
Sunday, December 18, 2011

The twisty politics of HIT

..."Shortly before the passage of the 2009 federal economic stimulus package, Gingrich criticized the legislation as a "big politician, big bureaucracy, pork-laden bill." However, at the same time, Gingrich praised a provision of the stimulus package that allocated $19 billion to promote the use of health IT. He said, "I am delighted that President Obama has picked this as a key part of the stimulus package."

Under the stimulus package, health care providers who demonstrate meaningful use of certified electronic health records can qualify for Medicaid and Medicare incentive payments...

Right, Mr. Gingrich. Insofar as it was then politically convenient, eh?

Apropos of the foregoing, Monday morning news:

...Regulatory pressure is building on the industry to achieve the goals of Presidents George W. Bush and Barack Obama to provide most Americans with access to an electronic medical record by 2014. An early fissure as a result of that pressure comes as Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology, supports a federal advisory committee's recommendation in June that the CMS extend by one year the compliance deadline for Stage 2 meaningful use for some early adopters of health information technology...

Once we get the total head count and subsequent relative proportions of "early adopters" (those who attested in 2011), we'll have a better picture of how this all might shake out going forward. Pushing back Stage 2 was a good and necessary idea, IMO.

Also noteworthy in the Modern Healthcare article:
Breaches and privacy lapses make headlines again in 2011 as healthcare organizations suffer record data losses during the year. In September, in its report to Congress, the Office for Civil Rights at HHS says there have been more than 30,500 breaches, most with fewer than 500 records, since it began counting them in late 2009. By year's end, the office's public “wall of shame” lists 372 major breaches (involving 500 or more records each) totaling nearly 18 million records. Military healthcare payer Tricare Management Activity and its data backup services vendor, Science Application International Corp., tops the wall with the largest breach of the year at 4.9 million records.

I guess as the penetration of HIT increases, we should expect an increase in PHI breach incidents. Which brings to mind the following:

HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise...
I've installed it and have been kicking the tires. 492 questions (some of them conjunctive clause compound questions) spanning the gamut of 45 CFR 164.3. More on this shortly.


The NIST HIPAA toolkit is a bear. Lots of compound questions, e.g., the first 13 questions:
164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
  1. Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
  2. Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, training and compliance?
  3. Has your organization disseminated your Risk Assessment policies and procedures?
  4. Has your organization disseminated its Risk Assessment procedures to the work staff/offices with the associated roles and responsibilities?
  5. Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?
  6. Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
  7. Has your organization identified the types of information and uses of that information, and has the sensitivity of each type of information been evaluated (also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
  8. Has your organization identified all information systems that house ePHI?
  9. Does your organization's inventory include all hardware and software that are used to collect, store, process, or transmit ePHI, including Excel spreadsheets, Word tables, and other like data storage?
  10. Are all the hardware and software for which your organization is responsible periodically inventoried, including Excel spreadsheets, Word tables, and other like data storage?
  11. Has your organization identified all hardware and software that maintains or transmits ePHI, including Excel spreadsheets, Word tables, and other similar data storage, and included it in your inventory?
  12. Does your organization's inventory include removable media, remote access devices, and mobile devices?
  13. Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?
OK, and then the last section, first subsection:

164.316(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in subsection 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
  1. Does your organization have policies and procedures for administrative safeguards, physical safeguards, and technical safeguards?
  2. Does your organization have in place reasonable and appropriate policies and procedures that comply with the standards and implementation specifications of the HIPAA Security Rule?
  3. Do your organization's security policies and procedures take into consideration: 1) your organization's size, complexity and the services you provide, 2) your organization's technical infrastructure, hardware and software capabilities, 3) the cost of your organization's security measures, 4) the potential risks to day-to-day operation, including which functions and tools are critical to operations?
  4. Does your organization have procedures for periodic re-evaluation of your security policies and procedures, and update them when necessary?
  5. Does your organization change security policies and procedures at any appropriate time, and document the changes and implementation?
My take on this is that it would take a provider/organization 2-5 days to get thoroughly and forthrightly through it. And, really, this is just about the ePHI "Security" piece. "Privacy" is a different -- and potentially much more difficult -- issue. I wrote about the Security side back in June, and more recently I have been working on the privacy issues for our HIE.


So, my wife and I are devoted Mac snobs at home. Consequently, I was thrilled to recently see an iPad app get certified for meaningful use.

The product looks great, and I'll bet it's quite functional.


I was not happy to see this regarding the Meaningful Use Core 15 criterion ("Protect Electronic Health Information"):
We've taken care of this one for you!

All of the items below are done automatically through (web) drchrono EHR (iPad)

Access Control: Each user must have a unique identifier. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. §170.302(o)

Emergency access: Plan for emergency access for authorized users. Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. §170.302(p)

Automatic log-off: Turn on session timeouts.

Automatic log-off: Terminate an electronic session after a pre-determined time of inactivity. §170.302(q)

Audit log: Maintain audit logs.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in §170.210(b).
(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).

Integrity - Provide integrity check for recipient of electronically transmitted information. §170.302(s)
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.
(3) Detection. Detect the alteration of audit logs.

Authentication - Verify user identities and access privileges. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. §170.302(t)

Encryption - Use encryption where preferred. §170.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in §170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology. §170.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in §170.210(a)(2).

Accounting of disclosures - Record PHI disclosures. §170.302(v) Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in §170.210(e).

Conduct a security risk analysis and implement security updates.

Gotta love the last little orphan sentence. OK, everything associated with §170.nn has to do with the NIST EHR Certification specs, and nothing to do with complying with MU Core Measure 15:
Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.
Beyond having a CHPL-blessed system, it's the last item that counts for MU.
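To make the distinction concrete, here is what the certified-technology side of the "Integrity" and "Audit log" items above actually amounts to in code: a message digest the recipient recomputes to confirm nothing changed in transit, and an audit log whose entries are hash-chained so that an after-the-fact edit or deletion of any entry is detectable. This is an added example written for this post, not drchrono's code and not the certification standard itself; it assumes SHA-256 as the digest (the page references the standard in 170.210(c) without quoting it), and the log field names (user, action, patient) are my own choices. Note what it does not do: nothing in it is a risk analysis of the organization's own environment, which is what Core 15 asks for.

```python
"""Added example: transmission integrity check plus a tamper-evident audit log.

Assumptions (not taken from the page): SHA-256 as the digest algorithm, and
the audit entry fields below are illustrative.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def message_digest(payload: bytes) -> str:
    """Digest the sender attaches and the recipient recomputes (integrity items 1 and 2)."""
    return hashlib.sha256(payload).hexdigest()


def verify_received(payload: bytes, claimed_digest: str) -> bool:
    """Recipient-side check: recompute and compare in constant time."""
    return hmac.compare_digest(message_digest(payload), claimed_digest)


class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash,
    so altering or removing any earlier entry breaks the chain (integrity item 3)."""

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id: str, action: str, patient_id: str, when: datetime) -> str:
        """Record an action on ePHI (audit item 1); returns the entry hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": when.isoformat(), "user": user_id, "action": action,
                 "patient": patient_id, "prev": prev}
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def entries_between(self, start: datetime, end: datetime, sort_key: str = "ts"):
        """Generate the log for a time period, sorted by a chosen element (audit item 2)."""
        in_range = [e for e in self.entries
                    if start <= datetime.fromisoformat(e["ts"]) <= end]
        return sorted(in_range, key=lambda e: e[sort_key])


def sample_log() -> AuditLog:
    """Constructed sample entries for demonstration; timestamps are made up."""
    log = AuditLog()
    t0 = datetime(2011, 12, 18, 9, 0, tzinfo=timezone.utc)
    log.record("dr_smith", "view", "P001", t0)
    log.record("nurse_j", "update", "P002", t0.replace(hour=10))
    log.record("dr_smith", "export", "P001", t0.replace(hour=11))
    return log


def tamper_detection_demo():
    """Show that a silent edit of the middle entry is caught by verify()."""
    log = sample_log()
    ok_before, _ = log.verify()
    log.entries[1]["user"] = "someone_else"  # simulated after-the-fact alteration
    ok_after, first_bad = log.verify()
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    body = b'{"patient": "P001", "note": "constructed sample record"}'
    print("transit check:", verify_received(body, message_digest(body)))
    print("tamper demo (ok_before, ok_after, first_bad):", tamper_detection_demo())
```

The chain only makes tampering evident to whoever holds an independent copy of the latest hash; shipping that head hash to a separate log server (or a WORM store) is what turns "detect the alteration of audit logs" from a checkbox into something an auditor could actually exercise.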

I emailed them regarding this and gave them more than a week. Silencio. Nada. Zip. Zilch.

This is not the first time I've encountered this precise misinformation from an EHR vendor.

So, what if you got audited? "Well, they told us we were automatically in compliance..."

"Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies."

So, who cares?
Digital Data on Patients Raises Risk of Breaches
NY Times. Published: December 18, 2011

One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed...

Shall we tally up an estimate of the entire cost of not having corrected "identified security deficiencies" per HIPAA 45.CFR.164.3 et seq?


I blogged a bit about the 2010 HEDIS measures last year. I've been reading the 2011 report lately. Notwithstanding the new stratification of HMOs vs PPOs (and vs Medicaid as well), I can't really see that a whole lot has changed with respect to the major chronic indices. e.g.,

Overall, the "quality vs cost" proxy scatter plots still show an aggregate Pearson R of essentially zero. And, even where there are enticing (wish-fulfillment?) wafts of quadrant differentials, the small composite "N's" ought to give one pause.

Maybe we'll make tangible progress on these fronts in the next few years (we must if we are not to go BK as a society). IMO there are two concomitant (and intertwined) "fronts" -- care delivery process improvements (X-axis) and clinical outcomes improvement (Y-axis). The latter is, to a significant extent, more of a moving target.

"Value," my friends: Outcomes Quality / Cost. Hope it doesn't become this decade's Powerpoint / Seminar / Consulting / Book Sales cliche. (But, then, They Had Me at Deming.)

12/11 "PIONEER ACO" announcement

Interesting. Healthcare Partners of Nevada is one of the 32 announced today. We already work with them via our new HIE.


I played around a bit today with an app free trial that converts PDF tables to Excel files. CMS has updated its payments-to-date data (it says "November 2011" but it's not clear whether it's begin or end of month), so I downloaded the new PDF and converted it.

I added the 4 "pct" columns on the right, and sorted the data down by aggregate payment rank. The top 12 states account for 2/3 of the money. Texas, with ~8% of U.S. population, is now at 16.4% of the cash -- and nearly 3/4 of theirs is Medicaid.

It would be fun to also drop in the Census data for comparative "per capita" figures.

We'll see how all of the Medicaid Year One "A/I/U" free money crowd does in 2012 when they have to actually meet the MU criteria, for an entire calendar year attestation.

They have other tables that break things out by EPs vs Hospitals (Medicare, Medicaid, and aggregate), which would tell us where the bulk of the money is going vis-à-vis those strata (like we don't already know).

I may buy that utility -- if they have a Mac version.


A 27.4% reduction ensues on January first absent Congress passing the "Doc Fix" in the tax cut renewal bill. The health press is fairly abuzz.

Another quick little Excel screen-scrape cut & paste. The 2012 estimate is mine for these two CPT codes, btw. Just an estimate. The whole Medicare SGR formulation is inscrutably complex (and uniformly hated by primary care docs).

Who will blink first, Boehner or Obama?


I'm off 'til the 30th. To all of my awesome REC colleagues (both within our office walls and across the RECs), I wish you a joyful and safe Holiday season.

My dear friend, the breathtakingly talented Lenny Lopez on vocal.
