A peeve: The auto-logoff in Health IT

John Halamka wrote a blog post today that addressed some issues of the negativity that are affecting health IT. I wish I could be as positive as Dr. Halamka. Unfortunately, I am just not wired that way. My world view tends to be that of a critic. In this post I will take up a long-held pet peeve concerning an element of technical security used to protect HIT.

Last week John Moehrke wrote a blog about privacy and security in Meaningful Use Stages 1 and 2. His third point concerned inactivity timeouts or auto-logoffs. This seems like a good idea at first glance but inexpert implementation can cause a real barrier for users of HIT. I will provide two examples from my immediate experience. The hospital where I work has what would be classified as a HIMSS Stage 2 or Stage 3 EHR. There is a physician portal that encompasses a number of applications. Separate time outs are built into the portal and some of the applications and they do not communicate with each other. Today, I was reviewing the past medical treatments for a complex patient in ChartMaxx. I was right in the middle of scrolling through one of the medical documents for this patient when a time out window popped up (no prior warning was given). I was required to log into the application again with my username and password. This took me completely out of the patient's chart and the document I was reading even though I was in the act of reading the document and actively scrolling. I had to reenter the patient's medical record number, locate the instance of treatment I was reviewing and then reopen the document. In my opinion this is not efficient care. I know it is a waste of my time. Someone did not consider clinician workflow when the auto-logoff was designed. But that is not the only example of problems I run into frequently with HIT applications at my hospital.


In the hospital, radiographs are electronically accessed via a PACS system. The PACS requires separate credentials (username and password) to access the system from those either to use a computer workstation or the physician portal. PACS also has its own auto-logoff utility. It is set to time out after a few minutes of inactivity. This might be fine for a clinical area where the screens are close to area of high patient and visitor and patient traffic but it can create a lot of problems when surgeons use images in a long operating room case in which they need to review x-ray images. I like to log on to the system, access my patient's images that I will use in surgery and put them up on the screen so that I can refer to them while the OR team runs a patient safety checklist before the start of surgery to help in the process that confirms that we are operating at the correct site. Perhaps you can imagine my consternation when 15 minutes later, I have washed my hands, placed the surgical drapes and am about to start surgery when the program has timed out and all the carefully selected images are gone, and now I am scrubbed. Having a few minute auto-logoff for the OR, probably the most controlled environment in the hospital, does not make sense.


There are some solutions. 1) All users should be trained and re-trained about the importance of logging out when they are no longer using a computer that provides access to protected health information. If compliance were 100 percent then auto logoff would not be necessary. 2) The auto logoff could be designed so that this feature could be configured by users (not administrators of the IT system) to allow adjustment based on clinical requirements and an assessment of the risk of data breach at the workstation's physical location. 3) There are proximity controls based on infrared sensors or smartcard technology that can be used to control or limit access to user terminals.


There is not a perfect solution for every situation. Some approaches certainly are more user-friendly. Blanket application of a single time-out or auto-logoff policy is guaranteed to frustrate clinical users. A flexible approach, based on a risk assessment strategy, makes the most sense to me.

Recommendations for HIMSS 12: my favorite activities

Attendees to HIMSS 12 in Las Vegas, NV in February should do some advanced planning in order to garner the most benefit from the conference. A good place to start is the dynamic HIMSS 12 brochure. For comprehensive information refer to the conference website. This post will cover my personal favorites based on attending the last few national meetings.



This year HIMSS takes place from Monday, February 20 through Friday, February 24. Monday is devoted to preconference Workshops and Symposia (Nursing Informatics Symposium is on Sunday afternoon.) I have found it very worthwhile to attend one of these sessions. Subject areas cover a wide field in health IT so everyone should be able to find one that is apropos. My difficulty has always been narrowing the choices. For example, this year I would love to attend: Physician's IT Symposium, HIE Symposium, Privacy and Security Workshop and Secondary Use of Data Symposium. I wish HIMSS would record (video and audio) these sessions and make them available for a reasonable charge after the conference. The full meeting gets underway on Tuesday.


Each day's activities kickoff with Keynote speakers taking the floor in the largest meeting room. HIMSS often makes a big production of these early morning sessions. Consider bringing earplugs or some cotton to preserve your hearing. This year's speakers will include innovators, government officials (the National Coordinator for Health IT, Dr. Mostashari), and other talented individuals. I think it's worth braving the crowds to attend these informative and entertaining sessions. Following this I usually head for one of the many educational sessions that run throughout the mornings and afternoons. I look for sessions with acclaimed experts in a field. This is a good chance to match a face with one of the names you have seen in print or heard on a webinar. Continuing education credits are available for most professionals and CPHIMS participants. You can claim your credits and print certificates at one of the computer kiosks spread around the convention corridors. Another way to build up CE credits is to stop off and listen to a few of the eSessions. The presentations are often less than 30 minutes. I take advantage of these vignettes to multitask- learn something new while resting my feet after standing and walking a bit too much. Of course, no convention would be complete without a visit to the trade show.


You can spend hours walking the floors of the exhibit floor, learning about the latest and greatest vendor offerings for health IT. You will have to be efficient because the exhibit floor will only be open for two and a half days this year. One area I never miss is the Interoperability Showcase. Each year it gets bigger and better. This is the place to see the potential of HIT actually working in real life use case demos. Most of us just imagine the possibilities. If you are interested in health information exchange, interoperability, privacy and security, IT enabled patient care devices, or the various federal health initiatives, plan to spend at least an hour here. The Interoperability Showcase is usually located somewhat off the beaten path at one extreme end of the exhibit hall but is absolutely worth the time and effort it takes to visit.


Not all activities are carefully organized. I like to spend some time in the HIMSS Bookstore, looking through indices and scanning chapters before I decide to buy a publication. The Bookstore is easy to find as it is always located in a high traffic area. If you are looking for a job or considering career advancement in health IT then visit HIMSS JobMine, University Row, and the Career Services Center for information, contacts, and ideas. Topic-focused knowledge centers are new this year. These should be worthwhile checking out. I am especially interested in dropping in on the Mobile Health knowledge center. I am predicting that this will be one of the busier sites at HIMSS 12. We don't seem to be able to get enough of mHealth at this point.


Last but not least, there are networking and socializing opportunities. I look forward to the Physician Community breakfast and Arizona HIMSS Chapter reception. If you register for HIMSS 12 you can go to the opening reception. This is a great way to launch your week at the convention and meet some new friends. So, make you plans now, leave some flex time for extemporaneous activities, and see you in Las Vegas.

HIT Outlook for 2012: A crystal ball.

Now that we are in the last month of 2011 it is time to look forward to 2012. Here are my choices for what I think will be the hot topics in health information technology for the coming year.


1. Meaningful Use Stage 2 NPRM. I know it seems like Stage 1 started just yesterday but the plans for new requirements in Stage 2 are quite mature. The Federal Advisory committees have made their recommendations to the Secretary of Health and Human Services and the NPRM should be published in the first half of 2012. Mostly this should be a modulation of Stage 1 requirements with some items shifting from menu to core and the performance percentages ratcheting upwards toward 100 percent. There will be some new electronic quality measures to report. The good news for everyone is that implementation of Stage 2 has been delayed from 2013 to 2014. Watch for the number of hospitals and eligible providers qualifying Meaningful Use Stage 1 incentives to increase. In my opinion, the number of those who have met all the requirements of Stage 1 to date is disappointing. There have been 8,001 eligible providers and 302 eligible hospitals that have passed the gauntlet successfully through the end of Sept. 2011. Judge the level of participation for yourself. There will be more reports available on best practices and lessons learned to help those aiming to qualify for Stage 1 in 2012. I think the challenge is greatest for smaller practices and organizations that lack the IT resources to achieve meaningful use.


2. Preparation for ICD 10. Preparations for ICD 10 should ramp up significantly in 2012. Those who wait until later will be way behind the curve and could face drastic financial consequences. The costs and work needed to implement ICD 10 by the health care system in the US are astronomical but cannot be avoided. Many providers will need to significantly modify how they document clinical care if their coding (and by association, their income) is to be accurate. Coders will need to train on what amounts to a totally new code structure. The need for coders to learn and understand additional medical and procedural terminology cannot be minimized. Multiple IT systems will have to be upgraded to accommodate the new codes. Finally, cooperation between all elements of the health care community will need to be expedited in order to pull off the monumental changes that are required.


3. Health Information Exchange Initiatives. The vision of improved health care for the US through HIT cannot be realized without robust health information exchange. Stage 1 Meaningful Use requirements primarily were for tests of HIE capabilities. I expect Stage 2 requirements to be more demanding. Efforts to achieve broader adoption of health information exchange have been hindered by a number of factors including: lack of sufficient HIE infrastructure, reluctance of providers to share information, low adoption rates for EHRs, complex governance issues, and a paucity of models that demonstrate financial sustainability independent of government grants. Earlier this year, I expected that there would be an explosion in the use of the Direct Project specifications. This apparently has not occurred. I think that HIE will make significant progress in 2012 as the State HIE projects move from the drawing board to actual implementations. Developments in provider directories, digital certificate management, consumer consent assurance, workflow optimization, and EHR capability toward interoperable exchange of clinical summary documents through CDA should all be watched because these capabilities will speed HIE adoption. Also, watch for progress on the query health initiative. I think there are a lot of challenges for this project, not the least of which are yet to be developed specifications, lack of infrastructure for large scale HIE, and patient identity management issues, especially given the lack of national unique patient identifiers. On the horizon are mobile computing apps that may circumvent issues related to interoperability, lack of HIE infrastructure, and disparate silos of clinical information through use of cloud computing that can transform relatively unwieldy data to easy to manage webpage applications.


4. Mobile computing. It's not too late to jump on the mobile computing bandwagon but the front of the train representing mobile applications has already left the station. There has been an explosion in the use of mobile devices and applications by clinicians and patients alike. The actual potential of the technology has yet to be imagined. I think mobile apps and cloud computing will revolutionize how we collect and use data in the health care field. The FDA is hovering near the forefront to apply some braking action through its regulatory powers and represents a risk that developers must take into consideration. Security and privacy requirements are especially important but already many solutions are available through proper use of technology, policy, and thorough user training and monitoring.


5. The Learning Health Care System. I thought this was a bit of a silly term when I first heard of it. After all, how can a system learn? It is really people who learn. But this is part of the Federal Health IT Strategic Plan 2011-2015 so I think I'll adopt it. As professionals in the health care field, each of us should commit to and invest in life-long learning. We should benefit from a growing volume of information in 2012 as reports are returned from the projects developed under federal grant programs such as the Beacon Community, State Level HIE grants, SHARP grants, and HIT workforce development efforts. Look for useful feedback drawn from the experiences of the Regional Extension Centers. And this just scratches the surface of information sources. Try to attend one of the meetings of national organizations such as HIMSS, AHIMA, AMDIS, and others this coming year.