As a 200-bed, not-for-profit hospital that isn’t affiliated with a health system, Beaufort Memorial Hospital is something of a rarity these days. For Ed Ricks, being CIO of a standalone brings with it a unique set of challenges — particularly when the organization is faced with a time-consuming CMS audit. In this interview, Ricks talks about the issue he has with post-attestation audits, why Meaningful Use is “backwards,” and how his organization is working to make text messaging secure, instead of taking it away. He also discusses best practices for ending a vendor relationship, what he’s doing with patient portals, and his thoughts on healthcare reform.
- About Beaufort Memorial Hospital
- The Meaningful Use audit challenge — “Some of the requests were almost ridiculous”
- Why up-front auditing might make more sense
- Going with secure messaging from Imprivata
- The art of risk management
- Making technology invisible
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
When something pops up out of the blue that’s going to take another 40 or 80 hours out of your work week, it’s crazy. I don’t have the luxury that a lot of other people have to pass stuff down.
Everything figures into Meaningful Use, and yet that’s exactly backwards of how you should plan a strategy. We’re trying to do what’s right for our hospital and our community and our patients, knowing all along that we have to make sure we check the right boxes.
They’ll try not to do it, but it’s just too tempting. It’s too efficient and too easy. They text in every other facet of their life, and so it’s just something that’s become the norm. To expect them to not use a tool like that to help them become more efficient in their day-to-day activities at the hospital doesn’t even make sense.
As part of a smart business practice, everyone should do a security analysis or risk assessment at least annually and maintain that. Update that information as you make changes to what you’re doing.
From an IT perspective, we can implement all of these packages, but if nobody uses them, it’s just an exercise in what can IT do and not really something that can improve our business and improve patient care and safety.
Guerra: Good morning Ed, looking forward to talking with you about some of the things you’ve been doing at Beaufort Memorial Hospital. Tell us a little bit about the organization and we’ll go from there.
Ricks: So Beaufort Memorial Hospital, we’re one of the rare breeds. We’re a 200‑bed, not-for-profit community hospital, not affiliated with anybody else today and still strong and staying in business. Although as you know from everybody else, it’s becoming more and more difficult all the time with the way things are changing, but things are going really well here.
Guerra: So there are some different pressures on you. Well it looks like you’ve been very active, certainly doing everything that the big health systems are doing. We can talk about some of the major things you’re doing — I’ve got them here, but why don’t you start with some of the main projects you’ve been up to, and we’ll go from there.
Ricks: Well, like everybody else, the last couple of years we’ve been trying to knock out all the requirements for Meaningful Use — not really because of the money. I think we were on the right track to begin with, which maybe made it a little bit easier for us from a culture perspective to achieve some of those initiatives, but happily, that did work out well. So we did attest for Meaningful Use in fiscal year 2011 and then again in fiscal year 2012.
And possibly you’re hearing this from a lot of my other colleagues, but for those who attested in fiscal year 2011, there are a lot of random audits by CMS on their attestation. I think they’re randomly selecting almost everybody — the way it sounds to me — to go through an audit for your attestation. So just a word of warning for everybody — be prepared for that and make sure you do have and keep all the documentation that helps you generate the information you reported on. I think that’s a big thing. Are you hearing that from other folks in the industry?
Guerra: I have started to hear this ramp up more. There are definitely concerns about audits and I think CHIME just put out a statement about the audit. It’s definitely becoming an issue.
Ricks: It’s just another way to take more of our time away from us. And I think it’s probably relevant, but it’s just so frustrating with a lot of these things. Everyone is looked at like you’re doing something fraudulent when everyone’s just trying in best faith to do the right thing and hopefully save the right documentation and things like that, and I’m sure we’re fine in what we were able to give. But some of the requests were far more detailed and almost ridiculous than I would have ever expected. It’s really curious because I took some of those back to our HIS vendor whose certified software was used, and that was certified by the agency that was mandated. Those questions never came up to the certification process, and yet the hospital was held to that standard a year after the fact when the audit came through, which is kind of ridiculous.
Guerra: Are we talking about a lot of manual work to generate the detail that they want for the audits?
Ricks: To some degree yes, and again, depending on what you may have saved when you went through the process — and we thought we were being very diligent in saving all the things we needed — some of the things were just surprising. We were almost trying to prove a negative in some cases, which you can’t do. And so we just had to submit the information we had and why we designed what we designed, and we’ll see what they come back with. Again, I think we’re fine. It all makes sense to us, but it would have been nice to know that was a standard we were going be held to. We might have prepared differently in advance. I don’t think anybody knew that. Certainly with our HIS vendor, it wasn’t anything that came up with them.
Guerra: Would it have been reasonable, do you think, to expect that you might have known about what the audit procedures would be when you’re attesting so that it’s out there sort at the same time — here’s what we want from you, here’s the attestation process, and here’s some detail on the audit process that may happen to you down the road so you know this is what we’re going to want. Would that have made sense, or is it unreasonable to expect to have had that prior?
Ricks: Well, I’m chuckling here because it absolutely would have made sense, and I don’t see how it’s unreasonable at all. There’s an expectation of what is required from folks beyond submitting the information.I think that to be told you’re going to be held to that standard later on is perfectly appropriate. We had hundreds of pages of documentation on Meaningful Use. It seems like we could have had a page or two on the expectations for the attestation.
Guerra: Yeah, I guess you start to feel like they’re playing ‘gotcha’ — that they know they’re making you jump through some tough hoops just because they want to pull some of that money back, or it’s going to look like they weren’t even checking.
Ricks: Right, right. And I actually like what we all saw last week when the OIG looked at possibly some upfront auditing before people attest. Now that makes more sense to me, because you haven’t sent the information in. You’re validating that you’re doing things the right way and then you can send it. I like the thought of that, to be honest with you.
Guerra: That’s interesting because I believe the CHIME statement was, ‘we’re not in favor of anything that would delay payments,’ but as someone who is looking at possibly going through an audit, you’re saying, I would have been just fine with doing it upfront. It would have been easier.
Ricks: Doesn’t that make sense? And I agree. I don’t want anything that’s delaying the process, and I do think it’s just another level of bureaucracy that we figure out a way to throw into this equation. But if you know in advance that you’re going to meet everything before you do the attestation — and we know that; we feel like we’ve got all the right data. We’re doing the right things and we’ve gotten some good counselor advice along the way. Still, validating that upfront, to me, makes sense.
Guerra: It’s a little nerve wracking, right? Because with something like this, whenever you deal with the government, at least it seems to me, things are so far out of your control. They could come back and they could say, ‘Hey, you didn’t pass the audit. We’re taking the money back.’ And so where do I appeal? What do I do? Well, nothing. You’re so powerless when you deal with this kind of thing it seems.
Ricks: That’s exactly how I feel. Thankfully I’ve never been through it from a personal perspective on task with anything, but I think it would be the same feeling that things are out of your control and you’re just going to have to go along for the ride.
Guerra: So we’ll see what happens with that. Now you said you’re being audited?
Ricks: We were. Well, I guess we are. I don’t have a final ruling on it yet, but we were for our fiscal year 2011 attestation and curiously, most of the folks who I know who also attested in fiscal year 2011 got the same random audit. So I think it’s far more than random.
Guerra: And as you mentioned when you started talking about this, it’s as if you don’t have enough to do. You didn’t have hours of free time in your day that you can now plug in to deal with the audit, right?
Ricks: We all struggle with our limited resources, and again, we’re possibly a little bit different as a community hospital. And so as the VP here, not only do I have IT, but I have some other departments from an operational perspective that are also important and are involved in all the strategies of the hospital.
So time is hard to come by. A lot of times I think that is what’s fun about this job — and you probably hear that from a lot of the colleagues. There’s so much going on and we are an integral part of almost every strategy now on a go-forward basis. It’s always interesting and exciting, but it’s difficult to find the time. And when something pops up out of the blue that’s going to take another 40 or 80 hours out of your work week for a few weeks, it’s crazy. I don’t have the luxury that a lot of other people have to pass stuff down. Certainly there are other folks who helped with this style of an audit, but I am still very intimately involved, just because of the scope that I’ve got to handle for our size. So yeah, at times it’s difficult.
Guerra: This certainly sounds like it would rise to the level of significance of something you should keep your eye on or maybe deal with, right?
Ricks: Yeah, I wasn’t just going to pass the buck on this one.
Guerra: So this meets that level of criteria.
Ricks: Without a doubt.
Guerra: Very interesting. So let’s talk about some of those other projects besides the audit and Meaningful Use. And everything figures into Meaningful Use, so let’s talk about some of those sub-projects and individual projects that you’re working on.
Ricks: It’s frustrating because your statement is so accurate — everything figures into Meaningful Use, and yet that’s exactly backwards of how you should plan a strategy, if you ask me. We’re trying to still do what’s right for our hospital and our community and our patients, knowing all along that we have to make sure we check the right boxes for Meaningful Useand the multiple other regulatory agencies that we work with.
Some things we’re doing actually have relevance, I think, and are the right things — a lot of things on the patient side and a lot of things on the clinical side. But one of the things that we just went through was putting in a secure text messaging application. It’s one of those things where inherently you know you’ve got a problem out there. And I’ve talked to the other CIOs that said, ‘We don’t have a problem with text messaging. We have a policy that protects us.’ That’s just sticking your head in the sand, I think. We have a problem. Physicians and other clinicians have these tools in their pockets and they know how to use them to become more efficient. That’s really one of the things they’re very good at. And I think inherently most people want to do the right thing if they’re given the right tool. We found something that actually worked really well for us so that we could implement a secure text messaging application. And that went really well for us and it was well-received by the clinicians, and so I was happy with that.
Guerra: Let’s talk a little bit more about that. Tell me what they were doing that was of concern. They were texting each other for patient care on their personal devices?
Ricks: Yes, absolutely.
Guerra: So you know it’s going on. No one throws it in your face, but you know it’s happening, so you say ‘this needs to be addressed.’
Ricks: Yeah, that’s right. And these folks all want to do the right thing. If we tell them it’s not right, they’ll try not to do it, but it’s just too tempting. It’s too efficient and too easy. They text in every other facet of their life with their kids and their family or their friends or whatever it might be, and so it’s just something that’s become the norm I think. To expect them to not use a tool like that to help them become more efficient in their day-to-day activities at the hospital doesn’t even make sense. I think giving them a tool that doesn’t detract from the workflow — and really that’s what a lot of our initiatives are — is sort of a way to make the technology more invisible to the clinicians and yet help protect us a little bit more.
Guerra: I believe the product is Imprivata Cortext.
Ricks: It is, yeah.
Guerra: Tell me about the sequence. You know you have an issue, and all of a sudden you discover this product and you go say, ‘Hey, this will let them work the way they are and it will take care of our liability or security issues.’
Ricks: That’s essentially it. I was luckily in the right place at the right time with this one. I knew we had a problem. There are a few other solutions available out there, but we had been talking with some of the Imprivata folks and their administrative team. That was just an application that they saw a need for in healthcare, and they’ve sort of changed their focus to be solely in the healthcare vertical now and fiddle out those niches we all have that are workflow related and security related.
We were actually going to participate in a beta with them for the product, and it was the easiest thing we ever did. It’s funny, I thought we’d try to get 10 or 15 physicians to be a part of this beta pilot and see what happened with it, and just through word of mouth of the physicians, we ended up with over 60 people in our beta group, which was interesting. But it’s just so simple and easy for them to use that it was an easy sell I guess.
Guerra: Let’s talk a little bit about the larger issue there—the idea that there could be ways clinicians are working in your hospital and it can’t continue to go on. You know there’s a problem with it. So you try and find something that makes it possible, but if you can’t, then what? Then you have to figure out how to stop it or you’re just ignoring a big liability. Tell me how that works in your mind.
Ricks: I think that’s the difficult line — it’s all risk management. As part of a smart business practice and also as part of HITECH, everyone should do a security analysis or risk assessment at least annually and maintain that. Update that information as you make changes to what you’re doing. I think it’s a matter of picking apart the greatest risks and dealing with those and knowing what all the risks are, because you can’t ever eliminate them. I think it’s just understanding them — eliminating the ones you can eliminate or at least maybe mitigate to some degree, and then move on from there.
I’d say if you ask me what else we are doing over the last year or year and a half since we talked before, probably the biggest thing we’ve done here is address a very common problem with all the hospitals I’ve ever worked in and most of the hospitals I’ve talked to. We’re a perfect area for a lot of these kiosk workstations or generically logged in PCs so you have clinicians floating through the areas that don’t have the time. They actually log out and log in to the network or windows or whatever the case may be, or they won’t do it. So they may be authenticated to the application, but the desktop itself might be running and you’ve got all these inherent things that are risks associated with that, and traditionally you have a lot of PCs out there that have drives on them with data that could be stored. Some people encrypt all those drives and some people don’t and they just try to manage that risk a little bit.
We put our focus on developing this invisible technology. It really started when we were implementing CPOE and trying to engage the physicians and the other clinicians. From an IT perspective, we can implement all of these packages, but if nobody uses them, it’s just been an exercise in what can IT do and not really something that can improve our business and improve patient care and safety. We put the focus on both sides. On the software end, how does that software actually work with our vendor and how do we develop that to be the most conducive to workflows? How do we eliminate the barrier of the hardware and just access that hardware and have it available to you? We came up with what we’ve branded our invisible solution.
We virtualized all the desktops for these clinicians and put in zero client devices everywhere in our public areas — all of our patient rooms, the nurse stations, places where the physicians sit and document, and things like that. So we completely eliminated the risk of a traditional PC. Everything just runs over the network. We integrated that with a single sign-on at the same time and our RFID badge tap from our employee badges, and so the physicians kind of roam from room to room, tap into that work station, and they get their PC. It follows them around. It’s logged in to every application that we have. They use Dragon; it’s embedded within our documentation with Meditech, and so their PC is already trained for them. Regardless of their hardware independence or location independence, it’s following them around.
That’s actually been really well received. I think it’s really helped our user adoption and that’s really one of the ways I’m measuring the success of what we’re doing — not only by meeting the metrics for Meaningful Use, but by how easily I can engage the clinicians in the process as we go instead of forcing it down their throats.