You’ve no doubt heard it. The healthcare industry has the dubious distinction of having had the three of the top six IT related security breaches this year. This article in the Healthcare Finance News quotes figures published by the Ponemon Institute, a research organization. According to the article, there’s been a 32 percent increase in frequency of data breaches, in other words, the frequency has increased by almost a third.And it has cost the industry $6.5 billion.

But a similar story in the NY Times shows us how woefully inadequate our existing data protection laws are (This story also quotes the numbers from the same Ponemon Institute study). An employee from a Massachussetts eHealth Collaborative lost a laptop containing 13,687 records. Each of those records contained some combination of a patient’s name, SSN, birthdate and other identifying information. Now, by law, healthcare organizations are required to report breaches involving 500 or more patients and the Department of Health and Human Services.

However, says NYT, Micky Tripathi, the non-profit’s president and CEO, soon figured out “just how many ways there were to count to 500. The law requires disclosure only in cases that “pose a significant risk of financial, reputational or other harm to the individual affected. His team spent hours poring over a backup of the stolen laptop files. Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.”

The NYT story also points out another strange loophole that came to the aid of the non-profit – the entities responsible for protecting patient health are the providers, not contractors such as Mass. eHealth.

“In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files.”The laws create a perverse outcome,” he says. “It was our fault, but from a federal perspective, it wasn’t our breach.”"

So of the 14,000 or so patients affected, Micky Tripathi’s non-profit only needed to notify 998 people. Of these, only one organization had patients more than 500 in number, requiring a mugshot report on the HHS wall of shame, and an offer of free credit monitoring from Mass eHealth.

In the end, the cost of credit monitoring services to Mass eHealth was a mere $6000 though the article says the non-profit ended up spending close to $300,000 in the aftermath. I wonder if this includes the cost of the necessary sleuthing involved and so on. If this is the case, the numbers are incidental expenses; the money spent directly on the breach itself was a fraction of that.

Compare this to the $1 million fine incurred by Mass. General Hospital for the loss of 192 patient records left by a negligent employee on a subway train.

With these numbers in mind, here are my takeaways from these stories:
- Who is responsible for what breach is not clear enough. I had to re-read the definition for covered entities to make sure that Mass eHealth doesn’t fall under it. If the law takes such a lax attitude to IT contractors – who BTW provide the bulk of the IT infrastructure at many hospitals – where’s the incentive for anyone to do things differently?
- There’s a crazy penalty structure in place. A hospital losing 192 records resulted in a million dollar fine. A non-profit losing 998 records incurred $6000 in expenses. So if you’re a hospital, you’re better off with contractor negligence than your employees/equipment being the responsible party.
- Rules can be creatively interpreted.
- There’s not enough negative fallout for data breaches for healthcare/HIT organizations to do things differently. Say, if in addition to the notice on the HHS wall of shame and fines, there were other repercussions like, I don’t know, a digital time-out of sorts for both contractors and healthcare organizations, maybe healthcare and IT would begin to care more.

John’s Comment: This is definitely an interesting case. With the new HITECH laws I can’t imagine how this doesn’t fall under the Business Associate agreement which would require that they follow the HIPAA laws just like any provider. The article does say that contractors aren’t responsible, but that seems like bad legal advice given by the contractor’s lawyer. I’m not a lawyer, but I’ll have to email a healthcare lawyer friend of mine to have him comment on this case as well.

It’s also worth noting that all of the breaches mentioned above have been through laptops or other devices left behind. None of the major breaches have been a hacker getting into an EMR or EHR system. Everyone likes to blame the EHR software for privacy issues, but so far they haven’t happened. They will one day, but the bigger privacy issue is still unsecured devices and human breaches (ie. staff looking at inappropriate records).

I thought this blog post on the 3M blog made a good point about ACO’s finally having some action behind them thanks to the Pioneer ACO awards that were announced recently. Until now, we’ve basically just had people talking to each other about the idea of an ACO, how an ACO should take shape, etc etc etc. It’s nice to see us starting to move beyond discussion of ACO models and now starting to see some real people and companies that have to start taking some ACO action to see what they can create.

I have a feeling that much of this initial ACO work is going to be like most startup companies: failures. In the startup world, it’s just expected that at least 9 of 10 companies will fail. That’s part of the algorithm of innovation that has worked so well in the entrepreneurial environment we know as tech startup companies. I imagine we’ll see the same with a bunch of these ACO models in healthcare as well.

One major problem I do have with this comparison is that the ACO programs that we see now aren’t entrepreneur or market driven, but instead are driven by some sort of government money. This means that those that participate have a bunch of perverse incentives.

The blog post mentioned above provides some interesting suggestions on how to improve healthcare. In response I offered these thoughts in their comment section:

The suggestions you make are reasonable and interesting, but they seem to ignore the idea that what people are really going to do with ACO legislation is find the simplest way to extract the most amount of money out of the regulation. There will be some exceptions, but this is how it works with most government programs.

I imagine some will see this as a bit cynical. I personally just see it as realistic. If we want to talk about real solutions we have to talk about the stark realities that face us and not the idealized models that could happen “IF…” ACOs are no different. Enough with the IFs and let’s talk about action.

I’ve blogged before about the importance of decreasing the digital divide in this country in order to truly move healthcare interoperability forward. As I mentioned last month, “Only those patients who have access to these digital healthcare technologies will begin to clamor for them at their next doctors’ visits. Only patients’ whose doctors in turn have reached out to them via email, text or social media regarding the switch to electronic medical records, development of health information exchange and the benefits to care these will hopefully bring will be ready and willing to go with the digital flow.”

When news came across my somewhat cluttered desk of Emdeon’s initiative to provide electronic health record (EHR) technology to physicians in New Jersey’s underserved communities, I first thought, “Yes! That’s what I’m talkin’ about!” Then I put on my journalist/blogger hat and thought, “Will this truly change anything in these particular communities, or is this just good PR?”

A quick bit of background: Emdeon is partnering with the U.S. Department of Health and Human Services’ (HHS) Office of Minority Health, New Jersey Health Information Technology Extension Center (NJ-HITEC), the state’s REC, and the HIMSS Latino Community. Through the initiative, Emdeon will donate Emdeon Clinician licenses to 100 healthcare providers who practice within medically underserved areas and/or healthcare provider shortage areas, as designated by the Health Resources and Services Administration (HRSA), according to a recent Emdeon press release. The company will waive the license fee for these physicians for one year.

The same press release also mentions “EHR adoption is lower among providers serving Hispanic patients who are uninsured or rely on Medicaid, and is lower among providers serving uninsured, non-Hispanic black patients than among providers serving privately insured, non-Hispanic white patients.”

The initiative sounds like a great idea, but the one-year stipulation got me thinking (a bad habit, I know). What will these physicians, who presumably can’t really afford this technology now, do after their year is up? I reached out to Miriam Paramore, Senior Vice President – clinical and government services at Emdeon, to learn more about the ins and outs of the program.

How did the initiative come about?
Miriam Paramore: During the fall of 2010, leaders from the Office of Minority Health (OMH) and Health Information Technology issued a public, written request to health IT vendors, asking them to pay special attention to healthcare providers within underserved communities. This initiative is known as The Alliance to Reduce Health IT Disparities. Emdeon is serving as a private partner with the OMH to offer access to health IT products and services to providers within undeserved communities in New Jersey. We were thrilled to volunteer and to work within these communities.

Has Emdeon ever done anything like this before?
We’re happy to do part of this effort with HHS and it is the first time we’ve partnered with them.  We have great empathy for the challenges of the physicians in underserved communities and we want to help.

What sort of challenges do small physician practices in underserved communities typically encounter?
In addition to challenges like poverty and health disparities amongst their patient population, providers in underserved communities and smaller practice offices face expensive costs associated with on-boarding EHRs. Emdeon created the Emdeon Clinician solution as an affordable EHR “lite” solution for these small practice physicians or those working in underserved communities. They now have an affordable, easy-to-use solution that will help them to qualify for federal HITECH stimulus dollars without unnecessary disruption and expense of a full-blown EHR system.

How will you work with these 100 physician practices to ensure they are able to continue using the donated EHR after the year-long license expires?
Once the 12-month period expires, providers will be able to continue using Emdeon Clinician for only $99 per provider, per month. Emdeon usually has a $500 implementation and training fee [that, for this program,] has been discounted to a one-time fee of $200 for the providers participating in this project. This is a considerable discount and the fee would only have to be paid once. We will begin outreach to these providers in advance of the expiration date so they are aware of the opportunity to remain with Emdeon Clinician for the low fee following the initial 12-month period.

How will Emdeon work with NJ-HITEC and the HIMSS Latino Community throughout this year to ensure that these practices receive continued training and support?
Emdeon has taken the lead with managing this initiative between all partners with monthly meetings to monitor progress. We have a dedicated project manager, who has mapped a process with the internal team to assist with implementing these physicians as soon as possible. Our custom phone number (1-855-840-7120) connects interested providers directly with a dedicated clinical sales executive who can assist them throughout the enrollment process.

The NJ-HITEC and HIMSS Latino partners are assisting in the recruitment of providers who practice within medically underserved areas for this program from their vast networks across New Jersey communities. These partners are working cooperatively with Emdeon to create a strategy that focuses upon identifying and recruiting providers within underserved communities who are willing to adopt EHRs, especially those interested in qualifying for federal incentive dollars.

How many practices do you anticipate being eligible, and how many do you expect will apply?
While we aren’t sure how many will apply, the HHS OMH recognized that the counties of Camden, Essex and Passaic have the largest percentage of underserved communities. Through our collaborative efforts with the OMH, HIMSS Latino and NJ HITEC, we hope to reach many of those physicians within those counties to take advantage of the 12-month program.

How will Emdeon and its partners determine if this program is a success?
Together with our partners, we believe success will be donating all 100 licenses to providers in underserved communities. The reporting element of this project will help OMH understand the progress of EHR adoption in the context of how long implementation takes in its entirety.

So it seems that Emdeon and its partners certainly have their ducks in a row when it comes to aiding and abetting these physicians before, during and even after the program is technically over. I’ll be interested to see if this model will, in fact, be successful, and if it can be supported in other underserved areas across the nation.

For more information on participating in the program, check out: http://www.emdeon.com/newjersey/

Casinos can teach the healthcare industry a thing or two about influencing customer behavior. So says this interesting feature in California Healthline this week.

Think about it – if it’s your first time, and you lose 500$ straight off the bat, you’re not likely to head to the nearest ATM to withdraw more cash. The people who run casinos understand this, the article quote California Healthcare Foundation CEO Mark Smith as saying. That’s why casinos have loyalty card systems in place – so they can not only know what you’re doing, and to influence your behavior in a way that benefits the casino.

A casino doesn’t necessarily want a first-time customer to lose money right away, he said, because that customer becomes unhappy and won’t come back. “So if you’re a first-time customer and you’re down 150 bucks, someone in the casino will slide up to you and ask you how you’re doing,” Smith said. “And maybe get you a comp meal or a drink.” The casino intervenes before customers reach the decision point to leave.

For the healthcare industry, the holy grail is patient data. If there is enough patient data, the innovators can come along, interpret it, and hopefully healthcare providers can nudge patient behavior enough to make a change in overall health.

The most interesting thing about the article, to me personally, was reading about how data that has been made publicly available can be used for interesting uses. The article talks how data made public by the National Oceanic and Atmospheric Administration fuels such varied things as the Weather Channel, mobile weather apps and so on.

And guess what? All that can happen to healthcare as well. Much public health information is available for access by the general public, and part of the job of HHS has been to make innovators aware that public health data is now available. The article talked about Bing using Hospital Compare data to provide users with hospital comarison statistics.

I followed some of the links on the article and finally ended up at the Health.Data.gov site, where as promised, a treasure trove of data is publicly available – just waiting for the right technogeek to come along and do something cool with it. Could that innovator be you? Go check it out!

From MinnPost.com, a post on Sen. Al Franken’s second hearing as chairman of the Senate Subcommittee on Privacy, Technology and the Law. Franken’s take was that federal agencies tasked with enforcing digital privacy are not doing so. While we might be aware on some subliminal level about the lack of enforcement, when presented in sheer numbers, the statistics are shocking.

According to the MinnPost article:

“Total, there have been 364 “major breaches” of 18 million patient’s private data since 2009, Franken said. Meanwhile, enforcement of data privacy laws have been lax — out of the 22,500 complaints the Health and Human Services Department has received since 2003, it’s levied only one fine and reached monetary settlements in six others. Of the 495 cases referred to the Department of Justice, only 16 have been prosecuted.”

Here on the HHS website, you can see all the breaches affecting 500 or more people (sort by Breach Date to see recent breaches). Even with all the rules around reporting, effectively, given the lack of enforcement, hospitals and care organizations stand to gain the most in this lax enforcement landscape. I’d be curious to know the process of fining and reaching settlements, whether it is proportional to the amount of data stolen/lost. More importantly, I’d like to know what organizations are doing differently if data thefts have been identified – the worst thing for an organization would be to pay the fine, and continue with the same faulty processes that led the breach in the first place.

John’s recent post about ONC trained participants finding it difficult to find jobs struck a chord. A different post over at HIMSS had me thinking in overdrive.

Dr. Noam Arzt has a post on Meaningful Use and public health reporting. In it he discusses the problems faced by providers in submitting health information to public health bodies in ways that are also Meaningful Use Stage 1 compliant.

Health records in provider offices are sometimes stored in disparate silos that are cannot/do not communicate with one another. As Dr. Arzt explains with an immunization records example, there is no demonstrable Meaningful Use if an uncertified system makes the data submissions to public health.

Of course, adding additional functionality to the EHR system with a simultaneous revamping of uncertified system to provide Meaningful Use share data with one another is one (costly) solution. Getting the secondary data system certified is another one. A third approach, which Dr. Arzt touches on, is for Health Information Exchanges to act as/provide for certified intermediaries that bridge the data flow between an uncertified system and one that is Meaningful Use certified.

Here’s what HHS had to say about the subject a month ago:

If an intermediary performs a capability specified in an adopted certification criterion and a provider intends to use the capability the intermediary provides to satisfy a correlated meaningful use requirement (submission to public health according to adopted standards), the capability provided by the intermediary would need to be certified as an EHR Module

This intermediary need can be filled, especially by innovative software vendors or those looking to break into the EHR IT industry. From plain data conversions to web services, IT companies have plenty of tricks up their sleeve to assist HIEs. The technology is there, all we need are savvy techies (companies, people) to see the opportunity this presents and act on it.

Here’s some interesting and potentially important news. According to some recent news items, it seems that Mayo Clinic investigators are putting the finishing touches on a suite of tools which can identify and sort medical data contained in any electronic medical record.

Mayo investigators are working under a federal grant, the $60 million Strategic Health IT Advanced Research Projects (SHARP) program, which is funded by the ONC.

According to a piece in Government HealthIT, the researchers have used natural language processing tools to isolate health data from about 30 digital medical records of patients with diabetes.  So far, so good. When the extracted data is run through specialized systems developed with IBM’s Watson Research Center, the 30 patient records “explode” into 134 *bilion* individual pieces of information, Government HealthIT reports.

Unfortunately, none of the sources I have explain what specific data pieces make up this total, which sounds extremely high to me. If we’re talking about just 30 patients, it’s hard for me to imagine that mundane details of care represent even multiple thousands of data points, unless you’re dealing with decades of care. (Perhaps the information involved includes the coding needed to extract the data — readers, can you clarify this for me perhaps?)

While I can’t testify as to how realistic the Mayo researchers’ claims are, I have to think that if they’re on target, something very big is in the works.  After all, to date I’ve heard little of tools that can effectively, fluidly extract clinical data from an entire EMR-based patient chart regardless of format or data organization. Concepts like natural language processing are far from new, but it seems they haven’t been up to the job.

Not only would  such capabilities allow virtually any set of institutions to share data, a giant leap in and of itself, they would also allow providers to do unprecedented levels of clinical analysis and ultimately improve care.

On the other hand, it’s not clear how practical this approach will be. If it only takes 30 records to generate that much data, just imagine how much data a single mid-sized hospital would have to wrangle!  If I’m reading things right, this technology may remain stuck at the research stage, as it’s hard to imagine most institutions could manage terabytes of new data.

Still, there’s clearly much to learn here. I’m eager to find out whether Mayo’s SHARP technology turns out to be usable in everyday clinical life.

Does the title of this post make anyone else cringe? It sounds like government at its best (or worst depending on how you want to look at it) to me. I remember when I once heard the famous investor, Carl Icahn, talk about he could go into any company slash the staffing and maintain the same productivity. His point being that so many larger companies have a lot of people who don’t produce much value. Government is very similar in people and rules and regulations. However, they don’t get someone like Icahn who comes in and cuts out those that aren’t producing.

You’d think with this analysis that I’d then be excited about the massive Review of Rules and Regulations that HHS is undertaking as reported on in this article by Health Leaders Media. I do think that it’s good to do reviews and trim down regulations. My problem is that I’ve rarely seen someone in government do a review which ended up with stuff chopped out.

I’m not completely blaming HHS and the people that work there. The ones that I’ve met personally have been incredibly bright and thoughtful individuals. They hate all the red tap as much as the rest of us. The problem is that in many ways they’re tied in what they can actually do. Part of it is politics. Part of it is legislative requirements that are handed down to them.

I think the best indication that this massive review of rules and regulations isn’t going to yield the tens of millions of hours and billions of dollars in costs savings is the 89-page “Preliminary Plan for Retrospective Review” (PDF) that was released by HHS. A mere 89 page document to propose the preliminary plan for review (that’s sarcasm for those that missed it). I can’t help but wonder how many pages of additional documentation will be produced from this review. Maybe we should ask that they eliminate 1 page of regulation for every page of review that they produce. Then, we might yield some interesting results.

I know I’ve been gaining a much larger understanding of the regulation and rule making process thanks to the HITECH act. Considering the large effort that many people have put into that process, it makes me wonder what types of results a review of the HITECH regulations and rules would actually produce. Needless to say I’m skeptical of the benefits.

Reminds me of what my friend who works for the US government told me: “Am I doing something that’s important and valuable? Absolutely! Could it be done for about half the cost? Definitely.” Too bad we don’t have Icahn like take over of government that could easily cut out the waste in government.

There are a TON of meaningful use resources for those physicians and clinics interested in showing meaningful use of an EMR in order to get the EMR stimulus money. Here’s one such resource that I thought gave a nice summary of what’s required. Here’s a small sample of the content they offer about meaningful use:

Core Set Measures

• Use CPOE (Computerized Physician Order Entry) to order medications for more than 30% of all unique patients with at least one medication in their medication list.
• Enable drug-drug and drug-allergy interaction check functionality on the EHR for the entire reporting period.*
• Maintain an up-to-date problem list of current diagnoses for 80% of all patients. If there are no problems, indicate no problems are known.
• Maintain an up-to-date list of active medications for 80% of all patients.
• Maintain an up-to-date problem list of medication allergies for 80% of all patients.
• Generate and transmit prescriptions electronically for 40% of prescriptions written by the provider.
• Record demographics for at least 50% of patients.*
• Record and chart changes in vital signs for at least 50% of patients.*
• Record smoking status for 50% of patients 13 and older.*
• Report ambulatory clinical quality measures to CMS.*
• Implement one clinical decision support rule relevant to the provider’s specialty.
• Provide at least 50% of patients with an electronic copy of their health information, upon request, within 3 business days.*
• Provide at least 50% of patients with clinical summaries of their office visit within 3 business days.*
• Perform at least one test of the certified EHR technology’s capacity to electronically exchange key clinical information.*
• For the EHR and its related IT network, conduct a security risk analysis and implement security updates as necessary; correct security deficiencies.*

Menu Set Measures

• Enable drug-formulary checking functionality and have access to a formulary for the EHR reporting period.*
• Incorporate clinical lab-test results into the EHR as structured data for at least 40% of all lab test results.*
• Generate at least one report listing patients with a specific condition.*
• Send reminders to 20% of all patients, 65 years or older, per patient preference for follow-up care.*
• Provide at least 10% of all unique patients timely access to health information within 4 business days of the information being available to the provider.*
• Provide patient-specific education resources to at least 10% of all unique patients.*
• Perform medication reconciliation at least 50% of the time for patients transitioned from another setting of care.
• Provide a summary care record for at least 50% of patients for patients being transitioned to another setting of care.
• Perform at least one test of the certified EHR’s capability to submit electronic data to immunization registries.*
• Perform at least one test of the certified EHR’s capability to submit syndromic surveillance data to public health agencies.*

*These functions may be performed by nursing, administrative or IT staff

It is expected that EHR vendors will provide the capability to generate much of the above mentioned information within their software and they will also assist physicians in conducting data exchange testing.

In another great comment from BobbyG (who works for a REC), he talks about the realization that states have the option to opt out of doing the Medicaid part of the EMR stimulus if they want. The following is the full explanation of the discovery and why they’d make such a decision. Plus, it highlights the challenge of understanding all the regulations around the HITECH act.

Here’s just one example of the difficulty you run across. Yesterday we were on a CMS conference call MU incentives presentation in which they said that states’ participation on the Medicaid side was “voluntary.”

We all went “WHAT?! How did we miss that?”

Sure enough: on the CMS website you see “The Medicaid EHR incentive program is voluntarily offered and administered by States and territories. States can start offering their program to eligible professionals (EPs) as early as 2011″

“voluntarily”, “can start”

Not “shall” or “must”.

Now, we knew from the IRF that (paraphrasing here) “there is no statutory basis for the manner via which states disburse incentive payments” but it somehow escaped us that states could simply opt out entirely.

I went back to the ARRA legislation itself (on the assumption that the FR cannot, beyond operational implementation mechanics, mandate additional requirements not in the legislation). Beginning on page 375 you see “Subtitle B—Medicaid Incentives SEC. 4201. MEDICAID PROVIDER HIT ADOPTION AND OPERATION PAYMENTS; IMPLEMENTATION FUNDING.”

You get to page 380 and then only see stuff about the administrative and reporting “requirements” for states getting the “FFP” money (Federal Financial Participation).

And that’s it.

I searched ARRA from beginning to end and found NO explicit wording that states’ Medicaid participation is “voluntary.” You just have to infer it from the Section 4201 language.

What is one potential adverse upshot? Your REC could be signing up a boatload of providers coming in on the Medicaid side, and if your state opts out, well you now have what’s known as “Reputation Risk” writ large (not to mention a torpedo below the waterline in your Ops plan and its milestone payments assumptions).

Why would a state opt out? Because they are only federally funded for 90% of their “reasonable” administrative expenses for the EHR incentive program. They have to find the other 10%. My state (NV) is currently wrestling with a three BILLION dollar budget gap. Similar relative woes exist elsewhere in statehouses (can you say KAHL-EE-FOR-NEEYA?).

You better know where your state stands before recruiting Medicaid providers if you’re a REC or a consultant or VAR, etc.