Stimulus Blog

Nextgen Healthcare Information Systems

Physicians and healthcare providers across the country have found themselves scrambling to get their arms around the government’s plan to ensure electronic health records (EHR) are implemented within a few short years. It’s easy enough to understand the concept of adoption incentives, which will be activated in 2011, as well as the penalties for noncompliance to be imposed soon after. But other components of the plan are less concrete.

One of the major hurdles healthcare providers have encountered is the criterion that they prove they are “meaningful users” of EHR to be eligible for incentive bonuses. Everyone can agree that “meaningful use” sounds like a good idea – but, until now, no one has known exactly what it entails.

Fortunately, this grey area is close to being finalized. Throughout the summer, the Office of the National Coordinator for Health Information Technology (ONC) has entertained proposals and public comment as it developed a working definition for “meaningful use.” The broad goal they have recommended to the Department of Health and Human Services (HHS) is that meaningful use “enable significant and measurable improvements in population health through a transformed health care delivery system.”

To accomplish this, ONC recommended specific objectives for physicians to meet as they begin using automated systems. Criteria for the 2011 deadline include:

• Allowing patients to access their health records in a timely manner;
• Developing capabilities to exchange health information where possible;
• Implementing at least one clinical decision support rule for a specialty or clinical priority;
• Providing patients with electronic copies of discharge instructions and procedures;
• Submitting insurance claims electronically; and
• Verifying insurance eligibility electronically when possible.

ONC also called for enabling patient access to personal health records by 2013 and will require that all providers participate in a national health data exchange by 2015.

While these standards present no small challenge, the fact that they have been articulated represents enormous progress.  Although these recommendations do not yet carry the force of regulation, all messages from the Center for Medicare and Medicaid Services (CMS), the HHS implementation arm for the program, have indicated that these measures can be relied upon for the final rule.

Many healthcare organizations have hesitated to make purchasing decisions about EHR systems until they understood more clearly what CMS would ask of them.  Now they have the clearest signals so far.

We must keep in mind that, while clearing the “meaningful use” hurdle is a major accomplishment, other challenges remain – like determining the most appropriate approach to EHR certification. We will discuss factors impacting this issue in future posts.

All the guidelines may not be specified yet, but physicians must balance the details of meaningful use and certification plans with the impending deadlines – i.e., achieving meaningful use by January 2011.  In my opinion, finalizing EHR plans should be a major goal for all medical providers in the next few months.

Charlie Jarvis, FACHE, Vice President for Healthcare Industry Services and Government Relations

Most all security guys will tell you that Identity Management (IDM) is a security thing, but if you think about it security is focused on keeping people out of your systems and IDM is a framework for letting people in. I think that IDM fits  better in the privacy area. Privacy is about letting the right people, and only the right people, see your information. In healthcare no one would say that “keeping my data private means that no healthcare professionals should ever be able to see my data’. In a world like that we would be relegated to repeat all tests and procedures over and over again (come to think of it perhaps that IS what we have).

So if security is keeping people out and IDM identifies how to get in to data, then would that not be a privacy thing. If you look at the HIPAA privacy rule it talks about when users can access healthcare data, which is exactly what a well written IDM system does. IDM includes all the processes that control identifying users, and associating them with the services or data they can see or modify. It also has logging for users access (another HIPAA requirement).

So, who cares? IDM is privacy not security. What difference does this make? A LOT. If you look at the focus of IDM today most all of the technologies are primarily concerned with the use case of “the break-in”. (i.e. what happens if the identity is hacked or stolen). If we re-focus the discussion to privacy of information then we can create systems that better track authorization workflows (i.e. what happens if a user can’t get to the information they need). I think we would all agree that as much as I don’t want my information shared everywhere I really don’t want to be poked with a needle because my doctor can’t access the last blood test I had.

It may not change the products, but I think it may change the focus of discussion thereby enabling the creation of environments needed for SHARING of data not SECURING data from others.