RFID Tags for Nurses, then Everybody?

June 22, 2010 by Frank Pasquale
Filed under: Privacy, Research, Transparency 

The recent City of Ontario v. Quon decision has had a mixed reception among privacy advocates. Though many are disappointed that employees’ privacy rights have once again been narrowed, some have discerned helpful dicta in the case. However, I worry that, whatever the drift of thought among swing justices, economic imperatives and cultural shifts will mean a lot less privacy in the workplace of the future. Health care in particular offers a few interesting bellwethers.

As an opinion piece by Theresa Brown explains, maintaining proper staffing levels in hospitals is becoming increasingly difficult. Surveillance systems are offering one way to address the problem; work can be performed more intensively and efficiently as it is recorded and studied. But such monitoring has many troubling implications, according to Torin Monahan (in his excellent book, Surveillance in a Time of Insecurity):

The tracking of people [via Radio Frequency Identification Tags] represents a . . . mechanism of surveillance and social control in hospital settings. This includes the tagging of patients and hospital staff. . . . When administrators demand the tagging of nurses themselves, the level of surveillance can become oppressive. . . . [because nurses face] labor intensification, job insecurity, undesired scrutiny, and privacy loss. . . . To date, such efforts at top-down micromanagement of staff by means of RFID have met with resistance. . . . One desired feature for nurses and others is an ‘off’ switch on each RFID badge so that they can take breaks without subjecting themselves to remote tracking. (122)

Like the “nannycam” employed by many a wary parent, the nurse-cam may be seen as a way to protect the vulnerable. It may also increase the accuracy of evidence in malpractice cases. On the other hand, inserting a tireless electronic eye to monitor what is already an extremely stressful job may create many unintended consequences, or deter people from going into nursing altogether. Even advocates of pervasive surveillance recognize these difficulties.

The increasing pressure to monitor what happens inside hospitals reminds me of a recent article by Thomas Goetz in Wired (no link yet) on Google co-founder Sergey Brin’s quest to find a cure for Parkinson’s disease. As Goetz describes it, a new form of “high-speed science” depends on rapid accumulation of as much data as possible:

In Brin’s way of thinking, each of our lives is a potential contribution to scientific insight. We all go about our days, making choices, eating things, taking medications, doing things—generating what is inelegantly called data exhaust. . . . With contemporary computing power, that data can be tracked and analyzed. “Any experience that we have or drug that we may take, all those things are individual pieces of information. Individually, they’re worthless, they’re anecdotal. But taken together they can be very powerful.” In computer science, the process of mining such large data sets for useful associations is known as a market-basket analysis.

Goetz has promoted this as a new way to “do science in the petabyte age.”

The Community Health Data Initiative Launched

[Ed. Note: HRW is pleased to introduce Katherine Matos to the blog. Katherine is a 3rd year student at Seton Hall Law and the principal inventor on a patent application in the field of medical imaging, resulting from her research as a student at Stevens Institute of Technology, from which she graduated with degrees in biomedical engineering and history. She has published work in Health Law Outlook and now serves as an Editor.]

On June 2, Health and Human Services (HHS) Secretary Kathleen Sebelius and Institute of Medicine (IOM) President Harvey Fineberg launched the Community Health Data Initiative (CHDI) at the IOM-sponsored Community Health Data Forum in Washington.[i] The CHDI resulted from a March 11 roundtable between HHS and IOM regarding the usefulness of HHS health data in developing consumer-based electronic health care applications.[ii] As one of five HHS Flagship initiatives, the CHDI is a public-private effort to “help Americans understand health and health care performance in their communities — and to help spark and facilitate action to improve performance.”

Ultimately, a network of community health data suppliers (beginning with HHS) and data appliers (private innovators) will work together to create applications that:

“(1) raise awareness of community health performance,

(2) increase pressure on decision makers to improve performance, and

(3) help facilitate and inform action to improve performance.”

U.S. Department of Health & Human Services, HHS Open Government Plan, page 60, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.

To begin the process, HHS will launch a new online Health Indicators Warehouse by the end of the year to provide the public with community health data, free of charge or any intellectual property constraint.[iii] “In every science-based endeavor, data are the key to the effective action,” said Dr. Fineberg at the Community Health Data Forum. “We need to make more creative and vigorous use of the data we generate now, and we need to create a demand-and-use cycle that will bring about even better information in the future.”[iv] While the National Center for Health Statistics continues to develop the Health Indicators Warehouse, an interim site with one downloadable data set has been made available on the CDC website.

When completed, hundreds (ultimately, thousands) of measures of health care quality, cost, access and public health will be downloadable in a standardized, structured format. “National, state, regional, and county health performance  on indicators such as rates of smoking, obesity, diabetes, access to healthy food, utilization of health care services” will be accessible in a single location.[v] Also, users will be able to sort data according to age, gender, race/ethnicity and income where available.

HHS is committed to personal privacy protection and confidentiality “as a fundamental principle governing the collection and use of data.” In any public data releases, individually identifiable information will be protected. Furthermore, HHS will incorporate new approaches to protect confidentiality while maintaining public access into its data release policies.[vi]

To complete the network, HHS is working with private parties, including technology innovators, researchers, companies, and health advocacy groups to utilize the data and provide feedback. “As a nation, we can and should harness the exploding creativity in our information technology and media sectors to help us get the most public benefit out of our data investments,” stated Secretary Sebelius.[vii]

In preparation for the Community Health Data Forum, developers such as Microsoft, Google, and Ingenix created software platforms for the presentation of health data.[viii] The Forum featured demonstrations of Web tools for citizen access to health performance data, dashboards for civic leaders to ascertain and improve community health, an online game for learning local health status facts, an enhanced internet search engine that integrates hospital performance data with search results, and mobile phone applications.[ix]

Finally, White House Chief Technology Officer, Aneesh Chopra, announced that the administration would host the 2010 Health 2.0 Developer Challenge with the support of HHS and the CHDI.[x] Health 2.0 will host a series of events including multi-disciplinary “code-a-thons,” culminating in the final Challenge at the Health 2.0 Annual Conference October 6-9, 2010.

References:

U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.

U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.

Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.


[i] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.

[ii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.

[iii] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html. U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.

[iv] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.

[v] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.

[vi] U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf, page 2.

[vii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.

[viii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.

[ix] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html

[x] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report,  June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.

Patient Safety and Quality Improvement: Civil Money Penalty Inflation Adjustment

May 14, 2010 by Guest Blogger
Filed under: EMR, Electronic Medical Records 

By: Constantina Koulosousas

The first manned balloon ascent on October 15, 1783, to a height of 25 meters. This ascent was made by the Marquis d'Arlandes and Pilatre de Rozier. In: "Histoire des Ballons et des Aeronautes Celebres," by Gaston Tissandier, 1887, p. VII.

The Patient Safety and Quality Improvement Rule was amended, effective November 23, 2009, by the Department of Health and Human Services to adjust the maximum civil money penalty amount for violations of the confidentiality provisions. The amount was adjusted for inflation to comply with the Federal Civil Penalties Inflation Adjustment Act of 1990. This amendment was carried out through direct final rule making, as HHS expected no significant adverse comments to the rule.

The Patient Safety and Quality Improvement Act of 2005 created a voluntary program for health care providers to share what is known as “patient safety work product” (PSWP), or any information relating to patient safety events and concerns with each other and Patient Safety Organizations (PSOs). The Department of Health and Human Services is required to maintain a listing of all PSOs.

The Act amended Title IX of the Public Health Service Act for the purpose of improving patient safety and quality of care. As with attorney work product, this information is privileged and confidential. While the program may be voluntary, a knowing or reckless violation of the confidentiality requirements of the Act can result in a civil money penalty of up to $10,000 for each violation, as assessed by the Office for Civil Rights.

The deterrence effect of the civil money penalties had been reduced by inflation. This caused Congress to enact the Inflation Adjustment Act. This Act requires Federal agencies to issue regulations adjusting each civil money penalty found within the Public Health Service Act within their jurisdiction, for inflation. The agencies are required to issue these regulations at least once every four years from July 29, 2005, the date of its enactment. The inflation amount is adjusted through a three-step process.

First, the agency must calculate an increase in the penalty amount by a “cost-of-living adjustment.” “Cost-of-living adjustment” is defined in the act as the percentage for each civil monetary penalty by which the Consumer Price Index for the month of June of the calendar year preceding the adjustment, exceeds the Consumer Price Index for the month of June of the calendar year in which the amount of such civil money penalty was last set or adjusted pursuant to law.

Second, the amount of increase must be rounded based on the size of the penalty as set forth in section 5(a) of the Act. Since the penalty in this case is $10,000, the increase is $1,000, making the final maximum penalty amount $11,000. Finally, the third step requires that a first adjustment be limited to 10 percent of the penalty amount. Accordingly, an $11,000 adjusted penalty is appropriate.

One great benefit of the Act is to make sure that the penalties assessed for such violations provide adequate deterrence to potential violators. This is done by periodically increasing the violation amount to account for inflation over time. Especially now, in the wake of massive health care reform and improvements in the use of Electronic Health Records, it is important to assure patients that their personal health information remains confidential and that a breach of this confidentiality requirement will result in steep monetary penalties.

On the other hand, many may argue that the increase in the penalty amount is not adequate. Since the Act imposes a 10% cap in addition to a standard chart for calculating the inflation, it may not always be completely in sync with the current economic environment. Further, these penalty amounts are only updated every four years, which leaves a significant gap in time.

Additionally, the slight increase in money penalties assessed will not do much to comfort patients that their health information is protected and confidential. Once the information gets out, there is no amount of money assessed as a violation that can remedy the breach and the damage which may have already been done. Further, to many of the entities involved in such violations, a $10,000 penalty may seem like an insignificant slap on the wrist.

The Act only punishes a “knowing or reckless” violation of the confidentiality provisions, so breaches that occur unintentionally will not subject physicians or PSOs to liability. This mental state requirement is especially important as electronic health record software gets ironed-out, to get rid of any technical issues or glitches that may arise in the course of implementing such a national electronic system.

Conversely, the “knowing or reckless” standard may pose some difficulties enforcing liability under the Act, as it may not always be easy to prove that the confidentiality breach was done with such a state of mind, or even where the disclosure came from.

Breach Notification for Unsecured Protected Health Information

May 6, 2010 by Guest Blogger
Filed under: EMR, Electronic Medical Records 

By: Michael R. Spaltro

Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.

Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key role in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.

Transmitting EHRs between an originating entity and the entity/infrastructure involved in research, development, and storage of EHRs, creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?

The Health Insurance Portability and Accountability Act (“HIPAA”) guards against unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or a health care clearinghouse, to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule permits a covered entity to use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.

Firewalls and other reasonable access controls are not impermeable. Earlier this year, an ultra sophisticated hack attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even if reasonable and appropriate safeguards are required. The access controls required by HIPAA in the Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.

Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate rules and regulations on breach notification for unsecured protected health information (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in cases of breach of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.

The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached — a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of their firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.

Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, so as to render it unrecoverable. Depending on the method used and size of the database, data deletion can take up to an hour.
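An added illustration of the deletion point above (not part of the original post and not NIST's procedure): a toy in-memory disk, using hypothetical names such as `ToyDisk` and `residue_on_medium`, shows that an ordinary delete removes only the file-table entry while one overwrite pass clears the stored bytes. It assumes a medium where writing a block replaces its previous contents in place.

```python
# Added illustration: a toy model of a storage medium, not a real file system.
# Assumption: writing a block replaces its old contents in place.

BLOCK = 16  # bytes per block in the toy medium


class ToyDisk:
    """Raw byte array (the medium) plus a file table (the file system)."""

    def __init__(self, n_blocks):
        self.raw = bytearray(n_blocks * BLOCK)
        self.free = list(range(n_blocks))
        self.table = {}  # file name -> (list of block numbers, length)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)  # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.table[name]  # KeyError once the entry is gone
        joined = b"".join(
            bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks
        )
        return joined[:length]

    def delete(self, name):
        """Ordinary delete: forget the entry, leave the bytes where they are."""
        blocks, _ = self.table.pop(name)
        self.free.extend(blocks)

    def delete_one_pass(self, name, fill=0x00):
        """Overwrite every block of the file once, then forget the entry."""
        blocks, _ = self.table.pop(name)
        for b in blocks:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes([fill]) * BLOCK
        self.free.extend(blocks)


def residue_on_medium(disk, marker):
    """Scan the raw medium, ignoring the file table, as a recovery tool would."""
    return marker in bytes(disk.raw)


def run_demo():
    # Constructed sample record; not real patient data.
    record = b"MRN=000000;NAME=SAMPLE PATIENT;DX=constructed"
    marker = b"SAMPLE PATIENT"

    plain = ToyDisk(8)
    plain.write_file("chart.rec", record)
    plain.delete("chart.rec")

    wiped = ToyDisk(8)
    wiped.write_file("chart.rec", record)
    wiped.delete_one_pass("chart.rec")

    return {
        "listed_after_delete": "chart.rec" in plain.table,
        "residue_after_delete": residue_on_medium(plain, marker),
        "residue_after_one_pass": residue_on_medium(wiped, marker),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On flash storage with wear leveling, an overwrite may land on different physical cells than the original data, so the in-place assumption does not always hold there.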

Second, and perhaps less straightforward, the NIST recommends data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software/hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it loses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equipped to recognize and decrypt the data. Thus, under any of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.

While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption is prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.

Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially deter business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.

Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.


[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech 103.

[2] Id. at

[3] Id. at

[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).

[5] See, Hoffman, supra note 1, at 113.

[6] 21 U.S.C. 355(k)(3). A qualified contract is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.

[7] See, HITECH, Pub. L. No. 111-5 Section 13401 and 13404.

[8] Special Publication 800-88, available at http://csrc.nist.gov.

[9] Special Publication 800-111, available at http://csrc.nist.gov.

[10] See, Hoffman, supra note 1, at 104.

Reform Rodeo

April 16, 2010 by Jordan T. Cohen
Filed under: Reform Rodeo 
Photo by David Monniaux

1. Duff Wilson of the New York Times discusses the lack of transparency with respect to industry’s payments to doctors.

2. John Halamka gives a nice overview of the various PPACA initiatives–including pilot programs–that involve HIT.

3. A group of lawyers discuss the impact that the recent Supreme Court decision in Citizens United could have on health care.

4. Matthew Holt at The Health Care Blog describes a new poll conducted about PHRs, and some of the results are surprising.

5. Health Affairs has a nice summary of a round table discussion on reforming CMS in the era of Don Berwick.

6. Jason Shafrin of the Health Care Economist gives an overview of a new paper by Basu and Philipson that questions some of the common assumptions of the economics of comparative effectiveness research.

Reform Rodeo: Latest News & Interviews; CER; the Constitution; HIT; Robotic Surgery

March 17, 2010 by Jordan T. Cohen
Filed under: Reform Rodeo 
Photo by David Monniaux

1. News: Kaiser Health News keeps you up to date by rounding up various stories on the Dems’ latest down-to-the-wire push on health reform. Their coverage of Representative Dennis Kucinich’s (and other reluctant Dems’) endorsement of the bill is here.

2. Betting on Health Care: The New York Times asks health wonks for opinions on the chances of passing health reform. Respondents include Robert Reich, former secretary of labor; Gail Wilensky, Project Hope; Paul Starr, professor of public policy; James C. Capretta, Ethics and Public Policy Center; Karen Davenport, Center for American Progress; Jacob S. Hacker, political science professor.

3. Evidence-based Medicine: A group at the New England Journal of Medicine proposes 5 steps to advance one of the most promising–yet often ignored–means of reforming our health care system: comparative effectiveness research.

4. Deem and Pass: Jonathan Adler at the Volokh Conspiracy discusses the constitutionality of the “deem and pass.” Regardless of its constitutionality, Ezra Klein exposes some factual inaccuracies in recent reporting on the tactic.

5. The Blues: The Pittsburgh Post-Gazette alerts us to a lawsuit by Highmark Inc. against the Pennsylvania Department of Insurance, which claims that the Department exceeded its authority when challenging Highmark’s proposed merger with Independence Blue Cross.

6. Meaningful Use Partial Credit: John Halamka at Life As A Healthcare CIO discusses the aggressive thresholds for meaningful use that have been set in the most recent rules, and what the HIT Policy Committee is doing to assuage those concerns.

7. Wild Card: A new TED talk about the current state of robotic surgery. An article covering the topic can be found here.

Reform Rodeo! The Summit, Speed Dating, and More.

February 24, 2010 by Jordan T. Cohen · 1 Comment
Filed under: Reform Rodeo 
Photo by David Monniaux

1. Summit!: Fretting about how to get your dose of tomorrow’s “summit”? Don’t worry, CSPAN has got you covered for the Health Care Summit that is kicking off at 10am.

2. Managed Care Meltdown?: Joe Paduda at Managed Care Matters points out that the Anthem rate increases have shown private insurers’ inability to control costs. What Paduda is missing in his piece is advice to private health insurers about how to manage costs without another “managed care backlash” like we had in the 1990s.

3. The Cost Conundrum’s Conundrum, or Just a Canard?: Maggie Mahar has a beef with the New York Times’ channeling of Dr. Bach’s New England Journal of Medicine article, where Dr. Bach criticized the  Dartmouth Atlas researchers’ methodology by claiming that they failed to risk adjust. Dr. Atul Gawande also believes the criticism is misplaced.

4. Health Care and Reconciliation are BFFs: NPR reports on a somewhat cozy relationship between reconciliation and previous health care initiatives.

5. What do speed dating and OB/GYN docs have in common? Kevin MD discusses how hospitals are utilizing speed dating techniques to match obstetricians with potential patients.

6. HIT, Yeah You Know Me: Dr. John Halamka shares a slew of handouts from the HIT Policy Committee’s recent meeting, as well as notes from a recent meeting of the HIT Standards Committee.

Google Buzz & Your Digital Health Doppelganger

February 18, 2010 by Jordan T. Cohen
Filed under: EMR, Electronic Medical Records 
A Couple Meeting Their Doppelgangers - Painting by Dante Gabriel Rossetti entitled "How They Met Themselves", Courtesy of The Athenaeum

At this point, it is fair to say that everyone has either heard or read about how Google’s latest foray into social networking, Google Buzz, has gotten off to a bumpy start due to privacy concerns. We can only speculate as to why Google failed to appreciate Buzz’s underwhelming privacy protections. Maybe Google was aware of the privacy issues but felt that they were outweighed by the “turn key” social network that would automatically be created by leveraging the user’s own Gmail contact list. Alternatively, Google may have simply not appreciated the privacy issues. Whether Buzz’s threats to privacy justified the immense firestorm that has occurred is beside the point. Regardless of whether the privacy concerns are justified, as consumers utilize social networking tools to a greater degree, they are becoming more aware of the potential privacy problems, and are becoming more vocal when they disapprove.

One of the more troubling aspects of Google Buzz was that  it automatically created a network of users in your Buzz social network based on the addresses you emailed most in Gmail. Buzz would then automatically start following those contacts. The issue was compounded by the fact that Google made the list of people you were following on Buzz public by default. This automatic follow-and-tell-the-world approach that piggybacked off of Gmail users’ contact list has since been tweaked. Currently, a user joining Buzz is offered suggestions of who to follow, and those whom they choose to follow are not broadcast for the world to see.

A hypothetical within the health care setting may serve to illustrate why this approach was problematic, and will also illustrate why social networking may have profound implications for our “digital health doppelganger.” Under the initial iteration of Buzz, physicians using Buzz who were following the Buzz feeds of their patients would, simply by using the service, make the names of those they were following public to all their other followers. In other words, a patient could see the names of all the individuals that their physician was following, including any who happen to be patients. This situation could be disastrous both personally and economically if the individual was being treated by a physician specializing in schizophrenia or HIV/AIDS–diseases that have, for whatever reason, become highly stigmatized and prone to various discriminatory responses. It is therefore clear that myriad privacy and confidentiality issues arise, including questions of whether such information would be considered protected health information under HIPAA. That the disclosure of fiduciary relationships is troublesome is nothing unique to health care: in the legal profession, the mere existence of an attorney-client relationship can be considered privileged information.

But back to Health IT, an area where our digital health doppelganger is progressing through its adolescence in a landscape of social networks, electronic health records, and a highly fragmented health care delivery system. A number of general areas of concern arise, including:

1) the online storage of our personal sensitive health information (e.g. in EHR and PHR databases, and Law Enforcement and “Fusion Centers”).

2) current modes of interfacing with our online health data (e.g. access viz. home computer, mobile phone, kiosks).

3) future modes of interfacing with our online health data (e.g. increasing mobile use, RFID, Smartcards, video playback of encounters).

4) how others will access and use our online health data (e.g. Primary care physician accessing our PHR, Site-wide access by Accountable Care Organizations, targeted advertising in PHRs based on the content found within the PHR service or services it can connect to).

5) how we will interact with the health data of others (e.g. PatientsLikeMe.com, increasing meta-analysis of health data available through future nationwide interoperable EHR systems).

6) how our increasingly digitized health care persona will exist alongside our professional and social personas.

Google and Microsoft offer immensely useful services, but ones that concomitantly force us to analyze these issues more deeply, particularly the last issue, which both feeds back into, and is affected by, each of the other issues. More than any other company, Google has sought to integrate its products to make communication and organization as seamless as possible. For example, the to-do list in Google Tasks is, not surprisingly, symbiotic with Google Calendar, while the latter service interfaces with Gmail by scanning the content of a user’s email for the telltale signs of future events and offering to add a calendar entry. For those of you not using Google, the right portion of the picture below illustrates how Google recognizes the contents of the email message and asks the Gmail user if she wants to add the event to her Google Calendar.

An Example of Google's Integration of Services. Notice how Gmail has scanned the content of the message, and on the right, asked the user if they would like to import it into Google Calendar. Photo From Google Operating System Blog

The simple example above makes it easy to imagine similar features being offered in PHRs like Google Health and Microsoft HealthVault–PHRs that are provided by entities that either offer social networking tools alongside their PHRs, or who plan to somehow utilize outside data that is available through other means. As consumers, we must determine how precocious we want our online health persona to be. It must be noted that there is nothing intrinsically wrong with this integration, and such integration certainly offers many benefits in providing better information to patients and physicians.

However, both Google and Microsoft are unique in that they are introducing personal health records to their users who have already ceded to them an extraordinary amount of highly personal information. This raises interesting questions that will test our willingness to integrate our social network with our health identity. For example, how should Google Wave–Google’s new hybrid email/chat service–be interfaced with Google Health? Furthermore, what status will a physician-patient conversation thread on Google Wave or Google Buzz be given? Is it more like a health record or a phone conversation? Would it be acceptable for Google Health to utilize health-related information that it recognizes within your Gmail messages? Even though Google has refrained from displaying targeted ads within Google Health, would the reverse be acceptable, whereby Gmail advertisements are determined based on Google Health data? Would it be inappropriate for Google Health to utilize information about your newly diagnosed diseases to connect you to health-related social networks such as PatientsLikeMe?

Users are likely to forget about Google Buzz’s initial oversights, especially in the short-attention span sphere that is the Internet. This is okay, so long as changes are made to appropriately address such glaring issues. We must, however, ensure that we tackle the much more difficult question of what limits to place on the subtle, yet no less powerful, forces that are altering the breadth of our increasingly digitized and integrated online persona.  For many of us, the personality of our digital health doppelganger is taking shape on our screens and our smartphones. Are we going to like what we see? And perhaps more importantly, will others?

Reform Rodeo

February 16, 2010 by Jordan T. Cohen
Filed under: Reform Rodeo 
Photo by David Monniaux

1. Principle or Posturing (or both)? –Kaiser Health News discusses the sudden plea from certain Senators for a reintroduction of the public plan into the Senate’s bill.

2. Starting From Scratch? — The Hill highlights polling indicating that many Americans favor scrapping the health bill and starting over, an option that President Obama has repeatedly said is not an option.

2a. Presidential Preemption? — Interestingly, the New York Times details the possibility of Obama posting his own health reform bill on the Internet ahead of the much-hyped health care summit. Could Obama use his “new” bill as evidence of a “fresh start” to appease Republicans?

3. Back to Basics — Maggie Mahar details the longstanding debate about whether health insurance actually saves lives.

4. Scoop on Standards — Dr. John Halamka, a physician who serves as CIO of Beth Israel Hospital and Chairman of the Health Information Technology Standards Panel (HITSP) at the ANSI, shares his thoughts on the vocabulary standards that will come to be the Esperanto of HIT.

5. HIT Funding — On February 12th, the first $1 billion of federal funding for HIT promised under the HITECH Act was made available, with $10.6 million going to Massachusetts for the creation of a health information exchange.

6. Health Reform “Casualty”: The New York Times reported that former Congressman-turned-head of PhRMA Billy Tauzin is resigning. Betting on the passage of health reform, Tauzin offered billions in concessions to the White House in exchange for, among other things, favorable patent exclusivity periods for pricey biologics.

7. Health 2.0 — The Health Care Blog reports on the purchase of online pain management company ReliefInSite.com by PatientsLikeMe.com–the popular patient web site which claims to be the “leading online community for patients with life-changing diseases.” Don’t be too surprised to see further growth of similar “Health 2.0” websites that seek to take advantage of the increasing digitization of health care delivery and research.

8. The Science Behind Reform — Stephen Novella at Science-Based Medicine revisits the question of the effectiveness of colonoscopies.

Things You Wanted to Know About the New HIT Standards But Were Too Afraid to Ask

February 8, 2010 by Jordan T. Cohen · 2 Comments
Filed under: EMR, Electronic Medical Records 

In a previous post I discussed the interim final rule (IFR) that was recently promulgated by the Office of the National Coordinator for Health Information Technology (ONC). The previous post discussed two of the four categories of standards in the IFR. This post will look at the final two categories. In order to appreciate the purpose of the final two standards, it is worth recapitulating the basic framework upon which the IFR is based.

The ONC’s framework for the standards is to first start with the meaningful use objectives. From the broad objectives of meaningful use, the ONC establishes certification criteria for these objectives. Based on the certification criteria, the ONC has adopted standards that would allow for an objective determination of whether the criteria have been met.

An example will help: One of the meaningful use objectives is “the capability to exchange key clinical information among providers of care and patient authorized entities electronically.”  To achieve this objective, “Certified EHRs” will have to meet the following criteria: “[The EHR system must] electronically receive a patient summary record, from other providers and organizations including, at a minimum, diagnostic test results, problem list, medication list, immunizations, and procedures and upon receipt of a patient summary record formatted in an alternative standard specified in Table 2A row 1, displaying it in human readable format.”

In order to guide EHR vendors (and purchasers) in fulfilling the above criteria–and likewise the larger meaningful use objective–the ONC has adopted a number of standards that EHRs must utilize in order to be certified. These standards fall into 4 general categories.

  1. Vocabulary Standards — The standardized nomenclatures and code sets used to describe clinical problems and procedures, medications and allergies.
  2. Content Exchange Standards –  The standards used to share clinical information such as clinical summaries, prescriptions, and structured electronic documents.
  3. Transport Standards — The standards used to establish a common, predictable, secure communication protocol between systems.
  4. Privacy and Security Standards — Standards relating to authentication, access control, and transmission security, which relate to and span across all of the other types of standards.

My previous post provided a general overview of the first two standards, the first of which specifies the language of “EHR speak,” while the second specifies standards giving that EHR vocabulary a predictable organization so as to ensure that different EHR systems can interpret the data.

In the previous post I used the analogy of the Bluebook style of citation to explain the content exchange standard and vocabulary standard. As you can see, the following two citations share the same basic organization (e.g. case name in italics, followed by the reporter volume number, name of the reporter, starting page of case, etc).

Wilson v. Mar. Overseas Corp., 150 F.3d 1 (1st Cir. 1998)

Orange County Agric. Soc’y, Inc. v. Comm’r, 893 F.2d 529 (2d Cir. 1990).

The content exchange standard is analogous to the order of the different elements of the citation. Regardless of the case, all Bluebook citations to federal court of appeals cases have this same basic organization. The part that changes is the vocabulary. As you can see in the cases above, two different reporters (publishers) have been used: F.3d and F.2d.  There are still only limited options for the vocabulary of court reporters.  Likewise, even though the organization of a patient’s record will remain constant, it will obviously consist of different terms depending on, among other things, the patient’s diagnosis and test results. The possible terms within the chart are determined by the vocabulary standards.

Essentially, the signifier and syntax standards are meant to save us from constructing a costly high-tech Tower of Babel. A sign (word, letter, number, symbol) displayed in a particular way must have an agreed to and discernible meaning.

With these two standards in mind, a brief overview of the latter two standards is possible.

Transport Standards

Though the data is sitting on server A in a structured format–governed by the content exchange and vocabulary standards discussed above–there is more that needs to occur for the data to be useful. For example, Computer A must “know” how to send a request for that data in a way that Computer B can understand. Likewise, Computer B must “know” how to respond to Computer A’s request, i.e., how to structure the response it will give to Computer A. This is where the third category of “transport standards” becomes important.

Luckily for us, one of the transport standards (SOAP) adopted by the ONC is the same standard used by LexisNexis. This allows us to continue our analogy.

When I log onto LexisNexis, I have the opportunity to enter a citation. The citation must be entered in the same basic order that the Bluebook citation provides. Therefore, utilizing the first case cited above, I would type in:

150 F.3d 1

The names of the parties in the case are not necessary since only one case occurs at a given page (page 1) of a reporter’s (F.3d) volume (150). If I submit that citation and Lexis recognizes it, Lexis will then display the case. The beautiful thing about Lexis (and Westlaw) is that the case data, like the citations, has a specified organization–analogous to the organization specified by content exchange standards. One discrete element common to all Lexis cases is a field listing the parties’ counsel. Let’s say that I am an iPhone application developer and I want to create a simple application that would allow a user with a Lexis account to type in a citation like the one above, and in response the program would output the opposing counsel field (as opposed to the whole case). My application would need to know how to trigger Lexis’s server to go and find that information in the database. Likewise, the Lexis database must know how to package and send that data back to the client application. Thus, the fact that Lexis organizes data like citations and counsel into organized fields with specific vocabulary is not sufficient. Rather, there must be a standard governing the requests for specific information, as well as how that information should be formatted and transmitted. This is the role of the “transport standards.”

The ONC adopted two alternative standards–the SOAP standard and the REST standard–to govern requests and responses between client and server computers. As stated above, the SOAP standard is used by Lexis (and other Internet sites) to allow other applications and services to be able to interact with it. That Lexis uses the same standard as that adopted in the HIT interim final rule helps to illustrate the broad nature of  transport standards. Unlike the content exchange and vocabulary standards that are unique to the practice of health care, the transport standards ensure that services wishing to interact with a server have an agreed upon framework by which to accomplish the interaction.  As becomes obvious from this discussion, ensuring the proper implementation of the transport standards is critical to meeting the meaningful use objective described earlier that dealt with exchanging clinical information among providers. Additionally, having a specified standard for requesting and receiving the data is crucial for personal health record (PHR) services that seek to interface with the databases of health care providers in order to retrieve and display certain information to the consumer of the PHR.
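The request/response exchange described above, as an added example (not code from the post, and not the actual LexisNexis or ONC interface): a client asks a hypothetical case-lookup service for one field, and the server validates the request and answers inside a SOAP 1.1 envelope. The `urn:example:case-lookup` namespace, the `GetCounsel` operation and the stored counsel value are assumptions made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC = "urn:example:case-lookup"                     # hypothetical service namespace
ET.register_namespace("soap", SOAP)

# Constructed stand-in for the server's database: citation -> counsel field.
COUNSEL = {"150 F.3d 1": "Counsel of record (constructed sample value)"}
# Volume, reporter, first page: the only shape the server will look up.
CITATION = re.compile(r"\d{1,4} F\.(?:2d|3d)? \d{1,5}")


def wrap(child):
    """Put one element inside a SOAP Envelope/Body and serialize it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(child)
    return ET.tostring(env)


def build_request(citation):
    """Client side: ask for the counsel field of one cited case."""
    op = ET.Element(f"{{{SVC}}}GetCounsel")
    ET.SubElement(op, f"{{{SVC}}}citation").text = citation
    return wrap(op)


def fault(code, text):
    """Server side: a SOAP 1.1 Fault that says what was wrong, nothing more."""
    f = ET.Element(f"{{{SOAP}}}Fault")
    ET.SubElement(f, "faultcode").text = code
    ET.SubElement(f, "faultstring").text = text
    return wrap(f)


def handle(raw):
    """Server side: parse the request, validate it, answer in the agreed format."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return fault("soap:Client", "malformed XML")
    node = root.find(f"{{{SOAP}}}Body/{{{SVC}}}GetCounsel/{{{SVC}}}citation")
    citation = (node.text or "").strip() if node is not None else ""
    # Reject anything that is not a plain citation before touching the data store.
    if not CITATION.fullmatch(citation):
        return fault("soap:Client", "citation must be: volume reporter page")
    if citation not in COUNSEL:
        return fault("soap:Client", "no case at that citation")
    resp = ET.Element(f"{{{SVC}}}GetCounselResponse")
    ET.SubElement(resp, f"{{{SVC}}}counsel").text = COUNSEL[citation]
    return wrap(resp)


def lookup_counsel(citation, send=handle):
    """Client side: one round trip; `send` stands in for the HTTP POST."""
    body = ET.fromstring(send(build_request(citation))).find(f"{{{SOAP}}}Body")
    f = body.find(f"{{{SOAP}}}Fault")
    if f is not None:
        raise LookupError(f.findtext("faultstring"))
    return body.findtext(f"{{{SVC}}}GetCounselResponse/{{{SVC}}}counsel")


if __name__ == "__main__":
    print(build_request("150 F.3d 1").decode())
    print(lookup_counsel("150 F.3d 1"))
```

Both sides depend only on the envelope and the agreed element names, which is why the same transport works whether the payload is a case record or a patient summary.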

Privacy and Security Standards

The fourth group of standards deals with privacy and security, and for the most part, this part of the IFR is straightforward. The reason for the straightforwardness is that the ONC has decided to model its privacy and security criteria on HIPAA’s Privacy and Security Rules. Therefore, there are no real surprises. With that said, the HITECH Act does direct the various HIT committees as well as the ONC to look at capabilities beyond those specified in the HIPAA Security Rule. Thus, even though the IFR does not change the privacy and security landscape in any major way, there is no promise that things won’t change in the future.

Specifically,  the ONC has adopted standards for certain aspects of HIPAA but not others. For example, standards have been adopted for the encryption of data, but not for “access control” measures that are used to prevent unauthorized access at computer terminals connected to EHR systems. The ONC’s rationale is that the methods of regulating access are evolving at a rapid pace, whereas there are industry best practices available for encrypting information. As a result, the ONC requires all certified EHR systems to be capable of encrypting their data. This is somewhat remarkable given that HIPAA and HITECH do not require all entities to use encryption. The ONC believes that this capability will spur the use of encryption by making it available to all consumers of certified EHR systems. Furthermore, the implementation of encryption by HIPAA covered entities is important because it acts as a safe harbor, relieving them of the responsibility of having to report a data breach.

As Table 2B shows, the ONC distinguishes between the general encryption of stored data on the one hand and the encryption of transmitted data on the other hand.

Table 2B

The ONC has stated numerous times that the IFR in no way changes the responsibilities of covered entities or business associates under HIPAA (and HITECH). Rather, it solely concerns the capabilities of certified EHR systems.

An Overview of the New Federal Standards Governing Health Information Technology (Part 1)

January 28, 2010 by Jordan T. Cohen · 2 Comments
Filed under: EMR, Electronic Medical Records 

Those hoping for health reform have recently had a bad stretch of luck. I am here to report that movement in the reform process is certain in one area: health information technology (HIT). It may not be the sexiest topic in health care, but as David Blumenthal, the director of the Office of the National Coordinator for Health Information Technology (ONC), noted in his piece for the New England Journal of Medicine, “[i]nformation is the lifeblood of modern medicine. Health information technology (HIT) is destined to be its circulatory system.” The ONC recently released an interim final rule (IFR) for HIT standards. CMS released a notice of proposed rule making (NPRM) that describes how Electronic Health Records (EHRs) are to be put to “meaningful use.” The context of both of these rules is the incentive-based program that the federal government has created. The goal of this program is to spur the creation of a sustainable and interoperable nationwide network of EHRs.

As opposed to describing every detail of the ONC’s interim final rule, I think it would be more valuable to broadly discuss the general standards that the government has decided upon, and then describe those standards so that the reader has a general idea of what these standards are.

Two Tables are Primary Reference for Understanding the Rule

So what did the ONC determine? The easiest way to tease out the big picture is to refer to two tables (Table 1 and Table 2A) that are buried within the IFR.

The two tables have been extracted from the pdf for ease of reference. Table 1 can be found here (pdf). Table 2A can be found here (pdf).

The full IFR can be found here in pdf or here in html.

Using the tables to decode the IFR

Table 1 has three columns. The column on the left consists of the stage 1 meaningful use objectives that were issued by CMS and which serve to govern the purpose and capabilities of EHRs at a broad level. (For background on CMS’s proposed guidelines for meaningful use, see my earlier post here). The two columns on the right of Table 1 are the ONC’s certification criteria. These criteria have been created in order to support CMS’s meaningful use objectives. The middle column corresponds to the criteria for non-hospital providers–referred to as eligible professionals–such as non-hospital-based physicians. The rightmost column corresponds to the criteria for hospitals (referred to as eligible hospitals). These two groups, eligible professionals and eligible hospitals, are eligible in the sense that they are eligible for reimbursement in exchange for the meaningful use of EHR technology.

Table 2 is the final piece of the puzzle, laying out the standards that the ONC has adopted. The standards are the nitty gritty details of the broader certification criteria that support the even broader meaningful use objectives. Thus, we have a framework for our standards: start with the meaningful use objectives, establish certification criteria for these objectives, and then specify the standards that would allow for an objective determination of whether the criteria have been met.

With these tables in hand, it is possible to delve a bit deeper into the ONC’s vision of HIT.

Three Important Phrases: “Certified EHR Technology”, “Complete EHR”, and “EHR Module”

The regulations utilize the phrases “Certified EHR Technology”, “Complete EHR,” and “EHR Module” in an effort to implement flexible standards that can evolve as the standards continue to evolve. This idea of the rules evolving is a common theme, and it cannot be stressed enough that the ONC has gone to great pains to balance the predictability of constrained EHR standards with the dynamism of the evolving standards landscape.

Terms

  • Qualified EHR: an electronic record of health-related information on an individual that:
    • (A) Includes patient demographic and clinical health information, such as medical history and problem lists; and
    • (B) has the capacity:
      • (i) To provide clinical decision support;
      • (ii) to support physician order entry;
      • (iii) to capture and query information relevant to health care quality; and
      • (iv) to exchange electronic health information with, and integrate such information from, other sources.
  • Certified EHR Technology: A Complete EHR or a combination of EHR Modules, each of which:
    1. Meets the requirements included in the definition of a Qualified EHR; and
    2. has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary.
  • Complete EHR: EHR technology that has been developed to meet all applicable certification criteria adopted by the Secretary.
  • EHR Module:  any service, component, or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary. Examples:  Interface or other software program that provides the capability to exchange electronic health information; An open source software program that enables individuals online access to certain health information maintained by EHR technology; A clinical decision support rules engine; A software program used to submit public health information to public health authorities; and, A quality measure reporting service or software program.

In order to allow for flexibility, the ONC does not require that “Certified EHR technology” be a complete “turn key” system. Rather, the ONC allows for two different types of “Certified EHR Technology.” On the one hand you have “Complete EHRs,” which are “turn key” solutions in that a complete EHR meets the broad functional requirements of a qualified EHR and all of the certification criteria listed in Table 1 (see link to Table 1 pdf above). On the other hand, “Certified EHR Technology” may also consist of a combination of modules, as long as the combination of modules meets the broad functional requirements of a “Qualified EHR,” and the modules together satisfy all of the certification criteria. Thus, physicians and hospitals retain flexibility in how they implement technology to achieve meaningful use.

The Adopted Standards

The ONC has grouped the standards into four groups:

  1. Vocabulary Standards — The standardized nomenclatures and code sets used to describe clinical problems and procedures, medications and allergies.
  2. Content Exchange Standards –  The standards used to share clinical information such as clinical summaries, prescriptions, and structured electronic documents.
  3. Transport Standards — The standards used to establish a common, predictable, secure communication protocol between systems.
  4. Privacy and Security Standards — Standards relating to authentication, access control, and transmission security, which relate to and span across all of the other types of standards.

Content Exchange Standards

Table 2A describes the first 2 categories. It is actually most helpful to initially discuss the second category: the content exchange standards. The content exchange standard can be thought of as the rules that constrain the shape and form of the data. In other words, it concerns how the data is structured. A standardization of the structure is necessary so that different computer systems can predictably send and receive data that is organized in a predictable format. A rough analogy can be made to the Bluebook citation standards which specify the organization of legal citations. Regardless of the court reporter being used, all Bluebook citations to federal court cases have the same basic organization (e.g. case name in italics, followed by the reporter, starting page, etc). Whereas a law school journal may only accept the Bluebook standard, the ONC has decided to allow for two standards: Health Level Seven (HL7) Clinical Document Architecture (CDA) Release 2 (R2) Level 2 CCD or ASTM CCR. Again, the ONC has sought flexibility in the initial stage of the certification process by allowing for multiple standards to be used. As noted in Table 2A, the ONC will eventually decide on one of these standards. It should be noted that if HL7 is picked, the ASTM standard can be “mapped” onto HL7 so that systems using ASTM can become interoperable with HL7-based systems.

The first standard is referred to as HL7 CDA R2 CCD. Though the name is intimidating, it is not very difficult to explain. HL7 is an international health care standards organization. The Clinical Document Architecture part of the name serves to identify that we are dealing with HL7’s standards regarding the organization of clinical documents that are sent and received electronically. It is necessary to specify CDA because HL7 has released other standards. The R2 refers to the fact that it is a second version of the standard. The CCD stands for Continuity of Care Document, and identifies that the standard deals with a constrained amount of health information–specifically, the information necessary to create a summary of a patient’s medical history.

Vocabulary Standards

To go back to the Bluebook analogy, the Bluebook must do more than specify the organization of the information in a citation. Additionally, it must specify the actual content that can be represented. For example, the vocabulary of the reporter of a federal appeals case consists of F. or F.2d or F.3d. Likewise, the vocabulary of EHRs must be standardized. The standards adopted for the vocabulary are listed in Table 2A. There are a variety of different standards that have been adopted, including ICD-9, SNOMED, and LOINC. Some of these standards are in competition, and as Table 2A shows, the ONC’s position on competing standards will change in Stage 2 of Meaningful Use. For example, the vocabulary for medications will become more restrictive in Stage 2. However, some standards are not in competition, but are independent and describe wholly different aspects of medicine. For example, RxNorm describes medications but says nothing about laboratory test results, which is the domain of the LOINC vocabulary.
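How the two layers fit together in an actual record, as an added example (not code from the post or from the ONC): the parser below walks a constructed, heavily trimmed CCD and reports which vocabulary each coded entry uses. The sample document, the `LOCAL-0042` code with its `1.2.3.4.5` code system, and the per-section sets of accepted vocabularies are assumptions for illustration; Table 2A remains the authority on what is accepted.

```python
import xml.etree.ElementTree as ET

NS = {"cda": "urn:hl7-org:v3"}
LOINC_OID = "2.16.840.1.113883.6.1"
# OIDs that identify the vocabularies named in the post.
VOCABULARIES = {
    LOINC_OID: "LOINC",
    "2.16.840.1.113883.6.96": "SNOMED CT",
    "2.16.840.1.113883.6.103": "ICD-9-CM",
    "2.16.840.1.113883.6.88": "RxNorm",
}
# Section LOINC code -> (label, path to the coded concept, vocabularies accepted).
# The accepted sets are an assumption for this example; Table 2A is authoritative.
SECTIONS = {
    "11450-4": ("problems", ".//cda:observation/cda:value", {"SNOMED CT", "ICD-9-CM"}),
    "10160-0": ("medications", ".//cda:manufacturedMaterial/cda:code", {"RxNorm"}),
    "30954-2": ("results", ".//cda:observation/cda:code", {"LOINC"}),
}

# Constructed sample record (not real patient data), trimmed to the coded parts.
SAMPLE_CCD = b"""<?xml version="1.0" encoding="UTF-8"?>
<ClinicalDocument xmlns="urn:hl7-org:v3"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <component><structuredBody>
  <component><section>
   <code code="11450-4" codeSystem="2.16.840.1.113883.6.1"/>
   <entry><act><entryRelationship><observation>
    <value xsi:type="CD" code="38341003"
           codeSystem="2.16.840.1.113883.6.96" displayName="Hypertension"/>
   </observation></entryRelationship></act></entry>
   <entry><act><entryRelationship><observation>
    <value xsi:type="CD" code="250.00"
           codeSystem="2.16.840.1.113883.6.103" displayName="Diabetes mellitus"/>
   </observation></entryRelationship></act></entry>
  </section></component>
  <component><section>
   <code code="10160-0" codeSystem="2.16.840.1.113883.6.1"/>
   <entry><substanceAdministration><consumable><manufacturedProduct>
    <manufacturedMaterial>
     <code code="LOCAL-0042" codeSystem="1.2.3.4.5" displayName="Amlodipine 5 mg"/>
    </manufacturedMaterial>
   </manufacturedProduct></consumable></substanceAdministration></entry>
  </section></component>
  <component><section>
   <code code="30954-2" codeSystem="2.16.840.1.113883.6.1"/>
   <entry><organizer><component><observation>
    <code code="2345-7" codeSystem="2.16.840.1.113883.6.1" displayName="Glucose"/>
    <value xsi:type="PQ" value="98" unit="mg/dL"/>
   </observation></component></organizer></entry>
  </section></component>
 </structuredBody></component>
</ClinicalDocument>"""


def coded_entries(raw: bytes):
    """Return one dict per coded concept found in the sections listed above."""
    # The record arrives from another organization, so refuse DTDs outright:
    # a patient summary has no need for entity declarations.
    if b"<!DOCTYPE" in raw:
        raise ValueError("DTD not accepted in a received record")
    root = ET.fromstring(raw)
    if root.tag != "{urn:hl7-org:v3}ClinicalDocument":
        raise ValueError("not a CDA ClinicalDocument")
    rows = []
    # Content exchange standard: where sections and entries sit in the tree.
    for section in root.iterfind(".//cda:structuredBody/cda:component/cda:section", NS):
        sec_code = section.find("cda:code", NS)
        if sec_code is None or sec_code.get("codeSystem") != LOINC_OID:
            continue
        spec = SECTIONS.get(sec_code.get("code"))
        if spec is None:
            continue
        label, path, accepted = spec
        # Vocabulary standard: which code system each entry draws its term from.
        for el in section.iterfind(path, NS):
            vocab = VOCABULARIES.get(el.get("codeSystem"), "unrecognized")
            rows.append({"section": label, "code": el.get("code"),
                         "vocabulary": vocab, "conforms": vocab in accepted})
    return rows


if __name__ == "__main__":
    for row in coded_entries(SAMPLE_CCD):
        print(row)
```

The medication entry is structurally valid CDA yet fails the vocabulary check, which is the case a receiving system has to catch: a well-formed document whose terms it cannot interpret.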

Hopefully the above discussion of the ONC’s adopted standards offers a foundation that allows for closer inspection of the IFR. The second part in this series will detail the two additional categories of standards, as well as other salient details of the IFR.

For additional information on the ONC’s rules, the following resources may be of interest:

The ONC’s most recent meeting, including mp3s of the meeting, can be found here.

General information about the ONC’s efforts with respect to the new standards can be found here.

Information about Clinical Data Architecture can be found here.

A solid overview of the new standards can be found here.


Reform Rodeo

January 22, 2010 by Jordan T. Cohen · 2 Comments
Filed under: Reform Rodeo 
Photo by David Monniaux


1a. Massachusetts: A blog post by Harold Pollack can be found here, discussing why 47 health policy experts have sent a letter urging the House to pass the Senate’s bill in the wake of Scott Brown’s upset victory.

1b. Interesting Poll of Brown Voters: As MoveOn.org’s poll reveals: “Nearly half (49%) of Obama voters who voted for Brown support the Senate health care bill or think it does not go far enough.”

2. Health Care Economics: David Herszenhorn at the New York Times discusses William J. Baumol’s theory of cost disease, and why it should give us pause in expecting too much from health care reform.

3. Health IT: Adrian Gropper M.D. describes the advantages of the OAuth system of linking electronic health record systems.

4. The Science Behind Reform: The NEJM has a short editorial describing the findings of a recent study that underscore the importance of lowering salt consumption; findings that associate reduced salt intake with public health benefits on the level of smoking cessation and weight reduction.

5. Individual Mandate Constitutionality Redux: At the O’Neill Institute, Mark Hall responds to the Constitutional argument that the individual mandate is unconstitutional because it regulates inactivity as opposed to activity.

6. Visualizing Health Care: Comments on a National Geographic piece apparently spurred National Geographic to discuss why they chose the plot on the top instead of the plot on the bottom.

Photo by National Geographic

CMS and HHS Release New Proposed Rules Governing Health IT – Part 1: Overview of Proposed Rule on “Meaningful Use”

Issues surrounding the implementation of health information technology (HIT) have not garnered anywhere near the amount of attention given to issues such as the public plan, the intersection of abortion and health insurance, pre-existing condition provisions, etc. There are a variety of reasons for this.

First, HIT is not as accessible as these other issues. Discussions of HIT often involve the heavy use of acronyms as well as technical jargon that can be intimidating and confusing. This will not likely change in the future. HIT will increase in complexity, especially as variegated computer systems used by providers and hospitals are to be linked together.

A second reason for the lack of coverage of HIT is that there have been few if any significant steps on the federal level towards implementing a national HIT system. As I will discuss below, this is beginning to change, and this change provides for an important New Year’s resolution that all of those interested in health policy should make: stay informed about the changes in the HIT landscape. To make this resolution easier, I will write a series of posts describing the changes.

One of the more recent changes occurred with the passing of the American Recovery and Reinvestment Act (ARRA), and more specifically, portions known as the Health Information Technology and Clinical Health Act (HITECH Act). The HITECH Act initiated, among other things, an incentive-driven paradigm for transforming our health information system. The general idea is that physicians and hospitals will be paid for using HIT. However, in order for this transformation to take place, guidelines must exist such that physicians, providers and vendors of HIT products understand how to operate within this new system.

On December 30th, 2009, CMS and the Office of the National Coordinator of Health and Human Services (ONC) released two rules. ONC released an interim final rule regarding the standards that will govern the Medicare and Medicaid incentive program. Additionally, CMS released its proposed rule on what is considered meaningful use.

The interim final rule regarding the standards can be found here.

The proposed rule regarding meaningful use can be found here.

Meaningful Use

CMS’s proposed rule on meaningful use is important because it defines how physicians and providers must implement HIT in order to qualify for CMS’s incentive payments for the use of such technology.  Much of the proposed rule is based on the HIT Policy Committee’s proposals on Meaningful Use, but comments had been solicited and incorporated from other committees, HIT vendors, and providers. The proposed rule states that incentive payments will begin in 2011, and that there will be two different payment methodologies: one for Medicare and one for Medicaid. Those receiving incentives must choose either the Medicaid or the Medicare plan. Furthermore, the rule states that hospitals and providers that are not meaningfully using HIT will have their payments from Medicare reduced, with the reductions taking effect in 2015.

The HITECH Act amended the Social Security Act, and in doing so, incorporated a broad definition of what constitutes a meaningful user of Electronic Health Records (EHR). Specifically, for a provider to be a meaningful user, it must:

  1. Demonstrate use of certified EHR technology in a meaningful manner;
  2. Demonstrate to the satisfaction of the Secretary that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and
  3. Using its certified EHR technology, submit to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

The proposed rule is an extension of this definition, and aims to provide EPs and hospitals with the proper information to become meaningful users.

Specifically, the rule provides for two classes of providers to participate in the incentive system: eligible professionals (EPs) and hospitals.  EPs are defined as non-hospital-based physicians, who either receive reimbursement for services under the Medicare Fee-For-Service program (FFS) or have an employment or contractual relationship with a qualifying Medicare Advantage organization (MA); or healthcare professionals meeting other requirements. (See page 22 of PDF). Hospitals are defined as hospitals that either receive reimbursement for services under the Medicare FFS program or are affiliated with a qualifying MA organization as described in section 1853(m)(2) of the Act; critical access hospitals (CAHs); or acute care or children’s hospitals. (See page 22 of PDF).

Transitioning to the meaningful use of EHRs will be phased in, taking place in three stages. On page 40 of the proposed rule, CMS describes the stages as follows:

Stage 1 (beginning in 2011):  The Stage 1 meaningful use criteria focuses on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes (whether that information is structured or unstructured, but in structured format whenever feasible); consistent with other provisions of Medicare and Medicaid law, implementing clinical decision support tools to facilitate disease and medication management; and reporting clinical quality measures and public health information.

Stage 2: Stage 2 expands upon Stage 1 to use HIT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results such as blood tests and nuclear imaging tests.

Stage 3: Stage 3 focuses on improving the quality, safety, and efficiency of health care, focusing on decision support for national high priority conditions, patient access to self-management tools, access to comprehensive patient data, and improving public health.

The proposed rule that was recently released only describes the specific criteria for Stage 1, with the criteria for Stage 2 and Stage 3 to be released at the end of 2011 and 2013 respectively. In terms of Stage 1 criteria, there is a hierarchy of organizational structure. At the broadest level there are “health outcome policy priorities.” Within each of these policy priorities there is a group of “care goals,” and associated with each group of care goals are the specific “objectives.” CMS has provided a very helpful table which breaks down the hierarchy, including the various objectives. I have extracted the table, which can be accessed here. However, for reference purposes, I have summarized the organization below, and provided the objectives for the first health policy priority. Note that there is a different list of objectives for hospitals, many of which are similar or identical.

The organization is as follows:

Health Outcome Policy Priority 1: Improving quality, safety, efficiency and reducing health disparities.

Care Goals:
1. Provide access to comprehensive patient health data for patient’s healthcare team
2. Use evidence-based order sets and computerized provider order entry (CPOE)
3. Apply clinical decision support at the point of care
4. Generate lists of patients who need care and use them to reach out to those patients.
5. Report information for quality improvement and public reporting.

Objectives for Eligible Professionals (EPs):
1. Use Computerized Physician Order Entry (CPOE)
2. Implement drug-drug, drug-allergy, drug-formulary checks.
3. Maintain an up-to-date problem list of current and active diagnoses based on ICD-9-CM or SNOMED CT®.
4. Generate and transmit permissible prescriptions electronically (eRx).
5. Maintain active medication list.
6. Maintain active medication allergy list.
7. Record demographics
8. Record and chart changes in the following vital signs
9. Record smoking status for patients 13 years old or older.
10. Incorporate clinical lab-test results into EHR as structured data.
11. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
12. Report ambulatory quality measures to CMS (or, for EPs seeking the Medicaid incentive payment, the States)
13. Send reminders to patients per patient preference for preventive/follow-up care.
14. Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
15. Check insurance eligibility electronically from public and private payers.
16. Submit claims electronically to public and private payers.

Health Outcome Policy Priority 2: Engaging patients and families in their healthcare

  1. Care Goal 1: Provide patients and families with timely access to data, knowledge, and tools to make informed decisions.

Health Outcome Policy Priority 3: Improving care coordination

  1. Care Goal 1: Exchange meaningful clinical information among professional health care team.

Interestingly, for CPOE, EPs are required to use CPOE for at least 80 percent of all orders whereas hospitals are only required to use CPOE for 10 percent of orders. Why such a discrepancy exists is presently unclear.

In terms of the requirement for reporting clinical quality measures (as described in the original definition of meaningful use in the HITECH Act), the proposed rule adopts different measurements for EPs and hospitals. For EPs, the proposed rule utilizes the quality measures endorsed by the National Quality Forum (NQF), including those selected for the Physician Quality Reporting Initiative (PQRI) program that had previously been endorsed by the NQF. For hospitals, the measures are a combination of the NQF measures and those measures from the Reporting Hospital Quality Data for Annual Payment Update (RHQDAPU).

Reporting of these clinical quality measures would be accomplished by one of three methods. The primary method would require EPs or hospitals to log onto a CMS-designated portal and upload the clinical quality data in a specific data structure (as defined by the ONC’s standards). Alternatively, data could be submitted through a Health Information Exchange (HIE)/Health Information Organization (HIO) depending on whether the Secretary can access that network. Another alternative is submission through registries dependent upon the development of the necessary capacity and infrastructure to do so using certified EHRs. See page 169 of the PDF for more details on the uploading process.

As discussed earlier on this blog, one aspect of the transition that remains to be addressed is whether the incentives provided to EPs and hospitals will be sufficient to encourage physicians to take on the initial outlays associated with EHRs. H.R. 3014, a bill to provide loan guarantees to solo and small group practices, has been passed by the House and is currently being reviewed by the Senate Committee on Small Business and Entrepreneurship. Without such measures to spur the initial implementation of EHRs, the incentives or downward payment adjustments may not be sufficient to implement the bold plan set out by CMS.


Micro-Chipping (and then pulling the plug on) Grandma as part of HIT and the Public Option

December 7, 2009 by Michael Ricciardelli · 2 Comments
Filed under: EMR, Proposed Legislation, Public Plan 

I had the opportunity to speak with one of our Health Law professors from private practice the other day (some professors teach full time, others teach only part time in addition to working full time as attorneys or judges), and he had been practicing (and teaching) health law for decades. He was both amazed and incensed: at our inability as a country to have a reasonable discussion about health care; that a provision to remunerate consultations regarding end of life issues somehow turned into “pulling the plug on grandma” and “death panel” sound bites–from people who should (or do) know better; and that people somehow believe that “rationing” doesn’t exist right now in the for-profit health insurance system. “They speak as though their insurance policies are unlimited. They are not. There are insurers denying coverage all the time.”

This article in the New York Times’ Prescriptions won’t make him feel any better. It regards a recent chain email which tells of the impending forced implantation of microchips into patients as part of a government sponsored health plan.

Prescriptions reports:

…fears of death-panel bureaucrats voting to euthanize elderly Americans may pale in comparison to the latest fright point: according to a widely forwarded chain e-mail, the Democrats’ health care bill would require anybody who enrolls in a new government-run health insurance plan “to have a data-receiving microchip implanted in their bodies.”

The assertion would seem to tie together policy points from both the House-passed health care measure, which would create a government insurance plan, or public option, and the economic stimulus measure earlier this year, which approved billions of dollars for health information technology.

The widely distributed email is said to have prompted House Speaker Nancy Pelosi to issue a Myth Buster fact sheet:

Myth: People who enroll in the public health insurance option will be forced under the law to have a microchip implant.

Fact: The Affordable Health Care for America Act does not have any provision requiring any person to have a microchip — or anything else –implanted on their bodies for any reason.

The Times also notes that Ms. Pelosi’s office also noted that “PolitiFact — the Pulitzer-prize winning Web site — labeled this claim a ‘Pants on Fire’ lie, its highest degree of untruth.”


Reform Rodeo

September 23, 2009 by Jordan T. Cohen · Leave a Comment
Filed under: Uncategorized 
Photo by David Monniaux


1. The HITECH Act’s Breach Notification rules are now in effect. As is noted in the article, many are questioning some of the limitations in the Act, which may reduce the Act’s impact on protecting privacy.

2. Eugene Volokh’s blog discusses the constitutionality of an individual mandate.

3. A persuasive article from Fortune Magazine describing how Baucus’ Finance Committee bill will raise taxes on the middle class, and in doing so violate the core tenets of the Obama administration.

4. A nicely compiled listing of the amendments that have been put forward during the Finance Bill’s mark up.

5. A FiveThirtyEight post questions those who presume that health reform is inevitable, raising some sobering thoughts.

6. Under the Obama administration, the FDA has provided a black box warning for the anti-nausea drug Phenergan, presumably in light of the Supreme Court’s recent rejection of the drug manufacturer’s claim that federal regulations preempt state-court suits against drug manufacturers over defective warnings.

7. In case you missed it: A post from Health Reform Watch by Professor Timothy S. Jost on Health Care Cooperatives was cited by Jacob S. Hacker in an article over at the New England Journal of Medicine’s web site. Hacker’s article, “Poor Substitutes–Why Cooperatives and Triggers Can’t Achieve the Goals of a Public Option,” is well written and well read.
