1

Legal and IT Coordination in a Complex Health System

Presentation to Information Security Compliance Risk Management Institute

Wednesday September 16, 2009

Laird A. Pisto, JDPaul VanAmerongen, CISSP

MultiCare Health System

Integrated Delivery Network: Cradle to Grave & All Points In Between

3

EMR Risk Analysis

Low High

High

Impact

Pro

babi

lity

31

2

Who Regulates MultiCare?

MHS

WISHA

DOJ

FDA

DOT

OSHA

DOL

NRC

OCR

HHS

Federal

State

Other

OPO

J ointComm

Medical Board

Nursing Board

State Survey &Survey Certificates

State Medicaid

SBOH

State Licensure

Labor/J ustice ADA

FBI

FCC

NIOSH

HRSA

FTC

EPA

IRS

SECRegional

Home Health Intermediaries

LocalGovernment

CMSCenter for MedicareMedicaid Services

Congress

Medicare IntegrityProgram Contractors

Federal CircuitCourts

SupremeCourt

DepartmentalAppeals

QIOs

OIG

CarriersIntermediariesRegionalOffices

PRRB

DME RegionalContractors

Adapted from AHA News, May 29, 2000

DEA

DOEPharmacy Board

DOH

HCFA

Recent Legal and Regulatory Change Requirements Federal Rules of Civil Procedure (FCRP) –

Electronic information disclosure

Red Flags – Identification and notification of identity theft

American Recovery and Reinvestment Act of 2009 (ARRA) - Changes to HIPAA

Health Information Technology for Economic and Clinical Health Act (HITECH) - Expands on HIPAA

ONCHIT GOALS – 2008 - 2010

Goal One: Inform Clinical Practice

Goal Two: Interconnect Clinicians

Goal Three: Personalize Care

Goal Four: Improve Population Health

Each of these is fully embedded in HITECH ACT

7

Goals Mirror RisksPatient Safety

Access

Accuracy

Efficiency

Financial Performance

100% Adoption

Do no harm

Know the patient’s story

Effective communication among caregivers

Eliminate steps that do not add value

Reduce length of stay

Innovate to deliver the Ideal Patient Experience

8

Information Security & Change Management

9

Newton’s Third Law of Motion:For every action, there is an equal and

opposite reaction.

Information Security & Sir Isaac Newton:

Newton’s Second Law of Motion:Acceleration is proportional to force.

Newton’s First Law of Motion:Things tend to keep doing what they’re doing.

10

Typical Data Sources For Discovery

11

Clinical Systems Business Systems

ANCILLARY SYSTEMS

MisysLab

EpicRx

PyxisMedicationDistribution

HBSOutpatientRx- Retail

POS

ImageCastRadiology

Pyxis OR Surgical

Supply Station

Epic/ Varian

Oncology

HospiraSmart Pumps

SiemensCardiology

CoPathPathology

EpicHome Health/

Hospice

StrykerSurgery Center

Systems

ProvationGI Lab

DocumentationSystem

GENICU FetalMonitoring

HologicDigital

Mammography

ComputritionNutritionServices

ORSOSSurgery

Scheduling

ANCILLARY SYSTEMS

MeditechLab

MeditechRx

MeditechOR

GECardiology

GELabor &Delivery

MedSelectMedication Distribution

NDCOutpatient Rx-

Retail POS

VSTNutritionServices

SurgiServSurgery Center

Systems

PTcTHome Health/

Hospice

CoPathPathology

FINANCIAL SYSTEMS

REVENUE CYCLE SYSTEMS

LawsonAccounts Payable

LawsonGeneral Ledger

McKessonBudgeting/ Financial Planning

AscentContract

Management

McKessonDecision Support

ePremisClaims

Processing

LawsonPayroll

LawsonHuman

Resources

WorkbrainTime &

Attendance

LawsonRecruitmentManagement

TractManagerContracts

Management

Third MilleniumClaims

Digital Archive

EpicPatientBilling

nCoderCoding

HDXInsuranceEligibility

EpicBed

Management

EpicPatient Access/

Registration

EpicEnterprise

PatientScheduling

EpicPatient

Tracking

EpicClinic PracticeManagement

EpicHIM

AnsosScheduling-

Clinical

VariousScheduling-Non-Clinical

FINANCIAL SYSTEMS

REVENUE CYCLE SYSTEMS

MeditechAccountsPayable

MeditechGeneralLedger

TractManagerContracts

Management

AscentContract

Management

Budget Advisor/ Financial

Budgeting/Financial Planning

Power ManagerDecision Support

ePremisClaims

Processing

E-CabinetClaims

Digital Archive

InfiniumPayroll

InfiniumHR

KronosTime &

Attendance

E-LaborRecruitmentManagement

MeditechPatientBilling

Provider AdvantageInsuranceEligibility

3MCoding

MeditechPatient Access/

Registration

MeditechEnterprise

PatientScheduling

MisysClinical Practice

Management

MeditechBed

Management

MeditechHIM

AnsosScheduling-

Clinical

KronosScheduling-Non-Clinical

Health System Health System SubsidiarySubsidiary

LawsonMaterials

Management

MeditechMaterials

Management

MeditechReporting

HBI/HPMManagement

Reporting

CORE CLINICAL SYSTEMS

MidasCare Manager/

UR

NuanceRadiology Dictation/

Transcription

MedQuistDictation

MedQuistTranscription-

CMT

PhillipsCritical Care-

ClinicalDocumentation

NightingaleConsulting

Nurse Scheduling

QuadraMed- WinPFSNurse

Scheduling

QuadraMed- WinPFSPatient Acuity

EpicOrders/ Results

EpiceMAR

CORE CLINICAL SYSTEMS

MeditechCare Manager/

UR

CrescendoDictation

CrescendoTranscription-

CMT

MeditechE-Signature

MeditechOrders/Results

EpicClinical DataRepository

MeditechClinical DataRepository

HospiraSmart Pumps MISCELLANEOUS SYSTEMS MISCELLANEOUS SYSTEMS

12

Many Become One? Or Not?

SiemensCardiology

QuadraMed- WinPFSPatient Acuity

LawsonPayroll

Business Systems

FINANCIAL SYSTEMS

REVENUE CYCLE SYSTEMS

LawsonAccounts Payable

LawsonGeneral Ledger

Kaufman HallBudgeting/ Financial Planning

Decision Support

ePremisClaims

Processing

LawsonHuman

Resources

WorkbrainTime &

Attendance

Peopleclick(Recruitment)

TractManagerContracts

Management

Third MilleniumClaims

Digital Archive

EpicPatientBilling

3MCoding

HDXInsuranceEligibility

EpicBed

Management

EpicPatient Access/

Registration

EpicEnterprise

PatientScheduling

EpicPatient

Tracking

EpicClinic PracticeManagement

EpicHIM

MISCELLANEOUS SYSTEMS

AnsosScheduling-

Clinical

VariousScheduling-Non-Clinical

FINANCIAL SYSTEMS

REVENUE CYCLE SYSTEMS

TractManagerContracts

Management

AscentContract

Management

Kaufman Hall Budgeting/Financial Planning

ePremisClaims

Processing

KronosTime &

Attendance

Peopleclick(Recruitment)

3MCoding

EpicClinical Practice

Management

EpicBed

Management

MISCELLANEOUS SYSTEMS

AnsosScheduling-

Clinical

KronosScheduling-Non-Clinical

Health System Subsidiary

LawsonGeneral Ledger

LawsonAccounts Payable

LawsonPayroll

LawsonHuman

Resources

EpicEnterprise

PatientScheduling

EpicPatient Access/

Registration

EpicPatientBilling

EpicHIM

LawsonMaterials

Management

Management Reporting

LawsonMaterials

Management

Management Reporting

HDXInsuranceEligibility

Third MilleniumClaims

Digital Archive

ImageCastRadiology

Clinical Systems

CORE CLINICAL SYSTEMS

ANCILLARY SYSTEMS

EpicRx

PyxisMedicationDistribution

HBSOutpatientRx- Retail

POS

Pyxis OR Surgical

Supply Station

Epic/ Varian

Oncology

HospiraSmart Pumps

CoPathPathology

EpicHome Health/

Hospice

StrykerSurgery Center

Systems

ProvationGI Lab

DocumentationSystem

GE QSLabor & Delivery

HologicDigital

Mammography

ComputritionNutritionServices

MidasCare Manager/

UR

Powerscribe

eScriptionTranscription

Epic ED

WinPFS

EpicOrders/ Results

EpiceMAR

CORE CLINICAL SYSTEMS

ANCILLARY SYSTEMS

EpicOR

McKessonCVIS

MedSelectMedication Distribution

NDCOutpatient Rx-

Retail POS

VSTNutritionServices

SurgiServSurgery Center

Systems

MidasCare Manager/

UR

EpicED

CoPathPathology

Health System Subsidiary

EpicRx

EpiceMAR

EpicOrders/ Results

EpicClinical DataRepository

EpicClinical DataRepository

EpicClinical

Documentation

EpicClinical

Documentation

EpicE-Signature

EpicE-Signature

HospiraSmart Pumps

SunquestLab

SunquestLab

RadiantRadiology

EpicHome Health/

Hospice

EpicOR

LawsonPayroll

AscentContract

Management

Powerscribe

Decision Support

eScriptionTranscription

WinPFS

RadiantRadiology

GE QSLabor & Delivery

EmegeonCVIS

Kodak PACSMcKessonPACS

EpicPatient

Tracking

13

And a few more:

Metadata: Friend or Foe?

Provide A Description By

Category

Location Of All Relevant:

Electronically Stored Information

Intentional Design: The Missing Ingredient?

Technologists

GIGO

Replication Or Innovation?

Risk Managers On Design Team?

15

Results of Lack of Intentional Design?

16

Version Control – or Not?

Portability – or Not?

Transparency – or Not?

Access Controls – or Not?

Audit Trails – or Not?

Archiving – or Not?

Print Management – or Not?

17

Is Risk Embedded in Project Oversight?

Go

vernan

ceD

irection

Delivery

18

Living with an EMR:

Training -- never ends

Implementation -- never ends: “Build, Implement, Optimize, Repeat”

Some things are hard!

Users should never worry about hardware, system stability or access to downtime data

CQI at its best: It’s really all about workflow and efficiency and “Process Improvement”

And as we enter budget season:

19

Commiseration Contact #s:Laird A. Pisto Paul VanAmerongen

Associate General Counsel Manager, Information Security

MultiCare Health System MultiCare Health System

PO Box 5299 PO Box 5299

Mail Stop 222J-1-LEG Mail Stop 124-2-IS

Tacoma, WA 98415-0299 Tacoma, WA 98415-0299

253-403-1186 253-459-7482

Laird.Pisto@multicare.org Paul.VanAmerongen@multicare.org