Ohio Hospitals' CPOE Costs Extend Beyond Basic System
Implementing computerized prescriber order entry (CPOE) at two Health Alliance hospitals in Cincinnati will mean spending nearly $2 million solely to satisfy an Ohio regulation, said Charles H. F. Youngs III, the health system's CPOE pharmacy consultant and director of the pharmacy practice residency program.
The regulation, part of which dates back to 1996, requires "positive identification" whenever a record must indicate the name of the person who assumes responsibility for a drug-related professional action, such as initiating a medication order in a hospital.
Initially, positive identification entailed a physical means of identification, such as a manual signature on a hard-copy record or the use of a magnetic-card, bar-code, or thumbprint reader. In 1999, the regulation changed to require the use of a private personal identifier, such as a password, whenever a magnetic card or bar code is used to access a mechanical or automated system—similar to the requirements of most automated teller machines.
Built-in security not good enough. Youngs said that the built-in security for Health Alliance's health care information system, LastWord by IDX Systems Corporation, consists of a login and password. That level of security, he learned last summer, does not satisfy Ohio's requirement for positive identification of persons initiating, changing, or stopping medication orders.
For 405-bed University Hospital and 440-bed Christ Hospital to start using the CPOE capabilities of LastWord, Youngs has had to investigate ways of incorporating a method of positive identification, a project that has consumed half of his time since July 2003.
He estimated that the six-hospital health system has spent $60,000–$75,000 just to get two vendors to each take one workstation and show the CPOE team that the firms can do what they say they can do, that is, incorporate a fingerprint-scanner step into the workflow of LastWord.
The need for higher security. Ohio State Board of Pharmacy Executive Director William T. Winsley said positive identification became part of the administrative code around the same time that hospitals started using electronically controlled floor-stock machines. But his concern about security goes back to his early years with the board of pharmacy.
"In 1991, shortly after I came into the office, I signed a letter . . . to a hospital that basically went through how worthless passwords are as a means of security," he said.
While Youngs was unaware of any instances of stolen identity at Health Alliance, he admitted to some bit of sharing by employees. "We do know right now, currently, people do share passwords and user names. So, that is a problem."
Timothy Benedict, assistant executive director of the Ohio State Board of Pharmacy, explained why the agency seems so distrustful and unusual in its regulations.
"Not only are we the licensing and regulatory agency for pharmacists and drugs in the state of Ohio," he said, "but we're also a law enforcement agency. And we spend a significant amount of time with forged documents, with the general public passing bad scripts, with health care professionals forging documents and . . . stealing drugs. And the bottom line is, [with] passwords, nobody could ever take the [witness] stand and say, 'Beyond a reasonable doubt, I know that you had to do that because it was your password.'"
Security by randomness. The Ohio State University Medical Center in Columbus was the first hospital to obtain approval of its positive-identification method for CPOE, Benedict said.
The CPOE system uses what associate pharmacy director Alicia S. Miller calls "the random question," which did not require the purchase of an add-on device for each workstation in the 615-bed facility and physicians' offices and homes.
New physicians select 15 questions from a bank of 75 and enter the answers, Miller said. The questions ask for personal information, she said, such as "Where were you born? How many children? How many sisters? Your favorite color? Favorite food? High school team? et cetera." Then, when the physician wants to order a medication, he or she must correctly answer the 2 questions that the software randomly generates from the set of 15. "Not all the physicians have the same questions," she said.
But that did not mean, at least initially, that the physicians could not answer their 15 questions with the same answer.
"Unfortunately, about two years into live [operation], there was a glitch that we weren't aware of," Miller said. "Actually, the board called us because they heard this rumor on the street. We did not program at the time that each question had to be unique. So the physicians were answering all 15 questions with the same answer."
She said the medical center's programmers modified the software last year so that a physician must provide 15 unique answers. "So even if the answer could be correct for two questions, you cannot answer that second question" with an answer for a previous question, she said. "We now run monthly reports to validate that there aren't any additional creative workarounds."
Miller estimated that the medical center spent about $4000 on external consultants to add the software-based positive-identification method to the CPOE system from Siemens Medical Solutions. A biometrics method, such as a fingerprint scanner, she said, would have cost $50–$100 per device to outfit each of the approximately 700 workstations in the patient care areas. Add to that the cost of the servers to support the biometric devices, and the medical center was "looking at a six-figure cost," she said.
Push for a compromise. "We definitely understand that the board is protecting the patients [by] reducing drug diversion," Miller said. "But we're saying on our side, 'We need to get this technology implemented to improve patient safety.' And this positive identification, is it really creating an additional burden for the physician and providing an additional cost to health care? . . . Can there be a compromise?"
Youngs said he and other representatives of hospitals operating or wanting CPOE have been meeting periodically as part of the Ohio Hospital Association's effort to find a solution to the challenge of positive identification.
The hospital association reported in its May 14 electronic newsletter that the board of directors had received an update on "the roadblocks hospital[s] face in implementing these systems with current Ohio State Board of Pharmacy regulations." With that update, the board pledged to "continue advocating against unnecessary mandates on hospitals working to implement CPOE."
"We are trying to come to some common ground," said Winsley of the state board of pharmacy. "We've had some meetings with not just pharmacy people but pharmacy and information services people combined in the same room where I was also present. In all probability, we're going to have some more of those meetings."
A major step forward. Youngs said a state board of pharmacy inspector met with him on June 28 for about two hours. He demonstrated Health Alliance's proposed use of biometrics as a method of positive identification at the time of order processing, which he said "is the board's gold standard."
"She was pretty impressed with what we had done and is recommending that the board give us 'approvable status' to move forward," he said.
Health Alliance's positive-identification method will work like an electronic shopping cart but with a 20-minute finalize-it-or-lose-it feature. Youngs said a prescriber will first enter orders for a single patient and then, when ready to finalize the process, select "Process Orders" on the screen. The special software added by Health Alliance's vendor, yet to be contracted, will intercept the signal and open a screen informing the user that he or she must now "bioauthenticate," that is, use the fingerprint scanner.
Before the CPOE system goes live, Youngs said, a person from the state board of pharmacy will visit to verify that the fully installed system "works as advertised."
His present tentative plan is to implement CPOE with positive identification on one unit at one hospital in late 2004 or early 2005 and move on from there.
The state board of pharmacy, Youngs said, will allow Health Alliance to roll out CPOE with positive identification unit by unit as long as someone monitors for users bypassing the security feature. Because the CPOE system cannot be turned on for some units and not others, Youngs or his designee must monitor the system for persons who initiate or change medication orders at workstations lacking a biometric device. The monitor will have to contact the prescriber to physically authenticate the orders.