Health IT Law Blog

EHR vendor loses ONC certification for two of its records systems

Steve Fox and Vadim Schick — Fri, 26 Apr 2013 10:03:20 -0500

This week health care organizations were startled and not a little concerned to learn of the ONC's unprecedented action with regards to a California health software company. The agency is decertifying electronic health records systems which initially met ONC requirements for certification.

Via Modern Healthcare:

For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they're already using.

Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.

EHRMagic, of Santa Fe Springs, Calif., had two of its records systems shot down by the government: EHRMagic-Ambulatory and EHRMagic-Inpatient. Two people familiar with the company interviewed for this story said they were not surprised by the development, since the firm didn't seem able to live up to its promises on the sales side of the operation several years ago.

Calls and e-mails to EHRMagic on Thursday were not returned. Records with the California secretary of state list the 4-year-old company's corporate status as “suspended.”

ONC spokesman Peter Ashkenaz said no healthcare provider has “attested” to using the system, which means that no one had tried to receive federal funding to pay for installation of an EHRMagic system. Since 2011, more than 234,000 organizations and individuals have received a total of $12.7 billion in EHR incentives to install one of the 1,700 systems eligible for payments.

But a blog post Thursday from Carol Bean, director of the certification office at the ONC, makes clear that the office will continue aggressive monitoring for other EHR systems that don't meet the federal requirements. That includes proactive investigations and surveillance by the office, as well as inquiries that stem from tips from the public about shoddy systems.

“We want to be clear,” the blog post says, “the office of certification's role doesn't stop after EHR certification. We are also going to monitor certified EHRs to determine whether they continue to meet our requirements. The doctors, hospitals and other providers that are adopting—and have already adopted—EHRs deserve this and should feel confident that the tools they are using are up to the job of helping their patients get the best care possible.”

Ashkenaz declined to say what a healthcare provider should do if the system it is using ends up retroactively decertified for payments, as EHRMagic's systems were.

Richard Gant, CEO of physician-supply seller Innovative Healthcare Systems in Royal Palm Beach, Fla., said the EHRMagic situation pointed to another major concern about decertification. EHRMagic sells what is known as a “cloud-based” system, meaning that patient information is stored off-site and not physically in a provider's office.

“The biggest issue is, all of your information is on their servers,” he said. “And if they disappear, that information could go away.”

Several years ago, Gant's firm attempted to sell EHRMagic's systems through a sales model that would have allowed it to be installed for free in exchange for eventual federal subsidies. But he said Innovative Healthcare Systems severed its relationship with the EHRMagic after several initial attempts to install it failed, and sales payments were not forthcoming.

“When they weren't paying for anything and they weren't supporting clients of ours, we said goodbye,” Gant said. “I'm surprised they were even around to even be decertified.”

By Joe Carlson

“ONC revokes firm's EHR certifications,” Modern Healthcare (April 25, 2013)

IT staffing shortage a chronic issue for health industry

Steve Fox and Vadim Schick — Mon, 15 Apr 2013 10:09:07 -0500

The healthcare industry continues to face a greater deficit than ever in terms of qualified professionals to fill its ever-expanding information technology staffing needs.

Via Modern Healthcare:

Many U.S. healthcare companies – about 67% -- report that they’re struggling to attract experienced information technology workers, according to a survey.

That’s compared with 10% that said they have problems attracting all workers, according to the "Towers Watson 2013 Healthcare IT Survey" (PDF). Meanwhile, 38% of healthcare companies reported problems with retaining experienced IT workers, compared with 8% reporting problems retaining all types of workers.

The problems may stem from misconceptions about what attracts employees to a healthcare workplace.

What’s clear is that employees are focused on the practical, while employers are focused on the developmental,” said Laurie Bienstock, North American rewards leader at Towers Watson, in a news release. “The good news is that the vast majority of employers are taking steps to close the talent gap, and seek more balance in their employee value proposition and rewards program.”

Employers said that offering ”challenging work” was a top factor that attracted workers, while workers attached more value to the employer’s reputation. Workers also see base salary as a bigger factor than how employers view pay. The survey included answers from more than 100 healthcare providers given earlier this year.

“But focusing on money is only part of the solution,” said Heidi Toppel, a senior rewards consultant in Towers Watson’s hospital industry group, in the release. “Presenting career and growth opportunities remains important as well, and savvy employers will create as comprehensive a program as possible. Our data confirm that IT recruiting in the healthcare industry is a matter of striking the right balance between the practical needs of workers today and the longer-term goal of helping an industry transform itself for a different future.”

Employers are having success with increasing base pay rates, offering retention bonuses while giving workers more educational and training opportunities.

By Ashok Selvam

“Healthcare firms struggle with IT staffing: survey,” Modern Healthcare (April 12, 2013)

Health care digitization enriches software industry

Steve Fox and Vadim Schick — Thu, 21 Feb 2013 11:43:05 -0500

The health IT industry's pitch to Congress, and to the public, was that health care would be transformed through digitization, and that the shift to electronic records would result in huge health care savings. Four years after the passage of ARRA and the HITECH Act, which included $19 billion in EHR incentives, it remains to be seen whether the federal government and the American public will see such benefits as reduced costs and improved levels of health care. Meanwhile, the software industry appears to be the big winner.

For more, see the New York Times article by clicking here: "A Digital Shift on Health Data Swells Profits in an Industry".

Health IT Law Blog Named to a List of Top Health Care Organizations

Steve Fox and Vadim Schick — Wed, 20 Feb 2013 14:00:42 -0500

Our blog is proud to be featured in the Top 100 Health Care Organizations to Watch in 2013. The designation was published by MHAPrograms.org, a website that highlights the most prominent organizations and information resources across health care and health care administration. In addition to highlighting the blog’s authors, MHAPrograms.org specifically noted the diverse topics covered by the Health IT Law blog, including features on ARRA, HIPAA, HITECH Act and the related regulations, as well as privacy and security issues more broadly.

The complete article and list can be found here.

Mostashari urges HIT vendors to conduct themselves ethically

Steve Fox and Vadim Schick — Fri, 15 Feb 2013 20:06:35 -0500

Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith. At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations. He warned that he will impose more regulations if necessary.

See Healthcare IT News article at "Mostashari calls on vendors to play fair".

Family doctor EHR use up although use varies by location

Steve Fox and Vadim Schick — Wed, 06 Feb 2013 17:55:04 -0500

The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.

Via Modern Healthcare:

The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.

Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.

In the NAMCS, adoption among family physicians grew to 66.4% in 2011 from 24.8% in 2005. Among physicians undergoing the ABFM's maintenance of certification, adoption increased to 67.8% in 2011 from 28% in 2005.

The study notes “how federal efforts to increase adoption of EHRs have accelerated in recent years.” It adds that the federal government's “triple aim” goals to improve population health and healthcare delivery while lowering costs “will require data sharing and exchange that transects all aspects of healthcare delivery and depend in part on widespread adoption of EHRs, particularly by office-based physicians.”

But geographic variations were identified in both data sets. Utah, at 94.9%, had the highest rate of adoption among family physicians seeking maintenance of board certification; while North Dakota had the lowest rate of adoption, 47.1%. For family physicians in the national ambulatory survey, Hawaii had the highest rate of adoption, 87.6%. North Carolina family physicians had the lowest, 44%.

The researchers wrote that there was “strong regional clustering for adoption.” They speculated that states' commitment varied in their support for health IT funding mechanisms to promote EHR adoption, prescription drug tracking and quality data reporting. Other reasons that could explain the variation included differences in market penetration of health maintenance organizations and the presence of large integrated healthcare organizations.

By Andis Robeznieks

“EHR use up among family doctors, but varies by area,” Modern Healthcare (February 5, 2013)

Breaking: HHS releases final rule on HITECH Act provisions

Steve Fox and Vadim Schick — Thu, 17 Jan 2013 16:33:49 -0500

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

HIPAA Transaction Rules Compliance Enforcement Delayed Until April 2013

Steve Fox and Vadim Schick — Tue, 15 Jan 2013 17:23:54 -0500

The Centers for Medicare & Medicaid Services will postpone the start of HIPAA Transaction Rules compliance enforcement for 90 days, according to a recent announcement.

See CMS press release here. Via CMS website:

Today, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that to reduce the potential of significant disruption to the health care industry, it will not initiate enforcement action until March 31, 2013, with respect to HIPAA covered entities (including health plans, health care providers, and clearinghouses, as applicable) that are not in compliance with the operating rules adopted for the following transactions as required by the Affordable Care Act: eligibility for a health plan and health care claim status. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for using the operating rules remains January 1, 2013.

Industry feedback suggests that HIPAA covered entities have not reached a threshold whereby a majority of covered entities would be able to be in compliance with the operating rules by January 1, 2013. This enforcement discretion period does not prevent applicable HIPAA covered entities that are prepared to conduct transactions using the adopted operating rules from doing so, and all applicable covered entities are encouraged to determine their readiness to use the operating rules as of January 1, 2013 and expeditiously become compliant. Although enforcement action will not be taken, OESS will accept complaints associated with compliance with the operating rules beginning January 1, 2013. If requested by OESS, covered entities that are the subject of complaints (known as "filed-against entities") must produce evidence of either compliance or a good faith effort to become compliant with the operating rules during the 90-day period. HHS will continue to work to align the requirements under Section 1104 of the Affordable Care Act to optimize industry’s ability to achieve timely compliance.

OESS is the U.S. Department of Health and Human Services’ (HHS) component that enforces compliance with HIPAA transaction and code set standards, including operating rules, identifiers and other standards required under HIPAA by the Affordable Care Act.

For copies of the operating rules for the eligibility for a health plan and health care claim status transactions, visit the Council for Affordable Quality Healthcare (CAQH) CORE website at http://www.caqh.org. Links to information on the operating rules for eligibility for a health plan and health care claim status are available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/OperatingRulesforEligibilityandClaimsStatus.html

Settlement of first small scale HIPAA breach announced by HHS

Steve Fox and Vadim Schick — Thu, 03 Jan 2013 15:36:54 -0500

In a sign that HHS is serious about small data breaches, the Office of Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards - including, e.g., encryption of protected health information on mobile devices - required under HIPAA, as amended pursuant to the HITECH Act.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

“HHS announces first HIPAA breach settlement involving less than 500 patients:
Hospice of North Idaho settles HIPAA security case for $50,000,” HHS Press Release (January 2, 2013)

HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud

Steve Fox and Vadim Schick — Thu, 29 Nov 2012 15:47:53 -0500

The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.” The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost 28,000 recipients. The Inspector General’s office concluded that Medicare needs to improve its review process.

Link to report here.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS' inspector general's office.

The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, "Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program" (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general's office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general's office also is conducting "a series of audits of Medicare and Medicaid EHR incentive payments" to "verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts. No time frame for those audits was included in the report.

The inspector general's review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said.

The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, "The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked 'yes,' " according to the report. However, the report continued, the CMS "does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology."

One "obstacle" the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.

The inspector general's office notes that although the CMS is not required to perform prepayment verification, "doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments" the program is expected to shell out over its lifetime, which runs through 2016.

Regarding post-payment oversight, the inspector general noted that, so far, the CMS "has not yet completed any post-payment audits." But the CMS has said it plans to use EHR-generated reports "to verify the accuracy of self-reported information where possible" and obtain supporting documents in instances where the reports don't cover the audit subject matter—and this is where the ONC comes in for criticism.

The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.

The CMS "cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures," the inspector general's report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.

"EHR reports also do not contain information necessary for CMS to verify all percentage-based measures," the inspector general's report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.

The inspector general's office recommended that the CMS beef up its prepayment assessment program, including by focusing on "high-risk" professionals and hospitals, asking them to "submit supporting documentation for prepayment review."

It also recommended that ONC "improve the certification process" to ensure that certification bodies "comprehensively test EHR reports for accuracy as part of the certification process" as well as not rely on "vendor-supplied data" during the testing phase.

The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general's office recommendation to issue a guidance on proper provider documentation required for the program.

In a similar letter to the inspector general's office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general's office's recommendation of testing a "yes/no" reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations "on the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports."

Mostashari also said the ONC has “already taken steps” to address a separate inspector general's recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.

Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC's certification process "did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products." Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.

In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS' Stage 2 meaningful-use rules—contain "more rigorous testing requirements" that became effective Oct. 4, 2012. He said the ONC "will continue to migrate away from the exclusive use of vendor-supplied data."

In a telephone interview, Mostashari said the GE report-writing problem was "old news." Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, "It's really a CMS question."

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare (November 29, 2012)

3.8 million record breach in South Carolina: lessons learned

Steve Fox and Vadim Schick — Wed, 21 Nov 2012 16:36:02 -0500

Hackers recently infiltrated South Carolina's state tax records, absconding with the largest haul to date of Social Security numbers, credit and debit card numbers from a state agency. State officials describe how the theft was worked, and list enhanced security measures that could have prevented the attack.

See New York Times article at "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere".

EHR access lost during Hurricane Sandy

Steve Fox and Vadim Schick — Wed, 31 Oct 2012 12:49:08 -0500

Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure. Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately. Others, however, were negatively impacted, including some which lost access to their EHRs.

It is absolutely critical that health care providers, even in areas which are not prone to massive weather-related disruptions, consider and implement back up plans for their IT systems. The crisis at NYU Langone center in Manhattan demonstrated just how dependent we are on electronic systems and power supply. It is imperative that the IT staff at each healthcare provider organization knows that its important software systems including EHRs are backed up, and that the organization's data - including patient data - is readily available, and is never lost due to a storm or an earthquake.

Via Modern Healthcare:

Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.

The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.

One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning.

In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.

Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.

Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.

North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.

Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.

Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

Computer viruses on hospital medical devices: a growing concern; possible solutions

Steve Fox and Vadim Schick — Mon, 22 Oct 2012 17:20:46 -0500

Medical device security experts report increasing issues with computer viruses on hospital medical devices. Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems. The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.

See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".

Public-private group, eHealth Exchange, to oversee development of health info network

Steve Fox and Vadim Schick — Wed, 17 Oct 2012 14:13:43 -0500

The HHS Office of the National Coordinator for Health Information Technology is passing management of the Nationwide Health Information Network to a coalition of public and private health care organizations.

Via Modern Healthcare:

Following last month's announcement that "now is not the time" for formal regulation of a proposed network of health information exchanges, HHS' Office of the National Coordinator for Health Information Technology said it is transitioning control of that network—known as the Nationwide Health Information Network—to a public-private partnership known as the eHealth Exchange.

According to an e-mailed news release, eHealth Exchange "represents ONC's commitment to support health information exchange innovation in the private sector." The partnership's operations will be supported by Healtheway (PDF), a Richmond, Va.-based not-for-profit organization also founded as a public-private partnership.

These operations include conformance and interoperability testing, on-boarding of new participants in eHealth Exchange, and maintenance of operating policies and procedures, the service registry and digital certificates, according to the release.

In addition, the Chicago-based Certification Commission for Health Information Technology will participate in the effort's compliance testing and will certify that interfaces between exchanges are "consistent across multiple states and systems," according to a CCHIT news release.

More details will be announced at the New York eHealth Collaborative's Digital Health Conference, scheduled for Oct. 15-16 in New York, the release stated.

By Andis Robeznieks

“ONC moves control of health info network to public-private group,” Modern Healthcare (October 11, 2012)

Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for "understandability"

Steve Fox and Vadim Schick — Wed, 10 Oct 2012 17:25:56 -0500

Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people. HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.

Via Modern Healthcare:

HHS' Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.

The agency's Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.

The agency's notice stated that health education materials delivered by EHRs “are rarely written in a way that is understandable and actionable for patients with basic or below basic health literacy,” which includes about 77 million people. “Persons with limited health literacy face numerous healthcare challenges,” according to the AHRQ notice. “They often have a poor understanding of basic medical vocabulary and healthcare concepts.”

Agency officials expect the rating system to address that challenge by giving clinicians a method to determine the quality of the data their systems provide or that such resources are even available.

A draft version of the rating system was applied by researchers at AHRQ to sample education materials on asthma and colonoscopy and indicated some of the material had “low understandability or low actionability.” The agency plans to next use consumer panels to test the accuracy of the rating system.

Other related health literature activities planned by AHRQ includes creating a library of patient health education materials, a review of EHR's patient education capabilities and education of EHR vendors and users.

By Rich Daly

“AHRQ developing consumer info rating system,” Modern Healthcare (October 8, 2012)

Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits

Steve Fox and Vadim Schick — Fri, 05 Oct 2012 14:25:39 -0500

According to Annals of Internal Medicine, a new study found no disadvantages to health care providers sharing EHR notes with patients.

Via Kaiser Health News:

Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.

When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.

A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed. And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Steve Fox and Vadim Schick — Mon, 01 Oct 2012 13:39:27 -0500

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident. It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives. The MEEI data breach, on the other hand, involved only 3,621 patient records.

Regardless of OCR's exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.

The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information.

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

Tagging technique keeps more sensitive portions of an EHR more private

Steve Fox and Vadim Schick — Mon, 24 Sep 2012 16:15:32 -0500

State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records. A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.

Via Modern Healthcare:

Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.

Development of the electronic patient-consent management system came in response to the VA's and SAMHSA's own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

“Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare (September 22, 2012)

ONC: no caps on per-provider EHR incentive payments

Steve Fox and Vadim Schick — Fri, 14 Sep 2012 13:51:00 -0500

National Coordinator for Health IT Farzad Mostashari has announced there is no cap on how much individual providers may receive in meaningful use incentive payouts, as long as they meet the requirements for the EHR incentive payments program. According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.

Via Healthcare IT News:

WASHINGTON – There are no set appropriations for how much the federal government can spend on rewarding providers who adopt and use electronic health records under the Medicare and Medicaid meaningful use EHR incentive program, according to National Coordinator for Health IT Farzad Mostashari, MD.

"Whoever qualifies, gets paid; there's no hard cap," said Mostashari, who gave a keynote at the Annual Policy Summit for the Health Information Management and Systems Society (HIMSS) on Wednesday.

Mostashari said the federal government estimates it will pay out around $20 billion in incentives before the program shifts to a penalty in 2015, but there is no fixed budget set in the HITECH Act that mandated the program. The government recently announced it has paid out nearly $7 billion since the program began in 2011.

[See also: "Government EHR incentives near $7B."]

The federal health IT czar said he couldn't imagine health IT advancement – which enjoys widespread bipartisan support – losing the backing of Congress after the election, no matter the party in control.

It would be hard to picture Congress cutting or capping the program after doctors and hospitals have made major investments in health IT "on the good word of Congress," he said.

An attendee of the HIMSS Policy Summit – a sort of pep rally for HIMSS members to promote HIT on the Hill – recommended that Congress all be encouraged to use Blue Button to access their personal health data. This would "crystallize quite clearly" where things stand with regard to health IT today. We need more time and support, the attendee said, and Mostashari and other attendees agreed.

Mostashari praised the meaningful use incentive program, noting that "we've made great steps." He predicted that Stage 2, set to begin in 2014, will bring about even more "incredible progress."

The use of electronic health records is "ultimately about population health," Mostashari said. "You have to care more about the people who didn't walk into your door, than those who did." The meaningful use program is intended to go from measuring quality at the start, to accounting for population health. "That's why doctors are doing what they're doing, [and] that's why we're doing what we're doing," he said of federal regulators.

At a visit to the Cleveland Clinic recently, Mostashari said he observed health data exchanged between the clinic and other local facilities, using compatible coding that transferred the data easily. "They do it all day, every day," he said. "So don't tell us that exchange isn't happening."

[See also: "Stage 2 MU released at last."]

Two years ago, the industry wasn't there, he said of health information exchange. The patient information wasn't packaged and ready to code medications and lab reports in the same record. But things have changed, Mostashari added. He praised the industry and the marketplace for pushing it forward.

The industry came together with a consensus and pilots and working groups, which resulted in the meaningful use Stage 2 rule, Mostashari said. "We're light years ahead of where we could possibly have been in Stage 1," he added, noting that he believes meaningful use Stage 2 will necessitate a push from the industry for health information exchange standards.

It will be important in the near future to tap into "the biggest underused resource – the patient," Mostashari said. Providers will have to "be sticky," and attract patients to their services because patients will no longer be limited to the provider that holds their health information.

Said Mostashari, speaking to doctors as a doctor: "We have to make them want to come to us."

By Diana Manos, Senior Editor

“Mostashari: No cap on EHR incentive payouts,” Healthcare IT News (September 13, 2012)

Cybersecurity risk management by boards and senior executives: 12 recommendations

Steve Fox and Vadim Schick — Wed, 29 Aug 2012 14:00:09 -0500

According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.” The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”.

The study's report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can "significantly improve their organizations’ security posture and reduce risk":

Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.

Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.

Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.

Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.

Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.

Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.

Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.

Require regular reports from senior management on privacy and security risks.

Require annual board review of budgets for privacy and security risk management.

Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.

Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

“Boards Are Still Clueless About Cybersecurity,” Forbes (May 16, 2012).

"Governance of Enterprise Security: CyLab 2012 Report -- How Boards and Senior Executives Are Managing Cyber Risks" by Jody Westby, Carnegie Mellon CyLab (May 16, 2012)