
Sunday, April 29, 2012

Policies and Procedures


Let us recap, shall we? (from my prior post)
Appendix A
CORRECTIVE ACTION PLAN
V. Corrective Action Obligations
The Covered Entity agrees to the following:
A. Policies and Procedures
1. The Covered Entity shall develop, maintain and revise, as necessary, written policies and procedures (“Policies and Procedures”) that (i) address the Covered Conduct specified in paragraph 2 of the Agreement and (ii) are consistent with the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). The Policies and Procedures shall include the minimum content set forth in section V.C. below. The Policies and Procedures required under this CAP may be in addition to, and may be incorporated into, any other policies and procedures required by the Privacy and Security Rules.
2. The Covered Entity shall provide the Policies and Procedures to OCR within sixty (60) calendar days of the Effective Date for review and approval. Upon receiving any recommended changes to such Policies and Procedures from OCR, the Covered Entity shall have thirty (30) calendar days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to OCR for review and approval.
3. The Covered Entity shall implement the Policies and Procedures within thirty (30) calendar days of OCR’s approval.
B. Distribution and Updating of Policies and Procedures
1. Within thirty (30) calendar days of OCR’s approval of the Policies and Procedures, the Covered Entity shall distribute such Policies and Procedures to all members of the workforce who use or disclose protected health information (PHI). The Covered Entity shall distribute the Policies and Procedures to any new member of the workforce who uses or discloses PHI within fifteen (15) calendar days of the workforce member’s beginning service.
2. The Covered Entity shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who use or disclose PHI. Such compliance certification shall state that the workforce member has read, understands, and shall abide by such Policies and Procedures.
3. The Covered Entity shall assess, update, and revise, as necessary, the Policies and Procedures at least annually (and more frequently if appropriate)...
DEFINITION
Policies and Procedures

A set of policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible.

(The "what" and the "why." - BG)

Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

(The "how" (which tools/methods/tasks/documentation), the "who," and the "when." - BG)

From businessdictionary.com (annotated)
Visual analogies.

Policies enable us to steer (the "what") safely (the "why").
Procedures are the operative gears in the Policy drive train (the "methods," the "who," the "when").
Are we clear?

Update: from "6 things to know about an OCR/HIPAA audit," points 5 and 6:
5. It's all about clean, clear documentation. "One of the things about auditors that makes them happy is good, complete documentation upfront," said Apgar. Having good documentation, he said, will also make them less likely to want to "look under the rug … If you don't have that, they'll get suspicious and turn a little nastier." From a bottom line perspective, said Apgar, organizations should expect a letter from OCR, requesting information within 10 business days. "And that's 10 days since the letter was sent, not 10 days since you receive it," he said. "If you're the CEO, it takes a while for the letter to percolate down, so now you're way behind the 8 ball." Therefore, it's key to have documentation prepared ahead of time, paying attention to programs, policies, procedures, incident response plans and risk analysis. "That all needs to be centralized, so you can quickly grab it and make it available to the auditors," said Apgar.

6. Know auditors can look at anything and everything. The last thing that's important to know, said Apgar, is whether the auditor can look or review patient information. "And the answer is yes, they can because they're working on behalf of the OCR and are in contract with them," he said. "Under the HIPAA regulation, if the secretary, meaning OCR, is investigating or auditing, then they have the right to see anything and everything." In the end, said Apgar, if your information is up-to-date and in line with HIPAA rules, you're good to go. "It needs to be current, accurate, complete and not only implemented, but enforceable," he said.
Point #5. It is customary in any regulated field that once you have been notified that you are to be examined, auditors will request copies of your policies and procedures for review prior to the onsite visit.

OK, what would you think were you to run across something like this in a P&P document?
PRIVACY POLICY

It is the policy of XYZ to require that all Participants in the Health Information Exchange (HIE) comply with state and federal laws and regulations related to the use and disclosure of Protected Health Information (“PHI”), as well as with the privacy & information security policies of.

Each Participant shall, at all times, comply with all applicable federal and state laws and regulations that protect the confidentiality and security of PHI and establish certain individual privacy rights, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its accompanying regulations, 45 C.F.R. Parts 160 and 164; and Subtitle D of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”), 42 U.S.C. §§ 17921-17954.

It is the policy of XYZ to ensure that appropriate operational, physical, and technical safeguards exist to prevent the unauthorized use or disclosure of PHI. In the same way the Covered Entities (CEs) and providers currently have the responsibility to safeguard PHI contained in records and systems within their facilities, they shall have the responsibility not to inappropriately use or disclose PHI obtained through XYZ.

The Board of Directors of XYZ shall have primary responsibility for overseeing the execution and revision of privacy and information security policies, ensuring that audits occur, and that results and corrective actions are reported to the Board.

The Board shall oversee the activities of XYZ to evaluate compliance by Participants with this policy and enforce its terms.

This policy applies to all Participants that have entered into Participation Agreements with XYZ that may provide, make available, or access PHI through XYZ. Participants shall have responsibility for ensuring compliance with this policy at their sites.

PROCEDURES
1. Each Participant shall use reasonable efforts to stay abreast of any changes or updates to, and interpretations of, such laws and regulations to ensure compliance.

2. Each Participant shall, at all times, comply with all applicable policies.

3. XYZ policies may be revised and updated from time to time upon at least 45 days prior written notice to Participants. Each Participant is responsible for ensuring it has, and is in compliance with, the most recent version of the policies.

4. Each Participant is responsible for ensuring that it has the requisite and appropriate internal policies for compliance with applicable laws and policies.

5. In the event of a conflict between policies and a Participant’s policies, the Participant shall comply with the policy that is more protective of patient confidentiality and security.
"Procedures?" Seriously?

1-5 are policy statements (#2 is particularly, redundantly rich). None of them tell me who does what, how, and when. An audit here would not get off to a good start.

BY THE WAY


"BAs" beware. You are now to be accorded the same level of OCR scrutiny and face the same liabilities as CEs. The Final Rule comprising the procedural and focal regulatory details will soon be released, but, as of Feb 17th, 2009, it's clearly been the Law.

NICE NEW BLOG ANNOUNCED 

Ober|Kaler Launches OberHITblog.com

[PR Newswire] Health Information Technology Blog covers privacy and security of medical information along with health care information technology issues

BALTIMORE, April 30, 2012 /PRNewswire/ -- The law firm of Ober|Kaler announced today the launch of its Health Information Technology and Privacy blog, OberHITblog.com. The blog provides guidance to health care providers and facilities as they move into a new electronic era of privacy and security concerns under HIPAA and the HITECH Act. Ober|Kaler lawyers Jim Wieland, Sarah Swank, Paul Kim and Josh Freemire are the blog's authors...
I met Jim Wieland at HIMSS12 while covering the HIPAA/OCR session.

Added to my blogroll
___

NEW BOOK BY DR. TOUSSAINT


My copy arrived at the office Friday. I'm about halfway through it. I will be citing some excerpts shortly. A great read, structured in a way that you can flip back and forth to topics of priority interest. He makes some claims and proffers that give me pause. They've not yet published a Kindle version, or I'd already be citing passages. Their pdf "Exec Summary" can be viewed here. A summation screen snip of mine:



Much more to come.

BTW, I heard last week via back channels that I have an "entertaining and sometimes outspoken" blog. Well, I'm glad [1] someone is reading it (though it's not why I write it), and, [2] that it's found to be "entertaining."

Read perhaps "radioactively irreverent and otherwise too often off the reservation"?

The comment was from one of the people involved in attempting to establish a "REC Trade Association" (which I mentioned in my prior post). I understand that they are "now up and running."

I reached out to the identified principals (one of whom is a former ONC Project Officer) via email to voice my support of the initiative.

Nada. Nein. Nyet. Zilch. Zero. Silencio.

I then Googled six ways to Sunday to see what might pop up on the web. Uh,


OK, well, that was unfortunate for a first result. Sort of an unintentional Santorum.
(I know what they're calling the new venture, inclusive of the acronym and logo, btw, which only makes the nil search results all the more puzzling. Pretty short REC lobbying leash here.)
We'll see what happens. I will not divulge what I've been told.
___

HEATHCARE 'WORKFORCE" ISSUE


Source article by the author. Also, listen to this interview.


From the Salon piece:
Approximately 15 percent of all healthcare workers and 25 percent of all physicians in the United States were born and educated elsewhere. This means that 1.5 million healthcare jobs are “insourced,” occupied by foreign-born, foreign-trained workers brought into the United States on special visas earmarked for healthcare jobs. This number is 50 percent greater than the total number of jobs in the U.S. auto-manufacturing industry. It’s amazing to consider that in 2008 and 2009, the auto industry, which makes up just 3.6 percent of the U.S. economy, received a $97 billion bailout. If we estimate that each of these 1.5 million insourced healthcare jobs has an average wage of $60,000, that’s $90 billion a year in wages going to people brought into the United States to work rather than training Americans to do the same jobs.

The healthcare industry makes up 16 percent of our economy. Yet even in these days of close to 10 percent unemployment, we do not invest enough money in our young people to train them for jobs in healthcare — an already understaffed industry that will have to serve an additional 32 million people once the provisions of the 2010 health-reform law take full effect. Instead, when faced with pressure from hospitals and nursing homes for more healthcare workers, the federal government grants visas to import nurses, physicians, pharmacists, physical therapists, and many other types of healthcare workers from countries that can ill afford to lose them...
Part of our REC work is that of HIT workflow development liaison with the domestic institutions involved with healthcare education. I will certainly apprise my contacts of this.

MAY 1ST UPDATE

I searched out Dr. Tulenko's email address and reached out to her. She responded forthwith and offered to call me to discuss some of these healthcare workforce issues. We did so today, and had the most delightful conversation. I will be reviewing her new book when it comes out.


From the Amazon.com blurb:
For years, opponents of outsourcing have argued that offshoring American jobs destroys our local industries, lays waste to American job creation, and gives foreigners the good jobs and income that would otherwise remain on our shores. Yet few Americans realize that a parallel dynamic is occurring in the healthcare sector--previously one of the most consistent sources of stable, dependable living-wage jobs in the entire nation.

Instead of outsourcing high-paying jobs overseas--as the manufacturing and service sectors do--hospitals and other healthcare companies insource healthcare labor from developing countries, giving the jobs to people who are willing to accept lower pay and worse working conditions than U.S. healthcare workers. As Dr. Tulenko shows, insourcing has caused tens of thousands of high-paying local jobs in the healthcare sector to effectively vanish from the reach of U.S. citizens, weakened the healthcare systems of developing nations, and constricted the U.S. health professional education system...
What a Sheet she has.

Kate Tulenko, MD, MPH, MPhil

I look forward to adding this one to my increasing reading list.
___

NECESSARY AND DESERVED PROPS

My cube mate Kevin Jones.


We hired Kevin out of the CSN HIT program. He's a retired US Navy nuke sub "Corpsman" -- basically the medical officer on a Boomer. The following came across my inbox today at work.
From: Bill Berliner
Sent: Monday, April 30, 2012 1:06 PM
To: Kevin Jones
Cc: Erick Maddox; Keith Parker; Kevin Kennedy
Subject: EMR - meaningful use kudos

At the Nevada State Medical Association state convention this weekend I was approached by Dr Fathie. She sang the praises of Kevin, as a wonderful help in getting to Meaningful Use. She said Kevin was a calming influence in a sometimes stormy situation. Well done Kevin. BILL
Bill Berliner is one of our Medical Directors, a man I hold in the highest regard. I personally know this characterization to be the case. My response to Bill's and Dr. Fathie's kudos was simply
To: Keith Parker; NV HIT Forum; Bill Berliner
Cc: Deborah Huber; Sharon Donnelly
I am not surprised.
Nice to see acumen and effort recognized. Very nice.
___

ON "EMINENCE BASED MEDICINE"
From Medscape Internal Medicine
Why Doctors Keep Doing Treatments That Don't Work
Joseph M. Smith, PhD, MD; Gary Wolf

Editor's Note:

Joseph Smith, MD, PhD, Chief Medical and Science Officer for West Wireless Health Institute in La Jolla, California, was interviewed by Gary Wolf, a contributing editor at Wired magazine, at a panel discussion in San Diego called "Quantified Self and the Future of Personal Health." The panel also included Eric J. Topol, MD, Director of the Scripps Translational Science Institute and Chief Academic Officer for Scripps Health, and Larry Smarr, founding Director of the California Institute for Telecommunications and Information Technology. The following is a transcript of the discussion with Dr. Smith.
__
Gary Wolf: Joe, of the panel here, you are the most directly engaged in how healthcare is managed today, because when you talk about lowering costs, you talk about lowering the cost of the healthcare system that we have today. For instance, to lower costs you have to address people who are patients or potential patients and see people as consumers or participants in the healthcare system.

What do you see as the big wins in lowering costs, in terms of new knowledge? We can lower costs by making the paper move faster in the system and such, but what new knowledge is available to us through these systems? What diseases or treatments or systems in the body do you think will produce the biggest payoff in the next few years?

Joseph M. Smith, PhD, MD: It's a tough question. People smarter than myself have previously said that prediction is difficult, particularly when it involves the future. I wouldn't want to definitively predict specific events, but there are some obvious opportunities and what seems like an unavoidable trajectory toward them.

You have talked rather generously about evidence-based medicine. Most of medicine isn't evidence-based. The overwhelming majority is more "eminence-based," to steal from my colleague to the right [Eric Topol]. We do things because we have always done them. That is going to be less tenable, and you will be put under more and more scrutiny about "Why is that? Why is this happening to me?" or "Why, doctor, are you doing that as opposed to this?" You peel back the level that says, "Well, actually, there isn't any evidence to support that. That was merely my historical preference as opposed to my data-driven wisdom and decision-making." That will put pressure on what we do and will ask us to answer some of the questions about dominant practices that are founded largely by history.

Gary Wolf: I am going to put you on the spot: What dominant practices? Name a couple.

Dr. Smith: If you go to your doctor at the moment with lower back pain, there is a pretty good likelihood that you will get some imaging for that, and there are pretty good data that say that no subsequent decisions hinge on the observations made in that imaging, or that those decisions will happen at some incredibly low likelihood. But it goes much deeper than the instances of known waste. We do a lot of things, as Eric [Topol] pointed out, that are population-based when we fully know that 30%-40% of the people to whom we provide such therapies derive no benefit but experience all the costs and all the adverse consequences. All it takes is understanding the genetic determinants, the historical determinants, or the epigenetic determinants that say, "In you, this therapy won't work, so skip it." The opportunity to take potentially life-saving therapies and give them only to the 30%-50% of a cohort that deserves them, by virtue of having some positive impact, saves half of the expense.

Estimates of known waste are $700-$800 billion a year. The things we don't yet know are larger because we are doing things that are in the guidelines. But when you peel back a layer, those guidelines are derived largely from apocryphal suggestions in remote history, right? So, there is a tremendous opportunity, as we put pressure on the system, to justify why we do what we do.

Importantly, we have a system with a bandwidth limitation living at the doctor. We can't keep up with the onslaught of information. We can't keep up with the patients we have to see. We are not really good at even figuring out which of the patients we are responsible for need to be seen at a particular time. We realize that "maybe I shouldn't be making those decisions because I can't comprehend all the diseases that my patients have. They are presenting information I don't yet know how to interpret." Maybe we need to offload that to smart systems.

Every other technologically sophisticated endeavor in which humans have participated has had the opportunity to use massive information technology and smart algorithms. You can take your car in and the mechanic no longer says, "Let me see what's wrong with your car." No -- they plug in a chip and say, "Look at that. It turns out that one cylinder is off by a little bit. Let me fix that for you." Why can't we do that with ourselves? We have to do it to ourselves because we are bandwidth-limited at the moment, and so we have to move to that type of system. It offers a great opportunity for saving.
Interesting. "Estimates of known waste are $700-$800 billion a year." Yeah. See "Potent Medicine." Also, "[i]mportantly, we have a system with a bandwidth limitation living at the doctor. We can't keep up with the onslaught of information."

See "Medicine in Denial."

e.g., from my other Medical Director today, Dr. Jerry Reeves:
I bet you will enjoy this interview with Larry Weed as well. 

http://xnet.kp.org/permanentejournal/sum09/Lawrence_Weed.html

He was a major influence on me early in my career. The Air Force Medical Corps has been using his problem knowledge couplers for years.

Jerry
Indeed, doc. I am all over all things Weeds'.

(Hmmm... that could be misconstrued...)
___

MY REC BLOG WORD CLOUD

I have precisely no idea what this signifies.


___

COMPLETELY OFF-TOPIC ('cause it's my blog)

My grandson signs with St. Olaf today.


He's been courted by the gamut of colleges and universities across the country. 3.8 GPA, a mow-down machine on the field. Former nationally-ranked in the USTA in his tennis age division.

His grandmother and I are very happy with this decision. We were not real high on the Div I meatgrinder. St. Olaf coughed up, big-time. We are quite grateful.
___
 
MAY 3RD UPDATE

Some really good stuff here. Added this blog to my blogroll.


to wit:
Thursday, February 3, 2011

Charting Requirements Interfere with Patient Care
Yesterday’s column on the burden of nurse documentation in the New York Times by Theresa Brown, RN was spot on. She details many of the rather onerous charting requirements mandated by myriad regulatory agencies and insurance companies. She laments the fact that the documentation is so time consuming that it takes away from her mission to care for the patient. She says that nursing has always been guided by the dictum “If it isn’t charted, it isn’t done,” and points out that charting everything a nurse does during a shift is impossible in reality.

The problem has been compounded by the electronic medical record which makes it easy to insert pop-ups and drop-downs so that anything some bureaucrat fancies can be added to the chart. Of course, the nurse still has to login and get past a number of screens before she finally reaches the section she wants. Here’s the bad news. Other than the bureaucrats and operatives from the Quality Assurance Improvement department, NO ONE READS THIS USELESS INFORMATION. It simply clutters up an already very “busy” electronic chart...
More to come...

Saturday, April 21, 2012

Just in case you thought OCR wasn't serious

News Release
FOR IMMEDIATE RELEASE
April 17, 2012
Contact: HHS Press Office   
(202) 690-6343

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients...
From the settlement memorandum (pdf):
C. Covered Conduct

OCR’s investigation revealed the following conduct occurred (“Covered Conduct”):
(a) From April 14, 2003 to October 21, 2009, Covered Entity did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity.

(b) From September 1, 2005 until November 1, 2009, Covered Entity failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI). These failures contributed to and are evidenced by the following acts or omissions:

(i) From July 3, 2007 until February 6, 2009, Covered Entity posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar; and

(ii) From September 1, 2005 until November 1, 2009, Covered Entity daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.

(c) From September 1, 2005 until November 30, 2009, Covered entity did not implement required administrative and technical security safeguards for the protection of ePHI. These failures contributed to and are evidenced by the following acts or omissions:

(i) From September 1, 2005 (when Covered Entity began sending ePHI by email) until April 16, 2009, Covered Entity failed to identify a security official; and

(ii) From September 1, 2005 (when Covered Entity began sending ePHI by email) until November 30, 2009, Covered Entity failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the covered entity.

(d) From September 1, 2005 until December 3, 2009, Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity. This failure is evidenced by the following acts and omissions:

(i) From September 1, 2005 until November 1, 2009, Covered Entity permitted the entity providing the Internet-based email account to receive, store, maintain and transmit ePHI on the Covered Entity’s behalf without obtaining satisfactory assurances in a business associate agreement with the entity; and

(ii) From July 3, 2007 until December 3, 2009, Covered Entity permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on its behalf without obtaining satisfactory assurances in a business associate agreement with the entity...
__
Appendix A
CORRECTIVE ACTION PLAN
V. Corrective Action Obligations
The Covered Entity agrees to the following:
A. Policies and Procedures
1. The Covered Entity shall develop, maintain and revise, as necessary, written policies and procedures (“Policies and Procedures”) that (i) address the Covered Conduct specified in paragraph 2 of the Agreement and (ii) are consistent with the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). The Policies and Procedures shall include the minimum content set forth in section V.C. below. The Policies and Procedures required under this CAP may be in addition to, and may be incorporated into, any other policies and procedures required by the Privacy and Security Rules.
2. The Covered Entity shall provide the Policies and Procedures to OCR within sixty (60) calendar days of the Effective Date for review and approval. Upon receiving any recommended changes to such Policies and Procedures from OCR, the Covered Entity shall have thirty (30) calendar days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to OCR for review and approval.
3. The Covered Entity shall implement the Policies and Procedures within thirty (30) calendar days of OCR’s approval.
B. Distribution and Updating of Policies and Procedures
1. Within thirty (30) calendar days of OCR’s approval of the Policies and Procedures, the Covered Entity shall distribute such Policies and Procedures to all members of the workforce who use or disclose protected health information (PHI). The Covered Entity shall distribute the Policies and Procedures to any new member of the workforce who uses or discloses PHI within fifteen (15) calendar days of the workforce member’s beginning service.
2. The Covered Entity shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who use or disclose PHI. Such compliance certification shall state that the workforce member has read, understands, and shall abide by such Policies and Procedures.
3. The Covered Entity shall assess, update, and revise, as necessary, the Policies and Procedures at least annually (and more frequently if appropriate).
4. The Covered Entity shall not involve any member of its workforce in the use or disclosure of PHI if that workforce member has not signed or provided the written or electronic certification as required by this section V.B.
C. Minimum Content of the Policies and Procedures
The Policies and Procedures shall, at a minimum, include:
Administrative Safeguards (45 C.F.R. §§164.308 and 164.530(c))
1. An accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit documentation of its most recent risk assessment completed since its initial risk assessment of December 2009.
2. A risk management plan that implements security measures sufficient to reduce risks and vulnerabilities to ePHI identified by the risk assessment to a reasonable and appropriate level, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit its risk management plan developed after completing its most recent risk assessment pursuant to subsection 1, above. Covered Entity’s risk management plan must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.
3. Identification of a security official who is responsible for the development and implementation of the Policies and Procedures required by this CAP and the Security Rule.
4. Satisfactory assurances that each business associate that receives, maintains, stores or transmits ePHI on behalf of the Covered Entity and has access to said ePHI will appropriately safeguard the ePHI in a written contract that meets the applicable requirements of the Security and Privacy Rules (see 45 C.F.R. §§164.314(a) and 164.504(e)).
Technical Safeguards (45 C.F.R. §§164.312 and 164.530(c))
5. Technical safeguards for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights pursuant to the Covered Entity’s information access management policies, including, but not limited to, remote access to the Covered Entity's electronic information systems.
6. Technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI transmitted to or from or stored on a portable device, regardless of whether the portable device is owned by the Covered Entity or a workforce member. Covered Entity must submit evidence to satisfy this obligation that includes text messaging of ePHI.
Training of Workforce (45 C.F.R. §§164.530(b) and 164.308(a)(5))
7. Training of all workforce members of the Covered Entity, including management, who use or disclose PHI on the Covered Entity’s Privacy and Security Rule policies and procedures, as necessary and appropriate to carry out their functions within the Covered Entity. The training must include, but not be limited to, security awareness for all workforce members, including security reminders, procedures for guarding against malicious software, log-in monitoring, safeguarding passwords. Covered Entity must provide documentation that it has completed a Privacy and Security Rule training since 2009 that includes additional training addressing its revised policies and procedures on the use and transmission of ePHI by text messaging, in accordance with section D.1., below.
D. Training
1. Within sixty (60) calendar days of OCR’s approval of the Policies and Procedures identified in section V.A., the Covered Entity shall provide specific training on the Policies and Procedures to all workforce members who use or disclose PHI and shall provide such training to each new member of the workforce within fifteen (15) calendar days of the workforce member’s beginning his or her service.
2. Each workforce member attending the training shall certify, in electronic or written form, that the workforce member received the training on the Policies and Procedures and the date such training was received. The Covered Entity shall retain the training certifications and the training course materials for six (6) years.
3. The Covered Entity shall review the training annually and update the training to reflect any changes in Federal law or OCR guidance, revisions to the Policies and Procedures, or any issues discovered during audits or reviews.
4. The Covered Entity shall not involve any member of its workforce in the use or disclosure of PHI if that workforce member has not signed or provided the written or electronic training certification as required by this section V.D.
E. Reportable Events
If the Covered Entity determines that a member of its workforce has violated the Policies and Procedures required by section V.A.1., the Covered Entity shall notify OCR in writing within thirty (30) calendar days. Such violations shall be known as “Reportable Events.” The report to OCR shall include the following information:
1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the Policies and Procedures implicated; and
2. A description of the Covered Entity’s actions taken to mitigate any harm and any further steps the Covered Entity plans to take to address the matter and prevent it from recurring.
VI. Implementation Report
Within sixty (60) calendar days after receiving OCR’s approval of the Policies and Procedures required by section V.A.1., the Covered Entity shall submit a written report to OCR summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
A. The following documentation that the Covered Entity has implemented the Policies and Procedures required by section V.A.1.:
1. Copy of most recent risk analysis;
2. Copy of most recent risk management plan and evidence that its implementation has been completed;
B. An attestation signed by an owner or officer of the Covered Entity attesting that the Policies and Procedures have been distributed to all appropriate members of the workforce within 30 days of OCR’s approval and that the Covered Entity has obtained all of the compliance certifications required by section V.B.2.;
C. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;
D. An attestation signed by an owner or officer of the Covered Entity attesting that all members of the workforce who use or disclose PHI have completed the training required by this CAP and have executed the training certifications required by section V.D.2.;
E. A summary of Reportable Events (defined in section V.E.) that have occurred since the Effective Date of this CAP and the status of any corrective and preventative action(s) relating to all such Reportable Events;
F. An attestation signed by an owner or officer of the Covered Entity listing each of the Covered Entity’s locations (including mailing addresses), the name under which each location is doing business, the corresponding phone numbers and fax numbers, and attesting that each location is in compliance with the obligations of this CAP; and
G. An attestation signed by an owner or officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
VII. Document Retention
The Covered Entity shall maintain for inspection and copying all documents and records relating to compliance with this CAP for six (6) years.
VIII. Breach Provisions
The Covered Entity is expected to fully and timely comply with all provisions contained in this CAP.
A. Timely Written Requests for Extensions. The Covered Entity may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by OCR at least five (5) business days prior to the date such an act is required to be performed.
B. Notice of Breach and Intent to Impose CMP. A breach of the CAP by the Covered Entity constitutes a breach of the Agreement. Upon a determination by OCR of a breach of this CAP, OCR will notify the Covered Entity of the breach thereof (this notification is hereinafter referred to as the “Notice of Breach”).
C. Covered Entity’s Response. The Covered Entity shall have thirty (30) calendar days from the date of receipt of the Notice of Breach to demonstrate to OCR’s satisfaction that one of the following conditions applies:
1. The Covered Entity is in compliance with the obligations of the CAP cited by OCR as the basis for the breach; or
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the thirty (30) calendar day period, but that (i) the Covered Entity has begun to take action to cure the breach; (ii) the Covered Entity is pursuing such action with due diligence; and (iii) the Covered Entity has provided to OCR a reasonable timetable for curing the breach.
D. Imposition of CMP. If, at the conclusion of the thirty (30) calendar day period, the Covered Entity fails to meet the requirements of section VIII to OCR’s satisfaction, OCR may proceed to impose a civil money penalty (CMP) pursuant to 45 C.F.R. Part 160 for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the Privacy or Security Rules. OCR shall notify the Covered Entity in writing of its determination to proceed with the imposition of a CMP.
___
Well, there it is, in black and white.

I blogged about the Meaningful Use Core 15 compliance issue nearly a year ago.

Beyond the nominal $100,000 fine, I have to wonder how much this is going to cost this one CE in total. Moreover, let's say, for the sake of argument using E-Z round numbers, that the cost will be double the $100k (just to this clinic). $200k would otherwise pay for roughly 2,400 level 99213 Part-B visits, or perhaps 4,000 HbA1c tests, etc. Add up all of these OCR fines, and that's a lot of actual health care delivery opportunity cost.

I also have to wonder how many small outpatient CE's could pass an OCR/HIPAA audit without monetary settlement sanction (or worse), Meaningful Use Core 15 compliance "attestation" notwithstanding.

Stuff like this doesn't help matters, either:


I first ran across this last year, after seeing a breathless press release regarding Dr. Chrono's ONC-CHPL certification. Given my affinity for Apple platforms, I surfed straight to their website.

I immediately apprised them, both via their website comment page and via their Facebook page, of this glaring misstatement, one that could help land their more-willingly-in-denial CE clients in OCR HIPAA hot water. Their MU Core 15 page irrelevantly lists all of the NIST specs for certification of the product. None of which has the first lick to do with the ePHI Security compliance requirements of 45 CFR 164.3xx (moreover, it should be stressed that these requirements extend to all CEs, not just those applying for Meaningful Use money).

I revisited their site, and snipped out and annotated the foregoing this morning perhaps an hour ago. Nothing has changed. Under the "How to make it happen" link, all you see is this:
drchrono Notes
posted this on June 11, 2011 07:05 pm
Access control: It is necessary for all users to consistently sign in with their own unique ID in order to accomplish.

Emergency access: Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. Click here for more information.

Automatic log-off: Terminate an electronic session after a predetermined time of inactivity. Click here for more information.
Yeah. Right. Are you people kidding us? I'm having a bit of a Clinic Monkey Moment.

Sure would love to have a copy of their customer list.


Read the OCR Phoenix Cardiac Surgery enforcement settlement again. Draw your own conclusions. Maybe ring up Drs. Tibi and Fang. Wonder whether their EHR vendor told them "hey, we've got this one covered for you."


See my December 18th, 2011 post for more about my concern on this stuff. Take particular note of this section.
HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise...
I've installed it and have been kicking the tires. 492 questions (some of them conjunctive clause compound questions) spanning the gamut of 45 CFR 164.3...
...My take on this is that it would take a provider/organization 2-5 days to get thoroughly and forthrightly through it. And, really, this is just about the ePHI "Security" piece. "Privacy" is a different -- and potentially much more difficult -- issue.
So, were you to go through all of this, say, with the help of a credible consultant** and correct all of your adverse risk analysis findings to be comfortably and defensibly in compliance (you will in fact uncover a number of them), you're looking at perhaps $5 - $10k total cost for a small shop like Phoenix Cardiac.

You can pay it now, or you can pay it later, by maybe a factor of 20 or more.
** REC "sustainability" prospect here? We are not charged with signing off on MU Core 15 compliance (though that's probably what a lot of REC clients wishfully want or think). We just provide the requisite information and free tools. Biz Opp here, no?
UPDATE

What Can We Learn About HIPAA From Phoenix Cardiac Surgery?

Phoenix Cardiac Surgery probably never thought they would be a poster child for HIPAA safeguards, but this 5-physician cardiothoracic practice in Prescott, Arizona has become famous for something no medical practice wants to be famous for – not protecting their patient information...

What Can We Learn?
You won’t escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.
Physicians are not exempt from responsibility. Most physicians do not want to use the hospital or practice network email – they want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business. This is a bad habit. Emails to and from the physicians announcing meetings and reminding them of tasks are fine, but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
Understand your technology. This is why the risk assessment is so important – you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!
UPDATE

Equally notable, if not moreso, was the earlier HHS announcement concerning their $1.5 million enforcement settlement with Blue Cross-Blue Shield of Tennessee (pdf). Different HIPAA violation particulars, but BCBST got similarly CAP'd. (Corrective Action Plan)
___

REGARDING REC SUSTAINABILITY

We had a nice informal staff Q&A chat with our congenial CEO Mark Bennett the other day. I asked about the "sustainability" thing, and the possibility of continued REC federal funding, as some have argued for in the HIT press of late. He replied vaguely that there was a "REC Association" forming to essentially lobby for that (he's a past President of AQHA, the "trade association" for QIOs like mine, so he's in the loops on things like this).

I need names, email addresses and phone numbers.

(4-23 update: got 'em, thanks to Sharron Donnelly)

This article I found is instructive:
Regional Extension Centers: Where are they and where are they going?

Federal funding for RECs runs out after four years (2013), at which point the RECs are expected to be self-sustaining. Yet as with Health Information Exchanges, it appears that sustainability is a real issue for RECs, and fee schedules for REC services reflect their challenge in remaining viable. As reported by eHi, 67% of the 21 reporting RECs indicate they charge a flat fee while 16% said they charge either a per-hour fee or use a subscription model with tiered services.

So what does all this mean for health centers? Is aligning with a Regional Extension Center as a resource for EHR selection and meaningful use qualification a “no-brainer” for community health centers with limited resources?

As previously noted, RECs typically elect to support a small number of EHRs, or in some cases a single recommended EHR. We know that health centers have unique functional requirements for EHRs, and HIT in general, and therefore the adoption of an EHR, even if it has already been selected by the REC, needs to be vetted very carefully. Health centers should conduct careful and informed due diligence to be sure the REC supported product meets the center’s needs.

Further, to date, community health centers report varied experience with RECs. Of those health centers responding to the recent HIT readiness survey, 40% were receiving some form of technical assistance from Regional Extension Centers. Responding to the question, “How helpful is this REC collaboration in advancing your efforts to achieve Medically Underserved (MU) status?” – one half of those engaged with RECs reported that the REC was either “helpful” (23.7%) or “very helpful” (25.2%). Over a quarter reported that their REC participation was “not helpful yet, but potentially helpful” (26.7%). With little data to go on, it is unclear that RECs can help expedite and smooth the path to MU qualification. That being said, RECs can be a resource for both EHR selection and meaningful use qualification.

The purpose of RECs is to help provide assistance to a broad range of providers and help level the playing field toward EHR adoption and meaningful use. Primary care associations and/or health center controlled networks are also a significant resource.

RECs will have to develop sustainable models in order to remain relevant once federal funds run out. The fee-for-service model intended by some RECs to achieve sustainability will add a cost burden for health centers and other providers. This necessitates new models focused on collaboration and partnerships with vendors and with state agencies and entities that can provide both support and expertise.

While it appears that RECs may need to mature further, foster tighter relationships in order to support providers locally and make available IT people who can “look at the dirt,” they are one resource that can assist health centers in making their way down the MU path.
"RECs typically elect to support a small number of EHRs, or in some cases a single recommended EHR."

Not us. We are assiduously "vendor neutral." Insofar as such a policy obligates us to support clients using perhaps 40 or more certified EHRs, it carries its own liabilities.

In the aggregate, I think the RECs are doing the very best that they can, given their marching orders.

You have to ask: what would be the upshot of ONC itself being put on a two-year sustainability performance leash?

Asked and Answered.

"Federal funding for RECs runs out after four years (2013), at which point the RECs are expected to be self-sustaining."

Color me skeptical. I see the potential prospect of myriad Monster.com Moments.
___

SPEAKING OF MU ATTESTATIONS

The latest from ONC, CMS, and Healthdata.gov:



Nearly $4.5 billion disbursed so far. Hospitals thus far have gotten the bulk of the money. No surprise there.

MONDAY 4-23 UPDATE

Here's how NextGov.com headlined the latest the news:


Catchy. Hey, "Raking IT In"!


I downloaded the Healthdata.gov export file and cranked around in it. Snippet above (click the image to enlarge). Eight vendors account for half of attestations to date (out of nearly 600 with one or more attestations thus far). Thirty vendors account for 75%. 

Dr. Chrono is down at number 180 on the list with 20 attestations. Be interesting to see whether any of them get called up for an OCR HIPAA audit. I am thus far unable to determine whether any Dr. Chrono users are REC clients.

My understanding is that this 2012 round of OCR HIPAA audits (administered via contract to KPMG) comprises a mix of complaint-initiated and random CE and BA selection. They are not revealing the exact selection process.
___

Apropos of nothing, really, Google "Ober Kaler Regional Extension Center blog"


My blog citation is the first result. From my coverage at HIMSS12. They contacted me to ask if they could use my photos. Absolutely.

Nice.
___

CODA

Sunday afternoon, April 22nd. I can't help it. The Power of Photoshop Compels Me...


Thirty minutes or so putzing around in Photoshop and online while watching the Sudden Death OT Boston Bruins NHL playoffs win in an EyeTV window on my iMac.

apropos, April 24th update:


Also
As More Docs Use Digital Records, So Will Consumers
HITECH Act is prompting widespread adoption of e-health records, but there's more to "Meaningful Use" than what's in the government's programs.
...Without doctors using EHRs, you're not going to get buy-in from patients to use personal health records to manage their own health. When patients are relatively healthy, encounters with healthcare providers are few and far between. Starting a PHR to track very occasional vaccinations or even to record a yearly exam isn't a high priority for a lot of people unless it's super easy to do. That means having data available from healthcare provider to load into a digital record, not typed by hand by the patient. And it also means giving patients a reason to visit a PHR more than once a year, if that.

Chronically ill patients certainly have good reason to use PHRs to manage prescriptions, medical appointments, and lab results, and to refer to discharge instructions after a hospitalization. But again, if PHRs are too hard to use--and if there's no data that's available to be loaded into them--few patients will use them.

"Widespread consumer adoption of PHRs remains elusive," said Lynne Dunbrack, program director at IDC Health Insights. "Uptake and reasons expressed for not using a PHR have remained remarkably consistent for the past five years," she said in an email interview with InformationWeek Healthcare.

According to an IDC Health Insights' Connected Health Consumer Survey conducted in 2011, only 7% of respondents reported ever having used a PHR, and less than half of these respondents (47.6%) are still using one to manage their family's health, she said.

When asked why they did not use a PHR, about 51% of respondents indicated that they were not exposed to the concept of a PHR. In 2006, when a similar IDC Health Insights survey was conducted, approximately 7% of respondents indicated that they used a PC-based or Web-based PHR, and a little more than half (51.9%) were unaware of PHRs.

But as more doctors use EHRs, it's likely more patients will use PHRs. "If you take into consideration patient portals, which provide a patient view into their electronic health records and are a form of tethered PHRs, consumer use will begin to increase modestly as physicians attempt to encourage their patients to use the patient portal to meet the Stage 2 meaningful use measurement objectives," said Dunbrack.
Just ideas...
___

NEW ADDITION TO MY BLOGROLL


Nurses are the linchpins of our health care delivery system.

Saturday, April 14, 2012

Oink


So, yesterday, I happened across a news item pertaining to PPACA expenditures to date, as tabulated by the Kaiser Foundation's very nice "ACA Federal Funds Tracker" interactive website (e.g., do a mouse-over within the state by state map; pretty handy). You can also "export data" to an Excel sheet, which I did.

Below is my excerpted and annotated snip of one of the gems therein. I added in a column of census population data and one for percentages (click the image to enlarge).


What happens in DC stays in DC, per capita, anyway. I was originally just interested in the funding to date for Nevada (and, tangentially, our other two service areas, Utah and New Mexico).

So, PPACA per capita funding in DC is ~eleven times that of Nevada? Good work, Harry (but, then, we could be Florida). And, the DC proportion going to the "private sector"? 82.2%

Two words come to mind: Beltway Banditos.

That'll buy a lot of bowties.

This kind of stuff is red meat for right-wingers.

According to the Kaiser data, ~$12.06 billion has been disbursed to date spanning a breadth of initiatives authorized within PPACA (PDF table of the legislative sections here). Cynics would say they're shoveling money out the door pronto to get the funds obligated in advance of the SCOTUS ruling on the constitutional fate of PPACA in June. We've heard a similar thing with respect to "obligating" ARRA / HITECH funds because of budget-cutting concerns more generally.

BTW, my cleaned-up and census-addended copy of the data export can be downloaded here (.xlsx).


$12.06 billion? Yeah, a lot of money.

But, it's also a month or so in Iraq and Afghanistan, where we spent ~$138.4 billion in 2011.
___

OOPS

I went to a HIMSS "health care quality improvement" presentation this week after work. This was, well...


The topic was some stuff about the arguably useful nexus between "Management Engineering" (I guess "Ops Management" has become passe in the lexicon) and "IT" for health care improvement. The presenter became a bit agitated and mildly irritated when I voiced a concern about "Six Sigma," after he'd extolled the standard schtick about "reducing defects to less than 3.4 per million" (you know, the whole 'area in the tails outside ± 6 standard deviations' thing).


Gotta love those smooth Gaussian curves. But, beyond the Chebyshev caution, I am reminded of some of "Abelson's Laws".


I let it pass that I was sitting there observing a production sample error rate of ~2.4% (i.e., in terms of words, 1/42). Dunno, I'm just a bit Old School, I guess.
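The tail-area claim above is worth putting numbers to. The following is an added Python example (not from the original post or the presenter's slides): it computes the Gaussian area outside ±6σ, the 3.4 defects-per-million figure that the Six Sigma convention actually derives from a one-sided 4.5σ tail (the customary 1.5σ allowance for long-term drift of the process mean), and the distribution-free Chebyshev bound 1/k², which is the only guarantee you have when the smooth Gaussian curve cannot be assumed. Function names are my own.

```python
import math


def gaussian_two_sided_tail(k: float) -> float:
    """P(|Z| > k) for a standard normal Z: the area in both tails beyond +/- k sigma."""
    return math.erfc(k / math.sqrt(2.0))


def gaussian_upper_tail(k: float) -> float:
    """P(Z > k) for a standard normal Z: the area in one tail beyond k sigma."""
    return 0.5 * math.erfc(k / math.sqrt(2.0))


def six_sigma_dpmo(sigma_level: float = 6.0, mean_shift: float = 1.5) -> float:
    """Defects per million opportunities under the Six Sigma convention.

    The convention assumes the process mean drifts by `mean_shift` sigma over
    time, so one specification limit ends up only (sigma_level - mean_shift)
    sigma from the shifted mean and the other (sigma_level + mean_shift) away.
    Both tails are summed; at 6 sigma the far tail is negligible, which is
    why the quoted figure is effectively P(Z > 4.5) ~ 3.4e-6.
    """
    near = gaussian_upper_tail(sigma_level - mean_shift)
    far = gaussian_upper_tail(sigma_level + mean_shift)
    return 1e6 * (near + far)


def chebyshev_two_sided_bound(k: float) -> float:
    """Chebyshev's inequality: for ANY distribution with finite variance,
    P(|X - mu| >= k * sigma) <= 1 / k**2. No normality assumption at all."""
    return 1.0 / (k * k)


def tail_table(levels=(3.0, 4.5, 6.0)) -> dict:
    """Per sigma level: Gaussian two-sided tail next to the distribution-free bound."""
    return {
        k: {
            "gaussian_two_sided": gaussian_two_sided_tail(k),
            "chebyshev_bound": chebyshev_two_sided_bound(k),
        }
        for k in levels
    }


if __name__ == "__main__":
    print(f"Gaussian area outside +/-6 sigma : {gaussian_two_sided_tail(6.0):.3e}")
    print(f"Six Sigma DPMO (1.5 sigma shift) : {six_sigma_dpmo():.2f}")
    for k, row in tail_table().items():
        print(
            f"k={k:<4} gaussian={row['gaussian_two_sided']:.3e} "
            f"chebyshev<={row['chebyshev_bound']:.4f}"
        )
```

The point the numbers make: outside ±6σ a true Gaussian leaves about 2 parts per billion, not 3.4 per million; the familiar 3.4 comes from the 1.5σ shift. Drop the normality assumption and Chebyshev only promises that at most 1/36 (about 2.8%) of outcomes lie beyond 6σ, which is the caution referred to above.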


Again, from Toussaint and Gerard's "On The Mend"
"Lean transformation is all about Dr. Deming’s Plan Do Study Act (PDSA), otherwise known as the scientific method. There is no simple formula to copy and no quick path to success. Instead you must perform your own experiments— tailored to the mission and circumstances of your organization. And then you must honestly study the results and act on your findings, including sharing them with the healthcare community."

The late W. Edwards Deming, in his own words:
"[T]he aim of leadership should be to improve the performance of man and machine, to improve quality, to increase output, and simultaneously to bring pride of workmanship to people. Put in a negative way, the aim of leadership is not merely to find and record failures of men, but to remove the causes of failure: to help people to do a better job with less effort." Out of the Crisis, page 248.
___

IF IT AIN'T BROKE...ENTER "DMAIC"


It's a "Six Sigma" thing (above with my PDSA overlay).
  • Design
  • Measure
  • Analyze
  • Improve
  • Control
OK. Whatever works, in terms of being "scientific" about things.

So, related to this subject, as is my erratic episodic wont, I stepped in it the other day during a staff meeting, during which I voiced my skepticism regarding Six Sigma. Whereupon our HIE manager announced to the group that she was going to Six Sigma training next week. She took vocal issue with my opinion. There was discomfort around the conference table. We Made Fairly Nice, neither really backing down, and dropped it, but, oops.

She's not my Sup, but, nonetheless, we're ostensibly One Big Happy Agile Entrepreneurial Family now. My Oak Ridge Octagon-bred epistemological irascibility doesn't help matters. Uhhh...

Some candid cautionary language from a Six Sigma proponent site:
As with everything there are some arguably negative sides to Six Sigma.

Critics say Six Sigma is really nothing new – it has existed long before the term was ever coined. The other controversial aspect is the over-hyped and over-priced consultants. Some argue that Six Sigma does not result in any new breakthroughs in the manufacturing process and thus it can only somewhat improve an existing process but not add anything new or revolutionary to it that could potentially have much higher impacts on the company’s bottom line.

Six Sigma is mainly applied to larger organizations. Preferably ones with more than five hundred employees. Smaller ones will not achieve any significant results from implementation of the methodology and could actually end up losing money on the initiative. This is due to the serious infrastructural requirements and since the improvement will result in relatively small effects. While a big corporation can save very huge amounts of profits. Take for example GE whose announcements in 1998 of $350 millions saved made a huge wave for implementing Six Sigma.
Laudable for the frankness. It speaks to my concern.

But, WAIT! There's MORE!


Yet another new "methodology" is launched (above, again, with my PDSA overlay). "The Lean Startup"



Registered Trademark (Service Mark, actually), no less (do I owe him a royalty for citing the phrase here?).


This Bay Area 2.0.1 Wunderkind freely admits to having simply read up on and appropriated some Taylor, and Deming et al (PDSA, TQM -- but, he omitted Shewhart) and Toyota Production System (Lean) ideas and triangulated them with his own software entrepreneur experiences to come up with this new "methodology."
The first step in a lean transformation is learning to tell the difference between value-added activities and waste. That foundational idea, so clearly articulated in books like Lean Thinking, is what originally led me to start using the term lean startup. I admit that I haven't always done such a good job emphasizing this connection; after all, there's an awful lot to the lean startup theory, and I'm always struggling with how best to explain it fully.
Yeah. I get it. From his USPTO application:
Business consulting services, namely, advising about and designing, developing and implementing business fundamentals, strategies, and solutions, and identifying and creating business models, for new and existing companies; Providing a website featuring information about business fundamentals, strategies, solutions, and models.
Educational services, namely, providing lectures, classes, seminars, workshops, webinars, and webcasts in the field of business fundamentals, strategies, solutions, and models for new and existing companies; Providing a blog featuring information, discussion, and forums about business fundamentals, strategies, solutions, and models.
From some "3's" amid his Amazon.com reviews:
He's built a whole brand around the name--including a video series, a conference, and now this book--and attracted press coverage that's described it as a "radical new theory" (Wired).

Mr. Ries must mention at least a dozen times throughout the book (and sometimes several times a chapter) something along the lines of "My experiences are now part of the entrepreneurship curriculum at several business schools, including Harvard Business School, where I serve as an entrepreneur in residence. I've also told these stories at countless workshops, lectures and conferences." It's one thing to tell stories in a book to demonstrate principles and tactics, it's another to constantly remind the reader about the great stories and advice he/she is getting by reading the book.
I tend to sample the effusive bandwagon-ish 5's and the 4's (given a sufficient volume of comments), and read all of the 3's, 2's, and 1's when considering new stuff to put in the Cognitive Crack Pipe that is my Kindle.

In his own words, from the Amazon "Look Inside" preview.


Well, that pretty much covers the territory.


Dubiety and snark aside, he indeed is a very astute young man (an "award-winning careerist" to boot). If you have 1:11:45 to spend, check out his Lean Startup talk at the London School of Economics. I certainly found it worth my time.


SPEAKING OF NEW BOOKS


I have read and cited a lot of Joe Flower's work on this blog. I call him "Sensei." I can't wait to get my hands on this book. apropos of "Lean" -
Cut waste. It is obvious that hospitals and health systems need to “go lean,” finding much more cost-effective ways to do every process. But in the Next Health Care, it is even more important to stop doing unnecessary procedures. Under a fee-for-service system, waste is not waste, it’s revenue. Put an implanted defibrillator in someone who does not need it, and you get paid. Under a risk-based contract like an AQC, waste is waste. Do something expensive, unnecessary and risky for the patient, and it costs your bottom line.

Move fiercely upstream. When you assume financial risk for the health of a population, everything headed your way is not a revenue stream, it’s a cost. There is no doubt that everything coming your way will be easier and cheaper to deal with if you can get to it sooner. You must become your customer’s friend, using real people (not just robo-nags and websites) and working through naturally trusted pathways in customers’ schools, workplaces, churches, bars, police athletic leagues and local hangouts. At the same time, you will need to become world class in tracking, characterizing and understanding your customers and potential customers. This is miles beyond marketing research. It’s population health management on steroids. The skill set is in its infancy, but it includes tracking on individual and aggregate levels; mining and understanding the now very deep literature on prevention, incentivized wellness and healthy communities; geographic information systems to “geocode” the data onto neighborhoods, workplaces, churches and other community connections; predictive modeling to suggest what interventions will have the best effect; and tracking the return on investment of particular interventions. The skill set will have to include the ability to create targeted, flexible responses, to “mass customize” interventions and resources to individuals and to micro-populations (such as the residents of a particular convalescent home, or employees on a particular site, or all of your customers who have a particular condition). All of this is new, and there will be an extraordinary premium on getting it right.
___

More to come...