Web-Tones

This post cites and comments on a definition from a book edited by renown Healthcare informatics guru Renato M.E. Sabbatini, PhD (Handbook of Biomedical Informatics. Wikipedia Books, December 2009--A dynamic collection of more than 250 Wikipedia articles).

This healthcare informatics treatise is recommended reading (and a recommended reference) for the many stakeholders in the industry who will be required to weigh (e.g. management teams, privacy and compliance officers, HIT, legal, etc.) in on EHR implementations and everything they touch .

What is cybermedicine?

According to the Handbook of Biomedical Informatics cybermedicine is defined as follows:

Cybermedicine is the use of the Internet to deliver medical services, such as medical consultations and drug prescriptions. It is the successor to telemedicine, wherein doctors would consult and treat patients remotely via telephone or fax. Cybermedicine is already being used in small projects where images are transmitted from a primary care setting to a medical specialist, who comments on the case and suggests which intervention might benefit the patient. A field that lends itself to this approach is dermatology, where images of an eruption are communicated to a hospital specialist who determines if referral is necessary. A Cyber Doctor, is a medical professional who does consultation via the internet, treating virtual patients, who may never meet face to face. This is a new area of medicine which has been utilized by the armed forces and teaching hospitals offering online consultation to patients before making their decision to travel for unique medical treatment only offered at a particular medical facility.

Cybermedicine is really not a new area of medicine but rather a new way to practice medicine underpinned by the same enabling technologies that are transforming practices of all kinds and in all industries. There is an entire laundry list of concepts that potentially fall under this rubric including: eHealth, Health 2.0, mobile health, etc. Sure, the semantics of each are slightly different but what they all have in common is the foundational 24/7 communications platform of the Internet.

Clearly, the relentless movement toward cybermedicine is an idea whose time has come. According to Victor Hugo (paraphrasing): "all the forces in the world are no match for it." We have argued consistently that innovation is the real disruptor in the healthcare industry. Government is playing a role (see the HITECH Act) mainly because it is attempting to underpin what is already occurring in the marketplace. In short, government is an enabler but not the driver.

That said, government is a powerful enabler because the force of law in a civilized society has great weight, and as such is capable of providing a significant acceleration effect to the marketplace. The bottom line is that the combination of marketplace innovation and government acceleration is the "perfect storm" for transforming the monopolistic tendencies of the U.S. healthcare industry. The transformation is inevitable, the form it will take will continue to be a work in progress for the next twenty years.

The intersection of cybermedicine and cyberlaw will continue to see significant development as legislators, judges and industry stakeholders attempt to balance competing forces and priorities.

For more information regarding the intersection of cybermedicine and cyberlaw visit the HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter. Also, check out a FREE EHR Checklist and a FREE Online Backup Checklist, both provided HSG affiliates.

As discussed in this post, HHS has issued two new rules: the first pertains to health information technology (HIT) standards (see PDF); and the second to meaningful use (see PDF). These are interim final rules. They are now open for public comment over the next sixty days.

This post provides a forest from the trees overview of the first rule and a subsequent post will do the same regarding the second rule.

Title 45 CFR Additions

The "mind map" below contains HHS' additions to 45 CFR. Sections 160, 162, and 164 are the HIPAA Regulations that we have all come to "know and love." The section added (i.e. Section 170) represents something radically new, the codification of health information technology standards.

The expanded version of this mind map can be accessed here. The new HIT Standards Rule is now available on the HIPAA Survival Guide in a fully "clickable" format. . The respective subparts and sections are listed below.

The HITECH Act's regulatory landscape regarding HIT Standards continues to expand rapidly. We will have a lot more commentary on specific sections in subsequent posts. HHS introduce Section 170 as follows:

The standards, implementation specifications, and certification criteria adopted in this part apply to Complete EHRs and EHR Modules and the testing and certification of such Complete EHRs and EHR Modules.

Subpart A General Provisions

170.100 Statutory basis and purpose.
170.101 Applicability.
170.102 Definitions.

Subpart B – Standards and Implementation Specifications for Health Information Technology

170.200 Applicability.
170.202 Transport standards for exchanging electronic health information.
170.205 Content exchange and vocabulary standards for exchanging electronic health information.
170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
170.299 Incorporation by reference.

Subpart C – Certification Criteria for Health Information Technology

170.300 Applicability.
170.302 General certification criteria for Complete EHRs or EHR Modules.
170.304 Specific certification criteria for Complete EHRs or EHR Modules designed for an ambulatory setting.
170.306 Specific certification criteria for Complete EHRs or EHR Modules designed for an inpatient setting.

For more information on healthcare innovation and the HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter. Also check out a FREE EHR Checklist and a FREE Online Backup Checklist.

Microsoft Buys Sentillion, The real "disruptor" in the healthcare industry is not the US government but rather the innovation that will be driven by some of America's most tech savvy companies. Microsoft, Google, IBM, Oracle, et. al, all want a piece of this multi-billion dollar market. These are proven players with war chests large enough to attack the market over the next few years, AND moreover, to provide solutions that actually deliver on the promise of interoperability, and other meaningful use measures.

Currently the vendor market appears to be in the middle of the tornado, but this storm will not only impact those players "looking for the money" but the target industry itself as well. In many ways the healthcare industry will be hit by the perfect storm, assaulted by many different forces at once. The ultimate fallout from the storm is completely unpredictable (as these things always are), but the fact that the storm is coming is a natural fact.

Somewhere in the middle of the perfect storm will remain the hurricane like force of privacy and security. There is simply no way that we can achieve the vision of the Health Internet without paying attention to these aspects of the storm.

Check out a FREE EHR Checklist. For more information on healthcare innovation and the HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

It's 5 minutes 2 midnight (read to bottom of post): This video shows Bill Clinton at his best. He simply has no living equal when it comes to getting at the heart of the matter on a policy question. Here's the $$ quote (paraphrasing):

Historically, everyone that has ever bet against America has been wrong. Why? Because we always knew when it was five minutes to midnight and managed to make the right decision.

This is Clinton's riff from a famous quote by Winston Churchill (again paraphrasing):

Americans always find a way to do the right thing, after exhausting every other possible alternative.

I wouldn't bet against America on healthcare, not because of some US government takeover of the health care system (a meme that is pure fiction), but rather because we STILL HAVE the most resilient entrepreneurial economy that the planet has ever known. I have written often about how American health care entrepreneurs will rise to the occasion and that we are going to innovate our way out of this health care mess. Why? Because 16% of GDP is unsustainable and we will bankrupt the future of our children and our grandchildren if we don't fix it. 

I was recently asked at a conference Q&A session if the EHR incentives of the HITECH Act would provide enough of an ROI to get providers to move? My long answer was NO. But if laggard providers don't believe that nimble competitors at this very moment are plotting their demise, then they don't understand that this is not your daddy's health care industry any longer, and yes it's 5 minutes to midnight and a bet against American ingenuity is a losing bet.

Check out a FREE EHR Checklist. For more information on healthcare innovation and the HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions. Our intention is to bring these complex issues down to a practical level with guidance for attendees.

On October 30, 2009 HHS issued the following release:

>>

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an interim final rule today to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to currently effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

In this interim final rule, published today in the Federal Register, HHS amends HIPAA’s enforcement regulations that relate to the imposition of civil money penalties to incorporate the HITECH Act’s categories of violations, tiered ranges of civil money penalty amounts, and revised limitations on the Secretary’s authority to impose civil money penalties for established violations of HIPAA’s Administrative Simplification Rules.  This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.  This interim final rule is effective 30 days after today.   

>>

If you are trying to follow along with the maze of HITECH's effective dates I suggest that you start here. HHS's Interim Final Rule ("IFR"), in general, relates to HITECH Section 13410-Improved Enforcement. The bottom line is that the "new Sheriff" has far more authority under HITECH to impose more stringent civil fines. Couple that with, among other things, HITECH fines returning to HHS' Office of Civil Rights coffers and you have a dramatically altered HITECH/HIPAA regulatory landscape. The full text of the IFR can be found here, along with HHS' commentary regarding same. If you want to review the sections of the Social Security Act that HITECH 13410 revises click here.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

The Implementation Workgroup Testimony. Great post by John Halamka summarizing our current status regarding implementation of the beseline standards required to effectively exchange healthcare data across a number of domains (e.g. ePerscribing, Labs, administrative transactions, etc.). What is encouraging is that these folks have "grokked" the lessons of historically successful standards development initiatives. Here is a gross oversimplification of these lessons:

• Keep the standards lightweight for widespread adoption
• Target the simple use cases first
• Implement early and often

Notice also in John's post he links to an online, government sponsored forum, for achieving widespread collaboration on this work. The is proof that the power behind enabling technologies is starting to permeate government led initiatives, which should be a cause for celebration. President Obama gets it and correctly sums this up in his mantra of: "we don't need big government or small government, what we need is smart government."

John also makes a subtle but important distinction when he states that privacy and security concerns clearly need to be addressed as standards are developed, concurrent with said development, but of the two having the correct privacy policy in place is the more important. Why is that? Let me attempt an answer to this premise. Security, although often non trivial to implement based on the technical complexity, is a problem that has already been solved in other industries, it is an engineering problem. We are good at solving engineering problems (e.g. insert "man on the moon" meme).

A privacy policy, however, is culturally and organizationally complex (i.e. a wicked problem) and historically we have not been so good at solving these kinds of problems. All the really tough problems facing us (and the planet) are wicked problems. We should collectively become more fluent in problem identification because if we don't understand the nature of the problem, we have little hope of solving it effectively or efficiently.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

The Health Care Blog: Is Healthcare IT Ready for its Big Coming Out Party?. It should go without saying, but I will say it anyway, because each industry seems to learn these lessons in their own unique way, that HIT implementations are by definition wicked problems. Whether a covered entity ("CE") goes with the market leader is no guarantee of success. We will be reading much more about EHR disasters in the coming months and years as the health care industry becomes the latest casualty of the people, process and platform conundrum.

Succinctly stated, HIT/EHR implementations are wicked problems to a large degree because people and process issues are ignored while providers focus on technology. All three components are mission critical and clearly, given the complexity, even the platform (read technology) component is "totally non trivial" to get right. So what is the solution? There are NO cookbook solutions, that is part of the definition of a wicked problem. Expect to be confronted with significant "unexpected challenges" and be prepared to iterate your way through them; in short, the best advice is to fail forward fast.

As counter intuitive as fail forward fast may seem (i.e. even more so in the heath care industry where anything that smacks of failure is anathema), this is right prescription but will almost universally not be followed. Why? Because as a society we appear to be hell bent on using engineering methodologies even in cases where agile methodologies are clearly called for. The latter has "failure cycles" built-in while the former is obsessed with getting the right answer.

There is no right answer. The answer will be different for every CE by definition. Add to this mix a completely transformed legal regulatory landscape and the challenges ahead appear daunting to say the least. If you want a fighting chance to succeed then you must start with accepting the premise that your organization must first change the way it thinks about the problem. This is no small feat.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Medicaid Payer Gives Breach Notification. By all accounts it looks like CalOptima, a Medicaid managed care plan serving 360,000 recipients in Orange County, Calif., quickly responded to this PHI breach. It notified the appropriate authorities and is in the process of notifying individuals as per the requirements of HITECH Section 13402.

It also appears likely that CalOptima had a breach notification plan in place, given the speed by which it is moving forward to comply with the regulations. Our basic philosophy is that a covered entity ("CE") should assume that a breach of PHI will occur and develop the necessary plan and response templates that will allow it to expedite, and correctly execute, the breach notification requirements of the HITECH Act.

Check out a FREE EHR Checklist. For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

DBLG Announces Release 2.0 of The HITECH/HIPAA Survival Guide and a HITECH Risk Management Webinar Series. We are happy to announce Release 2.0 of the HITECH/HIPAA Survival Guide (see link) and a HITECH Risk Management Webinar Series starting in January 2010 (final date TBD). The Webinar Series will focus on developing a set of HITECH/HIPAA compliance frameworks:

• HITECH Act Fundamentals (basic tenets of the new compliance regime)
• Organizational (training and process change organization wide)
• Breach Notification (Response teams and response templates)
• Internal Audits (substance and frequency)
• Legal (business associate contracts, compliance tools, input into all other frameworks)
• Attacking the HIPAA Privacy and Security Rules (coverage, budgets, staff skills)

Check out a FREE EHR Checklist. DBLG will be introducing these frameworks in our FREE HITECH/HIPAA Compliance Newsletter with full coverage continued in the Webinars. The HITECH Act has introduced a furious pace of change into the health care industry and annual conferences no longer suffice as the sole primary tools for tracking industry wide game changing events.

The Health Care Blog: JSK (national treasure) on data liquidity, and how it fits into Health 2.0. There are lots of "buzz words" now being thrown about in the healthcare space purporting to give solutions to "age old" information technology problems that other industries have struggled with for years, with some progress, and much pain, as a result of unintended consequences. HIT, although starting to open up to input from "outsiders," still appears to live mostly in its own isolated universe. So when you hear words/phrases like "data liquidity" and "substitutability" be sure that you do not "willy nilly" drink to much of this "kool aide."

For example, "substitutability" is a nice word and certainly monolithic EHR apps that want to "be everything to everybody" leave lots to be desired. The problem is that when you have too much interchange of moving parts then when something goes wrong (which it always does) then who owns the problem? This is where all the "finger pointing" starts between the vendors and the customer is always left holding the bag, usually having to "prove" to a particular vendor that the problem lies with them.

In addition, since nearly all "substitute vendors" will almost by definition be business associates, this expands the legal requirements placed upon the covered entity (CE). The more business associates (BA) the more BA contracts that are required, and with BAs now civilly and criminally liable under HITECH/HIPAA, CEs should expect these contractual negotiations to be significantly more than simply having BAs "signoff" on boilerplate agreements. 

The devil will be in striking the appropriate balance between the "number of cooks" in the software kitchen and the additional complexity that results because of it. There are simply no easy answers to health care's wicked problem.

Check out a FREE EHR Checklist. If you would like more information regarding this changing landscape, sign up for our FREE HITECH/HIPAA Compliance Newsletter. The archived copies of our monthly newsletter are available without a subscription.