HITECH Compliance Is About Business Process, Not Technology
By Ron Nelson
For years, HIPAA insisted on data privacy and security protections—and for years, those same requirements were ignored with relative impunity. Last year’s HITECH Act changes all that.
But as the manufacturing sector learned a decade ago in the series of debacles that accompanied migrating to ERP systems, complex systems management needs to make business process refinement the primary focus.
Physician executives, clinics, and hospitals all have a lot more to worry about with the advent of last year’s HITECH Act. Enacted as part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act puts real teeth into electronic data privacy and security requirements, and subjects healthcare organizations to greatly heightened liability.
As Physicians News noted last year, the HITECH Act significantly raises the bar for health information privacy and security. Previously, for instance, liability a healthcare organization faced for the breach of any given provision generally couldn’t exceed $25,000. Today, that same breach can cost an organization up to $1.5M in fines.
Most important, the HITECH laws are being enforced. This summer, Rite Aid settled a claim for $1M after television cameras caught the organization disposing of prescription pill bottles that still had patient names on them. HealthNet, the California-based insurer, paid the Connecticut Attorney General $250,000 to settle claims that some 500,000 Connecticut residents had their medical records and financial information compromised by the firm. And in the largest healthcare information breach reported to federal authorities so far under the HITECH Act, five AvMed Health Plan customers have filed a class-action lawsuit on behalf of the 1.2 million potentially affected when a laptop with unencrypted contents was compromised.
These weren’t isolated incidents. The Ponemon Institute’s 2009 Annual Study: Global Cost of a Data Breach report studied 130 data breaches and found that the average cost of a single breach in the U.S. in 2009 was $6.75M, with an average cost of $204 per affected record. And Price Waterhouse Cooper, in a study called Behind the Numbers, Medical Cost Trends 2011, asserts that “The mandates of the HITECH Act, passed in 2009, really lit a fire under health systems.”
And risk isn’t limited to fines. Liability from a HITECH breach extends to an organization’s funding, reputation, and new business revenues. Moreover, breaches can trigger litigation from unhappy consumers and partners, and the cost of litigation can exceed even pricey government fines.
Hospitals, clinics, and medical group practices are all scrambling to bring their information technology in line, but the biggest challenge most organizations are struggling with is the complexity of the problem. How best to undertake and manage an enterprise-wide project involving a wide array of complex record systems—from billing and medical history software to communication systems connecting pharmacies, remote workers, and testing labs—all created by different vendors? And this software itself resides not only on a wide array of desktop and handheld units, but travels over public networks in varying protocols.
BLAST FROM THE PAST: HEALTHCARE RELIVES MANUFACTURING’S ERP NIGHTMARE. In the 1990s, the U.S. manufacturing sector lived through a technology migration remarkably similar to that occurring in the healthcare industry today as clinics, hospitals, and individual physicians scramble to move their records to electronic health record (EHR) systems in an attempt to comply with federal mandates, qualify for federal funding, connect business units, enable better record management, and realize more efficient business.
Manufacturing companies were sold the promise that by migrating to a single, integrated software system (such as those by SAP, Oracle, Siebel, Trilogy, etc.), they would enable better business communication, eliminate redundant functions and slash overhead, and become streamlined epitomes of efficiency. It didn’t work out that way. Almost every major project in the arena that a major manufacturer undertook for almost half a decade ran significantly over budget, took far more time to implement than imagined, and resulted in far-less-than-forecast benefits.
Sound familiar? The problem, as today’s healthcare businesses are discovering as they move to electronic records, is that once they install an EHR system, they typically find that it doesn’t do all they thought it would, or all they need it to do to support the wide variety of functions required to support physicians. Consultants are called in, the timeline extended, and in more than a dozen cases we’ve seen, the eventual “finished” EHR system ends up costing some 3x to 5x the cost of the original estimate or base software.
An optimist might say that EHR vendors are optimistic and perhaps naïve, or that their own business has an unusually complex set of processes to automate; a skeptic might even wonder if vendors are engaging in a deliberate bait-and-switch.
That may be too cynical a view, but regardless: A successful EHR migration—one that manages the business in a simpler fashion, enables accelerated revenue, and meets federal compliance standards—needs to focus on analyzing and mapping business processes first, before a vendor is selected, and technology is specified and installed.
THE ESSENTIALS OF PROCESS MAPPING. So how do you find the right processes, and appropriately manage both technology migration and corporate culture, in order to realize all the promised EHR benefits? Is it possible to do it in a reasonable amount of time, on a reasonable budget, and in a smooth and compliant fashion?
It is. The key is to devote a bit of time upfront. This may require you to invest about 25% more in the process than the single sticker out-of-the-box process of a typical EHR vendor, but you’ll see vastly better ROI by almost every measure of time, budget, and user adoption. Here’s a simple checklist:
- First, develop a written set of requirements. What do you really want from your EHR system? What are your output objectives? What do you want to generate from this process? What are you able to spend to get results?
- Second, put out an RFP and ask for written responses. When vendors see a detailed list of requirements their system needs to meet, and are asked to document that they either immediately can accommodate your needs or else articulate a definite time and budget for customization, they’ll get serious, and many of them will walk away. This step typically eliminates about half of the software vendors approaching you.
- Ask respondents to verify conformance. Tell them you want no rigged demos. You want them to present you with a blank copy of their software, and you want to subject it to real-world user tests. Have a group of capable users ready to load the software, run it through typical tasks, and add new EHR input from the current business flow to see how the EHR handles the problems. How much user testing you’ll need to do depends on how many processes are going to be affected and how many modules of any given system are necessary to support your business, but within a short matter of time—usually a few weeks—you’ll have a very solid understanding of what your finalist candidates can and cannot do, how much customization is necessary, and how long it will take and how much it will cost.
ONGOING MANAGEMENT—KEY TO CONTINUED SUCCESS. Once you’ve selected a vendor, in order to manage implementation smoothly with a minimum of process interruption and the support of employees, it’s critical to enable an ongoing management process. User representatives from key employee sectors should connect regularly with the vendor, typically in quarterly meetings as part of a structured technology program, to develop requests, prioritize future development, and simplify ongoing advancement and future upgrades. A good software vendor will already have a technology program of this sort in place. Check to see, and ask in advance.
Good advance planning will protect you. The risks of federal fines, consumer litigation, loss of new business, and brand damage are very real, and potentially terribly devastating. Risk mitigation, after all, is largely what is driving many EHR migrations, even more than promises of increased efficiency.
But a well-planned and well-managed EHR migration that carefully assesses business processes in advance of vendor selection will also show ROI in decreased investments of time and money. Better still, the best migrations offer actual competitive advantage. All those EHR efficiency promises can be real. Just be sure to devote real time and thought to business process analysis, mapping, and planning.
Ron Nelson is chief operating officer of Palatech Partners, a consultancy with decades of experience in software compliance and process management. Reach him at RNelson@palatechpartners.com, and visit the Palatech site to learn more about healthcare programs that can help your business.