Technology Tightrope: Balancing Digital Advances With Patient Safety and Risk Concerns
2
Today’s Program
Today’s speaker is MaryAnn Digman, RN, MSHA, Senior Patient Safety & Risk Management Consultant, Medical Protective ([email protected])
MaryAnn brings a wealth of education and more than 25 years of progressive clinical and operational healthcare leadership experience to her responsibilities at Medical Protective.
Her previous roles in large integrated systems, academic medical centers, community hospitals, and rural healthcare in public, not-for-profit, and investor-owned systems — and her experience as a COO/CEO ― are invaluable to her clients as they develop effective business strategies.
MaryAnn earned her RN degree from St. Mary’s School of Nursing in Rochester, Minnesota. She completed her bachelor of science degree in health education from the University of New Mexico and her master of science degree in healthcare administration from the University of St. Francis in Joliet, Illinois.
MaryAnn is a member of the American College of Healthcare Executives (ACHE), and she has served on the Board of Directors of the Voluntary Hospitals of America (VHA) Southwest, the New Mexico Hospital Association, and numerous community agencies.
3
Designation of continuing education credit
Medical Protective is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education for physicians.
Medical Protective designates this live activity for a maximum of 2.0 AMA PRA Category 1 Credits™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.
The Medical Protective Company is designated as an Approved PACE Program Provider by the Academy of General Dentistry. The formal continuing dental education programs of this program provider are accepted by AGD for Fellowship/Mastership and membership maintenance credit. Approval does not imply acceptance by a state or provincial board of dentistry or AGD endorsement. The current term of approval extends from October 1, 2015, to September 30, 2018. Provider ID 218784.
The Medical Protective Company designates this continuing education activity as meeting the criteria for up to 2 hours of continuing education credit. Doctors should claim only those hours actually spent in the activity.
4
Disclosure
Medical Protective receives no commercial support from pharmaceutical companies, biomedical device manufacturers, or any commercial interest.
It is the policy of Medical Protective to require that all parties in a position to influence the content of this activity disclose the existence of any relevant financial relationship with any commercial interest.
When there are relevant financial relationships, the individual(s) will be listed by name, along with the name of the commercial interest with which the person has a relationship and the nature of the relationship.
Today's faculty, as well as CE planners, content developers, reviewers, editors, and Patient Safety & Risk Solutions staff at Medical Protective have reported that they have no relevant financial relationships with any commercial interests.
5
Objectives
At the conclusion of this program, you should be able to:
• Explain why selection, training, and competency are top risk concerns for all new technologies.
• Understand risks associated with social media/electronic communication and identify key areas for consideration in the development of social media policies.
• Cite barriers and risks associated with telehealth, and describe several strategies that can help address telehealth liability concerns.
6
Specific areas for review
Data security
Electronic communication
Electronic health records
Telemedicine
New technologies
7
Why talk about data security?
• Stolen health information is more valuable than stolen social security numbers.
• Increasing numbers of healthcare providers are reporting privacy breaches.
• Growing automation and adoption of EHRs exacerbates the risk of privacy breaches.
“An Evolving Risk.” Healthcare Risk Management Review, Annual 2014/15
8
Privacy and security risks
Email and texting — Is it encrypted and secure?
General internet use
Social media posts
Staff-owned electronic devices (laptops, tablets, smartphones)
Flash drives/disks
Charts/media taken out of office/facility
Failure of back-up devices
9
Cyber/privacy cases: Volume by allegation type
[Pie chart. Categories: Breach of Confidentiality | Altered/Misplaced/Stolen/Destroyed Records | Noncovered Claim | Breach of Contract or Warranty (Vendor Breach of PHI) | Malware/Virus | Identity Theft | Other. Values shown: 50%, 25%, 7%, 6%, 5%, 3%, 4%.]
Data source: MedPro Group claims data, 2011−2014.
Three-fourths of all cases related to cyber liability/privacy issues arise out of breach of confidentiality (disclosure of personal health information) or theft of patient records (either paper or electronic). Breach of contract/warranty cases involve failure of vendors to provide protection against “hacking” into system servers.
The “Other” category includes unique scenarios, such as stealing of patient lists for new business, attaching incorrect patient identification to billing records, etc.
10
Case study: Postsurgical pictures on Instagram
Scenario: Successful augmentation procedure performed by plastic surgeon; patient consented via Facebook message to physician office posting “after” pictures on Instagram.
Case Overview: Within 2 hours of photo being placed on Instagram, claimant contacted physician office and asked that it be removed.
Outcome: Claim filed, even though photo was immediately removed; alleged violation of rights, negligence, breach of fiduciary duty, breach of contract, and infliction of emotional distress.
Key Issue: Consent did not include all required HIPAA elements.
11
Cyber/privacy cases: Volume by location/origin of case
• Half of all cases originate in an office or on office property.
• Actual cyber-based (Internet) occurrences account for another 15% of cases.
Data source: MedPro Group claims data, 2011−2014.
The “Other” category includes unique scenarios, such as a newspaper article revealing PHI, patient’s home, civil litigation, etc.
[Pie chart. Categories: Office/Office Property | Cyber: Office/Practice Website | Vehicle | Patient's Chart | Noncovered Claim | Cyber: Malware/Virus | Cyber: Vendor | Provider/Staff Home | Hospital | Other. Values shown: 54%, 10%, 10%, 9%, 8%, 5%, 2%, 2%, 1%, 9%.]
12
Cyber/privacy cases: Volume by risk indicator (contributing factor)
Data source: MedPro Group claims data, 2011−2014
The “Other” category includes miscellaneous scenarios, such as a patient bringing suit against a provider for reporting the patient to welfare services.
• The percentage of failure to follow policy/procedure cases is increasing. This is attributed to breaches occurring within an office setting due to failure to adhere to HIPAA requirements.
• Theft of property (e.g., computers) continues to be a factor seen most often when a laptop or briefcase containing PHI is stolen.
[Pie chart. Categories: Failure to Follow Institutional Policy/Procedure | Theft of Property; Unsecured Property | Communication (i.e., Verbal Disclosure of PHI in Public Area) | Cyber: Malware/Virus Protection/EHR System Crash | Informed Consent: Failure to Obtain or Lack of | Failure to Monitor Clinical Staff | Noncovered Claim | Documentation Missing/Lost/Destroyed | No Factors (Unfounded Claim) | Other. Values shown: 27%, 27%, 9%, 8%, 8%, 7%, 6%, 4%, 1%, 3%.]
13
The importance of encryption
• Encryption is a method used to make information unreadable by third parties.
• A key, like a decoder ring or code, is used to decrypt the information to make it readable again.
Rashid, F. Y. (2013, December 7). Majority of mobile apps have serious security flaws. PC Magazine. Retrieved from http://securitywatch.pcmag.com/mobile-apps/318686-majority-of-mobile-apps-have-serious-security-flaws
14
Being proactive — Security Risk Assessment Tool
http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
15
Risk assessment process after a breach
Minimally, four factors must be considered in the risk assessment:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
• The unauthorized person(s) who used the PHI, or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• The extent to which risks associated with the breach have been mitigated
16
Technology, communication, and documentation
17
Range of technologies and applications
Email and texting
Websites, blogs, and RSS feeds
Social media
Skype and FaceTime
EHRs and patient portals
An “app” for this and an “app” for that
18
Key risk areas
Technology maintenance, upgrades, and monitoring
Education and/or training
Privacy, security, and compliance — including permanence of information
Policies and procedures
Quality and control of content
Provider−patient relationship, including medical advice
19
Use of social media in communication
• Quick dissemination of information
• Utilizes contemporary marketing methodologies
• Mechanism for reaching a tremendous number of people
• Recruiting and background checks
• Development of personal support and information-sharing groups
20
AMA Social Media Guidelines
• Patient privacy and confidentiality must be maintained in all environments.
• Personal use of Internet/social networking — use privacy settings and all safeguards.
• Monitor personal Internet presence.
• Maintain appropriate boundaries in provider−patient relationship.
• Separate personal and professional content.
• Give peers feedback, report to appropriate authorities.
• Recognize that online actions and content may damage reputation and undermine public trust.
21
What about online reviews of your practice?
Options to consider:
• Do nothing.
• Ask the webmaster to remove the post.
• Do NOT engage in an online debate!
• If you do respond, do not respond to online comments. It’s okay to script language to indicate you are committed to providing excellent patient care and encourage anyone with concerns to contact your office directly.
22
Risk of board investigation
Study published January 15, 2013, in the Annals of Internal Medicine:
• Surveyed 70 state medical and osteopathic boards.
• Participants assessed hypothetical vignettes of online physician behavior.
• Asked to classify each — likelihood of triggering an investigation, possible sanctions, etc.
Greysen, S. R., et al. (2013, January 15). Online professionalism investigations by state medical boards: First, do no harm. Annals of Internal Medicine, 158(2):124-130. Retrieved from http://annals.org/article.aspx?articleid=1556363
23
Investigation likely — High consensus
81% Misleading information about clinical outcomes
79% Using patient images without consent
77% Misrepresenting credentials
77% Inappropriately contacting patients
24
Investigation likely — Moderate consensus
73% Depicting alcohol intoxication
65% Violating patient confidentiality
60% Using discriminatory speech
25
Investigation likely — Low consensus
46% Derogatory speech toward patients
40% Showing alcohol use without intoxication
16% Providing clinical narratives without violation of confidentiality
26
What the AMA says about email
Email should be used to supplement a provider−patient relationship and is frequently a way for patients to ask more detailed questions.
27
Email checklist
Do you have a signed release and acknowledgement from the patient that includes:
Requirement that for emergent or urgent concerns, communication will be via phone or in person?
Notice of the provider’s right to refuse to make decisions or conclusions based on information obtained online?
Notice that email communication is retained in the patient’s healthcare record?
Notice that the patient has read and accepted the practice’s “online patient policies,” which include hold harmless language and terms of use?
Email server encryption requirements, and a waiver if patients opt not to use an encrypted service?
28
Case study — Texting
Scenario: Academic medical center used smartphones to enter orders.
Case Overview: Resident was in the process of discontinuing warfarin; at the same time, she received a party invitation via text message. The disruption caused her to forget to discontinue the medication.
Outcome: Three days later, the patient had a bleeding crisis that required surgery.
Key Issue: Did personal use of mobile technology cause the distraction, which resulted in the adverse outcome?
29
Risk issues with text messages
May reside on a mobile device and with a carrier indefinitely
Potential for exposure to unauthorized third parties due to theft, loss, or recycling of the device
May be accessed without any level of authentication
Interception and decryption of text messages possible with inexpensive equipment
Information outside the health record
30
Risk mitigation for texting
Establish a policy that prohibits or limits texting and establishes retention guidelines
Train providers and staff on appropriate use
Conduct inventory of all mobile devices, including personal
Protect ePHI through passwords and encryption on all devices
Delete data completely prior to retirement of any device
Require health record annotation if texting is used for decision-making
31
Electronic Health Records
• EHRs — although intended to enhance communication and documentation — also are fraught with risks, such as:
o System interface issues — hardware, software applications, data flow (i.e., between order entry and pharmacy)
o Clinician communication pitfalls — including problems sending and receiving referral/consult information, as well as possible uncertainty as to whether the information was received
o Overuse or inappropriate use of the cutting and pasting function
o Alert fatigue
o Process lapses, such as failure to review information for content and accuracy prior to finalizing documentation
32
EHR errors as a risk factor — By case type
33
EHR errors as a risk factor — By location
34
EHR errors — By clinical severity outcome
35
EHR risk strategy
Identify functions within the EHR that create high risk for your practice, such as:
• Test tracking
• Drug interaction and allergy alerts
• Cancelled appointments and “no shows”
• Medication prescribing process
Consider developing a performance improvement plan to help mitigate these risks.
36
Patient portals
• Secure online website giving patients 24-hour access to PHI, including:
o Prescription requests
o Discharge summaries
o Diagnostic test results
• Terms of use should be clear
• Access should be via encrypted, password-protected login process
• EHR audit trail should be utilized — validate who accessed patients’ records and when
• Goal should be to enhance provider−patient communication and to improve patient outcomes
http://healthit.gov/providers-professionals/faqs/what-patient-portal
37
Telemedicine
38
Definition of telemedicine
“Telemedicine is the use of medical information exchanged from one site to another via electronic communications to improve a patient’s clinical health status.
Telemedicine includes a growing variety of applications and services using two-way video, email, smartphones, wireless tools, and other forms of telecommunications technology.”
American Telemedicine Association. (n.d.). What is telemedicine? Retrieved from http://www.americantelemed.org/about-telemedicine/what-is-telemedicine
39
Benefits of telemedicine
• Improved access
• Cost efficiency
• Improved quality
• Patient satisfaction
• Convenience
• Market share
40
Telemedicine — Other considerations
• When to see patients via telemedicine technology
• Scheduling
• Guidelines for patients on how to use the technology
• Systems must be HIPAA-compliant
• Licensing
• Provider reluctance to use
• Reimbursement
• Informed consent
Crane, M. (2014, July 25). Exploring telehealth models. Medical Economics, 91(14), 17−20. Retrieved from http://www.modernmedicine.com/sites/default/files/images/digital/ME/me072514_ezine.pdf
41
Types of technologies
Delivered through secure networks, email, landline, and wireless communication . . . telephone, satellite, Internet, and VPN:
• Videoconferencing
• Store-and-forward imaging
• Patient monitoring centers
• Mobile technologies (delivered via smartphone, tablets, etc.)
• Internet e-health patient services or professional education
• Robotic services (monitoring, surgery, etc.)
American Telemedicine Association. (2013, July). State Medicaid best practice: Store-and-forward telemedicine. Retrieved from http://www.americantelemed.org/docs/default-source/policy/state-medicaid-best-practice---store-and-forward-telemedicine.pdf?sfvrsn=6
42
Reimbursement
Medicare
Restrictions on types of services and geographic location.
Medicaid
Telehealth reimbursement and other policies vary from state to state.
Commercial Payer
Reimbursement varies; however, the number of private payers who are covering telehealth services is increasing.
43
State licensing board regulations
• State regulations vary; some states address telemedicine directly, others indirectly, and some not at all.
• In the absence of direct or indirect guidance, doctors can assume that they likely need a license in the state where the patient is located.
• Even doctors practicing within one state may need a special telemedicine license or permit, depending on state law.
44
Risk issues
Clinical
• Provider−patient relationship
• Patient assessment
• Medical advice
• Patient education
Admin
• Documentation
• Billing
• Patient identification
• Privacy/security
• Maintenance of technology
Regulatory
• State and federal regulations
• Informed consent
• Clinical decision-making
• Quality improvement
• Written agreements, MOUs, contracts
45
Credentialing
• CMS regulations, The Joint Commission
• Credentialing by proxy
• Requirements
• Ensure that providers at distant sites are legally allowed to provide services to the originating site’s patients
46
Online prescribing
• Provider–patient relationship
• Adequate physical exam
• Accuracy of patient history
• State licensing board requirements
• Federal regulations
• Majority of legal actions that have been brought against telehealth providers are related to online prescribing
47
Informed consent
• Telemedicine-specific:
o Names of all involved healthcare providers, as well as credentials and location
o Plan for ongoing care (who is responsible)
o Security/privacy measures
o Risks associated with use of telehealth services (e.g., technical problems)
o Alternative plan in case of emergency/malfunction
• Should be documented in the patient’s medical record
48
Privacy/security of PHI
• Transmission of data for telehealth services must comply with HIPAA and HITECH standards, as well as any relevant state laws (same duty as in-person care)
• Safeguards must be in place at every point in the process (originating site, transmission medium, distant site).
• Providers must be aware of approved vs. nonapproved technologies for telehealth
• Policies/protocols for confidentiality
49
Risk strategies
Ensure that telehealth providers are properly credentialed.
Ensure that communication from telehealth providers is promptly reviewed and acted upon.
Develop and implement standardized clinical protocols.
Ensure that complications and adverse events associated with telehealth services are reported as part of the practice’s incident report policy.
Gauge patient and provider satisfaction with telehealth program using surveys or questionnaires.
50
Risk strategies
Ensure that technology used to facilitate telehealth interactions is functional and used appropriately by providers and patients.
Follow available telehealth standards to reduce risks of error and lost data.
Provide staff training on telehealth technologies, scope of service, maintenance, and policies/protocols.
Understand the requirements related to the telehealth technology being used.
Implement privacy and security safeguards for the transmission of patient health information.
51
Malpractice liability
Little information available
Increased use, more questions
May involve acts of commission or omission
May involve numerous defendants
Potential for vicarious liability
Potential for miscommunication
Provider−patient relationship
52
New technologies
• Embrace or avoid?
• Where are you on the adoption continuum?
• If you take the leap, do your due diligence!
53
Examples of new technologies
EHR/CPOE/big data
Genetics
Robotic surgery
54
Pressure to purchase and use new technologies
• Increase revenue/profit
• Competitive advantage
• Appeal for younger doctors, staff
• Patient demand and growing market pressure
• Marketing that overpromises results but fails to define risks
55
General risk management concerns
Lack of awareness regarding learning curve, path to proficiency (volume)
External pressures, i.e. patients, hospitals, etc.
Patients unaware of risks, lack of informed consent
Overestimation of benefits
No universally accepted guidelines on how to train or length of training
Because the technology is so new, standards of care have not yet been established
56
Training, competency, and credentialing
• Initial training for doctors and staff
• Proctoring/oversight
• Proficiency — How many is enough?
• Credentialing
• Ongoing training and competency testing
57
Risk strategies
Better training/documentation of training
Procedure for oversight/proctoring
Development of screening criteria
Use history/physical exam to evaluate each potential candidate and identify risks and benefits
Disclosure of risks to patients/patient options — informed consent discussion
Documentation of any special actions taken to reduce risk
58
Due diligence and planning before implementation
• Is your entire team (staff, office, etc.) on board with implementation of this new technology?
• Will this technology help you move forward, i.e., increase market visibility, enhance encounters with your patients, streamline communication?
• Were all end-users involved in the decision-making process?
• Does this technology blend in well with existing policies/procedures (e.g., social media policy, patient portal access, etc.) or will new policies and procedures need to be developed?
59
Final warnings
• Pause, think, and think some more about use of various technologies in your practice.
• Patient perception is the foundation of litigation.
• The only thing that lasts forever is electronic media.
• The only thing that doesn’t last forever is electronic media that can’t be preserved.
60
The joy of technology
Technology is a moving target.
In the time it took us to present this program, telemedicine evolved in another new direction.
61
What questions do you have?
62
Disclaimer
The information contained herein and presented by the speaker is based on sources believed to be accurate at the time they were referenced. The speaker has made a reasonable effort to ensure the accuracy of the information presented; however no warranty or representation is made as to such accuracy. The speaker is not engaged in rendering legal or other professional services. If legal advice or other expert legal assistance is required, the services of an attorney or other competent legal professional should be sought.