The KHIT Blog: The twisty politics of HIT

Sunday, December 18, 2011

The twisty politics of HIT

..."Shortly before the passage of the 2009 federal economic stimulus package, Gingrich criticized the legislation as a "big politician, big bureaucracy, pork-laden bill." However, at the same time, Gingrich praised a provision of the stimulus package that allocated $19 billion to promote the use of health IT. He said, "I am delighted that President Obama has picked this as a key part of the stimulus package."

Under the stimulus package, health care providers who demonstrate meaningful use of certified electronic health records can qualify for Medicaid and Medicare incentive payments...

"I am delighted that President Obama has picked this as a key part of the stimulus package."

Right, Mr. Gingrich. Insofar as it was then politically convenient, 'eh? (Click here or the image above for the link.)

Apropos of the forgoing. Monday morning news:

...Regulatory pressure is building on the industry to achieve the goals of Presidents George W. Bush and Barack Obama to provide most Americans with access to an electronic medical record by 2014. An early fissure as a result of that pressure comes as Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology, supports a federal advisory committee's recommendation in June that the CMS extend by one year the compliance deadline for Stage 2 meaningful use for some early adopters of health information technology...

Once we get the total head count and subsequent relative proportions of "early adopters" (those who attested in 2011), we'll have a better picture of how this all might shake out going forward. Pushing back Stage 2 was a good and necessary idea, IMO.

Also noteworthy in the Modern Healthcare article:

Breaches and privacy lapses make headlines again in 2011 as healthcare organizations suffer record data losses during the year. In September, in its report to Congress, the Office for Civil Rights at HHS says there have been more than 30,500 breaches, most with fewer than 500 records, since it began counting them in late 2009. By year's end, the office's public “wall of shame” lists 372 major breaches (involving 500 or more records each) totaling nearly 18 million records. Military healthcare payer Tricare Management Activity and its data backup services vendor, Science Application International Corp., tops the wall with the largest breach of the year at 4.9 million records.

I guess as the penetration of HIT increases, we should expect an increase in PHI breach incidents. Which brings to mind the following (click to enlarge):

HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise...

I've installed it and have been kicking the tires. 492 questions (some of them conjunctive clause compound questions) spanning the gamut of 45 CFR 164.3. More on this shortly.
___

DEC 19th P.M. UPDATE

The NIST HIPAA toolkit is a bear. Lots of compound questions, e.g., the first 13 questions:

164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities management commitment, coordination among organizational entities, training and compliance?
Has your organization disseminated your Risk Assessment policies and procedures?
Has your organization disseminated its Risk Assessment procedures to the work staff/offices with the associated roles and responsibilities?
Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?
Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
Has your organization identified the types of information and uses of that information and the sensitivity of each type of information been evaluated (also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
Has your organization identified all information systems that house ePHI?
Does your organization inventory include all hardware and software that are used to collect, store, process, or transmit ePHI, including excel spreadsheets, word tables, and other like data storage?
Are all the hardware and software for which your organization is responsible periodically inventoried, including excel spreadsheets, word tables, and other like data storage?
Has your organization identified all hardware and software that maintains or transmits ePHI, including excel spreadsheets, word tables, and other similar data storage and included it in your inventory?
Does your organization's inventory include removable media, remote access devices, and mobile devices?
Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?

OK, and then the last section, first subsection:

164.316 POLICES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

164.316(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in subsection

164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart
Does your organization have policies and procedures for administrative safeguards, physical safeguards, and technical safeguards?
Does your organization have in place reasonable and appropriate policies and procedures that comply with the standards and implementation specifications of the HIPAA Security Rule?
Does your organizations security policies and procedures take into consideration: 1) your organization's size, complexity and the services you provide. 2) your organization's technical infrastructure, hardware and software capabilities, 3) the cost of your organization's security measures, 4) the potential risks to day-to-day operation including which functions, and tools are critical to operations?
Does your organization have procedures for periodic revaluation of your security policies and procedures, and update them when necessary?
Does your organization change security policies and procedures at any appropriate time, and document the changes and implementation?

My take on this is that it would take a provider/organization 2-5 days to get thoroughly and forthrightly through it. And, really, this is just about the ePHI "Security" piece. "Privacy" is a different -- and potentially much more difficult -- issue. I wrote about the Security stuff back in June, and I continue to work on the privacy issues more recently for our HIE.
___

MEANINGFUL USE CORE 15:
WHAT ARE YOU PEOPLE THINKING?

So, my wife and I are devoted Mac snobs at home. Consequently, I was thrilled to recently see an iPad app get certified for meaningful use.

The product looks great, and I'll bet it's quite functional.

HOWEVER...

I was not happy to see this regarding the Meaningful Use Core 15 criterion ("Protect Electronic Health Information"):

We've taken care of this one for you!

All of the items below are done automatically through drchrono.com (web) drchrono EHR (iPad)

Access Control: Each user must have a unique identifier. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. §170.302(o)

Emergency access: Plan for emergency access for authorized users. Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. §170.302(p)

Automatic log-off: Turn on session timeouts.

Automatic log-off: Terminate an electronic session after a pre-determined time of inactivity. §170.302(q)

Audit log: Maintain audit logs.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in §170.210(b).
(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).

Integrity - Provide integrity check for recipient of electronically transmitted information. §170.302(s)
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.
(3) Detection. Detect the alteration of audit logs.

Authentication - Verify user identities and access privileges. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. §170.302(t)

Encryption - Use encryption where preferred. §170.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in §170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology. §170.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in §170.210(a)(2).

Accounting of disclosures - Record PHI disclosures. §170.302(v) Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in §170.210(e).

Conduct a security risk analysis and implement security updates.

Gotta love the last little orphan sentence. OK, everything associated with §170.nn has to do with the NIST EHR Certification specs, and nothing to do with complying with MU Core Measure 15:

Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.

Beyond having a CHPL blessed system, it's the last item that counts for MU.

I emailed them regarding this and gave them more than a week. Silencio. Nada. Zip. Zilch.

This is not the first time I've encountered this precise misinformation from an EHR vendor.

So, what if you got audited? "Well, they told us we were automatically in compliance..."

"Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies."

So, who cares?

Digital Data on Patients Raises Risk of Breaches
By NICOLE PERLROTH
NY Times. Published: December 18, 2011

One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed...

Shall we tally up an estimate of the entire cost of not having corrected "identified security deficiencies" per HIPAA 45.CFR.164.3 et seq?
___

ERRATA: HEDIS 2011 THOUGHTS

I blogged a bit about the 2010 HEDIS measures last year. I've been reading the 2011 report lately. Notwithstanding the new stratification of HMOs vs PPOs (and vs Medicaid as well), I can't really see that a whole lot has changed with respect to the major chronic indices. e.g.,

Overall, we still see the aggregate nil Pearson-R "quality vs cost" proxies' scatter. And, even where there are enticing (wish-fulfillment?) wafts of quadrant differentials, the small composite "N's" ought give one pause.

Maybe we'll make tangible progress on these fronts in the next few years (we must if we are not to go BK as a society). IMO there are two concomitant (and intertwined) "fronts" -- care delivery process improvements (X-axis) and clinical outcomes improvement (Y-axis). The latter of which is to a significant extent moreso a moving target.

"Value," my friends: Outcomes Quality / Cost. Hope it doesn't become this decade's Powerpoint / Seminar / Consulting / Book Sales cliche. (But, then, They Had Me at Deming.)
___

12/11 "PIONEER ACO" announcement

Interesting. Healthcare Partners of Nevada is one of the 32 announced today. We already work with them via our new HIE.

CMS MEANINGFUL USE PAYMENTS UPDATE

I played around a bit today with an app free trial that converts PDF tables to Excel files. CMS has updated its payments-to-date data (it says "November 2011" but it's not clear whether it's begin or end of month), so I downloaded the new PDF and converted it (click to enlarge).

I added the 4 "pct" columns on the right, and sorted the data down by aggregate payment rank. The top 12 states account for 2/3 of the money. Texas, with ~8% of U.S. population, is now at 16.4% of the cash -- and nearly 3/4 of theirs is Medicaid.

Be fun to also drop in the Census data to do comparative "per capita."

We'll see how all of the Medicaid Year One "A/I/U" free money crowd does in 2012 when they have to actually meet the MU criteria, for an entire calendar year attestation.

They have other tables that break things out by EPs vs Hospitals (Medicare, Medicaid, and aggregate), which would tell us where the bulk of the money is going vis a vis those strata (like we don't already know).

I may buy that utility -- if they have a Mac version.
___

MORE TWISTY POLITICS:
THE LOOMING MEDICARE REIMBURSEMENT CUTS

27.4% reduction ensues on January first absent Congress passing the "Doc Fix" in the tax cut renewal bill. The health press is fairly abuzz.

Another quick little Excel screen-scrap cut & paste. The 2012 estimate is mine for these two CPT codes, btw. Just an estimate. The whole Medicare SGR formulation is inscrutably complex (and uniformly hated by primary care docs).

Who will blink first, Boehner or Obama?
___

HOLIDAY CODA

I'm off 'til the 30th. To all of my awesome REC colleagues (both within our office walls and across the RECs), I wish you a joyful and safe Holiday season.

My dear friend, the breathtakingly talented Lenny Lopez on vocal.

No comments:

Brave New Health

Commonwell Health Alliance

Another important read (pdf)

I love this kind of stuff. It sustains and humbles me. "As politicians, advertisers, salesmen, and propagandists for various political, economic, moral, religious, psychic, environmental, dietary, and artistic doctrinaire positions know only too well, fallible human minds are easily tricked, by clever verbiage... Common language—or at least, the English language—has an almost universal tendency to disguise epistemological statements by putting them into a grammatical form which suggests to the unwary an ontological statement. A major source of error in current probability theory arises from an unthinking failure to perceive this."

Quotes

"An economist is a person who sees something that works in practice and tries to figure out whether it will work in theory."

- J.D. Kleinke, medical economist
___

"The only person who enjoys change is a baby with a wet diaper."

"Every misspent dollar in our health care system is part of somebody's paycheck.

- Brent James, M.D., M.Stat

“We could do healthcare, at markedly higher quality, for everyone in this country, without rationing or denying anybody the care that they need, without having the government dictate how doctors practice or whether hospitals could expand, at half the cost we do it now.”

- Health Care Futurist Joe Flower

Most of the sciences, unlike parts of medical science, are not concerned with the impossible. There is not complementary and alternative physics, or chemistry, or biochemistry, or engineering. These disciplines compare their ideas against reality, and, if the ideas are found wanting, abandoned."

- Mark A. Crislip, MD

"Q: How much alcohol is too much?
A: More than your doctor drinks."

- a physician I once heard speak during a CME presentation

“Just because science doesn’t know everything, doesn’t mean you get to fill in the gaps with whatever fairy tale most appeals to you.”

- Dara O’Briain

'[I]t is one small step from using the computer for "helping" doctors to monitoring them, judging them, dictating to them what to do, and withdrawing payment for computer non-compliance. The use of computer data is a multi-edged sword. It can be used for the "good," facilitating diagnosis and treatment and making it more accurate and up-to-date, and for “evil,” invading privacy, inviting security breechs, and making decisions based on the opinions of remote authorities rather than those present at the patient-doctor encounter.'

- Richard Reece, MD

“[T]here ARE statistics which are non-political. Just because The Washington Post/Fox News reports the temperature is 75 degrees doesn’t mean it’s really snowing and sunscreen is a liberal/conservative plot. Even if you earn a living being ideological.”

- Michael L. Millenson

"It is a generally a fairly convincing argument that people shouldn’t have to be subsidized to undertake a change which is in their best interest.

The reconciliation seems to be that EHR is not supposed to make a doctor’s practice more efficient and higher quality. It is supposed to make the system of care more efficient and higher quality, which is not the same thing. Those of you who took calc recall that maximizing the total of variables is not achieved by maximizing any one variable and this is a perfect example of that.

Those of you have served in combat certainly noticed that too — if everyone works as a team the unit takes fewer casualties. If you try to save your own hide, you might, but at the expense of more casualties overall."

- Al Lewis

"There are two ideas to keep in mind about Bayesian reasoning and how we tend to mess it up. The first is that base rates matter, even in the presence of evidence about the case at hand. This is often not intuitively obvious. The second is that intuitive impressions of the diagnosticity of evidence are often exaggerated."

- Daniel Kahneman, "Thinking, Fast and Slow"

"Physicians apply advanced scientific knowledge, but they must do so without the favorable conditions that experimental scientists create for themselves. Multitasking is forced on physicians, often in chaotic environments and under severe time and resource constraints."

- Lawrence and Lincoln Weed, "Medicine in Denial"

"It’s time to stop the whining about Obama care and acknowledge we already have universal health care. We just pay for it in the stupidest way possible that ensures problems are that much more disastrous and complicated when they’re finally treated."

- Mark Hoofnagle, MD, PhD

"Every act of conscious learning requires the willingness to suffer an injury to one's self-esteem. That is why young children, before they are aware of their own self-importance, learn so easily."

- Thomas Szasz, MD
___

"Of course, one reason that process metrics* are so popular is that processes are much easier to define and measure than outcomes."

- The Skeptical Scalpel
___

"There is an “illusion of validity” for any random data point, a seductive sense that is colored by what we hope will be true. Mountains of pharmaceutical claims are often made from mere molehills of data."

- Danielle Ofri, MD
___

"Joy empowers people. It is a source of energy that enables people to hope and plan and change their lives for the better. Spend some time around someone who is relentlessly negative and how do you feel–drained, right? More and more research shows that joy is not something that just happens to you, like a bolt of lightening out of the blue. Joy is, instead, a habit to cultivate. Negative thinking and despair are the crabgrass of our souls–weeds that take root and spread, sometimes to all areas of life. Joy, in contrast, is a soul’s rose–hardy when cared for, able to put down roots over time and withstand disease and extremes. Like a rose, however, your joy can become blighted from neglect or harsh conditions. We all need to tend to our joy–to prune away the badness, and to know that, even though it may look like a prickly bare root, if you invest time in a joyous outlook, gorgeous things will bloom, even in the harshest conditions."

- Dr. Jan Gurley
___

"'Solutions' exist only in mathematics."

- Karen Martin
___

"The issue of how to regulate clinical software is, in the long run, indistinguishable from the issue of how to regulate medicine. The only difference is that medicine is practiced in the open, without secrecy, subject to peer review, and under a merit-based state license."

- Adrian Gropper, MD
___

"Economist, rope, tree: some assembly required."

- Source unknown

DISCLAIMER:

I write this blog wholly on my own time and my own dime. The views proffered are expressly my own as a concerned and active citizen/taxpayer (in addition to being the result of my substantive experience in the various IT fields), and in no way reflect any policy views of my former employer, notwithstanding that some of the thinking has indeed obviously been spurred by the implications of the work with which I have been doing for them.

FAIR USE POLICY
I cite a ton of news and web sources spanning the breadth of relevant technical and policy domains, sometimes at substantial length. I believe I remain well within the bounds of "Fair Use," as [1] I am not doing any of this for profit, [2] I always provide attribution and links -- which, [3] far from negatively impacting any copyright holders' commercial interests, might actually increase traffic to and interest in their offerings.

Nonetheless, should I post anything of yours regarding which you have any objection, just let me know and I will remove it forthwith.

The KHIT Blog

Search the KHIT Blog

Sunday, December 18, 2011

The twisty politics of HIT

No comments:

Post a Comment