VA Health Informatics 101

Industry Expert Perspective Series: Health Data Exchange and Privacy & Security

October 2011

The following transcript has been edited for readability.


Slide 1

VA Health Informatics 101: Health Data Exchange and Privacy & Security

(Patricia): I am Patricia Dombroski. I am the Director of the Life Science Informatics Center at Bellevue College. We are bringing the VA Health Informatics 101 series to you all, and of course it is funded by the Office of the National Coordinator for Health IT.

Welcome to the second in the Industry Expert Webinar Series. We are very much in hopes that the class is proving to be a delight to you, as it is to us, and certainly informative.

Just one special note: this webinar is live in October 2011; however, it will also be made available to our winter learners that start in January. So, it should be obvious, but just to never let the obvious go unsaid. For those of you listening on the winter quarter side, you will not be able to send up questions. You will certainly be hearing reference to that throughout the exchange today.

This series, as you already know, is intended to bring you really close to industry leaders who are genuinely forging the way in health IT today—so kind of as it happens. We are really honored to have our two luminaries with us today, Elliot Sloane and Kate Berry. Their biographies are posted on your class site.

Topics today are health information exchange (HIE) and data standards. Things that we all need a little illumination on, and certainly I do not think that any of us would agree that there is any aspect of that that is set in concrete, so a very exciting area as well.

Kate will lead us off, and then we will hear from Elliot, and then they will both look for your questions after their presentations. So we will get started with Kate. Kate Berry is the Chief Executive Officer of the National E-Health Collaborative. It is a public/private partnership that works with partners including The Office of the National Coordinator for Health IT, the ONC. Of course we know that is seated at the U.S. Department of Health and Human Services.

The mission there is to engage stakeholders in a collaborative way to realize common goals to lead to transformative change in health IT. Kate has more than 20 years of healthcare experience and is a nationally known expert on electronic prescribing.

And prior to joining the National e-Health Collaborative, she was Senior Vice-President at Surescripts. Kate, we are really thrilled to have you here today. Thank you.

(Kate): Thank you, Patricia.

Slide 2

SECRETS OF HIE SUCCESS REVEALED: Lessons from the Leaders

So, hello, everyone. It is really a pleasure to be here with you, and I am excited to share some findings of a report that we recently published profiling leading organizations that are involved in health information exchange. So I am just going to jump right in, and I really do look forward to an active Q&A session.

Slide 3

NeHC Mission, Vision and Strategy

Just a word on the National e-Health Collaborative (NeHC), as Patricia said we are a public/private partnership. We are a multistakeholder organization, so we have got a board made up of leading experts in health information technology and health information exchange. We have got people from provider organizations, public health, quality, technology vendors, etc., so a very diverse and multistakeholder board. And this slide just sort of highlights for you the major activities that National e-Health Collaborative is engaged in.

We actually run something called the NeHC University, which is a web-based education program, so we cover a lot of topics related to health information technology and health information exchange. We also provide communications and education and stakeholder engagement support to the Nationwide Health Information Network Exchange (NHIN), which is a network that includes a number of the federal agencies, such as the VA (Veterans Affairs) and the DOD (Department of Defense) as well as the Social Security Administration and CMS (Centers for Medicare & Medicaid Services) and CDC (Center for Disease Control) and about 20 or so private health systems and health information exchanges, so this is a network that is live and exchanging information electronically among all of those participants.

And then we also convene something called the Consumer Consortium on eHealth. So this is a group of 250 plus organizations that are coming together to coordinate the development and implementation of a program to get consumers more engaged in using health information technology and eHealth tools to better manage their health. And we also provide some thought leadership around health information exchanges looking at critical success factors and working collaboratively to try to tackle the various barriers and challenges associated with achieving widespread health information exchange.

Slide 4

12 Leading HIEs Profiled in the Report

So, as I said I am just going to share with you today the highlights of this recent report that we published, and on this slide you can see the various organizations that we profiled. So, it is a very diverse group of organizations in terms of both their structure. Eight of them are nonprofit organizations, three of them are actually for-profit organizations, and one is a government agency, the VA. And they are also diverse geographically as well as in their approach to health information exchange.

So what we did is we studied these organizations pretty deeply to understand what they are doing that is making them successful with health information exchange and what kind of impact they are having within their communities. And then we tried to synthesize from those findings: what are some of the commonalities, where are some of the differences etc., so I am just going to share, again, those highlights with you briefly today.

Slide 5

Critical Success Factors

In terms of critical success factors, there were a number of themes that we saw that all of these organizations essentially shared. One is, you know, they are all working very, very hard to engage with all of the stakeholders in their community. So, it is an ongoing and intensive effort to keep all of the different stakeholders in the communities connected with the health information exchange and engaged with them because they all sort of come with different perspectives and different needs if you are thinking about health systems, or payers, or employers, or physicians and other clinicians. So that alignment with stakeholders around the priorities of the health information exchange is a really important critical success factor. These organizations also find that they really have to position themselves as a trusted neutral entity. So providers are not going to use the information unless they know it is going to be protected. They are not going to share their information unless it is protected. So these leading health information exchanges really work hard to demonstrate that they can be trusted both with the data that is shared with them in terms of protecting security and privacy but also in terms of making sure that it is not accessed inappropriately, etc. So that trust and neutrality is important.

Being able to articulate and demonstrate a compelling value proposition around the services they are offering is also very, very critical. We often talk about the challenges of a sustainability model or a business model that works for health information exchange, and this is extremely difficult, but these organizations are very, very focused on making a strong business case for the services that they are offering and making sure that there are customers who need those services and are willing to pay for them.

Market structure also is important. These health information exchanges need to have a critical mass of providers and patients that they are taking care of so they need to be big enough to scale in the marketplace. And it helps especially if there are not multiple health information exchanges in a single community that are competing to get providers connected to them. So it is good to have a very collaborative market structure.

And then in terms of some of the core competencies of these health information exchanges, they are definitely finding that they need to really understand the workflow in the physician practice and in the hospital and be able to help manage the change that they go through as they begin to adopt health information exchange because it needs to be easy for providers to use in order for them to fully adopt and use the technology. So these HIEs are definitely strong in terms of understanding clinical workflow and helping providers manage change.

Slide 6

Barriers

In terms of some of the barriers, these again—it is sort of the flip side of the success factors—so we did find that one of the ongoing challenges these organizations are experiencing is the complexity of managing patient privacy and consent especially if they are cutting across state lines because there are lots of different rules in different states.

The other sort of major, major barrier that organizations, even these leaders, are struggling with is the gaps in and variation in terms of how the interoperability standards are implemented. So, even though we have fairly well-developed standards for health information exchange, how those are actually put into practice tends to vary a bit and that creates some challenges around exchange.

Slide 7

Portfolio of Services

In terms of what services these leading HIEs are offering, they all provide the basic services of essentially collecting and distributing patient health information among providers. They are enabling the delivery of clinical summaries on patients—the problem list and key summary information. And they are integrating with electronic health records so providers can access the exchange through their actual electronic health record in the practice.

So, these leaders are also developing additional services that typically are not available through a provider’s electronic health record, and so they are developing things like patient registries, which helps providers better manage a population of patients as opposed to just individual patients, so they can sort of figure out what the status is of all their diabetes patients for example and make sure they are getting all the appropriate care that they need.

They are also working on medication reconciliation so enabling that medication management process to work more efficiently, and they are supporting population health management. So, these are some of the sort of leading areas that these health information exchanges are becoming increasingly involved with. And it is sort of a gap because providers cannot do that through their electronic health record; they need a health information exchange to support that.

Slide 8

Business Models

Another really important part of our study was to understand how these organizations, what their business models are, how do they make money, how do they fund their operations, etc., and there were some important learnings here. Essentially all of these information exchanges that are sustainable are being paid fees by the connective providers, and typically these are structured as subscription fees as opposed to transaction fees because a transaction fee essentially has the tendency to disincentivize the use of the information.

So, subscription fees are the more common way that hospitals and physicians pay for the access to the information. Most of these health information exchanges are also charging the data sources to make their data available to providers, so typically the health plans and/or the labs or other data sources are also paying a fee to deliver their information to providers.

So, finally the last point I will make on this is just that these leading organizations, they do not expect to fund their operations through grants. There is a lot of federal funding, and some states are providing funding to support the development of health information exchanges, but typically these organizations they will go after the grant money, but they will invest it in strategic initiatives as opposed to expecting that grant money to cover operations. So it is an important strategy whereby they are all segregating the operational money, if you will, from the grant money.

Slide 9

Connectivity Strategies

In terms of connectivity strategies, most of these organizations are using multiple different strategies for how they connect with and share information with the various participants. So there are a number of different sort of possibilities for how that works. There is what I mentioned earlier—the NeHC works with the Nationwide Health Network Exchange. So, there are lots of organizations that are exchanging information through the exchange at the national level which enables one state HIE to exchange with another state HIE or enables a community health information exchange to share information with the VA or DOD, as an example, since many service people and Veterans get their care both within the VA or DOD system but also in the private sector. So, it is important that their information can follow the patient.

And then there is also something called Direct, which is more a push of information on a patient, that can support transitions in care, if you will, or referrals when a patient is referred from a primary care first person to a specialist. So, these organizations, the vast majority of them, are using multiple different strategies. So they are using the Exchange for certain purposes, they are using Direct for certain purposes, such as transitions in care as I said, and they are also collaborating with the state HIEs for certain use cases as well.

So I think it is important to recognize that health information exchange is not a one-size-fits-all model, but there are multiple different use cases and multiple different pathways for connectivity that are being used.

Slide 10

Strategies to Create Value

In terms of these leaders and how they expect to create value increasingly into the future, there is a number of things they are doing. They are helping providers to achieve meaningful use. So, there are major financial incentives available now for hospitals and physicians to adopt and meaningfully use technology. So the health information exchanges are playing a role in helping physicians and hospitals achieve that benchmark, if you will, and be eligible for those financial incentives so that is a value add for them.

There are also, as I said, they are beginning to do a lot more in terms of data analytics to support improving population health management, improving outcomes, understanding what additional care patients may need, be it preventive care, screening etc., but providing actionable information based on analytics that the providers can use to take better care of their patients.

They are also beginning to support—this is fairly immature—but in these health information exchanges, many of these leaders are helping their providers with patient engagement, consumer engagement so they may be providing a portal through which a patient can access their test results or electronically communicate with the provider, make appointments, maybe refill prescriptions, etc.

So these HIEs are providing patient engagement tools for their connected providers. They are also providing tools to help them work more closely with their patients, the providers and the patients, to manage chronic conditions more effectively. And then finally they are increasingly supporting their providers as they move to create Accountable Care Organizations and Patient-Centered Medical Homes. So all those things are sort of value-add services that Health Information Exchanges are getting increasingly involved with.

Slide 11

Future Outlook

And then in terms of where they are heading, these leaders, they are focused on growth, both geographic growth as well as development, of new services. They are definitely also increasingly engaging with payers and employers recognizing that we are going to be in an environment where we are going to have to deliver better quality, better coordination, and better cost effectiveness, so they want to be sure the payers and employers are engaged in that regard.

They need to continue to prove to everyone that they are in fact bringing value to the stakeholders and participants. And they are going to continue to play a greater role as it relates to care transformation, and all of this is going to require capital.

Slide 12

Programs on HIE Leadership and Innovation

So, I am just going to highlight very briefly on this slide some additional programs that we are offering related to health information exchange and encourage those of you who are interested in hearing more to certainly attend.

Slide 13

Download

And with that I will just show you the link where you can download the full report of this Health Information Exchange, Lessons from the Leaders. That is the link to the full report (http://nationalehealth.org/SecretsofHIESuccessRevealed.pdf), and I will turn it back to Patricia. Thank you.

Slide 14

“The Buzz:” Some of the Hot Items about Health Information Exchange Standards and Privacy and Security

(Elliot): Since Patricia has not come on yet, perhaps I will start directly. This is Elliot Sloane, and I am pleased to have the opportunity to join you today and talk about some of the hot items that are going on in health information exchange standards and also privacy and security. I have sort of a very interesting background as a biomedical engineer also a health information person. I work in two spaces, medical devices and the informatics standards.

Slide 15

2011-12: Main components of the Nationwide Health Information Network (NwHIN)

I want to talk at first a bit about terms that were not in our field when the course material was put together for the community colleges and those community college courses. For example, a year ago the Direct program, which uses a form of secure email, was just in its earliest stages of discussion. That Direct system is a system that pushes communication to physicians who do not necessarily have an electronic medical record system yet. So, it allows them to receive things that are real important for their patients, such as blood lab results.

Connect on the other hand has been around for a little while. Connect is a federally developed program as a gateway between federal organizations, like the Social Security Administration, Veterans Administration and the Department of Defense, that allows data to be pulled through the very secure Federal Firewalls, FISMA (Federal Information Security Management Act), I think is the abbreviation used, and the Connect program is both a push and a pull. In other words, someone can ask for Mrs. Good’s drug allergy list and can expect it to be returned through the Connect system.

Slide 16

Two kinds of exchanges emerging:

There are two kinds of exchanges now emerging. Again, these terms did not exist when we put the curriculum together for the community colleges. HISPs, the Health Information Service Providers, are organizations that are specializing in supporting the Direct email-like messages. Each HISP is sort of like a mini-post office and their business structure is similar to what Kate described as a per transaction basis to transfer the data from one physician or hospital to a patient or a physician or another hospital.

Of course, because the information is private, there are a number of extraordinary steps taken in encryption and privacy and authentication of the receiver so that we can ensure the information goes to the right place. And then the Health Information Exchanges in general, which as Kate described quite well, are able to handle more complex exchange tasks.

It is interesting that every state is in a different position of development or maturity. For example I am part of a strategic planning group in Pennsylvania that meets in Harrisburg several times a month to work on our strategic plan, and we found the white paper that Kate described extremely valuable because we want to learn from the best practices of organizations who are already in this field.

Slide 17

HISPs (Health Information Service Providers)

Again, the HISPs, the job of the HISP is to send just a single secure piece of information reliably through an email-like service. And that piece of information is not necessarily structured. So, if it is a lab result that has information about a particular kind of cancerous cell or an injury, that information might be in the form of a photograph or a hand written note, it does not have to be in a digitized numeric, alphanumeric format that can be put into an electronic medical record.

Slide 18

HIEs (Health Information Exchanges)

HIEs, on the other hand, are much, much more complex. In the world of the health information exchange, some form of Enterprise Master Patient Index, or EMPI, has to be maintained in order to make sure that all of the providers in that region can find a particular patient. Because the United States does not have an individual health identifier for patients, we are forced to use first name, last name, gender, weight, a number of parameters to try and make sure we match people, but of course in many communities people share the same first name, the same last name, and it becomes very, very confusing or potentially confusing.

HIEs do pull and push so that we can ask very interesting and important questions and get prompt answers, and also HIEs are generally designed to include structured data so that the numeric quantified information about a blood pressure or a blood glucose level can be put directly into the electronic medical record and, if necessary, also trigger a decision support system to recommend that a nurse make a follow-up call.

Data can also be unstructured. So, there are times, let us say in decubitus ulcer management for a homecare patient, where a photograph says a thousand words, and so it can carry structured or unstructured.

Slide 19

HIEs are evolving!

HIEs are evolving quickly. By 2012 many HIE protocols, many Health Information Exchange protocols, may be supplemented with HISP services. Again, a year ago the Health Information Exchanges, many of which Kate talked about, did not even have HISP or DIRECT to work with, so now they are incorporating it in their capabilities in order to allow them to reach out to small physicians, nursing centers, and clinics that do not have EMRs in place.

And then I will be giving you a description a little bit later about how CONNECT can allow sending information from private hospitals and institutions and physicians to the Social Security Administration or to the Veterans Administration or even to the DOD to support the care of a Warfighter or Veteran.

Slide 20

Why do we need Health Information Exchange?

So in this example that was written about three years ago I am going to talk about a Gunnery Sergeant Joseph NHINpatient, obviously a made-up name, and the story here is of a young man who went through a life where he went into the service and was injured. This was originally developed in 2007 by Linda Fischetti and her colleagues at the Social Security Administration and the Department of Defense.

The person who narrates this in the original discussion was a surgeon, a neurosurgeon, with the Department of Defense, and I am going to use his words while we are reading the dialog and the history.

Slide 21

Gunnery Sergeant Joseph Nhinpatient Treatment History

And it starts with just a basic story of Joseph being born in Albuquerque, New Mexico, and he was cared for by a private physician who was part of the New Mexico Health Information Exchange. So the New Mexico Health Information Network actually is where his data was available and shared with local hospitals after he was born and in his early school years.

At six years old he has moved to Cherokee, North Carolina, and in Cherokee he is now living and going to school and being cared for by the Indian Health Service. He happens to visit a friend while he is in high school in Kingsport, Tennessee, and had an accident. And there he was cared for by a private hospital that was a Care Spark Provider. Care Spark is a, in Tennessee, is a Health Information Exchange that connects physicians and hospitals.

And then ultimately, after turning 18, he enlisted in the Marines and reported to duty at Quantico.

Slide 22

DoD Demonstration: Pre-deployment Evaluation

In the predeployment evaluation, he is about to be sent to Iraq, and the government needs to find out, well, is he healthy? Are there any conditions that would prevent his active duty? And in order to do that the Nationwide Health Information Network is the tool used to gather information from many different sources, such as the Department of Defense's own records, the New Mexico Health Information Community, the Indian Health Services, and Care Spark.

By doing that kind of data acquisition, they can find out if there are any unusual injuries, cardiac problems, or anything else that might pose a risk to Joseph before he is deployed.

Slide 23

Gunnery Sergeant Joseph Nhinpatient’s Treatment History - Iraq

Joseph spends six months in Iraq, and unfortunately is involved in a serious accident. He is ambushed, he sustains some major head trauma and leg and foot injuries, and because of that he is deployed, evacuated back to Bethesda, Maryland. And in Bethesda he is being taken care of by the DOD. He has got excellent care for his traumatic brain injury, but he is still having some problems, and in addition to his problems he has some foot injuries.

So, because of his foot injuries, which are not healing very well, he has been discharged temporarily to St. Mary's Hospital in Richmond, Virginia, because they specialize in certain kinds of foot injuries that can help Joseph. Now St. Mary's hospital is a private institution; it is also a part of the MedVirginia Health Information Exchange. So in MedVirginia, they are able to pull the information from the DOD that have all the records of his injuries so they can proceed properly with his care. And he has been at a leave of absence after he has recovered a bit to go on vacation in Pinehurst, North Carolina.

But in Pinehurst he starts to have severe headaches and has to visit a hospital that is part of the First Health Health Information Exchange Provider. So you can see the care for Joseph is getting more and more complex.

Slide 24

SSA Demonstration

But because of the NHIN, the NwHIN or sometimes we call it the NEW WHIN, we are designing a system that allows information to be sent from provider to provider reliably, securely, and accurately without delay and without rewriting or retaking histories.

Slide 25

Federal Consortium and NwHIN – Leveraging standards to assure Health Information Exchange across barriers…

All in all, the entire NwHIN and the Federal Consortium will allow many, many, many different players all to communicate—the CDC, who is interested in epidemiologic and outbreaks of diseases; the Indian Health Services; the Veterans Administration; the Social Security Administration; Medicare; the DoD themselves; community hospitals; integrated delivery networks (such as Kaiser Permanente®); and ultimately personal health records banks where people can find their own records through time.

And the goal is to have reliable dial tone-like communication with the same kind of sense of confidence when you pick up your home phone or your office phone or click on your cell phone—that you get immediate access to the information and a chain of trust. The chain of trust is very important because each of these players has to be confident that the privacy of the patient will be protected, that they are sending or receiving information from authorized participants, that the information is accurate, timely, and complete.

Slide 26

Tackling the evolving HIE standards

Now, one of the leading organizations in this space currently in the U.S. is the Massachusetts eHealth Initiative (MeHi) and the NEHEN, New England Health Exchange Network. And because the standards are constantly changing, Dr. John Halamka, who is the CIO of Beth Israel Deaconess Hospital and also the Chairman of the NEHEN Organization, published a recent (September 19th) article on how they see the evolution of their systems.

Slide 27

Evolution of Systems

Currently they have many different small Health Information Exchanges in their region. Some are in New England, some are in Massachusetts, some are at individual hospitals, and all of them are going to be sharing access to a HISP provider because none of them currently have their own HISP DIRECT capabilities.

However, at the same time they believe that in the future, individual HIEs, such as Mass Health, or the Partners Health System, or Beth Israeli Medical Center, Beth Israel Deaconess Medical Center (which is supported by the NEHEN), they will each have their own HISP capabilities bolted onto their HIEs. And then individual physicians will access the entire community through the internet, potentially using HISPs for their own EMR system.

Again, what provides this capability, the underlying standard, is called the DIRECT standard, and that is an email-like push of data. And the argument there is that a primary care physician who is waiting for a single lab report about a person's cancer biopsy really is only interested in that one piece of information and that will suffice to allow her or him to make the next decisions for the patient.

Slide 28

Stay tuned!

So stay tuned. It is an exciting world of health information standards that is still evolving quite quickly.

Slide 29

Security and Confidentiality Challenges

Let me shift gears now and talk about the security and privacy challenges. The rubric or the mnemonic that is used for security in health care in other fields is CIA, Confidentiality, Integrity, and Availability. And the government has defined very, very carefully what CIA is within the HIPAA (Health Insurance Portability and Accountability Act) in the world of health care.

Slide 30

2003: the US HIPAA Final Rules

Confidentiality as defined in the 2003 regulations means the property that data or information is not made available or disclosed to other persons or processes.

Now confidentiality is a little different than privacy. Confidentiality for example is something that an enterprise has to assure. Privacy is something that an individual expects or asks for. Integrity of information. Ensuring that the information is not destroyed, damaged, or tampered with, which is critically important for patients who have chronic diseases and have to have ongoing accurate information about their medication and the responses to side effects.

And then ultimately availability. Ensuring that information is available in a timely fashion to support a patient. So, for example if a patient arrives in a hospital in a coma, it does no good to get their records five hours later. It has to be made available in a timely fashion to determine if it is a diabetic coma, or if there is a stroke or some other probable cause of that problem.

Slide 31

e.g., the US HIPAA Final Security Rules’ “General Requirements” for Compliance

Confidentiality seems fairly obvious, but when you look in the details of how you achieve confidentiality, it is not just hiding screens or being careful of what you say to people, but it also includes things like encryption of data. And if any of you have played around with any encrypted or encryption systems, some of them are quite easy to use but the algorithms behind them are quite complex. And the more encryption that you use and deploy, the harder your computers have to work and slower your computer and disk drives will function.

Also it implies that there is authentication and authorization to see information. So, the role that a person plays in a hospital is quite complicated. A physician may be a patient in one setting, maybe a parent in another setting, and maybe the physician of record for a patient in a different setting. And their access and their legitimate legal access to information is going to be different in each setting.

Slide 32

Confidentiality challenges today? Growing larger!

The confidentiality challenges are frankly getting a lot harder. We have some very interesting discussions going on with the CMS and with Food and Drug Administration and others about how to deal with mobile apps. On the first day that the iPad was released, for example (it seems like just yesterday but I think it was 2 years ago), Dr. John Halamka blogged that he was using the iPad in his emergency department (ED) on his ED rounds because he is both a clinician and an informatics expert. And now it has become quite common for physicians and nurses to have their own PDAs, iPhones, iPads, or other products (some are issued by the hospital; some are not), and how to deal with the privacy and the security and confidentiality of information on these devices is quite challenging.

Users also might not be visible in the hospital. How do you make sure that someone has not brought in their own iPad or iPhone and hacked into the computer system in the hospital and accessed patient data?

Slide 33

Integrity

Integrity. Ensuring data is not altered or destroyed in an unauthorized manner. This is a lot more difficult than it seems especially with mobile devices. Because if a device is set down and it has not been logged off or shutdown, it is possible for someone to play with the information. It is a risk in a home setting for a home care nurse or physician, and it is also a risk in the hospital. And the loss or tampering with data for someone who has an acute or a chronic disease can be quite risky.

Another area we are struggling is the amount of consumer grade Wi-Fi—the IEEE 802.11 standards that are used to connect many of these devices—those access devices themselves are not intrinsically safe or easily secured.

Slide 34

Availability

And then finally availability. What happens if you have an iPad or iPhone in a town that has a major sports event? And if you have ever had that experience yourself, you have found that you cannot use your iPhone because you cannot get to the network. It is too busy; it is too congested.

During a disaster, it may be fine to make short phone calls, but can you really rely on the iPad or iPhone to gather all of the clinical records or get the diagnostic information in a timely fashion to make a decision about patient care, drug allergies, dosing etc.? Some data in these systems is life critical. So if you do not know that a patient might be allergic to penicillin and you give them a prescription for that, they may go home and have a lethal reaction.

And then the other point we are realizing is that wireless jamming devices now you can buy online for as low as a hundred dollars. Pretty scary challenges.

Slide 35

The point?

So the point is that information technologies are constantly evolving and changing, and that makes this a very exciting and dynamic field but it also makes it very challenging for compliance with CIA, Confidentiality, Integrity and Availability. And as Kate mentioned, there is a whole area of consent management.

We would ideally like people to be able to say with very clear specificity which data they would like, what people or what physicians to have access to, and we are going to continue working in that direction as a community, as a nation. There are no easy answers to these.

Slide 36

The HITECH Act of 2009

Now in the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009—what I was reading before was the 2003 HIPAA Act—the HITECH Act added many new teeth and penalties. One of which is that entities that were not anticipated when the Federal Government first put together HIPAA now are playing in this field. Those entities include offshore data entry organizations; it includes remote diagnostic organizations, home care agencies, and others. And basically in the new HITECH Act, virtually any organization including health information exchange providers, personal health record providers, repositories, data entry firms, registries—all of them are now responsible to the HITECH CIA requirements and they will be penalized directly.

I should mention an interesting aspect of that is that the hospital or the physician themselves are not excused if something happens. Both organizations or entities will be bearing the brunt of the penalties.

Slide 37

HIPAA’s Final Security Rule “Applicability”

The kinds of information that are protected is…

Slide 38

HITECH Applicability to Medical Devices or HCIT systems?

… much more stringent than you might think, and it affects medical devices as well as healthcare information systems—things like billing account number, device identifiers, biometric identifiers, which might be iris or fingerprint information, types of treatment, prescription IDs, and all sorts of things that might relate back to the individual patient if you have the information and could trace it back through the system.

Slide 39

New, substantial HITECH penalties…

The penalties under the HITECH Act are quite high: up to 50,000 dollars per violation. Up to 1.5 million dollars per year with no maximum total penalty. The former penalties I think were in the area of tens of thousands of dollars. Now they are quite serious. And their violation, that is, perhaps that could generate that kind of fine is the disclosure of PHI (protected health information) by any sort of breach.

Slide 40

New, substantial HITECH disclosure obligation:

Furthermore, HITECH requires covered entities to provide a detailed log, an audit, of all personal health information that has been disclosed or shared. So, now hospitals and physicians have to keep an audit log of everything, and then if there is any sort of breach the individual whose information has been breached has to receive notification that that happened. These are both new requirements because the original HIPAA recording and reporting requirements only required reporting of unusual results.

Slide 41

But wait: there’s more

And then within 3 years HITECH requires state and federal regulations to be aligned to allow states’ Attorneys General to file civil suit against violators who have breached the HIPAA and HITECH CIA requirements.

Slide 42

Oh, by the way:

And an interesting aspect of this that I did not realize until we started working on it in federal committees about 2 years ago is that the state privacy laws are quite different and are quite disparate.

Slide 43

Examples of Individual State Regulations (1 of 4)

I will give you some examples quickly to make the point. You can get this data from a website, Medical Record Rights at Georgetown University, and there is for every state there is a report that tells what the privacy laws are for that individual state.

Slide 44

Examples of Individual State Regulations (2 of 4)

I am just going to pick out some individual examples. In Delaware a quick question about how long does my provider have to keep my medical records. Hospitals that receive Medicare payments have to keep your data for five years, physicians for seven years. So that seems a pretty straightforward piece of information right?

Slide 45

Examples of Individual State Regulations (3 of 4)

How about in Pennsylvania, where I live? Seven years from the date of last service or until a young person reaches 25 years old, seven years or 19 years old for physicians. It is 25 years for a hospital, 19 years old for physician, and if the hospital saw the patient at age 24, it is a longer period, it is 24 plus 7, until they are 31.

Slide 46

Examples of Individual State Regulations (4 of 4)

As opposed to New Jersey. How long does my provider have to keep my records? Ten years or until 23 years old, or 7 years for a physician. Now the interesting question is if you have physicians who are providing services across state boundaries, which we do in almost every state in the nation. Pennsylvania I think I counted has nine different surrounding states.

Slide 47

Complying with HIPAA

Complying with HIPAA, availability and integrity requirements and also complying with state requirements is quite difficult, and we try to ask the question of how good is good enough. The answer unfortunately is it depends.

Slide 48

Complying with HIPAA (cont’d)

John Halamka called it a quilted patchwork of standards, and I think that is a fair assessment of the state of the art today.

Slide 49

It will take time to sort out!

It is going to take a lot of time to sort out. With our seven states we really are struggling with no common law or understanding about retention of records, destruction of records, etc.

Slide 50

So, I can STILL hear some of you saying: “How HARD could it be???”

So how hard can security and privacy be? I want to give you, unfortunately this is a very hard problem. This is an ongoing set of issues. As of yesterday, yesterday's news in the American Medical Association's website, it talks about Tricare—an organization you folks in the VA are probably very familiar with—an estimated 4.9 million Tricare beneficiaries to be at risk after backup tapes that were unencrypted are now missing.

Slide 51

There are entire web sites devoted to Health IT Breaches

There are entire websites devoted to health IT data breaches. For example this DataBreaches.net site has enough information to fill—their data banks are actually running out of storage space to keep track of this information. Nemours for example reports losing patient and payroll data for 1.6 million individuals in their system and that was as of three days ago.

Here is another report of an individual who has pled guilty in theft ID from electronic health record systems.

Slide 52

Food for thought: Is ANYTHING really sacred?

I just want to close on another final thought here, which is that is anything really sacred? Well apparently not. U.S. drones were just hacked recently, and the information it is even worse. They were not just hacked, and it is not just that there is a virus. There is something called a data logger in the system that is keeping track of commands that are being given to the drones and being sent from the drones, and at this point, at the moment, and this is from Saturday's news, at this point we do not even know where that data is being sent.

Slide 53

My point?

So my point here is the future looks bright indeed for those of you who choose to master and stay up to date on health IT security and privacy issues, a fascinating area, and it is an area that needs a fair amount of common sense, a lot of due diligence, and not that much technical detail, but a real commitment to protecting patients' privacy and data and their well-being.

Slide 54

For further information:

Here is my contact information (www.ebsloane.org; ebsloane2chirp.us.org). You can reach almost anywhere. I have a web site esloane.org you can Google me. I would be glad to chat with any of you in the future, and I would like to thank you all for spending this time with me and Kate and Patricia, and I return the controls here to Patricia and open the floor to questions and answers.

(Patricia): Thanks Elliot, this is Patricia. I am sorry we missed the opportunity to thank you and Kate and to introduce you before your remarks. Now that our student participants have had the benefit of your brilliance, it will come as no surprise to them to learn that Dr. Elliot Sloane has many years in both industry and academia. On the industry side, his roles included CIO (Chief Information Officer), COO (Chief Operating Officer), and CTO (Chief Technology Officer) in organizations such as Global Medical Device and Research Manufacturing.

Elliot is also a teacher, an educator. First as a Professor at Villanova and later at Drexel University as Research Professor and Director of Drexel's Health IT Systems Engineering Program. Certainly not one to rest on your laurels, Elliot. You have also created a nonprofit organization, the nonprofit Center for Healthcare Information Research and Policy (CHIRP). Elliot is also a HIMSS (Healthcare Information and Management Systems Society) Fellow, an IEEE (Institute of Electrical and Electronics Engineers) senior member, a Certified Clinical Engineer, and was past president of the ACCE (American College of Clinical Engineering).

He was a chair of the HIMSS Security and Privacy Steering Committee, served on HIMSS Annual Conference Education Committee, and is a member of the HIMSS Career Services task force. And I cannot let the opportunity go by without mentioning that Elliot Sloane is also the Co-Principal Investigator of a National Science Foundation grant which is creating a new entry level certificate for health IT for a career in health IT.

Kate and Elliot have provided us both, and thank you so much, you have provided us both with a wealth of current information.

You Elliot especially and Kate as well drew our attention to some really optimistic movement in the industry, but there are also some kind of big challenges that the United States has coming up. What would you say that the biggest challenge is in health IT for the United States in the very short-term?

(Elliot): Kate, do you have any information from your surveys that would be helpful there?

(Kate): Well, you know we did not really ask that exact question, but I mean I will throw out a couple of ideas. I am sure Elliot that you have some as well. I think that the economy and the pressure, I mean I think health care has been, you know, priced, the cost has been increasing at a very fast rate, and I think that we really cannot tolerate that anymore, which is why we finally after decades of trying passed health care reform last year. So I think the pressure to really transform how health care delivery, how health care is both paid for and delivered, you know, is the number one challenge.

And health IT is an enabler for that, and so I think that it is a supporter, it is an enabler, but there are a lot of challenges simply in getting the technology adopted and fully used in a widespread manner. So I would sort of leave it at that in terms of the pressure to transform and health IT as an enabler to that, but the fact that it is difficult to get it in place and get it fully utilized in order to achieve the benefits.

(Elliot): Well, certainly the technical issues are very substantial, and the fact that we are changing standards as we are going is sort of like the joking metaphor of building the airplane while you are flying it. It is a little scary at times and pretty hard to build a reliable system.

I think the other challenge is the cultural challenges in health care. Physicians are not used to disclosing every last detail about the discussion they had with a patient with their colleagues. They are not used to having every individual piece of work and decision they have made potentially reviewed and shared with their colleagues. And that raises some interesting challenges in our tort and our legal systems, and it also raises some just cultural behavior issues.

But there is a lot of work that has been done in the military that suggests that teamwork can produce extraordinary outcomes beyond what individuals can produce, and so I think that eventually physicians, nurses, hospitals will yield to that accumulated knowledge.

If anyone is interested, I have got some interesting articles from the aviation industry that point to that as well, and you can find a book called, Why Hospitals, I think it is called, Should Fly because it talks about some of the similarities in safety and reliability that lie there.

(Patricia): And that is taking a look beyond our borders as well. One of our participants is asking, "Do you think health informatics will be embraced worldwide?" I think some countries, of course, are already well ahead of us, are they not?

(Elliot): Well, they were well ahead of us, but I do a lot of work internationally. I have in the last five years have done work in health information projects in Dubai, in European Union, Geneva, Italy, Germany, in Australia, and Latin America, Korea, and I coach here at the IHE International, Integrating the healthcare enterprise healthcare standards body, and we have 24 countries involved. Everyone is struggling with much the same challenges that we are.

Some are, you might argue, ahead because they have national patient identifiers, but the real serious complications of illnesses and diseases and scientific challenges of medicine, health care is not the same as landing a jet fighter on an aircraft carrier where you can know the degrees of freedom, the variations you might expect. Diseases come in all sorts of flavors and compositions and combinations and people have all sorts of unexpected reactions to medications, and because of this Health Care Informatics is of great interest worldwide, and there are research studies, pilot projects everywhere on the planet.

There is even one project we are involved with in Europe called the epSOS Project that has I think at last count 17 nations working to share their data in more or less real time across the European Union because their citizens are allowed to travel and work anywhere in the European Union, and healthcare is supposedly provided for them wherever they are.

(Patricia): Kate, anything to add to that?

(Kate): Well, I guess the only thing I would add is when you have a single payer system, it is easier to sort of force the technology adoption. So, it is sort of a simpler, which many other places are, but I do not have the same level of experience in all those places that Elliot listed. That is just one observation.

(Elliot): It is interesting on that note. It looks easy, and then when you find out that, for example, Canada has, I think, it has five states, and they have each selected their own approach to their health information exchange, and they have their own budgets and manage their own policies. I think Australia is in the same boat. In China when I was there two years ago, I was shocked to find that each of their, essentially their regions or their states, I think they translated it, is building their own individual health information exchange, even though it is a national payment system, even though it is completely centralized in the dollars and cents and general policy.

I think the biggest example of a single system is in the UK, and they started probably ten years before us and have spent 15 or 20 billion dollars and are still struggling to get a system that does even close to what they need or want it to do. That's why I said I do not think we are as far behind as I thought we would be, and hopefully there will be more breakthroughs, just like your examples, Kate, about best practices in health information exchanges we can take from other countries.

(Patricia): You know you two are such a wealth of knowledge. I feel like we would like to design a course just around the two of you. So do not think I would not be calling you in the future. Kate and Elliot, thank you both so much for being with us today. We are genuinely honored to have your insights. It is such a grand undertaking interacting with the VA employees. We are just really delighted that you all would enter into the process.

And to our learners, I hope that you have learned as much as I have today, and I hope your learning week goes well. Thank you all for joining us. Bye now.

(Kate): Thank you.

(Elliot): Thank you. Have a great day.
