
Sunday, February 22, 2015

Aging in place

My 89-year-old mother-in-law died last night. In her own bed, at home in rural northern Alabama. My late father-in-law also passed away at home, in 2010.

I shot that photo with my iPhone back in December during our holiday visit. It has been a difficult couple of years. She was struggling to recover from spinal surgery in the wake of her latest fall mishap. Medical care (or anything else) is not conveniently nearby. "Aging in place" is mostly easier said than done, particularly in the boonies.

Marguerite had always been fiercely independent and active across the 41 years I knew her. She cultivated a half-acre garden every year during most of that time, putting up three chest freezers worth of vegetables and shelves filled with Mason jars. It's the family home place, formerly a bustling dairy farm started by my wife's late grandfather (they sold the herd after Uncle Hubert died, and Cheryl's cousin Scotty now does mostly large-scale commodities farming on the property). A great place, but really "rural."

When the day came to finally take the car keys away a few years ago, it did not go down well. When the time came to do P.O.A. and then bring in paid home care assistance, that did not go down well either. A couple of my wife's siblings who live nearby had to quietly bear the brunt of her considerable ire.

I am very sad today. My wife has had to cut short a trip to San Diego, and arrangements are in process. We've known this day loomed. Ya hate to lose 'em.

Both of my late parents spent their final years in long-term care, four years for my Mom, seven for my dementia-addled Pop. The cost was huge, both in financial terms (estate taxes were not an issue for me), and loss of their personal dignity.

No easy answers.

Friday, February 20, 2015

If you were in Washington in 2008 and somebody gave you $30 billion to spend on health IT...

A beaut of an interview with Dr. Mark Smith over at THCB:
Bob Wachter, MD: If you were in Washington in 2008 and somebody gave you $30 billion to spend on health IT, would you have spent it the way the government did?

Mark Smith, MD: My sense is that they missed an opportunity to impose or to bring about standards, which would have let the IT people compete on the interface. In other words, if the backbone of the data were standardized, then you could have IT companies not competing on standards, but competing on the beauty of their interface, the intuitiveness of their interaction with providers. What we have instead is competition all up and down the vertical, and that I think is the tragedy.

That’s the magic of HTML, right? Most people have Windows, some people have Macs, some people have Linux – you can choose whatever interface you like. Companies compete on the intuitiveness, the attractiveness, and the beauty of the interface. Whoever does that well will win.
"[I]f the backbone of the data were standardized, then you could have IT companies not competing on standards, but competing on the beauty of their interface, the intuitiveness of their interaction with providers."
What have I been harping on repeatedly?
One. That’s what the word “Standard” means -- er, should mean. To the extent that you have a plethora of contending “standards” around a single topic, you effectively have none. You have simply a no-value-add “standards promulgation” blindered busywork industry frenetically shoveling sand in the Health IT gears under the illusory guise of doing something goalworthy.

One. Then stand back and watch the private HIT market work its creative, innovative, utilitarian magic in terms of features, functionality, and usability. Let a Thousand RDBMS Schema and Workflow Logic Paths Bloom. Let a Thousand Certified Health IT Systems compete to survive on customer value (including, most importantly, seamless patient data interchange for that most important customer). You need not specify by federal regulation (other than regs pertaining to ePHI security and privacy) any additional substantive “regulation” of the “means” for achieving the ends that we all agree are necessary and desirable. There are, after all, only three fundamental data types at issue: text (structured, e.g., ICD9, those within other normative vocabulary code sets, and unstructured, e.g., open-ended free-form SOAP note narratives), numbers (integer and floating-point decimal), and images. All things above that are mere “representations” of the basic data (e.g., text lengths, datetime formats, Boolean/logical, .pngs, bmps, .tiffs, .jpegs etc)... 

Again, from my February 2014 post "We should not prescribe specific functionality for the EHR other than interoperability and security."
- John Halamka
But, hey, what do I know? (And, to be fair, my rant is principally about interop, not UX per se.) Anyway, we're now all in the thrall of HL7® FHIR®, right? Gonna be salvation.

I eagerly await the release of Dr. Wachter's new book "The Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer Age."

"While modern medicine produces miracles, it also delivers care that is too often unsafe, unreliable, unsatisfying, and impossibly expensive. For the past few decades, technology has been touted as the cure for all of healthcare’s ills.

But medicine stubbornly resisted computerization – until now. Over the past five years, thanks largely to billions of dollars in federal incentives, healthcare has finally gone digital.

Yet once clinicians started using computers to actually deliver care, it dawned on them that something was deeply wrong. Why were doctors no longer making eye contact with their patients? How could one of America’s leading hospitals give a teenager a 39-fold overdose of a common antibiotic, despite a state-of-the-art computerized prescribing system? How could a recruiting ad for physicians tout the absence of an electronic medical record as a major selling point?

Logically enough, we’ve pinned the problems on clunky software, flawed implementations, absurd regulations, and bad karma. It was all of those things, but it was also something far more complicated. And far more interesting . . .

Written with a rare combination of compelling stories and hard-hitting analysis by one of the nation’s most thoughtful physicians, The Digital Doctor examines healthcare at the dawn of its computer age. It tackles the hard questions, from how technology is changing care at the bedside to whether government intervention has been useful or destructive. And it does so with clarity, insight, humor, and compassion. Ultimately, it is a hopeful story.

"We need to recognize that computers in healthcare don’t simply replace my doctor’s scrawl with Helvetica 12," writes the author Dr. Robert Wachter. "Instead, they transform the work, the people who do it, and their relationships with each other and with patients. . . . Sure, we should have thought of this sooner. But it’s not too late to get it right."

This riveting book offers the prescription for getting it right, making it essential reading for everyone – patient and provider alike – who cares about our healthcare system."

More to come...

Tuesday, February 17, 2015

On ONC's "non-regulatory, market-driven" Health IT fetish, and other related business

My new Harper's arrived in the snailmail the other day. A couple of interesting pieces therein, relevant, IMO, to the high-minded muddleheadedness I see coming out of places like ONC in the wake of the JASON Report.

A couple of JASON gems:
  • Establish an industry-based ecosystem. A Coordinated Architecture based on market-based arrangements should be defined to create an ecosystem to support API-based interoperability.
  • Institute the government as market motivator. ONC should assertively monitor the progress of exchange and implement non-regulatory steps to catalyze the adoption of Public APIs.
"Implement non-regulatory steps"? Seriously? See also my February 1st post Yet another ONC Interoperability "Roadmap" e.g.,
It is now 2015. Lordy. Do I really need to elaborate here? This is a recipe for the ever-so-collegial continuation of stasis, all elaborately reported on episodically in lengthy, aesthetically pleasing pdf documents verbosely re-plowing the same ground. And, the putative upshot will be that (re Figure 1) we will "simplify" and "focus on value" to "empower individuals" through "scalable universal access," all while "maintaining modularity," recognizing that "one size does not fit all," in deference to "considering the current environment" and "building on existing infrastructure" so as to "leverage the market."
Yeah, I know, markets uber alles, with disdain for "regulation" in increasingly full-throated neo-Randian, pitchfork-wielding, populist tool you're-not-the-boss-of-ME political roar.

Never mind pesky little annoying realities such as "First Mover Disadvantage," "Opacity = Margin," and "Gresham's Dynamic." Never mind the Moral Hazard race-to-the-bottom FIRE Sector Crash of 2008. We're marching euphorically arm-in-arm toward the inevitable hyperefficient, innovative, beneficent, free-market UberTopia. An App in Every Pot.

From my March 2015 (subscriber-paywalled) issue of Harper's:

In Regulation Nation, by David Graeber, from The Utopia of Rules, published last month by Melville House. Graeber is the author of Debt: The First 5,000 Years...
When we do discuss bureaucracy, we still use terms established in the Sixties and Seventies. The social movements of the Sixties were, on the whole, left-wing in inspiration, but they were also rebellions against the bureaucratic mind-set, the gray functionalism of both state-capitalist and state-socialist regimes, the soul-destroying conformity of the postwar welfare states. In the face of social control, Sixties rebels stood for individual expression and spontaneous conviviality.
With the collapse of the old welfare states, this kind of rebellion has come to seem decidedly quaint. As the right has adopted the language of anti-bureaucratic individualism, insisting on “market solutions” to every social problem, the mainstream left has limited itself to salvaging remnants of the old welfare state. It has acquiesced to — and often spearheaded — traditionally right-wing attempts to make government efforts more “efficient,” whether through the privatization of services or the incorporation of “market principles,” “market incentives,” and market-based “accountability processes.”...
At least the right has a critique of bureaucracy. Its origins may be found in the nineteenth century, when liberal thinkers argued that Western civilization was undergoing a gradual, uneven, but inevitable transformation from the rule of warrior-elites to a society of liberty, equality, and enlightened commercial self-interest. In the wake of the French Revolution, absolutist states were giving way to markets, religious faith to scientific understanding, and fixed orders and noble ranks to free contracts between individuals.
The right-wing argument goes one step further. Ludwig von Mises, the exiled Austrian aristocrat and economic theorist who was its greatest twentieth-century exponent, argued in his 1944 book, Bureaucracy, that systems of government administration could never organize information with anything like the efficiency of impersonal market-pricing mechanisms, and that the administrators of social programs would end up destroying the political basis of democracy by forming powerful blocs against elected officials. Even well-meaning bureaucrats would do more harm than good.
The idea that the market is somehow opposed to and independent of government has been used at least since the nineteenth century to justify laissez-faire economic policies, but such policies never actually have the effect of lessening the role of government. In late-nineteenth-century England, for instance, an increasingly liberal society did not lead to a reduction of state bureaucracy but the opposite: an endlessly mushrooming array of legal clerks, registrars, inspectors, notaries, and police officials — the very people who made possible the liberal dream of a world of free contract between autonomous individuals. It turned out that maintaining a free-market economy required considerably more paperwork than a Louis XIV–style absolutist monarchy. The same effect could be seen in America during Ronald Reagan’s presidency, or in Russia after the fall of the Soviet Union, where, from 1994 to 2002, the number of civil servants jumped by some quarter million.
Indeed, this paradox can be observed so regularly that I think we are justified in treating it as a general sociological principle. Let’s call it the Iron Law of Liberalism: Any market reform or government initiative intended to reduce red tape and promote market forces will ultimately increase the number of regulations and bureaucrats, as well as the amount of paperwork, that the government employs. Emile Durkheim was already observing this tendency at the turn of the twentieth century, and fifty years later even right-wing critics like F. A. Hayek were willing to admit that markets don’t really regulate themselves: they require an army of administrators to keep them going.
Still, conservative populists recognized that making a target of bureaucrats was almost always effective, whatever the reality... Americans now generally believe government to comprise two sorts of people: “politicians,” who are blustering crooks and liars but can at least occasionally be voted out of office, and “bureaucrats,” who are condescending elitists and almost impossible to uproot. The right-wing argument tends to assume a kind of tacit alliance between a parasitic poor (in America usually pictured in overtly racist terms) and equally parasitic self-righteous officials who subsidize the poor using other people’s money. Even the mainstream left now offers little more than a watered-down version of this language. Bill Clinton, for instance, spent so much of his career bashing civil servants that after the Oklahoma City bombing in 1995, he felt he had to remind Americans that public servants were human beings, too.
In America — and increasingly in the rest of the world — the only alternative to “bureaucracy” is now “the market.” Sometimes this is taken to mean that the government should be run more like a business, other times that we should get bureaucrats out of the way and let the magic of the marketplace provide its own solutions. “Democracy” has become a synonym for “the market,” just as “bureaucracy” has become one for “government interference.”...
So what are people referring to when they talk about deregulation? In ordinary usage, the word seems to mean “changing the regulatory structure in a way that I like.” In the case of banking, deregulation has usually meant moving away from a situation of managed competition between midsize firms to one in which a handful of financial conglomerates are allowed to completely dominate the market. In the case of airlines and telecommunication firms in the Seventies and Eighties, deregulation meant the opposite: changing the system of regulation from one that encouraged a few large firms to one that fostered carefully supervised competition between midsize firms. In neither of these cases was bureaucracy reduced...
What began to happen in the Seventies, which paved the way for what we see today, was a strategic turn, as the upper echelons of U.S. corporate bureaucracy moved away from workers and toward shareholders. There was a double movement: corporate management became more financialized and the financial sector became more corporatized, with investment banks and hedge funds largely replacing individual investors. As a result, the investor class and the executive class became almost indistinguishable. By the Nineties, lifetime employment, even for white-collar workers, had become a thing of the past...
Bureaucratic techniques developed in financial and corporate circles (performance reviews, focus groups, time-allocation surveys, and so on) spread throughout the rest of society, to education, science, and government. One can trace the process by following its language. There is a peculiar idiom that first emerged in corporate circles, full of bright, empty terms like “vision,” “quality,” “stakeholder,” “leadership,” “excellence,” “innovation,” “strategic goals,” and “best practices.” Much of it originated from “self-actualization” movements like Mind Dynamics, Lifespring, and est, which were extremely popular in corporate boardrooms in the Seventies. But it quickly became a language unto itself, engulfing any meeting where any number of people gather to discuss the allocation of any kind of resources...
"Bright, empty terms" indeed. Recall my January 18th post "Let a thousand banalities bloom."

David Graeber is an utter delight to read. I had the good fortune to buy and read his excellent book "Debt: the first 5,000 years" before I knew who he is. A witty, erudite book comprising the best of the word "scholarship" (his politics aside, he's a social anthropologist). If you want a free Cliff's Notes version, see his piece "To Have is to Owe."

His new book "The Utopia of Rules" will not be available until February 24th. I will get it and read it as soon as it is released.

Interesting snip from the Amazon preview (I Dragon'ed it in):
Here I think it is possible to add a kind of corollary to the Iron Law of Liberalism. History reveals that political policies that favor "the market" have always meant even more people in offices to administer things, but it also reveals that they also mean an increase in the range and density of social relations that are ultimately regulated by the threat of violence. This obviously flies in the face of everything we've been taught to believe about the market, but if you observe what actually happens, it's clearly true. In a sense, even calling this a "corollary" is deceptive, because we're really just talking about two different ways of talking about the same thing. The bureaucratization of daily life means the imposition of impersonal rules and regulations; impersonal rules and regulations, in turn, can only operate if they are backed up by the threat of force.
The "threat of force" need not be one of physical violence. And it need not be that of "government." Private market corporate coercion may be all the more pernicious in light of its lack of practical legal accountability.

Which leads me into the 2nd Harper's article,
The Spy Who Fired Me, by Esther Kaplan

Last March, Jim Cramer, the host of CNBC’s Mad Money, devoted part of his show to a company called Cornerstone OnDemand. Cornerstone, Cramer shouted at the camera, is “a cloud-based-software-as-a-service play” in the “talent-management” field. Companies that use its platform can quickly assess an employee’s performance by analyzing his or her online interactions, including emails, instant messages, and Web use. “We’ve been managing people exactly the same way for the last hundred and fifty years,” Cornerstone’s CEO, Adam Miller, told Cramer. With the rise of the global workforce, the remote workforce, the smartphone and the tablet, it’s time to “manage people differently.” Clients include Virgin Media, Barclays, and Starwood Hotels.

Cornerstone, as Miller likes to tell investors, is positioning itself to be “on the vanguard of big data in the cloud” and a leader in the “gamification of performance management.” To be assessed by Cornerstone is to have your collaborative partnerships scored as assets and your brainstorms rewarded with electronic badges (genius idea!). It is to have scads of information swept up about what you do each day, whom you communicate with, and what you communicate about. Cornerstone converts that data into metrics to be factored in to your performance reviews and decisions about how much you’ll be paid.

Miller’s company is part of an $11 billion industry that also includes workforce-management systems such as Kronos and “enterprise social” platforms such as Microsoft’s Yammer, Salesforce’s Chatter, and, soon, Facebook at Work. Every aspect of an office worker’s life can now be measured, and an increasing number of corporations and institutions — from cosmetics companies to car-rental agencies — are using that information to make hiring and firing decisions. Cramer, for one, is bullish on the idea: investing in companies like Cornerstone, he said, “can make you boatloads of money literally year after year!”

A survey from the American Management Association found that 66 percent of employers monitor the Internet use of their employees, 45 percent track employee keystrokes, and 43 percent monitor employee email. Only two states, Delaware and Connecticut, require companies to inform their employees that such monitoring is taking place. According to Marc Smith, a sociologist with the Social Media Research Foundation, “Anything you do with a piece of hardware that’s provided to you by the employer, every keystroke, is the property of the employer. Personal calls, private photos — if you put it on the company laptop, your company owns it. They may analyze any electronic record at any time for any purpose. It’s not your data.”

With the advent of wireless connectivity, along with a steep drop in the price of computer processors, electronic sensors, GPS devices, and radio-frequency identification tags, monitoring has become commonplace. Many retail workers now clock in with a thumb scan. Nurses wear badges that track how often they wash their hands. Warehouse workers carry devices that assign them their next task and give them a time by which they must complete it. Some may soon be outfitted with augmented-reality devices to more efficiently locate products.

In industry after industry, this data collection is part of an expensive, high-tech effort to squeeze every last drop of productivity from corporate workforces, an effort that pushes employees to their mental, emotional, and physical limits; claims control over their working and nonworking hours; and compensates them as little as possible, even at the risk of violating labor laws. In some cases, these new systems produce impressive results for the bottom line: after Unified Grocers, a large wholesaler, implemented an electronic tasking system for its warehouse workers, the firm was able to cut payroll expenses by 25 percent while increasing sales by 36 percent. A 2013 study of five chain restaurants found that electronic monitoring decreased employee theft and increased hourly sales. In other cases, however, the return on investment isn’t so clear. As one Cornerstone report says of corporate social-networking tools, “There is no generally accepted model for their implementation or standard set of metrics for measuring R.O.I.” Yet this has hardly slowed adoption...

I first got interested in the data-driven workforce not long after I moved from a dilapidated apartment in Brooklyn that had a live-in super to a slightly more solid walk-up that does not. I began to notice something frustrating about my UPS deliveries. They never arrived. When I wasn’t home, I’d leave a note asking for packages to be left at the laundromat on the corner. I’d get an attempted-delivery note instead. The same thing sometimes happened even when I was home — I’d find an attempted-delivery note, but no one had rung my doorbell. Packages were routinely returned to sender. Then I learned about UPS’s use of something called telematics.

Telematics is a neologism coined from two other neologisms — telecommunications and informatics — to describe technologies that wirelessly transmit data from remote sensors and GPS devices to computers for analysis. The telematics system that now governs the working life of a driver for UPS includes handheld DIADs, or delivery-information acquisition devices, as well as more than 200 sensors on each delivery truck that track everything from backup speeds to stop times to seat-belt use. When a driver stops and scans a package for delivery, the system records the time and location; it records these details again when a customer signs for the package. Much of this information flows to a supervisor in real time. The Teamsters, the union that represents UPS employees, won contract language that says drivers can’t be fired based solely on the numbers in their telematics reports, but supervisors have found workarounds, and telematics-related firings have become routine.

One warm day last fall I met with a man I’ll call Jeff Rose, who for the past fifteen years has driven a UPS delivery route in a working-class neighborhood in one of New York City’s outer boroughs. He was taking his two o’clock lunch break at a diner on the corner of a modest commercial strip and a leafy residential street. Rose, who asked that I not use his real name, said that telematics was introduced as a safety measure when it was rolled out in New York six or seven years ago. Lists were posted at distribution centers to shame the biggest seat-belt scofflaws. But safety is not the reason given for telematics on UPS investor calls. On those, executives speak instead about the potential for telematics to save the firm $100 million in operating efficiencies, including reductions in fuel, maintenance, and labor...
I am reminded of a book I cited last April and again in June.

Efficient, Lean "market-driven" digital "utopia" or a digital Panopticon dystopia?

Esther Kaplan concludes:
“The current mythology of big data,” according to Kate Crawford, who holds research positions at MIT, NYU, and Microsoft, “is that with more data comes greater accuracy and truth.” Big data in the workplace holds out the promise of true equality of opportunity, in which Moneyball-style analytics unearth hidden talent. Yet Kronos’s metrics-based hiring software is currently under investigation by the Equal Employment Opportunity Commission for discriminating against people with disabilities. Even the knowledge-sharing metrics used by companies like Cornerstone to assess elite knowledge workers may reproduce inequity. As Marc Smith, the sociologist from the Social Media Research Foundation, pointed out, “The diversity of your connections is a proxy for your wealth.” In other words, firms that reward their optimally networked employees risk further increasing inequality...

As Zeynep Ton wrote in the Harvard Business Review, companies such as Costco and Trader Joe’s that invest in higher pay, more training, and more convenient schedules bring in far more revenue per employee than competitors that do not. Both companies are Kronos clients. Charles DeWitt, the Kronos executive, said that retailers are better served when they see employees as potential profit centers, and not just as “a big bucket of costs” to be cut. Still, the dominant paradigm remains what Lisa Disselkamp, the Deloitte consultant, calls “the highly optimized system,” one organized around minimizing labor costs. Perhaps you can’t manage what you can’t measure. But the measuring has taken on a life of its own.
You would do well to subscribe to Harper's and read the entire thing. It has given me pause, in light of my obvious affinity for "Lean." What are the proper ethical limits of pursuing the maximization of "operational efficiencies" -- going all-in "Lean/Six Sigma/Agile" if it entails surveilling and micromanaging the daily lives of the people doing the work? I re-visit my June 20th, 2014 concern:
Recall from Dr. Toussaint's writings? "Manage processes, lead people"? The concerns aired by Simon Head pertaining to HRM, BPR, and CBS reveal evidence that some organizations are moving in the other direction -- using IT to manage people. In healthcare this is precisely the wrong thrust, and will only serve to deepen the cynicism of many critics of HIT and cannot but throw sand in the improvement gears.
What of "Just Culture"? Relatedly, what of a "Talking Stick" ethos? Maybe we don't care, given that the micro-manage-people focus is currently on lower-level workers in retail, fast food, fulfillment centers, delivery services, and lower white collar employee strata, etc.

These UberTopia hustlers won't stop there, though, and, given the increasing cost-reduction imperatives we see loudly touted in healthcare media every day, "Cornerstone OnDemand" et al may well be infiltrating clinical organizations near you in short order to bring in the putative Productivity Treadmill Panopticon.

BTW, see also my prior post "Will Silicon Valley's digerati "solve" healthcare?" Pay specific attention to Evgeny Morozov's iconoclastic book "To Save Everything, Click HERE."


More to come...

Saturday, February 14, 2015

Meaningful Use 2014 incentive payments: ONC, get out the Lipstick

Report detail here (pdf). Pretty ugly. 2014 attestation payments were only 30.2% of the prior year's ($3,007,177,555 / $9,948,115,223).

Increasingly, we're going to be in "reimbursement penalty" mode.
CMS: Meaningful Use penalties to reach $200M
By Heather Caspi | February 13, 2015

Dive Brief:
  • Current CMS data indicate that eligible professionals are facing an estimated $200 million in Medicare reimbursement penalties in 2015 for failure to fulfill Medicare meaningful use obligations. The numbers were announced this week during a HIT Policy Committee meeting.
  • The committee report indicates that the highest breakdown of EPs (34% or 87,000) will see payment adjustments ranging from $1 to $250.
  • The further breakdown shows 21% (55,000 EPs) can expect adjustments from $250 to $1,000; 14% (36,000) can expect adjustments from $1,000 to $2,000; and 31% (78,000) can expect adjustments upwards of $2,000...
AMA: Meaningful Use is Still Broken
Washington, DC ~ Steven J. Stack, MD, President-Elect, American Medical Association:

"The American Medical Association (AMA) is alarmed by yesterday's announcement that more than three quarters of eligible professionals have still been unable to attest to Meaningful Use.

"The program's one-size-fits-all approach, that has not been proven to improve quality, has made it difficult for physicians to take part. The penalties physicians are facing as a result of the Meaningful Use program undermine the program's goals and take valuable resources away from physician practices that could be spent investing in better and additional technologies and moving to alternative models of care that could improve quality and lower costs.

"They additionally make it harder for physicians to meet Meaningful Use in the future. In order to successfully attest, physicians must spend tens of thousands of dollars for tech support, software upgrades, interfaces and data exchange, often on a recurring basis.

"The AMA continues to work with the Administration to improve the Meaningful Use program and looks forward to seeing how CMS' anticipated new rules address these issues this spring."

Is it Time for a “Simple” Electronic Health Record System?
by Jerome Carter on February 16, 2015
Recently, I participated in a series of emails about creating teaching materials for a course on clinical software design. This may come as a surprise, but there are no books on the topic of clinical software design. Of course, there are plenty of books about clinical software systems, especially EHR systems, but none that describe in detail how to design and build clinical care systems.
One reason for the lack of books is that most clinical software is designed and built by commercial entities. The resulting systems are proprietary and the processes used to build them, trade secrets. In light of the recent statements from the AMA (1) and ACP (2) regarding EHR usability and support for clinical documentation, obviously more needs to be done. A general picture of desirable clinical care system features emerges from those reports and other sources. The ideal systems are modular, recognize that one size does not fit all, have explicit support for workflows, allow for a degree of end-user configuration, support collaboration and communication, and can easily share data. As I have said many times, requirements are wishes until rendered in code. So how do we turn wishes and user complaints into next-generation products? Guess what? No one knows for sure…

Vendors are not withholding features or deliberately building systems that underwhelm users. There is no conspiracy. They are building exactly what has been requested—electronic replacements for paper charts (see Is the Electronic Health Record Defunct?). Meaningful use, while a distraction for sure, does not explain why pre-HITECH EHR systems lacked workflow support or collaboration tools or could not readily share information. Those functions were simply not considered compelling at the time...
Great stuff as always.

Speaking of great stuff, the always-pithy Margalit:
Health care is a massive market…

America is spending $3 trillion on health care every year. Does that number include toothpaste? Surely toothpaste is very important to your health. How about baby powder, diapers, condoms, soap, lip balm, nail clippers, detergents, mops, vacuum cleaners, washing machines, smoke detectors, air filters and air bags? How about everything Nike sells, diet books, your gym membership, bicycles, skateboards, everything Sports Authority carries in its stores, and all Weight Watchers products? And then there is quinoa and edamame, spelt, flax, organic kale chips and those scrumptious gluten-free kelp smoothies. You can also count the entire budget of the EPA, the FAA, the CDC, the FDA and the USDA, and while at it let’s not forget the war on drugs, the war on poverty and the war on terror, and of course education and vacation, sunscreen, traffic lights, firefighters, police and those weirdly bluish ice-melting crystals for your driveway. It sure looks like we are spending all our money on caring for our health.
In America, we spend $3 trillion every year on medical care, not health care. Medical care is what you get mostly from doctors and nurses, mostly in hospitals or clinics, and mostly when you are sick or hurt. Medical care is most often associated with pain, suffering and fear, and is something most people, most of the time, don’t use, don’t need and don’t want. The new thinking says that if we could spend less money on medical care, we could spend more on Bluetooth enabled holographic toothpaste, and that this is a good thing. After all, most of our $3 trillion is spent on a small fraction of sick and elderly citizens, most of whom will never get better anyway. Wouldn’t it be more fun to spend our money on nice things for the majority who is basically healthy, so they can be even healthier, and perhaps forever healthy?...

More to come...

Wednesday, February 11, 2015

Interoperability update. A better model?

Creating an integrated, nationwide electronic network for exchanging information is not a novel idea. There are multiple instances of similar networks that have been designed and implemented at a much larger scale decades ago, and have been financially self-sufficient ever since. The health care industry can learn many lessons from the successful design, implementation and management of the electronic network of information exchange among hundreds of thousands of financial institutions. In the following I provide a summary of the similarities and differences between the financial and health care information exchange networks and briefly discuss the potential strategies that can create a dependable source of revenue by extracting the potential value of health care information from the heaps of available health care data.

All of the three major credit bureaus in the United States are for-profit organizations that, like other private businesses, do not receive any support from the government. These entities collect financial data from various private and public organizations with which consumers have financial relationships. Creditors, banks, public courts, collection agencies, and other data furnishers provide the credit bureaus with real-time and detailed financial data of nearly half a billion credit holders worldwide. The detailed financial data is provided by institutions in different countries, each of which uses its own customized information systems. The electronic information network that enables various financial institutions around the world to efficiently exchange financial information was developed many years ago using information technologies which by today’s standards would be considered very basic and rudimentary. The federal government has not been involved in creating such systems and has not spent billions of dollars as incentives to encourage banks and other financial institutions to exchange their information with each other. Obviously, the coordination and management of such a vast network that connects financial institutions in many different countries with unique cultures, languages and regulations is much more difficult than coordinating a small number of health care providers within a relatively small geographical area here in the United States. If the financial sector could resolve the problem of interoperability decades ago, using an outdated information technology and no governmental support, the health care sector should have been able to address this problem today, with a much more advanced information technology and billions of dollars of government incentives. Information technology passed, many years ago, the point at which interoperability could be a technical problem.
As I discussed above, the current method of the payment system in the health care industry seems to be the major barrier to efficient exchange of health information. The lenders need to have a risk management system and use as much information as possible in order to reduce the risks of their decisions. The existence of an interoperable information system in which they can effectively exchange their financial data with each other is vital for their survival. The health care providers are currently not bearing the risks of their decisions; instead, they transfer these risks to insurers and patients. As a result, they do not need to extensively use the patient records as a strategy to mitigate the risks of their decisions. For health care providers, interoperable EHR systems and exchanging health care information fit into the category of “expenses on luxury items” rather than “essential business investments”.

The secret to the success of credit bureaus is generating value from the raw financial data. A simple data point about the payment history of a consumer reported by a credit card company may not be valuable on its own. However, when these data points are combined and merged together, analyzed, summarized, and presented as a brief and understandable credit score, significant value will be created. Credit scores help lenders to accurately estimate the risks of their financial decisions. The value of the services of credit bureaus is high enough for financial institutions that they are willing to invest in interoperable information systems which can send their raw data to credit bureaus and in return receive credit scores from them. Each of the three credit bureaus generates well over a billion dollars of annual revenue from selling the results of their analyses of the raw financial data to various types of customers who need these services for financial decision making and marketing purposes. A portion of these revenues would suffice to maintain and expand the whole financial information exchange network.

The health care sector can follow the successful strategies of financial sector...
Link to the full paper here. Well, it's an interesting paper, and he's right to argue that "interoperability" impediments may be more political than technical. But anyone getting all jiggy over the viability of the model he proffers above should perhaps first Google "credit bureau breaches." To wit,
Equifax, Other Credit Bureaus Acknowledge Data Breach
Robert Westervelt on March 13, 2013
The three biggest credit reporting agencies in the U.S. each have reportedly acknowledged intrusions into their systems following the revelation of personal data, including financial information, of celebrities and prominent figures on a website this week.

Executives at Equifax, Trans Union and Experian acknowledged the breach to Bloomberg in a report published Tuesday. Tim Klein, a spokesman for Equifax, told the news agency that a hacker gained "fraudulent and unauthorized access" to at least four consumer credit reports at the credit reporting agency. Credit reports and sensitive data on Paris Hilton, First Lady Michelle Obama, former Secretary of State Hillary Clinton and FBI director Robert Mueller appeared this week on a website called Exposed...
Bring a Snickers; you're gonna be a while reading the various recent credit bureau breach news stories.
Massive U.S. credit bureau data breach has experts worried
April 9, 2014, Catherine Bilkey and Kathryn Burcham
CHARLOTTE, N.C. — The North Carolina Attorney General's Office is now joining other states investigating a massive data breach at a credit reporting agency that has put 200 million Social Security numbers at risk.

State justice officials told Channel 9 they are concerned about how many residents could fall victim to identity theft because of the breach uncovered at Experian.

Investigators said sometime before March 2012, a Vietnamese man named Hieu Minh Ngo used a false identity to purchase Social Security numbers with a database called Court Ventures, and then sold that information on the international black market.

Experian purchased Court Ventures in 2012, but it is unclear when Experian officials became aware of the breach, and now members of Congress and authorities in multiple states are demanding to know whether Experian and Court Ventures took steps to protect consumer information and if they notified potential victims.

"Experian and Court Ventures are each pointing a finger at the other company, saying they have to notify their customers. Meanwhile the consumer is left the odd person out with all of their vital information exposed," said financial crimes expert Chris Swecker...
So, what will serve more effectively? Centralized ePHI exchange data warehouses such as proffered by Brookings' Niam Yaraghi, or the now exuberantly touted peer-to-peer API model central to the HL7® FHIR® proposal?

Recall an infographic from one of my prior posts.

See also my prior post "Once More Into the (HIPAA) Breach." And my post 'Yet another ONC Interoperability "Roadmap."'

A comment I made under Fred Trotter's recent THCB post:
My wife and I are not even Anthem customers, but her employer (where we get our health insurance) has notified them that if we’ve used providers who also take Anthem insurance, we may have been picked up in the hack. That is infuriating. Goes to some of Adrian Gropper’s points above (minimization, and persistence). If I’m not an Anthem subscriber, what right do they have to my personal information from a provider I’ve seen who also contracts with them? I would think that Anthem’s competitors will not be amused to know that they’re mining the data of THEIR customers as well.


From SBM. Another reason to not buy dietary/health supplements. You're mostly getting scammed:
GNC (Herbal Plus brand):
  • Ginkgo biloba: None found, detected garlic, rice, spruce, asparagus
  • St. John’s wort: None found, detected garlic, rice, and dracaena (a houseplant)
  • Ginseng: None found, detected rice, dracaena, pine, wheat, grass and citrus
  • Echinacea: None found, detected rice
  • Saw palmetto: One sample had the product
  • Garlic: Contained garlic!
Target (Up and Up brand)
  • Ginkgo biloba: None found, detected rice, garlic and mung bean 
  • St. John’s wort: None found, detected garlic, rice and dracaena 
  • Garlic: Contained garlic! (one test detected no product) 
  • Echinacea: Found in most samples 
  • Saw palmetto: Found in most but not all samples
  • Valerian: None detected, found allium, bean, asparagus, pea family, rice, wild carrot and saw palmetto
Walgreens (Finest Nutrition brand)
  • Ginkgo biloba: None found, detected rice
  • St. John’s wort: None found, detected garlic, rice and dracaena
  • Ginseng: None found, detected garlic and rice
  • Garlic: None found, detected palm, dracaena, wheat and rice
  • Echinacea: None found, detected garlic, rice and daisy
  • Saw palmetto: contained saw palmetto!
Walmart (Spring Valley brand)
  • Ginkgo biloba: None found, detected rice, dracaena, mustard, wheat, radish
  • St. John’s wort: None found, detected garlic, rice and cassava
  • Ginseng: None found, detected rice, dracaena, pine, wheat/grass and citrus
  • Garlic: One sample had product
  • Echinacea: None found
  • Saw palmetto: Some samples contained small amounts. Also found garlic and rice
People need to go to jail over this.

The answer is simple – we must limit the amount, duration, and types of information that are stored in the cloud forever.
Lordy. From THCB "Three Lessons Healthcare Executives Can Learn From the Sony Hack"

More to come...

Saturday, February 7, 2015

Once More Into The (HIPAA) Breach...

Should HIPAA be overhauled? Anthem data breach raises alarm for privacy advocates
By Dan Taylor, National Monitor | February 07, 2015

HIPAA, which was passed in the 1990s before the Internet was commonplace, does not require data to be encrypted, which could have prevented the release of information of 80 million people in Anthem’s database.

Insurers have no requirement to encrypt the data of their consumers as part of a federal law from the 1990s — which may mean the law could be in need of some updating for the Internet age after a recent massive data breach of Anthem, the second-largest U.S. health insurer.

Encryption protects data by scrambling it using mathematical formulas, so that anyone who does get their hands on it will not be able to figure out what it says. However, the data of 80 million people that was stolen from Anthem’s database was not encrypted, according to an Associated Press report.

The federal law in question is the well-known Health Insurance Portability and Accountability Act, or HIPAA. While the law encourages encryption, it stops short of mandating it.

This latest data breach could cause the public to lose confidence in the ability of the government to protect data even as it increases the computerization of medical records and tries to increase electronic information sharing among hospitals.

David Kibbe, CEO of nonprofit advocacy group DirecTrust, was quoted in the report as saying that maybe it’s time to update HIPAA.

Kibbe argued that any data that identifies the patient should be encrypted, and that it should make no difference whether that information is transmitted over the Internet or is simply sitting in a company database — the latter being the case with Anthem.

The incident has gotten the attention of federal lawmakers, as the Senate Health, Education, Labor and Pensions committee will take a look at encryption requirements as part of a review of health information security.
Maybe Congress can take a wee bit of time out from its umpty-dozenth Quixotic attempt to "Repeal ObamaCare" and amend HIPAA to require "Encryption at Rest."

Nahhh... "Onerous Regulation" and all that.

ePHI Security is governed in part by 45 CFR 164.312:
§164.312   Technical safeguards.
A covered entity or business associate must, in accordance with §164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]
Emphases mine. The author cited above is correct. There are presently neither federal statutory nor regulatory requirements to encrypt ePHI. Here's essentially all you will find in the new Final Rule.
HIPAA Omnibus Final Rule, pg. 5644, Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.
Per 45 CFR 164.3 et seq, it should be noted, in fairness, that "addressable" does not mean "optional" -- just that the CE or BA claiming subclause forbearance must show to the satisfaction of HIPAA auditors that its Policies and Procedures suffice to meet the ends of ePHI protection, in this case breach protection so effective that encryption is not necessary.

Worked out really swell for Anthem here, 'eh?

Also noteworthy here is that states have differing laws and regulations pertaining to privacy, security, and encryption -- important because unlike other areas of federal law ("federal supremacy"), HIPAA is trumped by stricter state laws. I don't have an up-to-date tabulation of those requirements. You'd have to have a WestLaw account via which to search out that kind of detail.

Interestingly, as it relates to my prior post Yet another ONC Interoperability "Roadmap," keyword-search the 166 page ONC Interoperability report for "encrypt" or "encryption."

"Not Found"

Seriously, people?


When my friend Fred Trotter speaks, one has to listen.
It is fine to be outraged at Anthem and I am sure they could have done more, but I can assure you that no insurance company or hospital in the United States is prepared to defend against nation-state level attacks on our infrastructure. In fact, Anthem is to be applauded for detecting and cutting off the attack that it did find. Hackers are much like roaches, if you can spot one, there are likely dozens more successfully hiding in the walls.
From "Anthem was right not to encrypt" on THCB. More...
Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.
When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useless, no one says “well that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets ahold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a given system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys...

You see encryption at rest, unlike encryption in transit, comes with significant risks. The first risk is that keys might be lost. Unlike car keys, once encryption keys are lost there is no way to “make new ones”. Of course you could backup your keys, securely, off-site, but that is extra costs, extra steps. Second, if encrypted data becomes corrupted, it is much more difficult to recover than unencrypted data.

In short, there are cases where encryption-at-rest can be dangerous and there are only a few cases where it can be helpful...
While I have been aware that encryption is not without its own problems (e.g., overhead bandwidth burden, and potential errors associated with extra process steps), Fred brings a new vector of thought to the issue.

So, really the onus is back on breach prevention, in Fred's view, given that encryption perhaps gives us a false sense of security. Recall that this goes to the heart of 45 CFR 164.402(2)(iv) (breach notification requirements):
(iv) The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
"rendered unusable, unreadable, or indecipherable to unauthorized persons," that is the crux, according to Fred. If the Bad Guys get the keys as well as the data, well, point taken. You'd rightfully have to demonstrate that you'd not handed over the keys to be off the hook for breach notification (and all the litigation and punitive regulatory enforcement that might ensue). But, if the Anthem data were unencrypted when filched, then they are usable by the crooks straight away.


Not everyone in THCB comments is amused by Fred's argument:

Fred’s post is misleading in the extreme. The Business of Medicine needs to be held accountable for their practices. Laying the Anthem breach at the feet of the NSA is equivalent to wishing for a police state. A public interest perspective to what’s going on comes to a very different conclusion. There are at least three things Anthem can be held accountable for: encryption, minimization, and persistence.

First, data encryption can be done securely for a bit more money. The keys are kept separate from the data and fetched as needed. In this case, an excess 80 million fetches of the keys would have been noticed earlier, wouldn’t you think? Also, I would like an email from Anthem each time the keys to my data are fetched. How hard would that be? Ahh, but what about the expense? Our US private insurance system has 3X the administrative cost of single-payer. Maybe we need to increase that to 4X so they can afford encryption and accounting for disclosures? Or maybe we should save all that money and let NSA handle the whole thing.

Second, how much data does Anthem need about me? Do they really need my social security number? Why can’t Anthem give me an Anthem ID to use? If a service provider wants to get paid, they need to supply my Anthem ID number, period. Much of the Business of Medicine is still paving the cow path of our paper-based history. I’m old enough to remember the little books of tiny credit card numbers that merchants would be required to check prior to accepting payment. That was before everything got connected. Today, I can buy a cup of coffee with a debit card and the bank responds in a second. Why can’t healthcare payments that average 100X that amount be made without reference to my SSN and other personal info?

Third, how long does Anthem need to keep a copy of my data? An hour, a day, three months, three years, forever? The answer obviously depends but in an age when storage cost is effectively Zero relative to my $10,000 health insurance bill, what keeps Anthem and every other actor in the Business of Medicine from storing all of my private data forever?
Privacy comes at a cost. When VIPs go to the hospital or the pharmacy their information isn’t treated the same way as mine. The Anthem breach is a teachable moment for how we’re paying for the most intimate and important information we have. This is not a time to be letting the Business of Medicine and our regulators off the hook.
I have some personal interest in this dustup. We are not Anthem customers, but, nonetheless, my wife's company notified everyone that if we engage providers who take Anthem insurance, we may have been caught up in the hack.
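The two arguments above can be put side by side in code. Fred's point is that whoever can fetch the keys can read the data; the comment's reply is that keeping the keys in a separate service, and logging every fetch, turns an 80-million-row exfiltration into something that should have tripped an alarm. What follows is an added illustration I wrote for this post, not code from Anthem, from Fred Trotter, or from any THCB commenter. It assumes an in-process KeyService standing in for a real key-management system (an HSM or cloud KMS in practice), a per-record data-encryption key wrapped under a key-encryption key the database never sees, and a constructed alert threshold and constructed principal names ("claims-app", "export-job"); none of those values come from the Anthem case. AES-GCM is used so that the same mechanism also gives the tamper detection 45 CFR 164.312(c) asks for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for a key-management system kept apart from the
// application database (assumption: a real deployment would use an HSM or
// cloud KMS). It holds the key-encryption key (KEK) and records every unwrap.
type KeyService struct {
	kek       []byte
	threshold int            // alert once a principal exceeds this many unwraps
	perCaller map[string]int // unwrap count per principal
	fetchLog  []string       // audit trail: principal of each unwrap, in order
	alerts    []string
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe key; fail loudly
	}
	return b
}

func NewKeyService(threshold int) *KeyService {
	return &KeyService{kek: randBytes(32), threshold: threshold, perCaller: map[string]int{}}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealBytes encrypts with AES-256-GCM and prefixes the random nonce. The GCM
// tag is the integrity check 164.312(c) calls for: any tampering fails on open.
func sealBytes(key, plaintext []byte) []byte {
	aead := gcmFor(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func openBytes(key, blob []byte) ([]byte, error) {
	aead := gcmFor(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// UnwrapDEK is the only path to a plaintext data-encryption key. Every call is
// logged and counted per principal; a bulk run of fetches raises an alert
// rather than silently succeeding (the "80 million fetches" point above).
func (ks *KeyService) UnwrapDEK(principal string, wrapped []byte) ([]byte, error) {
	ks.fetchLog = append(ks.fetchLog, principal)
	ks.perCaller[principal]++
	if ks.perCaller[principal] == ks.threshold+1 {
		ks.alerts = append(ks.alerts, fmt.Sprintf("%q exceeded %d key fetches", principal, ks.threshold))
	}
	return openBytes(ks.kek, wrapped)
}

func (ks *KeyService) Alerts() []string { return ks.alerts }
func (ks *KeyService) FetchCount() int  { return len(ks.fetchLog) }

// Record is what the database row holds: ciphertext plus its DEK wrapped under
// the KEK. A stolen copy of the table alone, without the key service, is unreadable.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func EncryptRecord(ks *KeyService, plaintext []byte) Record {
	dek := randBytes(32) // fresh key per record, so one key never unlocks the whole table
	return Record{WrappedDEK: sealBytes(ks.kek, dek), Ciphertext: sealBytes(dek, plaintext)}
}

// DecryptRecord is what an application (or an attacker with "programmer access")
// must go through; the unwrap is what the audit log and the threshold see.
func DecryptRecord(ks *KeyService, principal string, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(principal, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openBytes(dek, r.Ciphertext)
}
```

Usage: NewKeyService(3) then EncryptRecord for each row; a single DecryptRecord by "claims-app" reads back the plaintext, while four DecryptRecord calls by "export-job" produce exactly one entry in Alerts(). Two things the paragraph alone does not show: a copy of the Record with the wrong key fails to open, and flipping one byte of Ciphertext fails the GCM tag check, so the "corrupted encrypted data" Fred worries about is at least detected rather than silently returned. The design does not refute his point, though: anyone who can call UnwrapDEK as a trusted principal still gets plaintext, which is why the fetch log and threshold matter as much as the cipher.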



More to come...