In other words, if we want "interoperability" between EHRs (which we do; otherwise what is the point?) then all of these products will have to talk the same language. That language is likely to be the HL7 XML messaging standards. Evidently, the ISO has just blessed HL7 2.5 as an international standard:
Ann Arbor, Michigan, USA – September 21, 2009 – Health Level Seven® (HL7®), the global authority for interoperability and standards in healthcare information technology with members in 57 countries, today announced its Version 2.5 messaging standard has been approved as an international standard by the International Organization for Standardization (ISO).
HL7 Version 2.5 allows interoperability between electronic health record systems, practice management systems, laboratory IT systems, dietary, pharmacy and billing systems. It serves as a vehicle for disparate healthcare IT systems, applications and data architectures operating in diverse-system environments to communicate with each other. It is designed to support a central patient care system, as well as a more distributed environment where data resides in departmental systems.
This is a much bigger deal than most in the healthcare industry are aware of. The pieces of this puzzle are coming together and they have nothing to do with "healthcare reform" and everything to do with the HITECH Act that was signed into law in February 2009. It is already a done deal. All this brouhaha over healthcare reform, while important in its own right, does not change the HITECH Act in the slightest.
For HL7 to function as the "lingua franca" of EHR communications, it will have to support the privacy and security standards mandated by HITECH (e.g. encryption as recently addressed in HHS' Interim Final Rule on Breach Notification). There is a freight train coming and headed directly toward the healthcare industry, and nothing is in its way to slow it down. It's a trojan horse that is already inside the city walls.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH / HIPAA experience?
This podcast that we did in collaboration with the World Health Care Congress covers, among other things, a number of organizational frameworks required to effectively cope with your EHR/HITECH/HIPAA implementation initiatives. Notice that we are using the plural form of initiative. There is simply no way that one monolithic project will ever be successful. In fact, that is the most likely recipe for failure (see the September Issue of HITECH/HIPAA Compliance Newsletter for reasons why the healthcare industry must adopt agile methodologies).
This is an article that Esther Dyson wrote a couple of years ago (September 2007) after attending a Health 2.0 conference. A lot has changed since then, but many things will take time (lots), innovation (good 'ole American ingenuity), and a significant amount of hard work by smart and dedicated people, before we can claim anything like progress. Here's the money quote from the article:
In the same way, the companies here are empowering consumers (or patients) giving them the tools to talk to one another, to question their doctors, to monitor their own conditions... But they can't simply dissolve a hairball, as someone described the health care system earlier in the day. They need to take on the calcified mess at the bottom of the drain - or to be more anatomical about it, they are clearing the capillaries and buffing the nerve endings, but at the center of everything there's a calcified heart pumping blood/information/money in the wrong direction through a tangled mass of arteries that misdirects resources to tumors and useless vestigial organs.
The hairball is being dissolved as we speak. We will get health reform in the U.S. because some of our best and brightest are working on the problem, and they're not in it just for the money. These are people that want to see an improved healthcare system in the U.S., because if we don't get one we are all going to die a death of a thousand cuts. At 16% of GDP, healthcare costs are out of control and U.S. healthcare quality lags, in general, the rest of the developed world.
It is a matter of economic survival in a world economy wherein a sick America won't otherwise be able to compete. It is the right thing to do as well. It is a legacy that we owe our children and grandchildren. It is as basic as the First Amendment, the right to vote, and equal protection under the law. Our healthcare system, as it exists today, is un-American, a relic of days long past. It is time for people of good conscience, across the political spectrum, to stand up and be counted.
Electronic health records are a step in the right direction. Health 2.0 depends, to a large degree, on moving our healthcare system to the twenty-first century. But that won't be enough; the industry is going to need lots of help if the vision is to be realized. Giving those on the front lines some relief from absurdly priced malpractice insurance is also a must-have requirement. We are collectively asking a lot of our providers; we should be prepared to give them something of significance in return.
What is globalization? Is it the integration of economic, political, and cultural systems across the globe? Or is it Americanization and United States dominance of world affairs? Is globalization a force for economic growth, prosperity, and democratic freedom? Or is it a force for environmental devastation, exploitation of the developing world, and suppression of human rights?
While these questions attempt to get at what passes for conventional wisdom regarding globalization, they all miss the mark. In a world where news travels at the speed of light, you can (and should) expect anything said (or done) in public to be instantly available as front page news (i.e. depending on its relevancy at a particular point in time) everywhere and anywhere. This is a lesson recently learned by a Honduran diplomat, by Yukio Hatoyama, by George Allen, and by countless others.
What does this mean to the healthcare industry as it undergoes transformational reform and nothing short of an electronic revolution? Well, for one thing it should be a wake-up call to healthcare executives that privacy and security breaches are likely to make national (and likely international) news. These issues pose radically different regulatory governance issues, and most of the "pain" will come from the ensuing public relations disaster and not from the potentially millions of dollars in fines for non-compliance.
This is not your daddy's healthcare industry! Living in Internet time means that we already left Kansas a couple of lifetimes ago.
Providers of medical transcription services have long been recognized as HIPAA "business associates (BAs)," but since HIPAA was more or less a paper tiger, these businesses were free to do what most covered entities did: simply not treat the statute/regulations with a degree of seriousness (or in some cases, except for the bare minimum requirements, simply ignore the statute altogether).
The HITECH Act changes all that. BAs are now "on the hook" for both civil and criminal penalties with respect to HIPAA non-compliance. Medical transcription businesses need to review their BA contracts with their clients and better understand their potential liability under the Act. This post by Raj of the MT Herald provides an excellent foundational summary of what medical transcription businesses should be thinking about.
In short, the HITECH Act's scope is expansive and the extent of its reach is yet to be defined, but one thing is certain, the number of business associates potentially impacted is just starting to surface.
There is good news and bad news with respect to the TS. The good news is that many (but not all) of the requirements encompassed by the TS will be implemented using commercial-off-the-shelf (COTS) software and hardware. The bad news is that these requirements are highly technical and therefore a fair amount of time is required just to understand what it is you are being asked to do. If you are still reading this post then the other bad news is that you are likely the one that has been charged with making it happen. Read on, this post was written with you in mind.
One way to think about the difference between the TS and the AS is that the latter has to do with the "what" and the former with the "how." There is still an analytical process to go through when implementing the TS but in addition to that, you are actually "doing the stuff" required to ensure that ePHI is protected from a technical perspective. That said, do not be surprised if there appears to be some overlap between the AS and the TS; there are a few bright lines mixed in with varying shades of gray.
An organization might be tempted (most will be tempted) to simply turn the SR implementation over to IT staff. The CIO may even feel like implementation of the SR can be turned over to a technical manager. Resist the temptation to do this. How the SR is implemented could make the difference between having to notify HHS, the media, and all individual patients impacted during a breach, or simply doing a "post mortem" as to why the breach occurred.
Remember that section 13402 of the HITECH Act only requires notification in the case of breach with respect to unsecured PHI. If the PHI has been secured as per recent HHS guidance (see HHS' Interim Final Rule on Breach Notification) then no notification is required because the information breached would be "unreadable, unusable or indecipherable."
HIPAA compliance is now a boardroom issue. Both strategic and tactical decisions must be made during the SR implementation cycle. I would not want to be the chief compliance officer (CPO) or general counsel that elected to take a simplistic approach and now has to explain to the CEO why the organization has a public relations disaster on its hands.
The Technical Safeguards
The approach taken to discuss the TS borrows heavily from the following NIST document: Implementing the HIPAA Security Rule, which demonstrates that "we're from the government and we're here to help" may not be such an oxymoron after all. A number of government agencies are required to comply with HIPAA and NIST's objective in this document was to assist them in this process.
As mentioned in the September issue of the HITECH/HIPAA Compliance Newsletter there are numerous high quality resources available on the Internet that should be leveraged. In many cases the wheel has already been invented; what is left to do is to put the pieces of the puzzle together in a manner that works for your organization.
There are five standards that make up the TS. They are contained in section 164.312. The standards are presented and then a link is provided where additional information regarding the respective standard can be found. The objective here is to provide additional commentary and "visualization" without losing sight of the forest for the trees.
1. Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
2. Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
4. Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
5. Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
If you would like to get a feel for the complexity and the level of rigor required to implement these standards then I would encourage all readers (i.e. especially if you happen to be a "CXO") to click "Read More..." on each individual standard.
Remember that the TS is just a subset of the SR, and not the largest one at that. In short, I just wanted to take another opportunity to highlight the point (as if I haven't beat this horse to death) that this is NOT the old HIPAA you have come to know and love. This is a brand new ball game with different umpires and different rules of engagement.
If you haven't already, sign up for the FREE HITECH / HIPAA Newsletter to receive a discount code for the conference. Hope to see you there!
For information visit the HITECH/HIPAA Survival Guide where the full text of the HITECH Act and HIPAA Regulations is now available.
Our topic is Meaningful Use Under HITECH: Why HIPAA is No Longer a Paper Tiger, scheduled November 9, 2009 - 4:15 to 5:30 pm.
We will cover:
The convergence between policy, law and technology: Breaking down the silos and painting a holistic picture for adherence and compliance
Starting with regulations, ending with practical guidance: How your compliance strategy and EHR strategy can (and should!) move forward together
Moving ahead by working smarter: Methodologies and practical guidelines for best practices in compliance and HIT adoption under HITECH's meaningful use definition
Determining organizational requirements for meaningful use and reporting requirements to CMS and other governing bodies for ensured compliance
Technology assessment and business impact: How will EHR adoption impact business processes, workflow and healthcare professionals with respect to the delivery of care?
It may have been (and it was) the wild, wild west on these "Internets" for the last 15 years but it looks like Wyatt Earp and the boys are "fixin" to try and clean it up. As an Internet Lawyer, there is almost not a day that goes by where I don't get contacted by a business or consumer that got scammed on the Internet. In many instances there is simply nothing that can be done about it because the cost of pursuing the action far outweighs the amount of the transaction.
This change in regulatory enforcement does correspond to a new party in power, but it is a much bigger issue than that. The truth is that, like the world financial system, the global communications infrastructure represented by the Internet is far too important to global business for the status quo to remain unchallenged.
The rule of law, and the order imposed because of it, is good for the global business community. The "industrialized world" (this term seems rather quaint now in the communications age) and powerful corporations all stand to benefit from additional regulation.
HIPAA is No Longer a Paper Tiger!
Simply put, big business will make more money in an orderly environment than in one that is chaotic. This change in regulatory enforcement will have a huge impact on the healthcare industry as it moves to electronic records. The HITECH Act transforms HIPAA from a paper tiger into an electronic beast.
This is not your daddy's healthcare industry any more. Most of the country is obsessed with the healthcare reform debate and has not snapped to the fact that the change in the regulatory regime is already law. It became law the moment President Obama signed ARRA in February 2009. The freight train is coming and there is nothing in its way.