronic Prescribing Effective March 27, 2015

This is the headline that jumps off of the page on the New York Bureau of Narcotic Enforcement’s (BNE) website, and March 27 is the drop-dead date, no ifs ands or buts. March 27 is only 169 days away, and all physicians, with few exceptions, must go paperless for both legend and controlled substances.

Ever since the BNE adopted state regulations for mandatory electronic prescribing back in early 2014, prescribers have questioned whether or not they need to comply.

Let us assure you, from all our discussions with customers and providers, that all New York practitioners are required to comply with the law and begin electronically sending all prescriptions.

Time’s running out, so if you are not electronically prescribing, now is the time to find a solution that will enable you to e-prescribe both legend and controlled substances. If you don’t have controlled substance e-prescription capability, we suggest you contact your point-of-care vendor (EHR, EMR, eRx company) as soon as possible to find out their plans for supporting all of your electronic prescribing needs.

If your point-of-care vendor doesn’t offer electronic prescribing of controlled substances (EPCS), and many don’t, you should evaluate vendors that do offer EPCS functionality. Surescripts has a list of approved vendors for EPCS as well as legend substances. Of course, DrFirst offers legend drug e-prescribing through its Rcopia® platform and EPCS e-prescribing through its EPCS GoldSM 2.0 software and we encourage you to consider this companion solution.

You may be wondering why so few vendors support both legend drug and controlled substance e-prescribing; it is incredibly challenging to develop a solution that meets the DEA’s requirements for EPCS. Not all vendors are able to meet this bar along with all the other competing priorities such as adding the features needed for Meaningful Use.

Once you’ve gone through the necessary steps to confirm that your current point-of-care vendor has EPCS functionality, found a new vendor, or for some, go paperless for the first time, you will need to complete the following:

  1. Go through the identify proofing process
  2. Receive your two-factor authentication
  3. Gain “access” to use your EHR or e-prescribing solution for EPCS (this is a specific process required by the DEA
  4. Contact the BNE and send them the paperwork
  5. Send a prescription for a controlled drug to an EPCS-enabled pharmacy

Per the I-STOP regulation, all prescriptions must be electronically sent beginning March 27, but if you have a solution now, begin sending all your prescriptions electronically so it becomes a habit, and keep in mind:

  • Check the PMP before you prescribe
  • EPCS prescriptions may only be processed for one patient at a time, per the DEA rules
  • Faxed prescriptions will be invalid after March 27
  • You may keep paper prescriptions in your office for out of state prescriptions or in the case of a network failure (NY state paper prescriptions are limited to a 5-day supply after March 27)

ONE LAST POINT: Time is of the essence, remember that this is a process.

Look for our next blog where we’ll provide more detail on the provider process and requirements for EPCS in NY.

About Michelle Soble-Lernor and Peter Kaufman:

Find all posts by Michelle Soble-Lernor and Peter Kaufman

Add a comment
Sep
19
2014

Increasingly provider compensation and penalties are associated with the quality of care they deliver to their patients and whether those patients heed their advice. Although there is not a quick fix formula to ensure a patient complies with provider guidance, strategies exist to enhance patient engagement and accountability.

Strong patient-provider relationships are associated with better health outcomes (a key focus of the impending Meaningful Use Stage 3 requirements), reduce unnecessary healthcare expenditures, and decrease risk for malpractice claims. Minimizing a provider’s time to support patients between office visits is also important. This often requires the use of 3rd party evidence-based tools and resources.

So how does a provider enhance communications with their patients?

1.  Build Patient Rapport

Some patients may feel uncomfortable sharing their concerns with a provider for lack of understanding, cultural variances with respect to authority figures, or uncertainty about what information is important or necessary to enhance their healthcare experience. As a provider, asking questions to understand the patient health literacy level, personal concerns & behavioral barriers, lifestyle, and other factors will help to guide how you can best deliver information and support. In turn, over time, this communication strategy will create an environment that facilitates an open dialogue and partnership with your patient.

2.  Gather Patient Information

Cultural factors may influence how a patient defines their health status and what limitations/barriers exist to improving self-management of disease. It is important to dialogue with patients to better understand both their health literacy as well as perceived challenges. Equally important is understanding what will motivate patients can vary significantly from patient to patient. The process of neuro-associative conditioning whereby providers can help influence positive behavior by helping patients establish positive anchors for goal achievement (i.e. improving ones health to experience a grandchild’s graduation). Helping patients establish other lifestyle goals is also important to benchmark short-term progress, such as engaging in regular exercise, improving one’s diet, setting goals to eliminate from their regimen over time, etc.

3.  Engage Early

Patients are more impressionable at the time they are diagnosed with a disease or condition versus months and/or year later. Engaging patients early creates the catalyst for a “Teachable Moment” and can have a greater and more sustainable impact on their personal health.

4.  Create an Action Plan

Once you have agreement on the current health status and behavioral motivations & anchors, providers can be better informed to communicate a desired action plan. What are the three to five actions, habits, etc. that patient can do between office visits to help them achieve their health goals? If there are opportunities for quick wins, include them on this list. Acknowledge their successes towards achieving these goals as this will help to build a partnership between the patient and the care team. Whenever possible, help the patient make the connection between their behavior change and the achievement of their goals.

“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.”

Taking a bit of time from the point of encounter to give your patient tools, support, and resources that are culturally relevant and sensitive to their current life stage will help them to be more engaged in their healthcare experience and ultimately protect your financial bottom-line.

About Maria Barhams:

Ms. Barhams joined DrFirst in 2014 as the director of population health after beginning her career at the National Institutes of Health (NIH) as a fellow in 2007. In her public service capacity, she leveraged her background in biology and public health/health services administration in various analyst, administrative, intramural, and extramural functions across the NIH. Most notably, Ms. Barhams supported the revision of clinical guidelines and risk stratification of a rare disease affecting patients with compromised immune systems. These guidelines were later adopted and published by the American Academy of Neurology. Ms. Barhams is passionate about public health and the rapid diffusion of evidence from research into real-world clinical settings to improve patient outcomes and reduce disparities. In her capacity at DrFirst, she supports the realization of this vision via DrFirst's technology solution, Patient Advisor.

Find all posts by Maria Barhams | Visit Website

Add a comment
Aug
26
2014

Several years ago, we embarked on a journey that no other health IT company had taken to date: we participated in a study that dramatically shifted the e-prescribing landscape by adding controlled substances as a capability. I am happy to share that the Agency for Healthcare Research and Quality (AHRQ) released a video about the three-year project.

I’ve talked about our work to bring e-prescribing of controlled substances to market and the current state of the industry in previous blog posts and videos, but I wanted to get into some of the details that surrounded our AHRQ-funded study in Berkshire County, Massachusetts in this post.

Study Background

The DEA issued its Interim Final Rule on electronic prescribing of controlled substances in 2010. Several years before the ruling, we laid the groundwork for electronic prescribing of controlled substances in Berkshire County through an AHRQ-funded study. I had met Donald Burt, MD, a physician at Berkshire Health Systems (BHS), who highlighted some of his grievances with the inability to send controlled substance electronically, which included:

  • Using two systems for prescribing was nonsensical and resulted in disrupted workflow
  • Not only were handwritten prescriptions time consuming, they also put him and other physicians at risk for tampering and diversion
  • Berkshire County had a huge prescription drug abuse problem, exacerbated by an inability to track medications sent. In fact, BHS was funding its own program to monitor all controlled prescriptions

His grievances were not uncommon for physicians then, and today.

The project started to come together when I got Grant Carrow PhD on board. I approached Dr. Carrow, who became the Principal Investigator, to participate in the study because I was impressed with his understanding of the issue as well as his academic background.

At the time of the study, Dr. Carrow was also Director of the Drug Control Program for the Massachusetts Department of Public Health (MDPH). When Dr. Carrow and MDPH agreed to get involved, they put together a high-quality, academically complete project. Dr. Carrow was also instrumental in bringing both BHS and Brandeis University into the study. I am thankful to Dr. Carrow, as his work helped us get AHRQ funding. Other partners included pharmacies, the DEA (who provided a waiver), AHRQ, and Emdeon, the e-prescribing network that transmitted prescriptions between DrFirst and the pharmacies.

Spearheading Industry Transformation

Some people might want to know why we chose Berkshire County to do a pilot study. What better place to do a study on e-prescribing controlled substances than somewhere with a prescription drug abuse problem? Since DrFirst was already communicating with the DEA about possible solutions to e-prescribing of controlled substances, I received the green light from the DrFirst executive team. I then began gathering a team to participate in the study. You can learn more about the project by watching the AHRQ’s video:


 VIDEO: AHRQ Highlights Pioneer Electronic Prescribing of Controlled Substances Study

I hope you enjoy the video, and please feel free to share your thoughts in the comments section.

Where We Stand: E-prescribing of Controlled Substances Today

We’ve come a long way, but we’re still not at 100% of providers sending, and pharmacies accepting, controlled substances. So, where do we stand now?

  • Over 40% of pharmacies nationwide accept controlled substance e-prescriptions
  • 49 U.S. states have now legalized controlled substance e-prescribing
  • New York’s I-STOP deadline March 27, 2015; The law mandates controlled substance e-prescribing

For more information on controlled substances e-prescribing read our The Evolving Landscape for Electronic Prescribing of Controlled Substances white paper.

The AHRQ’s video reminds me, at a time when controlled substance e-prescribing is gaining momentum, of the real transformation we spearheaded and continue to foster.

About Peter Kaufman:

Schooled at MIT, Dr. Kaufman nurtured a strong interest in medical informatics while a Bowman Gray School of Medicine faculty member. After entering private practice he founded PiNK software in 1996 to produce EMR software, later becoming DrFirst’s chief medical officer upon its founding. He lectures nationally on various healthcare IT topics, and as a board certified gastroenterologist, he continues a limited clinical practice. Dr. Kaufman is a member of the Health IT Standards Committee, Privacy and Security Workgroup for ONC (Office of the National Coordinator for Healthcare Information Technology). Representing the American Gastroenterology Association’s (AGA), Dr. Kaufman is a delegate to the AMA and was the co-chair of the Physicians Electronic Health Record Consortium (PEHRC). He has participated on workgroups at CCHIT (stand-alone e-prescribing), HIMSS (e-prescribing), and NCPDP (e-prescribing).

Find all posts by Peter Kaufman | Visit Website

Add a comment
Jun
27
2014

Recently, a colleague and I were talking about how times have changed. My colleague is a physician, recently retired from private practice, though he continues to see patients part time in a teaching environment. He is a key individual who has been and continues to be instrumental in the development of several healthcare IT standards nationwide, and a number of key processes within DrFirst. As usual, our discussions provided me with a valuable insight. “I remember a time, not that long ago,” he told me, “when the only identity proof required by a provider could be found on a wall. My medical school diplomas and post graduate board certifications hung on my office wall for many years, and it was one of the first things patients noticed on their first visit. It was the only identity they cared about, or needed — for at least the average person.” Unfortunately, in today’s complex and interconnected healthcare environment, such a straightforward and seemingly pristine approach is obviously insufficient. Providers must prove their identity and supply credentials outside of their person to person interactions with patients and peers, and often to computer systems, large organizations and professional licensing bodies that require more rigorous and repeatable identity proofing and credentialing processes.

As I have discussed in prior blog posts, the establishment of identity is not a straightforward process. The strength of the assertion about who someone really is and how we connect that assertion to a mechanism or “credential” by which that person may access information, can be fraught with both complexity and mundane redundancy. The process used to establish the identity, irrefutably and irrevocably attach it to a trusted attribute or credential for proof, and then test that credential reliably and without disruption. Once completed, all combine to define the usefulness and “strength” of the identity. When, as an industry, we began to utilize electronic medical records systems, we also created a correspondingly electronic need to restrict and control the means of access to, and security, and distribution of, private medical information, a.k.a. “Protected Health Information” or PHI as defined in the Federal HIPAA Privacy rule over 10 years ago.

This might have been made easier if there was such a thing as a central system in use by all providers. However, such a daydream is long behind us. Despite congressional reluctance to authorize a national patient identifier, we have seen a bit of progress with the establishment of a “National Provider Identifier.” This at least offers a workable though not perfect substitute for the much misused and abused DEA number, originally and exclusively intended to manage the prescription of Controlled Substances. However as an industry, we have spent the better part of the past 30 years envisioning new, improved and ever expanding computer systems and software applications to digitize and manage patients’ medical records. The goal is to more efficiently deal with the explosion of healthcare specialties and services dealing with an increasingly mobile population. Nevertheless, in the current environment, a practicing hospitalist or a physician on multiple clinical staffs may be forced to utilize as many as five or six separate, individual, and mutually exclusive computer systems, each of which independently sets and maintains identity controls and processes for on boarding, including periodic re-assessment. This creates a very heavy burden on everyone involved: the IT department, organizational management, and of course the provider.

What is an identity exchange?

In order to remove the burdens caused by the level of redundancy in on boarding across health care IT systems, we need to separate and consider distinct the three basic components of access: identity, credential, authority. In previous blog posts, I have introduced this requirement as a central component to solving this vexing problem. This blog post will examine the first of those components necessary to establish a secure, reusable, inexpensive framework from which we can begin to repair the current situation.

An identity exchange is a service that creates reusable assertions that might be called upon to identify an individual reliably and inexpensively. Unlike other existing exchange models in practice today, an identity exchange is a set of services, offered under a Trust Mark, that only establishes an identity using one or more knowledge based authentication (KBA) methods or using other established forms of identity proofing. An identity exchange is not meant to provide system access or to evaluate credentials. Its use culminates in reusable assertions that are marked according to their method, level of assurance, origin, provenance, and date of establishment. Subsequently, the assertion itself is bound to some reusable attribute that may be either chosen by the individual or signed by a third party, but is nonetheless unique and durable. It is vital that the resulting identity is thoroughly defined and documented according to accepted guidelines and that it be re-testable, according to a predefined schedule, to assure that it hasn’t changed after it was created.

Most importantly, though, an identity exchange serves one major purpose: to prevent the need to reestablish identity each time a person establishes contact with a new application or system, often characterized as “the relying party.” Since the management of a person’s identity is kept separate from the management of the credentials and the use of those credentials to gain access to particular system assets, it can be considered durable. The identity is not subject to change as access rules or authority change over time. A person’s identity remains intact regardless of how that identity is treated or considered over time. For example, if you are the person known as “Dr. John Public,” and have proven this fact to some level of assurance — within some trust framework’s definition, this fact may be held within the repository of an identity exchange. Doing so will enable applications to leverage this fact repeatedly, rather than cause you to reproduce it on demand each time it is needed.

Now, if the “Exchange” allows you to associate this identity (and the fact it was rigorously proven) with an attribute of your choosing, we can establish a straightforward “index” or “seed” to your identity. The exchange must also protect this index against duplication or use by anyone else. Once claimed by a user, it is irrevocably theirs. For purposes of discussion, let’s call that index attribute “unique name” and for this example, let’s say you set your unique name to “Tiger1234January.” Effectively, that unique name value would be associated with your identity and called upon in order to recall the circumstances under which that identity was proven and the date that that identity might expire. Applications wishing to start a process with the identity exchange would pass the “Tiger1234January” value to the exchange as a means to identify who they were attempting to validate. This is not a proxy for username, as it is the credential, not the unique name that effectively completes this validation. Knowing the value would only start the process, not define a key. If it alone were shared or compromised, there would be no loss of system integrity.

The identity exchange does not grant you access to an application, nor does it validate a credential in order to prove that the entity requesting access is in fact the person who has been given authority to do so. This is where many people get confused. An identity exchange is meant to play a very singular role, and requires that the application performs access management, and that the credential is separately validated through a distinct and different function apart from the identity exchange or the application itself. All three functions must be working together to grant access.

So you may be wondering why I feel it is so important.

Consider that “Identity” gives meaning to access granted by an application. It would be little use to an application administrator if it were impossible for him to associate a human with the authority he is enabling. By giving Dr. John Public access to key information, the application administrator is cognitively associating the person he knows as Dr. John Public with whatever credential he thinks identifies John. However, he is not the only one doing so. The application administrator’s use of an identity exchange releases him and others like him from the responsibility to determine who John actually is, and to make certain that John is not impersonated. It’s also very important to remember that the application or relying party can require its own proprietary policy that must be satisfied by the Identity Exchange steps prior to granting access rights. Consequently, these assertions can be made more formally, rigorously, and with greater levels of assurance, since they will be done only once. This strengthens the security of all systems.

Furthermore, once the relying party’s policy requirements are satisfied, its applications no longer have the need to associate human beings with access controls; they no longer have to store information that can be co-opted in the process of compromising those controls. Remembering that identity, access, and credentials will now be three separately managed processes, there will no longer be a single target for any nefarious individual wishing to fraudulently gain access.

This sets the stage for the emerging standards related to a general need to strengthen identity and credential management in healthcare. Recently, discussions at the IDESG, NSTIC, ONC, and related subcommittees have considered the need to begin a mandate that all healthcare related systems adhere to NIST LOA 3 standards at a minimum. This would effectively mark the end of usernames and passwords for healthcare system access, and will rely instead on more sophisticated credentials and processes to establish identity and associate it with an appropriate credential for each user. While this might be some time coming, it is most certainly more imminent with each breach we hear in the news, and for every person’s privacy that gets compromised either through carelessness or some fraudulent act.

Regardless of this movement, it may be inevitable that providers and their staff be issued multiple credentials for the foreseeable future. However, if we are to establish the level of security necessary to safeguard our information assets in healthcare, and if we are called upon to raise the implementation to one with more rigorous identity controls, an identity exchange will be vital and indispensable to making the entire process tenable for IT, administrative organization, and the providers themselves. Reducing redundancy and identity definition is a crucial step to the acceptance of more rigorously defined identities for providers and their staff.

How would it work?

In short, the identity exchange would amalgamate multiple identity sources, some of which may be emergent at the moment. That is, the traditional identity proofing resources (credit bureaus, information databanks, government entities, etc.) will continue to play a role. However, new resources may also play a role, and include other technologies, possibly even low tech or no tech approaches. It is possible that a combination of social media, and referred identity (the fact that if a large number of already trusted people can agree collaboratively that “Dr. John Public” is who he purports to be) can also be used in the identity proofing process. Another possibility is emerging that a “low trust” identity that has been used hundreds of times over a very long period may build itself into a more reliable “self-asserted” identity.

It is almost certain that some common identifier such as the “unique name” discussed above will be necessary in order to interact with the identity exchange. An application would provide this attribute in order to check the status of an identity that had been previously asserted, or to ask that credentials associated with that identity be verified. Furthermore, this “unique name” would be used within each application in order for access controls to be set. Rather than associate those controls with username as they do now, applications would associate authority and roles with the “unique name” instead.

When asked to authenticate a user, the identity exchange will interact with a credential exchange whose sole responsibility is to validate one or more credentials, such as a two factor authentication device, biometric, or other multifactor mechanism. The credential exchange is signaled using an identifier unique to the identity exchange, such as an internally generated globally unique identifier (GUID), or some other unintelligible value generated by the identity exchange programming.

In this way, the identity exchange will be blinded to the actions of both the application and the credential exchanges to which it connects. In other words, the identity exchange has no way to associate a person with the authority that has been granted to that person by any of the applications that person is using. Similarly, the identity exchange has no way to connect a particular credential to one of those individuals whose identity it manages. Future blog posts will detail the actions of the credential exchange and the application.

What value would it provide?

As I mentioned at the outset, in order to assert more rigorous controls on application access and identity management, we need a mechanism to simplify the process of establishing and maintaining reusable identities. These reusable identities can then be described as “interoperable.” The fact that they will be reusable is a key function, because we wish to reduce the number of redundant identity sources, practices, and general inconvenience facing providers today. Reusable, interoperable identities are vital, and at the center of the principles established by IDESG. The promotion of reusable identities is the first step on the road to establishing more secure and reliable controls, and reducing the costs normally associated with strong credential processes. In the end, we will establish an increase in the de facto security and privacy controls that will likely be required in the coming years, while reducing the vulnerability of all applications universally.

I strongly believe that the time has come to create such an exchange. There is much more to be said about this, and many challenges to face. Healthcare application vendors tend to hold tightly to established means of credentialing, and the concept of the identity exchange will certainly threaten those models. However, just as providers have had to become accustomed to a plethora of new digital systems as well as challenges to their provenance by intervening payers, the systems that serve them must quickly catch up and look beyond the diploma that once was their only identification. If patients can learn to access 21st century information, looking past that sheepskin, so should all healthcare applications.

About Eric Rosenfeld:

Eric Rosenfeld is the Chief Information Officer, having broad responsibility for all Information Technology at DrFirst, including software product development, computer operations, Quality Assurance, and Project Management. Mr. Rosenfeld possesses over 25 years of business and IT experience in companies throughout the health care industry. In March, 2010, he came to DrFirst from BlueCross BlueShield of Tennessee, where he was the Senior Vice President of Information Technology for BCBST’s wellness division. Mr Rosenfeld is an expert in the process of application design and development, project management, and process control.

Find all posts by Eric Rosenfeld | Visit Website

Add a comment
May
15
2014

In this next installment of my blog series on increasing quality in the e-prescribing marketplace I want to focus on the question of provider behavior. As I mentioned in my introduction to this series, there is a tendency to place nearly all of the blame for e-prescribing quality issues squarely on the shoulders of providers, which I believe is largely counterproductive. At the same time, input errors from staff or providers are the primary cause for the overwhelming majority of quality issues in e-prescribing.

Put simply, physicians who are overwhelmed by heavy workloads and the incredible burden may fail to be precise and meticulous in writing prescriptions. One of the things I want to highlight in this series is that there are a number of ways in which the healthcare IT and e-prescribing industry can adjust e-prescribing software and in order to alter outcomes in e-prescribing and improve overall quality in the market place. In this blog, I want to tackle the “elephant in the room” by suggesting a series of strategies aimed at altering provider behavior.

First, however, I do want to call attention to a few things which providers need to do for themselves. The most transcendent of all of these changes needs to be a renewed focus on “self-policing.” Providers must slow down and pay increased attention to their work in e-prescribing if we are going to cut down on the number of needless errors. I understand that patient volumes are already large and are only growing larger as the population ages. In addition, more patients and more prescriptions mean that pharmacists are handling larger volumes of prescriptions. As such, there will be an increased risk of pharmacists not catching errors, leading to adverse reactions and an overall decrease in the quality of care provided by our healthcare system administers. There is no other way to see this picture.

In addition to paying more attention to the scripts that they are writing, it is also important for providers to avoid skipping important workflows in the interest of saving time. Prescriptions should not be renewed without first checking a patient’s current medication history. Alerts to medication reactions and patient allergies should not be quickly passed over by harried providers with a severe case of alert fatigue. The primary impetus for the development of HIT and its widespread standardization across the industry is the development of Clinical Decision Support (CDS), but when providers do not take the time to make adequate use of the features which vendors have built into their systems, CDS is not only ineffective, it is non-existent. To further support CDS, it would be helpful if vendors were more judicious in the number of alerts as a means of cutting down on alert fatigue, but providers also need to pay adequate attention to what could be highly impactful clinical information. There must be responsibility and accountability on both sides.

Finally, providers need to begin adapting to the new methods of script writing which e-prescribing requires. The old days of simply writing whatever one wants down on paper and letting the pharmacist ‘figure it out’ have long passed. Providers need to adapt in the interest of moving the healthcare industry forward. Having worked in the healthcare field for several decades, I am well aware that ‘adapt’ is not a word which providers typically look upon with enthusiasm. Like many professionals, physicians and other providers find process they like, which they then become accustomed to over the course of many years, and are therefore loath to change. But healthcare is going through a massive high-tech revolution, and change is inevitable. Failure to adapt to these changes will only make the healthcare industry lurch forward haphazardly, and providers are the most essential gear in the industry’s broader machine.

Having called attention to the changes which providers absolutely need to make in the way they approach e-prescribing, I now want to address what vendors can do to help support providers in improving e-prescribing quality. To me, these fall into two broad categories: training and feedback.

There is a very real need for more comprehensive training as part of the sale of healthcare IT products. Vendors need to focus on adapting their training programs in order to ensure that providers are being spoken to in “their” language, and that the reasoning for specific workflows is fully explained to the people who will be using them. As an adjunct instructor at two schools of pharmacy, and having attended many healthcare vendor training sessions, I would like to recommend that training sessions be broken down into comprehensible chunks. There is only so much information that the human mind can successfully absorb in one sitting, and most vendors try to get through training as quickly as possible. Making these simple changes will translate into improved product understanding and adoption on the part of providers.

Finally, I believe that vendors need to solicit the input and feedback from providers as they design their products. For a long time, the healthcare IT industry has been guilty of designing and developing products with very little provider input, and then passing these products on to their clients without ever having considered how the products will work within a real healthcare setting. Computer programmers and developers, for all of their wonderful talents, are not doctors—they don’t think like doctors, and they cannot be responsible for fitting products into a clinical setting that is dynamic, fast paced, and difficult. This is one area where I am particularly proud of DrFirst, because as a company we truly strive to put doctors first and foremost in the design of our products.

At essence, providers must be more attentive during the prescription writing process, and comply with workflow best practices. Healthcare IT companies need to consider the provider’s prescribing environment and process when developing products, and then deliver training that speaks to the providers’ needs. I truly believe that if we as an industry can accomplish these things, we will see a dramatic improvement in e-prescription quality.

About Michelle Soble-Lernor:

Michelle Soble-Lernor is DrFirst’s Principle Pharmacist, and works in our Clinical Quality Office. Michelle plays a leading role in ensuring the security, quality, and precision of DrFirst’s interactions with key stakeholders. She earned her BA in Pharmacy and her Master’s in Toxicology at the University of Arizona prior to receiving her MBA in Healthcare Management at Western International University. In addition to her duties at DrFirst, Ms. Soble-Lernor is also an active and influential voice within her pharmacy community, serving as a Clinical Instructor of Pharmacy Practice and Services for the University of Arizona’s pharmacy school, as well as an Adjunct Assistant Professor of Pharmacy Practice at Midwestern University Glendale’s pharmacy school. Ms. Soble-Lernor also continues to work as a retail pharmacist on a limited basis in order to stay abreast of new industry trends and dynamics.

Find all posts by Michelle Soble-Lernor | Visit Website

Add a comment

Subscribe

Whether you're looking for the latest news in healthcare technology, best practices for clinical and patient care, or to stay up to date on the latest federal and state healthcare legislation, you’ve come to the right place. The DrFirst blog is your source of insight, analysis and helpful content, to help you and your patients succeed in the ever-changing healthcare industry.