Diss2w9
en-English-ProtectingPatientDataI.pdf
FEMALE SPEAKER: I'm the chief information officer at a suburban community hospital. A few weeks ago, we experienced a serious security breach that compromised a patient's privacy. As you can imagine, the fallout from this incident is highly charged. [music playing] I've been meeting with our hospital staff to understand and analyze what happened and why, so that I can make recommendations to our IT subcommittee of the board to prevent this problem from happening again. That's why I asked to meet with our Director of Graduate Medical Information, to gather information and to problem solve. Thanks for meeting with me. I know you're busy.

MALE SPEAKER: You got that right. Everybody knows what happened, Lisa. Do we really need to go through this?

FEMALE SPEAKER: I understand it's upsetting, but it'll help me understand your point of view, OK? No one's blaming anyone here, Roger. I just want to focus on the facts. But first, I want to know how you're doing.

MALE SPEAKER: Are we going to talk about blame? How about blaming the chief of medical staff for not training our interns and residents on privacy law? He's the one who should be taking the fall for this.

FEMALE SPEAKER: Roger, I can see you're upset. But try and calm down. At some level, we're all accountable. Let's focus on what happened.

MALE SPEAKER: Last month, a woman named Winnie Noble was admitted to the hospital when someone broke into her house, stole her purse, and stabbed her. When she was brought into the ER, her primary care physician happened to be on duty here that night, Dr. Moore. You know him?

FEMALE SPEAKER: I do.

MALE SPEAKER: The officer that brought her in said that whoever attacked her might have been cut himself, since there was a trail of blood leading away from the house. So Dr. Moore took X-rays, ran a CT scan, did a full blood workup, including an HIV test. He followed protocol.

FEMALE SPEAKER: Go on.

MALE SPEAKER: Turns out that the patient's daughter is dating a guy named Pete Dexter. He just started working as an intern here at the hospital. He was interested in the results of Dr. Moore's tests, so he used his iPad to connect to her medical records using our wireless network. And he found out that the patient had, in fact, contracted HIV from the attack. So this is what you wanted to hear, right? This is where you want to start pointing fingers, right?

FEMALE SPEAKER: Roger, I just want the facts. What do you know about what happened next?

MALE SPEAKER: Everything happened. Pete went on Twitter and sent a tweet to his girlfriend offering condolences that her mother had contracted HIV. The next thing you know, the diagnosis goes viral. Now everyone knows Ms. Noble is HIV positive. And the patient and the daughter want to know how the hell we could let this happen. We, like it's my fault. I can't believe an intern would do something like this.

FEMALE SPEAKER: Thank you for explaining things through your perspective. Now I want to ask you something that I'm asking everyone on the staff, not just you. I'm asking you because I value your opinion. I want to know what role you're going to take in analyzing what happened in this case and how you can help us work toward a resolution. I told you the situation was highly charged. A security breach of patient information is a serious mistake. And the scene that you just watched contains serious mistakes, as well. Now it's your turn. Imagine you're the Director of Graduate Medical Education and I called you into my office to discuss this incident. What would you have done differently than Roger? What communication tools would you have used in answering my questions?
en-English-InteroperabilityStandardsandSecurity.pdf
[music playing]

NARRATOR: To maximize the benefits of informatics for the health care community, various health information systems must be able to communicate efficiently and securely. Dr. Stuart Speedie, Dr. Ken Majkowski, and Dr. Donald Rucker describe challenges of information exchange and identify standards that are guiding the industry toward greater interoperability. And Stephanie Reel outlines steps organizations can take to safeguard sensitive clinical and administrative information.

STUART M SPEEDIE: A provider of health care, regardless of where they are located, if they have to take care of a patient they should be able to have access to all of the relevant information about that patient or to make the best possible medical decisions for the patients. The patients are taken care of in a variety of different settings. They may go to their primary care physician for most of their basic care. That primary care physician maintains-- in these days, we hope-- an electronic medical record. If they are in an auto accident, they will go to the hospital or the emergency room. And they might well get admitted to the hospital. Then they become part of another electronic medical record system in the hospital. They may need to have outpatient surgery at some point, perhaps by an orthopedic surgeon, in order to repair the damage as a result of that accident. If that takes place in a surgery center, then there's another medical record that's being created for that patient. Now ideally, all of those different electronic medical record systems at the various locations should be able to share the information about the patient. And so from those various sources you build a complete and coherent picture of the patient's medical condition based upon the observations and reporting of all of the professionals involved. So that's the goal that we're trying to do.
The hows of doing it-- that turns out to be a much more interesting and admittedly difficult situation involving focusing on standards, on how we have standards for information exchange, and how we also set agreements to protect privacy, and how we secure that information, and how we make sure that it doesn't go to the wrong parties in that kind of exchange of information. So all of those factors come into play when we think about, if you will, exchanging information between hospitals. We tend to think of an electronic medical record as a single system. In most health care organizations, there are many such systems. And some might support the radiology department and storing and transmitting x-rays. Others might support the pharmacy department in terms of keeping track of medications. There's a whole host of those systems. Those systems have to also communicate with each other in order to do the kinds of information exchange within an institution. There, it's a matter of working with the different vendors and making sure that there are proper standards in place so that the information that is generated by one system is able to be understood by the system that's receiving it and vice versa. And that's really the key when we talk about the notion of interoperability.

KEN MAJKOWSKI: Can one system talk to another system? Can many systems talk to many other systems? Interoperability has a lot of different meanings. And it really needs to be phased in over time. So when we talk about interoperability in e-prescribing, we're able to get, for example, payer data in real time to a physician's application so that decisions can be made about the prescription. We can also talk about interoperability of that same physician's application able to transmit that prescription to literally 47,000, 48,000 pharmacies across the United States, wherever that patient might want that prescription transmitted, and to do all of this electronically. We can take an electronic prescribing interoperability to the next step and say, is that e-prescribing application interoperable with the patient's electronic medical record? So when the physician writes the prescription to be sent electronically, does that same prescription then go into the electronic medical record, so that it's documented that that patient had that drug prescribed? And then even take it a little bit further.
If it's an enterprise system, that system is being used not only in a physician's office but maybe in a hospital system as well. Because that physician is employed by that hospital system. When that patient is admitted to the hospital, are all those records then available to the hospital system when the patient is being treated there as well? So we can continue to take interoperability even further. Now that it exists in that patient's EMR, when that patient is being seen in a different hospital system across town, can it be transferred to a different hospital system? And that's what health information exchanges are attempting to do. And to take it even further, the national health information network which has been proposed is, let's take the patient who is being seen by a physician and has information in their EMR in St. Paul, Minnesota, but is vacationing in Phoenix, Arizona and needs to go to an emergency room in Phoenix, Arizona. How fast can you get that patient's records to that emergency room in Phoenix, Arizona? Now we're really starting to talk about true interoperability. It's not just a single system talking to a single system, but a system being able to talk to all systems.

[music playing]

There are many challenges to interoperability. There are many moving parts. The way to try to overcome some of those obstacles is by using technical standards. And people are saying, are there standards for the delivery of this specific information? In electronic prescribing we're very, very lucky. We have some very good technical standards that have been in use for six or seven years. They have been tested in CMS e-prescribing pilots-- there's five different pilots-- in the late 2000s. And these pilots have looked at the standards and said, yes. These are practical and useful and appropriate standards for e-prescribing. Now if we think about interoperability of all medical records, we have to start talking about technical standards for laboratory, for imagery, for documentation, for a variety of things. And all those are being worked on by various committees and organizations, both government and private, across the country. In e-prescribing there is a standards organization referred to as NCPDP, or the National Council for Prescription Drug Programs, which has created technical standards for the pharmacy industry.
So we use something called the NCPDP script standard to transmit things like medication history and electronic prescriptions between physicians and pharmacies and between payers and physicians.

DONALD W RUCKER: We're talking about extraordinarily complex biological workflows. And in those very complex workflows, can you represent everything uniformly, let's say, in just the United States? And the answer to that, somewhat obviously, but somewhat not obviously, is probably not. Right? There are simply so many differences. That is not a simple thing to automatically say, everything will interoperate. Hospital software is about embedded workflows. Office medical software is about embedded workflows. All enterprise software is about embedded workflows, no matter what you have. And so your degree of interoperability-- your degree of standards-- have to reflect on some level the richness of those embedded workflows. There are some areas that we have clearly been able to very successfully standardize. And so if you look at standards out there now-- for example, HL7, Health Level 7, is probably the workhorse standard for clinical communication. So if you're doing lab ordering and lab result transmission, those would be HL7 standards. And radiology and radiology information systems and PACS systems-- again, the Picture Archiving and Communication Storage-- the DICOM standards, D-I-C-O-M, that have been a combination of the radiology community and the National Electrical Manufacturers Association-- so the manufacturers of this equipment-- have been very successful standards. And then of course all these sit on the wire standards. And those are the ones you know-- internet protocols, HTTP. Those are the basic ones that are out there. Now there are some richer standards being developed-- for example, the Continuity of Care Documentation standards that are part of the HITSP, the Health IT Standards Program that Health and Human Services has funded. Those standards are currently evolving. So that's standards to allow sharing of medical problem lists and medication lists and allergy lists. So they're an evolution. They're of course richer standards. Because as you might imagine, the name of disease might not be exactly the same for everybody. So congestive heart failure might be one person's idea of heart failure.
Somebody else may subcharacterize congestive heart failure into diastolic failure and systolic failure. A cardiologist may subcategorize congestive heart failure into exactly what the valve is, what the etiology is, and what the ejection fraction is. Well it sounds like it's one disease. But they're really very different levels of characterization. So the communications you build up-- these richer standards-- is a challenge.

[music playing]

STUART M SPEEDIE: When we talk about the exchange of information between organizations, there are a number of legal ramifications in addition to the technical ramifications of simply moving information from one system to another. And those legal ramifications are actually governed, first of all, by the HIPAA regulations-- the Health Information Portability and Accessibility Act that was passed about a decade ago. And that has subsequently been updated by the ARRA or the stimulus bill. That has changed some of the components of that regulation. But fundamentally, what that says is that each organization has a legal responsibility to protect the information of that patient and to assure its appropriate use, regardless of where that use might be. As a result, it's not simply a matter of exchanging a data file from one organization to another. The organizations have to have a legal agreement between themselves in order to exchange that information to make sure that the patient is properly protected. So that adds another layer onto the technical issues of information exchange.

STEPHANIE L REEL: One of the responsibilities that information technology professionals have-- and in particular CIOs have-- is to protect the assets of the organization. And those assets may include financial information, administrative information, or in our case, they certainly include patient-related information. And we take the protection of those assets very, very seriously. We know that our patients trust us with the most sensitive information about their life and death experiences, life-altering experiences. They trust us with their health. And they trust us with their health information. Several years ago, Johns Hopkins was cited for a theft of clinical information. A couple of workstations were stolen from our campus. And they included on them clinical information associated with a clinical research protocol.
After many, many, many hours stressing over what could have been and should have been done differently, we developed what we fondly came to refer to as a 12-step plan for how to protect information that resides on workstations, resides on portable media, as well as fixed media-- to ensure that we were doing everything possible to protect our patients and to protect the information assets of the organization. Our 12-step plan can be easily boiled down to three components. We said, first and foremost, we will educate. We will educate the user community as to the risks associated with this huge repository of information that they have the ability to help manage and maintain. The second step was another E. It was the E of environment-- that it was everyone's responsibility to create an environment that was conducive to privacy and security. That meant we would each allow ourselves to be held accountable for the environment within which we work. So that may be physical security. It may be virtual security. It may mean that as we share information with others, we take great pains to ensure that it is shared appropriately. It means that we would create less paper. Because paper has its own set of vulnerabilities. So we encouraged less printing of information. And the third E was a very tactical one. It was encryption. So education, environment, and encryption became the three legs of our stool, if you will, associated with information security. So we embraced a very aggressive program associated with encrypting information. So information that would reside on any portable device would be encrypted. So should it be misplaced, lost, or stolen, there'd be a great deal of difficulty in anyone being able to access it. And in fact, if information is encrypted, you're also protected a bit from possible penalties in litigation that might follow. So it became important to us that we use this three-pronged approach in all aspects of protecting our assets.

[music playing]