Web-Tones

The Implementation Workgroup Testimony. Great post by John Halamka summarizing our current status regarding implementation of the beseline standards required to effectively exchange healthcare data across a number of domains (e.g. ePerscribing, Labs, administrative transactions, etc.). What is encouraging is that these folks have "grokked" the lessons of historically successful standards development initiatives. Here is a gross oversimplification of these lessons:

• Keep the standards lightweight for widespread adoption
• Target the simple use cases first
• Implement early and often

Notice also in John's post he links to an online, government sponsored forum, for achieving widespread collaboration on this work. The is proof that the power behind enabling technologies is starting to permeate government led initiatives, which should be a cause for celebration. President Obama gets it and correctly sums this up in his mantra of: "we don't need big government or small government, what we need is smart government."

John also makes a subtle but important distinction when he states that privacy and security concerns clearly need to be addressed as standards are developed, concurrent with said development, but of the two having the correct privacy policy in place is the more important. Why is that? Let me attempt an answer to this premise. Security, although often non trivial to implement based on the technical complexity, is a problem that has already been solved in other industries, it is an engineering problem. We are good at solving engineering problems (e.g. insert "man on the moon" meme).

A privacy policy, however, is culturally and organizationally complex (i.e. a wicked problem) and historically we have not been so good at solving these kinds of problems. All the really tough problems facing us (and the planet) are wicked problems. We should collectively become more fluent in problem identification because if we don't understand the nature of the problem, we have little hope of solving it effectively or efficiently.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

The Health Care Blog: Is Healthcare IT Ready for its Big Coming Out Party?. It should go without saying, but I will say it anyway, because each industry seems to learn these lessons in their own unique way, that HIT implementations are by definition wicked problems. Whether a covered entity ("CE") goes with the market leader is no guarantee of success. We will be reading much more about EHR disasters in the coming months and years as the health care industry becomes the latest casualty of the people, process and platform conundrum.

Succinctly stated, HIT/EHR implementations are wicked problems to a large degree because people and process issues are ignored while providers focus on technology. All three components are mission critical and clearly, given the complexity, even the platform (read technology) component is "totally non trivial" to get right. So what is the solution? There are NO cookbook solutions, that is part of the definition of a wicked problem. Expect to be confronted with significant "unexpected challenges" and be prepared to iterate your way through them; in short, the best advice is to fail forward fast.

As counter intuitive as fail forward fast may seem (i.e. even more so in the heath care industry where anything that smacks of failure is anathema), this is right prescription but will almost universally not be followed. Why? Because as a society we appear to be hell bent on using engineering methodologies even in cases where agile methodologies are clearly called for. The latter has "failure cycles" built-in while the former is obsessed with getting the right answer.

There is no right answer. The answer will be different for every CE by definition. Add to this mix a completely transformed legal regulatory landscape and the challenges ahead appear daunting to say the least. If you want a fighting chance to succeed then you must start with accepting the premise that your organization must first change the way it thinks about the problem. This is no small feat.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Medicaid Payer Gives Breach Notification. By all accounts it looks like CalOptima, a Medicaid managed care plan serving 360,000 recipients in Orange County, Calif., quickly responded to this PHI breach. It notified the appropriate authorities and is in the process of notifying individuals as per the requirements of HITECH Section 13402.

It also appears likely that CalOptima had a breach notification plan in place, given the speed by which it is moving forward to comply with the regulations. Our basic philosophy is that a covered entity ("CE") should assume that a breach of PHI will occur and develop the necessary plan and response templates that will allow it to expedite, and correctly execute, the breach notification requirements of the HITECH Act.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

DBLG Announces Release 2.0 of The HITECH/HIPAA Survival Guide and a HITECH Risk Management Webinar Series. We are happy to announce Release 2.0 of the HITECH/HIPAA Survival Guide (see link) and a HITECH Risk Management Webinar Series starting in January 2010 (final date TBD). The Webinar Series will focus on developing a set of HITECH/HIPAA compliance frameworks:

• HITECH Act Fundamentals (basic tenets of the new compliance regime)
• Organizational (training and process change organization wide)
• Breach Notification (Response teams and response templates)
• Internal Audits (substance and frequency)
• Legal (business associate contracts, compliance tools, input into all other frameworks)
• Attacking the HIPAA Privacy and Security Rules (coverage, budgets, staff skills)

Check out a FREE EHR Checklist. DBLG will be introducing these frameworks in our FREE HITECH/HIPAA Compliance Newsletter with full coverage continued in the Webinars. The HITECH Act has introduced a furious pace of change into the health care industry and annual conferences no longer suffice as the sole primary tools for tracking industry wide game changing events.

The Health Care Blog: JSK (national treasure) on data liquidity, and how it fits into Health 2.0. There are lots of "buzz words" now being thrown about in the healthcare space purporting to give solutions to "age old" information technology problems that other industries have struggled with for years, with some progress, and much pain, as a result of unintended consequences. HIT, although starting to open up to input from "outsiders," still appears to live mostly in its own isolated universe. So when you hear words/phrases like "data liquidity" and "substitutability" be sure that you do not "willy nilly" drink to much of this "kool aide."

For example, "substitutability" is a nice word and certainly monolithic EHR apps that want to "be everything to everybody" leave lots to be desired. The problem is that when you have too much interchange of moving parts then when something goes wrong (which it always does) then who owns the problem? This is where all the "finger pointing" starts between the vendors and the customer is always left holding the bag, usually having to "prove" to a particular vendor that the problem lies with them.

In addition, since nearly all "substitute vendors" will almost by definition be business associates, this expands the legal requirements placed upon the covered entity (CE). The more business associates (BA) the more BA contracts that are required, and with BAs now civilly and criminally liable under HITECH/HIPAA, CEs should expect these contractual negotiations to be significantly more than simply having BAs "signoff" on boilerplate agreements. 

The devil will be in striking the appropriate balance between the "number of cooks" in the software kitchen and the additional complexity that results because of it. There are simply no easy answers to health care's wicked problem.

Check out a FREE EHR Checklist. If you would like more information regarding this changing landscape, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.