80 million patient records breached in Anthem hack

Health insurance giant Anthem reports that it has been the target of a cyberattack exposing tens of millions of customer records. Anthem, until very recently known as WellPoint, the largest of the Blue Cross Blue Shield for-profit managed health care companies, is based in Indianapolis and operates in New York and California as well as in twelve other states. Anthem states that while neither credit card nor medical information was stolen, the information the hackers did make off with is significant and includes names, dates of birth, social security numbers, employer names, and income data. This latest data breach is the largest to date in the healthcare industry, 20 times the size of the most significant previous breach. Anthem has hired cybersecurity firm Mandiant to assist it in determining exactly what happened and how to improve security for the future. Anthem will be offering services for credit monitoring and identity protection free of charge to affected customers.

See Modern Healthcare article at "Hackers breach Anthem; 80M exposed"

Meaningful use program Stage 3 inches nearer to approval

The draft regulatory language of Stage 3 of the meaningful use program, scheduled to start in 2017, has been submitted for review to the Office of Information and Regulatory Affairs in the Office of Management and Budget.  The rules, submitted to the OMB by the Office of the National Coordinator for Health Information Technology, may reflect some of the discussions that have been taking place in the healthcare industry regarding lessons learned from the program’s roll-out so far.

See Modern Healthcare article at "EHR Stage 3 proposals go to OMB, hint at changes" 


A plus in the operating room, EHRs can cause trouble for providers in the courtroom

Electronic health records have been touted as having – and have proven to have – many benefits for healthcare organizations in terms of cost savings and efficacy of medical treatment.  They are not, however, unalloyedly beneficial in the courtroom.  As might be expected, the most important evidence in malpractice cases is medical records and now that they are digitized these records tend to be in EHR form.  According to defense attorneys, electronic medical records come with their own set of problems for the provider facing a malpractice lawsuit.  One striking issue is the “autofill” feature in EHR templates which automatically populates fields with data that may not be pertinent to the situation at hand.  Other issues include technical glitches, as well as users not using the software correctly.

See Business Insurance article at "Malpractice suits often tap electronic medical records"

Human-computer interactions: what happened during September's Texas Ebola misdiagnosis?

A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible. A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in "Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records." The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors. One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may put blinders on providers when they are faced with an out-of-the-ordinary situation.

See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”

Medical info now 10 times more valuable than financial data on the black market

Credit card numbers have dropped precipitously in value in recent years as PHI replaces them on the underground market. Why? Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years. Theft and misuse of credit cards, on the other hand, is usually detected almost immediately and the cards canceled. In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.

See Reuters article at “Your medical record is worth more to hackers than your credit card”

Billions at risk as providers face Stage 2 hurdle

An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000.  Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements.  With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).

See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”

ONC's EHR security provisions inadequate says OIG

Healthcare providers cannot attest to meaningful use unless they use certified EHR software.  Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to ensure protection of patient data.  This assumption may not be valid according to a report recently issued by the HHS’ Office of Inspector General.

The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on structures and procedures for ensuring data security in electronic health records. The audit primarily reviewed the temporary program the ONC employed prior to 2014. This earlier, temporary program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program, and the OIG found some troubling flaws in it. For instance, the OIG discovered that while the program was supposed to perform periodic re-evaluations of EHRs after their initial certification, this did not consistently happen. This means that some EHRs that had been modified since their initial certification in ways that rendered them no longer compliant, and in some cases seriously non-compliant, remained (and may still remain) on the lists of certified products.

The ONC disagreed with the OIG report. The ONC claimed that since the temporary program has been replaced with the permanent one, which employs the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant. The OIG therefore went back to determine if problems with the temporary program had been corrected in the permanent program and found that many have not been. Among other concerns the OIG brought to light, the audit found that an EHR may be certified under ONC’s 2014 Certification Criteria – as under the earlier temporary program – with passwords as short as a single character. The OIG found another significant issue that has persisted from the temporary program. If an EHR has been hacked, converting it into malware, the ONC certification program is, except in rare cases, not authorized to decertify the EHR, even temporarily, to prevent sales of the product. The OIG report contains a set of recommendations addressing these and other concerns.

See Modern Healthcare article at “OIG faults ONC's electronic health record security provisions,” and a copy of the OIG report.


New report: EHRs not immune to technical, human error; rigorous monitoring essential

A report just published in the Journal of the American Medical Informatics Association asserts that even if EHRs were not still relatively new, they would not be exempt from the glitches all software can be prone to. Researchers evaluated data from the Veterans Health Administration, which oversees a non-punitive, voluntary reporting program to encourage employees to report EHR-related safety incidents. The researchers focused on a set of almost 350 patient safety incidents that occurred between 2009 and 2013. The research team found that errors occurred because of both technical problems and problems with how employees interpreted or used the technology. Technical problems most frequently related to how information is displayed, to software modifications and upgrades, and to transfer of data between different parts of the EHR system.

The researchers advise healthcare providers to implement robust programs to track and evaluate technical and human errors that occur in the context of EHR use.  They suggest that providers incorporate the concepts set forth in the SAFER Guides issued in January 2014 by the ONC in setting up their monitoring systems.

For more information see
--- Modern Healthcare article at “Complicated, confusing EHRs pose serious patient safety threats”
--- Journal of the American Medical Informatics Association report at “An analysis of electronic health record-related patient safety concerns,” also available in pdf form
--- the SAFER Guides

Stage 2-ready software delays prompt CMS to postpone Stage 2 deadline

While vendors were able to supply the software needed for healthcare providers to comply with Stage 1 of the EHR incentive program, they are experiencing delays in developing the software needed for Stage 2 meaningful use compliance. In response to feedback from the healthcare community on this subject, the Centers for Medicare and Medicaid Services and the HHS' Office of the National Coordinator for Health Information Technology propose postponing Stage 2 implementation deadlines one year -- to take effect in 2015 instead of in 2014.

Via Modern Healthcare:

For the second time this year, the federal government is pushing back a major health information technology initiative, potentially giving early adopters of electronic health records an extra year to meet more stringent meaningful-use requirements.

The CMS and HHS' Office of the National Coordinator for Health Information Technology issued a proposed rule last week that would give hospitals, office-based physicians and other professionals eligible for the EHR incentive program an additional year to use 2011 Edition software for their systems and continue to meet Stage 1 criteria for meaningful use of the technology.

The proposed rule means providers that entered the program in 2011 could have as many as four years using 2011 software at Stage 1 meaningful use.

The rule also would make official a previously announced delay until 2017 for the start date of what is likely to be the even more difficult Stage 3 meaningful-use requirements now under development.

The new rule comes less than two months after Congress, responding to pressure from physicians and other groups, postponed the nationwide switch to the ICD-10 diagnostic and procedural coding system until Oct. 1, 2015.

Going into 2014, ICD-10 and Stage 2 deadlines were ranked as the two biggest HIT headaches for industry leaders, according to Modern Healthcare's annual IT readers' survey. Now, both have been eased.

“There is a thank you here,” said Russell Branzell, president and CEO of the College of Healthcare Information Management Executives, an association of hospital chief information officers. CHIME lobbied hard to give providers more flexibility with Stage 2. “Our general impression is the proposed rule is a good thing.” But, he added, “it is extremely complex.”

The CMS and ONC rule writers cited the slow delivery and implementation of the upgraded 2014 Edition software needed for Stage 2 as the reason for the delay.

Providers told the CMS in letters, forums, listening sessions and public comments that they were facing long backlogs for installations of updated technology, limiting their ability to attest to meeting the Stage 2 criteria for 2014. Those providers scheduled to step up to Stage 2 this year can remain at Stage 1 if they attest they're unable to advance due to software availability issues.

The proposed rule is subject to a 60-day public comment period, which started Friday when the rule was officially published in the Federal Register. The protracted rulemaking process virtually ensures that hospital leaders will make a decision on Stage 2 without a final rule being in place.

“Even if (CMS and ONC) get the final rule and put it out for adoption, that could be four months,” Branzell said. “So, do you roll the dice and collect data on Stage 1 based on this proposed rule, or do you go and try for Stage 2?”

So far, reactions from Medical Group Management Association members have been positive, said Robert Tennant, the MGMA's senior policy adviser. “It's not everything we were looking for, but it was a good start and recognition that the program parameters were proving challenging for vendors and their customers,” he said. “The extra time is going to allow the momentum to continue.”

One concern, he noted, is that the proposed rule says the program reverts “back to normal” in 2015. But given the need for delays thus far, “we're going to be looking hard at 2015 to make sure the vendors are ready for that year. What we don't want is all of the good effort to stop and the program ends at Stage 1. So I think it's a prudent move, and we appreciate the flexibility,” Tennant said.

Tom Leary, vice president of government relations for the Chicago-based Healthcare Information and Management Systems Society, a trade association for the health IT industry, also expressed relief over the proposed changes. But Leary wondered about the timing of a final rule after the 60-day public comment period for the proposed rule ends in July.

If the CMS issues an interim final rule, it could take effect 30 days from publication, he said. “One of the questions we have in to CMS is the timeline on that,” he said.

By Joseph Conn

“CMS proposes Stage 2 delay,” Modern Healthcare (May 24, 2014)

Rural providers cope with HIT staffing deficits

If compliance with ONC regulations is challenging for healthcare providers in urban areas, with high concentrations of IT professionals, it is especially challenging for rural providers where IT resources in the form of human capital are scarce.  The federal government's 2009 healthcare stimulus package, HITECH, provided funding for a national network of regional extension centers (RECs) designed to assist rural healthcare systems.  While the program is considered very effective, its funding will dry up in 2014.  Rural providers have devised a creative array of strategies to overcome their HIT staffing obstacles.

Via Modern Healthcare:

It took St. Claire Regional Medical Center, in the small town of Morehead in northeastern Kentucky, 2½ months to fill an open position on its computer help desk.

“We just don't see that many people who are even close to being qualified willing to work for the amount of money we're able to pay,” said Randy McCleese, vice president of information services and chief information officer of the 159-bed hospital. “That's part of what we have to deal with in the rural environment.”

The need for qualified information technology professionals to work in hospital and clinic settings has increased enormously in recent years, given the expanded use of technology such as electronic health records. But more than two-thirds of the CIOs surveyed in 2012 by the College of Healthcare Information Management Executives reported shortages on their IT staff. That's an especially big problem for providers in small towns and rural areas, who can't necessarily afford to pay nationally competitive salaries and who can't offer big-city attractions to lure candidates.

These IT staffing shortages create daily inefficiencies for small hospitals such as St. Claire Regional. New computers sit idle because there's no one there to set them up. Software fixes don't always get taken care of in a timely manner. “We really get into a backlog of the things that need to be done,” McCleese said.

To address these challenges in filling their IT staffing needs, small-town and rural providers are adopting a variety of strategies. Some are training current employees, such as nurses, in IT skills, some are partnering with other hospitals to share IT staff, and some are outsourcing IT work to consultants. Many worry that the end of federal funding for IT regional extension centers will cut off a valuable source of technology assistance.

While small-town and rural providers also have trouble filling clinical positions, McCleese, CHIME's board chairman, estimates that a typical nurse opening at St. Claire Regional might generate 10 to 15 applicants, compared with the three he received for the recent help-desk position. “Comparatively speaking, we get a much smaller number for the IT positions,” he said.

McCleese faces competition for IT workers from providers based an hour away in the bigger cities of Lexington, Ky., and Huntington, W.Va. He estimates that his hospital pays salaries that are 25% to 30% lower than in those bigger towns.

National data confirm that disparity. The median annual salary for a medical records and health IT technician averaged across non-metro areas is $31,390, compared with $33,566 for metro areas, according to U.S. Bureau of Labor Statistics data.

Across the country, the need for HIT professionals has boomed. The BLS estimated that an additional 41,100 health information technicians will be needed between 2012 and 2022. The bureau also projected that employment for medical-records and health-information technicians will increase 22% by 2022, much higher than the expected 11% increase in overall employment.

The starting gun for the HIT employment boom—and the associated squeeze in smaller towns and rural areas—was the American Recovery and Reinvestment Act of 2009, which pushed many providers to adopt EHR systems by 2014 through $25 billion in payment incentives and grants for training programs.

“The demand (for HIT professionals) just exploded when the electronic record stuff took hold,” said Mark Sonneborn, vice president of information services at the Minnesota Hospital Association. From February 2009 to February 2012, the number of online job postings in the field almost tripled from 4,850 to 14,512, according to a data brief from HHS' Office of the National Coordinator for Health Information Technology. The ONC does not break out urban and rural job listings.

Brock Slabach, senior vice president for member services at the National Rural Health Association, said the looming end of the EHR incentive payments could hurt HIT efforts at rural hospitals and clinics. “The question will be, can these facilities, with these declining reimbursements, and the incentives ending with the American Recovery and Reinvestment Act, continue to operate these information systems efficiently and effectively?” he asked.

In addition to the stimulus program, the Patient Protection and Affordable Care Act drove the need for IT development and staffing through its focus on population-health initiatives, quality-of-care measures, and preventable readmissions. Another factor is the looming implementation of the ICD-10 coding system.

Implementing EHRs is the heavier lift for Milly Prachar's hospital, however. “It's so far-reaching and really touches all users within the organization,” said Prachar, director of health-information management at Roseau LifeCare Medical Center, a 25-bed critical-access hospital in Roseau, Minn., a town of 2,600 near the Canadian border.

Tight deadlines and finances are one side of the problem, and finding qualified IT workers is the other. Prachar's hospital opted to train one of its nurses in clinical IT rather than recruit an IT specialist. That's a strategy a number of other rural-health facilities are using for their IT needs. “Because of our location—we're pretty remote—we didn't think it would be likely that there would be someone with the knowledge of the organization as well as EHR knowledge that could step into that role,” she said.

But that does not solve the problem of how to deal with the increasing number and scope of IT projects on top of the hospital's usual workload. The result for small town and rural providers is a backlog of work and delays in implementing meaningful use of EHR systems and cost-saving quality measures. It also holds them back from participating in alternative payment and delivery models such as accountable care organizations and bundled payment, which require sophisticated data systems.

“They're not keeping up with health reform,” said Joe Wivoda, a health IT consultant based in Hibbing, Minn. “There's no way in the world that you can do health reform without robust health IT capabilities.”

Chantal Worzala, director of policy at the American Hospital Association, said there are two issues for rural providers in hiring IT talent. One is whether the hospital can afford to pay enough to be competitive with urban hospitals, vendors and consulting firms, and the answer is often no. The second issue is convincing IT professionals to live and work in a small town or rural community.

A key for rural providers in recruiting students for HIT jobs is identifying candidates who want to live in a rural community or small town, said Sunny Ainley, associate dean of continuing education and workforce development at the Center for Applied Learning at Normandale Community College in Bloomington, Minn. “You have to enjoy the rural amenities of living in Minnesota,” she said.

Effectively using social media is one way to reach candidates. “People have a very high trust for social media, so we always recommend to our clients to make sure they have a Facebook page and they're very active,” said Ralph Henderson, president of healthcare staffing at AMN Healthcare. “That takes away some of the issues that, 'I don't know that health care system' or 'I don't know that city very well.'”

He also advises conducting on-campus recruiting at colleges and universities to get to know people early in their careers and establish relationships with them. In addition, he recommends having a strong training program. “The healthcare systems that do a good job of hiring new grads and then setting up training programs for them are the ones that tend to win those competitive wars for talent,” Henderson said. These programs breed loyalty to the hospital as well as the local community.

Hire and train
Another approach is to hire and train, bringing on new employees knowing they'll need skills development to do the job effectively. A related strategy is to develop existing employees' IT skill sets through onsite or off-site training, as Roseau LifeCare Medical Center did with the nurse on its staff.

Other small providers are exploring partnerships with larger hospitals, although Slabach worries this could hurt rural providers in the long run. “If the urban partner doesn't have a real keen sensitivity to rural healthcare, preserving access and maintaining traditional patterns of care, you could see patients being transferred to larger facilities,” he said.

A way around this is the IT cooperative approach, which a few small providers have pursued. The not-for-profit Illinois Critical Access Hospital Network offers IT services to its 53 member hospitals on a fee-for-service basis. “(It's at) far less cost to us than if we A, had hired that individual ourselves or B, if we were working through a third-party consulting firm,” said Harry Wolin, CEO of the 20-bed Mason District Hospital in Havana, Ill.

Even so, consulting firms are finding plenty of work with the boom in IT needs. “Small organizations have limited resources (and) limited availability to reach out to talent because everybody wants to work for a larger organization and make more money,” said Carol LeMaster, senior director of career services and professional development at the Healthcare Information and Management Systems Society. “Typically, it's just easier for them to just hire a consulting organization.”

Educators also are working to connect graduates of their HIT training programs to open positions. Normandale Community College was one of about 81 community colleges that received stimulus funding through the ONC for a program aimed at training HIT professionals to help implement EHRs as demand for these positions soared.

But a key source of support for the smallest rural providers as they strive for meaningful use is about to dry up. The HITECH provision of the 2009 stimulus law funded a nationwide network of 62 regional extension centers, run by the ONC to help rural providers implement EHRs. As of January, 3,427 of the 6,700 providers at critical-access and rural hospitals that worked with the RECs had achieved some level of meaningful use.

The RECs will run out of stimulus funding this year. “That is going to be, in certain parts of the country, really, really hard,” said Mat Kendall, who left his position running the REC program at HHS in March. Seventy-one percent of healthcare leaders surveyed by Modern Healthcare between November and January said they think federal funding for these centers should continue.

Kendall worries that the digital divide between urban and rural providers will widen during implementation of Stage 2 meaningful use of EHRs. The ONC is working with providers and vendors to help them with this process, he said. But “there's nothing we can do about the inability to find (IT professionals).”

By Catherine Hollander

“Rural hospitals get creative in staffing for IT needs,” Modern Healthcare (May 17, 2014)

Montana hospital one of first to sue vendor in court over non-compliant EHR system

Healthcare providers face many challenges in trying to keep up with ever more rigorous requirements for EHR software compliance.  EHR software vendors seem to be struggling, too, in many cases causing their clients to fail the federal EHR certification requirements, thereby losing eligibility for incentive payments.  Montana’s Mountainview Medical Center, which failed the October 1, 2013 certification deadline, is one of the first healthcare providers to take this issue to court.

Via Modern Healthcare:

A small Montana hospital may be among the first of many providers to go to court to resolve their frustrations with electronic health record systems developers that are either lagging or failing to update their software to the new, more stringent testing and certification requirements of the federal EHR incentive payment program.

Mountainview Medical Center in White Sulphur Springs is suing NextGen Healthcare Information Systems in federal court for failing to provide a certified EHR system in a timely manner. 


“That's the most important thing in this whole deal, to be federally certified,” said Aaron Rogers, CEO of the 25-bed Mountainview. “This is a huge, huge deal for every hospital, and we're certainly in that group. Ultimately, the reason there is a lawsuit is because certification was not attained, plain and simple. It didn't meet the criteria that we have to have federally.”

The critical-access hospital argues in the lawsuit that it was promised “a certified electronic health record system as defined by federal law” when it licensed software from NextGen in 2012.

Under new federal requirements that went into effect Oct. 1 for hospitals (and on Jan. 1 for office-based physicians) providers are no longer eligible for EHR incentive payments if they are still using 2011 Edition-compliant software. Thus, even for hospitals and physicians seeking to meet Stage 1 meaningful use for the first time, they must use 2014 Edition software to qualify for incentive payment.

A Modern Healthcare review of the Certified Health IT Product List compiled by HHS' Office of the National Coordinator for Health Information Technology showed that in September just 79 companies, providers and other organizations had software tested and certified to 2014 Edition criteria. That's compared with nearly 1,000 IT vendors whose products were tested and certified to the 2011 Edition criteria initially suitable for Stage 1 of the program. The precipitous drop in the number of vendors with certified products suggests many providers could be left in the lurch after investing substantial sums of money on EHR systems they believed would allow them to meet the federal requirements.

Mountainview's agreement with NextGen, according to a complaint filed last month in U.S. District Court in Helena, said the EHR was to be installed no later than June 1, 2013, but when NextGen failed to meet that date, it asked for and was given an extension until Oct. 1, 2013.

In September, however, the hospital “learned that NextGen did not have an (EHR) that was certified pursuant to the 2014 (Edition) standards” required for use by hospitals after Oct. 1, 2013. The complaint is asking for economic and unspecified compensatory damages, attorney fees and other court costs.

The complaint said Mountainview has already spent “in excess of $441,000 to facilitate” the EHR installation. That includes license fees, hardware and other costs.

Rogers said the hospital has been using electronic lab and imaging systems since 2009, but does not have a complete EHR. It is seeking to meet Stage 1 meaningful use in the 2014 fiscal year.

NextGen's Inpatient Clinicals complete EHR for hospital inpatient use was certified by the Chicago-based Certification Commission for Health Information Technology as meeting the 2014 Edition criteria. But that certification didn't come until Nov. 25, according to a copy of the test results from the Office of the National Coordinator for Health Information Technology. NextGen spokeswoman Michelle Rovner said in an email that, “While we cannot comment on pending litigation, other than to say that we firmly believe the allegations made by Mountainview Medical Center regarding our inpatient application are without merit and we will defend against them vigorously, we confidently stand behind the quality and performance of our products and offerings.”

Rovner said the CCHIT certification means hospitals can use the software to meet both Stage 1 and Stage 2 meaningful use requirements.

According to the database created by the CMS and the ONC, 62 of NextGen's hospital customers have met meaningful-use criteria, giving the company a 1.3% share of the hospital inpatient complete EHR niche. NextGen ranks fourth in the database of 455 vendors of complete EHRs for use by physicians and other eligible professionals in ambulatory care with nearly 17,850 meaningful users.

By Joseph Conn

“Montana hospital sues developer over electronic health-record certification,” Modern Healthcare (January 7, 2014)

Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records

Chicago area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15 – when four unencrypted laptops containing over four million patient records were stolen.  Seven weeks later the legal repercussions to July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.

Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this.  I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue).  No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all.  So the take-away:  encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.

Via Modern Healthcare:

The recent massive data breach at Advocate Health Care has already had legal consequences.

Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.

The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.

According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collected, in violation of two state privacy laws.

The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients' private and confidential health information.”

The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.

The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.

The suit alleges the plaintiffs' records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.

Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients' names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.

Advocate previously made the federal “wall of shame” list kept by HHS' Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.

Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft, 11% loss; and 8% hacking, all of which could have been mitigated by encryption.

The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General's office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.

Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn't have the key, another piece of software code to unscramble the protected information.

An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

Advocate's Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”

By Joseph Conn

“Advocate Health Care sued following massive data breach,” Modern Healthcare (September 6, 2013)

Health care digitization enriches software industry

The health IT industry's pitch to Congress, and to the public, was that health care would be transformed through digitization, and that the shift to electronic records would result in huge health care savings.  Four years after the passage of ARRA and the HITECH Act, which included $19 billion in EHR incentives, it remains to be seen whether the federal government and the American public will see such benefits as reduced costs and improved levels of health care. Meanwhile, the software industry appears to be the big winner.

For more, see the New York Times article "A Digital Shift on Health Data Swells Profits in an Industry".

Mostashari urges HIT vendors to conduct themselves ethically

Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith.  At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations.  He warned that he will impose more regulations if necessary.

See Healthcare IT News article at "Mostashari calls on vendors to play fair".

Family doctor EHR use up although use varies by location

The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.

Via Modern Healthcare:

The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.

Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.

In the NAMCS, adoption among family physicians grew to 66.4% in 2011 from 24.8% in 2005. Among physicians undergoing the ABFM's maintenance of certification, adoption increased to 67.8% in 2011 from 28% in 2005.

The study notes “how federal efforts to increase adoption of EHRs have accelerated in recent years.” It adds that the federal government's “triple aim” goals to improve population health and healthcare delivery while lowering costs “will require data sharing and exchange that transects all aspects of healthcare delivery and depend in part on widespread adoption of EHRs, particularly by office-based physicians.”

But geographic variations were identified in both data sets. Utah, at 94.9%, had the highest rate of adoption among family physicians seeking maintenance of board certification; while North Dakota had the lowest rate of adoption, 47.1%. For family physicians in the national ambulatory survey, Hawaii had the highest rate of adoption, 87.6%. North Carolina family physicians had the lowest, 44%.

The researchers wrote that there was “strong regional clustering for adoption.” They speculated that states' commitment varied in their support for health IT funding mechanisms to promote EHR adoption, prescription drug tracking and quality data reporting. Other reasons that could explain the variation included differences in market penetration of health maintenance organizations and the presence of large integrated healthcare organizations.

By Andis Robeznieks

“EHR use up among family doctors, but varies by area,” Modern Healthcare (February 5, 2013)

HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud

The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.”   The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost  28,000 recipients.  The Inspector General’s office concluded that Medicare needs to improve its review process.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS' inspector general's office.
The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, "Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program" (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general's office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general's office also is conducting "a series of audits of Medicare and Medicaid EHR incentive payments" to "verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts." No time frame for those audits was included in the report.

The inspector general's review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said. 
The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, "The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked 'yes,' " according to the report. However, the report continued, the CMS "does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology."
One "obstacle" the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.
The inspector general's office notes that although the CMS is not required to perform prepayment verification, "doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments" the program is expected to shell out over its lifetime, which runs through 2016.
Regarding post-payment oversight, the inspector general noted that, so far, the CMS "has not yet completed any post-payment audits." But the CMS has said it plans to use EHR-generated reports "to verify the accuracy of self-reported information where possible" and obtain supporting documents in instances where the reports don't cover the audit subject matter—and this is where the ONC comes in for criticism.
The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.
The CMS "cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures," the inspector general's report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.
"EHR reports also do not contain information necessary for CMS to verify all percentage-based measures," the inspector general's report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.
The inspector general's office recommended that the CMS beef up its prepayment assessment program, including by focusing on "high-risk" professionals and hospitals, asking them to "submit supporting documentation for prepayment review."
It also recommended that ONC "improve the certification process" to ensure that certification bodies "comprehensively test EHR reports for accuracy as part of the certification process" as well as not rely on "vendor-supplied data" during the testing phase.
The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general's office recommendation to issue a guidance on proper provider documentation required for the program.
In a similar letter to the inspector general's office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general's office's recommendation of testing a "yes/no" reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations "on the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports."
Mostashari also said the ONC has “already taken steps” to address a separate inspector general's recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.
Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC's certification process "did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products." Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.
In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS' Stage 2 meaningful-use rules—contain "more rigorous testing requirements" that became effective Oct. 4, 2012. He said the ONC "will continue to migrate away from the exclusive use of vendor-supplied data."
In a telephone interview, Mostashari said the GE report-writing problem was "old news." Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, "It's really a CMS question."

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare (November 29, 2012)

EHR access lost during Hurricane Sandy

Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure.  Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately.  Others, however, were negatively impacted, including some which lost access to their EHRs. 

It is absolutely critical that health care providers, even in areas which are not prone to massive weather-related disruptions, consider and implement backup plans for their IT systems. The crisis at NYU Langone center in Manhattan demonstrated just how dependent we are on electronic systems and power supply. It is imperative that the IT staff at each healthcare provider organization knows that its important software systems, including EHRs, are backed up, and that the organization's data - including patient data - is readily available, and is never lost due to a storm or an earthquake.

Via Modern Healthcare:

Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.
The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.
One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning. 
In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.
Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.
Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.
North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.
Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.
Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for "understandability"

Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people.  HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.

Via Modern Healthcare:

HHS' Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.
The agency's Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.

The agency's notice stated that health education materials delivered by EHRs “are rarely written in a way that is understandable and actionable for patients with basic or below basic health literacy,” which includes about 77 million people. “Persons with limited health literacy face numerous healthcare challenges,” according to the AHRQ notice. “They often have a poor understanding of basic medical vocabulary and healthcare concepts.” 
Agency officials expect the rating system to address that challenge by giving clinicians a method to determine the quality of the data their systems provide or that such resources are even available.
A draft version of the rating system was applied by researchers at AHRQ to sample education materials on asthma and colonoscopy and indicated some of the material had “low understandability or low actionability.” The agency plans to next use consumer panels to test the accuracy of the rating system.
Other related health literature activities planned by AHRQ include creating a library of patient health education materials, a review of EHRs' patient education capabilities and education of EHR vendors and users.

By Rich Daly

“AHRQ developing consumer info rating system,” Modern Healthcare (October 8, 2012)

Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits

According to Annals of Internal Medicine, a new study found no disadvantages to health care providers sharing EHR notes with patients.

Via Kaiser Health News:

Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.

When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.


A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed.  And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated  in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,’” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident.  It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives.  The MEEI data breach, on the other hand,  involved only 3,621 patient records.

Regardless of OCR's exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.


The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a publicly accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

Tagging technique keeps more sensitive portions of an EHR more private

State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records.  A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.

Via Modern Healthcare:

Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.

Development of the electronic patient-consent management system came in response to the VA's and SAMHSA's own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

"Working with the rules: Data tagging allows selective sharing with EHRs," Modern Healthcare (September 22, 2012)
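A sketch of the element-level tagging and sticky "do not re-disclose" behaviour the article describes, added here as an illustration; it is not the VA/SAMHSA system's code. The category names, recipient names, local-policy sets and the sample care summary are constructed assumptions, and the HL7 coding system and Direct transport are not modelled.

```python
from dataclasses import dataclass, replace

# Hypothetical sensitivity categories (not the HL7 vocabulary).
GENERAL = "general"
SUBSTANCE_ABUSE = "substance-abuse"
MENTAL_HEALTH = "mental-health"

# Obligation tag that travels with a released element.
NO_REDISCLOSE = "do-not-re-disclose"

# Assumption: categories whose consent requirement sticks to the data.
STICKY_CATEGORIES = {SUBSTANCE_ABUSE}


@dataclass(frozen=True)
class Element:
    """One discrete data element of a care summary, with its metadata tags."""
    section: str
    text: str
    category: str = GENERAL
    obligations: frozenset = frozenset()


@dataclass(frozen=True)
class Consent:
    """A patient's directive: (category, recipient) pairs the patient allows."""
    grants: frozenset = frozenset()

    def permits(self, category, recipient):
        return (category, recipient) in self.grants


def needs_consent(element, local_policy):
    # A sticky obligation overrides whatever the local policy would allow.
    return NO_REDISCLOSE in element.obligations or element.category in local_policy


def segment(elements, consent, recipient, local_policy):
    """Split a record into what may go to `recipient` and what is withheld.

    `local_policy` is the set of categories for which the sending
    organisation must hold patient consent before disclosing.
    """
    released, withheld = [], []
    for el in elements:
        if needs_consent(el, local_policy) and not consent.permits(el.category, recipient):
            withheld.append(el)
            continue
        if el.category in STICKY_CATEGORIES:
            # Tag the outgoing copy so the next holder must also obtain consent.
            el = replace(el, obligations=el.obligations | {NO_REDISCLOSE})
        released.append(el)
    return released, withheld


def demo():
    # Constructed sample care summary.
    summary = [
        Element("problems", "Type 2 diabetes"),
        Element("medications", "metformin"),
        Element("problems", "Alcohol dependence", SUBSTANCE_ABUSE),
        Element("encounters", "Counseling session", MENTAL_HEALTH),
    ]

    # Hop 1: the sender needs consent for every category; the patient
    # allows general and substance-abuse data to go to clinic-a only.
    sender_policy = {GENERAL, SUBSTANCE_ABUSE, MENTAL_HEALTH}
    consent_at_sender = Consent(frozenset({
        (GENERAL, "clinic-a"),
        (SUBSTANCE_ABUSE, "clinic-a"),
    }))
    hop1_released, hop1_withheld = segment(
        summary, consent_at_sender, "clinic-a", sender_policy)

    # Hop 2: clinic-a (assumed to require no consent of its own) forwards
    # to clinic-b and holds no directive from the patient.
    hop2_released, hop2_withheld = segment(
        hop1_released, Consent(), "clinic-b", set())
    return hop1_released, hop1_withheld, hop2_released, hop2_withheld


if __name__ == "__main__":
    for label, part in zip(("hop1 released", "hop1 withheld",
                            "hop2 released", "hop2 withheld"), demo()):
        print(label, [(e.text, sorted(e.obligations)) for e in part])
```

The tag is only metadata: the second hop withholds the element because the receiving system evaluates the obligation, not because anything in the record itself prevents copying.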

ONC: no caps on per-provider EHR incentive payments

National Coordinator for Health IT Farzad Mostashari has announced there is no cap on how much individual providers may receive in meaningful use incentive payouts, as long as they meet the requirements for the EHR incentive payments program.  According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.

Via Healthcare IT News:

WASHINGTON – There are no set appropriations for how much the federal government can spend on rewarding providers who adopt and use electronic health records under the Medicare and Medicaid meaningful use EHR incentive program, according to National Coordinator for Health IT Farzad Mostashari, MD.

"Whoever qualifies, gets paid; there's no hard cap," said Mostashari, who gave a keynote at the Annual Policy Summit for the Health Information Management and Systems Society (HIMSS) on Wednesday.

Mostashari said the federal government estimates it will pay out around $20 billion in incentives before the program shifts to a penalty in 2015, but there is no fixed budget set in the HITECH Act that mandated the program. The government recently announced it has paid out nearly $7 billion since the program began in 2011.

[See also: "Government EHR incentives near $7B."]

The federal health IT czar said he couldn't imagine health IT advancement – which enjoys widespread bipartisan support – losing the backing of Congress after the election, no matter the party in control.

It would be hard to picture Congress cutting or capping the program after doctors and hospitals have made major investments in health IT "on the good word of Congress," he said.

An attendee of the HIMSS Policy Summit – a sort of pep rally for HIMSS members to promote HIT on the Hill – recommended that Congress all be encouraged to use Blue Button to access their personal health data. This would "crystallize quite clearly" where things stand with regard to health IT today. We need more time and support, the attendee said, and Mostashari and other attendees agreed.

Mostashari praised the meaningful use incentive program, noting that "we've made great steps." He predicted that Stage 2, set to begin in 2014, will bring about even more "incredible progress."

The use of electronic health records is "ultimately about population health," Mostashari said. "You have to care more about the people who didn't walk into your door, than those who did." The meaningful use program is intended to go from measuring quality at the start, to accounting for population health. "That's why doctors are doing what they're doing, [and] that's why we're doing what we're doing," he said of federal regulators.

At a visit to the Cleveland Clinic recently, Mostashari said he observed health data exchanged between the clinic and other local facilities, using compatible coding that transferred the data easily. "They do it all day, every day," he said. "So don't tell us that exchange isn't happening."

[See also: "Stage 2 MU released at last."]

Two years ago, the industry wasn't there, he said of health information exchange. The patient information wasn't packaged and ready to code medications and lab reports in the same record. But things have changed, Mostashari added. He praised the industry and the marketplace for pushing it forward.

The industry came together with a consensus and pilots and working groups, which resulted in the meaningful use Stage 2 rule, Mostashari said. "We're light years ahead of where we could possibly have been in Stage 1," he added, noting that he believes meaningful use Stage 2 will necessitate a push from the industry for health information exchange standards.

It will be important in the near future to tap into "the biggest underused resource – the patient," Mostashari said. Providers will have to "be sticky," and attract patients to their services because patients will no longer be limited to the provider that holds their health information.

Said Mostashari, speaking to doctors as a doctor: "We have to make them want to come to us."

By Diana Manos, Senior Editor

"Mostashari: No cap on EHR incentive payouts," Healthcare IT News (September 13, 2012)

EHR hackers turn to extortion

Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records.  Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.

This case should serve as a reminder to healthcare providers that, in addition to significant concerns regarding securing patient data from unlawful access, use or disclosure, such organizations should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a "hostage" situation like the one described below.

Via Bloomberg News:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.  

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

“This story is so ironic -- most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors -- in fact, nobody -- can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach
The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.

Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

One case involved Express Scripts (ESRX), the large prescription-drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality
In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

By Jordan Robertson

"Hacking Expecting [sic] To Increase As More Facilities Institute EHRs," Bloomberg News (August 10, 2012)

Majority of health care providers have entered electronic age

Over half of U.S. doctors now use electronic medical records, and half of the remainder plan to start in the coming year, a new poll has found.

Via HealthDay:

TUESDAY, July 17 (HealthDay News) -- A majority of U.S. physicians have now adopted an electronic health record system as part of their routine practice, a new national survey reveals.

The finding is based on responses provided by nearly 3,200 doctors across the country who completed a mail-in survey in 2011. The survey was conducted by the U.S. Centers for Disease Control and Prevention's National Center for Health Statistics as part of an ongoing three-year effort (continuing through 2013) designed to assess perceptions and practices regarding electronic health record systems.

Specifically, the poll found that 55 percent of U.S. doctors have embraced some type of electronic health record system. And roughly 75 percent of those who have done so reported that the type of system they took on meets the criteria of playing a "meaningful" role in their practice, according to the terms of 2009 federal legislation (entitled the Health Information Technology for Economic and Clinical Health Act) designed to promote the use of electronic health records.

What's more, 85 percent of those doctors who now have an electronic health record system in place said they are either "somewhat" or "very" satisfied with its day-to-day operations (47 percent and 38 percent, respectively). And three in four said patient care has improved as a result of electronic health record adoption.

The poll also indicated that among those who have yet to embrace an electronic health record system, almost half said they plan to do so in the coming year.

Physician age seems to have played a role in how likely a doctor was to have already brought an electronic health record system into their practice, the findings showed. While 64 percent of those under the age of 50 have done so, the poll revealed that the same was true of only 49 percent among those aged 50 and older.

Office size also seems to matter, with larger physician practices being more likely to have incorporated an electronic health record system into their administrative infrastructure. Specifically, 86 percent of offices with 11 or more physicians on site had taken on such a system, compared with roughly 60 percent to 62 percent of those with two to 10 physicians and just under 30 percent of single-doctor practices.

But although some kinds of specialists (such as surgeons) were somewhat less likely to have implemented an electronic health record system, race, gender and physician location did not seem to play a role in the likelihood that a doctor's office would or would not bring the technology into their workplace.

Eric Jamoom, of the health care statistics division of the U.S. National Center for Health Statistics, and colleagues published their findings July 17 in the NCHS Data Brief.

More information

For more on electronic health records, visit the U.S. National Library of Medicine.

-- Alan Mozes

SOURCE: U.S. Centers for Disease Control and Prevention, news release, July 17, 2012

Copyright © 2012 HealthDay. All rights reserved.

"U.S. Doctors Embracing Electronic Health Records: Survey," HealthDay (July 17, 2012)

HHS awards over $650 million in EHR incentive payments

HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems. 

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare.  Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

 Through Aug. 31, 2,054 hospitals have registered with the CMS to receive Medicare incentive payments. Hospitals that registered as dual-eligibles need to attest to having met meaningful-use targets under the Medicare portion of the program. But only 114 of the registered hospitals—less than 6%—have attested to being meaningful users. They have split about $226 million in Medicare EHR incentive payments.

Similarly, for the same period, 71,378 physicians and other "eligible professionals" have registered with the CMS under the Medicare EHR program, but only 2,129—or about 3%—have shared in $38.3 million in Medicare EHR payments. Unlike hospitals, professionals can't participate in both the Medicare and the Medicaid incentive programs. They must choose one.

According to the CMS, 15 hospitals have been paid solely under state-run Medicaid programs; they have received $32.9 million. In addition, 294 hospitals registered as dual-eligibles have been paid $262.2 million by Medicaid. There have been 4,463 physicians and eligible providers paid $93.9 million under Medicaid, according to the CMS.

You can find the CMS summary and charts relating to EHR incentive payments by clicking here.

"CMS: $653 million in EHR incentives paid," Modern Healthcare (September 22, 2011).


iPad EHR app certified for meaningful use

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ATCB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over.  Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

"iPad EHR gains meaningful use certification," Healthcare IT News (July 29, 2011).

"FDA's mobile medical app guidelines get everybody talking," Healthcare IT News (July 26, 2011).


Medicare EHR incentives attestation to begin on April 18, 2011

CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.

CMS also released a preview of the Attestation System. This preview includes attestation screenshots and is intended to give examples of what the attestation process will look like. CMS promised to release additional information about the attestation process soon, including "User Guides" that will give step-by-step instructions for completing attestation, along with educational webinars that describe the attestation process in depth.

Finally, CMS noted that providers will follow a similar process using their state's Attestation System. Such providers may find their state's scheduled launch dates of their Medicaid EHR Incentive Program by clicking here.

You can download the preview by clicking here.

For more information, please visit CMS's EHR Incentive Program web site.


Registration for CMS EHR Incentive program is now open

The Centers for Medicare & Medicaid Services (CMS) opened the registration process for eligible hospitals and professionals hoping to capitalize on the incentive payments provided under the HITECH Act. Each such hospital or professional needs to register with CMS in order to receive such payments, and CMS encourages all eligible healthcare providers to register as soon as possible.

You can find the EHR Incentives Program registration page by clicking here.

According to Government Health IT, over 4,000 providers have already registered with CMS. Several states have also launched registrations for their Medicaid incentive programs.  Moreover, hospitals in Oklahoma and Kentucky have already begun receiving incentive payments:

Kentucky processed payment to the University of Kentucky Healthcare, the university’s teaching hospital, for $2.86 million. The first payment amounts to one-third of the hospital’s overall expected amount for participating in the program, according to CMS. Oklahoma issued payments to two physicians at the Gastorf Family Clinic of Durant, Okla., for $21,250 each for having adopted certified EHRs.

Besides Kentucky and Oklahoma, registration is available for the Medicaid EHR incentive program in Alaska, Iowa, Louisiana, Michigan, Mississippi, North Carolina, South Carolina, Tennessee and Texas.

In February, registration will open in California, Missouri, and North Dakota. Other states will likely launch their Medicaid EHR incentive programs during the spring and summer of 2011.

You can learn more about registration for Medicare incentives for eligible professionals by clicking here; and for Medicaid incentives for eligible professionals by clicking here. A similar CMS guide for both Medicare and Medicaid incentives for eligible hospitals can be found here.


New York State plans country's largest health information network

 Via Democrat and Chronicle (Rochester):

The New York state Department of Health and a public-private partnership called New York eHealth Collaborative, or NYeC (pronounced "nice"), recently announced plans to spend $129 million in state and federal money to create a statewide network for electronic medical records, to be complete in 2014. Like the highways, they envision the network as a public utility that will allow medical providers anywhere in the state to view — with your permission — a list of your medications, any allergies and any recent X-rays or other tests that could help guide your care. The e-records network would be the largest in the country, dwarfing networks of other states and the Veterans Administration.

The planned statewide network, called Statewide Health Information Network for New York or SHIN-NY, is intended to serve more than 200 hospitals, thousands of medical practitioners and up to 20 million patients a year.

You can read more about NYeC here.

GAO report: EHRs can improve patient care

The U.S. Government Accountability Office (GAO) released its report on integrated delivery systems (IDSs) in healthcare. The report found that electronic health record systems (EHRs) are able to improve patient care among such IDSs.

Via GAO:

Some IDSs said that using EHRs supports their patient care strategies such as care coordination, disease management, and use of care protocols by increasing the availability of individual patient and patient population data and by improving communication among providers.

All 15 IDSs which took part in this study have implemented EHR systems. Mayo Clinic, one of the participants, reported that "the EHR helps avoid overutilization and duplication of services."  Several other IDSs reported significant savings because of EHR use, including Marshfield Clinic in Wisconsin, which reported that its e-prescribing feature reduced "errors related to illegible handwriting and unintentional drug interactions." In addition, Marshfield's EHR requires physicians to consider appropriate "preferred alternatives" for prescription drugs, saving payers and patients $2.5 million in 1 year.

You can find the full report here.

"Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care, but Systems Face Challenges," U.S. Government Accountability Office, GAO-11-49 (November 16, 2010).


U.S. healthcare providers hesitant about "offshoring" EHRs to India

Will American healthcare providers, like major companies in other sectors of the economy, outsource their electronic medical records systems and maintenance offshore, especially to an established tech industry in India? According to the Wall Street Journal, Indian technology vendors face a significant amount of skepticism regarding outsourcing health IT to India. 

While major tech companies routinely use data centers, service desks and other products and services in India, healthcare providers are not used to such outsourcing arrangements. Indian IT companies like HCL, InfoSys, and Wipro are trying to tap into the booming health IT market in the United States. However, they face a number of important challenges, including concerns over privacy, security and integrity of protected data, breadth of experience in the industry, and ease of implementation of such systems. One prominent CIO described this challenge succinctly in the Journal:

Designing and installing new medical systems 'is hard to do off site, let alone offshore,' says Darren Dworkin, chief information officer of Cedars-Sinai Medical Center in Los Angeles. Cedars-Sinai is close to finishing a four-year, $100-million project to install an electronic medical-records system. Mr. Dworkin says that 80% to 90% of the work isn't the sort of commodity coding that is easily outsourced, instead requiring an intimate knowledge of the hospital's terminology and how its doctors and nurses work.

You can read the full article by clicking here.

"Qualms Arise Over Outsourcing Of Electronic Medical Records," Wall Street Journal (November 2, 2010).


Our column in Government Health IT on RECs and HIT contracts

Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs.  Via Government Health IT:

RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.

With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.

In this environment, strong and effective contracts between healthcare providers and health IT vendors are especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer, in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.

You can read the full column by clicking here.


Study: Less than 7% of doctors email patients

According to a new study by the Center for Studying Health System Change, less than 7% of U.S. physicians communicate with their patients via e-mail. According to the Wall Street Journal, most physicians did not have access to electronic health records or other health information technology allowing secure communication with patients online. Yet even among those physicians with access to such technology, only 19.5% reported communicating with patients via email regularly.

Via the Journal:

This survey didn’t ask non-emailing physicians why they weren’t trading LOLs and emoticons with their patients, but the CSHSC brief has a host of previously cited reasons: “lack of reimbursement, the potential for increased workload, maintaining data privacy and security, avoiding increased medical liability and the uncertain impact on care quality.” (Given that list, it’s hard to figure out why any physician would choose to email patients.)

Doctors working in practices that have already converted to electronic medical records were more likely to communicate with patients via email. So were physicians in HMOs or academic centers, compared to those in solo or two-doctor practices.


 Given the reimbursement issue, it’s not surprising that physicians on a fixed salary were more likely to communicate with patients than those with other compensation arrangements. (Aetna and Cigna are among the insurers reimbursing providers for communicating with patients via secure messaging.) Other options for compensation include a set per-patient fee paid to physicians for agreeing to coordinate care using email and other means or an annual fee paid directly by patients for email access privileges, the brief says.

Policy types “might more systematically explore whether email or other secure electronic communication with patients can deliver on its promise to enhance communication, increase patient engagement and satisfaction, improve patient outcomes and quality of care and boost efficiency,” the brief says. If email does all (or some) of that, “expanding incentives to encourage email communication between physicians and patients might be a worthwhile investment.”

"You've Got Mail - But Not From Your Doctor," Wall Street Journal (October 7, 2010).


CCHIT to launch certification process on September 20, 2010

According to Karen Bell, MD, chair of the Certification Commission for Health Information Technology (CCHIT), her organization will begin accepting applications for HHS certification as early as September 20, 2010. Via Healthcare IT News:

CCHIT is authorized to offer HHS certification for complete EHRs that meet all of the Stage 1, 2011/2012 HHS/ONC criteria, as well as certification for modular EHR products that meet one or more - but not all - of the criteria, Bell said.

According to Bell, CCHIT plans to launch its authorized HHS certification program on Sept. 20 at 1 p.m. Eastern time with a Town Call Webcast describing its application and testing process. CCHIT will take new health IT developer applications immediately after the Webcast and the first group of HHS certified complete EHRs and EHR modules will be announced within weeks of that launch.

In addition to HHS certification, CCHIT will continue to offer its CCHIT Certified program for ambulatory and inpatient EHR products that exceed the HHS/ONC criteria and are designed for hospitals and physician practices that are looking for assurance of more robust, integrated EHR products to support the unique needs of its clinicians and patients. Many of these products will also be HHS certified, Bell said.

You can read more about CCHIT's plans here.



CCHIT and Drummond picked as ONC-ATCBs

Via HHS Press Release:

The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.

Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified,” said David Blumenthal, M.D., national coordinator for Health Information Technology. “This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”


Applications for additional ONC-ATCBs are also under review.

Certification of EHRs is part of a broad initiative undertaken by Congress and President Obama under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH created new incentive payment programs to help health providers as they transition from paper-based medical records to EHRs. Incentive payments totaling as much as $27 billion may be made under the program. Individual physicians and other eligible professionals can receive up to $44,000 through Medicare and almost $64,000 through Medicaid. Hospitals can receive millions.

To qualify for the incentive payments, providers must not only adopt, but also demonstrate meaningful use of, certified EHR systems. The law envisions that defined meaningful use requirements will help ensure that the patient and provider benefits of EHRs are realized. Initial meaningful use criteria were defined in a final rule issued by the Centers for Medicare & Medicaid Services (CMS) on July 28.

In addition to the CMS rule, ONC also issued standards and certification criteria for EHRs on July 28, aimed at ensuring that EHR systems will support the specific tasks required under meaningful use. Also, through regulations issued on June 24, ONC created a system by which technology review organizations could also qualify as ONC-ATCBs that will certify EHR products as meeting the requirements necessary for meaningful use.

With the initial two ONC-ATCBs now named, EHR vendors can apply to them for certification of their products. By purchasing certified products, providers will have assurance that the products will support achievement of the meaningful use objectives.

“Multiple steps are underway to carry out the intent of Congress in supporting rapid and effective adoption of EHRs throughout our health care system,” Dr. Blumenthal said. “The naming of initial ONC-ATCBs is one important step. Actual certification of multiple vendors’ systems by the ONC-ATCBs is an important next step. CMS is also working to create an online system for providers to register and attest for the EHR incentive programs. The first incentive payments are targeted to be made in May 2011. Meanwhile, ONC is also carrying out new programs of technical assistance and training, especially for smaller hospitals and physician practices.”

Dr. Blumenthal said the Health IT initiative “is on an aggressive schedule to meet the urgent targets set by Congress and the President toward realizing the quality and safety improvements that we can achieve through health information technology.”

To learn more about the ONC-ATCBs named today visit www.cchit.org and www.drummondgroup.com.

For more information about the ONC certification programs visit http://healthit.hhs.gov/certification.

For more information about other HHS Recovery Act Health Information Technology funding and programs, visit http://www.hhs.gov/recovery/programs/index.html#Health.


Steve Fox interviewed by InformationWeek about EHR contracts

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors. In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provisions therein. Via InformationWeek:

"Many health IT vendors offer online contracts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.


Steve also opined on the reluctance of vendors to promise meeting future regulatory requirements, including the upcoming standards for Stages 2 and 3 of meaningful use:

"We do know there will be new meaningful use requirements for Stage 2 and 3, and it's a moving target. Many vendors are unwilling to agree to future, unknown regulations, saying 'We don't know what we don't know,' but vendors need to remember that providers are paying them a lot of money for support and maintenance to meet those requirements. This is a big area of tension between providers and vendors right now," Fox said.

Finally, Steve offered a few suggestions on some of the critical provisions relating to data access and ownership, as well as safeguarding the privacy and security of protected data:

For those providers adopting software-as-a-service models to outsource their EHRs, Fox recommends that providers restrict vendors from holding data "hostage" and ensure unfettered access to customer data, including protected health information (PHI), on vendors' systems.

He also said providers should insist that vendors routinely back-up data and mandate the return of customer data upon termination of the contract as well as ensure security of data and access to such data if the vendor goes out of business.

With regard to security, Fox said providers need to stress confidentiality of PHI and make clear who owns the data and establish guidelines for the use of data by a vendor. Healthcare providers should also negotiate agreements that include intellectual property issues, obligations of nondisclosure, remedies for breach of patient information, and indemnification obligations.

"Health IT Contracts Offer Little Protection For Buyers," InformationWeek (August 24, 2010).


NIST Publishes Approved Testing Procedures for EHRs


In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see "NIST, Partners Develop Testing Infrastructure for Health IT Systems," NIST Tech Beat for March 16, 2010, at http://www.nist.gov/itl/hit_031610.cfm), the approved and finalized testing procedures are now available for use.

Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor's offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to "meaningful use," performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.

Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see http://healthcare.nist.gov/use_testing/finalized_requirements.html and http://healthit.hhs.gov/certification

CMS launches web site for incentive payment programs

CMS launched a very useful Web site, http://www.cms.gov/EHRIncentiveprograms, providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act.  The site provides up-to-date, detailed information and many important links and "fact sheets" about the incentive programs, including overviews of CMS's final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.  

It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.

CMS issues final rules on Meaningful Use

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records.  According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

  • Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
  • An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010.
  • CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here.  Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.

At the same time, ONC issued another final rule, finalizing the "standards and certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they adopt are capable of performing the required functions."  You can find a copy of this final rule by clicking here.

Stay tuned for much more analysis of the final rules published today, as well as the changes to HIPAA Privacy and Security Rules issued by OCR last week.

Breaking: ONC releases final rule on temporary EHR certification

On June 18, 2010, the Office of National Coordinator for Health IT issued a final rule, 45 CFR Part 170, establishing a temporary EHR certification program for the purposes of testing and certifying health information technology.

The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid EHR Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.

You can find the new final rule here.

You can find ONC's "Fact Sheet" and Q&A regarding certification here.

Allscripts and Eclipsys announce $1.3B merger

Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match "made in heaven" due to Allscripts's strength in the ambulatory space and Eclipsys's strength on the acute side.  The merger is expected to be completed in four to six months; the combined company will have around 5,500 employees.  The merger will also pose some challenges for the combined entity, with some customers worrying that the merger will distract management from dealing with existing issues.  However, analysts believe that Allscripts's smooth merger with Misys in 2008 is a good sign that this merger with Eclipsys will succeed.

Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA.  According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019. 

This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.

"Allscripts-Eclipsys: 'A match made in heaven' - mostly," Healthcare IT News (June 10, 2010).

Definition of "hospital-based eligible professional" amended

Courtesy of the American Health Lawyers Association:

On April 15, 2010, President Barack Obama signed into law the "Continuing Extension Act of 2010" (Public Law 111-157). Section 5 of the Act contains "EHR Clarification" provisions which amend the definition of "hospital based eligible professional" that was created under the American Recovery and Reinvestment Act of 2009 (ARRA). As background, ARRA created incentives for the adoption and meaningful use of certified electronic health record (EHR) technology. However, the ARRA additions to the Social Security Act (42 U.S.C. 1395w-4) contained a limitation providing, in part, that no incentive payments would be made for these hospital-based eligible professionals.

This term was originally defined to include any professional who furnishes substantially all of the relevant services in a hospital "setting (whether inpatient or outpatient)." The new EHR Clarification provisions amend the ARRA definition/exclusion to only apply to a professional who furnishes substantially all of the relevant services in a hospital "in-patient or emergency room setting." The effect of this amended definition is that physicians practicing in an outpatient hospital setting are not excluded from and are now eligible to participate in the ARRA Medicare/Medicaid incentive programs.


CHIME comments on EHR certification NPRM

In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents 1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program. While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIOs are worried about any destabilizing effects such a rule may have on the health IT market. Via Healthcare IT News:

"We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations," CHIME wrote. "The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace."

CHIME issued a few recommendations to combat such uncertainty, which you can find after the jump.

CHIME called for:

  • Temporary process to be a provisional or interim one that builds on current certification strategies and is "harmonized" with the eventual permanent certification process. According to CHIME, certification process should be the responsibility of the vendor, and that the purpose of certification should be to provide healthcare providers and professionals with assurance that the product they are purchasing can help them achieve meaningful use.
  • More specificity in language to define what constitutes a self-developed EHR. Current wording in the regulation suggests that any complete EHR or EHR module that's modified by a healthcare provider or a contractor could require certification.
  • Changes in certification requirements be made only when they are necessary to meet meaningful use evolution or advance interoperability, not just because a certain amount of time has passed.
  • If CMS maintains the "adoption year" approach originally advanced in proposed regulations, providers should not be required to have products certified for capabilities not required in their current adoption year.
  • Individual EHR modules be certified to ensure that they can communicate according to adopted standards, and that the interoperability of those modules as used by providers be deemed as certified.
  • HIT vendors fully disclose functions for which their products are certified and fully disclose known compatibility issues.
  • In the event of a certification body losing its authority to certify products, vendors should have six months to recertify products, and providers should not be penalized for a change in a product's certified status if they are still able to demonstrate the meaningful use of the technology.

"CHIME raises concerns about EHR certification," Healthcare IT News (April 9, 2010).

Steve Fox Interviewed on Negotiating EHR Agreements

As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:

Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.

“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.

“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.


You can read the full article here.

"IT Vendor Negotiations in the ARRA Era," For the Record (February 15, 2010).

Breaking: ONC releases NPRM on certification programs

ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs.  Via ONC Press Release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.


To this end, an NPRM proposing the establishment of certification programs for purposes of testing and certifying health information technology was issued in March 2010 with a request for comments. The NPRM proposes:

* A temporary certification program to assure the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments would begin to report demonstrable meaningful use of Certified EHR Technology.

* A permanent certification program to replace the temporary certification program.

You can learn more about this new NPRM here.

You can find the full text of the NPRM here.


Free Webinar on Meaningful Use: Slides included below

Here are the slides from  our February 25, 2010 Webinar on Meaningful Use.  This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  Steve and I discussed:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Thursday: Free Webinar on "Meaningful Use"

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  We will discuss:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.


Obama administration announces $975M in HIT grants

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states, which are expected to train around 15,000 people in health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

According to the Wall Street Journal's Washington Wire blog:

“Patient privacy is the top priority,” Health and Human Services Secretary Kathleen Sebelius said. The agency is about to appoint a chief privacy officer, and the government has strengthen [sic] the penalties for negligent security breaches for companies so they reach up to $1 million.

"Electronic Medical Records get a boost," Washington Wire (February 12, 2010).

"Obama awards money for electronic medical records," Associated Press (February 13, 2010).

Negotiating vendor-financed EMR transactions

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology.   This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use"  incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options.  A complimentary PDF copy of the article is available here.

Updated: Meaningful Use Definition Released in the Federal Register

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology.  You can find the full text here.*

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.  You can find this interim rule here.*


* These are links to PDF versions of the NPRM and IFR published on January 13, 2010 in the Federal Register.

GE and Siemens provide new financing options for Health IT purchases

On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...>  Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

Back in June of 2009, GE announced its $2 billion commitment as part of its Stimulus Simplicity program. According to the Wall Street Journal, GE, through its GE Capital division, “expects to offer $100 million in interim financing to hospitals and health-care providers for projects that are expected to qualify for funds from the U.S. government's economic-stimulus package. GE said the move offers doctors, community health clinics and hospitals a bridge to qualify for stimulus funds and faster access to electronic medical records.” While the “meaningful use” definition and the EHR certification are not yet finalized, GE guarantees that its EHRs will meet the upcoming requirements, regardless of the details of the final rule. Like IBM’s program, GE’s financing is also restricted specifically for GE Centricity, GE’s EHR product.

On December 24, 2009, GE extended the financing terms available for its Centricity EMR software to other health IT products, including Centricity Enterprise and Centricity Business, a financial and administrative tool for providers.  According to Healthcare IT News:

GE executives say they have seen strong interest in the program, with demand exceeding $140 million in sales opportunities.

In the current economic environment, vendor financing may be the best (if not the only) option for healthcare providers seeking to qualify for incentive payments under ARRA.  However, such  providers should be aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept standard contractual terms and conditions; (2) failing to obtain necessary warranties from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendors’ products fail to achieve certification, or the provider fails to achieve “meaningful use” in a timely manner, as well as a host of other issues. 

These issues are the subject of an upcoming article by yours truly in the Journal of Health Information Management. We will link to the article when it becomes available online.

"Siemens Unveils Flexible Financing Solutions to Help Providers Achieve Meaningful Use," Fierce Healthcare (December 16, 2009).

"GE expands healthcare IT loan program," Healthcare IT News (December 24, 2009).

"GE Unit Offers Interim Loans to Hospitals, Health-Care Providers," The Wall Street Journal (June 16, 2009), B3.

"G.E. Offers Loans for E-Health Record Purchases," New York Times Bits Blog (June 15, 2009).

PWC report projects booming market in personalized medicine

The new science of personalized medicine, a new report on the $232 billion personalized medicine industry by PriceWaterhouseCoopers, anticipates an annual 11% growth in this market.  Health IT and telemedicine are among the key drivers for personalized medicine. 

According to Healthcare IT News, the report's findings include:

  • The core diagnostic and therapeutic segment of the market – made up primarily of pharmaceutical, medical device and diagnostics companies – is estimated at $24 billion and expected to grow by 10 percent annually, reaching $42 billion by 2015.
  • The personalized medical care portion of the market – including telemedicine, health information technology and disease management services offered by traditional health and technology companies – is estimated at $4 billion to $12 billion and could grow to more than $100 billion by 2015 if telemedicine takes off.
  • The related nutrition and wellness market – including retail, complementary and alternative medicines offered by consumer products, food and beverage, leisure and retail companies – is estimated at $196 billion and projected to grow 7 percent annually to more than $290 billion by 2015.

You can find the full report here.

"IT helps drive $232B personalized medicine market," Healthcare IT News (December 8, 2009).

New York Times: New study shows little improvement for EMR users

The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.

The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.

In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.

Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.

The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:

“There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more,” said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.”

"Little Benefit Seen, So Far, in Electronic Patient Records," New York Times (November 16, 2009).


Timely advice: Begin preparations for "meaningful use" now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act. 

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.


Oakes suggests several initial steps to EHR implementation:

  1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
  2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
  3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor.  Considering the huge increase in demand in HIT services, it is important to secure your vendor's support and involvement early on, so that your organization does not end up at the end of the line.
  4. Know the health IT market because your organization will benefit from having the most customized solution (as opposed to, e.g.,  the most expensive or feature-rich), at the right price.

"Get started!" urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA's Health IT Law and Industry Report, here.

CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 


"Charting a New Course," CBS News (September 13, 2009).

New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine. After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.


On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.


There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything else that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).



In the news: Blumenthal on "meaningful use," new health information management jobs, etc.

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide.  Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare.  AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.

Much more news after the jump.


  • American Medical News reported on the staffing changes for healthcare organizations necessitated by the nationwide switch to electronic health records. According to the article:

There are some assumptions about staff changes that are easy to make, experts say. Any job that was strictly paper-based prior to implementation, for example, will need to be overhauled or eliminated.

Other changes are not so easy to predict, and could depend on how willing your employees are to adapt and learn new skills.

  • According to Crain's Detroit Business, urban hospitals lag behind rural hospitals and physicians' practices in joining health information exchanges (HIE's) because such HIE's pose a combination of monetary, strategic, and technological challenges.
  • Washington Post reported on a pilot project in Ohio aimed at streamlining the cost of healthcare administration.  The state's eight major health insurers - representing 91% of the patients - have signed on to participate in this initiative.  The Post described the program as:

a single Web portal [that the participants] believe will reduce duplication, miscommunication, and confusion between doctors and insurance companies. That will mean quicker office and hospital service, more time for patient care, and, ultimately, cost savings, participants said.

  • Healthcare IT News reported that, according to e-prescribing company Surescripts, "the number of physicians using electronic prescribing will have more than doubled in 2009" and that "more than 140,000 – 23 percent of all office-based physicians, nurse practitioners and physician assistants in the United States – are e-prescribing today."
  • USA Today reported on the various hardships and setbacks to widespread implementation of EHRs.  The article ended on a somewhat hopeful note, with a great quote by Stephanie Reel, the CIO of Johns Hopkins University:

We've been saying that we're five years away from electronic medical records for the past 40 years ... Now maybe we really are only five years away.

"Meaningful" Progress Toward Electronic Health Information Exchange, David Blumenthal, MD (October 1, 2009).

"Specialists, primary care providers differ in meaningful use," Government HealthIT (October 6, 2009).

"Health IT effort to create thousands of new jobs, says Blumenthal," Healthcare IT News (October 6, 2009).

"How electronic medical records affect staffing," Amednews.com (October 5, 2009).

"Slow with the flow: Hospitals lag in joining health info exchanges," Crain's Detroit Business (October 4, 2009).

"Paperwork angst drives Ohio doctor, insurer effort," The Washington Post (October 5, 2009).

"More than 140,000 physicians on growing list of e-prescribers," Healthcare IT News (October 5, 2009).

"High-tech 'scribes' help transfer medical records into electronic form," USA Today (October 7, 2009).



A note of caution about vendor guarantees on "meaningful use"

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS.  In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year.  There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal standards at the time such standards are issued, as well as for the duration of the applicable license. "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential. Healthcare providers must also include proper remedies and appropriate carve-outs from the vendor's limitation of liability for a vendor's breach of such warranties.

Of course, such warranties are just the tip of the iceberg.  If meeting "meaningful use" criteria is essential to your healthcare organization, your EMR license agreements should include robust testing and acceptance provisions; vendor warranties regarding meeting major milestones on time; warranties regarding compliance with patient information privacy and security laws; clauses securing your ownership and access to patient data, along with many other significant provisions.

"HITS Beyond: IT vendors say products will meet unknown guidelines," Modern Healthcare (September 28, 2009).

PWC Survey Findings May Support North Shore's EMR Gamble

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records.  Interestingly, this subsidy does not include or prevent such physicians from qualifying for the approximately $44,000 in Medicare incentive payments under ARRA. 

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals."  However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data. 

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes.  A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning.  The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data.  Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

The Times implied that with this move, North Shore may be seeking a competitive advantage as well:

Digital links, analysts say, can also tighten the bonds between doctors and the hospital groups that subsidize the computerized records. In most local markets, independent physicians typically have admitting privileges at more than one nearby hospital, and so hospitals compete for doctors as well as patients.

There are, of course, risks associated with the North Shore program, including significant delays or even failure to realize significant savings from the EMR adoptions, or the uncertainty about the privacy and security measures for sharing patient data among affiliated providers.

However, both the North Shore program and the PWC survey findings suggest that the often reluctant physicians are beginning to accept the inevitability of the widespread use of electronic health records, and are trying to capitalize on the many benefits of EMR systems, including potential for improving the quality of care and reducing costs.

According to the Healthcare IT News, the PWC survey found that the "data that could be mined from a health system can improve patient care, predict public health trends and reduce healthcare costs," though "a lack of standards, privacy concerns and technology limitations are holding back progress."  In particular:

  • Nine in 10 healthcare executives believe that the secondary use of health information will significantly improve the quality of patient care and offers the promise of even greater benefits in the future.
  • Nearly two thirds (65 percent) of health organizations say they expect their secondary data use to increase significantly within the next two years.
  • Among organizations already using some form of secondary data, 59 percent have seen quality improvements, 42 percent have achieved cost savings, 36 percent have seen patient/member satisfaction improve and 29 percent have increased revenue.
  • Providers who are not using secondary data say the number one reason is lack of EHR implementation, not because they are opposed to the concept. Health plans are farthest behind in their secondary use of data despite their vast repository of comprehensive claims information from physicians, hospitals, pharmacies and dentists.
  • Ninety percent of pharmaceutical companies have limited or no access to health information contained in electronic health records.
  • Most health organizations that use secondary data do so for their own quality monitoring and reporting and for identifying areas that need quality improvement.

"E-Records Get a Big Endorsement," The New York Times (September 28, 2009).

"Survey: Secondary use of electronic health data will improve care, cut costs," Healthcare IT News (October 1, 2009).

Health IT Market Heats Up

The last few weeks saw a tremendous amount of activity in the health IT market.  Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States.

Dell is quickly establishing itself as a major player in health IT.  In April 2009, Dell aligned itself with Wal-Mart and eClinical Works to supply hardware for Wal-Mart's new EHR system.  Last month, Dell rolled out its own EHR system aimed at physicians affiliated with hospital practices, with Tufts Medical Center and Memorial Hermann Health Care System among the early adopters. 

Even more significantly, on September 21, 2009, Dell announced its plans to acquire the health IT vendor Perot Systems Corp. for $3.9 billion. Perot is a major player in the healthcare industry: about half of Perot's $2.8 billion in annual revenue comes from the healthcare market, and as many as half of the hospitals that outsource their IT are Perot clients. Perot runs over 3,000 healthcare applications for its clients, though the company does not have a preferred provider arrangement with a specific application vendor.

A mere week following Dell's announcement, Xerox's CEO Ursula M. Burns revealed her company's "game-changer" plan to buy Affiliated Computer Services (ACS) for $6.4 billion.  According to IT World:

ACS may be in a good position to get even more business in the next few years as the federal government starts spending billions of dollars to help health care providers create electronic medical records systems. ACS said that health care projects account for about $1 billion of its $6.5 billion in revenue for the year ended June 30.

While the Dell and Xerox acquisitions grabbed most of the spotlight this week, other Wall Street giants, like Wal-Mart Stores, Inc., Intel and Google, have made significant inroads into the health IT market. Healthcare consultants Frost & Sullivan, as cited in Healthcare IT News, see an expanding market which will benefit new players.

Companies with a fresh, outside perspective will be invaluable to improving healthcare delivery and producing the next generation of medical technology <...> The enormous demand for new technology and solutions to address both the clinical needs of patients and the systemic problems of healthcare delivery will create opportunities for companies with the foresight to identify and capitalize on opportunities.

However, Frost & Sullivan also cautions companies against jumping into this industry without considering potential downsides, including the incredibly complex regulatory framework governing U.S. healthcare.

Joseph Conn, "Dell's HIT Power Play," Modern Healthcare (September 28, 2009).

"Dell to Buy Perot Systems for About $3.9 Billion," The New York Times (September 21, 2009).

"Major corporations looking for stake in healthcare, medical technology market," Healthcare IT News (October 1, 2009).

"Doc, you're getting a Dell (EMR)," Healthcare IT News (September 10, 2009).

"Xerox Buys Affiliated, Fueling Shift to Services," The New York Times (September 28, 2009).

"With ACS, Xerox will gain a firm growing quickly offshore," IT World (September 28, 2009).


Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information officer of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

New York Times reports on privacy concerns about use of de-identified health information

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drug information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHR's) and personal health records (PHR's) on privacy and security of patients' protected health information.  

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).



HIT and the practice of medicine in Texas

While we anxiously await ONC's preliminary definition of "meaningful use" (due to be published on Thursday of this week), let us consider the future of American healthcare through the prism of recent industry analysis and new developments in Texas.

The New York Times Bits blog had a posting today about "an ambitious experiment" at the Cook Children's Health Care System in Ft. Worth, Texas.  Cook Children's is implementing a new EHR technology system (see details after the jump) which the administration hopes "will help the clinic improve care management and curb costs."  This outcome-oriented approach is also consistent with the payment and reimbursement structure at the clinic: "a capitated payment -- a set annual payment for each patient, instead of the standard fee-for-service system of American health care."

This development reminded me of Atul Gawande's fascinating article in The New Yorker last month about the bottom line-driven culture of hospitals and medical practices in McAllen, TX, which, according to his analysis, may lead to significantly higher cost of health care, while showing no real improvement in the quality of care.  The article contrasts the McAllen model with an outcome-oriented, collaborative model of practice of medicine in such healthcare enterprises as the Mayo Clinic in Minnesota and Grand Junction in Colorado, which produce better quality of care while significantly lowering costs.

According to the Bits blog:

[Cook Children's] plans to install Web-based electronic health records and data integration technology at its 60 offices and clinics throughout Texas. It is also offering personal health records, controlled by the families of its young patients, that can follow them throughout their lifetimes.

The Web-based health records will be supplied by AthenaHealth, while the data integration software and personal health records will come from Microsoft.

The most intriguing thing Cook Children’s has planned is probably its prototype Innovation Clinic. It will be a small physician office, with two or three doctors. Small practices are the biggest challenge for electronic health-record adoption, since they cannot afford full-time technical helpers. The 2,000 to 3,000 patients will be from Medicaid families — lower-income homes where chronic health problems are most common.

The clinic, said Ryan Champlin, vice president of operations for Cook Children’s, will emphasize family engagement and preventive care.

Is outcome-oriented practice of medicine the answer to some of the major problems of the U.S. healthcare system? Will the final health reform bill, if passed, incentivize or address these issues?  While the answers to such questions remain uncertain, it is clear that health IT will play a crucial role in the future of healthcare in the U.S., and is absolutely essential to the collaborative medicine model adopted by providers like Cook Children's.

Atul Gawande, "The Cost Conundrum," The New Yorker (June 1, 2009).
"Electronic Health Records: A Texas Model," The Bits Blog (July 13, 2009).

Washington Post examines HIMSS role in securing HIT stimulus funding

The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included in the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill.  The Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort.  According to the Post:

[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.

You can read the whole article here.

Steve Fox featured in For the Record's May 2009 Cover Story

Steve Fox was interviewed in this month's Cover Story "The Big Push", in For the Record, a biweekly  magazine for health information management professionals, regarding the incentives and challenges of EHR adoption.  On incentives included in the HITECH Act, Steve argued that:

“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”

Steve also identified interoperability as a crucial goal for EHR systems:

“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”

You can read the full article here.

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (MercuryNews.com, via AP, March 30, 2009.)
  • The Wall Street Journal reported last week that HIT stocks, especially smaller companies like eClinicalWorks (which provides the software component of Wal-Mart's new EHR package), will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill has been introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (Pennlive.com, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization of HIT use.  (Healthcare IT News, March 30, 2009).


NEJM Study Finds Extremely Low Rates of EHR Adoption Among U.S. Hospitals

The New England Journal of Medicine published a study describing dismal rates of adoption and use of EHR technology in the United States.  The authors of the study found that

less than 2% of acute care hospitals have a comprehensive electronic-records system, and that, depending on the definition used, between 8 and 12% of hospitals have a basic electronic-records system.  With the use of the definition that requires the presence of functionalities for physicians' notes and nursing assessments, information systems in more than 90% of U.S. hospitals do not even meet the requirement for a basic electronic-records system.

Financial restraints are the most commonly cited reason for the lack of electronic health records.  The authors found higher adoption rates among larger, urban, teaching hospitals (which the authors partially attributed to such institutions' financial resources available for EHR technology).  Interoperability and low levels of health information exchange also have a negative effect on EHR adoption levels.

However, the authors did provide a glimmer of hope, if not good news:

From a policy perspective, our data suggest that rewarding hospitals — especially financially vulnerable ones — for using health information technology may play a central role in a comprehensive approach to stimulating the spread of hospital electronic-records systems. Creating incentives for increasing information-technology staff and harmonizing information-technology standards and creating disincentives for not using such technology may also be helpful approaches.

Thus, hopefully the incentive payment provisions in the HITECH Act will have a positive effect on adoption rates in the foreseeable future.

It is worth pointing out that Dr. Blumenthal, the new head of ONCHIT, is one of the study's authors.  This study was covered by major national news outlets, including the Wall Street Journal and the New York Times.

"Use of Electronic Health Records in U.S. Hospitals" (New England Journal of Medicine, March 25, 2009).




Debate on EHR Savings Rages at Harvard

A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology.  In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually.   Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."  

However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology.  In part, Drs. Halamka, Bates and Middleton claim that:

The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.


Separately, Stephen B. Soumerai, a Harvard Medical School professor (with a University of Alberta co-author, Sumit R. Majumdar) published an Op-Ed in the Washington Post supporting the Groopman/Hartzband claim that EHR technology is not going to produce the promised mass savings because major studies

have found that electronic records with computerized decision support did not result in a single improvement in any measure of quality of care for patients with chronic conditions including heart disease and asthma.

Soumerai and Majumdar sadly concluded that "a $50 billion investment in health information technology won't do much for many Americans." 

This did not go unnoticed by Halamka and the EHR enthusiasts, Drs. Bates and Middleton.  Their response in another Letter to the Editor (this time, in the Washington Post), systematically deconstructed Soumerai and Majumdar's conclusions, reinforcing the theme articulated by Halamka, Bates and Middleton in the Wall Street Journal:  bad implementation can lead to bad results; EHRs are the way of the future, and the focus should be on how to improve quality of care, not whether to implement EHR technology.  The Letter to the Editor also cited specific examples of savings produced by successful adoption of EHR technology:

a detailed case study of the cost and quality benefits of EHR at Family Care of Concord, NH found net benefits per clinician per year of $30,324. Another study of hospital-based provider order entry identified net savings of $1.7 million per year from drug dosing guidance, nursing time utilization, and error prevention.

While the fight continues at Harvard, there is some positive news from Wall Street.  The Wall Street Journal reports that the HIT funding included in the stimulus appears to boost stock prices of certain HIT vendors, including Quality Systems Inc. (QSII), Athenahealth Inc. (ATHN) and Allscripts-Misys Healthcare Solutions Inc. (MDRX).  Thus, it appears the stimulus is working for someone.  Let's hope the EHR enthusiasts at Harvard are correct, and that we will all benefit from lower costs, increased efficiency and higher-quality health care as a result of nationwide EHR adoption.

"Obama's $80 Billion Exaggeration", Wall Street Journal, March 11, 2009.
"Bad Bet on Medical Records", The Washington Post, March 17, 2009.
"Health IT Push Helps Physician Practice Software Stocks", Wall Street Journal, March 23, 2009.

In the news

  • Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal.  IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records.  AP, San Francisco Chronicle (March 17, 2009).
  • A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing).  This could result in a massive $22 billion reduction in drug and medical costs.  Government Health IT (March 17, 2009).
  • Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry.  Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services.  According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology.   Healthcare IT News (March 11, 2009) also covered this story.

  • Health Information Security and Privacy Collaboration (HISPC) is working on an engine to help healthcare providers navigate through the complex labyrinth of interstate transfers of health information.  Government Health IT (March 5, 2009).
  • President & CEO of HIMSS Analytics, Dave Garetz, predicts a huge rush in 2009 to adopt HIT in order to qualify for government incentives as meaningful EHR users.  There will likely be a significant shortage of competent HIT personnel and "change management experts" to help in this gigantic transition effort, which further underscores this Blog's urgent plea to begin planning for EHR adoption now.  Healthcare IT News (March 4, 2009).
  • Not everything is coming up roses:  Scott Haig of Time has a thoughtful article outlining some of the major challenges for nationwide adoption of EHR technology.  Time (March 5, 2009).
  • Universities are (and have been for years) the leading sector for publicized data breaches.  A new report examines the reasons.  ComputerWorld (March 9, 2009).  (The author of the article, Jay Cline, was only able to find 20 chief privacy officers at major U.S. universities, which is a clear sign that academia - as institutions subject to numerous data privacy laws, including HIPAA, GLBA and FERPA - should be much more proactive and serious about data privacy protection.)