Mastering IT matters, Part 3
To keep IT running, focus on post-EMR continuity, compliance and your IT director
By Peter J. Polack, MD, FACS
Getting Your IT House in Order: Part 3
In the second installment of this series, we dealt with how to implement an EMR system — or getting it up and running. In Part 3, we turn to the issue of keeping it running. For Ocala Eye, this task involved more than one staff position. The task also required us to engage outside services to backfill for competencies and experience that our director lacked and to create a redundancy in key management functions.
Here, I discuss the skills required for IT management and the additional priorities beyond the “care and feeding” of an EMR.
To keep our EMR system running vs. getting it running, Ocala Eye needed an IT director. Our goal was to put an IT management system in place so that we didn’t rely too much on the expertise of a director who walked out the door at 5 p.m. Such a system put us at risk because we were not documenting everything that was known about how our systems should be managed. We chose to address this risk by adopting an IT management framework of best practices, which are described in this article.
Understand that IT management goes beyond EMR. An EMR is a single software application. Patient appointment scheduling, HR and time card, billing and revenue cycle management may or may not be part of your EMR. In our case, the primary applications that ran our practice included an administrative IT stack (scheduling, practice management and billing) and the clinical IT stack (electronic medical record). In addition, we had medical devices, an ASC and general business applications (Word, Outlook, and so on), all of which ran our practice to some extent.
Accordingly, IT staffing must embrace not only EMR, but specialized skills for the systematic management of enterprise IT (infrastructure, software, managed services). Your practice depends on your technology infrastructure — regardless of size — as you move into technology-enabled workflows. A single server or a peer-to-peer workgroup is still an enterprise IT footprint.
The first order of business is to establish day-to-day IT operations management, which requires process documentation. Proper documentation, or lack of it, is your biggest risk and your greatest single point of failure.
For all IT management processes, the director is the “process owner” who assigns activities to “process participants.” The manager may possess less technical expertise than the participants. For example, the IT director knows which security processes need to be in place, but a technical process participant implements and oversees their day-to-day execution. (See the online version of this article for a list of activities and responsibilities commonly performed by IT directors.)
The selection of an IT director does not relieve you from IT accountability. As a partner or owner, you ultimately bear all risk and responsibility (for example, HIPAA violations flow upward to the board of directors and individuals with fiduciary responsibility).
Below is a list of activities and responsibilities commonly performed by IT directors.
• Facilitate the IT strategy development process
• Align the IT risk management with company goals, resources
• Break down the strategy to plans, initiatives
• Create a strategic IT budget, ROI
• Manage the strategy execution process
• Manage the IT project portfolio
• Balance the capacity of internal resources
• Stand up and manage a “virtual IT department” should you need one
• Manage the IT technical roles, responsibilities
• Manage the day-to-day processes, operations
• Make everybody accountable
• Establish and manage strategic service provider partnerships
• Manage the IT budget
• Manage weekly communication and key stakeholder reporting
• Information security and regulatory compliance — manage the IT security standards & IT security compliances, raise the skills and awareness of the staff on IT security
• Oversee continuous process improvement
• Conduct process evaluations, recommendations including proactive evaluation of potential solutions
• Workflow analysis
• Increase the personal and team productivity
• Enhance the external and internal collaboration and communication
• Enable other core processes — marketing functions, operation functions, finance and accounting functions, management functions, clinical functions
• Measure and manage the increase in efficiency from IT investments
Continuity, compliance and meaningful use
Post-EMR implementation shifts the core competencies required by your IT director into three make-or-break capabilities:
1. Compliance management. Your IT director must put multiple regulatory mandates and protocols in place. A short list includes HIPAA, Medicare, PCI-DSS and OSHA federal mandates. In addition, your IT director must show processes and documentation that prove you oversee and enforce state privacy and consumer fraud laws. Other potential tasks include producing proof of training and assessing for compliance gaps along with in-progress remediation and periodic reviews.
2. Practice continuity and disaster recovery. In addition to daily backups, continuity also includes managing interruptions. Your IT director must define scenarios for potential interruptions so that your practice does not cease operations entirely as the situation devolves.
Depending on the risk tolerance, the length of time that you can sustain an IT outage or interruption will vary. Also, not all practice functions are equally critical. Some can be offline for hours or days, some for only minutes. Only you and your partners can decide your level of risk tolerance. The IT director recommends the windows of time before you return to normal operations and gives options for meeting these continuity requirements.
3. Meaningful use (MU) attestation. MU centers on your practice becoming a meaningful user of your technology for which you will be reimbursed. The IT director is not your in-house specialist for how your EMR produces the confirmation and data reporting needed for MU. But, your IT director plays a huge role in the risk analysis requirement that is part of the HIPAA security rule.
The hybrid management model
Your practice may need to add specialized talent to help IT run smoothly. In this case, you will need to transition from an “in-house” model into a hybrid model whereby service providers are responsible for some possibly critical functions.
The management decisions your IT director makes regarding a hybrid model requires an understanding of vendor selection and the difference between outsourcing and out-tasking. Outsourcing generally refers to a hand-off to a sole-service provider and usually includes all IT functions, even management functions if you engage a virtual Chief Information Officer (vCIO). Out-tasking is more of an a la carte activity delegation for specific IT functions.
Delays in hiring an IT director may put you at risk during an out-tasking negotiation. For example, without an IT director, a partner may veto critical activities or trivialize complicated IT activities because you have not suffered an incident … yet. Not knowing what you don’t know and a willingness to maintain the status quo because “it’s not that bad yet” is akin to walking around blind without a cane.
Most often, this hybrid management model is adopted as a “managed services agreement” with one vendor (a managed services provider [MSP]) as the primary contractor who may or may not add some contractor services to backfill any lacking bench strength. Because continuity includes more than hardware and network uptime, an MSP may need help with other IT systems like database administration, phones, Internet, pagers and/or chat and e-mail. Conversely, MSPs may have deep general talent but no EMR, practice management, billing or scheduling applications experience. A properly written and robust request-for-proposal process will greatly reduce your risk of engaging the wrong MSP.
Finally, as you look at your IT director’s contributions, assess whether the IT director:
1. Is a manager first and foremost, not a technician
2. Is a facilitator between technical talent and practice managers and partners
3. Is a trend-watcher and futurist
4. Is a systems thinker as well as a critical thinker
5. Manages project portfolios, not just projects
This is a short list useful for evaluating their management capabilities and differentiating between geek talent and management talent. OM
Resources link: http://bit.ly/om-it-manager-article-resources
| GENERAL SECTION | SCORE | |
|---|---|---|
| At what level do you think IT is supporting your practice? | ||
| It provides us with the necessary IT infrastructure to work. (0) | ||
| It provides us with a huge competitive edge in the marketplace. (1) | ||
| What do you think the complexity of IT and the related management activities will be? | ||
| It is going to be more complex. (1) | ||
| It is going to be less complex. (0) | ||
| How much does the IT ecosystem impact my practice? | ||
| The impact of the IT ecosystem to my practice will be higher. (1) | ||
| The impact of the IT ecosystem to my practice will be lower. (0) | ||
| IT TECHNOLOGY SIDE | ||
| Do you know which decisions need to be made to maximize business continuity? | ||
| Yes, I make educated decisions in this area. (1) | ||
| No, I am not aware of which decisions need to be made. (0) | ||
| How do you evaluate the accountability level of the people and companies related to your IT? | ||
| Everybody is very accountable and responsible. (1) | ||
| We have accountability and responsibility challenges. (0) | ||
| Do you think your service providers, your users and your managers are on the top of the game? | ||
| Yes, we are a very tech savvy practice. (1) | ||
| No, I am not sure we have the needed competencies at every level. (0) | ||
| IT MANAGEMENT SIDE | ||
| Do you have the proper IT strategy to drive your practice in the future? | ||
| Yes, we have a solid concept and strategy. (1) | ||
| No, we do not have a proper concept and strategy. (0) | ||
| Do you have proper tools, processes and methods to execute your IT-related plans? | ||
| Yes, we execute the IT projects flawlessly. (1) | ||
| No, we have a hard time executing what we have planned. (0) | ||
| Do you have an organizational chart of your hybrid IT department? | ||
| Yes, we do. (1) | ||
| No, we do not have one. (0) | ||
| Do you have the necessary processes for continuous IT improvement and automation? | ||
| Yes, we do have solid processes for increasing our operational efficiencies.(1) | ||
| No, we do not really have a continuous improvement program. (0) | ||
| RESOURCES / QUALIFIED MANAGER | ||
| Do you have a qualified person who is responsible for all the IT-related management activities (IT strategy, operational plan, budget, reports, policies, alignment, project management, vendor management, etc.)? | ||
| Yes, We Have A CIO/VCIO (Virtual CIO, A CIO As A Service). (1) | ||
| No, the CEO/CFO/CIO or other C-level executive managers have this responsibility. (0) | ||
| IT MANAGEMENT FRAMEWORK | ||
| Do you have a proper IT management framework with processes and tools to manage IT efficiently? | ||
| Yes, we use an IT management framework. (1) | ||
| No, we do not use an IT management framework. (0) | ||
| MEASUREMENT | ||
| Do you use an assessment tool to measure your current competitive state and to set future targets? | ||
| Yes, we are using adequate assessment and measurement tools. (1) | ||
| No, we do not use adequate assessment and measurement tools. (0) | ||
About the Author | |
| Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multi-subspecialty ophthalmology practice in Ocala, Fla. He is also founder of Emedikon, an online practice-resource for physicians and administrators. His e-mail is ppolack@ocalaeye.com. |
![]({"src":"/media/0srhapz0/102016.jpg","focalPoint":null,"crops":[{"alias":"thumbnail","width":1110,"height":700,"coordinates":null}]})