OIG Study Finds 60 Percent of Hospitals Experienced EHR Disruptions, Highlights Importance of Contingency Plans | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

OIG Study Finds 60 Percent of Hospitals Experienced EHR Disruptions, Highlights Importance of Contingency Plans

July 25, 2016
by Heather Landi
| Reprints
Click To View Gallery

Close to 60 percent of hospitals have experienced an unplanned disruption to their electronic health record (EHR) systems and a quarter of those hospitals experienced delays in patient care as a result, according to a new study released by the Department of Health and Human Services (HHS) Office of Inspector General (OIG).

While recent alleged ransomware attacks at hospitals across the country highlight how disruptions to hospital information systems can disrupt patient care, the OIG study surveyed hospitals in May 2015, before many of the notable ransomware attacks. And, in the study, most hospitals cited hardware malfunctions as accounting for the largest percentage of EHR disruptions, followed by Internet connectivity problems.

The OIG study sought to evaluate how well hospitals are addressing requirements for EHR contingency in light of evolving threats to healthcare information systems. The HHS Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Under the HIPAA Security Rule, all covered entities are required to have a contingency plan for responding to disruptions to EHR systems. Contingency plans specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption.

Disruptions, such as natural disasters or technical malfunctions, can make EHRs unavailable to hospital staff. Prior OIG work found that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. And, more recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs.

The study report specifically noted that in 2014 Boston Children’s Hospital suffered a distributed denial of service attack. “Though no data were lost and no patient harm occurred, some of the hospital’s systems lost Internet-based functionality. The hospital relied on its contingency planning and work arounds to continue operating,” the OIG study report stated.

This past January, a hospital in California reported that it suffered a ransomware attack that disabled its network and EHR system for about a week, leading to delayed patient care and the need to divert patients to other facilities. And, the OIG study also noted the suspected ransomware attack at MedStar Health that forced the health system to take computer systems offline throughout its entire system, including 10 hospitals.

While the study found that most hospitals it evaluated were addressing requirements for EHR consistency plans, the OIG study report concluded that “persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans.” And the OIG state that its review, and cyberattacks that have occurred since 2014, underscore its previous recommendation that OCR implement a permanent audit program for compliance.

The OIG study evaluated 400 hospitals that received EHR incentive payments from the Centers for Medicare & Medicaid Services (CMS) by administering an online questionnaire between May and July 2015. The study used four HIPAA-required criteria as well as recommended practices from the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC). OIG researchers also conducted site visits at six hospitals, in order to interview hospital staff and review EHR contingency plans and related documents.

According to the OIG study report, almost all hospitals (95 percent) reported having written EHR contingency plans, and about two-thirds (68 percent) reported that their contingency plans addressed the four HIPAA requirements the agency reviewed, i.e., having a data backup plan, having a disaster recovery plan, having an emergency-mode operations plan, and having testing and revision procedures. And, large hospitals were more likely to report having a written EHR contingency plan than small hospitals.

The study also found that, for the year preceding the questionnaire, 59 percent of hospitals reported unplanned EHR disruptions that made their EHR system unavailable to hospital staff and the majority (74 percent) of these hospitals reported three or fewer disruptions within one year. One-fifth of hospitals with unplanned disruptions reported disruptions that lasted more than eight hours.

As mentioned above, hospitals cited hardware malfunctions as accounting for the largest percentage of EHR disruptions at 59 percent, followed by Internet connectivity problems (44 percent). Other cited reasons for unplanned EHR disruptions included power failure (33 percent), natural disaster (4 percent) and ransomware, although that was cited by only 1 percent of respondents.

Of those hospitals that reported an unplanned disruption, about one-quarter reported an outcome of delayed patient care and 15 percent reported that patients were rerouted due to the disruption, while 1 percent of hospitals reported having lost records.

The OIG study also evaluated hospitals based on whether contingency plans addressed the four HIPAA requirements. Almost all of the hospitals evaluated (99 percent) reported maintaining backup copies of EHR data and 92 percent reported storing backup data offsite. Most hospitals also reported implementing recommended practices such as supplying paper medical record forms for use when the EHR is unavailable and training and testing staff on contingency plans, according the OIG study.

Of the hospital respondents, just over half (57 percent) reported having a read-only EHR system and 32 percent reported having a visually differentiated read-only system.

Of the hospitals that maintained backup copies, almost all reported implementing the recommended practice to back up data at least once per day. “Hospitals may rely on multiple methods to back up data. For example, one hospital we visited told us that it replicated data on a secondary server continuously and backed up data to media―either a tape or disk―every 4 hour,” the study report authors wrote.

With regard to disaster recovery, about three-quarters of hospitals reported having alternate sites, and more than half implemented the recommended practice of having “warm” or “hot” sites to operate their EHR systems when their primary EHR systems malfunction. Almost half of hospitals with alternate sites reported that they can transfer EHR operations within the recommended 8 hours.

In addition, hospitals generally implemented many practices recommended by ONC and NIST for EHR contingency plans. Recommended practices related to backing up, storing, and maintaining data; using paper records; and having alternative power sources (e.g., generators) were among the most commonly implemented (reported by 90-100 percent of hospitals).

When evaluating hospitals on testing and revision of contingency plans, the study found that most hospitals reported reviewing their contingency plans regularly to remain current with system or organizational changes. Eighty-eight percent reported reviewing their EHR contingency plans within the preceding years for any reason, including as part of a regularly scheduled review. Hospitals also reported regularly training staff on how to operate during EHR disruptions. Although most hospitals trained staff on EHR contingency plans in the year preceding the questionnaire, 45 percent of hospitals reported training staff through recommended drills on how to deal with EHR system downtime.

More than half of hospitals reported having policies to review their contingency plans after each planned or unplanned EHR disruption. EHR disruptions allow hospitals to test whether their contingency plans are effective and identify opportunities to improve them. “For example, as a result of activating and reviewing EHR contingency plans, some hospitals reported that they recognized the need to improve communication during EHR disruptions,” the OIG study report stated.

In addition, some hospitals also reported that EHR disruptions allow both clinical and IT staff to become more familiar with EHR contingency plans. For example, during EHR disruptions, clinical staff could practice accessing a read-only system or documenting care on paper records. IT staff could practice transferring the EHR system to an alternate site and bringing the primary system back to functioning status, the study authors noted.

The OIG study also found that OCR considers HIPAA compliance broadly and does not target EHRs when reviewing a covered entity's contingency plans. In fact, HIPAA requirements do not prescribe how covered entities should develop or use contingency plans, the study author noted.

“OIG previously recommended that OCR fully implement a permanent audit program to assess compliance with HIPAA requirements, and recent events underscore the importance of this recommendation. This review provides baseline information on hospitals’ EHR contingency plans and reflects our continued attention to this issue,” the study authors wrote.


The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


Allscripts Sells its Netsmart Stake to GI Partners, TA Associates

December 10, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

Just a few months after Allscripts said it would be selling its majority stake in Netsmart, the health IT company announced today that private equity firm GI Partners, along with TA Associates, will be acquiring the stake held in Netsmart.

In 2016 Allscripts acquired Kansas City-based Netsmart for $950 million in a joint venture with middle-market private equity firm GI Partners, with Allscripts controlling 51 percent of the company. With that deal, Allscripts contributed its homecare business to Netsmart, in exchange for the largest ownership stake in the company which has now become the largest technology company exclusively dedicated to behavioral health, human services and post-acute care, officials have noted.

Now, this transaction represents an additional investment for GI Partners over its initial stake acquired in April 2016, and results in majority ownership of Netsmart by GI Partners.

According to reports, it is expected that this sale transaction will yield Allscripts net after-tax proceeds of approximately $525 million or approximately $3 per fully diluted share.

Founded 50 years ago, Netsmart is a provider of software and technology solutions designed especially for the health and human services and post-acute sectors, enabling mission-critical clinical and business processes including electronic health records (EHRs), population health, billing, analytics and health information exchange, its officials say.

According to the company’s executives, “Since GI Partners' investment in 2016, Netsmart has experienced considerable growth through product innovation and multiple strategic acquisitions. During this time, Netsmart launched myUnity, [a] multi-tenant SaaS platform serving the entire post-acute care continuum, and successfully completed strategic acquisitions in human services and post-acute care technology. Over the same period, Netsmart has added 150,000 users and over 5,000 organizations to its platform.”

On the 2018 Healthcare Informatics 100, a list of the top 100 health IT vendors in the U.S. by revenue, Allscripts ranked 10th with a self-reported health IT revenue of $1.8 billion. Netsmart, meanwhile, ranked 44th with a self-reported revenue of $319 million.

According to reports, Allscripts plans to use the net after-tax proceeds to repay long-term debt, invest in other growing areas of its business, and to opportunistically repurchase its outstanding common stock.

The transaction is expected to be completed this month.

More From Healthcare Informatics


Study Links Stress from Using EHRs to Physician Burnout

December 7, 2018
by Heather Landi, Associate Editor
| Reprints
More than a third of primary care physicians reported all three measures of EHR-related stress
Click To View Gallery

Physician burnout continues to be a significant issue in the healthcare and healthcare IT industries, and at the same time, electronic health records (EHRs) are consistently cited as a top burnout factor for physicians.

A commonly referenced study published in the Annals of Internal Medicine in 2016 found that for every hour physicians provide direct clinical face time to patients, nearly two additional hours are spent on EHR and desk work within the clinic day.

Findings from a new study published this week in the Journal of the American Medical Informatics Association indicates that stress from using EHRs is associated with burnout, particularly for primary care doctors, such as pediatricians, family medicine physicians and general internists.

Common causes of EHR-related stress include too little time for documentation, time spent at home managing records and EHR user interfaces that are not intuitive to the physicians who use them, according to the study, based on responses from 4,200 practicing physicians.

“You don't want your doctor to be burned out or frustrated by the technology that stands between you and them,” Rebekah Gardner, M.D., an associate professor of medicine at Brown University's Warren Alpert Medical School, and lead author of the study, said in a statement. “In this paper, we show that EHR stress is associated with burnout, even after controlling for a lot of different demographic and practice characteristics. Quantitatively, physicians who have identified these stressors are more likely to be burned out than physicians who haven't."

The Rhode Island Department of Health surveys practicing physicians in Rhode Island every two years about how they use health information technology, as part of a legislative mandate to publicly report health care quality data. In 2017, the research team included questions about health information technology-related stress and specifically EHR-related stress.

Of the almost 4,200 practicing physicians in the state, 43 percent responded, and the respondents were representative of the overall population. Almost all of the doctors used EHRs (91 percent) and of these, 70 percent reported at least one measure of EHR-related stress.

Measures included agreeing that EHRs add to the frustration of their day, spending moderate to excessive amounts of time on EHRs while they were at home and reporting insufficient time for documentation while at work.

Many prior studies have looked into the factors that contribute to burnout in health care, Gardner said. Besides health information technology, these factors include chaotic work environments, productivity pressures, lack of autonomy and a misalignment between the doctors' values and the values they perceive the leaders of their organizations hold.

Prior research has shown that patients of burned-out physicians experience more errors and unnecessary tests, said Gardner, who also is a senior medical scientist at Healthcentric Advisors.

In this latest study, researchers found that doctors with insufficient time for documentation while at work had 2.8 times the odds of burnout symptoms compared to doctors without that pressure. The other two measures had roughly twice the odds of burnout symptoms.

The researchers also found that EHR-related stress is dependent on the physician's specialty.

More than a third of primary care physicians reported all three measures of EHR-related stress -- including general internists (39.5 percent), family medicine physicians (37 percent) and pediatricians (33.6 percent). Many dermatologists (36.4 percent) also reported all three measures of EHR-related stress.

On the other hand, less than 10 percent of anesthesiologists, radiologists and hospital medicine specialists reported all three measures of EHR-related stress.

While family medicine physicians (35.7 percent) and dermatologists (34.6 percent) reported the highest levels of burnout, in keeping with their high levels of EHR-related stress, hospital medicine specialists came in third at 30.8 percent. Gardner suspects that other factors, such as a chaotic work environment, contribute to their rates of burnout.

"To me, it's a signal to health care organizations that if they're going to 'fix' burnout, one solution is not going to work for all physicians in their organization," Gardner said. "They need to look at the physicians by specialty and make sure that if they are looking for a technology-related solution, then that's really the problem in their group."

However, for those doctors who do have a lot of EHR-related stress, health care administrators could work to streamline the documentation expectations or adopt policies where work-related email and EHR access is discouraged during vacation, Gardner said.

Making the user interface for EHRs more intuitive could address some stress, Gardner noted; however, when the research team analyzed the results by the three most common EHR systems in the state, none of them were associated with increased burnout.

Earlier research found that using medical scribes was associated with lower rates of burnout, but this study did not confirm that association. In the paper, the study authors suggest that perhaps medical scribes address the burden of documentation, but not other time-consuming EHR tasks such as inbox management.


Related Insights For: EHR


HHS Studying Modernization of Indian Health Services’ IT Platform

November 29, 2018
by David Raths, Contributing Editor
| Reprints
Options include updating the Resource and Patient Management System technology stack or acquiring commercial solutions

With so much focus on the modernization of health IT systems at the Veteran’s Administration and Department of Defense, there has been less attention paid to decisions that have to be made about IT systems in the Indian Health Service. But now the HHS Office of the Chief Technology Officer has funded a one-year project to study IHS’ options.

The study will explore options for modernizing IHS’ solutions, either by updating the Resource and Patient Management System (RPMS) technology stack, acquiring commercial off-the-shelf (COTS) solutions, or a combination of the two. One of the people involved in the analysis is Theresa Cullen, M.D., M.S., associate director of global health informatics at the Regenstrief Institute. Perhaps no one has more experience or a better perspective on RPMS than Dr. Cullen, who served as the CIO for Indian Health Service and as the Chief Medical Information Officer for the Veterans Health Administration

During a webinar put on by the Open Source Electronic Health Record Alliance (OSEHERA), Dr. Cullen described the scope of the project. “The goal is to look at the current state of RPMS EHR and other components with an eye to modernization. Can it be modernized to meet the near term and future needs of communities served by IHS? We are engaged with tribally operated and urban sites. Whatever decisions or recommendations are made will include their voice.”

The size and complexity of the IHS highlights the importance of the technology decision. It provides direct and purchased care to American Indian and Alaska Native people (2.2 million lives) from 573 federally recognized tribes in 37 states. Its budget was $5.5 billion for fiscal 2018 appropriations, plus third-party collections of $1.02 billion at IHS sites in fiscal 2017. The IHS also faces considerable cost constraints, Dr. Cullen noted, adding that by comparison that the VA’s population is four times greater but its budget is 15 times greater.

RPMS, created in 1984, is in use at all of IHS’ federally operated facilities, as well as most tribally operated and urban Indian health programs. It has more than 100 components, including clinical, practice management and administrative applications.


Driving Success at Regional Health: Approaches and Challenges to Optimizing and Utilizing Real-Time Support

Regional Health knew providing leading EHR technology was not the only factor to be considered when looking to achieve successful adoption, clinician and patient satisfaction, and ultimately value...

About 20 to 30 percent of RPMS code originates in the VA’s VistA. Many VA applications (Laboratory, Pharmacy) have been extensively modified to meet IHS requirements. But Dr. Cullen mentioned that IHS has developed numerous applications independently of VA to address IHS-specific mission and business needs (child health, public/population health, revenue cycle).

Because the VA announced in 2017 it would sundown VistA and transition to Cerner, the assessment team is working under the assumption that the IHS has only about 10 years to figure out what it will do about the parts of RPMS that still derive from VistA. And RPMS, like VistA, resides in an architecture that is growing outdated.

The committee is setting up a community of practice to allow stakeholders to share technology needs, best practices and ways forward. One question is how to define modernization and how IHS can get there. The idea is to assess the potential for the existing capabilities developed for the needs of Indian country over the past few decades to be brought into a modern technology architecture. The technology assessment limited to RPMS, Dr. Cullen noted. “We are not looking at COTS [commercial off the shelf] products or open source. We are assessing the potential for existing capabilities to be brought into “a modern technology architecture.”

Part of the webinar involved asking attendees for their ideas for what a modernized technology stack for RPMS would look like, what development and transitional challenges could be expected, and any comparable efforts that could inform the work of the technical assessment team.




See more on EHR

betebet sohbet hattı betebet bahis siteleringsbahis