Search the KHIT Blog

Wednesday, January 30, 2013

Hats off to Qualis' WIREC

Providers Enrolled with the Washington & Idaho Regional Extension Center Receive Over 25 Million Incentive Dollars
REC-enrolled providers more than twice as likely to receive Medicare Incentive Program payments

Seattle, WA (PRWEB) January 29, 2013

Qualis Health announces that more than $25 million has been paid to healthcare providers enrolled with the Washington & Idaho Regional Extension Center for Health Information Technology (WIREC). The money came through the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.

WIREC provides consulting services to over 3,600 healthcare professionals across Idaho and Washington State. To date, WIREC has more than 3,000 of these providers’ EHRs up and running – and nearly 1,200 have achieved meaningful use. Meaningful use is the set of EHR standards defined by CMS that allows providers to earn incentive payments. WIREC’s on-the-ground health IT coaches deliver customized one-on-one assistance to providers in different stages of EHR implementation and use, offering health IT outreach and education, EHR procurement guidance, workflow redesign, and implementation support. WIREC assists providers in all these areas with the ultimate goal of improving practice efficiency and optimizing patient care...

About the Washington & Idaho Regional Extension Center
Led by Qualis Health, WIREC provides technical assistance, guidance, vendor-neutral EHR adoption services and information to eligible healthcare professionals to help them achieve meaningful use of EHRs and qualify for Centers for Medicare and Medicaid Services incentive payments. Visit WIREC on the web at

About Qualis Health
Qualis Health is a national leader in improving care delivery and patient outcomes, working with clients throughout the public and private sectors to advance the quality, efficiency and value of healthcare for millions of Americans every day. We deliver solutions to ensure that our partners transform the care they provide, with a focus on process improvement, care management and effective use of health information technology. Visit Qualis Health on the web at
Kudos. Our REC is also bi-state (UT and NV), but our EP and EH populations are a good bit smaller. We have enrolled about 1,500 to date. Qualis has always been a stand-out QIO, so the WIREC news comes as no real surprise.


 Government Should Slow Down Race To Implement Electronic Health Records
Zina Moukheiber, Forbes

In an unusual move, vendors of electronic health records (EHRs) are asking the government to delay implementation of their products, and focus instead on making sure requirements already set in motion on EHR use are effective. “The pace is too damn high,” says John Glaser, chief executive officer of Health Services at Siemens Healthcare, a major vendor. “People are just cramming this stuff in.”

Health IT companies pushed hard for the 2009 HITECH Act, which disburses taxpayers’ money to hospitals and doctors to help them purchase EHRs, provided they use them according to rules set by Medicare. Thanks to that law, revenues at companies such as Cerner, Epic, and athenahealth have soared.

But the initial euphoria is slightly waning. Government rules which prescribe a one-size fits all approach for everyone, from recording height (even for, say, an orthopedic surgeon), to implementing five clinical decision support “interventions,” have turned out in some cases to be cumbersome. While the need to digitize patient records is imperative, no one knows whether those rules have measurably improved outcomes, so far. “To keep moving ahead with such an aggressive strategy strikes me as foolish,” says Stephanie Reel, vice provost for information technology and chief information officer at Johns Hopkins University. “We don’t know what’s working, and what’s not working.”...
Hard to disagree with Ms. Reel's assertion.

She continues:
...The biggest casualty might be innovation. For vendors, their electronic health record becomes generic, as they follow government prescriptions to the letter. At Johns Hopkins, the IT department worked daily with a team of 50 doctors to come up with creative ways to improve patient outcome; now IT is too busy meeting government rules. “We’re sacrificing innovation because of requirements to be compliant. The trade off is stark,” says Reel.


Ran across this via LinkedIn, specifically a thread within the HIMSS Group:

Has HIE become “an unmitigated disaster”?
Author Name Kyle Murphy, PhD   |   Date January 14, 2013

The current work being done to facilitate health information exchange among healthcare organizations and providers is an “unmitigated disaster” falling short of supporting healthcare reform, according the President of the Health Record Banking Alliance (HRBA). “The current approach to HIEs does not and will not work. If we want to succeed, we must try something else,” writes HRBA President William Yasnoff, MD, PhD, in a recent contribution to NHINWatch.

In presenting his case against the current approach to HIE, Yasnoff identifies neither funding nor capability but more simply the approach taken by HIEs as the source of the problem. “The problem is that we’re on the wrong path,” he writes. “We’re trying to build institution-centric systems that leave patient information where it’s created and retrieve and integrate it in real time only when it’s needed.”...
Well, I read through the brief HRBA "White Papers" ("briefs"?) and came away just a tad underwhelmed. Long on undeniably laudable cherry pie and ice cream abstractions and concomitantly way short on proposed technical ops detail (including proposed industry consensus or government "standards" -- though, of course, why would you want to play that card at this point?).

Moreover, having worked in risk management in a bank, I reflexively wince at "bank" and "health record" implicit in the same acronym. The mind reels.

My response on this LinkedIn thread:
There are as of today (29-Jan) 1,780 ONC Certified "complete" EHR systems (1,502 ambulatory, 278 inpatient). While I can't "look under the respective proprietary hoods," I rather doubt that any of them have the same underlying RDBMS data dictionaries / schema -- not even close. Comprehensive 'hub" interfaces do not exist, much less individual peer-to-peer interoperable interfaces.

Imagine "Meaningful Use" Certified" wall outlets, each faithfully delivering 120AC at 15-50 amps ("meaningful" std output), but via 1,780 different sizes and shapes of outlets and plugs.

Permit me another fun analogy. Go to Google translate. Enter some random sentence, say, from English to French, then from French to German, then from German to Spanish, then from Spanish to Farsi, Farsi to Japanese, etc, etc, all the way back to English. Try myriad permutations.

Yeah, the HIT interoperability challenge is not that fraught, but it is to a degree.

Remember, opacity correlates with margin. Particularly absent some core required plug & play standard.
I'll have more thoughts on this topic shortly. In sum for now I think the "unmitigated disaster" loaded question (where you lob a charge 'concealed' in a question) is nothing more than attention-seeking hype.


Never ever seen this before:

Delay Stage 3 Meaningful Use Regs, Physicians Say
Medscape Medical News, Robert Lowes

Organized medicine is urging the Obama administration to postpone drafting its stage 3 requirements for earning a bonus in its incentive program for electronic health record (EHR) systems until it studies how the stage 1 criteria have worked — or not worked — in physician offices.

"The stage 1 criteria were theory-based," said Jason Mitchell, MD, director of the Center for Health Information Technology at the American Academy of Family Physicians (AAFP). "Stage 3 needs to be evidence-based."...

"It makes no sense to add stages and requirements to a program when even savvy EHR users and specialists are having difficulty meeting the Stage 1 measures," wrote AMA Executive Vice President James Madara, MD. "An external, independent evaluation is necessary to improve and inform the future of the program."

The AAFP's Dr. Mitchell told Medscape Medical News that HHS needs to examine some of the assumptions that went into the stage 1 criteria.

"Is computerized order entry of drugs, labs, and tests improving safety or efficiency?" he said. "Is it making a difference in terms of outcomes? Are we decreasing the duplication of tests?"

On top of that, no one knows how the stage 2 requirements will affect physician practices, say the medical societies. Regulators should not develop stage 3 until they first assess how stage 2 plays out, wrote William Zoghbi, MD, the president of the American College of Cardiology. Otherwise, physicians will face new regulations that "seek to change behavior rapidly without respect for the potential consequences," Dr. Zoghbi said...
There is a loud chorus of critics out there who have long bemoaned what they view as a lack of demonstration of  HIT efficacy (going well beyond any Meaningful Use Stages).


...AHRQ will study how EHR implementation alters clinical work processes and workflow, including:
1. Map the physician practices to detect changes made to the physical layout as a result of implementing PCMH and health IT.

2. Observe staff. Physicians, nurse practitioners, physician assistants, nurses, medical assistants, pharmacists, case managers and non-clinical office personnel will be observed to outline overall characteristics of clinical workflow before, during, and after health IT implementation. Particular attention will be paid to interruptions and exceptions.

3. Produce before and after time and motion study to quantify staff time observed spent on different clinical activities and the sequence of executing the task.

4. Extract clinical data in logs and audit trails that have been time-stamped from the EHR to reconstruct clinical workflow related to the health IT system. This information validates and supplements the data recorded by human observers.

5. Conduct semi-structured interviews of end users, including staff, non-clinical personnel and management post-health IT implementation to obtain attitudes and perceptions regarding how health IT has changed their workflow, particularly behavioral and organizational factors.

6. Form focus groups made up of the clinical staff, non-clinical personnel, and management team to assure that the research findings, as well as the interpretation of the findings, accurately reflect their experiences using health IT
I added a comment.
"4. Extract clinical data in logs and audit trails that have been time-stamped from the EHR to reconstruct clinical workflow related to the health IT system. This information validates and supplements the data recorded by human observers."
Better late than never, one supposes. I've been arguing this for years. An EHR audit log is essentially an information workflow record that should be mined to analyze routine tasks times-to-completion and variability. Analysis can also reveal the "pain points," i.e., iterative, recurrent "flow" barriers. You then couple these data with data taken regarding concomitant physical tasks to flesh out a more useful picture for systematic improvement activities
The very word 'workflow' has become a cliche. Rolls readily off the tongue with little thought given to what it entails. A more apt analogy might be a traffic copter shot of the jerky stop-&-go freeway traffic of rush hour. In most clinics, it's nearly ALWAYS rush hour.I joked in one jpeg I did for my blog that this was my Primary's office at 8:03 a.m.
See also (freely distributable)
A decade ago I was working in credit risk and portfolio management at a relatively small privately-held issuer of VISA/MC subprime credit cards (roughly a million active accounts). I had free run of most of the internal network. I got to looking at our in-house developed collections call center system (~1,000 collectors assiduously working the phones every day), and knew the source language and data tables architecture, so I started importing the data into SAS and mining them (it was basically a Collections "audit log," though I was the first to audit it, on my own initiative)
I was able to rather quickly show management that their staffing deployment and call volumes were egregiously misaligned. We were typically spending $1,000 to collect $50 (or less), hounding delinquent customers with sometimes up to 140 calls per month, at all hours of the day and night (the classic, hated subprime M.O.).
It was a lava flow of waste. I issued a snarky monthly report on these activities, dubbed "The Don Quixote Report."
On the basis of my rather simple call log analytics we were able to save the bank about $5 million a year in Collections Ops cost, dragging the VP of Collections kicking and screaming all the way (his annual bonus was tied in part to his budget, which was the largest in the company -- he did not become My Friend).
"Workflow" tactics deployed in healthcare remain stuck about 10-15 years behind the times, as they don't drill down into time consumed and error rates. Mining the EHR audit logs might be of great utility here -- though the datetime() stamps are gonna need to be more granular than just down to the second. SQL now supports time capture down to the microsecond, though tenths or hundreds might suffice.
Another barrier here in general might be "once you've seen one audit log data dictionary, you've seen one audit log data dictionary." Recall that we have at this point nearly 1,800 "complete Certified EHR systems." How many differing audit log architectures we have is probably unknown outside of ONC CHPL -- if they even bother to look.
Let's hope this AHRQ study will move us usefully ahead.

More to come...

Monday, January 28, 2013

Meaningless Auditing of Meaningful Use

OK, back in the office today. Jammed up with meetings. One topic that surfaced in the REC staff meeting had to do with one of our early MU Attestors. He got the "Figliozzi Letter" (CMS Meaningful Use desk audit). Notwithstanding that he's one of our REC Golden Boys, a highly esteemed and scrupulous physician in our service area, he's getting jerked around over a couple of minor issues, one of which is utterly absurd.

MU Menu Set Measure 1

He is thus far unable to document to their satisfaction that his Rx formulary functionality has been turned on for "the entire EHR reporting period." Apparently his certified product's audit log doesn't capture that information. Like many, it likely comes "out of the box" with the functionality activated.

Upon a little digging, my pushback email reaction among staff:
It seems that certified EHR systems audit log requirements under the requisite NIST testing specs do not mandate that there be Attestation period logging of administrative functions such as enabling various functionalities -- which is not to say that the lack of it is a good thing. Do we have any idea as to the extent to which various Cert’ed EHRs log admin activity, data that are not specifically protected “electronic health information”? Turning on/off this or that software functionality identifies no patient.

§170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged. The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(a) Encryption and decryption of electronic health information.

(1) General. A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used.

(2) Exchange. An encrypted and integrity protected link must be implemented.

(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, deleted, or printed; and an indication of which action(s) occurred must also be recorded.

(c) Verification that electronic health information has not been altered in transit. Standard. A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit. The secure hash algorithm (SHA) used must be SHA-1 or higher.

(d) Cross-enterprise authentication. A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails must be used.

(e) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
  • Neither the words “audit” nor the discrete word “ log “ are found therein.
  • Neither the words “audit” nor the discrete word “ log “ are found therein.
45 CFR 164.312 (“Technical Safeguards”
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c) (1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Q: Is the act of “enable drug formulary” tantamount to the “creation of electronic health information” within the intent and explicit scope of Meaningful Use?
btw, under TEST DATA (Audit log Cert px, pg 6)

“Vendor-supplied test data shall strictly focus on meeting the basic capabilities required of an EHR relative to the certification criterion rather than exercising the full breadth/depth of capability that an installed EHR might be expected to support”

I'm all for documentation (including comprehensive audit logs, which I continue to view as "workflow" records) and rational accountability via auditing (which might have served a salutory purpose on Wall Street just a few years back), I but find this just stupid. I'd like to know exactly what are the MU auditing chops of these Figliozzi people (themselves comprising a HHS contractor) to show and start breaking legs over stuff like this.

LATE AFTERNOON UPDATE: Now they say they'll accept a letter from the Certified EHR vendor attesting on behalf of the EP that the Rx Formulary was enabled.

Yeah. Right. Backstroke, anyone?


I'd like to have them [1] include all usage, inclusive of administrative functions, and [2] be a bit more granular with respect the DATETIME() field. SQL can now trace down to the microsecond.

The MySQL page continues:
MySQL 5.6.4 and up expands fractional seconds support for TIME, DATETIME, and TIMESTAMP values, with up to microseconds (6 digits) precision:

To define a column that includes a fractional seconds part, use the syntax type_name(fsp), where type_name is TIME, DATETIME, or TIMESTAMP, and fsp is the fractional seconds precision. For example:

The fsp value, if given, must be in the range 0 to 6. A value of 0 signifies that there is no fractional part. If omitted, the default precision is 0. (This differs from the standard SQL default of 6, for compatibility with previous MySQL versions.)

Functions that take temporal arguments accept values with fractional seconds. Return values from temporal functions include fractional seconds as appropriate.

Syntax for temporal literals produces temporal values: DATE 'str', TIME 'str', and TIMESTAMP 'str', and the ODBC-syntax equivalents. The resulting value includes a trailing fractional seconds part if specified. Previously, the temporal type keyword was ignored and these constructs produced the string value. See Standard SQL and ODBC Date and Time Literals

In some cases, previously accepted syntax may produce different results. The following items indicate where existing code may need to be changed to avoid problems:

Some expressions produce results that differ from previous results. Examples: The timestamp system variable returns a value that includes a microseconds fractional part rather than an integer. Functions that return a result that includes the current time (such as CURTIME(), SYSDATE(), or UTC_TIMESTAMP()) interpret an argument as an fsp value and the return value includes a fractional seconds part of that many digits. Previously, these functions permitted an argument but ignored it.

TIME values are converted to DATETIME by adding the time to the current date. (This means that the date part of the result differs from the current date if the time value is outside the range from '00:00:00' to '23:59:59'.) Previously, conversion of TIME values to DATETIME was unreliable. See Section 11.3.7, “Conversion Between Date and Time Types”.

TIMESTAMP(N) was permitted in old MySQL versions, but N was a display width rather than fractional seconds precision. Support for this behavior was removed in MySQL 5.5.3, so applications that are reasonably up to date should not be subject to this issue. Otherwise, code must be rewritten.
Capturing EHR audit log data down to even a 10th of a second (and, I would recommend going 2 decimals deep) would indeed require re-writes in code and restructuring of the log tables to add the fractions.

And, what about the SQL NOW() function? Probably gonna get significant EHR developer pushback on these ideas.

Nonethless, if you (correctly, IMO) view audit logs as essentially system workflow records (albeit absent physical task tracking, to be sure), then sufficient granularity is important.

More to come...

Thursday, January 24, 2013

Update from Walnut Creek

Author Name Jennifer Bresnick   |   Date January 24, 2013 
Following open letters to the Office of the National Coordinator provided by the AHA, AMA, CHIME, and ACOEM, HIMSS and the Electronic Health Record Association (EHRA) added their acronyms to the professional organizations responding to the open comment period about Stage 3 Meaningful Use. The EHRA is an EHR vendor association organized under HIMSS, and includes such prominent names as Allscripts, Siemens, Practice Fusion, and Cerner... 
The EHRA joins the AHA and others in urging the government to push back the timeline for Stage 3, suggesting an implementation date three years after Stage 2 comes into effect.  HIMSS states that whatever the final Stage 3 date will be, “we request that the Final Rule be published at least 18 months before the beginning of the required implementation period. This will allow adequate time for developers to make the needed technology changes, for the industry to develop its response, for certification, to occur, and for providers to plan and implement required software and process changes.” 
The two organizations also focus on ensuring that the new standards are clear and achievable for a majority of eligible providers, and don’t put an undue burden on providers with time-intensive data collection processes or other detrimental workflow adjustments...
Props to EHR Intelligence for that update. That's pretty interesting. Whatever gets decided, RECs will be long gone, I would think. Below, a snip from Dr. Mostashari's latest ONC Buzz Blog post.
All the Tools in the Toolbox: How ONC Delivered Value In 2012 
Technical Assistance & Cooperative AgreementsThe Regional Extension Centers (RECs) continue their work to support primary care providers operating in small or medically underserved settings to implement EHR systems and achieve Meaningful Use. To date, the RECs have worked with 132,842 primary care providers in more than 31,000 different practices, which represents approximately 42% of all the primary care providers in the United States. 
The RECs have also worked with over 80% of all the federally qualified health centers and over 70% of the nation’s critical access hospitals. More than 100,000 of these providers are now live on an EHR system and nearly 40,000 have achieved Meaningful Use.
That's it. Nothing on continuing the REC program. But, an otherwise nice, detailed self-congratulatory post.

I'm on vacation in the Bay Area this week, btw. Hence the relative quietude here on the REC blog. Be back at it in force come Monday the 28th. Couple of shots from my downtown SF ramble in the rain.

Saturday the 27th

Cheryl and I had dinner last night with Doc Gurley and her husband Owen Linderholm at a hip restaurant in Rockridge, Guest Chef. Awesome evening with two extremely interesting, fine people.

Above: we were out in the back yard at Cheryl's place Friday afternoon, and this hawk was hovering above in the wind, about 300 feet away (grocery shopping, I guess). This is a C/U crop of a shot I got with my Sony 300 mm lens. Beautiful bird.

More to come...

Thursday, January 17, 2013

HIPAA Omnibus Final Rule FINALLY released

563 page PDF here.
Costs and benefits
This final rule is anticipated to have an annual effect on the economy of $100 million or more, making it an economically significant rule under Executive Order 12866. Accordingly, we have prepared a Regulatory Impact Analysis that presents the estimated costs and benefits of the proposed rule. The total cost of compliance with the rule’s provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter. Costs associated with the rule include: (i) costs to HIPAA covered entities of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to covered entities related to compliance with breach notification requirements; (iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to a portion of business associates to achieve full compliance with the Security Rule.
...We are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity, which we believe will be enhanced by the strengthened privacy and security protections, expanded individual rights, and improved enforcement enabled by the rule. We also believe that some entities affected by the rule will realize cost savings as a result of provisions that simplify and streamline certain requirements, and increase flexibility, under the HIPAA Rules. However, we are unable to quantify such cost savings due to a lack of data...

I had to split it up into two 1" comb binders. And, off we go...
ii. Summary of Major Provisions

 This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  • Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009

Revised NPPs (Notice of Privacy Practices), ~$90 per CE, cost of BAAs and Security Rule BA compliance, hard to say. Nominal average about $345, but (just as with CEs, really), it's a lumpy distribution.

...The director for the Office of Civil Rights at HHS, Leon Rodriguez, called the rule changes "the most sweeping changes (to the HIPAA Privacy and Security rules) since they were first implemented," and given that the rule changes cover fully 563 pages, it's a safe bet that Rodriguez may not be indulging in hyperbole in this. The official publication of the new rule is set to hit January 25, with an effective date of March 26, and a compliance date of September 21, likely to provide time enough to make the necessary system changes to accommodate the rules.
Given that the original HIPAA passed 15 years ago, it's safe to say that some changes were likely necessary. 15 years ago, after all, the Internet was only just getting started in a lot of places, and many were still working with dial-up Internet access, so the landscape has certainly changed to a degree that requires some modification of rules. But at the same time, it's not hard to look at this novel of rule changes--563 pages would take several days just to read--and think that maybe we're going a little overboard. The pressures on the healthcare sector are already massive, and some reports indicate that physicians are actually looking to get out of the medical industry altogether due to increasing quantities of red tape, so maybe the whole thing is going a bit far...
The final rule adopts the proposal to amend § 164.508(b)(3)(i) and (iii) to allow a
covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities. We intend this provision to allow for the use of compound authorizations for any type of research activities, and not solely to clinical trials and biospecimen banking, except to the extent the research involves the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes. See § 164.508(b)(3)(ii).
Why might the foregoing be of interest?

Ask her parents.

The word "psychotherapy" appears 17 times* throughout the FR. Still assimilating the import.

The point, should you not get it, goes to whether Sandy Hook could have been prevented. Do HIPAA and 42 CFR 2 et al and equivalent (and HIPAA-superceding) state laws and regs put lives materially at risk?

Tough one.

* UPDATE: the word "breach" appears 437 times, the phrase "breach notification" 143 times. The phrase "risk assessment is found 51 times, and the phrase "policies and procedures" 35 times. Also,
  • "compliance," 297 hits;
  • "violation(s)," 291 hits;
  • "penalty," 140 hits;
  • "penalties," 47 hits;
  • "enforcement," 110 hits.
and so on. Like I said, I like to initially zero in on keywords and phrases ("cut to the chase") and review the immediate context surrounding each find. You find that a lot of the verbiage simply goes to comments and responses, followed in each subsection by the setting forth of the "Final rule" for each point of regulation. The comments and responses are certainly interesting, but the rulings are what count as priorities.

Here's an interesting little snippet:
As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate.  In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.

That latter characterization certainly describes my HealtHIE Nevada HIE. Be interesting to see what comprises "further guidance" down the line.

We are a health information organization that brings together health care stakeholders within a defined geographic area and governs health information exchanges among them for the purpose of improving health and care in the community.

Our vision is to provide secure electronic health information to health care providers to have ready, seamless access to patient health information to support clinical decisions and care coordination for the residents of the Upper Peninsula.
Nice. "The Yoo-Pee" holds a special place in my heart.

apropos of HIE, HRBA

Ran into this organization today (Monday, the 21st, reporting from Walnut Creek), cited in my LinkedIn HIMSS Group:

By providing a safe, secure location to automatically store all your health records, Health Record Banks are community organizations that put you in charge of all your personal, private health information. 
Why are They Needed?Today, whenever you seek care, a record is left behind. Until now, there hasn't been a secure, unified location to store these records so that they can all be used to help guide your care. 
How Do Health Record Banks Work?When you seek care, you give permission for your healthcare professional to access some or all of your up-to-date health records via a secure connection. When care is complete, the new records from that visit are securely deposited—and made available for the future...
Well, yeah, we would hope. More to research on this outfit, courtesy of See
Has HIE become “an unmitigated disaster”? 
The current work being done to facilitate health information exchange among healthcare organizations and providers is an “unmitigated disaster” falling short of supporting healthcare reform, according the President of the Health Record Banking Alliance (HRBA). “The current approach to HIEs does not and will not work. If we want to succeed, we must try something else,” writes HRBA President William Yasnoff, MD, PhD, in a recent contribution to NHINWatch...

Well, I've read the HRBA "White Papers," and have some concerns regarding the dearth of detail therein. Also, reading the word "bank" in relation to health information gives me pause. Maybe it was my subprime risk management experience.

I also have to take issue with the HIE "unmitigated disaster" allusion. Maybe some HIEs are, but I don't think that that's broadly the case.


Mostashari: ONC is more than meaningful use, health IT cheerleader 
Author Name Kyle Murphy, PhD   |   Date January 22, 2013 
The head of the Office of the National Coordinator for Health Information Technology (ONC), Farzad Mostashari, MD, ScM, has respondent a recent news story that characterized the federal agency as primarily a cheerleader for health IT...
Interesting. Original article here.
EHR Vendors Join Chorus Against Federal Deadlines 
Neil Versel 
Now even some vendors of electronic health records (EHRs) are starting to wonder whether the Meaningful Use incentive program is moving too fast. 
The HIMSS EHR Association (EHRA), a group of 40 vendors convened by the Healthcare Information and Management Systems Society (HIMSS), last week asked the U.S. Department of Health and Human Services (HHS) to delay the start of Meaningful Use Stage 3 until three years after a participating provider reaches Stage 2 -- no earlier than 2017. HHS pushed the start of Stage 2 back a year in response to industry-wide concern about the short timetable 
In comments submitted to HHS about Stage 3, the software developers also called on federal officials to shift the focus to interoperability of healthcare information rather than ask providers and their vendors to add capabilities to their EHR systems...
More to come...

Saturday, January 12, 2013

HIMSS13 New Orleans: March 3 - 7!

I'm pretty stoked.
Dear Member of the Media:

Thank you for registering for HIMSS13, scheduled for March 3-7, 2013, in New Orleans.  We have received your registration, and you are confirmed to receive media credentials for HIMSS13.

You can pick up your media credentials on-site at HIMS13 in the HIMSS Press Room, Room 263, at the Ernest N. Morial Convention Center in New Orleans.  The media credentials will not be mailed, but must be picked up in the press room.

The press room will be open Sunday, March 3, through Wednesday, March 6, from 8 a.m. – 5 p.m., on Thursday, March 7, from 8-11 a.m.

The HIMSS Press Room is a working room for members of the media only. You will find computer hook-ups for your laptop and work stations for you to use during the conference. Breakfast and lunch is served every day beginning Sunday, March 3, through Wednesday, March 6. Breakfast only is served on Thursday, March 7.

You will be receiving other updates from us with specifics on media activities at the conference.  We would ask that you hold Monday, March 4, at 10 a.m. for our Annual HIMSS Leadership Survey Media Brunch/CIO panel.  Look for more information on that event in the months ahead.

We are glad you can join us in New Orleans…and we look forward to seeing you there.  If you have questions, you can check with Joyce Lofstrom or Peter McCormack, who are managing HIMSS13 Media registration.

See you in NOLA!

Thank you.
HIMSS13 Media Registration
Given the incredible HIMSS12 activity here in Vegas last year, this should be even better. The Big Dawg is one of the keynoters.



It's a fine report (pdf). Nothing much we didn't already know, though.

It seems like every think tank and foundation in the nation issues one of these every year. I paraphrase in summary:
"Transparency, align incentives for collaboration, innovation, and efficiencies, pay for value rather than volume, leverage information and new technologies, reduce overall and per capita cost..."
"I Pledge Allegiance To The Triple Aim..."

I like to print out read every word of every health policy publication that comes my way (yellow highlighter an red pen at the ready), but there are only so many hours in the day, and I have my own outset triage scan strategy. In this case I begin with Command-F (Ctrl-F on Windoze platforms) and look for the Usual Suspects keywords and phrases, e.g., in this paper (word/phrase and # of hits):
  • information (50)
  • health information (5)
  • technology (13)
  • innovation (24)
  • value (82)
  • high-value (27)
  • transparency (6)
  • collaboration (2)
  • efficiency (3)
  • process (2)
  • workflow & work flow (0)
Obviously there's a bit of overlap in the foregoing.

I look at the surrounding context for each search hit, usually +/- a sentence or paragraph. What I see here are the usual laudatory high-level Motherhood and Apple Pie exhortations.

Zero allusions to "workflow," two irrelevant hits on "process," and this on "efficiency."
Health information technology: Policies and funding to encourage physicians, hospitals, and other providers to use electronic health records and exchange information to improve the efficiency and quality of the care they provide. [pg 21]
Let's go back seven and a half years to reflect on how little things have changed:
Health care's 'Prisoner's Dilemma'
...If health care’s IT problems are a reflection of its broader economic problems, then the strategic conflicts within the health insurance and hospital industries themselves—the two most obvious beachheads for HIT development—are sufficient explanation for why we have no interoperable health care infrastructure. Notwithstanding the happy talk of their advertising, health insurers aim to attract and lock in healthy people and drive away sick ones. The less masqueraded goal of the hospital is to attract and lock in sick people and market to those who are not sick yet. Having an interoperable HIT system that allows patients to shop around, with their fully portable EMRs, for a higher-quality or lower-cost health insurer or hospital works directly against these goals.

For insurers in particular, this strategic conundrum over HIT is a redux of the broader managed care conundrum about prevention, which is essentially the prisoners’ dilemma at the heart of game theory. The prisoners’ dilemma always results in an unfortunate ending: All actors in the game would be rewarded if they cooperated and did the right thing by each other. But none will do the right thing without assurance that the other players will all follow, and so they each do exactly the wrong thing, limiting their own downside and thus creating a suboptimal outcome for all. The best way for a health insurer to use HIT to cope with the prisoners’ dilemma is to design a proprietary system that makes it easy for healthy members to sign up; difficult for sick members who need good information to find it and thus remain satisfied with their plan; and even more difficult for everyone outside the insurer’s own organization (that is, everyone looking to get paid) to navigate it. The worst way to cope with the prisoners’ dilemma is to provide an open, interoperable system that works equally well for all members and can exchange data with all other health insurers.
First-mover disadvantage.

A broader version of game theory bearing on the health care industry—when applied to something as formidable as the development of IT standards and interoperable data exchange systems—confronts all industries that are unable to achieve technical standardization. This impediment is steeped in problems of competitive strategy for all industries and can be summed up in what Michael Porter first identified as “first-mover disadvantage.”This concept explains why Joe’s insurer would not want to build an information system connecting its numerous data systems with the nation’s hospitals. Why would one insurer go to all of the financial and strategic cost of creating a ubiquitous information system that would benefit its competitors? For exactly the same reason that IBM created the Internet. Indeed, IBM did not create the Internet—the federal government did—but IBM and all of its competitors have made a fortune creating things that run on, over, off, and because of the Internet. But suppose for a moment that Joe’s insurer were foolish enough to violate this strategic principle and initiate at its own expense an HIT system that allowed it to exchange data with all of its contracting hospitals, physicians, labs, and pharmacies. First, would it be able to get those providers to go to the expense of connecting with the system? (Or would it have to subsidize them, the way WellPoint had to subsidize physicians to get them to use its e-prescribing system?) Second, would it be able to get those same providers to retool their workflows around the new system? Finally, would it build that system based on open standards that would allow its competitors to exchange the same kind of data with those same providers? The health insurer might be able to answer “yes” to the first two questions, but only if it were willing to answer “yes” to the third, thus burning its own capital and internal resources on behalf of its competitors...
[Sept 2005 Dot-Gov: Market Failure And The Creation Of A National Health Information Technology System, J.D. Kleinke]
Groundhog Day.


I saw where David Bergman had linked this on his ARCH-IT site

ONC FY 2013 Budget Proposal. Search on "REC," "Extension," "Regional," whatever. "Not found."

But, they did take pains to note themselves in some detail.
ONC provides leadership, program resources and services needed to guide nationwide implementation and meaningful use of health IT. The programmatic activities of ONC are carried out by the following offices:

The Office of the Deputy National Coordinator for Programs & Policy
is responsible for: implementing and overseeing grant programs that advance the nation toward universal meaningful use of interoperable health IT in support of health care and population health; coordinating among HHS agencies, offices as well as relevant executive branch agencies; the public health IT programs and policies; developing the mechanisms for establishing and implementing standards necessary for nationwide health information exchange; and, formulating plans, policies and regulations related to the mission of ONC. These activities are carried out by:

  • The Office of Policy and Planning;
  • The Office of Standards and Interoperability;
  • The Office of State and Community Programs; and,
  • The Office of Provider Adoption Support.
The Office of the Chief Scientist is responsible for identifying, tracking and supporting innovations in health IT; promoting applications of health IT that support basic and clinical research; collecting and communicating knowledge of health care informatics from and to international audiences; and, advising the National Coordinator on the educational needs of thefield of health IT.

The Office of the Chief Privacy Officer is responsible for advising the National Coordinator on privacy, security, and stewardship of electronic health information and coordinating ONC’sefforts with similar privacy officers in other Federal agencies, state and regional agencies, and foreign countries. The Office of the Chief Privacy Officer also supports privacy and security efforts in ONC’s programs.

The Office of Economic Analysis, Evaluation, and Modeling utilizes advanced quantitative modeling to simulate the microeconomic and macroeconomic effects of investing in health IT; provides advanced policy analysis of health IT strategies and policies to the National Coordinator; and, applies research methodologies to perform evaluation studies of health IT grant programs. 

The Office of the Deputy National Coordinator for Operations is responsible for activities that support ONC’s numerous programs. These include: budget formulation and execution; contracts and grants management; facilities and internal IT management; human capital planning; stakeholder communications; policy coordination; and, financial and programmatic oversight.

These activities are carried out through:

  • The Office of Mission Support;
  • The Office of Communications;
  • The Office of Grants Management; and,
  • The Office of Oversight.
Also noted:
Stage 1 of meaningful use was focused on data capture and sharing. This includes accelerated adoption of EHRs, capture of critical information in EHRs, and health information exchange. Stage 2 of meaningful use will be focused on demonstrating health system improvement, which includes more widespread adoption, data exchange, and process improvement. Stage 3 of meaningful use will be focused on transforming health care, and population health through health IT.

Well, OK. Best of luck to everyone. We're already finessing assistance requests for Stage 1 Year 2 (and 3 for early adopters). RECs are only chartered for assistance through Stage 1 "M3" -- Milestone 3, Stage 1, Year 1.


Our HIMSS13 co-Keynoter.

I'm sitting here blogging on Sunday night (6 pm PST), got the Globes on in EyeTV in  a window on my Mac.

Man, I want to get an interview with him in NOLA. (Yeah, right.)


The simple truth is that EHR systems do not currently offer cost savings equal to purchase price. With some solutions, there’s an uncrossable chasm between sticker price and ROI...

Purchasing an EHR is not like a buying a car that you just get in and drive away. It’s like buying a car that you have to stop and recalibrate every mile with the assistance of the trained experts in the back seat who charge you a fee every time they have to listen to you speak or look under the hood.
Indeed. From A Tale of Two Studies: What Are the Actual Costs of an EHR?
...While it is generally acknowledged by most (certainly not all, which you know if you’ve spent any time on HIStalk) that the ready availability and automated cross-checking of electronic health records improves care, there is no definitive study showing dramatic clinical improvement, demonstrable return on investment, etc.
Indeed, we now have a number of studies suggesting exactly the opposite:

  • The implementation of an EHR upends organizational structure and often slows down the provision of care.
  • The introduction of an EHR into a dysfunctional organization tends to exacerbate, not alleviate, said dysfunction.
  • Much of the promise of health IT is in interoperability, and the industry is a long way from reaching that goal.
  • Physicians generally dislike most health IT solutions.
  • Patients would rather the doctor look at them instead of the monitor.
This is not to say that healthcare should bring the EHR train to a screeching halt. We know how technology has transformed other industries. We know that paper records are archaic and put patients at risk while asking them to maintain endless patience when the same test has be performed a third time. And we know that electronically is the only way information can be shared in a timely manner...
These complaints have been around for a long time. I've been addressing such issues across the breadth of this blog's publication.

No HIPAA Omnibus Final Rule yet (Jan 14th). In other HIPAA news:

Cloud-based EHRs create medical privacy risks
HIPAA details how data should be protected, but one organization says the law doesn’t offer physicians information specific to Internet-based systems.
By PAMELA LEWIS DOLAN, amednews staff. Posted Jan. 14, 2013.

A patient advocacy group is calling on the government to issue guidance to physicians on how cloud-based technology should be implemented and used so fewer patients are put at risk of data breaches.

Deborah C. Peel, MD, chair of Patient Privacy Rights, sent a letter to the Dept. of Health and Human Services’ Office for Civil Rights in December 2012 asking the agency to help physician practices better understand and prepare for vulnerabilities specific to cloud-based technologies. The patient privacy watchdog and advocacy group, based in Austin, Texas, was founded by Dr. Peel, a psychiatrist.

In 2011, 41% of office-based physicians were using a cloud-based electronic health record system, according to a July 2012 report by the Centers for Disease Control and Prevention. Such systems are attractive to many physicians because of their affordability.
Cloud-based practices typically pay a monthly subscription fee to a vendor who stores their data and allows practices to access records using an Internet connection. The approach reduces the need for expensive hardware and servers associated with stand-alone systems that can cost as much as $30,000 and require a full-time staff to maintain...



Doing another DVD artwork piece for my friends in Adobe Illustrator, CS6.

This young man Ole is ridiculous!



I got an invite to join TCHB LinkedIn Network. Done. Check it out. (May be login firewalled)


No HIPAA Omnibus Final Rule yet. Now, I'm starting to wonder whether they're going to keep it bottled up until HIMSS13.

From The Health Care Blog: CodeRed, David Dranove on "Unleashing the Innovation Monster"

Ironically, the key to unlocking the power of market forces may be a bit more regulation. Of course we need more vigorous antitrust enforcement. But we also need to bring order to the world of electronic medical records. One advantage enjoyed by the integrated firm is the ability to get all of its providers to use the same EMR platform, thereby facilitating the exchange of information that is vital to improving efficiency and quality. Independent physicians are reluctant to adopt EMR, due to the cost, but they also are reluctant to choose a particular EMR system for fear of aligning themselves with a particular hospital that uses the same system. (This would weaken the physician’s bargaining position.) President Bush established a commission to develop EMR standards, but the result was unsatisfactory and incompatible systems continue to coexist. Without enforced compatibility (and either carrots or sticks to assure adoption), the virtual healthcare organization will remain a pipe dream. Even the most visionary healthcare executive will be reluctant to do business with an independent provider if the potential for information exchange is limited.
This is an excellent read. Click the title link. Would love to get J.D. Kleinke's reaction to it. Maybe he'll comment in the article's comments section.

"incompatible systems continue to coexist"

Ya think? As of today there are 1,486 and 277 ambulatory and inpatient "Meaningful Use 2011 CHPL Certified Complete Systems" littering the health IT landscape. A total of 1,763 complete EMR systems, all "standardized" to the narrow Meaningful Use criteria and virtually nothing else that matters to end-users.

But, hey, Differentiation+Opacity = Margin

More to come...