As has been much reported, national coordinator for health IT, Karen DeSalvo, M.D., is leaving the office effective immediately to become acting assistant secretary for health in the Department of Health and Human Services. The announcement was made Oct. 26, 2014, by HHS Secretary Sylvia Burwell.
Burwell requested that DeSalvo make the move in an effort to help battle and lead to containment of the Ebola crisis. DeSalvo will serve as acting assistant secretary until the Senate confirms an assistant secretary. There is no pending individual nominated for the permanent position.
Lisa Lewis, the ONC’s chief operating officer, now will serve as the acting national coordinator at ONC.
According to Modern Healthcare: HHS Secretary Sylvia Mathews Burwell, in a notice to her staff, welcomed DeSalvo, saying, “As the acting assistant secretary for health, Karen’s experience as a practicing physician, a senior member of the HHS team, and as a nationally recognized leader in public health, will be invaluable to the department and me.”
“She will bring her knowledge and real-world experience to bear on some of the most important issues confronting our department, especially our Ebola response efforts,” Burwell said.
DeSalvo was appointed in December 2013 and started in mid-January 2014. She took over after the departure of former national coordinator Dr. Farzad Mostashari who stepped down in October 2013.
To date, she’s the shortest serving ONC national coordinator, if she’s leaving the position permanently, which has not been verified.
Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013, however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI that they’re entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA compliance. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities and now business associates have paid more than $18.6 million to date to settle alleged federal HIPAA violations with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate another quality that reaches across many of the violations to date – the fact that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside to this is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA ready than their customers’ on-premise solutions.
Guest post by Ruby Raley, director of healthcare solutions at Axway.
One little-discussed but widely recognized aim of the HITECH Act’s meaningful use Stage 2 requirements is to stem rising costs and improve outcomes by engaging the consumer to take control of their healthcare. But how is the consumer supposed to take control of anything when their health plan determines which clinicians and hospitals they can visit, and their doctor controls their health record?
That’s an issue the Department of Health and Human Services (HHS) recognized as they developed the incentives for the HITECH Act. To address it, they adopted the electronic health record (EHR), a tool that (1) helps clinicians and hospitals reap incentives and avoid penalties by proving they’ve achieved meaningful use, and (2) puts the certification burden on EHR vendors instead of clinicians and hospitals.
Guest post by Daniel Castro, senior analyst with the Information Technology and Innovation Foundation.
Although we are only a month into it, 2013 is already shaping up to be an important year for health information technology (IT).
Two recent developments have increased pressure on the health care community to deliver results from government investments in health IT systems. First, concerns about the federal budget are causing policymakers to take a close look at programs with a large budget. As of July 2012, the U.S. Centers for Medicare and Medicaid Services (CMS) reports that the government has spent almost $6.6 billion in incentive payments for electronic health record (EHR) systems, and the amount of money spent on health IT will only continue to grow.
Second, policymakers are taking an extra critical look at any program that appears to be underperforming. Whether fair or not, health IT will likely fit this profile as well because of recent concerns that have been raised about the effectiveness of some of these investments. In particular, earlier this month, the RAND Corporation released a report backtracking on its earlier assertion that health IT could save the United States more than $81 billion annually. This claim in the original RAND study played an important role in helping to quantify the potential impact of health IT for policymakers.
The authors of the latest RAND report have raised doubts about the accuracy of that prediction. More importantly, however, they have pointed to a number of factors that have contributed to the lower-than-expected performance of health IT in the United States. In particular, they argue that current performance is the result of slow adoption of health IT systems, the selection by health care providers of EHR systems that are not interoperable or easy to use, and the failure of health IT providers to adapt their processes to the technology.
Many of these problems were somewhat expected. For example, it is not too surprising that healthcare providers adopted systems that are not user friendly since those purchasing the systems are a relatively unsophisticated customer-base. We’ve seen the same type of problems in other areas of government. In the early-2000s, the Help America Vote Act gave out millions of dollars to state and local election officials to purchase new voting systems. Although there was (and is) a strong need to procure more sophisticated voting systems, many of these officials made poor decisions on what types of systems to purchase. We’ve seen the same type of problem in health care.
It is also not too surprising that healthcare providers are experiencing interoperability concerns since the federated, bottom-up approach to building health information exchanges does not properly incentivize data sharing or consumer access to data. The Department of Health and Human Services (HHS) has included some top-down mandates on meaningful use around these issues, but that is no replacement for consumer-driven competition. Still, while the United States may be taking the long route to data portability, at least projects like the VA’s “Blue Button” initiative to give consumers access to data are generally moving us in the right direction.
That is why, even with these minor setbacks, we should still have a positive outlook on the potential of health IT. True, the RAND report is a bit discouraging, but it has also come at an ideal time, when healthcare practitioners and policymakers still have time to refine their efforts to implement the HITECH Act. After all, implementation is far from over and there is still time to have a course correction.
For example, HHS was tasked with defining three stages of meaningful use for EHR systems where each stage reflects an increase in complexity and utility. We have passed stage 1, where the criteria focused on capturing important data and reporting clinical quality measures, and we have moved into stage 2, which focuses on exchanging and transferring health information in different settings. The third stage, which focuses on improved outcomes, is not set to occur until 2016, so there is still time to get this right.
And the key to maximizing benefits is to encourage healthcare organizations to meet high performance metrics through the adoption of advanced technologies. A few years ago I co-authored a report on maximizing the benefits of IT. I wrote “Policymakers should recognize that IT is a means and not an end—it’s unreasonable to expect that simply using IT to perpetuate existing analog processes will lead to better solutions. Existing problems shouldn’t just be digitized; IT should be used to find new solutions to old problems.” These same words hold true today in healthcare where providers do not always understand that innovation takes a combination of people, process and technology.
This is why we need to be thinking long-term about how to maximize the benefits of health IT, not only in delivering more effective and efficient care, but also in rethinking how we use IT to innovate in healthcare. There are countless possibilities where IT can lead to radically new solutions in healthcare, from using IT to monitor health in the home to using health data for new types of medical research. But the reality is that we won’t get there unless we constantly evaluate where we are falling short and implement policies to address these problems so we can successfully move forward.
Daniel Castro is a senior analyst with the Information Technology and Innovation Foundation.
I’ve long been an advocate of HealthIT.gov, which I’ve profiled here multiple times for the guidance the site provides about electronic health records and ways to use the technology.
A new addition to the site is guidance for physicians about mobile health technology, which is beginning to pervade the healthcare landscape.
As healthcare workers and professionals continue to use mobile devices in the care setting, they’ll need accurate and helpful information to protect them and their patients from issues such as security breaches.
To that end, it’s nice to see the Department of Health and Human Services assemble a series of tips and information for the public’s greater good.
The site features several articles and videos designed to offer support and education about using mobile devices in healthcare.
For example, articles include topics such as:
How Can You Protect and Secure Health Information When Using a Mobile Device?
You, Your Organization and Your Mobile Device
Five Steps Organizations Can Take To Manage Mobile Devices Used By Health Care Providers and Professionals
For those who prefer video, topics covered include:
Worried About Using a Mobile Device for Work? Here’s What To Do!
Securing Your Mobile Device is Important!
Dr. Anderson’s Office Identifies a Risk
A Stolen Mobile Device
Can You Protect Patients’ Health Information When Using a Public Wi-Fi Network?
In addition, there are also frequently asked questions and downloadable materials. All in all, the site is filled with a great deal of rich content.
On top of that, there’s a plethora of other information including tips for integrating privacy and security into a medical practice, building a health information privacy and security plan, information about health IT security resources, cyber security and mobile device security.
Simply put, this is a great resource for all of us in healthcare, patients included. Well done, well done, HealthIT.gov.
Will meaningful use Stage 2 reach patient engagement?
Patient engagement now requires patient action. So says the Department of Health and Human Services in meaningful use stage 2.
As a patient, your physician is counting on you to engage with him or her. It’s up to you, folks, to bring it home. Your physician’s incentive, and ultimately his or her potential non-penalty for Medicare, is on your shoulders.
That’s an awful lot of weight to bear. Can’t you feel it? It’s overwhelming. I’m exhausted just thinking about it.
Seriously, though, I’m confused. Someone please set me straight; seriously.
Meaningful use is now up to the patient? Whether or not I choose to interact with my physician via electronic means determines his/her level of success as gauged by the government?
I’m sure I don’t need to recite the language from the ruling, but I’ll do so for good measure.
Five percent or more of patients must send secure messages to their physicians (yes, I said “must”)
Five percent or more of patients must access their health information online (yes, I said “must” again)
The language isn’t written in an inviting tone, but one that tries to demand respect. It doesn’t say “may” or “can,” it says “must.”
Is this a Ray Kinsella moment and HHS’ field of dreams?
“If you build it, he (they) will come,” sounds the whispered voice across the sky.
Cue the sound of rustling corn fields blowing in the wind as each of us imagines memories of our happy places where dreams live on forever.
If this gets built, will we all come and play? How can this be a requirement of our physicians? How can their level of success, the quality of the care they provide, be gauged based on whether or not I choose to interact with them via the web? After all, I want healthcare, not a Facebook friend or a Twitter follower. (I’m using obvious over exaggeration to make a point.)
I am all for patient engagement and believe it will increase given time and effort behind it, but forcing me — as a patient — to do something makes me a little less likely to follow so easily along. I’m not a lemming, and I don’t intend to be.
Sure, five percent seems like a manageable number; not that big of a deal. Surely, it’s just a few people, right?
Until next time, when the number increases to 25 percent of the overall patient population then 50 percent then 75 percent and so on until it’s just mandatory.
What might be the most troubling, though, is how this affects physicians and practices. Engaging patients to receive incentives and keep from being penalized becomes a marketing function, not a care function.
I can see it now: Your doctor will start offering club-type discount cards and try to cajole you with attractive terms like, “Sign up today for the patient portal and after you send just one email to your physician, you’ll receive a $5 credit to your account.”
Or, perhaps the whole thing will have physicians sounding like cashiers at Target: “Sign up for your patient portal access today and you’ll not only receive a nifty tote bag for your things, but you’ll get 25 percent off of your next purchase!”
Lastly, I’m reminded of the lines of credit card pushers lining the student union of every college in the U.S. trying to convince our young and inexperienced that credit is the same as cash, don’t you know.
As noted on HealthWorks Collective, meeting this portion of the stage 2 requirement will take everyone in the practice, not to mention the support of those outside it.
But portals can only facilitate access to patients’ information; they can’t force people to do something they don’t want to do. Requiring physicians and their practices to encourage me to engage with my care providers is up to me, and no matter how useful or entertaining, whether I choose to engage is something I commit to on my own terms.
Just because “they” build (read as “require”) it doesn’t mean I’ll come.