Micky Tripathi gets into details about sharing patient records, clarifies April 5 and December 2022 compliance rules, and more.
The information blocking rule that took effect April 5 promises to usher in a new era of free-flowing electronic medical record information, under the direction of patients and their physicians.
In Part 1 of this interview with Micky Tripathi, PhD, MPP, who since January has headed the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC), Tripathi discussed the challenges hospitals and health systems face in interoperability and telehealth. Part 2 delves deeper into the April 5 rule. This interview has been lightly edited for space and clarity.
HL: How can patients achieve the ability to have a longitudinal health record, regardless of provider? This question is spawned by the April 5 rule. Say a patient used the Apple Health app, and they switch providers. Instead of their medical record being in Epic, now it's in Cerner. How will their next doctor be able to see what was in Epic, through the way that the patient carried it with them on Apple Health?
Tripathi: There are actually two pathways that a patient ought to be concerned about. You described one, which is to say that the patient is the conduit of the information. Implicit in what you just described was that I go to Mass General Hospital, they're on Epic. I download my record. Then tomorrow, I go to Baystate, [Health] in Massachusetts. They're on Cerner. And I want to be able to show that record to the next place.
The information blocking rule requires that by December 2022, that those APIs, those interfaces that allow you to access it via the Apple Health record, for example—there are there are other applications out there, but just as an example—be standardized. So that regardless of whether you're using your iPhone, or using an Android system on your end, or the provider is on eClinicalWorks, or Epic, or Cerner, or whatever it is, you should be able to get that from one provider to the other provider. It all ought to be able to be sort of integrated and available on your phone.
The other pathway, which is also an equally important one that's usually invisible to the patient (often the patient thinks it's happening when it's actually not), is the interoperability provider-to-provider. In some ways, and it is a personal decision, I actually don't want to be the one responsible for bringing that information to the next provider. I want them to exchange it. That's what you're supposed to be doing! I just want to make sure that when I show up, you've got access to it.
It's those interoperability networks that also were enhanced by [the] information blocking [rule]. So information blocking also applies to [the exchange of information between providers]. That's the other thing that patients ought to expect and demand and ought to ask their providers, "Why aren't you getting that information electronically from the other provider? You should have been getting that. I shouldn't be the one who has to do that."
Micky Tripathi, PhD, MPP, National Coordinator for Health Information Technology (Photo Courtesy of ONC)
HL: Can you clarify which part of the rule is effective immediately, as opposed to the 2022 date you mentioned?
Tripathi: The rule says that starting on April 5, you are required to make that information available via a variety of means that you already have available to you. In certified EHR systems, they are required to make information available as a CCD—a continuity of care document. Starting in December 2022, they're required to make it available via a FHIR API, which would make it very easy for you to download it into an app.
HL: Some are saying the April 5 information blocking rule covers all data created on and after April 5, but not necessarily before April 5. Please help us clear this up.
Tripathi: That is not true. It applies to all records, regardless of when they were generated. There's an FAQ on our site that specifically asks and answers that question.
HL: Should providers focus on all methods in which people want the data, via a FHIR message, CCD, or Direct? Smaller practices say they can't afford to do all those different things. Does that leave them in the lurch? Does it create a situation where they're more inclined to sell the practice and further consolidate the healthcare industry?
Tripathi: I don't think so. HIPAA has always said that you're required to provide the information, the records of the patient, in the mechanism that the patient chooses. But that's always had the constraints of what's practical, and what you have available to you. EHR certified systems today require that you make data available via an API. It doesn't have to be a FHIR API. It can be any API, but you have to openly publish the specification as an EHR vendor that's certified.
[In addition], it has to contain the same data elements, regardless of what API you use, which is the USCDI version one. So that's already a requirement for you to be able to get your information that way, or you can download the information. There's always been the view/download/transmit side of it as well. From a patient portal, I can download it off the computer into a web browser, for example, and then be able to get it that way as well. But with the information blocking rule, they are required to make it available via standard-based API.
HL: What's your next big challenge? Such as proof of vaccination, or other challenges?
Tripathi: For us. there are two big goals. One is concrete, and one is a little bit more conceptual or strategic in nature. The first one is getting people past thinking about information blocking as purely compliance or as only compliance—having them think about it more in a strategic way, which is, how do I engage patients, now that I have this information available, and they have these cool apps now on their hands? That means that I have an opportunity to engage patients in ways that I was never able to do before. And so rather than thinking of it as, "I've got to provide this thing, so that a patient can get their information," it's like, "Yeah, the patient now has the information in a way that you can actually do something with it."
You can engage the patient in much better ways. You can create stickiness. You can offer them a whole bunch of other things that you weren't able to able to offer them before. That is a big goal, because it takes a lot to get people to move beyond thinking about something just in regulatory terms, and think about a real strategic change, which is what this really implies, almost a cultural change in the way they think about information sharing.
The more concrete thing is also a big goal, which is TEFCA, the Trusted Exchange Framework and Cooperative Agreement, which is about creating some type of nationwide governance for network-to-network interoperability. We have networks out there—Carequality, CommonWell, eHealth Exchange. There are a number of state and regional HIEs (health information exchanges). They're sort of connected. They're not fully connected, all the way.
[It's analogous to] a world where you're on Verizon, I'm on AT&T, [and] we can't call each other. TEFCA wants to say, regardless of which network you're on, you should be able to communicate with someone else, and not have the user know that at all. I have no idea what phone system you use, [but] I'm very confident that if I had your phone number, I could call you. So that's what we want to be able to do with TEFCA, and that takes some work. That's governance. That's technical architecture. And that's working with a whole bunch of different parties who operate different networks at different levels, to be able to get a common understanding of how that works, and then actually get the technical pieces in place to make it work.
HL: The April 5 rule enforcement is going to be up to the HHS Office of Inspector General (OIG). That's really not your wheelhouse, right?
Tripathi: So you're expecting a yes or a no answer. It's a balance [and] complicated. We're responsible for policy, and OIG is responsible for the enforcement. There's one little piece where ONC actually is responsible for the enforcement, and that has to do with a technology vendor who is seen to be violating a condition of certification of their EHR system, because we're the ones who do certification of EHR systems. So a technology vendor could be seen as violating their condition of certification, in which case it would fall to us, because that's what we do. They could also be seen to be violating other provisions of information blocking, in which case, OIG would get involved in those cases as well.
ONC head Micky Tripathi urges swift adoption of federal regulations.
Micky Tripathi, PhD, MPP, who holds a master's degree in public policy from Harvard University, took the reins of the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) on the first day of the Biden administration in January.
Tripathi is no stranger to the thorny issues at the heart of healthcare IT, such as medical record interoperability, standards, and certifying electronic health record software. His previous 20 years of work in the field let him hit the ground running. He most recently worked as chief alliance officer for population health management technology company Arcadia, previously served as president and CEO of the Massachusetts eHealth Collaborative, and has been on the board of directors of the HL7 FHIR Foundation, CommonWell Health Alliance, and The Sequoia Project.
Tripathi recently granted an interview to HealthLeaders. Following are excerpts from the discussion, lightly edited for space and clarity. Part 2 of this interview takes a deep dive into the April 5 ONC information blocking rule.
HealthLeaders: With the new administration, what are the most significant health technology policy changes that could affect hospitals and health systems? And how can leaders prepare for them?
Micky Tripathi: I don't know that there are many changes per se. I think it's more just about things that have been in the pipeline, and that are now being enacted. We're trying to encourage as speedy enactment as possible, within the regulatory structure we have. So if you think about things like information blocking, for example, and the 21st Century Cures Act, with TEFCA(Trusted Exchange Framework and Common Agreement), those were passed and signed by President [Barack] Obama and Vice President [Joe] Biden in December 2016, and the previous administration spent time working on implementation of that law that was signed by President Obama.
Now we're putting into effect and trying to do everything we can to accelerate it, because it's proceeded a little bit too slowly from my perspective. So now, of course, there are timelines already built into regulations, so it's not as if we changed those. But I'm doing everything I can to try to evangelize with the industry that they should be moving ahead of the actual regulatory timelines, to the extent that they can.
Micky Tripathi, PhD, MPP, National Coordinator for Health Information Technology (Photo Courtesy of ONC)
HL: With the rise of telehealth, especially in the last year, what role will ONC play to ensure that the barriers that have been lifted will be permanently changed, so patients can access their doctors this way going forward?
Tripathi: ONC doesn't directly play a role there. The reason, and this is sort of a subtle point in the health IT regulatory space, is that ONC is really an enabler of other agencies who have business needs. We don't go out and just certify systems on our own. Telehealth would be a great example. ONC doesn't really have the authority, nor would we just go out and say, "Oh there's a set of technologies that we think need standardization, so let's go and start certifying those, or start making those more standards-based."
We would follow an agency like CMS (Centers for Medicare & Medicaid Services), should they make a decision, for example, that they are going to keep the payments that they started to allow during COVID. That's when ONC would come into play and say, "Okay, now we support CMS, who's the business owner in creating a set of standards that then get put into rules." Maybe that turns into certifications as well, and we go down that path.
HL: What key technology challenges are hospitals and health systems facing related to telehealth, and how will ONC help?
Tripathi: I suspect that the key issues that they're facing are workflow and integration challenges, which is to say that no one wants to be in two different systems. A patient may or may not care. If you're on the patient side, you get a link, and you just click the link. You don't know that it's within the provider's EHR system, or whether it's a different system, as long as that physician is on the other end when you click the link, that's all you really care about.
But from the provider side, what they want is the ability to, for example, be able to document in the medical record when they're having this encounter with you, and not be flipping back and forth, essentially. They'd like for it to be recorded as an actual encounter in the EHR. If you think about how that might work a year from now, you come and you say, we had a video visit a year ago. Unless that was integrated in their system, they literally would have had to type in, "video visit," and create an encounter that's like a video visit, and then you have to go through all of that. If it's integrated into your system, you just click "video visit." It automatically knows what's going on and puts in that information, and then allows you to document the medical record as you would normally. And then it's all integrated, just like a telephone encounter for like a regular encounter. So it's mostly those workflow issues, I suspect.
Also from a [privacy] perspective, always wanting to know that it meets the HIPAA security rule. There was a temporary suspension during the public health emergency, so that people could use regular commercial solutions, like FaceTime and others, but if this goes forward, I think there will be a question of [whether there] are there standards or [other] things that are necessary. If this goes forward as something that's more enduring, and the public health emergency is lifted, we may go back to say, "Well, those solutions do need to meet the HIPAA security rule, which will be an OCR (Office for Civil Rights) and CMS decision." Then again, ONC might come into play at that point to say, "How would one determine that?"
HL: How can the patient ID problem be solved once and for all? Patient matching efforts seem endless.
Tripathi: Oy vey. The patient ID question is a really interesting one. As we know, the Congress has, since 1996, prevented the use of federal dollars for a universal patient identifier that was identified in the original HIPAA law. And there seems to be possible movement in the Congress, perhaps toward getting rid of that ban, but that ban is in place. I think we can, at least for now, say that is not going to be something that comes from the federal government. But it doesn't prevent a voluntary identifier, for example, being used in the market, if it got wide adoption. It doesn't prevent or ban a universal identifier that's provided by the private sector, What it bans is federal money being used toward a universal identifier. So that could be one pathway to getting to one.
There are a couple of companies out there that already claim that they have a unique identifier for every individual in the country already, because they do clearinghouse functions, or they do credit history kind of data. They're already making that claim. So there are some kinds of solutions out there right now. They're not widely adopted for perhaps a variety of reasons.
One of the things that we need to understand is that a universal identifier, even if it got magically created tomorrow—because we've now had to spend, since 1996, all of those years developing other ways to do patient matching—it isn't as if that would be a magic wand that solves all matching problems. If you're a hospital system, for example, you've already invested in technology and processes to do that matching. And now, if you think about that, I might use seven, eight different data categories to match [a patient]. I would use your first name, your last name, your middle name, your address, your birthdate, and maybe your cell phone number. So I've already got a technology that kind of does that, and it does it pretty well. It doesn't do it perfectly. It does it pretty well. I've invested as much as I think makes sense.
Now the universal identifier comes along. The first thing that happens across the industry is that everyone has to spend more money to incorporate that universal identifier in their system. So every vendor system now has to incorporate it.It all has to be promulgated, and they have to adjust their processes now to accommodate that universal identifier. Then the question is, "How much does that cost the industry? And where are we going to start to see the benefits?" That's why I think that's a little bit of a challenge as well. That's not a magic overnight solution to patient matching problems, and we still could face adoption problems, even if one magically appeared. That doesn't mean that it wouldn't be helpful. I think it would absolutely be helpful. But there are challenges because we've had to come up with other ways of doing it. Those other ways are not perfect, but are adequate solutions, in many cases, as imperfect as they are.
Nearly half of providers and payers surveyed had not made any changes as of April 5 effectiveness date.
A recent survey casts a pall over the April 5 enforcement phase of the U.S. Department of Health and Human Services (HHS) information blocking rule.
Fully half of 4,000 healthcare leaders surveyed in March demonstrated a broad lack of awareness and readiness to comply with these rules, according to the survey's organizer, Life Image, a medical evidence network for clinical and imaging data.
The survey of clinical, technology, and administrative leaders concluded that many organizations fall short of basic standards for interoperability, and that the rule meant to change this has generated general confusion, according to Life Image.
The final rules aimed to facilitate electronic access, exchange, and use of health information, reinforcing basic principles embodied in HIPAA that patients own their health data. Despite the intention of the April 5 rule, up to half of those surveyed reported still sharing records via paper or compact discs, or charging fees for record access. These practices are defined by the HHS Office of the National Coordinator for Health Information Technology (ONC) as constituting information blocking.
While 70% of participants in the Life Image survey said they were aware of the rules going into effect, nearly half had not made any changes, or were not aware of ways to meet requirements of the rule. Nearly half were not aware of policies or practices that could be considered information blocking.
Of those surveyed, 39% did not know that information blocking practices could result in them being liable to civil penalties. Also, of those interviewed, 15% currently charge $25 or more for patients to acquire their own records.
“Our recent survey validates what Life Image has been witnessing across the healthcare ecosystem in terms of interoperability readiness," said Matthew A. Michela, president and CEO of Life Image. "While the COVID-19 pandemic created massive challenges and delayed many interoperability initiatives, it also underscored the paramount importance of the final ONC rules for advancing patient care and driving innovation."
According to HIPAA 45 CFR § 164.524, providers must give patients, upon request, access to their protected health information in the form and format of the individual’s choosing, including electronic format and via third-party application. In an effort to address continuing industry resistance and barriers to interoperability, the ONC in March 2020 released the Final Cures Act Rule, based upon language in the 21st Century Cures Act. The rule mandates that patients be given greater control and access to their health data, targeting vendors and technologies that block information access.
David Schoolcraft, partner and chair of the digital health group at law firm Ogden Murphy Wallace, sees this as a pivotal moment for healthcare’s digital transformation. “This landmark regulation is also a massive undertaking as many stakeholders are currently non-compliant and are struggling to navigate the regulatory complexities,” he said. “As ONC starts enforcement, organizations must prioritize deepening their knowledge of these mandates and implementing changes to adapt to the evolving landscape, or run the risk of incurring significant penalties.”
Life Image provides a digital platform streamlining rapid exchange of medical images and related data. In a statement, the company said its technology was in use by 90% of the top hospitals in the United States.
Care is morphing to mix of real and virtual, powered by cloud and consumer demands. The desktop phone may be fading.
New realities in the wake of the COVID-19 pandemic are reshaping healthcare IT in ways that affect leadership, employees, and patients, according to a panel of healthcare system executives convened virtually during the recent virtual CHIME21 Spring Forum, presented by the College of Healthcare Information Management Executives (CHIME).
Various changes include:
Moving to a hybrid of virtual and in-person meetings
Shifting to certain patient monitoring and visits at home instead of in hospitals or clinics
Consumerization of healthcare
Accelerating a move to and dependency on cloud-based platforms
Questioning the expense of traditional desktop phones
"As people are starting to go back into getting care, which is good, we're seeing virtual care numbers now going down," said Rasu Shrestha, MD, MBA, chief strategy and transformation officer and executive vice president at Atrium Health.
The approach Atrium has taken in response is not so much to hit the off switch on virtual care, but to launch what it calls its virtual edge initiative, where virtual and in-person care, as well as synchronous and asynchronous care, all play a role, Shrestha said.
"The continuum approach is what will make this not just an overnight success story, but sticky throughout the next decade or more," he said.
COVID-19 is a predominant reason for the acceleration of hospital-in-the-home technology efforts, said Jim Noga, vice president and chief information officer at Mass General Brigham. "It's looking favorable that [payers] are going to offer reimbursement that makes that possible," Noga said.
"It's better for the clinician, it's better for the patient, and it's better for the family," Noga said. "Being in an urban area, having a family member in the hospital, and the family having to drive in for an hour and a half and pay outrageous parking rates, basically wipes out their day. COVID was an opportunity to explore [patients in the home] more quickly. I think it's on every CIO's set of priorities that they need to address in the next six months to a year."
'It's All About Health Literacy'
Consumerization of healthcare is top of mind in the wake of the pandemic, according to Teresa Meadows, RN, senior vice president and chief information officer at Cook Children's Health Care System.
Care outside the walls of the hospital and office environment is "what our patients want," Meadows said. As part of building its new hospital, Cook is building a tech bar, where patients can be educated about and begin using digital apps as part of their care.
"It's all about health literacy," Meadows said. "We've built workflows where physicians will refer patients to our tech bar," where such patients will learn "how do I incorporate devices into my medical daily life."
The tech bar will also train patients how to use the Cook patient portal and to set up virtual visits. "This is where we're going to hope to address some of the health equity issues, and our Foundation will be able to give patients certain technology or hotspots…so they're being taken care of the way we think [they] should," she said.
Cloud computing in healthcare as a vital platform is a clear winner emerging from the pandemic, Shrestha said. "It's here to stay," he said. "The scalability, the elasticity is exactly what we needed more of as we lived through the pandemic."
Shrestha says Atrium today is able to care for more than 54,000 patients experiencing mild COVID-19 symptoms via its virtual observation unit. "I talk about the need for us to accelerate our digital acceleration strategies," he said. "Cloud is absolutely the right catalyst for us to do that."
"A lot of the strategies that we have in our digital arena are really based on cloud technology," Meadows said. "Cloud makes good business sense. Now, as we move into new avenues like mobile digital, we're saying, does it make sense to have an on-premise solution? The whole point of digital and mobile is to be fluid, and have the ability to test some things, and then turn [them] back down because it didn't work for whatever reason."
Noga cautioned that some legacy apps "just are unable to do a lift and shift to the cloud." Where it makes sense, cloud is appropriate, such as creating a Covidpass app where employees attest to their wellness every day, "we immediately went to [Microsoft] Azure on that," Noga said. "We needed to spin it up quickly.
The big tech companies that run cloud platforms do possess an edge over hospital and health systems, Noga noted.
"What they can invest in cybersecurity and disaster recovery, running out of different regions, is truly important," he said. But it also creates new dependencies within healthcare.
"A few weeks ago, [Microsoft] Teams went down for about 90 minutes. That was pretty painful," Noga said.
Additional Transformation is Underway
Virtual healthcare will also be healthcare that, fundamentally, never shuts its doors. "We're moving from episodic care models to more of the always-on, ubiquitous 24/7 care model," Shrestha said.
The mix of employees who will continue to work from home, or outside the traditional four walls of the system, continues to emerge, Noga said.
"In INFOSEC, we're recruiting people in different time zones, intentionally," he said. One challenge yet to be adequately addressed is helping remote workers feel less disconnected. Remote workers are not feeling they are getting the necessary time to express or show their abilities, he added.
One other new reality could be fewer desktop phones, Noga added.
"We have a massive desktop telephone refresh coming up—tens of thousands of phones," he said. "And now people are saying, 'Do we really need desktop phones, if we have soft phones on our laptops?' And if we're communicating, whether it's Zoom or Teams, we're actually hoping to eliminate 50% of our desktop phones as we go through the refresh."
Hydrogen Health will leverage K Heath's AI technology to bring digital-first healthcare to employers, insurers, and the public.
Digital-first technology solutions, boosted by an investment from Anthem, Inc., will be the product of a new joint venture called Hydrogen Health, LLC.
K Health, which makes a free AI tool that helps people understand how doctors diagnose and treat those with similar symptoms; and Blackstone Growth, part of a leading investment firm, round out the new joint venture.
The healthcare technology startup aims to increase access to services and make care more affordable for millions of people in the U.S., the partners stated in a joint announcement Wednesday morning.
Hydrogen Health will leverage K Heath's AI technology to bring digital-first healthcare to employers, insurers, and the public, the companies added.
For several years, Anthem and K Health have worked together to leverage K Health technology in an attempt to reduce avoidable healthcare costs and improve health outcomes. Hydrogen Health is meant to expand that impact at a broader scale to more people, the companies stated.
Allon Bloch,CEO and co-founder of K Health, will serve as CEO of Hydrogen Health. The agreement includes a put/call framework between Anthem, the Indianapolis-based insurer, and Blackstone. No financial terms of the joint venture were disclosed.
"K Health has proven that we can give people access to really high-quality medicine remotely," Bloch said. "This partnership with Anthem and Blackstone will help get K Health’s solutions into the hands of those who need them most, expanding upon our existing base of 4 million users and reducing costs in the healthcare system to make it work for all."
“Our stakeholders expect us to find innovative solutions to increase access to high-quality care, enhance the healthcare experience, and help lower costs,” says Amy Mulderry, senior vice president and chief development officer at Anthem.
Blackstone’s $619 billion in assets under management include investments in private equity, real estate, public debt and equity, life sciences, growth equity, non-investment grade credit, real assets and secondary funds.
Broader set of tech tools tracks vendors' business agreements, use of PHI.
As healthcare organizations strive to innovate, their Achilles' heel has been the growing attack surface that such innovation exposes to criminals. One healthcare organization is responding by incorporating more agile risk management technology into its IT infrastructure.
"Managing cybersecurity is a little more complicated in an organization that prides itself on innovation, when risk is part of the equation," says George Carion, chief technology officer and chief information security officer at Cedars-Sinai, a Los Angeles nonprofit academic healthcare system.
"It's not just about measuring security or risk," Carion says. "It's about managing that risk over time."
To help, Cedars-Sinai has turned to Censinet which recently announced additional software to help health systems manage enterprise risk in a complex, multi-vendor world.
That service is made available to providers on a subscription basis. The expanded offering helps providers with the many complexities of risk management of the technology they use. "The mission of cybersecurity is largely about the reduction and management of risk," Carion says. "The need here is to move fast, but do it carefully."
For example, the new software, known as Censinet RiskOps, provides an enterprise risk dashboard, and can highlight risk hotspots, such as identifying technology suppliers who hold protected health information (PHI), as well as those who may not have signed a business associate agreement (BAA) with the provider. RiskOps also gathers information on other high-risk areas, such as when a vendor's technology uses virtual private networks, and how well they support other security standards such as PCI and ISO 27001, and even report on the kind of information various vendors create that has found its way onto the dark web.
In this way, providers can both manage and quantify their risk with suppliers, Carion says. "Every Censinet customer will want to measure risk in a slightly different way, so it’ll be interesting to see how customizable the platform is on day one," he says. It should save Cedars-Sinai considerable time, versus previous labor-intensive processes, all driven through manually completed spreadsheets, he adds.
System Helps Providers Understand Their IT Risks
Providers have the burden of understanding the risks they are bringing into their IT environment when they establish a relationship with a vendor or service provider, Carion says.
"It’s important that this assessment work happens quickly. What used to take weeks really needs to happen in days,” he says.
In the wake of sophisticated supply chain cyber-attacks, such as the infiltration of the Solar Winds technology platform by criminal hackers, Censinet is incorporating methods that standardize a software bill of materials (SBOM) into risk assessments, says Paul Russell, chief product officer at Censinet.
"We're doing this work with the National Telecommunications and Information Administration (NTIA) to start to drive standardization around how we talk about the software in other devices, and in other software, so that we can even get more granular than just what vendors you're working with, but [also] what software is in those vendors' products," Russell says.
Censinet assessments also take into consideration the fact that a growing number of technology providers based their products on cloud platforms, rather than standalone data centers.
"It requires openness and sharing from a full set of vendors—any industry where software is involved to deliver goods or services to a customer," Carion says.
"Rather than just answering a long list of risk and company background questions, it's a cooperative team working through the details of how to best implement a solution," Carion says. "The combination of a digital platform to manage risk, connected to the right people to think through best case end states, can really save time."
Solar Winds Attacks Highlight Need to Inventory Software Bill of Materials
In the Solar Winds instance, customers were updating their installations of Solar Winds software, not realizing that bad actors had inserted malware into that software upgrade, unbeknownst to Solar Winds.
"It's super-difficult for customers to detect those things," Carion says. "But it's also pretty important for customers to be aware of when they could be vulnerable to that type of an attack."
Censinet's support of SBOM documentation should help a security team see where a software supply chain creates extra risk, whether it’s software your IT department controls or critical software upstream in a hospital materials supply chain, Carion says. "We need to worry and plan for problems that can occur upstream, which can create service issues that affect Cedars-Sinai operations," he says.
"Risk assessments are becoming a standard practice in healthcare, and whether you’re an established company or a startup, you’ll need to learn how to work with your customer," Carion says. Working through a risk assessment for the first time will help startups. "When they knock on another hospital’s door," he says, "they’ll be better prepared."
“When CDI is done well, it can lead to better patient care and reduced burden on physicians,” said AHIMA President Katherine Lusk, MHSM, RHIA, FAHIMA. “Artificial intelligence-supported technologies like computer-assisted physician documentation (CAPD) are game-changers for patients and providers alike, taking time-consuming work and processes and creating actionable information that can lead to improved health outcomes.”
Done right, CAPD frees up physicians from some administrative duties, which lets them spend more time with patients. Patient care can be improved by ensuring accurate, complete, and actionable data. CAPD can also positively impact billing processes, lessening headaches for both health systems and patients.
"CAPD not only streamlines the physician's documentation workflow and makes it more efficient, it puts the focus back on patient-centered care for the provider,” said Shirlivia Parker, MHA, RHIA, CDIP, CDI unit manager for UC Davis Medical Center.
One component of CAPD is artificial intelligence (AI) technologies. “CDI programs supported by AI are able to deliver more complete and accurate data to providers in real-time, which helps close gaps in clinical documentation and care delivery,” said Elizabeth Guyton, vice president of 3M Health Information Systems. “With CAPD, physicians have more time to focus on patient care.”
Another key component is identifying physician champions to lead CDI education efforts that resonate and address physicians’ concerns. The panel highlights the importance of starting early, by educating residents on the importance of clinical documentation. Because residents are often responsible for starting documentation on a patient encounter, this ensures safer patient handoffs, the report states.
Software helps clients receive owed reimbursements and fix processes that lower payments.
Software incentivized to find every last dollar owed providers has been put through its paces by KLAS, and Cloudmed (Triage Consulting Group) Validated Services has come out on top in the overall rankings.
KLAS' 2019 report on this market examined differences in these vendors' experience and partnership. The Revenue Integrity/Underpayment Services 2021 report builds on that research and compares how the deepest-adopting clients of these vendors compare—clients using the vendor's services across several areas of revenue integrity.
The other software evaluated in this report are Besler Performance Metrics, Revecore Validated Services, TransUnion Healthcare Validated Services, and Cloudmed (Revint) Validated Services. The report also lists the percentage of respondents reporting the following use cases: underpayment recovery, charge capture/audit, denials management, transfer DRG, DRG validation/coding compliance, Medicare reimbursement, and insurance discovery.
The KLAS comparison awarded letter grades in five different areas—loyalty, operations, relationship, services, and value. Loyalty asks providers if they would purchase the software again, overall satisfaction, and would they recommend the software. Operations measures engagement execution. Relationship evaluates executive involvement and strength of partnership. Services compares quality of implementation staff and strategic expertise. Value sums up money's worth, ability of the software to drive tangible outcomes, and whether it exceeds expectations.
The data was collected over the past 12 months. The number of organizations responding to KLAS' survey varied from 19 to 43 standard clients per software package, and from five to 14 deep adoption clients.
Several respondents in the report told KLAS that the October 2020 merger between Cloudmed and Revint has not impacted the relationship or quality of work. Respondents praise Cloudmed (Triage)'s skill at identifying specific issues with internal processes and external payers, and reporting those back to clients to help increase accuracy of claims, efficiency, and financial results.
During the ONC annual meeting, state health officers call for boosting public health data infrastructure investment.
A practicing emergency medical physician, who is also the chief medical officer of Alaska, led calls for data modernization in U.S. public health at the recent annual meeting of the Office of the National Coordinator for Health Information Technology (ONC).
"When someone shows up in my ER with four different wristbands on, and that's how I figure out that they've been at another ER and gotten a recent CT scan, that's a problem," said Anne Zink, MD, chief medical officer for the state of Alaska, speaking on a panel about public health data modernization during a pandemic.
"There are real costs, not just financial costs, but human life costs, to not doing this integration and doing it well," Zink said. "Honestly, that's what drove me into public health, was seeing my patients having the system fail them again and again."
"EMTALA said to every hospital, if you're going to receive federal dollars to care for a patient, you're going to do emergency stabilization and treatment," Zink said. "We need the same thing for [healthcare] IT. If you're going to get federal dollars to do any healthcare, you integrate. That means these systems work together because there is real cost to not doing it."
Until such legislation puts real pressure on companies that have "proprietary desires to stay siloed off for all sorts of reasons," providers will be challenged to respond adequately to pandemics, improving overall life mortality, and moving forward, Zink said.
Tiberius Vaccine Allocation System Provides a Model for National Data Modernization
Zink pointed to Tiberius, an IT system developed in 2020 that updates vaccine allocations by state on a weekly basis. "This is an example of how nationalization needs to happen," Zink said. "I can put out a lot of reports as a public health department, but that means nothing if it's not going to help the clinician [who] needs to know if a patient was vaccinated."
Such information is critical to help physicians in the midst of a pandemic pivot their vaccine response to the neediest patients, Zink said.
Zink's comments were echoed by another panelist.
"In the next couple of years, we have to really work hard on retooling the systems that we have," said M. Norman Oliver, MD, MA, state health commissioner at the Virginia Department of Health. "Our data, our surveillance systems, our electronic lab recording, case reporting and other things need to be just worked on a great deal, because they have been limping along throughout this pandemic," Oliver said. "I'm amazed that our system hasn't crashed more than it has this past year."
Adequately trained public health personnel will be essential for data modernization success
Statewide and other public health departments face another challenge: recruiting personnel trained in public health informatics, Oliver said.
"The days of having someone who's an epidemiologist morphing themselves into being a health informatics person, we need to get beyond that," he said.
Public health still faces the double challenge of getting the right data to perform analysis on outbreaks, but then also figuring out the best way to present that data so that it is used appropriately and becomes actionable information for public health practitioners, Oliver said.
Despite these obstacles, Virginia has made some progress. "We linked up the EHRs of every emergency department in the Commonwealth, all 129 of them on a common platform," Oliver said. Virginia undertook this project in response to the opioid epidemic "to keep track of people who are utilizing the EDs in a way to train on narcotics, but we've built upon that as a way to effectively talk to each other about some of the health-related social needs of these patients."
Oliver said his ideal would be a patient identifier, not only to assist each patient get the right care, but also entire populations. "That obviously means standardizing the way that we take data and figuring out ways to ensure that that data is actually collected."
As an example, Oliver pointed to North Carolina, which mandated that vaccinators must collect race and ethnicity data.
Public health more typically collects such data from 60% of the population, according to Marcella Nunez-Smith, MD, MHS, director of equity research and the innovation center at the Yale School of Medicine.
"We are seeing inequity in the vaccination space, but we're limited by incomplete data," Nunez-Smith said.
North Carolina, by contrast, currently has 98% of race and ethnicity data in its vaccination records, Oliver said.
Jernigan says funding from the CARES Act, signed into law in 2020, has been set aside for the first stage of this modernization. "We need to get to the next step of implementation planning at CDC," Jernigan said.
Successful organizations must cut through the confusion and added costs to comply with new regulations.
On April 5, after years of consideration, the U.S. government for the first time will implement laws intended to combat the longtime practice in the healthcare industry of blocking the flow of patient information (authorized by patients under HIPAA), from one provider to another.
Arising out of language in the 21st Century Cures Act, the final rule issued by the HHS Office of the National Coordinator (ONC) poses challenges to an industry still in the midst of combatting the COVID-19 pandemic.
The profound impact of this rule is only beginning to be felt by the industry, according to Leigh C. Burchell, vice president of policy and government affairs at electronic health record (EHR) supplier Allscripts, and chair of the Electronic Health Records Association's public policy leadership workgroup. Recently, Burchell discussed these implications with HealthLeaders.
HealthLeaders: The ONC applicability date is April 5, but HHS hasn’t put out a proposed rule about disincentives for provider organizations related to information blocking and the OIG (Office of the Inspector General) final rule isn’t expected until summer. What does this web of regulatory timelines mean to the industry?
Leigh Burchell: There is a sizable amount of industry confusion because of the disconnect between the April 5th applicability date from ONC and the lack of regulatory finality from OIG and HHS. My guess is that a number of people won’t take it as seriously as they should until all of those rules are out, and I know that many are advocating for a final approach from OIG that allows for a learning period before any type of disincentive is applied. It’s a big rule and frankly, a confusing one, with a lot of ambiguous language, so it’s reasonable to hope that the regulators will allow some time for people to learn and adjust before any more serious steps are taken.
HL: Transparency into cost and outcomes has been a recent focus of the rule. Are the current policies and processes of physician practices up to the mission?
Burchell: I think the issue of policies and processes is the bigger barrier to information blocking regulatory compliance for most healthcare organizations, as compared to the technology. Some hospitals and practices have been under the impression that companies like Allscripts will release a new EHR version that will address all of their obligations, but that is not how this regulation is structured. Practices need to take a look at their processes for responding to requests that come in for patient data to the best of their ability, whether from another provider, a public health entity, or a patient, and critically, for capturing information about those instances when a request cannot be honored in order to explain the decision to any investigator from OIG who comes knocking. It’s a rule that can have a pretty stiff price as far as administrative and compliance burden, so organizations are really going to want to take a thorough look at whether they’re doing everything they need to.
HL: Authorization is a complex process that suggests that practices have quite a lot of overhead when disclosing protected health information (PHI). Is EHR software instrumented to simplify that process, or does the software itself require retooling?
Burchell: Certified EHRs currently offer a number of options to practices and hospitals who will be assessing the best way to comply with the new requirements around information sharing. For exchange with other providers, there are easy-to-use options, like sending C-CDAs or clinical notes through Direct Messaging if they aren’t otherwise connected to a larger health information exchange infrastructure. And for patients, data related to problems, medications, allergies, lab results, and diagnostic imaging results can be accessed through their personal health record or patient portal, while patient-directed exchange mechanisms like APIs and those supporting view/download/transmit requirements have been available for several years. Provider organizations will need to take a look at their policies and procedures, however, to ensure their systems are optimally configured to make that patient data accessible as quickly as possible and with as much depth as possible to meet the requirements around the USCDI.
HL: Will small practices simply attempt to invoke the "infeasibility" exception to the information blocking rule, and why won't that suffice in the short term?
Burchell: The first inclination for many small practices will be to invoke infeasibility, but they need to be aware that to do so requires a specific process of reviewing alternative means of getting the requested data to the patient or other inquiring party before they can turn to the infeasibility exception. If they jump to infeasibility without first going through the steps required of the content and manner exception, their infeasibility claim will be invalidated. They also have to document that process contemporaneously, meaning at the same time and per individual request, not just through a blanket policy, so they may find that it becomes an untenable use of resources to document infeasibility with any level of regularity. We’re encouraging our clients to use this as an opportunity to assess their information exchange and care coordination strategy, because it might be time to increase their Direct Messaging efforts, finally connect to an HIE or invest in HIE technology, or ensure that the personal health record they offer their patients is robust and capable of sharing as much data as is expected by this regulation.
HL: Do the remedies suggested here add to the cost of health IT, and if so, who will ultimately pay that cost?
Burchell: Allscripts has assigned significant resources to complying with this regulation, and some of the changes will require substantial work. Additionally, providers across the industry have to assess for themselves what changes they need to make to successfully be able to respond to data requests, including the health IT solutions they are using, and for some, that will mean additional investment could be necessary.
HL: Could these requirements accelerate the trend of small practices selling out to larger organizations?
Burchell: Independent physician practices are a critical backbone of the healthcare ecosystem in this country, and that’s particularly true in underserved and rural environments. I certainly hope that HHS is mindful of the impact of this massive regulation and closely keeps an eye on whether adjustments are needed if they find that it’s negatively impacting the ability of those practices to continue to thrive. Pushing for expanded information exchange is the right thing to do, but finding that right balance will be key.
