Good morning. Good morning, everyone. Welcome to our session. Shall we get on and start on time? I think it'll be good for all of us, and that way we'll have enough time for Q&A at the end, and for our online folks, too. All right. Hey, good morning, everyone. So today we're going to be talking about employee health medical records in the age of COVID-19. The title of our talk is Opportunities, Pitfalls, and How to Move Forward in a Fast-Changing Environment. We have a panel of speakers today. My name is Samit Batra. I'm formerly with UC Davis Health, and then we have a number of other speakers, Kenji Saito, who many of you already know, Marcia Issacari, Arthur Sanchez, and Rosalind Connick from UCSD as well. So just so you're aware, we are going to be asking poll questions throughout the talk. So if you have the opportunity to log into PollEV.com and then enter the code HEATHERHODGE417, you'll be able to answer the poll questions throughout the talk. And then we obviously have a live audience and a virtual audience. So we're going to save questions until the end, both for live and anyone entering questions virtually. So as far as for myself, I have nothing to disclose. And what we'll be talking about today is employee health and occupational health medical records and the challenges faced especially by health systems during COVID-19. I'm going to be reviewing the landscape of employee health EHR options, both pre-COVID and a little bit now in the post-COVID era. And we'll be turning it over to Kenji to give an overview of relevant regulations and data privacy issues with employee health medical records. And then Marcia and the team from UCSD will be reviewing a case study of a health system migrating from a standalone employee health medical record to an integrated system. And then we're going to review some of the preliminary findings we have of a survey that we put out a few months ago to ACOM members about their employee health medical records and their needs moving forward. And like I mentioned before, we'll have some time for Q&A at the end. So prior to COVID, you know, most health systems would rely on a standalone employee health medical record for a number of reasons. Usually those are centered around data privacy concerns. So keeping employee records separate from patient care records, having occupational health-specific functions, you know, medical surveillance, specific exam requirements, all of the pre-employment post-offer clearance processes that were required, specific OSHA record-keeping rules around how long you had to keep data and what type of data you had to hold on to, reporting to whether local public health, state public health authorities, OSHA. And some systems had to do it by choice because their patient care records were still on paper, but they needed a digital system to track their employee health functions. And some systems would only provide medical surveillance, didn't really provide much clinical care. So it made sense to have a digital database for record-keeping services. And usually they would use a standalone product for this. However, with standalone system, there's a number of challenges, right? So there's a lack of data integration with your patient care EMRs. There's limited clinical functionalities oftentimes compared to patient care EMRs. So things like e-prescribing, patient portals, you know, those sorts of modern tools that we use a lot of weren't really there for most standalone employee health medical records. It can be prohibitively expensive to have a standalone product, especially if you're relying on third-party IT support and customization. And you had lack of visibility when that product was housed within employee health. So the C-suite, IT, human resources, all sorts of stakeholders wouldn't really be able to see that data, use that data for anything. And it always kind of had to come through your employee health department. And then another challenge is obviously if you ever wanted to migrate from one standalone system to another, that can be prohibitively expensive and time-consuming to take that historical data and transfer over. Some health systems that did manage to integrate their employee health medical records within their larger patient care EMR had issues as well. Obviously data privacy being a big one with inappropriate access from employees accessing each other's medical records. Having that kind of on one system was an issue. Having, you know, a lack of specific occ health clinical functions within the system or record-keeping functions, which often would require either workarounds or customizations. And sometimes when you were on the patient care medical record, you didn't really get the support from your hospital or health systems IT department or the vendor really to create those occ health specific functions and requirements. So many health systems would rely on two systems within the employee health department. So using the general patient care medical record to do work comp, DOT exams, and then using a standalone system for more for record-keeping purposes, you know, post-offer testing, vaccinations, et cetera. And some employee health departments have never made the transition to digital and still are on paper today. So when COVID-19 hit in March of 2020, you know, employee and occ health departments at health systems were asked to do a lot in a short amount of time. Farther away. It's okay. So, you know, you were asked to manage employee testing and screening for, you know, thousands of employees, manage contact tracing, isolation, quarantine requirements, communicating with employees, supervisors, your human resource department, other leadership in the hospital, communicating with local public health authorities, state and regulators, clinical partners, administering vaccines and tracking mandate compliance, and obviously adjusting to fast changing regulations. So telling people to isolate for five days or 10 days or 14 days, which would constantly change. And when you're using a digital tool to try to manage that, obviously that requires significant customization. And then this is all on top of all the core services we were providing prior to COVID-19. So obviously that was quite a lift for employee health departments. So at this point, we're going to pause. Hopefully some of you were able to log into the polling software and we're going to just ask the audience if your EHR system met your COVID-19 needs. And please put your selection in and we'll review in just a moment. If you're not able to log in, I did put it into chat as well in the app. So if you want to go to the SwapCard app, you can just click on that link. If you can't get to the slides here, you can also text if it's easier. You can see the text of 22333 and use the Heather Hodge 417 code and that should work. Is everyone able to log in okay or any issues? Is there a way to skip that? Okay, let me check real quick. Yeah, let me try. Sorry, technology is great when it works, right? So I'm seeing that it's saying we have 22, then the number of results are going up. Okay, great. So do we have a way to show it in real time? If you advance the slide, if you advance it one, you should have to get the results right away. I hope it didn't. Okay. Yeah, we'll come back to it then. Sorry, everyone. I'll see if I can get through work by the time we get back to it. All right, so moving on. There were additional challenges, obviously, created by COVID-19 for employee health and Ock Health medical record system. So managing mass employee testing. So if you were going to have to enter testing orders for thousands of employees, batching those orders, reviewing them, and then also responding to those positive results within the framework of your employee health system, medical record system, that was challenging. Managing daily screening surveys and entry requirements, which were constantly changing as well. Communicating results to employees and supervisors in real time. Managing these changing quarantine and isolation periods as they change throughout the pandemic. Using the tool to try to assist with contact tracing. And then administering your mass vaccination programs and reporting to your state registries were all challenges that we faced, and I'm sure many of you faced, with your employee health medical record systems. Larger ones included creating viewable dashboards. So the C-suite would often want to know how many people are testing positive, how many people are out at the moment, how many people are going to be returning. With every wave, these numbers would only get larger and larger, and if you didn't have that visibility to your stakeholders, it was often very difficult to communicate what the situation on the ground was with staffing and so forth. Obviously, if you were doing any patient care and taking care of your employees who fell ill with COVID-19, you had to coordinate with your other clinical partners, be able to view and enter external medical records. You had to work with workers' compensation insurers, public health authorities, regulatory bodies such as Cal-OSHA or OSHA. Then tracking vaccination records, inputting vaccination records for people who got their vaccinations outside of your system, managing medical exemptions and mandate compliance. All these things were very challenging on these standalone systems that did not integrate with broader patient care networks. So oftentimes, employee health providers, myself included, we had to utilize third-party solutions to try to get some of our core tasks done. So whether that was trying to use the patient care EMR to do batch ordering, to review results, to communicate with employees, to upload results to state registries, to use third-party software for surveys such as RedCap, Qualtrics, those sorts of commonly used surveys, using third-party software to create viewable dashboards for leadership and integrating that with your EMR systems such as Tableau, and then using our external solution to manage the input of records. Sometimes as simple as having people email you their records, right? Emailing you their outside vaccine records and inputting that into your system manually. Those things are very time consuming and the process of creating those workarounds is very challenging throughout the pandemic. So I think whether you were on an integrated system, a standalone system, or you had two systems as some people do, nothing was perfect. And with COVID-19, what I think everyone I've worked with and talked to who had similar challenges, we all realized that integration is key to be able to handle the next pandemic and to be able to really manage these sort of events better in the future. So there's going to be a greater need for integration, data sharing, and communication. However, we always have to keep in mind the regulatory and privacy concerns and the reasons we were separate in the first place. And so some of my colleagues will be talking a little bit about the regulatory and privacy concerns. We'll talk through a case study of how one health system went through an integration where they merged their employee health record into their greater patient care EMR. And then we'd like to review some of the preliminary findings from our survey of ACOM members about what their challenges are and what they'd like to see in their health record systems moving forward. So with that, I will hand it over to Kenji to talk about employee privacy regulations. Thanks, Yamit. So I don't know why the polling results didn't come up, but I can share with you what I see on my slides. So about 30% of you agree that your EHR system met your COVID-19 needs. About 43% disagree. So pretty close. It's kind of a surprise. And the rest of you were neutral at 27%. So that was the results of that. So let's discuss why that is at the end. But I'm going to go back and talk about some of the digital privacy regulations and just get a framework. Full disclosure, I am a lawyer, but I'm not here as a lawyer today. So don't get me in trouble. A lot of disclosures I need to disclose here. And you can probably just read that through the disclaimers. So let's talk about privacy. So let's see if this works now. What kind of words come to mind when you see or hear the word privacy? If you type this into the URL you read earlier, the poll EV, it should pop up immediately. And if it doesn't, then, oh, good, it works. Bureaucracy. I assume that's what it meant. It's okay. Spelling doesn't count today. Fear. Complication. That's usually the words we hear, right? Especially around privacy. They think it's very complicated. Anybody outside the U.S. in here? International folks? Wonderful. Where at? Australia. Where at over here? Guatemala. Wow. Wonderful. Latin America. Welcome. So it's interesting, right? Because if you look at other countries, is it as complicated as the U.S.? Probably not. Why? Because they pretty much regulate it and they tell us exactly what they mean. In the U.S., how do we know what privacy means? Who dictates it in the U.S.? Nobody knows, right? This is why we talk about bureaucracy. We're talking about complications. And there's a lot of ethical questions that people don't like answers to. Even when we write letters to OSHA, right, they give you letters of interpretation. Those interpretation letters are for who? Specifically for that employer. It's not for everybody to use. And they say it at disclaimer. If you read the bottom, it's only for that employer and in specific this instance only. And you talk about the EEOC, another regulatory body that looks at privacy issues, right? They help with ADA, AD triple A. We'll talk about those too if you don't know what they are. It's about the American Disabilities Act. So when HR personnel files mixed with occupational files become an issue because privacy and confidentiality in those cases are very different. So when you think about privacy, there's a reason why everybody here thinks it's a little confusing, because it's true. You know, there's all this bureaucracy. There's a lot of people who wrote it are not physicians. So they don't understand the clinical implications when they write different policies. And we'll talk about that too. So I will share this with you if you want to. I'll be happy to print this out at the end so you can see what kind of words people are using and get an idea of what the brainstorming session. We'll talk about this at the end as well, because I want to come back to an idea of what this means for us, because I think this is going to be very important. And there's going to be a slide deck to help you give you the URLs for the different privacy issues, because I can't go through all this. This is like a semester of law school. But I'll try to summarize as much as I can. But there'll be links on here so you can go to each of the sites to understand what these regulations that actually pertain to privacy is going to be. And I'll talk about HIPAA, ADA, HFOA, and what GINA and EEOC are, and the 21st Century Cures Act. Has anybody heard of that before? Good. At least part of us do. Maybe 25% of us. And I think that's really important. So let's talk about HIPAA first. I think HIPAA, we all know what it means. We kind of understand, we think we think how to apply it. But in reality, it's really complicated. It's really a risk-based approach, because if you're a covered entity or not a covered entity, what is personal health information? What are some of the identifiers? I mean, there's 18 different categories for PHI, right? Did everybody know that? People just think, oh, that one thing is, that's it. There's 18 different criteria. So there's a whole semester in law school dedicated to HIPAA. So I'm not going to be able to go through, and there's specialization of this, too. There's privacy lawyers out there that talk about these cases. So just in general, I just want to make sure people are aware, this regulation is out there, and it regulates the information and the use of that information. How do you kind of transmit that as well? ADA, I think, is very important for us to know. Because, you know, actually, how many people do accommodation requests, return to work, clinical evaluation? So you definitely need to know ADA and ADAAA, right? ADA basically tells you that you can't discriminate against a disability. And back in 1990, to get something qualified as a disability was very challenging. Because people are like, what do you mean? You know, in medical, it's different. You know, if it's an impairment, that's different. So people didn't know, and nothing became a disability. So the law, even though it was there, the regulation, in reality, in practice, nobody knew what that meant. So nobody actually qualified under the ADA. And that's why we had the ADAAA, which is the ADA Amendments Act that kicked in later on and said, okay, well, now we're going to swing the pendulum 100% the other way. Almost everything qualifies as a disability, so don't try to use that as an escape route and not have the ADA apply. The complication you have here now is, who's going to regulate this? And that's why you have the EEOC coming in and talking about, well, we're going to regulate this, because we're going to tell you HR professionals, if you're going to have personnel files talking about this employee performance measurements, you can't mix that with medical records. What's considered medical? How many people do pre-placement exams? Are they usually pre-offer or post-offer? Do you know why? That. Because the EEOC told us, the one few time they actually tell you, you can't do this. And if you can actually go to the EEOC website, you can sign up for their newsletter. They actually publish what they kind of say, this is what regulation is going to be, this is what we expect you to do, and this is what best practices are. There's a lot going on in the well-being space right now, too, on some of the regulations. They're looking at interpreting what that means, because there's a lot of interface between that and HR versus what we do in medical. So I think it's a really good idea if you go to that website and understand what these terminology mean and who's going to regulate you. So are you familiar with information blocking? Has everybody heard that terminology? Great. How many of us do, actually? Let's see. No. Most of us don't. Some of us nodded our heads. I'm not surprised, right? And there's a reason why, because April of last year, 2021, this law actually came into fruition. So as of April of last year, I think it was April 21, this regulation is saying you can't block information being transmitted from a healthcare entity to their patients or people. They didn't even say patients. So that's why it applies to OEM, because we take care of patients, right? We take care of claimants. We take care of employees. And this is more ethics, but I think there's a distinction between the three. If you're interested, we could probably do a talk on that next year to differentiate, because there's a big distinction between those three and how you care for it and which law to kick in. So it's really important. So let's talk about this. This is my suspicion. In law school, they always teach you never to ask a question if you know the answer to it beforehand. I kind of took a risk and assumed that you didn't know, so it's a good thing, because now let's talk about this. So the 21st Century Cures Act basically said you can't hinder the process of transmitting information that pertains to that patient or that person to get them, and they had to provide it in electronic format. So it's quite interesting. So you can Google it, and you'll find it, and there's a link to it. But April 5th of 2021 is when they say healthcare providers, right? That's all healthcare providers. They're not saying entities at all. So even if you don't work for a hospital, this still applies to you, because some people are like, well, I don't work for a clinic. I work for a company, ABC, and I make widgets. I'm not a healthcare provider, but you are if you have a medical license or if you're a healthcare provider, meaning you're an advanced practice provider. So it applies. It applies to health IT particularly and different people known as actors, and this is very similar to the idea if you're an actor, that's all that matters. The ONC can regulate you. So that's pretty much very important. So what do you think is a primary exchange method you offer to share your patient data or claimant's data or employee data? Are you doing it on paper still, say, after records or something? Are you giving it a CD? That's probably more pertaining to radiology. Email? Do you have online portals? How many people are, what was that? With the person asking for the data. So employee, claimant, patient, hospitals, patients, employee clinics, probably surveillance exams. Some people might ask for their occupational health data, especially if you're in states that, say, employers can't dictate care, meaning, for example, in Maine, the first 10 days the employer can actually direct care after that. They can go anywhere they want. So they ask for records, I'm going to my primary care, they can't stop me because my state allows me to do that. So different states have different regulations, so you need to understand that. So the question is how do you transmit that data to that person who asked you for that information? So paper and email seems to be the common, right? And we'll talk about email because this is quite an interesting case about HIPAA and email. Do you think it's okay to email patients, employees? Employees are okay? So HIPAA applies to emails in a unique way. When HIPAA was written, they didn't know about electronic transmission, right? I mean, the internet was sort of coming into fruition, and it hasn't been updated since then, but people interpret it to mean, yes, email is a form of transmission of communication. Do you think you could send...actually, I had a good question about Gmail, Outlook. Can you send those to patients? So you can't, but, and I'm going to give you a lawyer answer, yes. It depends why, because if you actually have a business associate agreement with Google or a business associate agreement with Microsoft, and they have encrypted email, so if you're in private practice, I know this is a cost savings for a lot of folks using Gmail, like, well, there actually is a form now. You can make an agreement with Google directly or with Microsoft, and they'll encrypt your email for you and make it HIPAA compliant, but you have to sign that BAA with them. Of course, they're going to charge you for it, though. But for private practice folks, it's actually relatively inexpensive. So let's find out what this means. So 66% of the survey that was done last year, end of last year, see that 66% of us still use paper to transmit information to the patient or to the employee, and 32% rely on CDs. So it's quite interesting. If you do provide copies of records to patients, do you charge them or to people? So it's free, very charitable. Does it cost much to do it? Yeah, because it takes time, right? And if you have to redact, because some people don't redact and you forget. And this is why, especially if you work for a large employer, a good idea for privacy purposes is actually go through risk management, or they actually have people now hire because of the 21st Century Cures Act, they're expecting people to redact information if it's not pertinent to what's being released. And if you don't have one, find someone to dedicate to do that, because you can get in trouble if you're sending information up that wasn't supposed to be released, and especially if they're asking for records going to different entities, it becomes a little more challenging too. So most people either do it for free or they don't know. Interesting. So let's see what the survey says. So 15% charge about $25 or more for patient records, and the reason is it takes administrative time, right? It takes some time for some time for people to go and redact things. So it is fair, and it's allowed. So, and I don't know if any of these practice managers are here, but anybody who's in charge of finance, it's always good to not do things for free. If you can bill for it, you bill for it. So it's more sustainable that way for the practice overall. But they're saying, yes, you can charge about $25, and the ONC was okay with that. And It's interesting that people are aware of the rules going in last year, but they weren't really sure how to implement it. We saw that because in our survey we split between email and paper. We don't know what it means, and people are doing it for free. OSHA had a comment on there, too. They haven't really said too much about this, but they're just saying if it's surveillance data, employees need to be provided that. You need to have a designated representative to do that. People might come and say, what was my spirometry three years ago? What was my hearing audiogram ten years ago? It's challenging, right? You know we're supposed to keep our records to termination plus 30 years for OSHA, so they're going to ask for those records potentially. Now with this new ONC rule kicked in as of April last year, you better have it. If it's archived, you better get it out quickly and provide it in an electronic format. If you don't, there's several penalties. There's a lot of privacy going on right now in different states. I just want to give you a quick sort of tracking system. California is always a hot spot. I feel like California is its own state of mind. It's not really a state. You do what they want there, and their privacy rules are going to be very unique, so pay attention to it. Some of these propositions out in the legislature right now, they're being voted on. Virginia has some interesting Consumer Data Protection Act coming into play as well, and there's a website that we can give a link to. I'll put it in a chat when I get back to my computer. You can see different privacy rules being introduced in the state legislatures. You don't tend to forget, because you think about HIPAA, you think about EEOC, you think about GINA, which is genetic information protection, but you don't think about the states. The states actually can go above and beyond what the federal government requires. The feds give you a minimum, this is what the privacy confidentiality rules are, and the states can go above and beyond. All these legislations you see on this site is actually above and beyond what HIPAA, what GINA, what other privacy rules might apply. Keep that in mind. Overall to me, this is why I love risk management, is you need to understand if there's a hazard out there, and if there's an exposure risk there, that's how you kind of mitigate those risks, and you need to work with those folks. There's a lot of information that can't be exchanged, or if it does need to be exchanged in the right way, but now we know you can't block those information to get out to the person asking for the information. We actually had some licensing questions, because doctors get complaints now from patients or just citizens of that state to the licensing board, and the licensing board now are taking a stand saying, hey doctor, why didn't you give your patient this record? Your excuse can't be why I told the admin or told my MA to do it, because it's on your license, and when the patient's asked you for your records, you better be ready to provide it, and you can't block that information going to that patient. Be aware, states are looking into this, so there's always a risk for that. I'm going to pass it over to Dr. Iskari to go more into details about what UCSD has done to integrate this. Well, good morning, everybody. Coming up right after Kenji, that was my idea, so I thought a couple of things maybe nobody knows about Kenji. Well, Kenji and I, we go back quite some time. We got trained together, and also Kenji is a sushi master chef, and he's a second generation at least, right, Kenji? So if someone wants to stand up, do a little stretch, and see if all the laws get settled in their head, feel free to do so. So what I'm going to talk, I'm going to go over how was our journey. Not only COVID hit San Diego fast, but also the response from our leadership was that they really asked us to do the integration, otherwise we could not be as aggressive on managing the COVID. So not conflict of interest, I just want to make everybody aware of the roles that I play. Oh, this is shaky. Not me. So not only I work with UCSD, but I also work with the UC office of the president, and that's with the other, like UC Davis, UCSF, UCLA, and UC Irvine, Berkeley, and we also have the legal council for that in addition to us, and quite engaged with the ACLM. I'm part of the national steering committee for EPIC, and I don't get paid. All right. Okay. So quick learning objectives. So one is to identify unique challenges surrounding EHR integration. Again, this is a unique experience for UC San Diego employee health and occupational medicine. Two, to identify potential EHR solutions to mitigate risk. I think Kenji fill us up in a lot of what we should be watching for. And identify stakeholders and experts needed to engage. You know, for you to integrate, you need a big village for that. Just a quick update. Oops, I keep forgetting on this thing. Oh, okay. About UC San Diego health. So we're in San Diego, close to the beach, but we are, we have a campus that with about 20,000 kids on campus employee with high research, biotech research, and inside a biotech hub, the third in the country. With that, we have about 20,000 healthcare workers and 1,300 physicians. We have two sites. One we call the La Jolla that's next to campus, and then another one south, plus 50 clinics spread out through San Diego County. Okay. Just a quick update here. So to see how is the life of our day at UCSD. So we have all this population. In addition to that, we also have a commercial line that's about a third of our volume. And we have five locations. So three full sites, and we have a two sites just for surveillance only. All right. So this was the ask. We wanted to pretty much retire all legacy systems. So one, our employee health database, we had a lot of homegrown database. So we have the off shelf EHR, plus we have a vaccine database. We have the EPINET. I think the health system is familiar with that. Plus we have partial use of the health system EHR that was already within the other departments integrated. Plus we had a 30, 40 year old, very, very old compliance data that we have the data for all the immunization, all the TB on that. And they also for mass exposure. How we communicated, a lot of the things Kansas does not do and do. So we did not have the capability to do inside the large EHR port, and our off shelf did not have much capacity. So it's pretty much was I share phone calls, emails, and then for telemedicine for that very short period of time, we actually did on Zoom and DocuSign to get all the consents because we just plainly did not stop despite how COVID was. We just switched to telemedicine. And as any occupational medicine know, a lot of questionnaires, a lot of stuff in paper and fax. The challenge, well, to transition all that, the multiple legacies into integrated EHR enterprise, and their enterprise was already running for 10 years, so pretty robust. So we have to actually merge our department that was working kind of their own way to the new system. Also, top of the line, respect all the employee privacy and compliance. We'll go over the timeline. That took longer than the actual implementation. Again, there were several tools and several asks to make sure we could do all what we needed to do COVID. At UC wide, we have mandatory COVID vaccination. And we have really deadlines and you're not supposed to show up to work unless you have a valid extension. So pretty strict process on that. Also, we had mandatory testing. And we have embedded return to work if you're tested. So our lab will be testing 5,000 easily a day. And also, internal operation workflow and the reporting requirement. So the challenges. Well, Kenji went through that. So the reason there's a line under that, when you see the slides on the handout, they actually have a link for the references. And that was given by our legal team. Alrighty. So just going again, what we needed, what was our challenge? What were our system needs? Operation readiness. We are transitioning a team used with five systems to go work in only one with a lot of historic data. I was kind of married with like a lot of luggage. I have to have 10 kids. Employee health, the compliance, that's the 30-year-old reporting system, bringing also to the wedding, like your grandma. And integration with the other system. You know, we have two large med centers that's constantly being audited. And we want to make sure that, you know, we had dashboards and everything ready. We have a commercial line. So the first fee schedule, make sure that's integrated. Because not only we do our internal employee health, we do also for campus and we do for commercial. So, but again, most, most important, protecting employee privacy. So going about the integration needs. One is we had, it was very important for us, and that's something that COVID allows, is to integrate the UC path. That's the HR portal. So now I think, you know, universities sometimes it's really hard to know exactly who, how many people exactly are working there. Now, you know, they start working, go through UC path, and that automatically gets uploaded into EPIC. Because we have mandatory testing, everybody is in EPIC. Sorry, I shouldn't have said EPIC, EHR. Okay. I'll carry on that. So the other one is that we have a lot of dashboards. We use the daily, we have also daily symptom screenings. And then at the end, we have a supervisor dashboard because we want the supervisor first frontline to make sure, you know, all the employees are under compliance. And so we have the symptom screening, plus all the tests come in quadrics. Everything then goes on Tableau, like huge visualization boards, and then the registry, vaccination registry. Communication, we really, really want to get out of email, faxes, stickers, and all that, especially managing COVID. Like Dr. Batra said, you know, you're getting like 20, 30, 50, 100, 200 positives. And, you know, it's like at least going on and on and on. So it's really fast-paced. And with an employer portal, you know, we wanted to make sure we're communicating when they're returning to work and stuff like that. The telemedicine, you know, we really needed something better than Zoom. And again, very important, the staff interdepartment communication, because COVID got much larger than our department. So then we partnership with the infection disease, then they got a couple fellows, and actually infection disease got, so we had the testing team, the resulting team, the return to work team. And then, so we have to really integrate all these teams working together and reporting productivity report, regulatory report, surveillance, and the COVID. I have a few slides on that. All right. It did take a village for that. Most important, our leadership was very, very involved. And the lucky part is that our current CMO was actually our CIO. So now he's a CMO CDO, Chief Digital Officer. So he's super vested on that. And, you know, I believe that's the big key for success, get your senior leadership engaged and seeing the value, because it's an investment. We got all the operation folks, and then we got the executive board, then we got the functional boards, and we had, we made sure that there was someone from compliance, and that person was also an analyst, but will report to compliance. So every single step, my answer was like, make sure compliance is okay, because I don't have an extra million dollars. And, you know, and with that, we developed quite a lot of stuff. We developed within our EHR, e-consent. So we could then, you know, very fastly send the work clearances. And, you know, it breaks down to all the folks, and even within each box, you know, you're counting about a couple of people, and we have reporting team and so forth. Okay, the methodology, the timing. So I started actually, you know, talks in 2015. So I started working, and it's like, oh, you're going to change your EHR. So thank you on my first month. But it did take quite a bit for, again, the understanding the risk, everybody aligned on the compliance, all the legal, for UCF, the president to be supportive of that. And we already were in kind of on the process to get into the new EHR, but it was very, very clear early with COVID that the electronic systems that we had was just not enough for the speed and the volume that we wanted to act. So then we, first we did our flu vaccine. I'll talk a little bit to the end. Some fun stuff happened right away. And then we've launched on fall the internal employee health, meaning the UCSD employee health with the firewall. And then lastly, in December, we did like everything went live, meaning the occupational medicine workers comp, internal and external. Okay, so protecting patient employee health. I want to talk a little bit about the firewall. So, you know, I have the medical record, and then it goes to, you know, to the health practitioner, right? So all the information go there, and then there is a firewall. So what we do limit is that, for example, let me just go over this part here. So for the employee health firewall is that you do not want to go there as an employee health practitioner knowing, oh, they have diabetes, they have seizures, this and that. And so what we do is that we hide all past medical history, except for allergies, because it was important for us to have that. The other, but, so we don't see any of that, but what, and going, for example, your family practitioner looking to our department, you are not going to be able to see our drug testing. You're not going to be able to see why they visited us, because they could have been seen by a pre-placement, post-offer, but he could also have been there for fit for duty. So the drug test is also all hidden, and even like the appointment there was a drug testing, but we would then share, that was very important for us to share, all the vaccination, and all the titers, and all the x-rays, and then the respirator clears, because it's important for the patient to have that, and again, they have right at the fingertips before the flu, they have to go to a homegrown system, so that became really, really useful. But, you know, it's a pretty comprehensive EHI, and we work quite hard, and we were really strict, it's like, it has to be that way, and we did a lot of test drives on that. Okay, next. All right, so here you can see here the configuration of the firewall. As maybe you guys are familiar with this EHR, there's a limited storyboard. There's a lot of stuff meeting, and if you can't see, the tabs has all different names, right? We kept the rooming, planning, and the wrap-up, but we have the employee health, and it has some dashboard, the exposures, we do the COVID, and all other exposures on that, and it became so much easier. So the other thing that we were able to do is that we created like a picture of what is the status they are on. We call compliance, meaning that they are vaccinated, tested, and the fun part is, like, that COVID helped is that this little box here on the bottom right is, and the user is just the user that they're working on that, but, you know, on, what's the name of this person? Campus EHS. So Campus EHS was hired on January 14th, and is a professor at the health science. So, and this comes from, directly from UCPath. Going on the next slide, you will have, again, the configuration of sensitive notes, the employee health, so the top left is the view of an employee health that we can see, but then, again, we cannot see all the other appointments they had, and then on the bottom right is a primary care view. So as you can see, it is quite different. All right. So the next one is, again, just a snap picture. We have eight providers, right? Keep on losing count, but, you know, there's so stuff changing rapidly, even with COVID return to work, everything changing so rapidly, or is mandate to those, oh, now we need three of those. So despite, you know, we meet and train, and it's very hard for the provider to not miss a little thing, and this little thing becomes a big deal. So with that, with our, we're creating a more standardized process. It's almost like you're walking them through, so errors was, sorry about it. So errors decrease quite a bit with that, and we could move really fast. So just another quick snap picture here. I'm managing here and there because I cannot read exactly what's there, is, you know, from the onboarding checklist, what then gets into compliance is snapshot, and because we do a very fast onboarding, pretty much onboard within two days, then we have nurse working on that on standard orders. All right. So let's change now about COVID, right? Again, UC San Diego, very early on, and, you know, it's UCSD style to be very aggressive, very bold on whatever they do. So very quickly, it's like we're going to test everybody, and we're going to try to not have any outbreaks. You know, we didn't go in the newspaper or anything like that, but I believe it was because we were so aggressive on testing and so aggressive on vaccinating, and luckily our lab was, you know, the capacity is fantastic, and you can have the test really consistent less than 24 hours. So we didn't want to stop anybody from being tested, and so pretty much we have a QC code, and you just, you can get in through your usual EHR login, but you also can get in through your usual UC, you know, login. So you can get in two ways to our EHR, and that immediately you get connected to do. There are 10 sites that you can go drive through. You can go to the hospital. You know, they're self-collect, but the neat part is that you can go to a bunch of drive-through, and actually you're supposed to go. Sometimes, most of the times are mandatory. When it's like now, it's not mandatory, but if some people want to do it every day, some people would do it, right, Arthur? We don't stop at that, but again, it was very important that it was very, very convenient to do that, and the students actually have a vendor. They just go there, put a dollar. They could not do it for free, so now they do dollars for the students to put the dollar in the machine to get the test. They will swab it, put it in, and then they will collect later, so a lot of the students are doing through a self-collected, through a vending machine. The positive results, so what we did, too, working with infection disease is that because we know they're all UCSD employees, then we can filter them, and all positives will go to the resulting team. Then the resulting team will then do the contact tracing, and the contact tracing changed the parameters a couple times, and then it will send us for us to return to work in occupational medicine, and then with that, we'll do on the return to work. December got really complicated, but thanks for being already in the system, we were able to very quickly change the way we were doing, so we kind of, you know, day 10, we assume you're good and we send some mass notifications. So we really use a lot at the portal because everybody expected to be part of the patient portal. The other one is because you're mandatory as in March 30th, if you're not meant, you could be let it go. Then you could also sign a consent so we could integrate your results. And then a bunch of other integration that we have on the dashboard and so forth. Let me start speeding up a little bit. Very quickly, so I cannot share the numbers, but we are able to break just for COVID. I'm hoping the future to do that also for flu. So we can break it down by union. And actually with that, we could even note that the Hispanic population that certain unit composed the majority of certain unit had the lowest vaccination rate. And this is like change every day. This is the supervisor board. Again, on the right is the daily symptoms, if they got all the vaccines. And this come to me on a daily basis. So if Arthur is not doing good and stuff like that, I call him. Okay, very quickly on the onboarding process. So our onboarding, the clinic was taking 60 minutes plus because of the stack of paperwork and we do fit as we're like do it all. With integration, because all the questions now are pretty much on the iPad or the answer before the results are really easy for them to bring. We actually bump by 22 minutes, the onboarding time. The nice thing is that we onboard every year 450 house staff residents and is going super smooth. They love it, that they can do all electronically. And I just wanna remind you all that, we're serving the millennials. So this is really important that we provide what they want, right? Another one about the flu. So when COVID hit, it's like how are we going to do our usual mass clinics that is like first day 5,000 people? How are we going to social distance? How are we going to do that? So we transitioned to the new HR. Actually, we expanded tremendously to the peer to peer model. And also we were able to give access to the drive through that are used for patients. And in that, it completely changed. I will see the graphs on that. So we practically don't even have mass vaccination anymore. And the drive through, and again, it's very easy. And this is one nice email. Oops, this is a nice comment, live comment that we got that they didn't have to drive, especially on staff shortage. So this was really cool to have. Outcomes, schedule efficient, the portals, the standardization, the reduced duplication of data. And you guys can read it through. As Kenji may know too, I'm a very strong believer of lean philosophy. So when I look at this, it's like waste, waste, waste, waste, waste, waste. And a lot of that got eliminated. And just a granular of what got integrated and interfaced. So our recipe for success, as I mentioned, lean HR. We had a very short timeframe. So we were building, testing, and implementing. So three words, three boxes, I think it's key for change. I believe in lean and agile methodology, but an engagement, engagement with your leadership, keeping people updated, and engagement with your team. And also now you have a second team, you have the EPIC team. So now we become buddies, right? But it's the engagement. They're all believing that they're doing something important and something that will impact 40,000 people. And we also, you know, despite busy schedule, took time to meet the providers so they could see what was coming and they could give opinion, what they would like to have it done. And it was a really good time because what they thought that the system could do, it was a little bit more than likely. They wanted to fly us, no, we just have a car. So it was, you know, on a very fast paced environment. And I'll pass to Arthur. So my name is Arthur Sanchez. I'm one of the nurse practitioners at UCSD OCMED. And I want to talk to you a little bit about how we streamlined our bloodborne pathogen exposure process. And I have nothing to disclose. And I want to talk a little bit about our shortcomings, right? So our injury to treatment process was pretty cumbersome. We noticed that we had tons of loss of worker productivity and by gosh, paper forms, questionnaires, and archaic databases. And quite frankly, quite a few dissatisfied injured workers and providers. And we want to talk about how we fix the process, right? But we really have to understand what a cluster this was, right? If you look at this little snag it from Google Maps, you can see with our old system, how much an employee, how much driving they're doing just to go to our clinic, lab, pharmacy, and then back to work. And I think it says 25 minutes on there. And that's at like 11 o'clock at night. So you can figure what that looks like Monday through Friday, right? So how do we fix it? And we really realized two things. Number one is we need to improve accessibility and we need to make it easy, right? So because of COVID-19, telehealth has become a big thing. So we said, heck, why don't we leverage telehealth in taking care of these bloodborne pathogen exposures? We also realized we have onsite pharmacies in our hospitals and we have discharge pharmacies. The majority of our patients that have exposures are working in the hospital. So why not leverage that? And same thing with our onsite labs, right? They're there, they're available. And then we wanna make things easy. And I think Dr. Zakari spoke about portals and apps, right? So the patient-facing portal, and of course your smartphone apps, right? Those are huge. Getting rid of paper, paper socks. And there's scanning and all these other things that are attached to paper. So let's try to get rid of it where we can. Avoid duplicate questions. And again, when you're on paper and you have multiple, multiple, multiple questionnaires, you ask the same thing sometimes multiple times and you don't realize that. And then of course we wanna standardize. Standardize provider documentation, standardize how we're treating these patients. So if you look at this, this is our Needlestick and Sharp Object Injury Report. And quite frankly, it's three pages long. It's written in the smallest possible font. And I think it's intended to torture you a little bit. I mean, it's exhausting just looking at it, right? So we took, there we go. That's our Needlestick and Sharp Object Injury, essentially questionnaire. And we ask it, it's a little longer than this, just a little snagget of it. But this is what the patient would see if they did this on a desktop. But this is also available in tablet form in clinic, as well as through their smartphone if they wanna go that route. And of course, when you fix the process, right? Happy workers and happy providers. We talk a lot about the system level, but we don't really think about who are the people that are gonna be taking it, you know, who are the people that are really gonna be using this. So let's talk about what changed. And for the worker, convenience, right? And convenience comes by form of not having to travel. You know, we saw 25 minutes at 11 o'clock at night. But let's look at that Monday through Friday, right? The note, eliminate waiting, right? So we know that when the patient has to come into clinic, they're gonna sit, they're gonna fill out forms, and then they're gonna go to a patient room, they're gonna sit, they're gonna wait, they're gonna leave, they're gonna go to the lab, they're gonna wait to get their labs drawn, and then they're gonna go to the pharmacy and wait and wait, et cetera, et cetera. And then we realized that when we sent our patients to community pharmacies, we actually had issues with getting them pep in a timely manner. And one of the things that, one of the reasons for that is sometimes they just didn't carry the medications. We know these are expensive, and often they didn't know how to deal with workers' comp. So by transitioning and taking advantage of these on-site pharmacies that we already have, well, guess what? They have the medications, their unit dose, they're ready to go, and they know how to deal with our work comp patients when we prescribe medication. And then, of course, text message and email reminders. So we found that with our previous EMR, we didn't have a good way to remind the patients to follow up, hey, you need labs drawn, whatever, and we're able to do that now. And then, of course, for the providers, predefined order sets. And this isn't necessarily something new, but having predefined order sets is huge, and having the ability to make changes as things change is really important as well. Straightforward templates. We found that documenting our exposures was kind of a pain for the providers, and everybody did their own thing. Well, we said, let's standardize this, let's make it easy. Easy access to vaccine and titer records. Again, this is huge. Sharing of that information that we have. Having titer availability, vaccine information, we pull from state registry, from our local registry, as well as other health systems, we have that information sharing that we can take advantage of. And for the provider, confidence that when you send your patient to this discharge pharmacy, they are gonna be able to get those PEP medications. It's never worried, oh my gosh, are they on the medications? You know, you can rest assured they're gonna get their medications. And communicate directly with the patients. So we didn't have a great way, I know Kenji talked about email, right? But that's really not ideal. We really wanted to take advantage of communicating with the patients directly through our EHR. And that comes into play when you have a follow-up visit, and maybe you just wanna go over some lab results, and you just wanna let the patient know, hey, labs are negative. See you in, you know, whatever, month, two months, whatever it is. So these are all things that we were able to leverage through our integration. And again, what you see on your left there is how we standardize our order sets. And something kind of funny about this was we noticed that a lot of our ER docs would not order the correct labs. And kind of an unintended thing that happened was we shared this order set with our ER docs, and then magically, all of a sudden, everything was being ordered correctly. Go figure. And then we wanna talk about provider documentation, right? So we went ahead and we created our own templates, and it really is just the nitty gritty, just what we need, so we can get, you know, that visit taken care of and out the door. And data reporting, right? Data reporting, we keep talking about data reporting. And part of our transition, getting rid of paper, was automating our data entry process. So that's been huge, right? We don't have to transcribe from these paper forms into another database or anything like that. Single source of truth. Again, moving away from the multiple archaic databases and MS Access and all these other crazy things that we were using. And again, this goes hand in hand with, we have everything available in a report format directly from the EMR, or we can take that into Tableau, or we can just get a raw data dump in Excel and we can use pivot tables and do whatever we want with that data. So again, limitless possibilities. And this is kind of an interesting slide because this looks at the number of just sharps injuries in our health system since 2019. And while there is a decrease in the number of needle stick injuries, and we're pretty excited about that, we don't necessarily think that there was a decrease. We think this had something to do with COVID and the lack of procedures, elective procedures and stuff like that. But if you look in the last five months, approximately 44% of our needle stick injuries, and these are new needle stick injuries, are cared for via telehealth. And we think this is really exciting because this is just new injuries. We're not really looking at the number of followups and whatnot that are also being done through telehealth. And the interesting part of all this is it all goes back to saving time, increasing productivity and really just making it easy for the patient and the provider. So with that, I yield the floor to Rosie. All right, everyone, home stretch. So I'll be sharing some preliminary results from this lengthy, lengthy EHR survey that you may or may not have filled out. If you have it, the link is right there and so is the QR code and it will be on the next slide as well. Thank you to all who participated. It means a lot to us. I have nothing to disclose. So this was approved by the UCSD IRB and it was distributed to members of the ACOM Special Interest Section. So MCOH, Health Informatics, Pharma, Private Practice, Finance, Practice Management, Corporate Work and Fitness Disability from February 1st through March 27th. Again, QR code, no excuses. So let's see, here are the preliminary results. So we had 39 people who responded. One person did not use an EHR and then there were 35 physicians and three advanced practice providers. 26 of the physicians were occupational medicine boarded, five were family medicine, and then two were internal medicine, one family medicine, one ortho, one family medicine. And then of the occupational medicine physicians, 50% were dual boarded. Maybe a future topic for a Sappington lecture. So here are the services that were provided. As you can see here, they provided, employee health was provided both internally in 31%, externally in like 8%, and in both cases in about 50%, for the 50% of the people, and then wasn't provided by 10%. And for the occupational medicine services, 32% of the respondents provided internally, about 22% externally, and then 43% provided it to both where about 3% didn't provide it to either. So here the, like on the EHRs themselves, as you can see here, primary system was used for either occupational medicine clinical practice in almost 80% of the cases or for internal employee health tracking systems in about 50% of the cases. Most of them were commercial products, either with minimal customization in 42% of the cases, or with significant customization in 34% of the cases. There's a bimodal distribution here in the length of time used, as you can see. So either people use it for zero to three years in 32%, or 10 years or more in the other 32%. Which we found kind of interesting. And then about 55% of people used more than one. The most common combination was having a combined occupational medicine and non-occupational medicine electronic health record, with the occupational medicine being the primary in 69%, and the non-occupational medicine being the primary electronic health record in 31%. And then 45% used only one EHR, with about 60% having an occupational medicine-specific EHR. And then 24% having a non-occupational medicine-specific EHR. From the survey data, these were the top desired EHR functionalities. Clinical notes in 42%, ordering images or labs in 34%, having medical surveillance or electronic questionnaires in 32%, or receiving and viewing tests as well. 29% responded generating reports like population health or OSHA, and occupational medicine forms such as DOT. Work status orders for 26%. Employer compliance tracking, 24%. And infectious exposure management and contact tracing, especially important during COVID. Interfacing with EHR for 21%, and telemedicine in 18%. There were some other options. These were just the top. So, looping back to Dr. Batra's question with COVID impact and EHR needs. So, 60% of people almost responded that COVID did not really impact their EHR needs. And if it did impact, more people responded that it impacted it negatively than positively. And then as far as the current EHR meeting COVID related needs, it's slightly flipped from the responses that we gave. So, about 40% agreed that the current EHR was meeting COVID related needs, whereas for us it was 30%. And then 40% disagreed. So, we have three more polling questions and we'll be done. So, here we go. So, what compliance concerns regarding your primary EHR do you have? And this might be a little difficult to read, but generating legally required reports, performing legally mandated surveillance, communicating with external stakeholders, generating federal or state mandated forms, operational inefficiencies or redundancies, reliance in scanning documents and paper charting, reliance on multiple electronic systems, and possible data gaps, errors, and omissions, other or none. Why wasn't this turned down last time? Interesting. It's actually working. Interesting. Yeah, it looks like, yeah, it looks like operational inefficiencies as redundancies have been a major problem, as well as reliance on multiple electronic systems and possible data gaps, errors, and omissions, which. All right, I'm gonna move on to the next one. So, have you taken any measures to improve your digital privacy and compliance with your primary EHR system? So, digital firewall between employee health records and patient care settings, like Dr. Isakari was talking about, having a break the glass function, complete separation of EHR systems, having a blanket release of information, use of separate employee EHR systems or databases for privilege information, other or none, I don't know. And a special thank you to Dr. Isakari-san for walking around and handing out the QR codes. Future physician. OEM, we're gonna recruit you. So, a lot of, especially patient care systems, like for general patient care, if you access an employee's chart and you're also an employee, it'll ask you to put in a password and log in so that they can track that you've accessed that record. So, it's called breaking the glass to enter, basically. And you can be audited and cited for those things if you're doing it inappropriately. Yeah, and it's retroactive, right? So, it's not being proactive, because by the time it's broken, it's too late, it's already happened. And this happens usually in, for those working in LA or New York, you have movie stars or someone famous coming through. They designed this a while back, but now we're utilizing it in a very different way. Sometimes you also have it in the pediatric health care system, if you're not. People who work in the health system will try to access their child's records inappropriately, and so forth. All right, interesting. There's a lot of none or I don't know. And then, breaking the glass, complete separation, blanket release. All right, and then, what confidentiality or privacy concerns regarding your EHR do you have? So, inappropriate visibility of information to external employers. Inappropriate visibility of information to internal supervisors, managers, or HR. Inappropriate protected health information visible to staff in my department. Inappropriate chart access by coworkers or managers. Inappropriate visibility of job-related health information to non-occupational medicine providers or other. All right. I am surprised about none. Yeah. That's interesting. So, we actually published a paper in JOEM a couple years ago about the perception of privacy amongst employees working in the same health institution, and there was huge concerns, and it kind of made sense, and it just validated it, that especially if you're a nurse and you're treating a colleague, what are your sense of privacy there, and do you wanna go to your own primary care doctor to be outside of your health system? Do you want your medical records to be available, and even though there's a break the glass or other firewalls or protections, do you wanna share that data with your colleagues? And we saw that the perception there was, no, I don't want that. But sometime when you're in a health plan, and you have to get their own insurance, because, for example, if you work at a large health institution, you have to pretty much use in-network sources within that same institution, there's a benefit plan, you just need to design an alternative access to those healthcare providers to go outside the health system to access a primary care doctor. And they didn't take that into account because, you know, as part of benefits now that I work in HR, you know, it unfortunately comes down to some of the dollars and cents around designing health plans. And you can't go out of network because you just can't afford that care. So we need to figure out how we do that for health care providers. I think that's going to be unique. That's why I'm kind of surprised that the majority of us here have no concerns, which is great. That's where we want to eventually head to. So we also asked this question in the survey about how satisfied you are with your current digital privacy. And actually, most people are pretty satisfied with their current measures, like 60 percent of them. And I want to give some special acknowledgments. Thank you very much to the health informatics section, which sponsored us for this talk and gave me the travel grant award. Thank you to the medical center occupational health, which also sponsored this session. And then pharma section, corporate section, private practice and finance practice management sections, and fitness and disability sections, which has allowed us to post this survey on their forums. Thank you so much. So we have time for Q&A. This is the best part of it. So if we have microphones, please go to a microphone. We do have our virtual colleagues to care for. I want to make sure they can hear the question, and we'll answer those as well. So please come to the mic. And while you're doing that, I'll answer some questions we got online with Dr. DeWald. Great question. Her question was, is a global EHR still possible in the age of countries having their own privacy rules, including where servers can be located? Great question. And there's still answers that needs to be met by regulators. The best example you have is the General Data Privacy Act in the EU, the European Union. We enacted that a while back to look at all general data. And we kind of correlate that to HIPAA in a lot of different ways in the U.S. But the best, I guess, practices right now is to basically look at the most heavily regulated and use that as your floor in your company. And then basically you're protected, because now if you're going to go to different countries, at least you know what the most strictest guideline is. So we kind of use HIPAA in the U.S. or GDPR in the EU, which is a little stricter. Its best practice is just accept the GDPR, even though in the U.S. we haven't done that yet. We can look at the credit card industry. We've done this way before we have, right? You don't want your money or bank account or credit card transactions to be easily accessible. So there's privacy rules there with the Service Operability Consortium, SOX2, basically, you need to look it up, SOC2 is another standard that a lot of companies globally are using as standards. So when you're looking at vendors, make sure you ask that privacy, whether they can meet GDPR, they can meet SOX2, and different kind of regulated and heavily regulated privacy rules there, too. So great question. Yes, Melanie. Kudos. I have to say, when I first heard, Marsha, that you guys were exploring this, I had my fingers crossed for you, but I had skepticism that this could be done. And I think this is a tremendous leap forward. I just want to thank you so much. And I think this session has just scratched the surface, so I'm going to only ask one question. I have about 12. I'm going to give everybody else time. So one of the things that occupational health traditional tracking systems allow us to do really more efficiently, this is an operational question, not a big level privacy question, is when there is something you didn't expect, and you need to quickly identify a group of workers, so crested Norwegian scabies exposure in the ICU, or there's a MRSA outbreak and you decided you're going to do surveillance testing on a cohort of people, these are things that are not identified by HR data feed from HR to identify who those people are. You need to manually group those people for testis, exposure, whatever. And then on the occupational health side, you need quick access to see everyone that's been identified in that group and determine if the appropriate action has been taken, notification, et cetera, which means you need the flexibility to quickly create those groups on the fly, and then you need visibility into them. So I'm just interested in how you do that, how nimble has this system been for you to create those exposure groups or new surveillance program, you need a new diphtheria toxin program, whatever. And then how do you view that? Is that tableau? Are you viewing them as a group within the EHR? So, okay. We are still working on the metrics, but we started doing because of the animal care. So we have, so we're going to do registries. And the other thing is that the way we built in a way that we can then pull, you can pull reports very easily, but for example, define data, the idea is to start creating registries. One thing is like, for example, the TB with the waiver, right? Now we don't need to do any TB. So then we create a rule. Everybody had a TB test, a POS-TB, or anybody who had a chest X-ray in the department, then we automatically put them in the surveillance for the TB. So a registry for surveillance. So you can create rules based on like example or a test. For example, I created a rule to everybody that someone in the department had ordered chest X-rays. So is each new pertussis exposure a new registry group? On each new pertussis, so we didn't have a pertussis cases, but what we can do is that we can then get all the results and we are able to push to which department they work. But usually for pertussis, we'll have to work with the infectious disease department that will do their person-to-person evaluation, but the EHRs also be able to pull forensics. So they're able to pull anybody that touched, for example, is from a patient, they're able to pull everybody that touched or enter anything in the chart. So we're looking into that, the possibility on trimming down the USP-100. Yeah. Thank you so much. I know it's really complex. I don't want to give other people time. Thank you. Great. Great. We'll switch to an online real quick too. There was a question about the servers being in which countries and I agree with Dr. Ramirez, China, Turkey does require data to be stored in that country and I think that's a really good point to bring out is if you're looking at a global EHR or some sort of rules about privacy, make sure you consider what it is going on in that country. And Latin America actually has specific very outline regulations on what you can do, what you can't do, where it needs to be stored. EU is a little more unified, but if you look at the Middle East and Africa, it's just a wild, wild west right now. So you got to be very careful where the data is being stored. Yes. One of the things that I'm struggling with explaining to other non-OCHMED providers is the fact that when we do occupational and environmental medicine, one, you're not necessarily establishing a patient-physician relationship, but that some of the medical record is actually under the ownership of the client or the employer. I wasn't sure if you guys, I know that's a very big question, but from a privacy standpoint, especially considering these new laws that are coming into place, can we still say that? I mean, is that still true? If I have somebody come in and they are doing a return to work fit for duty, the employer is paying for that. I'm not establishing a patient-physician relationship. If I do an IME, I'm not establishing a patient-physician relationship. They're being sent to me. So what access do I now need to give to that individual in consideration of these new legislations? Thank you. What state are you in? I technically cover 34 states. So that's the other fun part. Yes, it's going to be very fun for you because you might have 34 different answers. Because the question then becomes, where is that patient or claimant from? Where is the TPA who's paying you from? And where are you physically sitting and licensing as well? So do you have a medical license in all 34 states or do you have a compact licensure? I have 375 clinics across 34 states and I'm the VP of OCMED. So I am super seeing that. So we have some providers that are licensed in all 50 states. Because licensing boards are looking at this as well, so you might have 50 license boards ask you. So the safest way to look at that is, because of the Cures Act, is that you do need to find a way to provide all the information you have in your access to provide it to them. But check it with your legal counsel because different states have different, actually more rigorous requirements. And some of them are saying you have to provide it in a certain format and some of them say you have to redact different information. Because the challenge there is if you receive, for example, an x-ray that wasn't in your health health system, imaging or lab data, it's like, this is actually not my record to give out. Exactly. The Cures Act, however, says it doesn't matter because you're supposed to provide all that electronically and now you got to figure out, is it a HIPAA, is it a GINA, is it a EEOC kind of concern or is it going to be a Cures Act concern? So the Cures Act really threw a whole big wrench into the operations piece because now technically you're responsible for providing whatever information you have in your possession to this person asking for it. I know, it's a nightmare. And this is why I get really scared sometimes. That really does make me want to cry a little bit. I'm just going to say that. Information blocking, unfortunately. A whole new set of nightmares. You know, it's quite interesting because in the U.S., technically when all these rules go through, it's supposed to go through an Administrative Procedures Act, right? It's supposed to go through rulemaking. You have to go through a budget analysis. And somehow this kind of bypassed all that and the budget analysis didn't take into account your situation, right? Saying, I have 34 different jurisdictions I've got to worry about and you're telling me now I can provide information for everything I have in my database regardless of where it's sitting because it's in my possession, I have to provide it to this employee in X amount of hours and if I don't, I could be penalized? And this is why I think, you know, we need to be aware what's down the line. Keep track of these legislations because, you know, we need to get active in saying, hey, this might impact your business in a way, either have an advocate or a lobbyist there to advocate on your behalf because otherwise, these legislation rules are going to pass through and you're going to be responsible financially to make this happen and make it sure you're legit and legal in that jurisdiction as well. Sorry, question. Yeah. And looking at the cures, if you, you know, dig a little bit, there's not much, actually there's nothing about occupational medicine. So at the concept of government's affair, it did bring it up that we may need to have them add some Q&A in regards to occupational medicine because it does, like, for example, say you have to share family history, well, we don't want that, right? But they're also, you know, as a protected entity, it doesn't matter if you are not their doctor, if you're still a doctor and that documentation, you're to share with the person when they ask you. But again, it's quite complicated, but legally we identified the need for clarification. Absolutely. And hopefully we'll get some interpretation letters back from them, but we haven't yet because it's so new. And the challenge is, like I said, it was just active last year and they actually was extended because initially it was like October of the previous year, but because of the pandemic, they extended to April and there was a request to extend it longer and they said, nope, this is it. So, so far I haven't read about any penalties being assessed yet or any kind of audits that came through, but nobody wants to be the first, right? Nobody wants to be a test case either. So yeah, I always encourage people to say, define yourself first of all, are you an actor under that legislation and your legal counsel can help you figure that piece out because that's going to be the easiest. But unfortunately it's going to be a very easy test saying, yes, you are an actor from what I'm hearing. So yeah. I wish I've had a news for you, but. Great presentation. Amazing. Amazing on the EMR merger. That was phenomenal. Thank you so much. That's encouraging. Yes. I have a question online real quick. Does the U.S. require patient health care data to be stored in the U.S.? Not yet. There are talks about it being held here, but the best practices is to have it here because we have more stringent rules. And I think it's a good practice, especially in the locality, because it's going to be heading in that direction is whatever country you're going to be servicing in, have a data agreement in that country, because I suspect that in the near future, most countries will move in that direction, not only for economic purposes too, but have the jurisdictional control over the privacy and confidentiality of those records. Yes, in person here. Thank you for the presentation. I think telehealth was mentioned a few times, and I want to say Zoom was said one time. So with televideo health, there was, my understanding is it's still in place, a relief from enforcement for some of the privacy requirements for that, specifically televideo health. Some smaller organizations had to pivot quickly, and we didn't have assets that met the requirements previous. Do you see any changes in those privacy requirements now that we've gone through a long period of time without enforcement, and or when do you see that enforcement maybe coming back? Thanks. And I know that's an HHS thing, I don't know. What have you heard, I guess? You guys seem to- No, again, we don't do a step without checking with our compliance. And then with Zoom, the platform was HIPAA compliant and everything. But for us, is that we wanted them to sign a release of records, too. So that's why we use the docu-sign, so they will sign, because then we have to write the work status and stuff like that. So that's something that we added, because we felt it was very important to have a release of record when we release work status. But yeah, I don't think in anything really reverted on the telehealth, it's just here to stay. And actually, another thing that I just worked with UCSD is what we call the new normal. So we had a couple markers, actually interesting was like the amount of COVID in the sewage of UCSD, the number of infections at the San Diego County. And with that, we're going green, yellow, and red. And one of the main thing is that how much telemedicine we'll do. When we are starting getting on red, we're supposed to be 80% telemedicine. And on yellow, you have to transition to. So in the near future, the new normal, you have to be able to provide telemedicine. Come join our health informatics section, there's going to be a robust discussion about that as well. Yeah. There's a meeting tonight. Tonight. Thank you. So I'm sorry, Dr. Ramirez. I don't understand your question in the queue, in the live discussion chat. Can you just rephrase that for me? That would be great. The other question was around OSHA surveillance exams. Are clinics required to maintain exposure sampling data as part of the EHR for the employee? So under OSHA 1910.1020, it does require you to maintain it, but it does not say that it has to be in an electronic format. So I know some clinics, especially on-site clinics, keep them in paper still, but I always encourage if you can, move over electronic. Right now, it doesn't say it has to be electronic. Yes, the question here on the floor. So good morning. Thank you for taking my question. So I'm an IT architect for the EHR, and I'm working with my providers, and many of them are directing me to put in those guardrails, similar to the screenshots that you showed. But I'm also struggling, as I hear the guardrails and putting these provisions in place, then I hear total worker. I'm hearing, talking about mental well-being, wellness, and the social determinants of health. So how do I do that, and provide some clarity, because it's kind of blurry for me at this point, where it's kind of teetering in what I would call primary care with occupational health, and where is that balance to meet those privacy needs? Well, we go back to what Kenji shared, the EEOC and ADA. I think the riskiest part is that you are evaluating someone to, pretty much you're going to decide, should this person be accepted at work, or be kept at work? That having that additional information, like they have seizures, or they're poor diabetes, or they got admitted for something else, and being evaluated to a clinic that you can see it all, to another clinic who cannot see anything else, it will create a disadvantage on that. That was one of the main things about the firewall. So the rule that we do is this. We do also do wellness, too, is that information that it's essential for them to be healthy. But if we collect that data for the wellness, then we'll have a special release of information that that information that's not relevant to work will be kept inside employee health for wellness with their consent. So I think it's very important for them, for the patient to be aware where their data is. The other thing is that I think some of the, for example, wellness programs that we provide, it might conflict with their own personal insurance that they have and stuff like that. So again, with release of records, you can do whatever you want, practically. You can send the notes to your employer, if you know. But I will lean on doing the release of records. But the main thing for us is having a safe environment that our employee health environment is safe. So for example, I can do send mass vaccination, I can get mass results and stuff like that. And then I also can expand, for example, I will have between 10 to 30, 40 people working in the employee health, but they're not going to see their coworkers' records and stuff like that. Yeah. I think it's part of the architecture. It's really important to consider the consent piece, because if they allow it, it's good to have it. We have a lot of population health management experts, and I think it's really good to have that information available and make sure the easiest way is to get consent, because sometimes you run into troubles with ERISA. Is anybody familiar with ERISA? So it's a regulatory policy, especially if you have a health plan. You can jeopardize your health plan if you don't follow the rules of that plan as well. So you got to be careful. There's all these regulations that really apply when you're looking at different data, especially on social determinants of health. Hopefully that's changing, especially if you're part of a patient-centered medical home. And if you need more information, Dartmouth has been a leader in this. Dr. McClellan was just here, so if he comes back, Bob McClellan is the person you want to talk to, because he'll tell you what Dartmouth did and how he was able to incorporate all that data into their EMR system as well and actually use that data to show how social determinants of health affect everything we see. So it's very great. Yes, next question. So I'm wondering, with your break the glass and having the employee health record and then the other side of the house record, where are you housing your occupational health, like your workman's comp and your bloodborne pathogen exposure? Are you housing it on the employee health side, so that you have to break the glass to see it, or is it housed on the regular side? Just to start, we did have a break the glass pre-integration. I personally don't believe in break the glass. I don't think it's sufficient. I know the large HR do talk that's sufficient. I don't think so. So for me, break the glass is actually moot point. But how we believe is that in the employee health environment, we do take the pre-placement stuff. If they become the bloodborne pathogen, though, because it involves testing, involves possibly going to ED, involves medication, it was very important, it is very important for us that if someone is also could be treating this person, knows the medications, know the care we're doing, and so what if it falls on a pseudo-worker's comp, so it gets on the general, on the mainframe EHR. But we have two release of records. We have one release of records that they allow us to be in their mainframe for the non-employee health, and then the one that we're going to send the information of medical clearance to the employer. Okay. Thank you. Quick question. On your break the glass, did you consider having like a separate service area so that the employee health record was not even visible to the system unless your provider of record was in the correct service area to see that there was a record? We have a, it's change of context, you know, so depend of how we get into the EHR, you have a total different view. So then we have the employee health view when we're doing our employee health, you know, that I showed the slides, but I don't understand. We don't break the glass. We just log differently. I think it depends on the context, right? Like Marcia was saying, how you log in. So there's employee health, and then there's the general medical record. So what your role is when you log in, it'll look completely different to you. So some data might, as an employee health person logging in, you'll see certain things that the general, you know, side won't see. So there's not a break the glass function. It's completely firewalled now, correct? Yeah. You got it. So it's separated. Thank you. And yeah, and if you wanted to jump to another one, then they sign a related record. Right. Yeah. Yeah. Last question. Good morning. I'm Jim Medeiros. My question's about what Kendra mentioned earlier about upgrading the Gmail service to something that's HIPAA compliant, the G Suite. One of the clinics I work at uses that, and we share information internally, but that way you have end-to-end encryption because both the user or the sender and the receiver are on that system. But how does that work if you're sending it to, like, a third-party authorized individual or to the patient? You wouldn't have that encryption on that end, or is there a workaround? Yeah. So there's actually an encryption, too, and you have to pay for that service. And I always recommend it. But you'd always get the waiver for that, too, so get the record release, because they're waiving some of that information. Best practice, however, is make sure when you do do it that way, if you're going to be sending it throughout email through encryption, is don't put anything in the subject line that is confidential, because PHI, even though it's encrypted, the subject line usually is not. So the best way to do it is to encrypt it in the email, but the better way of doing it would be having an online portal. I mean, that's the most secure way to do it thus far. And I think, what was Google's Dropbox, no, not Dropbox, Google Docs, Google Drive is working on a mechanism for that as well, so that they can send people a link, log in, create your portal, and download it that way, and that's usually a little safer. Okay. Thanks. Great. Well, I hope that was helpful. We have a health informatics section meeting tonight. I know there's questions about whether it's going to be virtual or not. I think as of right now, it's not able to be virtual, but that's different. We'll put something in the chat tonight, or we have a secretary here today, so we'll ask the health information section. Thank you again. Thank you.

employee health

medical records

COVID-19

data sharing

communication

privacy regulations

EHR system

patient privacy

efficient workflows

pandemic

data integrity

security

occupational health settings