When I first started the adventure we call EMR back in 1994, I looked at what some of the barriers to adoption might be. Back in the early days, one of the most cited reasons that EMR was not going to be successful was the notion that patients would not like it. They would feel it was impersonal and they would be afraid about security. I did a survey of 100 patients coming into our practice and asked a series of questions regarding their thoughts. The findings were surprising. First, the patients resoundingly loved the concept. They thought it would improve health care immensely, and they hoped they would not have to answer the same questions over and over again as they were currently doing. Second, they were adamant that they did not want their data stored or transmitted on the internet. This is particularly interesting since the health care information models being promoted today are dependent on the internet. Third, they did not want their clinical information going to their insurance company. The last one blew me away, since all the patients sign an authorization form with the practice to provide all the information to the insurance company. What I found out after some additional interviews was that it was their life insurance carrier they were worried about. They were afraid they wouldn’t be able to get insurance or that their premiums would go way up.
I have provided this background to indicate that patients want their doctors to be digital and have everything stored on computers, but they would prefer that the physician keep the information at their site. Most of the standards and regulations that are being promulgated are around sharing the patient information. These regulations cover security, confidentiality, identity theft, and authentication of the user or dispenser of treatment. Again, it is not that I am against these things. I am all for them, but they must be structured in a way that improves workflow instead of complicating it. In addition, these regulations are coming from everywhere. The federal government is a significant player, the state government has its own rules, and third-party payers have rules, and interestingly enough they may conflict. Let’s look at a couple of examples.
As I mentioned before, under the federal regulations for prescriptions the “dispenser”, the person licensed or certified to prescribe medication, must authenticate the medication. In terms of EMR, authenticating is verifying that you as the prescriber are legally liable for the prescription and have the authority to prescribe it. Think about it as signing your name to a check. However, signing one’s name is more difficult in the technology field. Some programs use a user name and then a personal identification number (PIN). For example, when you go to an ATM machine to get your money, you put your card in and you put in your PIN to verify it’s you. Well, the regulations that are coming down with regard to authentication are requesting the same thing. The federal guidelines say that the “dispenser” must send the prescription. They must log on with their user ID and they must somehow sign the prescription, usually using a PIN number, so the two forms of identification are the login and the PIN, just like when you use online banking. However, I know of one state in particular that won’t allow that method. They want a physician to either have a smart card and a PIN (like a credit card and PIN) or they want the dispenser to use biometric methods like a fingerprint or a retinal scan. Since there are few to no private physician groups that have biometric capabilities per prescription like they want, they will allow for the following. A “paper” report gets developed each week that identifies every medication provided to patients on behalf of the physician. The physician must read and verify each one and then sign their name in “ink” on the paper, date it, and store it for future verification if needed. So besides all the other checking that physicians have to do, the mainstream methods for authenticating oneself (user ID and PIN number or password) are not acceptable. They must print out a report on paper, sign it, and store it.
It seems kind of odd to create paper to support a paper-free electronic system. I already mentioned that e-prescribing requires the physician to subscribe to data services to obtain up-to-date information prior to prescribing. This would be fine if the physician could charge a fee for this service, but they can’t unless they make you come into the office. Oh, and by the way, providers are expecting another fee reduction from Medicare next year.
Recently, it was decided that everyone who allows customers, or in this case patients, to pay their bill on “account” or over time must follow the Federal Trade Commission rules on “Red Flags”. Red Flags are notifications that the practice identifies that may suggest there is a case of identity theft. The practice must put into place an anti-identity-theft program which should be as sophisticated as it needs to be based on the practice. No guidelines are given on what that means, but in theory if you are a small program (defined by doctors and dollars generated, I guess) your anti-identity-theft program doesn’t have to be that complicated, but if you are a large program (20 physicians etc.) then it must be more sophisticated. Here are some things that the FTC would like to see happen. If someone calls up and wants to change their address, you must verify who they are (they must have something like a PIN number that they give to you) prior to changing their information in the system. It must be logged on what date, at what time, and by whom the change was made. If someone comes to you for service, you will need to check their government picture ID to verify the patient. The rules of almost every state say you can never delete anything from a medical record; you have to draw a line through the data and indicate it is no longer valid (usually because, if a treatment was given, you want some idea of the data that was used to determine the treatment at the time). However, these rules state that if the data in an EMR was part of an identity theft, you need to physically remove it from the record and store it in a Jane or John Doe folder tied to the record. (This is so that people don’t make a mistake and treat the real patient inappropriately because of fraudulent data.) Both are reasonable approaches, but they conflict, so which one do you follow?
There is a fair amount of programming that needs to take place that involves audit trails, setting up special screens for tracking, setting up alerts when demographic data does not match, etc. The provider will end up paying for those changes in update fees. These FTC Red Flag mandates are on top of the already agreed upon and mandated HIPAA security and patient confidentiality requirements, which also require the practice to set up a security program, including policies and procedures, an auditing and monitoring program, and someone designated on site as the Security Officer. The Red Flag rules state that a senior officer or executive-level manager must oversee the Red Flag program.
As soon as the Red Flag program was announced, I was hit with phone calls from my customers asking when we were going to have the changes put in our program to automate these functions for them. Of course, if you don’t have an EMR you are exempt from many of these regulations and don’t have to worry about them. Again, I don’t see these regulations as something that encourages adoption but as something that slows the process down.

I read your blog from beginning to end, and found absolutely a great article on the EMR. These days, the EMR software is a significant tool for health service institutions. The functions of the EMR system not only save lives of the patients but also preserve the productivity and financial solidity of your medical business venture.
Thanks for the article.
--------------------------------
Emr software