Billions at risk as providers face Stage 2 hurdle

An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000.  Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements.  With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).

See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”

Techies invade HIT market: is their unfamiliarity with healthcare industry obstacle or advantage?

Until recently, healthcare software has been developed by IT professionals grounded in the healthcare industry.  The latest arrivals to HIT development come from a range of non-healthcare industries.  The vendor of one new product currently on the HIT market last developed software related to automobile sales, while another previously developed public relations software that helps customers manage their online image.  Some observers worry that the newcomers’ disconnect from the healthcare arena threatens the success of products they may develop, but others say this freedom from preconceptions may lead to bold and successful innovation.

See Modern Healthcare article at "IT entrepreneurs rush into healthcare, but will human touch be missing?"

ONC's EHR security provisions inadequate says OIG

Healthcare providers cannot attest to meaningful use unless they use certified EHR software.  Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to ensure protection of patient data.  This assumption may not be valid according to a report recently issued by the HHS’ Office of Inspector General.

The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on structures and procedures for ensuring data security in electronic health records.  The audit primarily reviewed the temporary program the ONC employed prior to 2014.  This earlier, temporary program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program, and the OIG found some troubling flaws in it.  For instance, the OIG discovered that while the program was supposed to perform periodic re-evaluations of EHRs after their initial certification, this did not consistently happen.  This means that some EHRs that had been modified since their initial certification in ways that rendered them no longer compliant, and in some cases seriously non-compliant, remained – and may still remain – on the lists of certified products.

The ONC disagreed with the OIG report.  The ONC claimed that since the temporary program has been replaced with the permanent one, which employs the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant.  The OIG therefore went back to determine whether problems with the temporary program had been corrected in the permanent program and found that many have not been.  Among other concerns the OIG brought to light, the audit found that an EHR may be certified under ONC’s 2014 Certification Criteria – as under the earlier temporary program – with passwords as short as a single character.  The OIG found another significant issue that has persisted from the temporary program.  If an EHR has been hacked, converting it into malware, the ONC certification program is not authorized, except in rare cases, to decertify the EHR, even temporarily, to prevent sales of the product.  The OIG report contains a set of recommendations addressing these and other concerns.

See Modern Healthcare article at “OIG faults ONC's electronic health record security provisions,” and a copy of the OIG report.


CMS issues final EHR meaningful-use rule - with some flexibility

The Centers for Medicare and Medicaid Services issued a final EHR meaningful-use rule last Friday, consistent with the proposal it published in May.  The rule will grant healthcare providers more time and some flexibility in how they meet requirements for the EHR incentive program.  One of the points on which the rule grants more leniency is that the MU third stage deadline for the first wave of adopters will change from January 1, 2016 to January 1, 2017.  Another is that providers who need the time will have an additional year to use 2011 Edition EHR software before they must implement 2014 software.

See Modern Healthcare article at “CMS finalizes EHR meaningful-use rule, adds some flexibility”

Steve Fox moderates panel in Boston on best practices for working with vendors

Steve Fox, Information Technology Practice Chair and Data Protection/Breach Co-Chair at Post & Schell, will speak as well as moderate a panel discussion on "Dealing with Vendors:  Best Practices for Contracting and 3rd Party Compliance" in early September 2014 at the Privacy and Security Forum in Boston.

Via Health Privacy Forum:

As outsourcing continues to gain steam in healthcare, security and privacy officers must be more vigilant than ever that cloud vendors and other business associates who handle PHI comply with HIPAA and make privacy and security a high priority.  Your relationship with your vendors begins with a well-negotiated contract, which is vital to protecting your interests and limiting potential liability in the event of a breach, but it’s only half the battle.

Just because you have a contract in place, doesn’t mean you can be hands off about privacy and security issues.

In this session, Steven J. Fox, a leading healthcare IT attorney, outlines some of the key terms and conditions that make up the contractual foundation that covered entities need when working with HIT vendors and other business associates.  He'll also cover:

* What due diligence should be performed prior to starting contract negotiations?

* How vendors should share information about privacy & security breaches with your organization?

* How often (if at all) should you audit or monitor a vendor’s privacy & security performance?

* How to make sure a vendor returns, destroys, or appropriately safeguards your data at the end of the business relationship?

Fox will also moderate a panel discussion and examine what providers should expect from their vendor partners when it comes to protecting PHI and what vendors can realistically deliver.

Risks of EHRs accessible only via internet: a cloud downside

The cloud, popular because businesses can pay a monthly fee for computer-related services instead of paying for costly in-house hardware and the staff to manage it, has its drawbacks.  One of these became painfully evident for two days in mid-August.  While the fact has received surprisingly little news coverage, the internet experienced intermittent periods of brownout worldwide on Tuesday and Wednesday, August 12 and 13.  This was understandably alarming to healthcare providers who were unable to access patient records during these periods.  Not all EHR cloud storage providers were affected, and those that were, were able to resolve the problem by the end of Wednesday.  For cloud EHR storage vendors that invest in what are known as “system redundancies,” backup systems activated if primary systems become unavailable, business continued as usual during this period.  Smaller healthcare practices in particular, tending to have smaller budgets to spend on their EHR systems, often choose more affordable EHR programs from vendors with less robust system redundancies in place.  According to the Wall Street Journal, global internet traffic has grown too voluminous for the global routing system currently in place.  While engineers are working to upgrade the routing system, progress on this project is not keeping up with demand and periodic brownouts are likely to continue to occur.  Healthcare providers can protect themselves against the effects of future brownouts in various ways including investing in hybrid EHR storage systems, and including uptime guarantee clauses in their vendor contracts.

For more information see:

“Internet Outage Left Doctors Without Records For Hours – Huffington Post – internet – Google News,” News Journal Online (August 19, 2014)

“Internet Brownout Exposes Risk of Cloud-Based EHRs,” Medscape (August 22, 2014)

“The 512K 'Crisis' Makes Its Mark:  Network Engineers Were Left Scrambling to Keep Web Customers Connected,” Wall Street Journal (August 18, 2014)

Patent trolls: new developments at federal and state level

While the healthcare industry has become well-acquainted with patent trolls, it is not the only industry that has been hit.  According to a Boston University study, American businesses paid $29 billion in 2011 alone to patent trolls in “licensing fees” in order to avoid litigation.  In response to the expanding activities of patent trolls, more formally known as PAEs (patent assertion entities), efforts have been underway at the federal and state levels to develop mechanisms for protecting businesses.  A patent reform bill, which passed the House of Representatives 325-91 in December 2013 and had President Obama’s vocal support, was dropped by the Senate Judiciary Committee in May 2014 shortly before it would have come to a vote on the Senate floor.  Observers say a new bill on the subject is unlikely to appear before 2015.

States are coming up with some creative ideas to address PAE activities.  States are suing PAEs under existing state consumer protection laws, and are also passing new laws directed at the activities of PAEs specifically.  Some of the new laws include fee-shifting measures, which require a PAE to post bond for the legal fees the target of its lawsuit would incur, so that the PAE can pay its opponent’s legal fees if the PAE’s suit fails.  Bad faith demand letters tend to share common traits, including being so vague regarding the recipient's alleged unlawful behavior (in the case of PAE demand letters, patent infringement) that the recipient is unable to determine the validity of the accusation.  Measures in some of the new state laws address these letters specifically by legislating how demand letters must be written to be legal, and/or requiring PAEs to submit their demand letters to the state for approval before they may send them out.

Despite the states' energy around this issue, they are hampered in their efforts by a century-old Supreme Court decision.  In 1912 the Supreme Court ruled that for the most part cases pertaining to patent law fall under the jurisdiction of federal courts.  The case currently in the limelight testing how restrictive the 1912 decision will be for the states is Vermont v. MPHJ.  MPHJ asserts that, pursuant to the 1912 Supreme Court decision, the Vermont state court system in which Vermont filed its lawsuit against MPHJ has no jurisdiction.   The question has gone before the federal courts twice so far in this case.  In April 2014, Judge William K. Sessions III of the U.S. District Court for the District of Vermont noted that what the 1912 Supreme Court ruling actually says is that "Federal courts have exclusive jurisdiction of all cases arising under the patent laws, but not of all questions in which a patent may be the subject-matter of the controversy."  According to Judge Sessions, the Vermont case is about bad faith demand letters rather than about patent issues, and therefore, the state court does have jurisdiction.  In August 2014, the U.S. Appellate Court for the Federal Circuit dismissed MPHJ’s appeal, remanding the case back to state court.  According to observers, MPHJ is likely to file another jurisdictional appeal.

See additional information at:

“Patent-troll fight ends in retreat,” Burlington Free Press (July 7, 2014)

“Patent troll case referred back to Vermont courts,” Brattleboro Reformer (August 15, 2014)

"States go after patent trolls - how far can they go?" ABA Landslide Magazine (July/August 2014)

ICD-10 delay reopens door to broader discussion among providers: is ICD-10 even the right way to go?

The postponement of the deadline for healthcare providers to implement ICD-10 (International Statistical Classification of Diseases and Related Health Problems) would seem to help ensure that the transition to the new coding system will unfold successfully.  However, it is also now allowing time for further discussion in the medical community about whether ICD-10 is the right choice at all.  As Meaningful Use Stage 2 requires adoption of the many times more complex SNOMED (Systematized Nomenclature of Medicine), some practitioners suggest that the community should skip ICD-10 altogether.  Pointing out that ICD-10 is already 25 years old, they suggest the industry’s time would be better spent transitioning to SNOMED, completing ICD-11, and then implementing that once finished.  Others suggest that using two separate, parallel coding systems doesn’t make sense and that one or the other should be chosen and implemented.  Of these, some feel the industry should use SNOMED only, claiming that the ICD coding system is geared so specifically toward facilitating reimbursement that it doesn’t support providers in delivering care.

See Modern Healthcare article at “ICD-10: Is it for clinicians or reimbursement?”

Senate committee concerned by EHR interoperability issues

Members of the Senate Appropriations Committee have become concerned that different brands of electronic health records software, paid for with tax dollars, are incompatible with one another thereby preventing healthcare organizations from sharing data.  A recent Rand Corporation report highlighted this issue and noted that some software is engineered to block sharing of data.  The Senate committee is requesting an investigation into the issue, and in the meantime has drafted a bill asking that the ONC “…decertify products that proactively block the sharing of information….”

See Information Week article at “Senate Committee Seeks EHR Interoperability Investigation” and “Draft Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriation Bill, 2015” (PDF)

Attorney Steve Fox speaks on "Hidden Risks of Cloud Computing" at American Hospital Association conference

Healthcare IT attorney Steve Fox spoke on risks of cloud computing at the AHA's Leadership Summit held in San Diego this year.  According to attorney Fox, the data which the health care industry handles is growing exponentially, a trend driven in large part by the increasing use of mobile devices. In his talk he explained that health care providers are adopting cloud and mobile technology for their affordability and convenience, but may be unaware of hidden costs in these new options. Fox asserts that cloud computing presents new challenges for health care organizations in terms of securing the applications and data. Issues with vendors may arise over service levels, security of information, ownership of information that is remotely hosted by a third party, and use of hosted data by the vendor. In his presentation Fox provided advice on how to avoid some of the more important pitfalls with cloud computing. He said that technology may provide greater efficiencies, but it must be used responsibly and that patient information which passes through the technology must be responsibly handled as well.