Diana Manos, Senior Editor

The Department of Health and Human Services issued new regulations Wednesday requiring healthcare providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify patients if their electronic health information has been breached.

The regulations are mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA) last February.

Developed by the HHS Office for Civil Rights, they require healthcare providers and other HIPAA “covered entities” to promptly notify people whose health records have been breached, as well as the HHS Secretary and the media in cases where a breach affects more than 500.

Covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies – if they transmit any information in an electronic form using a standard that HHS has adopted.

According to the OCR, the rule also applies to health insurance companies, HMOs, company health plans and government programs that pay for healthcare, such as Medicare, Medicaid and the military and veterans’ health care programs. It includes healthcare clearinghouses that process non-standard health information received from another entity into a standard electronic format or data content, or vice versa.

“This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care,” said Robinsue Frohboese, acting director and principal deputy director of the OCR. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”

HHS officials said they developed the regulations after taking public comment last April and under “close consultation” with the Federal Trade Commission). The FTC has issued its own breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.

To help providers to determine when information is “unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing an update to its guidance on encryption and destruction of technologies that are no longer usable. Providers that are subject to the HHS and FTC regulations that secure electronic health records according to HHS guidance through encryption or destruction are relieved from having to notify in the event of a breach. This guidance will be updated annually.

The HHS interim final regulations on breach notification will be effective 30 days after they are published in the Federal Register and will include a 60-day public comment period.

Above article published on

http://www.healthcareitnews.com/news/hhs-issues-rule-ehr-breach-notification

By Mary Mosquera

The Centers for Medicare and Medicaid Services (CMS) plans to test its ability to accept selected clinical quality data directly from hospital electronic health record systems as early as July 2010.

CMS said it would seek volunteer hospitals to report stroke, blood clot and emergency department measures of care via EHR systems as part of the Reporting Hospital Quality Data for Annual Payment Update program, which provides higher Medicare payments to hospitals that report quality measures to the agency.

The agency detailed the plans in the Aug. 27 Federal Register in announcing changes to its rule for the Reporting Hospital Quality Data for Annual Payments Update. The program, a provision of 2003’s Medicare prescription drug legislation, required hospitals by 2010 to report on 42 quality measures to receive additional incentive payments.

Reporting to CMS is generally paper-based or through a mix of manual and automated systems.

Participating hospitals and their vendors will have to be able to transmit clinical EHR data that adhere to interoperability standards, such as cross document sharing, cross community access, clinical data architecture and Health Level 7 version 3, CMS said.

CMS has encouraged hospitals to adopt EHRs that can report quality data directly to a CMS data repository. Ideally, the use of EHR systems would improve the quality of care by providing physicians with pertinent clinical data as they were treating patients.

“The testing of EHR submission is an important and necessary step to establish the ability of EHRs to report clinical quality measures and the capacity of CMS to receive such data,” the agency said in the published interim rule.

The reporting of selected quality measures is also a key provision of the stimulus law. The Health IT Policy Committee, led by Dr. David Blumenthal, the national coordinator for health IT, has recommended that quality reporting be a part of the criteria providers must meet to demonstrate meaningful use of electronic health record systems, CMS said.

The stimulus law authorized Medicare and Medicaid incentive payments to providers who prove they are meaningful users of health IT starting in 2011.

Above article published on

http://www.govhealthit.com/newsitem.aspx?nid=72031

If the state’s governor gets his way, Kentucky will soon be home to a statewide electronic health records system. To foster that goal, State Gov. Steve Beshear (D) has created the Governor’s Office of Electronic Health Information.

The state is creating the office to make sure it gets its share of the Obama administration’s stimulus funding package for EHRs, which goes to states who adopt them by 2014.

To get those funds, states are required to create a department that oversees its EMR project. These state offices serve as single points-of-contact for federal and state agencies helping to get the EMR ball rolling. In this case, the office will also work with the state’s three regional health information organizations, healthcare providers, consumers, insurers and the whole kit and kaboodle involved in sharing health data.

It will be interesting to see if any of this comes to fruition. Despite some big talk, RHIOs aren’t going great guns, and getting a state’s worth of EMRs in place by 2014 sounds a tad optimistic at best. But hey, press releases wouldn’t exist if people weren’t optimistic!

Above article published on

http://www.fierceemr.com/story/kentucky-launches-initiative-designed-foster-statewide-emr-system/2009-08-20

The requirements for what health IT users need to do to meet the meaningful use dictates of the stimulus law are now clearer, with the focus apparently swinging to how the IT certification process will handle them.

Healthcare providers finally have some certainty about what they need to do to be meaningful users of health IT, said Dr. Bruce Taffel, chief medical officer of SharedHealth, an healthcare information exchange and application provider.

Dr. David Blumenthal, the national health IT coordinator, and the HIT Policy Committee, a public/private organization, approved July 16 a list of 28 health IT functions and corresponding quality and efficiency improvement measures for 2011 that become progressively more rigorous in 2013 and 2015.

The schedule is aggressive and the criteria will be difficult for some to achieve.

“The recommendations provide more clarity at this stage, although there’s still a lot more work to be done,” Taffel said today.

The goals for meaningful use are for providers to electronically capture data, report quality measures and use the data to track patients’ medical conditions. Under the American Recovery and Reinvestment Act, providers will be eligible for increased Medicare and Medicaid payments beginning in 2011 if they demonstrate meaningful use of their certified health IT. The payments end after 2015 when health IT should be broadly adopted.

“The committee shaped their recommendations on meaningful use and the progression to achieve that on the basis of what we can do today, what the current condition is and with a fairly reasonable explanation of how you begin phasing in much of this,” Taffel said.

The policy committee also made its first recommendations on the certification process of electronic health records. Currently, the Certification Commission for Health IT (CCHIT) is the sole certifying and testing organization. The HIT Policy Committee wants more competition.

Multiple groups will be needed to perform certifications because so many more providers will seek to have the service conform to the stimulus, said Paul Egerman, retired businessman and chair of the committee’s certification and adoption work group.

The certification process should also accommodate a scaled-down version of certification process for systems or applications that still allows providers to prove they are meaningful users with components of comprehensive electronic health records, EHRs from multiple sources or self-developed applications, he said.

“If comprehensive certification is important, say for vendor marketing, it’s a positive thing that should continue to exist,” Egerman said.

The committee agreed to focus certification on a minimal set of requirements for meaningful use, and not on features and functions. The national coordinator’s office would review CCHIT certification criteria for gaps in assuring meaningful use.

“We could have the meaningful use gap certification process decided by Labor Day,” Blumenthal said.

Those products that are currently CCHIT-certified will be certified for meaningful use under the Health and Human Services Department definition for 2011, “subject to completing a special meaningful use gap certification,” according to the work group’s transition plan.

The work group also urged that the certification process be used to improve progress on security, privacy and interoperability and provide a tighter link with standards.

Above article published on

http://www.govhealthit.com/newsitem.aspx?tid=10&nid=71842

FISMA is becoming a roadblock for electronic health record implementation, Government Health IT magazine reported this week.

The Federal Information and Security Management Act (FISMA), passed by Congress in 2002 to better protect the federal government against cyber attacks, mandates information security standards for all federal agencies. This includes the flow of data between the Centers for Medicare and Medicaid (CMS) and their contractors—over 200 hundred of them, processing billions of Medicare claims. The new worry from CMS, according to Government Health IT, is that healthcare providers sharing EHR files will be required to meet FISMA standards, which include an annual security test and FISMA certification.

A CMS spokesperson is quoted as saying that this would be more than “burdensome” for both CMS and health care providers and organizations.

The conundrum is that information will be moving between the HIPPA world (the private sector) and the FISMA world (the government)—that latter of which is much more secure, from a protocol/standards perspective. Federal agencies are held to a higher standard than the private sector with respect to information security.

For a long time, consumer groups have argued that HIPPA is a weak standard for patient information security. Yet, many worry that if FISMA is applied to the private sector, there will be a compliance crisis that will be costly to remedy. But why shouldn’t the transfer of health information be held to the highest security standards? Advocates of a middle ground argue “yes,” but not quite as stringent as FISMA. They standards should be more of a more of a “HIPPA-plus” or “FISMA-lite,” in the words of Vish Sankaran, a program director for the Federal Health Architecture project to connect health information entities.

In other words, get health care providers better engaged in securing healthcare information but do not stunt the growth of the EHR movement by placing the bar too high.

In the end, the Office of Management and Budget will dictate the debate through their determination of what falls under the FISMA umbrella. In August of 2008, OMB issued some guidance, stating that FISMA applies to groups that “possess or use Federal information—or which operate, use or have access to Federal information systems (whether automated or manual)—on behalf of a Federal agency.” OK, that could include a ton of organizations.

Confusing? You bet. This is government language after, all. Much like statistics, just mold it to your current need.

There is still debate over whether, for example, health information exchanges (HIEs) that “exchange” information but do not “access” federal information systems need to be FISMA compliant. In any event, there is a strong and important need to address information security in the field of healthcare. Will FISMA be the best vehicle for achieving information security with respect to patient information? That remains unresolved, but hopefully, the work to find a middle ground, coaxing the private sector into requiring more robust security standards, will be the outcome.

Above article published on

http://ohmygov.com/blogs/general_news/archive/2009/06/30/fisma-a-roadblock-for-ehrs.aspx

Maryland further strengthened the goals of the stimulus package or the American Reinvestment and Recovery Act (ARRA) this past week by passing legislation that required insurers to provide “monetary” incentives for physicians to adopt electronic health records (EHR).

The bill, signed by Governor Martin O’Malley, is one of the first of its kind to give sharper teeth to the EHR movement. Insurers may choose from a variety of fiscal incentives including increased reimbursement and lump-sum payments, according to Health IT News. The effort is viewed as a double incentive to providers to join the digital transition that promises to increase health care system efficiency while reducing medical errors for patients. Maryland is not alone in its effort to promote the change from paper to portal; other states are reviewing similar measures that would jumpstart implementation.

Included in the Maryland bill is a requirement for the state to bring a piloted health information exchange (HIE) live by October 1. The goal of the HIE, often comprised of business and community representatives, is to provide support to health care system stakeholders with the goal of increasing efficiency and quality.

Wait, have we heard of an HIE before? Yes. For clarification purposes, regional health information organizations (RHIO) and HIEs are terms used interchangeably; the HIE is simply a new name for a RHIO—it has yet to be determined if it is also a newer and better RHIO. Lingo aside, HIE investment is up.

Other states are looking to HIEs/RHIOs to play a prominent role in EHR adoption. New York, Texas, and Florida are all investing in these information exchanges.

In New York, the Western New York Clinical Information Exchange, known as HealthElink, signed on 6 EHR software vendors to provide community pricing to its clients.

In Texas, the legislature passed two pilot health information exchange programs that promote data transfer between local agencies.

Florida, having received a $9+ million grant from the Federal Communication Commission (FCC), is exploring how to expand broadband access across nine rural hospitals to increase the speed and efficiency of health data transfer.

Other states are vying to develop strategies for technology adoption that support EHR implementation as stimulus dollars dangle overhead. Now that EHRs are heavily banked by both federal and state government, HIEs and RHIOs may take a greater role in aiding communities in EHR adoption. These exchanges hope to serve as important providers of data warehousing as well as offering leadership for the development of criteria for data sharing and data quality. States view HIEs/RHIOs as vehicles for transporting dollars toward the development of technology infrastructure and they are moving as quickly as possible to get their take.

Above article published on

http://ohmygov.com/blogs/general_news/archive/2009/06/01/states-take-bigger-role-in-promoting-ehr-adoption.aspx

By Cody Kraatz

Sunnyvale Sun

Health care is going digital in Santa Clara County, which is rolling out electronic medical records at each of its Valley Health Center sites — including the one at 660 S. Fair Oaks Ave. in Sunnyvale. The goal is to make medicine safer and more efficient.

The switch from paper to digital records — something that President Barack Obama touted since he was campaigning — will take some time, and the county expects the Sunnyvale clinic to go live in June. The clinics provide outpatient services such as internal medicine, pediatrics and obstetrics.

“Patients have had untoward consequences and even deaths related to medication problems, inaccurate diagnosing or interactions between medications, or sometimes people didn’t completely know the information about a patient,” said Dr. Robert Horowitz, associate chief of primary care at Valley Health Center Moorpark in San Jose.

He was one of the first to try the electronic medical records system, starting in April 2008, and he said that despite some challenges it stands to help with several problems.

The county has numerous clinics in addition to the Valley Medical Center hospital, and a patient could have different charts at each location. “It’s really difficult to get a sense of one record that everybody sees and contributes to,” said Horowitz.

“The practice of medicine is really a collaboration, and many people participate in that,” including physicians, managed care coordinators, chronic disease specialists, pharmacists and dietitians, he said.

Doctors can also manipulate data from many visits or the course of a disease to tease out patterns in a patient’s history. “Those of us who have been using [electronic records] the longest are seeing the benefits of having the information at your fingertips,” said Horowitz.

The county is also hoping to secure funding from the American Recover and Reinvestment Act, or stimulus, for inpatient electronic medical records at the county hospital. But the county won’t decide how much stimulus money to seek until after May, when it expects the federal government to release criteria for how applicants must show a “meaningful” usage for the funds.

Besides the Moorpark clinic, the outpatient system was rolled out at the Valley Health Center Silver Creek in January and at the Valley Health Center East Valley in early April.

The county hopes that the cost of the system — which was one of eight elements of a $43.6 million information technology contract signed in 2006 — will be recouped through the efficiency that the system allows.

Take prescriptions, for example. The system allows a doctor to write a prescription directly into the computer and send it to the pharmacy electronically, saving the patient time.

Also, “you no longer have the doctor’s traditionally terrible handwriting to sort out,” Horowitz said. Moreover, because the patient’s existing prescriptions are in the electronic record, the system can highlight potentially dangerous drug interactions or allergies.

With paper records, that process would likely be slower. Refills — of which some doctors fill 25 to 100 per day — become more rapid through electronic requests, too.

All this could, in the end, save the county money. But many, including those who are not as technology-savvy, are finding that electronic medical records slow them down.

“That is definitely an issue that we will need to grapple with. I think it does make me a little bit slower,” said Horowitz.

It takes about six months to get comfortable with the program, which includes a mind-boggling number of pages, templates and data entry fields. There have also been technical glitches that the county hopes will be ironed out by the time clinics such as Sunnyvale’s go online.

Meanwhile, doctors who are accustomed to taking notes about patient visits by hand may feel that the many entry fields of the software disrupt their flow.

“It’s a significant learning curve both to learn the product but also to learn to use the [electronic record] and be with a patient at the same time,” Horowitz said. “You’re almost speaking a different language.” There is, however, a space for free text and he makes use of that.

There are also opportunities to make treatment more collaborative and transparent for patients, he said, by showing them what he is entering on the screen and asking them to review their medications with him.

Patients have been mostly enthusiastic about the electronic records, in Horowitz’s experience. “It’s sort of a`What took you so long?’ kind of feeling. This is a modern way to do medicine, and this is the way people expect medicine to be done,” he said.

However, he does know of one patient who refused to have information entered into an electronic record, fearing that it would be insecure. Ultimately, there will be no opting out.

Likening electronic records to e-mail, Horowitz said that within a year he expects doctors to feel the way he does. “I don’t know how I could have lived without it. I couldn’t see going back to the other way.”

http://www.mercurynews.com/valley/ci_12203584

To help transform health care, the state should invest more in electronic infrastructure that supports the automated exchange of electronic medical information, writes Russell Sarbora of Community Health Network of Washington. Increased efficiencies, lower costs and less waste of resources will help improve the health-care system.

By Russell Sarbora Special to The Times

IN Washington, state spending on health care ranks second only to education. The state has consistently asked how we can improve efficiency, reduce costs and focus scarce resources on insuring and caring for more Washingtonians.

The rapid exchange of accurate and timely information is going to transform the delivery of medical care. Infrastructure that supports the automated exchange of electronic medical information is and will continue to be a primary driver for efficient health-care delivery. We need to encourage and realize an efficient infrastructure for interoperability between electronic medical-record systems.

Washington state has at least two key assets already in place that have the potential to support creation of this infrastructure. These are the Washington State Health Care Authority-sponsored Health Information Infrastructure Advisory Board (HIIAB), and the Community Health Network of Washington (CHNW), the nation’s largest system of community health centers.

The 19 community health centers that make up the network are the primary health-care home for more than 600,000 low-income people in Washington state, including one-third of the state’s uninsured adults and one-half of the state’s uninsured children.

At CHNW we are working with HIIAB to achieve its objectives and have already implemented electronic medical-record systems that cover more than 70 percent of our member clinics and more than 85 percent of our patient population.

Business pressures will eventually produce efficient health-data-exchange services for patients served by commercial insurers and providers who rely primarily on commercially insured patients. But who will ensure that similar services are provided to vulnerable populations?

Through continued support for the HIIAB and by strengthening efforts to encourage the interoperability of electronic medical records, Washington state can improve patient health and safety while simultaneously controlling state-funded health-care costs.

Electronic medical records are used in the vast majority of acute-care facilities in Washington state; by all laboratory-service organizations operating in the state; by almost 25 percent of Washington’s primary-care physicians, and by more than 70 percent of CHNW’s member physicians. Yet, there is no statewide or national infrastructure today that supports sharing this information.

This infrastructure needs to be created, and the states that do so will lead the nation in delivery of efficient health care during the next decade. Washington state can and should be a leader in realizing this goal.

To achieve this leadership position, our state must adopt existing data-exchange policies and standards for health-information exchanges between organizations receiving state funding, provide incentives for technology investments required to support health-information exchanges, and financially support pilot programs that enable health-information exchanges.

CHNW is already working with HIIAB to create a Health Record Banking system that supports sharing of health information between patients and their health-care providers. We need to upgrade this existing business process to use current generation technology and thereby overcome existing shortcomings in reliability, efficiency and accuracy.

Interoperability between electronic medical-record systems is the key to achieving widespread sharing of clinical data. Today, these proprietary systems are incented to constrict access to the data they contain and there are numerous unresolved issues regarding access to the data and under what conditions data are shared.

Fortunately, the HIIAB is well-versed in these issues and well-positioned to support their resolution. The HIIAB is already proceeding with the creation of mechanisms to support patient access and control of their health data. However, the single greatest shortfall in the proposed Health Record Bank system is the absence of mechanisms to automatically include physician-created health data in these patient-controlled record systems. Lacking this critical body of data, the value of Health Record Banks will be substantially diminished.

We need to extend the HIIAB charter and role to encourage interoperability between electronic medical-record systems employed in Washington State and to achieve automated exchange of clinical data. The technology to do so already exists. Policy and will are the only hurdles to be overcome.

Russell Sarbora is the chief information officer for Community Health Network of Washington.

Copyright © 2009 The Seattle Times Company

Above article published on http://seattletimes.nwsource.com

WINSTON-SALEM, NC - The issue around ownership of electronic health information must be addressed before it can be used to improve healthcare, says a recent article in the Journal of the American Medical Association.

“This legal uncertainty presents a major obstacle to integrating and using information about a single patient from various clinicians and hospitals,” say the article’s authors, Mark A. Hall, a professor of law and public health sciences at Wake Forest University and Kevin A. Schulman, MD, a professor of medicine and vice chairman for business affairs in the Department of Medicine in Duke University’s School of Medicine.

Hall and Schulman point out that with paper records the concept of ownership is more straightforward: providers and insurance plans own the paper, so they control the information. “But now that digitizing information frees it from particular storage media, confusion reigns,” they said.

Normal property rights do not apply to patients and their medical records because providers also have a right to the information, the article explains, so patients don’t have sole possession or control. Instead, they have privacy rights to protect and control access to their records.

“Strong privacy laws (favoring the patient) and clinicians’ economic interests in limiting access to health records increase barriers to forming integrated electronic records. This combination of low commercial value with restricted access leaves medical information lying stunted in an undernourished field, ” wrote Schulman and Hall.

The article says the “infomediary” to build the network among different EHRs would need clear authority to bundle and exercise the economic rights of multiple parties.

“An intermediary could compile a bundle of patients’ authorizations to use their information for research or marketing purposes; the compiler could, with patient authorization, then market these databases to permitted users or could transfer the bundled rights to a third party aggregator and marketer,” the article states.

“Some earnings could flow back to patients or compensate participating clinicians. In this way, placing bundled rights to medical information into a stream of commerce could direct them toward their highest and best use,” the authors suggest.

The article maintains that a new system of patient-initiated control of health records could be the key to a successful system. Such a system could “loosen the logjam of competing interests and stimulate market mechanisms to make much larger investments in using and sharing electronic health information.”

Above article published on www.healthcareitnews.com