HIT's buzzword "kool aide" could be dangerous to your health?

The Health Care Blog: JSK (national treasure) on data liquidity, and how it fits into Health 2.0. There are lots of "buzz words" now being thrown about in the healthcare space purporting to give solutions to "age old" information technology problems that other industries have struggled with for years, with some progress, and much pain, as a result of unintended consequences. HIT, although starting to open up to input from "outsiders," still appears to live mostly in its own isolated universe. So when you hear words/phrases like "data liquidity" and "substitutability" be sure that you do not "willy nilly" drink to much of this "kool aide."

For example, "substitutability" is a nice word and certainly monolithic EHR apps that want to "be everything to everybody" leave lots to be desired. The problem is that when you have too much interchange of moving parts then when something goes wrong (which it always does) then who owns the problem? This is where all the "finger pointing" starts between the vendors and the customer is always left holding the bag, usually having to "prove" to a particular vendor that the problem lies with them.

In addition, since nearly all "substitute vendors" will almost by definition be business associates, this expands the legal requirements placed upon the covered entity (CE). The more business associates (BA) the more BA contracts that are required, and with BAs now civilly and criminally liable under HITECH/HIPAA, CEs should expect these contractual negotiations to be significantly more than simply having BAs "signoff" on boilerplate agreements. 

The devil will be in striking the appropriate balance between the "number of cooks" in the software kitchen and the additional complexity that results because of it. There are simply no easy answers to health care's wicked problem.

If you would like more information regarding this changing landscape, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.

HITECH/HIPAA: Haven't Heard of HL7 Yet?

HL7 Version 2.5 Approved as International Standard | News | Healthcare Informatics.Well if you haven't heard of this standards setting organization yet, you will soon. They are working on the standards which provide the "glue" for the NHIN to work.

In other words, if we want "interoperability" between EHRs (which we do otherwise what is the point?) then all of these products will have to talk the same language. That language is likely to be the HL7 XML messaging standards. Evidently, the ISO has just blessed HL7 2.5 as an international standard:

Ann Arbor, Michigan, USA – September 21, 2009 – Health Level Seven® (HL7®), the global authority for interoperability and standards in healthcare information technology with members in 57 countries, today announced its Version 2.5 messaging standard has been approved as an international standard by the International Organization for Standardization (ISO).

HL7 Version 2.5 allows interoperability between electronic health record systems, practice management systems, laboratory IT systems, dietary, pharmacy and billing systems. It serves as a vehicle for disparate healthcare IT systems, applications and data architectures operating in diverse-system environments to communicate with each other. It is designed to support a central patient care system, as well as a more distributed environment where data resides in departmental systems.

This is a much bigger deal than most in the healthcare industry are aware of. The pieces of this puzzle are coming together and they have nothing to do with "healthcare reform" and everything to do with the HITECH Act that was signed into law in February 2009. It is already a done deal. All this brouhaha over healthcare reform, while important in its own right, does not change the HITECH Act in the slightest.

In order for HL7 to function as the "lingua franca" of EHR communications then it will have to support the privacy and security standards mandated by HITECH (e.g. encryption as recently addressed in HHS' Interim Final Rule on Breach Notification). There is a freight train coming and headed directly toward the healthcare industry, and nothing is in its it way to slow it down. It's a trojan horse that is already inside the city walls.

If you would like more information regarding this changing landscape, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.

HITECH / HIPAA Compliance Frameworks?

This podcast that we did in collaboration with the World Heath Care Congress covers, among other things, a number of organizational frameworks required to effectively cope with your EHR/HITECH/HIPPA implementation initiatives. Notice that we are using the plural form of initiative. There is simply no way that one monolithic project will ever be successful. In fact, that is the most likely recipe for failure (see the September Issue of HITECH/HIPAA Compliance Newsletter for reasons why the healthcare industry must adopt agile methodologies).

The authors of the HIPAA Survival Guide will be presenting at the World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management for Providers.The title of our presentation is: "Meaningful Use Under HITECH: Why HIPAA is No Longer a Paper Tiger."

Click on the images below to view a larger version

Health 2.0 is coming to a theatre near you?

This is an article that Esther Dyson wrote a couple of years ago (September 2007) after attending a Health 2.0 conference. A lot has changed since then, but many things will take time (lots), innovation (good 'ole American ingenuity), and a significant amount of hard work by smart and dedicated people, before we can claim anything like progress. Here's the money quote from the article:

In the same way, the companies here are empowering consumers (or patients) giving them the tools to talk to one another, to question their doctors, to monitor their own conditions... But they can't simply dissolve a hairball, as someone described the health care system earlier in the day. They need to take on the calcified mess at the bottom of the drain - or to be more anatomical about it, they are clearing the capillaries and buffing the nerve endings, but at the center of everything there's a calcified heart pumping blood/information/money in the wrong direction through a tangled mass of arteries that misdirects resources to tumors and useless vestigial organs.

The hairball is being dissolved as we speak. We will get health reform in the U.S. because some of our best and brightest are working on the problem, and they're not in it just for the money. These are people that want to see an improved healthcare system in the U.S,.because if we don't get one we are all going to die a death of a thousand cuts. At 16% of GDP, healthcare costs are out of control and U.S. healthcare quality lags, in general, the rest of the developed world. 

It is a matter of economic survival in a world economy wherein a sick America won't otherwise be able to compete. It is the right thing to do as well. It is a legacy that we owe our children and grandchildren. It is as basic as the First Amendment, the right to vote, and equal protection under the law. Our healthcare system, as it exists today, is un-American, a relic of days long past. It is time for people of good conscious, across the political spectrum, to stand up and be counted.

Electronic health records are a step in the right direction. Health 2.0 depends, to a large degree, in moving our healthcare system to the twenty first century. But that won't be enough, the industry is going to need lots of help if the vision is to be realized. Given those on the front lines some relief from absurdly priced malpractice insurance is also a must have requirement. We are collectively asking a lot of our providers, we should be prepared to give them something of significance in return.

Living in Internet Time: This is not your daddy's healthcare industry!

The soon to be Japanese PM learns an important lesson in globalization. Most politicians and corporate leaders bandy about the word globalization and pretend to understand what this word means in an age where the distance between any two points on the network is zero. The Levin Institute poses the following questions for readers to ponder regarding what globalization means:

What Is globalization? Is it the integration of economic, political, and cultural systems across the globe? Or is it Americanization and United States dominance of world affairs? Is globalization a force for economic growth, prosperity, and democratic freedom? Or is it a force for environmental devastation, exploitation of the developing world, and suppression of human rights?

While these questions attempt to get at what passes for conventional wisdom regarding globalization, they all miss the mark. In a world where news travels at the speed of light, you can (and should) expect anything said (or done) in public to be instantly available as front page news (i.e. depending on its relevancy at a particular point in time) everywhere and anywhere. This is a lesson recently learned by a Honduran diplomat, by Yukio Hatoyama, by George Allen, and by countless others.

In short, globalization is mostly about a new public communications grammar and transparency. It is still early in web years and many people that you might otherwise think should be sophisticated enough to "grok" this brave new world, don't.

What does the mean to the healthcare industry as it undergoes transformational reform and nothing short of an electronic revolution? Well, for one thing it should be a wake up call to healthcare executives that privacy and security breaches are likely to make national (and likely international) news. These issues pose radically different regulatory governance issues,and most of the "pain" will come from the ensuing public relations disaster and not from the potentially millions of dollars in fines for non-compliance.

This is not your daddy's healthcare industry! Living in Internet time means that we already left Kansas a couple of lifetimes ago. If you would like more information regarding this changing landscape, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.

HITECH/HIPAA and Medical Transcription Services

As an indicator of how pervasive the HITECH Act's Privacy Provisions (Subtitle D) are (i.e. regarding HIPAA compliance) there is an entire industry that it had not even occurred to us would be impacted in a significant way.

Providers of medical transcription services have long been recognized as HIPAA "business associates(BAs)," but since HIPAA was more or less a paper tiger, these businesses were free to do what most covered entities did, simply not treat the statute/regulations with a degree of seriousness (or in some cases, except for the bare minimum requirements, simply ignore the statute altogether).

The HITECH Act changes all that. BAs are now "on the hook" for both civil and criminal penalties with respect to non HIPAA compliance. Medical transcription businesses need to review their BA contracts with their clients and better understand their potential liability under the Act. This post by  Raj of the MT Herald provides an excellent foundational summary of what medical transcription businesses should be thinking about.

In short, the HITECH Act's scope is expansive and the extent of its reach is yet to be defined, but one thing is certain, the number of business associates potentially impacted is just starting to surface.

If you would like more information regarding EHR implementations, and related compliance issues, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.

HITECH / HIPAA: The Security Rule Dissected (Part 3)

Part 2 of the this series discussed the Administrative Safeguards of  the HIPAA Security Rule ("SR" or "Rule"). This post will review the SR's Technical Safeguards ("TS").This is where the real fun starts.

There is good news and bad news with respect to the TS. The good news is that many (but not all) of the requirements encompassed by the TS will be implemented using commercial-off-the-shelf (COTS) software and hardware. The bad news is that these requirements are highly technical and therefore a fair amount of time is required just to understand what it is you are being asked to do. If you are still reading this post then the other bad news is that you are likely the one that has been charged with making it happen. Read on, this post was written with you in mind.

One way to think about the difference between the TS and the AS is that the latter has to do with the "what" and the former with the "how." There is still an analytical process to go through when implementing the TS but in addition to that, you are actually "doing the stuff" required to ensure that ePHI is protected from a technical perspective. That said, do not be surprised if there appears to be some overlap between the AS and the TS, there a few bright lines mixed in with varying shades of gray.

An organization might be tempted (most will be tempted) to simply turn the SR implementation over to IT staff. The CIO may even feel like implementation of the SR can be turned over to a technical manager. Resist the temptation to do this. How the SR is implemented could make the difference between having to notify HHS, the media, and all individual patients impacted during a breach, or simply doing a "post mortem" as to why the breach occurred.

Remember that section 13402 of the HITECH Act only requires notification in the case of breach with respect to unsecured PHI. If the PHI has been secured as per recent HHS guidance (see HHS' Interim Final Rule on Breach Notification) then no notification is required because the information breached would be "unreadable, unusable or indecipherable."

HIPAA compliance is now a boardroom issue. Both strategic and tactical decisions must be made during the SR implementation cycle. I would not want to be the chief compliance officer (CPO) or general counsel that elected to take a simplistic approach and now has to explain to the CEO why the organization has a public relations disaster on its hands.

The Technical Safeguards

The approach taken to discuss the TS borrows heavily from the following NIST document: Implementing the HIPAA Security Rule, which demonstrates that "we're from the government and we're here to help" may not be such an oxymoron after all.  A number of government agencies are required to comply with HIPAA and NIST's objective in this document was to assist them in this process.

As mentioned in the September issue of the  HITECH/HIPAA Compliance Newsletter there are numerous high quality resources available on the Internet that should be leveraged. In many cases the wheel has already been invented, what is left to do is to put the pieces of the puzzle together in a manner that works for your organization.

There are five standards that make up the TS. They are contained in section 164.312. The standards are presented and then a link is provided where additional information information regarding the respective standard can be found. The objective here is to provide additional commentary and "visualization" without losing sight of the forest for the trees.

1. Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Read More...

2. Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Read More...

3. Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Read More...

4. Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Read More...

5. Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Read More...

If you would like to get a feel for the complexity and the level of rigor required to implement these standards then I would encourage all readers (i.e. especially if you happen to be a "CXO") to click "Read More..." on each individual standard.

Remember that the TS is just a subset of the SR, and not the largest one at that. In short, I just wanted to take another opportunity to highlight the point (as if I haven't beat this horse to death) that this is NOT the old HIPAA you have come to know and love. This is a brand new ball game with different umpires and different rules of engagement.

If you would like more information regarding EHR implementations, and related compliance issues, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.

Don't miss it! The World Health Care Congress Leadership Summit on HITECH & HIPAA Compliance

It's now official, Deborah and I will be presenting at The World Health Care Leadership Summit on HITECH & HIPAA Compliance Management, November 9th in Alexandria, VA. You can view the Summit Agenda here.

If you haven't already, sign up for the FREE HITECH / HIPAA Newsletter to receive a discount code for the conference. Hope to see you there!

For information visit the HITECH/HIPAA Survival Guide where the full text of the HITECH Act and HIPAA Regulations is now available.

Our topic is Meaningful Use Under HITECH: Why HIPAA is No Longer a Paper Tiger, scheduled November 9, 2009 - 4:15 to 5:30 pm.

We will cover:

• The convergence between policy, law and technology: Breaking down the silos and painting a holistic picture for adherence and compliance
• Starting with regulations, ending with practical guidance: How your compliance strategy and EHR strategy can (and should!) more forward together
• Moving ahead by working smarter: Methodologies and practical guidelines for best practices in compliance and HIT adoption under HITECH's meaningful use definition
• Determining organizational requirements for meaningful use and reporting requirements to CMS and other governing bodies for ensured compliance
• Technology assessment and business impact: How will EHR adoption impact business processes, workflow and healthcare professionals with respect to the delivery of care?

Click on the images below to see a larger version.

 

About the presenters:

Online Regulatory Compliance: New Sheriff in Town?

FTC Enforces US/EU SafeHarbor Program For First Time : Privacy Law Blog. This is yet one more indication that when it comes to online businesses complying with applicable law, and in particular complying with their own Terms of Use, its a whole new ball game. We have been writing about the regulatory freight train that is coming and it looks like this FTC enforcement action is a harbinger of similar actions to come.

It may have been (and it was) the wild, wild west on these "Internets" for the last 15 years but it looks like Wyatt Earp and the boys are "fixin" to try and clean it up. As an Internet Lawyer, there is almost not a day that goes by where I don't get contacted from a business or consumer that got scammed on the Internet. In many instances there is simply nothing that can be done about it because the cost of pursuing the action far outweighs the amount of the transaction.

This change in regulatory enforcement does correspond to a new party in power, but it is a much bigger issue than that. The truth is that, like the world financial system, the global communications infrastructure represented by the Internet is far too important to global business for the status quo to remain unchallenged.

The rule of law, and the order imposed because of it, is good for the global business community. The "industrialized world" (this term seems rather quaint now in the communications age) and powerful corporations all stand to benefit from additional regulation.

Simply put, big business will make more money in an orderly environment than in one that is chaotic. This change in regulatory enforcement will have a huge impact on the healthcare industry as it moves to electronic records. The HITECH Act transforms HIPAA from a paper tiger into an electronic beast.

This is not your daddy's healthcare industry any more. Most of the country is obsessed with the healthcare reform debate and have not snapped to the fact that the change in the regulatory regime is already law. It became law the moment President Obama signed ARRA in February 2009. The freight train is coming and there is nothing in its way.

If you would like more information regarding the changing regulatory landscape then sign up for our FREE HITECH/HIPAA Compliance Newsletter.

HIPAA Regs Full Text Now "Clickable!"

The HIPAA Survival Guide (HSG) online now has the full text of the HIPAA Regulations available in a "clickable" format. What does that mean? You can think of it as a point and click navigation for the regulations in a Wikipedia like format. Each time another section of the regulations is referenced in the section you are reading you can "point and click" to the referenced section.

Now that the HITECH Act's meaningful use definition makes compliance with HIPAA mandatory (i.e. if a provider or facility wants to get paid their EHR incentives) many more stakeholders will need to become HIPAA literate. The HSG makes the education process easier by making the regulations more visible and "digestible."

Don't get me wrong, if you want to become literate you still need to do the work, but you don't have to crawl through paper documents or 100 page PDF files. If you want to learn more about the background of the HSG click here.

If you would like stay current on HSG updates then sign up for our FREE HITECH/HIPAA Compliance Newsletter.