STEVEN S. LAZARUS, PHD, CPEHR, CPHIE, CPHIT, CPORA, FHIMSS

PRESIDENT, BOUNDARY INFORMATION GROUPCO-FOUNDER, HEATH IT CERTIFICATION, LLC

OCTOBER 11, 2012

The (New) Current and Future Healthcare IT Paradigm for Staying Connected: The Cheese

has Moved – Finding your Cheese

Business process consultant focusing on electronic health records, and electronic transactions between organizationsFormer positions with MGMA, University of Denver, Dartmouth CollegeActive leader in the Workgroup for Electronic Data Interchange (WEDI)Speaker and author (two books on HIPAA Security and one on electronic health records)Recipient of Vision and Leadership Award as WEDI Chairman, WEDI Corporate Leadership Award, and WEDI Distinguished Service AwardsConsultant to CAQH CORE ProjectHIPAA Expert WitnessConsultant to three successful EHNAC applicants

-- Strategic IT business process planning

-- ROI/Benefits realization-- Project management and

oversight-- Workflow redesign-- Education and training-- Vendor selection and

enhanced use of vendor products

-- Facilitate collaborations among organizations to share/exchange health care information

-- EHR and HIE training and facilitation

-- Medical Banking -- EHNAC Support

Strategies for workflow, productivity, quality and patient satisfaction improvement through health care information

Steven S. Lazarus, Boundary Information Group

2

Who Moved my Cheese?, Revisited

Best seller, “Who Moved my Cheese”, 1998*Changes in the mazeSniff out early changesScurry goes into actionHem denies and resists change (often out of fear)Ham learns to adjust when he sees changing leads to something betterWe all need to find our way in the maze and succeed in changing times (Steven S. Lazarus, 2012)

* “Who Moved my Cheese”, Spencer Johnson, Putnam, 1998

3

Agenda

1. A history lesson to understand where we have been and the business need

2. The business case for interoperable and reliable security and operational infrastructure rules for all provider external communication

3. The infrastructure operating rules under ACA Section 1104

-- Connectivity

-- Interoperability

4. The challenges and how to overcome them

5. Are we there yet, and if we are not, how do we get there?

4

5

1. A History Lesson To Understand Where We

Have Been And The Business Need

1.1 The 1990’s – Security Interoperability Demonstrations

Demonstrations deducted under grant funding in Minnesota, North Carolina and UtahConclusions from the pilots and the general environment of the mid-1990’s

Anticipated changes in security technologyAnticipated potential of the InternetPKI considered a useful approach, but significant questions about its scalability

HIPAA legislation became law in 1996, including security provisionsSecurity technology agreement barriers persist

6

1.2 2005, a Breakthrough Year

April 20, 2005, HIPAA security rule compliance requiredSecurity rule includes requirements for transmission security including encryption and integrity controls

August 29, 2005, Hurricane Katrina hits LouisianaHealth care providers are challenged with this disaster recoveryMarkel Foundation and others lead effort to access prescription drug records for evacuated patients during the disaster

Heightened interest in providing electronic access to patient records resulting from Katrina

7

1.3 2006 to 2012, a Few Steps Forward

CAQH CORE operating rules initially adopted voluntarily in 2006

CAQH CORE infrastructure operating rules mandated under ACA (2010) , by January 1, 2013Increased ONC, Medicare and SSA activity associated with electronically transmitting patient records for specific purposes

8

2. The Business Case for Security and Operational Infrastructure Rules for

Provider Communication

9

The Business Case for Security, Interoperable Connectivity

Providers need a single technical approach to secure connectivity

One technical methodology for both administrative and clinical

Providers need a standard approach for security One or two factor authenticationEncryption specificationsInteroperable connectivity

10

The Business Case for Security, Interoperable Connectivity

Authentication of the provider organization and the individualReliable – identify receipt (e.g., acknowledgement)Real-time required in many cases

EligibilityPatient records to the ER for patient treatment

Batch may be an option in some casesRemittance advice (one business day, maximum)Disability medical records to social security or worker’s comp

11

The Business Case for Security, Interoperable Connectivity

Providers need an affordable approachReasonable technology cost and maintenanceMinimal human user resources required to maintain and understandIdentifier and passwords

One set of identifiers and passwords for all secure communicationsAcceptable frequency of password changes

12

13

3. The Infrastructure Operating Rules Under

ACA Section 1104

Moving Beyond the Standard Administrative Transactions

Section 1104 of Affordable Care Act (ACA) provides the authority for CMS to require the use of operating rules to further administrative simplificationThe business case for connectivity is best served by as common an approach as practical for communicating administrative and clinical information

Lower cost to the provider to one common technical infrastructurePredictable interoperability with one set of rules for clinical and administrativeAbility to migrate rapidly for new real-time for administrative and clinical connectivityCommon security requirements where practical to lower cost and reduce complexity and difficulty to comprehend and implement

14

Operating Rules Definition

Operating rules (O.R.s), as defined in the Affordable Care Act of 2010, are:

“The necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of [the HIPAA, Administrative Simplification, Transactions and Code Sets]”

In health care, the Council on Affordable Quality Healthcare (CAQH) formed the Committee on Operating Rules for Information Exchange(CORE) in 2005, leading to voluntary adoption of certain operating rules . CAQH CORE has also been working with ONC and others to incorporate CAQH CORE operating rules, including connectivity into Meaningful Use and other ONC programs as appropriate.

15

The HIPAA Standards and Operating Rules Players

CAQH CORE developed operating rules for voluntary use and rules that have been adopted under ACA

Eligibility and claim status have a compliance deadline of January 1, 2013*Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) have a compliance deadline of January 1, 2014*More operating rules are likely in 2012-2014 with adoption compliance deadlines as directed in ACA

*As required in ACA, regulations to implement these operating rules have been published by CMS

16

Operating Rules Enhance Standards’ Interoperability

Data content and data definitionsCompanion GuidesAcknowledgement standardsSecuritySystems availabilityResponse time: batch and real-timeSupport interoperability

17

Operating Rules Infrastructure

ConnectivitySOAP+WSDL or HTTP+MIME MultipartDigital certificates for authenticationAligned with ONC-adopted infrastructure for NwHINError reporting requirements using AAA Error Code

Response timeReal-time, 20 seconds or lessBatch: receipt by 9:00 pm ET requires response by 7:00 am ET, next business day

System availabilityMinimum 86% availability per calendar week

18

4. The Challenges and How to Overcome Them

HITECH Changes to HIPAA Enforcement

HITECH significantly increased civil monetary penalties for all violations of HIPAA (TCS, Privacy, Security) effective Feb. 18, 2009:

20

HITECH Changes to HIPAA Enforcement

Interim Final Rule Oct. 30, 2009, effective Nov. 30, 2009Clarifies person can be in violation of HIPAARequires civil monetary penalty (CMP) for noncompliance due to willful neglect

Note that HIPAA risk also includes criminal penalties; enforcement by state Attorneys General, and frequently entails private lawsuits

21

Health Plan Certification Penalty Fees

Health plans must certify to compliance with the following transactions and O.R.s or be subject to penalty fees of $1 per covered life per day until complete certification (fees accrue interest if late; double for misrepresentation; include additional administrative fees for collections; and increase annually by the annual percentage increase in totalnational health care expenditures not to exceed $20 [or $40 for misrepresentation]) by Apr. 1, 2014 and annually thereafter.

Reporting is required by:

22

• December 31, 2013 for: • December 31, 2015 for:• Eligibility (270/271) • Claims (837)• Claim Status (276/277) • Enrollment (834)• Electronic funds transfer • Premium payment (820)• Remittance advice (835) • Referral/authorization (278)

We Have “Sticks” and Security Interoperability for Admin, but we Need “Carrots” and Federal/Private Leadership

1. ONC issued an RFI in May, 2012 for comment on a possible approach for rule making to spell out “conditions” of trusted exchange, but on September 7, 2012, ONC announced abandonment of this approach

2. Standards-based exchange is required in Stage 2 of Meaningful Use

3. ONC is relying on the marketplace to solve the problem or at least provide a lot more specificity to the consensus solution.

23

Transition of the Nationwide Health Information Network (NwHIN) Exchange to eHealth Exchange

ONC is pleased to announce the successful transition of the Nationwide Health Information Network (NwHIN) Exchange to eHealth Exchange, a public-private partnership that represents ONC’s commitment to support health information exchange innovation in the private sector. The eHealth Exchange is composed of federal agencies and private partners that have implemented nationwide health information network standards and services and executed the Data Use and Reciprocal Support Agreement (DURSA), a legal agreement, in order to securely exchange electronic health information. 10/1/12

24

Questions for Discussion

Should the federal government or anyone else continue to fund the state level HIE approach until this issue is resolved Or, should the federal government and the private sector invest in a consensus building process based on available technology, cost and operational options to resolve this issue and bring it to closure within the next 12 months?

The track record without government leadership is not good. There is a 17 year history of pilots and demonstrations attempting to address this issue.

Or, is there a low cost, easy to use approach for providers that can exist in an environment where there are no rules of the road?Or, do we need a “central switch/clearinghouse” liked those used in financial services to move electronic payments and those used in retail pharmacy to move e-prescriptions, “one road with rules versus many roads with rules for the road”?

25

How to Learn More About the Operating Rules

Federal Register, July 11, 2011 for eligibility and claim status operating rules, January 1, 2012 for EFT and ERA standard, and August 10, 2012 for EFT and ERA operating rulesFree webinars and copies of the operating rules from CAQH CORE (www.caqh.org) see CORE operating rulesMGMA (www.mgma.com) Certified Professional in Operating Rules Administration (www.healthitcertification.com)

26

27

5. Are we there yet, and if we are not, how do we get there?

How will you find your cheese?28

Discussion

Contact Slide

Steven S. Lazarus, PhD, CPEHR, CPHIE, CPHIT, CPORA, FHIMSSPresident, Boundary Information Groupwww.boundary.netCo-Founder, Health IT Certification, LLCwww.healthitcertification.comsslazarus@boundary.net(303) 488-9911 (office), (303) 809-9337 (cell)

29