CVS & HHS: Partners in Compromising Your Privacy

On January 16, 2009, the Department of Health and Human Services (HHS) and CVS entered into a resolution agreement requiring CVS to pay a $2.25 million fine and implement a corrective action plan for “potential violations of the HIPAA [The Health Insurance Portability and Accountability Act of 1996] privacy rule.”  Why?  CVS had allegedly been placing prescription bottles and labels into dumpsters that were accessible to the public.  The bottles/labels contained protected health information (PHI), which CVS was required to safeguard under federal law.

Although HHS appears to regard the settlement as a success, given its prominence on the HIPAA enforcement section of HHS’s website, it is nothing of the sort.  The agreement provides that CVS “expressly den[ies] any violation of HIPAA or the Privacy Rule, and further den[ies] any wrongdoing,” while HHS does not concede that CVS is “in compliance with the Privacy Rule.”  HHS did agree with itself, however, releasing an FAQ (accompanying the press release) stating that under its Privacy and Security Rules: “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Why is this old news important?  This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey.  While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer.  Each prescription was inside a small bag to which a customer receipt was attached.  The receipts in the front row of the storage bins were readable from the counter.  The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:

1) Full name,

2) Address,

3) Telephone number,

4) Day and month of birth,

5) Drug name and dosage, and

6) Prescriber.

HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA.  So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations?  Well, I asked the pharmacist on duty.  The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter.  However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable.  Upon requesting the contact information for CVS’s privacy officer, the pharmacist readily provided such information and stated that she would “appreciate” someone actually reporting the apparent violation.

HHS was recently provided with additional enforcement tools under the HITECH provisions of the American Recovery and Reinvestment Act of 2009.  Unfortunately, it does not appear that HHS is serious about enforcing its own regulations or resolution agreements; nor, if the flagrantly violative placement of prescriptions is indicative of mindset, is CVS serious about HIPAA compliance.


HIPAA Administrative Simplification: Enforcement

May 24, 2010 by Guest Blogger
Filed under: Compliance, Health Law 

By Laura Sunyak

In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act contains regulations that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Information Portability and Accountability Act (HIPAA), and encourages corrective action.  In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision.  A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule.  As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent.  The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations.  If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.

Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between.  Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECH Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties.  The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office of Civil Rights which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties.  The penalties collected for violations will in turn be used to fund greater enforcement efforts.

The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.

The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009.  (For an explanation of the meaning of “interim final rule,” click here.)  According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000.  For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down into whether or not the covered entity corrects the violation.  If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000.  If the violation is not timely corrected, each violation will be fined $50,000.  The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.

According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

The enactment of these tougher enforcement penalties creates additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.

When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information.  With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPAA, the new rule is a step in the right direction toward greater protection of protected information.  With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.

As HHS acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions.  The remaining provisions, which are not yet effective, will be addressed in the near future.


Breach Notification for Unsecured Protected Health Information

May 6, 2010 by Guest Blogger
Filed under: EMR, Electronic Medical Records 

By: Michael R. Spaltro

Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.

Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key role in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.

Transmitting EHRs between an originating entity and the entity/infrastructure involved in research, development, and storage of EHRs creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of a breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?

The Health Insurance Portability and Accountability Act (“HIPAA”) guards against unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or a health care clearinghouse to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule approves that a covered entity may use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI, and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.

Firewalls and other reasonable access controls are not impermeable. Earlier this year, an ultra-sophisticated attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even when reasonable and appropriate safeguards are required. The access controls required by HIPAA in the Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.

Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate breach notification for unsecured protected health information rules and regulations (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in the cases of breaches of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.

The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached — a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of their firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.

Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, so as to render it unrecoverable. Depending on the method used and size of the database, data deletion can take up to an hour.

Second, and perhaps less straightforward, the NIST recommends data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software/hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it loses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equipped to recognize and decrypt the data. Thus, under any of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.

While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption are prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.

Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially detract business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.

Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.


[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech. 103.

[2] Id. at

[3] Id. at

[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).

[5] See Hoffman, supra note 1, at 113.

[6] 21 U.S.C. 355(k)(3). A qualified contractor is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.

[7] See HITECH, Pub. L. No. 111-5, Sections 13401 and 13404.

[8] NIST Special Publication 800-88, available at http://csrc.nist.gov.

[9] NIST Special Publication 800-111, available at http://csrc.nist.gov.

[10] See Hoffman, supra note 1, at 104.


Reform Rodeo: Latest News & Interviews; CER; the Constitution; HIT; Robotic Surgery

March 17, 2010 by Jordan T. Cohen
Filed under: Reform Rodeo 
Photo by David Monniaux

1. News: Kaiser Health News keeps you up to date by rounding up various stories on the Dems’ latest down-to-the-wire push on health reform. Their coverage of Representative Dennis Kucinich’s (and other reluctant Dems’) endorsement of the bill is here.

2. Betting on Health Care: The New York Times asks health wonks for opinions on the chances of passing health reform. Respondents include Robert Reich, former secretary of labor Gail Wilensky, Project Hope; Paul Starr, professor of public policy;  James C. Capretta, Ethics and Public Policy Center; Karen Davenport, Center for American Progress; Jacob S. Hacker, political science professor.

3. Evidence-based Medicine: A group at the New England Journal of Medicine proposes 5 steps to advance one of the most promising (yet often ignored) means of reforming our health care system: comparative effectiveness research.

4. Deem and Pass: Jonathan Adler at the Volokh Conspiracy discusses the constitutionality of the “deem and pass.” Regardless of its constitutionality, Ezra Klein exposes some factual inaccuracies in recent reporting on the tactic.

5. The Blues: The Pittsburgh Post-Gazette alerts us to a lawsuit by Highmark Inc. against the Pennsylvania Department of Insurance, which claims that the Department exceeded its authority when challenging Highmark’s proposed merger with Independence Blue Cross.

6. Meaningful Use Partial Credit: John Halamka at Life As A Healthcare CIO discusses the aggressive thresholds for meaningful use that have been set in the most recent rules, and what the HIT Policy Committee is doing to assuage those concerns.

7. Wild Card: A new TED talk about the current state of robotic surgery. An article covering the topic can be found here.


CMS and HHS Release New Proposed Rules Governing Health IT – Part 1: Overview of Proposed Rule on “Meaningful Use”

Issues surrounding the implementation of health information technology (HIT) have not garnered anywhere near the amount of attention as issues such as the public plan, the intersection of abortion and health insurance, pre-existing condition provisions, etc. There are a variety of reasons for this.

First, HIT is not as accessible as these other issues. Discussions of HIT often involve the heavy use of acronyms as well as technical jargon that can be intimidating and confusing. This will not likely change in the future. HIT will increase in complexity, especially as variegated computer systems used by providers and hospitals are to be linked together.

A second reason for the lack of coverage of HIT is that there have been few if any significant steps on the federal level towards implementing a national HIT system. As I will discuss below, this is beginning to change, and this change provides for an important New Year’s resolution that all of those interested in health policy should make: stay informed about the changes in the HIT landscape. To make this resolution easier, I will write a series of posts describing the changes.

One of the more recent changes occurred with the passing of the American Recovery and Reinvestment Act (ARRA), and more specifically, portions known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act initiated, among other things, an incentive-driven paradigm for transforming our health information system. The general idea is that physicians and hospitals will be paid for using HIT. However, in order for this transformation to take place, guidelines must exist such that physicians, providers and vendors of HIT products understand how to operate within this new system.

On December 30th 2009, CMS and the Office of the National Coordinator of Health and Human Services (ONC), released two rules. ONC released an interim final rule regarding the standards that will govern the Medicare and Medicaid incentive program. Additionally, CMS released their proposed rule on what is considered meaningful use.

The interim final rule regarding the standards can be found here.

The proposed rule regarding meaningful use can be found here.

Meaningful Use

CMS’s proposed rule on meaningful use is important because it defines how physicians and providers must implement HIT in order to qualify for CMS’s incentive payments for the use of such technology.  Much of the proposed rule is based on the HIT Policy Committee’s proposals on Meaningful Use, but comments had been solicited and incorporated from other committees, HIT vendors, and providers. The proposed rule states that incentive payments will begin in 2011, and that there will be two different payment methodologies: one for Medicare and one for Medicaid. Those receiving incentives must choose either the Medicaid or the Medicare plan. Furthermore, the rule states that hospitals and providers that are not meaningfully using HIT will have their payments from Medicare reduced, with the reductions taking effect in 2015.

The HITECH Act amended the Social Security Act, and in doing so, incorporated a broad definition of what constitutes a meaningful user of Electronic Health Records (EHR). Specifically for a provider to be a meaningful user they must:

  1. Demonstrate use of certified EHR technology in a meaningful manner;
  2. Demonstrate to the satisfaction of the Secretary that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and
  3. Using its certified EHR technology, submit to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

The proposed rule is an extension of this definition, and aims to provide those EPs and hospitals with the proper information to become a meaningful user.

Specifically, the rule provides for two classes of providers to participate in the incentive system: eligible professionals (EPs) and hospitals.  EPs are defined as non-hospital-based physicians, who either receive reimbursement for services under the Medicare Fee-For-Service program (FFS) or have an employment or contractual relationship with a qualifying Medicare Advantage organization (MA); or healthcare professionals meeting other requirements. (See page 22 of PDF). Hospitals are defined as hospitals that either receive reimbursement for services under the Medicare FFS program or are affiliated with a qualifying MA organization as described in section 1853(m)(2) of the Act; critical access hospitals (CAHs); or acute care or children’s hospitals. (See page 22 of PDF).

Transitioning to the meaningful use of EHRs will be phased in, taking place in three stages. On page 40 of the proposed rule, CMS describes the stages as follows:

Stage 1 (beginning in 2011):  The Stage 1 meaningful use criteria focuses on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes (whether that information is structured or unstructured, but in structured format whenever feasible); consistent with other provisions of Medicare and Medicaid law, implementing clinical decision support tools to facilitate disease and medication management; and reporting clinical quality measures and public health information.

Stage 2: Stage 2 expands upon Stage 1 to use HIT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results such as blood tests and nuclear imaging tests.

Stage 3: Stage 3 focuses on improving the quality, safety, and efficiency of health care, focusing on decision support for national high priority conditions, patient access to self-management tools, access to comprehensive patient data, and improving public health.

The proposed rule that was recently released only describes the specific criteria for Stage 1, with the criteria for Stage 2 and Stage 3 to be released at the end of 2011 and 2013 respectively. In terms of Stage 1 criteria, there is a hierarchy of organizational structure. At the broadest level there are “health outcome policy priorities.” Within each of these policy priorities there is a group of “care goals,” and associated with each group of care goals are the specific “objectives.” CMS has provided a very helpful table which breaks down the hierarchy, including the various objectives. I have extracted the table, which can be accessed here. However, for reference purposes, I have summarized the organization below, and provided the objectives for the first health policy priority. Note that there is a different list of objectives for hospitals, many of which are similar or identical.

The organization is as follows:

Health Outcome Policy Priority 1: Improving quality, safety, efficiency and reducing health disparities.

Care Goals:
1. Provide access to comprehensive patient health data for patient’s healthcare team
2. Use evidence-based order sets and computerized provider order entry (CPOE)
3. Apply clinical decision support at the point of care
4. Generate lists of patients who need care and use them to reach out to those patients.
5. Report information for quality improvement and public reporting.
Objectives for Eligible Professionals (EPs):
1. Use Computerized Physician Order Entry (CPOE)
2. Implement drug-drug, drug-allergy, drug-formulary checks.
3. Maintain an up-to-date problem list of current and active diagnoses based on ICD-9-CM or SNOMED CT®.
4. Generate and transmit permissible prescriptions electronically (eRx).
5. Maintain active medication list.
6. Maintain active medication allergy list.
7. Record demographics
8. Record and chart changes in the following vital signs
9. Record smoking status for patients 13 years old or older.
10. Incorporate clinical lab-test results into EHR as structured data.
11. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
12. Report ambulatory quality measures to CMS (or, for EPs seeking the Medicaid incentive payment, the States)
13. Send reminders to patients per patient preference for preventive/follow-up care.
14. Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
15. Check insurance eligibility electronically from public and private payers.
16. Submit claims electronically to public and private payers.

Health Outcome Policy Priority 2: Engaging patients and families in their healthcare

Care Goals:
1. Provide patients and families with timely access to data, knowledge, and tools to make informed decisions.

Health Outcome Policy Priority 3: Improving care coordination

Care Goals:
1. Exchange meaningful clinical information among the professional health care team.

Interestingly, for CPOE, EPs are required to use CPOE for at least 80 percent of all orders whereas hospitals are only required to use CPOE for 10 percent of orders. Why such a discrepancy exists is presently unclear.

In terms of the requirement for reporting clinical quality measures (as described in the original definition of meaningful use in the HITECH Act), the proposed rule adopts different measurements for EPs and hospitals. For EPs, the proposed rule utilizes the quality measures endorsed by the National Quality Forum (NQF), including those selected for the Physician Quality Reporting Initiative (PQRI) program that had previously been endorsed by the NQF. For hospitals, the measures are a combination of the NQF measures and those from the Reporting Hospital Quality Data for Annual Payment Update (RHQDAPU).

Reporting of these clinical quality measures would be accomplished by one of three methods. The primary method would require EPs or hospitals to log onto a CMS-designated portal and upload the clinical quality data in a specific data structure (as defined by the ONC’s standards). Alternatively, data could be submitted through a Health Information Exchange (HIE)/Health Information Organization (HIO), depending on whether the Secretary can access that network. Another alternative is submission through registries, dependent upon the development of the necessary capacity and infrastructure to do so using certified EHRs. See page 169 of the PDF for more details on the uploading process.

As discussed earlier on this blog, one aspect of the transition that remains to be addressed is whether the incentives provided to EPs and hospitals will be sufficient to encourage physicians to take on the initial outlays associated with EHRs. H.R. 3014, a bill to provide loan guarantees to solo and small group practices, has been passed by the House and is currently being reviewed by the Senate Committee on Small Business and Entrepreneurship. Without such measures to spur the initial implementation of EHRs, the incentives or downward payment adjustments may not be sufficient to implement the bold plan set out by CMS.


Reform Rodeo

October 9, 2009 by Jordan T. Cohen
Filed under: Health Reform, Reform Rodeo 
Photo by David Monniaux

1. At the New England Journal of Medicine, David Cutler discusses possible reasons why the health care cost curve may bend in the future even without health reform.

2. Matthew Yglesias discusses health reform’s “labor problem.”

3. Ezra Klein points to the findings of a study that may undermine the common assumption that calorie labels in fast food restaurants reduce caloric intake.

4. At ABC Australia, an interesting and moving piece about the consequences of the patenting of the BRCA genetic test.

5. For those interested in the administrative side of health reform, Jacqueline Klosek describes and links to a notification and instruction form that HHS has provided to help covered entities comply with the HITECH Act’s new breach notification rules which are now in force.

6. Wild Card: The Lifehacker blog has a post describing a new “mash up” site called Data Masher that allows users to overlay freely accessible statistics onto maps. One of the “mash ups” available is a U.S. map with high school education and health care coverage overlaid.

7. In case you missed it: Professor Tim Greaney in The Health Care Blog with a post on Medicare & Health Reform originally posted here on HRW.
