Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

In the NAMCS, adoption among family physicians grew to 66.4% in 2011 from 24.8% in 2005. Among physicians undergoing the ABFM's maintenance of certification, adoption increased to 67.8% in 2011 from 28% in 2005.

The study notes “how federal efforts to increase adoption of EHRs have accelerated in recent years.” It adds that the federal government's “triple aim” goals to improve population health and healthcare delivery while lowering costs “will require data sharing and exchange that transects all aspects of healthcare delivery and depend in part on widespread adoption of EHRs, particularly by office-based physicians.”

But geographic variations were identified in both data sets. Utah, at 94.9%, had the highest rate of adoption among family physicians seeking maintenance of board certification; while North Dakota had the lowest rate of adoption, 47.1%. For family physicians in the national ambulatory survey, Hawaii had the highest rate of adoption, 87.6%. North Carolina family physicians had the lowest, 44%.

The researchers wrote that there was “strong regional clustering for adoption.” They speculated that states' commitment varied in their support for health IT funding mechanisms to promote EHR adoption, prescription drug tracking and quality data reporting. Other reasons that could explain the variation included differences in market penetration of health maintenance organizations and the presence of large integrated healthcare organizations.

By Andis Robeznieks

“EHR use up among family doctors, but varies by area,” Modern Healthcare (February 5, 2013)

The inspector general's review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said. 
 
The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, "The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked 'yes,' " according to the report. However, the report continued, the CMS "does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology."
 
One "obstacle" the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.
 
The inspector general's office notes that although the CMS is not required to perform prepayment verification, "doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments" the program is expected to shell out over its lifetime, which runs through 2016.
 
Regarding post-payment oversight, the inspector general noted that, so far, the CMS "has not yet completed any post-payment audits." But the CMS has said it plans to use EHR-generated reports "to verify the accuracy of self-reported information where possible" and obtain supporting documents in instances where the reports don't cover the audit subject matter—and this is where the ONC comes in for criticism.
 
The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.
 
The CMS "cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures," the inspector general's report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.
 
"EHR reports also do not contain information necessary for CMS to verify all percentage-based measures," the inspector general's report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.
 
The inspector general's office recommended that the CMS beef up its prepayment assessment program, including by focusing on "high-risk" professionals and hospitals, asking them to "submit supporting documentation for prepayment review."
 
It also recommended that ONC "improve the certification process" to ensure that certification bodies "comprehensively test EHR reports for accuracy as part of the certification process" as well as not rely on "vendor-supplied data" during the testing phase.
 
The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general's office recommendation to issue a guidance on proper provider documentation required for the program.
 
In a similar letter to the inspector general's office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general's office's recommendation of testing a "yes/no" reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations "on the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports."
 
Mostashari also said the ONC has “already taken steps” to address a separate inspector general's recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.
 
Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC's certification process "did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products." Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.
 
In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS' Stage 2 meaningful-use rules—contain "more rigorous testing requirements" that became effective Oct. 4, 2012. He said the ONC "will continue to migrate away from the exclusive use of vendor-supplied data."
 
In a telephone interview, Mostashari said the GE report-writing problem was "old news." Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, "It's really a CMS question."

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare  (November 29, 2012)

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning. 
 
In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.
 
Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.
 
Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.
 
North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.
 
Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.
 
Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

The agency's notice stated that health education materials delivered by EHRs “are rarely written in a way that is understandable and actionable for patients with basic or below basic health literacy,” which includes about 77 million people. “Persons with limited health literacy face numerous healthcare challenges,” according to the AHRQ notice. “They often have a poor understanding of basic medical vocabulary and healthcare concepts.” 
 
Agency officials expect the rating system to address that challenge by giving clinicians a method to determine the quality of the data their systems provide or that such resources are even available.
 
A draft version of the rating system was applied by researchers at AHRQ to sample education materials on asthma and colonoscopy and indicated some of the material had “low understandability or low actionability.” The agency plans to next use consumer panels to test the accuracy of the rating system.
 
Other related health literature activities planned by AHRQ includes creating a library of patient health education materials, a review of EHR's patient education capabilities and education of EHR vendors and users.

By Rich Daly

“AHRQ developing consumer info rating system,” Modern Healthcare (October 8, 2012)

A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed.  And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated  in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)

The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

“Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare  (September 22, 2012)

“This story is so ironic -- most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors -- in fact, nobody -- can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach
The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.

Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

One case involved Express Scripts (ESRX), the large prescription- drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality
In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

By Jordan Robertson

"Hacking Expecting [sic] To Increase As More Facilities Institute EHRs," Bloomberg News (August 10, 2012)
 

Specifically, the poll found that 55 percent of U.S. doctors have embraced some type of electronic health record system. And roughly 75 percent of those who have done so reported that the type of system they took on meets the criteria of playing a "meaningful" role in their practice, according to the terms of 2009 federal legislation (entitled the Health Information Technology for Economic and Clinical Health Act) designed to promote the use of electronic health records.

What's more, 85 percent of those doctors who now have an electronic health record system in place said they are either "somewhat" or "very" satisfied with its day-to-day operations (47 percent and 38 percent, respectively). And three in four said patient care has improved as a result of electronic health record adoption.

The poll also indicated that among those who have yet to embrace an electronic health record system, almost half said they plan to do so in the coming year.

Physician age seems to have played a role in how likely a doctor was to have already brought an electronic health record system into their practice, the findings showed. While 64 percent of those under the age of 50 have done so, the poll revealed that the same was true of only 49 percent among those aged 50 and older.

Office size also seems to matter, with larger physician practices being more likely to have incorporated an electronic health record system into their administrative infrastructure. Specifically, 86 percent of offices with 11 or more physicians on site had taken on such a system, compared with roughly 60 percent to 62 percent of those with two to 10 physicians and just under 30 percent of single-doctor practices.

But although some kinds of specialists (such as surgeons) were somewhat less likely to have implemented an electronic health record system, race, gender and physician location did not seem to play a role in the likelihood that a doctor's office would or would not bring the technology into their workplace.

Eric Jamoom, of the health care statistics division of the U.S. National Center for Health Statistics, and colleagues published their findings July 17 in the NCHS Data Brief.

More information

For more on electronic health records, visit the U.S. National Library of Medicine.

-- Alan Mozes

SOURCE: U.S. Centers for Disease Control and Prevention, news release, July 17, 2012

Copyright © 2012 HealthDay. All rights reserved.

“U.S. Doctors Embracing Electronic Health Records: Survey,” HealthDay (July 17, 2012)

CIOs must handle IT integration of the merged hospitals, just as they are leading a transition to electronic medical records. Around 30% of hospitals have already made the move to electronic medical records, up from just 11% in 2009, according to Dave Garets, executive director of The Advisory Board Company,a medical research firm.

The digital transition enables them to share in federal incentives. As part of President Barack Obama’s 2009 stimulus bill, the federal government offered $19 billion to hospitals and doctors who can demonstrate they are using electronic medical records to write patient histories, order medications and report quality improvements.

The Obama administration hopes that by pushing America’s health system towards electronic records it can slow rising healthcare costs by reducing duplicate tests and human error.

If the merger went through, Mark Moroses, CIO of Continuum, would work with partners at NYU Langone to meld dozens of billing, procurement and patient care systems over the next few years. At the same time he is in the process of moving the chain of hospitals, which includes Beth Israel, St. Luke’s, and Roosevelt, to digital healthcare records. That will allow the chain to claim $20 million to $30 million in government stimulus incentives over the next four years, he told CIO Journal.

Mergers can complicate the transition to electronic records. Hospitals have different technical terms, and methods of documenting care, complicating the migration of data between the two institutions. And because patient health is on the line, there is no room for error, says Moroses.

That level of accuracy requires many test runs before the real migration occurs, with doctors and nurses scrutinizing samples of the transfer to spot out potential mistakes, says Moroses.

In order to claim the government money, Continuum will need to prove that doctors are entering data from patient charts into its GE Centricity record keeping software. Nurses already enter basic information like blood pressure and medication information into wireless computers-on-wheels (or COWs as they’re called), which are brought into patient rooms.

Moroses says even his hospital’s current level of electronic medical record adoption is paying off. Electronic records are eliminating situations in which tests might have been reordered simply because paperwork didn’t transfer to another department. Patient allergy information is instantly available to doctors, because it is digital. And medications are less likely to be delivered to the wrong room or the wrong patient—-a mistake that can prove deadly. “Bad handwriting on prescriptions — I know it’s clichéd but you have a real improvement here,” Moroses said.

Over the next few months, doctors will begin entering longer patient histories, including detailed diagnoses, into the system as well. Moroses is also piloting the use of iPads with a handful of doctors. He’d like 95% of physicians across the hospital system to be using the devices over the next two years.

“The iPad is the first device with a long enough battery life,” Moroses said. “The challenge, so far, is navigating through the patient information on [the iPad’s] smaller screen.”

Moroses said Continuum is also part of a Department of Defense research project, which aims to allow the hospital to use data culled from the records to do predictive analytics. The project, which also includes John Hopkins Medical Center, will allow electronic records to produce alerts when data indicates a patient is at risk, and help researchers watch for trends on how treatments and dosage amounts affect patients.

As Continuum increases its use of electronic records, it will also have to prepare to merge its records with NYU Langone, without reversing the progress it made to secure millions in government grant money.

Moroses does not yet know what steps will go into the integration – the merger has not even been approved yet by government regulators. When it does his orders will come from the business units (“If they tell us to take a hill we’ll take a hill,” he said.)

But the experience of another major hospital chain North Shore-Long Island Jewish Health System, which took over Lenox Hill Hospital in 2010, offers clues.

To receive $8 million in government funding, North Shore chief medical information officer Michael Oppenheim is helping Lenox Hill ramp up its electronic record keeping to the level already in place at some of North Shore’s 12 other hospitals. To reach that goal Oppenheim is migrating Lenox Hill’s data to a newer version of the Allscripts medical record keeping system. (Lenox Hill currently uses an older version made by the same company, which is not on the list of systems the federal government will reimburse.)

While most data will transfer smoothly from one system to another, in some cases terminologies used by two hospitals don’t match. For example, one hospital may call an injury a “chief malady” and the other system may call it a “primary complaint,” complicating the migration.

Oppenheim plans to increase the number of Panasonic Toughbook tablets into Lenox Hill to allow doctors to enter data from patient charts directly into the system. But getting people onboard using the new tools and following a new set of protocols is the toughest part, Oppenheim said.

“You have to explain to the leadership that there is an upside,” Oppenheim said. “You want them to buy in rather than feel this is something coming from corporate. But in the end the fall back is that they don’t have an option of not going this way.”

CORRECTION: NYU Langone Medical Center and Continuum Health Partners agreed to pursue discussions of a merger last week. An earlier version of this article stated that the two hospitals had agreed to merge. Also, Mark Moroses, CIO of Continuum, will work with partners at NYU Langone should the hospitals merge. The earlier version of this article stated that Mark Moroses is already working with those partners.

“For Hospital CIOs, Mergers Complicate Move to Electronic Records,” Wall Street Journal (June 13, 2012)

As mentioned above, all of these issues, and the others identified in the eWeek summary, should be subject ton contract negotiations between the parties.  Frequently, ASP vendors use click-wrap license terms and non-negotiable contracts.  Healthcare providers should resist the pressure to simply sign such standard forms because failure to negotiate these agreements will expose your organization to very substantial risks with respect to, inter alia, control of and access to data, and privacy and security of the stored PHI.

"Data Storage: Storing Health Records in the Cloud: 10 Reasons Why It's a Bad Idea," eWeek.com (August 17, 2010).

• U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting.  If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.

• CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized certifying body of EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," HealthImaging.com (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," Bloomberg.com (March 23, 2010).

"As health data goes digital, security risks grow," Computerworld.com (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).

• The Wall Street Journal reported on the rise in medical identity theft and that the situation is "expected to worsen."   Most of medical identity theft cases are committed by those who pay medical workers for patient data, exactly what Michelle Johnson was caught doing at Johns Hopkins.  According to the Journal and the World Privacy Forum report it cited, the adoption of electronic medical records may contribute to the problem by making such information more easily available. Data indicates that states with a high population of retirees experienced the most significant increases in medical identity theft, including California, Texas, New York, Arizona, and Florida.

"Patient ID Theft Rises," Wall Street Journal (November 30, 2009).

"MGMA concerned about success of EHR incentive program," Healthcare IT News (November 23, 2009).

"Woman Sentenced for Stealing Patients' Info," Associated Press (November 20, 2009).

Oakes suggests several initial steps to EHR implementation:

1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor.  Considering the huge increase in demand in HIT services, it is important to secure your vendor's support and involvement early on, so that your organization does not end up at the end of the line.
4. Know the health IT market because your organization will benefit from having the most customized solution (as opposed to, e.g.,  the most expensive or feature-rich), at the right price.

"Get started!" urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA's Health IT Law and Industry Report, here.

On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.

<...>

There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything els that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).

Watch CBS News Videos Online

The Times implied that with this move, North Shore may be seeking a competitive advantage as well:

Digital links, analysts say, can also tighten the bonds between doctors and the hospital groups that subsidize the computerized records. In most local markets, independent physicians typically have admitting privileges at more than one nearby hospital, and so hospitals compete for doctors as well as patients.

There are, of course, risks associated with the North Shore program, including significant delays or even failure to realize significant savings from the EMR adoptions, or the uncertainty about the privacy and security measures for sharing patient data among affiliated providers.

However, both the North Shore program and the PWC survey findings suggest that the often reluctant physicians are beginning to accept the inevitability of the widespread use of electronic health records, and are trying to capitalize on the many benefits of EMR systems, including potential for improving the quality of care and reducing costs.

According to the Healthcare IT News, the PWC survey found that the "data that could be mined from a health system can improve patient care, predict public health trends and reduce healthcare costs," though "a lack of standards, privacy concerns and technology limitations are holding back progress."  In particular:

• Nine in 10 healthcare executives believe that the secondary use of health information will significantly improve the quality of patient care and offers the promise of even greater benefits in the future.
• Nearly two thirds (65 percent) of health organizations say they expect their secondary data use to increase significantly within the next two years.
• Among organizations already using some form of secondary data, 59 percent have seen quality improvements, 42 percent have achieved cost savings, 36 percent have seen patient/member satisfaction improve and 29 percent have increased revenue.
• Providers who are not using secondary data say the number one reason is lack of EHR implementation, not because they are opposed to the concept. Health plans are farthest behind in their secondary use of data despite their vast repository of comprehensive claims information from physicians, hospitals, pharmacies and dentists.
• Ninety percent of pharmaceutical companies have limited or no access to health information contained in electronic health records.
• Most health organizations that use secondary data do so for their own quality monitoring and reporting and for identifying areas that need quality improvement.

"E-Records Get a Big Endorsement," The New York Times (September 28, 2009).

"Survey: Secondary use of electronic health data will improve care, cut costs," Healthcare IT News (October 1, 2009).

A mere week following Dell's announcement, Xerox's CEO Ursula M. Burns revealed her company's "game-changer" plan to buy Affiliated Computer Services (ACS) for $6.4 billion.  According to IT World:

ACS may be in a good position to get even more business in the next few years as the federal government starts spending billions of dollars to help health care providers create electronic medical records systems. ACS said that health care projects account for about $1 billion of its $6.5 billion in revenue for the year ended June 30.

While Dell and Xerox acquisitions grabbed most of the spotlight this week, other Wall Street giants, like Wal-Mart Stores, Inc., Intel and Google, havemade significant inroads into the health  IT market.  Healthcare consultants Frost & Sullivan, as cited in Healthcare IT News, see an expanding market which will benefit new players.

Companies with a fresh, outside perspective will be invaluable to improving healthcare delivery and producing the next generation of medical technology <...> The enormous demand for new technology and solutions to address both the clinical needs of patients and the systemic problems of healthcare delivery will create opportunities for companies with the foresight to identify and capitalize on opportunities.

However, Frost & Sullivan also cautions companies against jumping into this industry without considering potential downsides, including the incredibly complex regulatory framework governing U.S. healthcare.

Joseph Conn, "Dell's HIT Power Play," Modern Healthcare (September 28, 2009).

"Dell to Buy Perot Systems for About $3.9 Billion," The New York Times (September 21, 2009).

"Major corporations looking for stake in healthcare, medical technology market," Healthcare IT News (October 1, 2009).

"Doc, you're getting a Dell (EMR)," Healthcare IT News (September 10, 2009).

"Xerox Buys Affiliated, Fueling Shift to Services," The New York Times (September 28, 2009).

"With ACS, Xerox will gain a firm growing quickly offshore," IT World (September 28, 2009).