Tag Archives: ONC

Health IT Update – 3/24/2010

1. Networking Event with Jonathan Bush – April 1, 6-8pm @ HBS, Williams Room – RSVP Required

2. Massachusetts Governor’s National HIT Conference – Health IT: Saving Lives, Reducing Costs & Creating Jobs – April 29-30 (http://mahealthdata.org/Events?eventId=131818&EventViewMode=EventDetails)

3. ONC Releases White Paper on Consumer Consent Options for Electronic Health Information Exchange


1. Networking Event with Jonathan Bush – April 1, 6-8pm @ HBS, Williams Room – RSVP Required

RSVP Required: hit.networking.2010@gmail.com (Include name and organization). Space is limited so reserve your spot quickly!

PHAT and the Health Underground, Boston’s new multi-disciplinary forum for graduate students interested in health IT, invite you to an evening of conversation and networking with Jonathan Bush, CEO of AthenaHealth, on April 1 at the Harvard Business School. Mr. Bush will be sharing the AthenaHealth story and his vision for the future of health IT. Light snacks and drinks provided.

Thursday, April 1, 6-8pm, Williams Room, Harvard Business School

Jonathan Bush, CEO, President and Chairman, AthenaHealth – Jonathan Bush is athenahealth’s Chief Executive Officer, President and Chairman. Mr. Bush co-founded athenahealth in 1997. Prior to joining athenahealth, Mr. Bush served as an EMT for the City of New Orleans, was trained as a medic in the U.S. Army, and worked as a management consultant with Booz Allen & Hamilton. Mr. Bush obtained a Bachelor of Arts in the College of Social Studies from Wesleyan University and an M.B.A. from Harvard Business School.


2. Massachusetts Governor’s National HIT Conference – Health IT: Saving Lives, Reducing Costs & Creating Jobs – April 29-30 (http://mahealthdata.org/Events?eventId=131818&EventViewMode=EventDetails)

Registration for full-time students is only $150!

This is a one-of-a-kind event which will bring together state leaders such as:

  • Governors,
  • Secretaries of Health and Human Services,
  • Medicaid Commissioners,
  • HIT Coordinators, and
  • key state legislators

along with federal officials and the Massachusetts healthcare community to discuss how we can successfully implement health information technology and health information exchange.

You don’t want to miss the opportunity to hear the remarks from federal and state leaders and to meet and network with people from around the country that are addressing the challenges of HIT policy development and implementation. The program will be held at the Westin Waterfront Hotel, conveniently located near Logan Airport and downtown Boston.


3. ONC Releases White Paper on Consumer Consent Options for Electronic Health Information Exchange

The whitepaper examines issues regarding whether, to what extent, and how individuals should have the ability to exercise control over their health information in an electronic health information exchange environment.  It looks at existing approaches and details policy options, considerations, and analysis.  This whitepaper will serve as input to, and be reviewed by, the HIT Policy Committee’s Privacy and Security Workgroup as it prepares to make recommendations related to consumer consent in an electronic health information exchange environment.  The whitepaper is the first in a series of privacy and security reports developed by George Washington University under contract with ONC.

The whitepaper can be downloaded at http://healthit.hhs.gov/portal/server.pt?open=512&objID=1147&parentname=CommunityPage&parentid=32&mode=2&in_hi_userid=11113&cached=true


Meaningful Use Privacy & Security Concerns

The Privacy and Security requirements of the recently released Meaningful Use NPRM and Certification IFR have received a lot of attention due to their lack of definition. I joined in on the Jan 22 ONC Privacy & Security Workgroup meeting to discuss which topics the workgroup will comment on and send to the HIT Policy Committee. The topics included risk assessments, the phrase “implement security updates as necessary”, HIPAA investigations, privacy and data transparency, and “consumer preference”.

  • Risk assessments – There is still a lot of concern about the lack of clarity surrounding risk assessments. The ONC will need to ensure that education on risk assessments is available, especially targeted at small providers. Most organizations currently think they are HIPAA compliant, but few would feel comfortable if the government performed a HIPAA audit, because there is no guidance as to what the government would audit against. Guidance is needed on the “intended outcomes” of the MU Security objective, and greater transparency, such as Audit Program Compliance Guidelines, is needed on the audit process that will be used. It is unlikely that any guidance will be available by the time the final rulings are released. Large organizations commonly perform internal or 3rd party security/privacy audits, but this is rare (and not feasible) among smaller providers. Many of the comments related to this topic will not change the objective itself, only how the ONC responds to the need for additional information.
  • “Implement security updates as necessary” – The term “updates” is both a technology term (i.e. software update) and a business process term (i.e. modify password policy), and its intended meaning (whether one or the other or both) should be clearly stated. Time requirements were discussed, such as requiring that software security patches be applied within 90 days of release, but this was thrown out due to the complications of implementing updates, especially in enterprise settings.
  • HIPAA Investigations – ~5k HIPAA investigations are currently underway. Unclear if these are ~5k different hospitals, individual doctors, multiple investigations per entity, etc. Unclear if an open investigation will prevent an eligible professional or hospital from receiving incentive payments. The “expected” length and cost of investigations will be important to allow providers to make informed decisions. Unclear which HIPAA investigation types are relevant to MU.
  • Privacy and Data Transparency – No objectives or measures for privacy and data transparency are present in Stage 1. The Committee wants to propose these for Stage 2. “Accounting of disclosures” is included in Stage 1 and is already required by HIPAA. The connection between the security/certification piece and the MU/privacy piece is weak. For example, the capability to prevent many breaches is a part of certified EHR, but there are no objectives or measures to guide providers in the use of these certification criteria.
  • “Consumer-preference” – Also referred to as “patient-choice” requirements, consent management, or access control. There was some disagreement as to what the proper language was to discuss patient preference. Dixie Baker, who is also involved in the Security Standards Workgroup, posted a presentation (available on the ONC website) to address Access Control and its relation to privacy. There are no IFR criteria for access control to help entities manage the patient consent requirement with which they must comply. This discussion was cut short due to time and will probably be completed in private conversation.

Refer to my previous post to join in on future workgroup meetings: https://singularityblog.wordpress.com/2010/01/11/upcoming-hit-policy-standards-committees-workgroup-meetings/

CCHIT Announces MU Stage 1 Certification Program

Today, the Certification Commission for Health Information Technology (CCHIT) announces its Certification Program for Meaningful Use Stage 1, the first of 3 stages of the CMS/ONC health IT incentive program. The press release is available here: http://www.cchit.org/media/news/2010/01/commission-updates-certification-programs-new-hhs-rules.

CCHIT released 3 gap analyses for Eligible Providers, Hospitals, and Security to help those that were previously CCHIT Certified come into compliance with MU Stage 1. The gap analyses and certification program details are available here: http://www.cchit.org/get_certified.

CCHIT is hosting a public “Town Call” on January 27 at 3PM CT to discuss the gap analyses and ARRA Preliminary Certification programs. For details about connecting to this call, go here: http://www.cchit.org/about/towncalls/hhs-ifr-hit-gap-analysis.

Upcoming HIT Policy & Standards Committees Workgroup Meetings

Thanks to Obama’s transparency policies, most of the ONC committee meetings are open to participation from the public. The links to the right of each workgroup provide audio (listening only) and video. Call 1-877-705-2976 for voice only and the opportunity to talk.

Meaningful Use Interim Final Rule

This morning, the Office of the National Coordinator for Health IT released the Interim Final Rule on the Meaningful Use definition. How this document can be both “interim” and “final” is beyond me, but that’s the language being used right now. There will be a 60-day comment period followed by revisions before the final report is published. The Meaningful Use criteria dictate how providers must modify their electronic medical record systems by 2011 in order to receive additional reimbursement through Medicare/Medicaid.

The full report is available at the federal register here: http://www.federalregister.gov/OFRUpload/OFRData/2009-31216_PI.pdf

HIT/Privacy Timeline from Stimulus Bill

From Dr. John Halamka, CIO of CareGroup Health System in Boston, MA (original post here: The Timeline for ARRA Privacy Provisions), a bookmarked PDF-version of the American Recovery & Reinvestment Act that highlights sections relevant to HIT & privacy: http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf

The rough timeline is below:

Upon enactment (February 16, 2009)

  • Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410)
  • Enforcement by State Attorneys General for offenses occurring post enactment (Section 13410e)

Within 45 days of enactment (April 3, 2009)

  • Appointment of HIT Policy Committee members (Section 3002b)

Within 60 days of enactment (April 18, 2009)

  • HHS Secretary will issue guidance on methodologies and technologies that render information unreadable (Section 13402)

Within 180 days of enactment (August 16, 2009)

  • HHS and the Federal Trade Commission will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA or Business Associate agreements (Section 13402, 13407)

By December 31, 2009

  • HHS must adopt through rulemaking the initial prioritized set of standards which should include the accounting for disclosures (Section 3002b)

Due within one year post enactment (February 17, 2010)

  • The Secretary will appoint a Chief Privacy Officer (Section 3001)
  • The Office of Civil Rights and HHS will launch an education initiative to improve public transparency on the use of health information (Section 13403)
  • The Government Accountability Office will report on best practices for disclosures for treatment and use of electronic informed consent (Section 13424)
  • HHS will report on and provide guidance on de-identification (Section 13424c)
  • Covered entities must enter into Business Associate Agreements with PHRs, HIEs, and other services that handle protected health information (Section 13405e)
  • HHS will issue rules on opting out of fundraising solicitations (Section 13406)
  • HHS will report on guidance on the effective technical safeguards for carrying out the HIPAA security rule (Section 13401c)
  • HHS and the Federal Trade Commission will report on privacy and security requirements for PHR vendors and applications

One year post enactment (February 17, 2010)

  • HHS and the Office of Civil Rights clarify application of criminal penalties for non-covered entities (Section 13409)
  • HHS to issue rules on which entities are required to be business associates (Section 13401)
  • Right to restrict disclosures to health plans for services paid for out of pocket (Section 13405a)
  • HHS Secretary required to conduct periodic audits of entities covered by HIPAA (Section 13411)
  • Right of electronic access of records by patients takes effect (Section 13405e)

Within 18 months of enactment (August 17, 2010)

  • HHS guidance on minimum necessary data (Section 13405c)
  • Regulations regarding sale of data prohibition which take effect 6 months post promulgation (Section 13405a)

By 2011

  • Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

24 months post enactment (February 17, 2011)

  • Clarification of ability to pursue civil penalties when criminal penalties are not pursued (Section 13405)

By 2012

  • Regulations for methodology for distributing penalties or settlement money to harmed individuals (Section 13410)

By 2013

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

By 2014

  • GAO will report on the impact of ARRA (Section 13424)
  • Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

By 2016

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

What is an EHR?

There is actually a lot of discussion still taking place about what an electronic health record (EHR) actually is. Earlier this decade, a survey taken at a convention of EHR vendors and hospitals estimated EHR adoption at 60%. This information was used by the Bush administration in 2004 to justify formation of the Office of the National Coordinator for Health IT (ONC) and to set the goal of 90% of Americans having electronic health records by 2014. One decade seemed reasonable given the 60% adoption rate. We now know that the adoption rate among hospitals is closer to 10%, with 10-25% currently in planning or implementation stages.

Part of the problem is in the definition. The survey simply asked if care providers had electronic records. But that could mean patient information, a billing and claims system, electronic order entry, or any number of things. The Institute of Medicine released a report in 2003, Key Capabilities of an Electronic Health Record System, that attempted to solve this, and identified the following core functionalities of EHR:

  1. Health information and data
  2. Results management
  3. Order entry/order management
  4. Decision support
  5. Electronic communication and connectivity
  6. Patient support
  7. Administrative processes
  8. Reporting and population health management

The 4 in bold might be considered the bare minimum. Administrative processes are certainly important to the operations of a hospital, but these are historically separate systems focused on billing and insurance claims. Oddly enough, evidence has shown that providers that initially adopt electronic billing systems are no more likely to adopt EHR than those without it. Treating electronic billing as a first step, then, doesn’t work.