Dec

4

The Many Challenges of State HIT Expansion Efforts

The expanded use of health information technology (HIT) has become somewhat of a money maker for states and has been cited as key to successful healthcare reform. Many states have formed either legislatively created or Governor’s Office created HIT planning and oversight bodies. All are vying for stimulus dollars to develop state level HIT strategic plans and tap into dollars to pay for HIT expansion within (and hopefully between) states.

Oregon is no different. Initially HIT planning was the purview of the Oregon Health Information Infrastructure Advisory Committee (HIIAC), of which I was a member, created by executive order. The input from the Oregon HIIAC was incorporated in a broader healthcare reform report with recommendations presented to the Oregon Legislative Assembly for consideration during the 2009 legislative session. One of the HIIAC recommendations was to created a HIT oversight and planning body push expanded use of HIT in Oregon.

The recommendation was to create an independent HIT oversight and planning body, what later came to be named the Oregon Health Information Technology Oversight Council. During the course of the session the bill that was introduced to form this independent body was folded into Oregon’s version of healthcare reform and the HITOC was subsumed under the to be created Oregon Health Authority rather than to remain as an independent oversight body.

It makes sense for states to form independent bodies, whether public, private or a combination of, to move forward the expanded use of HIT within and between states. In Oregon, though, that independent body now must answer to a higher authority and lost the autonomy to act primarily as a catalyst to increase HIT use and take advantage of associated efficiencies and increases in quality care. That being said, we have what we have and, as with many other states, need to use whatever vehicle is available to hopefully help the healthcare industry move into the 21st century.

In this blog I included my latest testimony to the HITOC. It serves as an example of issues many states are facing and limitations to existing efforts. I believe many of the following recommendations and the details behind those recommendations are applicable not just in Oregon, but across state lines. States are all in varying stages of preparation for the new world of expanded use of HIT and the expansion of what I would call real electronic health information exchange (versus point-to-point or organization to organization communication only).

For your interest, pleasure and edification, I present to you the latest in my attempts to influence positively the march into the 21st century. Hopefully it can assist other states besides Oregon as differing bodies wrestle with what can be complicated and politically charged endeavors related to HIT expansion.

Summary of Recommendations:

1. Clearly define stakeholders (similar to the method used by the State of Oregon as part of the Health Information Security and Privacy Collaboration (HISPC) project).

2. Clearly define how all identified stakeholders will be afforded an opportunity to provide input as the HIT strategic plan is developed by the HITOC.

3. Review and re-examine entities or collaboratives that were previously categorized as Oregon health information exchanges (HIE) to determine which are truly HIEs versus point-to-point (organization to organization communication) data exchanges.

4. Review and revise electronic health record (EHR) statistics to differentiate between purchased or implemented EHRs versus actual EHR utilization.

5. Revise dollar figures related to EHR implementation incentive dollars that will flow into Oregon to reflect the likely inflow of funds versus the “best case scenario.”

6. Include plans to incentivize adoption of EHR/electronic medical records (EMR), especially by small to medium sized practices given the fact that the “stick” associated with stimulus package incentives will have minimal impact in moving these providers to adopt HIT combined with the lack of capital to make the necessary investment that precludes taking advantage of federal incentives.

7. Review regulatory requirements related to the privacy and security of individually identifiable health information (state and federal). This applies to intra and inter-state HIE.

8. Offer educational opportunities in conjunction with the Office for Civil Rights (OCR) regarding how consumers’ health information is used and their rights/control over the exchange of their identifiable health information.

9. Make an effort to take more of a consumer versus provider centric approach to expanded use of HIT in Oregon.

10. Reconsider adding “privacy” to the HITOC guiding principles.

11. Base the Oregon health information exchange (HIE) or health information exchange organization (HIEO; also called a regional health information organization (RHIO)) on a successful HIEO/RHIO model versus the unsuccessful Portland model.

12. Consider alternative models other than the Oregon Department of Human Services (DHS) Division of Medical Assistance Program’s (DMAP) Health Record Bank (HRB) project when developing plans to engage consumers through the use of personal health records (PHR) given current privacy, security and regulatory issues associated with the HRB project that remain unaddressed by DMAP.

13. Review and incorporate new privacy and security requirements included in the American Recovery and Reinvestment Act (ARRA) when developing especially the detailed portion of Oregon’s HIT strategic plan.

Detailed Recommendations, Comments and Issues:

1. Clearly define stakeholders (similar to the method used by the State of Oregon as part of the Health Information Security and Privacy Collaboration (HISPC) project): At this point in time there has been no clear identification of who are stakeholders that need to be included in the planning process resulting in the development of a successful HIT strategic plan for Oregon. Before outreach begins in earnest, it would be beneficial to clearly define who stakeholders are with the goal of informing the public, interested parties, HITOC members and supporting staff.

I believe it will be difficult to launch meaningful outreach if who the HITOC and supporting staff need to reach out to has not been defined. An example where successful stakeholder identification occurred in Oregon was as part of the HISPC project, Phase I (I was the formal technical advisor to the State of Oregon for the HISPC project during this phase as well as a member of the national HISPC technical advisory panel for all three phases of the national HISPC project).

1. Clearly define how all identified stakeholders will be afforded an opportunity to provide input as the HIT strategic plan is developed by the HITOC: I would appreciate it, and I believe identified stakeholders would also appreciate it, if the HITOC and supporting staff afforded all identified stakeholders an equal opportunity to provide input, raise concerns and recommend solutions as the HITOC develops Oregon’s HIT strategic plan. This is not always the case and I do agree such an outreach process can be labor intensive and time consuming to accomplish, especially when groups of stakeholders are not located within the Portland-Salem area.

I would recommend the use of Web based meeting tools to accommodate input from stakeholders in all geographic regions of the state because, as an example, the needs of and resources available to a physician in Newberg is not comparable to the needs and resources available to a physician in Enterprise.

1. Review and re-examine entities or collaboratives that were previously categorized as Oregon health information exchanges (HIE) to determine which are truly HIEs versus point-to-point (organization to organization communication) data exchanges: There was a significant amount of conversation around the number of HIE’s in Oregon at this time during the November HITOC meeting. I would ask the HITOC to re-examine the true number of existing HIE’s in Oregon. A fair number of the “HIEs” identified are not HIEs. They are associations who have purchased an EHR application for use by the associations’ members. It amounts to a subscription based EHR and not a hub where multiple providers are able to share health information interoperably and across multiple entities. In a lot of respects, this is no different than a clinic implementing an EHR, and using the EHR for clinical and related activities as well as occasionally extracting information that is shared in what amounts to a point-to-point or organization to organization fashion.

This is not to say existing association EHR adoption for members is not of value. Such efforts allow smaller providers the ability to move form a paper to an electronic environment in a cost effective manner. On the other hand, because, as an example, Mid-Valley Independent Physicians Association (IPA) and Douglas County IPA elect to purchase clinical EHRs that members can subscribe to does not open channels of electronic communication between the IPAs nor even the physician members within each IPA.

The bottom line is, in my opinion and others in other states and nationally, these are not HIEs. They are subscription based EHRs sponsored by associations. They also do not meant the national single definition of what constitutes a regional health information organization or a health information exchange organization.

1. Review and revise electronic health record (EHR) statistics to differentiate between purchased or implemented EHRs versus actual EHR utilization: At this time the statistics that have been published regarding EHR adoption in Oregon point to the fact that Oregon is far ahead of the national average when it comes to EHR adoption. This is a very misleading statistic. Per staff and supporting consultants from the Office for Health Policy and Research (OHPR), these statistics do not measure utilization. This could mean that while Oregon is ahead of the curve when it comes to provider organizations purchasing EHRs, Oregon is behind the curve as far as actual EHR use for other than, say, patient appointment scheduling.

As an example, I discussed EHR adoption and use with a retired surgeon and Oregon Health and Sciences University (OHSU) professor. He indicated that a fair number of physicians purchase EHRs or EMRs, expect to be able to customize the applications to support the way they have practiced medicine for a number of years and are frustrated because the applications will not meet their perceived needs (versus re-engineering clinical practices to take advantage of new technology to increase quality and efficiency). The end result is the physician refuses to use the EHR or EMR except potentially for appointment scheduling by the physician’s staff. This means the EHR has been implemented but it is not a potential source of data for HIEs.

I believe the available statistics need to be replaced by statistics that measure actual utilization. This is especially important if Oregon intends to move towards broader based HIEs with richer data sets that can improve health care quality and efficiency for Oregonians.

1. Revise dollar figures related to EHR implementation incentive dollars that will flow into Oregon to reflect the likely inflow of funds versus the “best case scenario”: The initial estimate of funding that would flow into Oregon associated with the stimulus package EHR/EMR implementation (Medicare and Medicaid) incentives was significantly overstated. The published figures appear to have anticipated all available incentive dollars that were available as part of the stimulus package would be available to and received by Oregon’s healthcare professionals (e.g., hospitals, clinics, individual practitioners, etc.).

Currently, the US Department of Health and Human Services (HHS) expects to publish drafts of the two rules associated with incentive eligibility (the definition of “meaningful use” which must be met to take advantage of incentive dollars and the EHR/EMR certification requirements vendors must meet before applications can be certified and considered to include the functionality necessary to demonstrate “meaningful use”) the end of December 2009 with rules final April 2010. This means vendors will need to modify applications to comply with the new certification requirements and then go through the certification process with changes to applications beginning in earnest April 2010 followed by the required federal government certification.

Given the timing of final rule publication, it likely means a significant number of vendors will be in a position to begin the certification process until, at the earliest, Summer 2010 (time will be necessary for vendors to modify applications following publication of final certification requirements before they will be ready to apply for federal certification). This means it is likely the majority of eligible EHRs and EMRs will not be available for implementation or upgrade by health care professionals until 3Q or 4Q 2010.

Incentive funding is available 10/1/2010 (Federal Fiscal 2011). Given it generally takes 12 months to implement a new EMR or HER and it generally takes at least six months to upgrade an existing application (given conversion time, staff training time, testing time, etc.), it likely means health care professionals will likely not be eligible to apply for incentive dollars until, at the earliest, mid-2011 or later. The current funding estimates anticipate providers will be in a position to take advantage of incentives “day one” which I and others in Oregon and nationally believe to be unrealistic.

In addition, small to medium sized providers in Oregon (as well as large providers) need to take into account the cost and effort associated with converting from the current ICD 9 diagnostic code set to the ICD 10 diagnostic code set by 2013 (mandated by federal regulation). There is a significant cost associated with the conversion. Providers will be seriously considering if it is financially worth implementing or upgrading EHRs and EMRs to take early advantage of incentives and then upgrade those EHRs and EMRs by, at the latest, 2012 to accommodate the ICD 10 diagnostic code set conversion.

This does not even take into account the requirement that providers need to invest the capital up front before they are eligible to take advantage of any incentives (which is a significant issue for small providers). The Medicare “stick” (the reduction in Medicare reimbursement beginning in 2015) is not much of an incentive to implement new technology in Oregon given the low reimbursement rates.

1. Include plans to incentivize adoption of EHR/EMRs, especially by small to medium sized practices given the fact that the “stick” associated with stimulus package incentives will have minimal impact in moving these practices to adopt HIT combined with the lack of capital to make the necessary investment that precludes taking advantage of available federal incentives: The incentives really do not take into account practices need to invest the capital up front to implement a certified EHR or EMR before they are eligible to take advantage of any incentives (which is significant especially with small providers). The Medicare “stick” (the reduction in Medicare reimbursement beginning in 2015 by one percent per year) is not much of a penalty encouraging Oregon providers to implement new technology in Oregon given the low Medicare reimbursement rates.

I believe the State of Oregon’s HIT strategic plan needs to include funds to accomplish two things: assist providers modify clinical practices to take advantage of efficiencies and increases in care quality associated with new technology and dollars to assist with the initial investment required to implement EHRs or EMRs, especially at the small practice level and in rural areas of Oregon. This could be through grants, low interest loans or other creative funding mechanisms.

As a member of the Health Information Infrastructure Advisory Committee (HIIAC), I was involved in discussions regarding educational requirements that should be addressed prior to investment in the actual technology – how to actually take advantage of the technology and how to increase interoperability. I recommend requiring EHR/EMR education focusing on how the technology can increase the quality and efficiency of health care prior to any investment in technology.

Also, I recommend requiring the development of HIT requirements and an implementation plan that coincides with what will be required to demonstrate “meaningful use” prior to funding the purchase of a new EHR or EMR or the upgrade to a certified EHR or EMR. The investment in technology will not achieve the end goal of expanded HIE, in my opinion, if technology funding is not preceded by education regarding how to enhance clinical practice to increase quality, efficiency and interoperability. This is also a strategy that has been identified as necessary to the expanded use of HIT in other states and nationally.

1. Review regulatory requirements related to the privacy and security of individually identifiable health information (state and federal). This applies to intra and inter-state HIE: There have been discussions at HITOC meetings regarding the requirement to adhere to the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Provisions privacy and security rules. There has been little discussion that I have been privy to regarding adherence to Oregon’s privacy laws and Oregon’s security laws.

Under Oregon law, certain conditions or categories of care are specially protected pursuant to Oregon law (e.g., mental health, genetic information, HIV/AIDS, etc.). Such health information cannot be shared with other health care professionals or health plans, even for treatment, payment and healthcare operations (with minimal exceptions) without express permission from the patient or health plan member. In addition to Oregon privacy laws, there are other federal privacy laws such as 42 CFR Pt. 2 (alcohol and chemical dependency) that are significantly more stringent than both state privacy laws and HIPAA.

In the case of Oregon privacy laws and other federal privacy laws more stringent than HIPAA, such laws preempt the HIPAA privacy rule and I would recommend including such requirements in the discussion because it will affect how HIT is used in Oregon and how available data will be for any HIE.

Oregon has also enacted security laws (see the Oregon Identity Theft Protection Act of 2007) that require entities other than health plans, health care providers and healthcare clearinghouses implement appropriate administrative, physical and technical safeguards. While this does not impact what are classified as HIPAA covered entities (as long as they are compliant with HIPAA), it does impact organizations categorized as business associates (organizations who store, use and disclose individually identifiable health information or protected health information (PHI)) on behalf of a covered entity). The Oregon security laws in conjunction with the privacy and security provisions of the American Recovery and Reinvestment Act (ARRA) require not only attention to privacy but also to security.

This does not address the state privacy law differences between Oregon and its bordering states that is a nationally recognized barrier to HIE. This is an especially important issue for multi-state healthcare organizations who operate in Oregon such as Peace Health, Providence, ‘The Regence Group and others. The patchwork of state privacy laws has been identified as a barrier nationally during the HISPC project and will be specifically highlighted in a report soon to be released by the National Governor’s Association (of which I co-authored).

Current technology generally does not easily accommodate segregation of health care information to meet state and federal privacy laws that specially protect certain types of health information. I would recommend the HITOC explore technical solutions that would be effective in assisting providers segregate certain health information as required by law, continue to provide statutorily required consumer protections related to privacy and security and improve the exchange of electronic health information.

1. Offer educational opportunities in conjunction with the Office for Civil Rights (OCR) regarding how consumers’ health information is used and their rights/control over the exchange of their identifiable health information: A provision of ARRA requires HHS educate consumers regarding how their health information is used and disclosed and what control they have, what rights they have as it pertains to their identifiable health information. In addition, as part of HISPC Phase II, the State of Oregon developed a consumer focused video intended to educate consumers regarding the use of their identifiable health information. I would recommend continuing and expanding such consumer educational opportunities.

The use of Web based content, list serves, etc. would be beneficial in informing consumers. Given HHS is mandated to educate consumers regarding their privacy rights, how their health information is used, etc., I believe Oregon has an opportunity to leverage federal resources to educate Oregon’s consumers regarding the use of their health information and their rights regarding control over the use of that health information. I recommend the HITOC partner with likely ONC and also tap into a rich repository of tools developed during HISPC Phase III to assist with consumer education, of which the State of Oregon was an active participant (posted on the Office of the National Coordinator for Health Information Technology (ONC) Web site).

1. Make an effort to take more of a consumer versus provider centric approach to expanded use of HIT in Oregon: Dr. Jody Petit has contributed significantly to Oregon’s efforts to effectively expand the use of HIT in Oregon. I would like to quote Dr. Petit here. She has said on more than one occasion that the health care system in Oregon and nationally is not patient centric. As a national expert in the field of HIT, security, privacy and regulatory compliance; as a patient; and as a mental health advocate, I strongly agree with Dr. Petit.

I would encourage the HITOC to move the consumer from the role of a bystander to an active participant. Also, I would recommend spending more time determining what will benefit the consumer versus spending a more significant amount of time determining what is best for health plans, providers, business associates, government, etc. In my opinion, that has more often been the focus of discussions to date that I have either participated in or observed over the past few years.

The buzz phrase regarding health care is now “consumer centric health care.” I would ask that the HITOC move more towards a consumer centric vision (which, in turn, will further engage consumers in their care, reduce care costs and increase the quality of life for Oregonians) versus what I perceive to be more of a healthcare industry centric vision.

1. Reconsider adding “privacy” to the HITOC guiding principles: At the November HITOC meeting, one council member stated that “confidentiality” and “privacy” had the same meaning and there was no need to add “privacy” to the HITOC guiding principles. From a regulatory and a practical perspective, “privacy” and “confidentiality” have two separate meanings. The HIPAA security rule requires covered entities (and soon business associates) reasonably ensure the confidentiality, integrity and availability of protected health information (PHI). On the other hand, the HIPAA privacy rule focuses on privacy versus confidentiality. Between the two rules, from a regulatory standpoint, “confidentiality” is generally associated with security and not privacy.

The confidentiality of a patient or health plan member’s PHI can be protected but this does not mean that the patient or health plan member’s privacy is also protected. As an example, a covered entity may violate the privacy rule by sharing a patient or health plan member’s PHI with a marketing company for target marketing purposes. Contracts can be entered into and the confidentiality of the data maintained. At the same time, illegal marketing is occurring using data while confidentiality is maintained. The confidentiality of PHI may be maintained while violating an individual’s privacy rights and related privacy statutes. HIPAA and Oregon law have specific privacy requirements. These laws are not called “confidentiality” laws, though.

From a practical perspective, consumers are concerned about privacy and will not necessarily equate confidentiality to privacy. If the guiding principles of the HITOC do not reference privacy, consumers and privacy advocacy groups may have difficulty trusting the HITOC will keep consumer privacy as a key element in Oregon’s HIT strategic plan.

Privacy can be viewed as a loaded word and the fact that it has not been included in the HITOC’s guiding principles have the potential of raising the ire of consumers and privacy advocates (not to mention healthcare organizations’ privacy officers). I would recommend specifically referencing privacy in the guiding principle rather than moving forward under the assumption that “confidentiality” and “privacy” have the same meaning when they do not, even from a regulatory standpoint.

1. Base the Oregon HIE/HIEO/RHIO on a successful HIEO/RHIO model versus the unsuccessful Portland model: The funding proposal developed to tap into ARRA strategic planning dollars specifically referenced using the Portland RHIO as a foundational piece as part of developing a plan for a successful HIE in Oregon. I would recommend considering other models that have proven successful in other states that are similar in population and geographic makeup to Oregon. The Portland RHIO was nationally publicized as unsuccessful. I understand learning from past mistakes and taking advantage of previous work that has been done in the area of HIEO/RHIO implementation but would recommend that the unsuccessful effort in Portland not be the primary foundation or basis when developing the model Oregon intends to implement in the future to successfully implement one or more HIEO/RHIOs in the state.

The Portland RHIO project turned out be divisive and was, in the end, opposed by Portland’s provider community. I would recommend referencing the work done in Portland and gleaning information from the project to assist in developing a successful model. I would also recommend not making the unsuccessful RHIO the centerpiece in the planning process, especially given the divisive nature of the project.

1. Consider alternative models other than the DHS DMAP’s HRB project when developing plans to engage consumers through the use of PHRs given current privacy, security and regulatory issues associated with the HRB project that remain unaddressed by DMAP: As a member of the HIIAC, I supported using the HRB project as a model when evaluating strategies to better engage consumers in participating in their own health care and taking ownership of such. The HRB is, for the most part, a personal health record (PHR) for Medicaid beneficiaries in Oregon and is intended to allow Medicaid beneficiaries to continue to use the HRB as their PHR when they cycle in and out of Medicaid coverage or, as DMAP would put it, allow continued use given the churn – individuals moving in and out Oregon Health Plan (OHP) coverage. I still have hopes that the HRB can serve as a model when expanding the use of PHRs by consumers but remain concerned about privacy, security and regulatory issues surrounding the project that continue to be left unanswered by DMAP.

At several points during the project I have raised concerns regarding privacy, security and regulatory issues it appears are not being addressed by the HRB project team or the selected vendor. My latest set of privacy, security and regulatory related questions were forwarded to the project director and the DHS chief security officer September 22, 2009. As of today, no response has been received from DHS or DMAP. Given the lack of response from the department, I have significant concerns relating to how the privacy and security of consumers’ individually identifiable health information will be maintained and whether DHS or DMAP is in a position to meet existing federal and state regulatory requirements related to privacy and security. Given the continued lack of response, I would recommend looking to other models that do meet privacy, security and regulatory requirements and also successfully engage consumers in managing their own health care through the use of PHRs.

1. Review and incorporate new privacy and security requirements included in ARRA when developing especially the detailed portion of Oregon’s HIT strategic plan: There were significant privacy and security changes included in ARRA, some of which are already effective and many that will be effective February 17, 2010. Along with other existing privacy and security regulatory/statutory requirements the healthcare industry in Oregon must live up to, the new changes need to be evaluated and communicated when working with the healthcare industry to expand the use of HIT in Oregon. I recommend that the new requirements, along with existing requirements, be reviewed up front and incorporated especially when drafting the details of the Oregon HIT strategic plan. Some of these changes include (list not inclusive): a. If PHI is stored electronically and a patient or health plan member requests a copy of his or her medical or claims record in electronic form, the covered entity is required to provide a copy in electronic form (effective February 17, 2010). b. RHIOs and HIEOs will be subject to the HIPAA security rule and the use and disclosure provisions of the HIPAA privacy rule (this includes also being subject to the civil and criminal penalties) as business associates (effective February 17, 2010). c. Marketing related activity has been more strictly defined as well as when covered entities can receive payment for sharing PHI (effective February 17, 2010). d. Breach notification requirements have been imposed on covered entities, business associates, PHR vendors who will be business associates effective February 17, 2009, and, following draft and publication by the Federal Trade Commission (FTC), all other PHR vendors (breach notification requirements for covered entities and business associates effective September 23, 2009). e. Civil penalties for violating the HIPAA security and privacy rules has been significantly increased up to $50,000 per violation up to $1.5 million per calendar year for the same type of violation (effective February 17, 2009; interim final enforcement rule effective October 31, 2009).

Closing Remarks:

Again I thank the HITOC for taking the time to consider my input. I understand limited time is available for the HITOC to develop Oregon’s HIT strategic plan. I would hope the HITOC would make every effort to take into account input such as mine as time allows when developing the state’s HIT strategic plan.

I would also encourage the HITOC to seriously take a look back of the work of the HISPC project team, the HIIAC and other planning efforts within this state and nationally to assist in shortening the planning time line by taking advantage of previous work done that contribute directly to the development of the Oregon HIT strategic plan.