Mayo Clinic is the latest to offer a free, secure, online website for anyone to store and organize medical information. Such sites are designed to replace the proverbial shoebox of medical documents kept at home. Unlike some of its competitors, Mayo Clinic Health Manager will offer more than a place to organize medical data. It will also push out customized information, such as reminders for checkups.
The physician in charge of the federal government's push to move healthcare to electronic records from paper files faces "huge challenges" as he starts his new job in Washington. That phrase comes from a paper David Blumenthal himself published recently in the New England Journal of Medicine. He cited low adoption rates, high costs, technical complexities, and physician and patient concerns about privacy.
Few nursing homes are using electronic health records that allow them to share information with other healthcare providers—a standard known in the technology world as "interoperability." But more nursing homes could begin using more interoperable EHRs soon, thanks to incentives provided by the American Recovery and Reinvestment Act (ARRA) and a push to certify long-term care health IT products.
The Certification Commission for Healthcare Information Technology (CCHIT) announced last Thursday that it aims to begin certifying long-term care Health IT products by July 2010.
CCHIT has created a volunteer task force full of industry players representing skilled nursing facilities, assisted living, home care, and hospice services, according to the CCHIT. The task force will advise a CCHIT work group creating the Long Term Care Spectrum certification.
Although certification is voluntary, the marketplace is starting to request it, said John Morrissey, communications director for CCHIT.
A certification would ensure buyers that certified long-term care HIT products would work seamlessly with other certified HIT products, said Majd Alwan, PhD, director for the Center for Aging Services and Technologies (CAST).
The ARRA is putting a lot of emphasis on standards-based interoperable health IT to guarantee every American has a health record that is portable or can allow the exchange of information, Alwan said. The certification is an indication that the investment in this product is somewhat protected and the system will not become obsolete because it is not compliant with national standards for interoperability, he said.
Achieving interoperability in HIT products is especially important in long-term care because the sector serves seniors who often have multiple chronic conditions and multiple care providers, such as physicians and pharmacists, Alwan said.
The population also tends to move across the several care settings. For example, if a senior who falls suffers from a broken hip, he or she may move from a hospital to a skilled nursing facility for rehab before transitioning to an assisted living facility within in relatively short period of time, Alwan said.
Also, sharing electronic records may be useful because seniors in long-term care facilities may have a primary care physicians or geriatricians who work outside of their facilities.
"The benefits of interoperable HIT across settings would be maximized in this segment," Alwan said.
The long-term care industry has adopted electronic records at a rate that is comparable, if not higher, than acute care and private physician practices, he said. However, many nursing homes are not using fully integrated or interoperable electronic records, he said.
"This implies the long-term care sector is not only ready for this, but stands in a position where it could leap-frog other sectors" in adopting electronic records, Alwan said.
The Colon Health Center of Delaware has been selling an alternative to one of medicine's most unloved procedures: the colonoscopy. Rather than insert several feet of tubing into patients' lower intestines, clinicians slide patients into a computed tomography imaging machine that can quickly scan the abdomen for signs of cancer. Today, however, this procedure is the subject of a heated debate in Washington pitting powerful sectors of the healthcare industry against a government desperate to contain healthcare spending. The fight over virtual colonoscopy has also become a prime example of how hard it can be to ensure that healthcare dollars are spent efficiently, a key goal of the Obama administration.
We know you have plenty of spare time as you lead your hospital through an economic recession where the uninsured knock on your door and the insured don't answer the door when you come knocking for payment.
In your search, you will find 13 references, all under the Health Information Technology for Clinical and Economic Health (HITECH) Act, or Title XIII. Each one affects your HIPAA Security Rule compliance program in light of the new laws.
The problem?
No one knows what that means, exactly—at least not at this moment.
Congress gave the Department of Health & Human Services (HHS) 60 days from the February 17 signing of the Act–or Friday, April 17–to define "unsecured protected health information." So far, there has not been an announcement. If no definition is released, it goes to a default–one that includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST).
So how do you prepare now without that key definition? After all, the HITECH Act calls for strict notification requirements, all of which hinge upon breaches of "unsecured protected health information." The new requirements include:
Notification of all individuals whose unsecured PHI may have been disclosed or accessed
60-day window to notify those patients
Requirement to explain why you had to use the full 60 days to notify
Notification of prominent media outlets when breaches of unsecured PHI include 500 patient records or more
Immediate notification of the secretary of HHS on breaches of at least 500 patients
So, you can kind of see why this definition is important. Or is it? Should you be watching ever so closely for a definition?
"Don't hold your breath," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Borten thinks the definition will matter, but she does not see it including any earth-shattering content that strays too far from what's already out there.
For instance, the Security Rule of 2003 already establishes encryption as a necessity for PHI flowing over the Internet and open networks. That encryption mandate goes back to the 1998 proposed Security Rule, Borten says. And the Healthcare Financing Administration came out with an Internet Security Policy in 1998.
"We've known we need to encrypt confidential data over the Internet for over a decade," Borten says.
Further, when you've got a federal department with no permanent leader–President Barack Obama nominated Kathleen Sebelius as the new secretary of HHS, but she has not been confirmed–how much can you do anyway?
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says organizations have come a long way encrypting data already.
"We've come so far along making sure we've got under the Security Act everything protected, encrypted, and how to have a secure firewall, a hacker-proofed system and all of that," she says.
Organizations that have encrypted data are in good shape.
However, as Johnnie Cochrane might say, if you don't encrypt, you must equip. Look for any potential unsecured PHI and evaluate the need for encryption.
"It's free," Borten says. "We pay for it with our tax dollars. The resource is fabulous."
For the record, the general default definition of unsecured PHI in the HITECH Act is: "Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute."
When can they change the default definition? That's unclear now. Ultimately, things may not change a whole lot.
"As long as you're buying products that use known algorithms, you really should be fine," Borten says. "I don't think HHS or Congress expect organizations to throw out what they've done so far."
JPS Health Network administrators say several patient safety issues could be addressed if the Texas-based, taxpayer-supported hospital district does away with handwritten records and combines its paper files and various computer systems under one electronic medical record system. But the estimated cost of the project is $150 million, about one and a half times the cost of building the 108-bed pavilion that opened last year. JPS board members are expected to vote soon on a strategic plan to overhaul medical records.