The number of patient care organizations across the U.S. in which physician mobility is moving forward is growing daily. Among that throng is Vanguard Medical Group, based in Verona, N.J., with three patient care locations, in Verona, Cranford, and Montville, all in northeast New Jersey. The organization encompasses 15 physicians and 10 mid-level providers, working in the three specialties of family medicine, internal medicine, and geriatrics.
At Vanguard, Thomas McCarrick, M.D., is chief medical officer and CMIO. In Vanguard’s case, the path toward mobility began with the group’s participation in a groundbreaking patient-centered medical home (PCMH) program with Horizon Blue Cross Blue Shield of New Jersey, which ultimately required Vanguard to become certified as a PCMH, and that in turn necessitated better connectivity. That led to McCarrick’s developing an increasingly comprehensive strategy and policy around the deployment and securing of mobile devices, particularly around what’s being called the “BYOD” (“bring your own device”) phenomenon.
It’s all rather subtle and complex, McCarrick notes, because a balance must be struck between the ideal and the practical, with regard to how physicians really practice, and what kinds of policies they can realistically adhere to. McCarrick spoke this spring with HCI Editor-in-Chief Mark Hagland about mobility, and his comments will be included in the July/August cover story of HCI. Below is an excerpt from Hagland’s longer interview with Dr. McCarrick.
Can you share with us how your “BYOD” policy has been developed?
It’s an evolving thing. It started with the EHR [electronic health record]. We started with an EHR eight years ago, from the Austin, Tex.-based e-MDs. At the beginning of this process, we just wanted remote access; we weren’t extracting data out or anything. But in 2010, we got involved with a PCMH program with Horizon Blue Cross Blue Shield of New Jersey, and they invited us to participate in a diabetes program that would require us to become NCQA-certified [certified by the Washington, D.C.-based National Committee for Quality Assurance] as a PCMH. So we had to start identifying those patients and reporting on those metrics. Then in 2011, we were invited into a larger rollout for a PCMH across all disease states, with Horizon. And once we started reporting for these programs, we started having new problems making connections.
And about two years ago, we started a home visit program, in which a geriatrician and geriatric nurse practitioner visit homebound patients to take care of them. And that creates other issues, because you want them to work within the EHR remotely, but they have documents at home, medical directives and such—the patients. So any person who had to do data entry—we decided we needed to own that device, and that it needed to be fully encrypted. The people who visit remotely will have a scanner with them and will scan the advance directive or other documents into the EHR remotely, so there will be data at rest on those devices.
So they have a Lenovo device, and it’s fully encrypted. That’s only a small part of their practice, though. I have a couple who work remotely to call patients and stuff like that, and those devices have to be fully encrypted.
But the physicians, physician assistants, and nurse practitioners who see patients—everyone wants to have a cool new device—tablet or smartphone—and everyone wants access to the office. That’s the challenge we’re facing; we’re working with our IT vendor to make sure those connections are secure; if they’re using remote access, we’re not requiring the device to be encrypted if no patient data sits on the device.
Have you developed formal policies? And does everyone understand those policies?
We’re doing that now. My thinking on it has been changing depending on the issue involved. At one point, I wanted to have every device encrypted; then I realized that that was too much. So we are trying to put together some kind of policy; right now, it’s just in my head. But most importantly, you don’t want to have somebody not understand what your policy is, and then do things that inadvertently subvert it.
In that context, you and your colleagues need to be more mobile, and have embraced mobile devices, right?
Yes, we have to. Everybody in our practice wants to be mobile. They’re using devices in their personal lives already.
What lessons have you and your colleagues learned so far?
You have to teach people the HIPAA principles [related to the patient health information security requirements of the federal Health Insurance Portability and Accountability Act of 1996]; because you’ll always find somebody who will undermine those in some unexpected way if they don’t understand. Having policies and rules is not enough. They need an understanding of the principles.
What advice do you have for your colleagues nationwide, CMIOs, CIOs, and other healthcare IT leaders, as they start to work through all of these processes and issues?
I think the advice would be, while security and patient privacy are very, very important, the priority is access to information, because that’s what allows us to take care of patients. People measure the breaches, but don’t keep track of the time when our having better access to patient information has helped to save the lives of patients; so that’s the balance, and it’s not an obvious balance.