Search the KHIT Blog

Monday, September 23, 2013

HIPAA Omnibus: no more excuses, compliance date is today

Should HIPAA auditors show up on your door today, you had better have done your risk analysis and performed and documented everything pertaining to the HIPAA Omnibus Final Rule as it bears on your Covered Entity or PHI Business Associate operation. Enforcement begins today, September 23rd, 2013. Since HHS's intent is to have the HIPAA auditing and enforcement effort be "self-funding" through fines and monetary penalty settlements -- particularly in light of the chronic budgetary/deficit woes in Congress -- you will come to rue the day you decided to blow this off.

apropos of the "breach" component: below, a recent visual depicting the distribution of PHI breaches.

Half of it "physical theft." The totemic exemplar dope leaving his laptop containing thousands of records of unencrypted PHI in the rental car. Still happens all the time. Forbid -- and enforce the prohibition of that practice and you've just reduced your risk exposure by half.


Well, that didn't take long.

On Sunday, less than two days after the iPhone 5S went on sale, a German hacker collective became the first to claim victory over the gadget's much-buzzed-about Touch ID fingerprint security system. And they did it pretty much the same way Bane's flunkies breached the biometric passcode on Bruce Wayne's stock exchange account in "The Dark Knight Rises," — using a copy of Batman's fingerprints (created by Catwoman after she did some light dusting around Wayne Manor).

Even before the Chaos Computer Club, one of the largest and well-known hacker collectives, crowed victory via the tried-and-true "fake finger" method, Apple's first foray into biometric security wasn't getting a lot of respect. Amid concerns over privacy — Sen. Al Franken, D-Minn., asked if Apple might share stored fingerprints with third parties or the government, the way tech companies do with other customer info — and hacking, the jokes kicked in. A cat's paw, a nipple and a crowd-sourced bounty to the first person to hack Touch ID are likely just the beginning of a running gag at Apple's expense...
So much for iPhone 5 fingerprint verification technology as a potential component of HIPAA-related BYOD security policy.


From a comment under THCB's Why Can’t We Do Better Than This?
Rob says- You have heard of the iPad,iTouch, iPhone? Now you have the iPatient! Most of the problem comes from our new slavish devotion to hospital EMR systems. Common sense? Sorry, not in the algorithm. Spend 8 minutes with the patient? No, no, no, thats just face time. What about the other 30 minutes the doc spends with the computer AFTER he sees the patient? Where do you think that time comes from? No communication? Orders can be entered remotely in real time responding to minute to minute changes in the patients condition! Its all documented in the computer. As long as the documentation is there why do we need to talk to the patient ? We have recorded our thought process for posterity in the computer. Its all there, but that takes time! These residents have to sign out and turn over these patients to other doctors several times a day. Now THATS communication! Actual communication with the patient is to be discouraged as it will only stand in the way of processing the patient through the system efficiently and documenting a timely discharge so our outcome metrics are in parallel with national benchmarks! Nurse education at 1 AM! You betcha! Wake the patient up to give them a sleeping pill? Of course! Wouldn’t want the computer to score that as a medication error would you? Computer documentation insists that all of it it be performed in a timely fashion. Physicians and nurses in the real world now spend more time with the “iPatient” than they do with the actual real patient. Please don’t stand in the way of improved outcomes, efficiency, cost savings and improved patient safety with your petty complaints. Waiting until EMR’s were sufficiently advanced that they improved the physician patient experience until implementation is absurd! Perhaps if someone did a time motion study and saw how much time these computer systems take away from direct patient care, all those talking heads in ivory towers would get it. BTW, c’mon pretty hard to believe that one of the nations most reputable hospitals does not have a radiologist to read head CTs at night. Really?


While the Congressional Clown Car Federal Shutdown Show is grabbing all of the headlines, serious work continues.
September 24, 2013

The Honorable Kathleen Sebelius, Secretary
U.S.  Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Madam Secretary:

The Electronic Health Records (EHR) Meaningful Use Incentive Program has played a significant role in advancing the adoption of health information technology across the country. However, given the feedback from stakeholders on the timing of Stage 2 of the program, we respectfully request an extension of Stage 2 by one year for providers who need extra time to meet the new requirements. Providers who are ready to attest to Stage 2 in 2014 should be able to do so consistent with current policy.

Starting in 2014, eligible hospitals and eligible professionals participating in the EHR incentive program for Medicare will have to progress to new Stage 2 regulatory standards in order to demonstrate growth in the use of EHR technology. All eligible hospitals and professionals will have to demonstrate achievement of Stage 2 meaningful use objectives for any quarter-based 90-day period of either Fiscal Year 2014 for hospitals or Calendar Year 2014 for physicians in order to avoid penalties in 2016. This requirement applies to those who began Stage 1 in 2012 or earlier. However, even providers that began Stage 1 in 2013 or will attest for the first time in 2014 will have to use 2014 Edition Certified EHRs to satisfy the revised set of Stage 1 objectives.

Therefore, based on a wide range of feedback from providers, vendors, and other stakeholders, we identify three key problems with the current timeline for Stage 2.

First, we are concerned that the regulatory structure of the program has created significant time pressure in 2014, and progressing to Stage 2 may not be feasible for all participants. In one year, over 500,000 hospitals and physicians are required to upgrade their existing technology to demonstrate new standards of “meaningful use” by the end of 2014 in order to be eligible for the corresponding incentive payments. Further, the vendors are under tremendous time pressures to ensure their products are certified for the 2014 Edition criteria and have sufficient time to upgrade their products for each hospital or physician client. This time pressure has raised questions about whether such a short period for Stage 2 is in the best long-term interest of the program. 

Second, we are concerned that the onset of Stage 2 may further widen the digital divide for small and rural providers who lack the resources of large practices and may not be vendors’ top priorities. Even if certified products are available to them, simply receiving the software update does not satisfy meaningful use requirements for a hospital or eligible provider. They also need assistance learning how to use the new technology and time to address how they will achieve the new standards of meaningful use. 

Third, an artificially aggressive Stage 2 timeline may have serious unintended consequences such as stifling innovation and increasing medical errors. Innovation in health information technology could be hampered, since vendors do not have the time to introduce administrative flexibility into their EHRs to best serve diverse practices. Medical errors could be increased inadvertently, because rushing through upgrades could introduce new risks in the technology that could cause errors or patient safety problems. 

If the goal is to improve care by achieving broad and meaningful utilization of EHRs, providing sufficient time to ensure a safe, orderly transition through Stage 2 is critical to having stakeholder buy-in, a necessary component of long-term success. 

We are not suggesting a delay of Stage 2 and the progress we have seen to date.   Providers who are ready to transition to Stage 2 should do so and should receive incentive payments in 2014 and 2015 consistent with current policy.   However, providers that are not yet ready to transition to Stage 2 should have a one-year extension before they must demonstrate Stage 2 meaningful use, consequently mitigating the threat of penalties while still abiding by the statutory deadlines. 

In future efforts, continued focus on achieving interoperability is critical. We believe that for this program to ultimately be successful, heeding stakeholder feedback on the current progress to achieving interoperability is imperative. It is critical to continue holding vendors accountable for providing products that advance the ability for unaffiliated providers to share information. 

We appreciate your attention to this request, and urge you to move quickly with a decision so stakeholders have the clarity and certainty they need to plan. We look forward to your response by October 8, 2013. 


Senators Lamar Alexander, (R-Tn), John Thune (R-SD), John Barrasso (R-Wyo.), Richard Burr (R-N.C.), Saxby Chambliss (R-Ga.), Dan Coats (R-Ind.), Tom Coburn (R-Okla.), Mike Enzi (R-Wyo.), Johnny Isakson (R-Ga.), Mark Kirk (R-Ill.), Jerry Moran (R-Kan.), Lisa Murkowski (R-Alaska), Rob Portman (R-Ohio), Jim Risch (R-Idaho), Pat Roberts (R-Kan.), Pat Toomey (R-Penn.), and Roger Wicker (R-Miss.).
NOTE: The senators’ request is supported by the American Medical Association, the American Hospital Association, the National Rural Health Association, and the College of Healthcare Information Management Executives.

Interesting that there is no call to suspend or kill the Meaningful Use initiative now.

October 8th? Will the federal government be doing business on October 8th?


HealthLeaders: A lot of people are asking for your advice for the next coordinator. I want to focus on two particular pain points. One is the possibility of a government shutdown and how that would impact the office. The other is just the continuing heartburn that the sequester has caused.

Mostashari: What can I say? I took over as national coordinator on April 8, 2011. It was the day the government was supposed to shut down. So my first act was to assemble all the folks at ONC and talk about the fact that they may need to go home, leave your Blackberrys, and you're not going to get paid until we don't know when. That did not come to pass. We have limped through with continuing resolutions and then sequester cuts without really an ability for the department to rebalance how we budget. Things are frozen at the same relative proportions between initiatives for years. That's like passing a household budget where your kid's in school now, but you still have to keep your budget for diapers. You can't increase your budget for school supplies. It's crazy. But despite that, what I would say to the next national coordinator on that is to lean on the community, and to tap into the desire that everybody has to help us succeed.
Here we go again, 'eh?

More to come...

No comments:

Post a Comment