124 posts categorized "EHR"

September 27, 2013

#StrataRx -- David Harlow's HIPAA and HITECH presentation

Patient Consent to Use of Data: Are We Asking the Wrong Question?

I spoke yesterday at the StrataRx conference in Boston, as part of the data liquidity track. This was sort of a blue sky presentation (as you can tell from the first slide); the thought was to explore the notion of building big data analytics on top of a data store populated by health record information obtained as a result of patient requests. Why? Because doing it that way would bring the data out from under HIPAA and HITECH regulations. Patients could contribute as much or as little of the data as they wish, patients could be compensated for their contributions, and other pesky HIPAA restrictions would fall by the wayside. I used one company's newly-announced service as an example, but there are others in this space as well.

August 21, 2013

Scanners and HIPAA Compliance

Sponsored by Canon U.S.A., Inc.  “Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.” The ideas below are my own.

A recent HHS OCR HIPAA settlement with a New York area health plan seemed to come out of left field: A CBS news investigative reporting team bought a copier formerly leased by the health plan and found protected health information (PHI) of about 350,000 individuals on the copier’s hard drive. This led the health plan to self-disclose to the OIG, and to agree to a fine north of $1 million and a correction plan.

Clearly, HIPAA and related state privacy rules require that a health care entity wipe hard drives of all PHI, or destroy them – the rules require the use of a variety of administrative, technical and physical controls to keep personal health data private and secure. The health plan in this case fell down on the job; it hadn’t even included the copier hard drives in its required self-analysis of risks and vulnerabilities.

May 07, 2013

Ponemon Institute study finds outdated communications technologies cost U.S. hospitals $8.3 billion a year

I spoke with Sean Kelly, CMO of Imprivata, a health IT company with single sign-on and secure SMS solutions that commissioned the study, entitled The Economic & Productivity Impact of IT Security on Healthcare (PDF).

The audio file of my interview with Sean Kelly (about 20 minutes long) is available for download/podcast, or may be played here:

Sean Kelly - Imprivata - Cost of Outdated Technology


A full transcript is available as a PDF (Sean Kelly - Imprivata - Interview) and is reproduced below. 

From the presser:

Economic and Productivity Impact of Outdated Communications Technology

  • Clinicians estimate that only 45 percent of each work day is spent with patients; the remaining 55 percent is spent communicating and collaborating with other clinicians and using EMRs and other clinical IT Systems.
  • According to the study, clinicians waste an average of 46 minutes each day due to the use of outdated communications technologies. The primary reason is the inefficiency of pagers (as cited by 52 percent of survey respondents), followed by the lack of Wi-Fi availability (39 percent) and the inadequacy of email (38 percent).
  • The Ponemon Institute estimates that this waste of clinicians’ time costs each U.S. hospital $900K per year, and based on the number of registered hospitals in the U.S., this translates to a loss of more than $5.153 billion annually across the healthcare industry.
  • Similar deficiencies in communications lengthen patient discharge time, which currently averages 102 minutes. About 37 minutes of this is due to waiting for doctors, specialists or others to respond with information necessary for the patient’s release. The Ponemon Institute estimates that this lengthy discharge process costs the U.S. hospital industry more than $3.189 billion annually in lost revenue.
  • Sixty-five percent of respondents believe secure text messaging to communicate with care teams during the discharge process can cut discharge time by 50 minutes. 

Effects of Regulations on the Delivery of Patient Care and Technology Adoption

  • Fifty-one percent of survey respondents say HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces time available for patient care (according to 85 percent of respondents), makes access to electronic patient information difficult (79 percent) and restricts the use of electronic communications (56 percent).
  • Additionally, 59 percent of survey respondents cite the complexity of compliance and regulatory requirements as the primary barrier to achieving a strong IT security posture.

While health IT did not create the need for clinicians to spend time reviewing and updating patient records, the promise of health IT -- to make things easier for clinicians, better for patients and more efficient and cost-effective for all of us -- is a matter for the future.  As the saying goes, "The future is already here -- it's just not evenly distributed." Kelly makes the case for SSO and secure SMS, and the Ponemon study provides a snapshot evoking the scope of the opportunity.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


HealthBlawg :: David Harlow’s Health Care Law Blog

Interview of Sean Kelly
Chief Medical Officer, Imprivata

May 7, 2013

David Harlow: This is David Harlow with HealthBlawg and I have with me today Sean Kelly, the Chief Medical Officer of Imprivata, which is providing some interesting new services and has news about a recent study which was conducted regarding communications systems that are in place in hospitals today and how that helps or hurts our healthcare system. Sean, thank you very much for speaking with us today.

Sean Kelly: My pleasure, David.

David Harlow: So Sean in a nutshell what can you tell us about this new study and what it may mean for folks looking at this from the hospital perspective?

Sean Kelly: Sure, the study was conducted by the Ponemon Institute and it’s entitled Economic and Productivity Impact of IT Security on Healthcare. It explores essentially the impact of security in people’s perception of how their workflow happens in the hospital both with regard to HIPAA compliance and security issues as well as with efficiency and convenience and the ability to take care of patients. Some of the higher level points that came out of the study are that doctors and other caregivers including nurses and other people who have direct patient contacts feel like they spend really less than 45% of their time actually caring for patients and in direct patient care, face-to-face contact. They also feel that outdated technology leads to at least 45 minutes a day of wasted time. The economic impact of this amount of time being wasted with outdated technologies can amount to a significant amount per hospital -- probably close to $1 million per hospital per year in the United States, and when you add all that up that’s over $8.3 billion per year in the US alone. This is probably a problem with economic impact around the globe as well although this study was conducted on participants in the United States alone.

There is a lot of subjective information that came back as far as people’s information and opinions about what the cause of some of these delays were. Specifically they cited the inefficiency of pagers, the lack of WiFi availability and inadequacy of e-mail as well as the fact that text messaging wasn’t allowed. They felt that a lot of these things led to the inefficiency and inconvenience at work as opposed to what they’re used to in their consumer life.

I’m a practicing emergency physician as well as the Chief Medical Officer at Imprivata and I can tell you that there is a lot of promise and potential that comes with technology and there is also a lot of difficulties with it as well. Traditionally in healthcare we’ve seen a lot of tension between security concerns and convenience and we see this at Imprivata since we provide a single sign on solution addressing some of the pain points around the fact that providers are required to log on and authenticate just about every time they touch protected health information. This is a reasonable thing to ask providers to do because you really want to have an audit trail – it’s required by HIPAA to be compliant it’s very necessary and proper to have good security barriers in place because you really want to make sure patients’ private information is protected and it’s really the right thing to do.

The problem is a lot of these systems inherently can be difficult. In my life as a practicing doctor on a typical shift in the emergency department I might log on and off of systems hundreds of times per shift for multiple patients and try to navigate back and forth between my electronic medical record and the PACS system to look up X-rays and other radiologic findings I might go to other clinician applications such as Up-to-Date or epocrates or other websites and for every one of these jumps between and navigating around the system I might need to log in or log out or try to boot something up or close it down and every one of those points can cause delay -- not just in the time but also in cognitive disruption of my thought process, and so it’s really important to make sure that we have sort of a latest and greatest technology to allow us to do our jobs as physicians.

David Harlow: Right -- so it sounds like the single sign on solution would address something like that, that problem that you describe in the emergency department. And my understanding is that you’re talking also about another solution in terms of trying to ease the pain and reduce the time that’s spent on these various tasks in the day in the life in the hospital, is this a texting solution?

Sean Kelly: Yeah, I think it’s important for people to understand that healthcare is still reliant on some outdated technology -- specifically pagers -- and just to give you an example of what a typical workflow might be in a hospital, is that to page a colleague, whether it’s a nurse that you need to try to find out something or order not necessarily something you do through the EMR but if you just want to find out Room 7 has had a recent vital sign performed or oxygen saturation level or something you might page the nurse and the pager system as it currently exists might be unidirectional and so I would go to a desktop, have to log on, open up an application, look at what nurse is on call for a patient that’s on duty at that time, send the page out to that person who may or may not contact me back and that unidirectional message flow can get lost out there, it’s hard to know, there is no read receipt, I’m not sure if it’s delivered or read -- there is no easy way to just text me back and say well, yes, that was performed or no, it was not performed but I’ll do it, or actually the result is 97% on room air.

And that kind of inability to just quickly send a message out, have it come back, complete the workflow in the current state of affairs in most places makes it difficult, especially when I walk into the hospital and in my pocket is this very efficient tool that I’m used to using all the time in my consumer life, where I can text message back and forth and get a quick reply, finish my thought process, move on to the next step. When I’m trying to discharge a patient from the hospital or from the emergency department there are many, many different points in that workflow that can lead to delay and in this study for example they found that it may take over 100 minutes to get a patient discharged from a hospital of which 37 minutes or more might be spent just trying to contact physicians and hear back from them that it’s okay to discharge a patient, or there might be one last minute thing they need to clear up and this kind of operational flow issue would be very ideally solved with the text messaging platforms.

David Harlow: Right. So these issues aren’t new but I guess what you’re suggesting is that there is a solution just beyond our reach or maybe now just within our reach, but the problem as you state it is not a new problem. There has always been a need for people to be reviewing records, consulting with colleagues in the course of caring for an inpatient and it’s been traditionally a paper process but now with Meaningful Use starting to take hold, do you see an improvement on that front? Are these numbers based on a recent survey? Is there an older survey to compare these against? It just seems to me that there has been some improvement over time and perhaps things are better than they were but not quite as good as they could be.

Sean Kelly: Yes it’s a very good point you raised. I think it is a double-edged sword there are a lot of things that have certainly improved with the advent of electronic medical records and computers are good at a lot of things. For example, when we’re about to discharge someone home, it’s very nice to be able to take their current medication list and when you write a new prescription the computer is very good at cross checking the drug-drug interactions or looking up their past listed allergies or reminding me that they’re due for their flu vaccination, and so from a population health standpoint and even from a patient care standpoint there are a lot of things that technology does for us, and you’re right, though, that the problem has been in existence for a while where we’re trying to figure out all these different moving parts and be as efficient as possible -- that problem has been around.

Now we have tools that we can use to help solve those problems so that we can bring technology to bear. The issue in the past couple of years with acceleration of adoption of a lot of different technologies, as healthcare starts to finally catch up to a lot of the rest of the world, the issue is this again this tension between security and convenience or efficiency, and the problem is that since we’re required to make sure that we’re absolutely compliant from a HIPAA standpoint we traditionally haven’t been able to use things like SMS texting because it’s not HIPAA compliant or secure and above all else we have to make sure we hit that threshold. So the solution we created was really due to feedback from hospitals saying we want this tool but it needs to be ironclad secure, and so we as a healthcare security company set about working on this as a solution to help address the pain that’s out, to say doctors and nurses want security and efficiency. If there is a tool that works they will do the right thing and use it, but it has to actually work and it has to actually be secure enough to satisfy the security officer at the hospital in order to be enabled on a hospital-wide basis and okayed for use by endpoint clinicians.

David Harlow: My readers and I are at varying levels of sophistication when it comes to the technical details behind this but I wonder if you could delve in a little bit and explain how the product or service achieves this level of security?

Sean Kelly: Sure, and my specific role is Chief Medical Officer and so I’m also not a security officer, I’m a workflow person and I understand workflow from the clinician’s perspective, but what we have done is we’re in conjunction with a lot of our partner hospitals to work with their security officers to make sure that we are compliant with their needs to be HIPAA compliant, and the long and the short of that is that instead of using just an SMS text platform where messages and pictures and everything else lives on the server or on the phone itself and is not HIPAA compliant what we’ve done is create a protected area within an app. So this is essentially an app that you download to the phone, users are enabled by the hospitals it syncs to their active directory and you can immediately enable or disable users on to the system and it’s configured in such a way that everybody that the hospital wants to be visible to each other on this network within this app can be visible to one another but if you’d like to remove somebody you can erase them immediately and all the Protected Health Information or PHI along with their conversations just go away -- no longer visible for that person, it lives within the app.

David Harlow: And then do the conversations reside on a hospital server of some sort?

Sean Kelly: So the conversations reside in the cloud on a server that is accessible only to the hospital. It’s encrypted so that the hospital is the only one who can see the protected health information within it. We will see usage stats and we will know messaging information about how much is being used and by whom in the hospital but we won’t see any of the information within that -- that’s encrypted and only visible to the hospital users themselves -- to the admin and to the end users within the hospitals, and for greater detail on the security measures involved I’d be happy to let readers or you hook up with people on our end that are experts, but our basic strategic process has been: let’s pick the information security officers that we know around the country and the world that are the most strict, make sure it meets their needs because if it meets their needs as to hospital IT then it will certainly meet the needs of the others who are less stringent out there and as long as it meets their needs and we’ve gone through that due diligence and we sign business agreements stating that we’re HIPAA compliant as a vendor, then hospitals are comfortable as per their policy to enable users on this, and then on the other end we want to make sure that we are creating the best user experience and the user satisfaction in a very healthcare centric way for the end users specifically physicians, nurses, administrators, other caregivers within the hospital.

David Harlow: Okay. You mentioned earlier that you’re focused on this from a workflow perspective and I’m wondering if there are other changes to workflow in your typical hospital - if there is such a thing - that could be looked at in order to alleviate some part of this problem that you’re trying to solve?

Sean Kelly: Yeah, I think the possibilities are certainly exciting. Once you have a platform in place that allows for control of your desktop and easier access in and out of systems throughout the desktop -- which is part of our core offering with single sign on and authentication and sort of a trust fabric of authentication -- and you have endpoints involved where you’re reaching out and those messages that get out sent out to endpoints like mobile devices and you’ve got providers within the network able to now have secure messaging back and forth now things get really interesting because you can really accelerate the provider’s ability to provide good care because you’re making their workflow much more efficient, and so this is where we’re actually the fun just gets started once people start to use it because then they realize, okay well there are these Meaningful Use guidelines or there are these problems as an Accountable Care Organization where we need to really enhance communication between our facilities when we do interfacility transfers, or we really need to make sure we prevent congestive heart failure readmissions and we think that the best way to do that is to facilitate communications between our case managers and our primary care doctors and our cardiologists so here is a package of communications that we could enable using CorText which is the secure messaging platform, along with some of our ability to automate which applications pop up when someone signs on in the cardiology unit and you could picture a hospital now structuring because they have just enough of these different secure collaboration communication tools to really create an interesting package that can be used as a template by different hospitals to address a particular clinical problem and just like someone comes up with a really good stethoscope and then it’s up to the caregivers to figure out how they’re going to best use it to care for a patient -- technical tools in a way are similar. We’ve created a very secure way of communications I don’t know that we’re going to try to tell doctors and nurses and hospitals this is how you should use it -- we can say here are examples of how we think it can be used work with us to tell us how it could be the most valuable to make your jobs easier and make your patients lives better so that’s sort of the goal.

David Harlow: Right - sounds good. Well it’s an exciting time and that’s a very interesting tool, set of tools that you’re developing. I thank you for taking the time to share with us today. This is David Harlow and I’m speaking with Sean Kelly, Chief Medical Officer of Imprivata. We’ve been talking about CorText, their secure texting service and related products as well. Thank you for listening on HealthBlawg.

April 23, 2013

Response to ONC RFI on advancing interoperability of EHRs and HIE

At last weekend's #healthfoo I proposed that one unconference session be devoted to preparing a comment letter responding to the ONC RFI on Advancing Interoperability and Health Information Exchange.

We discussed three possible sub-regulatory changes (which is what ONC asked for), and reiterated the value of a specific regulatory change that would not require a new rulemaking process, because it may be incorporated into the final rule on patient access to lab results (draft rule released in 2011, no final rule yet).

Specifically, we proposed:

  • Leverage existing regulatory requirements by building meaningful use of EHRs and HIE into the lexicon of the health care facility surveyor; a Meaningful User should be cited with a deficiency specifically citing the EHR use or misuse or non-use if proper meaningful use would have eliminated the root cause of the deficiency.
  • Advance provider directories to support HIE by using the attestation process to link a provider's Direct address with other contact information in the National Plan and Provider Enumeration System (NPPES, NPI system).
  • Increase patient access and use of EHR information by developing patient education programs as well as improving usability of the patient interface.
  • Increase standards-based electronic exchange of lab results; see Keith Boone's reg change proposal and my reply to Farzad Mostashari's tweet ("Lawyers: Would this work?") about Keith's post.

Here is the Health Foo letter to ONC on its EHR interoperability RFI.

The discussion that yielded this comment letter followed hard on the heels of a discussion about Meaningful Use Stage 3 facilitated by Claudia Williams of ONC, so we certainly hope that ONC is listening.

(Click on the image above to see Regina Holliday's painting, Open Doors, painted over the course of the unconference.)

I was also involved in the preparation of the ONC comment letter filed by the Society for Participatory Medicine, which covers most of the same ground, and also promotes adoption of Blue Button Plus as a means to empower patients to a degree that current systems do not allow.

These letters are addressed both to ONC and to CMS, in response to their joint request for information. This collaboration within HHS is encouraging, and it may well point to greater interest in leveraging EHRs within CMS. 

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 


March 17, 2013

Electronic Exchange of Lab Results: A social-media-prompted response to the ONC RFI on interoperability

The final question posed in the recent request for information posted by ONC reads as follows:

What specific HHS policy changes would significantly increase standards based electronic exchange of laboratory results?

Keith Boone, aka @motorcycle_guy, self-proclaimed GE standards geek and fellow member of the Society for Participatory Medicine, blogged about his thoughts on the subject in a post entitled: Promoting Laboratory Result Exchange through CLIA. Farzad Mostashari, aka @Farzad_ONC, the National Coordinator of Health IT, tweeted a link to Keith's post, asking lawyers whether this would work:

Jodi Daniel (Director of the Office of Policy Planning at ONC) and Keith (among others) retweeted the request, and Keith tweeted it directly to me, so I thought I'd weigh in on the question.

Keith observes in his post that labs do not receive any meaningful use incentive payments for making their reports standards-compliant, and suggests that other incentives might be useful:

Currently, laboratories covered under CLIA do not receive incentives for using standards specified under meaningful use. One of the requirements of clinical laboratories under CLIA is the production of a test report that meets requirements under 42 CFR 493, subsection 1291.

One possible way to promote use of the standards would be to provide a deeming clause in subsection 1291 such that if transmission of test results is performed with Health Information technology that has been certified to conform to the criteria in 45 CFR 170, subsection 314(b)(6) [ . . . ] could be an incentive for laboratories to use those standards.

I have a three-part response:

1.    ONC, in its RFI, specifically requested suggestions for sub-regulatory policy changes that could catalyze interoperability of EHRs. Keith's suggestion is a regulatory amendment.  However, since Farzad and Jodi have expressed an interest in this suggestion, and since there is a long-pending proposed rulemaking process out there connected to lab test results (see Lab Results for All! Of Data Liberation, Participatory Medicine, and Government 2.0), this flaw is not fatal, and the recommended change could be made through that rulemaking. In fact, it could help move that rulemaking along (it's been stalled since late 2011) by identifying a mechanism through which the lab test results may be communicated.

2.    The basic suggestion, which is to deem compliance with one standard to be compliance with another standard, is a reasonable one - assuming that the meaningful use standard for lab results applicable to inpatient EHRs (LOINC v. 2.40 + HL7 v. 2.5.1 + S&I Framework Lab Results Interface) referenced in 45 CFR 170.314(b)(6) is substantially equivalent to the lab test report standard in 42 CFR 493.1291. I would ask Keith to confirm that the two are substantially equivalent, or to explain in layman's terms the differences and why they are unimportant. 

3.    Related to item 2, the practical question remains: Given that labs are not provided a financial incentive by HHS to comply with interoperability standards, will the proposed deeming clause make it easier for them to do so? Are the meaningful use standards easier to meet than the lab test report standard? In other words, is the deeming clause enough of an incentive to motivate labs to conform to the meaningful use standard for lab results? I would want to know more about the current compliance profile of the clinical lab community. If labs are complying with the existing CLIA regulation lab test report standard, then perhaps we would want to flip the deeming around so that compliance with 42 CFR 1291 (CLIA) is deemed to satisfy 45 CFR 170.314(b)(6) (Meaningful Use). I'd be interested in feedback on this point from the clinical labs out there and the health care providers that deal with them on a regular basis on the issue of data transfer.

If the proposed change could increase the number of labs that are meaningful use standards compliant, and the labs could therefore significantly increase standards based exchange of lab results, then that would be a win.

I look forward to continuing the conversation with Keith and others and submitting a joint comment on the RFI to Farzad and Jodi. While they've asked for input via Twitter -- which I think is fantastic -- I assume they need to receive the input the old fashioned way so it can be made part of the record and all that.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting  

March 06, 2013

ONC releases RFI on catalyzing interoperability of EHRs at HIMSS13

Farzad Mostashari, National Coordinator for Health IT, announced the release of an ONC RFI at HIMSS today, entitled "Advancing Interoperability and Health Information Exchange," in order to identify ways in which ONC may accelerate interoperability of EMRs without any additional statutory or regulatory authority.

Per the summary of the ONC RFI:

HHS seeks input on a series of potential policy and programmatic changes to accelerate electronic health information exchange across providers, as well as new ideas that would be both effective and feasible to implement. To further accelerate and advance interoperability and health information exchange beyond what is currently being done through ONC programs and the EHR Incentive Program, HHS is considering a number of policy levers using existing authorities and programs.

There has been much discussion of interoperability at HIMSS, and there are probably at least as many perspectives on how to use the term as there are blind men's descriptions of an elephant. This ONC initiative dovetails nicely with private sector activities promoting interoperability (e.g., CommonWell Health Alliance and Verizon SUMS) though clearly all parties are coming at the issue from different perspectives, with different motivations, and on different timelines.

From the presser:

The goals build on the significant progress HHS and its partners have already made on expanding health information technology use. EHR adoption has tripled since 2010, increasing to 44 percent in 2012 and computerized physician order entry has more than doubled (increased 168 percent) since 2008. "The 2014 standards for electronic health records create the technical capacity for providers to be able to share information with each other and with the patient," said Dr. Mostashari. "Through the RFI, we are interested in hearing about policies that could provide an even greater business case for such information sharing."

In addition to seeking public input, the RFI also discusses several potential new policies and ideas to accelerate interoperability and exchange of a patient’s health information across care settings so that they can deliver better and more affordable care to their patients.

The full announcement, courtesy of HIBCtv: 

Farzad Mostashari - ONC press conference at #HIMSS13


ONC wants to encourage data sharing over data hoarding, and is asking broadly for input and ideas on how to improve the exchange of electronic health information through changes in payment policy, tweaks to existing programs, focus on provider sectors with low uptake of EHRs, leverage conditions of participation for post-acute care providers, attention to patient access and use of their data in managing their care, and improvements in standards for electronic exchange of information and standards based electronic exchange of lab results.  

The RFI calls more specifically for responses in the following ten categories:

1. What changes in payment policy would have the most impact on the electronic exchange of health information, particularly among those organizations that are market competitors? 

2. Which of the following programs are having the greatest impact on encouraging electronic health information exchange: Hospital readmission payment adjustments, value-based purchasing, bundled payments, ACOs, Medicare Advantage, Medicare and Medicaid EHR Incentive Programs (Meaningful Use), or medical/health homes? Are there any aspects of the design or implementation of these programs that are limiting their potential impact on encouraging care coordination and quality improvement across settings of care and among organizations that are market competitors?

3. To what extent do current CMS payment policies encourage or impede electronic information exchange across health care provider organizations, particularly those that may be market competitors? Furthermore, what CMS and ONC programs and policies would specifically address the cultural and economic disincentives for HIE that result in “data lock-in” or restricting consumer and provider choice in services and providers? Are there specific ways in which providers and vendors could be encouraged to send, receive, and integrate health information from other treating providers outside of their practice or system?

4. What CMS and ONC policies and programs would most impact post acute, long term care providers (institutional and HCBS) and behavioral health providers’ (for example, mental health and substance use disorders) exchange of health information, including electronic HIE, with other treating providers? How should these programs and policies be developed and/or implemented to maximize the impact on care coordination and quality improvement?

5. How could CMS and states use existing authorities to better support electronic and interoperable HIE among Medicare and Medicaid providers, including post acute, long-term care, and behavioral health providers?

6. How can CMS leverage regulatory requirements for acceptable quality in the operation of health care entities, such as conditions of participation for hospitals or requirements for SNFs, NFs, and home health to support and accelerate electronic, interoperable health information exchange? How could requirements for acceptable quality that involve health information exchange be phased in over time? How might compliance with any such regulatory requirements be best assessed and enforced, especially since specialized HIT knowledge may be required to make such assessments?

7. How could the EHR Incentives Program advance provider directories that would support exchange of health information between Eligible Professionals participating in the program? For example, could the attestation process capture provider identifiers that could be accessed to enable exchange among participating EPs?

8. How can the new authorities under the Affordable Care Act for CMS to test, evaluate, and scale innovative payment and service delivery models best accelerate standards-based electronic HIE across treating providers?

9. What CMS and ONC policies and programs would most impact patient access and use of their electronic health information in the management of their care and health?
How should CMS and ONC develop, refine and/or implement policies and programs to maximize beneficiary access to their health information and engagement in their care?

10. What specific HHS policy changes would significantly increase standards based electronic exchange of laboratory results?

I would encourage interested stakeholders to participate in this Government 2.0 example of crowdsourcing sub-regulatory guidance over the next six weeks (the comment period closed April 21).

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

March 04, 2013

Interoperability Unbound: CommonWell Health Alliance unveiled at HIMSS

Today, six EHR companies announced their formation of the CommonWell Health Alliance to promote seamless interoperability of electronic health records.

From the presser:

Top health care information technology (HIT) companies Cerner, McKesson, Allscripts, athenahealth, Greenway Medical Technologies® and RelayHealth announced today the launch of the CommonWell Health Alliance™, planned to be an independent not-for-profit organization that will support universal, trusted access to health care data through seamless interoperability. This historic effort is aimed at improving the quality of care delivery while working to lower costs for care providers, patients and the industry as a whole.

The Alliance intends to be a collaborative effort of suppliers who are focused on achieving data liquidity between systems, in compliance with patient authorizations. The Alliance will define, promote and certify a national infrastructure with common platforms and policies. It also will ensure that HIT products displaying the Alliance seal are certified to work on the national infrastructure.


Elements of the Alliance’s national infrastructure will be tested in a local pilot within the next year. Early components will include the following core services:

  • Cross-entity patient linking and matching services: Help developers and providers link and match patients as they transition through care facilities, regardless of the underlying software system
  • Patient consent and data access management: Foster HIPAA-compliant and simple patient-centered management of data sharing consents and authorizations
  • Patient record locator and directed query services: Help providers deliver a history of recent patient care encounters, and, with appropriate authorization, patient data across multiple providers and episodes of care

E-Patient Dave greeted this news warmly at As I commented over there:

Promoting greater interoperability of electronic health records is one of the goals of the meaningful use regulations. Unfortunately, because of a combination of factors the standards for interoperability leave something to be desired, both in the stage 2 regulations and in the draft stage 3 standards. One factor is the tight deadline under the law for achieving meaningful use, and the other is the determination of the federal government to get as many folks qualified for meaningful use incentive payments as possible — both factors tend to reduce the strength of the criteria against which EHR systems are judged.

The Direct project and other initiatives can already point to some success in this arena.

More meaningful success in this arena, however, has been left up to individual EHR vendors. The development of this new alliance is not, strictly speaking, in response to a regulatory requirement or deadline. So the question arises: Why now? The answer is that the EHR vendors must see a competitive advantage in banding together in this way, and this changed view of the world may be credited, in part, to the demands of patients (and clinicians) for interoperable EHRs and all the benefits that are supposed to flow from their ubiquitous appearance.

Let’s not forget that one revenue stream for cloud-based EHR vendors may be licensing the use of de-identified patient data (license fees to be shared with, or perhaps retained entirely by, providers). And let’s not forget that one source of the growth in our collective knowledge, and improved evidence-based medicine, will be the licensed use of such data by third parties who aggregate and analyze data extracted from EHRs.

Bottom line: it appears to me that the EHR vendors are acting based on a multiplicity of motives; it is gratifying to know that at least one of these motives is related to market demands generated by consumers.

This is a promising step, but in some respects it appears to be a defensive maneuver directed at a dominant "big iron" EHR vendor notably absent from the group (Epic). There will probably still be work to be done by interoperability standards committees beyond the Alliance.

Update 3/5/2013: Verizon announced its Secure Universal Messaging Service (SUMS) at HIMSS. It is essentially a secure email-like system that allows for sharing of attachments. The security is also applied at the user registration level: you need an NPI or DEA number to get an account. The service is in beta now. Like Direct, it leaves something to be desired in terms of robust functionality; on the other hand, it's here now and it appears to work.

What do you think?

Interestingly, one of these vendors (athenahealth) also announced at HIMSS an HIT Code of Conduct, calling on all vendors to meet its provisions as a way to respond to National Coordinator for Health IT Farzad Mostashari's recent challenge to the industry to go beyond what is required by regulation in building the health IT of the future. Specifically, the presser identifies the following core elements:

  • Empower Data Portability and Provider Choice
  • Build a True Nationwide Information Backbone
  • Protect Patients
  • Prevent Fraud
  • Drive Meaningful Use

Other vendors at HIMSS announced the formation of the imPatient Movement, advocating for data portability.

Again, these developments are all driven by the evolution in the national conversation about health IT and a growing recognition of the need for patient-centric solutions.


January 15, 2013

Meaningful Use Stage 3 – Society for Participatory Medicine Comments on Proposed Objectives

The Health IT Policy Committee of the Office of the National Coordinator of Health IT released its proposed Stage 3 objectives for Meaningful Use.  "Eligible Providers" that meet these objectives share in the federal electronic health record incentive program under the HITECH Act.  (Learn more at; here's some more background on the Stage 1 Meaningful Use regs.)

The Committee wrote that it saw the release of these draft objectives as an opportunity “to begin to transition from a setting-specific focus to a collaborative, patient- and family-centric approach.”

The Society for Participatory Medicine filed comments on the draft Meaningful Use  Stage 3 objectives, saying: "We endorse the proposals that further this goal, and offer some focused recommendations intended to ensure that the final regulations are in fact designed to help achieve this goal."

One of the key issues presented in this draft is the opportunity afforded to patients to correct misinformation in their medical records.  The Society's comment:

We feel that patients should be involved in amending, reconciling, and correcting errors in their medical records. Making this possible will require EHRs that support patient assistance, patient portals or other mechanisms for patients to do this online, and workflow tools for both providers and patients. We propose that ONC establish additional working groups or technical expert panels to study these issues and establish relevant standards.

The Society also responded to the Committee's request for information on the use of patient-generated data, endorsing its use, and noting that: "The patient is the most highly qualified expert on his or her own health, and his or her own experience of the health care system."

I invite you to peruse the proposal and comment letter linked to above. Again, the perspective on these matters espoused by the U.S. government agency is that we need to focus on enabling provider-patient collaboration. The Society approves.

A special thanks to Adrian Gropper, M.D., of the Society's Public Policy Committee, and to the members of the Society's Executive Committee, for their contributions to the review and comment process.


This post first appeared on, the blog of the Society for Participatory Medicine. David Harlow chairs the Society's Public Policy Committee.

December 07, 2012

Data Breach Analysis 2009-2012 - HITECH Experience Reviewed by HITRUST

In the first three years that the HITECH data breach notification rules have been in effect (September 2009 - September 2012), almost 500 breaches affecting more than 500 individuals have been reported.  As of this spring, over 57,000 data breaches affecting fewer than 500 individuals have been reported.

Courtesy of HITRUST (Health IT Trust Alliance)

The key takeaways:

  • Most data breaches are accounted for by theft or loss (2/3 of breaches, over 4/5 of breached records); the balance are accounted for by unauthorized access or disclosure, incorrect mailing, hacking and improper disposal 
  • Hacks are on the rise, and given the likely underreporting of all breaches and the ease with which theft and loss of devices and records are detected, chances are that security improvement efforts are not being targeted appropriately
  • The weak links for most data breaches are laptops, paper records and mobile media (3/4 of breaches, 2/3 of records); the balance are from desktop computers, network servers and system applications
  • The trend in number of data breaches over time is encouraging, but there have been upticks in late 2011 and early 2012 
  • Hospitals, health plans and business associates are getting better at securing their data over time; physician practices are getting a little worse, particularly in smaller practices, which, since they are often linked to community hospital EHRs, expose the hospitals as well
  • Government sector breaches account for a large percentage of the whole (check out the OIG report on CMS data breaches under HITECH for a glimpse of one sliver of this problem)

The full report is worth reading.  Also: see more from HealthBlawg on HIPAA, HITECH and data breaches.


October 24, 2012

MGMA 2012 Annual Conference - Small Steps, Big Changes

I spent a couple days this week at the annual meeting of the Medical Group Management Association, in San Antonio.  I had the opportunity to speak about health care social media to an engaged crowd (see synopsis here), and to attend a number of other interesting sessions.  As always, the hallway conversations, chats with vendors in and around the trade show booths, and the twitter back channel were among the most interesting parts of the experience. This meeting is larger than most that I tend to go to -- over 5000 attendees -- and there was quite a variety to the sessions -- ranging from the typical education sessions in parallel tracks, to general sessions with speakers who are as much performers as anything else, to presentations by sponsors/exhibitors both on-site and off-site. I encourage you to dip into the #MGMA12 tweetstream to get the full effect, and a better sense of the variety of what was on offer in San Antonio. 

Some folks with greater intestinal fortitude and more staying power than I can lay claim to -- including @IngaHIStalk -- made it to all of the vendor parties Monday evening. I was happy to make it to one, where Jonathan Bush of athenahealth was in fine form, braying as usual about the strength of his company's offerings and financial performance, and even donning WWF garb as athenaLibre to take on "The Meaningful Abuser."

One of the key takeaways from the meeting for me is confirmation of the introduction that I often include when I speak outside of the Boston area -- I'm from the future.  Many basic assumptions that I have about the way health care works, the direction it's headed, and the things government does to it along the way are not necessarily built in to everyone's baseline thoughts about the health care environment.  National health reform is based in large part on the Massachusetts experience to date, and Part 3 of Massachusetts health reform is just getting underway, with a move towards limits on the growth of the health care spend (Mass. GDP +1%), ACOs for all, and an abandonment of fee-for-service reimbursement. These developments are necessary because we must all focus on improving quality while reducing cost. We will first begin to control the rate of growth in health care reimbursement, and then reimbursement levels will be heading inexorably downward. We can't wait until the health care spend cracks 20% of GDP. In order to address these hard truths, many theories and services and products are cropping up -- and they were all on offer at MGMA 2012.

All the companies whose names begin with a lower-case "e" or are invented words were there to pitch their visions of integrated electronic management of the physician practice: including its patients, patient records, business intelligence, billing and collections. Meaningful use of certified electronic health records is just the tip of the iceberg.

They, and payor representatives, and a cadre of consultants, were there to highlight the many different ways in which practices need to get a handle on their patients, their patients' needs, their chronic and acute conditions, and the management of their care.  After all, doing so will contain costs, improve quality, reduce the need for hospitalizations, etc. Many tools and techniques were discussed to help achieve the goal of improved communications with patients, which can improve the care that is delivered (and also to do things like reduce missed appointments, which add unreimbursed costs to the system), and improve patient compliance with physician recommendations for the lifestyle changes that are the key to reducing cost, improving quality, and improving health.

The American Hospital Association, American Medical Association, and Blue Cross Blue Shield Association representatives all said the things you might expect them to say (check out the tweetstream).  

Most practices represented at the conference seemed to be interested in maintaining their independence, even as speaker after speaker detailed the growth in numbers of hospital-owned practices (numbers bandied about ranged from 20% to 50% -- the twitterati, both on-site and off-site -- were able to confirm for me within minutes, with citations, that the 50% figure is closer to the mark; thank you @JMLineberger and @Cascadia).  One session, however, focused on the notion of increasing physician-hospital alignment through mechanisms other than practice acquisitions, and included several testimonials from the floor regarding the success of IPAs and PHOs from all over the country.  Speaking of alignment, I attended a good session on physician-hospital alignment presented by a representative of CHRISTUS Health, who was able to speak about her experience in building successful physician-hospital relationships.  (Again, check out the tweets for more detail.) It is a truism, but one of the general session speakers focused on the need to build trust as a prerequisite for physicians and hospitals to be able to work together productively. In general, many of the presentations and exhibitors were focused on the small, practical steps that practices need to take in order to succeed in the rapidly-changing current environment.

Some of my exhibit hall and hallway conversations with other speakers, attendees and vendors focused on the need for pathways to alignment other than practice acquisitions by hospitals, acquisitions by or mergers with other practices.  The proliferation of cloud-based software solutions brings sophisticated tools within reach of smaller practices, and enables them to participate "virtually" in the latest innovations in health care -- such as Accountable Care Organizations, both in the Medicare realm and in the commercial realm, by bringing powerful analytical resources to bear on the issues central to success in shared savings programs, including knowing one's costs and margins, and one's patients' profiles, and communicating with patients via text message, email, voice mail, per patient preference.  Since most physicians in the US (and among the MGMA's 13,000 members) are in groups of 10 or fewer physicians, the availability of these tools is a critical development.

I'll close with mention of two of the smaller companies whose services caught my eye in the exhibit hall -- MD Clarity and RegisterPatient.  Each is focused on a core offering with related items either already in the market or in the pipeline.  Each addresses a pain point in the experience of the physician practice, in a way that I have not seen elsewhere.

In my presentation about the risks and benefits of using social media in the health care realm, I asked (rhetorically) whether anyone in the room would want to have their patients post a prescription refill request on their practice's Facebook page, and suggested that if they didn't want that to happen, they should address the issue of what's OK and not OK to post in policies and procedures accessible to visitors to the Facebook page.  Well, RegisterPatient has built a Facebook app for prescription refills, and for making appointments, replicating the functionality of its own website, and also sets up Facebook pages for its clients (often small practices without websites), where the app may be accessed as a "tab."  Kudos to this firm for addressing this need and for working on related needs of the small practice.

MD Clarity brings me full circle, back to the latest piece of health reform in Massachusetts.  One section of the new law requires that, if asked by a patient before an elective visit or procedure, a health care provider must tell the patient the cost of the service to the patient (including the rate paid by the patient's insurance company, if applicable, and patient copays and deductibles) - within four business days.  (As an aside, let me just marvel at the notion that a significant sector of the nation's economy does not regularly quote prices or rates in advance of purchases, and in fact cannot do so on less than four business days' notice. As an aside to that aside, let me note that the American Hospital Association, in response to the draft Meaningful Use Stage 2 regulation which sought to establish a 36-48-hour timeline for making medical records available to patients upon request, replied that a 30-day timeline would be more reasonable. Some of us think that as soon as someone other than the clinician making the entry has access, the patient should have access.) MD Clarity allows a provider to provide the cost figures to a patient in real time, at the point of service.  A provider's payor contracts can be configured on this system, and patient enrollment, eligibility, deductible, copay and other information can be called up in real time. The information pulled by this product enables practices to improve the accuracy and timeliness of their billing and collections, and enables them to comply with laws such as the price transparency mandate in Massachusetts.

My story about MGMA 2012 ends here, but the bigger story about physician practices working towards success in an ever-changing environment continues.  Stay tuned.
