FOR A-PLUS WRITER ONLY

Information Systems and Health Technology Chapter Objectives After reading this chapter, you should be able to 1. Recognize the key role that information technology plays in the healthcare system. 2. Establish methods to use and protect patient electronic medical records. 3. Apply the technical and managerial competencies needed to direct a healthcare organiza - tion’s information system. 10 © Wavebreak Media/Thinkstock Information Systems and Health Technology Chapter 10 The computer and digital age offers numerous new conveniences and advantages to indi- viduals around the world. Connectivity leads to the ability to communicate in real time with people everywhere. Shopping can be completed at home, travel plans can be made more easily, and a variety of additional benefits accrue from having access to the World Wide Web.

Information technology involves the use of technology in developing, maintaining, and using computer systems, software, and networks for the processing and distribution of data. Healthcare information technology includes all of the technologies used to transmit and manage health information for use by consumers, providers, payers, insurers, and others in the healthcare system (Blumenthal & Glaser, 2007). Information technology and healthcare information technology are both part of a larger concept, known as an information system, which combines hardware, software, and infrastructure, as well as the individuals employed to plan, control, coordinate, and make decisions regarding such technology (Laudon & Laudon, 2013).

Over the past several decades, computers and information technology have transformed count - less aspects of life. Nearly every industry has changed in some way due to the influence of these technologies, and the healthcare profession is no exception. Every aspect of healthcare has been altered or improved through the use of information technologies and more advanced information systems.

A healthcare information technology system fulfills numerous requirements. Consider a patient who has been transported to the hospital by ambulance following an automobile accident. The information technology system would record all of the following:

• The time of arrival • Patient’s status at the time of arrival • Patient’s contact information, such as for a spouse or parent • Patient’s financial status (e.g., type of insurance) • Initial screening information (triage) • Physician placed in charge of the patient • Medical assistants who help with patient care (e.g., nurses, medical specialists) • Tests given and results (e.g., X-ray, blood test, screening for drugs and alcohol) • Recommended course of treatment • Medical services provided • Medicines administered or prescriptions written • Patient’s status at the time of admittance to the hospital or discharge This information could then be used for the purposes of billing any government organization, such as Medicare or Medicaid; health insurance providers; and the patient. Screenings for drugs and alcohol constitute private information; however, if the individual was at fault for causing the accident and was also under the influence of any substance, that information becomes a legal matter with the police. In that case, the patient’s records would be moved into his or her file for future use. Should the patient need care after discharge, the recommended course of care and provider chosen would be also documented. In addition, different types of records are kept for patients with various diseases and other afflictions.

The first section of this chapter investigates the role that information technology plays in health - care. The second section explains the use of information technology in creating patient’s elec - tronic medical records, along with the challenges of maintaining patient privacy and system Health Information Technology Chapter 10 security. The final section identifies the technical and managerial competencies needed to direct information systems in a healthcare organization.

1 0 .1 Health Information Technology The use of information technology to deliver healthcare has evolved over the past several decades.

At first, automation and computerization allowed for more efficient billing of patients, scheduling of patient appointments and the use of a physician’s time, and record keeping of various sorts, including the management of medical inventories. Today, new uses for information technology emerge on a regular basis. Table 10.1 provides a summary of the various applications of comput- ers and digitalization available to medical personnel.

Table 10.1 Applications of information technology Healthcare settings Information technology applications Clinical personnel Off-site emergency care Communicate with hospitals Transmit patient information Laboratory Track orders Record results Radiology Track orders Record results Pharmacy Track prescriptions Record times when medications are provided Clinical data Store clinical information Decisions support Send warnings about potentially harmful situations Archives Store previous medical treatments Store images and results from patient tests Patient records Record the medical care provided Postdischarge care Document patient visits to physical therapy, nursing, respiratory therapy, and home health visits Administrative personnel Patient billing and payment Track charges for medical services Track payments received Insurance billing and payment Track charges for medical services Track payments received Medicare/Medicaid billing and payment Track charges for medical services Track payments received Budgeting Record proposed and enacted budgets Track development and follow-up (continued) Health Information Technology Chapter 10 Healthcare settingsInformation technology applications Administrative personnel (continued) Donation records Maintain records of donors and donations Payments/accounts payable Track payments to other organizations Scheduling attendance of employees Establish work schedules and time-keeping Payroll Track payments to employees Regulatory requirements Communicate regulations Record methods to meet requirements Support personnel Office activities Word processing Spreadsheets Medical inventories Medical supplies Janitorial inventories Janitorial supplies Food service inventories Food supplies As Table 10.1 indicates, information technology touches the three primary areas of activity within a healthcare organization: clinical, administrative, and support.

Information Systems The three areas noted in Table 10.1 designate the areas in which information technology sys - tems are administered. Clinical systems contain data related to every aspect of patient care, from when the individual contacts a healthcare provider to the final resolution of the contact.

Clinical information systems include all aspects of diagnosis, including orders for and results of tests. Physicians can then use information technology to prescribe procedures and medicines.

Current databases provide physicians and others in the healthcare industry with information about potentially dangerous situations, such as drug interactions, the side effects of medicines, and injuries or complications that arise from surgeries and therapies. Each procedure prescribed by a physician is documented and stored by the provider. In many cases, these records are now completely digital, thereby reducing paper storage of past medical histories. The clinical system continues with physician and medical assistant notes related to patient discharge and then tracks the patient through any postdischarge care.

Administrative systems use information technology to record all financial transactions, in terms of both accounts receivable and accounts payable. Quality information technology systems help managers establish budgets for individual departments and the overall organization. Revenues and costs may be tracked, allowing for more effective control systems of financial matters. Not- for-profit health organizations also use information technology to record the names, affiliations, and histories of various donors.

Administrative systems also capture data to assist in compliance with regulatory require - ments. Among the organizations providing resources to help ensure compliance are the Joint Commission, the College of American Pathologists, the American Association of Blood Banks, and numerous for-profit organizations that help develop record-keeping systems and documen - tation programs. Health Information Technology Chapter 10 The third element of information tech- nology provides support. Information technology assists in basic office func - tions, such as sending letters and notices to patients, providers, partners, the gov - ernment, and others. Spreadsheets and other software programs allow manag - ers to combine, summarize, and analyze information across a broad spectrum of healthcare activities. In addition, healthcare managers can track invento - ries of medicines and medical supplies and generate orders in a timely fashion so that the organization has sufficient amounts on hand at all times. The same holds true for janitorial staff and food service supplies.

Administrative Systems and Human Resource Management In today’s modern health systems, infor - mation technology plays an integral part in the human resource management function (Gomez- Mejia, Balkin, & Cardy, 2004). One of the many functions of administrative systems is to serve the needs of human resource management. For example, human resource officers use adminis - trative systems for such matters as establishing work schedules and keeping track of the hours each employee spends on the job. These tasks allow for an efficient payroll method. The system also often includes features to record payroll-related payments to organizations, such as federal and state governments. At the end of the year, the system generates W2 forms for individual employees to use when filing income tax statements.

Many times, job openings are posted on the healthcare provider’s website. Applicants often provide preliminary information electronically. Information technology systems can also be designed to maintain items such as job descriptions for individual positions, as well as postings of all organizational rules and procedures.

In the area of employee safety and discipline, any safety violations and rules infractions can be recorded and stored in employee records, which are managed by the information technol - ogy system. These records may then be used if it becomes necessary to terminate an employee.

Such information also plays a vital role when an organization has been sued for malpractice or negligence.

The Importance of Integration Managing an organization’s clinical, administrative, and support systems requires more than just information technology expertise. The reason is simple: these three activities, all of which are supported by information technology, interact with each other as part of the day-to-day, week- to-week, month-to-month, and year-to-year operation of the facility. As just one example, patient records require the documentation of medical procedures, which then must be transferred to the billing department. Only when the entire system works in concert with a healthcare organiza - tion’s activities will it effectively serve all users, including management, employees, insurance providers, the government, suppliers, and patients. © Jupiterimages/Creatas/Thinkstock ▲ ▲ A variety of clinical applications are available to assist health- care professionals. Health Information Technology Chapter 10 Future of Information Systems Information and digital technologies provide exciting new possibilities for healthcare providers.

Improvements and innovations continue to occur in the areas of patient safety, medical research, efficient and precise diagnostics, efficient billing systems for the medical services provided, the provision of medical care in remote and rural areas, and safeguarding of the medical and phar- macological system from abuse.

In the area of patient safety, physicians and medical organizations can quickly obtain access to a patient’s medical history, includ - ing any allergies, conditions, or complica - tions that could interfere with medical care. Currently, a person who suffers aller - gic reactions to a medicine or has a medi - cal device implanted in his or her body can carry an identification card that signals this basic information to first responders to an accident or emergency. In the figure, digital technology will help dramatically improve the process. For example, patient histo - ries may one day be available on a website that individuals can access at any time and transmit to any medical office. Individual patients may also one day carry electronic medical record cards (something like a credit card) or some other digital storage device, allowing them to have their medical information on hand at any time.

Medical research stands to gain a great deal from future information technologies. Researchers expect to be able to capture more information from a sample of patients who are testing a medi - cine or medical procedure. Research programs can then be adjusted sooner to overcome various complications or variances. Information technology will also allow for more precise measure - ments and recording of research activities, which in turn will help improve the reliability and validity of research programs. Rather than thinking of information technology in terms of data recording and retrieval only, the terminology may soon shift to “knowledge management,” which is a more sweeping concept expressing the connection between computer and digital technolo - gies and healthcare.

More efficient and precise diagnostics will emerge from several sources. The Centers for Disease Control and Prevention has developed the International Classification of Diseases diagnosis sys - tem for use in all U.S. healthcare treatment settings. This system offers standardized coding for both mental and physical medical problems, as well as a coding system for tracking recommended treatments. At a more macro level, clinical terminology and hospital statistics are becoming more standardized across national boundaries. As more universal classifications emerge, fewer errors will be made in diagnoses. In addition, more accurate information can be shared regarding the most advisable treatment and any medical complications to avoid. On its website, the World Health Organization (WHO) provides a substantial amount of information that medical provid - ers can use to identify a patient’s malady. The site also offers recommendations on the most effec - tive treatment agenda ( http://www.who.int).

Advanced genetic information for individual patients will soon become more routinely available.

The net result will be the ability to predict potential later-onset or inherited illnesses, such as © iStockphoto/Thinkstock ▲ ▲ Information technology helps provide medical care to patients in remote and rural areas. Medical Records and Patient Privacy Chapter 10 Alzheimer’s disease, genetic abnormalities, genetic defects, and some mental illnesses. In essence, physicians will be able to get a head start on finding ways to treat patients.

Billing systems are also improved through digital technologies. Current Procedural Terminology (CPT) codes, which have been developed, maintained, and copyrighted by the American Medical Association (AMA), assign numbers to every task and service provided by medical practitioners to patients. CPT codes cover medical, surgical, and diagnostic services. Insurers can use these codes to calculate the amount of reimbursement a practitioner should receive. When all medical organizations follow the same coding procedures, uniformity is ensured.

Medical care in remote and rural areas will greatly benefit from new methods of treating patients through the use of information technology. Devices such as smart phones will carry applications (apps) that can transmit medical information from remote locations. A person may ingest or have implanted a device like a microchip to monitor heart rate, blood pressure, glucose levels, respi - ration rates, and other vital statistics. The information can then be transmitted to a physician’s office located miles away. In some instances, a patient’s history and current circumstances could be sent to a doctor so that the patient could be treated without leaving home.

Information technology for the protection against abuse combines the medical field with govern - ment activities designed to stop individuals from using the system in illegal or unhealthy ways.

For example, in the past, addicts seeking to obtain narcotic drugs would engage in “doctor shop - ping,” a practice in which the addict asks several doctors in different locations for the same drug and fills the prescription at different pharmacies. Currently, many states provide a network of reporting of narcotic purchases from pharmacies, which helps stop this practice. In the future, a national database would help prevent such activity, even when it takes place across state lines (Centers for Disease Control and Prevention, 2012b).

10.2 Medical Records and Patient Privacy Healthcare providers in nearly every circumstance share two common goals. The first relates to money. Managers of not-for-profit hospitals seek to ensure that revenues exceed expenses. Profit- seeking hospitals and healthcare facilities aim to make sufficient profits to continue operations and expand services. Individual practitioners look to generate a quality income. In short, money plays a key role in the healthcare system.

The second goal is to provide quality patient care. A variety of outcomes indicate quality care, from rates of recovery to mortality figures. The list should also include patient satisfaction with the facility, satisfaction of the medical staff with the organization, and community support of the medical practice and system.

Information technology can serve both financial and quality goals. Quality electronic systems can increase efficiencies and cut costs over time, thereby increasing profit or revenue figures.

At the same time, information technology can assist in delivering accurate, effective healthcare practices. This section explains how electronic medical records and safeguarding patient privacy improve efficiency and ensure quality of care.

Electronic Medical Records An electronic medical record (EMR) system provides a digital repository for clinical medical data. The information contained in the system allows convenient and timely access to a patient’s medical records, including all inpatient and outpatient treatments. The purpose of these records Medical Records and Patient Privacy Chapter 10 is to provide healthcare professionals with a method for docu- menting, monitoring, and managing healthcare delivery to the patient. In addition, an EMR documents other elements of health - care, including clinical decision support, a medical vocabulary, and a method for ordering medical tests, drugs from pharmacies, and other patient-support services following discharge (Garets & Davis, 2006). EMRs can serve several key purposes, including:

• Patient safety • Efficiency in delivering medical care • Maintaining records of past medical incidents (documentation) • Reducing costs Patient safety can be enhanced through effective use of EMRs.

Quality EMR systems can keep better records of patient circum - stances, such as allergic reactions to various medicines. They can also facilitate automated drug systems and preset reminders for nurses and medical aides to administer drugs in hospitals and other care facilities (Kohn, Corrigan, & Donaldson, 2000). EMRs also allow improvement of safety issues in terms of pharmaceu - ticals. With access to a patient’s EMR, the pharmacist is better able to advise the individual about other issues, such as taking medicine with or without food, as well as interactions with non - prescription drugs, such as cough medicine, pain relief medicines, and allergy medications.

Efficiencies arise at several stages of a patient’s care. Rather than using paper-and-pencil medical records and updates, a patient’s medical information can be stored electronically. This informa - tion can be accessed on site or in remote locations, such as an accident site or the person’s home.

It can also be retrieved and updated during doctor’s visits and then stored for future visits.

An EMR system also reduces redundancies in filling out paperwork. Strategic alliances find EMR systems particularly valuable, as the patient is not asked to repeat the same medical history and information to each individual provider as part of the intake process. Additional efficiencies emerge from “scheduling interface” systems, which coordinate medical care in separate organi - zations and those served by more than one physician or healthcare professional.

Documentation protects both the patient and the healthcare provider. A physician or healthcare provider can record what medical care was delivered, including orders for medicines from local pharmacies and results of medical tests. The patient has greater assurance, knowing that all treat - ments have been entered into the system. One optimistic goal emerging from such documenta - tion is fewer medical mistakes and consequently fewer lawsuits against physicians and healthcare facilities.

Costs can be reduced by eliminating storage areas for paper files. Rapid retrieval directly from a computer saves time and may lessen the need for support staff to look up information. Although saving money may not constitute the primary reason for establishing an EMR system, it is a valuable side or additional benefit. As the use of EMRs becomes more standard, additional costs savings may emerge from using the EMR system as a method of billing patients and maintaining records of payments. © Lite Productions/Thinkstock ▲ ▲ Electronic medical record systems provide a repository for clinical medi- cal data. Medical Records and Patient Privacy Chapter 10 WEB FIELD TRIP For a more in-depth understanding of the creation of online personal health records, take a look at the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Toolkit at ht tp: //www.himss.org .

In the “Search” field, type “Privacy & Security Toolkits Personal Health Records.” On the “Results” page, click on “Personal Health Records-” (the form is dated April 1, 2013).

Click on the link to open and read the PDF file entitled “Managing Information Privacy & Security in Healthcare: Personal Health Records,” by Jill Burrington-Brown.

• What would you consider the advantages to be of maintaining a personal health record?

• According to the report, what might be some of the disadvantages of maintaining an online per- sonal health record?

• What are some of the privacy concerns discovered in this study?

• Would you consider creating a personal health record for yourself? Why or why not? EMR Adoption Implementation of EMR systems varies widely among healthcare providers. Hospitals are far more likely to have established systems than individual physician offices. In general, the larger the scope of care provided, the greater the odds that the organization has adopted part or all of an EMR system. The organization that is best known for tracking EMR adoption rates is the Healthcare Information Management Systems Society (HIMSS). As displayed in Table 10.2, adoption rates appear on a scale from Stage 0 to Stage 7.

Table 10.2 U.S. EMR Adoption Model (EMRAM) Stage Cumulative capabilities 2012 Q42013 Q1 7 Complete electronic medical record; continuity of care document transactions to share data; data warehousing; data continuity with emergency department, ambulatory, outpatient 1.9% 1.9% 6 Physician documentation (structured templates), full clinical decision support (variance and compliance), full radiology picture archive and communication systems 8. 2% 9 .1% 5 Closed-loop medication administration 14 .0%16.3% 4 Computerized practitioner order entry, clinical decision support (clinical protocols) 14 . 2%14 . 4% 3 Nursing/clinical documentation (flow sheets), clinical decision support (error checking), picture archive and communication systems available outside of radiology 38.3% 36.3% 2 Clinical data repository, controlled medical vocabulary, clinical decision support, may have document imaging; capable of health information exchange 10.7% 10 .1% 1 Ancillaries (laboratory, radiology, pharmacy) all installed 4.3%4. 2% 0 All three ancillaries not installed 8 . 4%7. 8 % N = 5,458 N = 5, 4 41 Source: Data from HIMSS Analytics ® Database ©2013. Adapted with permission. Medical Records and Patient Privacy Chapter 10 Each year, HIMSS calculates the percentage of healthcare organizations in each stage. Stage 0 implies no activity at all. Stage 1 represents a minimal level of ancillary equipment. Each stage after that indicates greater sophistication in data collection and usage, leading to full collection and storage of patient information in an electronic format that is easier and quicker to retrieve.

Only in Stage 7 is a healthcare provider able to share patient information with outside entities.

Alternatives to EMR Systems Some experts distinguish between electronic medical records and electronic health records. The difference is that the former only shares information within a single healthcare organization, such as a hospital or network of hospitals and satellite medical providers. An electronic health record , on the other hand, can be transferred across organizational boundaries, such as when a hospital shares information with an independent rehabilitation service. This situation would occur in Stage 7 of the EMR adoption model displayed in Table 10.2.

Another format is a personal health record , in which the patient manages and controls personal health information. Personal health records may document regimes such as dietary intake per day, amounts and intensities of workouts or fitness routines, and other attempts at improving one’s health. Various for-profit organizations provide access to personal health record storage via Internet access. A diet center, for example, can store personal information, while also dispensing information and attempting to sell the center’s products and services.

Barriers to EMR Adoption Two primary barriers inhibit healthcare providers from adopting EMR systems. The first is cost.

Such systems require expensive computer technology, including hardware, software, and people with the expertise to install and maintain the system. Given the expenditures required for the equipment and expertise, smaller organizations may not receive an adequate return on their investment. This explains, in part, why the likelihood of adoption rises with increasing orga - nizational size and scope, as costs can be allocated to a larger number of patients and medical services.

The second barrier is privacy. Unfortunately, sophisticated computer hackers (known in the field of information technology as the Black Hat community) use malware that can intrude on patient privacy while creating a method of unlawfully obtaining monies from various organizations and the government. Furthermore, a patient may be concerned that a sensitive condition, such as being HIV positive or pregnant or one that would influence his or her health insurance status, could become available to the wrong parties.

Patient Privacy Patient privacy in the digital age is of such a serious matter that it has prompted landmark health legislation designed to protect it: the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has numerous objectives, one of which is to protect patients from the ongoing threat of medical identity theft.

As with nearly any major innovation, a dark side to the use of information technology has emerged. The problem of identity theft affects individual consumers, the credit card industry, and a variety of additional organizations. A new form of such theft that has recently arisen is medical identity theft, which occurs when someone steals personal information in order to make fraudulent claims against the victim’s health insurance policy. A policy number, Social Security number, or other personal information can be stolen from a medical facility or medical database Medical Records and Patient Privacy Chapter 10 and resold on the black market. This form of theft costs consumers thousands of dollars, creates stress, and may threaten a person’s life and health (Coalition Against Insurance Fraud, n.d.).

Three forms of medical identity theft scams currently occur. In the first, thieves, such as dishonest physicians and other medi- cal personnel who work with insurance companies, bill a person’s health plan for fake or inflated treatment claims. Rings of thieves also work together to obtain stolen patient information on the black market to establish fraudulent clinics so they can file bogus claims against the health policies of victims.

The second scam occurs when medical data are used to obtain prescription drugs for thieves with addiction problems or to sell to others. Dishonest pharmacists may bill a victim’s policy for these narcotics, or nurses may order prescriptions in a patient’s name but buy it for themselves to sell or use.

In the third case, some medical identity thieves use the system to obtain free treatment. They assume the victim’s identity at a hospital or clinic, and the person’s policy receives the bills.

Any type of identity theft creates serious and long-lasting problems. Overcoming these problems can take years and a great deal of money. Among the problems medical identity theft can cause to consumers are damage to credit ratings, loss of healthcare coverage, inaccurate personal medical records, legal complications, and higher health insurance premiums.

The U.S. Federal Trade Commission (2012) notes the following signs of medical identity theft:

• A bill for medical services you did not receive • A call from a debt collector about a medical debt you do not owe • Medical collection notices on your credit report that you do not recognize • A notice from your health plan saying you reached your benefit limit • Denial of insurance because your medical records show a condition you do not have Individual consumers can try to avoid the complications of medical identity theft by carefully examining every explanation of benefits (EOB) document received from a health insurance com - pany, looking at the benefits the policy paid, checking personal medical records and working to correct any inaccuracies, and annually checking a credit score. Anyone who has been victimized should immediately file a police report and notify the Federal Trade Commission.

Protection of Health Information Numerous entities hold vested interests in preventing the theft or disclosure of patient informa - tion, including physicians and other medical professionals; provider organizations; federal, state, and local governments; and patients themselves. Medical information represents both a privacy concern and a financial issue. For this reason, federal legislation and oversight seek to protect © iStockphoto/Thinkstock ▲ ▲ Medical identity theft occurs when someone steals personal information to make fraudulent claims against a victim’s health insurance policy. Medical Records and Patient Privacy Chapter 10 health information for all citizens. Medical providers use a variety of techniques to keep key information secure and make certain only proper persons can attain access to materials. Some of these techniques include palm vein scanners, finger vein scanners, voice-activated programs, and eye verification (through scanning of the veins in the whites of a person’s eye). Protected health information includes the following:• Physical and mental health condition • Healthcare provided by physicians and organizations • Payments for healthcare services This protected information includes any activity in the past or the present, as well as any activi - ties that will take place in the future.

Health Insurance Portability and Accountability Act (HIPAA) In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to help protect the privacy of information connected to the care of a specific patient, or individu - ally identifiable health information. Patient information privacy actions take place under the ele - ments of the act known as the Privacy Rule and the Patient Security Rule. Provisions of HIPAA include a designation of who is covered, the specific information that should be protected, physi - cal and technical safeguards, organizational requirements, documentation rules, relations to state laws, enforcement and penalties for noncompliance, and compliance dates (U.S Department of Health and Human Services, n.d.-b).

The HIPAA Privacy Rule, enforced by the Office for Civil Rights (under the U.S. Department of Health and Human Services), creates a federal protection system regarding personal health infor - mation that is held by various organizations and medical practices. It also grants patients several rights with respect to their personal information. In more general terms, any patient protected by doctor–patient privilege has rights under the HIPAA Privacy Rule. Physicians, medical assistants, office staff workers, and others with access to a patient’s information are forbidden from disclos - ing that information to others without the patient’s consent. Safeguards include specific forms filled out by patients and filed with the medical provider. These forms, which must be stored in a secure location, specify which family members or others can be told about a person’s medical condition. Computer systems restrain nonauthorized personnel from seeing a patient’s records.

Information may not be disclosed by phone or in any other way without securing the proper per - mission of the patient. Those who fail to maintain these safeguards may be reported to the Office for Civil Rights, which can punish such actions in a variety of ways.

The Privacy Rule also attempts to ensure protection of an individual’s health information, while also allowing for the flow of health information that is necessary to provide and promote high- quality healthcare and to protect the health and well-being of the public. The intent of the Privacy Rule is to generate a balance between important uses of the information for protection of the larger population and maintenance of privacy for people seeking care and healing. To help achieve this objective, the language of the Privacy Rule is intentionally flexible and comprehensive in order to cover the various uses and disclosures it addresses.

The HIPAA Security Rule sets national standards for the security of electronically protected health information. The HIPAA Patient Safety Rule regarding confidentiality protects any infor - mation that would identify an individual patient. It also covers information used when analyzing patient safety events with the goal of improving patient safety. The intent of the Patient Safety and Quality Improvement Act (PSQIA) of 2005 is to protect confidential patient safety work prod - ucts. A patient safety work product is information that is sent to a patient safety organization to Medical Records and Patient Privacy Chapter 10 report when an individual has been placed at risk by a healthcare provider’s actions. Such infor- mation—for example, a report documenting a patient’s exposure to a nontreatable virus—might be embarrassing or damaging to the patient; therefore, it should be kept confidential. The PSQIA identifies the conditions for disclosing patient safety work products to various organizations in an effort to safeguard patient well-being. Again, the Office for Civil Rights is in charge of enforce- ment activities. CASE Information Technology and the Department of Veterans Affairs The U.S. Department of Veterans Affairs provides a variety of services to those who have engaged in military service. Among the activities involved, the agency oversees healthcare through Veterans Administration (VA) hospitals; tends to burials and memorials for deceased veterans; and admin - isters benefits to veterans and their survivors in the areas of compensation, education and train - ing, home loans, life insurance, and vocational rehabilitation. In 2012, the total budget for the Department of Veterans Affairs exceeded $61 billion (U.S. Department of Veterans Affairs, 2013). At that time, the department’s primary director was the Secretary of Veterans Affairs, Eric Shinseki.

In 2013, a growing chorus of criticism was directed at the VA. Famous individuals, such as Rachel Maddow and Jon Stewart, along with news organizations including NBC, CBS, and The New York Times , began to highlight one particular problem: the increasing backlog of claims for benefits by returning soldiers. NBC’s Bill Briggs (2012) wrote, “The VA’s benefits-aspiration web page shows the average claims-processing time was 223 days in October 2011, 246 days in April 2012, 257 days in July [2012], and 260 days in August [2012]. In fact, the backlog has doubled in size since 2008, con - gressional members report.” CBS News reported that more than a half million veterans were wait - ing for claims to be processed in 2012 (Martin, 2012).

Social media enhanced the VA’s problem. Returning soldiers began posting photos of themselves on websites such as Facebook. In each photo, the veteran held a sign indicating how long he or she had been waiting for assistance with a claim.

In response, Secretary Shinseki stated that the organization would reduce the waiting period back to 125 days by 2015, which was more than a year and a half down the road. Briggs (2012) reported, “The VA cited four reasons for what it calls ‘claims growth’:

• Increased demand—‘the result of 10 years of war’ and due to many veterans returning ‘with severe, complex injuries’; • in 2010, Shinseki decided the VA claims system should include the recognition of medical condi - tions related to Agent Orange exposure (240,000 claims were processed in 2011 for such expo - sure) as well as ‘Gulf War Illness’; • approximately 45 percent of Iraq and Afghanistan veterans are currently seeking compensation for injuries related to their service—and that marks a ‘historical high’ for the VA following wars.

Those claims include an average of eight to 10 medical issues per claim, more than double the Vietnam era; • the VA says it is doing ‘better outreach’ to veterans ‘to educate them about the benefits they’ve earned.’” Others believed that a major part of the problem was the mountain of paperwork that continued to grow. The VA continued to rely on paper-produced application forms rather than computerized or digitalized methods. The organization had conducted a pilot program for the use of electronic (continued) Managing the Information Technology Department Chapter 10 10.3 Managing the Information Technology Department Managing any unit in an organization requires understanding of and adaptation to a unique set of circumstances, and an information technology (IT) department in a healthcare organization is no exception. The skill set necessary to operate the hardware and software, while also manag- ing people and relationships, demands an individual with numerous technical and managerial competencies.

Technical Competencies To effectively supervise the IT department in a medical setting, a manager must have a wide- ranging set of technical competencies. Initially, two immediate skill sets emerge. The first set includes mastery of a mainframe computer system, the capacity to protect the system, and the ability to audit a system and resolve conflicts of interest. The second set involves the ability to understand medical terminology and medical practice.

Mastery of a Computer System Computer science training includes a variety of skills and knowledge bases. A computer sci - ence student learns how computers work, including hardware systems. Computer training also includes an understanding of basic programs, such as word processing, spreadsheets, and database management. Most computer specialists acquire knowledge in the area of program - ming language, such as Pascal, C++, Java, and COBOL. The next level of training involves sys - tem design and system analysis. Specialties include computer networking, data structures and algorithms, Internet programming, expert systems, and other forms of software engineering (Hall, 2010).

Key elements of these studies for the purposes of medical organizations are in the areas of medi - cal software and system integration. Physicians and other medical professions have specific needs with regard to computer support. These needs must be integrated with the activities of the accounting and billing department, with any group preparing reports for government agencies, and so forth. Additional training and continual updating of information are part of the IT profes - sion, especially in the areas of system integration. forms in the fall of 2012, with positive results in six major cities across the country. Shinseki believed that full application of digital records was the key to reducing the major backlog problem.

At the same time, Representative Jeff Miller, R-Fla., chair of the House Committee on Veterans’ Affairs, complained, “As Congress has said for many years now, VA needs to look at the root of the problem of the backlog—training, management, oversight, and technology—and work forward from those four points to address this problem.” Miller added: “Quick fixes will no longer work, and will continue to make veterans wait months, sometimes years, on end for an answer” (quoted in Briggs, 2012).

1. Is the issue faced by the VA an information technology issue or an information systems problem? 2. Explain the clinical, administrative, and support issues that are part of this dilemma. 3. What role might the development of an EMR system play in solving these problems? 4. How might issues of privacy and security evolve in this situation? Managing the Information Technology Department Chapter 10 System Protection In addition to the challenges posed by med- ical identify theft, an IT manager should be well-versed in other aspects of system protection. The IT system should be set up to defend against attacks that use bots, malware, and viruses. The goals of hackers include not only the theft of information but also the disabling or destruction of an orga - nization’s computer system. These threats are not contained to national boundaries; in fact, the Black Hat community of hack - ers and other criminals who use computers for illegal purposes contain members from around the world (Levine, 2006).

The IT department in a healthcare setting is charged with preventing vulnerability in the system and creating privacy protection for patients, employees, and the overall organization. The term vulnerability expresses the like - lihood that a criminal could overcome the system’s protections and hack in (Tehan, 2005). One response to vulnerability is to develop secure log-on systems and to create effective password- access systems. Medical IT managers oversee access to list servers and address books. As such, medical employees and visiting physicians must have full confidence that the provider’s system cannot be hacked or violated.

Another response to vulnerability, a nondisclosure policy, occurs when medical organizational leaders try to prevent information about system breaches from leaving the organization. A non - disclosure policy includes developing statements that demand complete discretion from any external IT companies or individuals that worked on the problem. In contrast, full disclosure means taking steps to inform all publics of the problem. In either case, the IT system may be shut down until the problem is resolved or a new firewall may be installed to limit traffic to a provider’s website. In healthcare, acting responsibly when an information system has been com - promised may best serve the public’s interests; this is referred to as the “ethical duty to warn” (Baack & Baack, 2009).

The medical IT manager helps ensure that information does not fall into the wrong hands, while also ensuring that those who require information can access it. This requires constant commu - nication with other departments. For example, the human resources manager contacts the IT manager when someone has been terminated or is leaving; the IT manager then makes sure that the individual will not be able to maintain access to the provider’s IT system. Similarly, a medical IT systems manager oversees the process of replacing computers, as one of the more common forms of identity theft occurs when someone fails to properly disable old hard drives and discs (Baack & Baack, 2009).

Audits and Conflicts of Interest Medical IT programmers also conduct the auditing process, which might reveal, for example, that the healthcare provider has failed to back up key data and is thus vulnerable should the infor - mation become lost. The hospital or healthcare provider establishes a chain of command in these © iStockphoto/Thinkstock ▲ ▲ Additional training and continual updating of information are part of the IT profession, especially in the areas of system integration. Managing the Information Technology Department Chapter 10 circumstances so that the system protects the organization’s interests, the patient’s interests, and the well-being of the larger public.

When conducting audits, medical IT managers work to ensure that conflicts of interest do not emerge. Such conflicts could take place between a healthcare provider and various strategic part - ners, such as a pharmaceutical company. For example, doctors constantly receive free samples of drugs and enticements to prescribe those drugs. The IT system helps monitor how these drugs have been administered to sets of patients over time, with the corresponding outcomes noted.

Internal Internet Usage Medical employees should know whether the management team intends to examine how they use the Internet and e-mail systems. Personal e-mails not associated with one’s job raise two issues. First is the issue of whether an employee should be allowed to use the provider’s e-mail address for personal e-mail. If not, the employee may be asked to create or use a separate account for that purpose. Most of the time, a separate e-mail address should be used for personal e-mails.

The second issue concerns the problem of employee’s answering non-job-related or personal mes - sages on company time—an issue faced by managers in numerous organizations. There may be times when an employee has a valid reason for sending or receiving a personal message, such as to check on a sick child or to contact a spouse or partner. Unfortunately, the temptation involves going beyond brief messages to more extended conversations. Text messaging and social media also tend to consume employees’ time and attention. Many organizations do establish guidelines about the use of electronic media on company time, but leave enforcement to IT managers—and employees’ consciences—about whether employees’ use of e-mail and the Internet constitutes “stealing” organizational time.

Individual employees also face personal responsibility when it comes to Internet use on the job, including time spent surfing non-work-related sites. In the past, employees were able to stop working in order to read a newspaper or listen to the radio to find sports scores or take a quick look at news headlines. The argument has been made in court that since individuals previously were able to read the newspaper and make phone calls while on the job, employees should not be sanctioned for using a computer in the same way. However, individual workers who fail to use the Internet responsibly should not be surprised when a medical IT manager takes steps to monitor website visits and sanctions inappropriate use (Baack & Baack, 2009).

Understanding of Medical Terminology and Medical Practices A successful IT manager must be comfortable with medical terminology and the methods used in medical practice. In a large healthcare organization, this includes the clinical, administrative, and support functions mentioned in Table 10.1. Of note, the IT manager needs to understand not only the essentials of these medical activities but also the interrelationships among them and how they are to be documented. The documentation of items that emerge from healthcare inter - relationships includes the following:

• Construction of accurate and useful individual patient records • Documentation of each medical act for the following purposes: ͪBilling ͪPayment to specialists and professionals ͪLegal protection in the event of criminal charges ͪProtection from civil suits ͪInventor y control Managing the Information Technology Department Chapter 10 • Support of medical research • Support of medical statistics regarding effectiveness of care (e.g., survival, recovery rates) • Methods for providing medical information to strategic alliance partners • Methods for providing data for performance evaluations and other human resource man - agement activities • Coordination with other departments, including marketing and fund raising Consequently, the IT manager must be able to understand the basics of medical terminology in order to effectively support the organization’s operation. Three additional circumstances influ - ence the application of these technical competencies:

• The nature of the practice • The size of the organization • The presence of strategic alliances For example, an IT professional work - ing in a teaching or research hospital may be charged with responsibilities that dif - fer from someone serving a community health center, blood bank, pharmacy, or physician’s group. The relationships among medical professionals, the government, suppliers, and patients differ in each of these circumstances.

The size of the organization also influences the degree of sophistication needed to pro - vide effective IT services. An individual physician’s office likely needs the most rudi - mentary form of help, whereas a practicing group, hospital, pharmacy, or other larger organizations demand more intricate and connected systems. IT managers must also adapt to the presence of strategic alliances.

Each form of organization includes a degree of data sharing. Thus, medical IT managers are expected to protect the organization’s system while also accommodating interactions with other organizations. Managerial Competencies In Chapter 1, managerial competencies, including technical, conceptual, and human relations skills, were identified. Each of these competencies clearly applies to medical IT management.

The technical competencies were noted in the previous section of this chapter. Conceptual skills require the IT manager to be able to mesh the activities of numerous departments into one seam - less operation. Human relations skills include the ability to interact not only with other members of the IT department but also with managers in other departments, physicians, top managers, and other organizations. Although the common stereotype may be that someone gifted in the technical aspects of computers may be less skilled when a job requires interactions with other people, healthcare officials in a variety of organizations recognize the importance of people skills © iStockphoto/Thinkstock ▲ ▲ Medical IT managers require the same technical, con- ceptual, and human relations skills needed throughout the organization. Managing the Information Technology Department Chapter 10 CASE New Horizons Dr. Jean Thomsen was about to embark on major change in her medical career. For the past decade, she had run a private medical practice focusing on pediatric medicine. When the oppor- tunity was presented to join forces with two other doctors to form a small practicing group, she leaped at the chance. The group would allow for consolidation of office staff employees and nurses. It would also be possible for the physicians to cover for each other, which would make it easier to schedule vacations and time off.

The practicing group, called New Horizons, would maintain a strategic alliance with a local hospital.

Each physician would have core privileges at the hospital. An agreement was created so that all of the referrals for hospital care would direct patients of New Horizons to the hospital.

Dr. Thomsen’s primary concern was patient records. She had always been able to rely on paper- and-pencil methods and a large filing system and storage area to maintain records of all her past and current patients. She needed to somehow pull that information into the New Horizons system, which involved making PDF files of each paper form for storage at a remote site on a mainframe server. Each record would also be saved in a separate file system at the office using sets of smaller devices. Her office also had the ability to order some tests and electronically transfer prescription orders to most of the local pharmacies.

The hospital had reached Stage 5 of the EMRAM adoption scale for electronic medical records.

This meant that the hospital had achieved the ability to maintain a closed-loop medical administra - tion system. In essence, all parts of the system were integrated in such a way that any professional within the hospital could access patient medical records when needed. The system also included a clinical decision support system, which provided medical protocols for various illnesses, injuries, and medical emergencies. The clinical support system complements other systems, including those established with local pharmacies to prescribe and fill drug orders more efficiently. An additional system contains a centralized medical imaging and storage system for each patient’s history.

From Dr. Thomsen’s perspective, the challenges were significant. The first issue was to make sure that her former system stored all relevant information on the New Horizons system. The second concern was how to integrate the New Horizon system with the system used by the hospital. She was worried that information might be lost, that both systems might be vulnerable in some ways, and that she would not be able to retrieve medical records efficiently when the new practice opened.

1. Was the system that Dr. Thomsen used in her private practice a medical information technology system or an information system? 2. What are the potential advantages and disadvantages of integrating the private practice into a group system and then the hospital’s system? 3. Who should be in charge of integrating the New Horizons system with the hospital system— someone from one of the two organizations or a specialized professional from a separate com - p a n y? W h y? 4. What services would not be available to Dr. Thomsen, New Horizons, or the hospital that would eventually be used when the hospital moved to Stage 5 of the EMRAM scale? Managing the Information Technology Department Chapter 10 in an IT department leadership role. Managerial competencies would then extend to the classic functions noted in Chapter 1:• Plan • Organize • Staff • Direct • Control The first two of these activities are most germane to this chapter. As was noted earlier, the IT department serves staffing or human resource management functions in the areas of record keeping and payroll, as well as other matters. Directing and controlling issues are examined in Chapters 13 and 14.

Medical IT Planning Medical IT planning should be aligned with the overall strategic goals of the entire health - care organization. At the strategic level, medical IT planning begins with a strength, weakness, opportunity, and threat (SWOT) analysis. The organization’s IT team conducts audits designed to identify the strengths and weaknesses of the current system, along with any opportunities and threats in the environment. Any strategic response should be aligned with the healthcare provider’s overall strategic approach. As noted in Chapter 4, three common devices used in the implementation of strategies are budgets, projects, and programs. IT managers in medical facili - ties often engage in these activities.

In terms of budgets, the extensive costs associated with acquiring and maintaining sophisticated computer systems and software require IT managers to plan far in advance for the procure - ment of new hardware and software. The process begins with careful consultation with medical professionals, organizational administrators, and the provider’s top management team, with the goal of ensuring that any new system or equipment will effectively meet the provider’s current and future needs. Budgeting continues with coordinating with the finance department in order to ensure that funding for new systems can be obtained—this is also called “financial feasibility.” Then, the accounting department must be consulted so that the costs of the system can be allo - cated across all units in an acceptable manner. This process includes assessing the life cycle of the technology—that is, how long it will last until it becomes outdated or obsolete.

Project management takes place as an IT system is installed or upgraded. Doing so requires input from the clinical, administrative, and support staff. Each subsystem within the IT system will be analyzed to ensure that it will efficiently and effectively serve the needs of the department.

Project management involves a step-by-step process in which all information is carefully backed up and secured until it becomes clear that the new system can operate without problems.

Program management reflects the coordination activities necessary to integrate the system. This ongoing process includes making sure the various elements in the organization prepare, sub - mit, and receive all required information (billing, patient care records, safety protocols, etc.) in a timely fashion; constantly monitoring against internal and external threats to system security; and resolving technical issues as they arise (Abraham, 2012).

Medical IT and Organizing The IT department’s internal structure, as well as the healthcare organization’s overall structure, should be designed to facilitate four goals, as noted in Chapter 7: Chapter Summary Chapter 10 • Management of complexity • Differentiation and integration • Management of interdependence • Creation and oversight of boundary-spanning activities Complexity involves the number of diverse and autonomous but interrelated organizational com - ponents that have been detailed in this chapter. The IT system accounts for all of these compo - nents as the system is developed and implemented. Differentiation and integration are served by first developing IT systems that effectively provide needed information and analytics across a broad spectrum of activities, including those dictated by the nature of the organization (e.g., pharmacy vs. physician’s office). Then the activities are coordinated among the specialized parts.

Interdependence constitutes one of the most important aspects of the IT department’s role. The system only works when each unit can depend on others for the information to continue the medical process, such as when an emergency room patient moves into the hospital itself to be served by a different staff. Not only do these systems require coordination, but the information regarding service must also be transmitted to the accounting office so that the patient’s bill can be calculated.

Boundary spanning includes careful construction of data files that report all information to be reported to external entities, including the government, insurance companies, strategic alliance partners, accreditation agencies, and others. In this instance, the IT department manager is responsible for bridging both internal and external boundaries in ways that serve the organiza - tion’s interests (Thompson, Strickland, & Gamble, 2005). Chapter Summary Information technology uses technology in the development and maintenance of computer sys - tems, software, and networks for the processing and distribution of data. Healthcare information technology includes all technologies used to transmit and manage health information for use by consumers, providers, payers, insurers, and others in the healthcare system. An information system combines hardware; software; infrastructure; and the individuals employed to conduct planning, control, coordination, and decision making in an organization.

Information technology touches the three primary areas of activity within a healthcare organiza - tion: clinical, administrative, and support. It also plays a key role in the human resource manage - ment function. In the future, IT innovations will take place in the areas of patient safety, medical research, efficient and precise diagnostics, medical care provision in remote and rural areas, and safeguarding the medical and pharmacological system from abuse.

Quality electronic systems can increase efficiencies and cut costs over time, thereby increasing profit or revenue figures. At the same time, information technology can assist in the delivery of accurate, effective healthcare practice. An electronic medical record (EMR) system provides a repository for clinical medical data that allows convenient and timely access to a patient’s medi - cal records, including all inpatient and outpatient treatments. Electronic medical records can improve patient safety, efficiency in delivering medical care, maintenance of records of past med - ical incidents (documentation), and reduction of operating costs. The HIMSS measures adoption rates of EMR systems in the United States. Costs and patient concerns about privacy have slowed some adoption rates. Key Terms Chapter 10 To protect the privacy of individually identifiable health information, Congress enacted the Health Insurance Portability and Accountability Act of 1996. Patient information privacy actions are covered by the Privacy Rule and the Patient Security Rule, while reporting of patient safety incidents is protected by the Patient Safety and Quality Improvement Act (PSQIA). The Office for Civil Rights is in charge of enforcing HIPAA.

Managing an information technology (IT) department in a healthcare organization requires understanding of and adaptation to a unique set of circumstances. The skill set necessary to operate the hardware and software, while also managing people and relationships, demands an individual with numerous technical and managerial competencies.

Managing the IT department in a medical setting requires two skill sets. The first includes mas- tery of a computer system, the capacity to protect the system, and the ability to audit a system and resolve conflicts of interest. The second set involves the ability to understand medical terminol - ogy and medical practice.

Medical IT department managers exhibit technical, conceptual, and human relations skills.

Three common devices are used to implement organizational and departmental strategies—bud - gets, projects, and programs. The IT department’s internal structure, as well as the healthcare organization’s overall structure, should be designed to facilitate the management of complexity, differentiation and integration, and interdependence, while also creating and overseeing bound - ary-spanning activities.

Ke y Te r m s electronic health record a system in which a patient’s medical records can be transferred across organizational boundaries electronic medical record (EMR) a digital repository for clinical medical data healthcare information technology all of the technologies used to transmit and manage health information for use by consumers, providers, payers, insurers, and others in the health - care system Health Insurance Portability and Accountability Act (HIPAA) the law enacted to protect the privacy of individual identifiable health information information system the combin ation of computer hardware, software, and infrastructure, with the individuals employed to conduct planning, control, coordination, and decision making in an organization information technology the use of technology in the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data personal health record a system in which a patient manages and controls personal health information vulnerability the likelihood that a criminal could overcome a medical system’s information technology protections and hack in. Critical Thinking Chapter 10 Additional Resources American Association of Blood Banks h t t p : //www.aabb.org American Health Information Management Association h t t p : //www.ahima.org College of American Pathologists h t t p : //www.cap.org Healthcare Information and Management Systems Society h t t p : //www.himss.org Health Information Careers h t t p : //w w w.hicareers.com Critical Thinking Review Questions 1. Define information technology and information systems . 2. In what three areas is information technology applied to healthcare organizations? 3. Describe the nature of a clinical information system. 4. Describe an administrative information system. 5. What future improvements are possible with regard to information systems and healthcare? 6. What is an electronic medical record (EMR)? 7. What purposes are served by electronic medical record systems? 8. Define electronic health record and personal health record . 9. What two barriers to EMR adoption are cited in this chapter? 10. What types of protected health information are covered by the Health Insurance Portability and Accountability Act (HIPAA)? 11. Explain the Privacy Rule and Patient Safety Rule aspects of HIPAA. 12. What types of technical competencies are required in medical information technology management jobs? 13. Define the terms vulnerability, nondisclosure , and full disclosure as they relate to medical information technology. 14 . What three managerial skills are useful to medical information technology managers? 15. What activities do managers in medical information technology departments engage in to help implement organizational strategies that affect their departments? Analytical Exercises 1. What three types of medical identity theft take place? How might an effective information system prevent incidents of medical identity theft? 2. Explain all of the relationships that would exist between clinical, administrative, and sup - port systems in a healthcare information system. 3. Many people become frustrated when their medical information is revealed to others. Some health insurers say they have the right to such information because it affects policy rates.

Should a new employee be forced to sign a waiver allowing this information to be shared Critical Thinking Chapter 10 with the insurance company, which in essence denies the individual protection granted by H I PA A ? 4. Using biometrics, it may become possible to implant a chip containing the individual’s medi- cal history. The same implant could also provide security information and record financial transactions with healthcare organizations. If so, which organization should oversee the use of this information—a healthcare provider, the government, or an independent agency?

What potential problems might emerge from such a system? 5. Which of the following should a human resource manager be allowed to record in an employee’s records? Defend your rationale for each.

• Smoker versus nonsmoker • Married, divorced, cohabitating • Political affiliation • Height and weight • Medical problems • DNA information 6. Which of the two competencies do you believe is more important for an IT department manager—technical or managerial? Defend your answer. 7. Relate the concepts of complexity, differentiation and integration, interdependence, and boundary spanning to each of the following:

• Technical skills • Conceptual skills • Human relations skills