ONC Sells Successes of Health IT Adoption to Congress in Annual Report

The ONC released its second annual report on the adoption of health IT this past June. The report provides a snapshot of the nation's efforts and continuing barriers to health IT adoption. Although EHRs have been lambasted lately by Congress, the report primarily covers the ongoing big "wins" for health IT adoption: increased participation in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use") in 2012, increased adoption of EHR technology among physicians and hospitals and increased eRx, and various federal and state HIE and HIT efforts.

For example, CMS is more than happy to report that over half of the nation's eligible professionals have received payments through Meaningful Use as of April 2013, with about 80% of eligible hospitals receiving incentive payments as well. Among the 50 States, only 8 do not have mechanisms broadly available statewide for directed exchange, whether fully implemented or in pilot phases; New Jersey is one of those 8. And 36 states have query-based exchange available either statewide or through at least certain regions.

The report also highlights the variety of programs, pilots and regulatory efforts undertaken by CMS and ONC, among others, and the success these have had since the passage of the HITECH Act. However, ONC acknowledges the barriers that remain for health IT, particularly interoperability, and remains committed to developing flexible, modular standards and policies for the interaction and exchange of information among various types of systems. 

To help support interoperability, the State HIE Program recently released a set of online training modules for providers, supporting the roll-out of Meaningful Use Stage 2, set to kick off this October for eligible hospitals and January 2014 for eligible providers. The Standards and Interoperability ("S&I") Framework continues to work with stakeholders in the vendor and provider communities to identify barriers to achieving national interoperability and their solutions. And the public/private partnership through the national eHealth Exchange (formerly the Nationwide Health Information Network or NwHIN) continues as ONC's "incubator of innovation" in HIE.

Additional efforts highlighted by ONC include:

  • improving consumer and provider confidence and trust in health IT and HIE;
  • engaging consumers in their ehealth and identifying solutions for consumers to better control and direct the flow of their information through HIE;
  • gathering data through various public forums and surveys on privacy and security concerns for safeguarding health information in health IT;
  • development of interactive tools for providers to assess mobile device security as well as general security tools for safeguarding electronic PHI and EHRs, and minimizing breaches;
  • identifying strategies for improving coordination and integration of behavioral health providers into broader health IT efforts, including launching an interstate Direct behavioral health pilot; and
  • identifying strategies for improving coordination and integration of long-term and post-acute care providers into broader health IT efforts.

For the entire snapshot of the nation's health IT status, read the full report with its easy-to-read charts and graphs. You may be surprised at how much ONC has been involved in, and how much has happened in, the evolution of health IT and HIE.

ONC Releases Governance Framework for Trusted HIE

After backtracking on developing "Rules of the Road" for trusted electronic health information exchange (HIE) last year, ONC has released its promised Governance Framework for HIE after months of collaboration with stakeholders. Crafted through public listening sessions, hearings, partnerships and the NHIE Governance Forum, the Governance Framework,

Reflects what matters most to ONC when it comes to national health information exchange governance and the principles in which ONC believes,

stated Dr. Mostashari last Friday in his Health IT Buzz Blog. Short and sweet, the Governance Framework provides guidelines for the governance of HIE.

The Governance Framework sets forth four sets of principles for HIE which are specifically geared towards HIOs and other entities that set HIE policy such as state agencies and partnerships:

  • Organizational principles, focusing on transparency and openness, inclusiveness, oversight and enforcement;
  • Trust principles, focusing on meaningful choice to participate in HIE and to limit types of data exchange, transparency in privacy and security practices, and the accuracy of information;
  • Business principles, providing open access and standards to promote collaboration; and
  • Technical principles, ensuring technology can accommodate exchange through the use of standards and implementation specifications, testing and collaboration with voluntary consensus standards organizations.

Of particular interest is the recommendation that HIOs provide a "Notice of Data Practices" describing HIE activities, entirely separate from the Notice of Privacy Practices each participating organization in an HIO would provide to its patients. The Notice would describe not only uses and disclosures of identifiable information, but de-identified information as well.

Furthermore, organizational principles would include,

[P]romot[ing] inclusive participation and adequate stakeholder representation (especially among patients and patient advocates) in the development of policies and practices.

Another recommendation would prompt HIOs to maintain and publish statistics on their exchange capacity, including number of users and patients, type of standards implemented and transaction volume, as well as to disseminate "up-to-date" information on compliance with statutes and regulations, best practices and even potential security vulnerabilities.

Is the Governance Framework helpful to HIOs? Maybe. It does NOT

Prescribe specific solutions but lays out milestones and outcomes that ONC expects for and from HIE governance entities as they enable electronic HIE.

It is a far cry from guidance for the everyday problems HIOs are faced with, as expressed by numerous stakeholders to ONC, such as sharing data across state lines, sustainability, variations in standards between providers and HIOs, and differences in policies governing who may access patient data (i.e., clinicians only vs. administrative and other personnel).

It does, however, provide at least a "common foundation" for HIOs to build their organizational structure and policies upon. And it's better than a set of regulations and rules for HIE and HIOs that no one is ready for.

To read the full Governance Framework and for additional information on ONC's HIE activities, visit ONC's HIE Governance website.   

HHS Releases RFI on Interoperability and HIE

HHS, CMS and ONC have released a Request for Information (RFI) seeking input on policies and programs to encourage health information exchange (HIE) through interoperable systems.  Although the Medicare and Medicaid EHR Incentive Programs and other federal efforts are rapidly increasing the adoption of standards based HIE and EHR technology,

This alone will not be enough to achieve the widespread interoperability and electronic exchange of information necessary for delivery reform where information will routinely follow the patient regardless of where they receive care....

The overarching goal is to develop and implement a set of policies that would encourage providers to routinely exchange health information through interoperable systems in support of care coordination across health care settings.  

HHS therefore seeks comment on several options for encouraging HIE among providers and settings of care through a hodge-podge of existing statutory vehicles (primarily CMS and ONC programs and projects). In addition to requesting comment on these existing vehicles, CMS and ONC seek to identify what is currently working to encourage HIE, and which changes would have the biggest impact on HIE adoption, including regulatory requirements.

Furthermore, although long neglected under the EHR Incentive Programs, CMS and ONC specifically seek comment on what policies and programs would have the most impact on post-acute and LTC care providers as well as behavioral health.  They ask for insight into how these programs and policies should be implemented and developed to maximize care coordination and quality improvement for these populations. In addition, CMS and ONC specifically seek comment on policies and programs which would most impact patient access and use of their electronic health information for management of their care.   

Post-Acute and Long-Term Care Providers.  HHS acknowledges the low rates of EHRs and HIE among LTC and post-acute care providers and identifies existing authority which could be leveraged to expand HIE.  These include incorporating HIE as key components of:

  1. Medicaid health homes;
  2. Demonstration and pilot projects under Medicaid and the Children's Health Insurance Program (CHIP);
  3. Home and community based services (HCBS), which would include LTC;
  4. State expansions of HIE infrastructure as part of the Medicaid EHR Incentive Program; and
  5. CMS Conditions of Participation or Coverage.

Settings of Care.  HHS additionally acknowledges the need to accelerate HIE across providers, including ambulatory care, behavioral health, laboratory, and post-acute and LTC. For example, HHS seeks comment on:

  1. New e-specified measures for exchanging summary records following transitions of care aligned with CMS quality reporting programs, including the EHR Incentive Programs;
  2. Medicare Shared Savings Program, requiring or encouraging Accountable Care Organizations (ACOs) to engage in HIE as part of coordination of care;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of use of interoperable technology for HIE to facilitate model participation decisions and requirements;
  4. Model testing to align Medicare and Medicaid financing and care integration under the Capitated Financial Alignment model.

Consumer and Patient Engagement.  HHS and CMS seek to encourage engagement of patients in their care by improving their access to health information and electronic communication between their health care providers.  Options to encourage consumer and patient engagement include:

  1. Incorporating new measures into Medicare Advantage Program consumer assessment surveys (CAHPS);
  2. Blue Button availability to all CMS beneficiaries;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of incentives for consumers to more actively participate in their health; and
  4. Direct access to lab results from laboratories (CLIA and HIPAA Amendments).

The RFI will be published today in the Federal Register.  Comments may be submitted up to 5pm on April 22, 2013. 

ONC Setting Stage for NHIN Governance Guidance

Last year, ONC announced that it would not be moving forward on establishing governance regulations for the Nationwide Health Information Network (now called the "eHealth Exchange") as a result of the comments and feedback it received.  Instead, it proposed to move forward with developing best practices guidance and support activities for existing governance initiatives and goals in nationwide health information exchange (HIE).

This year, ONC is kicking off several activities to support HIE governance. First, a federal funding opportunity is available for existing governance entities to further develop and adopt policies, interoperability requirements, and business practice criteria relating to HIE. Applications may be submitted until February 4 on Grants.gov.

Secondly, Dr. Mostashari and ONC have scheduled an open Town Hall listening session for this coming Thursday, January 17, as well as February 14, in order for stakeholders to express their priorities, concerns or issues. Based on stakeholder input, the HIT Policy Committee and HIT Standards Committee are then expected to hold a public hearing on January 29 to discuss current HIE policies, practices and impediments, as well as opportunities to strengthen and improve governance.

Finally, ONC will develop and publish a series of governance "guidelines" for effective and trustworthy HIE, based on the feedback it has received. Stay tuned for more information on ONC's new site for HIE Governance.

SERCH Project Recommendations for HIE and Disaster Preparedness

As Helen noted in her post on Thanksgiving, Superstorm Sandy re-emphasized the need for health care organizations to have plans in place for disaster preparedness, data backup and recovery. As New York and New Jersey rebuild, health care organizations are taking a closer look at what they can do to improve the availability of critical health care services for their patients, and in particular, the role of HIE in keeping patient information available.  

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps for any organization planning on sharing information through HIE to take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

  1. Understanding the State’s disaster response policies and aligning with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
  2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
  3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
  4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
  5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state level.

A full copy of the whitepaper can be found on the Health IT website. You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his blog post in 2011 on the Joplin Tornado and the role of EHRs, at the Health IT Buzz.

Is NwHIN going from "Free" to "For Fee"?

Notable news late last week included ONC Coordinator Dr. Farzad Mostashari publishing a blog post stating that ONC has decided NOT to pursue promulgating regulations to govern the NwHIN. The decision was made in part after his Office considered comments to the RFI it released in the early summer seeking public input on a potential regulatory approach for the NwHIN and its participants, including the possibility of requiring accreditation and certification to validate organizations seeking to participate in the NwHIN. Mostashari explains in his post that many RFI responders expressed concern that issuing new regulations to set governance standards for the NwHIN could actually slow the development of trusted exchange. In light of this, Mostashari indicates that his Office has decided to allow the HIE and HIT markets to continue evolving organically, at least for now.

The NwHIN website currently posts a list of 27 organizations that are already approved NwHIN Participants. Other organizations seeking to become a NwHIN Participant have to "on board" to the Exchange by following the (painfully detailed) process on the NwHIN website, which you can review here.

But buyer beware...   

While current NwHIN Participants may have "on boarded" and be using the NwHIN for free, it looks like subscription and/or use fees for the NwHIN are coming soon .....

On August 20th, the HealtheWay Exchange Transition Update was published, which summarizes some of the "transitions" to expect with regard to the NwHIN.  To start, it's helpful to know that HealtheWay is the nonprofit organization now chartered to support the NwHIN Exchange. The entity's Articles of Amendment and Restatement of the Articles of Incorporation were recently filed in the Commonwealth of Virginia and made effective July 30, 2012. Bylaws for HealtheWay are posted there as well. The Update notes a list of changes to how the NwHIN will be operating, including:

  • Currently, NwHIN Exchange is an ONC initiative, but as of October 2012 it will transition to the public-private initiative called the eHealth Exchange;
  • Currently, NwHIN operations are supported and funded by ONC, but going forward, operations will be supported and funded by HealtheWay;
  • Currently, all services are provided to NwHIN Participants for free, but very soon Participants are going to be asked to pay for the NwHIN's services being supported through HealtheWay.

It is probably not a huge surprise that, going forward, Participants will be charged fees to connect through the NwHIN Exchange because "free" is not a viable model for financial sustainability. However, it will be interesting to see how organizations respond and whether paying fees to utilize the NwHIN was something that such organizations, and States for that matter, have factored in to their HIE models.

In light of all this, it is important for organizations, providers and even State governments looking to join the NwHIN to have a solid understanding of how the DURSA works, especially with regard to how "material terms" can be changed (i.e., like imposing new fees), and how a Participant can terminate its participation with the NwHIN if it cannot meet (or does not agree with) a material change.  

If NwHIN Participants are going to be charged fees to use the NwHIN Exchange, then organizations should be considering this as part of their evaluation of whether the NwHIN Exchange is the best solution to meet their organization's primary needs. Organizations will also want to evaluate whether the NwHIN delivers sufficient value in exchange for the fee that they will be charged (an amount which we don't yet know). In addition, the integration and on-boarding process is extremely time-consuming and resource intensive, and so organizations will not necessarily want to "go through" this process with two different HIE vendor solutions. Finally, those that were expecting to connect to the NwHIN for "free" should update their plans (and budgets) to reflect the transition of the NwHIN Exchange to a "for fee" model.


Are We Ready for the Nationwide Health Information Network? ONC Releases RFI for Governance of NwHIN

Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN). According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC) (InformationWeek, March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA). Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low.

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, “Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange. The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.

We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and “worry-free.” 77 FR 28545.

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

  1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
  2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
  3. Process for retiring and updating CTEs to address current exchange needs,
  4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
  5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent value is identified in seeking such validation, with of course, the ability as NVE status gains ground to be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

  1. For purposes of medical treatment;
  2. When information exchange is mandatorily required under law; or
  3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI on which ONC has requested public comment are that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain. In addition, an NVE would be required to implement and use one of two types of transport specifications: unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications.

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange

NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012. Comments must be submitted by 11:59PM Eastern Daylight Time.

NeHC Releases Roadmap for Growth and Evolution of HIE, and Legal HIE Listed as a Helpful Resource!

Following ONC's release of its Program Information Notice "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (the P&S PIN discussed in a previous blog post), the National eHealth Collaborative (NeHC) has released a roadmap for successful and widespread growth of HIE to improve health and healthcare after extensive collaboration with private and public stakeholders (the HIE Roadmap). NeHC is a public-private partnership established through a grant from the ONC and is led by some of the nation's most respected thought leaders, and so we were thrilled to discover that our blog, Legal Health Information Exchange, was identified by NeHC as one of only a selected group of "Helpful Resources" found at Exhibit B of its HIE Roadmap. You can register with NeHC to download a copy of the HIE Roadmap here.

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies.  It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome. 

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE.  The HIE Roadmap states,

"...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE. Leading HIE organizations are indeed charting new ground. Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success."

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67 with a whopping 210% increase in operating private HIEs, from 52 to 160. Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing to success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as provide a framework and a path forward for those working towards achieving HIE in their communities.

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

  • Funding and sustainability;
  • Variations in implementation of interoperability standards;
  • Provider adoption;
  • Disparate EMRs; and
  • Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome." The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular, recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups. It highlights the important role the Direct Project and the Nationwide Health Information Network (NHIN) continue to play in developing a strong interoperable foundation, and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and following through on the responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

  • Care Connectivity Consortium, comprised of five leading health systems, Kaiser Permanente, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
  • HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
  • Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
  • Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
  • Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiatives, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint.  Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model. 

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face.  Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, starting with developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare.  Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.

Grantees of HIE Funds Get "PIN-ned" on Privacy, Security and Patient Consent

On March 22, 2012 HHS/ONC released a new Program Information Notice (PIN) called the "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (P&S PIN).  The P&S PIN applies to all State Health Information Exchange Cooperative Agreement Program Recipients, including State Designated Entities (SDEs), SDE sub-grantees, and other direct grantees of the federal HIE Cooperative program. Here is a link to the HHS/ONC PIN website.

The P&S PIN requires all SDEs to submit, as part of a 2012 annual Strategic and Operational Plan (SOP), an update of their privacy and security framework consisting of all relevant statewide policies and practices adopted by recipients, and operational policies and practices for HIE services being implemented by recipients funded in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).

Among other things, each HIE Grant Recipient will need to submit how their existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which the ONC and the ONC's Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE.  The FIPs are:

  1. Openness and Transparency
  2. Collection and Use and Disclosure Limitation
  3. Safeguards
  4. Accountability
  5. Individual Access
  6. Correction
  7. Individual Choice
  8. Data Quality and Integrity

Specifically, Point-to-Point Directed HIE Exchange Models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any gaps exist between a FIP and the HIE Grant Recipient's current policies (i.e., a domain is not addressed), they must be identified, and a strategy, timeline and action plan for addressing these gaps must be provided in the 2012 SOP update.

One of the most debated topics with networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government for guidance on when and what form of consent is required for networked HIE.

The P&S PIN addresses patient consent with HIE, and requires that aggregated HIE models offer individuals, at a minimum, a meaningful choice with regard to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.

The P&S PIN then goes on to define “meaningful choice” as including:

  • Made with advance knowledge
  • Not used for discriminatory purposes or as condition for receiving treatment
  • Made with full transparency and education
  • Commensurate with circumstances for why IIHI is exchanged
  • Consistent with patient expectations
  • Revocable at any time

Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27th, I had the opportunity to speak at the HIPAA Summit in Washington D.C. where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE.  Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that at least with respect to HIE Grant Recipients who are operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded meaningful choice to participate in networked HIE. It's also important to note that while the P&S PIN requirement could potentially be satisfied through obtaining written consent from the patient, written consent is not required and, moreover, Ms. Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is being delivered to patients, and the patient's decision-making process is meaningful.

The FIPs are nothing new, and ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information back in December of 2008!  Ever since then, I have been advising HIE initiatives to BUILD their HIE Policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE Policies for HIOs that aggregate IIHI.

For a copy of a sample set of our HIE Policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com which is going live soon as a source for legal forms and templates.

Federal Government Releases Updated DURSA for NHIN Participants

An Amended and Restated DURSA dated May 3, 2011 was released November 30, 2011.  DURSA is an acronym for the "Data Use and Reciprocal Support Agreement."  It is a comprehensive agreement to govern the exchange of health data through the Nationwide Health Information Network Exchange (NHIN).  It is a multi-party single agreement that establishes the rules of engagement and obligations to which all Participants agree and that all Participants sign as a condition of joining the NHIN community. A clean copy of the updated DURSA can be downloaded from the NHIN's Participant "Onboarding" Website, or by clicking here. The Office of the National Coordinator (ONC) has also posted a Redline version comparing the most recent May 2011 version of the DURSA against its predecessor (scroll all the way down to the "DURSA" subcategory).

According to a PowerPoint posted by the ONC that summarizes all the changes to the November 2009 version of the DURSA, here are some of the more significant ones that NHIN Participants can expect:

  • The term “Nationwide Health Information Network” is defined more broadly, and ONC is phasing out its use altogether.
  • The composition of the Coordinating Committee is being downsized/reduced significantly. ONC indicated that the current composition is not scalable given the rapid growth in the number and type of Participants.
  • The definition of "Permitted Purposes" has been revised to support varied types of transactions and not preclude legitimate reasons to transact Message Content including treatment, payment, limited healthcare operations with respect to the patient that is the subject of the data being exchanged, public health activities, meaningful use and disclosures based on an authorization from the individual.
  • Each Participant is required to (i) validate information about its Users prior to issuing the User credentials; (ii) use the credentials to verify the identity of its Users before enabling the User to transact Message Content; and (iii) provide truthful assertions.  The November 2009 version did not specifically require Participants to “identity proof” their Users or explicitly require a Participant to submit truthful information in the assertions and statements that accompany a Message.  At the time, the DURSA developers assumed that these issues would be addressed in the Specifications, but they were not.
  • Combines duties of a responder and requestor into duties of a Submitter, and adds that Messages must comply with Applicable Law, the DURSA, Operating P&P, and applicable Performance and Service Specifications. The Submitter must represent that all assertions or statements related to the submitted Message are true and accurate. Also, it is the responsibility of the Submitter – the one disclosing the data – to make sure that it has met all legal requirements before disclosing the data, including, but not limited to, obtaining any consent or authorization that is required by law applicable to the responding Participant.
  • Removed 24 notice requirement to Coordinating Committee before suspending a Participant.  Recognized that process is onerous.  Participant can now be voluntarily suspended for 5-10 days.

  • The November 2009 version required 2/3 of non-governmental and 2/3 of governmental Participants to approve all changes to the Operating policies and procedures.  The government acknowledged that this process has proven itself inefficient and has impeded the Coordinating Committee’s ability to revise the Operating Policies and Procedures.  In the May 2011 version, the process for revising and adopting new Operating Policies & Procedures has been revised.  Prior to approving new Operating P&Ps, Coordinating Committee will solicit comments from the Participants.  There will be a 30 day objection period once the Coordinating Committee approves new or amended Operating P&P.  New or amended Operating P&Ps go into effect unless 1/3 of the Participants object.  If 1/3 object, then 2/3 of non-governmental and 2/3 of governmental Participants must approve before the new or amended OP&Ps become effective.
  • In the Nov 2009 version, approval of new or amended Performance and Service Specifications required the Coordinating Committee to make a determination of “materiality,” which then dictates the Technical Committee’s process of approving the Spec change.  The government noted that the process has proven itself inefficient and has impeded the ability to amend the Performance and Service Specifications and adopt new Performance and Service Specifications.  With the new May 2011 version of the DURSA, new and amended Performance and Service Specifications will be approved in the same way that new and amended Operating P&Ps are approved.

HITPC Releases Tiger Team EHR Amendment/Correction Recommendations

The ONC Health Information Technology Policy Committee (HITPC) released the Privacy & Security Tiger Team (Tiger Team) recommendations concerning amendments and corrections to electronic medical records (EMRs) in a letter to HHS on July 25, 2011 (HITPC Letter).  The Tiger Team's two recommendations are:

  • Certified electronic health record (EHR) technology for Meaningful Use Stage 2 should have the capability to support amendments to health information as well as support compliance with HIPAA obligations to respond to patient requests for amendments, specifically (i) to make it technologically possible for providers to make amendments consistent with their obligations with respect to the legal medical record (e.g., access/view the original data and identify changes made); and (ii) attach any information from the patient and any rebuttal from the entity regarding disputed data.
  • Certified EHR technology for Meaningful Use Stage 2 should have the ability to transmit amendments, updates or appended information to other providers to whom data in question had previously been transmitted. 

The recommendations address the concerns of stakeholders regarding technological capabilities of EHR systems to assist covered entities in complying with HIPAA amendment and correction procedures for their EMRs.  They also address issues concerning data integrity and quality when correcting errors in patient information not at the request of the patient or communicating updates in patient information. 

HIPAA requires covered entities to comply with specific procedures for correcting or amending protected health information (PHI) within their records where a patient requests such correction or amendment.  In addition, the principle of "correction" was adopted by the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which requires that individuals be provided a timely means to dispute the accuracy or integrity of their health information.

The Tiger Team recommends that the HIT Standards Committee develop standards, specifications and criteria for the certified EHR technology, and that any technological capabilities be kept as simple as possible to start.  Capabilities could evolve over time and become more complex, including "potentially greater standardization and automation."  Most notably, the Tiger Team rejected placing affirmative obligations on providers to inform other providers and entities about errors which were not identified in response to a patient's request, citing the "range of different errors that could occur" and the potential difficulty in distinguishing between what was a difference in medical opinion and an actual error, deciding,

...Providers' existing ethical and legal obligations were sufficient to motivate them to use appropriate professional judgment regarding when to inform any known or potential recipients of amendments to health data.

Finally, the HITPC letter notes that the Tiger Team considered whether health information exchange organizations (HIOs) should be obligated to correct errors and transmit amendments or updates to affected providers where they may be responsible for such errors.  The Tiger Team has specifically sought input from the HITPC and will continue to research existing HIO policies prior to developing future recommendations on this issue. 

The full HITPC letter may be found here: HITPC Privacy & Security Tiger Team Amendment Recommendations

Doctors and Patients Mostly Agree on IT

Government Health IT reported yesterday that according to a national survey released January 31st by the Markle Foundation, patients and physicians share many similar views regarding increasing beneficial use of health information technology to improve delivery of care, as well as the necessary privacy protections that should go along with the shift to utilize electronic medical records.  The Markle Foundation states on its website that the Markle Survey of Health in a Networked Life is

[t]he first of its kind to compare the core values of physicians and the general public, referred to here also as patients based on their opinions as consumers of health care, on deployment of information technology in health care.

Key findings in the Markle Survey include:

  • 74% of the doctors surveyed would prefer computer-based means of sharing patient information with each other.
  • 47% of the doctors would prefer computer-based means of sharing records with their patients. (Only 5% do so today.)
  • 74% of doctors said patients should be able to share their information electronically with their doctors and other practitioners.
  • 10% of the public reported currently having an electronic PHR (up from 3% who reported having one in Markle’s 2008 survey).
  • 70% of the public and 65% of the doctors agreed that patients should be able to download their personal health information online.
  • 70% of the public said patients should get a written or online summary after each doctor visit, but only 36% of the doctors agreed. (Only 4% of doctors say that they currently provide all their patients a summary after every visit).

Other findings from the survey include:

  • 70% to 80% of both patients and doctors support privacy-protective practices, such as letting people see who has accessed their records, notifying people affected by information breaches, and giving people mechanisms to exercise choice and correct information.
  • 65% of the public and 75% of doctors agreed that it’s important to have a policy against the government collecting personally identifiable health information for health IT or health care quality-improvement programs.
  • If there are safeguards to protect identity, however, at least 68% of the public and 75% of the doctors expressed willingness to allow composite information to be used to detect outbreaks, bioterror attacks, and fraud, and to conduct research and quality and service improvement programs.
  • 75% of the public and 73% of the doctors said it will be important to measure progress on improving health care quality and safety to ensure the public health IT investments will be well spent. Both groups (each at 69%) agreed on the importance of specific requirements to improve the nation's health in areas like heart disease, obesity, diabetes, and asthma.
  • Many are unaware of the health IT incentives: 85% of the public and 36% of doctors describe themselves as not very or not at all familiar with the health IT incentives program, which makes subsidies available for doctors and hospitals to increase use of information technology.

For a detailed copy of the report, visit Markle Foundation's Latest Surveys.

Patient Protection and Affordable Care Act Declared Unconstitutional

In a brief 78 page Opinion, Federal District Court Judge Roger Vinson of the U.S. District Court of the Northern District of Florida struck down portions of the Patient Protection and Affordable Care Act on constitutional grounds.  The impact of that decision on PPACA initiatives in Florida, such as Accountable Care Organizations, remains to be seen, although the DOJ has expressed its intent to appeal the ruling. In addition, Deputy Senior Advisor Stephanie Cutter responded:

We don't believe this kind of judicial activism will be upheld and we are confident that the Affordable Care Act will ultimately be declared constitutional by the courts.

She characterized the ruling as "well out of the mainstream of judicial opinion," noting that 12 federal judges have dismissed challenges to the law's constitutionality and two--in Michigan and Virginia--have upheld the law.

(meta-data) "TAG, You-Are-It" (ONC, CMS, DHHS) !

This December 2010, the President’s Council of Advisors on Science and Technology (“PCAST”) released its Report titled “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” and, boy, it makes meaningful use look like a walk in the park!

The Report notes, among many other things, that the current structure of available health IT systems is inadequate, resulting in user difficulty, unavailability of relevant information, such as best practices, limited capability for sharing data across systems, patient concerns regarding improper access, and the inability to search or aggregate and de-aggregate data where necessary for research, public health, quality improvement, or patient safety. In essence, current health IT systems cannot easily support the desired outcomes. The Report identifies key legislation and regulations responsible for moving the development of health IT forward, namely, HITECH and the “meaningful use” EHR Incentive Program, as well as demonstration projects to develop experience and the necessary conditions for progress. However, the Report stresses the urgency of accelerating and redirecting much needed federal groundwork for HIE.

The Report notes the successes of early adopters of integrated EHR systems (i.e., Kaiser Permanente and VHA), while recognizing areas of functionality still in dire need of improvement, such as interoperability. It finds data exchange and aggregation central to accomplishing potential health IT benefits yet rejects current HIE models as being “ill-suited” as the basis for a national health information infrastructure due to durability and interoperability concerns. PCAST considers new technologies, such as “cloud-based” EHR products, patient personal health records, and data aggregation “middleware” products for interoperability that have potential to remove barriers and create solutions, as well as other promising models for data exchange.

PCAST rejects standardized health record formats and service-oriented architecture (SOA) in favor of metadata-tagged data elements and data-element access services (DEAS), the advantages of which the Report describes in detail. Such “tags” are small pieces of information accompanied by a larger “metadata tag” which groups them by attributes as well as required privacy and security protection.

The Report argues that a universal exchange language based upon tagged data elements (i.e., DEAS and metadata-tagged data) is more sophisticated and better for privacy and security.

For example, DEAS would require authentication of an individual into the system and allow only access to information based upon the role he or she is assigned. To obtain access to encrypted tagged data elements, based upon a patient’s privacy choices, the individual would have to have the proper credentials and role. It is also crucial to note that the Report rejects that such a system would require “universal patient identifiers” or create a central repository of patient information.
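The access decision described above, sketched as an added example (it is not code from the PCAST Report or from any DEAS implementation). The tag fields, role names, purposes and sample records are assumptions constructed for illustration; the sketch covers only the authentication, role and patient-choice checks, and leaves encryption and key release out of scope.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TaggedElement:
    """One data element's metadata tag (all field names are assumptions)."""
    element_id: str
    holder: str                       # organisation storing the encrypted payload
    local_patient_ref: str            # holder-local reference, not a universal identifier
    category: str                     # e.g. "medication", "behavioral_health"
    allowed_roles: FrozenSet[str]     # patient's privacy choice, carried in the tag
    allowed_purposes: FrozenSet[str]  # purposes the patient has agreed to


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str
    authenticated: bool               # outcome of an upstream credential check


class AccessService:
    """Deny-by-default decision point; every decision lands in the audit log."""

    def __init__(self, elements: List[TaggedElement]) -> None:
        # Only tags are indexed here; payloads stay with their holders.
        self._index: Dict[str, TaggedElement] = {e.element_id: e for e in elements}
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def decide(self, who: Requester, element_id: str, purpose: str) -> Tuple[bool, str]:
        element = self._index.get(element_id)
        if not who.authenticated:
            result = (False, "not authenticated")
        elif element is None:
            result = (False, "unknown element")
        elif who.role not in element.allowed_roles:
            result = (False, "role not permitted by patient choice")
        elif purpose not in element.allowed_purposes:
            result = (False, "purpose not permitted by patient choice")
        else:
            result = (True, "permitted")
        # Denials are logged as well as grants, so reviewers can see refused attempts.
        self.audit_log.append((who.user_id, element_id, purpose, result[1]))
        return result

    def permitted_elements(self, who: Requester, holder: str,
                           local_patient_ref: str, purpose: str) -> List[str]:
        """Return the ids of one patient's elements this requester may obtain."""
        candidates = [e.element_id for e in self._index.values()
                      if e.holder == holder and e.local_patient_ref == local_patient_ref]
        return sorted(eid for eid in candidates if self.decide(who, eid, purpose)[0])


# Constructed sample tags for one patient at one holder (not real data).
SAMPLE_ELEMENTS = [
    TaggedElement("el-001", "clinic-a", "A-1017", "medication",
                  frozenset({"physician", "pharmacist"}), frozenset({"treatment"})),
    TaggedElement("el-002", "clinic-a", "A-1017", "behavioral_health",
                  frozenset({"physician"}), frozenset({"treatment"})),
    TaggedElement("el-003", "clinic-a", "A-1017", "lab_result",
                  frozenset({"physician", "researcher"}),
                  frozenset({"treatment", "research"})),
]

if __name__ == "__main__":
    service = AccessService(SAMPLE_ELEMENTS)
    pharmacist = Requester("u-pharm", "pharmacist", True)
    print(service.permitted_elements(pharmacist, "clinic-a", "A-1017", "treatment"))
    for entry in service.audit_log:
        print(entry)
```

Because the patient reference is local to the holder, the lookup needs both the holder and the reference, which is how the sketch avoids relying on a universal patient identifier.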

Furthermore, the Report explores how HIPAA is ill-equipped to handle the changes in health IT, and possibly detrimental to medical research and care, and how HITECH both partially remedies and exacerbates this situation, such as through the accounting of disclosures, which will “stifle innovation”.

Finally, the Report argues that federal leadership is necessary to combat economic concerns and incentivize information exchange and development of health IT systems. Adopting standardized metadata, aligning economic incentives (such as through “meaningful use”), encouraging technological innovation and competition, supporting development of network infrastructures through appropriately designed pilot projects, and developing a regulatory health IT structure along with regulatory oversight all are suggested by the Report as necessary.

PCAST details several layers and roadmaps for government agencies to progress towards the realization of a national health IT infrastructure. It also recommends guidelines for transitioning from existing EHRs and information exchange systems to the new tagged data element model advocated by the Report, and addresses generation of necessary early design choices by ONC and the Report’s vision for future CMS meaningful use requirements. The Report concludes with specific short and mid-term recommendations for ONC, DHHS, CMS, and other agencies in order to realize the objectives outlined in the Report towards establishment of a national health IT infrastructure.   In response, ONC, for one, appears to have already set up a PCAST Report Workgroup, and the first meeting is scheduled for January 14, 2011.
