EMRAM 2.0: HIMSS Analytics Raises the Bar in its Push for Hospitals to Reach Stage 7

Oct. 5, 2016
As IT implementation and optimization become more sophisticated across provider organizations, HIMSS Analytics plans to launch an updated version of its EMR adoption model.

In 2005, HIMSS Analytics, the research arm of the Chicago-based Healthcare Information and Management Systems Society, created the Electronic Medical Record Adoption Model (EMRAM) as a methodology for evaluating the progress and impact of EMR systems for hospitals in HIMSS Analytics Logic.

There are eight stages (0-7) that measure a hospital’s implementation and utilization of information technology applications. The final stage, Stage 7, represents an advanced patient record environment. The validation process to confirm a hospital has reached Stage 7 includes a site visit by an executive from HIMSS Analytics and former or current chief information officers to ensure an unbiased evaluation of the Stage 7 environments. The model was extended to ambulatory facilities in 2012; the idea is the same as for acute care facilities, which is working toward creating a paperless patient record environment.

After EMRAM was introduced in 2005, healthcare organizations made slow EMR adoption gains. However, after the meaningful use program was signed into law in 2009, EMR adoption accelerated significantly. Indeed, the number of acute-care organizations reaching at least Stage 5 on the scale grew from 3 percent in 2009, to 6 percent in 2013, to 37 percent in 2014, to 67 percent in 2015. As such, with so many hospitals reaching these advanced levels of EMR maturity, the need to make more significant changes to the EMRAM model became apparent.

Nonetheless, Stage 7 organizations are still somewhat of a rare breed. According to recent HIMSS Analytics data, during the fourth quarter of 2015, only 4.2 percent of the more than 5,400 U.S. hospitals in the HIMSS Analytics Logic received the Stage 7 Award, and fewer than 8 percent of the more than 34,000 ambulatory clinics in HIMSS Analytics Logic received the Stage 7 Ambulatory Award.

Recently, HIMSS announced that it would make upgrades to its EMRAM model as priorities and goals have certainly changed for providers since the original model debuted 11 years ago. Previously, incremental tweaks have been made, but future upgrades will be much more substantial, says John P. Hoyt, executive vice president, organizational services at HIMSS Analytics. Hoyt recently spoke with Healthcare Informatics about what patient care organizations should be expecting and why widespread changes are now needed. Below are excerpts of that interview.

John P. Hoyt

Give me some insight into “EMRAM 2.0,” and the need to expand beyond the original model.

Well, the original model was made in 2005, this is its 11th year, so it’s time to adjust it to reflect how the market has changed in a decade. Originally, the model never had anything in there about security, and that has now taken on front and center. We have periodically made changes to Stage 7; we did so in 2014, but we never made changes to other stages because it requires a software change. The score a hospital gets is a derivative of how they answer our survey. If I am going to change Stages 0 to 6, I have to change the survey and change the algorithms. We all know about software change, especially when you know internally that it’s a product that will sunset. Why spend the effort when you are going to kill the thing?

We have known for a few years that the existing older version of the HIMSS Analytics database and application code is going to be rewritten. Making changes to Stage 7 is easy—you make an update to the reviewer’s guide and tell everyone. But we are moving some of those changes from Stage 7 into some of the lower stages where they belong.

As far as what we’re changing, we have also added security, and we have additionally made updates to reflect the current market. What we are moving from Stage 7 to lower stages does require software changes. This summer, I will be working on designing the new questions that go into the questionnaire, designing acceptable answers, then scoring algorithms, and testing that in Germany, Singapore, São Paulo, as well as other places.

When will the new model be deployed?

It will be sometime in 2017. It will not be Jan. 1 or Dec. 31, but sometime in between. It will be up to my successor, John Daniels. We still have to build the questions and test them.

What are the security aspects in the 2.0 model?

In Stage 3 of the model, we will be asking about role-based security, which is sort of like meaningful use Stage 2, as in, do you have it? I will come up with attributes so the respondent can check yes or no. Here’s an example: I was recently in a hospital in China, and they were confused about what [role-based security] meant. In China, IT has too much authority. The [hospital I was at] changed the EMR; it was an old structure, so they ripped out nursing and physician documentation, and physician order entry. They were so proud since they did it with only a month of testing. We are talking about a 1,250-bed hospital with a 64-bed neonatal unit with no weight-based dosing. So the physicians are hand calculating the dosing, and they have pharmacists verifying orders, but the patients’ weight isn’t on the screen so there is no way to verify dosing. I asked them, where is your clinical leadership? It’s a different culture—in the Western culture you get input from clinicians and pharmacists, but they have an authoritarian culture.

I spent six hours with a former CIO who now is in charge of healthcare at Symantec (Mountain View, Calif.-based security vendor), plus another four hours with a CIO who’s at a Stage 7 hospital. This CIO built a security model and sent it to me, just based on what he would do to improve [EMRAM]. Remember, at this point we are gathering information, not saying what is acceptable and not.

For Stage 2, we’re talking about physical data center access. So how do you get into the data center physically? What do you do for Cerner-types who say the data center is in Kansas City, for example? Also, there is a description of an intrusion detection program at Stage 3, so we are distinguishing between intrusion detection and prevention, which is at another stage. Stage 4 is about doctors entering their orders, so the question we want answered is how do you treat patients safely when the system is down? We will be asking for some basic business continuity services when the system is down. Do you have access to labs, problem lists, medication lists, and allergies? And those could be printouts, but you just need access.

Stage 5 security is about portable device security and intrusion prevention security. In Stage 6, you have security risk assessments, so periodically reporting to a government authority. This came from banking and insurance—it is best practice that there is an independent security officer who reports to the audit committee of the board. We won’t have that in a 40-bed hospital in South Dakota, but there’s nothing to say that you couldn’t have a periodic security assessment reporting to the government authority. We will expect that at Stage 6. For Stage 7, there will be an overview of your privacy and security program, and those details will be worked out.

With regards to international hospitals’ EMRAM progress, how do they compare to U.S. organizations?

I have spent time with vendors, hospitals, and groups of CIOs in Europe, Asia, Australia, and of course the U.S. and Canada. International organizations are not as capable as the ones here, but there are exceptions. The best CIOs in Europe are fascinating, and they don’t have a lot of money to play with. They suggested, for example, for Stage 4, that we call it “stair-step.” For instance, at Stage 3 you need to have greater than 50 percent of your nursing wards “live,” and at Stage 4 you have doctors at the keyboard, meaning you need to have 90 percent of nursing documentation live. When you talk about keeping track of near misses with error rates and medication administration, things like that, a lot of these countries don’t do that. It’s just not part of their culture.

Not a whole lot of hospitals (approximately 3 in 10) are beyond Stage 5 of your EMRAM model. Why do you think that is?

You have the closed-loop medication administration in Stage 6, and Stage 7 is pushing organizations to prove that this is enterprise-wide, so it’s been a clinical transformation, and you need the data to prove it. A lot of organizations are not quite there, as they are still in some competitive environments. They may have made it well enough to get meaningful use money, but not well enough to hit Stage 6 or Stage 7 [on this model]. There was a reduction in the number of hospitals that hit Stage 7 in 2015, but people are now starting to focus on the latter stages, whereas in the past they were putting it on the back burner. One vendor told me they are getting three or four calls a week from their clients looking to get into these stages.

Do you think enough strides are being made on the ambulatory side?

In the U.S., we are in such acquisition mode that as far as the ambulatory side goes, hospitals are almost holding companies rather than being systems. Some of them have different brand names for ambulatory facilities, so they don’t have their act together. The exceptions are those well-to-do Epic clients who ripped and replaced everything all at once, and a couple Cerner clients as well. We have made some changes to the manual for the ambulatory side, but we have not released it yet. I think we have done a better job of defining what we look for in patient engagement, population health, closed-loop care coordination, and orders management. We have done a better job in describing what we want to see.