White House Panel Issues Report on Health IT

Posted on December 10, 2010 by Steve Fox and Vadim Schick

On December 8, 2010, President's Council of Advisors on Science and Technology (PCAST) issued its report on the importance of widespread adoption and use of health IT to improve healthcare delivery and reduce costs. The report concluded that:

information technology can help catalyze a number of important benefits including improved access to patient data, which can help clinicians as they diagnose and treat patients and patients themselves as they strive to take more control over their health; streamlined monitoring of public health patterns and trends; an enhanced ability to conduct clinical trials of new diagnostic methods and treatments; and the creation of new high­technology markets and jobs. Health information technology can also help support a range of healthcare ­related economic reforms needed to address our Nation’s long­term fiscal challenges.

PCAST also recommended "nationwide adoption of a universal exchange language for healthcare information and a digital infrastructure for locating patient records while strictly ensuring patient privacy," and tasked CMS and ONC with developing guidelines "to spur adoption of such a language and to facilitate a transition from traditional electronic health records to the use of healthcare data tagged with privacy and security specifications."

You can view PCAST's press release here.

You can view PCAST report here.

 

Tags: , , , , , , , , , ,

WSJ: Major consolidation among HIT vendors likely

Posted on October 28, 2010 by Steve Fox and Vadim Schick

The HITECH Act added over $27 billion to an industry whose publicly trading companies' market cap is below that, around $25 billion.  Such dramatic expansion of the industry will likely lead to significant consolidation among HIT vendors. We have already seen a merger between Eclypsis and Allscripts this summer (which became final last month); and now Cerner, another leading HIT vendor, entered into a partnership with MedAssets, Inc., a company that has specialized Internet-based financial improvement systems.  Via the Journal:

As that funding makes its way to health-care IT companies, it's likely to necessitate a lot more consolidation in an industry that's currently very fragmented. For instance, hospitals are not only looking to reduce the
number of different IT systems they use in-house, they also want more seamless ways of connecting to doctors' offices and insurers.

"We're at the beginning of the single fastest transformation of any industry in U.S. history," said Glen Tullman, chief executive of the health-care IT company Allscripts Healthcare Solutions Inc. (MDRX). <...> Tullman said he expects a lot more deals to come in the industry. He said that some of that consolidation will likely take place among the companies that provide IT systems to hospitals, a list that
includes Allscripts, privately held Epic Systems Corp., General Electric Co. (GE), Cerner, Germany-based Siemens AG (SI), McKesson Corp. (MCK) and privately held Medical Information Technology Inc., commonly known as Meditech. Tullman declined to comment on what companies he expects to make deals.

You can read more at the Wall Street Journal web site here

"Health-Care IT Sector Shaking Up As Medical World Goes Digital," Wall Street Journal (October 15, 2010).

 

Tags: , , , , , , , , , , , , , , , ,

CHIME comments on EHR certification NPRM

Posted on April 15, 2010 by Steve Fox and Vadim Schick

In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program.  While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIO's are worried about any destabilizing effects such rule may have on the health IT market.  Via Healthcare IT News:

We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations," CHIME wrote. "The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace.

CHIME issued a few recommendations to combat such uncertainty, which you can find after the jump.

CHIME called for:

  • Temporary process to be a provisional or interim one that builds on current certification strategies and is "harmonized" with the eventual permanent certification process. According to CHIME, certification process should be the responsibility of the vendor, and that the purpose of certification should be to provide healthcare providers and professionals with assurance that the product they are purchasing can help them achieve meaningful use.
  • More specificity in language to define what constitutes a self-developed EHR. Current wording in the regulation suggests that any complete EHR or EHR module that's modified by a healthcare provider or a contractor could require certification.
  • Changes in certification requirements be made only when they are necessary to meet meaningful use evolution or advance interoperability, not just because a certain amount of time has passed.
  • If CMS maintains the "adoption year" approach originally advanced in proposed regulations, providers should not be required to have products certified for capabilities not required in their current adoption year.
  • Individual EHR modules be certified to ensure that they can communicate according to adopted standards, and that the interoperability of those modules as used by providers be deemed as certified.
  • HIT vendors fully disclose functions for which their products are certified and fully disclose known compatibility issues.
  • In the event of a certification body losing its authority to certify products, vendors should have six months to recertify products, and providers should not be penalized for a change in a product's certified status if they are still able to demonstrate the meaningful use of the technology.

"CHIME raises concerns about EHR certification," Healthcare IT News (April 9, 2010).
Tags: , , , , , , , , , , , , , , , ,

CBS News reports on EHR efforts

Posted on October 21, 2009 by Steve Fox and Vadim Schick

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 


Watch CBS News Videos Online

"Charting a New Course," CBS News (September 13, 2009).

Tags: , , , , , , , , , , , , , , , , , , ,

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: , , , , , , , , , , , , , , , , ,

In the news: Personal Health Records edition

Posted on April 28, 2009 by Steve Fox and Vadim Schick
  • The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009.  According to the FTC press release, aside from breach notification, the proposed rule also:

stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

             The full notice can be found here.

  • Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009.  The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors.  Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR.  It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA.  ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)

 

  • Meanwhile, the Boston Globe raised serious doubts regarding the accuracy of patient information contained in Google Health's PHRs because "Google takes some information from insurance billing records that use broad and imprecise codes to describe patient treatment."  According to Dr. David Kibbe, a senior technology adviser to the American Academy of Family Physicians, "[claims] data is notoriously inaccurate and notoriously incomplete with respect to an expression of the problems a person has."   However, as Bob Evans of Global CIO Blog points out in an entry on this subject, is it better to have some information regarding a patient contained in a PHR, even if there is a good chance that such information can be wrong, or no information at all? ("Electronic Health Records Raise Doubt", The Boston Globe, April 13, 2009; "Google Health Records Reveal Grossly Inaccurate Info", Global CIO Blog (Bob Evans), April 13, 2009.)

 
Tags: , , , , , , , , , , ,

Steve Fox on the new PHR privacy rules

Posted on April 27, 2009 by Vadim Schick

Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)

 

Tags: , , , , , , , , ,

In the news: CVS and Google; Connect Open Source Software; and more

Posted on April 8, 2009 by Steve Fox and Vadim Schick
  • CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership.  Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts.  It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement.  After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA.  ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
  • The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network.  The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect.  The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already.  ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

     

 

  • This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
  • The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYB and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)

 
Tags: , , , , , , , , , , , , ,