Search the KHIT Blog

Sunday, December 18, 2011

The twisty politics of HIT

..."Shortly before the passage of the 2009 federal economic stimulus package, Gingrich criticized the legislation as a "big politician, big bureaucracy, pork-laden bill." However, at the same time, Gingrich praised a provision of the stimulus package that allocated $19 billion to promote the use of health IT. He said, "I am delighted that President Obama has picked this as a key part of the stimulus package."

Under the stimulus package, health care providers who demonstrate meaningful use of certified electronic health records can qualify for Medicaid and Medicare incentive payments...
"I am delighted that President Obama has picked this as a key part of the stimulus package."

Right, Mr. Gingrich. Insofar as it was then politically convenient, 'eh? (Click here or the image above for the link.)

Apropos of the forgoing. Monday morning news:


...Regulatory pressure is building on the industry to achieve the goals of Presidents George W. Bush and Barack Obama to provide most Americans with access to an electronic medical record by 2014. An early fissure as a result of that pressure comes as Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology, supports a federal advisory committee's recommendation in June that the CMS extend by one year the compliance deadline for Stage 2 meaningful use for some early adopters of health information technology...

Once we get the total head count and subsequent relative proportions of "early adopters" (those who attested in 2011), we'll have a better picture of how this all might shake out going forward. Pushing back Stage 2 was a good and necessary idea, IMO.

Also noteworthy in the Modern Healthcare article:
Breaches and privacy lapses make headlines again in 2011 as healthcare organizations suffer record data losses during the year. In September, in its report to Congress, the Office for Civil Rights at HHS says there have been more than 30,500 breaches, most with fewer than 500 records, since it began counting them in late 2009. By year's end, the office's public “wall of shame” lists 372 major breaches (involving 500 or more records each) totaling nearly 18 million records. Military healthcare payer Tricare Management Activity and its data backup services vendor, Science Application International Corp., tops the wall with the largest breach of the year at 4.9 million records.

I guess as the penetration of HIT increases, we should expect an increase in PHI breach incidents. Which brings to mind the following (click to enlarge):

HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise...
I've installed it and have been kicking the tires. 492 questions (some of them conjunctive clause compound questions) spanning the gamut of 45 CFR 164.3. More on this shortly.
___

DEC 19th P.M. UPDATE

The NIST HIPAA toolkit is a bear. Lots of compound questions, e.g., the first 13 questions:
164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
  1. Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
  2. Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities management commitment, coordination among organizational entities, training and compliance?
  3. Has your organization disseminated your Risk Assessment policies and procedures?
  4. Has your organization disseminated its Risk Assessment procedures to the work staff/offices with the associated roles and responsibilities?
  5. Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?
  6. Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
  7. Has your organization identified the types of information and uses of that information and the sensitivity of each type of information been evaluated (also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
  8. Has your organization identified all information systems that house ePHI?
  9. Does your organization inventory include all hardware and software that are used to collect, store, process, or transmit ePHI, including excel spreadsheets, word tables, and other like data storage?
  10. Are all the hardware and software for which your organization is responsible periodically inventoried, including excel spreadsheets, word tables, and other like data storage?
  11. Has your organization identified all hardware and software that maintains or transmits ePHI, including excel spreadsheets, word tables, and other similar data storage and included it in your inventory?
  12. Does your organization's inventory include removable media, remote access devices, and mobile devices?
  13. Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?
OK, and then the last section, first subsection:
164.316 POLICES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

164.316(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in subsection

164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart
  1. Does your organization have policies and procedures for administrative safeguards, physical safeguards, and technical safeguards?
  2. Does your organization have in place reasonable and appropriate policies and procedures that comply with the standards and implementation specifications of the HIPAA Security Rule?
  3. Does your organizations security policies and procedures take into consideration: 1) your organization's size, complexity and the services you provide. 2) your organization's technical infrastructure, hardware and software capabilities, 3) the cost of your organization's security measures, 4) the potential risks to day-to-day operation including which functions, and tools are critical to operations?
  4. Does your organization have procedures for periodic revaluation of your security policies and procedures, and update them when necessary?
  5. Does your organization change security policies and procedures at any appropriate time, and document the changes and implementation?
My take on this is that it would take a provider/organization 2-5 days to get thoroughly and forthrightly through it. And, really, this is just about the ePHI "Security" piece. "Privacy" is a different -- and potentially much more difficult -- issue. I wrote about the Security stuff back in June, and I continue to work on the privacy issues more recently for our HIE.
___

MEANINGFUL USE CORE 15:
WHAT ARE YOU PEOPLE THINKING?


So, my wife and I are devoted Mac snobs at home. Consequently, I was thrilled to recently see an iPad app get certified for meaningful use.

The product looks great, and I'll bet it's quite functional.


HOWEVER...

I was not happy to see this regarding the Meaningful Use Core 15 criterion ("Protect Electronic Health Information"):
We've taken care of this one for you!

All of the items below are done automatically through drchrono.com (web) drchrono EHR (iPad)

Access Control: Each user must have a unique identifier. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. §170.302(o)

Emergency access: Plan for emergency access for authorized users. Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. §170.302(p)

Automatic log-off: Turn on session timeouts.

Automatic log-off: Terminate an electronic session after a pre-determined time of inactivity. §170.302(q)

Audit log: Maintain audit logs.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in §170.210(b).
(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).

Integrity - Provide integrity check for recipient of electronically transmitted information. §170.302(s)
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.
(3) Detection. Detect the alteration of audit logs.

Authentication - Verify user identities and access privileges. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. §170.302(t)

Encryption - Use encryption where preferred. §170.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in §170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology. §170.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in §170.210(a)(2).

Accounting of disclosures - Record PHI disclosures. §170.302(v) Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in §170.210(e).

Conduct a security risk analysis and implement security updates.

Gotta love the last little orphan sentence. OK, everything associated with
§170.nn has to do with the NIST EHR Certification specs, and nothing to do with complying with MU Core Measure 15:
Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.
Beyond having a CHPL blessed system, it's the last item that counts for MU.

I emailed them regarding this and gave them more than a week. Silencio. Nada. Zip. Zilch.

This is not the first time I've encountered this precise misinformation from an EHR vendor.

So, what if you got audited? "Well, they told us we were automatically in compliance..."

"Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies."

So, who cares?
Digital Data on Patients Raises Risk of Breaches
By NICOLE PERLROTH
NY Times. Published: December 18, 2011


One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed...

Shall we tally up an estimate of the entire cost of not having corrected "identified security deficiencies" per HIPAA 45.CFR.164.3 et seq?
___

ERRATA: HEDIS 2011 THOUGHTS


I blogged a bit about the 2010 HEDIS measures last year. I've been reading the 2011 report lately. Notwithstanding the new stratification of HMOs vs PPOs (and vs Medicaid as well), I can't really see that a whole lot has changed with respect to the major chronic indices. e.g.,

Overall, we still see the aggregate nil Pearson-R "quality vs cost" proxies' scatter. And, even where there are enticing (wish-fulfillment?) wafts of quadrant differentials, the small composite "N's" ought give one pause.

Maybe we'll make tangible progress on these fronts in the next few years (we must if we are not to go BK as a society). IMO there are two concomitant (and intertwined) "fronts" -- care delivery process improvements (X-axis) and clinical outcomes improvement (Y-axis). The latter of which is to a significant extent moreso a moving target.

"Value," my friends: Outcomes Quality / Cost. Hope it doesn't become this decade's Powerpoint / Seminar / Consulting / Book Sales cliche. (But, then, They Had Me at Deming.)
___

12/11 "PIONEER ACO" announcement

Interesting. Healthcare Partners of Nevada is one of the 32 announced today. We already work with them via our new HIE.

CMS MEANINGFUL USE PAYMENTS UPDATE

I played around a bit today with an app free trial that converts PDF tables to Excel files. CMS has updated its payments-to-date data (it says "November 2011" but it's not clear whether it's begin or end of month), so I downloaded the new PDF and converted it (click to enlarge).


I added the 4 "pct" columns on the right, and sorted the data down by aggregate payment rank. The top 12 states account for 2/3 of the money. Texas, with ~8% of U.S. population, is now at 16.4% of the cash -- and nearly 3/4 of theirs is Medicaid.

Be fun to also drop in the Census data to do comparative "per capita."

We'll see how all of the Medicaid Year One "A/I/U" free money crowd does in 2012 when they have to actually meet the MU criteria, for an entire calendar year attestation.

They have other tables that break things out by EPs vs Hospitals (Medicare, Medicaid, and aggregate), which would tell us where the bulk of the money is going vis a vis those strata (like we don't already know).

I may buy that utility -- if they have a Mac version.
___

MORE TWISTY POLITICS:
THE LOOMING MEDICARE REIMBURSEMENT CUTS

27.4% reduction ensues on January first absent Congress passing the "Doc Fix" in the tax cut renewal bill. The health press is fairly abuzz.


Another quick little Excel screen-scrap cut & paste. The 2012 estimate is mine for these two CPT codes, btw. Just an estimate. The whole Medicare SGR formulation is inscrutably complex (and uniformly hated by primary care docs).


Who will blink first, Boehner or Obama?
___

HOLIDAY CODA

I'm off 'til the 30th. To all of my awesome REC colleagues (both within our office walls and across the RECs), I wish you a joyful and safe Holiday season.


My dear friend, the breathtakingly talented Lenny Lopez on vocal.

Monday, December 12, 2011

Facts © ™ ®

...So on the one hand, we have the push from the government and insurers to have electronic medical records and health outcomes research (HITECH Act), the Sentinel Initiative for postmarketing surveillance of electronic medical records for adverse events, and Medicare reimbursements linked to “meaningful use” (i.e., providing data) of the EMR. On the other hand, we have the specter of HIPAA and more draconian penalties for breaches of personal privacy...

- Judy Stone, MD, Molecules to Medicine: Pharma Trumps HIPAA?

Which "facts" about you can be "owned" by you or others (or no one at all)? i.e., what data/information can be legitimately considered "property," the "title" to and controlling use of which will be defended and enforced by the society at large?
According to traditional copyright principles, the only copyrightable elements of a factual work are the author’s presentation, selection, and arrangement of facts. The underlying facts themselves cannot be copyrighted. In the past, this approach was sufficient to protect factual works against the most opportunistic forms of copying by competitors. Because facts were usually displayed narratively or in tables, authors generally made enough decisions concerning presentation, selection, and arrangement to protect their factual works against wholesale appropriation.

But the rise of electronic and on-line databases has cast doubt upon the validity of the traditional approach. These databases collect and display facts in a pure form, allowing the user to extract them as she sees fit. By dispensing with conventional modes of presentation, selection, and arrangement, they can easily fail to satisfy traditional standards for copyrightability, leaving them with virtually no legal protection against copying. [Michael Steven Green, PhD, Copyrighting Facts (pdf), Indiana Law Journal Vol 78]

Well, more broadly, it goes to the "value" of the facts to various parties. I have blue eyes. Who cares? I am 5'10" and weigh 173 lbs. With those two metrics you can quickly calculate my BMI (Body Mass Index -- mine is 24.8), which is of some economic interest to health insurors and others. I am typing this post in my study located at geocoordinates N36º 2.4018' W115º 8.5265'. Who might want to know that?

What about my blood pressure, my lipids panel results, my PSA? My DNA?
Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others (Loshin, 2002).

...Scofield (1998) suggest replacing the term ‘ownership’ with ‘stewardship’, “because it implies a broader responsibility where the user must consider the consequences of making changes over ‘his’ data”.

According to Garner (1999), individuals having intellectual property have rights to control intangible objects that are products of human intellect. The range of these products encompasses the fields of art, industry, and science. Research data is recognized as a form of intellectual property and subject to protection by U.S. law.

Importance of data ownership:

According to Loshin (2002), data has [sic] intrinsic value as well as having added value as a byproduct of information processing, “at the core, the degree of ownership (and by corollary, the degree of responsibility) is driven by the value that each interested party derives from the use of that information”...

Considerations/issues in data ownership

Researchers should have a full understanding of various issues related to data ownership to be able to make better decisions regarding data ownership. These issues include paradigm of ownership, data hoarding, data ownership policies, balance of obligations, and technology. Each of these issues gives rise to a number of considerations that impact decisions concerning data ownership

Paradigm of Ownership – Loshin (2002) alludes to the complexity of ownership issues by identifying the range of possible paradigms used to claim data ownership. These claims are based on the type and degree of contribution involved in the research endeavor. Loshin (2002) identifies a list of parties laying a potential claim to data:
  • Creator – The party that creates or generate data
  • Consumer – The party that uses the data owns the data
  • Compiler - This is the entity that selects and compiles information from different information sources
  • Enterprise - All data that enters the enterprise or is created within the enterprise is completely owned by the enterprise
  • Funder - the user that commissions the data creation claims ownership
  • Decoder - In environments where information is “locked” inside particular encoded formats, the party that can unlock the information becomes an owner of that information
  • Packager - the party that collects information for a particular use and adds value through formatting the information for a particular market or set of consumers
  • Reader as owner - the value of any data that can be read is subsumed by the reader and, therefore, the reader gains value through adding that information to an information repository
  • Subject as owner - the subject of the data claims ownership of that data, mostly in reaction to another party claiming ownership of the same data
  • Purchaser/Licenser as Owner – the individual or organization that buys or licenses data may stake a claim to ownership [Data Ownership, Responsible Conduct in Data Management]

It all gets rather complex rather quickly. And, nowhere as complex as with respect to personal health information.

Some recent thoughts on this:
...While banks tend to keep information internally, health care data is handled by many more organizations, said Tom Srail, Cleveland-based senior vp with Willis North America Inc. “The nature of the health care business requires the sharing of that same information,” he said.

Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C., said health care institutions are increasing their Internet activity with partners that include physicians, health plans and pharmacies.

Having “more people in the line of that chain that have the potential to handle sensitive data simply increases the risk that data will be accessed by accident, or by a third party,” with the potential that it could be used fraudulently, he said.

The sheer breadth of personal information that health care institutions hold complicates the issue.

“More than any other industry, the health care industry really has all of a complete set of information security and privacy exposures to contend with,” said Mr. Economidis.

Mr. Srail said retailers may have credit card numbers and financial institutions may have Social Security numbers, but health care entities “have all that as well as protected health care information,” so “it really can be problematic for those organizations when that data is lost and troublesome to its customers.”

“There's so many ways that the information gets compromised” and “just when you think you've got it figured out, you've got a twist in it,” said Lynn Sessions, counsel at law firm Baker & Hostetler L.L.P. and a former risk manager at Texas Children's Hospital, both in Houston.

Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York, said, “hospitals tend to be less secure than banks, and you've got a situation that obviously can be fairly risky and financially troubling to any medical center.”

Meanwhile, a black market for stolen medical identities has developed among people who are underinsured or have no insurance, observers say.

By some estimates, medical information is twice as valuable as more traditional identity information, said Mr. Silvestri. “That becomes a motivation for the criminal element to actually target that so they can sell it to the black market,” he said...

"Twice as valuable"? I'd never thought of it that way. Makes sense upon reflection, though. No one can really profit from the fact that I have blue eyes. But, other information about me can indeed have commercial value to others (particularly if they are of the sort not directly observable but instead only explicable via intermediary measurement/assay -- ranging from the simple arithmetic of BMI to the complex methods of DNA analytics).

Continuing:
...Federal law pulls health care institutions in opposite directions, said Mr. Srail. On one hand, it “wants health care to be open and portable and interactive” and to facilitate the process so the patient has choices in his health care with accessible medical information. On the other hand, however, “everything has to be kept secret” with no privacy breaches.

In addition, state laws, while similar, also differ from each other and federal law. HIPAA, for example, requires notification of data breaches within 60 days, while several states have a 45-day notification period, said Ms. Sessions.

Another complication is that hospitals must abide by the laws of the jurisdiction where their patient is a resident, even if it is in another state. Because the patients' resident state is the determining factor, Texas Children's Hospital, for instance, which has patients from all 50 states and foreign countries, must comply with all these jurisdictions' statutes, said Ms. Sessions...

My Nevada HIE Privacy and Security Task Force attorneys are gonna love that last paragraph.

Yeah, they'll probably love this too. On Dec 7th 2011 the California Office of Health Information Integrity (CalOHII) issued a patient consent/privacy report entitled "Research and Background For Patient Consent Policy Recommendation White Paper," (large PDF) wherein across pp 154-157 is a table of various states' PHI/HIE privacy policies to date. On page 156 is the reference to Nevada:


Click to enlarge. In the "Education" cell on the right is a link to my July 12th, 2011 blog post,
in which I voiced concerns regarding some of our facile assumptions made regarding Nevada HIE privacy policy.

Interesting. Nice to know that someone is reading my stuff.

___

Dec 15th O/T UPDATE

Yet another interesting blog to read.

Dear friends and colleagues,

This is a watershed moment for the U.S. healthcare system. Costs continue to climb, tens of millions of Americans lack insurance, and there is unacceptable variation in quality. Politicians from across the ideological spectrum are proposing potentially far reaching policy changes. Some of the proposals are promising; too many others seem fraught with danger. After 25 years as a researcher, teacher, and policy analyst, I continue to be disappointed by the lack of basic understanding of health economics among those who are most vocal about effecting change. No one has done more to shape my thinking about the links between economics and policy than my friend and colleague, William White, who is the director of the Sloan Program in Health Administration at Cornell University’s School of Human Ecology. Over the past two decades, we have had long conversations about virtually every aspect of our healthcare system, from the rise of HMOs in the 1980s to current trends in consumer driven healthcare.

Will and I have decided to put our conversations into a blog and share them with our friends at Kellogg and Human Ecology. We have even asked some of the nation’s top economists to take a look. We will respond to the best of your comments as time allows. We promise not to grade them!

There is a lot at stake in the upcoming years. We hope that this free exchange of ideas can help bring about positive change in our healthcare system.

Sincerely,

David Dranove
Walter McNerney Distinguished Professor of Health Industry Management
Kellogg School of Management

I've read Dr. Dranove's stuff for a while now (mostly at The Health Care Blog), but had never seen this blog. Lots of great new material to read, I would guess.
___

More to come...


Sunday, December 4, 2011

Meaningful Use Reimbursements Update


CMS just released the most recent data (PDF) on Meaningful Use reimbursements to date (actually to Nov 7th).

Notice the dark green Lone Star splotch. Texas EPs and hospitals have thus far gotten 20% of the $1.24 billion thus far paid out nationally ($247.5 million in TX). Of that, 83% went to the Medicaid side ($205.6 million).

Texas comprises ~8% of U.S. population.

On the Medicaid side all you have to do for Year One Stage One is attest to “A/I/U” — Adopt / Implement / or Upgrade to a CHPL Certified system. You don’t have to report on any MU measures, which is why vendors such as Practice Fusion are touting the “free money” aspect of it.

Maddeningly to me, CMS has yet to report on the relative proportions of EHR vendors whose clients have attested to date. We ran that all the way up the internal ONC/CMS flagpole and got blown off — they’ll release those tabulations in “Q2 or Q3 or 2012.”

No HHS-vendor opacity politics there, ‘eh? I'd like to see relative percentages of successful attestations to date by vendor, broken out by Medicare vs Medicaid (and further stratified by MU "registrations" to date).

Just sayin'.

DEC 15th UPDATE

CMS is now happily touting that they are going to exceed $2 billion in MU incentive payments in 2011. As reported by GovernmentHealthIT.com
  • Almost 30 percent of eligible providers and 60 percent of hospitals have now registered for the incentive programs.
  • Total incentive payouts under Medicare and Medicaid are now over $900 million each through November,
  • Thus, total payouts for 2011 will easily exceed $2 billion – of which close to a third of total incentive payouts for 2011 occurred in November alone.
This was to be expected. After all, a huge year-end bubble of 2011 MU attestors will complete their 90-day attestation period by 12/31 and file for the year one money.

(More broadly, I'm hearing that HHS is frantically shoveling money out the door for a breadth of initiatives, probably to get funding "obligated" to help immunize the money from looming deficit-hawk budget cuts.)

The article continues:
Still there are cautionary signs.

As we noted earlier, year 1 requirements under Medicare and under Medicaid are substantially less burdensome than subsequent years. While eligible providers have registered for one or other of the programs, only 4 percent have actually qualified for incentives. Also, interoperability-related criteria were among the least popular menu objectives. In addition, 2012, not 2011, is likely to be the pivotal year.

The pace must pick-up and be sustained if meaningful use is to reach its full potential, particularly for interoperability to coordinate care among providers. We expect the proposed rules for Meaningful Use Stage 2 by the end of January, if not sooner. Now that HHS has announced that providers will not have to meet Stage 2 criteria until January 2014, providers have an extra year under Stage 1 criteria without new interoperability requirements.

One observation for now. Pushing back stage 2 means that early adopters (2011 MU attestors) will spend 3 years in stage 1, during which they will have collected the bulk of the reimbursement money (~86% for Medicare EPs -- e.g., $18k, $12k, and $8k respectively, or $38k of the total $44k five year potential).

Draw your own conclusions as to the risk this might pose to the program's subsequent stages.

PROVIDER CONCERNS: "WILL THEY CUT OFF THE MONEY IN 2012?"

Some of our staff have fielded this question. My $0.02 response to the REC team:
Chief amid the most plausible speculation is the Obama veto hole card should some HIT incentives clawback legislation even get through the Senate (doubtful, IMO). Moreover, given that the funding was written into HITECH as not contingent on annual appropriations bills going forward, that would seem to insulate the money even further. Given all the acrimonious front-burner stuff facing the Hill at the moment for 2012, I am guardedly optimistic that MU money will still flow in 2012.

I think it’s safe to say there will not be any mounting of a 2/3 veto override vote regarding any emergent clawback legislation (very low probability in any event, given Senate rules) – the most overt of which has been H.R. 408, which has gone nowhere in a year (the salient recission clauses of which are SEC 301, 302 – btw, which are identical in its equivalent Senate Bill 178).

The Senate is key. The House is principally “all sound and fury, signifying nothing.” Now, in that regard, Senator Coburn – an MD, no less -- is on record favoring killing MU money (and, he has an actual vote, unlike all these Beltway HIT pundits). Nonetheless, I’m not seeing any traction on his proposal thus far.

Deven McGraw is a good cite as well, I would think, given her various insider perches.

One caveat, though: keep tabs on the accruing Poison Pill amendments to otherwise unrelated “must-pass-by-12/31” bills.

Long view big picture: the ROI case is there in any event. So, go after the MU $$$ while they are there; after all, they’re front-loaded to favor those who get in ASAP. Moreover, adroit HIT/HIE will be vital to health care organizational success irrespective of this or that federal initiative (IMO).

I could be wrong, though.

Here's what Senator Tom Coburn -- an MD, no less -- wrote in July:
“Back in Black” pp 215 – 216 Senator Tom Coburn July 2011


“End Federal Subsidies for Health Information Technology

A provision of the 2009 failed Stimulus law (American Recovery and Reinvestment Act) massively expanded the federal government’s role in health information technology. The aims many attribute to the Health Information Technology for Economic and Clinical Health (HITECH) Act sound good: using a variety of policy levers to promote the widespread adoption of health information technology and support digital sharing of clinical data among hospitals, physicians, and other health care stakeholders. However, a closer look at the data shows [sic] that Congressional action was the wrong mechanism to accomplish these goals.

Lawmakers in Congress may have been well-intended when they supported the HITECH Act, but the massive federal intrusion into health information technology is wasteful and duplicative of current business practices. According to the nonpartisan Congressional Budget Office, the use of health information technology was already projected to be widespread by the end of the decade – even without the adoption of the HITECH Act. CBO projected that, without the HITECH Act, two-thirds of physicians, approximately half of hospitals, and at least one in five critical access hospitals would still be robustly using health IT by the end of the decade. Some reports have suggested private sector health information technology in a multi-year period is far more than the federal government is projected to spend on health IT over the next decade. In fact, in a recent survey, more than half of respondents replied they have a fully operational electronic health record in at least one facility in their organization, and only 1 in 50 respondents had not yet begun to plan for the use of an EHR. The facts make it pretty clear that massive federal handouts and mandates are unnecessary to subsidize a behavior that is already being adopted on a widespread basis in the marketplace.

Additionally, the private sector has already developed compelling models for utilizing health information technology. Major health systems like the Mayo Clinic and the Cleveland Clinic all have adopted state-of-the-art health IT systems—without federal involvement. Private enterprises are leading the way in developing completely innovative approaches to health IT. Some are even exploring the development of open software for innovators to write electronic health record applications. Such an “open source” model of current business practices. According to the nonpartisan Congressional Budget Office, the use of health information technology was already projected to be widespread by the end of the decade – even without the adoption of the HITECH Act. CBO projected that, without the HITECH Act, two-thirds of physicians, approximately half of hospitals, and at least one in five critical access hospitals would still be robustly using health IT by the end of the decade. Some reports have suggested private sector health information technology in a multi-year period is far more than the federal government is projected to spend on health IT over the next decade. In fact, in a recent survey, more than half of respondents replied they have a fully operational electronic health record in at least one facility in their organization, and only 1 in 50 respondents had not yet begun to plan for the use of an EHR. The facts make it pretty clear that massive federal handouts and mandates are unnecessary to subsidize a behavior that is already being adopted on a widespread basis in the marketplace. [ did Jonathan Bush ghostwrite this part? – BG ]

Additionally, the private sector has already developed compelling models for utilizing health information technology. Major health systems like the Mayo Clinic and the Cleveland Clinic all have adopted state-of-the-art health IT systems—without federal involvement. Private enterprises are leading the way in developing completely innovative approaches to health IT. Some are even exploring the development of open software for innovators to write electronic health record applications. Such an “open source” model could help increase competition, flexibility and lower costs – all without federal action."

One way or another, we'll know before too much longer.