Tuesday, July 31, 2012

The Colonoscopy Experience

Today, as Kathy finished her last radiation therapy appointment, I had my first screening colonoscopy - a right of passage for new 50 year olds.

Although a bit of a personal issue, I'm known for my transparency and I'm happy to share the experience so that others approaching 50 know what to expect.

The preparation is the hardest part.   Three days before the procedure, it's recommended that you reduce the quantity of high fiber foods you eat - fruits, vegetables, nuts etc.  For me that was particularly challenging since my entire diet as a vegan (who tends to avoid white flour, white rice, and white sugar)  is high fiber.    I moved to soups and brown rice.   A day before the procedure (really 36 hours), you move to a clear liquid diet - apple juice, broth, and tea.   In my case I drank a cup of vegetable broth and apple juice every 3 hours.  

At 7pm the night before the procedure, the real challenge begins.  The bottle of magnesium citrate reads "a pasteurized, sparkling, laxative".   Sounds so appealing.   The first dose is 15 ounces.   The bottle warns that the maximum therapeutic dose is 10 ounces in 24 hours for adults, but colonoscopy is a special case.   The 15 ounces of laxative is followed by 24 ounces of clear liquids over the next 2 hours.   Keep in mind that you have not eaten any solid food for 24 hours at this point.   Sparkling laxative followed by broth and apple juice is not Chez Panisse 

A few hours after the laxative, the intestinal rumbling begins.    You'll have a rocky night with an urgency to jog to the nearest bathroom every few hours.   By morning the intestinal cramping will have subsided and then you get to repeat the process!  Six hours before your procedure, you'll drink another 15 ounces of mag citrate followed by 24 ounces of clear liquids over 2 hours, then nothing by mouth for the final 4 hours.    Given the 36 hours without solids and 30 ounces of mag citrate there's nothing really left in your body, so you'll move the clear liquids through your system quickly.    You'll arrive for your procedure just as all the cramping has stopped.

The procedure itself is the easy part.   There are multiple sedation options - nothing at all, versed/fentanyl, and propofol/monitored anesthesia

I received propofol, which works quickly and clears quickly.   I have no memory of the anesthesia, but when I awoke I thought I had just come in from chopping wood on the farm.   The nursing staff were very understanding.   In a few minutes, I was walking, dressed and back on the iPhone, doing conference calls and answering email.    I did avoid work with chain saws and signing a new will.

The Boston Endoscopy Center, where I had my procedure, uses an electronic record called Gcare, which captures images and reports.   The BIDMC enterprise systems are fully interfaced to Gcare, so all endoscopy information is immediately available to patients and providers.      By the time I returned home, I had access to all the images above.   The report was simple and to the point

"Medications: MAC Anesthesia
Pain rating: 0/10
Indications: Screening for colon cancer

Procedure: The procedure, indications, preparation and potential complications were explained to the patient, who indicated his understanding and signed the corresponding consent forms. A physical exam was performed. Moderate sedation was initiated by the physician. Continuous pulse oximetry and cardiac and blood pressure monitoring were used throughout the procedure. Supplemental oxygen was used. The patient was placed in the left lateral decubitus position.The digital exam was normal. The colonoscope was introduced through the rectum and advanced under direct visualization until the cecum was reached. The appendiceal orifice and ileo-cecal valve were identified. Careful visualization of the colon was performed as the colonoscope was withdrawn. The colonoscope was retroflexed within the rectum. The procedure was not difficult. The quality of the preparation was good. The patient tolerated the procedure well. There were no complications.

Findings:
Mucosa: Normal mucosa was noted in the entire colon
Impression: Normal mucosa in the colon
Otherwise normal colonoscopy to cecum

Recommendations: Colonoscopy in as long as 10 years as per the recommendation of Medicare. If you develop symptoms such as bleeding, or if a relative develops colon cancer, this interval would change. Get regular checkups with your primary doctor to check for hidden blood in the stool

Additional notes: The efficiency of colonoscopy in detecting lesions was discussed with the patient and it was pointed out that a small percentage of polyps and other lesions including colon cancer can be missed with the test. Degree of difficulty 2 (5 most difficult)

FINAL DIAGNOSES are listed in the impression section above. Estimated blood loss = zero. No specimens were taken for pathology"

Done for another 10 years!

As July draws to close, both Kathy and I are celebrating.  We'll have a high fiber vegan meal and welcome the simpler August ahead of us.

Friday, July 27, 2012

Cool Technology of the Week

I'm not sure if this should be a cool technology of the week or a scary technology of the week.

I've posted frequently about the increasing challenges of malware, BYOD, and hackers.

This week's cool technology is a hacker's network penetration device, packaged to look like a power strip.

The Power Pwn is a fully integrated enterprise-class linux server that includes Ethernet, wireless and Bluetooth connections.  It also has a fully automated NAC/802.1x RADIUS bypass and secure shell access over 3G and GSM cell networks.

All a hacker has to do is place this power strip under a desk within a corporation and then they can identify network vulnerabilities and mine data as they wish.

I've said before that security is a cold war - an escalating battle between hackers and IT departs trying to control them.   The Power Pwn is a powerful new entry to the hacker's arsenal.

Thursday, July 26, 2012

Our Cancer Journey Week 31

Today marks the end of our cancer journey for now, although the followup will be life long.   In 2012,

*Kathy completed chemotherapy with Adriamycin/Cytoxan and Taxol
*Kathy underwent a lumpectomy of her left breast where the tumor was growing
*Kathy received 33 doses of radiation therapy over 42 days
*We sold our home in Wellesley (it closes today), purchased a farm in Sherborn and moved all our belongings, the contents of Kathy's studio, and her father's belongings to a single location.
*We acquired 8 alpaca, 2 llama (if you count our pregnant guard llama), 12 hens, 1 rooster, and 22 guinea fowl

So now, it's time for a breather.   The month of August has no travel, no visiting family/friends, and a little less chaos in our lives.

We will use our August 8 anniversary (32 years together, married 28) to reflect on where we've been and where we're going.    We'll celebrate the trajectory of the past year.   There was good and bad, but we're on a very positive path.

Although Kathy still has numbness in her feet and hands, the rest of her body and her mind is in good shape.   She's designing our blueberry patch and apple orchard.    She's putting the finishing touches on our barn, paddocks, and fences.   Her new beginning as a cancer survivor is mirrored with by a new lifestyle for our entire family.

I'm a strong believer in the karmic notion that everything happens for a reason.   Life is anything but a linear path and you never know what you'll find around the next turn or how one turn will affect another.  

To me success is not measured in fame or fortune, but in relationships you nuture and the difference you make.  Our cancer journey has been all about relationships - spouses supporting each other, family supporting family, clinicians supporting patients, my employer supporting its employee, and the broad community (Massachusetts colleagues,  acquaintances, and fellow cancer patients) offering unconditional optimism.  

So thank you to everyone who has supported Kathy and me since our diagnosis in December of 2011.   By all measure, you've made a difference and strengthened every relationship  while opening new doors for the future.   We are truly blessed to have you around us.  We look forward to the day we can invite all of you to our farm for blueberry picking, apple picking and alpaca watching in celebration of surviving cancer.

Tuesday, July 24, 2012

Separating Professional and Hospital Records

As Patient Centered Medical Homes and Accountable Care Organizations form, the lines between professional and hospital practice become increasingly murky.

CMS has long required that hospital and professional records be separable, so that in the case of audits or subpoenas, it is clear who recorded what.

Today, the BIDMC ACO continues to expand into the community, adding owned hospitals, affiliated hospitals, owned practices, and affiliated practices.

Our strategy to date has been to use our home-built inpatient and ambulatory systems at the academic medical center, Meditech in the community hospitals, and eClinicalWorks in private ambulatory practices which are part of our ACO.

We share data among these applications via private and public HIE transactions - viewing, pushing, and pulling.   

The challenge with emerging ACOs is that professionals are likely to work in a variety of locations, each of which may have different IT systems and each of which serves as a separate steward of the medical record from a CMS point of view.

Our clinicians are asking the interesting question - can I use a single EHR for all patients I see regardless of the location I see them?  

Our legal experts are studying this question.  

I can imagine several answers

For facilities we own and control, we can tag every note created by every professional with a facility code, enabling us to separate out those records created at given location in the case of audit or subpoena.

For facilities that are affiliated but not owned, clinicians can use their favored EHR, but at the end of the encounter, they must create a paper or digital copy of the record and place it int the hospital record of the location which is the steward of the data from a CMS perspective.

Since it is unlikely that every inpatient and outpatient facility we acquire or affiliate with will have the same HIS and EHR applications, it is not realistic to create one physical shared record across all sites.

Instead, data sharing through the HIE, metadata tagging as to the facility/professional that owns each record, and policies regarding what must be done at each site seems like the logical way to go.

As is often the case with challenging workflow and regulatory issues, I welcome the experience of others.   How have you separated professional and hospital records per CMS regulations, but enabled co-mingling of patient data for care coordination and population health?

Monday, July 23, 2012

The BIDMC Laptop Encryption Program

I've been writing about the Bring Your Own Device (BYOD)/Consumer IT challenge for the past several months.  Today, an action plan goes into effect.   Here's the message we sent to employees:

"Information Systems will be conducting an aggressive campaign to ensure every mobile device is encrypted. This initiative applies to all staff and students. The program is mandatory and required for any mobile device used to access BIDMC-related systems, programs or documents, including email, clinical applications and administrative documents such as financial spreadsheets, grant information or staff lists.

Many of you participated in last month’s program regarding smart phone devices used to connect to the Exchange email system using ActiveSync. These devices now require password protection. Look for more information soon on new smartphone encryption and 'auto wipe' requirements.

Securing Laptops and iPads

The next stage of work is encrypting laptops, iPads and other tablet computers. It will proceed in two phases.

The first phase, beginning this week, focuses on institutionally owned laptops and iPad-type tablet computers.   Other versions of tablet computers will be addressed in a later phase.  Service depots will be set up in and around the main campus. The first location will be the Center for Life Sciences (CLS). This building was chosen because it has the largest population of laptops and iPads.  

We appreciate the cooperation of staff of CLS especially because you are the first to undergo this new process. The CLS experience will guide IS planning for the entire medical center.   We will coordinate our encryption program with Research Administration’s research equipment inventory project, eliminating redundant phone calls to investigators.

What You Need to Do

Prepare Your Device – Prior to dropping off the laptop or iPad at the service depot, delete unneeded applications and data. All valuable data and important files, email, applications and other documents stored on the device should be backed up to your network home directory. Do NOT back up the data to an Internet cloud service such as Apple’s iCloud, or DropBox. Storing protected health or personal information on these sites is against corporate security policy. 


Schedule an Appointment - Information Systems will contact staff for which records show you have been issued an institutionally funded laptop or iPad.

Leave the Device - Encrypting a device may require several hours depending on the method used. For this reason, you will be expected to leave the device at the service depot. Every attempt will be made to complete the work within the same business day.


Pick Up the Device - Upon returning the device, depot staff will brief you on what work was done and your on-going responsibilities for maintaining the security of the device. You will be asked to start the device from a cold boot and verify it is in working order.

What IS Will Do


Intake – To qualify under HIPAA/HITECH 'safe harbor', full disk encryption is required. On arrival at the service depot, an initial assessment of the device’s configuration will be done to determine the most appropriate encryption method, e.g. software or hardware based. Some devices have encryption built in, but it needs to be activated. The method used will depend on the make, model and operating system version of the laptop or tablet computer.


Inspection - The service depot staff will scan the device for malware and vulnerabilities.  They will check configuration settings to assure they comply with corporate security policy such as power-on password, inactivity timeouts, and, for iPads, auto wipe. If time permits, depot staff will apply operating system and third party software patches necessary to eliminate security vulnerabilities.  If malware is detected, the device will be cleaned or re-imaged depending on the nature of the malware. The network address of the device will be recorded so I.S. knows it has been inspected when it appears on the data network. When practical, management (Microsoft SCCM for Windows or Casper for Macs) and anti-virus agents (McAfee EPO) will be installed to allow Information Systems staff to keep the device in good security hygiene throughout its life while in use at BIDMC.


Inventory the Device for Research – If your computer is one that still needs to be scanned as part of the bi-annual Research inventory required by federal law, a member of the Research Administration staff will scan the inventory tag while it is at the depot – or apply an inventory tag as needed. We are combining these efforts to make it more convenient for users.


Return - See #4 above.

What is Next?
The dates and locations for other service depot sites will be announced later this month as IS continues to secure laptops and iPads throughout the medical center.

The second phase will extend the program to other models of institutionally owned tablet computers as well as personally owned laptops and tablet computers that are used to access BIDMC-related data. This phase will begin in the fall after work on institutionally owned devices is completed. We will assist in encrypting and, time permitting, patching the devices. Once done, it will be the responsibility of the owner to maintain the encryption and healthy state of the device.

Information Systems will periodically check your mobile device to ensure the safeguards are still in place. Additionally,  staff must attest, each time their password is renewed, that all mobile devices they use for hospital related business, including personal devices, are encrypted.

From this point forward, newly acquired laptop and tablet computers purchased from institutional funds cannot be used to access the BIDMC data network until their encryption status is verified by Information Systems.

Information Systems will monitor the network for rogue laptop and tablet devices that have not been screened for compliance. If a device is discovered that has not been screened, Internet access privileges will be blocked."

As I've told the press, it is no longer sufficient to rely on policy alone to secure personal mobile devices.    Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with Federal and State regulations.   Over the next few months, I'll write several posts about our lessons learned supporting personal device security enhancements.

Friday, July 20, 2012

The July HIT Standards Committee Meeting

The July HIT Standards Committee focused on a discussion of maturity and adoptability criteria for standards, a review of recent testimony regarding best practices for electronic identity authentication of providers, an update from ONC on the certification program, and a continuing discussion of the future processes needed to support the S&I Framework.

Dixie Baker presented the Initial Report on Criteria to Assess Maturity of Standards and Specifications.

A robust discussion followed noting that interpretation of readiness is contextual.  Sometimes it is reasonable for standards to include optionality.  Sometimes it is beneficial to require pre-coordination between trading partners.  Sometimes it is reasonable to encourage adoption of emerging but not widely tested standards.   The excellent framework that Dixie presented will be tested with a sample standard - the  HL7 Infobutton implementation guide for knowledge retrieval.   At our next meeting, Dixie will report  on lessons learned from this evaluation and any refinements she would suggest to the maturity/adoptability criteria.

Dixie also presented an overview of a recent hearing on trusted identification for providers.  In a world filled with malware, screen scrapers and keystroke loggers, it is important to consider the vulnerability of username and password as authentication credentials.  The Standards Committee agreed on the importance of accurately identifying and protecting endpoints in healthcare information exchange, however they noted that healthcare workflows require more complexity than just authenticating individual users.   Sometimes organizational credentials (a practice) are needed since a message is routed to a place not a person.   Sometimes delegation is needed when routing a message to the staff supporting a clinician.   We also discussed the workflow impact of two factor authentication.   Strong authentication is part of a multi-layered defense protecting privacy. Significant work will be required to develop a family of solutions supporting the requirements of healthcare.

Next, Carol Bean provided an update on the Permanent Certification program.   The existing temporary Authorized Testing and Certification Bodies (ATCBs) will be replaced by permanent certification and testing organizations.   The certification organizations are accredited by ANSI and authorized by ONC.   The testing organizations are accredited by National Voluntary Laboratory Accreditation Program (NVLAP) , a division of NIST,  and authorized by ONC.   To date, 5 organizations have been accredited as certifiers, and 5 organizations have been accredited as testers.   ONC plans to authorize these organizations in August, so the temporary program can be sunsetted soon.

Jodi Daniel provided an overview of the national progress on health IT.   110,000 clinicians have attested to meaningful use.   Numerous initiatives including BlueButton, Decision Support (HealthE Decisions) and a Cancer patient engagement program have been launched.   The trajectory is good.

Finally, Doug Fridsma presented an update on the S&I Framework projects.

We discussed the success criteria for S&I efforts to date.   We agreed that projects should be aligned with policy goals.   We noted that a formal priority setting process is important to allocate limited resources among many competing projects.  HITSC hopes to advise that process, using such tools as the maturity and adoptability criteria for standards to assess the level of effort and cost needed to close standards gaps, enabling ONC to optimize the portfolio of S&I projects.

We'll continue to the S&I discussion at the next meeting.   As the end of ARRA funding nears there is an opportunity to reconsider how best ONC, HITSC, and S&I can work together to guide the work on standards for the United States.

Thursday, July 19, 2012

Our Cancer Journey Week 30

Today Kathy visited her oncologist to discuss a 5 year course of anti-estrogen (tamoxifen) therapy.    I've said before that Cancer is chronic disease and although the first phase of our journey ends on July 31 after 8 final radiation treatments, the vigilance for reoccurrence and the medications to minimize risk begins thereafter.

Tamoxifen, a competitive inhibitor for estrogen, makes great sense for Kathy because her breast cancer is estrogen receptor positive - estrogen makes it grow.   She'll have to watch for endometrial cancer (The American Cancer Society lists tamoxifen as a known carcinogen, stating that it increases the risk of some types of uterine cancer even though it lowers the risk of breast cancer recurrence) and possible memory changes.   She'll start taking Tamoxifen about 10 days after the end of radiation therapy.

We're preparing to celebrate the end of her treatment phase (chemotherapy, surgery, radiation) and the transition to maintenance and prevention on July 31.    One small complication - having just turned 50, my first ever colonoscopy is scheduled for that day so the champagne may have to wait until August 1.

Starting in August, Kathy's life becomes much easier since she no longer has to commute daily for radiation therapy.    Since Boston has two seasons - winter and road construction - the fatigue of the past 6 weeks has been significantly compounded by sitting in traffic every day for up to 3 hours.

August will be much more settled than the rest of the year thus far.   Treatment will be done, my office schedule will be iighter, my daughter will be away, and our previous home will have closed escrow.   What will we do with all that free time?

Our llama and alpacas will move to Unity Farm the week of August 20 (assuming all our fences are finished, our hay arrives, and the folks transporting the herd will be available).

We just learned that our llama is likely pregnant, so we'll have a mama llama.  The llama gestation period is 11.5 months, so she'll likely have the cria (baby llama) next Summer.   I welcome suggestions for names.   The suggestions I've had thus far are Dolly Llama and Ding Dong (as in 'who put the Mom in Mama Llama Ding Dong?')

This weekend we'll visit the alpaca herd in Maine to learn about toenail trimming, vaccinations, and general health assessment.   I may be an emergency physician but doing procedures on a 150 pound furry camelid will be a learning experience.

After July 31, Kathy will not have another medical appointment until January 29, 2013 when she has a screening mammogram and a followup with her breast surgeon.

Next week will be my last post about this part of the cancer journey.   It has been an emotional, anxiety-filled time for both of us.   We're looking forward to maintaining wellness instead of treating illness.

Wednesday, July 18, 2012

Hospital Disaster Planning

In my role as CIO and a Professor of Medicine, I'm asked many questions about the policies, processes, and procedures of healthcare.   Here's one I was recently asked about Hospital Disaster planning. Meg Femino, BIDMC Director of Emergency Management, prepared the answer.

The question:

Your hospital has been placed on alert for receiving patients from a local explosion at a large factory. Reports from the scene are spotty in terms of numbers killed or injured, and you do not know how many patients you may be getting. News reports are calling for casualties in the 100s, but local fire responders are sending in conflicting reports. You need to know what your ED will be receiving, so you can determine whether to close surgery to elective cases and to go on ED bypass for regular patients. Rumors are swirling inside the hospital and the chain of command about how severe the incident is and what it will do to your ability to function. What thoughts do you have about how to learn what you need to know in order to structure the hospital's preparations and continue regular functioning at the same time? What resources can you tap in order to learn more accurately about the situation at the scene and what you can expect to come to your ED? How would you manage this situation to cause the minimum disruption to regular hospital functioning?

When faced initially with a disaster situation in a health care setting, what do you think your first five steps need to be? Why?

Meg's answer:

This can be a common scenario, early information is always scant, unconfirmed and conflicting. Due to the mechanism of injury (explosion), chances are traumatic injuries will be present. That is what we would base our initial response on until credible information came in. We would immediately implement the following strategies:
* Activate the Emergency Operations Plan and the Incident Command System
* We would report to EMS via our disaster radio how many red (emergent), yellow (urgent) and green (non urgent) patients we can take. This is only a guide for EMS to distribute patients equally if they can, in a large mass casualty, you get what you get.
* Clear as many patients out of the Emergency Department as we could- admitted patients upstairs immediately, discharge others and decision make on the rest
* Alert the trauma teams with numbers expected, injuries, time to ED and any other pertinent information available
* Alert the OR's to hold any currently open rooms, do not start any other cases until we have more information and begin to assemble trauma teams. We know from previous drills we can open 17 OR rooms with staffed teams in 2 hours if we have to, this would involve canceling all non-emergent surgeries.
* We would see how many staffed in-patient beds are available in house and prepare for early discharges if we needed to. I call this the purge to surge.
* Alert the blood bank of potential incoming trauma to prepare for high volume of blood use
* Open the command center and assemble incident command team and begin gleaning information.

How we get information and share information during a citywide event:
* The Boston Hospitals have a emergency manager on call 24/7 for events like this. We would immediately be in touch with him, he liaisons with other citywide agencies and shares this information with hospitals.
* The TV provides information and usually pictures of the scene so we can get a better idea of the scope
* The city utilizes WebEOC which is a software system all hospitals, public safety, public health, EMS and others are linked in to. This system would be active within 15 minutes. Informations is shared here across disciplines and is great for situational awareness. We can also share our situation with others, make resource requests and monitor others.
* Boston also has a medical intelligence center housed at Boston EMS, they would be pushing out information as it comes available. They would be asking our needs and monitoring the situation.
* We (hospital emergency managers) receive information messages from state agencies via the HHAN (Health and Homeland Alert Network), if they activate the state EOC etc.
* We also monitor the disaster radio in the ED, they will update us on how many more patients on scene, where they are going etc.

We flex our incident command team up or down as needed for response and tailor our response strategies to the needs of the event. As far as the five first steps I would say
1. Activation of the Emergency Operations Plan and notification Incident Command- this brings the team approach to the response
2. Preparing the hospital for patient surge
3. Gleaning information and sharing information to establish accurate situational awareness
4. Monitoring of resources- finding the balance with staffing and burn rates of supply. This allows you to continue treating and know when to ccall for more.
5. Stabilizing the event- treating those from the event to return the hospital to normal operations

Tuesday, July 17, 2012

The Return on Investment of Administrative Simplification

Since 1997, the New England Healthcare Exchange Network (NEHEN), a non-profit run by stakeholder board members, has provided community-wide collaborative payer-provider administrative transaction exchange for a fixed subscription fee.

I was recently asked about the return on investment of administrative healthcare information exchange.

The answer is summarized in this presentation.

NEHEN members use the exchange for benefits, eligibility, referral authorization, claim status inquiry, and claims transactions.   There are no transaction fees.

Creative ways in which members use NEHEN include:

*45 days following service, self-pay accounts are passed through NEHEN to re-check for changes in insurance coverage, resulting in assignment of a payer to 15-20% of self-pay accounts
*Bad debt accounts are checked via NEHEN before write-off, resulting in assignment of a payer to 3-4% of bad debt accounts
*The accuracy of demographics and payer information is checked during inpatient hospitalizations so any corrections can be made while the patient is still receiving services.

The end result over the past decade is that denial rates have dropped from  5.5% to 3.25% of submitted claims.  Bad debt is running at 0.6% of net revenue compared to the pre-NEHEN rate of 1.2%.  Administrative write-offs due to delayed billing are at 0.02% of net revenue

Since payers and providers collaboratively run NEHEN without a middleman, the cost of supporting 100 million transactions per year is very low.    For a large academic medical center, the NEHEN annual subscription is approximately $250,000.     If the same transactions were processed by an outsourced revenue cycle vendor (.20 transaction fee) the cost would be about $952,000.   If the same transactions were sent via a clearinghouse (.12 transaction fee), the cost would be about $571,000.

Lower administrative costs for payers and providers, more timely reimbursement, and fewer write-offs have created a return on investment for NEHEN that  has resulted in sustained NEHEN membership for 50+ hospitals, 5000+ physicians, and 4.5M+ health plan members.

The is a clear ROI for administrative transaction exchange and NEHEN will continue to be a  convener of payers and providers for years to come.

Monday, July 16, 2012

Creative Uses of Active RFID

BIDMC implemented enterprise-wide Active RFID asset tracking over 5 years ago.

Initially this was done to reduce theft of wheelchairs, optimize the use of high inventory multi-departmental equipment such as ventilators/ekg machines/iv pumps, and reduce the time searching for devices in the emergency department.  

Over the years, we've deployed thousands of tags and enabled tracking over 2 million square feet of BIDMC buildings.

My staff recently reviewed the utilization of Active RFID technologies to understand how broadly they have been adopted.

Their conclusion - the technology is highly functional, frequently used, and effective.

A few examples:

Radiology tracks lead aprons for JCAHO compliance.

The Emergency Department is using a temperature sensing RFID tag to monitor a refrigerator for JCAHO compliance.

Currently, there are 201 active users of the management software which enables viewing of tracked assets.
Clinical staff relies on that software to locate equipment with limited quantity and high demand - dialysis machines, scanners, and Arctic Sun temperature management systems.

Clinical Engineering continues to use RFID for locating equipment due for preventative maintenance.

As our wireless network has evolved, we've upgraded our access points and geolocation software.  At this point we provide highly accurate location services based on triangulating wifi signal strength.

As with many technologies that are robust and easy to implement, the creative possibilities for geolocation are numerous.   The examples above are just a few of the ways in which we're using the technology to improve quality, safety and efficiency.


Friday, July 13, 2012

Cool Technology of the Week

Today's post is not about current cool technologies, but those that were cool.   I feel nostalgic for my IBM XT with a 5 megabyte hard drive, my Motorola brick phone, my 5 1/4 floppy collection, my Atari console and my Epson dot matrix printer.   There was a time when all of these technologies were uber-cool - only cutting edge technologists were willing to take the risk on early, unproven products.

The Boston Globe recently posted a cool technology retrospective using this classification

Ancient: seen in museums only, unusable, unfixable
Antique: unusable, unfixable
Vintage: usable, old, ironic, cool
Outdated: still available in stores, but barely used

It's amazing how fast cool technologies become outdated technologies.    I was in a meeting of technology leaders yesterday and only one person had a Blackberry, lamenting that his organization had not yet moved on to something more modern.

What's your favorite vintage, formerly cool technology?

Thursday, July 12, 2012

Our Cancer Journey Week 29

Kathy completes radiation therapy on July 31.   On that date she moves from cancer patient to cancer survivor.    I have only two more posts to write about this segment of our journey - Week 30 and Week 31.

At this point, radiation therapy is going well.  Kathy feels bone pain under the radiation site and the skin of her left breast is slightly tender/irritated.   The fatigue of each day limits her nighttime endurance and she longs for sleep at 9pm.   However, being a survivor makes it all worthwhile.

Kathy has been reading several interesting New York Times articles about cancer as she prepares for the next stage - health maintenance and monitoring for recurrence.    The role of survivor comes with its own emotions and responsibilities.

The past 29 weeks have taken their toll.   Kathy still has limited hand strength and can only walk short distances because of the Taxol induced neuropathy.   We could speculate that she did not need the taxol and that adriamycin/cytoxan would have been enough.   We could speculate that new advances in therapy, personalized to the patient's and tumor's genome, will soon eliminate the need for Taxol.   We could speculate that new testing methods would have detected her breast cancer before it became Stage IIIA and required aggressive chemotherapy.

However, all such speculation is unproductive.   She's a survivor and that's what matters. We've both learned that asking 'what if' questions about the past can only lead to frustration.    We live in the here and now, looking forward to a future in which she is cancer free and her neuropathy resolves over time.

Kathy, the survivor, is ordering 5 tons of second cutting Timothy Hay for our alpaca and llama herd which arrives August.   She has plenty of time to plan for the future because she's a cancer survivor.

Wednesday, July 11, 2012

Computer Assisted Coding

In the past, I've highlighted candidates such as "analytics", "HIE", and "gamification" for the hottest technology concepts of the year, the "Plastics" of 2012.   Recently, I've seen a new strong contender - "Computer Assisted Coding"

With ICD10 looming on the horizon, companies such as m-Modal, Dolbey, 3M, and Optum are offering applications that process the structured and unstructured data associated with an inpatient hospitalization or outpatient encounter into suggested ICD9 or ICD10 codes.

Using linguists, informaticians, natural language processing experts, and proprietary algorithms, each company promises to increase the efficiency of coders, provide a audit trail of the logic used to code each case (very useful if CMS/RAC asks for justification), and more accurately code case complexity.    Better documentation with accurate coding may even lead to reimbursement increases because the severity of illness of the patient and the nature of the treatment rendered is more completely described.

We're speaking with each of the major vendors of computer assisted coding products to understand their interface requirements, the nature of the clinical data they require as inputs, and their integration into workflow.

Workflow is a tricky question.

Suppose that a patient visits an emergency department after a finger injury.   Accurate ICD-10 coding requires laterality (left or right), open or closed fracture, simple or compound etc.     If the provider dictates a note that contains the text "fracture of the index finger at the PIP joint" there may not be enough detail to accurately code the injury.   Some computer assisted coding products intervene at the documentation point instructing the clinician what is needed to minimally specify the patient's condition or procedure.   Others ingest all the inputs from documentation created by caregivers and recommend possible codes.   Getting the data in right to begin with generates more accurate codes, but some clinicians will be fatigued by the alerts that prompt them during the documentation process.

I've studied some of the interoperability required to connect EHRs to Computer Assisted Coding products.   Some ingest print dumps or PDFs of text documents.  Others require HL7 2.x messages (ORU messages for structured data, MDM messages from unstructured data).   None yet accept the CCD or Consolidated CDA, although the Meaningful Use 2014 edition will require that EHRs export clinical summaries using CDA standards, not HL7 2.x

ICD-10 has spooked the industry with tales of 50% loss in coder productivity.   Computer Assisted Coding may just be the silver bullet.

More to come as we pilot it.

Tuesday, July 10, 2012

The BIDMC Mobile Device Security Initiative

For several years BIDMC has had an administrative policy requiring special security safeguards for mobile computing devices that connect to the data network.   Many of these devices are locally administered or personally owned.   Given state and federal regulatory changes, increased use of consumer devices to access/store data, and increased visibility of privacy related incidents, we believe that policy alone is inadequate to assure mobile devices have proper security safeguards.

As part of our Summer of Compliance activities, we are taking active technology and process steps to enhance mobile device security.

Here's an excerpt of what we'll be sending to all staff:

"Below are minimum requirements for mobile devices connecting to the BIDMC network.   Rather than rely on policy alone, we will be installing these configurations on devices connecting to our data network.   We have already begun phasing in some of these such as passwords on devices using Exchange Activesync and will continue until all mobile devices connecting to the BIDMC network are compliant.  

Password protection – The device must require a password or equivalent security feature before it can be accessed.  

Timeout – The device must be set to timeout and require re-entry of the password if not used for over 15 minutes.

Anti-Malware Protection – Laptops must have an up-to-date anti-virus software application installed.   The device’s operating system and third party applications such as Adobe, Microsoft Office, Java, and others must be properly patched.  

Unnecessary Software and Services – Wireless interfaces and applications such as Bluetooth must be disabled when not needed.   [

Encryption – The data must be encrypted.   Massachusetts law requires this if the device contains information protected under the State’s data privacy regulations.   HIPAA provides safe harbor if the entire storage disk is encrypted and there is a pre-boot authentication.     In a communication next week, I'll outline our aggressive mobile device encryption program.

Custody – The mobile device should be kept in your possession when traveling or in an uncontrolled environment such as a hotel room.   Prevent unauthorized persons from accessing sensitive content stored on the device or using it to access the BIDMC network.

Backup Protection – Protected health information or other confidential BIDMC data should ONLY be backed up using BIDMC data storage resources, e.g. your home directory.   Using public Internet cloud storage services to backup BIDMC sensitive information is prohibited.  "

I welcome feedback on your experience implementing such policies and technologies.   It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe.

Monday, July 9, 2012

The Blue Button Goes Viral

I've described the stages of interoperability as functional, semantic, and process corresponding to the ideas of viewing unstructured text, pushing structured data from point to point, and pulling structured data as needed from any site of care in real time.

BIDMC does all 3 but its efforts over the past year have focused on universal viewing of records for providers and patients.  (Next year will be the year of statewide pushing of structured data).

On July 5, UnitedHealthcare announced that its 26 million patients (of which 20 million already access personal health records at www.myuhc.com) will have access to view/download
their health data using the Blue Button approach - a PDF or text file containing information from various sources, such as claims data, health screenings and self-entry.

From the press release

"UnitedHealthcare’s support of the Blue Button initiative first began in September 2011, and in March 2012 the Blue Button went live on one website for 500,000 people enrolled in Health Plan of Nevada benefit plans. As UnitedHealthcare rapidly expands the use of the Blue Button, more than 12 million employer-sponsored plan participants will have access by the end of the year and by mid-2013 nearly all 26 million UnitedHealthcare enrollees will be able to access their PHR with the click of the Blue Button.

The Department of Veterans Affairs launched the Blue Button in 2010 to allow simple exchange of a patient’s personal health data in a standard, consistent format. Initially designed for use by veterans, the idea has taken off in the private sector and has been supported by at least one major care provider overseas. Veteran Affairs and Health and Human Services have encouraged the health industry to adopt the Blue Button, and UnitedHealthcare is pleased to do so."

It's clear to me that PHRs are finally approaching the tipping point where patients will expect to have their data available for viewing and download.   Clinicians have not universally supported that notion but Meaningful Use 2014 edition is likely to require it as part of attestation.   I recently visited my own primary care physician and he provided me a full summary of the visit, including labs, within a few days of the visit, apologizing for the delay.

With United's adoption of a PHR that includes viewing/download capability, it's fair to say that the technology has now gone viral and is unstoppable.   My daughter (and her generation) will not experience the silos of data that my generation grew up with.   We're making progress.

Friday, July 6, 2012

Cool Technology of the Week

Continuing my series of farm related cool technologies, today's post is about solving a practical agricultural problem.   How do you keep water flowing in the barn during the freezing temperatures of winter?

Of course, you could use electrically powered pipe heating tape but what if the power fails on a cold winter night?

For over a hundred years, farms have solved this problem by using a freeze-less yard hydrant such as the Woodford Model W34

The idea is simple.

In Massachusetts the frost line is between 30-35 inches.  

At our farm, all water pipes are buried 4 feet or greater, ensuring they never freeze.

A yard hydrant connects to water sources below frost line.   When the handle is opened, a 4 foot rod moves a gasket so that water can flow up the hydrant.   When the handle is closed, a siphon below the frost line is opened, draining the hydrant.    Thus, there is never standing water in the hydrant that can freeze.

Our hydrant has 27 inches above ground and 48 inches below ground.   We also created a dry well around the hydrant and siphon to prevent any runoff from accumulating around the pipe.

A simple technology that uses the insulating properties of the ground instead of electricity to keep water flowing in the winter.   That's cool!

By the way, a weather station on our barn provides detailed data for Sherborn, Massachusetts to most popular internet weather sites and the National Oceanic and Atmospheric Administration.    This winter I'll be able to track the temperatures and ensure our animals and infrastructure are protected from the cold.

Thursday, July 5, 2012

Our Cancer Journey Week 28

This phase of our cancer journey ends in 26 days when radiation therapy is completed.   Cancer is a chronic disease requiring continued vigilance for the rest of Kathy's life, but the major milestones for 2012 are drawing to a close.

In many ways, the cancer journey was a metaphor for our lives during the same period.

We made the decision to use the cancer diagnosis to fundamentally change our lifestyle.  The many steps of that effort are also approaching completion.

In February we bought Unity Farm and prepared our Wellesley home for sale.  Just as a cancer journey requires a team, a plan, and incremental progress, selling a home is a major project.   We painted, refinished cabinets, and repaired every bit of infrastructure to ensure our 1930's cape was in perfect showing condition.    Escrow closes on that sale at the end of July, just as cancer treatment is wrapping up.

To prepare for the transition from one home to another, we rented a storage space and filled it with all our books and Kathy's art supplies.   We'll finish the move of its contents to Unity and close the storage space at the end of month.

Kathy examined her professional life and chose to consolidate her studio and art life with the activities of the farm.   We packed up her studio and leased the space to another artist.

Kathy and her business partner also decided to close their South End gallery after 3 years in a challenging art market.   We'll move the remaining contents of the gallery to Unity.

We're finishing the preparation of Kathy's father's house for an August listing, so he'll be fully moved to Unity just as cancer treatment ends.

Thus, our personal journey - buying/selling property,  creating a multi-generational household,  closing the studio/gallery,  and enhancing the farm to accommodate chickens/guinea fowl, alapca/llama, and 5 tons of hay storage is approaching completion.

When I reflect on the combined medical and personal journeys of the past 6 months, I realized that we've traversed 4 out of 5 of the major live stresses:

*Serious illness  (Cancer)
*Job change (Kathy's studio/gallery, my transition from part time Harvard CIO)
*Location change (suburban to farm)
*Move of parent/sale of their home and belongings

Luckily our marriage thrived during these events, so the 5th major stressor - relationship change - was not a factor.   We celebrate our 28th wedding anniversary a few days after cancer treatment ends.

Although Kathy's fatigue and numbness continues, we're fast approaching a period of personal and collective recovery from the journey thus far.    By August, 2012, our major life stressors will be behind us, the animals will be in place at the farm, and we'll be able to sit on the porch on hot summer nights, reflecting on where we've been over the past 6 months and where we're going.  The future is looking very bright.

Tuesday, July 3, 2012

The Office of Civil Rights Audit Protocol

Recently, the Office of Civil Rights (OCR) published their protocol for HIPAA audits.  The scope includes

Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

Security Rule requirements for administrative, physical, and technical safeguards

Breach Notification Rule requirements

For example, there are 77 performance criteria and corresponding audit procedures for the Security rule.  Most validate that appropriate processes and procedures are in place.

The OCR protocol provides a useful rubric for assessing the status of an organization's compliance.  It's well done.

The protocol is not intended to tell organizations how to develop these policies.    Luckily, NIST provides detailed implementation guides including standard practices and best practices.

As part of my Summer of Compliance work, we're using the NIST 800 framework as a means of benchmarking our policies and technologies.  Since NIST 800 is exhaustive (everything from password management to IP phone configuration), we needed a focused subset.

NIST 800-66 provides guidance for implementing the HIPAA Security Rule and includes a crosswalk (Appendix D) of the Security Rule requirements against the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems.  The NIST SP 800 publications that discuss those security controls in greater detail are also referenced including implementation specifications within the Administrative, Physical, and Technical Safeguards sections of the Security Rule.

Compliance is a journey.   The OCR audit protocol plus a subset of  NIST 800 implementation guides provide a roadmap for compliance success.

Monday, July 2, 2012

Leadership Lessons from Dancing Guy

Last week, a few members of the HIT Standards and Policy Committees were speaking about the future stages of meaningful use and the pace which stakeholders will tolerate.

As we discussed change management strategies, someone mentioned the You Tube video of the Dancing Guy as a model for how groups react to a new idea.

The thesis in this 3 minute  is that the leader is not the catalyst for adoption, it's the first follower who validates the leader's ideas and creates a safe environment for others to join.

In college and medical school interviews, I was often asked "are you a leader or a follower"?  My answer at the time was "both - it depends on the situation and context".

The Dancing Guy video postulates another answer - you can be a leader by being a follower.

In my experience, this first follower phenomenon rings true.  

French historian Alexis de Tocqueville concluded that Americans are a country of joiners.   Once a movement starts building, we do not want to be left out.

Early adopters of EHRs were informatics types experimenting with new technology.  Once the tipping point (about 20% adoption) was reached, clinicians began demanding EHRs so that they would be seen as equals in the referral community.

Health Information Exchange is still in its infancy, but I'm beginning to see a tipping point there too.   Massachusetts goes live with a statewide Direct-based exchange on October 15, 2012.   Partners Healthcare, Children's Hospital Boston, Beth Israel Deaconess, Atrius and others have committed to be part of the "golden spike" events, exchanging data as the network is activated.   All it took was one influential follower to validate the desirability of participating and immediately other institutions wanted to become early adopters - part of the "in" crowd"

Thanks to the Dancing Guy for giving us the secret for successful HIE adoption.  Be a leader by being a follower and soon the entire community will join in.