Blog

Patient engagement and design in the art of medicine

Patient engagement is controversial for many physicians because it interferes with the traditional values that arise from the several-hundred-year-old guild of medicine. Per the NEJM Catalyst Insights Council, patient engagement is characterized as patients interested in participating in choices about their health care, taking ownership of those choices, and having an active role in improving their outcomes. Given the current epidemiology of chronic diseases, it is not surprising that many patients have low levels of engagement as well as health literacy. As someone who is preoccupied with the diagnosis and treatment of diseases, it is difficult for me to view any problem solving from the patient’s lens; yet, I know through the literature and intuitively that how patients feel impacts their outcomes. The following are a few of the things I have learned and will work on as I improve my ability to deliver care:

  • Time = effectiveness. Opinions of clinicians and leaders in patient care have determined that increased patient time with a health care team leads to increased engagement. A basic concept in human dynamics is that the mere exposure to someone over time is enough to start an unlikely relationship. Tack onto that high quality communication and understanding nuances of healthcare literacy, and you have a more engaged patient. In modern medicine, this would be accomplished through a multidisciplinary team effort. This task is challenging given the constraints of our current healthcare system. Could I increase time with patients through mobile technology? If there were an automated way for me or another care team provider to connect with patients via text or a quick phone call at specific intervals, I would be able to increase exposure and augment time.
  • Shared decision making is key. Another finding of the NEJM Catalyst is that shared decision making is one of the most effective strategies in improving engagement. We learn about this academically through the interpretative model (as opposed to paternalistic, etc.) of provider-patient relations; but this is also just common sense. I like to think this gives patients a sense of control, a sense of choice in a matter, where frankly, a lot may be out of your control. We are also better able to accept the consequences of the decisions we make, rather than the ones that are placed upon us. One of the reasons that UNICEF has been effective in helping children around the world is from the core guiding principle that children inherently have rights. American political views are reflected in the current model of access, but I would like to practice medicine with the belief that patients have inherent rights. It is a slippery slope because patients’ actions can be counterproductive to their health – but my preference is still to protect patient autonomy.
  • Technology needs an engagement strategy. The concept of remote monitoring with wireless devices doesn’t appear to improve chronic disease management or outcomes. Technology alone cannot solve a dilemma in a people’s “business”. I would opt to use adaptive technologies that improve my relationship and sense of connectedness to the patient over technology that would offer mostly education or content to the patient. The idea of people taking ownership for a difficult problem is non-trivial. It requires motivation at a level that is primarily internal. How do you access that in people? In the self-help world, the most effective motivational coaches tend to elicit a hyper-emotional state in people along with placing a high premium on discipline. I think it’s logical to work on building a relationship, connecting, allowing a safe space for vulnerability, and witnessing the struggle to achieve begin from that foundation. While patient engagement is primarily a patient responsibility, I think providers have a responsibility to elicit patient activation as this directly affects outcomes.
  • Design thinking would take physicians to the next level. When Indra Nooyi became the CEO of Pepsi, one of her top priorities was to explore her staff’s beliefs on the concept of design. She asked business executives to take photographs of anything that they believed constituted design. After such an abstract request, she noticed that not only did people not care to complete the assignment, but some had even hired professional photographers to complete the task. My interpretation of this story is that she believes that there is an artistic aspect in the most unsuspecting of transactions. According to IDEO, human-centered design is about building a deep empathy with the people you are designing for. In the process of being inspired, ideating, and implementing, a design researcher explores the texture and what matters most to a person before execution of a solution. How is this any different from delivering empathetic, tailored care to a patient? What we do well in medicine, some of the time, is already done at a higher level of sophistication in the real world outside of our clinics and hospitals. While design-centric thinking may lead to innovations in healthcare, for the provider I think the greatest advantage is that you amplify the relationship you have with the patient and increase overall engagement.

Whether it’s the creation of something that didn’t exist before or making decisions that are influenced by intuition, everyone is at one level involved in artwork. Improving patient engagement particularly with design-centric thinking would bring more value and meaning to the art of medicine, a skill I look forward to building throughout my career.

Posted in: Behavior Change, Healthcare transformation, patient engagement


Comprehensiveness + Comprehension: effect of technology on discharge instructions

Whether patients are leaving the emergency department or being released from an extensive hospitalization, they need discharge instructions in order to solve their initial problem, better self-manage, and coordinate the appropriate follow-up. These instructions are typically written and are also articulated to the patient. We know that due to varying levels of health literacy, or the degree to which individuals have the capacity to process and understand basic health information needed to make appropriate health decisions [1], a patient is especially vulnerable during the process of discharge in terms of overall understanding and appropriate follow through. Can technology empower patients operating from a position of weakness in this transition?

  • According to the 2013 study entitled Information Technology Improves Emergency Department Patient Discharge Instructions Completeness and Performance on a National Quality Measure, researchers were able to show that electronic discharge instructions were more complete than paper-based information. The electronic discharge instructions had 97.3% compliance to a CMS quality measure while the paper-based discharge instructions were at 46.7%. This compliance is more than doubled with electronic discharge documentation (relative risk 2.09, 95%CI 1.75-2.48) [2]; however, there were no statistically significant differences in documentation of patient care instructions nor diagnosis between paper-based and electronic formats.
  • In a 2015 study entitled Readability of patient discharge instructions with and without the use of electronically available disease-specific templates, patient readability of a web based discharge module, which has diagnosis-specific templated discharge instructions, was assessed. Patients had better readability with electronic templated discharge instructions than those that were clinician-generated (p< .001). Furthermore, the primary reason doctors created discharge instructions by themselves was due to lack of disease specific template availability.

The most exciting time in medicine is now, where the application of information technology during vulnerable transitions can provide a patient more complete information that he/she can actually act upon. Taken together, these studies suggest enhancement of both comprehensiveness and comprehension; the former very important for the primary care physician who will assume care of this patient status post hospitalization and the latter important for the patient’s overall health literacy necessary for improvement. The next logical extension is to have web based applications assist a patient in the transition from the hospital to the outpatient setting, something that innovative companies like Wellpepper are doing.

References

  1. Nielsen-Bohlman, L.; Panzer, AM.; Kindig, DA. Health literacy: A prescription to end confusion. National Academies Press; Washington, DC: 2004.
  2. Bell EJ et al. Information Technology Improves Emergency Department Patient Discharge Instructions Completeness and Performance on a National Quality Measure: A Quasi-Experimental Study. Appl Clin Inform. 2013; 4(4): 499–514.
  3. Mueller SK et al. Readability of patient discharge instructions with and without the use of electronically available disease-specific templates. J Am Med Inform Assoc. 2015; 22(4): 857-63.

Posted in: Healthcare Technology, Patient Satisfaction


Falls Challenge

How might we enable older adults to live their best possible life by preventing falls? We have entered a challenge with AARP and IDEO to bring our proven falls solutions to the masses. Alongside our partners at Harvard and Boston University, we believe that using mobile technology to enhance and scale a proven falls prevention program will lead to a better life by increasing access to care and decreasing costs.

The challenge started with over 220 submissions and was recently weeded down to the top 40. We’re thrilled to have made the first cut. Our method is proven and we invite you to participate in the next round to refine our idea and help achieve greater impact.


Posted in: Aging, Clinical Research, Healthcare Technology, Outcomes, Physical Therapy, Research, Uncategorized


Exposure at a digital health startup

Physicians typically endure years of training by being put in a pressure cooker with no safety valve. They persist through sheer brute force and discipline within a highly regulated, high barrier to entry industry. The high stakes culture of medicine often lends to emotional immaturity and an inability to relate to most of the world around. Ironic and sad, given that one of the core principles in patient care is to demonstrate empathy towards the human condition. The information asymmetry that exists between patient and provider further puts more onus on the physician to have character and compassion. In addition to being out of touch with reality, physicians also grapple with the changing times. Technological advancements and accessibility of information through technology has influenced the way physicians learn and practice medicine. Physicians who are uncomfortable with technology tend to find it harder to keep up with the latest innovations and research that affects patient care.

I chose to do a rotation at a digital health startup because of the fear of being disconnected and clueless. Plus there are a few other beliefs of mine that I wanted to more fully explore during my time at Wellpepper:

  • Understanding patients in the aggregate is important. Understanding what patients want, feel, and expect is not just an interesting data set, but is essential for me in providing optimal care. While a physician still deals with a patient one on one and the experience is influenced by patient characteristics, knowing the context in where the patient is coming from provides the best chance for an optimal encounter.
  • Technology that enhances the patient-physician relationship is a top priority. The physicians I have respected the most have tier 1 communication skills and relationships with their patients. A good relationship can literally bend the physics of the situation (e.g. that’s why doctors who have good bedside manner don’t get sued).
  • Technology that promotes value based care is the current landscape. It is no longer around the corner. Every stakeholder in healthcare is interested in improvement of care from an outcomes and cost perspective. Current practices in medicine are rapidly adapting in order to keep up.
  • Betting against yourself is a great strategy for growth. Based on the culture of medicine, it has always been more important for me to implement care that is standardized and in service of saving a patient’s life rather than considering how he/she feels. Something as simple as a patient having to give five histories within the same hospital admission is normal to me and also has value due to the difficulties in eliciting accurate information. But what if I considered that a patient doesn’t want to hear the same question repeatedly and that this ultimately affects his/her perception of care? What if their lives were saved but they didn’t believe that anyone truly cared for them in the hospitalization? Would this be a meaningful experience, or a shallow one-sided win? Challenging the way I think, the way I was indoctrinated into thinking and behaving, is something I look forward to in this process.

In summary, I chose to do a rotation at Wellpepper because I have a growth mindset. I want to consciously be a part of the most exciting time in medicine, where the hard work of innovative and creative minds improve patient lives.

Posted in: Behavior Change, Healthcare motivation, patient engagement, Patient Satisfaction


Home Sweet Home

Our goal at Wellpepper has always been to make sure patients have a top-notch experience with our Partners. What better experience can patients have than being in the comfort of their own home while rehabilitating from a joint replacement? An article was recently published in the New York Times that really hits home for us. Not only is in-home therapy more cost-effective than inpatient rehabilitation, but it significantly decreases the risk for adverse events.

More and more studies are showing that patients are generally happier and actually prefer being at home during their recovery from a joint replacement. A study published earlier this year in Australia found that inpatient rehabilitation did not provide an increase in mobility when compared to patients participating in a monitored home-based program.

Don’t get me wrong, inpatient rehabilitation is extremely valuable to have. In fact, we are starting to see more patients interact with their Wellpepper digital treatment plans in an inpatient setting and then continuing once discharged home.

Rehabilitation is not a one size fits all solution and much depends on a patient’s general health and attitude. The ability to be flexible and innovative in providing treatment is crucial when evaluating a patient’s needs for rehabilitation. With Wellpepper digital treatment plans, we enable health systems to bring the expertise and personalization of inpatient rehabilitation to their patient’s mobile devices, so that they may recover from their surgery in the comfort of their own homes.

Posted in: Behavior Change, Healthcare motivation, Healthcare Technology, patient engagement, Patient Satisfaction, Physical Therapy


T2 Telehealth aka ATA 2017 aka ATA 23: Part 2, How Did We Get Here and Where Are We Going?

This was my second trip to Orange County Convention Center this year, so it was hard not to compare and contrast the annual American Telemedicine conference to HIMSS, the biggest health IT conference. As well, it was my third time at the ATA conference, back after skipping in 2016, and the gap made it easier to reflect on previous years as well.

The ATA annual is almost 10 times smaller than HIMSS, which makes it a lot less exhausting and easier to focus. There’s not a feeling that for every second you’re talking to someone you’re missing out on talking to someone else equally as interesting and valuable. (There is no shortage of interesting people, just a more manageable group.) The size also makes it a bit easier to talk to people as they’re not rushing off to walk a few miles across the convention center to the next session.

The first year I attended, 2014, the tradeshow floor was full of integrated hardware and software solutions, and Rubbermaid was even a vendor selling telemedicine carts. It was almost as though the iPad hadn’t been invented.  It was the year that Mercy Virtual launched their services as a provider of telestroke and telemonitoring for other health systems. A provider as a vendor caused a bit of a stir on the tradeshow floor.

By the next year, the integrated hardware and software vendors were dwindling, but talks were still largely given by academics and focused on pilot projects that, while successful, often ended with a plea for thoughts on how to scale the program.

ATA evolved out of an academic conference and that’s still quite prevalent in the presenters, who are often from academic medical centers and reporting on studies rather than implementation. Data was important in all sessions, but measurement of value was inconsistent. In addition to academic medical centers, most leaders in telehealth seemed to be faith-based not-for-profits, like Mercy and Dignity, as well as rural organizations where the value was clear.

That said, a welcome addition to this year’s content was two new tracks on Transformation and Value. I spoke in the Value track at ATA, along with Reflexion Health and Hartford Healthcare about the value of telerehab in total joint replacement, and we were able to share data points from real patient implementations, in addition to clinical studies. (If you’re interested in the Wellpepper segment, get in touch.)

Although, harkening back to the day 1 keynote, the definition of value depended on the business model of the telemedicine platform being implemented. There’s no question that telestroke and neurology programs, and telebehavior programs deliver value especially in rural areas without direct access. At Wellpepper, we’ve seen definite results in post-acute care, both in recovery speed and readmissions.

In other sessions the value was not as clear and no one was able to fully refute the study that when offered the choice, patients used telemedicine in addition to in-person visits, thus driving up costs. In fact, the director of telemedicine for a prominent healthcare organization confirmed that patients were using televisits for surgical prep when they could have just read the instructions given to them. (Or interacted with a digital care plan like Wellpepper.)

As with every technology conference, the voice of the patient was absent, with the exception of head of Mercy Virtual Randall Moore, MD, who started all his presentations by introducing us to patient Naomi, who was able to live out her life at home, attend bingo, and enjoy herself due to the benefits of the wrap-around telemedicine program that Mercy put in place. Oh, and it cost a lot less than the path of hospital admissions she’d been on previously. Sounds like triple aim, and what we all need to aspire to.

So, based on the keynotes, the sessions, and the show floor, I’d characterize this year’s conference as a world in flux, like what’s going on elsewhere. There was a sense of relief that the ACA had not been repealed. HIMSS took place before the proposed repeal and replace plan died, and there was a lot more fear and uncertainty. Vendors and providers alike are looking to strengthen the value chain. Unlike HIMSS, there was a lot less hype. Machine learning and AI were barely mentioned except in keynotes possibly because telemedicine is still largely a world of real-time visits, and extracting meaning from video is a lot harder than from records. We see promise, people want to do the right thing, but it’s not clear which direction will help us ride out the storm.

 

Still trying to figure out what this has to do with Telemedicine. Look better on realtime visits?

Posted in: Healthcare Disruption, Healthcare Legislation, Healthcare motivation, Healthcare Policy, Healthcare Technology, M-health, Prehabilitation, Rehabilitation Business, Telemedicine


T2 Telehealth aka ATA 2017 aka ATA 23: Part 1, The Eye of the Hurricane

While there is a focus on transformation, value, and outcomes going on, if the keynotes are any indication it may be a rough road ahead for telemedicine.

“It’s the 23rd year for the American Telemedicine Association conference, why are we still talking about how to get paid?”, admonished Pamela Peele, PhD economist and Chief Analytics Officer of UPMC during the opening keynote of the annual conference of the American Telemedicine Association.

Pamela Peele at ATA2017


“Especially since, as this audience knows, telemedicine is the best thing since sliced bread?”

Why indeed? Well, it’s complicated. The problem is that each person in the value chain, the payer, the physician, the healthcare organization, the patient, and the patient’s closest adult daughter (aka primary caregiver), only see the value of one slice of that loaf of bread, and we collectively as purveyors of telemedicine have to sell the entire loaf. There’s no clear solution to this problem. However, with unsustainable costs of healthcare, and increasing consumerization we have got to figure it out. The taxpayer is bearing the brunt of the costs right now, and Peele characterized the shift of baby boomers to skilled nursing facilities as a hurricane we are unprepared for. One way out is to keep people at home, and for that we need Medicare to fund a cross-state multi-facility study to determine efficacy, value, and best practices. Fragmentation of trials is keeping us from wide scale adoption.

The Adaptation Curve


“We have got to figure it out” was also the theme of best-selling author and New York Times columnist Tom Friedman’s keynote promoting his new book “Thank You for Being Late.” Friedman claimed to be more right than the rightest Republican, suggesting we abolish corporate taxes, and at the same time more left than the leftist Bernie Sanders supporter, suggesting we need an adaptable safety net. His major thesis is that we are undergoing 3 climate changes right now: globalization, climate, and technological. To survive and thrive in this new world, we need to adapt and evolve, and take our cues from Mother Nature, not from some sort of top-down regulation. Like Peele on the previous day, Friedman also sees a hurricane coming and suggests that the only way to survive is by finding the eye of the storm, not by building a wall.

Adapting and evolving will come in handy with the harder times for healthcare investment ahead predicted by the venture investing panel in the day 3 keynote. Tom Rodgers of McKesson Ventures and Rob Coppedge of the newly formed Echo Health Ventures pulled no punches, as they tossed off tweet-worthy statements like “Don’t tell me you’re the SnapChat of healthcare” and “it seems like there are only 3 business models for telemedicine.” The latter was Coppedge’s comment on walking the tradeshow floor. (The models are direct to consumer, platform, and as a combined technology and service.) Rodgers had no love for direct to consumer models or anything that targeted millennials, who he deemed low and inconsistent users of services. Platform vendors were advised to surround themselves with services: video was seen as a commodity.

So where does that leave us? Value, value, value. The challenge is that the value is different depending on the intervention, the patient, the payer, and the provider. Preventing readmissions, aging at home, decreasing travel costs, all provide benefits to one or more of the key stake holders. Can we figure out how to reimburse based on slices of value? How do we get together to realize that value? And how do we do it before the hurricane hits?

Posted in: Behavior Change, Healthcare Disruption, Healthcare Policy, Healthcare Research, Healthcare transformation, Telemedicine


Telehealth 2.0: Our picks for Orlando

I am really looking forward to heading to Orlando for the American Telemedicine Conference, aka Telehealth 2.0. Seattle has been under a rain cloud this entire year, and I want to see the sun. I’m also looking forward to sharing our findings in using asynchronous mobile telehealth for remote rehabilitation with patients recovering from total joint replacement. I’ll be speaking with our colleagues from Hartford Health, Reflexion, and Miami Children’s Hospital on Sunday during the first breakout sessions. Hope to see you there!

In addition to the topics about legislation and regulations, it’s great to see these sessions on value, quality, and new treatment models. Here are some of Wellpepper’s picks for the conference.

Sunday

Monday

Tuesday

Now with all this great content, networking and a talk to prepare, when will I see the sun?

Posted in: Adherence, Behavior Change, Health Regulations, Healthcare Disruption, Healthcare Legislation, Healthcare Policy, Healthcare Research, Healthcare Technology, patient engagement, Telemedicine


Wellpepper Security Bulletin April 14, 2017: Unplanned Critical Maintenance

Update 4/16/17: Issues have been mitigated, maintenance is now complete.


On April 14, a batch of Windows-targeting exploits, including several suspected 0-day exploits, were released by Shadow Brokers. We have no reason to believe that any Wellpepper systems were targeted or affected. Most of the exploits target the SMB file sharing protocol, which our firewalls block. Additionally, most of Wellpepper’s infrastructure is Linux-based, and is unaffected. However, we do have some Windows systems (fully patched) in our environment that support non-critical functions. Out of an abundance of caution, we are temporarily suspending these systems until the risks are better understood and properly mitigated as needed. 

As a result, the following features will be offline until further notice:

  1. Uploading images or videos attached to secure messages
  2. PDF Export in the iPad Clinic App

We are working hard to deploy workarounds for these issues where possible. All other Wellpepper functions, including sending/receiving secure messages, and image/video upload for tasks are operating as expected.

Currently, there is not comprehensive information on these exploits. We will be monitoring news sources and updating as information is available.

  

We will update this blog entry by April 17th with additional information on any impact. If you have any questions about your Wellpepper deployment, please contact Wellpepper Support.

 

Mike Van Snellenberg, Wellpepper CTO
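
The firewall mitigation described in this bulletin can be verified mechanically. The following is an added example, not Wellpepper's code: it assumes the firewall is expressed as AWS security groups and audits inbound rules in the JSON shape returned by `aws ec2 describe-security-groups`, flagging any rule that lets a non-internal source reach the SMB/NetBIOS ports. The sample groups, their IDs and the definition of "internal" address space are constructed for illustration.

```python
import ipaddress

# Ports SMB is reachable on: direct-hosted SMB (445/tcp) and NetBIOS (137-139).
SMB_PORTS = {"tcp": (139, 445), "udp": (137, 138)}

# Address space treated as internal (assumption): RFC 1918 and IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(cidr):
    """True if the whole CIDR lies inside one of INTERNAL_NETS."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i)
               for i in INTERNAL_NETS)


def smb_ports_opened(perm):
    """Return the (protocol, port) pairs from SMB_PORTS that one rule opens."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic": every protocol and every port
        return [(p, port) for p in sorted(SMB_PORTS) for port in SMB_PORTS[p]]
    if proto not in SMB_PORTS:
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    # A wide range such as 0-1024 exposes SMB just as a 445-445 rule does.
    return [(proto, port) for port in SMB_PORTS[proto] if lo <= port <= hi]


def audit(described):
    """Return sorted (group_id, protocol, port, source_cidr) findings."""
    findings = []
    for group in described.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            ports = smb_ports_opened(perm)
            if not ports:
                continue
            # Rules that reference other security groups (UserIdGroupPairs)
            # are treated as internal and are not reported here.
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_internal(cidr):
                    continue
                for proto, port in ports:
                    findings.append((group["GroupId"], proto, port, cidr))
    return sorted(findings)


# Constructed sample input; group IDs and names are placeholders.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-00000000000000001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-00000000000000002", "GroupName": "windows-workers",
     "IpPermissions": [
         # Broad port range open to the internet: covers 139 and 445.
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         # SMB from an internal subnet only: not a finding.
         {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
          "IpRanges": [{"CidrIp": "10.0.2.0/24"}]}]},
    {"GroupId": "sg-00000000000000003", "GroupName": "legacy",
     "IpPermissions": [
         # All traffic from any IPv6 address.
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for group_id, proto, port, source in audit(SAMPLE_GROUPS):
        print(f"{group_id}: {proto}/{port} reachable from {source}")
```
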

Posted in: Security, Wellpepper Support


Wellpepper attends Episodes of Care Summit at Cambia Grove

Last week, Wellpepper CEO, Anne Weiler and I attended a half-day Episodes of Care Summit put on by Cambia Grove. It was great to see payers, providers and technologists come together to focus on initiatives that directly impact the patient experience. Here are some of our takeaways:

Horizon BCBS of New Jersey is an episodes of care pioneer

Focus on retroactive bundles before proactive. Episodes of care and bundled payments are often used interchangeably. An episode of care typically refers to a payment made retrospectively while a bundled payment typically refers to a payment made prospectively. Horizon BCBS of New Jersey first launched retrospective pilots in 2010 (total hip and total knee replacements). In this model, savings are shared with the physician or practice once quality benchmarks and patient experience thresholds are met and costs come in below budget. After 7 years of scale and success, Horizon is now launching more immediate, risk-based, prospective initiatives in 2017.

Drive success through quality. Horizon piloted with over 200 quality metrics with member-specific, risk-adjusted financial targets. Metrics are key in driving success. Identify 3-5 standard quality metrics and 2-4 episode-specific metrics.

Community involvement is imperative

It’s great to see continued focus on community involvement in innovation and healthcare. The Bree Collaborative is an excellent example of bringing together community and industry leaders to identify and promote strategies that directly impact patient outcomes, quality and affordability. Wellpepper firmly believes in the work that the Bree Collaborative is doing. In fact, our total joint and lumbar fusion care plans follow Bree recommendations.

The Episodes of Care Summit held breakout sessions that mapped out the ideal episode of care/bundle experience through the lens of people, process and technology. Think of people, process and technology as a three-legged table. Remove one leg and the table falls. If the three legs are not the same size, the table does not function properly. Effort needs to be allocated equally across people, processes and technology to drive behavior change. Reimbursement seemed to take precedence in every conversation rather than the patient’s needs or the provider’s care. Until this mindset is fixed, it’s hard to focus on what healthcare is really about. Dr. Hugh Stanley, from the Bree Collaborative, did an excellent job bringing the focus of the conversation back to the patient.

Memorable quotes from breakout sessions:

  • “Patients need to be at the center of episodes of care.”
  • “We need to capture patient satisfaction in real time.”
  • “I’m blown away I can get more info on a dog bed than a provider.”
  • “We need to rebuild the patient deductible and copay mindset.”
  • “The payer community has a responsibility to share information to publicize data that drives provider readiness.”
  • “Creating episodes vs bundles benefits providers and ultimately patients.”

Posted in: Healthcare Policy, Healthcare Technology, Healthcare transformation, patient engagement, Patient Satisfaction, Uncategorized


Using AWS with HIPAA-Protected Data – A Practical Primer

When we started building the Wellpepper platform four years ago, we thought carefully about how to build for privacy and security best practices as well as HIPAA compliance, since we work with customers in the healthcare industry. We chose to build the system entirely on Amazon Web Services (AWS), and learned a few things in the process about building HIPAA compliant applications on AWS. Hopefully this will be helpful to others considering AWS as the home for their healthcare online service, whether you’re a software company hoping to sell to healthcare systems (as a “Business Associate” in HIPAA terminology) or an internal development team at a health system (a “Covered Entity”).

It’s Not Rocket Science

As you probably already know, the Health Insurance Portability and Accountability Act (HIPAA) is made up of several parts. Usually when IT people talk about “HIPAA compliance”, they are talking about the Title II Security Rule which governs privacy and security practices for electronic protected health information (ePHI).

Many of the requirements in the HIPAA Security Rule are simply best practices for security and data privacy that have been written into law. Things like encrypting traffic travelling over a network. Anyone building good, secure software, should be following these principles anyway. You need to be informed of the requirements, and you need to make sure you establish ongoing practices for maintaining security and privacy, but it’s not rocket science. In fact, your health system (or healthcare customers) may actually have more stringent or additional data security requirements to what is required by HIPAA.

Our experience is that HIPAA isn’t a major departure from what we would have built anyway.

Stay Up To Date

HIPAA was established in 1996, with the final Security Rule being published in 2003. In some cases, the guidance has not kept up with current threats and practices in 2017. If you are developing healthcare software, you should be applying industry best practices in combination with the HIPAA requirements. Your ultimate goal needs to be protecting patient data, not just regulatory compliance. Invest in training yourself and your team and staying current. Some resources we found helpful:

Take Responsibility

Compliance usually isn’t at the top of an engineering team’s list of fun things, so it’s tempting to look for solutions that can abstract away the responsibility. There are a few online healthcare platform-as-a-service hosters that make claims in this direction. Be wary of these. No service can remove your responsibility for compliance.

We decided that using AWS infrastructure services was the best level of abstraction. This let us build new services, host data, and install 3rd party applications in our VPC with high confidence that we were living up to our promises to protect patient data.

In addition to thinking about your software solution, compliance also covers your business practices and policies for things like training, background checks, and corporate device security – securing your people. These are often overlooked areas that are really important, since security researchers complain that people are the weakest link in the security chain. As with your software design, the application of commonsense practices and good documentation will go a long way.

There is no single group that certifies systems as HIPAA compliant. However, HHS can audit you at any time, whether you’re a covered entity or a business associate. You should do your own internal assessments against the HIPAA Security Rule both when you are building new capabilities, and on an annual basis. Augment this with external third party reviews. You’ll want to be able to show summarized reports of both your internal process and a stamp of approval from an external auditor.

HHS produces a tool called the SRA tool which you might find useful in performing security rule assessments: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool. We used this for a couple years, but now just use an Excel Spreadsheet to evaluate ourselves. Bonus: this is probably what your auditor will want to see.

This Risk Toolkit from the HIPAA Collaborative of Wisconsin is a good starting point, and looks very similar to the spreadsheet we use: http://hipaacow.org/resources/hipaa-cow-documents/risk-toolkit/ (look at the Risk Assessment Template).

Share the Responsibility

AWS certifies a subset of their services for HIPAA compliance. This includes restrictions on how these services are used, and requires that you enter into a Business Associate Agreement (BAA) with AWS. This agreement establishes the legal relationship needed to handle ePHI, and ensures that you’ll be notified in the unlikely event that there is a data breach.

When you sign a BAA, you enter into a shared responsibility model with AWS to protect ePHI. AWS largely covers physical security for their facilities and networks. You can view their SOC audit results on request. You own the security for your applications and anything else from the OS on up. For example, if you use Elastic Compute Cloud (EC2) instances, it’s your responsibility to keep those instances patched.

AWS occasionally adds new services to their HIPAA-certified services, so you’ll want to check occasionally to see if there are new services you might be able to take advantage of.

Draw a Bright Line Around Your ePHI

At any time, you should be able to quickly say exactly which parts of your system (which servers, which network segments, which databases, which services) have or store ePHI. These systems are inside your bright line defense perimeter and are subject to HIPAA regulations, including breach notifications. That means if you lose data on one of these systems, you need to notify your patients (or if you are a Business Associate, notify the Covered Entity so that they can notify the patients).

EC2, Simple Storage System (S3), and Elastic Load Balancing (ELB), when used in accordance with guidelines, can be HIPAA compliant. Make sure you read the guidelines – there are usually certain restrictions on usage in order to be covered. Many of AWS’ platform-as-a-service offerings are currently not offered under the AWS HIPAA umbrella (for example Kinesis and Lambda). You can still use these services, just not with ePHI.

Many modern system designs make use of 3rd party frameworks and SaaS offerings for things like analytics, monitoring, customer support, etc. When you are holding and conveying ePHI, you will need to be careful about which dependencies you take. For example, in one of our recent product updates we were considering using an external web & mobile analytics platform to better understand our traffic patterns. We walked through our use cases and decided that while none of them required us to send any ePHI to the analytics platform, the risk of accidentally sending some piece of protected data was too high. So we came up with a different plan that allowed us to keep PHI within our safe boundary and under our direct control. Many of your decisions will be grey-area tradeoffs like this.

Secure at Rest and Over the Wire

This is often the first question we see on any healthcare IT security review. How do you protect data at rest and over the wire? Use strong SSL certs with robust SSL termination implementations like ELB. If you terminate your own SSL connections, they need to be well patched due to evolving threats like Heartbleed, POODLE, etc. You may choose to do further application-level encryption in addition to SSL, but SSL should usually be sufficient to satisfy the over-the-wire encryption requirements.

For at-rest storage, there are many options (symmetric/asymmetric) that will depend on what you are trying to do. As a baseline, AWS makes it incredibly easy to encrypt data with AES-256 both in S3 and in the Elastic Block Store (EBS) drives attached to your EC2 instances. There’s almost no reason not to use this, even if you are using additional encryption in other layers of your architecture. AES-256 is usually the “right answer” for IT reviews. Don’t use smaller keys, don’t use outdated algorithms, and especially never try to roll your own encryption.

Good guidance in this area is easy to find:

Logging and Auditing

A key HIPAA requirement is being able to track who accessed and changed patient records and verify the validity of a record. Even if you don’t make this available through a user interface, you need to log these actions and be able to produce a report in the case of an audit or a breach. Keeping these logs in encrypted storage in S3 is a good way to do this. You’ll want to restrict who has access to read/write these audit logs as well.

In addition to automatic audit trails generated by your application-level software systems, remember to carefully keep track of business-process events like granting someone access to a system or revoking access. AWS CloudTrail can help track system changes made to AWS resources like servers, S3 buckets, etc.
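One way to make such an audit trail tamper-evident before it is written to storage is to chain each entry to the previous one with an HMAC. This is an added example, not Wellpepper's code and not a technique the post itself describes; the field names, the demo key and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would fetch this from a secrets
# manager and never store it alongside the log it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the very first entry


def _entry_mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_event(log, key, ts, actor, action, record_id):
    """Append one who/what/when event, chained to the entry before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "record_id": record_id}
    log.append({**body, "mac": _entry_mac(key, prev_mac, body)})
    return log[-1]


def verify_log(log, key):
    """Return the index of the first entry that fails verification, or None."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:  # an entry was removed or reordered
            return i
        expected = _entry_mac(key, prev_mac, body)
        if not hmac.compare_digest(expected, str(entry.get("mac", ""))):
            return i  # this entry, or one it is chained to, was altered
        prev_mac = entry["mac"]
    return None


def access_report(log, record_id):
    """Who touched a given record, in order: the report an audit would ask for."""
    return [(e["ts"], e["actor"], e["action"])
            for e in log if e["record_id"] == record_id]


def build_demo_log():
    """Three constructed events covering reads and an update."""
    log = []
    append_event(log, DEMO_KEY, "2017-03-01T09:00:00Z", "clinician:alice", "read", "patient-001")
    append_event(log, DEMO_KEY, "2017-03-01T09:05:00Z", "clinician:alice", "update", "patient-001")
    append_event(log, DEMO_KEY, "2017-03-01T10:00:00Z", "clinician:bob", "read", "patient-002")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("first bad entry:", verify_log(demo, DEMO_KEY))
    print(access_report(demo, "patient-001"))
```

The chain detects edits, insertions and deletions in the middle of the log, but not entries dropped from the end; recording the latest MAC or entry count in a separate location closes that gap.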

Authentication

All healthcare applications will need a way to identify their users and what permissions those users have. HIPAA is not specific about authentication systems beyond being “reasonable and appropriate” (164.308(a)(5)(ii)(D)), but does require that you have good policies in place for this. Here you should follow well-established security best practices.

For starters, you should try not to build your own authentication system. In purpose-built systems, you may be able to integrate into an existing authentication system using OAuth, or SAML (or maybe something more exotic if you’re plugging into some legacy healthcare application). In patient-facing applications, you may be able to integrate with a patient portal for credentials – this is something that will probably show up on your requirements list at some point anyway. If neither of these applies, you may be able to use another identity provider like AWS’ Identity and Access Management (IAM) system to manage user credentials. We briefly tried using consumer-facing OAuth using Facebook, but quickly found that consumers are (rightly) worried about privacy and chose not to use this method.

If you find that you need to build an authentication system, be sure to follow current best practices on things like how to store passwords securely, as well as other tricky areas like password resets.

Since Wellpepper is often deployed standalone before being integrated into other back-end systems, we offer a built-in username + password authentication system. One silver lining to building this ourselves is the ability to build meaningful password complexity rules, especially for patients. Some of the traditional healthcare systems have truly draconian rules that are not only user un-friendly, but actively user-hostile. Thankfully, the best practices in this area are changing. Even the draft NIST password recommendations, updated in August 2016, trade some of the human-unfriendly parts of passwords (multiple character classes) for more easily memorable, but still secure ones (length). Also, consider the difference between health-system password requirements for clinicians with access to thousands of records and those for patients who only access a single record.
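The two points above, storing passwords securely and preferring length over character-class rules, can be shown together in a short sketch. This is an added example, not Wellpepper's implementation; the length limits, the tiny blocklist, the scrypt parameters and the stored-string format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed policy values: an 8-character minimum with no composition rules,
# in the spirit of the NIST guidance the post mentions. The upper bound only
# caps the work handed to the key-derivation function.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed stand-in for a real list of common or breached passwords.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}

# Assumed scrypt cost parameters; tune them to your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def check_password(candidate, username=""):
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too long")
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        problems.append("commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    return problems


def hash_password(password):
    """Derive a salted scrypt hash and return it as one self-describing string."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    except ValueError:
        return False  # malformed or unsupported stored value
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(check_password("Tr0ub4!"))                       # short, despite mixed classes
    print(check_password("correct horse battery staple"))  # long and memorable
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```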

Once your users are authenticated, they will need to be authorized to access some set of resources. As with authentication, if you can delegate this responsibility to another established system, this is probably the best approach. If you are adding unique resources with unique access control rules, you will need to make sure that your authorization mechanisms are secure and auditable.

Conclusion

Creating a HIPAA-compliant service doesn’t have to be a big scary problem, but you do want to make sure you have your ducks in a row. If you’re reading this blog post (and hopefully others!), you’re off to a good start. Here are some additional resources that we found handy:

Posted in: Data Protection, Health Regulations, Healthcare Policy, Healthcare Technology, Uncategorized


Wellpepper Receives Seattle Business Magazine’s 2017 Leaders in Healthcare Gold Award for Achievement in Digital Health

We are honored to have been named the Gold Award winner for outstanding achievement in digital health from Seattle Business Magazine’s 2017 Leaders in Health Care!

Thank you to our amazing team and partners!

 

Posted in: Healthcare Technology, Healthcare transformation, M-health, patient engagement, Press Release, Seattle, Uncategorized


SEATTLE BUSINESS MAGAZINE HONORS 18 INDIVIDUALS AND ORGANIZATIONS AT THE 2017 LEADERS IN HEALTH CARE AWARDS

SEATTLE (March 2, 2017) – Eighteen of Washington’s most accomplished health care leaders were recognized at Seattle Business magazine’s 2017 Leaders in Health Care Awards gala March 2 at Bell Harbor International Conference Center in Seattle.

“In this time of great turmoil in the health care industry, it’s more important than ever to recognize the institutions and individuals who are doing so much to make Washington state among the best places in the nation to receive health care,” said Leslie Helm, executive editor of Seattle Business magazine.

Judges selected gold and silver award honorees in 11 categories. The awards program was supported by presenting sponsor West Monroe and supporting sponsors Seattle Cancer Care Alliance and MacDonald-Miller.

The award winners are:

OUTSTANDING MEDICAL CENTER EXECUTIVE — SEATTLE
  • GOLD: Norm Hubbard, Executive Vice President, Seattle Cancer Care Alliance, Seattle
  • SILVER: Cynthia J. Hecker, Executive Director, Northwest Hospital & Medical Center, Seattle

OUTSTANDING MEDICAL CENTER EXECUTIVE — OUTSIDE SEATTLE
  • GOLD: Preston Simmons, Chief Operating and Administrative Officer, Western Washington Market, Providence Health & Services, Everett
  • SILVER: Bryce Helgerson, President, Legacy Salmon Creek Medical Center, Vancouver

OUTSTANDING MEDICAL GROUP EXECUTIVE
  • GOLD: Dr. Albert Fisk, Chief Medical Officer, The Everett Clinic, Everett

OUTSTANDING MEDICAL DIRECTOR/CHIEF MEDICAL OFFICER
  • GOLD: Dr. Jeffrey Tomlin, SVP & Chief Medical and Quality Officer, EvergreenHealth, Kirkland

OUTSTANDING MEDICAL DIRECTOR/CHIEF MEDICAL OFFICER
  • GOLD: Dr. Peter McGough, Medical Director, UW Neighborhood Clinics, Seattle

ACHIEVEMENT IN COMMUNITY OUTREACH
  • GOLD: Pacific Medical Centers, Seattle

ACHIEVEMENT IN DIGITAL HEALTH
  • GOLD: Wellpepper, Seattle
  • SILVER: SCI Solutions, Seattle

INNOVATION IN HEALTH CARE DELIVERY
  • GOLD: Navos, Seattle/Burien
  • SILVER: Genoa, Tukwila

ACHIEVEMENT IN MEDICAL TECHNOLOGY
  • GOLD: Seattle Genetics, Bothell

ACHIEVEMENT IN MEDICAL RESEARCH
  • GOLD: Dr. Oliver Press, Acting Director, Clinical Research Division, and Acting SVP, Fred Hutchinson Cancer Research Center, Seattle
  • SILVER: Dr. Jane Buckner, President, Benaroya Research Institute at Virginia Mason, Seattle

MEDICAL GROUP PERFORMANCE (in partnership with Washington Health Alliance)
  • GOLD: Group Health Cooperative, Seattle
  • SILVER: Virginia Mason Medical Center, Seattle

JUDGES’ AWARD
  • Dr. Paul Ramsey, CEO, UW Medicine

—-

Read more about the Leaders in Health Care Awards 2017 at seattlebusinessmag.com.

ABOUT SEATTLE BUSINESS: Seattle Business is an award-winning monthly magazine read by thousands of business executives across the state. It delivers insight into the key people, enterprises and trends that drive business in the Pacific Northwest, providing perspective on the region’s ever-changing economic environment.

Posted in: M-health, patient engagement, Press Release


HIMSS 2017 Recap: What’s Hot and What’s Hype

Wellpepper had a great HIMSS 2017 Conference with a very busy booth in the Innovation Zone, a panel on the current state of innovation, and a talk on Delivering Empathy Through Telehealth. Here are a few of our thoughts on the conference compiled from our team.

Cognitive and AI: Hype

Starting with Ginni Rometty’s keynote, Cognitive and AI were definitely the buzzwords of the conference. Everyone is excited about the promise but it seems like the current status is not ready for takeoff. First, there’s a lot of work to get data out of the EMR, and second, no one seems quite sure what the killer use case is going to be. Immediately before HIMSS, MD Anderson announced that after a $62M investment they weren’t seeing value in IBM Watson and were pulling out of the program. That did not stop them from co-presenting with Mayo Clinic and Watson at the conference. The main use case seemed to be shortening the time to identify cancer patients for clinical trials from 30 minutes to 8 minutes. Another example, which just highlights the sorry state of clinical technology, was to use Watson on top of Epic to help staff figure out how to use features. During the session, Mayo CIO Christopher Ross referred to Watson as a toddler. While all of this was disappointing, it’s heartening that for once healthcare is on trend with the rest of the tech world, and possibly pointing to an accelerated evolution of health IT.

Patient Engagement: Hot

In 2016, patient engagement was also hot, but this year, we’d also say it was real. Buyers visited our booth with checklists of capabilities they wanted to see. Pilots were completed last year, and now they are making platform decisions for patient engagement. We’ve noticed this ourselves: in the past 6 months, we’ve seen the patient engagement purchase decision elevated to the C-suite, and the decision being made based on capabilities that will address the needs of all patients and all service lines.

Interoperability: Hot

Compared to the previous year, we saw a lot more talk about interoperability, whether that was EMRs building out APIs and developer programs, the CommonWell Alliance, or talk about how block-chain could be used to both secure and transfer healthcare data. Understanding that data needs to flow with the patient, and also that a heck of a lot of data is being created outside the EMR (in patient engagement solutions for example), is driving a greater commitment to interoperability in the industry.

Healthcare Investment: Hot

The Sharks said so, so it must be hot. The HIMSS Venture+ Investment forum this year had a much more diverse set of pitches than previously, including a social venture, and was won by DiaCardio, a woman-led company from Israel automating evaluation of heart ultrasound.

The Affordable Care Act: Prognosis Unclear

Make no mistake, the potential repeal of the ACA is looming heavy even in health IT. Health systems are concerned about impact on Medicare and Medicaid revenue. While bundles and value-based care have been quite positively received, the current uncertainty is putting a hold on capital expenditures. (Did we mention that SaaS can be accounted for as operating expense?) Possibly the most entertaining speculation on the ACA came from former house speaker John Boehner and former governor Ed Rendell. Rendell suggested that we repeal Obamacare and replace it with the Affordable Care Act. Boehner mused that repealing without a plan would place all the blame and problems with the current system firmly on the sitting government, and recommended that it not be repealed.

The Takeaway?

We’re still optimistic. IT is increasingly having a seat at the table within healthcare. Although not all EMR implementations have been seen as a success for clinicians, we are seeing a shift to an expectation of better software for both patients and providers, for data to move smoothly, and the promise of insights and better care when that data can be analyzed and acted on. We’re already looking forward to HIMSS 2018 Las Vegas.

Posted in: big data, Clinical Research, Interoperability, patient engagement


HIMSS17 Checklist

HIMSS17 is only a few days away and we at Wellpepper have our checklist complete!

  • Coffee
  • Chocolate
  • Wellpepper swag bags
  • iOS and Android devices
  • List of partners, colleagues and friends to meet with
  • Wellpepper CEO, Anne Weiler’s awesome sessions on the books

Venture+ Forum

Designing Empathetic Care Through Telehealth for Seniors

The “P” is for Participation, Partnering and Empowerment

Importance of Narrative: Open Notes, Patient Stories, Human Connections

Emerging Impacts of Artificial Intelligence on Healthcare IT

  • Twitter account primed to follow the following hashtags:

#Engage4Health

#HITcloud

#WomenInHIT

#EmpowerHIT

#Connected2Health

#Aim2Innovate

#PutData2Work

#HX360

#HITventure

#IHeartHIT

See you there!

Posted in: Healthcare Technology, patient engagement


HIMSS17 Sessions of Interest

We are thrilled to attend a number of sessions at HIMSS17 with topics pertaining to Wellpepper’s Vision and Goals!

Patient Engagement

Sessions that impact our ability to deliver an engaging patient experience that helps people manage their care to improve outcomes and lower cost:

Insight from Data

Sessions that impact our ability to derive insight from data to improve outcomes and lower cost:

Clinical Experience

Sessions that impact our ability to deliver more efficient experience for existing workflows and are non-disruptive for new workflows:

 

Posted in: big data, Healthcare Technology, Interoperability, M-health, patient engagement


Our Picks for HIMSS17

HIMSS17 is right around the corner and we at Wellpepper have a lot to be excited about! By empowering and engaging patients, deriving insight from the data we collect, and delivering new value to clinical users without major disruption to existing clinical workflows, we can continue to improve outcomes and lower costs of care. At HIMSS17, we look forward to connecting with friends, partners, colleagues and industry leaders to continue the journey towards an amazing patient experience.

Sessions that we look forward to:

Our CEO and co-founder, Anne Weiler, will be speaking at 2 sessions:

  • Anne will be a featured speaker at the Venture+ Forum, where former competition winners will be sharing how their business has grown, lessons learned and plans for the future. Since being named a winner of the 2015 Venture+ Forum Pitch competition, Wellpepper has continued to bridge the gap between the patient and care team and we are excited to share our progress and vision.
  • Anne will also be presenting a session titled, Designing Empathetic Care Through Telehealth for Seniors, which will explore the role of design-thinking in designing empathetic applications to deliver remote care for seniors based on studies completed by Boston University and researchers from Harvard Medical School.

Patient engagement expert Jan Oldenburg, who was featured in our August 2016 webinar, will be speaking at 2 sessions:

  • Jan will be presenting a session titled, The “P” is for Participation, Partnering and Empowerment. This session will highlight what it takes to create a truly participatory healthcare system that incorporates patients and caregivers, using digital health technology to reinforce and support participatory frameworks.
  • Jan will also be presenting a session titled, Importance of Narrative: Open Notes, Patient Stories, Human Connections. This session will focus on how Open Notes enhance the patient’s narrative of their journey through their condition and how this both strengthens the patient-physician relationship and empowers patients to take charge of their illness and wellness.

Christopher Ross, Chief Information Officer at Mayo Clinic will be leading a session on Emerging Impacts of Artificial Intelligence on Healthcare IT. This session will discuss how the advancement of Artificial Intelligence (AI) and Machine Learning (ML) are having a profound impact on how insights are generated from healthcare data.

Posted in: big data, M-health, patient engagement
