Dr. Anita Karcz, the chief medical officer of Health Metrics summed it up during the Meaningful Use symposium, which preceded the 50th annual HIMSS meeting in Orlando Florida this week. In addition to being unnecessarily complex, the information about Meaningful Use has been found to be incomplete, inconsistent and, the most frustrating of all, still undergoing clarifications.
Despite these issues with the regulations, she also mentioned that 81 percent of all hospitals and 41 percent of all eligible practitioners are planning to demonstrate their meaningful use of EHR’s over the next two years, which means that the majority of the US healthcare providers are serious about raking in the grant bonuses, which could mean millions of dollars for hospitals and almost $50,000 for physicians.
In order to qualify for the benefits as defined by the HITECH act, institutions are required to register their EHRs and show that it has a certified EHR. As Judy Murphy, RN, who was part of the certification panel, pointed out, there are also issues to be addressed with regard to the certification of EHR modules. She says it is very possible that an institution has an EMR that has been certified but that the hospital has only some of the EMR modules. In addition, it also possible that one or more of the EMR modules have been developed in-house, and the registration of modules is currently not possible; it is all or nothing. This problem is currently being addressed, and serves as an example of the ongoing clarifications. Any in-house modules will still have to be certified by the provider, a non-trivial task that also requires a certification fee, which is at least US $6,000.
The security and privacy requirements are also not quite clear. First of all the enhanced HIPAA 2.0 regulations are still in the proposal stage, and will have a major impact once finalized on Business Associates (BA’s), i.e. all professionals and organizations that have access to Protected Health Information (PHI) in an institution, and who do not work for that provider. Subcontractors of these BA’s were previously not addressed, but will almost certainly be impacted by the regulation. Another, somewhat troublesome twist in the proposal is that the Covered Entity or CE is directly responsible for the behavior of its BA’s and actually can get fined when there is a privacy or security violation.
A difficult area to address is how to deal with privacy breaches. These breaches, if it concerns more than 500 people, will have to be publicly reported in addition to obviously notifying the party who was subject to the breach. For individual or small-scale breaches, a committee of legal and privacy representatives will determine the course of action. It is important to consider how the breach occurred, was it a theft, did someone loose the information, was it misfiled, or was it shredded and/or thrown in the trash by accident? In the latter case, the risk that someone finds this information in case it was shredded, re-cycled and/or compacted at a dump, is relatively small.
Another occurrence that happens frequently is that a patient is given a folder with the incorrect cover sheet, i.e. that belongs to another patient, in which case the breach is of very minor concern and might not need reporting. If a breach occurred, it is considered a good policy that the provider offers a one year monitoring of the affected party’s credit report and watch for identity theft, something that can be outsourced to specialty security firms.
One of the requirements in the Meaningful Use regulation is the exchange of information with a patient in electronic form. Mrs. Nadia Fahim-Koster, who is the Director of Information Security for Piedmont, an Atlanta based provider group, spoke on this topic. She noted that this is already common practice for imaging as most providers supply a CD or DVD to a patient with their images. However, this information has to be expanded with all other relevant clinical information such as lab reports and other diagnostic test information. Fahim-Koster suggested that the electronic media should be encrypted. I personally would argue that this seems to be overkill as once in the hands of the patient it is his or her responsibility to safeguard this information. By way of contrast, if a physician loses his or her PDA that has stored confidential patient information, which commonly happens, then a good measure to prevent the information from being compromised is to make sure it is stored on these devices in a properly encrypted format.
Another tricky area of concern is the increase in social media. A department might have its own facebook page and it could very well happen that a nurse or other employee could comment on the status of a patient. If this is done, for example, to report on the status of a new-born, whose father or close relative in serving overseas, this might actually be a great marketing and promotion opportunity, however, there is a fine line between what a relative and professional provider can report.
The Meaningful Use symposium brought to the forefront many issues that need to be addressed. However, based on the feedback from the attendees and also from the percentages of providers that are planning to implement certified EMR’s, it is obvious that the healthcare map is going to change dramatically. It is expected that the promise of bringing down the high cost of healthcare in the USA resulting from electronic records will finally start to pay off in improvements in efficiency, and more importantly quality of care. Hopefully by this time next year, there will be positive reports that show that this was worth the effort.
Herman Oosterwijk, CTO OTech Media, live from the HIMSS meeting in Orlando