Wednesday, March 7, 2012

This ain't your grandma's locker! - PHI in the Cloud

So, recently I was talking to a potential customer about our MAx on Demand offering, which is our SaaS Healthcare Informatics platform, and he said that one of the challenges he's been facing is convincing his Sr. Executives that it is safe to host Protected Health Information (PHI) in the cloud. He asked me if I had any arguments for it. Boy, where do I begin? Here is a stab at it.

Not your grandma's locker!
That's right, this is not granny's locker where the key hangs "securely" around her neck! If you have doubts about how sophisticated our data protection capabilities are, take a look:

Companies like ours take the security of our clients' and their customers' data very seriously. So, there are two high-level layers of security in place: Physical Security and Network Security.

Physical Security
To access our data center physically, you have to go through a series of checks. If you are an employee, you are given a badge (after background checks of course!). This badge lets you in the parking lot and to the office spaces. You still can't get to the data center. To get to the data center, you have to have biometric access and a secure access code. This will let you into the data center. From the data center, to access your server, you have to have another secure pin that allows you to physically touch the servers. All of your actions are monitored by security cameras and stored.

If you are a visitor to our data center, you have to register with the guard station. You are ID'd and photographed. You will be escorted by an employee during your visit. 

Network Security
Our network security policies and procedures ensure the protection of company wide networks, related devices, and their services from unauthorized intrusion, modification, destruction, or disclosure. Network security provides assurance that a network performs its critical functions correctly, efficiently, and without any interference. Its primary goal is to provide a reliable and secure platform, designed specifically so that users and programs perform only the actions allowed.

Firewalls – Firewalls are utilized to provide dedicated, security specific processing hardware and a complete set of Unified Threat Management (UTM) security features including stateful firewall and web filtering.

Virus Protection – Antivirus software is installed on all Microsoft based servers and workstations. Automatic updates are configured to ensure the latest signatures are downloaded for system protection.

Logging – System logging occurs according to system settings defined by the administrator. Log records can be retrieved as needed. Successful and failed logon activities are logged by domain controllers.

Attack Monitoring – If that is not enough, you can always request 24x7 attack monitoring for your servers!

Disaster Recovery - If a disaster strikes, you can still sleep tight knowing that there is a triple redundant power supply to our data center. Oh, by the way, did I mention that this is a Category 5 hurricane resistant building?

Business Associate Agreements
And if you are still worried about liability, most reputed companies like ours will sign Business Associate Agreements as defined by HHS that make us adhere to HIPAA laws and liable for breach of private information: (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html)

So yeah, we know that you take your data protection seriously, so do we!  

Monday, February 6, 2012

Predictive Modeling in Healthcare

Ok, so these are my musings over predictive modeling, not a knock on it. (That is the disclaimer). So, as I was sitting around, pretending to watch TV and ignoring the dog who seemed to want to go out and play, I thought about Predictive modeling, in a healthcare setting. Specifically, in a Healthcare Provider setting. I actually asked this question on several groups on LinkedIn and asked folks if they have had success with it. The only person who responded with a success story was Mr. Alex Zverev (you can view his profile on LinkedIn here: http://www.linkedin.com/pub/alex-zverev/1/a01/b03), and the scenarios in which he has had successes are here (http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=90342387&gid=93115&commentID=65616962&goback=%2Egmp_93115%2Eamf_93115_10544349&trk=NUS_DISC_Q-ncuc_mr#commentID_65616962). So here are some of my thoughts.


My primary interest is in the Return on Investment of using predictive modeling. I see quite a few software providers out there claiming to have predictive modeling capabilities, but haven't heard of a lot of success stories, especially in a healthcare provider setting. Even less information is available on the ROI of implementing a predictive modeling solution.

To me, an ultimate predictive modeling solution would be something that can predict the stock market, which has an infinite number of variables to consider. But if it were that simple, everyone would be doing it. On the other hand, in healthcare, people are touting Clinical Decision Support capabilities using predictive modeling. "Which patient of yours is most likely to develop cancer?", for example. In my humble opinion, that again is quite a stretch, because of the number of variables that need to be taken into account, not to mention the "objective research" that needs to be available to create the model in the first place.

For example, it would be easy to say that a smoker of Asian descent between the ages of 18-40 may develop cancer quicker than others. But what if he is a smoker with healthy eating habits and hits the gym 4 days a week? What if that person only smokes three cigs a day? What if he has no genetic predisposition to cancer? To me, this is a cool exercise to conduct and eventually, as you gather more and more data and "evidence" really starts supporting your research in cancer, your model becomes much more reliable and this will start generating a measurable ROI, by reducing the cost of treating a patient through early screening and through preventive medicine.


My thought is that if you are going to do predictive modeling, start with an area with a limited number of variables. Your "bang for the buck" would be realized sooner and it would be greater in that scenario. For example, the scenarios that Alex describes (Capacity Planning and Measured Display Times for Display Stations) have a better chance of an "immediate" ROI than, let's say, a cancer predicting algorithm. Now, if you are reading this, and have had successes with using Predictive modeling in different settings other than the ones described above, please let me know. I'd like to hear your stories.

Tuesday, January 17, 2012

The Informatics M.U.S.E

Recently, I was talking to a customer and he asked what I thought a comprehensive informatics platform should contain. Currently, our focus is on Healthcare, but as I thought about it, I realized this applies everywhere. So, I said to him, "you have to have your M.U.S.E.". Ok, I am not talking about the Hollywood version with Sharon Stone, but the informatics version. So what is an informatics MUSE?

Measure
You have heard me harping about this over and over again. What are you measuring? Why are you measuring it? When you measure your business (healthcare or others), you understand your business better. So, measure everything that impacts your customers (internal or external).


Utilize
Alright, the second element: to have a successful implementation, you need to have utilization modules. For example, in healthcare, you measure OR Utilization. Great, now that you know that your utilization is below 100%, what are you going to do about it? How about an OR scheduling module that allows you to maximize your OR scheduling? Utilize the information that you gathered during your Measuring process.

SaaS (Software as a Service) it!
That's right, I said SaaS it. The biggest advantages of a SaaS solution for your business over buying the tools and technologies and building it yourself are cost savings and a much faster implementation lifecycle. It puts the focus on "information" and not the technology. Apprehensive about your data being hosted elsewhere? Don't be. Most reputable SaaS solution providers have hardened, HIPAA compliant Data Centers, with 24X7 monitoring capabilities.

Evaluate
That's right. Once your implementation is complete, constantly evaluate your data, decisions you make based on the data and evaluate your performance improvements. This'll allow you to revise your strategies on the go and allow you to make decisions as fast as small companies do.

So there, get your MUSE!

Sunday, December 18, 2011

CMS releases Sunshine Act guidelines

http://m.healthcarepayernews.com/content/cms-releases-overdue-sunshine-act-guidance

Tuesday, November 29, 2011

ACO Fact Sheet

National Committee for Quality Assurance (NCQA) recently published a fact sheet on Accountable Care Organizations. Read the Fact sheet here (http://www.ncqa.org/tabid/1312/Default.aspx). This gives you a good overview of why you should consider becoming an ACO.

Monday, October 24, 2011

More Regulation - ACO!

If you are like me, you are probably jumping up and down in joy that there is more regulation afoot (not!). ACO (accountable care organization) regulations came out last week. You can read all 696 pages and sift through the data or I can try to provide you a snapshot. Here you go:


Measurements
Quality measurements reduced from 65 to 33! Well, that is reduced in half. Got to be a good thing. Yes, it is a good thing. The measures are now categorized into 4 domains, namely:
- Patient/Care Giver experience (7 measures)
- Care Coordination/Patient Safety (6 measures)
- Preventive Health (8 measures)
- At Risk Population (12 measures: 7 measures, including 5 component diabetes composite measure and 2 component CAD composite measures)


Pretty simple, eh? Each domain is given a weight of 25% and then reported for each of these measures. In the next blog, we will take a deeper dive into the measurements. And if you want to go straight into implementation, see how Meta Analytix can help you here: http://www.metaanalytix.com/page.php?page=36



Who is eligible?
The newly added section 1899 of the Social Security Act or SSA provides examples of groups of service providers and suppliers that may form an ACO, including 
(i) physicians and other health care practitioners (ACO professionals) in a group practice, 

(ii) a network of individual practices, 

(iii) a partnership or joint venture arrangement between hospitals and ACO professionals, and 

(iv) a hospital employing ACO professionals.

ACOs eligible to participate in the MSSP (Medicare Shared Savings Program) will manage and coordinate care for their assigned Medicare fee-for-service beneficiaries.



What are the requirements?
According to the IRS (IRS?? - http://www.irs.gov/pub/irs-drop/n-11-20.pdf), organizations wishing to become ACOs must meet the following criteria.



(1) The ACO shall be willing to become accountable for the quality, cost, and overall care of the Medicare fee-for-service beneficiaries assigned to it.


(2) The ACO shall enter into an agreement with the HHS Secretary to participate in the program for not less than a 3-year period (the MSSP (Medicare Shared Savings Program) agreement period).


(3) The ACO shall have a formal legal structure that would allow the organization to receive and distribute payments for shared savings under § 1899(d)(2) to participating providers of services and suppliers.


(4) The ACO shall include primary care ACO professionals that are sufficient for the number of Medicare fee-for-service beneficiaries assigned to the ACO under § 1899(c). At a minimum, the ACO shall have at least 5,000 such beneficiaries assigned to it under § 1899(c) in order to be eligible to participate in the MSSP.


(5) The ACO shall provide the HHS Secretary with such information regarding ACO professionals participating in the ACO as the Secretary determines necessary to support the assignment of Medicare fee-for-service beneficiaries to an ACO, the implementation of quality and the other reporting requirements under § 1899(b)(3), and the determination of payments for shared savings under § 1899(d)(2).


(6) The ACO shall have in place a leadership and management structure that includes clinical and administrative systems.


(7) The ACO shall define processes to promote evidence-based medicine and patient engagement, report on quality and cost measures, and coordinate care, such as through the use of telehealth, remote patient monitoring, and other such enabling technologies.


(8) The ACO shall demonstrate to the HHS Secretary that it meets patient-centeredness criteria specified by the Secretary, such as the use of patient and caregiver assessments or the use of individualized care plans.


That's about it. If you have questions, feel free to call me. If I am on the golf course, I am not answering my phone!