When Compliance Dashboards and Annual Audits are Not Enough

Post by Christine Roecker

Senior Program Manager

Compliance officers can review data, search audit logs, and monitor areas of concern with most IAM products on the market. In fact, in 2015 it was reported that eighty-two percent of organizations undertake enterprise-wide compliance risk assessment and two-thirds of those organizations conduct assessments annually, if not more frequently.[1] However, risk assessment processes can be labor-intensive, complicated, and expensive, while barely breaking the surface of vulnerabilities and risk. Without the right tools in place, it would be a nearly impossible task for a compliance officer to know the intricate details of every position in the hospital and, further, every position’s dependencies on medical software applications.

Caradigm Provisioning Identity Management is more than just a compliance and identity management dashboard. It also offers the checks and balances to manage and protect a hospital’s infrastructure, as well as staff’s and patients’ PHI. Using Caradigm Provisioning Identity Management’s compliance task feature, a review task can be scheduled or run ad hoc to generate a real-time data report. The report can be assigned to managers across the organization to confirm their direct reports’ access permissions within assigned applications. Imagine taking any set of data you wish to have reviewed – orphaned accounts, mismatched access, inactive users – and assigning it. The process is simple, intuitive, and deeply connected to the existing needs of the IT infrastructure given that it is all built into the same tool.

There is still a gap left in this periodic review process: “If access reviews are performed every six to 12 months, as is common in most organizations, what happens in-between the reviews? People change roles or leave the organization. Projects end. Yet those privileges remain longer than is necessary, even if good certifications result in accurate revocations every six months.”[2] With the ability to see user creation, modification and removal, review tasks can be created and assigned to managers to confirm inaccurate or lingering permissions and accounts that are no longer necessary. If a manager forgets to complete their task, reminder emails can be automatically sent. If a manager cannot review all tasks at one time, he or she can simply save their progress and come back to complete it at a more convenient time.  Further, the compliance task administrative view will let IT and compliance staff quickly determine which managers are out of compliance on their review.  Tasks can easily be reassigned and escalated if necessary to ensure all are completed in a timely manner.  In the future, if access needs to be reviewed, a manager can simply search for the review task and pull up the audit, comments, and complete access for a user.

Who has time to set aside months to prepare for auditors and their requested documents? With Caradigm Provisioning Identity Management, a compliance team can grant auditors access to read-only compliance task administrative dashboards and let them review full historic audit logs, user access reports and entitlement records, including the data output that was reviewed, comments, timestamps and acknowledgements for the report in question. This information can be easily shared and accessed, without any additional work by staff – allowing hospital teams to stay focused on their workloads and daily responsibilities.

Pairing the information revealed by Caradigm Provisioning Identity Management with Caradigm Single Sign-On & Context Management audit data, a user can find mismatched access privileges, unauthorized access to patient data, as well as inactive accounts. The power of an integrated identity management and access management solution allows compliance and security officers to have an easy view into potential risk areas within the organization and allows remediation with just a few clicks. Healthcare IT is rapidly changing to support continual risk assessment tasks, such as: monitoring for protocol breaches, maintaining role and application access, and facilitating frequent managerial review across the organization. A hospital’s IT compliance teams should seek and support the integration of tools that provide stronger monitoring and protection across the organization, saving them precious time in the process.

[1] https://www2.deloitte.com/content/dam/Deloitte/us/Documents/regulatory/us-aers-reg-crs-2015-compliance-trends-survey-051515.pdf

[2] http://techspective.net/2016/05/24/closing-loopholes-identity-governance-minimize-risk/

What to Look for in an Identity Governance and Administration Solution for Healthcare

Post by John Lammers

Vice President and General Manager of Identity and Access Management, Caradigm

In my previous post, I discussed the unique challenges that healthcare organizations face in the arena of identity governance and administration. In this follow-up post, we will review what to look for when choosing a solution for your healthcare organization.

First, let’s review what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[i] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

There are many supporting capabilities that are required to go from a set of point technologies to a fully-integrated solution for your organization, for instance: workflow orchestration, data validation, auditing, and reporting. In the healthcare IT environment, reach is quite important as well given that healthcare organizations utilize many disparate systems to provide the best possible patient care. Integrating those systems into a common process while automating as much of the identity management and identity governance activity as possible is essential, both to guard against breaches and to ensure that clinicians have secure and appropriate access to the applications they need from day one.

The following are identity governance challenges presented by the healthcare environment and what you can look for in a solution to address each of these.

Complex Staff and Identity Lifecycles

If you’re a typical hospital, change is your new normal. You have visiting specialty practitioners, students who come and go in waves and roles changing regularly. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[ii] All of this adds up to complex staff and identity life cycles. To mitigate the one-off and not-so-one-off changes, a strong solution is needed to support your organization’s control.

What to look for:

  • Workflow capabilities that help you orchestrate all of the activities within your processes
  • Unification of the human and automated parts of the process, so that you avoid identity management activity happening outside of and invisible to your process
  • Support for large inflow or outflow of staff in a short time
  • Support for staff members with changing roles or multiple roles

Flexible and Scalable Role Requirements

We see it over and over in our work with healthcare organizations. Different specializations, different sites, different systems and processes. It all adds up to a need for strong role management.

What to look for:

  • Ability to handle large numbers of roles
  • Ability to model your organization’s roles and policies
  • Ability to detect outliers and inconsistency in roles
  • Ability to take action to resolve inconsistencies

Diverse and Continuously Evolving Technology Ecosystems

Healthcare IT organizations strive to deliver the highest quality, most capable systems to clinical staff. Taking advantage of innovative and best-of-breed tools leads to a diverse and continually evolving ecosystem of technologies. It’s critical that your identity management and identity governance solution encompass all your systems. One-off approaches to access control, auditing, and provisioning/de-provisioning accounts lead to situations where a clinical user has access to some of the applications they need or, when leaving the organization, has their access removed from some of those applications. This results in lost visibility, and also in the potential for lost productivity and even security breaches. You need a solution that puts all your systems under a single identity governance process, and because that’s always easier said than done, the solution needs to give you a way to cover the basics right away, and then deepen integration (i.e., add automation) as time allows and based on ROI.

What to look for:

  • Ability to integrate with multiple HR systems
  • Ability to integrate with diverse IT support management ticketing systems
  • Flexible integration with a diverse set of EHR (Electronic Health Record) systems, including systems that don’t provide easy remote access, such as systems without APIs, pre-accessibility era web applications, native apps, and even green screen systems
  • Facilities allowing you to handle operations manually and automate on your own timetable, while incorporating manual operations within a single, unified identity management process
  • Tools that put automation in the hands of your staff by making it easier to integrate applications
  • Services available to augment the capabilities of your staff

Scale and Criticality

Scale and high-availability matter to everyone, but every organization is unique in its specific needs. You need options that cover your scenarios today and will flex to accommodate changing needs.

What to look for:

  • Ability of the vendor to articulate their approach to high availability
  • Flexibility in the approach to disaster recovery and to services to guide you as you build your disaster recovery plan
  • Horizontal scaling (more capacity at a single location)
  • Geographical scaling (distributing capacity so that it’s near the users)
  • Throughput scaling (ability to handle bursts of high demand on the system)
  • A history of operating at scale in real production environments

Proactive Risk Mitigation and Breach Defense

No one wants to be in the news as the organization that just experienced a breach. No one wants to sideline valuable employees digging out information in response to an audit. Healthcare organizations must integrate risk mitigation into their day-to-day operations, and your identity governance solution can facilitate that.

What to look for:

  • Risks presented in a way compliance officers and managers can understand
  • Ability to take immediate action on a risk
  • Ability to leverage data to cross-check access that should be happening with access that’s truly occurring
  • Ability to integrate with complementary products, such as Fair Warning
  • Ability to create your own reports to surface risks unique to your organization
  • Audited workflow for all account actions
  • Support for scheduled, system-mediated and audited reviews of user privileges by managers and compliance staff


Over these last two posts, we’ve discussed the special challenges that identity management and identity governance present for healthcare organizations and what you should consider when evaluating solutions. Formulating your strategy for identity management and identity governance requires that you solve a multi-dimensional problem. At Caradigm, we address healthcare identity holistically. The importance of this approach is that we’re able to ensure that each aspect of the solution works with and complements the others. We have two decades of experience in healthcare identity and have assembled the industry’s only single-vendor identity and access management suite that covers the entire scope of identity management, secure access, and identity governance. To learn more about Caradigm’s solution to healthcare identity and access management, visit us at https://www.caradigm.com/en-us/solutions-for-population-health/identity-and-access-management/.

[i] https://www.gartner.com/doc/3615131/magic-quadrant-identity-governance-administration

[ii] http://www.beckershospitalreview.com/hospital-transactions-and-valuation/hospital-m-a-activity-jumps-70-in-5-years-8-findings.html

Evaluating an Identity Governance and Administration Solution for Healthcare

Post by John Lammers

Vice President and General Manager of Identity and Access Management, Caradigm

In this post, we’ll explore the unique challenges that healthcare organizations face in the arena of identity governance and administration and in a follow-up post we will review what to look for when choosing a solution for your healthcare organization.

Before we discuss challenges, let’s lay out what we mean by identity governance and administration. Gartner’s Magic Quadrant Report for Identity Governance and Administration[1] defines this as a set of identity management capabilities including: managing identity life-cycles, managing entitlements, and handling access requirements.

Accomplishing these objectives effectively requires more than just these goal-centric capabilities. There’s a set of supporting capabilities that you need to enable your organization to accomplish identity governance and administration effectively: for instance, workflow orchestration, mechanisms to certify the correctness or appropriateness of the data, and a rich set of auditing, reporting, and analytics capabilities. In the healthcare environment, where change is the norm, it is key to automate and unify as much of this as possible.

Gartner’s Magic Quadrant for Identity Governance and Administration and the Healthcare Providers Context

Many people rely on Gartner for guidance when searching for technology providers and the go-to report is Gartner’s Magic Quadrant, which ranks customers along two axes: ability to execute and completeness of vision. But did you know that the Magic Quadrant for Identity Governance and Administration only evaluates horizontal technology vendors? This means that, if you’re only looking at the Magic Quadrant, you’re missing companies that focus solely on a single vertical, such as healthcare.

Recognizing the unique needs of the healthcare vertical, Gartner has included a “Healthcare Providers Context” section in their Magic Quadrant Report for Identity Governance and Administration, and Caradigm is included as a “notable vendor”—the only one on the list that focuses exclusively on healthcare. This section of the report discusses the regulatory and integration challenges that set healthcare apart and provides guidance on what to look for when evaluating identity governance and administration solutions in a healthcare context. At Caradigm, we believe that our choice to focus solely on healthcare is our strength and one of the key differentiators of Caradigm Identity and Access Management.[2]

What Makes Healthcare Unique?

The nature of a healthcare organization’s workforce, processes, and information systems presents unique challenges. On top of this, healthcare organizations face an evolving regulatory environment, an ever-increasing threat from data breaches, and the cost of compliance and continual risk assessment.

Complex Staff and Identity Lifecycles

Change has become the new norm for healthcare organizations. In recent years, we’ve seen a 70% increase in merger and acquisition (M&A) activity.[3] Even outside of M&A activity, many healthcare organizations have staff members that come and go or change roles over time. For example, it’s common in teaching hospitals to have a large number of staff entering or leaving the organization or changing roles over a short span of time. Similar issues can be observed in the use of specialty practitioners. All of this adds up to complex identity life cycles in the healthcare space.

Flexible and Scalable Role Requirements

Healthcare isn’t an industry where you can cover your organization with a half-dozen roles. Organizations can have hundreds or even thousands of roles representing different specializations and different parts of the business. Just as M&A activity complicates identity lifecycles, it can result in an explosion of roles until the organizations involved reconcile them.

Diverse and Continuously Evolving Technology Ecosystem

Healthcare organizations are notorious for being late adopters of technology. But they’re also known for finding a way to react to emerging needs without disrupting reliable, critical systems. The result is a diverse technical landscape. A survey of accountable care organizations found that nearly 60% used multiple EHRs, and nearly 40% of medical practices have replaced or are considering replacing their existing EHR.[4] The mix of old and new systems means that your identity management solution must integrate with a wide breadth of technologies. Initiatives to standardize on large, increasingly capable EHRs have reduced the number of applications in use, but most organizations continue to utilize many applications due to the value of specialty applications and best-of-breed approaches in areas strategic to the organization.

Proactive Risk Mitigation and Breach Defense

Healthcare continues to be hit hard by data breaches, and while incidents of hacking dominate the news, the most frequent cause of breaches is not hacking but inappropriate access by insiders.[5]

Against this backdrop, it’s critical that your organization have measures in place to guard against this. Rapid and complete de-provisioning of accounts is essential, as is conducting periodic reviews of the privileges assigned to roles or individuals and taking a proactive approach to detecting and remediating anomalies.

Selection of a Technology Partner is Key

A strong identity governance and administration strategy enables you to evolve your organization while maintaining compliance and preventing breaches. Selection of a technology partner is key, and looking to industry analyst reports and rankings can be a great first step. For an industry as unique and complex as healthcare, it’s essential to read the fine print before shortlisting your vendor search. In a follow-up post, I will review some of the key features and functions of the capabilities needed to safeguard your organization and establish a quality identity governance and administration strategy for your teams.

[1] https://www.gartner.com/doc/3615131/magic-quadrant-identity-governance-administration

[2] https://www.caradigm.com/en-us/solutions-for-population-health/identity-and-access-management/

[3] http://www.beckershospitalreview.com/hospital-transactions-and-valuation/hospital-m-a-activity-jumps-70-in-5-years-8-findings.html

[4] https://www.healthcare-informatics.com/news-item/survey-acos-challenged-health-it-integration-few-use-single-ehr

[5] http://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/


MIPS and the Business of Healthcare

Post by Vicki Harter, BA, RRT

Vice President, Care Transformation

At this year’s Healthcare Information and Management Systems Society (HIMSS) conference, representatives from the Centers for Medicare & Medicaid Services (CMS) held multiple sessions where they reinforced the message that the Quality Payment Program and value-based programs are moving forward. Jean Moody-Williams, deputy director of the center for clinical standards and quality at CMS, said “As we build the program, our goal is to achieve a 90 percent participation rate by all clinicians. That includes small practices as well.”[1] Other CMS officials touted tangible results that value-based care has been delivering, such as a “17 percent reduction in hospital acquired conditions across all measures from 2010 to 2013, to savings of $37 million from providers participating in the advanced ACO Pioneer program.”[2]

As about nine out of ten providers are expected to fall under the Merit-Based Incentive Payment System (MIPS) track of the Medicare Access and CHIP Reauthorization Act (MACRA), many providers are asking themselves whether they should fulfill MIPS’ minimum requirements or strive for more. Said another way, should their organization strive to be a MACRA All-Star? Is it worth it to commit the effort and investment required to max out potential bonuses?

There are four main inputs to consider as you create your data-driven strategy for performing under MIPS. The first is the amount of Part B Reimbursements that you are expecting currently, how much you have received in the past, and how much you expect to receive in the future. That is going to drive your bonus potential as a practicing system, which is the second input to consider. Your bonus potential is going to help you understand the amount of resources that you have available to make the necessary changes in your care team. This third factor is critical in driving your organization’s MIPS strategy as you may decide to change the workflows of your nurses and physicians or add a data analyst to help you take care of the populations that are now transforming your practice. And finally, consider the amount of data analytics you have in your practice. In the past, where have you performed? Where do you stand to gain? How much of a gap do you have to close to become a MACRA All-Star?

Providers should think about these key inputs they will need to evaluate for their MIPS strategy. What is my Medicare Part B Revenue today? What impact does MACRA have on it? Do I need to get ahead of payment rates that will remain basically flat? How many resources will be impacted by MACRA reporting requirements this year, next year, in two years? Can I earn a bonus that makes a difference to my business?


[1] http://www.diagnosticimaging.com/articles/cms-seeks-make-macra-manageable-small-practices

[2] http://www.healthcarefinancenews.com/news/despite-some-good-parts-ahip-says-gop-healthcare-bill-concerning-insurers

Have You Adopted Electronic Prescriptions for Controlled Substances?

Post by Jaimin Patel

Vice President IAM Program Management, Caradigm

When regulations for Electronic Prescriptions for Controlled Substances (EPCS) were introduced in 2010, more than 12 million people reported using prescription painkillers non-medically, and the number of painkillers being prescribed could have medicated every American adult for a month straight. [1] In response to the volume of both the abuse and prescribing of controlled substances, the Drug Enforcement Agency (DEA) set several regulatory requirements for healthcare practitioners and organizations that want to prescribe controlled substances by electronic means.

Initially, many providers were concerned about the strict security mandates. To be able to prescribe controlled substances electronically, the DEA requires a secure, auditable chain of trust for the entire process. In addition, the financial and IT resources required to implement the appropriate solutions for EPCS can be challenging for smaller organizations.

With only 1% of e-prescribers being enabled for EPCS as of December 2013, adoption was a concern as prescription abuse remained a prominent societal issue. [2] In 2014, almost 50,000 people died of drug-induced causes in the United States. [3] In 2015, opioids alone killed more than 33,000 people. [4] The unavoidable reality of opioid abuse in society led to additional state laws and regulations following the DEA mandate in 2010, which resulted in broader EPCS adoption. As of September 2016, 20.2% of e-prescribing providers were enabled for EPCS. [5]

Caradigm offers an integrated and comprehensive solution for EPCS workflows that is a seamless extension of our industry-leading Identity and Access Management (IAM) portfolio. Caradigm’s Multi-Factor Authentication (MFA) solution for EPCS offers a variety of integrated authentication options, ranging from biometric fingerprints and hard and soft token authentication to mobile authentication. These options allow your organization to implement the best authentication solution to meet your prescribers’ needs.

The DEA requires identity proofing for prescribers that access EPCS controls within an electronic medical record (EMR). Caradigm Provisioning Identity Management ensures that appropriate checks and balances are applied for an organization before granting a prescriber EPCS rights within an EMR. Further, when the prescriber no longer needs EPCS privileges, Caradigm Provisioning Identity Management can seamlessly update these permissions in the EMR while notifying appropriate members in the organization. This integrated solution ensures that no unauthorized access is granted for prescribers.

Caradigm’s EPCS solution has been deployed at a number of sites where users are benefiting from integrated Single Sign-On for fast and efficient access into their applications and MFA for EPCS workflows.

Overall, it’s hard to argue that EPCS is anything but a positive for the healthcare industry, and any organizations that have not adopted a solution for EPCS should act now. E-prescribing is a tool that increases efficiency, lowers the likelihood of fraud, and reduces the risk of controlled prescription errors. For additional information, please visit our EPCS page.

[1] http://www.cdc.gov/VitalSigns/PainkillerOverdoses/index.html

[2] http://www.ajmc.com/journals/issue/2014/2014-11-vol20-sp/adoption-of-electronic-prescribing-for-controlled-substances-among-providers-and-pharmacies

[3] https://www.cdc.gov/nchs/data/nvsr/nvsr65/nvsr65_04.pdf

[4] https://www.drugabuse.gov/related-topics/trends-statistics/overdose-death-rates

[5] https://www.healthit.gov/opioids/epcs


Embedding Evidence-Based Medicine into Transitions of Care

Post by Vicki Harter, BA, RRT

Vice President, Care Transformation

Population health is a journey over time and provider organizations understand they must begin with the most impactful programs. Providers have to prioritize and focus initial efforts to quickly bend the needle on patient outcomes such as reducing readmissions. When organizations ask me where others are seeing tangible initial success, I often tell the following story.

An outpatient care manager at one of Caradigm’s existing customers shared with me that the value of population health technology became clear for her after getting a real-time alert one day that one of her patients was in the ED. She called the ED and was told that the patient’s blood glucose levels were extremely high, and the ED nurse thought the patient should be admitted. However, the care manager informed the nurse that the patient’s numbers were actually the patient’s baseline, and recommended that the patient did not have to be admitted, which saved an unnecessary admission. The outpatient care manager was able to devise and implement an effective plan of care to address a variety of contributing barriers to care, and the patient outcome was improved.

This story is about taking the right action, in the right time frame, in the right care setting. In other words, how do you embed best practices into workflows to reduce variation in care? How do you help patients move through a confusing and disjointed healthcare system that can be overwhelming to navigate? Transitions of care is an area central to population health that for many organizations is an excellent place to focus your population health efforts. The following are a few best practices to think about as you develop your strategy.

Facilitate access to primary care

Coordinated care is a proven value for high-risk patients; however, it is often a challenge for patients to access primary care soon after being discharged. Some organizations have found it effective to enroll high-risk patients into a Patient Centered Medical Home (PCMH) as a standard practice to get them better connected to primary care, a care coordinator and other community resources. Another approach is to partner closely with primary care clinics and even embed a care manager, a transition-focused mid-level practitioner or social worker into the clinic to specifically serve high-risk transitions patients. Even offering telephonic transitions of care support to coordinate scheduling for patients can help.

Standardize interdisciplinary care

When multiple levels of clinicians partner effectively with defined pathways and shared information, it’s amazing to see the impact. For example, psychiatrists and social workers going to a PCP’s office to speak to patients. Pharmacists calling physicians to say a prescription ordered is far more expensive than other options. Home health that directs patients back to lower acuity centers if needed, and works with patients to prevent unnecessary ED stays. Some provider organizations have had success identifying non-employed physicians interested in adding home visits as an additional revenue opportunity. Population health is truly a team sport and technology can help support transparency and care traffic control, making patients more confident in a team-based delivery model.

Embed practices into workflows

After establishing your care protocols and pathways, care management tools can help ensure they’re followed consistently. Intelligent plans of care can have pathways embedded in the patient care plan, assuring that steps aren’t missed. Role-based tasking can help a team of clinicians take the right steps, in the right sequence, all while working at top-of-license. As mentioned in the story earlier, alerts can let the appropriate care team member know when a patient has a change in status, whether an ED visit, observation stay or inpatient admission. Lastly, as it is common for patients to be managed in multiple EMRs, technology can play a big role in streamlining medication review and in overall information sharing by aggregating data from multiple EMRs. Performing standardized readmissions assessments can help determine root cause, support an automated plan of care to mitigate barriers and perhaps even identify patterns or discharge practices of care that require change.

Improving transitions of care supports long-term success in advancing quality and patient experience of care, as well as managing the cost of care. Organizations should be thinking about strategies for scaling, risk stratification, solving for social determinants and reducing variations in care. Wherever your organization is today, if you focus on meeting patients where they’re at and guiding them through what is a complex healthcare system, you will have succeeded in a foundational strategy for long-term success.

What a Trump Presidency Could Mean for Population Health

Post by Neal Singh

Chief Executive Officer, Caradigm

Based on President-elect Trump’s campaign promises, the healthcare industry could experience significant changes. His commitment to “repeal and replace” the Affordable Care Act (ACA) is at the center of the conversation, and raises a number of questions. Can it actually be repealed? What is the impact for value-based programs currently underway such as the Medicare Shared Savings Program, bundled payments and MACRA? What should healthcare providers do now? This post will address these questions and my opinion on what it means for the future of population health.

1) A complete repeal of the ACA faces challenges

President-elect Trump has indicated[1] that he supports some parts of the ACA such as forcing insurers to cover people with pre-existing health conditions and allowing parents to cover children on their plans into their mid-20s, so it is hard to determine this early the full extent of the changes to come. In addition, Republicans support some aspects of value-based innovations. There are about 283 million insured lives in the US[2] including about 20 million covered under Obamacare.[3] Even if the ACA were to be fully repealed, there are nearly three hundred million lives for whom the fundamentals of economics and quality of care necessitate the move towards value-based care.

2) Value-based healthcare will continue because it has bi-partisan support

MACRA passed with overwhelming bi-partisan support in both the House of Representatives (392-37) and the Senate (92-8).[4] Bundled payments[5] and ACOs[6] also have bi-partisan support. The reason for this is that both sides of the aisle recognize the clear need for healthcare payment reform. Amongst all the contentious legislative arguments that exist today, there is no debate around the fact that healthcare costs are on an unsustainable growth trajectory. There is consensus that the government has to continue making providers more accountable for reducing costs, improving quality and increasing patient engagement and satisfaction.

3) Expect some changes to the mechanics of value-based programs

While the top-level themes in healthcare payment reform are unchanged, I do think we can expect changes in the mechanics of some value-based programs. Republicans, including President-elect Trump’s nominee to head Health and Human Services, Rep. Tom Price (R-Ga), have expressed concerns about the power and budget controlled by The Center for Medicare & Medicaid Innovation (CMMI)[7], so CMMI’s role could be impacted. Specific programs like the MSSP ACO program could be structured differently in the future although that would have to take place after current three-year contracts with the government expire. Republicans could push for new Medicare and Medicaid reform, which would impact beneficiaries and could drive more formation of Medicare Advantage plans or lead to Medicaid ACOs. No one today knows exactly how current programs are going to evolve, but the reality is that programs must evolve to address cost and quality concerns.

4) “No regrets” strategies for healthcare

Although healthcare faces uncertainty, there are certain priorities for organizations that will apply. So-called “no regrets” strategies for healthcare include driving more consistent, efficient and coordinated care, integrating IT systems, accurately forecasting patient risk, lowering your cost structure, and building deeper relationships and loyalty with patients. Everyone needs to operationalize these capabilities now so they can manage large scale Medicare and Medicaid populations effectively in the future. These are capabilities that take years to refine, which is why some healthcare organizations view the building of these best practices as market differentiators that will ensure their long-term success against regional competition.

Population health is already making a difference for patients. Our customers are seeing tangible improvements in patient outcomes and cost reduction through lower utilization while developing deeper relationships with their patients. They’re even benefiting financially through the generation of significant shared savings. This is an incredible time of innovation in healthcare that I believe is going to accelerate even more as healthcare organizations build off their early successes and learnings.


[1] http://www.nytimes.com/2016/11/12/business/insurers-unprepared-for-obamacare-repeal.html?_r=0

[2] http://www.census.gov/content/dam/Census/library/publications/2015/demo/p60-253.pdf

[3] http://talkingpointsmemo.com/dc/nejm-obamacare-progress-report

[4] http://www.entnet.org/content/permanent-repeal-sgr-formula

[5] https://www.premierinc.com/premier-lauds-introduction-of-bipartisan-bundled-payment-legislation/

[6] https://www.brookings.edu/blog/health360/2015/03/23/how-early-accountable-care-efforts-shaped-payment-reform-in-the-aca-and-bipartisan-reform-ever-since/

[7] http://www.jdsupra.com/legalnews/will-republicans-embrace-cmmi-s-11849/

What Are The Key Population Health Management Capabilities?

Post by Michelle Vislosky

Senior Population Health Market Executive, Caradigm

Like a Rubik’s Cube, the functionality and performance metrics for population health management can be difficult to define, align, and deploy. The Institute for Healthcare Improvement Triple Aim for healthcare proposes three linked goals for population health management: 1) Improving the individual experience of care 2) Reducing per capita cost of care and 3) Improving the health of populations. However, with legislation and payment models still evolving, so too are the requirements to perform population health management. It’s challenging to determine which population health management capabilities are key to achieving the Triple Aim.

The health care industry has a number of population health management models, but they are often defined by the current capabilities of providers, payers, and vendors, rather than what is needed. Additionally, the models do not easily translate to the business models required by the various value-based payment arrangements and their combinations. Further complicating matters is the overlapping responsibility for the overall health improvement of individual patients and populations by both the public and private sector, including payers, providers, and community organizations.

The HIMSS Clinical & Business Intelligence (CB&I) Committee creates practical and unbiased tools and resources to help healthcare organizations use clinical and business intelligence to execute population health management initiatives. In 2017, the CB&I Committee’s Population Health Task Force will create a HIMSS population health management model that identifies the various population health domains and their capabilities and maps these to the payment arrangements. The payment arrangements will include the current payment models from CMS, commercial payers, employer-based, and provider-owned health plans. The model would be the fifth dimension to the HIMSS Healthcare Value suite: http://www.himss.org/ValueSuite.

Once finalized, the HIMSS population health management model will contain a set of resources with content relative to each population health management domain available on the HIMSS website. Like a Rubik’s Cube, it will be able to define the population health capabilities required if deploying a specific payment model or combination. These population health management model resources will include domain summaries such as sharing of “best practices” via blogs and white papers, ROI templates and examples, sample RFP language, and Lunch n’ Learn sessions (short 20-minute recorded webinars). The model will help to develop education resources and pathways for career development. It could also be used in the future as a means of highlighting and mapping the vendors at the annual HIMSS meeting that offer those population health management capabilities. HIMSS will also share and collaborate with affiliates and the industry at large to further refine the population health management model as the requirements of the Accountable Care Act evolve.

If you are interested in learning more or participating in the development of the HIMSS population health model, you can sign up at www.himss.org/ClinBusIntelCommunity.

Compliance Isn’t Enough: Improving Governance, Risk Management, Compliance

Post by Jaimin Patel

Vice President IAM Program Management, Caradigm

Change is the new normal in healthcare, and it can come in many forms. Mergers and acquisitions, the formation of accountable care organizations and clinically integrated networks, having new groups of physicians arrive at a teaching hospital, or even the replacement of an EMR are just a few examples. From an IT perspective, the impact is that you constantly have new clinicians needing access as quickly as possible because it impacts patient care. IT and security professionals also understand that access has to be granted and managed in a manner compliant with the HIPAA Security Rule. However, with the increase in motivated and persistent security threats, healthcare as an industry has to move beyond the notion that our goal is only HIPAA compliance.

I recently heard Mac McMillan, CEO of CynergisTek, talk about this at the Caradigm Customer Summit where he stressed that compliance with HIPAA does not equal security. McMillan explained that HIPAA was designed to protect the privacy and security of certain health information. It was not intended to cover all forms of information or to be a complete standard for data protection.

A major part of the problem is that the HIPAA Security Rule, initially conceived in 2001, pre-dates many of today’s technology advancements. It did not envision cloud computing, mobile devices, networked medical devices, wearables, population health applications and many other advancements seen since that time. It also pre-dates many of today’s evolving threats such as cyber-extortion (e.g. ransomware), cyber-espionage, hacktivism, and specific threats such as phishing and zero day attacks. Consequently, if healthcare organizations are focused solely on compliance, then their security is inadequate.

McMillan called on healthcare organizations to think and act differently when it comes to data security and privacy. It’s about greater due diligence, day in and day out, and aligning with your organization’s broader Governance, Risk Management and Compliance strategy. For identity and access management risk, greater security can involve improvements such as the following:

  • Employing a role-based security model to enable more precise granting of access
  • Automating provisioning and deprovisioning so that role changes are made efficiently and accurately
  • Using analytics to proactively search for potential risk such as orphaned accounts or mismatched entitlements
  • Streamlining workflows to evaluate and remediate threats faster across many applications
  • Performing audits more efficiently by empowering managers to review and attest to their direct reports’ entitlements
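The analytics and attestation items in the list above can be illustrated with a short added example. It is not Caradigm's code and not part of the original post; the HR roster, role model, account export and all field names are constructed assumptions. It flags orphaned accounts and entitlements that exceed the owner's role, then groups the mismatches by manager for review.

```python
"""Flag orphaned accounts and mismatched entitlements for manager review.
All data below is constructed sample data; field names are assumptions."""
from collections import defaultdict

# Constructed HR roster: employee id -> role, status, manager
HR = {
    "e100": {"role": "nurse", "active": True, "manager": "m1"},
    "e101": {"role": "pharmacist", "active": True, "manager": "m2"},
    "e102": {"role": "nurse", "active": False, "manager": "m1"},  # terminated
}

# Constructed role model: role -> entitlements allowed per application
ROLE_MODEL = {
    "nurse": {"emr": {"chart_read", "chart_write"}},
    "pharmacist": {"emr": {"chart_read"}, "pharmacy": {"dispense"}},
}

# Constructed application export: (app, account, owner id, entitlements held)
ACCOUNTS = [
    ("emr", "jdoe", "e100", {"chart_read", "chart_write"}),
    ("emr", "asmith", "e101", {"chart_read", "chart_write"}),  # extra write
    ("pharmacy", "asmith", "e101", {"dispense"}),
    ("emr", "bjones", "e102", {"chart_read"}),                 # owner inactive
    ("pharmacy", "svc_old", None, {"dispense"}),               # no owner at all
]

def find_risks(hr, role_model, accounts):
    """Return (orphaned, mismatched) findings.
    orphaned: accounts with no owner or an owner who is not active in HR.
    mismatched: entitlements held beyond what the owner's role allows."""
    orphaned, mismatched = [], []
    for app, account, owner, held in accounts:
        person = hr.get(owner)
        if person is None or not person["active"]:
            orphaned.append((app, account, owner))
            continue
        allowed = role_model.get(person["role"], {}).get(app, set())
        excess = held - allowed
        if excess:
            mismatched.append((app, account, owner, sorted(excess)))
    return orphaned, mismatched

def review_tasks(hr, mismatched):
    """Group mismatched entitlements by the owner's manager for attestation."""
    tasks = defaultdict(list)
    for app, account, owner, excess in mismatched:
        tasks[hr[owner]["manager"]].append((owner, app, account, excess))
    return dict(tasks)

ORPHANED, MISMATCHED = find_risks(HR, ROLE_MODEL, ACCOUNTS)
TASKS = review_tasks(HR, MISMATCHED)
```

Orphaned accounts are returned separately because they have no active owner whose manager could attest to them; in this sketch they are left for IT or compliance staff to disable.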

When I speak to healthcare organizations, I recommend that they consider getting the tools in place now so they can be prepared for when change hits their organization. It’s going to happen eventually. Having the right tools not only makes your organization more secure, it makes your staff far more efficient, and will deliver to your clinicians timely and accurate access. There aren’t many IT projects that can claim this trifecta of wins for your organization. If you’d like to learn more about the value provisioning and identity management tools can bring to your organization, please download this whitepaper here.

How Bundled Payments is Driving Care Transformation and Patient Engagement

Post by David Lee

Product Marketing Manager, Caradigm

Bundled payments was one of the most discussed topics at the recent Caradigm Customer Summit, our annual gathering of industry leaders to share best practices in population health and information security. Matt Stevens, Senior Director with The Advisory Board, highlighted bundled payments in his presentation as a program that CMS believes will push the needle in reducing cost variability while improving outcomes for high volumes of patients. He said more mandatory bundles (e.g. cardiac, expansion of Comprehensive Care for Joint Replacement) could be coming and that the intersection between bundled payments and MACRA is only likely to grow as it could become tied to the Advanced Alternative Payment Model (APM) track in the future. Matt recommended that hospital systems prepare to deliver both a broad clinically integrated network as well as excellence in individual bundles that can be decoupled and offered to patients in ways that offer them greater value.

We also heard a number of provider organizations (St. Luke’s University Health Network, United Surgical Partners International, Genesis HealthCare and Greenville Health System) explain why bundled payments is one of the most important pieces of their overall value-based strategy. The bundled payment program drives operational learning and experimentation so that expertise and care process improvements can be built, which then trickles down to other parts of the organization and to multiple populations of patients (e.g. Medicare, commercial populations). As that expertise grows, workflows improve and patient quality metrics improve (e.g. reduced readmissions, lower utilization). Our customers said this helped them gain confidence to scale their programs and also engage in additional value-based initiatives.

Another key aspect of bundled payments discussed was that it pushes providers to develop a high-touch patient engagement model. We heard from everyone that developing patient relationships is not easy, and that they take time. Not only is it a major change for patients to communicate more frequently with providers, the conversations are also different. For example, providers are now discussing with patients why it could be beneficial in certain situations to recover in their own homes rather than stay in a skilled nursing facility. We also heard one customer say that patients often hang up on them during a follow-up call thinking it’s a solicitation call. In this shifting dynamic, providers are trying to establish the groundwork for deeper patient relationships earlier in the care process so they can set the right expectations ahead of time.

Overall, it was exciting to hear that the bundled payments program is having a meaningful impact on patient outcomes and is helping organizations achieve financial success in value-based initiatives. We heard throughout the Caradigm Customer Summit that population health is where healthcare has to go to improve the health of the highest-risk patients. Bundled payments is a key program that will help healthcare providers advance down the path to population health. If you’d like to learn more about how Caradigm is supporting bundled payment initiatives through its enterprise care coordination software, then please send us a note here.