Karen DeSalvo started as the new National Coordinator for Healthcare Information Technology on January 13, 2014. After my brief discussion with her last week, I can already tell she’s a good listener, aware of the issues, and is passionate about using healthcare IT as a tool to improve population health.
She is a cheerleader for IT, not an informatics expert. She’ll rely on others to help with the IT details, and that’s appropriate.
What advice would I give her, given the current state of healthcare IT stakeholders?
1. Rethink the Certification Program – With a new National Coordinator, we have an opportunity to redesign certification. As I’ve written about previously some of the 2014 Certification test procedures have negatively impacted the healthcare IT industry by being overly prescriptive and by requiring functionality/workflows that are unlikely to be used in the real world.
One of the most negative aspects of 2014 certification is the concept of “certification only”. No actual clinical use or attestation is required but software must be engineered to incorporate standards/processes which are not yet mature. An example is the “transmit” portion of the view/download/transmit patient/family engagement requirements.
There is not yet an ecosystem for patients to ‘transmit’ using CCDA and Direct, yet vendors are required to implement complex functionality that few will use. Another example is the use of QRDA I and QRDA III for quality reporting.
CMS cannot yet receive such files but EHRs must send them in order to be certified. The result of this certification burden is a delay in 2014 certified product availability.
While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.
Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.
Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.
Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information and Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.
I’ve recently written about healthcare.gov and the lesson that going live too soon creates a very unpleasant memory.
As I work with healthcare leaders in Boston, in New England, and throughout the country, I’m seeing signs that well resourced medical centers will struggle with Meaningful Use stage 2 attestation, ICD-10 go live, HIPAA Omnibus Rule readiness, and Accountable Care Act implementation, all of which have 2013-2014 deadlines.
People are working hard. Priority setting is appropriate. Funding is available.
The problem is that the scope is too big and the timeline is too short.
What are the risks?
Over the next few months, Jacob Reider will serve as the interim National Coordinator for Healthcare IT while the search continues for Farzad Mostashari’s permanent replacement.
What advice would I give to the next national coordinator?
David Blumenthal led ONC during a period of remarkable regulatory change and expanding budgets. He was the right person for the “regulatory era.”
Farzad Mostashari led ONC during a period of implementation when resources peaked, grants were spent, and the industry ran marathons every day to keep up with the pace of change. He was the right person for the “implementation era”
The next coordinator will preside over the “consolidate our gains” era. Grants largely run out in January 2014. Budgets are likely to shrink because of sequestration and the impact of fiscal pressures (when the Federal government starts operating again). Many regulatory deadlines converge in the next coordinator’s term.
The right person for this next phase must listen to stakeholder challenges, adjust timelines, polish existing regulations, ensure the combined burden of regulations from many agencies in HHS do not break the camel’s back, and keep Congress informed every step of the way. I did not include parting the Red Sea, so maybe there is a mere human who could do this.
What tools does the coordinator have in an era of shrinking budgets?
At present, Meaningful Use Stage 2, ICD-10, the Affordable Care Act, HIPAA Omnibus Rule, and numerous CMS imperatives have overlapping timelines, making it nearly impossible for provider organizations to maintain operations while complying with all the new requirements.
Can resources be expanded?
Now that Labor Day has come and gone, I’ve thought about the months ahead and the major challenges I’ll face.
1. Mergers and Acquisitions
Healthcare in the US is not a system of care, it’s a disconnected collection of hospitals, clinics, pharmacies, labs, and imaging centers. As the Affordable Care Act rolls out, many accountable care organizations are realizing that the only way to survive is to create “systemness” through mergers, acquisitions, and affiliations. The workflow to support systemness may require different IT approaches than we’ve used in the past. We’ve been successful to date by leaving existing applications in place and building bidirectional clinical sharing interfaces via “magic button” viewing and state HIE summary exchange. Interfacing is great for many purposes. Integration is better for others, such as enterprise appointment scheduling and care management. Requirements for systemness have not yet been defined, but there could be significant future work ahead to replace existing systems with a single integrated application.
2. Regulatory uncertainty
Will ICD10 proceed on the October 1, 2014 timeline? All indications in Washington are that deadlines will not be changed. Yet, I’m concerned that payers, providers and government will not be ready to support the workflow changes required for successful ICD10 implementation. Will all aspects of the new HIPAA Omnibus rule be enforced including the “self pay” provision which restricts information flow to payers? Hospitals nationwide are not sure how to comply with the new requirements. Will Meaningful Use Stage 2 proceed on the current aggressive timeline? Products to support MU2 are still being certified yet hospitals are expected to begin attestation reporting periods as early as October 1. With Farzad Mostashari’s departure from ONC, the new national coordinator will have to address these challenging implementation questions against a backdrop of a Congress which wants to see the national HIT program move faster.
3. Meaningful Use Stage 2 challenges
Although attestation criteria are very clear (and achievable), certification is quite complex, especially for a small self development shop like mine. One of my colleagues at a healthcare institution in another state noted that 50 developers and 4 full analysts are hard at work at certification for their self built systems. I have 25 developers and a part time analyst available for the task. I’ve read every script and there are numerous areas in certification which go beyond the functionality needed for attestation. Many EHR vendors have described their certification burden to me. I am hopeful that ONC re-examines the certification process and does two things – removes those sections that add unnecessary complexity and makes certification clinically relevant by using scenarios that demonstrate a real world workflow supporting the functionality needed for attestation.
Join me in attacking an endemic problem in health care today by Hacking HIPAA. I am crowdfunding the development of a new legal form to be used on and after September 23, 2013 to allow patients to opt-in to easier health care communications – a Common Notice of Privacy Practices that is patient-focused. (Text me, please! Email me, please! etc.)
Depending on how much support this project garners, we can attack some related problems as well. Contributions at any level are welcome; contributions at the levels designated on the Hacking HIPAA Medstartr page get you a seat at the virtual table, voicing your concerns that need to be met in the CNPP and in follow-on projects.
I’m working on this project with two leading health care open source software developers, Ian Eslick and Fred Trotter. Check out Fred’s video intro to the project on the Medstartr page – you can find Ian and Fred online via the links on the project page, too.
Here’s an excerpt from the crowdfunding project page:
Right now we have the worst of all worlds with regards to patient privacy in healthcare. Patients are frequently subject to sub-standard security and privacy practices AND healthcare innovators are unable to deliver solutions that would be useful to patients because their technical approaches are uncomfortably novel for health care bureaucrats. Patients end up getting poor security and no innovation, the worst of all options. This problem is going to get worse before it gets better, since the new Omnibus HIPAA Rule will make cloud hosting of health care projects untenable very soon.